Are we outsourcing our privacy to US technology companies?

Have you ever sent a text message using an iPhone to another iPhone? Maybe you've sent or received email using Hotmail or Gmail? Did you ever Skype a family member? Or upload a photograph or document to Dropbox or Google Drive?

If so, you have the right to be worried, according to digital rights campaigners in Ireland.

US intelligence agencies are reported to have been operating a programme called Prism, providing direct access to the servers of some of the biggest organisations on the web. The companies affected include Facebook, Apple, Google, Yahoo and Skype.

Unlike reports earlier in the week about the blanket surveillance of phone calls – which involved customers based in the US – these latest allegations target “non-US persons”.

The technology firms at the centre of the allegations said yesterday they had no knowledge of the programme.

They insisted they did not offer blanket access to security officials. Instead, they said they only handed over data when they received a subpoena relating to named individuals.

But for campaigners such as TJ McIntyre, a lecturer at UCD school of law and chairman of Digital Rights Ireland, the disclosures highlight how we entrust our privacy almost entirely to US companies that store information in their “clouds” , or huge data centres.

“We should be massively concerned about this,” he said. “The US defence is that ‘we have set out to target foreigners’. So if you’re not a US citizen, you do not have any private rights.”

Wider implications
Most Irish citizens might wonder what interest US intelligence agencies would have in combing through family snaps, school essays or rambling conversations. McIntyre, however, said there were wider implications. "These issues may not be of interest to an individual – but only provided you don't need confidentiality in your medical records, provided you don't need a free press that isn't spied on by government, and provided there's no one out there to abuse your personal information."

There may also be implications regarding the transfer of personal data from Ireland to the US. At present, a "Safe Harbour" arrangement is in place that allows for the transfer of personal data out of Europe to the US – but only on the basis that the receiving country provides an adequate level of data protection.

McIntyre said these latest allegations raised serious questions about whether the US was providing these kinds of safeguards.

The Data Protection Commissioner’s office in Ireland said yesterday there was ambiguity over whether some of the named technology firms could be subject to Irish data protection laws.

Google, for example, has claimed that Google Inc in California is responsible for processing the data of EU users, and not any of its EU subsidiaries, including Google (Ireland).

In the case of Facebook, the Data Protection Commissioner’s office said it would expect that any requests for information by US intelligence would be addressed to Facebook Inc rather than to Facebook (Ireland).

In any case, it said access to data by law enforcement agencies was provided for under Irish law.

Investigating offences
Data Protection Acts permit organisations to release personal data for the purpose of "preventing, detecting or investigating offences, apprehending or prosecuting offenders", among other grounds.

“How exactly these provisions in Irish law would interact with the legal systems of other countries is a complex issue on which it is difficult to give a clear response,” a spokeswoman said.

“We understand that companies based in other countries [such as the US] may be required as a matter of law to provide personal data in response to law enforcement requests irrespective of where that data is stored.”