:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/DTW5ODUCPXXC7VYYFQTFP2PIWI.jpg)
:quality(70)/s3.amazonaws.com/arc-authors/irishtimes/5fed9ec9-e0d2-4b29-898a-83fc9bc5d78e.png)
Google has many business interests but it has yet to get into performance art. The canny Californians hedge their bets, though, and should they wish to open a theatre, their premiere production might be Song and Dance: The Collected Emails of Nóirín O'Sullivan.
When our Garda commissioner signed up for Gmail, and began using it to send and receive messages that didn’t fit through the official Garda email system, she will, of course have read Google’s terms of service.
Used by over a billion people, Gmail’s terms of service are more readable than most. And their consequences are staggering. By using Google’s services, Gmail users who upload any information agree to grant Google a “worldwide licence to use, host, store, reproduce, modify . . . publish, publicly perform, publicly display and distribute such content”.
All in- and out-bound emails are automatically scanned by Google’s systems, even if O’Sullivan’s correspondent is using the official Garda email service. Finally, if O’Sullivan has a problem with Song and Dance: The Collected Emails of Nóirín O’Sullivan, she has agreed that all disputes will be heard in a Californian court, under US law.
There is no evidence that Google has ever used information sent through its Gmail service for anything but its original purpose. Trust may be good enough for most Irish email users, who value convenience over security. But is trust an appropriate security standard for our Garda commissioner, whose emails may contain law-enforcement reports, serious crime analyses, terrorism alerts and personnel matters?
Informed choices
The Garda response, that O'Sullivan's devices were secure and that she had used best practice with passwords, suggests no one in Phoenix Park has read Google's terms of service either. Because the risk from using services such as Gmail is not hackers but Google itself.
Gmail isn’t free, nor are any Google services. In lieu of cash payment, Google collects and stores data. Lots and lots of data. All messages to and from a Gmail users like O’Sullivan – including from colleagues using the official Garda email system – are scanned for keywords that Google can then sell for advertising purposes. Just how much data Google retains is a commercial secret but, given the low cost of storage, why not keep everything?
Almost as remarkable as the Garda response to the Gmail revelations was the reaction of our data protection Minister. Visiting Berlin, he insisted in meetings with German officials, that Ireland operates a rigorous data protection regime. Asked about the Garda Gmail affair, Dara Murphy said he was unaware of any "overarching" Government data protection policy on the use of Gmail for official business. Was sending Government emails via Gmail a bad idea? Mr Murphy didn't want to commit. Did he himself ever use Gmail or another web mail service for Government business? No answer.
In Europe, data protection best practice is to allow the collection of as little data as required to do the job, to store it for as short a time as needed and to ensure people make informed choices regarding data collection.
Ambivalent approach
By allowing Gmail for official business, An Garda Síochána has demonstrated yet again, after repeated scandals involving its Pulse database, that it simply does not get data protection.
In the case of the Hillary Clinton email scandal, at least the US politician's emails were on a server operated by her family foundation. In this case, Garda emails are now on a server somewhere out in the ether.
Given the Garda commissioner’s ambivalent approach to whistleblowers, it’s ironic that her use of Gmail may have made her an unwitting informant for the NSA, should it ever pull in her Gmail data in one of its regular intelligence trawls of the big online companies such as Google. Intelligence gleaned in this way is regularly shared by the NSA with its “Five Eyes” intelligence partners, including Britain.
For anyone still struggling to understand the Gmail fuss, imagine Ms O’Sullivan, to cut costs, was using a new courier service to bike important documents across Dublin. Instead of a cash payment, this courier company made photocopies of all files. Those files may never be seen again or may be demanded by a foreign intelligence services.
By using Gmail for work either O’Sullivan breached Irish data protection law and professional guidelines or she didn’t realise the far-reaching consequences of her actions. It is a staggering lapse of judgment that makes a mockery of informed consent and exposes widespread Garda institutional failure on data protection. Neither outcome is a vote of confidence in the Garda Commissioner.
Derek Scally is Berlin Corespondent