Big Brother bill under scrutiny

13 Mar 2003

Privacy is not merely instrumental in the achievement of other goals but is a basic human right that applies to all persons by virtue of their status as human beings. It is not possible to overstate just how fundamental privacy is in a civilised legal system,” said the Law Reform Commission in 1998 in its report on privacy, surveillance and the interception of telecommunications.

Such an idealistic and civilised viewpoint is in danger of being swept aside by a contentious new bill that is aimed at monitoring and capturing internet and telephone data to be used in the interest of combating crime and protecting national security against terrorism.

The proposed Telecommunications Retention of Data Traffic Bill due to go before the Oireachtas in coming weeks has raised the ire of many civil rights groups as well as telecom carriers and internet service providers (ISPs) who seriously doubt they can log and monitor phone calls, text messages, faxes, emails and internet usage over a four-year period.

When news of the bill was leaked to the media in November it prompted outrage and Justice Minister Michael McDowell TD had to row in and deny that it was a “Big Brother bill”. Telcos and ISPs say that the technicality of storing and accessing such data was nigh on impossible and that the existence of such legislation might harm the progress of e-commerce and internet usage in Ireland.

A recent forum held by the Department of Justice, Equality and Law Reform aimed at soliciting the views of telcos, ISPs and civil rights groups showed that the department had failed to assess the technological conundrum that storing such information for four years presents. In fact, it emerged at the forum that many other governments around the world are slowly beginning to realise just how unwieldy such legislation might be – to the extent that no storage technology in the world exists to keep up with such demands.

In an impromptu press conference at the forum, McDowell conceded that the leaked proposed legislation was in fact a draft document that had not been sanctioned by his department.

Opposition to the draft bill has attracted many potential adversaries, but none more powerful than that of Data Protection Commissioner Joe Meade who called for reason and moderation in any form of data retention legislation. “I will be supportive of measures that are demonstrably necessary to protect against crime or terrorism, but such measures must be proportionate and have regard to the human right to privacy,” he said.

Referring to traffic data, such as that found in an itemised phone bill, Meade said that the minister would need to be clear on what data can be stored, the fact that calls or emails had been sent or the actual contents of these communications. “Traffic data reveals huge amounts about one’s private life. They are your electronic footprints, but unlike the physical fingerprints you leave around you in the real world, they are recorded. For landline phone calls it can reveal the number you dialed, the duration of the call and the time of the call. Traffic data also includes a record of the location of a cell phone in question as it moves about from cell to cell. For this reason, traffic data generated by mobile calls is far more personal and revealing.

“In relation to the internet, traffic data would encompass the email addresses on all correspondence to and from the subscriber, a record of date, time and size of message as well as other transmission details but hopefully excluding message subject and content. It would also encompass a record of every login session, every web page visited and read, every search item entered, every file downloaded, every purchase made and so forth – in short, virtually the entirety of one’s online ‘session’, but hopefully excluding the content of email messages,” he added.

He warned: “However, if you can no longer feel secure that your telephone, web surfing and electronic communications are in fact private, then that signals a major change in the nature of the society in which we are living.” He added that if traffic data is not securely controlled, the data could be used by marketers and other bodies to profile a person’s habits and movements. This could lead to wrong assumptions about a person’s behaviour or, in extreme cases, even blackmail.

Meade pointed to an order he issued to telcos and ISPs in January 2001. “I discovered that all traffic data for telcos was being routinely retained for a period of six years, the rationale being that it was necessary to do so in case a claim arose under the Statute of Limitations. I found it difficult to accept this reasoning and pressed for the six-month retention period to be the norm. While this period was eventually acceptable to most of the telcos and ISPs, it raised legitimate concerns in the Department of Justice regarding access for security and crime investigations. Following discussions with me, the department indicated that a retention period of three years, rather than the then six years, was necessary for security purposes for telcos. While I respected their view, I consider that a maximum period of three years does not strike the correct balance,” he said.

Meade noted that all across Europe, similar proposals are being considered that will result in the mandatory, systematic retention of traffic data concerning all kinds of telecommunications for a period of one year or more, in order to permit possible access by law enforcement agencies. His fellow European data commissioners have expressed grave doubts as to the legitimacy and legality of such broad measures and stated systematic retention of all kinds of traffic data for a period of one year or more would be clearly disproportionate and, therefore, unacceptable in any case.

“They also drew attention to the excessive costs that would be involved for the telco and internet industry, as well as the absence of such measures in the US,” Meade said.

These excessive costs were highlighted by Esat BT’s solicitor Audrey O’Sullivan. “Retaining every single email for three years is quite monumental in terms of systems and resources required to maintain that. It is a very real cost imposition on telecoms companies working in tough market conditions.” A colleague of O’Sullivan’s demonstrated that retaining proxy data on its existing customer base over three to four years would mean storing 337 terabytes of data, costing the company some €4m.

It is clear that the proposed Telecommunications Retention of Data Traffic Bill is a hastily organised affair, requiring much more thought and assessment of technical feasibility. If the Department of Justice is serious about implementing the bill it must be prepared to work with telcos and ISPs as well as privacy advocates and the Data Protection Commission to strike a balance that we can all live with.

By John Kennedy