Boards.ie and the recently passed Criminal Justice (Mutual Assistance) Act 2008 SI

Dav

Recently, Minister Frances Fitzgerald signed off on a Statutory Instrument on the Criminal Justice (Mutual Assistance) Act 2008 (PDF Link). You can have a read of some of the ins and outs of it here: http://www.irishtimes.com/business/technology/state-sanctions-phone-and-email-tapping-1.2027844

What this SI allows for is the formal requesting of tapping of Irish communications by foreign governments and vice versa within EU member states. This has implications for us as the traffic in and out of our site would fall within the remit of this law.

Currently, we have a policy of notifying anyone who's data has been requested via a Section 8 request of the Data Protection Act. In my time working here (almost 6 years), I've dealt with only 6 such requests and of those, only 1 of them was seeking out the details of a suspect in a criminal investigation. With that specific case, An Garda Siochana said that informing the individual of the request would significantly jeopardise their case, so in that case we did not inform the member of the request.

This new SI not only compels us to offer up information if requested of us in this manner, but it actively prevents us from telling you if you were involved. If we refuse, we go to court, but not just any regular court session, this SI has provisions for secret "in-camera" courts too which is completely unprecedented in Irish law. This means that not only can we not tell you about the request, we can't even tell anyone that there was any request or that we were even in a courtroom to try and defend your privacy.

We're not thrilled about this as you can imagine. Friends of ours like TJ McIntyre and Eoin O'Dell who are heavily involved in Digital Rights Ireland are suggesting that such things are contrary to European law. There are any number of legitimate reasons for international communications taps - especially for a country with a history of domestic terrorism like ours - but the process for setting them up should be open and transparent and not hidden away only to be revealed by people like Edward Snowden who revealed that such activity has been happening with Irish communications channels for a long time. Naturally, our government has had no comment to make and their history of simply ignoring data protection law when it's inconvenient for them speaks volumes.

Orion

Fcuk me - that's Patriot Act bull. Can you even tell your solicitors if such a request comes in? In the US ISPs can't even do that.

The Hill Billy

McCarthy-era carry on. Another rod that I shall use for the backs of those seeking reelection when the time comes.

Who sponsored/proposed this SI?

TJM

While I hate to correct Dav, I do have to clarify something.

The SI, bad as it is, does not apply the secret courts provisions to Boards or other forums - it is limited, to oversimplify, to telcos such as Eircom, Three, UPC and the like.

The context is tedious, but bear with me.

This is the section of the 2008 Act which the SI brings into force. It modifies section 110 of the Postal and Telecommunications Services Act of 1983 to do two things:

1. It is now an offence not to comply with ministerial directions to do something (these directions have been used to require telcos to tap phones and introduce data retention); and
2. Prosecutions for that offence must now be heard in camera - essentially, in complete secrecy.

So who is covered by s.110? It originally applied to Telecom Eireann and An Post - the two state companies established in 1983 to take over from the former Department of Post and Telegraphs.

As the telecoms market was liberalised it was extended in successive laws to apply to the new licensed entrants, and eventually to all "authorised undertakings" - i.e. operators which operate under a general authorisation issued by Comreg.

Who is an authorised undertaking? You are an authorised undertaking if you provide an "electronic communications network" or an "electronic communications service". These are terms of art taken from EU telecoms law, which draws a sharp distinction between these and "information society services". Roughly speaking, the distinction is between the traditional telcos (who provide the infrastructure and connectivity services) and the websites, services, etc. which you access via those connectivity services. (There's a good explanation of the distinction here at p.359 onwards.)

In short, if you are an "information society service" (which Boards.ie clearly is) then you are

(a) not a provider of a "communications network" or "communications service", therefore
(b) not an authorised undertaking, therefore
(c) not subject to the ministerial directions under s.110, therefore
(d) not subject to prosecution in secret for not complying with those directions.

Should we still be worried about the secret ministerial directions and secret prosecutions? Absolutely - there's clear potential for abuse. Vodafone recently suggested that the power was wide enough to allow the Irish state to demand direct access to telco networks. I would fear that these secret ministerial directions could equally be used to require telcos to do other harmful things, such as man in the middle attacks against SSL or tampering with DNS for censorship or surveillance purposes. But, for the time being at least, Boards is safe-ish.

quietsailor

Is there any way this can be made a sticky out on the main front page for a week. It's only chance I saw the thread and several boards users I talked to had no idea the thread exists

Dav

TJM wrote: »

While I hate to correct Dav, I do have to clarify something.

....

But, for the time being at least, Boards is safe-ish.

Well, I don't mind admitting that's somewhat of a relief to hear, the powers that be here were under the impression that this extended to us and platforms like us. I shall pass this back up the line to the Board.

DeVore

That is ... until they decide that Private Messages are really emails...

This is absolute bull from the government, another stroke-of-the-pen piece of legislation (this time from Francis Fitzgerald, Minister for Justice (ha!)).

Nody

DeVore wrote: »

That is ... until they decide that Private Messages are really emails...

This is absolute bull from the government, another stroke-of-the-pen piece of legislation (this time from Francis Fitzgerald, Minister for Justice (ha!)).

Everyone are equal in front of the law; some are simply more equal than others...

Move boards hosting abroad?

Sparks

ronoc wrote: »

Move boards hosting abroad?

That hasn't saved other sites.
Also, EU law on data protection and US jurisdictions don't mix well, just ask Microsoft...

Eoin

Can you tell users that such a request hasn't been made? e.g. like a warrant canary - though it's probably not worth the potential hassle if that's a grey area.

Dav

ronoc wrote: »

Move boards hosting abroad?

That has absolutely zero impact on anything. It doesn't make us immune to Irish or European Law if we're not hosted outside of that area, the law is applied where the 1's and 0's are turned into meaningful information that you can read on your screen.

As has been explained above by TJM, our understanding of this appears to be somewhat incorrect, so we can at least relax on this particular issue, but your ISPs can not. I'd urge you to talk to them (and as luck would have it, you can do so here) and ask them what their policy will be for this and what their policies of notification re: data requests etc are for their customers.

As I said, on the extremely rare occasions we get a request for information, unless it's going to cause a problem for an ongoing case investigation for the Gardaí, we will let you know that it's happened.

hullaballoo

Fundamental freedoms lol

Sparks

ask them what their policy will be for this

"We intend to do whatever will maximise our current quarter profit margin", most likely...

expectationlost

DeVore wrote: »

That is ... until they decide that Private Messages are really emails...

This is absolute bull from the government, another stroke-of-the-pen piece of legislation (this time from Francis Fitzgerald, Minister for Justice (ha!)).

my understanding is that this had been planned since 2008 http://www.irishstatutebook.ie/2008/en/act/pub/0007/print.html#part3 and before as far back as 2000 and had to be implemented 5 years after the lisbon treaty from dec 2009 to dec 2014 http://www.europarl.europa.eu/aboutparliament/en/displayFtu.html?ftuId=FTU_5.12.6.html

Article 10 of Protocol 36 to the Treaties

Article 10
1. As a transitional measure, and with respect to acts of the Union in the field of police
cooperation and judicial cooperation in criminal matters which have been adopted before the entry
into force of the Treaty of Lisbon, the powers of the institutions shall be the following at the date of
entry into force of that Treaty: the powers of the Commission under Article 258 of the Treaty on the
Functioning of the European Union shall not be applicable and the powers of the Court of Justice of
the European Union under Title VI of the Treaty on European Union, in the version in force before
the entry into force of the Treaty of Lisbon, shall remain the same, including where they have been
accepted under Article 35(2) of the said Treaty on European Union.
2. The amendment of an act referred to in paragraph 1 shall entail the applicability of the powers
of the institutions referred to in that paragraph as set out in the Treaties with respect to the amended
act for those Member States to which that amended act shall apply.
3. In any case, the transitional measure mentioned in paragraph 1 shall cease to have effect
five years after the date of entry into force of the Treaty of Lisbon.

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:12008M/PRO/36:EN:HTML

El Weirdo

TJM wrote: »

While I hate to correct Dav, I do have to clarify something.

The SI, bad as it is, does not apply the secret courts provisions to Boards or other forums - it is limited, to oversimplify, to telcos such as Eircom, Three, UPC and the like.

The context is tedious, but bear with me.

This is the section of the 2008 Act which the SI brings into force. It modifies section 110 of the Postal and Telecommunications Services Act of 1983 to do two things:

1. It is now an offence not to comply with ministerial directions to do something (these directions have been used to require telcos to tap phones and introduce data retention); and
2. Prosecutions for that offence must now be heard in camera - essentially, in complete secrecy.

So who is covered by s.110? It originally applied to Telecom Eireann and An Post - the two state companies established in 1983 to take over from the former Department of Post and Telegraphs.

As the telecoms market was liberalised it was extended in successive laws to apply to the new licensed entrants, and eventually to all "authorised undertakings" - i.e. operators which operate under a general authorisation issued by Comreg.

Who is an authorised undertaking? You are an authorised undertaking if you provide an "electronic communications network" or an "electronic communications service". These are terms of art taken from EU telecoms law, which draws a sharp distinction between these and "information society services". Roughly speaking, the distinction is between the traditional telcos (who provide the infrastructure and connectivity services) and the websites, services, etc. which you access via those connectivity services. (There's a good explanation of the distinction here at p.359 onwards.)

In short, if you are an "information society service" (which Boards.ie clearly is) then you are

(a) not a provider of a "communications network" or "communications service", therefore
(b) not an authorised undertaking, therefore
(c) not subject to the ministerial directions under s.110, therefore
(d) not subject to prosecution in secret for not complying with those directions.

Should we still be worried about the secret ministerial directions and secret prosecutions? Absolutely - there's clear potential for abuse. Vodafone recently suggested that the power was wide enough to allow the Irish state to demand direct access to telco networks. I would fear that these secret ministerial directions could equally be used to require telcos to do other harmful things, such as man in the middle attacks against SSL or tampering with DNS for censorship or surveillance purposes. But, for the time being at least, Boards is safe-ish.

That looks like legal advice to me...

oscarBravo

Sparks wrote: »

"We intend to do whatever will maximise our current quarter profit margin", most likely...

That's a(n understandably) cynical perspective; my perspective (as someone who runs a smallish ISP) is "we intend to do whatever it takes to ensure that we're focusing our efforts and limited funds on providing a service to our customers, rather than wasting time and money in fruitless legal actions that we're not even allowed to talk about".