Profiling by the Irish Government

Cantab.

Do we actually have spooks in Ireland?

Do our security services monitor voice calls (using automatic speech recognition) and emails to build profiles on people?

They're definitely tracking number plates -- they've those cameras all over the M1, in Fairview and in loads of other places.

I believe in Ireland you still have to have a court order to bug someone. But how about bugging people en masse and building automatic 'anonymous' profiles for delving in to when there's a problem (i.e. they'd have reasonable suspicion in this instance).

Anyone out there in the security industry know more about this? I know it definitely goes on in the UK and the USA and the security services can basically do what they like.

Martyr

I would guess any spying is carried out by a division of the Gardai, rather than secret agents..we (Ireland) probably don't have enough foreign interests to justify training/employing James Bond-style spies.

AFAIK, Gardai don't need a court order anymore to monitor your phone calls.

Cantab.

Average Joe wrote: »

I would guess any spying is carried out by a division of the Gardai, rather than secret agents..we (Ireland) probably don't have enough foreign interests to justify training/employing James Bond-style spies.

AFAIK, Gardai don't need a court order anymore to monitor your phone calls.

This is all pretty scary stuff.

Think about how much it would cost to deploy a speech recognition system on say 2 million phone users in Ireland. If each conversation was about 1000 words and you had 5 conversations a day 365 days a year, then:

1000 words x 10 letters per word x 1 ASCII byte = 10000 bytes per conversation

10k * 5 * 365 = 18 MB per person per year

Now add some zip compression = 5 MB per person per year

So, 2 million people's phone calls is roughly 10 million MB or 10 TeraBytes

Let's say they profile 10% of the population -- 1 TB per year

Not beyond the realm of possibility?

And with ASR becoming more-and-more plug-and-play, off-the-shelf, all the garda IT dept. will need to do is plug in some wires and Bob's your uncle.

Imagine the power you would have if you could simply search your database to find out who said what and when.

The motivation for such systems is huge. It's only a matter of time and I wouldn't be at all surprised if they borrow technology and expertise from Britain/America to help identify suspects/terrorists/etc.

probe

Kennedy and Arnold v. Ireland [1987] IR 587 upheld the right to privacy under article 40.3 of the constitution (journos phones being tapped). Despite this the mobile phone companies operating in Ireland are systematically collecting traffic and location data from everybody who uses a mobile phone, (including journos) storing it for three years (with no obligation to destroy it after that point?), and are almost certainly sending it out of the country to you know where...

Germany and Switzerland, by comparison, only allows traffic data to be retained for six months for criminal investigation purposes. I don't think any right thinking person would argue against a six month data retention period, assuming access to the data was judicially controlled with adequate safeguards to prevent abuse and telco workers selling information to PIs and anyone else who has money to spend who wants to find out about someone else.

http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-559527

http://www.justice.ie/en/JELR/WkgGrpPrivacy.pdf/Files/WkgGrpPrivacy.pdf (report of working group on privacy).

Types of data typically collected by the spyware available on the market includes:

* Emails sent and received
* Instant Messages sent and received
* Websites visited
* Messaging types
* Device identity
* Location of mobile equipment
* Traffic analysis
* IP address assigned
* Logon/Logoff time and date
* From, To, CC, Bcc, email addresses
* Authentication user name
* Dial Up, CLI number assigned
* ADSL endpoint
* Mac address
* Proxy server logs
* Social connectedness (who's calling or texting whom)
* Call Detail Records (CDR's)
* Location Information
* Telephone calls made and received
* Name
* Subscriber DOB
* Billing address
* Payment methods
* Account/credit card details
* Contact information
* Customer reference/account number
* IMEI, IMSI
* Email address
* All numbers associated with call (e.g. physical/presentational/network Assigned CLI, DNI, IMSI, IMEI, exchange/divert numbers)
* Date and time of start of call
* Duration of call
* Type of call
* Location data at start and/or end of call, in form of grid ref.
* Cell site data from time cell ceases to be used.
* IMSI/MSISDN/IMEI mappings.
* IMSI, IP address assigned.
* Mobile data exchanged
* Unanswered calls
* SMS, EMS and MMS Data
* Calling number, IMEI
* Called number, IMEI
* Date and time of sending
* Location data when messages sent and received, in form of grid reference.
* Collateral data -eg the mapping between cell mast IDs and their location, and the translation of dialing via by IN networks.

.probe

http://www.tjmcintyre.com Irish IT Law Blog by TJ Mcintyre, UCD
http://www.digitalrightsireland.org

mick.fr

Guys stop the crap seriously lol
The intelligence service of Ireland is the smallest Intelligence Service organization in the world.

And 2 since there is no obligation whatsoever in this country to register a Ready to Go phone with a valid ID at least, who would you prove that Mr. X was spoken to Mr. Y
Ireland is one of the latest country in EU where anybody can buy a handset with credits and carry illegal activities in other EU countries without giving the chance to the authorities to prove who was actually speaking over the phone.

Lack of legislation, as usual, because Ireland is not facing the same issues others are facing.

Irish intelligence yeah ok

Martyr

The intelligence service of Ireland is the smallest Intelligence Service organization in the world.

i didn't know there was one at all, where is the evidence to suggest otherwise? - links would be helpful.

And 2 since there is no obligation whatsoever in this country to register a Ready to Go phone with a valid ID at least, who would you prove that Mr. X was spoken to Mr. Y

No, there isn't, thats true.. (the phone conversations cannot be used in court, but are useful in gathering intelligence)

There were discussions on enacting such a law, but it wouldn't work well.. With all the old sim cards in circulation..not to mention the fact that Mr.X can simply give Mr.Y's personal details, or fabricate them completely..when purchasing a pre-paid mobile.

Would it really be that difficult to obtain the phone number from another source anyway?

probe

mick.fr wrote: »

Guys stop the crap seriously lol
The intelligence service of Ireland is the smallest Intelligence Service organization in the world.

And 2 since there is no obligation whatsoever in this country to register a Ready to Go phone with a valid ID at least, who would you prove that Mr. X was spoken to Mr. Y
Ireland is one of the latest country in EU where anybody can buy a handset with credits and carry illegal activities in other EU countries without giving the chance to the authorities to prove who was actually speaking over the phone.

Lack of legislation, as usual, because Ireland is not facing the same issues others are facing.

Irish intelligence yeah ok

It is irrelevant whether a mobile phone is registered or not. Drug dealers and bank robbers etc will beg, borrow or steal phones if they have to, to make sure that the phone they use in a crime is not registered in their name. Compulsory registration would probably increase violent crime, as criminals grabbed mobile phones from anyone using them in the street to do their next "job". You don't need to know who owns each phone to get a lot of information from analysis of certain data. And you don’t need more than 6 months of data to do it either. I don't propose that we discuss this here, because I suspect criminals use google too.

There are other aspects of the issue which can be considered without prejudicing matters at the criminal investigation end - such as the legal and constitutional issues of mass surveillance of ordinary people and the retention of these data for long periods of time.

China used to do it for decades with people in each apartment block assigned to watching their neighbours and reporting on every move. Millions of spies within. Ireland could be accused of doing this electronically, because virtually everybody seems to have a mobile phone, reporting on their every move and communication. If there was someone standing outside everybody’s door 24h/24 and following them around tailing their cars – there would be screaming and shouting about it on TodayPK and every other radio programme. And rightly so. But because data snooping and retention is out of sight, this spy is out of peoples’ minds.

It gives enormous power and intelligence gathering capability to people working in telcos and public servants who have virtually unrestricted access to these databases. Probe knows someone who has been the victim of these dirty tricks by people working for a certain Irish telco, due to their sustained public criticism of the company's abuse of monopoly, which the individual was able to trace to a very high level in that organization. Power over their customers (ie the citizen) and power over their "masters" (ie the politicians). To a greater or lesser extent, it is a security risk for everybody - except the criminal fraternity who know how to take care of themselves.

Michael McDowell has a lot to answer for legislatively putting this spying infrastructure into place through the back door (via a last-minute insertion of the provisions into an otherwise unrelated law). Part 7 of http://www.irishstatutebook.ie/2005/en/act/pub/0002/index.html

.probe

www.digitalrights.ie
http://www.digitalrights.ie/2006/07/29/dri-challenge-to-data-retention/

PS: As for the secret service, "they" under-spent their budget by about €400,000..... as is typically the case every year.
http://www.independent.ie/opinion/editorial/theyre-secret-all-right-1295522.html

Cantab.

My aunt works in social welfare and she knows I was on the dole once (for a very short period) -- she brought it up in an argument we were having over Christmas. Data protection my arse!

I used to work in a teleco company. I've actually seen guys listening in to random phone calls "for the laugh". It's so easy to do it's not funny. I can also tell you of a mate of mine whose phone was stolen whilst working for one of the big operators -- he used the system to look up his IMEI number and actually called the guy using his phone! He had the last 50 calls he made so even if he switched off the phone and threw it away he's still be able to ring him up on his new number! He basically said that if he didn't arrange to leave his phone behind the bar of a pub within 24 hours, he'd report him to the guards. Got his phone back the next day so he did!

Whilst working in the teleco sector, I was working on a project that gave government security agencies and emergency services priority on the network over normal users. There was also the provision for these agencies to use encryption that's not available to the ordinary user.

If I could, I'd like to encrypt all my voice calls and emails -- this is unfeasible though, because I'd imagine anyone who'd want to contact me would need to have my public key and standardised software.

Why can't we buy phones and send emails that facilitate public/private key encryption? And I'm talking proper encryption that the user has control over -- not some PGP or 64 bit hashing, etc.

mick.fr

Anyway those issues that are being brought to the Irish attention recently or not regarding telecoms companies recording things etc.

That is no news at all to most of the other EU countries and US.

I remember after 2001 in France when they announced they will be doing that (Live since 2004 in France I believe), everybody was whining but nonetheless this has been implemented.
This costed a lot of money to the providers (Extra storage disk, archiving, tape drives...) but they had no choice.
One good thing it will bring to Ireland, is that we will get rid of the small monkeys that are trying to sell hosting here. If I may say :-)

I remember in Germany an ISP sued the Government over this new law because they had to spent 600.000 euro to comply with the new legislation.

DublinWriter

Cantab. wrote: »

My aunt works in social welfare and she knows I was on the dole once (for a very short period) -- she brought it up in an argument we were having over Christmas. Data protection my arse!

A number of bods in the Revenue Commissioners were slapped down a number of grades recently and suspended over their 'snooping' into the computerised tax files of the Irish rich and famous.

As for the Irish Intelligence Service? There isn't one. Period. Threats to domestic security posed by both native and foreign subversives are handled by a specialised unit of the Crime and Security section of An Garda Siochana and the Irish Army Intelligence unit called G2.

Although Ireland is a signatory to the Echelon system, we are in name only and we don't have any US NSA presence or hardware on Irish soil. Yet.

There is a provision in the Department of Justice's yearly budget for an item called 'Secret Service', but it's not as exciting as it sounds.

As for computerised profiling, do you think an administration that spent €150m on a useless e-voting system and the same amount again on a dodgy HRM system for the Health Service is remotely capable of such a thing?

probe

mick.fr wrote: »

Anyway those issues that are being brought to the Irish attention recently or not regarding telecoms companies recording things etc.

That is no news at all to most of the other EU countries and US.

I remember after 2001 in France when they announced they will be doing that (Live since 2004 in France I believe), everybody was whining but nonetheless this has been implemented.
This costed a lot of money to the providers (Extra storage disk, archiving, tape drives...) but they had no choice.
One good thing it will bring to Ireland, is that we will get rid of the small monkeys that are trying to sell hosting here. If I may say :-)

I remember in Germany an ISP sued the Government over this new law because they had to spent 600.000 euro to comply with the new legislation.

One has to ask oneself who does mick.fr work for?

The issue is not the matter of data retention - it is the three year period of retention in Ireland - and that is a minimum. Not to mention the lack of privacy laws in Ireland to put people in prison for long periods if they illegally monitor telecommunications traffic "for a laugh", snoop on their text messages (which are all stored - and seem to be available to every call centre worker in Irish mobile phone companies, at the click of a mouse), and sell this stolen information to PIs and anyone else.

In Germany, they just enacted retention at the start of 2008 and the period is 6 months - the same as Switzerland.

In France, Décret n° 2006-358 of 24.03.2006 requires traffic data to be destroyed after 1 year.

.probe

Cantab.

DublinWriter wrote: »

A number of bods in the Revenue Commissioners were slapped down a number of grades recently and suspended over their 'snooping' into the computerised tax files of the Irish rich and famous.

I used to work in a call centre in my student days and we had full access to millions of US customers. We could look up Michael Jackson or Michael Jordan and see how many cars they had! Data protection my ass.

DublinWriter wrote: »

As for the Irish Intelligence Service? There isn't one. Period. Threats to domestic security posed by both native and foreign subversives are handled by a specialised unit of the Crime and Security section of An Garda Siochana and the Irish Army Intelligence unit called G2.

It doesn't have to be done by the intelligence service. The army and/or guards could implement an automatic profiling system if they really wanted to. All they need is to put out a tender (in the UK or the US) and train a couple of their members on how to operate the system. I wouldn't be surprised if there were systems already in place to monitor IRA people and those on US government watch-lists (with the support of the US/UK of course -- Ireland doesn't have the ability to design their own systems from scrratch). I'm led to believe that Ireland is a bit of a haven for international ter.rorists and foreign governments would have a big interest on keeping tabs on these people.

DublinWriter wrote: »

Although Ireland is a signatory to the Echelon system, we are in name only and we don't have any US NSA presence or hardware on Irish soil. Yet.

I wouldn't be so absolutist about ruling it out completely.

DublinWriter wrote: »

There is a provision in the Department of Justice's yearly budget for an item called 'Secret Service', but it's not as exciting as it sounds.

As for computerised profiling, do you think an administration that spent €150m on a useless e-voting system and the same amount again on a dodgy HRM system for the Health Service is remotely capable of such a thing?

The motivation behind the e-voting was probably corrupt.

Anyway, e-voting machines aside, I think the value of having mass-profiling and speech/face/number plate recognition would be huge to any security force/government. It's just your freedom goes out the window. It's only a matter of time before smart CCTV, all-electronic purchasing (right down to your lunch-time mars bar), phone call transcribing and location tracking becomes the norm rather than the exception.

It seems the scientists and the spooks are miles ahead of the government and the legal system with regards controlling the spawning of these technologies.

DublinWriter

Cantab. wrote: »

I used to work in a call centre in my student days and we had full access to millions of US customers. We could look up Michael Jackson or Michael Jordan and see how many cars they had! Data protection my ass.

Meanwhile, back in Ireland...

Cantab. wrote: »

It doesn't have to be done by the intelligence service. The army and/or guards could implement an automatic profiling system if they really wanted to. All they need is to put out a tender (in the UK or the US) and train a couple of their members on how to operate the system.

Yes, the already over-stretched resources of An Garda Siochana are too busy manning the sweet-shop in Templemore. Such a inituative would require direction from the Minisiter of Justice. I'll be checking the very publically accessible etenders.gov.ie on a regular basis for the evidence of such an RTF, but as for now, I won't hold my breath.

Cantab. wrote: »

The motivation behind the e-voting was probably corrupt.

Nope, just inept.

Cantab. wrote: »

It seems the scientists and the spooks are miles ahead of the government and the legal system with regards controlling the spawning of these technologies.

Dude, you've been watching too many episodes of Spooks and James Bond films. This is Ireland, they can't even resource a basic policing service, don't go getting all 'Minority Report' on yourself.

Cantab.

DublinWriter wrote: »

Dude, you've been watching too many episodes of Spooks and James Bond films. This is Ireland, they can't even resource a basic policing service, don't go getting all 'Minority Report' on yourself.

I've never seen an episode of minority report or spooks. In fact, I don't watch TV at all.

Anyway, the point I was trying to make that surveillance systems can be implemented at the behest of foreign governments and not just the Irish government. If UK/US agencies came in and asked for access to data channels I very much doubt the Irish authorities are going to scream "think of the data protection".

mick.fr

DublinWriter wrote: »

As for the Irish Intelligence Service? There isn't one. Period. Threats to domestic security posed by both native and foreign subversives are handled by a specialised unit of the Crime and Security section of An Garda Siochana and the Irish Army Intelligence unit called G2.

Although Ireland is a signatory to the Echelon system, we are in name only and we don't have any US NSA presence or hardware on Irish soil. Yet.

Yes agree but there is, as little as they might be, and whatever form they have, they do have exchanges with other nations services. There is even Interpol in da Park :-)

No Echelon system in Irish soil, but on US soil in Dublin there is :-) most of the US embassies are stuffed with some very nice gadgets :-) they can record phone calls, fax etc without the need of having a huge white balloon in a cow field.

mick.fr

probe wrote: »

In Germany, they just enacted retention at the start of 2008 and the period is 6 months - the same as Switzerland.

In France, Décret n° 2006-358 of 24.03.2006 requires traffic data to be destroyed after 1 year.

.probe

I really don't think so for Germany, I believe this is older than that.
And for France, this is only an amendment. This has been up since a couple of years already.

Cantab.

mick.fr wrote: »

Yes agree but there is, as little as they might be, and whatever form they have, they do have exchanges with other nations services. There is even Interpol in da Park :-)

No Echelon system in Irish soil, but on US soil in Dublin there is :-) most of the US embassies are stuffed with some very nice gadgets :-) they can record phone calls, fax etc without the need of having a huge white balloon in a cow field.

Just what goes on in the Phoenix Park exactly?

mick.fr

Cantab. wrote: »

Just what goes on in the Phoenix Park exactly?

If I knew you would be the last to know lol
I have just been told this is where they are, which is not a surprise since this is the Police HQ.

Capt'n Midnight

Cantab. wrote: »

Think about how much it would cost to deploy a speech recognition system on say 2 million phone users in Ireland.
...
The motivation for such systems is huge. It's only a matter of time and I wouldn't be at all surprised if they borrow technology and expertise from Britain/America to help identify suspects/terrorists/etc.

This was being done in the UK in the 80's triggered by keywords

Capt'n Midnight

mick.fr wrote:

And 2 since there is no obligation whatsoever in this country to register a Ready to Go phone with a valid ID at least, who would you prove that Mr. X was spoken to Mr. Y

Mr X was 120m away from the south west sector antenna, and look we have him on CCTV
Also we have Mr Y's and Mr W's phone in close proximity to his on many other occasions And we know who Mr W is

Ireland is one of the latest country in EU where anybody can buy a handset with credits and carry illegal activities in other EU countries without giving the chance to the authorities to prove who was actually speaking over the phone.

Secondhand ready to go FTW

Capt'n Midnight

My understanding of it is that traffic between the phone and the base station is encrypted and is not easy to break.
Traffic from the base station back to the rest of the network isn't encrypted to the same level if at all.


http://foreignaffairs.gov.ie/home/index.aspx - didn't they have a big antenna on the roof ?

IIRC most of the budget for "spying" went to pay for informers

mick.fr

Capt'n Midnight wrote: »

Mr X was 120m away from the south west sector antenna, and look we have him on CCTV
Also we have Mr Y's and Mr W's phone in close proximity to his on many other occasions And we know who Mr W is

Secondhand ready to go FTW

Well not extremely relevant, it is certainly true in many circumstances, but if originally if you don't have the guys passport copy and CCTV, it is difficult to prove such guy has ever used a specific phone line/handset.

That is the reason why in other countries most of the time you have to provide a valid ID and proof of address when you want to get, even a ready to go handset, and especially one I would even say.

Martyr

its not difficult to change IMEI on handset, mick.fr - its not even illegal in ireland to do so.
even if it were, phone companies could hardly block what they thought was a fake IMEI

additionally, there are highly skilled phone reverse engineers who could no doubt create a phone based on someone elses.

its not the same as cloning btw - sim cards since 2002 are extremely difficult, nearly impossible to clone.

but there are weaknesses in software, and alot of it is running on base stations, phones..etc - so in fairness, this whole idea of making sure people can't buy a new phone sim or handset is only gonna stop morons making abusive phone calls..etc not really track down terrorists or those with the money to buy such a phone

Screaming Monkey

Capt'n Midnight wrote: »

My understanding of it is that traffic between the phone and the base station is encrypted and is not easy to break.

Its getting cheaper to break the encryption, which i suppose makes it easier
http://www.schneier.com/blog/archives/2008/02/cryptanalysis_o_1.html

probe

The freedom of information disclosures obtained by IT journalist Karlin Lillington on telecommunications data retention in IRL are at:

http://www.dcmnr.gov.ie/NR/rdonlyres/4BABB2D3-63DD-4C7B-87F3-71E75E5A7E11/0/FOI_92_Records.PDF

According to the FoI disclosure, traffic data is retained for 6 or 7 years by eircom/Telecom Eireann/P&T, and probably most of the rest of them.

In the Act (IRL-2005/02), there is nothing in it requiring eircom or any of the other e-spying agencies (telcos) to delete the traffic data after 3 years. While the Data Protection office told the telcos to delete traffic data in 2005, McDowell seems to have overridden the Data Protection commissioner by requiring them to hold on to the data in section 63(3) of his "terror act". http://www.irishstatutebook.ie/2005/en/act/pub/0002/sec0063.html#partvii-sec63

French law (F-2005/358) requires telcos to delete traffic data after one year.

In the information in the FoI disclosure above, the Data Protection Commissioner states that eircom/Telecom Eireann is in breach of the Act. Section 6 of the Act gives everybody the right to write to eircom (or their mobile phone company, etc) to require them to erase the traffic data they are holding as a result of their breach of the Act. http://www.irishstatutebook.ie/1988/en/act/pub/0025/sec0006.html#zza25y1988s6. Under the Act, (sec 2) eircom or whoever may not keep data “for longer than is necessary for that purpose or those purposes” (ie billing and to comply with McDowell’s 3 year data retention racket).

The Attorney General’s advice has been tippex’d out! One wonders why this advice has been deleted? Is it an admission of illegality or unconstitutionality in the law? Or its breach of article 8 of the European Convention on Human Rights regarding the right to privacy of personal correspondence. http://www.echr.coe.int/NR/rdonlyres/D5CC24A7-DC13-4318-B457-5C9014916D7A/0/EnglishAnglais.pdf

On page 41 of the FoI document, they reveal an EU proposal to collect telecommunications for every country in the EU in a central European database, and store it for 2 years!

Yet another reason to vote NO! in the forthcoming EU referendum.

Support Digital Rights Ireland - www.digitalrights.ie

.probe

probe

www.siliconrepublic.com

28.02.2008 - “From the age of uniformity, from the age of solitude, from the age of Big Brother, from the age of doublethink – greetings!” – George Orwell, 1984
We are about to enter into a state where every digital step you take is recorded. At the end of March, the Government will introduce the most draconian law in the history of personal privacy in Ireland: 24-hour internet monitoring. A log will be made of everyone’s internet activity and every email sent and received.

Greetings from the State of surveillance.

By the end of March 2008, the Irish Government will begin mass digital surveillance, noting when we log on and log off the internet, as well as every email we send and who we send it to. We have entered into a new democratic state where our entire digital footprint is recorded and stored for up to two years by our internet service providers (ISPs).

Legal professionals suggest the move equates to the mass digital surveillance of the entire people of Ireland and may leave the Government to weather a brewing legal storm over the issues of human rights and privacy.

The Criminal Justice (Terrorist Offences) Act 2005 implies that personal data would only ever be accessed in the situation of fighting terrorist offences.
But this is not the case: presently your stored telecommunications data may be accessed in the investigation of any crime, be it serious or trivial, in relation to a terrorist offence or not at all.

So what is the worst that can happen? Death, according to the personal weblog of law lecturer and chair of civil rights group Digital Rights Ireland, TJ McIntyre. He was referring to the case of a pensioner in the UK who died following a heart attack after a brick was thrown through the window of his house by an irate driver who felt he had taken her parking space at the local supermarket.

How did this woman track down the elderly man? Her boyfriend called in a favour from a policeman friend who provided the man’s home address after running his registration plate through the system.

Granted, this example is extreme, but even the ‘mildest’ outcome of this surveillance still means a massive storage headache for the Irish IT industry. A more severe case is a damaging security breach and public information leak. We have seen recent cases both in Ireland and the UK where breach of private data has ranged from criminal to accidental with far-reaching implications.

Here in Ireland several data leaks have occurred, including the case of a senior civil servant who accessed without authorisation and then sold the social welfare records of 40 different individuals to the media.

Furthermore, the Data Protection Commissioner, Billy Hawkes, doesn’t think the wide scope given to the Gardaí to access our stored data will be reined in.

“We are taking it that no attempt will be made to raise the bar from the current provisions which permit access to these records by the Gardaí when investigating ‘crime’, in order to bring them into line with the directive provision requiring access to records when investigating ‘serious crime’,” he says.

“Even more worrying is the recent loss of a laptop containing almost 175,000 patient records belonging to the Irish Blood Transfusion Service. The laptop was stolen from a worker at a New York blood bank who had taken it from the premises while carrying out a software upgrade. It contains files relating to 174,324 donor records and 3,294 patient blood group records made between July and October last year.”

This leaves us in a situation where the ISPs are investing in terabytes of extra storage to retain data that if lost or breached will affect everyone, while those who wish to avoid detection have the ability to do so.

The cost of this data retention weighs heavily on the minds of ISPs located here in Ireland.

If the Government was to go in line with the current data retention period of three years for telephony and decide upon the upper limit of two years for internet data, then this could have the effect of de-clawing the already ageing Celtic Tiger, warns Paul Durrant, general manager of the Internet Service Providers Association of Ireland (ISPAI).

“The ISPAI is very concerned that if the Irish Government decides upon a retention period of over six months, greater than most of our leading competitors in Europe, this could have a detrimental effect on the IT industry in Ireland, which has played such a central role in generating the Celtic Tiger and giving us the standard of living that we now have.

“People don’t realise how volatile and how mobile internet-based industries are. Marginal cost differences can have a huge impact on location-based decisions,” says Durrant.

Google, with European headquarters in Dublin, has previously expressed concern over the provisions of the EU Directive and its impact on consumer privacy, internet firms and the ISPs.

“Google isn’t just a large employer but a very significant one because it acts as a beacon for other high-tech firms and shows that Ireland is a serious player in the international market,” says Simon McGarr of McGarr Solicitors.

McGarr’s firm represents civil rights group Digital Rights Ireland in its ongoing case against domestic and EU data retention laws.

“When this data retention is extended to internet data, it requires ISPs to store information that they have absolutely no business requirements for. It is being stored purely to meet the requirements of this legislation and therefore is a huge additional burden on many ISPs,” Durrant observes.

Given the short timeframe for putting this legislation into action, the industry – ie ISPs – should know the score. They are charged with the responsibility of storing this vast bank of data on the Irish citizen, but frustratingly they are still not quite sure of their role in the process.

“We, as ISPs, do not have any difficulty with the objective of fighting serious crime but what we need are clear instructions on the expectations of governments across Europe as to what exactly it is we have to retain and when,” says Durrant.

Shane Deasy, managing director for wireless internet provider BitBuzz, while willing and able to comply with the new legislation, echoes Durrant’s sentiment: “There is a grey area – details we have yet to get answers to.

“The industry has met with the Department of Justice and has had several discussions on this forthcoming legislation but to my knowledge the industry has not yet been given information on exactly what data they are required to store and for how long.

“It may require a lot more storage on the part of the ISPs but at the moment we simply don’t know exactly what we are going to be asked to retain.”

If the notion of mass electronic surveillance makes you feel uncomfortable and you are left wondering when this democratic decision was made and why you didn’t add your tuppenceworth, it is probably worth mentioning that you never had a say in the first place.

Current data retention requirements in Ireland have their legal grounding in the Criminal Justice (Terrorist Offences) Act 2005, added on at the last minute and pushed through by the then Minister for Justice, Michael McDowell, without public discussion or visibility.

This time around it seems to be the same old story. “We have not yet seen any specific proposals from the Government, either in terms of a statutory instrument or anything else,” says Pat Rabbitte, Labour’s justice spokesman.

Rabbitte vows not to let this happen again with the impending EU data retention directive: “We will insist that this does not happen on this occasion and that all proposals in this area are properly discussed and their implications fully teased.”

Clearly opposition parties, civil rights groups and Irish citizens feel the need for more discussion surrounding the directive before it is rushed through by statutory instrument.

“The Irish Government claims it is introducing the directive now because it is running out of time but in fact it had the power to avail of a further exemption for another 18 months: something many other member states did but Ireland chose not to,” says McGarr.

The big question, he adds, is whether our civil rights under Article 8 of the European Convention on Human Rights are being upheld: “This is the mass surveillance of the people of Ireland.”

All this information is being stored about every innocent citizen out there and Durrant along with many others believes that it is in some ways turning around the whole reality of our legal system.

The real problem with this directive, he says, is that ISPs will be storing terabytes upon terabytes of data relating to innocent people who are doing nothing except going about their normal digital lives of browsing and emailing.

The adage of “the innocent have nothing to fear” is clearly not the case and McIntyre adds that data retention is trivially easy to circumvent, so those who want to avoid being detected will find a way regardless of mass digital surveillance.

“If you want to avoid data retention, there is simple software you can use to do it and simple mechanisms such as using a non-EU web-based email provider,” he said, adding that telephony monitoring can be avoided by purchasing a pre-pay mobile SIM card, which does not require registration.

“The criminals, who you really want to capture, are the very people who will take the trouble to know how to get around this, so although they will possibly leave digital footprints, it could be extremely difficult to find them.”

http://www.siliconrepublic.com/news/news.nv?storyid=single10383

.probe

liamo

As mentioned on a different, I think it may be time to start tunnelling Internet traffic through a non-EU hosted VPN.

On a related note, I wasn't clear if capture and retention of email traffic relates to email in an Email provider's site (eg someone@eircom.net, etc) or all traffic on port 25, etc. Can anyone provide clarity on this?

I host my own email on my home server however it goes through Eircom's infrastructure and is subject to any and all surveillance. Of course, I could host my server in a non-EU location and access it over a VPN but any emails to and from EU hosted mail servers will still be subject to surveillance which kind of defeats the purpose of moving it in the first place.

Is anyone currently taking any steps to protect their privacy? Like to share them?

Regards,

Liam

probe

liamo wrote: »

As mentioned on a different, I think it may be time to start tunnelling Internet traffic through a non-EU hosted VPN.

On a related note, I wasn't clear if capture and retention of email traffic relates to email in an Email provider's site (eg someone@eircom.net, etc) or all traffic on port 25, etc. Can anyone provide clarity on this?

I host my own email on my home server however it goes through Eircom's infrastructure and is subject to any and all surveillance. Of course, I could host my server in a non-EU location and access it over a VPN but any emails to and from EU hosted mail servers will still be subject to surveillance which kind of defeats the purpose of moving it in the first place.

Is anyone currently taking any steps to protect their privacy? Like to share them?

Regards,

Liam

The best solution is to physically relocate yourself out of Ireland!

Assuming this is not practical in your circumstances, the other option is to relocate virtually. VPN your way out and suggest to your contacts that they do the same thing, perhaps sharing your platform. Rent a server from a hosting service in Germany or Switzerland – and share the cost with your friends/contacts.

While Germany is in the EU, it has a sound legal system, a good constitution, a strong culture of personal liberty and freedom, and an efficient court system to protect people’s legal rights against abuse by the state or snooping terrorist telcos.

Germany’s and Switzerland’s data retention limit is six months, which I would have thought most people would regard as being reasonable. As opposed to Ireland’s out of control, poorly regulated, badly legislated for, three to seven years+ data retention e-spying on citizens racket, where there is no independent, accountable, court supervision and pre-approval of what is going on. It operates under half baked, rushed legislation, pushed through the system by a ******* *****, who fortunately lost his Dáil Éireann seat, and is now out of the political equation. Unfortunately the damage he has done to people’s human rights remains ongoing.

Back to the virtual solution: On your bare bones server in a hosting centre in Germany or Switzerland, install (or get the host to install) something like Astaro security gateway software on it (open source, made in Germany, linux based firewall, VPN, unified threat management software package that gets updated several times a week) and let all your friends/contacts VPN to it over the internet. All the Irish telco mafia will see is AES256 noise for whatever you and your contacts are doing on the net. The Irish traffic data will just show a boring single connection to your box in Germany.

While the Astaro solution is aimed at the corporate market, Astaro software is free for personal use. It supports SSL, PPTP, and L2TP over IPsec, and IPsec VPNs, site to site VPNs and the client VPN software is free, and can run on Linux, MacOS X, BSD or Solaris, as well as Windows 2000/XP client machines.

The Astaro gateway also has VoIP security, email encryption (set-up in a way that is easy to use for people who aren’t into encryption stuff), anti-virus, and lots more. Download the software (which includes a Linux OS in the package), burn the ISO as an image on a CD or DVD, boot from the CD or DVD using a spare old PC - it will erase and reformat the hard disk in the process, and have a play with it – and you will see its potential. The entire package is very lightweight, and only requires a minimal hardware platform to operate.

The Astaro security gateway is also available as a security appliance in various sizes that scales up to large corporate environments, and is ideal for companies with home workers or road warriors who don’t want their business secrets sold to their competitors by the intelligence gathering mafia in neighbouring rogue states or elsewhere.

Links:

www.astaro.com

Download software: http://www.astaro.com/download - private users can get a free license to use this with updates for life.

“How to” videos (setting up set it up, setting up VPNs, email security, tunnelling, proxy profiles), etc:
http://www.astaro.com/support/recorded_technical_videos

Product overview:
http://www.astaro.com/content/download/2903/23691/file/Astaro_Security_Gateway_Overview_us.pdf


.probe

PS: AND VOTE NO IN THE EU CONSTITUTION REFERENDUM!

The EU has allowed itself to be turned into a tool for politicians to get away with doing things the electorate doesn't want. The antithesis of democracy.

Black Swan

Get your tin foil hats on cause No Such Agency has virtually an unlimited budget and the technology to access anyone on the planet since 9/11, and will continue to have these resources no matter who wins the USA presidency year end. The only thing that ensures some measure of privacy from them are the huge numbers of telecomm users (hundreds of millions?) and the logistical nightmare of sorting through those few to follow and the vast majority to ignore; i.e., whom to take seriously among the tens of millions of innocent BS'ers that use the same key words to chat as the bad guys for example?

VPN'ing your communications through another country's host will only increase their interest in you, cause you must admit, it would be a bit extraordinary?

probe

Blue_Lagoon wrote: »

Get your tin foil hats on cause No Such Agency has virtually an unlimited budget and the technology to access anyone on the planet since 9/11, and will continue to have these resources no matter who wins the USA presidency year end. The only thing that ensures some measure of privacy from them are the huge numbers of telecomm users (hundreds of millions?) and the logistical nightmare of sorting through those few to follow and the vast majority to ignore; i.e., whom to take seriously among the tens of millions of innocent BS'ers that use the same key words to chat as the bad guys for example?

VPN'ing your communications through another country's host will only increase their interest in you, cause you must admit, it would be a bit extraordinary?

If one has nothing to hide, who cares? Anyway Germany is not “another country” – it is an EU member state. If you are doing something criminal over your vpn set-up, I have no doubt the Gardai can easily apply to a German court for access to your traffic data, and your Astaro server logs.

The purpose of this exercise from my perspective is a protest at the shambolic (to quote myself again) “badly legislated for, three to seven years+ data retention e-spying on citizens racket, where there is no independent, accountable, court supervision and pre-approval of what is going on. It operates under half baked, rushed legislation, pushed through the system by a ******* *****, who fortunately lost his Dáil Éireann seat, and is now out of the political equation. Unfortunately the damage he has done to people’s human rights remains ongoing.”

It is nothing to do with hiding criminal activity. Rather it is action to protect your personal human rights against illegal laws in Ireland. Laws that are in breach of the ECHR and the Irish Constitution.

And to preserve your freedom of speech against the appalling monopoly racket that is the telecommunications market in Ireland. Run by racketeers that won’t hesitate to attempt to “pay you back” given the opportunity, if you are a loud enough critic.

Take another simple example, like your Google search keywords for the past three years – would you like those to be published in a supplement to the Irish Times on Monday morning, with your name and picture? Do you want them to be stored for three years under data retention laws, for some public servant neighbour of yours to look at when they have nothing better to do some Friday afternoon? "for a laugh"?

Quoting Gereman Federal Judge, Hans-Jürgen Papier, in his ruling delivered on Wednesday "Collecting such data directly encroaches on a citizen's rights, given that fear of being observed" could prevent "unselfconscious personal communication".

This is not hiding stuff of interest to the NSA snoops – because they will be able to see it anyway (the web surfing bit) in the clear when it enters the internet in Germany.

Corporate laptops and general IP traffic over the internet is using VPN technology all the time. There is a tonne of VPN traffic sloshing around the net.

.probe

Cantab.

Is there no open-source secure email?

And by secure, I mean above 256 bit.

Personally, I'd love to be able to secure all my text and voice communications with 10000 bit public/private key encryption. I imagine I wouldn't be allowed to correspond with anyone in the US cos they've got limits on key sizes? Or is that law now outdated?

EU Convention for the Protection of Human Rights and Fundamental Freedoms

Article 8 – Right to respect for private and family life

1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Cantab.

Blue_Lagoon wrote: »

Get your tin foil hats on cause No Such Agency has virtually an unlimited budget and the technology to access anyone on the planet since 9/11, and will continue to have these resources no matter who wins the USA presidency year end. The only thing that ensures some measure of privacy from them are the huge numbers of telecomm users (hundreds of millions?) and the logistical nightmare of sorting through those few to follow and the vast majority to ignore; i.e., whom to take seriously among the tens of millions of innocent BS'ers that use the same key words to chat as the bad guys for example?

VPN'ing your communications through another country's host will only increase their interest in you, cause you must admit, it would be a bit extraordinary?

I've done a lot of work on voice recognition and information extraction from text. You would not believe the amount of effort that has gone into this technology. The best brains have been working on it for years. What really did it for me was when I saw a room full of top-of-the-range servers churning away on voice calls day and night in about 10 different languages. It's absolutely unbelievable what's going on.

probe

Cantab. wrote: »

Is there no open-source secure email?

And by secure, I mean above 256 bit.

Personally, I'd love to be able to secure all my text and voice communications with 10000 bit public/private key encryption. I imagine I wouldn't be allowed to correspond with anyone in the US cos they've got limits on key sizes? Or is that law now outdated?

I think you might be a bit paranoid about encryption key sizes.

AES is the Rijndael encryption standard developed at www.kuleuven.be/english - a well known Belgian university founded in 1425 - long before www.nsa.gov was even thought of.

The 256 bit symmetric key used by AES is roughly equivalent to a 15,360 bit asymmetric key (eg RSA – if they had such a monster).

Use a tough password (say 60 characters of random text and symbols) and you'll be long dead before they manage to crack it, if ever! Even if they take down google and use its global processor resources flat out in their attempts.

.probe

Black Swan

probe wrote: »

It is nothing to do with hiding criminal activity. Rather it is action to protect your personal human rights against illegal laws in Ireland. Laws that are in breach of the ECHR and the Irish Constitution.

Do you want them to be stored for three years under data retention laws, for some public servant neighbour of yours to look at when they have nothing better to do some Friday afternoon? "for a laugh"?

Fair enough. One other problem with these extraordinary data retention laws is that it cost money to store this huge amount of data by ISPs (and other telecom providers), and who ultimately pays for it? Not the provider! This cost is passed on to the customer, so not only are they violating your privacy, but they are also charging you to do it.

Cantab.

Blue_Lagoon wrote: »

Fair enough. One other problem with these extraordinary data retention laws is that it cost money to store this huge amount of data by ISPs (and other telecom providers), and who ultimately pays for it? Not the provider! This cost is passed on to the customer, so not only are they violating your privacy, but they are also charging you to do it.

Storage is cheap.

All you need to store is the call time, originating phone number and the destination phone number (and perhaps the length of the call).

A couple of bytes per call.

Multiplied by 3-4 million phones, add a bit of zipping and 10TB odd would store 3 years of data. It's not rocket science. The data is there already -- why dispose of it if it's useful? (to the government that is)

Cantab.

probe wrote: »

I think you might be a bit paranoid about encryption key sizes.

AES is the Rijndael encryption standard developed at www.kuleuven.be/english - a well known Belgian university founded in 1425 - long before www.nsa.gov was even thought of.

The 256 bit symmetric key used by AES is roughly equivalent to a 15,360 bit asymmetric key (eg RSA – if they had such a monster).

Use a tough password (say 60 characters of random text and symbols) and you'll be long dead before they manage to crack it, if ever! Even if they take down google and use its global processor resources flat out in their attempts.

.probe

I'm paranoid about any encryption standards "authorised" by the NSA.

This new elliptic curve stuff that Microsoft are pushing looks dodgy to me. I've heard reports of back doors.

People talk about encryption crackers that take the lifetime of the universe to crack. Yeah, sure, but if you get dedicated hardware on board, lots of data pruning and some smart guys you could crack these codes.

Capt'n Midnight

Cantab. wrote:

Storage is cheap.

Amen.
The cost of storing everything since day one , is twice the cost of storing the next 18 months of data, always has been. Larger data sets and more processor power mean slightly greater data compression opportunities too.

You don't think they really spent all those millions on e-voting machines. Or that the tolling system on the M50 really costs 114Million or why the health and the NRA seem such poor value for money

Seriously something like BOINC running on government / civil service / semi-state PC's would give serious crunching power, for just the cost of electricity.

probe

Cantab. wrote: »

Storage is cheap.

All you need to store is the call time, originating phone number and the destination phone number (and perhaps the length of the call).

A couple of bytes per call.

Multiplied by 3-4 million phones, add a bit of zipping and 10TB odd would store 3 years of data. It's not rocket science. The data is there already -- why dispose of it if it's useful? (to the government that is)

The date and time the call started, call duration, location of caller, calling and called and diverted to numbers, IMEI, IMSI, unanswered calls, and text messages exchanged etc. etc.

And for internet traffic, the date, time, ip numbers, the URL (which contains things like google search keywords), etc. Streaming audio and video (eg watching youtube pages) generates a lot of network packets to be logged.

But that is a minor aside, compared with the big issue concerning fundamental breaches of human rights by the EU and the banana republics that carry out these directives by implementing them into law without proper judicial safeguards to control access to the data accumulated.

.probe

Cantab.

probe wrote: »

The date and time the call started, call duration, location of caller, calling and called and diverted to numbers, IMEI, IMSI, unanswered calls, and text messages exchanged etc. etc.

And for internet traffic, the date, time, ip numbers, the URL (which contains things like google search keywords), etc. Streaming audio and video (eg watching youtube pages) generates a lot of network packets to be logged.

But that is a minor aside, compared with the big issue concerning fundamental breaches of human rights by the EU and the banana republics that carry out these directives by implementing them into law without proper judicial safeguards to control access to the data accumulated.

.probe

Sorry, but I don't trust anyone with my personal information -- I don't want my own father to know the full details of my phone and internet usage, what I say and when I said it.

So, I'm hardly going to want/trust the government to manage my information.

Gombeens in charge of Ireland means gombeens having access to your data. No thanks.