Provision of Real-time Lawful Interception Assistance

THE POSTAL AND TELECOMMUNICATIONS SERVICES ACT 1983 AS AMENDED BY THE POSTAL PACKETS AND TELECOMMUNICATIONS MESSAGES (REGULATION) ACT 1993

The Postal and Telecommunications Services Act 1983 (the “1983 Act”) (as amended by the Postal Packets and Telecommunications Messages (Regulation) Act 1993 (the “1993 Act”)) establishes a regime for the interception of telecommunications messages under Irish law. Although “telecommunications message” is not defined for these purposes, it is likely to include emails and SMS messages as well as phone calls etc.

Section 110 of the 1983 Act provides that the Minister for Posts and Telegraphs (now the Minister for Communications, Energy and Natural Resources) (the “Minister”) may issue directions in writing to a Licenced Operator requiring them to do (or refrain from doing) anything which the Minister may specify from time to time as necessary in the national interest. As a direction by the Minister is a specific exception to the prohibition on interception of telecommunications messages under section 98 of the same Act, it is clear that the Minister may issue a direction in writing to mobile network operators requiring them to intercept individual customer communications. As such, it would seem that the Minister’s powers are sufficiently broad to require Licenced Operators to assist in implementing interception capabilities on their networks. However, for such a direction to authorise the implementation of interception capabilities on a Licenced Operator’s network (such as Vodafone’s network), the direction would need to very specifically refer to this. Furthermore, under section 110 of the 1983 Act, the Minister’s powers seem sufficiently broad to allow implementation of a technical capacity that enables direct access to a Licenced Operator’s network (without the Licenced Operator’s operational control or oversight).

In addition, section 2 of the 1993 Act provides that the Minister for Justice may give an authorisation of interception in writing or in a case of exceptional urgency, orally, for the purpose of criminal investigation or in the interests of the security of the State. The definition of “interception” contained in section 1 in the 1993 Act would seem to encompass the interception of individual customer communications. The Minister for Justice is specifically empowered to enable another person to intercept a telecommunications message, and as such the powers of the Minister for Justice would seem sufficiently broad to require Licenced Operators to assist in implementing interception capabilities on their networks. However, for such an authorisation to require the implementation of interception capabilities on, for example, Vodafone’s network, the authorisation would need to specifically refer to this.

Applications for an authorisation of interception under Section 2 of the 1993 Act must be made in writing by the Garda Commissioner or the Chief of Staff of the Defence Forces for the purpose of criminal investigation or in the interests of the security of the State.

Section 2(5) of the 1993 Act provides that authorisations of interception under Section 2 of the 1983 Act shall remain in force for a maximum of three months, unless extended for a further three months at a time under Section 2(6) of the 1993 Act.

POSTAL AND TELECOMMUNICATIONS SERVICES (AMENDMENT) ACT 1999

Section 7 of the Postal and Telecommunications Services (Amendment) Act 1999 (the 1999 Act) applies the provisions of the 1983 Act and the 1993 Act relating to directions, authorisations and warrants for the interception of telecommunications messages to telecommunications operators licensed under the 1983 Act (Licensed Operators). As Vodafone is a Licensed Operator, it is subject to the interception regime set out in the 1983, 1993 and 1999 Acts and as such, may be required to intercept individual customer communications.

CRIMINAL JUSTICE (SURVEILLANCE ACT) 2009

Section 4 of the Criminal Justice (Surveillance) Act 2009 (the 2009 Act) states that a superior officer of the Garda Síochána (the Irish police), the Defence Forces or the Revenue Commissioners may apply to a judge for an authorisation to carry out surveillance where they have reasonable grounds for believing that it is necessary for a criminal investigation into, or the prevention of the commission of, an arrestable offence (Garda Síochána and Revenue Commissioners) or maintaining the security of the State (Garda Síochána and Defence Forces).

Section 1 of the 2009 Act defines ‘surveillance’ as:

i. monitoring, observing, listening to or making a recording of the movements, activities and communications of a particular person/group of persons; or

ii. monitoring or making a recording of places or things by or with the assistance of surveillance devices.

As such, the powers granted to Irish law enforcement agencies under Section 4 of the 2009 Act seem sufficiently broad to allow the implementation of a technical capability that enables direct access to a Licensed Operator’s network (without the Licensed Operator’s operational control or oversight).

Applications for authorisations of surveillance under Section 4 of the 2009 Act can be made to any District Court judge on sworn evidence by a member of the Garda Síochána, not below the rank of chief superintendent, or an officer of the Permanent Defence Force, not below the rank of colonel, in order to safeguard the security of the State where to do so is justified.

In addition, a member of the Garda Síochána or a member of the Defence Forces may carry out surveillance without an authorisation under Section 7 of the 2009 Act if the surveillance has been approved by a superior officer in circumstances where the security of the State would otherwise be likely to be compromised.

Disclosure of Communications Data

COMMUNICATIONS (RETENTION OF DATA) ACT 2011

Section 6 of the Communications (Retention of Data) Act 2011 (the 2011 Act) allows for the making of requests to service providers to disclose customer data retained in accordance with Section 3 of the 2011 Act (a Disclosure Request).

Section 1 of the 2011 Act defines ‘service provider’ as a ‘person engaged in the provision of a publicly available electronic communications service or a public communications network by means of a fixed line or mobile telephone or the Internet’ (referred to herein as a Licensed Operator). As Vodafone falls within the definition of a service provider, it is subject to the retention and disclosure of data regime set out in the 2011 Act.

In addition, Schedule 2 of the 2011 Act details the types of information in relation to  fixed network and mobile telephony which must be retained by Licensed Operators, for two years:

i. the names and addresses of subscribers or registered users; and

ii. the data necessary to identify the location of mobile communication equipment.

The types of information in relation to internet access, internet email and internet telephony which must be retained by Licensed Operators for one year:

i. the names and addresses of subscribers; and

ii. registered users to whom IP addresses, user ID or telephone numbers are allocated.

Disclosure Requests under Section 6 of the 2011 Act can be made by a member of the Garda Síochána, not below the rank of chief superintendent, an officer of the Permanent Defence Force, not below the rank of colonel, or an officer of the Revenue Commissioners, not below the rank of principal officer. Such parties may request a Licensed Operator to disclose customer data retained in accordance with Section 3 of the 2011 Act where the data is required for:

i. the prevention, detection, investigation or prosecution of a serious offence (Garda Síochána and Revenue Commissioners);

ii. the safeguarding of the security of the State (Garda Síochána and Defence Forces); and

iii. the saving of human life (Garda Síochána and Defence Forces).

Under Section 6(4) of the 2011 Act, Disclosure Requests should be made in writing, or in a case of exceptional urgency, orally.

Law enforcement agencies in Ireland may obtain search warrants under a wide array of legislation. Such search warrants may be issued in respect of stored customer data, which may require Vodafone to provide copies of relevant metadata relating to customer communications and to disclose the content of stored customer communications, including voicemails.

Law enforcement agencies in Ireland may also obtain Orders requiring persons to show a member of the Garda Síochána any material which is in their possession which is likely to be of substantial value in the context of certain criminal investigations or proceedings (Disclosure Orders), under a variety of statutes including the Central Bank (Supervision and Enforcement) Act 2013, the Criminal Justice Act 2011 and the Taxes Consolidation Act 1997. Such Disclosure Orders may require Vodafone to provide copies of relevant metadata relating to customer communications and to disclose the content of stored customer communications.

The extent of the powers of an Irish law enforcement agency under a search warrant will depend on the particular statutory provisions under which the warrant has been issued. There is no standard regime in relation to search warrants in Irish law, and warrants may be issued under approximately 200 different statutes. It is therefore difficult to outline the exact obligations which all such warrants impose.

The powers under a warrant will generally include, as a minimum, a power to enter premises, to search the premises for relevant evidence, and to seize and retain anything which may be regarded as evidence. Further powers, such as the power to put certain questions to persons present on the premises, and to require the assistance of such persons, are also common.

While warrants are generally issued to the Garda Síochána, they may also be issued to other law enforcement bodies including the Competition Authority, the Office of the Director of Corporate Enforcement and the Revenue Commissioners, in connection with offences over which they have jurisdiction.

Disclosure Orders are similar to search warrants, and may include a power to enter premises and to search for the relevant material. However, the focus of Disclosure Orders is on obtaining material from third parties, and they operate in the first instance as a direction to the third party to produce the relevant material, rather than a power for law enforcement agencies to enter premises and seize it. Disclosure Orders often include a provision stating that where the relevant information is not in legible form, the subject of the Order shall be required to give the password to the information to enable the law enforcement agency official to examine the information or produce the information in a form in which it is, or can be made, legible and comprehensible. The exact extent of the powers of an Irish law enforcement agency under a Disclosure Order will depend on the particular statutory provisions under which the Disclosure Order has been issued. For example, the provisions dealing with Disclosure Orders in some Acts, such as the Criminal Justice Act 1994, specifically refer to information held on computers. There is no standard regime in relation to Orders to make material available in Irish law, and such Orders may be issued under a number of different statutes.

National Security and Emergency Powers

Except as already outlined above, the government does not have any other legal authority to invoke special powers in relation to access to Licensed Operators’ customer data and/or network on the grounds of national security.

There do not seem to be any additional special powers bestowed on the government in times of emergency.

Oversight of the Use of Powers

POSTAL PACKETS AND TELECOMMUNICATIONS MESSAGES (REGULATION) ACT 1993

Section 8 of the 1993 Act provides that the government can designate a High Court judge for the purposes of the 1993 Act (the Designated Judge). The Designated Judge must keep the operation of the 1993 Act under review and ascertain whether its provisions are being complied with.

The Designated Judge reports to the Irish Prime Minister (the Taoiseach) periodically and can investigate any case in which an authorisation of interception has been given. If the Designated Judge informs the Minister for Justice that a particular authorisation of interception should not have been given, should be cancelled or should not have been extended, the Minister for Justice shall inform the Minister and cancel the authorisation.

In addition, any contravention of the 1993 Act is subject to investigation by the complaints referee (a judge of the Circuit Court, District Court or a barrister or solicitor of at least 10 years’ standing) (the Complaints Referee), under Section 9 of the 1993 Act. Where a person believes that a communication has been intercepted, they can apply to the Complaints Referee for an investigation into whether an authorisation of interception was in force and if so, whether there has been any contravention of the provisions of the 1993 Act. If there has been (i) a contravention; or (ii) a contravention which the Complaints Referee deems an offence, but not a serious offence, and the Complaints Referee refers the complaint to the Designated Judge who agrees; the Complaints Referee will notify the applicant and report their findings to the Taoiseach. The Complaints Referee may also:

i. quash the authorisation;

ii. direct the destruction of any copy of the intercepted communication; or

iii. recommend the payment of a specified sum of compensation to the applicant.

If there was no authorisation of interception or no contravention of the authorisation of interception, the Complaints Referee must inform the applicant of this.

A contravention of the provisions or conditions of the 1993 Act will not of itself render the authorisation of interception invalid or constitute a cause of action.

CRIMINAL JUSTICE (SURVEILLANCE ACT) 2009

Where a person believes that they may be the subject of an authorisation or approval under Section 7 or 8 (urgent surveillance or tracking devices only, not regular authorisations) of the 2009 Act, they can apply to the Complaints Referee for an investigation into whether an authorisation or approval was granted and if so, whether there has been a relevant contravention of the 2009 Act. If there has been a contravention, the Complaints Referee will notify the applicant and report their findings to the Taoiseach. The Complaints Referee may also:

i. quash the authorisation or reverse the approval;

ii. direct the destruction of the written record of the approval and any material obtained;

iii. recommend the payment of a specified sum of compensation to the applicant; and

iv. report the matter to the Garda Síochána Ombudsman Commission or the Minister for Justice as appropriate.

If there was no authorisation or approval, or no contravention of the authorisation/ approval, the Complaints Referee must inform the applicant of this. Under Section 11(9) of the 2009 Act, a relevant contravention which is not material will not of itself render the authorisation or approval invalid.

Most search warrants are issued by a District Court Judge or a Peace Commissioner. The judge or commissioner must consider the sworn information and, acting judicially, satisfy themselves that the requirements for the issue of a warrant under the relevant Act are fulfilled. However, in a small number of cases a warrant may be issued by a senior officer of the Garda Síochána.

Generally, Disclosure Orders are issued by a District Court Judge who must consider the sworn information and, acting judicially, be satisfied that the requirements for the issue of a Disclosure Order under the relevant Act are fulfilled.

COMMUNICATIONS (RETENTION OF DATA) ACT 2011

Section 1 of the 2011 Act defines ‘designated judge’ as a judge of the High Court designated under Section 8 of the 1993 Act. Section 12 of the 2011 Act provides that the Designated Judge must keep the operation of the 2011 Act under review and ascertain whether its provisions are being complied with. The Designated Judge reports to the Taoiseach periodically and can investigate any case in which an authorisation of interception has been given.

In addition, a contravention of the provisions of Section 6 (Disclosure Requests) under the 2011 Act will not of itself render the Disclosure Request invalid or constitute a cause of action.

Under Section 10 of the 2011 Act, where a person believes that data relating to them in the possession of a Licensed Operator has been accessed following a Disclosure Request, they can apply to the Complaints Referee for an investigation into whether a Disclosure Request was in force and if so, whether there has been any contravention of the provisions of Section 6 of the 2011 Act. If there has been a contravention, the Complaints Referee will notify the applicant and report their findings to the Taoiseach. The Complaints Referee may also:

i. direct the destruction of the relevant data and any copies thereof; and

ii. recommend the payment of a specified sum of compensation to the applicant.

If there was no Disclosure Request or no contravention of the Disclosure Request, the Complaints Referee must inform the applicant of this.

Censorship-related Powers

SHUT-DOWN OF NETWORK & SERVICES

There are two bodies empowered to shut down Vodafone’s network and services; Ireland’s Minister for Justice and Equality and the independent statutory body responsible for the regulation of the electronic communications sector in Ireland (ComReg).

Criminal Justice Act 2013

Sections 20 to 29 of the Criminal Justice Act 2013 permit the Minister for Justice and Equality, subject to certain conditions, to authorise the shut-down of mobile communication services in response to a serious threat. A serious threat is when an explosive or other lethal device will be activated by use of a mobile communication service and that activation will likely cause death, serious bodily harm or substantial property damage. In such circumstances, Vodafone could therefore be ordered to shut down its network by the Minister for Justice and Equality.

The Minister may only make such authorisation upon application having been made in writing by a member of the Garda Síochána not below the rank of Assistant Commissioner. The Minister may only then make the authorisation if they are satisfied that there are reasonable grounds for believing that a serious threat exists; there is a reasonable prospect that shutting the mobile communications service down would be of material help in averting that threat; and authorising the shut-down is necessary and proportionate in all the circumstances (including the importance of maintaining the availability of the mobile communications service and the effect of a cessation on users).

Section 24 provides that the Minister’s authorisation shall remain in force for no longer than 24 hours and a mobile communication service shall be shut down for no longer than six hours.

European Communities (Electronic Communications Networks & Services) (Authorisation) Regulations 2011 SI 335/2011

Vodafone could have its authorisation to operate its network suspended or withdrawn by ComReg if it is in breach of the conditions attached to its authorisation.

Under Regulation 16(12) European Communities (Electronic Communications Networks and Services) (Authorisation) Regulations 2011 SI 335/2011, ComReg may take urgent interim measures to remedy certain types of situation. Those interim measures include requiring a network provider (such as Vodafone) to cease use of specified network apparatus with immediate effect.

The type of situations in question relate to:

• when ComReg has evidence that a network provider has breached the conditions of its authorisation to provide an electronic communications network;
• its rights of use for radio frequencies or numbers; or
• specific obligations which represent an immediate and serious threat to public safety, public security or public health, or which will create serious economic or operational problems for other network providers or network users.

Regulation 17(1) enables ComReg to suspend or withdraw authorisation to provide an electronic communications network where there has been a serious or repeated breach by a network provider of the conditions attached to its authorisation. ComReg must first allow the network provider 28 days in which to make representations before effecting the suspension or withdrawal of authorisation.

BLOCKING OF URLS & IP ADDRESSES

The government has no legal authority to order Vodafone to block URLs or IP addresses.

POWER TO TAKE CONTROL OF VODAFONE’S NETWORK

The government has no legal authority to control Vodafone’s network subject to any such authority being introduced by emergency legislation passed in a state of emergency (during which the Constitution would be suspended on behalf of State security).

Oversight of the Use of Powers (Censorship-related)

There is no judicial oversight but every public law power is subject to judicial review so as to ensure that it is being used lawfully.

In addition, Regulation 4(1) of the European Communities (Electronic Communications Networks and Services) (Framework) Regulations 2011 SI 333/2011 states that a network provider (such as Vodafone) affected by a decision made by ComReg may appeal against that decision to the High Court within 28 days of being notified of that decision.

Encryption and Law Enforcement Assistance

1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?

Yes. There are a variety of legal powers which government and law enforcement agencies could potentially use to require a telecommunications operator to decrypt communications data.

The powers described (see ‘Provision of real-time lawful interception assistance’ above) would seem to be sufficiently broad that they could be used to issue a direction or authorisation requiring a telecommunications operator to decrypt communications data where the telecommunications operator has applied the encryption. However, for such a direction or authorisation to require the telecommunications operator to decrypt communications data, the direction or authorisation would need to very specifically refer to this. The recipient of such a direction or authorisation might argue that the decryption of communications data is beyond the scope of what was expressly intended by the statutory power giving rise to such direction or authorisation and/or that decryption was not technically feasible.

Disclosure Orders (see ‘Disclosure of communications data’ above) often include a provision stating that where the relevant information is not in legible form, the subject of the Order shall be required to give the password to the information to enable the LEA official to examine the information or produce the information in a form in which it is, or can be made, legible and comprehensible. As such, while the exact extent of the powers of an Irish LEA under a Disclosure Order will depend on the particular statutory provisions under which the Disclosure Order has been issued, it is possible that a Disclosure Order might require a telecommunications operator to decrypt communications data where the telecommunications operator has applied the encryption subject to the operator being satisfied that the decryption was in scope and technically feasible.

In addition, LEAs may obtain search warrants under approximately 200 different statutes. See ‘Disclosure of communications data’ above for a description of how they might be applied to the telecommunications operator. The extent of the powers of an Irish LEA under a search warrant will depend on the particular statutory provisions under which the warrant has been issued. There is no standard regime in relation to search warrants in Irish law and it is difficult to outline the exact obligations which all such warrants impose. However, it is possible that a search warrant might require the telecommunications operator to decrypt communications data where the telecommunications operator has applied the encryption.

Finally, Section 5 of the Criminal Justice Act 2006 (the 2006 Act) states that where a member of the Garda Síochána has reasonable grounds for believing that there is evidence of, or relating to, the commission of arrestable offences (which are punishable by term of imprisonment of five years or more) (Arrestable Offences), they may take such steps as they reasonably consider necessary to preserve that evidence. Section 5(19) defines ‘preserve’, in relation to evidence as including any action to prevent the concealment, loss, removal, contamination or destruction of, or damage or alteration to, the evidence. This legal power could potentially be used by the Garda Síochána (where they have reasonable grounds for believing that there is evidence relating to the commission of Arrestable Offences contained in communications data) to require the telecommunications operator to decrypt communications data where the telecommunications operator has applied the encryption.

In addition, under the mutual l assistance regime in Ireland (under the Criminal Justice (Mutual Assistance) Act 2008 and the Criminal Justice (Mutual Assistance) (Amendment Act) 2015), subject to compliance with the relevant procedures, some of the powers and/or remedies set out above (or similar powers or remedies) may be used by LEAs on behalf of foreign law enforcement agencies, including potentially to require the telecommunications operator to decrypt communications data where the telecommunications operator has applied the encryption.

2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?

The powers summarised earlier in this chapter would seem sufficiently broad that they could be used to require a telecommunications operator to decrypt data carried on its networks as part of a telecommunications service or otherwise where the encryption has been applied by a third party, including equipment interference or other forms of assistance. However, for such a direction or authorisation to require a telecommunications operator to decrypt data where the encryption has been applied by a third party, the direction or authorisation would need to very specifically refer to this. The recipient of such an Order might argue that the decryption of communications data is beyond the scope of what was expressly intended by the statutory power and/or not technically feasible.

It is possible that the legal powers summarised earlier in this chapter and directly above at Question 1 (Disclosure Orders, Search Orders and preservation of evidence) could be used to require Vodafone to decrypt encryption that had been applied by a third party, including equipment interference or other forms of assistance.

In addition, under the mutual assistance regime in Ireland (see a more detailed description at Question 1 above) powers could potentially be used to require a telecommunications operator to decrypt communications data where the encryption has been applied by a third party, including equipment interference or other forms of assistance. However, again, this would be open to challenge by a telecommunications operator on the basis that it cannot be asked to do something that it lacks the technological capacity to do.

3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?

Vodafone is not aware of any express legal prohibition on the telecommunications operator offering end-to-end encryption on its communication services. The telecommunications operator has positive obligations arising from Irish electronic communications and associated legislation, and its General Authorisation (ie its Irish telecoms regulatory authorisation) to protect the security and integrity of its networks, and the privacy and confidentiality of communications made using its network.

Such obligations are, however, subject to general law enforcement powers and remedies. As set out in response to Questions 1 and 2 above, existing law enforcement powers and/or remedies could be sufficiently broad to require that such practice is not applied in certain cases. However, the issue has not, to our knowledge, been tested in these specific circumstances in Ireland and could potentially be open to challenge.

4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimate to be circa 1990) has been applied to contemporary cases involving encryption.

Vodafone is not aware of any reported judgments which have applied legislation predating the advent of commercial encryption to require a telecommunications service provider to decrypt data which was encrypted.