Does the Irish government spy on its citizens?

As the CIA's advanced tools for surveillance are revealed, we look at what the Irish government has at its disposal

Last week WikiLeaks revealed to the world just what capabilities the CIA has at its fingertips to covertly monitor suspects. It showed that the intelligence agency had a cache of highly sophisticated hacking tools which operatives could use to hack everything from your iPhone, Android smartphones, Windows PC and even your smart television.

While the revelations may have surprised some, for most people in the cybersecurity world, this was about as surprising as finding out that Donald Trump likes to eat Doritos, bacon and Big Macs. The CIA is one of the most prominent intelligence organisations in the world, operating in a country which has enemies in multiple regions around the globe.

What would have been a surprise was if the CIA didn’t have all these sophisticated weapons at its disposal. It’s a spying agency, it needs to spy, and given we are living in the 21st century when so much of our lives are digital, that means it has to have hacking tools.

Also, given the fact that the NSA’s mass surveillance capabilities were laid bare by the documents leaked by former contractor Edward Snowden, it seems that many people’s ability to be shocked by what the US government is up to, has been numbed somewhat.

But that's the US, what about Ireland?

Does the Irish government have a similarly deep treasure trove of hacking tools available to it in order to monitor its own citizens or people overseas who may pose a potential threat to national security?

The short answer is that without our own Snowden or whoever was behind the CIA leaks, we simply don’t know — but there is enough information available that we can make a reasonably educated guess.

To start with, there are four types of surveillance that are regulated in the Irish state today:

  • Interception of communications (limited to telecoms providers)
  • Data Retention
  • Surveillance devices (covert listening bugs or cameras)
  • Tracking device (GPS trackers on cars or containers)

Only in the case of surveillance devices is the signature of a judge needed. In the case of intercepting communications, the Minister of Justice can grant permission while a ranking member of the Gardaí or Defence Forces can sanction the use of tracking devices or accessing retained data.

This lack of oversight can cause problems. In 2010 a member of the Gardaí was found to be spying on her former partner through the data retention mechanism — and this was only discovered because of the partner’s suspicions rather than any internal controls.  

Irish legislation has not kept pace with digital innovation and there is no legislation which provides the Gardaí with the ability to monitor communications such as WhatsApp, Facebook Messenger or even online email services such as Gmail. 

Playing catch up

In November of last year the Irish government outlined a series of updates to “amend the legislative framework for lawful interception and covert surveillance in the context of the fight against organised crime and terrorism.”

The main update to the law would take the existing framework for interception of voice calls and text messages, and extend it to the internet. This would allow for the interception of everything from email to direct messages on Twitter and even communications which are encrypted — though this would require the cooperation of companies like Apple and Facebook.

Since November however there has been no update from the Department of Justice about the proposed amendments or when they may be brought into law. The Department didn’t immediately respond to a request for comment on the status of the changes.

The Defence Forces

While the Gardaí are the primary policing force in the country, and charged with protecting national security, the Defence Forces — specifically a unit known as G2 — also have a remit in this area. A Defence Forces spokesman told Newstalk.com that various acts “provide authority for intelligence gathering and surveillance to be conducted by the Defence Forces in the interests of the security of the State.”

According to the Irish government the Defence Forces is also charged with protecting Ireland against cyber attacks — but it may have to carry out this mission without the necessary tools. There is also no legislation permitting the use of malware, which means that if the Gardaí or the Defence Forces are using hacking tools similar to those mentioned in the CIA dump, it is entirely illegal.

There is however evidence that the Irish intelligence community is at least interested in the use of these tools. In 2015 it was revealed that the Defence Forces was talking to the notorious Italian company Hacking Team, which sells spyware to governments and law enforcement agencies. The leaked emails showed Defence Forces staff engaged in conversations with account manager at Hacking Team from 2012 until the middle of 2015.

Transparency

Unfortunately, as Privacy International and Digital Rights Ireland pointed out in a report last year,  the Irish Government does not provide statistics on the number of cases in which communications are intercepted and has prevented communications providers from reporting this information, despite not having any legal basis for doing so. In 2014, Vodafone published a Transparency Report in which it stated that it “cannot disclose” the number of interception requests it received.

However, we do know that some companies provide details of data stored in Ireland. A transparency report from Microsoft in 2013 showed that the contents of emails were provided to Gardaí on five separate occasions the previous year.

Microsoft is different from other companies in that it stores emails in Ireland but there is still no statutory basis for it to hand over such information to the Irish authorities.

Since then, major US tech companies like Apple, Facebook and Amazon have all established data centres here, with Ireland quickly becoming one of the major global locations for information storage — which could cause a lot of headaches for the Irish government, its data protection officials and its citizens.