The Gist: A Balancing Act
The Minister for Justice wants to break the EU’s encrypted messaging security. This is the Gist
Imagine, if you will, becoming the Minister for Justice.
It’s one of the big policy Departments and is recognised to be a place for talent. It also involves a big risk of Ministers being damaged by their time there, historically due to getting too close to An Garda Síochána and then having that blow up in the Minister’s face.
We don’t have to go back as far as Sean Doherty and the 1980s phone tapping scandal he presided over (which eventually took down CJ Haughey). Frances Fitzgerald resigned as a Minister and Deputy FG leader as she got caught up in the Garda institutional response to the whistleblowing of Sgt McCabe. Then Alan Shatter resigned after a report into his actions during the same controversy. (He later successfully challenged that report but has never held Ministerial office since.)
In fact, although it was the Department of Health which Brian Cowen famously described as Angola, because it had so many political landmines buried in it, no posting has been so likely to blow up under a Minister as the Department of Justice in the last decade.
Security through insecurity
Which leads us to the latest plan by the current Minister for Justice, Jim O’Callaghan. He has taken a clear line since his appointment of announcing that he will grant any and all of the wishes of An Garda Síochána when it comes to new surveillance powers. He has even promised to give them powers that his immediate predecessors, Helen McEntee and Simon Harris, had specifically rejected as excessive.
So, for example, Simon Harris had denounced the Deskerati as a shadowy force of people with terrifying horizontal wooden surfaces at their disposal, preventing him from bringing in facial recognition via CCTV. But even he had said that power should not allow for a live facial recognition system monitoring the public sphere. His proposal was to allow facial recognition, but limited to archive footage.
Our new Minister wants no such limits, seeking not just a live biometric facial recognition system but also a live biometric recognition system to recognise people in CCTV by other attributes like their gait.
This is specifically a use case which the European Data Protection Board, the collective body of every single Data Protection Regulator in the EU, has already determined to be illegal:
“remote processing of biometric data in public spaces for identification purposes fail to strike a fair balance between the competing private and public interests, thus constituting a disproportionate interference with the data subject’s rights under Articles 7 and 8 of the Charter.”
The War on Maths
So we come to the Minister’s other illegal plan: breaking encryption for everyone to force platforms to give the police backdoor access to secure messaging systems, such as Apple’s iMessage or Meta’s WhatsApp.
He is, at least, quite clear that this plan involves a breach of everyone’s rights to privacy and data protection. But he argues, correctly, that there are other competing rights such as security. And, he again rightly says, when rights are clashing a balance has to be struck between them.
He gave a speech addressing this exact point, saying “We need to recall that the countervailing balance to the right to the individual right to privacy is frequently the collective right to security. Collective rights need to be acknowledged and on occasion should supersede individual rights.”
The Minister’s problem is that both of the European Courts to which Ireland is answerable have already assessed his proposed balance and found that his outcome would be illegal.
Let’s start with the European Court of Human Rights in Strasbourg. In 2022, they decided on the legality of requiring a backdoor to encrypted messages in the case of Podchasov v Russia.
The Minister’s argument about the balancing of collective security and individual liberty had been at the heart of the case (though here it was being advanced by Putin’s Russia, an unfortunate intellectual bedfellow).
Paragraphs 75 to 77 of the judgement contain probably the pithiest statement of the Court’s findings on the necessity and proportionality of Minister O’Callaghan’s proposed balancing of rights.
The Court found that, while crimebusting and security were legitimate policy aims, it wasn’t proportionate to weaken encryption for everyone as the price of pursuing them.
“it appears that in order to enable decryption of communications protected by end-to-end encryption, such as communications through Telegram’s “secret chats”, it would be necessary to weaken encryption for all users. These measures allegedly cannot be limited to specific individuals and would affect everyone indiscriminately, including individuals who pose no threat to a legitimate government interest. Weakening encryption by creating backdoors would apparently make it technically possible to perform routine, general and indiscriminate surveillance of personal electronic communications.
Backdoors may also be exploited by criminal networks and would seriously compromise the security of all users’ electronic communications. The Court takes note of the dangers of restricting encryption described by many experts in the field (see, in particular, paragraphs 28 and 34 above).
…the ICO’s statutory obligation to decrypt end-to-end encrypted communications risks amounting to a requirement that providers of such services weaken the encryption mechanism for all users; it is accordingly not proportionate to the legitimate aims pursued.” (Emphasis added)
In other words, there is a balance to be struck between Garda surveillance powers and individual rights. But the Minister is proposing a tipping of the scales that has already been found to be illegal.
In coming to that decision, the ECHR quoted the UN's expert report on privacy in the digital age, which was even clearer:
"the impact of most encryption restrictions on the right to privacy and associated rights are disproportionate, often affecting not only the targeted individuals but the general population. Outright bans by Governments, or the criminalization of encryption in particular, cannot be justified as they would prevent all users within their jurisdictions from having a secure way to communicate. Key escrow systems have significant vulnerabilities, since they depend on the integrity of the storage facility and expose stored keys to cyberattacks.
Moreover, mandated back doors in encryption tools create liabilities that go far beyond their usefulness with regard to specific users identified as crime suspects or security threats. They jeopardize the privacy and security of all users and expose them to unlawful interference, not only by States, but also by non-State actors, including criminal networks.
Licensing and registration requirements have similar disproportionate effects as they require that encryption software contain exploitable weaknesses. Such adverse effects are not necessarily limited to the jurisdiction imposing the restriction" (Again, emphasis added)
But that's not all! The Irish Government has already argued and lost repeatedly in front of the EU's top court, the CJEU in Luxembourg, when arguing that security or policing issues which may arise in the future should rank ahead of the certain and concrete personal data and privacy freedoms of everyone in the state.
In both the Digital Rights Ireland case and the GD case the court found that the Irish government's assessment of what was a proportionate interference in the general population's data and privacy rights in order to permit data retention (for potential future policing purposes) was incorrect.
In GD, they set out the long history of case law on the question:
it follows from the Court’s case-law that the question whether the Member States may justify a limitation on the rights and obligations laid down, inter alia, in Articles 5, 6 and 9 of Directive 2002/58 must be assessed by measuring the seriousness of the interference entailed by such a limitation and by verifying that the importance of the public interest objective pursued by that limitation is proportionate to that seriousness (judgment of 6 October 2020, La Quadrature du Net and Others, C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 131 and the case-law cited).
And then it (again) ruled that interfering with the data protection and privacy rights of all of a population, on a general and indiscriminate basis, was precluded by the Charter of Fundamental Rights.
[EU law] read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding legislative measures which, as a preventive measure for the purposes of combating serious crime and preventing serious threats to public security, provide for the general and indiscriminate retention of traffic and location data.
The Minister knows all of the above. His Department has been the lead on representing the losing side of each of those outings to the CJEU. His current proposal represents a continuation of the Department of Justice's long-held, Trumpian, approach to unwelcome findings that their plans are illegal. It is also the same Departmental culture that planted so many of those landmines under his predecessors' political careers.
When something the department wants isn't available to it, simply assert the contrary, in the face of all the existing facts, and plough on.
There’s always another Minister.