Irish GSM Providers Asked to Track Users' Web Use

With the disclaimer "I'm both Irish and work for the EU Commission," reader VShael writes "The head of the Irish police force has requested that Irish cell phone providers (Vodafone, 02, Meteor, 3) retain detailed information on the web pages that people view over their handheld devices. This information would be held over for 'possible future criminal investigations', but would be gathered without a warrant, probable cause, or without the citizen being suspected of a crime. This request goes way beyond the European Union's data retention directive, which never included retention of web-based email. Representatives of Vodafone, O2 and 3 discussed the letter at a meeting with Mr Davis (6th November 2008) and questioned the legal basis under which they could retain this data. It is their understanding that the content of calls or e-mails, or details on webpages browsed, are excluded from the EU directive. As such, any retention or disclosure of that information would be a violation of existing EU data protection legislation."

Garda Commissioner

Did this guy not get legal advice pointing out that what he's asking for is almost definitely illegal/unconstitutional?

Re:Garda Commissioner

It's a request, so they are free to ignore it.

Re:

Obviously, but the fact that he requested such a stupid thing which is bound to get rejected is now a matter of public knowledge. So he looks like an idiot.

Re:Garda Commissioner

Did this guy not get legal advice pointing out that what he's asking for is almost definitely illegal/unconstitutional?

While it may contravene several EU regulations, I don't think it would be unconstitutional in Ireland. The police in Ireland, the Garda Siochana, have a wide variety of powers that would astonish most people; for example, you can be convicted of a crime solely on the word of a senior Guard. Many of these powers date back to the troubles and before that the civil war, but theres no fuss about them because they are rarely if ever used, and then only to put away the "teflon dons", where evidence is difficult to gather.

I'm of two minds about the request. On the one hand, the Guards have already got enough power to screw over anyone they want, and they haven't done so. Ireland is still a very community based culture, everyone knows everyone else sort of thing, and word gets around quick. The Guards in my experience are a highly professional group of men and women who make a habit of nipping trouble in the bud. Yes, I'm sure lots of people will come in with horror stories now, but you'll have that.

On the other hand, I am very wary of requests for further far reaching powers for their own sake. I suspect this has something to do with the massive influx of eastern Europeans into Ireland over the last six years (the population of the country actually grew by 10%). While for the most part these are good people, they also brought with them some unpleasant baggage, in the form of the Russian mafia, who have been quietly flexing their muscles lately in the Dublin underworld. These types would not fall under the usual categories, and would be much harder to control, what with the language barrier for a start.

I'd like to hear both sides of the story before throwing any stones.

Re:Garda Commissioner

"The Guards in my experience are a highly professional group of men and women who make a habit of nipping trouble in the bud. Yes, I'm sure lots of people will come in with horror stories now, but you'll have that."
That probably depends on what part of the country you come from. The same families have been dealing drugs in the same place openly for at least fifteen years in my area. The guards are sitting in their station located two minutes walk away, and have never arrested anyone despite the complaints. They might stop some 15 year old with a bit of hash but wont touch the scumbags they saw sell it to them. That is not nipping trouble in the bud.

This whole thing is ridiculous, and stinks of some senior guard reading the UK headlines and thinking he should be proposing similar for his own sense of importance. It will be useless even if implemented.

Re:Garda Commissioner

ok ill byte

as naturalized citizen emigrating from former soviet union many many years ago (cue soviet russia jokes) ill have to disagree on few points

firstly I have great respect for the Garda as most people here do, and yes Ireland is a small country where everyone knows everyone else, and yes i considered joining and they are looking for people who have can speak in several languages

i will also agree that most of the recent eastern europeans are hard working people and have helped this economy along by doing the jobs the irish were "above" doing in recent "boom" times, these are also the people who got the stick fastest in the current downturn

now i will disagree about the language barrier, english is very easy to pick up

also will disagree about the russian mafia. they are not here in ireland, and you have to realise that most people came here from russia to escape that sort of thing and have a family in peace

and to be honest the wouldnt be able to gain any turf as we have our own gangs in dublin who dont hesitate to kill each other, theres a gangland murder on the news practialy every day

also a point about immigrants to ireland that people might find interesting, they have to carry biometric green cards at all times and has to be produced when a Garda says "papers please!", no thats not a joke

Re:

Strange that you should say it's expensive, I use 3 in the uk and can get net access for £5 a month. I also use 3's like home service when I am in ireland and still get my internet access at no extra cost (already paid for in the UK).

I don't know if it would apply to the hspda modems (priced from £10 for 1gb data to £20 -7gb) but probably it would.

3's network is a bit patchy - leading to a notorious problem where calls end up on a partner network and get charged at inter

Re:

It's fairly cheap when you are in the home country of the SIM card you have purchased. The prices hit the roof once you go abroad (which is the main reason I would want to use such a service). Then you have the 5 pounds for th e day fee, then you are charged something like 1 pence per kilobyte. I know that a 1 Megabyte PDF document cost 10 pounds, and that surfing slashdot on any day cost me 5 pounds.

Re:Garda Commissioner

The Guards in my experience are a highly professional group of men and women who make a habit of nipping trouble in the bud.

Ha ha ha haaa ha ha haaaa ha ha! You made me spit my coffee with that humdinger.

There's no point in telling you any horror stories but myself, both my brothers and most of my friends bear the scars of Garda professionalism. From beatings to planted drugs to just plain discourteous treatment (being treated like shit because you're a young, Dublin male so CLEARLY must be up to something...) they cover the lot.

"Professional" as in they get paid for what they do, I suppose.

Re:Garda Commissioner

And you hear the same complaint from people around the world, oddly enough usually with little to no evidence. You can always contact the Garda Ombudsman if you have a complaint.

No you can't. If you're trying to reduce the level of harassment you're suffering then best keep quiet and get on with your life.

How do you gather evidence of the Gardai knocking to your house every day and demand you drop your complaint? Or spending the night getting kicked up and down a police station? When the only witnesses are other Gardai it's literally your word against theirs and that never works out in your favour. If they weren't careful and left a mark sure, he fell down the stairs, your honour. Got his hand caught in a door. Tripped over his shoelaces.

You hear the same complaint from people around the world because ALL police forces are heavy handed and act with impunity. I'm not lying - I have no reason to. I've been beaten. My friends have been beaten. Other friends have had their houses raided with unsigned warrants. Someone I know had a large amount of cannabis planted on him (or rather thrown near him - this is a matter of public record - the case was dismissed as laughable).

This shite goes on every single day.

At least the Mayday Bank Holiday protesters a few years ago had video evidence of disgraceful Garda behaviour but I don't carry recording equipment with me at all times so when one of them calls me a fucker because he doesn't like long haired guys in T shirts there's not a fucking thing I can do but walk away and pound impotent rage out of a wall or into a bottle.

It doesn't happen any more - I'm older now (old, fat and affluent looking, if still long haired and T shirt clad) and could be earning any sort of money to fight them in court but young men are still being beaten and harrassed for no better reason than they're young men - sure, youngfellas are always up to no good, especially around here.

I'm sure I'll hear about bad apples now but fucked if I've ever met a good one.

Orwell Estate...

Orwell's Estate should sue this guy for copyright infringement. That'd teach him!

Re:

Would it be copyright infringement though? Or more properly something like trademark or patent violation? ;)

Re:

In any case just sue him! :D

Encryption

Yet another reason why Firefox's stupid warnings on self-signed certificates are wrong.

Another reason why HTTPS is a stupid standard.

We need viable encryption of all traffic, now.

Rich.

Re:Encryption

It would be very easy for an ISP to perform man-in-the-middle attacks on supposedly secure sites which use self-signed certificates. Self-signed certificates provide some security against eavedropping by third parties, but almost none against a malicious network. They can only be useful if you have some independent method of verifying them, and very few people would know how to do that. (Of course, that also applies to certificates signed by many certifying agencies - it is probably quite easy to get a fake certificate that will be silently accepted by browsers)

Re:

It would be very easy for an ISP to perform man-in-the-middle attacks on supposedly secure sites which use self-signed certificates.

'Very easy' if you are a cryptographer, but very difficult in practice. The computer hardware costs would be high and ISPs do not have the technical expertise required. Furthermore, while snooping on plaintext connections just requires listening to the traffic as it passes, a MITM attack requires actively meddling with the data and pretending to be somebody else. This is far

Re:

'Very easy' if you are a cryptographer, but very difficult in practice. The computer hardware costs would be high and ISPs do not have the technical expertise required. Furthermore, while snooping on plaintext connections just requires listening to the traffic as it passes, a MITM attack requires actively meddling with the data and pretending to be somebody else. This is far too much of a legal risk for any legitimate business like an ISP.

In the Australian trials for Internet censorship software, 5 of the 6 filters had the ability to filter HTTPS traffic by performing a MITM attack.

This forgery would be evident, unless the filter had access to a trusted signing key.

Mozilla's decision to show strong warnings for self-signed certificates is justified, because if the certificates were accepted blindly, governments/attackers would easily be able to hijack HTTPS by forging "self-signed" certificates.

Re:

Nonsense, you can easily detect if someone forges certs in a man-in-the-middle attack by comparing signatures after the fact.

But you can't detect massive dragnet surveillance of the type actually being carried out by government organizations.

Let's not confuse some theoretical, hard-to-do, impossible-to-get-away-with attack from what is actually happening in the real world now.

Rich.

Re:

The kind of 'almighty terrorist government' that decides to monitor your web browsing is far more likely to be the government of the USA or allied countries. And they can quite easily MITM your traffic if they want (do you really think that the NSA doesn't have copies of Verisign's root keypair?). If you are really concerned about that you need to exchange PGP keys in person and certainly not rely on a flimsy chain of trust running from Verisign through other crappy signing authorities to your browser.

On

Universal law.

"This information would be held over for 'possible future criminal investigations', but would be gathered without a warrant, probable cause, or without the citizen being suspected of a crime. "

Remember people the "world" isn't "the US". Warrants, probable cause, and presumption of innocence aren't universal.

Re:

Yes, but they are ubiquitous among common law legal systems that can trace their heritage to England's.

Re:

Actually, I chose the term because although the story is of more interest to Irish readers, the vast vast majority of slashdot readers ARE American. Framing the issue in terms they would understand, is simply common sense. (For the same reason, I listed the GSM providers, and explained what the Gardai are. Totally uncessary for Irish readers.)

I'm getting sick of this

It's 'way past time the service providers grew a set and sent a resounding "Fuck you!" to these fascist pricks. And it's also 'way past time those of us who live alleged democracies to start demanding some privacy protection. I'm a lot more frightened of Big Brother than some whack-job terrorist. The terrorist might manage to kill a few of us. Big Brother will sit down hard on ALL of us and never, get off.

The best I ever heard it put was by an English commentator. He said we need to recall that the freedom we're so thoughtlessly flushing down the toilet isn't even ours to give away. It was bought and paid for with the blood of our parents and grandparents and great-grandparents.

Trying to be very political... and failing!

Well, I'm Irish and I work for the Irish Government (Civil Servant, minor role).

To my mind, it looks like that Garda Commissioner has tried to be very smart, but ended up looking very stupid. People on Slashdot probably don't know, but the Irish government decided recently to 'merge' the Data Protection Commissioner (DPC) - the independent body that made sure noone, including the government and police, misused people's private data or were overly invasive - with a whole host of other, barely related organisations.
Thankfully, they were made climb down and back away from their original plans which looked - from an outsider's point of view - like they were using the 'merger' to scrap some of the more thorny Agencies that regularly complain about government policy and the police altogether. (When the Secretary General of the UN called to make 'observations' on the plan, I think they realised they had overstretched themselves a bit!)
However, they are still in a position where they can't lose too much face, and a 'merger' is still on the cards - except this time, it probably is a merger along the lines of sharing buildings and stationery orders. What the guard probably saw that the DPC was still on the cards for a merger without realising that is wasn't screwed over as badly as was initially intended. Or else he realised that he couldn't now just wait a year and then be able to force through his agenda without a State Agency that could effectively oppose him. Whatever the reason, he decided to rush in there to stick his oar into the operators.

He probably wasn't expecting the operators to go public, nor did he realise that the DPC is still operating effectively.

He deserves it, though. The Irish police (the 'guards') are notoriously weak on a technical level. They are so technophobic, they even call their computer people 'gits'! (Garda Information Technology section.)

As an example, many guards use Google or Yahoo email address as their official email addresses. Despite having set aside time and money for it years ago, most guards and, indeed, some police stations do not have email addresses. These free email addresses are used to communicate information about serious crimes, crime-scene photos etc. How's that for 'web-based email security'??? (For god's sake, nobody tell them about 'Flicker'!!!)

I also have occasion to know that many case records still exist only in the little black notebooks of individual guards. No such thing as entering a current investigation on a secure system or even having a typed version of ongoing case notes. This is after investing millions in a police system called 'PULSE'. This was supposed to be a secure system for recording all aspects of a case. You can't even upload a picture to the system, logs people out after five minutes of inactivity - even though it takes more then two minutes to log in and so on. It cost millions, yet the police still sometimes have to fall back to typewriters!

Even extends to basic tech like radios. A lot of them have to bring their own mobile phones to work. Either their radio system doesn't work in some areas or was never installed properly or their handsets have been broken and out of commission for a long time. And so on.

This, despite all our brilliant legislation about electronic signatures, eCommerce and so on.

(I'll also ad the disclaimer that this is not the area of the Service that I work in).

Webmail is not excluded by EU DRD

Technically, the EU Data Retention Directive requires retention of comms data pertaining to 'Internet E-mail' - it doesn't make a distinction between SMTP/POP3 e-mail and web-based e-mail.

If an ISP is running a mail system for its customers, then it should have comms data from use of its own mail system. For webmail, it should be the organisation running the webmail system which retains this data & provides it to the police on request - as the ISP obviously knows nothing about this without digging into all the traffic its customers pass over the network. Of course, many webmail systems are outside the jurisdiction of the EU - which causes a bit of a problem!

Whether this is a good thing or bad thing is an interesting debate & I think less obvious than the case made by privacy advocates tends to state. The police have relied on such comms data from telephone systems for decades to help catch the bad guys ...