Looking at data protection through the prism of national security
By Will Goodbody, Science and Technology Correspondent
Hands up how many people were surprised to learn that US security authorities have access to the phone records and the server traffic of the biggest telecom and internet companies in the world?
The “revelations” in the Washington Post and Guardian this week that the National Security Agency is trawling data relating to non-US citizens on the systems of giants like Microsoft, Google, YouTube and others may have made for strong headlines.
But in reality, it’s likely that many people would be more surprised to learn that the type of trawling carried out by operation PRISM was not going on. Following 9/11, the rules of engagement of counter-terrorism in the US changed utterly. Law enforcement officials secured significant new formal powers, and it is certainly fair to assume that levels of unofficial monitoring of internet- and phone-based chatter and records jumped too.
However, just because we shouldn’t be surprised that this type of spying is going on, doesn’t make it right that it is. And this latest insight into the murky world of intelligence, where the light of truth and transparency is rarely shone, is sure to re-ignite tensions between those espousing a security agenda on the one hand, and a privacy agenda on the other.
It’s not the sort of publicity that large tech firms like to receive either. In an era of growing threats to digital security and rising concern among users about how secure their data is, data protection is something internet-based firms are being forced to take ever more seriously. Tech businesses know this sort of embarrassing story, true or otherwise, can cost them customers and business.
The speedy denials from companies like Microsoft, Google, Facebook, Yahoo and Apple that they know of or are involved in PRISM are testament to these concerns. They claim they only ever give access to their servers to law enforcement agencies that have obtained court orders and do not know of or provide security agencies with “back door” access to the data they store. That’s not to say that such access isn’t going on without their knowledge.
And what of Ireland in all of this? All the aforementioned firms have large presences here. Some like Microsoft and Google have massive data storage centres in and around Dublin. Are these being raided regularly by US spooks and is the data of Irish customers of these firms being examined in the process?
While Facebook’s data protection system does fall under the remit of the Office of the Data Protection Commissioner (ODPC) here because it has chosen to be regulated here, Microsoft and Google’s data storage operations do not, as they have not. As a result, the ODPC says it doesn’t know if these facilities, for example, are being accessed formally or informally by US security agencies.
We shouldn’t forget as well that Irish and European law enforcement officials have available to them legal tools similar to those in existence in the US, to enable them to have formal access to stored data should they need it. There’s even a clause written into data protection legislation here, permitting any organisation to cooperate with law enforcement agencies that are investigating a serious crime.
Fundamentally, all of this comes down to a simple question: how comfortable are you with government having access to your private data in order to keep you and other citizens safe? Searching for threats online must be a needle-in-a-haystack-style task for intelligence operatives. And so in order to find the needle, and protect against threats, one could argue they need full access to the haystack.
On the other hand, should innocent citizens have to allow blanket access to their personal data, on the off-chance that by allowing it they and others may be kept safe?
It’s a conflict likely to remain unresolved, and which will only become more intense as more and more of our affairs move online, and the threat from global terrorism increases.