As a journalist, I must raise the pressing question on everyone’s mind now that we know that Garda Commissioner Nóirín O’Sullivan used Gmail for official Garda business.
It is this: what advertisements did Google serve up to her as a consequence?
Perhaps a promotion for the latest episode of the HBO series True Detective? Suggested books on labour mediation techniques, from Amazon? Or a link to encrypted email and messaging products?
Gmail machine-reads personal emails for words that might indicate a user’s interests, in order to send targeted advertisements.
More seriously (and this is, of course, a very serious issue indeed), what is the head of a national police and security force doing using a free commercial email service even if only “occasionally” for anything to do with Garda business? This is a service which controversially “reads” its users’ emails. Even if the reading is by an algorithm, this means the company does know key content words in your emails.
A service which allows users to pick the crappiest, easy-to-hack personal password they wish? From a company which is subject to US laws that allow US surveillance agencies to secretly demand the handover of email content? A service which has seen many accounts directly (and indirectly) hacked before?
The Garda is already going through six years of the Commissioner’s emails to make sure O’Sullivan’s Gmail account details weren’t exposed in a recent Dropbox hack in which millions of Gmail account details were offered for sale on the dark web.The Garda has said it believes her accounts were “ secure”.
Encryption
But surely the lesson of
Edward Snowden
– even if law enforcement agencies are not the whistleblower’s biggest fan club – is that gee, guys, it might be a good idea to use encryption.
Even if, say, you personally like other countries’ surveillance agencies, Snowden’s leaks clearly indicated that companies too are a worry, as they create great big data stores on the users of their services.
The Garda already has embarrassingly bad form internationally, in just this area.
You might have forgotten about this, but a few years back the Fine Gael website was defaced by two teenage hackers, and a user database was stolen. Eventually, an Irish judge simply fined the two students for what she accepted was a stunt.
But the FBI also got involved, requesting the extradition of one on the claim that he was associated with international hacker groups LulzSec and Anonymous.
The FBI was interested because – wait for it, as you could not make this up – the teen had hacked into the the Apple iCloud account of the senior garda cybercrime investigator involved in the case, an account which was also linked to his personal Gmail account. The hacker also had accessed several other officers’ Gmail accounts (they seem to be very popular amongst gardaí).
Cybercrime
Well, hey, when you work professionally in the area of cybercrime, why would you bother following even the most elementary precautions and security protocols with your own sensitive work communications?
In this case, according to FBI documents, the garda officer was forwarding his official email to his Gmail account, giving the hacker access to correspondence with the FBI (because, if you are a cybersecurity expert, you forward FBI emails to Gmail too, don’t you?).
The FBI emails contained access information and the passwords for conference calls on the hacker’s own case – one of which, the FBI said, he recorded and leaked online. The extradition documents noted the hacker had boasted: “I just got into the iCloud for the head of the national police cybercrime unit. I have all his contacts and can track his location 24/7.”
As you could, as iCloud tracks the location of a person’s devices and stores contacts and account details, backs up email, and so on.
Eventually, the FBI quietly dropped the extradition request, and the case. One can only imagine how impressed the FBI were with Irish cybersecurity defences.
Clearly this experience from 2011 – nearly six years ago now – failed to offer a learning opportunity.
Protocols
Apparently the Government has no policy on the use of secure, encrypted email and messaging services nor protocols against forwarding work emails to a personal email account.
At least, the person who should know, the junior Minister responsible for data protection Dara Murphy, told this paper this week that he was not aware of any "overarching" Government policy prohibiting public servants from using web services for official business.
“I am not aware there is a Government policy. I haven’t given any thought as to whether what should or shouldn’t be a policy,” he said.
At the risk of stating the obvious (but good grief, someone needs to), yes, we need an overarching Government policy. Yes, we need encrypted email as the Government norm.
And yes, this urgent, alarming – and frankly, embarrassing – issue, of national and international import, sits squarely in the remit of the Minister of State for Data Protection, and that of the Data Protection Commissioner, the Minister for Justice and the Taoiseach.
It’s 2016. Time to get together and sort this out.