DIGITAL RIGHTS IRELAND LTD.

Mr. Billy Hawkes

Data Protection Commissioner
Canal House
Station Road
Portarlington
Co. Laois

via post and email

Saturday, 26 March 2011

Re: Garda Proposals for Internet Blocking and Monitoring of Internet Use

Dear Mr. Hawkes

It has recently emerged that the Garda Síochána has written in private to Irish internet service
providers asking them to put in place a system of internet blocking of sites which are alleged
to contain child pornography, and a copy of one such letter is enclosed.

While well intentioned, such systems raise significant privacy and data protection issues
which have not been addressed, particularly as what is envisaged is a purely self-regulatory
system with no legislative basis or judicial oversight.

As you are already aware, the European Data Protection Supervisor recently considered the
issues presented by blocking systems in his opinion of 10 May 2010 on the proposal for a
Directive of the European Parliament and of the Council on combating the sexual abuse,
sexual exploitation of children and child pornography, repealing Framework Decision
2004/68/JHA. In that opinion, he noted that “appropriate safeguards are needed to ensure that
monitoring and/or blocking will only be done in a strictly targeted way and under judicial
control, and that misuse of this mechanism is prevented by adequate security measures”. In this
case, however, no such controls are proposed.

REGISTERED NUMBER 410355  REGISTERED OFFICE: 10 CASTLE HILL, BENNETTSBRIDGE

ROAD, KILKENNY  EMAIL: INFO@DIGITALRIGHTS.IE
DIRECTORS: TJ MCINTYRE, COLM MACCARTHAIGH, ANTOIN O’LACHTNAIN
Indeed, one particularly unusual feature of the Garda proposals seeks to monitor internet use
without any legislative basis whatsoever. Although acknowledging that a “customer may have
accessed a [blocked] site inadvertently” the proposals go on to request that in such cases ISPs
should provide “details of other websites visited by the user, along with other technical
details”.

As you know, disclosure of such information would not be permitted under the
Communications (Retention of Data) Act 2011 and indeed the disclosure of browsing
histories without Ministerial approval would appear to be an offence under section 98 of the
Postal and Telecommunications Services Act 1983. It is, therefore, quite remarkable that
disclosure of this information is being sought on an entirely non-legislative basis and without
any reference to the legislation which is already in place in this area.

Such disclosure would also give rise to very serious data protection concerns, particularly as
it is very often possible to identify users based on details of the URLs which they have
visited, and the other “technical details” sought will make identification easier again.

It should also be noted that the designation of URLs to be blocked itself gives rise to
significant data protection issues. Domain names or URLs often identify individuals. In some
cases – e.g. www.EndaKenny.ie or www.example.com/users/JohnDoe – the domain name or
URL on its own will identify an individual. In other cases, the publicly available WHOIS
information will identify the owner of a domain.

Consequently, a decision to block a particular domain name or URL can amount to a very
serious accusation indeed against an identifiable individual. This is particularly so given that
visitors to that domain name or URL will be presented with a “STOP page” stating that this
page “has been documented by the Garda Síochána as having been used in the distribution of
material depicting the sexual abuse of children”. If, for example, a user tries to access
www.example.com/users/JohnDoe and is presented with such a page, it is very likely that
they will infer that John Doe has been involved in the distribution of child pornography.

In summary, therefore, it appears to Digital Rights Ireland that the Garda proposals for
blocking present very serious data protection issues and we would request that before any

Page 2 of 3
such system is deployed it is investigated by your office to ensure compliance with data
protection law. We would be obliged if you would keep us informed as to the progress of
your investigation.

If you require any additional information or if we can be of any further assistance in this
matter please do not hesitate to contact the writer.

Yours sincerely

TJ McIntyre

Page 3 of 3