Seanad Éireann debate -
Tuesday, 16 May 2017

I thank the House for its public consideration of this legislation and the opportunity to take Committee and Remaining Stages of the Criminal Justice (Offences Relating to Information Systems) Bill today. It is a relatively short Bill but it is important legislation designed to counter cybercrime, in particular that involving information systems and their data, and the timeframe and offences and penalties for this kind of activity. I am pleased to recall that Senators generally welcomed and broadly supported this legislation on Second Stage, displaying a shared determination to combat cybercrime against communications and information infrastructure which is so vital to us all in the modern world.

I bring forward one Government amendment to the Bill, which is technical in nature, together with a number of minor consequential amendments. Therefore, I propose to take the three amendments together, dealing with the main amendment first and then outlining the consequential revisions.

The main amendment is No. 3 on the list of amendments and relates to section 9 which deals with the liability of corporate bodies for offences under the Bill and is designed to give effect to Article 10 of the EU directive on attacks against information systems which this Bill seeks to transpose. Following further consultation with the Office of the Attorney General, it has been found necessary to revise section 9 to ensure Article 10 is correctly provided for and fully transposed, in particular Article 10.2 which relates to the liability of a body corporate for the commission of an offence by a relevant person under its authority due to a lack of supervision or control by the body corporate.

Section 9(1) gives effect to Article 10.2 of the directive. Section 9(2) provides for a defence for a body corporate in respect of subsection 9(1) if it can prove that it took all reasonable steps and exercised all due diligence to avoid the commission of the offence. Section 9(3) clarifies that where an offence under the Act is committed by a body corporate, liability shall rest with the person acting on behalf of the corporate body as well as the corporate body itself. This is essentially the wording of the original section 9 which is being replaced by this new provision. Section 9(4)(a) preserves the common law doctrine on corporate criminal liability which the Attorney General's office has advised encompasses obligations under Article 10.1 of the directive and is broader in scope. Hence, it is not considered necessary or desirable to legislate for the narrower provision in Article 10.1. Section 9(4)(b) provides that criminal proceedings may also be taken against perpetrators, inciters of or accessories to offences under the Act. Section 9(5) provides a definition of "relevant person", as referenced in subsection 9(1), and includes a definition of "subsidiary".

I will turn now briefly to the two small consequential amendments to the main amendment to section 9. The first consequential amendment is to section 1 which deals with interpretation, and involves including the offence created under subsection 9(1) in relation to bodies corporate, as outlined earlier, within the definition of "relevant offence" in section 1(1). This is necessary to ensure an offence under section 9(1) comes within the broader framework relating to relevant offences under the Bill. References to "relevant offence" have particular significance in relation to the operation of this legislation, such as in section 7 relating to search warrants, section 9(1) itself relating to relevant offences committed by a corporate body due to lack of supervision or control, and section 10 which deals with jurisdiction. The second consequential amendment is to section 8 which sets out the penalties in respect of offences under the legislation. The amendment inserts the offence created under section 9(1) in relation to bodies corporate into section 8(1), alongside certain other offences under the Bill. This ensures that offences committed under section 9(1) are also captured within the penalties regime.

My point relates somewhat to section 6. I know that we are going sequentially, and I will speak more about this under section 6. As we discuss section 4, I want to flag the high pertinence of this section given the attacks we have seen over the weekend in the UK, but also noting that when we talk about altering data or information, there are a few opportunities that could be missed in this Bill and I hope they can be dealt with at another point. As well as altering, there is the manipulation of data, such as the presentation of data in a context which is manipulative and serves to distort its original content and intent. I will return to the manipulation of data again more extensively under section 6, but it relates to the categories mentioned in section 4. I wanted to flag this because I did not realise we were doing all Stages today. I had hoped to do a Report Stage amendment but I see there is no opportunity for that now. Nonetheless, I want to flag a number of issues for the Minister of State's attention.

Section 3 is extremely broad.

It covers interference with information systems without lawful authority. Section 3(b) refers to "transmitting, damaging, deleting, altering or suppressing, or causing the deterioration of, data on the system" and so on. The provision is already broad. What the Senator has referred to has been covered because the provision is so broad. In any event, I thank her for raising this matter.

I want to highlight what I believe to be a potential gap in legislation. It is a pity that the matter about which I am concerned is not explicitly addressed. I hope that it may be addressed by means of a ministerial order or regulation or through other means in the future. I refer to the use of behaviour targeted advertisements and the use of end-user consumer information management. This is a major source of revenue and it relates to behavioural targeting. The area is largely unregulated. It is a major revenue source for certain economic actors. I am speaking about well-known entities such as Facebook, YouTube, Twitter, Google, LinkedIn and many others. These are all major and important actors within Irish society. They also use this form of profit generation. In view of the lack of regulation in this area, it is also open to use by any start-up or company. For example, certain companies used such information in active ways in respect of recent elections in the USA and during the Brexit referendum. I am not implying that these companies are abusing the data but I am concerned about how consumer rights are being protected in this area. I am also concerned about the vulnerabilities that are evident. For example, when data is being gathered without appropriate screening or mechanisms for the protection of such data, it is sometimes used to target vulnerable individuals and, in some cases, provoke extremist political reactions. There is a question over how content and data are being used and how data is being gathered. There is also a question regarding transparency in respect of the use of data.

There is little in existing legislation that would stop any new start-up from dramatically abusing extremely detailed data lawfully collected from the system. I recognise that the Bill deals with non-lawful action in the criminal area, but I am keen to highlight those areas that may be legal but in respect of which regulation and transparency are required. For example, it would be positive to consider whether transparent algorithms might be provided whereby people can see the way in which they are being targeted or whereby the scope of material they are getting is being narrowed. Several practical suggestions are open to us. I am suggesting to the Minister of State that we might have a chance to discuss this in another way or to bring it forward, if not by means of this legislation then through regulation.

We need to be concerned about this matter in terms of privacy and consumer protection. It is also very important in the context of the wider sense of politics and extremism, as well as the targeting of people to be recruited into extremist movements. There has been strong manipulation. We have also seen how it has been used in terms of mental health issues.

Section 6 makes clear that it is an offence for a person who does not have lawful authority to use programmes, code or data for illegal purposes. Will the Minister of State look into the misuse of data that is collected legally? Will he consider the regulation of the collection of data in greater detail? Will he investigate what might be done on a national level to protect Irish citizens and all those who reside in Ireland from this form of manipulation or any potential crime that may flow from it?

I have a comment in respect of section 10. This is positive and timely legislation. It is great to see Ireland taking a grip on these issues and addressing them at a time when they are pertinent. However, I am trying to unpack some other issues - I know it is complicated. I would like us to take a lead in the context of jumping into those areas as well in order that we do not see some of the extreme situations that have been experienced elsewhere, particularly regarding interference in electoral processes. The Netherlands has moved back to a paper system of voting, such is the concern of those responsible. The authorities there have moved back to a paper system on foot of the concern regarding illegal interference in the voting system. This is one form of interference. The legislation is the kind of instrument that will help to protect against such outcomes. There are other forms of interference, manipulation and exploitation and we need to consider them as well.

The Senator is correct in identifying that this is timely legislation, especially this week. We can see the potential damage that could be caused to Government agencies, Departments, State agencies, health systems and God knows what else through unlawful interference with those systems. We were well prepared for it in Ireland and it has not impacted on us to the same extent as it has in other jurisdictions. However, we have been informed that this might only be the beginning and that both the emergence of more and more malware and further unlawful hacking are possible.

The Senator referred to the manipulation and use of data. I contend that data is the new gold; it is extremely valuable. The question of how it is used or abused is important. However, that is not what the Bill covers, as such. In any event, the Senator is right to raise the issue.

This is a matter of which we need to be aware and in respect of which we might, perhaps, have a public debate. It all relates to the use, value, and collection of data and so forth. That is another debate completely. The Bill relates to interference with systems without lawful authority. In particular, it relates to information systems, interference with data and so forth, as it is laid down. This is a short but extremely important item of legislation. In one way, it is probably one of the most important items of legislation with which we are dealing at present. It is not getting a great deal of attention. If, however, our systems had been interfered with at the weekend, people would have been calling for it to be brought forward. That said, the Bill is here now and I thank the Senators for their support for it. It is important for our economy and society that we pass it, get it on the Statute Book and get it implemented as soon as possible.

My concern relates to the nature of the jurisdiction under section 10(3). It is limited to an Irish citizen or a person ordinarily resident in the State. What I liked about the original section 9 – I realise it is gone now – was that, as well as a body corporate, an individual could also held accountable. I wonder about the rationale for limiting or curtailing it. Surely, if an individual is operating in another state - that is likely to be the case - that person should nonetheless be considered liable. We may not be in a position to prosecute a person operating out of another jurisdiction, but we should be able to recognise it as being an issue of concern. We may or may not have an extradition agreement with another country where a person has been involved in large-scale hacking or damage of our information systems. Let us suppose someone is operating out of the Netherlands and engages in some of the activity prohibited in this legislation. It seems strange that we are precluding ourselves from trying such a person in respect of a crime. We may or may not be able to do so practicably, but we should at the least be able to seek to do so.

The Bill provides that a person may be tried in the State for an offence under sections 2 to 6, inclusive, if that offence is committed by a person inside the State in respect of an information system outside the State or if it relates to offences committed inside or outside the State in respect of an information system in the State. Legal jurisdiction extends to the commission of such an offence by a person outside the State in respect of an information system outside the State if the person is an Irish citizen, is a person ordinarily resident in the State or is a body corporate or company under the law of the State and the act is an offence under the law of the place where the act was committed.

I welcome the legislation. It is often the case that important legislation does not receive much coverage or attention when it gets over the line in the Seanad. The proof of the pudding lies in the events of last weekend. When something goes wrong we are criticised for failing to update or develop legislation. Our legislation in this area was archaic, was not up to standard and had evolved insufficiently to address various scenarios that could arise. This legislation will evolve and will be amended many times in future. This is an important day as the Bill is an important recognition of what is needed in a modern society in which information and communications technology knows no boundaries and affects the lives of every citizen.

I welcome Councillor O'Brien and his friends to the Gallery. It is great to see him in Leinster House. Councillor O'Brien has been an exceptionally hardworking councillor in the Claremorris area of County Mayo for many years. His commitment to public service on behalf of the people of County Mayo knows no bounds.

I commend the Minister of State, Deputy Stanton, on bringing the legislation through the House. We dealt with Committee and Remaining Stages in one sitting because the Government was required to enact this legislation expeditiously or it would otherwise have infringed European legislation.

I concur with Senator Conway. While I am not the Fianna Fáil Party spokesperson on this matter, I spoke on the Bill on Second Stage and listened to the Minister of State's contributions on it. This is timely and welcome legislation. If anything, the events at the weekend have shown how vulnerable our information systems are to attack. Attacking these systems is a lucrative area. We rely on information technology for virtually everything we do, from using our iPads to checking emails, banking online and booking and checking in for flights. The vulnerability of the National Health Service in the United Kingdom was highlighted by the hacking attacks at the weekend. Thankfully - touch wood - our systems have not been as affected as systems in the UK, although we never know when an attack will occur. It is appropriate, therefore, that the House pass this Bill in a timely and speedy fashion. I congratulate the Minister of State and his officials on the work they have done.

It would be remiss of me not to acknowledge my grandmother on one side and grandfather on the other, both of whom were from County Mayo. I also welcome Councillor O'Brien from County Mayo who, while not a member of the Fianna Fáil Party, is more than welcome to the House. I also acknowledge the work he does.

I congratulate the Minister of State on having this good legislation passed and welcome the indication he gave that he is willing to discuss related issues. This issue will move from the periphery to the centre of political debate. For this reason, I welcome any opportunity we may have in a future debate to discuss some of the other issues I raised. I sound a note of caution, however, and ask the Minister of State to examine my concern in this regard. As Senator Conway stated, we may seek to amend and strengthen the legislation. I am concerned about the question of jurisdiction because we need to decide if we will relate the action to which the Minister of State referred to the place from which the perpetrator takes that action or the place where the crime has its impact. If the crime is perpetrated on a citizen in Ireland, for example, we have a duty to protect that citizen and ensure the perpetrator is held accountable, irrespective of whether we are in position to try the perpetrator here.

A large number of those who conducted the recent malware attacks in the United Kingdom may not be part of a body corporate or resident in the UK but are, nonetheless, targeting UK institutions and have, therefore, committed a crime. Given how important the issue of jurisdiction will become, we must think carefully about what precedents we establish, and establish boundaries so as to ensure the greatest capacity for vindicating and supporting the rights of citizens and other residents and protecting them and our institutions in future, whether directly or through international co-operation. I urge the Minister of State to examine how we can do this in a robust manner.

As my mother is from Ballindine, County Mayo, where I spent many months of my childhood, I join in the general welcome for Mayo.

While I do not have any connections with Mayo, its county footballers have my full solidarity when they play against Dublin.

I will not repeat ad nauseam what has been said. I am heartened the Bill has been passed. As previous speakers acknowledged, we will need to amend it as the world changes. The Minister of State spoke extensively on this issue today and on Second Stage. Senator Higgins is correct to flag these issues, particularly in the current climate. We are benefitting from having an open ear in the Minister of State in this regard. Today, the House has concluded its consideration of important legislation. There is a willingness and eagerness among Senators to keep it under constant review and to respond to events. We should not be afraid to state that Ireland must play a lead role in ensuring more of this kind of responsible, reactive and innovative legislation is implemented to protect information and data related to citizens' personal and private lives from criminals who, as we saw recently, seek to exploit them for negative purposes.

I thank Senators for giving their time to consider this relatively concise but significant Bill. This is the first time legislation has been introduced in this jurisdiction which is specifically dedicated to combating cybercrime. The general and strong support for the Bill shows the Legislature is committed to dealing with cybercrime. It will prove of immense benefit to An Garda Síochána in its ever increasing work in this area. As Senators noted, it will be a very important addition to the Statute Book.

Modern technology is such that systems have changed how we carry out our business, facilitating push-button, touchscreen interaction through time and space. The benefits of this new and evolving technology are evident, but reliance on such technology can unfortunately mean vulnerability. New technology creates opportunities for new forms of crime, or at least crime committed in an online environment in cyberspace rather than in physical space as was traditionally the case. The widely reported global cyberattack last weekend served as a real reminder of the insidious threat of cybercrime. The unprecedented attack affected some 200,000 systems across more than 150 countries worldwide. The scale of the problem should not be underestimated.

Europol's European cybercrime centre reports that cybercrime costs EU member states approximately €265 billion per year, with the figure growing to around €900 billion for the global economy. That is just the financial side of things. The inherent nature of cybercrime means that it transcends geographical boundaries and is a transnational problem which recognises no borders. Senator Higgins is on the button when she talks about the international problem. By strengthening and harmonising our laws across and even beyond Europe, we present a united front against cybercrime to counter its transnational dimension. As explained previously during the progress of the Bill, this legislation allows Ireland to give effect to an EU directive on attacks against information systems. The Bill will also give effect to many of the key provisions of the Council of Europe Convention on Cybercrime, known as the Budapest Convention. The legislation before us reflects these international instruments in that it provides for criminal offences in respect of attacks against information systems and establishes effective, proportional and dissuasive penalties for such offences. The offences provided for relate to information systems and their data. I will not got through what those offences are.

It is incumbent on the Government and the Legislature to seek to safeguard these systems, which are part of our daily lives in the modern world, as the Senator has said. These systems are increasingly relied upon by governments, businesses and individual citizens alike. It is vital that we seek to protect them and maintain users' confidence in their safety and reliability. The legislation ensures that unlawful activities relating to information systems are criminalised and that strong penalties are in place to both deter and punish offenders, of up to ten years' imprisonment in the most serious cases. The Bill seeks to protect vital infrastructures for the benefit of all and to ensure there are no legislative gaps that can be exploited by those who seek to undermine information systems and their data.

I thank the Senators for their support and agree with them that we have to keep this area under observation and scrutiny. It is changing by the hour and more threats are emerging and will emerge. This is an important step and the first piece of legislation in this area. It is very pertinent given what has taken place just this weekend.