An Garda Síochána unlawfully retains files on innocent people who it has already cleared of producing or sharing of child sex abuse material

19 October 2022 

The U.S. National Center for Missing and Exploited Children (NCMEC) has forwarded information about suspected Child Sexual Abuse Material (CSAM) and people who share it to An Garda Síochána since 2010. The Irish Council for Civil Liberties (ICCL) obtained data about NCMEC’s 2020 referrals to Ireland, and has learned that An Garda Síochána verified that more than 11% of the referrals (471 referrals) were not CSAM. The people concerned were innocent, and the materials were innocuous images or videos, such as children playing on a beach. But despite clearing the people concerned, An Garda Síochána did not delete their data. We do not know how many people cleared of suspicion of sharing CSAM remain in An Garda Síochána’s files. 

ICCL has told An Garda Síochána that there is no legal basis to retain personal data of innocent people it has cleared as suspected producers or sharers of online Child Sex Abuse Material (CSAM). 

This follows correspondence between ICCL and An Garda Síochána (see correspondence here) about the retention of personal data, arising out of these referrals. NCMEC sends suspected CSAM to police after receiving reports from providers, such as Facebook or Google, who scan messages and emails for CSAM voluntarily.

Olga Cronin of ICCL said: 

“The creation and circulation of CSAM online or offline is a heinous crime. Effective measures must be taken to protect the rights and freedoms of victims and survivors. However, the figures we present today question the current efforts to combat it. Innocent people have been unlawfully kept in a net of surveillance and suspicion with no cause." 

An Garda Síochána has verified that at least 471 reports (11%, or greater than 1 in 10) of the 4,192 referrals it received in 2020 were not CSAM. They told ICCL they “will not action a referral further for a number of reasons on the basis of its content, the following are examples: children playing on a beach, topless content, nudist, adult content, etc”.

When asked what An Garda Síochána do with the IP addresses and identifying information pertaining to NCMEC referrals after false positive content is identified, they confirmed that the following data relating to all referrals is retained: NCMEC CyberTip number, date received, suspect email address, suspect screen name, suspect IP address and reporting Electronic Service Provider.

However, An Garda Síochána admitted to ICCL that:

there may be no legal basis to retain data relating to (1) suspect email address, (2) suspect screen name, (3) suspect IP address in the first place in cases which are clearly not child abuse material – for example referrals involving images and videos of children playing on a beach as it may not be proportionate to do so.”

An Garda Síochána confirmed they would seek a legal opinion on the retention of personal data pertaining to innocent people wrongly flagged as suspect sharers of CSAM online. However, to date, ICCL has not seen this legal opinion. 

Olga Cronin of ICCL said:

“This has implications for people’s right to privacy, data protection and presumption of innocence. An Garda Síochána is retaining the personal data of people incorrectly flagged as suspects - in some situations for merely taking pictures of their kids on a beach. This is at odds with data protection law.”

ICCL is calling on An Garda Síochána to stop retaining personal data pertaining to people they have cleared as not being CSAM sharers, and to destroy the data it has been holding on these people to date.

Digital Rights Ireland (DRI) has joined ICCL's call. Dr TJ McIntyre of DRI said: 

"Limitations to privacy and data protection rights must be limited to what is strictly necessary and proportionate. There is no legal basis for An Garda Síochána to retain the personal data belonging to people who have taken innocent pictures. An Garda Síochána must stop this practice."

The numbers 

The gardaí received 2,848 referrals in 2017; 6,812 in 2018; 3,888 in 2019; 4,192 in 2020 and approximately 3,500 referrals in 2021, by October 2021.

An Garda Síochána gave a further breakdown for the referrals it received in 2020, confirming:

  • 409 (9.7%) were “actionable”; 
  • 265  (6.3%) were “completed”;
  • 852 referrals were marked as “Child Abuse Material”;
  • 471 were “not Child Abuse Material”
  • 75 were “self-generated”; 
  • 51 were “adult”;
  • 333 referrals were “viral”;
  • 606 were “below the threshold”;
  • 506 were “age undetermined”; and
  • 940 had IP addresses “which could not be progressed further”. 

ICCL has asked An Garda Síochána to provide an explanation or definition for the terms used, such as “actionable”, “completed”, and “marked as below the threshold” but awaits a response. The true number of false positives is likely to be higher than 471, as An Garda Síochána has not confirmed what categories such as “below the threshold” mean, nor whether the adult content was included in the figure of 471. 

EU law proposal 

ICCL presents these figures today as the European Digital Rights (EDRi) network raises serious concerns about a newly-proposed EU law to prevent and combat child sexual abuse. This is a proposed law that will mandate the monitoring of virtually all public and private digital communications.

The Irish figures presented today contradict the European Commission’s claim that scanning tools are so robust that there is no need to worry about accuracy, reliability or false positives.

EDRi Senior Policy Advisor Ella Jakubowska said: 

In a democratic society, we should all be treated as innocent unless there is probable cause to treat us otherwise. The EU's new proposal flips this principle on its head, treating the personal communications of practically all internet users as if they are likely to contain child abuse material.”

The European Commission’s Regulatory Scrutiny Board (RSB), which assesses whether a legislative proposal is necessary and proportionate according to human rights law, has said law would likely amount to generalised surveillance, which contravenes the EU prohibition of general monitoring.

The United Nations High Commissioner for Human Rights has emphasised the same risk, while the European Data Protection Board and Supervisor have jointly warned that the proposed law “could become the basis for de facto generalised and indiscriminate scanning of the content of virtually all types of electronic communications of all users in EU/EEA” and “may present more risks to individuals, and, by extension, to society at large, than to the criminals pursued for CSAM.”

A detailed examination of EDRi's can concerns be read in full here.

Background 

In early 2021, ICCL asked An Garda Síochána about the referrals it receives from NCMEC. In October 2021, ICCL received answers but has since asked further questions (see below). 

In October 2021, An Garda Síochána told ICCL it has been receiving referrals from NCMEC directly since 2015. Before that, it received referrals via the UK authorities and the FBI in the US, going back as far as 2010. ICCL does not know how many people cleared of suspicion of sharing CSAM remain in An Garda Síochána’s files and/or how long such people’s data has been retained.

However, it is ICCL's position that An Garda Síochána has no legal basis to retain personal data of innocent people it has cleared as suspected producers or sharers of online CSAM.

Section 71 (1) (e) of the Irish Data Protection Act 2018, in respect of the processing of personal data by data controllers for the purposes of the prevention, detection and prosecution of criminal offences and the execution of criminal penalties, states:

“data shall be kept in a form that permits the identification of a data subject for no longer than is necessary for the purposes for which the data are processed.” 

Section 71 (2) states:

“The processing of personal data shall be lawful where, and to the extent that (a) the processing is necessary for the performance of a function of a controller…”

Section 71 (7) states:

“A controller shall ensure, in relation to personal data for which it is responsible, that an appropriate time limit is established for (a) the erasure of the data, or (b) the carrying out of periodic reviews of the need for the retention of the data.”

Contact

For media queries: olga.cronin@iccl.ie

Correspondence

These are the questions ICCL asked of An Garda Síochána in March 2021, and the answers received in October 2021:

  1. When did An Garda Síochána start to receive referrals from NCMEC?

    “This office started directly receiving NCMEC referrals in 2015. Before this referrals from NCMEC were received via UK, FBI etc., as far back as 2010.”

  2. How many referrals has An Garda Síochána received per year?

    “The number of referrals received is different year on year. In 2017, 2,848 referrals were received; in 2018, we received 6,812. In 2019, 3,888 referrals were received. In 2020, we received 4,192 and so far in 2021, we have received approximately 3,500.”

  3. How many suspect IP addresses have the gardaí received per year?

    “The number of IP addresses received each year is not recorded at this office. Each referral is unique and a referral received may have numerous different IP addresses contained within it.”

  4. How many referrals contained the same offending content per year?

    “Duplicate content can be a feature of NCMEC referrals. While we know that this does happen, regularly content can be deemed to have gone ‘viral’, the number of recurring duplicate content referrals are not recorded.”

  5. How many referrals have led to the launch of a Garda investigation per year?

    “Using 2020 as an example, a total of 4,192 referrals were received from NCMEC. 409 of these referrals were actionable, and from those referrals 265 files were completed.”

  6. How many investigations have led to prosecutions per year?

    “This information is not retained at OnCE.”

  7. How many prosecutions have led to convictions per year?

    “As above.”

  8. How many referrals contained non-illegal content per year?

    “OnCE doesn’t use a specific categorisation of non-illegal. A total of 471 were marked as being not Child Abuse Material in 2020 from a total of 4,192. This is the focus of the OnCE unit. 506 referrals were marked as being age undetermined. 940 referrals included IP addresses which could not be progressed further. 852 referrals were marked as Child Abuse Material. 606 were marked as below the threshold. 75 were self-generated. 333 were marked as viral. 51 were adult.”

  9. What percentage of referrals contained non-illegal content per year?

    “Please see above.”

  10. What is the general nature of the non-illegal content which has triggered false referral to An Garda Síochána?

    “OnCE will not action a referral further for a number of reasons on the basis of its content, the following are examples: Children playing on a beach, topless content, nudist, adult content, etc.”

  11. What does An Garda Síochána do with the IP addresses and identifying information pertaining to NCMEC referrals after a) an investigation is complete and b) after the content is found to be non-illegal?

    “The following data relating to all NCMEC referrals received is retained at OnCE: NCMEC Cybertip No., Date received, suspect email address, suspect screen name, suspect IP address and reporting ESP. Actioned NCMEC referrals are retained in full at OnCE. With specific reference to Question 11 above, the processing of personal data for the purposes of law enforcement falls under Part 5 of the Data Protection Act 2018. While Section 94(3)(a) of the Data Protection Act 2018 states that a data controller can restrict access to data held for the purposes of the prevention, detection or investigation of offences, the apprehension or prosecution of offenders or the effectiveness of lawful methods, systems, plans or procedures employed for the purposes of the matters aforesaid, I am to report that I have spoken to [redacted], Garda Data Protection Unit who has advised that there may be no legal basis to retain data relating to (1) suspect email address, (2) suspect screen name, (3) suspect IP address in the first place in cases which are clearly not child abuse material – for example referrals involving images and videos of children playing on a beach as it may not be proportionate to do so. Clearly we are covered retaining referrals and related data which involve Child Abuse Material even when the investigation is complete. It is my recommendation that a definitive opinion on the lawfulness from a Data Protection viewpoint of our practice in OnCE in retaining certain data from all NCMEC referrals be obtained from the Garda Data Protection Officer is obtained. I will draft correspondence seeking such an opinion under separate cover and forward same via your office.”

Follow-up questions
ICCL is awaiting An Garda Síochána’s legal opinion on this retention of personal data pertaining to people incorrectly flagged as suspected CSAM sharers. ICCL is also awaiting answers to the following follow-up questions it sent to An Garda Síochána in November 2021 about that retention of data and other details: 

  1. How long has An Garda Síochána retained these data?  
  2. What technical and organisational measures does An Garda Síochána have in place to ensure and to be able to demonstrate that the processing of this material is performed in accordance with the LED (Law Enforcement Directive, as per Part 5 of the Data Protection Act 2018)?
  3. What technical and organisational measures does An Garda Síochána have in place to ensure that data protection principles are implemented in an effective manner and the rights of data subjects are protected?  
  4. Has anyone whose data was wrongfully retained been subject to a decision based solely on automated processing and which produced an adverse legal effect on them?  
  5. Did An Garda Síochána carry out a Data Protection Impact Assessment in respect of this data retention, and if so is this available?  
  6. Does An Garda Síochána know if any human viewed the material which was referred to it by NCMEC before it was received by An Garda Síochána?  
  7. What other personal data - other than an incorrectly flagged person’s email address, screen name, and IP address - is retained by An Garda Síochána?  
  8. Are the incorrectly flagged images also retained by An Garda Síochána?  
  9. Could you please provide a breakdown of the Electronic Service Providers that reported the false-positive referrals received by An Garda Síochána?  
  10. What form does this database take? Is the data of people incorrectly flagged retained with/alongside or separate to the data of people correctly flagged?  
  11. Who has access to this data? Is it connected to PULSE?  
  12. Does An Garda Síochána retain a log of who accesses this database and when? If yes, how long is this log stored?  
  13. Has An Garda Síochána informed the Data Protection Commission of this practice?  
  14. Will An Garda Síochána be informing the people wrongly flagged that their data has been retained? 
  15. Is it possible for the Online Child Exploitation Unit to count the number of unique IP addresses that it has retained per year and share those figures with ICCL?  
  16. Failing that, who or which department of An Garda Síochána records the number of IP addresses collected yearly; number of yearly investigations which lead to prosecutions; and number of yearly prosecutions which lead to convictions?  
  17. How many (i) IP addresses and (ii) unique IP addresses have been wrongly flagged per Electronic Service Provider?  
  18. When An Garda Síochána says 409 of 4,192 referrals in 2020 were “actionable”, what does that mean? 
  19. When An Garda Síochána says 265 of those referrals in 2020 were “completed”, what does that mean?  
  20. When An Garda Síochána says 606 of those referrals in 2020 were “marked as below the threshold”, what does that mean?