Ireland Proposes Giving Police New Digital Surveillance Powers
The Irish government is planning to bolster its police’s ability to intercept communications, including encrypted messages, and provide a legal basis for spyware use.
Posted on January 26, 2026 at 7:04 AM • 13 Comments
Same is going through preparation in Finland also and they’re about to rewrite parts of the constitution:
https://oikeusministerio.fi/en/project?tunnus=OM067:00/2024
“The necessary amendments to Section 10 of the Constitution will be prepared, taking into account the needs related to criminal, civil and military intelligence, as well as EU legislation, new forms of serious crime and technological developments.”
Also, at the same time, they’re going to let the police, customs etc. use the passport biometry databases – of course it was promised a decade ago not to do so.
“The government said it will follow the EU Commission’s (EC) roadmap for law enforcement data interception, including a section on encryption issues, which it published last year.”
Per the roadmap, the Commission is slated to deliver a technology roadmap on encryption in Q2-2026.
T.J. Wylde offers his thoughts on the law’s implications as Ireland is the European host for dozens of major tech companies. The companies will face decisions on how to respond.
Stop thinking that it’s about “encryption” because whilst that’s what they appear to be talking about, they are in fact just talking about “devices with communications” of any kind…
This tells me that they are thinking more along the “Client Side Scanning” rather than “back-dooring” crypto algorithms.
If you think back quite some time ago now around two decades ago in the US many “contract” mobile phones came with a supposed “Tech Support harness” that sent what the user had typed over the Internet to a US company. Sen Ron Wyden was so upset he got quite vocal about it at the time.
In effect this was the first “client Side Reporting”. Since then it’s only gone “down hill”. With Google and Apple both having Apps that inappropriately collect data from the user and send it to a company.
I first talked about the “end run” around Encryption with “secure messaging Apps” especially Signal.
Even after I had talked about the inadvisability of having the secure endpoint on the same device as the communications endpoint.
But not paranoid… as often is the case I was just ahead of the curve on the rank nastiness of Law Enforcement and other Government agencies.
The UK “RIPA Extra” as some called it reserved the right to attack any device that can be reached from a UK jurisdiction “communications network” so in effect the whole “connected” world currently…
Granting police expanded digital surveillance powers is a slippery slope. Tools intended for intercepting encrypted messages, deploying spyware, and scanning devices in targeted investigations inevitably get repurposed for less serious offenses. Every time we weaken privacy protections in the name of security, we create new vulnerabilities—both for citizens and for the systems themselves. True security requires designing laws and technology that resist abuse, not ones that depend on perfect government restraint.
“Ireland will also take the EU’s lead on spyware, establishing a legal provision for its use, only in cases of strict necessity.” (my italics)
So that’s all right then. It’s a relief because for a moment I thought there might be a risk of mission creep.
It’s ironic that the Medium hosts T.J.Wylde’s piece on a page riddled with trackers and spyware. Leave javascript on and watch the constant chatter as long as the page is open.
[…] including encrypted messages, and provide a legal basis for spyware use.
The former is against the laws of mathematics, it is hard beating them so trust in strong encryption. Just use true end-to-end encryption, drop anything “secure” provided by third parties, not to say U.S.-based corporations. The latter is just a matter of running an operating system where spyware is not so easy to deploy. Computers? Choose a good hardened open source operating system like OpenBSD. Smartphones? Buy a Pixel device and run GrapheneOS on it.
Interception of encrypted messages and problems with government-sponsored spyware have a single source: our foundation must be strong, based on open source, secure, and auditable tools.
Look at it this way. We are in a war against our governments and big corporations, so stop trusting them to protect ourselves.
@ lurker
Any thoughts on what’s going on with Medium?
Here are some more resources. A 20 Jan 2026 press release:
“I have now directed my officials to prepare a General Scheme for the Communications (Interception and Lawful Access) Bill which I intend to publish during 2026. It is my intention to consult widely with stakeholders as the General Scheme is being drafted.”
Also, the 2025 EC roadmap for lawful data access is just plain interesting. Do you use any tools to parse documents?
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52025DC0349
There is a significant amount of .js embedded in the html page file, plus 43 separate scripts.js downloaded with the page, 4 of them over 300kB each, plus a perl script! I speak better Elbonian than javascript, so I don’t have a clue what they’re all doing. Some of the scripts are clearly marked “Copyright Google LLC”, some are “Copyright The Closure Library Authors”.
I’ve rehoned my tcpdump skills, but this is https, so we have to intercept the traffic outside the tls connection. More @Clive’s dept than mine …
“… tools to parse documents?”
Naked eyeballs and liquid caffeine. I remember that Brussels law required tram tickets to be in 2 languages. Now Brussels/EU law requires legal documents to be in 24 languages, -and- it must mean the same to readers of all 24.
Aaah, I see what you mean with that special EuroParliament format xml document.
In your browser just “Save as HTML only” gives a readable result with the links mostly preserved.
“Just use true end-to-end encryption, drop anything “secure” provided by third parties, not to say U.S.-based corporations. The latter is just a matter of running an operating system where spyware is not so easy to deploy. Computers?”
The problem, as I’ve said before, is you have to look at the “whole system” and identify “the weakest link in the chain”.
Which is not that encryption is weak but it’s easy to ignore E2EE on consumer devices where,
The “encryption endpoint” is effectively before the reach of the “communication endpoint”.
To be secure the “encryption endpoint” has to be well after the “communications endpoint” and,
“There must be no way to reach forward from the communications endpoint to past the encryption or other security end points.”
That is not possible on any “consumer or commercial systems” because of the way they are designed.
It’s not just the OS or Apps or other software you need entirely different hardware configurations at a fundamental layer in the “physical computing stack” that underpins all the other computing “stacks”.
In part it’s why from one aspect mobile phones “can be” more secure than computers but in other aspects “are way less secure”.
That is you can not realistically update the hardware inside a phone, so in the main there is no need to have a “driver installation route” in the mobile phones OS.
Unfortunately most mobile phones, IoT and similar consumer / commercial devices use an OS that was designed to be “general in use”… Thus have the need/support for device drivers deeply embedded in the OS where in effect it can not be removed.
The OS’s you mention all fall in that “general in use” category thus are “Vulnerable by Design”.
This means that you have to take the “encryption endpoint” and “user interface”, “Off Device” onto another device that is secure.
This is usually “insecure” due to the use of USB Bluetooth or similar for “convenience” of design or use.
Thus the “communications endpoint” gets extended to that device, and the problem returns.
This is not a problem “Hardware Security Modules”(HSMs) were ever designed to solve.
To do it effectively you have to have proper “Energy Gapping” and a “strongly mandated” and “instrumented” gap crossing path. Such systems rarely exist these days because communications gets built in to the silicon chip the CPU and the RAM/ROM –the OS uses– are on.
The only one we have these days is the “human themselves” hence why when I talk about setting up a secure system I talk about using “Human eyes and paper and pencil secure crypto like an OTP”.
Which whilst simple and can be secure has all sorts of attached issues that make it not at all “convenient to use” and any kind of OpSec for “Journalists and those with legal privilege” and “their clients” to use.
Oh and have a think back to the Carrier-IQ scandal I referred to in my above post,
And the C19 beaconing systems for “contact tracing” added by both Apple and Google with the base remnants still in the OSs…
“Legally mandated User Side / Content Side Scanning is just a pen stroke away from us all”.
With only the sufficiently determined and “artful” in the technical and related knowledge domains being able to escape it. And there are so few of those that they are easy to “watch with scrutiny” and deter, detain, or dispose of (that is the “finish” in the expression “Find fix and Finish” (FFF)).
For those who don’t know, the UK security agencies regard “Client Side Scanning” as the “way out” of “encryption back-door arguments” and have done for some time, see this 2022 article,
The arguments made by the security services are a master class in obfuscation and lying to hide intent.
Which is to have “Client Side Scanning” put on every consumer and commercial device.
Thus “moves the goal posts” but does not in any way mitigate the risks of “encryption backdoors” in fact it makes things worse a lot worse because,
1, It gives access to everything on the device not just communications.
2, It’s not just a “pull” technology, by its very nature it is also a “push” technology as well.
Thus not only can everything be seen anything can be uploaded onto your device, in any place with any faux-metadata of choice[1]
In the UK there is a rapidly increasing amount of “No Defence” legislation. That is you are automatically guilty. One such is the ill defined CSAM. Where actual facts are discarded in favour of non expert opinion and other types of hearsay.
I suspect most readers will realise the implications of this…
Now add in the idea that all devices that have user data storage and search like mobile phones “will have local AI”…
Any one care to place a bet on just how long it will take “Guard Labour” or others to abuse such a process?
[1] Whilst this faux-metadata can be found it is an exceptionally difficult and thus expensive thing to do. Thus unavailable to by far the majority of people. Thus the fundamental tenet of an adversarial justice system that there be “Equity in arms” is effectively irreversibly broken with Client Side Scanning.
Cynthia Yee Ting Ng is doing Doctoral Research work into “Client Side Scanning” and the wider technological-social effects at Warwick University in the UK.
And I think her thesis when “published” will be worth a read.
She already has a paper published but… It’s from a conference with the proceedings behind the usual pay-wall nonsense. I had a look at it a while ago –through someone I know– and found it an interesting read and I suspect you might as well,
https://warwick.ac.uk/fac/cross_fac/cim/people/cynthia-yee-ting-ng/
I am a public-interest technologist, working at the intersection of security, technology, and people. I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc. This personal website expresses the opinions of none of those organizations.