Below is the full text of today’s presentation by the Garda Síochána Ombudsman Commission to the Joint Oireachtas Committee on Public Service Oversight and Petitions :
Good afternoon, Chairman and Committee members. Thank you for the invitation to come before you today.
As you know, the Commission was previously before you on the 3rd July 2013. On that occasion, we discussed issues which had arisen in the context of our capacity to properly investigate complaints alleging garda misbehaviour.
More specifically, we reported to you on what we felt were undue delays by the Garda Síochána in the provision of information relating to investigations.
The exchange of information between the Garda Síochána and GSOC is essentially managed under agreed Protocols drawn up under section 108 of the Garda Síochána Act 2005, as amended. Protocols had been in place between the two organisations since commencement of GSOC’s operations in 2007.
As outlined by us in July 2013, we were in negotiations with the Garda Síochána on the revision of those Protocols.
In GSOC’s Annual Report for 2012, and in a section 80(5) report which was laid before the Houses of the Oireachtas, we reported on the delays caused to our investigations and the non-compliance by the Garda Síochána with timelines for the provision of information.
In the meantime, since our appearance before you, revised Protocols were agreed and signed off on the 23rd September 2013 by the Chairman of the Commission and the Garda Commissioner.
The operation of these revised Protocols is a work in progress; however, both organisations are actively working to ensure compliance through ongoing monitoring and review. Indications are that some improvement in the system can be seen.
The Commission is happy to discuss any matters in relation to those issues with you today.
In the last week, as you will be aware, information relating to a specific security sweep was published without authorisation having been given by this Commission. As a consequence of the publication, a focus on GSOC and other agencies has been intense.
Firstly, we would like to point out our unhappiness with the release of the contents of a secret document into the public domain. The media coverage at the weekend took us all by surprise. Since Sunday last, we have been briefing the Minister and the Garda Commissioner, dealing with press queries and so on.
As a direct result of the newspaper coverage on Sunday, I - as Chairman of the Commission - was called to see the Minister on Monday of this week. Over a period of two hours, I updated the Minister on the situation.
I should point out that there is an inaccuracy referenced in three separate places in a report that may come into the public domain; I pointed out the presence of inaccuracies to the Minister.
I laid out to the Minister that, in view of the amount of detail in the public domain last Sunday, the Commission strongly suspects that a copy of a section of a report which is marked “secret” was possibly in the hands of a journalist. I expressed my regret to the Minister that he had been blindsided by the appearance of this information in the media.
I must explain to the Committee my clear recollection of the reasons and the thinking to retain a UK specialist company. I should inform the Committee that the final investigation report and the UK specialist company documentation make reference to reasons for the sweep that do not accord with my recollection of those reasons. This is a matter that I identified in my own notes short after receiving and considering the final investigation report.
I can only assume that this arose because of a misunderstanding and I make no criticism of the authors. However, I am categorical in my recollection of the reasons but it is, nevertheless, important in the interest of clarity that this is brought to the attention of the Committee.
On Monday, we launched an internal inquiry to see how much information was in the public domain.
The three Commissioners met Secretary General on Tuesday afternoon to further update the position. Later that afternoon, after a kind invitation from the Commissioner, I met him privately in Garda HQ to brief him. He again had been blindsided by the release of this information. He was understandably concerned and during our two hour meeting I tried to allay his sense of grievance.
We have agreed that for the benefit of public confidence to ensure that we continue to maintain and develop the relationship between our two organisations. We both agreed to try to find a way through this crisis.
Last night, we felt that the level of public discourse was such that we needed to appear in public and answer questions. The Commission was represented on Prime Time and that was another way to update the wider public in relation to this series of unfolding events.
Why did we conduct this inquiry?
As a brief background, can we outline the work in which GSOC has been engaged for the past few years. We were appointed in December 2011. From the earliest days of our tenure, we were conscious that in the context of organisational risk management it is prudent, for the purposes of good governance, that precautionary measures are utilised in order to allay fears of unauthorised penetration of assets – physical or electronic.
GSOC has, since its commencement of operations in 2007, taken very seriously all aspects of its security and carries out ongoing testing and reviewing of its systems and procedures. Part of this ongoing monitoring includes penetration testing of electronic systems and security sweeps. The staging of these test procedures is sensitive and it is, therefore, closely guarded in the context of information control.
This, as you will appreciate, is a standard operating procedure for organisations holding sensitive data.
In the early days after our appointment, we decided that a security sweep of our building which had not been undertaken since the one conducted in 2007 was something that we would undertake. We did not progress this immediately at that time.
Risk Management and Security Checks
Security checks, albeit part of standard procedures, should always be predicated be on the level of risk that exists at any given time. Risk assessment should be dynamic as time and circumstances change.
The work of GSOC is high profile. The work we are engaged in can accrue great interest and it is wise to put risk assessment in that context.
Throughout 2012, we spent considerable time negotiating privately with AGS around our operational protocols addressing issues of timeliness and other issues of inter-agency cooperation.
Towards the end of 2012, we took a strategic decision that we needed to air publicly some dissatisfaction with the level of cooperation we were getting from AGS. This resulted in us making very public comment around the publication of one report following a sensitive investigation.
For example, on the 9 May 2013, we took the unusual step of submitting to the Minister, a special report in accordance with section 80(5) of the Garda Síochána Act 2005. That special report contained some highly critical comments in relation to our relationship with the Garda Síochána.
A few weeks later, on 23 May 2013, we also made some further criticism of the Garda Síochána’s adherence to our operational Protocols in our Annual Report. You may recall that this Committee invited us to attend to discuss these reports on 3 July 2013. This was a level of publicity and controversy which was unusual for the Commission.
In the context of this public profile, we did then have heightened concerns about confidentiality, particularly in light of some public discourse appearing to be exceptionally well-informed. For that reason, consideration was given to the engagement of the Irish firm which had previously undertaken such a security sweep for this organisation.
When did we conduct this inquiry?
On 9 June 2013, contact was made with that Irish service provider. It was established that the firm was no longer operational. Further enquiries were made with oversight bodies similar to GSOC (in Northern Ireland and England/Wales) to establish whether a suitable resource to undertake this work existed. On 3 September 2013, contact was made with a UK service provider. On the basis of a recommendation of suitability, this UK firm (which specialises in Technical Surveillance Counter Measures) was engaged by GSOC.
How was the inquiry conducted?
On 23 to 27 September 2013, in accordance with standard operating procedures, a security sweep was conducted of GSOC’s office.
The overall cost of the security checks undertaken in late 2013 was just under €18,000. As well as the general check of our building, the Commission also sought expert advice on the sorts of capabilities that exist in relation to the interception of ICT communications (including telephones).
What was found?
Two potential threats were identified during this security sweep of 23 to 27 September 2013.
Threat 1: a wireless device, located in the Boardroom (the Commission’s conference room), was found to have connected to an external Wi-Fi network. Access to this wireless device was protected by a password; absent this password, the device should not have been able to connect to that external Wi-Fi network. As GSOC does not have a Wi-Fi network, this device had never been activated by GSOC and its password was unknown. Its connection to an external network was, therefore, a concern. This device, although Wi-Fi enabled, was unable to communicate with any of GSOC’s databases or electronic systems.
Threat 2: as part of the security checks, the conference call telephone unit located in the Chairman’s office was subjected to a number of tests. One was called an “alerting” test. Immediately after this test, the conference phone line rang. The security expert judged that the likelihood of a “wrong number” being called at that time, to that exact number, was so small as to be at virtually zero. GSOC conducted a number of telecoms checks to seek to establish the source of this telephone call but was unable to do so. Further checks revealed no additional anomalies or matters of concern.
On 7 October 2013, after confirmation paperwork was received from the specialist firm, the investigation team assessed these two threats.
On 8 October 2013, a public interest investigation was launched pursuant to section 102(4) of the Garda Síochána Act, 2005. The investigation was launched on the basis that the Acting Director of Investigations was of the opinion that, to the extent that these threats could be proven, section 102(4) engaged – that is to say that such surveillance may have originated with AGS and, if so, a member of AGS may have committed an offence or behaved in a manner that justified disciplinary proceedings. The investigation was launched in the public interest to ensure that the objectives of GSOC, as set out in section 67(1) of the Act, were not compromised or impugned.
As part of that investigation, the specialist firm was re-engaged and a number of steps were undertaken, including accessing retained telecommunications. During the course of the investigation, the specialists advised regarding the risks of interception to mobile telephony. The Commission established that commercial products were available that could – for example - intercept mobile phones, take them over, send and delete texts from them, etc.
Threat 3: during a visit by the specialist firm on 19 and 20 October 2013, it detected a UK 3G network. UK networks do not operate within Ireland except in Border areas. They advised that such a network can only be simulated through a specialist device. The device simulated a UK mobile phone network, will pick up UK phones registered to that network. Once a phone has been connected, it can be forced to disable call encryption making the call data vulnerable to interception and recording. The specialist firm indicated that this level of technology is only available to Government agencies.
What did the inquiry find?
Preliminary Results:
Analysis of these threats was inconclusive. GSOC was operating at the limits of its technical knowledge and on information only from security professionals. The Commission did not rule out that there could be reasonable explanations for any/all of these issues.
· Connection by the Wi-Fi device in the conference room with an external Wi-Fi network was occurring randomly and with no discernible pattern or agent apparent.
· The anomaly in the telephone unit in the Chairman’s office could not be repeated – the Commission could not rule out the possibility that an innocent call was made to the office at 1am. Telecoms data could not identify a number from which the call originated or even that a call had been made.
· Concerning the device scanning for mobile phones, the Commission could not rule out that such a device was being lawfully used in the vicinity of our building or that it was not directed at our building.
Final Test:
Absent any further clarification, the Commission could not simply proceed on the basis that these issues were purely innocent or coincidental. Accordingly, the Commission conducted a specific operational test, on 19 November 2013; this was coordinated by the security firm and involved a GSOC investigation team. It also involved the three Commissioners to test these issues. This operational test yielded no results and added no clarity to the threats identified above.
Why were the results not reported?
This report was in my possession only just prior to the Christmas break. I had to think very carefully about the need to report matters to the Minister and other parties. At that time, I made a strategic decision not to report what could only be described as suspicious activity that did not meet the threshold of an offence. I have said before in my briefing to the Minister and my briefing to the Garda Commissioner that I regret my decision now.
My decision making at the time just prior to Christmas looked at the potential damage that could be done to public confidence if these suspicious activities were in the public domain.
In that, we had opened an investigation under section 102(4), the threshold test was achieved but by definition any likely offence may involve a Garda member. The level of public disquiet in relation to allegations that the Gardaí might be involved in that type of activity was immense. I took the decision alone not to report at that time and, to the point of having publication forced upon the State, I had still not engaged in any reporting.
It is our earnest wish that we can all learn from and move on from this experience.