Irish police to be given powers to demand passwords

Police forces in Ireland will be given the power to demand passwords for electronic devices when carrying out search warrants under new legislation.

The changes are part of the Garda Síochána Bill, published on Monday by the country's minister for justice, Heather Humphreys.

The police in Ireland are known as the Garda Síochána, or the Gardaí (the Guards) for short, and the new legislation includes sweeping changes to law enforcement in the country. This includes a new requirement to make a written record of a stop and search, which will enable data to be collected so the effectiveness and use of the powers can be assessed.

The changes come as more crime migrates online, where it is carried out on phones, computers, and other devices protected by personal logins. Failure to comply surrender an electronic device’s password could result in a €30,000 fine or up to five years in prison under the new legislation.

"The law in this area is currently very complex, spread across the common law, hundreds of pieces of legislation, constitutional and EU law," Humphreys said. "Bringing it together will make the use of police powers by Gardaí clear, transparent and accessible. The aim is to create a system that is both clear and straightforward for Gardaí to use and easy for people to understand what powers Gardaí can use and what their rights are in those circumstances.

"At the same time, where we are proposing to extend additional powers to Gardaí, we are also strengthening safeguards. The Bill will have a strong focus on the fundamental rights and procedural rights of the accused. I believe this will maintain the crucial balance which is key to our criminal justice system, while ensuring greater clarity and streamlining of Garda powers.

Other special measures will be introduced for suspects who are children and suspects who may have impaired capacity, and the bill will also bring in longer detention periods for the investigation of multiple offences being investigated together, for a maximum of up to 48 hours.

However, the change in legislation relating to passwords has caused concern for security experts. Niamh Muldoon, the global data protection officer at OneLogin, says the move goes against the fundamentals of security best practice and in particular Identity and Access Control.

"It potentially removes the individual accountability associated with actions under the account which may impact the chain of custody of evidence associated with the case," Muldoon told IT Pro.

"I urge all government bodies to partner with cybersecurity experts when considering legislation associated with digital identities to gather insights on practical implementations to ensure policy and/or legislation deliver to its achieved goal with no potential loopholes."