The Irish government is handing its police force tools that rival NSO Group's Pegasus. The Communications (Interception and Lawful Access) Bill grants An Garda Síochána legal authority to deploy spyware on citizens' devices, intercept encrypted messages before encryption activates, and harvest location data from anyone in a targeted area. Justice Minister Jim O'Callaghan secured cabinet approval for the bill in January 2026. Officials plan to publish the general scheme later this year.
The bill replaces Ireland's 1993 interception law, which only covered landlines and postal mail. O'Callaghan frames this as catching up with technology. Civil liberties groups frame it as normalising mass surveillance. The bill authorises police to install covert surveillance software on phones and laptops. It activates cameras and microphones remotely. It extracts photos, emails, and passwords. It records keystrokes. It tracks real-time location.
Israel's NSO Group sells this under the name Pegasus. Greece, Poland, and Hungary have already been caught using similar tools against journalists and political opponents. Ireland wants to make it legal. The difference between Ireland and those countries isn't the technology. It's the paperwork. Ireland plans to require judicial authorisation before deployment. That's the same safeguard Poland had when it used spyware to target opposition figures. Judges approve 99% of surveillance requests.
Breaking Encryption Without Breaking Encryption
The bill specifically targets encrypted communications. Government documents state the law will apply to "all forms of communications, whether encrypted or not." This includes WhatsApp, Signal, and any other end-to-end encrypted service. The technical approach is client-side scanning. Police don't break the encryption itself. They capture your messages before encryption activates or after it decrypts on your device.
The Irish Council for Civil Liberties calls the government's claim that this can be done without undermining encryption "a fantasy." When you build backdoor access for police, you create vulnerabilities that foreign intelligence services and criminal hackers will exploit. There is no such thing as a backdoor that only works for authorised users. The European Court of Human Rights warned in 2025 that client-side scanning enables "routine, general and indiscriminate surveillance" that can be exploited by malicious networks. Ireland's government is proceeding anyway.
Mass Location Tracking
The bill authorises electronic scanning equipment that can locate and record identifier data from every mobile device in a specific area. This technology is called an IMSI catcher or Stingray. It mimics a cell tower. Your phone connects to it automatically. The device logs your phone's unique identifier and your location. Police can deploy this at protests, political rallies, or any location they choose. Everyone in range gets logged. No warrant needed for the initial sweep.
The bill also extends to IoT devices. Smart speakers, video doorbells, fitness watches. Anything connected to the internet becomes a potential surveillance tool. Your Alexa could be compelled to hand over recordings. Your Ring doorbell footage could be accessed without Amazon notifying you.
The Metadata Trap
Government officials emphasise that judicial authorisation will protect citizens. They don't emphasise that the bill covers both message content and metadata. Metadata is who you contacted, when, from where, and how often. Former NSA General Counsel Stewart Baker said "metadata absolutely tells you everything about somebody's life." Irish police will have legal authority to collect this data in bulk. They can build social graphs showing every person you communicate with. They can track movement patterns over months or years. They can identify who attended specific events based on location clusters.
All of this happens before they need to prove you committed any crime. The metadata collection itself requires only judicial approval for "serious crime or security threats." Serious crime is defined by whoever writes the regulations. Today it means terrorism and organised crime. In five years it could mean tax evasion or copyright infringement.
Ireland's Privacy Hypocrisy
Ireland built its tech sector reputation on data protection. Apple, Google, Meta, and Microsoft placed their European headquarters in Dublin partly because of Ireland's privacy framework. The country criticised Hungary's use of Pegasus against journalists. It objected to Greece's surveillance of opposition figures. The Communications Bill abandons that position. Ireland is legalising the same surveillance tools it condemned when Hungary used them.
O'Callaghan wants these powers before publishing details of the safeguards. Authority first, accountability later. The Irish Council for Civil Liberties notes that with the general scheme still unpublished, there are no actual details to scrutinise. The government is asking for trust based on promises. Those promises include judicial oversight, narrow application to serious crimes, and protection of privileged communications with journalists and lawyers. Every European country that deployed similar spyware made identical promises. Every one violated them.
What This Means Practically
If this bill passes, Irish police gain legal authority to compromise your devices without your knowledge. You won't receive notification. The spyware operates covertly. You might never know you were surveilled unless evidence appears in court. Even then, source protection rules often prevent disclosure of surveillance methods. End-to-end encryption still functions at the protocol level. Signal and WhatsApp will continue encrypting your messages in transit. But if police have installed spyware on your device, they capture those messages before they're encrypted or after they're decrypted.
Your location becomes trackable whenever your phone is powered on. IMSI catchers don't require individual warrants. They sweep everyone in range. If you're at a protest, a political meeting, or simply walking through an area police are monitoring, your device identifier gets logged. Any IoT device in your home becomes a potential listening post. Smart speakers with always-on microphones. Security cameras. Even your smart TV. The bill creates legal mechanisms for police to access that data directly.
The chilling effect on journalism, activism, and political organising shows up in every country that deployed these tools. Sources stop talking to reporters. Activists switch to in-person meetings. Political opposition becomes cautious about digital communications.
No Going Back
Once surveillance infrastructure exists, it doesn't get dismantled. It expands. Courts defer to national security claims. Oversight bodies lack technical expertise to audit surveillance systems. We know this pattern because we've watched it repeat in the UK, France, Germany, and now Ireland.
The government is betting that citizens will accept these powers if they're presented as crime-fighting tools with judicial oversight. The general scheme will be published in 2026. Public consultation will follow. Then parliamentary debate. By the time this becomes law, the infrastructure decisions will already be made. The contracts with spyware vendors will be signed. The training programs for police will be running. Reversing it becomes politically impossible.
This is how surveillance states are built. Not through sudden authoritarian takeovers. Through legislative processes that make each expansion seem reasonable in isolation. Update a 1993 law for modern communications. Add judicial oversight to existing police powers. Require tech companies to cooperate with lawful access requests. Each step sounds measured. The cumulative effect is mass surveillance infrastructure with legal authorisation. Ireland is choosing to build that infrastructure. Once you accept that police need legal tools to break encryption and deploy spyware, you've accepted the premise that privacy is conditional. A privilege that can be suspended with proper paperwork. Privacy either exists as a default or it doesn't. Ireland is moving toward a system where it doesn't.
Keep learning
FAQ
Can police access my WhatsApp messages under this bill
Yes, through client-side spyware that captures messages before WhatsApp encrypts them. The encryption itself remains intact but becomes irrelevant if your device is compromised.
What is an IMSI catcher and how does it track me
IMSI catchers mimic cell towers. Your phone connects automatically and reveals its unique identifier and location. Police can deploy these to track all phones in a specific area without individual warrants.
Will I know if police install spyware on my phone
No. The software operates covertly. You typically won't receive notification unless surveillance evidence appears in court, and even then source protection rules often prevent disclosure of methods used.
Historical evidence from other European countries suggests no. Judges approve over 99% of surveillance requests and lack technical expertise to audit the systems they authorize.
PLACEHOLDER_FAQ_ANSWER_4
Can I protect myself if this bill passes
Use devices with verified secure boot, avoid IoT devices with always-on microphones, and assume any device can be compromised. VPNs protect network traffic but not device-level surveillance.