Category: data sharing

Google vs. Privacy Commissioners Round 1

Google and a group of Information and Privacy Commissioners have been having an interesting set-to over the last couple of days. First, a group including Canada’s Privacy Commissioner and the UK’s Information Commissioner sent a letter to Google expressing concern about their inadequate privacy policies, especially with regard to new developments like Buzz, Google’s new answer to Facebook.

Then Google put up a post on its blog, unveiling a new tool with maps out various governments requests for censorship of Google’s internet services. Interestingly, it framed this by reference to Article 19 of the Universal Declaration on Human Rights.

So now we have two sets of bodies referring to different ‘human rights’ as the basis for their politics. Of course they are not incompatible. Google is right to highlight state intervention in consensual information-sharing as a threat, but equally the Privacy Commissioners are right to pull up Google for lax privacy-protection practices. The problem with Google is that it thinks it is at the leading edge of a revolution in openness and transparency (which not coincidentally will lead to most people storing their information in Google’s ‘cloud’), and the problem with the Privacy Commissioners is that they are not yet adapting fast-enough to the multiple and changing configurations of personal privacy and openness that are now emerging as they have to work with quite outdated data-protection laws.

This won’t be the end, but let’s hope it doesn’t get messy…

European Parliament blocks EU-US data-sharing agreement

In a rare burst of sanity and concern for the rights of EU citizens, the European Parliament has exercised one of its very limited range of powers and blocked an agreement to continue the ability of the US government to access the Swift international bank transfer system. The parliament argued that the agreement, the descendent of a secret arrangement discovered in 2006, which came about in the aftermath of 9/11, paid insufficient attention to privacy. They are right. It doesn’t pay any attention to the safeguarding of citizens’ information rights, it merely confirms the terms of the undemocratic original agreement, one of a surge of such arrangements that were rushed through in the wake of the attacks when no-one was likely to pay much attention to things like human rights. Now, however, in an slightly less charged atmosphere, the Parliament has been able to demand that such rights should be respected in any transparent and accountable agreement. No-one is arguing that data should not be shared where there is a case for it to be shared, but this should not be at the expense of the rights and freedoms of which we are supposedly exemplars.

Voluntary Self-Surveillance

In a nice bit of synchronicity with the ‘Surveillance and Empowerment’ call just issued by Surveillance & Society, there’s a really interesting little piece on the rise of ‘self-tracking’ by Curetogether founder, Alexandra Carmichael, in the latest issue of h+ magazine, an open-access publication from ‘transhumanist’ pioneer, R.U. Sirius.

The piece concentrates on those who have health problems who want to track and share symptoms and other biometric data, but argues that this is a wider interest: “we do it because we love data, or we do it because we have specific things we want to optimize about ourselves.”

There are also some useful links to life-logging and patient data-sharing sites.

(thanks to BoingBoing for the link to h+)

Everyday prejudices mean Canadians end up on watchlists

Another great audit report from the Office of the Privacy Commissioner here in Canada, investigating the Financial Transactions and Reports Analysis Centre of Canada (Fintrac) has just been released. Fintrac, created in 2001 in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and now with even more extended powers, operates a databases which is supposed to contain details of those suspected of supporting terrorism or money laundering (often on behalf of major criminal and terrorist groups).

However, there is a good story in The Globe and Mail today which leads on the most worrying aspect identified by the audit, which is that in many cases, the Fintrac database is massively overreliant on unsubstantiated suspicions from low-level functionaries in banks, insurance firms and credit agencies. Some of these ‘suspicions’ were clearly simple prejudice as they appeared to be based entirely on ethnicity. Part of the problem is that there are no clear guidelines as to what constitutes a reasonable suspicion in the legislation.

But being put on the database can have serious consequences, firstly because of the potential penalties involved (up to $2m CAN fines and 5-years imprisonment) and secondly, because the information in the Fintrac database can be accessed by Canadian Security Intelligence Service (CSIS), the Royal Canadian Mounted Police  (the RCMP – Canada’s FBI) or shared with overseas police and intelligence services. In the latter case, as we already know, mounting errors can result in innocent people being subject to ever more harsh treatment including being excluded from countries, placed on no-fly lists or even the UN1267 ‘known terrorists and affiliates’ list, as well as, in the worst cases, opening them up to extraordinary rendition, imprisonment and torture.

Jennifer Stoddart, the current Privacy Commissioner, has a well-deserved reputation getting positive changes made, so let’s hope she can persuade Fintrac to get this sorted out pretty soon.

Canadian Internet Snooping Law

I’ve noted before that there seems to be a concerted push around the world by governments to introduce comprehensive new telecoms surveillance laws that force telecommunications and Internet Service Providers (ISPs) to record, store, and provide access to and/or share with state intelligence agencies, the traffic and/or communications data of their customers (in other words, users like us). What is noticeably here is that there is a particular logic that appears in the arguments of governments who are attempting to persuade their parliaments or people of the need for such laws. This logic that is firstly, circular and self-referential, in that it makes reference to the fact that other governments have passed such laws as if this in itself provides some compelling reason for the law to be passed in their own country. The second part of this is a king of competitive disadvantage arguments that flows from the first argument: if ‘we’ don’t have this law, then somehow we are falling behind in a never openly discussed intelligence-capability race that will hit national technological innovation too.

The media often seem oblivious to what seems obvious, and hence the story on the CTV news site today with reference to Canada’s currently proposed communications law that would allow the Canadian Security and Intelligence Service (CSIS) warrantless access to such the data from Internet and telecoms providers. They consider it to be ‘unexpected’ that the parliamentary Security Intelligence Review Committee has come out in support of the bill. Looking at the reasons why though, they are exactly what one would expect if one has been following the debates around the world and contain exactly the logics I have outlined. The story notes that the committee “points out that governments in the United States and Europe have already passed laws requiring co-operation between security agencies and online service providers” (without, incidentally, pointing out that these remain enormously controversial, or that other governments have abandoned some of their attempts) and later that “intelligence technology… requires continued access to new talent and innovative research.” However they won’t go into details as it is a “very sensitive matter.”

And absent from this debate as usual is the fact that this is not just a question of ‘national security’ if you set up these systems, you feed the US National Security Agency too. Canadian intelligence is still bound by agreements made after WW2, particularly the CANUSA agreement on Signals Intelligence (SIGINT), later incorporated into the UKUSA structure. And as we all know, right now, the USA does not always have the same strategic interests as Canada (the issue of arctic sovereignty is just one example). If this bill is passed, it’s a license for US spies, not just Canadian ones.

CIA buys into Web 2.0 monitoring firm

Wired online has a report that the US Central Intelligence Agency has bought a significant stake in a market research firm called Visible Technologies that specializes in monitoring new social media such as blogs, mirco-blogs, forums, customer feedback sites and social networking sites (although not closed sites like Facebook – or at least that’s what they claim).  This is interesting but it isn’t surprising – most of what intelligence agencies has always been sifting through the masses of openly available information out there – what is now called open-source intelligence – but the fact is that people are putting more of themselves out their than ever before, and material that you would never have expected to be of interest to either commercial or state organisations is now there to be mined for useful data.

(thanks, once again to Aaron Martin for this).

UAE plans DNA database of entire population

Police in the United Kingdom have recently been forced by the European Court of Human Rights to scale back their increasingly large National DNA Database (NDNAD), which previously potentially included DNA profiles of anyone arrested by the police, whether charged with any offence or not. This at least shows that there is some recourse to law and and a higher authority that will protect the rights of citizens against the extension of state power… in reasonably democratic Europe at least.

However authoritarian regimes need have no such concerns. The Persian Gulf state of the United Arab Emirates (UAE) has decided that it is to create a national DNA database of the entire resident population. According to The National newspaper, this will not even need any kind of debate or  even new legislation. They estimate that this will take up to 10 years if population growth is factored in.The paper claims this will be the world’s first such comprehensive database, but this is only partly true. Iceland, Sweden and Estonia have all set up comprehensive DNA databases run by their health services. But the UAE’s certainly appears to be the first attempts at a comprehensive law enforcement DNA database.

DNA pioneer, Sir Alec Jeffrys, has his doubts of course. But learned critique, or opposition or overt resistance are probably all largely irrelevant to the UAE government. However, if there is to be a roadblock,  it may be the economy: the UAE’s population is made up to a great extent of temporary foreign workers of all skill levels and occupation types, and the economy depends largely on the willingness of such workers to continue to come to the UAE. Whilst those at the bottom may feel they have little choice, those at the top may decide that such a policy would make the difference between them coming to and investing in the UAE, or not. The second article claims that ‘visitors’ will be exempt, but not ‘residents’. How this plays out remains to be seen. I have no doubt that the UAE will give in to the pressure of global wealth and find some way of exempting rich foreign residents, whilst making absolutely sure that poor immigrant workers are the first to be sampled.

Towards Open-Circuit Television

The era of Closed-Circuit Television (CCTV) surveillance may be coming to an end. Surprised? Unfortunately, this does not mean that we are likely to see less surveillance, and cameras being torn down any time soon – quite the contrary. Instead a number of developments are pointing the way to the emergence of more Open-Circuit Television (OCTV) surveillance. These developments include technological ones, like wireless networking, the move to store data via ‘cloud’ computing, participatory locative computing technologies like CityWare, and the increasing affordability and availability of personal surveillance devices (for example, these plug and play mini-cameras unveiled at DemoFall 09). However they also include changes in the way that video surveillance is monitored and by whom.

Back in 2007, a pilot scheme in Shoreditch in London, which enabled residents to watch CCTV cameras on a special TV channel, was canned. However the project had proved to be incredibly popular amongst residents. Now The Daily Telegraph reports that an entrepreneur in Devon, Tony Morgan has set up a company, Internet Eyes, which is marketing what is calls an ‘event notification system’. They plan to broadcast surveillance footage from paying customers on the Internet, with the idea that the public will work as monitors. They won’t just be doing this for nothing however: the whole thing is set up like a game, where ‘players’ gain points for spotting suspected crimes (three if it is an actual crime) and lost points for false alarms. To back this up, there are monthly prizes (paid for out of the subscriptions of the organisations whose cameras are being monitored) of up to 1000 GBP (about $1600 US). Their website claims that a provisional launch is scheduled for November.

Mark Andrejevic has been arguing, most recently in iSpy, that those who watch Reality TV are engaging in a form of labour, now we see the idea transferred directly to video surveillance in ‘real reality’ (a phrase which will make Bill Bogard laugh, at least – he’s been arguing that simulation and surveillance are increasingly interconnected, for years). This idea might seem absurd, indeed ‘unreal’ but it is an unsurprising outcome of the culture of voyeurism that has been engendered by that combination of ever-present CCTV on the streets and Reality TV shows that came together so neatly in Britain from the early 1990s. It certainly raises a shudder too, at the thought of idiots and racists with time on their hands using this kind of things to reinforce prejudices and create trouble.

But is it really so bad? At the moment, UK residents are asked to trust in the ‘professionalism’ of an almost entirely self-regulating private security industry or the police. Neither have a particularly good record on race-relations for a start. Why is it intrinsically worse, if there are to be cameras at all (which I am certainly not arguing that there should be) to have cameras that are entirely open to public scrutiny? Is this any different from watching public webcams? Wouldn’t it actually be an improvement if this went further? If say, the CCTV cameras in police stations were open to public view? Would it make others, including the powerful, more accountable like a kind of institutionalised sousveillance?

In Ken Macleod‘s recent novel, The Execution Channel, the title refers to an anonymous but pervasive broadcast that shows the insides of torture chambers and prison cells, which functions as a device of moral conscience (at least for literary purposes) but also a Ballardian commentary on the pervasive blandness of what used to be the most outrageous atrocity. Accountability is in the end as far from this project as it is from Internet Eyes. Set up like a game, it will be treated like a game. It strips out any consequence or content from reality and leaves just the surfaces. What is ‘seen’ is simply the most superficial – and seen by the most suspicious. Participatory internet surveillance is Unreality TV. In any case, I don’t think it will either be successful in terms of crime-control (other such participatory surveillance schemes, like that on the Texas-Mexico border, have so-far proved to be failures) or useful in social terms, and may also be illegal without significant safeguards and controls anyway.

And there is nothing to stop multiple people signing up with multiple aliases and just messing the system up… not that I’d suggest anything like that, of course.

(Thank-you to Aaron Martin for badgering me with multiple posts pointing in this direction! Sometimes it just takes a little time to think about what is going on here…)

Reclaim your data!

A new campaign launches on the 1st October in Europe to reclaim your data from the European police authorities.

Now in Europe, national police databases systems, the Schengen Information System (SIS) on immigration and border control, the files of Europol and more, are planned to be integrated following the Prüm Treaty and the so-called ‘Stockholm Programme’ (now in preparation for European Council vote in December this year).

As the organisers make clear, this does not just concern people convicted of any crime, but all immigrants, political protestors arrested at demonstrations, all the many entirely innocent people included on the UK’s National DNA Database – or any other national police database that includes data on the innocent, etc. What’s more, as a result of pre-existing (and originally secretly negotiated) agreements with the USA, the data will also be shared with the FBI and other US intelligence agencies.

So – first of all, protest! In what ever way you can. And secondly, as the campaign suggests:

“to anyone who would like to know what the police (think they) know about you, or simply to register your dissent, we recommend exercising your right to access your own data by sending a request for information to the relevant police authority in your country. The digest received in response will help to give us an idea of the full extent of police access to citizen data, as well as serving as a starting point for getting your data out of the computer systems, by legal or political means.”

Further details here (in English and German).

German-language document generator for data requests.

Facebook forced to grow up by Canadians

Wel, Facebook has finally been forced to grow up  and develop a sensible approach to personal data. Previously, as I have documented elsewhere, the US-based social networking site had pretty much assumed ownership of all personal data in perpetuity. However it has now promised to develop new privacy and consent rules and ways of allowing site users to chose which data they will allow to be shared with third parties.

So why the sudden change of heart? Well, it’s all down to those pesky Canucks. Yes, where the USA couldn’t bothered and where the EU didn’t even try, the Canadian Privacy Commissioner, Jennifer Stoddart, had declared Facebook to be in violation of Canada’s privacy laws. And it turns out that in complying it was just easier for Facebook to make wholesale changes for all customers rather than trying to apply different rules to different jurisdictions.

This suggests an interesting new phenomenon. Instead of transnational corporations being able to always seek out a country with the lowest standards as a basis for compliance on issues like privacy and data protection, a nation with higher standards and an activist regulator has shown itself able to force such a company to adjust its global operations to its much higher standard. This is good news for net users worldwide.

However, we shouldn’t rejoice too much: as Google and Yahoo have shown in the case of China, in the absense of any meaningful internal ethical standards, a big enough market can still impose distinct and separate policies that are far more harmful to the interests of individual users in those nations.