From today, private lives in the UK will be a little less private, as EU Directive 2006/24/EC becomes part of national law.
Traffic data on e-mail, website visits and Internet telephone calls now have to be recorded and retained by Internet Service Providers (ISPs). Specifically, the Directive mandates the retention of: the source of a communication; the destination of a communication; the date, time and duration of a communication; the type of communication; the type and identity of the communication device; and the location of mobile communication equipment.
This is coming into force despite the fact that many countries and ISPs still object to the directive. It has to be said that many ISPs are objecting on grounds of cost rather than any ethical reason. German courts are yet to determine the constitutionality of the directive and Sweden is not going to implement it at all.
As with many of these kinds of laws, it was rushed through on a wave of emotion after a particular ‘trigger event’ – in this case, the 7/7 bombings in London in 2005. There was a whole lot of devious practice in the Council of Ministers to get it passed too – if the Directive had been considered as a policing and security matter, it would still have needed unanimity, which means that the objections of Germany and Sweden would have vetoed the Directive. Instead, it was reclassified as ‘commercial’ on the grounds that it was about the regulation of corporations, and commerical matters need only a majority vote. How convenient…
The Home Office in Britain says our rights are safe because of RIPA, which is hardly cause for rejoicing. My main concerns, apart from the fact that this is yet another moment in the gradual erosion of private life, are that:
1. police access will rapidly become routine rather than specific, and this could be extended to many other public authorities – the original drafts of the Communications Bill would have extended the right of access to such data to all RIPA-empowered organisations (which includes most public authorities);
2. the data will be used illicitly by ISP employees for criminal purposes (remember that most identity thefts are inside jobs) – the records will be a blackmailers delight;
3. there will more ‘losses’ of this data by ISPs and others who have access to it. Remember the accidental revelation of user data by AOL in the USA?
This is massively important because it is based not simply on a financial, political or even an ethical position, but on the database projects’ respect for existing law. They are simply illegal…
A new report for the Joseph Rowntree Reform Trust by a very credible largely Foundation for Information Policy Research (FIPR) team that combines engineers, lawyers, software developers, and political scientists, has concluded that a quarter of the UK public-sector databases are illegal under human rights or data protection law. It also looks at UK involvement in some European database projects and finds all of them questionable too.
The report rates the 46 databases on a traffic light system – green, amber, red – and argues that those rated ‘red’, in particular the National Identity Register and the Communications Database, and are simply unreformable and should be scrapped. This is massively important because it is based not simply on a financial, political or even an ethical position, but on the database projects’ respect for existing law. They are simply illegal, and not just massively expensive, morally questionable or politically undesirable. In fact, a quarter of all the databases were found to contravene the law and more than half were ‘problematic’ (i.e. open to challenge in court) . All of those rated ‘amber’ (29 databases) the authors argue, should be subject to independent review.
There are a number of other major recommendations, including the reassertion of the necessity and proportionality tests contained in DP law, citizens should anonymous rights to access data, more open procurement of systems, and better training processes for civil servants. The most important and radical measures proposed, and entirely correctly in my view, are those concerning the location of data and the whole nature of UK IT development. For the former, the report recommends that the default location for sensitive personal data should be local, with national systems kept to a minimum – this appears to be rather like the ‘information clearing house’ system as opposed to central databases, that we proposed in our Report on the Surveillance Society, but better worded and justified! In the latter case, the authors simply note that fewer than 30% of government IT projects succeed at a cost of 16Bn GBP per annum and that there should never be a general and aimless government IT program, rather there should only ever be specific projects for clearly defined and justified (proportional and necessary) aims.
It is an excellent report and probably unanswerable in its logic. Tellingly, The Guardian report contains no response from any government minister…
As a result of an annual report on datamining sent to the US Congress by the Office of the Director of National Intelligence, a research project, Video Analysis and Content Extraction (VACE), has been revealed. The program is aiming to produce an computer system that will be able to search and analyse video images, especially “surveillance-camera data from countries other than the United States” to identify “well-established patterns of clearly suspicious behavior.”
Conducted by the Office of Incisive Analysis, part of the Intelligence Advanced Research Projects Activity (IARPA), the program has apparently been running since 2001,and is merely one of several post-9/11 research projects aiming to create advanced dataveillance systems to analyse data from global sources. How the USA would obtain the information is not specified…
One could spend a long time listing all the DARPA and IARPA projects that are running, many of which are speculative and come to nothing. The report also mentions the curious Project Reynard that I have mentioned before, which aims to analyse the behaviours of avatars in online gaming environments with the aim of detecting ‘suspicious behaviours’. Reynard is apparently achieving some successful results, but we have no real idea at what stage VACE is, and the report only states that some elements are being tested with real world data. This implies that there is nowhere near a complete system. Nevertheless the mentality behind these projects is worrying. It is hardly the first time that the USA has tried to create what Paul Edwards called a ‘closed world’ and these utopian projects which effectively try to know the whole world in some way (like ECHELON, or the FBI’s proposed Server in the Sky) are an ongoing US state obsession.
It is the particular idea that ‘suspicious patterns of behaviour’ can be identified through constant surveillance and automated analysis, that our behaviour and indeed thoughts are no longer our own business. Because it is thoughts and anticipating action that is the ultimate goal. One can see this, at a finer grain, of programs like Project Hostile Intent, a Department of Homeland Security initiative to analyse ‘microexpressions’, supposedly preconscious facial movements. The EU is not immune from such incredibly intrusive proposals: so-called ‘spy in the cabin’ cameras and microphones in the back of every seat have been proposed by the EU-funded SAFEE project, which is supported by a large consortium of security corporations. The European Commission has already hinted that it might try to ‘require’ airlines to use the system when developed.
No doubt too, because of the close (and largely secret and unaccountable) co-operation of the EU and USA on security issues, all the images and recordings would find their way into these proposes databases and their inhuman agents would check them over to make sure we are all passive, good humans with correct behaviours, expressions and thoughts, whether we are in the real or the virtual world…
The Met are unlikely to care. They are not generally known for their respect for the political rights of British citizens…
The Guardian has posted another worrying story (and an interesting video) on the routine police surveillance of environmental activists, most of whom have no connection to any criminal behaviour. The Metropolitan police, who have always been in the forefront of efforts to try to portray political activists as actual or potential criminals, is collecting storing and sharing information, including many private personal details, on activists using Crimint, the national criminal intelligence system. The data includes activists “seen on a regular basis” as well as less frequent activists, regardless of arrests or convictions, their names, political associations and photographs. This information is being shared between police forces to build up more complete portraits of political activity nationwide.
The human rights group, Liberty, is challenging this data collection and sharing on the grounds that it breaches Article 8 of the European Convention on Human Rights. My view is that it almost certainly does, and that the Met are unlikely to care. They are not generally known for their respect for the political rights of British citizens indeed one of their original purposes was to crack down on political dissent back in the Nineteenth Century and they have always maintained this role. They operate the National Extremism Tactical Coordination Unit (NETCU) which is also involve in spreading disinformation on political activists and their HQ at New Scotland Yard will apparently host the new privately-run ACPO Confidential Intelligence Unit (CIU).
I have had my own personal experience of the Met’s way of dealing with activists and it is certainly not in any way respectful of anyone’s rights. It urgently needs to be brought under some proper control and accountability, and hopefully being found guilty of breaching Article 8 of the ECHR, if it happens, will be a good start.
For some time, I’ve been concerned about the little-discussed practice of ‘blacklisting’, the creation and sale of databases of workers thought to be troublemakers, radicals or union activists. Last year, I noted the failed attempt by the British government to legitimise this activity with the creation of the National Dismissal Register, and connected this to earlier surveillance of workers through the Economic League. See this more recent post where I summarised the story in a slightly different context.
But the Economic League, set up after WW1 and finally closed in 1993, had several offshoots. Now, as reported in most of the British press, one of them has been closed down by the UK Information Commissioner’s Office (ICO). ‘The Consulting Association’, a firm based in Droitwich, Worcestershire had apparently been operating for 15 years selling confidential information on construction workers to all the major building companies. According to the BBC, 3,213 workers’ names were contained on the list and were categorised by political affiliations and union activity etc.
Not surprisingly the firm was owned and run by one Ian Kerr, who was previously involved in the Economic League and who still seems to think he was doing nothing wrong, despite his past, and despite the fact that he had previously denied even the existence of this database. But he, along with all the clients named by the report, including Amec, Taylor Woodrow, Laing O’Rourke and Balfour Beatty and many others – there is a full list on the Guardian site – were breaking the Data Protection Act by illegally keeping and trading in personal information. We’ll see whether the big building firms get away with it; most likely they will simply claim that that they didn’t know the data was illegally acquired and traded.
Given the recent history of the National Dismissal Register to set up databases of troublesome workers, it is particularly ironic that minister, Peter Mandelson, is quoted as applauding this action by the ICO in the various reports.
Labour simply needs to admit that it has been wrong on this and to develop some more credible plans which recognises that real security protects liberties rather than undermining them in the name of security.
Richard Thomas is no longer a lone voice in the top echelons of the British state against the growing culture of surveillance, but he remains the most persistent and hard-hitting critic, not least because of he makes the best possible use of his position as UK Information Commissioner when most government watchdogs are largely toothless.
Now in an interview in The Times newspaper, he has renewed his attack on the government’s data-sharing and surveillance proposals,arguing that we risk “hardwiring surveillance” into the British way of life. He has clearly fully absorbed the report we wrote for him back in 2006, in which we warned of the possibility of a ‘technological lock-in’ and is building on it in a serious and creative way.
Thomas is clear in the interview that government plans are ‘excessive’ and so much so that they ‘risked undermining democracy’. With Thomas now joined in his stance by eminent critics like the House of Lords Constitution Committee, former MI5 chief, Stella Rimington and most recently, former far-from-liberal Home Secretary, David Blunkett, as well as just about all media and academic opinion, it seems difficult to see how the government can continue to claim that its plans are in any way credible. Labour is now obviously isolated, unpopular and wrong on surveillance. This needs more than token gestures like the resignation of the Home Secretary, Jacqui Smith (she has other reasons why she should resign anyway), it needs some real soul-searching and a complete reconsideration of the direction in which the government is heading. Labour simply needs to admit that it has been wrong on this and to develop some more credible plans which recognise that real security protects liberties rather than undermining them in the name of security.
Both human rights advocates and the police seem to be strongly in favour of the new RIC system as a means of social inclusion and to replace the chaotic and corrupt identification system based in individual Brazilian states at present, which allows anyone with any other form of ID to get a state Registro Geral card in each different state.
Departamento de Policia Federal, Brasilia
I have just come back from a very productive interview with Romulo Berredo, from the Director-General’s office at the Departamento de Policia Federal (DPF), who are the Brazilian equivalent of the FBI. There was a lot covered and I couldn’t hope to reproduce it all here. There were however a number of immediately interesting aspects.
The first was more evidence that the whole basis on which identity cards and database issues are being considered here is entirely different from the UK. Now I know this represents a police, and a state, view, but so far, both Brazilian human rights advocatesand the police seem to be strongly in favour of the new Registro de Identidade Civil (RIC) system. This is both as a means of social inclusion and to replace the chaotic and corrupt identification system based in individual Brazilian states at present, which allows anyone with any other form of ID to get a state Registro Geral card in each different state. It is fairly easy to acquire 27 different identities in Brazil at present. And identification is important here. The great fear that many people seem to have – indeed it was called a ‘cultural’ characteristic by Berredo – is not the use of identification by the state as a form of control or intrusion but as a guarantee against the anonymity that would allow abuses by the state or indeed by other malicious persons. It provides a metaphysical and material kind of certainty and stability. The legacy of the last dictatorship was not so much an East German-style nightmare of knowledge and order but of corrupt and arbitrary rule.
It is this latter legacy which also drives the divisions between the different police forces in Brazil. The states-based Policia Militar (Military Police) and Policia Civil are both tainted in different ways by associations with authoritarian rule, and the former particularly with extra-legal execution and torture, and they continue to be regarded with caution, suspicion or even hatred by many Brazilians. The other police forces are also suspicious of the growing role of the DPF, which is often seen in terms of a power struggle not rational subsidiarity. Ironically then it is the states-based police forces that are dragging their heels over plans to create the kinds of national databases of criminal information that the UK has, and not for any libertarian reasons. In fact the DPF seem far more concerned with protecting human rights and defending the idea of citizenship, and because they are tasked with anti-corruption investigations have even arrested Senators and Judges, something unheard of even ten years ago. Of course those very same Senators and Judges are now fighting back, in a manner rather similar to Berlusconi in Italy, trying to alter the law to give immunities and protections. For example, handcuffing of arrested suspects was always normal until it happened to a Senator arrested for corruption. The Senate suddenly became interested in the ‘human rights’ of arrested suspects and passed a law limiting the use of handcuffs! Corruption at every level is still an enormous problem here, though Berredo argued that it was largely associated with those who had retained power from the years of the dictatorship.
The concentration on inclusion and joining-up government where it is clearly much needed does however lead to some gaps in thinking. The creation of new databases brings with it new duties and new potential problems of data-handling. As the privacy and data-protection law expert, Danilo Doneda, pointed out to me the other day, Brazil is in an almost unique position in not having any kind of regulator for privacy and information / data rights. He argued it was because the authorities just don’t see the need. Berredo confirmed this. He claimed that the DPF were trusted by the public – and relative to other police forces, that is certainly true! – and that they had to carry out their duties appropriately or they would lose that trust. It sounds nice, but it isn’t a good-enough (or legally-sound) basis for the protection of data-rights.
It all confirmed once again that Brazil is not yet a surveillance society – the state does not yet have the capabilities. There is no national database of fingerprints (even for convicted criminals) for example. But as Berredo said, it is moving in that direction. He was keen that there should be be limits. I liked the fact that he used this word. ‘Limits’ is a word that I found that the neither the UK government nor the European Commission seem to like, and they seem very unwilling to say what limits might be. However Berredo was quite clear that a technologically-driven surveillance future in which individuals could be tracked – he used the example of Google Latitude – was not one which he wanted to see. He recognised that he was both a policemen (at work) and a private citizen (at home) and that he, as much as anyone else, valued his privacy.
(Thank-you very much to Delegado Romulo Barredo of the DPF, for his openness, time and patience, and also to Agent Alessandre Reis, for his help)
£34Bn is probably a small proportion of this wider surveillance economy, and may not even be anywhere near the total ‘cost’ to citizens of the obsession with surveillance.
How much does surveillance cost? It is a key question which is very difficult to answer with any precision. The groups associated with the Convention on Modern Liberty (mainly Liberty, No2ID and Privacy International) have come up an estimate of £34 Billion (about $50Bn US) for the UK. This seems to be mainly costs related to central government databases, and includes £10Bn for the setting up and running of the proposed new communications database. Is it correct? Or even close? Well, it’s a good start as a guess. It doesn’t of course differentiate between costs for aspects of the systems that might be desirable or even necessary (like parts of the NHS Spine system). But then I’ve had this argument with No2ID before – the don’t get the idea that ‘surveillance’ includes things that without which there would be no welfare, education or health services at all. It is worth thinking about it from the other way, from the supply side too – the question of what is the overall size of the surveillance industry. Because of course, it isn’t just government that is spying on us. The biggest databases are run by private corporations (especially retailers, insurance companies and loyalty-card operators)… there are all sorts of private security and surveillance operations. £34Bn is probably a small proportion of this wider surveillance economy, and may not even be anywhere near the total ‘cost’ to citizens of the obsession with surveillance.
Following the damning reports of the House of Lords Constitution Committee and yesterday, the International Commission of Jurists, now Stella Rimington, ex-Head of the security service, MI5, has warned that Britain risks becoming a police state. In an internview with the Spanish newspaper La Vanguardia reported by the Daily Telegraph, Ms Rimington attacked government plans for the National Identity Register and the soon-expected plans for a database of all communications (delayed from last year). If even ex-heads of the security service are now asking the government to change direction, in addition to civil liberties experts, independent judges, and just about everyone else, their stock of excuses must be rapidly diminishing. The current cabinet must know that their actions smack of the desperation of a failing government desperately searching for votes in being ‘tough on crime and terrorism’… but they seem to be locked into a trajectory of ever-increasing surveillance and security that they cannot justify but cannot escape. You do wonder who is actually advising them that this is all a good idea…
Surveillance like this harms us all: it makes our lives banal and reveals only the sadness and the pain.
Still from I Love Alaska
There is something at once banal and heartbreaking about what is revealed through the examination of personal data. The episodic film, I Love Alaska, captures this beautifully. The film by Lernert Engelberts and Sander Plug is based on AOL’s accidental exposure of the search data of hundreds of thousands of its users, and focuses on just one, 711391. The film consists of an actress reading out the (unusually discursive and plain language) search terms of User 711391 like an incantation, with background sound from Alaskan locations and static camera shots that serve to emphasize her boredom, isolation and loneliness.
I was watching episode 5 of the film when two stories popped into my inbox that just happened to be related. The first was from theNew York Times business section and dealt with the other side of the recent US sporting scandal over revelations that baseball player Alex Rodriguez has taken steroids. Like User 711391, Rodriguez had given up his data (in this case, a sample) in the belief that the data would be anonymous and aggregated. But it wasn’t.
So, then we come to how the state deals with this. The Toronto Globe and Mail comments on the way the Canadian federal government is, like so many others, proposing to introduce new legislation to monitor and control Internet use. The comment argues that there is no general need to store personal Internet use data (or Canada will end up like the UK…), and that Internet surveillance should be governed by judicial oversight. Quite so. But, as the NYT article points out, it isn’t just the expanding appetite of the state for data (frequently coupled in the UK with incompetence in data handling) that we should fear but the growth in numbers of, and lack of any oversight or control over, private-sector dataveillance operations.
Some people will argue that any talk of privacy here is irrelevant: User 711391 was cheating on her husband; Rodrguez was taking steroids; there are paedophiles and terrorists conspiring on the Internet. With surveillance the guilty are revealed. Surely, as Damon Knight’s classic short story, ‘I See You’, claimed, with everything exposed we are truly free from ‘sin’? But no. In its revelations, surveillance like this harms us all: it makes our lives banal and reveals only the sadness and the pain. For User 711391, her access to the Internet served at different times as her main source of entertainment, desire, friendship, and even conscience. The AOL debacle revealed all of this and demeaned her and many others in the process. Most of us deserve the comfort of our very ordinary secrets and the ability for things to be forgotten. This is the true value of privacy.
(Thanks to Chiara Fonio for letting me know about I Love Alaska)
ubisurv 