Death to the ICO?

Chris Parsons draws my attention to a blog posting on the very swish and refurbished Privacy International site (nice job BTW – I will check in regularly). Simon Davies argues in this post for the ‘assisted suicide’ of the UK Information Commissioner’s Office (ICO) because it has become a ‘threat to privacy’. The bases for this argument are several, namely that:

  1. “the legislation that underpins the Office is narrow and in places regressive”;
  2. the ICO is “a quasi judicial regulator that sees its role as protecting data rather than people”, which leads to timid decisions;
  3. the ICO is sometimes “ill-informed… and almost always out of step with the more proactive and advanced regulators overseas” especially when it comes to technology;
  4. its complaints procedure is slow and frequently pointless;
  5. there are too many surveillance-related commissioners in the UK (the Surveillance Commissioner, the Interception of Communications Commissioner, the Equality & Human Rights Commission etc.);
  6. it is disconnected from “an information environment dominated by companies which appear to be largely exempt from local protections for citizens.”

Now, I’ve done some work on commission for the ICO, and therefore you might expect me to defend it from these criticisms. But in fact, I find much to agree with here, as well as some points with which I disagree, and much to ponder.

On the side of agreement, the ICO, like much of government, is undoubtedly technologically rather backward. When, in the Report on the Surveillance Society, we wrote about the way in which governments were behind the times, this was as much a message for them as for parliament or the executive. Maybe it is down to funding, maybe to institutional inertia, maybe deliberate choice, but the ICO still has not taken serious steps to remedy this, as Simon points out, and relies largely on occasional external reports, many of which are in any case general rather than specialist, to update it.

I also agree with the charge that the ICO has been relatively powerless in the face of the rise of corporate surveillance. This is not surprising given its origins as an arm’s-length regulator of government, and some of the particular issues of concern – like whether it took the Google wireless hacking episode seriously enough or made the correct decisions – are far from obvious. But one can clearly contrast the relatively activist stance of even quite bureaucratic Privacy Commissioners like the federal Canadian body over Facebook, with the ICO. It has in the recent past taken some serious actions against illegal private sector surveillance – for example the bust of a notorious blacklisting firm – but this direction appears to have fizzled out. Not being privy to internal policy discussions, I am not sure why.

Then there are some areas in which the criticisms are valid, but which may not be directed at the right target.

The first of these is the proliferation of Commissioners of various kinds – and incidentally, we have thankfully been spared the birth of yet another one with the cancellation of the ID Cards scheme. I have also been arguing for the merging of all the various surveillance-related quangos for a long time. The reason so many of them exist is partly because of the piecemeal way in which British legislative process occurs. There are rarely comprehensive Acts covering broad areas; instead, existing institutions, however inappropriate to the job needed, are often merely supplemented or modified. The other reason is of course the ongoing effort to protect certain parts of the state from serious scrutiny, in particular the intelligence services and political police.

The second is that, fundamentally, it seems clear that British data protection and privacy legislation is generally archaic and not up to the job. Neither is its Freedom of Information legislation, even though it was a massive advance on the culture of secrecy that preceded what in retrospect may have been one of New Labour’s most important measures.

However, I am not sure that either of these points is in itself a criticism of the ICO, but rather of the legislation which created it, and the governance environment in which it has to operate. The way in which the ICO came about, through a rough fusion of old Data Protection and newer Freedom of Information functions, produced a lumbering Frankenstein’s monster made of parts and bits, kept going on a drip-feed of limited funding, something that was never going to be capable of what campaigners expected of it. The same could be said partially of the critique of the complaints procedure, itself a widely shared opinion and one with which I would not take issue. However, how much of this is down to the limited funding and staffing, and once again, the foundational legislation which hampers as much as empowers the ICO to do much of what we outsiders would want them to do?

Then, some of the criticisms are more personal opinion, with which I am sure many in the ICO would disagree, particularly the idea that the ICO does not care about people. Both Simon and I know many people in the ICO personally and whatever our political differences with them, the idea that they are heartless data bureaucrats with no interest in people is a rather unhelpful and hyperbolic caricature, as is the idea that the ICO is an ‘enemy of privacy’. The ICO had a legally mandated job to do first and foremost and it needn’t, legally, go beyond that at all. Yet it has. The interventions that the previous Information Commissioner, Richard Thomas, made on surveillance in particular were absolutely vital in adding a new level to a debate that had previously, despite the best efforts of activists, campaigners and researchers, been of more marginal concern. One could argue that surveillance and privacy would never have become such a topic of parliamentary debate, let alone an election issue, without his advocacy. Certainly it hasn’t gone far enough, but it has hardly, during this period at least, acted as a stereotypically uncaring bureaucracy.

So what of the solutions?

Simon advocates only one: that the government “scrap the data protection functions of the ICO and building a new Privacy Act that creates a true watchdog with a broad mandate.” It is hardly surprising that Privacy International see the ‘privacy’ element as the most important one here. Simon will also not be surprised to discover that I disagree with him on this. In fact, my argument for a while has been that privacy cannot justifiably be prioritised over other forms of human informational rights. In addition, the concept of ‘human rights’ in general does not deal with everything about information relationships, positive or negative, and the many elements of those information relationships between state, citizen and corporation cannot be so arbitrarily separated.

I would therefore argue for a comprehensive Information Act, which covered citizens’ rights to information (their own, and that generated by government and corporations), their rights of privacy and the more general parameters of what the state and companies may know of those whose information this is and how they are allowed to do so (i.e. the limits of surveillance). I agree that ‘data protection’ is an out-of-date concept. But ‘privacy’ does not, and cannot, replace it, at least not alone. Privacy Commissioners, where they exist, find themselves dealing with a lot more than privacy and end up becoming ‘surveillance’ or ‘information commissioners’ in practice or by stealth, and in some cases an emphasis on privacy over all else can hamper legitimate needs to know (as has been true in the case of family members of elderly patients with dementia in Canada for example).

My conclusion about what a new Information Act would contain in terms of the regulatory bodies has something in common with Simon’s view, but I have two options. One is the creation of a single mega-regulator – a real Information Commissioner that covered all the areas of our information relationships with the state and corporations that would be able to go after corporations, local and national government over issues of their secrecy, transparency and accountability, and our privacy and informational needs. It wouldn’t just merge the existing ICO, Surveillance Commissioner, Interception of Communications Commissioner and so on, but start with new legislation and a new structure.

The other option would be to merge all the existing bodies but create two new ones to replace them: a Surveillance and Privacy Commissioner, to cover all of the areas of state and corporate intrusion into the lives of citizens, but also a Freedom of Information Commissioner, to cover the equally vital areas of state and corporate transparency and accountability. Privacy without FoI, whether together in one organisation or separate, is altogether too defensive an approach to what we can expect from the state.

And whichever route one took, the organisation(s) should have a wider range of powers built in and required – research (including technological foresight), advocacy, assessment, response and enforcement functions – with protected funding and legally binding decision-making capability. I think we would all be in agreement on that…

Facebook learns nothing

Having been strongly criticised over its ‘Places’ feature for its lack of understanding of the concept of ‘consent’ in data protection, and why ‘opt-in’ is better for users than ‘opt-out’ when it comes to new ‘services’ (i.e. ways they can share your data with other organisations), Facebook is doing it again.

Between today and tomorrow, the new Facebook feature called “Instant Personalization” goes into effect. The new setting shares your data with non-Facebook sites and it is automatically set to “Enabled”.

To turn it off: Go to Account>Privacy Settings>Apps & Websites>Instant Personalization>edit settings & uncheck “Enable”.

(Or of course, you can just ‘Turn Off All Platform Apps’ too!)

The really important thing is that if your Facebook Friends don’t do this, they will be sharing info about you as well. So, copy this and repost to yours…

(Thanks to Lorna Muir for this alert)

Two Weeks to Go for Bill C-32

Many people will still not be aware of the imminence of a new bill on copyright for Canada. Everything you need to know (and more) is on Michael Geist’s excellent site. The key thing is that, like most such bills around the world, this bill is still skewed towards industry perspectives and does not place much importance on the rights of the ordinary citizen or resident of Canada, in particular in the areas of ‘digital locks’ that prevent fair use of digital materials, and the lack of provision for copying across form factors for personal use. You have until the end of January to make your views heard.

Spain vs. Google or Freedom of Expression vs. the Right to Be Forgotten

Several outlets are reporting today the interesting clash between Spanish courts and Google. The argument is over whether Google should carry articles that have been challenged by Spanish citizens as breaching their privacy. An injunction was won in the courts by the Spanish data protection commissioner over publication of material that is being challenged under privacy legislation.

Clearly there are two main issues here. One is the specific issue of whether Google, as a search engine, can be considered as a publisher, or as it claims, simply an intermediary which publishes nothing, only linking to items published by others. This is important for Google as a business and for those who use it.

But the other, more interesting issue is the deeper question of what is going on here: the struggle between two kinds of rights. The right to freedom of expression, to be able to say what one likes, is a longstanding one in democracies; however, it is almost nowhere absolute. The problem in a search-engine enabled information age is that these exceptions, which relate to both the (un)truth of published allegations (questions of libel and false accusation) and of privacy and to several other values, are increasingly challenged by the ability of people in one jurisdiction to access the same (libellous, untrue or privacy-destructive) information from outside that jurisdiction via the Internet.

In Spain, the question has apparently increasingly been framed in terms of a new ‘right to be forgotten’ or ‘right to delete’. This is not entirely new – certainly police records in many countries have elements that are time-limited, but these kinds of official individually beneficial forgettings are increasingly hard to maintain when information is ‘out there’ proliferating, being copied, reposted and so on.

This makes an interesting contrast with the Wikileaks affair. Here, where it comes to the State and corporations, questions of privacy and individual rights should not be used even analogically. The state may assert ‘secrecy’ but the state has no ‘right of privacy’. Secrecy is an instrumental concept relating to questions of risk. Corporations may assert ‘confidentiality’ but this is a question of law and custom relating to the regulation of the economy, not to ‘rights’.

Privacy is a right that can only be attached to (usually) human beings in their unofficial thoughts, activities and existence. And the question of forgetting is really a spatio-temporal extension of the concept of privacy necessary in an information society. Because the nature of information and communication has changed, privacy has to be considered over space and through time in a way that was not really necessary (or at least not for so many people so much of the time) previously.

This is where Google’s position comes back into play. Its insistence on neutrality is premised on a libertarian notion of information (described by Erik Davis some time ago as a kind of gnostic American macho libertarianism that pervades US thinking on the Internet). But if this is ‘freedom of information’ as usually understood in democratic societies, it does have limits and an extreme political interpretation of such freedom cannot apply. Should Google therefore abandon the pretence of neutrality and play a role in helping ‘us’ forget things that are untrue, hurtful and private to individuals?

The alternative is challenging: the idea that not acting is a morally ‘neutral’ position is clearly incorrect because it presages a new global norm of information flow premised on not forgetting, and on the collapse of different jurisdictional norms of privacy. In this world, whilst privacy may not be dead, the law can no longer be relied on to enforce it and other methods, from simple personal data management to more ‘outlaw’ technological means of enforcement, will increasingly be the standard for those who wish to maintain privacy. This suggests that money and/or technical expertise will be the things that will allow one to be forgotten, and those without either will be unable to have meaningful privacy except insofar as one is uninteresting or unnoticed.

The Internet Must Be Defended (3): Everything is Terrorism?

One of the most ominous developments in the current conflict over Wikileaks has been the move in some quarters to define the publication of leaked information as something more than just ‘irresponsible’ or ‘criminal’ (e.g. ‘theft’ or even ‘espionage’). I have a lot of difficulty with those kinds of labels anyway, but it was only a matter of time before we saw serious, official calls for such activities to be defined as ‘terrorism’.

The Speaker of the Hungarian Parliament, Laszlo Kover, yesterday called for the action of leaking confidential and secret information to be redefined as ‘information terrorism’. He seemed to be referring here not just to Wikileaks but to all ‘online news reporting’, in other words, he is advocating treating those who report on such information as ‘terrorists’ too.

Terrorism, let us not forget, is the use of violence to influence politics, in other words to impose one’s political will through fear of death or injury. There is no way in the world that one can argue rationally that releasing information that allows people to see what happens inside the organisations making claims to rule over us, or act on our behalf, is that kind of violence, indeed it is highly irresponsible to try to associate the term with any processes of nonviolent communication.

The problem is that to many people this probably doesn’t seem unreasonable – people already talk about ‘information war’ as if that meant something clear and comprehensible. But this kind of action would be to extend the definition of terrorism, already stretched to breaking point by legislative changes in the USA, UK and other western countries, into the realm of freedom of speech and the politics of transparency and accountability.

Since 9/11, we have seen a gradual movement, at first indirect and associational as with John Robb’s talk of the ‘open-source insurgency’ back in 2005, and now increasingly overt, to define the advocates of openness and transparency as terrorists. This must be resisted before it takes root in any kind of legislation because ultimately this means that the Internet itself, the communications architecture which supports such activity, is portrayed as the vehicle for such ‘information terrorism.’ This will simply increase the movement of the drive to close the Net away from a crazy, fascistic notion (which it is) towards ‘common-sense.’ It will stifle the development of any genuine global polity.

What to do? Well the first thing is to respond immediately any time something like this is said by any politician or even commentator. This kind of talk should remain in the realm of the ridiculous and the repressive. We need to change the direction of the discourse.

The Internet Must Be Defended!

As I am just putting the finishing touches on a new issue of Surveillance & Society, on surveillance and empowerment, the furore over the Wikileaks website and its publication of secret cables from US diplomatic sources has been growing. Over the last few days, Julian Assange, the public face of the website and one of its founders, has been arrested in London on supposedly unrelated charges as US right-wing critics call for his head, the site’s domain name has been withdrawn, Amazon has kicked the organization off its US cloud computing service, one of Assange’s bank accounts has been seized, and major companies involved in money transfer, Paypal, Visa and Mastercard, have all stopped serving Wikileaks claiming that Wikileaks had breached their terms of service.

At the same time, hundreds of mirror sites for Wikileaks have been set up around the world, and the leaks show no sign of slowing down. The revelations themselves are frequently mundane or confirm what informed analysts knew already, but it is not the content of these particular leaks that is important, it is the point at which they come in the struggle over information rights and the long-term future of the Internet.

The journal which I manage is premised on open-access to knowledge. I support institutional transparency and accountability at the same time as I defend personal privacy. It is vital not to get the two mixed up. In the case of Wikileaks, the revelation of secret information is not a breach of anyone’s personal privacy, rather it is a massively important development in our ability to hold states to account in the information age. It is about equalization, democratization and the potential creation of a global polity to hold the already globalized economy and political elites accountable.

John Naughton, writing on The Guardian website, argues that western states who claim openness is part of freedom and democracy cannot have it both ways. We should, he says, ‘live with the Wikileakable world’. It is this view we accept, not the ambivalence of people like digital critic, Clay Shirky, who, despite being a long-term advocate of openness seemingly so long as the openness of the Internet remained safely confined to areas like economic innovation, cannot bring himself to defend this openness when its genuinely political potential is beginning to be realised.

The alternative to openness is closure, as Naughton argues. The Internet, created by the US military but long freed from their control, is now under threat of being recaptured, renationalized, sterilized and controlled. With multiple attacks on the net from everything from capitalist states’ redefinition of intellectual property and copyrights, through increasingly comprehensive surveillance of Internet traffic by almost all states, to totalitarian states’ censorship of sites, and now the two becoming increasingly indistinguishable over the case of Wikileaks, now is the time for all who support an open and liberatory Internet to stand up.

Over 30 years ago, between 1975 and 1976 at the Collège de France, Michel Foucault gave a powerful series of lectures entitled Society Must Be Defended. With so much that is social vested in these electronic chains of connection and communication, we must now argue clearly and forcefully that, nation-states and what they want be damned, “The Internet Must Be Defended!”

Japanese data losses expose surveillance of foreign residents

A scandal over leaked security documents has exposed the Japanese security service’s monitoring of foreigners, amongst other ‘anti-terrorist’ operations. The documents were posted on the web in November, and according to a report in the Yomiuri Shimbun last month, include “a list of foreigners being monitored by the division, and files related to secret police strategies – for example, guidelines for nurturing informants”.

Not only does this expose the concentration of the Japanese security services on foreigners, many included on the list simply by virtue of being ‘foreign’, rather than being any actually determined threat, but it is also a reminder that the Japanese laws on information sharing, leaking and so on, are archaic. As the newspaper says:

“At present, there is no law to punish those leaking confidential information. Even worse, stealing electronic data is not included in the list of offenses punishable under the Penal Code. In many cases, this makes it impossible for suspects to be held criminally responsible.”

I am not quite sure that the theft of electronic data is actually unpunishable, at least from conversations I have had with specialists in Japan, however I should add that there is, I am told, no law against selling stolen electronic data, which means that even if the theft could be punished, it would not reduce the economic incentives to steal data (which I have mentioned before is not uncommon).

Then of course there is the wider issue of whether it serves a higher purpose that this information is released anyway. No doubt it does embarrass the government, but there is no reason to think that this actively compromises real security in Japan as the NPA are quoted as claiming. If anything this does us a favour in reminding just how prejudiced much of the Japanese state’s relationship with its foreign residents, especially those who are non-white, is, and how much state surveillance is directed at them.

(thanks to Ikuko Inoue for sending me this story)

“To destroy invisible government”

There was a really interesting piece posted this week on the blog, zunguzungu, which analyzes an early essay written by Wikileaks frontman, Julian Assange. The essay which is available on Cryptome (pdf) – itself a precursor of Wikileaks – is a very well-crafted and argued piece which reveals Assange as a radical idealist for a new transparent society, whose aim is ultimately to destroy the need for Wikileaks itself by making secretive government impossible. Very worth reading.

Latest round of Wikileaks shows nothing new, but changes everything

The ongoing Wikileaks revelations have been fascinating, but the latest round, those of US diplomatic cables, are perhaps the least revealing thus far. Basically, there’s a lot of the usual personal opinion and gossip that one would expect and the unsurprising revelations that the US gathers information on its allies as well as its enemies. The only really challenging insight is that Saudi Arabia want Iran dealt with far more urgently, it seems, than Israel. But then, even that is hardly unexpected given the religious and political gulf between those two states.

The more important thing for the longer-term is the process going on here, the fact that nation-states, even powerful ones, no longer seem to be able to have complete control over the information that they generate. Potentially, this is not about international relations at all or about any one particular nation-state, but potentially challenges the asymmetrical relationship between all nation-states and their peoples. Of course, there are already right-wing US politicians scrambling to label Wikileaks as a terrorist organisation, which just shows how corrupted the use of the idea of ‘terrorism’ has become, but below this, it demonstrates the very real fear of losing control amongst the political elite. The problem is that, with the current wave of nationalism sweeping the USA, such desperate sentiments play well to the gallery…

US subversion in Norway

Norway has long been a close ally of the USA. Outside of the EU, but inside NATO, it provided bases and consistent support for the USA during the Cold War, unsurprisingly seeing neighbouring USSR as a serious threat to its interests. Yet… those days would seem to be long gone, at least as far as the US is concerned, if a story recently revealed is to be believed.

According to the Dagbladet newspaper, Norway’s TV2 News reported that 15-20 Norwegians, including ex-police, had been recruited by the US Embassy over 10 years to form a secret group, the Surveillance Detection Unit (SDU) that would apparently monitor terrorist threats in Norway. The group operated from a building near the embassy, and collected information on hundreds of Norwegian citizens, whose details were added to a database called SIMAS (Security Incident Management Analysis System).

This was all done apparently without the Norwegian government’s consent, although according to the report, the US Embassy has admitted carrying out the program. The question is – is this standard US practice, or simply a ‘rogue’ embassy group of bored spooks getting above themselves? The answer is that it is almost undoubtedly the former. SIMAS is the US diplomatic service’s global database. According to a Privacy Impact Assessment (!) submitted by the State Department on the system:

“Security Incident Management and Analysis System (SIMAS) is a worldwide Bureau of Diplomatic Security (DS) web-based application, which serves as a repository for all suspicious activity and crime reporting from U.S. Diplomatic Missions abroad (all U.S. embassies and consulates). Department of State personnel, including Diplomatic Security personnel, regional security officers, and cleared foreign nationals, enter Suspicious Activity Reports (SARs) into SIMAS as a central repository for all physical security incidents overseas. SIMAS Reports typically contain a detailed narrative description of the suspicious activity prompting the report, available suspicious person(s) and vehicle descriptors, and other identification data as may be available (e.g. photographs). Reports also indicate date, time and location of suspicious activity, and may include amplifying comments from relevant Bureau offices.”

The data entered into the system on individuals include:

“Citizenship Status and Information (source-documents)

  • DSP-11 (Passport Application)
  • OF-156 (VISA application)

Biometric Information (source-observation and photography)

  • Gender
  • Race
  • Height
  • Weight
  • Eye Color
  • Skin Tone
  • Hair Color
  • Hair Style
  • Images
  • Age or Estimated Age
  • Body Type (Build)
  • Scars, Marks, & Tattoos

Other (source-personal interview by authorities)

  • Name
  • Address
  • DOB
  • Telephone Number
  • Father’s Name
  • Mother’s Name”

It is supposed to be limited to “suspicious or potentially threatening incidents gathered from observations in the vicinity of a post” in order to protect the embassy, however it seems that far more was going on in the case uncovered in Norway, and it would not be surprising if the SDU was operating as a cover for a range of other intelligence activities.

Update: the Norwegian government is now complaining to the US government about this, saying that it breaks Norwegian privacy laws. But, but… they did a PIA! Surely everything is okay now? Oh, and the US claim that “Norwegian authorities had been informed in advance about the surveillance activities.” Hey, this means someone is lying to us! Surely not… 😉