Data Protection in Japan

Comprehensive data protection in Japan is fairly recent. Until 2003, data protection was still governed by two much earlier ‘information society’ initiatives: firstly, the Act for the Protection of Computer Processed Personal Data Held by Administrative Organisation (1988) and secondly, the Protection of Computer Processed Personal Data Act (1990), which are based on the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. These laws were limited and applied only to the state, and within that, only to some national government organisations rather than all of them.

Lawyers and those concerned with privacy within and without government were well aware of these limitations, and in the late 90s, a special Privacy Issues Study Working Group was set up by the Electronic Commerce Promotion Council of Japan (ECom). This committee issued Guidelines Concerning Protection of Personal Data in Electronic Commerce in the Private Sector in March 1998. The Chair of that committee, Professor Masao Horibe, provides an account here.

Subsequently, a Personal Data Protection Legislation Special Committee was established in January 2000 under the Advanced Information and Telecommunications Society Promotion Headquarters (now the IT Strategic Headquarters), a body responsible directly to the Japanese cabinet. This body has issued all the laws and directions regarding IT, e-Japan etc.

The need to “protect personal data” (kojin deta) was mentioned in Article 22 of the Basic Law on the Formation of an Advanced Information and Telecommunications Network Society within the rubric of ‘security’. This was followed up by the e-Japan strategy of January 2001, which under the section on the Facilitation of E-Commerce, recommended that “Necessary legislative measures should be taken to win the confidence of consumers, including submission of a bill to protect personal data to the ordinary session of the Diet in 2001.”

The Bill was introduced in March 2001, but as a result of concerns about its effects on the freedom of the press, was left to fall by 2002. However the Personal Information Protection Bill was passed in 2003, one of five bills with implications for data protection to be passed in that Diet session. The bill came into force in 2005. I’ll discuss the content and operation of the bill later, but there’s a good summary in English from when the Bill was passed here.

The one particularly interesting thing to note here is that it doesn’t designate or establish any one body to oversee the operation of the law or the enforcement of rights, or deal with complaints as in European countries and Canada, for example. Instead it keeps data protection as an internal matter for designated government ministries (and for companies), with legal action an option if all else fails. The law is generally on the side of data flow and commercial / administrative convenience, which is not surprising given its origins in industry-led e-commerce promotion organisations.

Japan to introduce resident-monitored CCTV

One of the most interesting developments in recent years has been the way in which the state has attempted to adapt Japan’s traditional culture of responsibilized local community organisations (chounaikai) for the new surveillance society (kanshi shakai, in Japanese). Cynics may well argue that what is called here bohan machizukuri (or community safety development – or sometimes the similar anzen anshin machizukuri) is simply a way in which the government can attempt to save money whilst pretending to be tough on what is always claimed to be a worsening crime rate. It is also true to say that this is also a further perversion of the machizukuri (bottom-up community development) idea that came out of local environmental movements of the 1960s.

Nevertheless, the Japan Times reported that the Keisatsuchou (National Police Agency or NPA) appears to be pushing forward with plans to extend its rather small number of CCTV cameras* into 15 residential areas starting January 2010 (two of which, Higashiyamato and Musashimurayama, are suburbs of Tokyo, and I’ll be visiting these whilst I am here) at the cost of 597 Million Yen (around £3.85 Million or $6.3 Million US). There’s always an underlying fear that is played on when such systems are installed, and in this case it is a classic: the threat to children. The small camera systems (around 25 cameras in size) will be installed on streets that are commonly used by kids going to and from school.

The fact that the schemes are focused on child safety would certainly be one of the reasons why the use of local volunteer committees to watch the cameras and manage the data from local civic facilities like community centres, has been put forward. It could also be in response to opposition from some local residents to what they see as the imposition of unwanted state invasion of their privacy, although according to the Japan Times, the police say it “will help residents to secure safety by themselves.” Their big problem is that there do not appear to be many volunteers yet!

There are many questions here. One mystery is that in Japan most school runs already have several, often elderly, volunteers who look out for children in person, in a more genuinely machizukuri form of bohan machizukuri, so why the more expensive cameras? Another massive question is the one around privacy and data protection. How will volunteers be expected to act as official data controllers, especially in such a sensitive area as surveillance of children in public space? Finally, what will the effect be on trust and community relations to have one set of people in the community monitoring others? How will they be held accountable?

These, and many other questions will be just some of the things occupying my time here for the next two months…

*There are just 363 NPA cameras in Japan, however there are more owned by local municipal authorities, particularly in Tokyo, and thousands more operated by private companies and shoutenkai (shopkeepers’ associations).

MI5 in all kinds of trouble…

The British internal security service, MI5, has found itself in all kinds of trouble this week. First there was the report of the inquiry into the intelligence aspects of the 7/7 bombings in London. Although the report ‘cleared’ MI5 of wrongdoing (which was hardly unexpected!), it is clear that there was a catalogue of intelligence failures resulting from aspects as varied as a lack of funding, poor communication between MI5 and police, and simple mistakes in judging the seriousness of the activities of those who came to the notice of MI5, particularly the two eventual bombers, Mohammed Sidique Khan and Shehzad Tanweer.

Then today, there have been serious allegations made in The Independent of MI5 trying recruitment by blackmail on young British Muslims. Basically the modus operandi was to approach the potential informant and tell them that they were suspected of terrorist activities or terrorist sympathies, but that if they cooperated with MI5 then this would be overlooked. However if they refused then their ‘terrorist connections’ would be made more widely known.

All of this, as if it needed pointing out again, leads to the clear conclusion that the security services need better and more transparent oversight, as well as clearer direction, and yes, perhaps more money (if they can behave themselves). The point is that properly controlled and justified targeted surveillance of genuine suspects (like Khan and Tanweer) is exactly what a security service should do, whereas mass preemptive surveillance (a la Met Police) or random blackmail is not. In fact the latter would tend to be counterproductive as in general, they will increase distrust in government and in particular, drive more young Muslims towards extremism.

Google: ‘give us data or you could die!’

I’ve been keeping a bit of an eye on the way that online systems are being used to map disease spread, including by Google. What I didn’t anticipate is that Google would use this as a kind of emotional blackmail to persuade governments to allow them as much data as they like for as long as possible.

Arguing against the European Commission’s proposal that Google should have to delete personal data after 6 months, Larry Page claims that to do so would be “in direct conflict with being able to map pandemics” and that without this the “more likely we all are to die.”

Google talk a lot of sense sometimes – I was very impressed with their Privacy counsel, Richard Fleischer, at a meeting I was at the other week – and in many ways they are now an intimate part of the daily lives of millions of people, but this kind of overwrought emotionalism does them no favours and belies their motto, ‘don’t be evil’.

(again, thanks to Seda Gurses for finding this)

Contact Point goes live

The controversial new central database of all children in the UK has gone live today for the North-west of England, and will gradually be rolled out across the UK. The £224M ‘Contact Point’, one of the main planks of the ‘Every Child Matters’ initiative, will be accessible to around 390,000 police, social workers and other relevant professionals. It is mainly being promoted as a time-saving initiative, allowing quicker and more informed intervention in the case of vulnerable children, which we all hope it does, although this of course depends on the correct information being on the database in the first place. In addition, the Joseph Rowntree Reform Trust review, Database State, rated the system as ‘red’ for danger in terms of privacy:

“because of the privacy concerns and the legal issues with maintaining sensitive data with no effective opt-out, and because the security is inadequate (having been designed as an afterthought), and because it provides a mechanism for registering all children that complements the National Identity Register.”

FBI data warehouse revealed by EFF

Tenacious FoI and ‘institutional discovery’ work both in and out of the US courts by the Electronic Frontier Foundation has resulted in the FBI releasing lots of information about its enormous dataveillance program, based around the Investigative Data Warehouse (IDW). 

The clear and comprehensible report is available from EFF here, but the basic messages are that:

  • the FBI now has a data warehouse with over a billion unique documents or seven times as many as are contained in the Library of Congress;
  • it is using content management and datamining software to connect, cross-reference and analyse data from over fifty previously separate datasets included in the warehouse. These include, by the way, both the entire US-VISIT database, the No-Fly list and other controversial post-9/11 systems.
  • The IDW will be used for both link and pattern analysis using technology connected to the Foreign Terrorist Tracking Task Force (FTTTF) program, in other words Knowledge Discovery in Databases (KDD) software, which, through connecting people, groups and places, will generate entirely ‘new’ data and project links forward in time as predictions.

EFF conclude that datamining is the future for the IDW. This is true, but I would also say that it was the past and is the present too. Datamining is not new for the US intelligence services, indeed many of the techniques we now call datamining were developed by the National Security Agency (NSA). There would be no point in the FBI just warehousing vast numbers of documents without techniques for analysing and connecting them. KDD may well be more recent for the FBI and this phildickian ‘pre-crime’ is most certainly the future in more ways than one…

There is a lot that interests me here (and indeed, I am currently trying to write a piece about the socio-technical history of these massive intelligence data analysis systems), but one issue is whether this complex operation will ‘work’ or whether it will throw up so many random and worthless ‘connections’ (the ‘six-degrees of Kevin Bacon’ syndrome) that it will actually slow down or damage actual investigations into real criminal activities. That all depends on the architecture of the system, and that is something we know little about, although there are a few hints in the EFF report…

(thanks to Rosamunde van Brakel for the link)

Phorm philling

UK satirical magazine, Private Eye, this week brings the ludicrous Stop Phoul Play website to my attention. This is a corporate spin site devoted entirely to defending BT’s underhand and intrusive ‘Phorm’ online advertising technology against what it calls ‘privacy pirates’ who they claim are either being paid or pushed to damage BT.

Those listed as ‘privacy pirates’ include the excellent investigative IT journal, The Register, the Open Rights Group and the brilliant Foundation for Information Policy Research (FIPR), along with numerous bloggers and contributors to web forums. Now, it may be that some other corporations with rival technologies would like Phorm to fail, just as Microsoft probably enjoys it a great deal every time Google takes a PR hit (or vice-versa), but to suggest that everyone who makes a criticism of Phorm is secretly part of some conspiracy against BT is, frankly, either stupid or paranoid.

And there are very good reasons for being critical of Phorm in the trojan-like manner of its operation and the way in which it has been tested without the consent of users. As Private Eye also reminds us, Phorm has landed the UK government in legal trouble with the EU. It hardly needs a conspiracy to make people justifiably annoyed.

This is one of the weirder exercises in PR I have seen, not least because its paranoia and promotion of conspiracies can only be damaging to BT. Thus it is no surprise to find that, according to The Register, it is the product of the fevered imagination of Patrick Robertson, whose previous clients include the lovely General Pinochet and former Tory MP and convicted liar, Jonathan Aitken. So go take a look at Stop Phoul Play (while it still exists…) – it really is quite insane.

High Court rules innocent man’s DNA must be removed from database

As if the government wasn’t in enough of a bind over the police National DNA databases, in a landmark ruling yesterday, the High Court of England and Wales has decided that the DNA of the innocent should not be on the database in the current legal circumstances. The man from County Durham was maliciously accused of assaulting a pupil at the school at which he was a teacher, and despite volunteering for questioning was arrested, fingerprinted and swabbed. These records were of course kept despite his innocence.

This story reminds us that being on the NDNAD is not an isolated thing, but part of a complex network of records that do imply suspicion (like it or not) – even Sir Alec Jeffreys, who pioneered DNA fingerprinting, thinks so… in the case of this teacher, he would have been wrongly suspected every time he applied for jobs working with children.

This is another indication that the government’s policy on the DNA database and police tactics to populate it, have been not just morally questionable but illegal, and confirms that the response issued this week was inadequate and devious. It will be interesting to see how they might now immediately have to modify their plans to conform to this new ruling (which, being a British court, they can hardly blame on ‘un-British’ European law)…

UK National DNA Database – what will change?

The government’s official response to the damning ruling by the European Court over the retention of DNA and fingerprint samples and data is a farce, which seems utterly contemptuous of the ruling and reasoning of the court, and shows no sign of understanding the significance of Article 8 or the British common law principle of innocent until proven guilty.

One thing that has struck me recently in the UK has been the sudden increase in the level of defensiveness by New Labour over the surveillance apparatus it has constructed over the last 12 years. Report after report has damned their slapdash attitude to human rights and civil liberties – we expect the government’s official response to the Lords Constitution Committee report next week – and there have been attacks from various political ‘big beasts’ including David Blunkett, former MI5 Chief Stella Rimington, and most recently Stephen Byers and even current cabinet ministers reportedly asked for the ID card scheme to be scrapped.

As a result, there has been a splurge of sudden backtracks, retreats and promises of change and consultation on future plans but there have also been rather devious attempts to avoid taking real action to remedy already existing wrongs. In the first category, we have seen the abandonment of Clause 152 of the Coroners and Justice Bill, where a blanket permission for government data-sharing had been hidden, and there have been suggestions that the proposed new super-database of communications traffic data might not be constructed after all – though largely, it seems, on grounds of cost not principle.

However, in the second category, today we got the government’s official response to the damning ruling by the European Court over the retention of DNA and fingerprint samples and data by the UK police. It is, to put it mildly, a farce, which seems utterly contemptuous of the ruling and reasoning of the court, and shows no sign of understanding the significance of Article 8 for individual liberty. Mind you, it also shows little sign of comprehending the British common law principle of innocent until proven guilty.

The government proposals are to retain the DNA samples and profiles, and fingerprints (these are just as important and not so often mentioned in the news reports) of all those convicted of a crime. Of the innocent, the National DNA Database (NDNAD) has around 350,000+ people who are certainly in such a position, however the police apparently need two years to go through the Police National Computer to check the other 500,000+  DNA profiles of those not convicted of any crime, as they can’t be sure whether existing profiles match to those who have committed offences (so much for joined-up government…).  Then those people, who are, let’s not forget, entirely innocent in law will be sorted into two categories – those arrested but not convicted for serious and violent offences, and those arrested and not convicted of minor offences.

Will the latter have their profiles immediately removed, as we might reasonably expect?

Err, no.

In fact, these innocent people will have their DNA profiles and fingerprints retained for 6 years – more than the number of years (5) that Scotland retains the DNA of those suspected of serious and violent offences. Those in the latter category will have their DNA profiles and fingerprints retained for 12 years. In addition the profiles of children will be retained until they are 18, and then removed only if they have been arrested (again, not convicted) for one minor offence.

Is this an acceptable response? Quite clearly not. It is against the spirit of the ruling by the European Court, even if it might be interpreted as complying with the exact wording issued. More to the point, it is an attempt to get around the difficult issues, not deal with them. It is devious, based on the pre-emptive logic of risk-surveillance principles, and goes against the long-standing principles of British Common Law as well as more recent developments in Human Rights law, and is not the response of a government that has any trust in the people who elected them. It allows the police to continue to populate the NDNAD by stealth.  And they certainly are using whatever methods they can to do so – for example, one key indicator is the rise in the number of stop and searches under Section 44 of the Terrorism Act, which in London, it was also reported today, rose from 72,000 in 2007 to 170,000 in 2008, a rise of 236%, however it rose by 325% amongst the black population. There seems to be no mention of the role that discriminatory stop and search policing plays in populating the NDNAD in recent government statements, however it is quite clear that stop and search policing is discriminatory, and we know too that young black men are disproportionately represented in the NDNAD.

In this climate, with a government obsessed by pre-emptive security to compensate for its growing loss of power and trust, and a police service that appears, after the G20, increasingly out-of-control, what is the chance of developing a fair, accountable, just and transparent system of personal data retention in law enforcement in the UK? At the moment, it could appear, the answer is ‘very small’.

Government gives personal data to private companies

It has been revealed that the British government has been passing information gathered by the police on citizens to private companies. The Guardian today showed that data on climate change protestors found its way from the police to the ridiculously-renamed Department for Business, Enterprise and Regulatory Reform (BERR) to power company, E-ON.

Now, of course the government can argue that electricity supply is a matter of ‘resilience’, ‘contingency planning’ and ‘national security’, but then how can they justify it being in private corporate hands in the first place? How exactly can companies whose primary aim is to provide ‘shareholder value’ at all costs, many of whom are transnationals that have no commitment to the UK, be treated as if they were state organisations, and be given data from state databases? The boundaries between public and private are being increasingly eroded, and once again, it is the relationship between citizen and state which suffers.

The government cannot just give data, especially data which was collected in very questionable ways for highly dubious reasons in the first place, to whoever it thinks might find it useful. This kind of action shows that the state is now quite often simply the servant of private enterprise, and the police no better than an adjunct to private security. It makes a mockery of regulation of surveillance power and data protection, and does nothing for our already-weakened trust in the state’s ability to protect our rights or information.