Category: UK

Private Sector Data Losses

People often concentrate rather too much on abuses by the state of personal data. But private sector organisations are certainly no better. One key example was made public this week, when the new UK Information Commissioner, Christopher Graham, announced that he would be prosecuting a major mobile phone company (he is not saying which one yet*) for selling personal information which it held on customers. The trade in personal information is a very difficult thing to regulate: telecoms companies will deny up front that they ever do anything like this, but yet we know it happens frequently in every jurisdiction, in both management-sanctioned and illicit forms; and practically, of course, once the information is ‘out there’, it cannot be recalled. So, no-one should feel safe just because they have ticked (or unticked) that little box under all that often indeciferable text about what a company might do with your data. I hope that whatever firm this is, it gets hits where it will hurt most, on its bottom line.

*Update: T-Mobile have now confirmed that they are the company responsible.

UK pushes forward with online data retention plans

Like Canada, the UK is pushing forward with new plans to force telecommunications companies and ISPs to retain online data, despite opposition from both the industry and ordinary service users. The New Labour govenrment had delayed the plans from last year, faced with the strength of the opposition and launched a ‘consulation’. The consultation apparently still generated 40% opposition, which one would think was enough to tell them that something was wrong. But, as I said last year, “the collection of such traffic data will still go ahead… partly at least because the Americans want it; there is pressure on many countries for this kind of data collection and storage – see for example, the FRA law in Sweden. Networking these databases together with others is a major aim of the FBI’s secretive ‘Server in the Sky’ project.”

However, now the UK plans go further than many other countries’ schemes in this area, as they would cover not only traffic data but also a whole range of data which would not normally have been regarded as  traditional communications like social networking activity and even internal online gaming data. This would seem to be in line with US programs that regard the behaviour of – let’t not forget, fantasy – game and virtual world avatars as somehow indicative of real-world tendencies and practices (e.g.: Projects VACE and Reynard), an extremely dubious assumption and one which extends the reach of the state into people’s fantasy and dream lives.

The BBC story mentions an estimated 2Bn GBP (around $3.5 CAN) cost for this – which will no doubt be passed on to service users – but given the immense problems posed by some of this data, I would reckon that this could a massive underestimate, especially if one takes into account the UK state’s history of appallingly-managed computerisation and database-building schemes. The original plans also would have allowed all agencies empowered under the Regulation of Investigatory Powers Act (RIPA) to make use of such data, and the RIPA consultation response from the UK government did contain some indications that some new agencies would be given powers of access, but I am still not sure whether the government will keep the list of agencies as long as it was in last year’s draft Communications Bill.

Guardian article

The Guardian‘s Comment is Free site published a short version of my critiques of RIPA today… you can read it here.

 

Or the full version prior to editing is here:

A little-known tribunal is meeting this week to consider a case a case of wrongful surveillance. The case brought by Jenny Paton and Tim Joyce against Poole District Council in the Regulation of Investigatory Powers Tribunal concerns the local authority’s targeted surveillance measures against the couple and their children in an investigation of their application for school places. Among other activities, council employees trailed the family and interrogated neighbours.

The case comes in the same week that the government issued its response to a consultation process on the reform of the law which the tribunal oversees: the Regulation of Investigatory Powers Act (RIPA) (2000). RIPA has proved controversial as it seems to give many different public bodies new powers of surveillance, but that isn’t entirely true: as many local council officials admit, much of this was going on before 2000, but RIPA regulates and restricts it – in fact, it restricts it too much to some of the published responses to the consultation process. It is, however, almost impossible to determine whether RIPA has increased or decreased surveillance of this kind as no consistent records were kept prior to RIPA’s introduction. What is certainly the case is that the public is now more aware of the use of surveillance powers by agencies they had never realized were allowed to do such things.

Surveys have found that only 9% of RIPA authorizations resulted in either prosecution of enforcement action. In Australia, earlier this year, when only 28% of the use of targeted surveillance (in that case by police) resulted in prosecutions, their law was denounced as an excuse for ‘fishing expeditions.’ So what does a 9% rate indicate for Britain? Desperation perhaps? Or at least that RIPA was being massively overused for trivial issues. The House of Lords Constitution Committee report, Surveillance: Citizens and the State, certainly thought so, arguing not only that the inadequate administrative procedures should be reviewed but also that the government should think again about the whole business of allowing Local Authorities police powers, and that in any case, these powers “should only be available for the investigation of serious criminal offences which would attract a custodial sentence of at least two years.”

The government has failed to take heed of these recommendations. Ok, so they have agreed to restrict the authorization of covert surveillance under RIPA to ‘Director, Head of Service, Service Manager or equivalent’, and that Local Authorities should designate compliance officers so there will be no more junior officers deciding to play James Bond, as in the Poole case. However, by going to a ‘consultation’ whose respondents were dominated by Local Authorities and other RIPA-enabled agencies, they have managed to avoid doing anything particularly radical. This started from limiting the scope of the review through the questions they asked in the consultation.

For example, by asking which covert investigatory techniques specifically should be removed (and discounting any views that said ‘all of them’) they managed to get a mixed set of answers that failed to produced a clear vote against any one technique. Result: no techniques get removed and in fact some of the existing allowed techniques get extended to yet more agencies, for example the new Child Maintenance and Enforcement Commission (the replacement for the Child Support Agency). In particular, this extension of powers covers telecommunications data, whose keeping by the state has of course increased since RIPA was proposed. Now RIPA will be used to allow new bodies access to this data.

A curious note throughout the response by the government is the insistence on using an idea of non-interference with law-enforcement as a reason for not allowing elected officials any more than strategic scrutiny over the actions their own officials take under RIPA. This matters because RIPA is just one of many ways in which law-enforcement is not spreading as a function to increasing numbers of agencies beyond the police and judiciary. This seems to be general position that New Labour has taken – although it hasn’t always got its way – does anyone remember the dropped proposals to allow any ‘responsible people’ to levy on the spot fines?

And the government response seems to take a bullish delight in attacking those who have criticized the surveillance society. They insist, for example – and despite all the evidence to suggest that such interventions have limited effectiveness – that Local Authorities should make more use of overt, mass surveillance, like CCTV, instead of using RIPA. They are creating a binary choice, which seems to say assume that some kind of surveillance should be used: which do you choose, overt or covert? But, of course, that shouldn’t be the choice at all. They are also trying to have their cake and eat it on CCTV: the response to the consultation dismisses those consultees who brought up the subject of CCTV – which is not covered by RIPA – but feel quite able themselves to recommend its extended use in their own response. This of course also ignores the perfectly legitimate feeling amongst many that it is about CCTV was brought under proper control and a reformed RIPA might well be the place to do it.

Then there are things missing: notably, the concentration on Local Authorities, which for the most part has completely obscured the use of covert surveillance by central government departments and arms-length agencies including the Department for Environment, Food and Rural Affairs (Defra), the NHS and the Environment Agency, all of which have been criticized in the past by the Surveillance Commissioner.  Nothing seems to be proposed to increase the visibility of the RIPA Tribunal which is, just for now, in the news. The Lords described it as all but invisible and weak. Nor do the government propose to do anything to strengthen training or the Code of Practice, and in any case, there has been a huge over reliance on such self-regulation for matters which should have more formal control; this is also how CCTV and the security industry is largely – and incredibly ineffectively – regulated in the UK.

Pretty much anyone could have predicted this limp response from the Home Office to some rather serious problems. They don’t read their own research, they don’t do consultation in a meaningful manner, and then, surprise, surprise, they conclude that there really isn’t very much wrong after all. Jenny Paton and Tim Joyce may well disagree, and let us hope that the RIPA Tribunal do too.

RIPA to be limited

The UK Home Office is finally publishing plans to reform the Regulation of Investigatory Powers Act (RIPA) which defined in law the surveillance powers open to hundreds of government bodies. You can see what I have previously said about the consultation here. The consultation on RIPA actually had 7 major questions. The Home Office has now responded to all the opinions offered during the consultation. In more detail, this is what was said:

1.    Taking into account the reasons for requiring the use of covert investigatory techniques under RIPA set out for each public authority, should any of them nevertheless be removed from the RIPA framework?

Response: basically, none should be removed. Although the Home Office noted that many respondents had objections, they didn’t feel they added up. Indeed this section also seems to include extensions of the powers (or clarifications that act effectively as extensions) for example the ability of the Child Maintenance and Enforcement Commission (the replacement for the Child Support Agency), to have access to telecommunications data to investigate fathers required to pay child support. These extensions may be warranted or not, but they show the tendency for what Gary Marx long ago called ‘surveillance creep’ to occur – the saving of telecommunications data has increased since RIPA was proposed and now RIPA will be used to allow new agencies access to this data.

They also note that they will not be returning any of these investigatory functions to the police. This is interesting because later they use the reason of non-interference in law-enforcement for denying elected councillors detailed oversight. So this confirms a trend to less and less accountable law enforcement.

2. If any public authorities should be removed from the RIPA framework, what, if any, alternative tools should they be given to enable them to do their jobs?

Response: given the previous response, it is not surprising that no real change is proposed here. The Home Office in fact insists that more emphasis should be placed on overt surveillance by local authorities (like CCTV) in order to reduce the need to resort to RIPA’s covert surveillance!

3.    What more should we do to reduce bureaucracy for the police so they can use RIPA more easily to protect the public against criminals?

This wasn’t a question that I ever noticed critics of RIPA asking. Some agencies seem to have objected to the amount of paperwork around RIPA and The Home Office “agrees that it is in no-one’s interests for documentation to be unnecessarily time-consuming” and they, for once, insist on a proper auditable trail that can help protect privacy. They say in any case, applications are already down massively.

There is an interesting note that suggests the increasing use of RIPA for counter-terrorism activities which is left rather open – “the Government is facilitating the work of police collaborative units, such as the regional counter-terrorist units… This means officers seeking to use techniques under RIPA will be able to apply to authorising officers in different forces, where the Chief Officers have made a collaboration agreement that permits this”, in other words that RIPA might be used for massive, blanket undercover surveillance operations. Now that certain wasn’t what the government has recently claimed it was intended for – although of course, as anyone with any kind of memory will recall, it was exactly the justification used for passing it.

4.    Should the rank at which local authorities authorise the use of covert investigatory techniques be raised to senior executive?

Response: The media reports thus far have focused on the plan to limit the authorisation of such practices to council chief executives and directors – a recommendation made by the House of Lords Constitution Committee – what the Home Office actually recommends is to restrict the decision to a rather wider set: ‘Director, Head of Service, Service Manager or equivalent’. So, no junior officers any more, which is good, but not necessarily senior managers only. They also recommend having a compliance officer designated, which is good if they genuinely work on active and ethical compliance rather than thinking of excuses in retrospect.

5. Should elected councillors be given a role in overseeing the way local authorities use covert investigatory techniques?

Response: yes they should, but it should be ‘strategic’ and limited to once a year setting of policy and strategy with quarterly oversight meetings. They argue, as I mentioned earlier, that non-interference in law-enforcement is a good reason for keeping elected officials away from the details… Councillors in the UK have been increasingly hamstrung in the way that they can oversee their supposed bureaucracy, even to the point where they have been fined and suspended for criticising their own officers. Some real control would be welcome (after all, that is what the purpose of local democracy should be).

6. Are the Government’s other proposed changes in the Consolidating Orders appropriate?

Response: the Home Office basically rejected all the respondents’ comments on the proposals.

7.    Do the revised Codes of Practice provide sufficient clarity on when it is necessary and proportionate to use techniques regulated in RIPA?

Response: the codes of practice will be made clearer. No more guidance will be given. The Guardian says that the proposals will ‘ban’ the use of RIPA for ‘minor matters’ but I can’t really see that they do this, and the points of such codes is usually to avoid recourse to the law by encouraging a voluntary self-regulation; it is how CCTV is largely – and incredibly ineffectively – regulated in the UK too.

UK police still adding innocent people’s DNA to database

 

Research in the UK has shown that police forces in Britain are continuing to add the DNA – and incidentally the fingerprints, although this is never mentioned – of innocent people to the DNA database despite the European Court of Human Rights ruling that it was illegal (and the government’s promise to accept the ruling). According to The Guardian newspaper today, 90,000 innocent people have been added to the National DNA database (NDNAD) since a the court ruling and the Association of Chief Police Officers (ACPO) – incidentally, a private organisation – is still telling chief constables to continue with this collection. On the other hand the process of removing individual profiles has been painfully slow: only 611 DNA profiles of innocent people have been removed, and all as a result of individual challenges in court. It seems that the police are determined to drag their feet as long as possible and, in fact, break the law quite openly. Hardly a good example…

Surveillance image of the week 3: remembering One and Other

One and Other, Anthony Gormley’s remarkable populist and popular participatory artwork, which enabled 2400 ordinary people to spend an hour each on the vacant fourth plinth in London’s Trafalgar Square, ended recently. Not surprisingly, given London’s reputation as a the surveillance capital of the world, there were some pointed reminders. This ‘plinther’ spent her hour dressed as a CCTV camera looking at the watchers and the watched…

CCTV plinth protest
CCTV plinth protest

(thanks to Eric Stoddart for this)

UK state spy program targets innocent

The headline may not come as any surprise but a damning report has been released on a key strand of the British government’s counterterrrorism strategy, Preventing Violent Extremism (or just ‘Prevent’). £140m (around $200m US) has been allocated to this program but much of it seems to have been devoted not to combatting nascent Islamic extremism (which is the stated aim) but MI5 simply collecting masses of information on entirely innocent British Muslims – information that will be kept until they are 100 years old! Part of this is because of the tenuous nature of the strategy in the first place: how would one define or identify those who are not terrorists but might become so? Will it be, as in cases reported by The Guardian, the student who attends a lecture on the conditions in Gaza or Muslim men with mental health problems? And much of this depends on teachers and lecturers reporting students. Therefore the program would seem inevitably to encourage suspicion and distrust, as Arun Kundnani writes and as the general tone of left and civil liberties critique has reinforced. But opposition has come from all sides: Pauline Neville-Jones, the Conservative shadow security minister, but also former chair of the Joint Intelligence Committee and political director of the Foreign Office, has also condemned the whole approach of New Labour, which she argues is rooted in the identification of discrete ‘communities’ who share similar characteristics. This can of course be the basis of a form of multiculturalism, but at times of increased security and suspicion it seems all to easy for it to morph into what is effectively racial profiling…

Manchester Airport trials virtual strip-search system

Rapiscan image (BBC)
Rapiscan image (BBC)

You would think after 4 years of trials at Heathrow, that British airports would now be able to work out whether or not they could and more importantly, should, use the various varieties of body scanners that are now available. However Manchester Airport is holding another trial starting from now at its Terminal 2. At least it will give a chance for the public to say what they think. The scans are remote – i.e.: the officer observing the images is not on the airport floor, which prevents the kind of scenario we mentioned in our Report on the Surveillance Society of lewd remarks directed at passengers. Personally, I am rather less concerned about this rather abstract view of my body being seen briefly as I pass through an airport than I am about my financial details and personal life being traded between private companies, or about being under constant video surveillance in ordinary public space in the city. However, the images, although ghostly, are detailed enough that genitals, deformities, medical implants and so on can be seen, and if this story is to be believed it would seem that there is no provision for women’s images to be seen by a women alone and men’s only by a man. This will make it entirely unacceptable to some people, in particular members of certain religious groups. But the scans are – at least, for now – voluntary, in that passengers can refuse and have a traditional pat-down search instead.

However, this technology won’t be staying in the airports for long. I reported back in July on stories that terahertz wave scanning could soon be made to fit into portable cameras. That raises a whole different set of social, political and ethical questions…

(Thanks to Simon Reilly for sending me the link)

Towards Open-Circuit Television

The era of Closed-Circuit Television (CCTV) surveillance may be coming to an end. Surprised? Unfortunately, this does not mean that we are likely to see less surveillance, and cameras being torn down any time soon – quite the contrary. Instead a number of developments are pointing the way to the emergence of more Open-Circuit Television (OCTV) surveillance. These developments include technological ones, like wireless networking, the move to store data via ‘cloud’ computing, participatory locative computing technologies like CityWare, and the increasing affordability and availability of personal surveillance devices (for example, these plug and play mini-cameras unveiled at DemoFall 09). However they also include changes in the way that video surveillance is monitored and by whom.

Back in 2007, a pilot scheme in Shoreditch in London, which enabled residents to watch CCTV cameras on a special TV channel, was canned. However the project had proved to be incredibly popular amongst residents. Now The Daily Telegraph reports that an entrepreneur in Devon, Tony Morgan has set up a company, Internet Eyes, which is marketing what is calls an ‘event notification system’. They plan to broadcast surveillance footage from paying customers on the Internet, with the idea that the public will work as monitors. They won’t just be doing this for nothing however: the whole thing is set up like a game, where ‘players’ gain points for spotting suspected crimes (three if it is an actual crime) and lost points for false alarms. To back this up, there are monthly prizes (paid for out of the subscriptions of the organisations whose cameras are being monitored) of up to 1000 GBP (about $1600 US). Their website claims that a provisional launch is scheduled for November.

Mark Andrejevic has been arguing, most recently in iSpy, that those who watch Reality TV are engaging in a form of labour, now we see the idea transferred directly to video surveillance in ‘real reality’ (a phrase which will make Bill Bogard laugh, at least – he’s been arguing that simulation and surveillance are increasingly interconnected, for years). This idea might seem absurd, indeed ‘unreal’ but it is an unsurprising outcome of the culture of voyeurism that has been engendered by that combination of ever-present CCTV on the streets and Reality TV shows that came together so neatly in Britain from the early 1990s. It certainly raises a shudder too, at the thought of idiots and racists with time on their hands using this kind of things to reinforce prejudices and create trouble.

But is it really so bad? At the moment, UK residents are asked to trust in the ‘professionalism’ of an almost entirely self-regulating private security industry or the police. Neither have a particularly good record on race-relations for a start. Why is it intrinsically worse, if there are to be cameras at all (which I am certainly not arguing that there should be) to have cameras that are entirely open to public scrutiny? Is this any different from watching public webcams? Wouldn’t it actually be an improvement if this went further? If say, the CCTV cameras in police stations were open to public view? Would it make others, including the powerful, more accountable like a kind of institutionalised sousveillance?

In Ken Macleod‘s recent novel, The Execution Channel, the title refers to an anonymous but pervasive broadcast that shows the insides of torture chambers and prison cells, which functions as a device of moral conscience (at least for literary purposes) but also a Ballardian commentary on the pervasive blandness of what used to be the most outrageous atrocity. Accountability is in the end as far from this project as it is from Internet Eyes. Set up like a game, it will be treated like a game. It strips out any consequence or content from reality and leaves just the surfaces. What is ‘seen’ is simply the most superficial – and seen by the most suspicious. Participatory internet surveillance is Unreality TV. In any case, I don’t think it will either be successful in terms of crime-control (other such participatory surveillance schemes, like that on the Texas-Mexico border, have so-far proved to be failures) or useful in social terms, and may also be illegal without significant safeguards and controls anyway.

And there is nothing to stop multiple people signing up with multiple aliases and just messing the system up… not that I’d suggest anything like that, of course.

(Thank-you to Aaron Martin for badgering me with multiple posts pointing in this direction! Sometimes it just takes a little time to think about what is going on here…)

Racial profiling hits a new low

Just when you think that state surveillance in supposedly free countries could not sink any lower, it has been revealed that UK Border Agency is finding a pilot project into using DNA and isotope analysis to determine the origin of asylum-seekers. This is not a joke or a scare-story. It is a real project. Science Insider has the details here. The Agency is refusing to say who is doing this research for them, nor has it provided any references to studies that show that what they are proposing will work. It appears that most scientists working in the area think it is based on entirely faulty premises and there is no reason to believe it will work. That’s only a minor objection compared to the political and ethical ones of course. As the story in Science Insider points out the Border Agency seem to be making a fundamental (and totally racist) error in assuming that ethnicity and nationality are synonymous. And this research would probably not got past any university ethics committee, which makes one wonder what kind of screening or ethical procedures the Border Agency used, and indeed who would carry out such an obviously unsound piece of research. It’s another example of increasingly unaccountable arms-length agencies (which have proliferated in recent years) using the ‘technical’ as an excuse to bypass what should be a matter of high-level policy, and indeed something that so obviously harks back to the bad days of Europe’s racist and genocidal past that it beggars belief that any sane official would have let this get further than a suggestion in a meeting.

(thanks to Andy Gates for pointing me to the story)