Category: information rights

Further details on the new UK government’s Civil Liberties agenda

The UK full coalition agreement between the Conservatives and Liberal Democrat parties has just been published. It includes a section on civil liberties which is much more than we could have hoped for and which makes no mention of rolling back the Human Rights Act or the more ludicrous fringe Conservative demands… In full it is as follows:

“The parties agree to implement a full programme of measures to reverse the substantial erosion of civil liberties under the Labour government and roll back state intrusion.

This will include:

• A freedom or great repeal bill;

• The scrapping of the ID card scheme, the national identity register, the next generation of biometric passports and the Contact Point database;

• Outlawing the fingerprinting of children at school without parental permission;

• The extension of the scope of the Freedom of Information Act to provide greater transparency;

• Adopting the protections of the Scottish model for the DNA database;

• The protection of historic freedoms through the defence of trial by jury;

• The restoration of rights to non-violent protest;

• The review of libel laws to protect freedom of speech;

• Safeguards against the misuse of anti-terrorism legislation;

• Further regulation of CCTV;

• Ending of storage of internet and email records without good reason;

• A new mechanism to prevent the proliferation of unnecessary new criminal offences.”

All of these points are excellent. They lack detail of course, and the devil is always in the detail, and I would have liked to have seen a little more on what would be included in the ‘great repeal’ given that later it only talks about ‘safeguards’ against the abuse of anti-terrorism laws, but really this is as good as anyone could have hoped for, even, though they may not admit it, many of the more socially-liberal Labour Party supporters. The reform of libel laws and commitment to transparency is equally as welcome as the rolling back or regulation of surveillance, and this seems to extend into other parts of the agreement for the reform of government and elections. I hope the eventual full programme will also include some rationalisation of the crazy landscape of multiple ‘commissions’ to regulate different aspects of state-citizen information relations, in favour of an expanded and more powerful Information Commissioner’s Office, but we will see. However, this is a great start (and I never, ever, thought I would be saying that about a Conservative government…).

UK pushes forward with online data retention plans

Like Canada, the UK is pushing forward with new plans to force telecommunications companies and ISPs to retain online data, despite opposition from both the industry and ordinary service users. The New Labour govenrment had delayed the plans from last year, faced with the strength of the opposition and launched a ‘consulation’. The consultation apparently still generated 40% opposition, which one would think was enough to tell them that something was wrong. But, as I said last year, “the collection of such traffic data will still go ahead… partly at least because the Americans want it; there is pressure on many countries for this kind of data collection and storage – see for example, the FRA law in Sweden. Networking these databases together with others is a major aim of the FBI’s secretive ‘Server in the Sky’ project.”

However, now the UK plans go further than many other countries’ schemes in this area, as they would cover not only traffic data but also a whole range of data which would not normally have been regarded as  traditional communications like social networking activity and even internal online gaming data. This would seem to be in line with US programs that regard the behaviour of – let’t not forget, fantasy – game and virtual world avatars as somehow indicative of real-world tendencies and practices (e.g.: Projects VACE and Reynard), an extremely dubious assumption and one which extends the reach of the state into people’s fantasy and dream lives.

The BBC story mentions an estimated 2Bn GBP (around $3.5 CAN) cost for this – which will no doubt be passed on to service users – but given the immense problems posed by some of this data, I would reckon that this could a massive underestimate, especially if one takes into account the UK state’s history of appallingly-managed computerisation and database-building schemes. The original plans also would have allowed all agencies empowered under the Regulation of Investigatory Powers Act (RIPA) to make use of such data, and the RIPA consultation response from the UK government did contain some indications that some new agencies would be given powers of access, but I am still not sure whether the government will keep the list of agencies as long as it was in last year’s draft Communications Bill.

US Congress debates online data protection

The US House of Representatives will finally get to debate whether online advertising which tracks the browsing habits of users is a violation of privacy and needs to be controlled. A bill introduced by Rep. Rick Boucher of Virginia will be propsing an opt-out regime that gives users information about the uses to which their data will be put, and allows them to refuse to be enroled. At present many such services work entirely unannounced, placing cookies on users’ hard drives and using other tracking and datamining techniques, and without any way in which a user can say ‘no’. Of course, we have yet to see the results of the inveitable industry scare-stories and hard-lobbying on the what will be proposed, let alone pased. But the proposal itself is particularly significant because so far the US has so far always bowed to business interests on online privacy and data protection, and if this bill is pased, it is a sign that what EFF-founder, Howard Rhiengold, long ago called the ‘electronic frontier’ might start to acquire a little more law and order in favour of ordinary people.

Facebook forced to grow up by Canadians

Wel, Facebook has finally been forced to grow up  and develop a sensible approach to personal data. Previously, as I have documented elsewhere, the US-based social networking site had pretty much assumed ownership of all personal data in perpetuity. However it has now promised to develop new privacy and consent rules and ways of allowing site users to chose which data they will allow to be shared with third parties.

So why the sudden change of heart? Well, it’s all down to those pesky Canucks. Yes, where the USA couldn’t bothered and where the EU didn’t even try, the Canadian Privacy Commissioner, Jennifer Stoddart, had declared Facebook to be in violation of Canada’s privacy laws. And it turns out that in complying it was just easier for Facebook to make wholesale changes for all customers rather than trying to apply different rules to different jurisdictions.

This suggests an interesting new phenomenon. Instead of transnational corporations being able to always seek out a country with the lowest standards as a basis for compliance on issues like privacy and data protection, a nation with higher standards and an activist regulator has shown itself able to force such a company to adjust its global operations to its much higher standard. This is good news for net users worldwide.

However, we shouldn’t rejoice too much: as Google and Yahoo have shown in the case of China, in the absense of any meaningful internal ethical standards, a big enough market can still impose distinct and separate policies that are far more harmful to the interests of individual users in those nations.

Varieties of anti-surveillance activism in Japan

Although some progressive activists would like it to be otherwise, anti-surveillance feeling is not confined to the left, indeed in many countries, like the USA, libertarian individualist right-wing anti-surveillance activism is perhaps more common. And it seems that such a position is not unusual in Japan either.

Having returned from a weekend of hot springs, fine sake-tasting and eating way too much, today we met with the Mayor of the Suginami ward of Tokyo, Hiroshi Yamada, a prominent figure in the anti-juki-net campaign, and a also one of the leaders of a group of right-wing figures trying to promote a new nationalist grouping at that end of the Japanese political spectrum. But this new right is not at all a simple matter of ‘back to the 1930s’ that some commentators would have you believe. Yes, this group – which also includes the Mayors of major cities including Yokohama and Nagoya as well as popular journalists like Yoshiko Sakurai – has very conservative, revisionist views, on Japanese history, but in many ways they have far more in common with the new US libertarian right in their rejection of large state and high taxes, and in other areas too, for example Sakurai has rather unscientific views on climate change!

Part of the this libertarian outlook is the rejection of state intrusion into the private lives of individuals. Mayor Yamada saw the juki-net system as part of unwelcome movement towards a more top-down society, concentrating power at the centre. He was very clear that the state’s ability to collect information on the individual should be based on what the individual wanted to give up, not on what the state thought it needed (this is very much the opposite of what the Prime Minister’s IT Strategic HQ said to us last week). He was also most concerned about the risks posed by large databases, both as an attractive target to external hackers and to corrupt use from inside operators. Yamada is not opposed to what he calls IT shakai (IT society), but the use of IT should be based on what is useful to individuals, and of course what is actually he needed, he argued, would often be less expensive than the massive computerisation schemes favoured by the current administration as part of their i-Japan strategy. In this sense, he said he would oppose any move to unnecessary centralised databases and certainly to any possible national ID register or card.

In most respects, what Mayor Yamada said could probably have been said by any left-wing civil liberties activist in the UK, or by conservative right opponents of intrusive state like Conservative ex-Shadow Cabinet Minister, David Davis. Perhaps many aspects of what is felt to be wrong with surveillance society do not correlate neatly with old left-right divisions. This view was shared by Toshimaru Ogura, a Toyama University professor and major figure in left-wing anti-surveillance activism whom we met with just afterwards, along with campaigning journalist, Midori Ogasawara again. Just as the Convention on Modern Liberty event earlier in the year showed for the UK, there are many different varieties of anti-surveillance feeling in Japan, and whilst opponents may disagree with each other, and may even find other aspects of the politics of their erstwhile collaborators utterly distasteful, they do collaborate, even if it is only for short periods.

Professor Ogura’s analysis, as that of Ogasawara and indeed of Kanshi-no! whom we met the other day, is much more focused on the way in which surveillance excludes and discriminates – against union members, activists, gaikokujin (foreigners) and so on – and also the ways in which it favours the interests not just of the state but capital. We’ll be talking to groups who deal with the concerns of these excluded people in the last week we are here. Privacy is important, but Ogura’s analysis is concerned with the disproportionate effects of surveillance. It is not just that privacy is affected but that particular groups’ and individuals’ rights are damaged more than others, and those people are not generally the ‘ordinary taxpayers’ to whom Yamada and the libertarian right are trying to appeal.

Like me, Professor Ogura is also particularly interested in the way in which particular corporations and business coalitions pushing technological ‘solutions’ to social and organisational problems can have a profound influence the way government makes decisions. Such coalitions would still be there however large government was, and in some ways, without a government large enough to stand up to the private sector, a different kind of more purely market-driven surveillance society would emerge. In that sense, it is what government does, and to whom it responds, that is more important that more arbitrary questions of ‘size’.

There’s a lot more to consider here too, in particular the extent to which any of the things we consider under the umbrella of ‘surveillance’ are actually and actively part of some coordinated state (or other) plan. I’m starting to develop a sense of this here, but I will leave those thoughts to another post.

(Thank-you to Mayor Hirioshi Yamada, Professor Ogura Toshimaru and again, to Midori Ogasawara for being so generous with their valuable time).

At the IT Strategic Headquarters

Yesterday we visited the Prime Minister’s IT Senryaku Honbu (IT Strategic Headquarters). (This has actually been the only national-level government agency that has agreed to speak to us, and some of the reasons for refusal have been rather telling, not least that of Houmusho (the Ministry of Justice), which claimed that they had nothing to do with privacy and so on, which betrays a level of ignorance about the effects of their own policies that is probably more the result of bureaucratic sectionalism and literalism than anything else but is nevertheless interesting!). The IT Strategic HQ is responsible for developing the ‘i-Japan’ strategy, the latest incarnation of what has at various times been called ‘Information Society Japan’ and ‘e-Japan’ policy. They are also the agency that wrote the most recent Japanese data protection laws, which I wrote about a couple of weeks ago.

We were treated to a prepared presentation on the latest incarnation of the i-Japan strategy, in which the ‘i’ seems to stand for ‘inclusion’ and ‘innovation’ but not apparently for ‘interactive’, which one might expect from its use elsewhere in computing. However it was the brief interview we had afterwards that was more enlightening.

In short, the government has acknowledged that what they originally wanted out of juki-net has failed due to opposition, despite the supreme court victory that ruled that the current cut-down version was constitutional. However, as Kanshi-no! argued, they are not going to back down that easily. The movement towards the creation of centralised government databases will continue, and there most likely will eventually be a fully configured identification system (and card) and rather alarmingly, the new i-Japan strategy makes it quite clear that laws that currently prevent this from happening will simply be changed or removed. They do not want opposition groups, nor indeed the current global recession, to be able to hold up or change these plans.

However the main thrust of development of centralised databases has shifted away from juki-net and the jyuminhyo (residents’ registration) system, towards national insurance, health and pensions. This is, as the agency than runs juki-net, Lasdec, suggested to us – and I am now beginning to think that this suggestion was rather more of a loaded hint than I had first thought – by far the most data-rich area of government records and therefore in many ways more suitable for being the basis of an architecture of central registration and identification. The database that the government intends to create in this area will also have the possibility for citizens to add in (voluntarily, they say), information from private sources, such as bank account and other financial details. Of course this could be more ‘convenient’ in terms of benefits and taxes, but it also puts an enormous amount of previously private data in the government’s hands and presents a huge temptation to identity fraud and theft from both outside and, more importantly inside the state bureaucracy (and let’s not forget, most identity fraud is an inside job).

It gets more worrying still as despite the advanced stage of these plans, the government has apparently still not decided exactly who will have access to this database, and the police in particular, as well as private insurance companies, are still considered as potential users. It seems that although the IT Strategic HQ might have developed data protection in Japan but they do not appear to understand its principles of necessity, proportionality and consent – indeed I asked them about these principles and they really had no serious reply. Instead they claimed that people in Japan wanted to have these central databases because the current fragmented system had led to poor security and data losses, and in any case, ageing society and the pensions crisis meant this had to be done. I have noticed that in Japan, ‘ageing society’ like ‘terrorism’ in the UK, seems to have become the spectre evoked to silence potential criticism.

There are many other issues too: the government is also trying to introduce a voluntary system of Electronic Health Records (EHR), but this is not as developed as the Connecting for Health centralised database that is still experiencing significant problems in its introduction in the UK; and there are some rather less controversial social inclusion measures included the provision of computers for schools and so on. However my overall impression after leaving the IT Strategic HQ was of a government that was determined to press ahead with centralised collection and control of personal information regardless of the views of citizens or of whether it is really necessary even to achieve the policy aims they have. And this won’t change as the result of a change in government either. If, as seems likely, the Liberal Democratic Party (LDP or Jyuminshuto) are voted out, the Democratic Party of Japan (DPJ or Minshuto) which will succeed them, has already said that it will create a central database.

(Thank-you to the officials of the IT Strategic Headquarters for their time).

Tokyo Brandscaping and the SuiPo system

Brandscaping is a term used in marketing to describe the metaphorical landscape of brands (either for a particular brand, company or sector), however it is also being used by some researchers, including me, to describe the way in which brands are being infiltrated into urban landscapes, with the ultimate aim of being ‘inhabitable’ perhaps even 24/7 (see for example Disney’s move into urban development with Celebration in Florida).

Contemporary brandscaping makes use of new ambient intelligence, pervasive or ubiquitous computing technologies (‘ubicomp’) and ubiquitous wireless communications to create a landscape in which the consumer is targeted with specific messages directing them to certain consumption patterns. Such communication cans of course be two-way and provide corporations with valuable and very personal data on consumption patterns. As I’ve argued in many presentations over the last few years, ubicomp is necessarily also ubiquitous surveillance (what I call ‘ubisurv’ – hence the name of this blog!) because to work it requires locatability and addressability. Japan, and Tokyo in particular, has been the site for a number of cutting edge experiments in this regard, including the ‘Tokyo Ubiquitous Technology Project’ which embedded 1000 RFID tags which can communicate with RFID-enabled keitai (mobile phones) in upscale Ginza as well as several other pilot schemes around Ueno Park and Shinjuku.

TUTP is not all about marketing surveillance however, part of the scheme has involved ‘Universal Design’ (UD) principles, with one experiment to embed chips in the yellow tactile tiles designed to help guide sight- and mobility-impaired people around the city so that useful access information could be passed through specially-enabled walking sticks. I’m very interested in such experiments as they indicate an alternative direction for ubicomp environments which are about genuinely enabling people who are currently disabled by social and architectural norms, and creating a richer sensory landscape. They show that both surveillance and ‘scary’ technology like RFID chips can be humanised.

Unfortunately in our consumer-capitalist world (and Tokyo is the exemplary city of hyper-consumption), marketing and building brandscapes tends to take priority over enabling the excluded and the disadvantaged. But there are different ways of doing this too, which can be more or less intrusive and consensual. The other day I was talking about the growth in functionality of the Suica smart travel card system. Suica-enabled keitai can now, be used buying all sorts of things and since 2006 there have been a growing number of ‘SuiPo’ (short for ‘Suica Poster’) sites, Suica-enabled advertising hoardings that will, on demand send information to your mobile e-mail address with on particular advertising in which you are interested if you pass your Suica card or phone over a scanner placed next to the poster (see photos below)

The difference between SuiPo and the Ginza RFID scheme however is that it with SuiPo is that it is the consumer who makes the choice whether to activate any particular poster’s additional information system. In this sense it is a development of the i-Mode system in which many keitai can read information from special barcodes embdedded in magazine advertisements. It doesn’t automatically call your phone every time you pass an enabled poster, once you have signed up. Not as high-tech but slightly more consensual. However this will, of course, lead to the accumulation of a lot of data on consumption interests. This potentially generates a massive consumer surveillance tool, because it can be linked up travel patterns (your registered Suica card sends information back on where you go – I was wrong about the absolute differences between London’s Oyster and Tokyo’s Suica systems the other day) and information about consumption.

So will this potential become reality? The page on privacy and data protection on the SuiPo website (as usual the link is hidden away at the bottom of the front page!), is pretty standard stuff except for the legitimate purposes for which the data can be used once you sign up. They are, for those who don’t read Japanese, for:

  1. Sending the specific requested information to you;
  2. Improving services;
  3. Data processing and analysis;
  4. JR East’s promotional marketing; and
  5. JR East customer questionnaires.

Purposes 2 and 3 pretty much allow JR to do anything it likes with the data once you have signed up, and there is no statement as to what can or cannot be done with data once it has been ‘mined’ – analysed and transformed into more useful to the company or other organisations (corporate or state) which might want to buy or access such knowledge. ‘Ubisurv’ indeed…

Data Protection in Japan

Comprehensive data protection in Japan is fairly recent. Until 2003, data protection was still governed under much two earlier ‘ information society initiatives: firstly, the Act for the Protection of Computer Processed Personal Data Held by Administrative Organisation (1988) and secondly, the Protection of Computer Processed Personal Data Act (1990), which are based on the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. These laws were limited an applied only to the state, and within that, only to some national government organisations rather than all of them.

Lawyers and those concerned with privacy within and without government were well aware of these limitations, and in the late 90s, a special Privacy Issues Study Working Group was set upby the Electronic Commerce Promotion Council of Japan (ECom). This committee issued Guidelines Concerning Protection of Personal Data in Electronic Commerce in the Private Sector in March 1998. The Chair of that committee, Professor Masao Horibe, provides an account here.

Subsequently, a Personal Data Protection Legislation Special Committee was established in January 2000 under the Advanced Information and Telecommunications Society Promotion Headquarters (now the IT Strategic Headquarters), a body responsible directly to the Japanese cabinet. This body has issued all the laws and directions regarding IT, e-Japan etc.

The need to “protect personal data” (kojin deta) was mentioned in Article 22 of the Basic Law on the Formation of an Advanced Information and Telecommunications Network Society within the rubric of ‘security’. This was followed up by the e-Japan strategy of January 2001, which under the section on the Facilitation of E-Commerce, recommended that “Necessary legislative measures should be taken to win the confidence of consumers, including submission of a bill to protect personal data to the ordinary session of the Diet in 2001.”

The Bill was introduced in March 2001, but as a result of concerns about its effects on the freedom of the press, was left to fall by 2002. However the Personal Information Protection Bill was passed in 2003, one of five bills with implications for data protections to be passed in that Diet session.The bill came into force in 2005. I’ll discuss the content and operation of the bill later, but there’s a good summary in English from when the Bill was passed here.

The one particularly interesting thing to note here is that it doesn’t designate or establish any one body to oversee the operation of the law or the enforcement of rights, or deal with complaints as in European countries and Canada, for example, Instead it keeps data protection as an internal matter for designated government ministries (and for companies), with legal action an option if all else fails. The law is generally on the side of data flow and commercial / administrative convenience, which is not surprising given its origins in industry-led e-commerce promotion organisations.

Google: ‘give us data or you could die!’

I’ve been keeping a bit of an eye on the way that online systems are being used to map disease spread, including by Google. What I didn’t anticipate is that Google would use this as a kind of emotional blackmail to persuade governments to allow them as much data as they like for as long as possible.

Arguing against the European Commission’s proposal that Google should have to delete personal data after 6 months, Larry Page claims that to do so would be “in direct conflict with being able to map pandemics” and that without this the “more likely we all are to die.”

Google talk a lot of sense sometimes –  I was very impressed with their Privacy counsel, Richard Fleischer, at a meeting I was at the other week – and in many ways they are now an intimate part of the daily lives of millions of people, but this kind of overwrought emotionalism does them no favours and belies their moto, ‘don’t be evil’.

(again, thanks to Seda Gurses for finding this)

Phorm philling

UK satirical magazine, Private Eye, this week brings the ludicrous Stop Phoul Play website to my attention. This is a corporate spin site devoted entirely to defending BT’s underhand and intrusive ‘Phorm’ online advertising technology against what it calls ‘privacy pirates’ who they claim are either being paid or pushed to damage BT.

Those listed as ‘piracy pirates’ include the excellent investigative IT journal, The Register, the Open Rights Group and the brilliant Foundation for Information Policy Research (FIPR), along with numerous bloggers and contributors to web forums. Now, it may be that some other corporations with rival technologies would like Phorm to fail, just as Microsoft probably enjoys it a great deal every time Google takes a PR hit (or vice-versa), but to suggest that everyone who make a criticism of Phorm is secretly part of some conspiracy against BT is frankly, either stupid paranoid.

And there are very good reasons for being critical of Phorm in the trojan-like manner of its operation and the way in which it has been tested without the consent of users. As Private Eye also reminds us, Phorm has landed the UK government in legal trouble with the EU. It hardly needs a conspiracy to make people justifiably annoyed.

This is one of the weirder exercises in PR I have seen, not least because its paranoia and promotion of conspiracies can only be damaging to BT. Thus it is no surprise to find that, according to the The Register, that it is the product of the fevered imagination of Patrick Robertson, whose previous clients include the lovely General Pinochet and former Tory MP and convicted liar, Jonathan Aitkin. So go take a look at Stop Phoul Play (while it still exists…) – it really is quite insane.