Government gives personal data to private companies

It has been revealed that the British government has been passing information gathered by the police on citizens to private companies. The Guardian today showed that data on climate change protestors found its way from the police to the ridiculously-renamed Department for Business, Enterprise and Regulatory Reform (BERR) to power company, E-ON.

Now, of course the government can argue that electricity supply is a matter of ‘resilience’, ‘contingency planning’ and ‘national security’, but then how can they justify it being in private corporate hands in the first place? How exactly can companies whose primary aim is to provide ‘shareholder value’ at all costs, many of whom are transnationals that have no commitment to the UK, be treated as if they were state organisations, and be given data from state databases? The boundaries between public and private are being increasingly eroded, and, once again, it is the relationship between citizen and state which suffers.

The government cannot just give data, especially data which was collected in very questionable ways for highly dubious reasons in the first place, to whoever it thinks might find it useful. This kind of action shows that the state is now quite often simply the servant of private enterprise, and the police no better than an adjunct to private security. It makes a mockery of regulation of surveillance power and data protection, and does nothing for our already-weakened trust in the state’s ability to protect our rights or information.

EU Telecommunications Directive in effect

From today, private lives in the UK will be a little less private, as EU Directive 2006/24/EC becomes part of national law.

Traffic data on e-mail, website visits and Internet telephone calls now have to be recorded and retained by Internet Service Providers (ISPs). Specifically, the Directive mandates the retention of: the source of a communication; the destination of a communication; the date, time and duration of a communication; the type of communication; the type and identity of the communication device; and the location of mobile communication equipment.

This is coming into force despite the fact that many countries and ISPs still object to the directive. It has to be said that many ISPs are objecting on grounds of cost rather than any ethical reason. German courts are yet to determine the constitutionality of the directive and Sweden is not going to implement it at all.

As with many of these kinds of laws, it was rushed through on a wave of emotion after a particular ‘trigger event’ – in this case, the 7/7 bombings in London in 2005. There was a whole lot of devious practice in the Council of Ministers to get it passed too – if the Directive had been considered as a policing and security matter, it would still have needed unanimity, which means that the objections of Germany and Sweden would have vetoed the Directive. Instead, it was reclassified as ‘commercial’ on the grounds that it was about the regulation of corporations, and commercial matters need only a majority vote. How convenient…

The Home Office in Britain says our rights are safe because of RIPA, which is hardly cause for rejoicing. My main concerns, apart from the fact that this is yet another moment in the gradual erosion of private life, are that:

1. police access will rapidly become routine rather than specific, and this could be extended to many other public authorities – the original drafts of the Communications Bill would have extended the right of access to such data to all RIPA-empowered organisations (which includes most public authorities);

2. the data will be used illicitly by ISP employees for criminal purposes (remember that most identity thefts are inside jobs) – the records will be a blackmailer’s delight;

3. there will be more ‘losses’ of this data by ISPs and others who have access to it. Remember the accidental revelation of user data by AOL in the USA?

A quarter of UK databases break privacy laws

A new report for the Joseph Rowntree Reform Trust by a very credible, largely Foundation for Information Policy Research (FIPR) team that combines engineers, lawyers, software developers, and political scientists, has concluded that a quarter of the UK public-sector databases are illegal under human rights or data protection law. It also looks at UK involvement in some European database projects and finds all of them questionable too.

The report rates the 46 databases on a traffic light system – green, amber, red – and argues that those rated ‘red’, in particular the National Identity Register and the Communications Database, are simply unreformable and should be scrapped. This is massively important because it is based not simply on a financial, political or even an ethical position, but on the database projects’ respect for existing law. They are simply illegal, and not just massively expensive, morally questionable or politically undesirable. In fact, a quarter of all the databases were found to contravene the law and more than half were ‘problematic’ (i.e. open to challenge in court). All of those rated ‘amber’ (29 databases), the authors argue, should be subject to independent review.

There are a number of other major recommendations, including the reassertion of the necessity and proportionality tests contained in DP law, that citizens should have anonymous rights to access data, more open procurement of systems, and better training processes for civil servants. The most important and radical measures proposed, and entirely correctly in my view, are those concerning the location of data and the whole nature of UK IT development. For the former, the report recommends that the default location for sensitive personal data should be local, with national systems kept to a minimum – this appears to be rather like the ‘information clearing house’ system as opposed to central databases, that we proposed in our Report on the Surveillance Society, but better worded and justified! In the latter case, the authors simply note that fewer than 30% of government IT projects succeed at a cost of 16Bn GBP per annum and that there should never be a general and aimless government IT program, rather there should only ever be specific projects for clearly defined and justified (proportional and necessary) aims.

It is an excellent report and probably unanswerable in its logic. Tellingly, The Guardian report contains no response from any government minister…

EU to EULA if UK is OK

I have just completed an article on the UK as a ‘bad example’ to the rest of Europe, and lo and behold another piece of regressive, repressive idiocy by the British government appears. It seems that the UK is trying to amend the proposed EU-wide Telecommunications package to destroy the principle of net neutrality. Their proposals will “remove the principle of users’ rights to access and distribute Internet content and services”, and replace it with “a ‘principle’ that users can be told not only the conditions for access, but also the conditions for the use of applications and services.”

In other words, they want to make the entire Internet work by End-User Licensing Agreements (EULAs) rather than the general principle of end-to-end connectivity. It is a kind of digital enclosure, an attempt to impose on the Internet the same kind of removal of common rights that the British ruling classes imposed on the land from the Seventeenth Century onwards. There is nothing of the Internet Age about this, indeed it is pre-industrial – it is pure justification of the same powerful economic interests that the British state has always represented. And, as the original report points out, this is particularly bitter because both the British (OFCOM-originated) amendments and their duplicate Czech mini-me amendments have a lot of their substantive justifications cut’n’pasted wholesale from Wikipedia!

Like the thieves who stole our land, they are utterly shameless.

(I think I originally saw this in BoingBoing, and sorry for not linking it, but it keeps crashing my little computer right now…)

‘Blacklisting’ firm shut down by ICO

For some time, I’ve been concerned about the little-discussed practice of ‘blacklisting’, the creation and sale of databases of workers thought to be troublemakers, radicals or union activists. Last year, I noted the failed attempt by the British government to legitimise this activity with the creation of the National Dismissal Register, and connected this to earlier surveillance of workers through the Economic League. See this more recent post where I summarised the story in a slightly different context.

But the Economic League, set up after WW1 and finally closed in 1993, had several offshoots. Now, as reported in most of the British press, one of them has been closed down by the UK Information Commissioner’s Office (ICO). ‘The Consulting Association’, a firm based in Droitwich, Worcestershire had apparently been operating for 15 years selling confidential information on construction workers to all the major building companies. According to the BBC, 3,213 workers’ names were contained on the list and were categorised by political affiliations and union activity etc.

Not surprisingly the firm was owned and run by one Ian Kerr, who was previously involved in the Economic League and who still seems to think he was doing nothing wrong, despite his past, and despite the fact that he had previously denied even the existence of this database. But he, along with all the clients named by the report, including Amec, Taylor Woodrow, Laing O’Rourke and Balfour Beatty and many others – there is a full list on the Guardian site – were breaking the Data Protection Act by illegally keeping and trading in personal information. We’ll see whether the big building firms get away with it; most likely they will simply claim that they didn’t know the data was illegally acquired and traded.

Given the recent history of the National Dismissal Register to set up databases of troublesome workers, it is particularly ironic that minister, Peter Mandelson, is quoted as applauding this action by the ICO in the various reports.

Protecting yourself from surveillance

The Electronic Frontier Foundation (EFF) and the Open Society Initiative have created the very useful ‘Surveillance Self-Defense’ (SSD) site. Although the SSD is aimed at US citizens and the legal aspects are therefore more relevant to those living in the States, the general advice and information on risk management and defensive technologies is all worth reading for anyone who uses a computer anywhere in the world.

Essentially this is a kind of care and maintenance of your ‘data double’ concept, which is one response to the growth of surveillance. Of course no-one should think that this kind of ‘personal information economy’ approach is enough and the EFF certainly don’t. There is in any case a general effect that could emerge from this kind of action should large numbers of people start taking the advice of EFF: mass surveillance effectively becomes more difficult, more expensive and less worthwhile. However, things like SSD cannot be a substitute for political action to curb the powers of state and private sector to monitor us and reduce individual liberties and dignity.

Australia gives up net censorship plan

Some good news for once. The Sydney Morning Herald reports that the heinous plans that the Australian government had for surveilling and censoring the Internet have been iced. The plans would have introduced mandatory filtering of the Internet in Australia despite the technical impossibility and political and ethical objections. The fight over these proposals had been vicious with opponents even receiving death threats, but the side of both sense and liberty appears to have won an important victory.

Now, let’s see if similar good sense will prevail in other countries which are advocating similar, if not quite as extreme, China-style net-disabling proposals like the UK and Brazil.

(Thanks to bOINGbOING who’ve been keeping us up to date on this one)

David Blunkett Attacks Surveillance!

I know. Pause. Take a deep breath…

You read it right. The former UK Home Secretary, with a reputation as one of the most authoritarian of recent years (though it is hard to choose in that regard), will condemn the growth of surveillance in a speech at the University of Essex today. He will also, according to Tom Young at VUnet, call for the ID card scheme (which he introduced!) to be scrapped, and for the information-sharing powers that were hidden in the new Coroners and Justice Bill, to be reduced. He also argues that the latter will happen as he knows the Justice Minister, Jack Straw, recognises the problem.

I don’t know whether to laugh or cry. Certainly it is fantastic when a prominent figure like this changes their mind and is prepared to admit that they were wrong, I just wish that sometimes they listened to the arguments against what they were doing when they were in office. In addition, of course Blunkett spent several years after leaving office writing very strong pro-surveillance, pro-ID card pieces for the populist, right-wing tabloid newspaper, The Sun, and is (or was) according to the Register of House of Commons Members Interests, paid £25-30,000 ($35-40,000 US) as the Chair of the International Advisory Committee of Entrust Inc., a company that works on digital certification and Internet surveillance, and which was involved in consortia for the ID card contract. Perhaps they have had enough of him.

But let’s hope he really has had a genuine change of heart.

Facebook, Privacy and the follies of youth

It is hard to say anything about Facebook that hasn’t been said elsewhere. Of course, the decision to reverse its attempt to change its terms, which would have made it nigh on impossible for members to remove material they had posted, is a good one. Effectively what it would have done is made Facebook the owner of all personal data posted on the site.

The campaign against it was of course organised through Facebook groups! That in itself should have been enough to persuade Facebook’s young owners of the power and passion generated by the system they had created. But I don’t think they really do understand it, or indeed very much about the implications of what they are doing at all. I mentioned their youth. Last time Facebook got into trouble, it was because of comments made by their ‘Marketing Director’ (age: 24) at Davos, which were (apparently erroneously) taken by the press to indicate that Facebook was going to sell personal data.

Now, I know that it’s not cool and probably won’t make me popular to knock youth at a time where youth is everything (despite the fact that the word is ageing) – Fast Company last month had snowboarder Shaun White as its cover star in a story full of fawning admiration about how rich he had become by telling big companies about the youth market. But at least White seems to have his head screwed on – maybe it’s a class thing? Facebook’s owners on the other hand need to grow up a bit. They need to learn a bit more about the value of some rather old-fashioned fundamental rights, particularly privacy, and stop treating the system they have created as the personal spare-time sophomore project it began as. I think that they just didn’t appreciate how people would view their proposals.

There is a serious issue here. Privacy is something that you only start to truly understand as you get older. Partly this is because your mistakes and your secrets get more serious and more potentially damaging as you get older! But, as I have said before, most of those are nobody’s business but your own and no-one benefits from forced transparency – honesty and conscience are also profoundly personal matters. It has been argued that the ‘youthfulness’ of the Net has encouraged a general carelessness with privacy. I am not sure that is entirely true, as Facebook users have shown – they care. But it’s the careless and – let’s face it – privileged youth of many of these new entrepreneurs, the fast companies, which is more concerning. Most are not success stories from the wrong side of the tracks, who have learned ‘the hard way’.

The threat of legal action from EPIC, which was preparing to take them to the Federal Trade Commission, might have concentrated minds in this regard. Maybe it was just the threat itself – EPIC have a strong record in these kinds of cases and have taken down Microsoft and Doubleclick. However I would like to think that the arrogance and energy of youth might be tempered with a bit more maturity and consideration in the future. If only, as I’ve said before, because Facebook is no longer a fresh young company in Web 2.0 terms and could easily be eclipsed by the next big thing. Perhaps they can hire someone more ‘real’ like Shaun White to tell them how privacy rights and user control of information would be like, totally rad, dude…

Woah man, I am so stoked about privacy... (Shaun White, not actually advising Facebook on privacy, pictured for Fast Company)

On a more serious note, EPIC put a lot of time and money into protecting privacy in the USA and they do a damn good job, and in cases like that of Facebook they are having a positive effect the world over, so give them some money!

At the Departamento de Policia Federal

Departamento de Policia Federal, Brasilia

I have just come back from a very productive interview with Romulo Berredo, from the Director-General’s office at the Departamento de Policia Federal (DPF), who are the Brazilian equivalent of the FBI. There was a lot covered and I couldn’t hope to reproduce it all here. There were however a number of immediately interesting aspects.

The first was more evidence that the whole basis on which identity cards and database issues are being considered here is entirely different from the UK. Now I know this represents a police, and a state, view, but so far, both Brazilian human rights advocates and the police seem to be strongly in favour of the new Registro de Identidade Civil (RIC) system. This is both as a means of social inclusion and to replace the chaotic and corrupt identification system based in individual Brazilian states at present, which allows anyone with any other form of ID to get a state Registro Geral card in each different state. It is fairly easy to acquire 27 different identities in Brazil at present. And identification is important here. The great fear that many people seem to have – indeed it was called a ‘cultural’ characteristic by Berredo – is not the use of identification by the state as a form of control or intrusion but as a guarantee against the anonymity that would allow abuses by the state or indeed by other malicious persons. It provides a metaphysical and material kind of certainty and stability. The legacy of the last dictatorship was not so much an East German-style nightmare of knowledge and order but of corrupt and arbitrary rule.

It is this latter legacy which also drives the divisions between the different police forces in Brazil. The states-based Policia Militar (Military Police) and Policia Civil are both tainted in different ways by associations with authoritarian rule, and the former particularly with extra-legal execution and torture, and they continue to be regarded with caution, suspicion or even hatred by many Brazilians. The other police forces are also suspicious of the growing role of the DPF, which is often seen in terms of a power struggle not rational subsidiarity. Ironically then it is the states-based police forces that are dragging their heels over plans to create the kinds of national databases of criminal information that the UK has, and not for any libertarian reasons. In fact the DPF seem far more concerned with protecting human rights and defending the idea of citizenship, and because they are tasked with anti-corruption investigations have even arrested Senators and Judges, something unheard of even ten years ago. Of course those very same Senators and Judges are now fighting back, in a manner rather similar to Berlusconi in Italy, trying to alter the law to give immunities and protections. For example, handcuffing of arrested suspects was always normal until it happened to a Senator arrested for corruption. The Senate suddenly became interested in the ‘human rights’ of arrested suspects and passed a law limiting the use of handcuffs! Corruption at every level is still an enormous problem here, though Berredo argued that it was largely associated with those who had retained power from the years of the dictatorship.

The concentration on inclusion and joining-up government where it is clearly much needed does however lead to some gaps in thinking. The creation of new databases brings with it new duties and new potential problems of data-handling. As the privacy and data-protection law expert, Danilo Doneda, pointed out to me the other day, Brazil is in an almost unique position in not having any kind of regulator for privacy and information / data rights. He argued it was because the authorities just don’t see the need. Berredo confirmed this. He claimed that the DPF were trusted by the public – and relative to other police forces, that is certainly true! – and that they had to carry out their duties appropriately or they would lose that trust. It sounds nice, but it isn’t a good-enough (or legally-sound) basis for the protection of data-rights.

It all confirmed once again that Brazil is not yet a surveillance society – the state does not yet have the capabilities. There is no national database of fingerprints (even for convicted criminals) for example. But as Berredo said, it is moving in that direction. He was keen that there should be limits. I liked the fact that he used this word. ‘Limits’ is a word that I found that neither the UK government nor the European Commission seem to like, and they seem very unwilling to say what limits might be. However Berredo was quite clear that a technologically-driven surveillance future in which individuals could be tracked – he used the example of Google Latitude – was not one which he wanted to see. He recognised that he was both a policeman (at work) and a private citizen (at home) and that he, as much as anyone else, valued his privacy.

(Thank you very much to Delegado Romulo Berredo of the DPF, for his openness, time and patience, and also to Agent Alessandre Reis, for his help)