Rights – Page 4

UK consultation on CCTV: a weak brew?

The UK government has released a consultation document on a ‘Code of practice relating to surveillance cameras’ (CCTV). The closing date for comments in May 25th.

I will go through the document in more detail but there are several initial things to note here:

1. I am interested first of all in the fact that the camera systems are refered to as ‘surveillance cameras’ rather than ‘security cameras’ or ‘safety cameras’ as in many situations I have encountered around the world.

2. This is merely a step toward a state code of practice. The government had promised to ‘regulate’ CCTV, and what many people might have legitimately expected from such a promise was legislation, in other word a statutory footing for surveillance cameras and legal controls. A code of practice is very much at the weak and volunteeristic end of ‘regulation’ if it is regulation at all. The proposed Code itself is really quite weak and presaged on “gradually raising standards to a common level.” with nothing that is mandatory.

3. The document proposes another ‘Commissioner’ to govern surveillance cameras, a ‘Surveillance Camera Commissioner’. This government, despite its avowed attempt to reverse the proliferation of Quangos, seems to want to create another one. One would think that this would naturally fall under the remit of the Information Commissioner, but it appears that the Tory attacks on the ICO (which have been going on in newspapers like The Times for some years and have now spread to other libertarian groups) have been having some effect. Does Britain need another Commissioner in the area of information, surveillance and privacy? I don’t think so. I think we need to clarify the roles of existing Commissioners, and reduce their number – provide adequate budgets and better guidance and division of labour. I suggested a few weeks ago that splitting the ICO into a Surveillance and Privacy Commissioner (which would incorporate the data protection function and absorb all the existing micro-commissions like Surveillance, Interception of Telecommunications and now this new proposed Surveillance Camera Commissioner) and a separate Freedom of Information Commissioner, would be the best solution.

4. The consultation document acknowledges that camera surveillance has increased too rapidly in Britain and has eroded privacy and been overly intrusive. That’s a start. However it also hedges this quite strongly by saying that the government does not intend to limit law enforcement’s abilities. I am not sure the two things are compatible – but I will have to examine the proposals in more detail.

5. The document acknowledges that “CCTV does not always provide the benefits expected of it” but explains this as largely down to technical and operation reasons rather than anything more fundamentally problematic. This is not necessarily justified by evidence or particularly insightful.

6. The document acknowledges that Automatic Number Plate (Licence Plate) Recogntion (ANPR / ALPR) is largely unregulated too and that it connects to all kinds of databases, yet proposes little more than auditable data trails.

7. The document mentions both flying drone cameras / Unmanned Aerial Vehicles (UAVs) and helmet-mounted cameras, but assumes mistakenly that these are ‘niche and novel’. If this can still be said to be true, it will not be for much longer, and the document is overly dismissive of the immediacy of this issue.

8. The document is way too cautious and has the fingerprints of a ‘Sir Humphrey’ bureaucratic avoidance of anything that might ‘frighten the horses’, motivated as it claims to be by “the wish to avoid imposing unreasonable or impracticable bureaucratic or financial burdens on organisations” and recommending “an incremental approach.” It is too late for incrementalism, about 20 years too late in fact.

At first glance, the consultation document appears to be a rather weak brew rather than the strong medicine that is required.

On the Internet, no-one knows you’re a dog

So the (now rather old) joke goes. In fact, this joke is now often seen as an example of how people early on in the history of the Internet misunderstood it. People, the argument goes, are just people on the Net, pretty much the same way they are in real life. No technological determinism here, no siree.

However there is increasing evidence that this new ‘common knowledge’ is dead wrong, but it isn’t necessarily individual ‘dogs’ pretending to be humans online, it is whole organised packs (don’t worry, I won’t take this metaphor any further). Various sources have been reporting the development call by the US military for software development to create artificial posters on Internet forums, chatrooms, and news sites. The US state it seems has woken up to the possibilities of what is often called ‘astroturfing’, the creation of fake grassroots movements, with fake members.

George Monbiot, a leading British investigative journalist with The Guardian newspaper knows about astroturfing more than most. He frequently writes about climate change denialists, and the comments under his stories are always filled with pseudonymous critics who seem to pop up every time the word ‘climate’ is mentioned and their responses often appear to be scripted and organised. He’s been digging deeper, and while his investigations are still ongoing, he has provided a useful summary of recent development here.

As well as the corporate interests (tobacco, oil, pharma etc.) it’s also worth pointing out that other states are far ahead of the US on this. China notoriously has its so-called ’50-Cent Party’, students and others who are recruited by the state and paid by the message to counter any anti-Chinese or pro-Tibetan, pro-Taiwan or pro-Uighur sentiment. Their early efforts were laughably obvious, but are becoming more and more subtle. Israel is open in its backing of such ‘online armies’, and advocates the use of a particular software tool, called Megaphone, which enables its users to respond quickly and widely to any reports or discussion seem as against the interests of the Israeli state.

Anonymity is also used by these organised groups as a form of individual intimidation through other ‘open’ channels, especially of those who lack the resources and sometimes the low cunning to be able to respond effectively. One is Freedom of Information legislation. In the area of climate change denial, we saw this with the systematic and organised petitioning of the University of East Anglia’s Climate Research Unit, in which FoI requests were really a form of harassment. More recently, as I have just heard from Chris Parsons, two professors from Ottawa, Errol Mendes and Amir Attaran, seen as ‘liberal’ and critical of the Canadian government, have similarly found themselves the subject of a huge upsurge in FoI requests, many of which seem to be deliberately requesting very intimate information. This would appear to be Freedom of Information as intimidation.

There are several responses one could have to this. One would be to withdraw from more public and open forms of interaction, to batten down the hatches, retreat into extreme forms of privacy. This would be a mistake: it really would, as some of the more alarmist reports have proposed, mean the death of Web2.0. The other would be to take the Anonymous route, to ferret out the spies and the fakes. This could be done with better forum and comment software, but would mean a lot of hacking effort and knowledge. How is a chatroom supposed to go up against the power of states and corporations? The real risk with this, as with more low-tech forms of ‘exposure’, is that we help create a culture of suspicion in which moles and spies are everywhere, and genuine political interaction is chilled. It may be coincidental, but it is not unrelated, that we are seeing a growing attention being called to this kind of thing just as we have seen the power of social media in the uprisings across the Arab world. In this area at least privacy is not the answer, a more radical political openness and transparency may well be required to facilitate the kind of social trust that can keep Web2.0 growing and changing in a positive direction.

Death to the ICO?

Chris Parsons draws my attention to a blog posting on the very swish and refurbished Privacy International site (nice job BTW – I will check in regularly). Simon Davies argues in this post for the ‘assisted suicide’ of the UK Information Commissioner’s Office (ICO) because it has become a ‘threat to privacy’. The bases for this argument are several, namely that:

“the legislation that underpins the Office is narrow and in places regressive”;
the ICO is “a quasi judicial regulator that sees its role as protecting data rather than people”, which leads to timid decisions;
the ICO is sometimes “ill-informed… and almost always out of step with the more proactive and advanced regulators overseas” especially when it comes to technology;
its complaints procedure is slow and frequently pointless;
there are too many surveillance-related commissioners in the UK (the Surveillance Commissioner, the Interception of Communications Commissioner, the Equality & Human Rights Commission etc.)
it is disconnected from “an information environment dominated by companies which appear to be largely exempt from local protections for citizens.”

Now, I’ve done some work on commission for the ICO, and therefore you might expect me to defend it from these criticisms. But in fact, I find much to agree with here, as well as some points with which I disagree, and much to ponder.

On the side of agreement,the ICO, like much of government, is undoubtedly technologically rather backward. When, in the Report on the Surveillance Society, we wrote about the way in which governments were behind the times, this was as much a message for them as for parliament or the executive. Maybe it is down to funding, maybe to institutional inertia, maybe deliberate choice, but the ICO has still has not taken serious steps to remedy this as Simon points out, and relies largely on occasional external reports, many of which are in any case general rather than specialist, to update it.

I also agree with the charge that the ICO has been relatively powerless in the face of the rise of corporate surveillance. This is not surprising given its origins as an arm’s-length regulator of government, and some of the particular issues of concern – like whether it took the Google wireless hacking episode seriously enough or made the correct decisions – are far from obvious. But one can clearly contrast the relatively activist stance of even quite bureaucratic Privacy Commissioners like the federal Canadian body over Facebook, with the ICO. It has in the recent past taken some serious actions against illegal private sector surveillance – for example the bust of a notorious blacklisting firm – but this direction appears to have fizzled out. Not being privy to internal policy discussions, I am not sure why.

Then there are some areas in which the criticisms are valid, but which may not be directed at the right target.

The first of these is the proliferation of Commissioners of various kinds – and incidentally, we have thankfully been spared the birth of yet another one with the cancellation of the ID Cards scheme. I have also been arguing for the merging of all the various surveillance-related quangos for a long time. The reason so many of them exist is partly because of the piecemeal way in which British legislative process occurs. There are rarely comprehensive Acts covering broad areas, instead existing institutions, however inappropriate to the job needed, are often merely supplemented or modified. The other reason is of course the ongoing effort to protect certain parts of the state from serious scrutiny, in particular the intelligence services and political police.

The second is that, fundamentally, it seems clear that British data protection and privacy legislation is generally archaic and not up to the job. Neither is its Freedom of Information legislation, even though it was a massive advance on the culture of secrecy that preceded what in retrospect may have been one of New Labour’s most important measures.

However, I am not sure that either of these points are in themselves a criticism of the ICO but rather of the legislation which created it, and the governance environment in which it has to operate. The way in which the ICO came about, through a rough fusion of old Data Protection and newer Freedom of Information functions produced a lumbering Frankenstein’s monster made of parts and bits, kept going on a drip-feed of limited funding, something that was never going to be capable of what campaigners expected of it. The same could be said partially of the critique of the complaints procedure, itself is a widely shared opinion and one with which I would not take issue. However, how much of this is down to the limited funding and staffing, and once again, the foundational legislation which hampers as much as empowers the ICO to do much of what we outsiders would want them to do?

Then, some of the criticisms are more personal opinion, with which I am sure many in the ICO would disagree, particularly the idea that the ICO does not care about people. Both Simon and I know many people in the ICO personally and whatever our political differences with them, the idea that they are heartless data bureaucrats with no interest in people is a rather unhelpful and hyperbolic caricature, as is the idea that the ICO is an ‘enemy of privacy’. The ICO had a legally mandated job to do first and foremost and it needn’t, legally, go beyond that at all. Yet it has. The interventions that the previous Information Commissioner, Richard Thomas, made on surveillance in particular were absolutely vital in adding a new level to a debate that had previously, despite the best efforts of activists, campaigners and researchers, been of more marginal concern. One could argue that surveillance and privacy would never have become such a topic parliamentary debate, let along an election issue, without his advocacy. Certainly it hasn’t gone far enough, but is has hardly, during this period at least, acted as a stereotypically uncaring bureaucracy.

So what of the solutions?

Simon advocates only one: that the government “scrap the data protection functions of the ICO and building a new Privacy Act that creates a true watchdog with a broad mandate.” It is hardly surprising that Privacy International see the ‘privacy’ element as the most important one here. Simon will also not be surprised to discover that I disagree with him on this. In fact, my argument for a while has been that privacy cannot justifiably be prioritised over other forms of human informational rights. In addition, the concept of ‘human rights’ in general does not deal with everything about information relationships, positive or negative, and the many elements of those information relationships between state, citizen and corporation cannot be so arbitrarily separated.

I would therefore argue that a comprehensive Information Act, which covered citizens’ rights to information (their own, and that generated by government and corporations), their rights of privacy and the more general parameters of what the state and companies may know of those who information this is and how they are allowed to do so (i.e the limits of surveillance). I agree that ‘data protection’ is an out-of-date concept. But ‘privacy’ does not, and cannot, replace it, at least not alone. Privacy Commissioners, where they exist, find themselves dealing with a lot more than privacy and end up becoming ‘surveillance’ or ‘information commissioners’ in practice or by stealth, and in some cases an emphasis on privacy over all else can hamper legitimate needs to know (as has been true in the case of family members of elderly patients with dementia in Canada for example).

My conclusion about what a new Information Act would contain in terms of the regulatory bodies has something in common with Simon’s view, but I have two options. One is the creation of a single mega-regulator – a real Information Commissioner that covered all the areas of our information relationships with the state and corporations that would be able to go after corporations, local and national government over issues of their secrecy, transparency and accountability, and our privacy and informational needs. It wouldn’t just merge the existing ICO, Surveillance Commissioner, Interception of Communications Commissioner and so on), but start with new legislation and a new structure.

The other option would be a merge all the existing bodies but create two new ones to replace them: a Surveillance and Privacy Commissioner, to cover all of the areas of state and corporate intrusion into the lives of citizens, but also a Freedom of Information Commissioner, to cover the equally vital areas of state and corporate transparency and accountability. Privacy without FoI, whether together in one organisation or separate, is altogether too defensive an approach to what we can expect from the state.

And whichever route one took, the organisation(s) should have a wider range of powers built in and required – research (including technological foresight), advocacy, assessment, response and enforcement functions – with protected funding and legally binding decision-making capability. I think we would all be in agreement on that…

Facebook learns nothing

Having been strongly criticised over its ‘Places’ feature for its lack of understanding of the concept of ‘consent’ in data protection, and why ‘opt-in’ is better for users than ‘opt-out’ when it comes to new ‘services’ (i.e: ways they can share your data with other organisations), Facebook is doing it again.

Between today and tomorrow, the new Facebook feature called “Instant Personalization” goes into effect. The new setting shares your data with non-Facebook sites and it is automatically set to “Enabled”.

To turn it off: Go to Account>Privacy Settings>Apps & Websites>Instant Personalization>edit settings & uncheck “Enable”.

(Or of course, you can just ‘Turn Off All Platform Apps” too!)

The really important thing is that if your Facebook Friends don’t do this, they will be sharing info about you as well. So, copy this and repost to yours…

(Thanks to Lorna Muir for this alert)

Corporate Privacy?

I’ve been arguing a lot recently that individual privacy, state secrecy and corporate confidentiality should be regarded as clearly separate things. Keeping this separation is important precisely because it stops organisations which we should expect to be open to inspection and accountable to us, from using ‘privacy’ as an excuse for avoiding such inspection. Philosophically, the distinction should be clear, but legally it may not be so obvious. One problem however lies in the nature of the whole notion of ‘incorporation’, which in its very language already assigns certain individual human attributes to organisations. And corporations are very much aware of this.

Marc Rotenberg points me to a very interesting legal test case in which the Electronic Privacy Information Center (EPIC) in the USA is currently involved. This case originally started when in 2008 the Federal Communications Commission ruled that corporations could not use ‘privacy’ as a reason to reject Freedom of Information requests. In 2009, a court overruled this decision. And now the FCC, ironically aided by EPIC, an organisation which frequently finds itself challenging rather than supporting the state on such issues, is seeking to have this ruling overturned in the Supreme Court.

This strikes me as a vital case, not just for the USA, for other jurisdictions where corporations will be observing the outcome and seeking to bring similar challenges if they can. If privacy, and indeed any other fundamental human right, is to mean anything it can neither be granted to companies who find it simply a convenient cover for a desire for confidentiality, nor to states who seek to maintain secrecy. Clearly there is information possessed by corporations and by states that might have elements that could be damaging to personal privacy. Private individuals acting in a corporate or state capacity may perhaps in some clearly delineated circumstances have the right not to be personally identified, even more so for individuals from outside the organisation concerned, but the ‘what’ of the information should still not, by association with an individual expressing a desire for privacy or anonymity, acquire the protection of privacy.

Two Weeks to Go for Bill C-32

Many people will still not be aware of the imminence of a new bill on copyright for Canada. Everything you need to know (and more) is on Michael Geist’s excellent site. The key thing is that, like most such bills around the world, this bill is still skewed towards industry perspectives and does not place much importance on the rights on the ordinary citizen or resident of Canada, in particular in the areas of ‘digital locks’ that prevent fair use of digital materials, and the lack of provision for copying across form factors for personal use. You have until the end of January to make your views heard.

Spain vs. Google or Freedom of Expression vs. the Right to Be Forgotten

Several outlets are reporting today, the interesting clash between Spanish courts and Google. The argument is over whether Google should carry articles that have been challenged by Spanish citizens as breaching their privacy. An injunction was won in the courts by the Spanish data protection commissioner over publication of material that is being challenged under privacy legislation.

Clearly there are two main issues here. One is the specific issue of whether Google, as a search engine, can be considered as a publisher, or as it claims, simply an intermediary which publishes nothing, only linking to items published by others. This is important for Google as a business and for those who use it.

But the other is a more interesting issue which is the deeper question of what is going on here which is the struggle between two kinds of rights. The right to freedom of expression, to be able to say what one likes, is a longstanding one in democracies, however it is almost nowhere absolute. The problem in a search-engine enabled information age, is that these exceptions, which relate to both the (un)truth of published allegations (questions of libel and false accusation) and of privacy and to several other values, are increasingly challenged by the ability of people in one jurisdiction to access the same (libellous, untrue or privacy-destructive) information from outside that jurisdiction via the Internet.

In Spain, the question has apparently increasingly been framed in terms of a new ‘right to be forgotten’ or ‘right to delete’. This is not entirely new – certainly police records in many countries have elements that are time-limited, but these kinds of official individually beneficial forgettings are increasingly hard to maintain when information is ‘out there’ proliferating, being copied, reposted and so on.

This makes an interesting contrast with the Wikileaks affair. Here, where it comes to the State and corporations, questions of privacy and individual rights should not be used even analogically. The state may assert ‘secrecy’ but the state has no ‘right of privacy’. Secrecy is an instrumental concept relating to questions of risk. Corporations may assert ‘confidentiality’ but this is a question of law and custom relating to the regulation of the economy, not to ‘rights’.

Privacy is a right that can only be attached to (usually) human beings in their unofficial thoughts, activities and existence. And the question of forgetting is really a spatio-temporal extension of the concept of privacy necessary in an information society. Because the nature of information and communication has changed, privacy has to be considered over space and through time in a way that was not really necessary (or at least not for so many people so much of the time) previously.

This is where Google’s position comes back into play. Its insistence on neutrality is premised on a libertarian notion of information (described by Erik Davis some time ago as a kind of gnostic American macho libertarianism that pervades US thinking on the Internet). But if this is ‘freedom of information’ as usually understood in democratic societies, it does have limits and an extreme political interpretation of such freedom cannot apply. Should Google therefore abandon the pretence of neutrality and play a role in helping ‘us’ forget things that are untrue, hurtful and private to individuals?

The alternative is challenging: the idea that not acting is a morally ‘neutral’ position is clearly incorrect because it presages a new global norm of information flow presaged on not forgetting, and on the collapse of different jurisdictional norms of privacy. In this world, whilst privacy may not be dead, the law can no longer be relied on to enforce it and other methods from simple personal data management, to more ‘outlaw’ technological means of enforcement will increasingly be the standard for those who wish to maintain privacy. This suggests that money and/or technical expertise will be the things that will allow one to be forgotten, and those without either will be unable to have meaningful privacy except insofar as one is uninteresting or unnoticed.

UK Control Orders to be replaced by Surveillance Orders

There has been a lot of speculation in the last couple of weeks about the fate of the ‘Control Orders’ that have been placed on various people (largely British Muslims) who are strongly suspected by the authorities of involvement with terrorism, but who have not committed any crime that would likely lead to a successful prosecution. These orders tend to amount to forms of curfewing or house arrest without trial, and banning them from using all forms of telecommunications, and needless to say, have been immensely controversial with civil liberties groups arguing that they subvert the rule of law, and that if there is evidence of terrorist activity people should be investigated and charged with such offenses. This has also been a test case for the willingness of the Conservative- LibDem coalition to take onboard key Liberal Democrat priorities and to go further in rolling back the creeping authoritarianism that characterised the final years of the New Labour regime.

So what will replace them? Speculation had centred around the replacement of the order with a system that allowed suspects to move around relatively freely but placed them under intensified ongoing surveillance. Now the BBC is claiming that it has details of what are likely to be called ‘Surveillance Orders’. These, they say, will give the security services the power to:

Ban suspects from travelling to locations such as open parks and thick walled buildings where surveillance is hard;

Allow suspects to use mobile phones and the internet but only if the numbers and details are given to the security services;

Ban suspects travelling abroad; and

Ban suspects meeting certain named individuals, but limited to people who are themselves under surveillance or suspected of involvement in terrorism.

Some of this is hardly new: those suspected of involvedment in football hooliganism in the UK have been subject to travel bans since the 1980s, and it seems to be from this that precendent is taken for at least this part of the new place. It is also almost funny that certain locales are seemingly specified as being difficult for surveillance – and I know this won’t be in the actual Bill – but, surely it is actually quite useful for real terrorists to know this? 😉

But this is all very interesting not least because it uses ‘surveillance’ as a supposed replacement for ‘control’, or as something synonymous with increased freedom. That may be so in physical terms, but the constant monitoring suggested under these new orders creates something very far from freedom. However in many ways it constitutes simply an intensified version of the kind of low-level constant monitoring or mass surveillance that is characteristic of contemporary surveillance societies. It is not so much that there are the ‘unwatched’ and the ‘watched’ rather there is a spectrum of surveillance between the lightly and heavily monitored. The new ‘Surveillance Orders’ would merely seem to push the dial for an individual into the category of heavy monitoring.

Internet doit être défendu! (4)

I write this addition to my ongoing series of thoughts on the implications of the Wikileaks scandal, en Francais because according to Le Point, the the Assemblée Nationale has passed a bill, Loppsi 2, which, amongst other things, in its Article 4, allows the French government to ban particular websites, and essentially to ‘filter’ the Internet. The Bill of course has ‘good intentions’, in this case, it is aimed at paedophiles, but the wording is such that it allows a far wider use against “la cybercriminalité en général”. Regardless, as the article points out: “Les expériences de listes noires à l’étranger ont toutes été des fiascos,” in other words such bills have generally been a complete failure as in most cases the state’s technology and expertise cannot deliver what the law allows.

However, I am left wondering what makes this any different from what China does, and what moral right the French state now has to criticise Chinese censorship or indeed any other regime that is repressive of information rights. And of course, what other very reasonable ‘good intentions’ could be drawn upon for closing the Net – opposing ‘information terrorism’, par example?

Facebook face-recognition

Reports are that US users can now use an automated face-recognition function to tag people in photos posted to the site. To make it clear, this is not the already dubious practice of someone else tagging you in a photo, but an automated service – enter a picture and the system will search around identifying and tagging.

As a Facebook engineer is quoted as saying:

“Now if you upload pictures from your cousin’s wedding, we’ll group together pictures of the bride and suggest her name… Instead of typing her name 64 times, all you’ll need to do is click ‘Save’ to tag all of your cousin’s pictures at once.”

Once again, just as with Facebook Places, the privacy implications of this do not appear to have been thought through (or more likely just disregarded) and it’s notable that this has not yet been extended to Canada, where the federal Privacy Commissioner has made it very clear that Facebook cannot unilaterally override privacy laws.

Let’s see how this one plays out, and how much, once again, Facebook has to retrofit privacy settings…