surveillance – Page 22

Everyday prejudices mean Canadians end up on watchlists

Another great audit report from the Office of the Privacy Commissioner here in Canada, investigating the Financial Transactions and Reports Analysis Centre of Canada (Fintrac) has just been released. Fintrac, created in 2001 in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and now with even more extended powers, operates a databases which is supposed to contain details of those suspected of supporting terrorism or money laundering (often on behalf of major criminal and terrorist groups).

However, there is a good story in The Globe and Mail today which leads on the most worrying aspect identified by the audit, which is that in many cases, the Fintrac database is massively overreliant on unsubstantiated suspicions from low-level functionaries in banks, insurance firms and credit agencies. Some of these ‘suspicions’ were clearly simple prejudice as they appeared to be based entirely on ethnicity. Part of the problem is that there are no clear guidelines as to what constitutes a reasonable suspicion in the legislation.

But being put on the database can have serious consequences, firstly because of the potential penalties involved (up to $2m CAN fines and 5-years imprisonment) and secondly, because the information in the Fintrac database can be accessed by Canadian Security Intelligence Service (CSIS), the Royal Canadian Mounted Police (the RCMP – Canada’s FBI) or shared with overseas police and intelligence services. In the latter case, as we already know, mounting errors can result in innocent people being subject to ever more harsh treatment including being excluded from countries, placed on no-fly lists or even the UN1267 ‘known terrorists and affiliates’ list, as well as, in the worst cases, opening them up to extraordinary rendition, imprisonment and torture.

Jennifer Stoddart, the current Privacy Commissioner, has a well-deserved reputation getting positive changes made, so let’s hope she can persuade Fintrac to get this sorted out pretty soon.

UK pushes forward with online data retention plans

Like Canada, the UK is pushing forward with new plans to force telecommunications companies and ISPs to retain online data, despite opposition from both the industry and ordinary service users. The New Labour govenrment had delayed the plans from last year, faced with the strength of the opposition and launched a ‘consulation’. The consultation apparently still generated 40% opposition, which one would think was enough to tell them that something was wrong. But, as I said last year, “the collection of such traffic data will still go ahead… partly at least because the Americans want it; there is pressure on many countries for this kind of data collection and storage – see for example, the FRA law in Sweden. Networking these databases together with others is a major aim of the FBI’s secretive ‘Server in the Sky’ project.”

However, now the UK plans go further than many other countries’ schemes in this area, as they would cover not only traffic data but also a whole range of data which would not normally have been regarded as traditional communications like social networking activity and even internal online gaming data. This would seem to be in line with US programs that regard the behaviour of – let’t not forget, fantasy – game and virtual world avatars as somehow indicative of real-world tendencies and practices (e.g.: Projects VACE and Reynard), an extremely dubious assumption and one which extends the reach of the state into people’s fantasy and dream lives.

The BBC story mentions an estimated 2Bn GBP (around $3.5 CAN) cost for this – which will no doubt be passed on to service users – but given the immense problems posed by some of this data, I would reckon that this could a massive underestimate, especially if one takes into account the UK state’s history of appallingly-managed computerisation and database-building schemes. The original plans also would have allowed all agencies empowered under the Regulation of Investigatory Powers Act (RIPA) to make use of such data, and the RIPA consultation response from the UK government did contain some indications that some new agencies would be given powers of access, but I am still not sure whether the government will keep the list of agencies as long as it was in last year’s draft Communications Bill.

Surveillance State, USA

There’s a really good article by Alfred McCoy here, on the US surveillance state. I am currently reading his brilliant new book, Policing America’s Empire.

Guardian article

The Guardian‘s Comment is Free site published a short version of my critiques of RIPA today… you can read it here.

Or the full version prior to editing is here:

A little-known tribunal is meeting this week to consider a case a case of wrongful surveillance. The case brought by Jenny Paton and Tim Joyce against Poole District Council in the Regulation of Investigatory Powers Tribunal concerns the local authority’s targeted surveillance measures against the couple and their children in an investigation of their application for school places. Among other activities, council employees trailed the family and interrogated neighbours.

The case comes in the same week that the government issued its response to a consultation process on the reform of the law which the tribunal oversees: the Regulation of Investigatory Powers Act (RIPA) (2000). RIPA has proved controversial as it seems to give many different public bodies new powers of surveillance, but that isn’t entirely true: as many local council officials admit, much of this was going on before 2000, but RIPA regulates and restricts it – in fact, it restricts it too much to some of the published responses to the consultation process. It is, however, almost impossible to determine whether RIPA has increased or decreased surveillance of this kind as no consistent records were kept prior to RIPA’s introduction. What is certainly the case is that the public is now more aware of the use of surveillance powers by agencies they had never realized were allowed to do such things.

Surveys have found that only 9% of RIPA authorizations resulted in either prosecution of enforcement action. In Australia, earlier this year, when only 28% of the use of targeted surveillance (in that case by police) resulted in prosecutions, their law was denounced as an excuse for ‘fishing expeditions.’ So what does a 9% rate indicate for Britain? Desperation perhaps? Or at least that RIPA was being massively overused for trivial issues. The House of Lords Constitution Committee report, Surveillance: Citizens and the State, certainly thought so, arguing not only that the inadequate administrative procedures should be reviewed but also that the government should think again about the whole business of allowing Local Authorities police powers, and that in any case, these powers “should only be available for the investigation of serious criminal offences which would attract a custodial sentence of at least two years.”

The government has failed to take heed of these recommendations. Ok, so they have agreed to restrict the authorization of covert surveillance under RIPA to ‘Director, Head of Service, Service Manager or equivalent’, and that Local Authorities should designate compliance officers so there will be no more junior officers deciding to play James Bond, as in the Poole case. However, by going to a ‘consultation’ whose respondents were dominated by Local Authorities and other RIPA-enabled agencies, they have managed to avoid doing anything particularly radical. This started from limiting the scope of the review through the questions they asked in the consultation.

For example, by asking which covert investigatory techniques specifically should be removed (and discounting any views that said ‘all of them’) they managed to get a mixed set of answers that failed to produced a clear vote against any one technique. Result: no techniques get removed and in fact some of the existing allowed techniques get extended to yet more agencies, for example the new Child Maintenance and Enforcement Commission (the replacement for the Child Support Agency). In particular, this extension of powers covers telecommunications data, whose keeping by the state has of course increased since RIPA was proposed. Now RIPA will be used to allow new bodies access to this data.

A curious note throughout the response by the government is the insistence on using an idea of non-interference with law-enforcement as a reason for not allowing elected officials any more than strategic scrutiny over the actions their own officials take under RIPA. This matters because RIPA is just one of many ways in which law-enforcement is not spreading as a function to increasing numbers of agencies beyond the police and judiciary. This seems to be general position that New Labour has taken – although it hasn’t always got its way – does anyone remember the dropped proposals to allow any ‘responsible people’ to levy on the spot fines?

And the government response seems to take a bullish delight in attacking those who have criticized the surveillance society. They insist, for example – and despite all the evidence to suggest that such interventions have limited effectiveness – that Local Authorities should make more use of overt, mass surveillance, like CCTV, instead of using RIPA. They are creating a binary choice, which seems to say assume that some kind of surveillance should be used: which do you choose, overt or covert? But, of course, that shouldn’t be the choice at all. They are also trying to have their cake and eat it on CCTV: the response to the consultation dismisses those consultees who brought up the subject of CCTV – which is not covered by RIPA – but feel quite able themselves to recommend its extended use in their own response. This of course also ignores the perfectly legitimate feeling amongst many that it is about CCTV was brought under proper control and a reformed RIPA might well be the place to do it.

Then there are things missing: notably, the concentration on Local Authorities, which for the most part has completely obscured the use of covert surveillance by central government departments and arms-length agencies including the Department for Environment, Food and Rural Affairs (Defra), the NHS and the Environment Agency, all of which have been criticized in the past by the Surveillance Commissioner. Nothing seems to be proposed to increase the visibility of the RIPA Tribunal which is, just for now, in the news. The Lords described it as all but invisible and weak. Nor do the government propose to do anything to strengthen training or the Code of Practice, and in any case, there has been a huge over reliance on such self-regulation for matters which should have more formal control; this is also how CCTV and the security industry is largely – and incredibly ineffectively – regulated in the UK.

Pretty much anyone could have predicted this limp response from the Home Office to some rather serious problems. They don’t read their own research, they don’t do consultation in a meaningful manner, and then, surprise, surprise, they conclude that there really isn’t very much wrong after all. Jenny Paton and Tim Joyce may well disagree, and let us hope that the RIPA Tribunal do too.

RIPA to be limited

The UK Home Office is finally publishing plans to reform the Regulation of Investigatory Powers Act (RIPA) which defined in law the surveillance powers open to hundreds of government bodies. You can see what I have previously said about the consultation here. The consultation on RIPA actually had 7 major questions. The Home Office has now responded to all the opinions offered during the consultation. In more detail, this is what was said:

1. Taking into account the reasons for requiring the use of covert investigatory techniques under RIPA set out for each public authority, should any of them nevertheless be removed from the RIPA framework?

Response: basically, none should be removed. Although the Home Office noted that many respondents had objections, they didn’t feel they added up. Indeed this section also seems to include extensions of the powers (or clarifications that act effectively as extensions) for example the ability of the Child Maintenance and Enforcement Commission (the replacement for the Child Support Agency), to have access to telecommunications data to investigate fathers required to pay child support. These extensions may be warranted or not, but they show the tendency for what Gary Marx long ago called ‘surveillance creep’ to occur – the saving of telecommunications data has increased since RIPA was proposed and now RIPA will be used to allow new agencies access to this data.

They also note that they will not be returning any of these investigatory functions to the police. This is interesting because later they use the reason of non-interference in law-enforcement for denying elected councillors detailed oversight. So this confirms a trend to less and less accountable law enforcement.

2. If any public authorities should be removed from the RIPA framework, what, if any, alternative tools should they be given to enable them to do their jobs?

Response: given the previous response, it is not surprising that no real change is proposed here. The Home Office in fact insists that more emphasis should be placed on overt surveillance by local authorities (like CCTV) in order to reduce the need to resort to RIPA’s covert surveillance!

3. What more should we do to reduce bureaucracy for the police so they can use RIPA more easily to protect the public against criminals?

This wasn’t a question that I ever noticed critics of RIPA asking. Some agencies seem to have objected to the amount of paperwork around RIPA and The Home Office “agrees that it is in no-one’s interests for documentation to be unnecessarily time-consuming” and they, for once, insist on a proper auditable trail that can help protect privacy. They say in any case, applications are already down massively.

There is an interesting note that suggests the increasing use of RIPA for counter-terrorism activities which is left rather open – “the Government is facilitating the work of police collaborative units, such as the regional counter-terrorist units… This means officers seeking to use techniques under RIPA will be able to apply to authorising officers in different forces, where the Chief Officers have made a collaboration agreement that permits this”, in other words that RIPA might be used for massive, blanket undercover surveillance operations. Now that certain wasn’t what the government has recently claimed it was intended for – although of course, as anyone with any kind of memory will recall, it was exactly the justification used for passing it.

4. Should the rank at which local authorities authorise the use of covert investigatory techniques be raised to senior executive?

Response: The media reports thus far have focused on the plan to limit the authorisation of such practices to council chief executives and directors – a recommendation made by the House of Lords Constitution Committee – what the Home Office actually recommends is to restrict the decision to a rather wider set: ‘Director, Head of Service, Service Manager or equivalent’. So, no junior officers any more, which is good, but not necessarily senior managers only. They also recommend having a compliance officer designated, which is good if they genuinely work on active and ethical compliance rather than thinking of excuses in retrospect.

5. Should elected councillors be given a role in overseeing the way local authorities use covert investigatory techniques?

Response: yes they should, but it should be ‘strategic’ and limited to once a year setting of policy and strategy with quarterly oversight meetings. They argue, as I mentioned earlier, that non-interference in law-enforcement is a good reason for keeping elected officials away from the details… Councillors in the UK have been increasingly hamstrung in the way that they can oversee their supposed bureaucracy, even to the point where they have been fined and suspended for criticising their own officers. Some real control would be welcome (after all, that is what the purpose of local democracy should be).

6. Are the Government’s other proposed changes in the Consolidating Orders appropriate?

Response: the Home Office basically rejected all the respondents’ comments on the proposals.

7. Do the revised Codes of Practice provide sufficient clarity on when it is necessary and proportionate to use techniques regulated in RIPA?

Response: the codes of practice will be made clearer. No more guidance will be given. The Guardian says that the proposals will ‘ban’ the use of RIPA for ‘minor matters’ but I can’t really see that they do this, and the points of such codes is usually to avoid recourse to the law by encouraging a voluntary self-regulation; it is how CCTV is largely – and incredibly ineffectively – regulated in the UK too.

The Biggest Database in the World

James Bamford has a superb review of the new book by Matthew Aid about the US National Security Agency (NSA) in the New York Review of Books this month. What seems to be causing a stir around the intelligence research (and computing) community is the reference to a report by the MITRE corporation into a the information needs of the NSA in relation to new central NSA data repository being constructed in the deserts of Utah. The report, which is being rather speculative, says that IF the trend for increasing numbers of sensors collecting all kinds of information continues, then the kind of storage capacity required would be in the range of yottabytes by 2015 – as CrunchGear blog points out: there are “a thousand gigabytes in a terabyte, a thousand terabytes in a petabyte, a thousand petabytes in an exabyte, a thousand exabytes in a zettabyte, and a thousand zettabytes in a yottabyte. In other words, a yottabyte is 1,000,000,000,000,000GB.” However CrunchGear misses the ‘ifs’ in the report as some of the comments on the story point out. There is no doubt however, that the NSA will have some technical capabilities that are way beyond what the ordinary commercial market currently provides and it’s probably useless to speculate just how far beyond. Perhaps more important in any case, are the technologies and techniques required to sort such a huge amount of information into usable data and to create meaningful categories and profiles from it – that is where the cutting edge is. The size of storage units is not really even that interesting… The other interesting thing here is the hint of competition within US intelligence that never seems to stop: just a few months back, the FBI was revealed to have its Investigative Data Warehouse (IDW) plan. Data Warehouses or repositories seem to be the current fashion in intelligence: whilst the whole rest of the world moves more towards ‘cloud computing’ and more open systems, they collect it all and lock it down.

Information-rich animals

Iris scanning has been proposed for horse by a company called Global Animal Management (GAM) Inc. As bloodstock is a huge and lucrative business – feeding everything from the private obsessions of the super-rich through the horseracing industry to the dreams of teenage horse-enthusiasts – it is not surprising to see such investment in biometrics. Racehorses were, after all, the first living creatures to be regularly microchipped. Vets seem sceptical about the idea, but surely members of the medical profession would be more enthusiastic about non-invasive replacements for invasive identification techniques like RFID?

Ironically, support for the scepticism comes form GAM’s own website, where a very interesting short video shows just how comprehensive the surveillance of animals through RFID chips has become. RFID chips do not just identify, they carry whole life-cycle information on origins, movements, health and disease and legal compliances. And because of the chips this information is carried with the animal not simply associated with it via a distant database as the result of an occasional scan. The system creates what GAM calls ‘information-rich animals’, which presumably is what makes GAM – and it hopes, its customers – cash-rich too…

(thanks to Aaron Martin, whose reading now seems to include Horse and Hound magazine…)

Canadian Internet Snooping Law

I’ve noted before that there seems to be a concerted push around the world by governments to introduce comprehensive new telecoms surveillance laws that force telecommunications and Internet Service Providers (ISPs) to record, store, and provide access to and/or share with state intelligence agencies, the traffic and/or communications data of their customers (in other words, users like us). What is noticeably here is that there is a particular logic that appears in the arguments of governments who are attempting to persuade their parliaments or people of the need for such laws. This logic that is firstly, circular and self-referential, in that it makes reference to the fact that other governments have passed such laws as if this in itself provides some compelling reason for the law to be passed in their own country. The second part of this is a king of competitive disadvantage arguments that flows from the first argument: if ‘we’ don’t have this law, then somehow we are falling behind in a never openly discussed intelligence-capability race that will hit national technological innovation too.

The media often seem oblivious to what seems obvious, and hence the story on the CTV news site today with reference to Canada’s currently proposed communications law that would allow the Canadian Security and Intelligence Service (CSIS) warrantless access to such the data from Internet and telecoms providers. They consider it to be ‘unexpected’ that the parliamentary Security Intelligence Review Committee has come out in support of the bill. Looking at the reasons why though, they are exactly what one would expect if one has been following the debates around the world and contain exactly the logics I have outlined. The story notes that the committee “points out that governments in the United States and Europe have already passed laws requiring co-operation between security agencies and online service providers” (without, incidentally, pointing out that these remain enormously controversial, or that other governments have abandoned some of their attempts) and later that “intelligence technology… requires continued access to new talent and innovative research.” However they won’t go into details as it is a “very sensitive matter.”

And absent from this debate as usual is the fact that this is not just a question of ‘national security’ if you set up these systems, you feed the US National Security Agency too. Canadian intelligence is still bound by agreements made after WW2, particularly the CANUSA agreement on Signals Intelligence (SIGINT), later incorporated into the UKUSA structure. And as we all know, right now, the USA does not always have the same strategic interests as Canada (the issue of arctic sovereignty is just one example). If this bill is passed, it’s a license for US spies, not just Canadian ones.

UK police still adding innocent people’s DNA to database

Research in the UK has shown that police forces in Britain are continuing to add the DNA – and incidentally the fingerprints, although this is never mentioned – of innocent people to the DNA database despite the European Court of Human Rights ruling that it was illegal (and the government’s promise to accept the ruling). According to The Guardian newspaper today, 90,000 innocent people have been added to the National DNA database (NDNAD) since a the court ruling and the Association of Chief Police Officers (ACPO) – incidentally, a private organisation – is still telling chief constables to continue with this collection. On the other hand the process of removing individual profiles has been painfully slow: only 611 DNA profiles of innocent people have been removed, and all as a result of individual challenges in court. It seems that the police are determined to drag their feet as long as possible and, in fact, break the law quite openly. Hardly a good example…

Bizarre happenings in Rio de Janeiro

My collaborator, Paola Barreto Leblanc writes to me “Something really bizarre happened this week. In a public street in Rio’s center CCTVs from some buildings and a Bank – private circuits – caught a criminal action led by police officers [Policia Militar – PM, or Military Police, in fact]. Instead of helping a victim of an attack they rob the robbers!” The news story is available on youtube:

The thing that adds an extra layer of particularly bleak humour to this nasty event is that the name of the PM officer involved is capitão Bizarro (Captain Bizarre)… however, the really sad fact about the whole incident is that the victim was prominent social justice activist and founder of the internationally-renowned favela music group AfroReggae, Evandro João da Silva. He did a lot more good for the city and for the improvement of the lives of the urban poor than any gang-members or police officers ever did and he will be sorely missed. The PM chief, Mário Sérgio Duarte, who we interviewed back in April, is once again in the papers and on TV, apologizing. I noted at the time that Colonel Duarte seemed ‘profoundly indifferent’ to CCTV – I wonder if he will change his mind now and in what direction…

As Paola also writes to me, the nexus of CCTV in Rio is an intensely confusing one, mixing drug-gangs, corrupt police, the media, who like anywhere else seem to be living off the images from CCTV cameras without much in the way of respect for the victims. We are now starting to work together on a paper on these developments.