New ID cards Website

http://www.identity-cards.net/ the national id cards website

This website contains a comprehensive listing of national ID cards by geographic region worldwide allowing users to study and compare specific national policies regarding identity cards, as well as a list of resources on the topic.

National identification systems have been proliferating in recent years as part of a concerted drive to find common identifiers for populations around the world. Whether the driving force is immigration control, anti-terrorism, electronic government or rising rates of identity theft, identity card systems are being developed, proposed or debated in most countries. However, there is no comprehensive database documenting the status of national identity card systems anywhere in the world, and this website has been designed in order to fill this gap.

We invite users to help compile this information. Go to ‘UPDATE ID INFORMATION’ and follow the steps to submit current information about national ID card systems globally.

This website has been developed under The New Transparency Project an MCRI project funded by the Social Sciences and Humanities Research Council of Canada. The idea for the website comes from the book “Playing the Identity Card” recently edited by Colin Bennett and David Lyon, and published by Routledge (2008). The website is maintained and updated by a group of students and faculty from Queen’s University and the University of Victoria.

(Information from The New Transparency Project)

Private Sector Data Losses

People often concentrate rather too much on abuses by the state of personal data. But private sector organisations are certainly no better. One key example was made public this week, when the new UK Information Commissioner, Christopher Graham, announced that he would be prosecuting a major mobile phone company (he is not saying which one yet*) for selling personal information which it held on customers. The trade in personal information is a very difficult thing to regulate: telecoms companies will deny up front that they ever do anything like this, but yet we know it happens frequently in every jurisdiction, in both management-sanctioned and illicit forms; and practically, of course, once the information is ‘out there’, it cannot be recalled. So, no-one should feel safe just because they have ticked (or unticked) that little box under all that often indeciferable text about what a company might do with your data. I hope that whatever firm this is, it gets hits where it will hurt most, on its bottom line.

*Update: T-Mobile have now confirmed that they are the company responsible.

UK pushes forward with online data retention plans

Like Canada, the UK is pushing forward with new plans to force telecommunications companies and ISPs to retain online data, despite opposition from both the industry and ordinary service users. The New Labour govenrment had delayed the plans from last year, faced with the strength of the opposition and launched a ‘consulation’. The consultation apparently still generated 40% opposition, which one would think was enough to tell them that something was wrong. But, as I said last year, “the collection of such traffic data will still go ahead… partly at least because the Americans want it; there is pressure on many countries for this kind of data collection and storage – see for example, the FRA law in Sweden. Networking these databases together with others is a major aim of the FBI’s secretive ‘Server in the Sky’ project.”

However, now the UK plans go further than many other countries’ schemes in this area, as they would cover not only traffic data but also a whole range of data which would not normally have been regarded as  traditional communications like social networking activity and even internal online gaming data. This would seem to be in line with US programs that regard the behaviour of – let’t not forget, fantasy – game and virtual world avatars as somehow indicative of real-world tendencies and practices (e.g.: Projects VACE and Reynard), an extremely dubious assumption and one which extends the reach of the state into people’s fantasy and dream lives.

The BBC story mentions an estimated 2Bn GBP (around $3.5 CAN) cost for this – which will no doubt be passed on to service users – but given the immense problems posed by some of this data, I would reckon that this could a massive underestimate, especially if one takes into account the UK state’s history of appallingly-managed computerisation and database-building schemes. The original plans also would have allowed all agencies empowered under the Regulation of Investigatory Powers Act (RIPA) to make use of such data, and the RIPA consultation response from the UK government did contain some indications that some new agencies would be given powers of access, but I am still not sure whether the government will keep the list of agencies as long as it was in last year’s draft Communications Bill.

Guardian article

The Guardian‘s Comment is Free site published a short version of my critiques of RIPA today… you can read it here.

 

Or the full version prior to editing is here:

A little-known tribunal is meeting this week to consider a case a case of wrongful surveillance. The case brought by Jenny Paton and Tim Joyce against Poole District Council in the Regulation of Investigatory Powers Tribunal concerns the local authority’s targeted surveillance measures against the couple and their children in an investigation of their application for school places. Among other activities, council employees trailed the family and interrogated neighbours.

The case comes in the same week that the government issued its response to a consultation process on the reform of the law which the tribunal oversees: the Regulation of Investigatory Powers Act (RIPA) (2000). RIPA has proved controversial as it seems to give many different public bodies new powers of surveillance, but that isn’t entirely true: as many local council officials admit, much of this was going on before 2000, but RIPA regulates and restricts it – in fact, it restricts it too much to some of the published responses to the consultation process. It is, however, almost impossible to determine whether RIPA has increased or decreased surveillance of this kind as no consistent records were kept prior to RIPA’s introduction. What is certainly the case is that the public is now more aware of the use of surveillance powers by agencies they had never realized were allowed to do such things.

Surveys have found that only 9% of RIPA authorizations resulted in either prosecution of enforcement action. In Australia, earlier this year, when only 28% of the use of targeted surveillance (in that case by police) resulted in prosecutions, their law was denounced as an excuse for ‘fishing expeditions.’ So what does a 9% rate indicate for Britain? Desperation perhaps? Or at least that RIPA was being massively overused for trivial issues. The House of Lords Constitution Committee report, Surveillance: Citizens and the State, certainly thought so, arguing not only that the inadequate administrative procedures should be reviewed but also that the government should think again about the whole business of allowing Local Authorities police powers, and that in any case, these powers “should only be available for the investigation of serious criminal offences which would attract a custodial sentence of at least two years.”

The government has failed to take heed of these recommendations. Ok, so they have agreed to restrict the authorization of covert surveillance under RIPA to ‘Director, Head of Service, Service Manager or equivalent’, and that Local Authorities should designate compliance officers so there will be no more junior officers deciding to play James Bond, as in the Poole case. However, by going to a ‘consultation’ whose respondents were dominated by Local Authorities and other RIPA-enabled agencies, they have managed to avoid doing anything particularly radical. This started from limiting the scope of the review through the questions they asked in the consultation.

For example, by asking which covert investigatory techniques specifically should be removed (and discounting any views that said ‘all of them’) they managed to get a mixed set of answers that failed to produced a clear vote against any one technique. Result: no techniques get removed and in fact some of the existing allowed techniques get extended to yet more agencies, for example the new Child Maintenance and Enforcement Commission (the replacement for the Child Support Agency). In particular, this extension of powers covers telecommunications data, whose keeping by the state has of course increased since RIPA was proposed. Now RIPA will be used to allow new bodies access to this data.

A curious note throughout the response by the government is the insistence on using an idea of non-interference with law-enforcement as a reason for not allowing elected officials any more than strategic scrutiny over the actions their own officials take under RIPA. This matters because RIPA is just one of many ways in which law-enforcement is not spreading as a function to increasing numbers of agencies beyond the police and judiciary. This seems to be general position that New Labour has taken – although it hasn’t always got its way – does anyone remember the dropped proposals to allow any ‘responsible people’ to levy on the spot fines?

And the government response seems to take a bullish delight in attacking those who have criticized the surveillance society. They insist, for example – and despite all the evidence to suggest that such interventions have limited effectiveness – that Local Authorities should make more use of overt, mass surveillance, like CCTV, instead of using RIPA. They are creating a binary choice, which seems to say assume that some kind of surveillance should be used: which do you choose, overt or covert? But, of course, that shouldn’t be the choice at all. They are also trying to have their cake and eat it on CCTV: the response to the consultation dismisses those consultees who brought up the subject of CCTV – which is not covered by RIPA – but feel quite able themselves to recommend its extended use in their own response. This of course also ignores the perfectly legitimate feeling amongst many that it is about CCTV was brought under proper control and a reformed RIPA might well be the place to do it.

Then there are things missing: notably, the concentration on Local Authorities, which for the most part has completely obscured the use of covert surveillance by central government departments and arms-length agencies including the Department for Environment, Food and Rural Affairs (Defra), the NHS and the Environment Agency, all of which have been criticized in the past by the Surveillance Commissioner.  Nothing seems to be proposed to increase the visibility of the RIPA Tribunal which is, just for now, in the news. The Lords described it as all but invisible and weak. Nor do the government propose to do anything to strengthen training or the Code of Practice, and in any case, there has been a huge over reliance on such self-regulation for matters which should have more formal control; this is also how CCTV and the security industry is largely – and incredibly ineffectively – regulated in the UK.

Pretty much anyone could have predicted this limp response from the Home Office to some rather serious problems. They don’t read their own research, they don’t do consultation in a meaningful manner, and then, surprise, surprise, they conclude that there really isn’t very much wrong after all. Jenny Paton and Tim Joyce may well disagree, and let us hope that the RIPA Tribunal do too.

RIPA to be limited

The UK Home Office is finally publishing plans to reform the Regulation of Investigatory Powers Act (RIPA) which defined in law the surveillance powers open to hundreds of government bodies. You can see what I have previously said about the consultation here. The consultation on RIPA actually had 7 major questions. The Home Office has now responded to all the opinions offered during the consultation. In more detail, this is what was said:

1.    Taking into account the reasons for requiring the use of covert investigatory techniques under RIPA set out for each public authority, should any of them nevertheless be removed from the RIPA framework?

Response: basically, none should be removed. Although the Home Office noted that many respondents had objections, they didn’t feel they added up. Indeed this section also seems to include extensions of the powers (or clarifications that act effectively as extensions) for example the ability of the Child Maintenance and Enforcement Commission (the replacement for the Child Support Agency), to have access to telecommunications data to investigate fathers required to pay child support. These extensions may be warranted or not, but they show the tendency for what Gary Marx long ago called ‘surveillance creep’ to occur – the saving of telecommunications data has increased since RIPA was proposed and now RIPA will be used to allow new agencies access to this data.

They also note that they will not be returning any of these investigatory functions to the police. This is interesting because later they use the reason of non-interference in law-enforcement for denying elected councillors detailed oversight. So this confirms a trend to less and less accountable law enforcement.

2. If any public authorities should be removed from the RIPA framework, what, if any, alternative tools should they be given to enable them to do their jobs?

Response: given the previous response, it is not surprising that no real change is proposed here. The Home Office in fact insists that more emphasis should be placed on overt surveillance by local authorities (like CCTV) in order to reduce the need to resort to RIPA’s covert surveillance!

3.    What more should we do to reduce bureaucracy for the police so they can use RIPA more easily to protect the public against criminals?

This wasn’t a question that I ever noticed critics of RIPA asking. Some agencies seem to have objected to the amount of paperwork around RIPA and The Home Office “agrees that it is in no-one’s interests for documentation to be unnecessarily time-consuming” and they, for once, insist on a proper auditable trail that can help protect privacy. They say in any case, applications are already down massively.

There is an interesting note that suggests the increasing use of RIPA for counter-terrorism activities which is left rather open – “the Government is facilitating the work of police collaborative units, such as the regional counter-terrorist units… This means officers seeking to use techniques under RIPA will be able to apply to authorising officers in different forces, where the Chief Officers have made a collaboration agreement that permits this”, in other words that RIPA might be used for massive, blanket undercover surveillance operations. Now that certain wasn’t what the government has recently claimed it was intended for – although of course, as anyone with any kind of memory will recall, it was exactly the justification used for passing it.

4.    Should the rank at which local authorities authorise the use of covert investigatory techniques be raised to senior executive?

Response: The media reports thus far have focused on the plan to limit the authorisation of such practices to council chief executives and directors – a recommendation made by the House of Lords Constitution Committee – what the Home Office actually recommends is to restrict the decision to a rather wider set: ‘Director, Head of Service, Service Manager or equivalent’. So, no junior officers any more, which is good, but not necessarily senior managers only. They also recommend having a compliance officer designated, which is good if they genuinely work on active and ethical compliance rather than thinking of excuses in retrospect.

5. Should elected councillors be given a role in overseeing the way local authorities use covert investigatory techniques?

Response: yes they should, but it should be ‘strategic’ and limited to once a year setting of policy and strategy with quarterly oversight meetings. They argue, as I mentioned earlier, that non-interference in law-enforcement is a good reason for keeping elected officials away from the details… Councillors in the UK have been increasingly hamstrung in the way that they can oversee their supposed bureaucracy, even to the point where they have been fined and suspended for criticising their own officers. Some real control would be welcome (after all, that is what the purpose of local democracy should be).

6. Are the Government’s other proposed changes in the Consolidating Orders appropriate?

Response: the Home Office basically rejected all the respondents’ comments on the proposals.

7.    Do the revised Codes of Practice provide sufficient clarity on when it is necessary and proportionate to use techniques regulated in RIPA?

Response: the codes of practice will be made clearer. No more guidance will be given. The Guardian says that the proposals will ‘ban’ the use of RIPA for ‘minor matters’ but I can’t really see that they do this, and the points of such codes is usually to avoid recourse to the law by encouraging a voluntary self-regulation; it is how CCTV is largely – and incredibly ineffectively – regulated in the UK too.

Europe’s Surveillance State

EU_surveillance
The Open Europe report

I have just got hold of a new report by UK-eurosceptic think-tank, Open Europe, called How the EU is Watching You: the Rise of Europe’s Surveillance State, which whilst it isn’t as startling as the NeoConPanopticon report from the Trilateral Institute and Statewatch, does some to collect some useful information together in one place. Crucially the report points out the same thing as Will Webster and I did in our paper in JCER a couple of months ago, that this isn’t just a case of ‘European’ bad practice being imposed on the UK, but just as much UK bad practice being exported and generalised throughout Europe.

One interesting footnote is how the discourse of opposition and analysis is changing. A few years ago, and still in academia, the idea of the ‘surveillance society’ was the dominant way of describing the situation, but now there is once again an increasing focus on the ‘surveillance state’ or the ‘database state’.  This is partly, I think because there are an increasing number of right-libertarian and anti-state or small-state groupings openly opposing increasing surveillance – for example, the new Big Brother Watch in the UK, and they tend to emphasise the state’s role (or in this case, the role of an organisation they regard as an unaccountable superstate). This also reflects the growing opposition from the UK in particular. This is particularly interesting because in the past, the idea of the ‘surveillance state’ was mainly a historical term to do with the development of repressive political policing, especially that involved in colonial counter-insurgency – see, for example, Alfred McCoy’s new book, Policing America’s Empire, on the role of the US occupation of the Philippines in the co-evolution of US and Filipino state surveillance practices – or in the totalitarian regimes of the former Eastern Bloc.

The landscape today is much less obviously one of state control. Indeed one could see these developments as a result of the retreat of the power of the individual state and an attempted reconfiguration of state-power of a new kind at a supranational level. And, this power is crucially dependent, as it has been since the end of WW2 on the private sector. The military-industrial complex is now a security-industrial complex and security is no longer anywhere near being simply state business.

The Biggest Database in the World

James Bamford has a superb review of the new book by Matthew Aid about the US National Security Agency (NSA) in the New York Review of Books this month. What seems to be causing a stir around the intelligence research (and computing) community is the reference to a report by the MITRE corporation into a the information needs of the NSA in relation to new central NSA data repository being constructed in the deserts of Utah. The report, which is being rather speculative, says that IF the trend for increasing numbers of sensors collecting all kinds of information continues, then the kind of storage capacity required would be in the range of yottabytes by 2015 – as CrunchGear blog points out: there are “a thousand gigabytes in a terabyte, a thousand terabytes in a petabyte, a thousand petabytes in an exabyte, a thousand exabytes in a zettabyte, and a thousand zettabytes in a yottabyte. In other words, a yottabyte is 1,000,000,000,000,000GB.” However CrunchGear misses the ‘ifs’ in the report as some of the comments on the story point out. There is no doubt however, that the NSA will have some technical capabilities that are way beyond what the ordinary commercial market currently provides and it’s probably useless to speculate just how far beyond. Perhaps more important in any case, are the technologies and techniques required to sort such a huge amount of information into usable data and to create meaningful categories and profiles from it – that is where the cutting edge is. The size of storage units is not really even that interesting… The other interesting thing here is the hint of competition within US intelligence that never seems to stop: just a few months back, the FBI was revealed to have its Investigative Data Warehouse (IDW) plan. Data Warehouses or repositories seem to be the current fashion in intelligence: whilst the whole rest of the world moves more towards ‘cloud computing’ and more open systems, they collect it all and lock it down.

Information-rich animals

Iris scanning has been proposed for horse by a company called Global Animal Management (GAM) Inc. As bloodstock is a huge and lucrative business – feeding everything from the private obsessions of the super-rich through the horseracing industry to the dreams of teenage horse-enthusiasts – it is not surprising to see such investment in biometrics. Racehorses were, after all, the first living creatures to be regularly microchipped. Vets seem sceptical about the idea, but surely members of the medical profession would be more enthusiastic about non-invasive replacements for invasive identification techniques like RFID?

Ironically, support for the scepticism comes form GAM’s own website, where a very interesting short video shows just how comprehensive the surveillance of animals through RFID chips has become. RFID chips do not just identify, they carry whole life-cycle information on origins, movements, health and disease and legal compliances. And because of the chips this information is carried with the animal not simply associated with it via a distant database as the result of an occasional scan. The system creates what GAM calls ‘information-rich animals’, which presumably is what makes GAM – and it hopes, its customers – cash-rich too…

(thanks to Aaron Martin, whose reading now seems to include Horse and Hound magazine…)

Canadian Internet Snooping Law

I’ve noted before that there seems to be a concerted push around the world by governments to introduce comprehensive new telecoms surveillance laws that force telecommunications and Internet Service Providers (ISPs) to record, store, and provide access to and/or share with state intelligence agencies, the traffic and/or communications data of their customers (in other words, users like us). What is noticeably here is that there is a particular logic that appears in the arguments of governments who are attempting to persuade their parliaments or people of the need for such laws. This logic that is firstly, circular and self-referential, in that it makes reference to the fact that other governments have passed such laws as if this in itself provides some compelling reason for the law to be passed in their own country. The second part of this is a king of competitive disadvantage arguments that flows from the first argument: if ‘we’ don’t have this law, then somehow we are falling behind in a never openly discussed intelligence-capability race that will hit national technological innovation too.

The media often seem oblivious to what seems obvious, and hence the story on the CTV news site today with reference to Canada’s currently proposed communications law that would allow the Canadian Security and Intelligence Service (CSIS) warrantless access to such the data from Internet and telecoms providers. They consider it to be ‘unexpected’ that the parliamentary Security Intelligence Review Committee has come out in support of the bill. Looking at the reasons why though, they are exactly what one would expect if one has been following the debates around the world and contain exactly the logics I have outlined. The story notes that the committee “points out that governments in the United States and Europe have already passed laws requiring co-operation between security agencies and online service providers” (without, incidentally, pointing out that these remain enormously controversial, or that other governments have abandoned some of their attempts) and later that “intelligence technology… requires continued access to new talent and innovative research.” However they won’t go into details as it is a “very sensitive matter.”

And absent from this debate as usual is the fact that this is not just a question of ‘national security’ if you set up these systems, you feed the US National Security Agency too. Canadian intelligence is still bound by agreements made after WW2, particularly the CANUSA agreement on Signals Intelligence (SIGINT), later incorporated into the UKUSA structure. And as we all know, right now, the USA does not always have the same strategic interests as Canada (the issue of arctic sovereignty is just one example). If this bill is passed, it’s a license for US spies, not just Canadian ones.