UK travel database

Lots of media outlets today and yesterday reporting on the UK government’s e-Borders initiative. I’m not quite sure why particularly now: we’ve known about the e-Borders program – which is based around the new RFID-chipped passports – for some time. Of course the system involves collecting vast amounts of data, including rather more personal information than seems in any way necessary, like for example, travel companions – as if terrorists and criminals will obediently identify themselves by booking and traveling together!

For that is the justification for all this. On the website, Phil Woolas, the Minister of State for Borders and Immigration – another barrel-scraping appointment by a government that doesn’t really have many options for ministers now – said that this is is just about allowing ‘us to count all passengers in and out of the UK.’  But this isn’t just counting. What was a system derived in a combination of bowing to US demands after 9/11 and embarrassment over the government’s total inability to counter opposition criticism over immigration with any real facts has expanded its functionality (as with all of these systems) into something rather more comprehensive.

Woolas goes on to say that it ‘targets those who aren’t willing to play by our rules’ – tough talk, but it with the ever increasing numbers of trivial, silly and sometimes plain bad rules introduced by the current government, it’s hard to know what playing by the rules means anymore. This is a major problem for those who just accept all of this with a shrug and argue ‘nothing to hide nothing to fear’. I also wonder how long it will be before this database is hacked or details get left on a train or the whole thing is ‘lost’. Maybe I will start paying attention to Phil Woolas’s idea of the rules when his government starts paying attention to the European Convention on Human Rights, introduces some proper accountability and oversight for all these new surveillance initiatives as the House or Lords recommended, and stops losing our data and pandering to fear. Accountability, competence, ethics and rationality: it’s not much to ask from a government is it?

Major new report on surveillance out next week

House of Lords
House of Lords

I hear on the grapevine that the British House of Lords’ Constitution Committee Report on Surveillance and Data Sharing will be out next Friday 6th February. The inquiry conducted by the committee has been one of the most thorough of any so far conducted, and certainly promises to be more considered than the rather rushed House of Commons Home Affairs Committee report, A Surveillance Society? from last year. Both reports were ordered largely in response to the Report on the Surveillance Society that Surveillance Studies Network wrote for the UK Information Commissioner in late 2006, and which is still getting coverage around the world (see CCTV in Canada for example). Check the Committee’s website for the report itself and, of course, back here for a review, on Friday.

Brazil as surveillance society? Privacy International´s view (1)

Every year, Privacy International publishes a kind of index of privacy. The methodology is qualitative and has a strong element of subjectivity based on PI´s campaigning objectives (for example my colleague, Minas Samatas, finds their assessment of Greece as the best country in Europe in this regard, ludicrous). There are also problems with the equivalence of the all the different categories, both in terms of whether all the surveillance identified is even ethically ´bad´ anyway, and in the adding up of categories to conclude that you can lump together the USA, UK, Russia and China. However, it remains a good focus for discussion and no-one else does anything similar.

Let´s see what they concluded about Brazil. Brazil ends up in the 3rd worst category overall, with a ´systematic failure to uphold safeguards´. In particular, PI condemned:

  • the role of the courts in weakening constitutional rights of data protection (something I will be coming back to next week);
  • the lack of a privacy law;
  • the lack of habeus data provisions;
  • the lack of a regulatory of personal data and privacy;
  • an overly simplistic test for the legailty of communications interception;
  • the new ID law;
  • recent Youtube censorship;
  • increasing workplace surveillance, which has only been partially addressed by the courts;
  • widepsread private interception of intenet and e-mail traffic;
  • that fact that ISPs are required to keep and hand over traffic data to police;
  • the extensive road transport surveillance using RFID.

However they also noted:

  • the protection of the right to privacy of children under a 1990 law; and
  • the fact that bank records are protected under the constitution, and warrants are required to seize them

I will be going through their country in report in more detail next week and using this as one of the bases for the questions I will ask NGO representatives and parliamentarians in the weeks after wards.

Top Ten Problems with UK Information Sharing Proposals

Chris Pounder of Amberhawk information consultants sends me his Top Ten Problems with the British government´s new information-sharing proposals that are to be found buried deep in the Coroners and Justice Bill, where perhaps they thought no-one would notice… these are part of much lengthier and more thorough analysis submitted to the Joint parliamentary Committee on Human Rights (JCHR), which explains why the proposals ignore or conflict with the recommendations of 2008´s Data Sharing Review conducted by Richard Thomas and Mark Walport for the Ministry of Justice itself. These are sumarised by me here, and any errors and omissions are therefore my own:

  1. Lack of scrutiny. There is no provision for the JCHR to scrutinise this (or any other) wide-ranging statutory power which impacts on Article 8 of the European Convention on Human Rights (ECHR), nor any attempt to explain how this provision is consistent with human rights legislation.
  2. The extension of information sharing beyond personal data. The use of “any person” in the Bill means that it applies to information sharing by any public or private body or individual. “Information sharing” powers are not limited to personal data and the person who receives the shared information might be a foreign government or organisation. [for example the FBI´s proposed Server in the Sky]
  3. The “exceptional” may become the routine The Data Sharing Review recommended that the sharing of personal data should be legitimised in exceptional circumstances. However, in the Bill there is instead a legitimation of general information sharing, whenever it falls within a “relevant policy objective” [which is basically anything a Minister decides].
  4. The generality of an Information Sharing Order. There is no limit as to how “person”, “purpose” and “information class” are specified in an Order. There is no explicit requirement for the purpose of the information sharing to be one of those specified in Article 8(2) ECHR.
  5. The prospect of unlimited data sharing from large Government databases. The Bill appears to facilitate data sharing from any Government database without Parliament being explicitly informed of this sharing when an Order is before Parliament. The prohibition in the clause only relates to Part 1 of the Regulation of Investigatory Powers Act (RIPA). By implication, sharing from other national databases (e.g. the national identity register of the ID Cards Act) does not need to be explicitly mentioned in an Order. This means that unlimited data can be shared from these other national databases by means of a general order-making provision.
  6. The exclusion of critical comment on the purpose of the processing. In the Bill, the Information Commissioner is not allowed to comment on whether “the sharing of information enabled by the order is necessary to secure a relevant policy objective”. The effect is to inhibit the Commissioner from commenting on the purpose of the processing, which is the main purpose of the Information Commissioner! Plus, because this applies to more than personal information, much of the proposed sharing is outside his remit.”
  7. The range of the powers. The powers are widely drawn and their application is very broad. There is no explicit provision in the main sharing provisions which would facilitate data subject rights and freedoms (e.g. right to object ; need to obtain consent). Instead, these provisions can “modify” the application of any law (including the Data Protection Act and the Human Rights Act) which will weaken the protection afforded to data subjects.
  8. The lack of transparency. There is no obligation to disclose to the Information Commissioner or Parliament any background document or legal advice about a proposed Information Sharing Order. There is no obligation to answer any formal request for information from the Commissioner. There is no obligation to engage the public on the subject of a draft Information Sharing Order.
  9. The irrelevance of the proposed Code of Practice. There is nothing in these information sharing clauses which expressly states that the sharing of personal data has to be consistent with the proposed non-statutory Code of Practice. The Code is not subject to approval by Parliament; rather, it is subject to approval by the Secretary of State (SoS).There is no provision which sets out what happens if there is a disagreement between SoS and Information Commissioner about the content of a Code. There is no active role for Parliament in relation to the content of a Code.
  10. Orders can be implemented to achieve purely administrative objectives. For example, suppose Ministers are told by civil servants that the problems associated with one of the Government’s big database projects would be resolved if they used criminal convictions from the Police National Computer. The Bill allows the Minister to argue that the sharing was necessary to secure a policy objective, it was proportionate as there was no other way of securing the policy objective (abandoning a large IT project is not an option), and it was in the public interest to secure the policy objective (given the amount of money committed to the project). This means that sharing which could be excessive and disproportionate in terms of Article 8 becomes necessary and proportionate in terms of realising a policy objective.

Previously, I commented that No2ID were overstating their case that this proposal was the greatest threat to information rights after the ID Register. After reading Chris´s analysis, I think they might be underestimating its importance. The creation of a generalised and weakly accountable ability for the state to share information of any kind with any one they wish, is a far greater threat than the creation of any single database, however extensive. I disagree with their views on the Data Sharing Review, but No2ID’s data sharing site still has the best summary of proposals and action people can take…

Civil liberties in Britain

In February, the Convention on Modern Liberty will be taking place in cities across the UK and online. Unfortunately I will still be in Brazil and there are no listed events in Newcastle, which is a great shame – I would certainly have been organising some. This is an issue that tends to cross party lines and unite people of all political persuasions, so I hope as many people as possible in the UK get involved…

The Guardian newspaper´s Comment is Free site also has a special section set up for the event called Liberty Central. Surveillance Studies Network and Surveillance & Society were supposed to be listed there (they contacted us), but they aren´t yet…