Information Commissioner

Death to the ICO?

Chris Parsons draws my attention to a blog posting on the very swish and refurbished Privacy International site (nice job BTW – I will check in regularly). Simon Davies argues in this post for the ‘assisted suicide’ of the UK Information Commissioner’s Office (ICO) because it has become a ‘threat to privacy’. The bases for this argument are several, namely that:

“the legislation that underpins the Office is narrow and in places regressive”;
the ICO is “a quasi judicial regulator that sees its role as protecting data rather than people”, which leads to timid decisions;
the ICO is sometimes “ill-informed… and almost always out of step with the more proactive and advanced regulators overseas” especially when it comes to technology;
its complaints procedure is slow and frequently pointless;
there are too many surveillance-related commissioners in the UK (the Surveillance Commissioner, the Interception of Communications Commissioner, the Equality & Human Rights Commission etc.)
it is disconnected from “an information environment dominated by companies which appear to be largely exempt from local protections for citizens.”

Now, I’ve done some work on commission for the ICO, and therefore you might expect me to defend it from these criticisms. But in fact, I find much to agree with here, as well as some points with which I disagree, and much to ponder.

On the side of agreement,the ICO, like much of government, is undoubtedly technologically rather backward. When, in the Report on the Surveillance Society, we wrote about the way in which governments were behind the times, this was as much a message for them as for parliament or the executive. Maybe it is down to funding, maybe to institutional inertia, maybe deliberate choice, but the ICO has still has not taken serious steps to remedy this as Simon points out, and relies largely on occasional external reports, many of which are in any case general rather than specialist, to update it.

I also agree with the charge that the ICO has been relatively powerless in the face of the rise of corporate surveillance. This is not surprising given its origins as an arm’s-length regulator of government, and some of the particular issues of concern – like whether it took the Google wireless hacking episode seriously enough or made the correct decisions – are far from obvious. But one can clearly contrast the relatively activist stance of even quite bureaucratic Privacy Commissioners like the federal Canadian body over Facebook, with the ICO. It has in the recent past taken some serious actions against illegal private sector surveillance – for example the bust of a notorious blacklisting firm – but this direction appears to have fizzled out. Not being privy to internal policy discussions, I am not sure why.

Then there are some areas in which the criticisms are valid, but which may not be directed at the right target.

The first of these is the proliferation of Commissioners of various kinds – and incidentally, we have thankfully been spared the birth of yet another one with the cancellation of the ID Cards scheme. I have also been arguing for the merging of all the various surveillance-related quangos for a long time. The reason so many of them exist is partly because of the piecemeal way in which British legislative process occurs. There are rarely comprehensive Acts covering broad areas, instead existing institutions, however inappropriate to the job needed, are often merely supplemented or modified. The other reason is of course the ongoing effort to protect certain parts of the state from serious scrutiny, in particular the intelligence services and political police.

The second is that, fundamentally, it seems clear that British data protection and privacy legislation is generally archaic and not up to the job. Neither is its Freedom of Information legislation, even though it was a massive advance on the culture of secrecy that preceded what in retrospect may have been one of New Labour’s most important measures.

However, I am not sure that either of these points are in themselves a criticism of the ICO but rather of the legislation which created it, and the governance environment in which it has to operate. The way in which the ICO came about, through a rough fusion of old Data Protection and newer Freedom of Information functions produced a lumbering Frankenstein’s monster made of parts and bits, kept going on a drip-feed of limited funding, something that was never going to be capable of what campaigners expected of it. The same could be said partially of the critique of the complaints procedure, itself is a widely shared opinion and one with which I would not take issue. However, how much of this is down to the limited funding and staffing, and once again, the foundational legislation which hampers as much as empowers the ICO to do much of what we outsiders would want them to do?

Then, some of the criticisms are more personal opinion, with which I am sure many in the ICO would disagree, particularly the idea that the ICO does not care about people. Both Simon and I know many people in the ICO personally and whatever our political differences with them, the idea that they are heartless data bureaucrats with no interest in people is a rather unhelpful and hyperbolic caricature, as is the idea that the ICO is an ‘enemy of privacy’. The ICO had a legally mandated job to do first and foremost and it needn’t, legally, go beyond that at all. Yet it has. The interventions that the previous Information Commissioner, Richard Thomas, made on surveillance in particular were absolutely vital in adding a new level to a debate that had previously, despite the best efforts of activists, campaigners and researchers, been of more marginal concern. One could argue that surveillance and privacy would never have become such a topic parliamentary debate, let along an election issue, without his advocacy. Certainly it hasn’t gone far enough, but is has hardly, during this period at least, acted as a stereotypically uncaring bureaucracy.

So what of the solutions?

Simon advocates only one: that the government “scrap the data protection functions of the ICO and building a new Privacy Act that creates a true watchdog with a broad mandate.” It is hardly surprising that Privacy International see the ‘privacy’ element as the most important one here. Simon will also not be surprised to discover that I disagree with him on this. In fact, my argument for a while has been that privacy cannot justifiably be prioritised over other forms of human informational rights. In addition, the concept of ‘human rights’ in general does not deal with everything about information relationships, positive or negative, and the many elements of those information relationships between state, citizen and corporation cannot be so arbitrarily separated.

I would therefore argue that a comprehensive Information Act, which covered citizens’ rights to information (their own, and that generated by government and corporations), their rights of privacy and the more general parameters of what the state and companies may know of those who information this is and how they are allowed to do so (i.e the limits of surveillance). I agree that ‘data protection’ is an out-of-date concept. But ‘privacy’ does not, and cannot, replace it, at least not alone. Privacy Commissioners, where they exist, find themselves dealing with a lot more than privacy and end up becoming ‘surveillance’ or ‘information commissioners’ in practice or by stealth, and in some cases an emphasis on privacy over all else can hamper legitimate needs to know (as has been true in the case of family members of elderly patients with dementia in Canada for example).

My conclusion about what a new Information Act would contain in terms of the regulatory bodies has something in common with Simon’s view, but I have two options. One is the creation of a single mega-regulator – a real Information Commissioner that covered all the areas of our information relationships with the state and corporations that would be able to go after corporations, local and national government over issues of their secrecy, transparency and accountability, and our privacy and informational needs. It wouldn’t just merge the existing ICO, Surveillance Commissioner, Interception of Communications Commissioner and so on), but start with new legislation and a new structure.

The other option would be a merge all the existing bodies but create two new ones to replace them: a Surveillance and Privacy Commissioner, to cover all of the areas of state and corporate intrusion into the lives of citizens, but also a Freedom of Information Commissioner, to cover the equally vital areas of state and corporate transparency and accountability. Privacy without FoI, whether together in one organisation or separate, is altogether too defensive an approach to what we can expect from the state.

And whichever route one took, the organisation(s) should have a wider range of powers built in and required – research (including technological foresight), advocacy, assessment, response and enforcement functions – with protected funding and legally binding decision-making capability. I think we would all be in agreement on that…

New ICO Surveillance Report

The UK Information Commissioner is reporting to Parliament on the state of surveillance, based on an update report on developments since 2006 authored by Surveillance Studies Network members (including me).

On Thursday 11th November, Christopher Graham, the UK Information Commissioner, sent his report on the state of surveillance and recommendations for action to the House of Commons Home Affairs Committee. His report includes the SSN-authored ‘An Update to a Report on the Surveillance Society’, on which it is based.

The update report, co-authored by Charles Raab, Kirstie Ball, Stephen Graham, David Lyon, David Murakami Wood and Clive Norris, was written in the first half of 2010. It features a review of UK surveillance since they wrote the 2006 ‘Report on the Surveillance Society’ for the Information Commissioner’s Office. The new report focuses on developments in information collection, processing and dissemination, and on the regulatory challenges posed by these surveillance developments.

The Commissioner’s overview and recommendations, and the SSN update report, can be viewed here. I’ll put something up about what I think about his recommendations later after I have had a chance to read them…

SSN to do new Surveillance Society report for ICO

The same team that did the influential Report on the Surveillance Society for the UK Information Commissioner’s Office (ICO) back in 2006 will be doing a follow-up report on the state of surveillance in the UK for the ICO and the national Parliament this year. Many of the things discussed in that report, which I coordinated, have been accelerating and intensifying, most obviously things like airport body-scanning and the use of drone surveillance cameras, but other things have stalled or slowed, for example the implementation of the ID card regime and more widespread use of RFID tags outside of inventory systems. We’ll be assessing the state of play and making some recommendations as a result. The project this time will be led by Professor Charles Raab in Political Science at Edinburgh University, and one of the world’s leading experts on privacy regulation, and will also include Dr Kirstie Ball of the Open University Business School, Professor Clive Norris of the Centre for Criminological Research at Sheffield, Professor Steve Graham from the Global Urban Research Unit (my old place) at Newcastle University – all in the UK – as well as myself and Professor David Lyon here at the Surveillance Studies Centre at Queen’s University, in Ontario. It will be great to be back working with the whole team again, and I hope we can contribute to a more focused debate and some real changes to UK policy and practice. We shall see…

Private Sector Data Losses

People often concentrate rather too much on abuses by the state of personal data. But private sector organisations are certainly no better. One key example was made public this week, when the new UK Information Commissioner, Christopher Graham, announced that he would be prosecuting a major mobile phone company (he is not saying which one yet*) for selling personal information which it held on customers. The trade in personal information is a very difficult thing to regulate: telecoms companies will deny up front that they ever do anything like this, but yet we know it happens frequently in every jurisdiction, in both management-sanctioned and illicit forms; and practically, of course, once the information is ‘out there’, it cannot be recalled. So, no-one should feel safe just because they have ticked (or unticked) that little box under all that often indeciferable text about what a company might do with your data. I hope that whatever firm this is, it gets hits where it will hurt most, on its bottom line.

*Update: T-Mobile have now confirmed that they are the company responsible.

UK Ministry of Justice sounding old, tired and defeated

I was at a meeting organised by the Information Commissioner’s Office (ICO) today (Wednesday) in London where both Jack Straw and Michael Wills from the Ministry of Justice spoke. In the wake of the expenses revelations it was not surprising that both sounded somewhat conciliatory, but the degree of both overt and tacit admission of mistakes and changes needed was quite surprising. I had a bit of a set-to with Michael Wills on the apparent lack of knowledge amongst government ministers of the results of their own research on the (in)effectiveness of CCTV, to which he responded with the Melanie Phillips defence – i.e.: come and talk to ordinary people and they will tell you they want CCTV. This is a diversion for many reasons, not least of which is that unlike both the Daily Mail’s moral minority and the minister, I actually live in places where they only visit on official business and I also understand that what people mean when they demand CCTV is not the technology itself but a solution to the real and perceived problems of crime and anti-social behaviour that they face. They only demand CCTV because they see the programs on TV and are convinced that CCTV ‘works’ – however if you talk to senior police officers or anyone who has done research on this, they will tell you, yes, targeted mobile CCTV surveillance to deal with specific problems can be very effective (in terms of both cost and results) but mass camera surveillance is not the same thing. It is rather disappointing that a Justice Minister did not appear to understand the difference.

Jack Staw gave a weird speech. It was both full of matey bonhomie and characterised by stuttering hesitancy and vagueness. He made a number of historical errors, for example in claiming that the culture of secrecy was a product of the Cold War, when the first Official Secrets Act was a product of WW1. He also claimed that CCTV was all about ‘low-level disorder’ and ‘reassurance’, which will be news to all those (like his ministerial colleague) who still think it prevents crime. But he did rightly take some credit for Freedom of Information, including allowing parliamentary expenses to be included, even as it turned out, to his latter-day embarrassment.

Where it got very interesting was in his comments on the government’s consultation on the future of the DNA database following the damning verdict of the European Court. Contrary to Jacqui Smith, Straw indicated that he would be quite happy with the proposed 12 year retention period being reduced to 9 or even 6 years. He also claimed that there was a behind-the-scenes review of The Terrorism Act and other post-9/11 measures going on, which I don’t think many people in the room even appreciated. He admitted that the Labour government got many things wrong after 9/11 and that the environment had now also changed.

It was all very interesting, but you really got the feeling that this was a government on the way out anyway. The Tories will no doubt scrap the ID cards and register, but listening to the Shadow Justice Minister, Dominic Grieve, I got the impression that they don’t have much to offer apart from caution. That might be welcome for a while, but as a speaker from Google remarked, the debate is so far behind the reality of technological change that none of this will really matter very much unless there is a real culture shift. The ICO under the massively influential Richard Thomas, for whom this was very much a valedictory event before he steps down, has made great strides in this direction, but the government and opposition parties are still a long way away from understanding the need to establish a new basis for informational relationships between people, state and private companies that we desperately need.

Surveillance to be ‘hardwired’ into British culture?

Labour simply needs to admit that it has been wrong on this and to develop some more credible plans which recognises that real security protects liberties rather than undermining them in the name of security.

Richard Thomas is no longer a lone voice in the top echelons of the British state against the growing culture of surveillance, but he remains the most persistent and hard-hitting critic, not least because of he makes the best possible use of his position as UK Information Commissioner when most government watchdogs are largely toothless.

Now in an interview in The Times newspaper, he has renewed his attack on the government’s data-sharing and surveillance proposals,arguing that we risk “hardwiring surveillance” into the British way of life. He has clearly fully absorbed the report we wrote for him back in 2006, in which we warned of the possibility of a ‘technological lock-in’ and is building on it in a serious and creative way.

Thomas is clear in the interview that government plans are ‘excessive’ and so much so that they ‘risked undermining democracy’. With Thomas now joined in his stance by eminent critics like the House of Lords Constitution Committee, former MI5 chief, Stella Rimington and most recently, former far-from-liberal Home Secretary, David Blunkett, as well as just about all media and academic opinion, it seems difficult to see how the government can continue to claim that its plans are in any way credible. Labour is now obviously isolated, unpopular and wrong on surveillance. This needs more than token gestures like the resignation of the Home Secretary, Jacqui Smith (she has other reasons why she should resign anyway), it needs some real soul-searching and a complete reconsideration of the direction in which the government is heading. Labour simply needs to admit that it has been wrong on this and to develop some more credible plans which recognise that real security protects liberties rather than undermining them in the name of security.

Britain is a surveillance society and it must change: detailed anaysis of the Lords Constitution Committee report

This is probably the best parliamentary report on surveillance I have ever read, and if only half of the recommendations are given any attention by the government, then Britain will be a much better place.

It’s 3.00am here in Brazil, and I have just spent the last four hours reading, analyzing and writing about the House of Lords Constitution Committee Report Surveillance: Citizens and the State. My expectations of the work of the committee have generally not been disappointed. This is probably the best parliamentary report on surveillance I have ever read, and if only half of the recommendations are given any attention by the government, then Britain will be a much better place. However it is not only relevant to Britain. The UK seems to have come to be regarded as some kind of model for other democracies to follow in terms of surveillance and security – at least by governments. Reading this report should serve to disabuse others of any notion that Britain is a good example.

Here’s the detailed analysis. It is long and there are no pictures! But this is serious stuff. I have gone through the whole report and thought about all the recommendations. It is worth remembering first of all what the Committee was asked to do. Here are the questions they started out with:

Have increased surveillance and data collection by the state fundamentally altered the way it relates to its citizens?
What forms of surveillance and data collection might be considered constitutionally proper or improper? Is there a line that should not be crossed? How could it be identified?
What effect do public and private sector surveillance and data collection have on a citizen’s liberty and privacy?
How have surveillance and data collection altered the nature of citizenship in the 21st century, especially in terms of citizens’ relationship with the state?
Is the Data Protection Act 1998 sufficient to protect citizens? Is there a need for additional constitutional protection for citizens in relation to surveillance and the collection of data?

The answers to the first and last questions are, in short ‘yes’ and ‘no’ respectively. Their basic conclusion is that increasing surveillance by the state is the greatest change to the nature of the relationship between state and individual in Britain since the end of the second world war. In opposition to the House of Commons Home Affairs Committee report from last year, and largely in support of our Report on the Surveillance Society form 2006 and that of the Royal Academy of Engineers from 2007, they show that Britain is a surveillance society, and that this must change. They do not go so far as to recommend an Information Act to bring all legislation in this area together, as I have been arguing, but they do advocate significant new legal / constitutional measures to rebalance the state-individual relationship in favour of the individual.

There are 8 chapters of consideration of all of the evidence given, which is treated in a very careful and even-handed way. The Home Office, the police and the Surveillance Commissioners for example, all come in for a telling-off at various points, but at the same time, some of the current government’s initiatives on openness are quite rightly praised (although of course they don’t go far enough in tackling the culture of secrecy that has plagued British government for far too long).

Who comes out of it well? First of all, the Information Commissioner, Richard Thomas and his office (the ICO). This is entirely right. None of this debate would have happened without him and he continues to push the agenda forward in an activist manner that many campaigners should look to as an example. Secondly, the media. The Lords seem to be very aware of the role of investigative journalists in holding the government to account. People are too willing these days to make blanket generalisations about the media as if they were all superficial and obsessed with celebrity. In the case of surveillance, the BBC and The Guardian in particular have done a great job. Thirdly academics and campaigners alike come across as far more informed and sensible about this than the state, which leads the Lords to recommend that the government pay us far more attention. On a personal note, it is a bit disconcerting to see myself, Surveillance Studies Network and other people and organizations with whom I work mentioned (approvingly) quite so much in such an important document…

The Committee place the two values of privacy and freedom as the foundations of its recommendations. The Lords argue that privacy and the restraint of state powers are at the heart of liberty, and that they should be taken into account at all times. There is, I am very pleased to see no mention of ‘trade-offs’ between freedom and security and it seems that they accepted my argument (they do quote me on this) that when claims to protect fundamental freedoms by increasing security are actually eroding those freedoms, the tacit agreement that binds people and state is broken. They stress that all organisations involved in surveillance and date handling need to give far more attention to privacy at all stage, indeed that it should be built in.

There are many individual recommendations.The first concern the Information Commissioner. Basically, the Lords argue that he should be given more extensive powers and more resources, specifically:

to have a role in assessing the effect on any new surveillance measure on public trust;
to be able to monitor the human rights (Article 8, ECHR) effects of government and private surveillance practices on the public;
to be consulted by the government at the earliest stages of policy development – they specifically attack the government for not doing thus far; to extend the ICO’s power of inspection to private companies (again something I am quoted on) – they don’t note that the power of inspection over government departments was only granted in a rush by Gordon Brown following the revelations of disastrous losses of data by various state bodies;
to speed up the implementation of the ICO’s new power to fine bodies that break the rule on data protection and freedom of information;
to be a statutory consultee on all surveillance and data processing laws and for the ICO to report to Parliament on this;
for the government and the ICO to undertake a review of the law governing citizens’ consent to use of their personal data – there is quite a lot of interesting discussion in the body of the report on how consent might operate, and I am very pleased that they haven’t, unlike the government, given up on the importance of consent;
for the government to work with the ICO on raising public awareness as it should already be doing but has failed to do;
and finally, and this is really important – for the Data Protection Act to be amended to mandate a Privacy Impact Assessments (PIA) “prior to the adoption of any new surveillance, data collection or processing scheme, including new arrangements for data sharing” with a role for the ICO in overseeing these. The government will probably try to ignore this, but this is the most crucial recommendation for future policy.

On the various other commissions – of which there are too many in my opinion – they merely recommend that the Surveillance and Communications Commissioner work together better and seek the advice of the ICO, especially with regard to the misuse of powers under the Regulations of Investigatory Powers Act (RIPA), and that the Investigatory Powers Tribunal stops hiding from the public. These are weak recommendations. Later they are rather more robust about the problems of having too many ineffectual regulators of RIPA, but despite a brief mention, any recommendations regarding the regulation of the Intelligence Services get quietly dropped along the way (not surprisingly). I would have thought that recommending at the very least that the offices of the Surveillance and Communications Commissioners are brought under the control of the ICO, if not completely absorbed into the ICO, would have been a much better long-term move.

They also have a number of other recommendations on the egregious RIPA, firstly that the (inadequate) administrative procedures are reviewed and secondly that the government should think again about the whole business of allowing Local Authorities police powers, and that in any case, these powers” should only be available for the investigation of serious criminal offences which would attract a custodial sentence of at least two years.” In my opinion, this effectively amounts to saying ‘repeal RIPA’ without saying so directly. The use of intense targeted surveillance powers to deal with minor infractions is what a lot of RIPA is all about whether that was the intention or not. It is an ill-thought out and badly worded law, like so many in this area.

The Lords recognize this deficiency in detail and specificity and argue as a general point, following the Human Rights Committee, that “the Government’s powers should be set out in primary legislation.” Crucially they also note that the government has not seemed very concerned with what happens after legislation is passed or how it works. They recommend the formation of a new Joint Committee in parliament on surveillance and data powers that would have post-legislative scrutiny as one of its key functions.

There are several measures concerning particular technologies. Their coverage of technologies of surveillance and data-collections is not too bad. I gave a seminar to the Committee on the range of surveillance technologies before they started their hearings, and I was beginning to despair at the levels of knowledge – “can they really do that?” was a common cry – and yet here they consider everything from CCTV to ubiquitous computing / ambient intelligence. There are still major deficiencies however. Although they take my point that government needs to get ahead of the technological game in order to regulate effectively, they still have not. They don’t recommend anything specific about the use of scanners in public places, location tracking, about the increasing dependence on RFID, or about the new flexibility, mobility, decrease in size and bodily intrusiveness of surveillance technologies and what this means for regulation. Mind you that is all in our report to the ICO that inspired all this (see Paragraph 4!)

They recommend that:

the Government comply fully with the recent ruling from the European Court of Human Rights that DNA profiles of innocent people are no longer kept indefinitely on the National DNA Database (NDNAD) – they also rule out a complete national database on both liberty and cost grounds, and argue that there should be a single, clear law governing the NDNAD and better transparency all-round.
On CCTV, they recommend more research on “the effectiveness of CCTV in preventing, detecting and investigating crime”, and more importantly that the government finally put CCTV on a proper statutory basis, with clear regulations, and systems of complaint and redress.
The report is at its weakest on the proposed new National Identity Register (NIR) and ID card. No2ID will not be happy, as all that they say is that “the Government’s development of identification systems should give priority to citizen-oriented considerations.” This is practically meaningless.Considering that this is the Constitution Committee report, and that the NIR and ID card are at the heart of how the government sees the information relationship between state and individual, this is also an unacceptable and compromised omission. No doubt it is evidence of a key area of disagreement amongst members, but the Chair should have banged some heads together on this one!
Although it is treated as a legislative measure, the Lords recommend mandatory encryption of personal data “in some circumstances.” This should have been stronger – bear in mind that most of the data lost by the state over the last few years was not encrypted
They also recommend that the government incorporate ‘design solutions’ in particular Privacy-Enhancing Technologies (PETs) in all new schemes. This is good as a minimum – we have to make sure that the government doesn’t use PETs as a way of claiming to have dealt with the problem – ooh, look: technology!

In other general measures for the whole of government, the Lords return to their central themes, specifically:

that Government should instruct government agencies and private organisations involved in surveillance and data use on compliance with Article 8 ECHR and in particular the legal meanings of necessity and proportionality. They also recommend legal aid should be available for challenges under Article 8.
a system of judicial oversight for surveillance carried out by public authorities, with compensation “to those subject to unlawful surveillance by the police, intelligence services, or other public bodies” acting under RIPA. This would be a severe blow the ad-hoc and effectively extra-legal expansion of surveillance powers under the present government. It would be great if it happens, but I am not going to hold my breath until it does…
increasing the stature and power of the data protection minister
lots of general blah about improving safeguards and restrictions on data handling and implementing standards and training, and education, to improve public confidence. But the thing is, public confidence isn’t really the main issue. Public confidence is low because the government and its private sector contractors have been time and again demonstrated to be incompetent.
there are also several paragraphs of recommendations which basically amount to saying ‘listen to the public’ and particularly, pay attention to pressure groups and research in this area because they know what they are talking about. They are right, you know – we do! They also want more research to get better information on public opinion in this area. We can do that too!

Despite this slight degeneration into well-meaning generality at the end, and despite the glaring hole when it comes to the NIR and ID cards, the principles advocated by this report, if implemented, would transform the direction of government in Britain. Many of the individual recommendations are things that I and others have been arguing for, for some time.

So what was the government’s first response? Well, the thoroughly useless Home Secretary, Jacqui Smith, according to the BBC has “rejected claims of a surveillance society as “not for one moment” true and called for “common sense” guidelines on CCTV and DNA.” When she has read the report she will realize that such guidelines are right in front of her – indeed, she got ‘common sense’ from the European Court on the DNA database some time ago and her department still does not know what to do with it!

As I said, if even half of this reported is acted on, Britain’s ways of dealing with surveillance will be transformed. I am not paying much attention to the Conservatives – in opposition you can say anything and they will beat the government with the liberty stick one day and the security stick the next. The question is, are New Labour brave enough to admit that their approach to surveillance has been almost entirely wrong?

We will soon find out.