Tag: RIPA

UK U-turn on Interception Consulation

The BBC reports that the UK Home Office has been forced by the European Union to accept input from civil and digital rights groups over the revision of its Regulation of Investigatory Powers Act (RIPA) – I’ve posted lots on RIPA here in the past, so it’s worth doing a search of this site for some of the backstory.

The u-turn was apparently sparked by the EU’s report on the Phorm debacle (see also here) which, amongst other things concluded that the UK was in breach of the Privacy Directive for having no adequate complaints procedure or systems of legal redress for those who believe they have been subject to illicit surveillance. Amongst the little nuggets in this story is the fact that since its creation in 1986, the Interception Commissioner has upheld four complaints. Yes, four. 4.

The consultation has also been extended to the 17th of December, so get writing if you haven’t already made your views known. You can find the consultation document here (pdf).

UK ID Card Program scrapped after election (and more)

As both the Conservative Party and the Liberal Democrats in the UK had the scrapping of the National Identity Card card scheme as part of their manifesto, the unpopular program has been suspended immediately by the new coalition government, pending further announcements.

The full statement reads as follows:

“Both Parties that now form the new Government stated in their manifestos that they will cancel Identity Cards and the National Identity Register. We will announce in due course how this will be achieved. Applications can continue to be made for ID cards but we would advise anyone thinking of applying to wait for further announcements.

Until Parliament agrees otherwise, identity cards remain valid and as such can still be used as an identity document and for travel within Europe. We will update you with further information as soon as we have it.”

But although the cards will almost certainly go, despite the statement it is unclear yet what will be the fate of the National Identity Register (NIR), the new central database at the heart of the scheme. Neither party, and the Tories especially, said anything specific in their manifestos about scrapping the database, so we will see what happens here – although the statement issued seems categorical about this too. Although the end of the card scheme reduces opportunities for the ‘papers, please’ style abuse of minorities, it is the database that is of biggest concern to those interested in surveillance and social sorting. I have long favoured a secure central government Information Clearinghouse, which whilst transferring necessary information as needed and consented to between different parts of government, would not in itself hold any data. I suspect however, that some fudge will emerge!

In the meantime, the price of the coalition also was reported to include new legislation regulating video surveillance (CCTV) cameras (only about 20 years too late, but that’s the speed of British politics for you), and the review of many of the new powers in the (Anti-)Terrorism and Civil Contingencies Acts (and perhaps the Regulation of Investigatory Powers Act too – though it hasn’t yet been mentioned specifically). It is very rare that legislation is repealed or rolled back but we may yet see an increase in civil liberties under the new coalition. The one big worry in this are though is the Conservative opposition to the Human Rights Act – however with their Liberal Democrat partners being committed to the HRA, I can’t see any moves to repeal the act in this Parliament.

I am cautiously optimistic…

Guardian article

The Guardian‘s Comment is Free site published a short version of my critiques of RIPA today… you can read it here.

 

Or the full version prior to editing is here:

A little-known tribunal is meeting this week to consider a case a case of wrongful surveillance. The case brought by Jenny Paton and Tim Joyce against Poole District Council in the Regulation of Investigatory Powers Tribunal concerns the local authority’s targeted surveillance measures against the couple and their children in an investigation of their application for school places. Among other activities, council employees trailed the family and interrogated neighbours.

The case comes in the same week that the government issued its response to a consultation process on the reform of the law which the tribunal oversees: the Regulation of Investigatory Powers Act (RIPA) (2000). RIPA has proved controversial as it seems to give many different public bodies new powers of surveillance, but that isn’t entirely true: as many local council officials admit, much of this was going on before 2000, but RIPA regulates and restricts it – in fact, it restricts it too much to some of the published responses to the consultation process. It is, however, almost impossible to determine whether RIPA has increased or decreased surveillance of this kind as no consistent records were kept prior to RIPA’s introduction. What is certainly the case is that the public is now more aware of the use of surveillance powers by agencies they had never realized were allowed to do such things.

Surveys have found that only 9% of RIPA authorizations resulted in either prosecution of enforcement action. In Australia, earlier this year, when only 28% of the use of targeted surveillance (in that case by police) resulted in prosecutions, their law was denounced as an excuse for ‘fishing expeditions.’ So what does a 9% rate indicate for Britain? Desperation perhaps? Or at least that RIPA was being massively overused for trivial issues. The House of Lords Constitution Committee report, Surveillance: Citizens and the State, certainly thought so, arguing not only that the inadequate administrative procedures should be reviewed but also that the government should think again about the whole business of allowing Local Authorities police powers, and that in any case, these powers “should only be available for the investigation of serious criminal offences which would attract a custodial sentence of at least two years.”

The government has failed to take heed of these recommendations. Ok, so they have agreed to restrict the authorization of covert surveillance under RIPA to ‘Director, Head of Service, Service Manager or equivalent’, and that Local Authorities should designate compliance officers so there will be no more junior officers deciding to play James Bond, as in the Poole case. However, by going to a ‘consultation’ whose respondents were dominated by Local Authorities and other RIPA-enabled agencies, they have managed to avoid doing anything particularly radical. This started from limiting the scope of the review through the questions they asked in the consultation.

For example, by asking which covert investigatory techniques specifically should be removed (and discounting any views that said ‘all of them’) they managed to get a mixed set of answers that failed to produced a clear vote against any one technique. Result: no techniques get removed and in fact some of the existing allowed techniques get extended to yet more agencies, for example the new Child Maintenance and Enforcement Commission (the replacement for the Child Support Agency). In particular, this extension of powers covers telecommunications data, whose keeping by the state has of course increased since RIPA was proposed. Now RIPA will be used to allow new bodies access to this data.

A curious note throughout the response by the government is the insistence on using an idea of non-interference with law-enforcement as a reason for not allowing elected officials any more than strategic scrutiny over the actions their own officials take under RIPA. This matters because RIPA is just one of many ways in which law-enforcement is not spreading as a function to increasing numbers of agencies beyond the police and judiciary. This seems to be general position that New Labour has taken – although it hasn’t always got its way – does anyone remember the dropped proposals to allow any ‘responsible people’ to levy on the spot fines?

And the government response seems to take a bullish delight in attacking those who have criticized the surveillance society. They insist, for example – and despite all the evidence to suggest that such interventions have limited effectiveness – that Local Authorities should make more use of overt, mass surveillance, like CCTV, instead of using RIPA. They are creating a binary choice, which seems to say assume that some kind of surveillance should be used: which do you choose, overt or covert? But, of course, that shouldn’t be the choice at all. They are also trying to have their cake and eat it on CCTV: the response to the consultation dismisses those consultees who brought up the subject of CCTV – which is not covered by RIPA – but feel quite able themselves to recommend its extended use in their own response. This of course also ignores the perfectly legitimate feeling amongst many that it is about CCTV was brought under proper control and a reformed RIPA might well be the place to do it.

Then there are things missing: notably, the concentration on Local Authorities, which for the most part has completely obscured the use of covert surveillance by central government departments and arms-length agencies including the Department for Environment, Food and Rural Affairs (Defra), the NHS and the Environment Agency, all of which have been criticized in the past by the Surveillance Commissioner.  Nothing seems to be proposed to increase the visibility of the RIPA Tribunal which is, just for now, in the news. The Lords described it as all but invisible and weak. Nor do the government propose to do anything to strengthen training or the Code of Practice, and in any case, there has been a huge over reliance on such self-regulation for matters which should have more formal control; this is also how CCTV and the security industry is largely – and incredibly ineffectively – regulated in the UK.

Pretty much anyone could have predicted this limp response from the Home Office to some rather serious problems. They don’t read their own research, they don’t do consultation in a meaningful manner, and then, surprise, surprise, they conclude that there really isn’t very much wrong after all. Jenny Paton and Tim Joyce may well disagree, and let us hope that the RIPA Tribunal do too.

RIPA to be limited

The UK Home Office is finally publishing plans to reform the Regulation of Investigatory Powers Act (RIPA) which defined in law the surveillance powers open to hundreds of government bodies. You can see what I have previously said about the consultation here. The consultation on RIPA actually had 7 major questions. The Home Office has now responded to all the opinions offered during the consultation. In more detail, this is what was said:

1.    Taking into account the reasons for requiring the use of covert investigatory techniques under RIPA set out for each public authority, should any of them nevertheless be removed from the RIPA framework?

Response: basically, none should be removed. Although the Home Office noted that many respondents had objections, they didn’t feel they added up. Indeed this section also seems to include extensions of the powers (or clarifications that act effectively as extensions) for example the ability of the Child Maintenance and Enforcement Commission (the replacement for the Child Support Agency), to have access to telecommunications data to investigate fathers required to pay child support. These extensions may be warranted or not, but they show the tendency for what Gary Marx long ago called ‘surveillance creep’ to occur – the saving of telecommunications data has increased since RIPA was proposed and now RIPA will be used to allow new agencies access to this data.

They also note that they will not be returning any of these investigatory functions to the police. This is interesting because later they use the reason of non-interference in law-enforcement for denying elected councillors detailed oversight. So this confirms a trend to less and less accountable law enforcement.

2. If any public authorities should be removed from the RIPA framework, what, if any, alternative tools should they be given to enable them to do their jobs?

Response: given the previous response, it is not surprising that no real change is proposed here. The Home Office in fact insists that more emphasis should be placed on overt surveillance by local authorities (like CCTV) in order to reduce the need to resort to RIPA’s covert surveillance!

3.    What more should we do to reduce bureaucracy for the police so they can use RIPA more easily to protect the public against criminals?

This wasn’t a question that I ever noticed critics of RIPA asking. Some agencies seem to have objected to the amount of paperwork around RIPA and The Home Office “agrees that it is in no-one’s interests for documentation to be unnecessarily time-consuming” and they, for once, insist on a proper auditable trail that can help protect privacy. They say in any case, applications are already down massively.

There is an interesting note that suggests the increasing use of RIPA for counter-terrorism activities which is left rather open – “the Government is facilitating the work of police collaborative units, such as the regional counter-terrorist units… This means officers seeking to use techniques under RIPA will be able to apply to authorising officers in different forces, where the Chief Officers have made a collaboration agreement that permits this”, in other words that RIPA might be used for massive, blanket undercover surveillance operations. Now that certain wasn’t what the government has recently claimed it was intended for – although of course, as anyone with any kind of memory will recall, it was exactly the justification used for passing it.

4.    Should the rank at which local authorities authorise the use of covert investigatory techniques be raised to senior executive?

Response: The media reports thus far have focused on the plan to limit the authorisation of such practices to council chief executives and directors – a recommendation made by the House of Lords Constitution Committee – what the Home Office actually recommends is to restrict the decision to a rather wider set: ‘Director, Head of Service, Service Manager or equivalent’. So, no junior officers any more, which is good, but not necessarily senior managers only. They also recommend having a compliance officer designated, which is good if they genuinely work on active and ethical compliance rather than thinking of excuses in retrospect.

5. Should elected councillors be given a role in overseeing the way local authorities use covert investigatory techniques?

Response: yes they should, but it should be ‘strategic’ and limited to once a year setting of policy and strategy with quarterly oversight meetings. They argue, as I mentioned earlier, that non-interference in law-enforcement is a good reason for keeping elected officials away from the details… Councillors in the UK have been increasingly hamstrung in the way that they can oversee their supposed bureaucracy, even to the point where they have been fined and suspended for criticising their own officers. Some real control would be welcome (after all, that is what the purpose of local democracy should be).

6. Are the Government’s other proposed changes in the Consolidating Orders appropriate?

Response: the Home Office basically rejected all the respondents’ comments on the proposals.

7.    Do the revised Codes of Practice provide sufficient clarity on when it is necessary and proportionate to use techniques regulated in RIPA?

Response: the codes of practice will be made clearer. No more guidance will be given. The Guardian says that the proposals will ‘ban’ the use of RIPA for ‘minor matters’ but I can’t really see that they do this, and the points of such codes is usually to avoid recourse to the law by encouraging a voluntary self-regulation; it is how CCTV is largely – and incredibly ineffectively – regulated in the UK too.

RIPA Reform

I’ve been looking over the government’s proposals for consultation on the reform on the Regulation of Investigatory Powers Act 2000 (RIPA), officially published on Friday. There’s actually very little that they suggest, apart from some minor and largely voluntary controls on the use of RIPA for trivial purposes by Local Authorities. The Times rang me up and asked me to knock off 500 words (in about an hour!) for a comment on the proposals… which I did… and here it is, unedited*:

Reforming RIPA

Back in the year 2000, opposition was developing to a new piece of legislation, the Regulation of Investigatory Powers Bill. But the controversy over the Bill which became the Regulation of Investigatory Powers Act 2000 (RIPA) was all about provisions to bring electronic communications (e-mail) under the same regulatory regime as telephone and telex, and to demand encryption keys.

What was relatively uncontroversial then were the provision for the regulation of covert surveillance by Local Authorities. Now, councils are accused of abusing the RIPA for trivial purposes, such as dog fouling or littering, or using oppressive or intrusive methods that are not proportional or appropriate to the alleged offences, such as covert monitoring of children to establish where parents involved in an application for school places lived. And much seems to have been inefficient too: a survey of Britain’s 182 Local Authorities found that they have used RIPA surveillance on over 10,000 occasions, yet only 9% resulted in prosecution or enforcement action. But it is not just local government. The Surveillance Commissioner has criticized national ministries like DEFRA and agencies including Ofcom and the Charities Commission over their misuse of RIPA**.

Officials respond that RIPA merely restricts and records what organisations were already doing. Most of the surveillance, they argue, is of the level of two men in a car watching a known fly-tipping site, and that even this requires onerous form-filling – four pages for each request. And even the statistics mislead, because there simply were no statistics on surveillance by these organisations before RIPA.

If RIPA has enabled us to see both the levels and abuse of surveillance powers, it has done us this favour at least. But the Surveillance Commissioner found generalized lax practice, a lack of proper justifications and proportionality, and little training or accountability: RIPA is being used because the powers exist, not because there is any pressing justification to use surveillance in this manner.

RIPA was always expansionary in that it allowed more than was intended. It was also a rag-bag; even the original e-mail surveillance provisions were cut and pasted from another bill. Like so much of the legislation from this government, it was poorly drafted and justified in parliament at the time by reference to issues (like national security) which little relevance to what most of the Act was about. And its appeals body, the Investigatory Powers Tribunal, is practically invisible, as the House of Lords Constitution Committee report on surveillance argued recently.

The Constitution Committee went a lot further than the government in this consultation document, arguing that surveillance powers should be reserved for the investigation of serious criminal offences and that should judicial oversight for all surveillance carried out by public authorities. Instead here, the government merely suggests moving sign-off powers higher up within the organizations. The Lords also suggested that there should have been proper provision for public accountability and post-legislative scrutiny in RIPA. Instead, this review is taking place due largely to government embarrassment over the constant stream of revelations.

Yet the government seems intent on extending surveillance and other powers still further; there has been a proliferation of databases, agencies, laws, and quasi-police. The new Communications Bill will extend surveillance powers over the Internet still further. The consultation document also reminds us in one section that there is still no meaningful regulation of the now ubiquitous CCTV cameras: they are outside of RIPA and, it seems, out of control. RIPA is merely one aspect of a very British tendency to manage things through surveillance before other means – which is a good working definition of a ‘surveillance society’. This has to be controlled, and in a rather more thoughtful and systematic way than these knee-jerk reviews in response to media concern.

*The edited version has now been published by The Times as ‘A very British tendency…’ They have just trimmed the attempt to broaden the argument at the end!

**This is what you get for writing something very quickly – in the editing, I compressed stuff that had originally said that Ofcom and the Charities Commission were using RIPA and that various organisations had been criticised into one sentence that implied that they were the organisations being criticised. Neither have been so criticised by the Surveillance Commissioner and I apologise to both for suggesting that they were.

EU Telecommunications Directive in effect

From today, private lives in the UK will be a little less private, as EU Directive 2006/24/EC becomes part of national law.

Traffic data on e-mail, website visits and Internet telephone calls now have to be recorded and retained by Internet Service Providers (ISPs). Specifically, the Directive mandates the retention of: the source of a communication; the destination of a communication; the date, time and duration of a communication; the type of communication; the type and identity of the communication device; and the location of mobile communication equipment.

This is coming into force despite the fact that many countries and ISPs still object to the directive. It has to be said that many ISPs are objecting on grounds of cost rather than any ethical reason. German courts are yet to determine the constitutionality of the directive and Sweden is not going to implement it at all.

As with many of these kinds of laws, it was rushed through on a wave of emotion after a particular ‘trigger event’ – in this case, the 7/7 bombings in London in 2005. There was a whole lot of devious practice in the Council of Ministers to get it passed too – if the Directive had been considered as a policing and security matter, it would still have needed unanimity, which means that the objections of Germany and Sweden would have vetoed the Directive. Instead, it was reclassified as ‘commercial’ on the grounds that it was about the regulation of corporations, and commerical matters need only a majority vote. How convenient…

The Home Office in Britain says our rights are safe because of RIPA, which is hardly cause for rejoicing. My main concerns, apart from the fact that this is yet another moment in the gradual erosion of private life, are that:

1. police access will rapidly become routine rather than specific, and this could be extended to many other public authorities – the original drafts of the Communications Bill would have extended the right of access to such data to all RIPA-empowered organisations (which includes most public authorities);

2. the data will be used illicitly by ISP employees for criminal purposes (remember that most identity thefts are inside jobs) – the records will be a blackmailers delight;

3. there will more ‘losses’ of this data by ISPs and others who have access to it. Remember the accidental revelation of user data by AOL in the USA?

Massive British Local Government Spying

Details obtained under the Freedom of Information Act have revealed the extent of the use of the Regulation of Investigatory Powers Act (RIPA) 2000 by Britain’s 182 Local Authorities. The Act has apparently been used to authorise surveillance on over 10,000 occasions for monitoring acts that are mostly trivial. Only 9% of these resulted in any kind of prosecution or enforcement action. This, to me, indicates massive abuse of surveillance by local governments, and they must be controlled. Almost everyone thinks this now, and the government is currently conducting a review of RIPA (due the embarrassment caused by the constant stream of revelations).

This doesn’t go far enough. RIPA is simply bad legislation that was justified in parliament by reference to crime and terrorism. It is poorly overseen and its Tribunal for complaints – yes, there is one, not that anyone knows – is practically invisible. It should be repealed and a more carefully thought out law on the use of surveillance by public bodies with proper provision for judicial oversight, public accountability and post-legislative scrutiny should be introduced.

Surveillance in the UK and the USA: commonalities and differences

In one of those fortuitous instances of synchronicity, there are two stories today that illustrate some of both the commonalities and the differences between state surveillance practices and regulation in the UK and the USA.

In the UK, The Guardian has revealed that the Surveillance Commissioner (a separate office to the Information Commissioner) has been very critical behind the scenes, as the Lords Committee was in public, of the uses to which the Regulation of Investigatory Powers Act (2000) (RIPA) has been put, not this time by local government, but by national ministries like the Department for Environment, Food and Rural Affairs (DEFRA) and agencies, including Ofcom (the broaadcast and communications regulator) and the Charities Commission. DEFRA came in for a particular telling-off over its spying on fishermen. The chief commissioner, Sir Christopher Rose found generalised lax practice, a lack of proper justification for and proportionality in the used of RIPA, and little training or accountability. In short, RIPA is being used because the powers exist not because there is any pressing justification to use surveillance in this manner – the used of surveillance has expanded because it is available.

It is very interesting that The Guardian had to discover all this through Freedom of Information Act (FOIA) requests, and that the Surveillance Commissioner had not put all of this in the public domain as a matter of course. It highlights for me, once again, the clear difference in attitude and regulatory practice between him and the open, accountable, and active Information Commissioner’s Office (ICO). It confirms my view that we would be much better off if the Surveillance Commissioner’s work was absorbed into the ICO.

In the USA, it is to lawyers that people immediately turn if some bad practice is suspected on behalf of the government. The Los Angeles Times reports that on Friday, the US government lost the case it had been bringing to try to stop an Islamic charity based in Oregon from suing them over what they claim were illegal wiretapping operations targeted at them. The case stems from the Bush administration’s attempts to bypass what were already very weak regulations governing the surveillance of American citizens which were introduced in the Foreign Intelligence Surveillance Act (1978) (FISA) and recently amended in the Protect America Act (2007). Requests are supposed to go to the Foreign Intelligence Surveillance Court (FISC) which meets in secret and does not have to publish its rulings and so far as we know, has never turned down a request – so it is somewhat mystifying except as a matter of speed and convenience that the Bush administration did bypass the court.

Now the Obama administration is (shamefully) defending the actions of his predecessor. This is not entirely surprising. Intelligence is one area of continuity between governments: it is what Peter Gill called the ‘secret state’, a core that remains constant regardless of changes of administration. Nixon and Bush were both stupid enough to get caught, but the NSA, CIA and FBI are continually looking for different ways to get around domestic regulations on surveillance. Political devices like the UKUSA agreement served this purpose for many years – whereby Canadian and British intelligence services would collect SIGINT on Americans and supply it to the NSA and vice-versa. But GCHQ and others just don’t have the capabilities to carry out the amount of monitoring that now goes on. It’s been the reality for many years now that the NSA in particular does spy on Americans. Again, they have the capabilities so those capabilities are used.

Of course, unlike in the UK, we are talking about the threat of terrorism not anglers catching one-too-many fish; that really does say something about the petty bureaucracy that characterises the UK! However RIPA was also justified originally with reference to terrorism and serious and organised crime. Anyway, the ruling in the Oregon case clearly states that state secrets privilege was not enough to justify warrantless surveillance of suspects, whatever they had allegedly done. It seems that at least is one point of hope that the USA and the UK have in common. Let’s see where these situations now lead in each country…

Britain is a surveillance society and it must change: detailed anaysis of the Lords Constitution Committee report

This is probably the best parliamentary report on surveillance I have ever read, and if only half of the recommendations are given any attention by the government, then Britain will be a much better place.

It’s 3.00am here in Brazil, and I have just spent the last four hours reading, analyzing and writing about the House of Lords Constitution Committee Report Surveillance: Citizens and the State. My expectations of the work of the committee have generally not been disappointed. This is probably the best parliamentary report on surveillance I have ever read, and if only half of the recommendations are given any attention by the government, then Britain will be a much better place. However it is not only relevant to Britain. The UK seems to have come to be regarded as some kind of model for other democracies to follow in terms of surveillance and security – at least by governments. Reading this report should serve to disabuse others of any notion that Britain is a good example.

Here’s the detailed analysis. It is long and there are no pictures! But this is serious stuff. I have gone through the whole report and thought about all the recommendations. It is worth remembering first of all what the Committee was asked to do. Here are the questions they started out with:

  • Have increased surveillance and data collection by the state fundamentally altered the way it relates to its citizens?
  • What forms of surveillance and data collection might be considered constitutionally proper or improper? Is there a line that should not be crossed? How could it be identified?
  • What effect do public and private sector surveillance and data collection have on a citizen’s liberty and privacy?
  • How have surveillance and data collection altered the nature of citizenship in the 21st century, especially in terms of citizens’ relationship with the state?
  • Is the Data Protection Act 1998 sufficient to protect citizens? Is there a need for additional constitutional protection for citizens in relation to surveillance and the collection of data?

The answers to the first and last questions are, in short ‘yes’ and ‘no’ respectively. Their basic conclusion is that increasing surveillance by the state is the greatest change to the nature of the relationship between state and individual in Britain since the end of the second world war. In opposition to the House of Commons Home Affairs Committee report from last year, and largely in support of our Report on the Surveillance Society form 2006 and that of the Royal Academy of Engineers from 2007, they show that Britain is a surveillance society, and that this must change. They do not go so far as to recommend an Information Act to bring all legislation in this area together, as I have been arguing, but they do advocate significant new legal / constitutional measures to rebalance the state-individual relationship in favour of the individual.

There are 8 chapters of consideration of all of the evidence given, which is treated in a very careful and even-handed way. The Home Office, the police and the Surveillance Commissioners for example, all come in for a telling-off at various points, but at the same time, some of the current government’s initiatives on openness are quite rightly praised (although of course they don’t go far enough in tackling the culture of secrecy that has plagued British government for far too long).

Who comes out of it well? First of all, the Information Commissioner, Richard Thomas and his office (the ICO). This is entirely right. None of this debate would have happened without him and he continues to push the agenda forward in an activist manner that many campaigners should look to as an example. Secondly, the media. The Lords seem to be very aware of the role of investigative journalists in holding the government to account. People are too willing these days to make blanket generalisations about the media as if they were all superficial and obsessed with celebrity. In the case of surveillance, the BBC and The Guardian in particular have done a great job. Thirdly academics and campaigners alike come across as far more informed and sensible about this than the state, which leads the Lords to recommend that the government pay us far more attention. On a personal note, it is a bit disconcerting to see myself, Surveillance Studies Network and other people and organizations with whom I work mentioned (approvingly) quite so much in such an important document…

The Committee place the two values of privacy and freedom as the foundations of its recommendations. The Lords argue that privacy and the restraint of state powers are at the heart of liberty, and that they should be taken into account at all times. There is, I am very pleased to see no mention of ‘trade-offs’ between freedom and security and it seems that they accepted my argument (they do quote me on this) that when claims to protect fundamental freedoms by increasing security are actually eroding those freedoms, the tacit agreement that binds people and state is broken. They stress that all organisations involved in surveillance and date handling need to give far more attention to privacy at all stage, indeed that it should be built in.

There are many individual recommendations.The first concern the Information Commissioner. Basically, the Lords argue that he should be given more extensive powers and more resources, specifically:

  • to have a role in assessing the effect on any new surveillance measure on public trust;
  • to be able to monitor the human rights (Article 8, ECHR) effects of government and private surveillance practices on the public;
  • to be consulted by the government at the earliest stages of policy development – they specifically attack the government for not doing thus far; to extend the ICO’s power of inspection to private companies (again something I am quoted on) – they don’t note that the power of inspection over government departments was only granted in a rush by Gordon Brown following the revelations of disastrous losses of data by various state bodies;
  • to speed up the implementation of the ICO’s new power to fine bodies that break the rule on data protection and freedom of information;
  • to be a statutory consultee on all surveillance and data processing laws and for the ICO to report to Parliament on this;
  • for the government and the ICO to undertake a review of the law governing citizens’ consent to use of their personal data – there is quite a lot of interesting discussion in the body of the report on how consent might operate, and I am very pleased that they haven’t, unlike the government, given up on the importance of consent;
  • for the government to work with the ICO on raising public awareness as it should already be doing but has failed to do;
  • and finally, and this is really important – for the Data Protection Act to be amended to mandate a Privacy Impact Assessments (PIA) “prior to the adoption of any new surveillance, data collection or processing scheme, including new arrangements for data sharing” with a role for the ICO in overseeing these. The government will probably try to ignore this, but this is the most crucial recommendation for future policy.

On the various other commissions – of which there are too many in my opinion – they merely recommend that the Surveillance and Communications Commissioner work together better and seek the advice of the ICO, especially with regard to the misuse of powers under the Regulations of Investigatory Powers Act (RIPA), and that the Investigatory Powers Tribunal stops hiding from the public. These are weak recommendations. Later they are rather more robust about the problems of having too many ineffectual regulators of RIPA, but despite a brief mention, any recommendations regarding the regulation of the Intelligence Services get quietly dropped along the way (not surprisingly). I would have thought that recommending at the very least that the offices of the Surveillance and Communications Commissioners are brought under the control of the ICO, if not completely absorbed into the ICO, would have been a much better long-term move.

They also have a number of other recommendations on the egregious RIPA, firstly that the (inadequate) administrative procedures are reviewed and secondly that the government should think again about the whole business of allowing Local Authorities police powers, and that in any case, these powers” should only be available for the investigation of serious criminal offences which would attract a custodial sentence of at least two years.” In my opinion, this effectively amounts to saying ‘repeal RIPA’ without saying so directly. The use of intense targeted surveillance powers to deal with minor infractions is what a lot of RIPA is all about whether that was the intention or not. It is an ill-thought out and badly worded law, like so many in this area.

The Lords recognize this deficiency in detail and specificity and argue as a general point, following the Human Rights Committee, that “the Government’s powers should be set out in primary legislation.” Crucially they also note that the government has not seemed very concerned with what happens after legislation is passed or how it works. They recommend the formation of a new Joint Committee in parliament on surveillance and data powers that would have post-legislative scrutiny as one of its key functions.

There are several measures concerning particular technologies. Their coverage of technologies of surveillance and data-collections is not too bad. I gave a seminar to the Committee on the range of surveillance technologies before they started their hearings, and I was beginning to despair at the levels of knowledge – “can they really do that?” was a common cry – and yet here they consider everything from CCTV to ubiquitous computing / ambient intelligence. There are still major deficiencies however. Although they take my point that government needs to get ahead of the technological game in order to regulate effectively, they still have not. They don’t recommend anything specific about the use of scanners in public places, location tracking, about the increasing dependence on RFID, or about the new flexibility, mobility, decrease in size and bodily intrusiveness of surveillance technologies and what this means for regulation. Mind you that is all in our report to the ICO that inspired all this (see Paragraph 4!)

They recommend that:

  • the Government comply fully with the recent ruling from the European Court of Human Rights that DNA profiles of innocent people are no longer kept indefinitely on the National DNA Database (NDNAD) – they also rule out a complete national database on both liberty and cost grounds, and argue that there should be a single, clear law governing the NDNAD and better transparency all-round.
  • On CCTV, they recommend more research on “the effectiveness of CCTV in preventing, detecting and investigating crime”, and more importantly that the government finally put CCTV on a proper statutory basis, with clear regulations, and systems of complaint and redress.
  • The report is at its weakest on the proposed new National Identity Register (NIR) and ID card. No2ID will not be happy, as all that they say is that “the Government’s development of identification systems should give priority to citizen-oriented considerations.” This is practically meaningless.Considering that this is the Constitution Committee report, and that the NIR and ID card are at the heart of how the government sees the information relationship between state and individual, this is also an unacceptable and compromised omission. No doubt it is evidence of a key area of disagreement amongst members, but the Chair should have banged some heads together on this one!
  • Although it is treated as a legislative measure, the Lords recommend mandatory encryption of personal data “in some circumstances.” This should have been stronger – bear in mind that most of the data lost by the state over the last few years was not encrypted
  • They also recommend that the government incorporate ‘design solutions’ in particular Privacy-Enhancing Technologies (PETs) in all new schemes. This is good as a minimum – we have to make sure that the government doesn’t use PETs as a way of claiming to have dealt with the problem – ooh, look: technology!

In other general measures for the whole of government, the Lords return to their central themes, specifically:

  • that Government should instruct government agencies and private organisations involved in surveillance and data use on compliance with Article 8 ECHR and in particular the legal meanings of necessity and proportionality. They also recommend legal aid should be available for challenges under Article 8.
  • a system of judicial oversight for surveillance carried out by public authorities, with compensation “to those subject to unlawful surveillance by the police, intelligence services, or other public bodies” acting under RIPA. This would be a severe blow the ad-hoc and effectively extra-legal expansion of surveillance powers under the present government. It would be great if it happens, but I am not going to hold my breath until it does…
  • increasing the stature and power of the data protection minister
  • lots of general blah about improving safeguards and restrictions on data handling and implementing standards and training, and education, to improve public confidence. But the thing is, public confidence isn’t really the main issue. Public confidence is low because the government and its private sector contractors have been time and again demonstrated to be incompetent.
  • there are also several paragraphs of recommendations which basically amount to saying ‘listen to the public’ and particularly, pay attention to pressure groups and research in this area because they know what they are talking about. They are right, you know – we do! They also want more research to get better information on public opinion in this area. We can do that too!

Despite this slight degeneration into well-meaning generality at the end, and despite the glaring hole when it comes to the NIR and ID cards, the principles advocated by this report, if implemented, would transform the direction of government in Britain. Many of the individual recommendations are things that I and others have been arguing for, for some time.

So what was the government’s first response? Well, the thoroughly useless Home Secretary, Jacqui Smith, according to the BBC has “rejected claims of a surveillance society as “not for one moment” true and called for “common sense” guidelines on CCTV and DNA.” When she has read the report she will realize that such guidelines are right in front of her – indeed, she got ‘common sense’ from the European Court on the DNA database some time ago and her department still does not know what to do with it!

As I said, if even half of this reported is acted on, Britain’s ways of dealing with surveillance will be transformed. I am not paying much attention to the Conservatives – in opposition you can say anything and they will beat the government with the liberty stick one day and the security stick the next. The question is, are New Labour brave enough to admit that their approach to surveillance has been almost entirely wrong?

We will soon find out.

Keep quiet or get labelled a terrorist…

BoingBoing brings this piece from the Daily Kos to my attention. It’s a disturbing story of what has happened on a number of occasions to people who annoy flight attendants and end up being labeled as terrorists. These ridiculous rulings have been severely debilitating – in the most extreme case, one woman lost access to her children, and in a Kafkaesque twist was unable to argue the case because she could not reach the custody hearing (in Hawai’i) because she was banned from flying!

These rulings have all occurred through extreme interpretations of the provisions of the US PATRIOT Act. However both this tendency for laws to extend their reach is not unique to the USA, indeed Britain may be far more culpable in this regard but in its mundane, bureaucratic way. Examples include the way that the Harassment Act, designed to protect people from stalkers, has become a tool of corporations against protestors, and the Regulation of Investigatory Powers Act (RIPA), which has enabled local authorities to employ intensive surveillance of individuals for such heinous acts as recycling wrongly.

The other issue here is once again, one of responsibilization, the enabling of ordinary people in minor positions of responsibility, or none, to use powers that would previously have been reserved to law enforcement officials or the court system. In the USA, it is flight attendants, whose role has increased markedly as post-9/11 provisions have ratcheted up expectations of passenger behaviour, but in Britain, the New Labour administration has enabled hundreds of bureaucrats to issue fines without any court process through the Regulatory Enforcement and Sanction Act, passed last year.

Basically, there are more and more people who, on a whim and with little or no evidence, can make life extremely difficult if you don’t conform to increasingly tight behavioural norms based on pre-established categories – ‘acting like a terrorist‘ being just one. Some of these norms we may even agree with – no-one likes rudeness – but what is happening is a process of desocialization and the replacement of what used to be matters of civility by narrow protocols.