Wednesday, 30 March 2016

A (light hearted and) handy guide to privacy activists for the under 10s

Privacy activists in the olden days
There weren’t many privacy activists in the olden days. This was because there was no Internet, and very few people had heard of the Data Protection Commissioner. As it was expensive to make a telephone call, and texts had not yet been invented, it was quite hard to spread rumours and exchange information with lots of people you didn’t know. Only print journalists were usually able to do this, which is why the Sunday papers were often packed with stories about prostitutes and vicars. 

Journalists didn't bother about people’s privacy in the olden days.

Nowadays, privacy activists are bored with journalists because, on the whole, they behave themselves.

Nowadays privacy activists are bitter, but balanced, people. They have chips on both shoulders. Social media companies are a big disappointment to privacy activists.

Privacy activists now think that most people are:
a) Simple and easily led
b) Un-enlightened and susceptible to short-term pleasures
c) Terribly sad and struggling, unable to cope on their own
d) All of the above

Education is a life-long task
Privacy activists think that most people are unable to think for themselves and require life-long education to help them make informed decisions.

Privacy activists work tirelessly campaigning to encourage most people to be acutely aware when buying online, rather than in local shops. They are disappointed that most people like to exchange their privacy for “free stuff”.

Most people like to surf the Internet, watch pornography, have sex and book foreign holidays. They do not understand that these activities are dangerous and need continuous education from privacy activists.

Most people need to be protected from the internet, even though they don’t read behavioural targeted adverts. They are easily influenced and their happy-go-lucky ways can be turned into bigoted nasty ways. Privacy activists are needed to help them use Facebook carefully and not make mistakes.

Privacy activists like to be sad and unhappy
Many privacy activists have a very nice life, but they like to be sad. To help with this, they choose to be sad for other people. Sometimes these people are far away and sometimes they are nearby, but different to them.

In the olden days, privacy activists tried to make it better for other people. Nowadays, they like to protect them by being offended when a normal person doesn’t behave as the activist would like them to do.

Privacy activists like to help other people by being offended on their behalf. This means that the other people can carry on with their lives and the privacy activists do all the work. This isn’t really fair, but the privacy activists seem to carry on doing it, so they must enjoy it. Despite all this effort privacy activists are still very sad.

Privacy activists care more than other people
Privacy activists care so much that they hate most social media companies. And Google. Other people don’t really think about social media companies, they only care about themselves and other people that they know. This means that privacy activists have to hate the social media companies even more, even more than they actually hate Google.

Privacy activists show that they care by telling other people about how much they care. They send special “I care” signals to other people. Forwarding videos on Facebook is one way that they can show how much they care. The videos often show people far away who are living miserable lives, but links to poorly written privacy policies are also considered sufficient.

Privacy activists (see below) are very helpful. They make lots of “I object” videos which makes it quick and easy for other activists to send their “objections”. They do this several times throughout each day when they are not busy.

Sometimes privacy activists are made angry by other people
Privacy activists care so much, it makes them hate people who don’t show that they care. These people are normal people. Privacy activists have given them a name. It is “Corporate scum”. Privacy activists like to shout at the people and tell them that they are scum even when they aren’t listening.

Shouting at the staff at the Information Commissioner’s Office is another way to show that they care. Caring is very important to privacy activists.

Privacy activists care so deeply that they don’t have time for thinking and convincing. They use their precious time for shouting about caring.

Also, normal people don’t know what privacy activists are saying, so it is helpful when they point to the people and shout “scum”. They think that normal people do understand shouting and caring.

If you have observed someone and you are not sure if they are a privacy activist, seek their opinion on “the corporates”. If they start to shout and care, they are privacy activists.

Privacy activists are helpful
Privacy activists are people who have an encrypted internet connection. They make the internet very loud.

Privacy activists help other people care on the internet. They are very helpful in pointing out when people have forgotten to show that they care. They help people in many ways – watching videos, commenting on things and clicking on buttons called “start a petition”. Privacy activists sometimes go outside their houses and meet other privacy activists and they care together and shout at the corporate scum.

Privacy activists are funny
Privacy activists have “enlightened comedians” who make jokes on “panel games” and tweet a lot. These are broadcast on the television, BBC Radio 4, and Twitter.

The enlightened comedians make people laugh at normal people, whom they consider stupid. In the olden days, comedians made jokes about Irish people, but these comedians weren’t clever like the enlightened comedians.

Instead of the Irish people, the enlightened comedians make jokes about Facebook. Because they care, they use special words like “Privacy Policies”, “Trans border data flows” and “Privacy Shield”, so the normal people will not notice.

Normal people do funny things like posting selfies on the Internet, eating Haribos and watching television. This is funny and the enlightened comedians are helpful because they point at them and laugh, so we know who to laugh at as well. It is very funny and we all laugh because we are enlightened too.

Further reading
Any tweet by @tim2040 should be enough to put you off your dinner.

I am deeply indebted to Andy Shaw, whose recent article on a handy guide to Left-wing people for the under 10s prompted me to lovingly plagiarize his work. I do hope he won’t be offended.

Thursday, 11 February 2016

Scrutinizing the draft Investigatory Powers Bill

The point about pre-legislative scrutiny is that a parliamentary bill gets a good prod before it begins its usual passage through Parliament. The main issues are identified, and stakeholders can marshal their views in an attempt to influence the decision-makers in good time for changes to be made that ought to result in a statute that is far fitter for purpose.

Three Parliamentary Committees have recently reported on the Draft Investigatory Powers Bill. The measure, complete with a guide to its powers and safeguards, was published as a 296-page document on 4 November. It is not an easy read, even for the surveillance specialists.

Given that a number of stakeholders submitted the same comments to (at least two of) the Committees, it’s not surprising that they all independently reached (broadly) similar conclusions. What is surprising, however, is the tone of the reports. Each gave the Home Office a good kicking. And the Committee comprising the most experienced politicians gave the Home Office the hardest kicking.

First up was the Science and Technology Committee. The committee of 11 MPs had received 50 written submissions, held 2 public hearings during which witnesses gave evidence, and published a 38-page report making 14 recommendations on 30th January.

The STC noted that "Previous attempts to legislate in this area have met with criticisms over the lack of consultation with communications service providers (CSPs) on matters of technical feasibility and cost. … Following the failure of previous attempts to introduce data legislation, the Government has made efforts to consult and engage with communications service providers likely to be most affected by the draft Bill. However, there remain widespread doubts over the definition, not to mention the definability, of a number of the terms used in the draft Bill. This has given rise to uncertainties over the likely scope and costs associated with implementing the proposed measures.

The nature of ICRs and the true extent of the Bill’s ‘removal of electronic protection’ and ‘equipment interference’ powers are precisely the subject of uncertainty and concern from business due to lack of clarity in the Bill and in the consultation so far. It is clear that greater reassurance is needed—both on the face of the Bill and in forthcoming Codes of Practice—that businesses will not be subject to disproportionate additional burdens that will not be fully paid for.

If law enforcement agencies and the intelligence and security services are effectively to combat terrorism and serious crime, they must have the means to keep pace with developments in communications. They will doubtless need to continue to deploy a range of methods for intercepting and acquiring information about communications. The evidence we have received suggests there are still many unanswered questions about how this legislation will work in the fast moving world of technological innovation."

Next to report was the Intelligence & Security Committee, a group of very senior politicians. The committee comprising 2 peers and 7 MPs held no public hearings, but instead heard evidence in private from the Home Secretary, Home Office officials and the heads of the intelligence agencies. A 13-page report, making some 23 recommendations, was published on 9th February.

The ISC pulled few punches. "The Investigatory Powers Bill is the first major piece of legislation governing the Agencies’ powers in over 15 years. While the issues under consideration are undoubtedly complex, we are nevertheless concerned that thus far the Government has missed the opportunity to provide the clarity and assurance which is badly needed. That the confusion surrounding the existing legislation fuelled many of the allegations and suspicions concerning the Agencies’ investigatory powers over the past few years clearly demonstrates the importance of transparency in this area.
Overall, the privacy protections are inconsistent and in our view need strengthening. We recommend that an additional Part be included in the new legislation to provide universal privacy protections, not just those that apply to sensitive professions.
The provisions in relation to three of the key Agency capabilities – Equipment Interference, Bulk Personal Datasets and Communications Data – are too broad and lack sufficient clarity.
We fail to see how Parliament is expected to approve any legislation when a key component, on which much of it rests, has not been agreed, let alone scrutinised by an independent body. 

The approach towards the examination of Communications Data in the draft Bill is inconsistent and largely incomprehensible. The Committee recommends that the same process for authorising the examination of any Communications Data (including Related Communications Data) is applied, irrespective of how the Agencies have acquired the data in the first instance. This must be clearly set out on the face of the Bill: it is not sufficient to rely on internal policies or Codes of Practice.
The issues we have highlighted in this Report must be addressed before any subsequent Bill is laid before the House and we would urge the Government to ensure that it takes sufficient time and care in so doing. While we recognise the timing constraints imposed by the ‘sunset clause’ in the Data Retention and Investigatory Powers Act 2014, it appears that the draft Bill has perhaps suffered from a lack of sufficient time and preparation and it is important that this lesson is learned prior to introduction of the new legislation."

Finally, it was the turn of the Joint Committee on the draft Bill. This committee, comprising 7 peers and 7 MPs, had received 148 written submissions, running to over 1500 pages of evidence, heard from 59 people in 22 public panels during which witnesses gave evidence, and published a mighty 198-page report making 86 recommendations on 11th February. As a specialist adviser to this Committee, I was one of the lucky few who spent their Xmas holidays reading over half a million words of evidence.

Here, the criticism is more measured, although the message is the same:

"Resolving the tension between privacy and effective law enforcement in this area is no easy task. The Home Office has now come forward with a draft Bill which seeks to consolidate in a clear and transparent way the law enabling all intrusive capabilities. The Committee, together with the many witnesses who gave evidence to us, was unanimous on the desirability of having a new Bill.
The major change which would be brought about by the draft Bill is the creation of a new judicial oversight body and the much greater involvement of judges in the authorisation of warrants allowing for intrusive activities. As well as being important in its own terms, making this change will reduce the risk that the UK’s surveillance regime is found not to comply with EU law or the European Convention on Human Rights.
A proposal which has attracted much attention from our witnesses is that of the creation of an obligation on communications service providers to collect and retain users’ internet connection records (ICRs). We heard a good case from law enforcement and others about the desirability of having such a scheme. We are satisfied that the potential value of ICRs could outweigh the intrusiveness involved in collecting and using them. But we also heard strong concerns, in particular from some of the providers themselves, about the lack of clarity over what form the ICRs would take and about the cost and feasibility of creating and storing them. The Home Office has further work to do before Parliament can be confident that the scheme has been adequately thought through.
Other concerns were over the provisions in the Bill for bulk powers to intercept, to acquire communications data and to interfere with equipment. These powers are not new, but have been avowed for the first time in legislation. The public debate over these powers is a healthy one, and the Home Office should ensure that it and the security and intelligence agencies are willing to make their case strongly in the months ahead.
Much of the important detail about the way the new legislation will work is to be contained in a set of Codes of Practice. We call on the Government to ensure that these Codes are published alongside the Bill to inform the further scrutiny which the Bill will receive from the two Houses. In our view, the Bill would also benefit from a post-legislative review by Parliament five years after its enactment. We call for provisions for such a review to be included in the Bill."

The Joint Committee’s recommendations for improving the draft Bill were all designed to ensure that the powers are workable, can be clearly understood by those affected by them and have proper safeguards. Most significantly:
On encryption: "The Home Secretary assured the Committee that its approach to encryption is not designed to compromise security or require the creation of ‘backdoors’. The Committee welcomed this clarification, but was concerned that this needs to be made clear in the drafting of the legislation."
On bulk powers: "The Committee recommends that if bulk powers are to be included in the Bill, a fuller justification for each should also be published alongside the Bill. It recognises that the Intelligence and Security Committee has recently published its report, which the Committee believes will be of significant value to the two Houses when the Bill is introduced and scrutinised."
And, on Internet Connection Records (ICRs): "The Committee can see the desirability of ICRs, but has not been persuaded that enough work has been done to conclusively prove the case for them. The Committee would like to see the Government work harder with industry in order to provide more robust information."

So, where do we go from here?

Pre-legislative scrutiny is, after all, just the end of the beginning.

In parliamentary terms, the Government’s business managers have already decided how much parliamentary time can be made available for Home Office-sponsored legislation before the end of the year – when the sunset clause for the records retention provisions in the Data Retention and Investigatory Powers Act 2014 takes effect.

Should Parliament concentrate on passing a Bill that is narrower in scope this year, say one that just addresses the data retention and oversight provisions? Is there really sufficient time to consider other elements – such as overhauling the bulk data and equipment interference provisions in 2016? A second Bill, containing the remaining provisions, could always be considered in 2017.

The Parliamentary calendar will be constrained this year as much business will cease during the EU referendum campaign, the dates of which have not yet been set. 

Looking at the 2016 Parliamentary holidays for the House of Commons (the House of Lords will set slightly different dates), the February recess is from today (11 February) until 22 February. The Easter recess is set from 24 March to 11 April. The Summer recess will be from late July to early September, the Conference recess will be from mid September to mid October, there will be a week’s break in mid November and then the Christmas recess will commence in mid December. That doesn’t leave a lot of time for legislating.

So, a new bill needs to be ready and tabled within weeks. And, if it is to get through both Houses of Parliament unscathed, it really does need to take full account of each of the 123 recommendations that have been made by the scrutiny Committees.

There will be no rest for the Home Secretary, her officials and the Parliamentary draftsmen for the foreseeable future.


Tuesday, 18 August 2015

In praise of David Smith

As Deputy Commissioner David Smith completes his last lap of the data protection conference circuit, various speakers are extending their hastily-prepared remarks to include a short homily on his contribution to data protection over the decades. Yes, he really has been at the ICO for decades.

It's a convention that public servants are never presented with anything other than small tokens of appreciation from grateful hosts. It’s the ICO’s practice for gifts to be declared in a central register and, to the extent that is practical, for them to be used as prizes at the ICO’s annual Xmas raffle.

At its summer party last night, the Crouch End Chapter of the Institute of Data Protection decided not to present David with a physical token of their appreciation of his work. Instead, a toast was proposed by the Chairwoman of the Dagenham Data Practitioners, who had been invited to the party along with all the other members of the DDP.

To round off the evening, we sang an ode in David’s honour. The words are reproduced below, in case the ICO Chorus fancy sending David off in song, too.

Eternal David, strong to save,
We thank you for advice you gave,
You bidd'st the mighty Google deep
Its own appointed limits keep;
Oh, hear us when we cry to Thee,
For those in peril because of me

O Dave! Whose voice we always heard
And hushed our raging at Thy word,
Your temper never would explode,
Just point us to a data Code;
Oh, hear us when we cry to Thee,
For those in peril because of me

Most gentle Smithie! Who didst brood
Upon the chaos dark and rude,
And bid its angry tumult cease,
And give, for wild confusion, peace;
Oh, hear us when we cry to Thee,
For those in peril because of me

And now you’re off! It is the end
Of kind words from a distant friend;
We hope and pray the next one in
Will forbear us should we start to sin,
Support us when we cry oh ****
Our data’s gone, we’re out of luck