Tuesday, 9 November 2010

Is the Home Office winning the battle for online privacy for us?

Writing in The Telegraph today, Milo Yiannopoulos has wondered whether we are winning the battle for online privacy. He thinks not, and has argued that online privacy norms are being dictated by companies with a vested interest in acquiring and selling our personal data.

His assumptions may be about to be proved wrong. Help may be at hand – from the Home Office itself.

Let me explain.

We all know that the European Commission has been unhappy at the way the British Government has implemented bits of the E-Privacy Directive as it relates to interception, and that some people in Brussels have done a lot of work to try to find out just what bits of the Directive have not been fully incorporated into British law. I understand that one of the areas that has been keeping the Burghers at the Commission awake at night is the frightening prospect that the cracks which have appeared in British law are now so huge as to allow third parties to do a bit (or a lot) of intercepting in a totally unacceptable manner.

Someone has obviously got it in for Phorm and the bods who build and sell all this deep packet inspection kit that internet service providers are apparently so keen on acquiring.

It appears that the Burghers have had a look at our mighty RIPA, the Regulation of Investigatory Powers Act, and they have decided that the hurdles over which the interceptors should jump are not sufficiently high. They’ve taken a good look, in particular, at the provisions in section 3(1) of RIPA, which allow interception to take place if both the sender and the recipient have reasonable grounds for believing that consent has been given. And they don’t like what they’ve seen.

It appears that this reasonable grounds test is too easy to pass, and that it should be replaced with the (higher) test which is contained in Article 5(1) of the E-Privacy Directive and Article 2(h) of the Data Protection Directive.

What am I on about?

I mean that the Burghers want to swap out the reasonable grounds test with the requirement that both sender and recipient of the communications must have consented to the interception. And, in this context, the consent would have to be freely given, specific and informed.

This appears to be a very much higher hurdle - and I’m not immediately sure how it can be achieved, in practice.

I can certainly understand how, say, the sender of a communication can consent in a manner which is freely given, specific and informed, so that all of their outgoing communications can be monitored. This is known as “one way consent” – but that is not sufficient to legitimise this interception activity. For it to be legitimate, apparently the consent has to be “two way”. But, and this is a big but, if the person doing the intercepting has no way of knowing who the sender will be communicating with until they start to communicate, then how on earth are they expected to obtain the freely given, specific and informed consent of the recipient of each of these communications?

Perhaps the Home Office’s cunning plan is to assume that since it’s pretty hard to get the recipient’s freely given, specific and informed consent to an interception on a communication they don’t even know they will receive, then all of this (unlawful) interception nonsense will simply fall away. And that Phorm will fade into oblivion and all this deep packet inspection kit (and maybe the odd cookie or two) will cease to be used for nefarious purposes. And then the internet will become a less surveilled place. And then we will all receive marketing material that is less relevant than would be the case if behavioral advertising techniques were to be permitted.

Or perhaps I have got it wholly wrong, and any changes to the interception legislation which are proposed by the Burghers at the European Commission will only have a limited impact. Why? Well, the people doing most of this stuff won’t be based in the UK anyway, and probably won’t notice any changes to the British interception legislation. So, they could easily continue to place their spyware on our devices, and monitor our communications, after having satisfied themselves that there are reasonable grounds for believing that consent has been given.

Unless, of course, the Home Office has another cunning plan up its sleeve to enforce these new rules.