Tuesday, 30 April 2013

And now they’re being serious

Yesterday, the Open Rights Group adopted a more serious approach to address the issues faced by the law enforcement community, by publishing a report on digital surveillance. Written by a number of people who also gave evidence to the Joint Committee on the Communications Data Bill last year, it calls for more targeted, more transparent and more accountable surveillance laws, and offers a number of recommendations for how to achieve this. 

It’s always useful if people who oppose various measures offer alternative suggestions. And this document certainly does indicate that the civil society groups who opposed the Government’s previous proposals are keen to continue the discussions about sensible surveillance laws in the digital age. The calls are for greater transparency, greater accountability, and greater oversight. Just how this can be achieved, while not drawing too much attention to significant capability gaps that might be exploited by criminals before they can be plugged, is an issue that requires careful consideration.

Some investigators may feel uncomfortable that these groups have very different views to their own on what techniques are necessary in today’s society. But these views do need to be considered by the Government – and when they are felt they are inappropriate, explanations should be provided as to why this is considered to be the case. 

 In a thriving democracy, where citizens are governed by consent and policed by consent, it is necessary to have the occasional debate about just what it is that citizens are consenting to. 

This report provides a useful way of continuing the debate. Some of the recommendations are unlikely to be implemented – for reasons which, perhaps when they have been made public, will be accepted by a large number of people.  But it’s always useful to maintain amicable and constructive discussions between all stakeholders on matters as important as these.

The ten recommendations are:
  1. Hold an overarching review, potentially through a Royal Commission, to properly study surveillance in the digital age.
  2. Judicial oversight of requests for intrusive communications data, in particular for all traffic data requests.
  3. Choose ‘data preservation’ rather than blanket data retention. Include quick response and emergency processes, and means to intelligently and accountably identify targets.
  4. Create a unified Surveillance Commissioner capable of carrying out a strong, independent audit with “multi-skilled investigators including human rights and computer experts.”
  5. Reject vague proposals, such as those in the draft Communications Data Bill, for automated, pervasive analytics tools designed to trawl through and across datasets.
  6. Provide stringent penalties for misuse of either powers or data.
  7. Individuals should be notified by default of a decision authorising the request for their communications data.
  8. Invest in law enforcement’s capacity to use and analyse the data already available to them.
  9. Lift the ban on the use of intercept evidence in court.
  10. Use the International Principles on Communications Surveillance and Human Rights developed by Privacy International and other groups as a template for future laws.



Sunday, 28 April 2013

Professor Elemental and the Communications Data Bill

Ridicule is a great way of opposing something you don't like. Which, presumably, is why our chums at the Open Rights Group have released a few funny videos about what they know of the proposals in the Communications Data Bill.

However, even the ORG accepts that something needs to be done - and they will be scrutinising any revised proposals the Government makes to ensure that they don't cross their red lines. The ORG has written to their supporters to explain that they'll be checking any new proposals to ensure:
  1. That the request filter and data trawling engine is dropped
  2. That the data ISPs and CSPs are compelled to collect will be minimal
  3. That there is no easy way for the Government to compel new data sets to be created
ORG's views are  remarkably similar to those of Privacy International. On 25 April PI's technologist, Sam Smith, commented: "We hope the UK's replacement policy will include far better training for police on the masses of data they acquire from suspects already, a more expeditious and rigerous MLAT process, and transparent rules on what is requestable and requested."

This stance still allows the Government to introduce legislation containing the less-controversial proposals in the near future, which I do hope will be welcomed by most stakeholders.

Look for the You Tube videos for "Professor Elemental Builds a Great machine for Catching Villains" (Chapters 1-4)


Friday, 26 April 2013

Keeping the Communications Data Bill alive

Those following the progress of the Communications Data Bill have had a busy week.  It started with media stories of Ben Hammersley, a Number 10 technology advisor warning of “disastrous consequences” should what he thought he knew of the Bill be passed. Then, reports emerged that various civil liberties groups had complained that they had not been properly consulted on any revised proposals, and that a group of 10 leading academics had written to the Prime Minister urging the Government to abandon the Bill and to work with the technical community and the police to devise an another approach which meets the needs of the law enforcement community.

The week continued with stories of various Coalition MPs (including Rt Hon David Davies MP, Nick de Bois MP, Dr Julian Huppert MP and Dominic Raab MP) expressing their opposition to what they knew of the proposals, and it culminated with the Deputy Prime Minister making some broad policy statements in his weekly radio programme on LBC Radio on Thursday, and subsequently more detailed comments in an article in today’s Daily Telegraph

Yesterday afternoon, the Deputy Prime Minister also found the time to write to me (and thousands of others) to explain that he would not be supporting proposals to keep records of every website I visit and details of who I communicate with on social media sites. But, he was careful to point out that: “There is always a careful balance to strike between security and individual liberty and I have always agreed that we must help our law enforcement agencies keep up with the challenge of policing in the internet age – like the technical issue of what to do when the challenge of policing in the internet age – like the technical issue of what to do when there are more mobile devices with not enough IP addresses to go round.”

A close reading of today’s article reveals that while the Deputy Prime Minister has concerns about some aspects of the Government’s proposals, he is not suggesting that nothing should be done. Indeed, there is plenty that could be done that politicians from all parties would probably welcome, as would (most of) the civil society groups, and the public at large. 

So, while there is disagreement on the need to store web logs, for example, there appears to be little significant disagreement on other aspects of the Government’s proposals, such as the need to address the problem of identifying devices that share IP addresses; to review which public authority investigators should be able to access communications data;  and for what purposes; to acknowledge the important role that specially trained “Single Point of Contact” officers play in the data acquisition process; to review the important role that the Interception of Communications Commissioner and the Information Commissioner should play in ensuring that the safeguards against abuse are adequate; and to consider the desirability of new criminal offences for misuse of communications data.

Britain is not the only country to face the need to develop legislation in this sensitive area. But, it is one of the first to be open about the challenges that internet communications present to the law enforcement community. Parliaments in Australia, Canada and America (to name but a few) are following this British debate very closely. What is agreed here could well be introduced over there.

Something needs to be done. And soon. So, I very much hope that the Government shortly places before Parliament a Bill that deals with the (relatively) non-controversial elements of its proposals, while at the same time entering into a more intensive dialogue with representatives from industry and civil society to achieve what the Deputy Prime Minister terms “a wider constellation of support” in respect of the elements that evidently do require more debate.



Thursday, 25 April 2013

Butchering the Regulation

A choice selection of Britain’s data protection elite assembled at Smiths of Smithfield last night, to enjoy the most generous hospitality of their wonderful hosts, our chums at Promontory.

After a hard day’s data protecting, Smithfield really was the place to be. In the private room, the semi-private room and elsewhere within the establishment, earnest discussions on the issues of the day continued into the small hours. In one corner of the restaurant (pictured), and in the absence of hard news about the fate of the General Data Protection Regulation, opinions were shared about likely scenarios. 

One person surmised that, given the Commission’s commitment to do something in the current European Parliamentary term, then some sort of text would emerge. But, given the frantic atmosphere in which last minute discussions and political compromises were likely to be made, the final text would not achieve much. And, when examined in slow time and in detail by the usual experts, provisions in various articles would be seen to be inconsistent with provisions elsewhere in the text.  

Would this matter? Probably not, if regulators decided to adopt a local approach to implementation, to reflect local sensibilities.  Surely, someone argued,  it is better to allow local regulators some latitude, rather than require them to follow the whims of politicians who don’t understand in detail what they are legislating about, and who will be leaving the European Parliament within months of their vote.    
Another pointed out that we should not criticise the regulators. After all, they are only doing their job.  They don’t make the laws. The firepower really needs to be aimed at those who are politically accountable for taking the relevant decisions. Not those who are to be charged with implementing the decisions.

Let’s face it.  Confidence in European institutions is not at its highest, right now. All over Europe, citizens appear to be increasingly disenchanted about what is being offered to them from the centre. Accordingly, any new measures that might cause local citizens to query their necessity might only cause further disenchantment with the grand European project. That’s absolutely not what is needed when citizens are about to vote in European elections for candidates that might cement or sever links between nation states and the European Union.  

Another surmised that, no, the Commission and the European Parliament will come up trumps. Under the guise of the Lithuanian Presidency during the second half of this year, and the Greek Presidency during the first half of 2014, heroic efforts will be made by the Council of Ministers and the College of Commissioners to keep data protection a priority. Other measures, such as the 70 items of legislation that are needed to implement the EU budget for the next seven years, as well as preparation for the Eastern Partnership summit, will wait their turn. Instead, European citizens will be delivered a package of fundamental human rights that will be so compelling that Commissioner Vivane Reding will instantly be proclaimed beatified.   

I was desperate to hear more from this commentator, but just at that point they slipped from their chair to the floor. 

Well, it was a late night.


Wednesday, 24 April 2013

Crime, Privacy & the Communications Data Bill

Privacy is not an absolute. Privacy has its limits. No-one really wants cybercriminals to operate with impunity, or for them to live anonymous lives “because of data protection”.  Likewise, no-one wants to live in a surveillance society if there aren’t sufficient safeguards to guarantee that the vast majority of honest, decent, citizens can live private lives, free from state interference. And a “terrorist” to some is a “legitimate freedom fighter” to others.

Drawing the line is hard. Digital evidence that leads to a criminal either exists, or it does not. Once deleted, it can’t easily be recovered.
I was recently moved by Christopher Wolf’s latest contribution to this issue. In an article discussing curtailing hate speech on-line, he concluded: In the privacy world we populate, the debate usually is how to strike a balance between commerce and privacy, or law enforcement and privacy. In the world of hate speech, the balance between anonymity and its useful role in free expression and the harm anonymous hate speech can cause requires a careful look at circumstances when privacy needs to give way to reducing the increasing instances of online hate.
Words of hate lead to acts of hate. And as important as words are, it is vitally important in this mournful season of explosions and loss to address the hate underlying the tragedies we experience all too often. As a privacy lawyer and a privacy advocate, when it comes to hate speech, privacy may have to take backseat."

In Britain, we are likely to see more public debate around this issue, when the Government introduces a Communications Data Bill for scrutiny by Parliament. Depending on whom you believe, this measure is either an unwarranted intrusion into the private lives of citizens, or it is a proportionate and necessary step in the fight against terrorism and serious crime.

Is there much more that can be said on this issue? 

What is just as interesting as what is being said is who is saying it. A casual observer would easily be able to search the internet for articles which criticise many aspects of what is known of the Government’s proposals, but they would be quite hard pressed to find many articles by people who actually support them. Can it be the case that these proposals have too few friends, or is it the case that the supporters lack the inclination to be as vocal in their views as are the opponents?

Organisations like Big Brother Watch, Privacy International, the Open Rights Group, Liberty and Justice have certainly got their act together, and they have developed compelling arguments and have assembled a wide body of evidence to support their own positions. In a mature democracy, when Governments consider measures that threaten traditional notions of privacy rights, it is necessary to rigorously challenge the Government’s intentions.   So I don’t criticise them for what they have done.

What does strike me as odd, however, is the one-sided nature of the public debate.  Where are the bill’s supporters, and why is it that their voice is hardly heard? Presumably, supporters do exist.

I don’t think it’s mainly the media’s fault that the debate has been so one-sided. I don’t for one second believe that there is a media-inspired conspiracy to smother the supporters. I just don’t see much evidence that the supporters are overly keen on liaising with each other or, more importantly, engaging in the sort of public debate that their opponents are enjoying.

Perhaps, in due course, we might hear from the national charity Victim Support. Do victims of crime have any views on the tools that should be available to public officials to investigate crime?

Perhaps, in due course, we might hear from local Police and Crime Commissioners.  These newly and democratically elected officials might well have some views on the resources that ought to be made available to police investigators. They are, after all, charged with challenging their local police forces to deliver value for money for the taxpayer, ensure that all public services work together to prevent crime, seek swift and sure justice, and reduce offending. As they focus on goals to reduce key crimes, improve public confidence in the police, and reduce costs, perhaps by using innovative technologies, surely they must be developing their own views on what surveillance techniques are appropriate and what are not.

Perhaps, in due course, we will also hear more from the surveillance regulators, as it is they whom the public will expect to guarantee that appropriate safeguards are in place, and that state officials who abuse their position are properly punished. 

There are, bewilderingly, a wide range of regulators and regulatory bodies that currently play a role in safeguarding the public interest in this field. They include the Interception of Communications Commissioner, Information Commissioner, Surveillance Commissioner, Surveillance Camera Commissioner, Biometrics Commissioner, Intelligence Services Commissioner, the Police & Crime Commissioners, and the Investigatory Powers Tribunal. As the public (quite rightly) demand greater accountability from investigators, perhaps those listed above will play a more vocal and public role in providing the public with sufficient assurance - and evidence - that all is well.  

Perhaps we will not hear from many of the supporters, and the forthcoming Parliamentary debate will be characterised by a stream of criticism from those who have already developed a voice and are not afraid of using it.

Or will the Government get so spooked by a lack of vocal public support that it will decide not to proceed with new legislation at this stage? I hope not. Even the opponents probably have so many issues with the existing law that they would welcome an opportunity to change it.