Saturday 30 January 2010

Who hinders hoax 999 callers?

A friend of mine got in touch earlier today to ask if something had gone wrong with the phone system used by the emergency services. Apparently, he and some of his mates were down the pub last night. One of his mates had brought along an unregistered pre-pay phone, and was boasting that he could use it to make hoax calls to the emergency services, night and day, and the emergency services were incapable of stopping him. I was asked if this really was the case.

I had a quick squint on the internet to find out.

I found a press release on the Ofcom website which spreads some light on the matter. Ofcom is the communications regulator. It regulates TV and radio, fixed line telecoms and mobiles, plus the airwaves over which wireless devices operate.

On 15 October 2009, Ofcom announced that mobile phone users were now “able to call the emergency service numbers (999 and 112) from another network if their own network is unavailable and an alternative provider has coverage. The phone will automatically switch over to whichever network operator has the best signal in that area. This will provide added reassurance to consumers should they need to call 999 or 112 and will be of particular benefit to those in rural areas across the UK. The successful launch of emergency mobile roaming is the result of a joint effort between Ofcom, the mobile network operators, emergency authorities and the fixed operators who act as call handling agents.”

In the accompanying notes to editors, Ofcom explained that “consumers should be aware that emergency mobile roaming in its current form has limitations; location information is less accurate and it is not possible for the emergency services to make a return call. Callers should therefore be aware that calling the emergency services from a fixed line phone or a mobile phone from the network it is registered with remains preferable if this option is available. Consumers should also ensure that the mobile handset from which they wish to make an emergency call contains a SIM card.”

The notes to the editors didn’t point out what would happen to pranksters who thought it fun to make hoax calls to the emergency services. Before 15 October 2009, the mobile phone networks were able to act very effectively, by disconnecting the SIM cards from the network, under a “three strikes and you’re out” rule. If someone made three hoax calls to the emergency services, they were quickly disconnected by their service provider, preventing them from making any more calls to anyone, ever.

So, it seems that after 15 October 2009, if someone made three hoax calls to the emergency services, they were quickly disconnected by their service provider, which prevented their SIM card from being used to make or receive calls from their friends. But, if an alternative network provider had coverage in their area, they would be able to continue to make calls to ... you’ve guessed it ... the emergency services.

Perhaps it's time for the emergency services to create their own filtering system to block calls from known pranksters. They obviously know what SIM cards the pranksters are using, as its them who make the disconnection request to the home network service provider in the first place.

I told my friend: "Don't make hoax 999 calls - you never know when the emergency services might discover who you are."

Friday 29 January 2010

Did you notice anyone commemorating International Data Protection Day yesterday?

I didn't, either.

Perhaps the 2011 commemorations will have a higher public profile.

Thursday 28 January 2010

Tackling serious crime - does it matter if the Human Rights Convention has stuffed the State?

In my last blog I questioned whether the state was capable of giving police sufficient powers to protect us from people like “Fred in the shed”, whose “human rights”, as granted to him by the European Convention on Human Rights, can appear to give him the edge over those he might wish to harm when he went on-line. I explained that I would use this blog to have a quick look at some of the Convention rights and freedoms and see if I can draw any conclusions as to how they might be applied to material accessed on the internet.

Article 6 provides that “It is unlawful for a public authority to act in a way which is incompatible with a Convention right.” This suggests that the police have to tread very carefully when doing anything that could be construed as observing, or interfering, with Fred. He remains innocent until there is any evidence to establish otherwise. The police therefore have to follow recognised standards of behaviour, and remain publically accountable for their actions.

Article 2(1) provides that “Everyone’s right to life shall be protected by law.” This suggests that the police ought to be able to do things to prevent Fred from committing crimes that threaten other people’s lives, but not necessarily to use those same powers to detect his involvement in absolutely all other types of crimes.

Article 5(1) provides that “Everyone has the right to liberty and security of person.” This suggests that the police have to treat Fred with the same degree of civility and respect as everyone else enjoys.

Article 8 (1) provides that “Everyone has the right to respect for his private and family life, his home and his correspondence.” And, in 8(2), “There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.” This is the really hard one, as it’s not clear what Fred’s “correspondence” really means in an internet world. Is this just the content of his emails, or does it extend to, say, detailed records of his surfing habits on the internet too? Back in 1993, Parliament only appeared to allow service providers to keep some of Fred’s web browsing history for 4 days. In it’s Retention of Communications Data (Code of Practice) Order 2003 (SI 2003 No 3175), only certain types of web activity logs were specified as being able to be retained. They were: “Proxy server logs (date/time, IP address used, URL’s visited, services)” and the restrictions were quite clear: “The data types here will be restricted solely to Communications Data and exclude content of communication. This will mean that storage under this code can only take place to the level of……" and for just 4 days.

Obviously, this place somewhat of a restriction on that the state would like to do, so the Data Retention (EC Directive) Regulations 2009 (SI 2009 No 859) came into force on 6 April 2009, which appear to allow the state to require certain providers to retain more types of web activity logs, and for longer. What the state had to do was to write to the relevant providers to tell them what it wanted them to do. But it’s not clear whether these Regulations will actually provide the police with what they are after. The wording of the SI refers to “ Data necessary to trace and identify the source, the destination, the date, time and duration, [and] the type of a “communication”, together with “Data necessary to identify users’ communication equipment (or what purports to be their equipment).” So what if Fred is just surfing the internet, and not actually making a “communication” ? Is the state able to force internet service providers to retain such logs? Dunno. Perhaps an opportunity has been missed. But although the state can’t insist, it might be possible for a company (such as an internet service provider) to explain to Fred that it had decided to retain all internet records for its own marketing and customer care purposes for a set period, and then allow him to go to another internet service provider if this condition were unacceptable.

(And, if the service provider had found a way of retaining this information, the state might well consider allowing the police to use their RIPA powers to acquire it, when deemed proportionate and necessary.)

Article 10(1) provides that “Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.” And, in 10(2), “ The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such … restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, for the protection of health or morals, for the protection of the reputation or rights of others, for preventing the disclosure of information received in confidence…” This appears to mean that there should be few restrictions on just what Fred is allowed to access on the internet. Of course any links to unlawful sites must be blocked, but the state needs to exercise very great care when trying to prohibit access to – or censor - other types of material on the internet, such as those the state might find distasteful. But although the state can’t insist, it might be possible for a company (such as an internet service provider) to explain to Fred that it had decided to block access to particular types of material, and allow him to go to another internet service provider if this condition were unacceptable.

Article 17 provides that “Nothing in this Convention may be interpreted as implying for any State, group or person any right to engage in any activity or perform any act aimed at the destruction of any of the rights and freedoms set forth herein or at their limitation to a greater extent than is provided for in the Convention”. So, Fred appears to be protected from inteference with (or forcing internet providers to record) his internet browsing habits, for example, as the Convention does not appear to give the state the specific right to exercise such powers in the first place. But as I have suggested in my comments on Article 8, although the state can’t insist, it might be possible for a company (such as an internet service provider) to explain to Fred that it had decided to retain all internet records for its own marketing and customer care purposes for a set period, and allow him to go to another internet service provider if this condition were unacceptable. (And thus it may be made available to the police, when proportionate and necessary.)

Finally, Article 1 of Part II of something known as the First Protocol to the Convention is relevant, as it refers to the protection of property: “Every natural or legal person is entitled to the peaceful enjoyment of his possessions. No one shall be deprived of his possessions except in the public interest and subject to the conditions provided for by law and by the general principles of international law”. This is of particular help to service providers, as it forms the basis on which they can argue that costs incurred in retaining communications records, beyond the period they need for their own business purposes, should be met by the state. The Data Protection Act requires personal information to be deleted as soon as the data controller no longer has a legitimate use for it – so this is the sugar that sweetens the medicine that has to be swallowed when providers are required to do things which ordinarily they would not.

I appear to be concluding that the state can’t properly protect the public from Fred in the shed, because the European Convention on Human Rights gets in the way. But companies, such as internet service providers, might be able to circumvent some of those restrictions if they really wanted to. Data protection legislation can allow personal information be used for a wide range of purposes, provided the data controller's privacy policy fairly sets out just how the information that will be provided or generated by people will be used.

Can data protection legislation really provide the band aid to patch over these gaps in human rights legislation? That’s a huge question, and one that needs to be considered in another blog.

Balancing the rights of the police and the policed

When I'm asked to get involved with public policy debates about how long communication service providers should be required to retain information for which they no longer have any use for themselves, I often feel as though I’m being forced to choose between two competing interests. And when I look to the law for assistance, I find it’s a bit vague. Perhaps this is how the Attorney General felt when he was forced to provide a definite yes/no answer on the legality of starting a recent war.

I find it easier to know where to start looking for the rights of the policed, as the Human Rights Act helpfully sets out those rights. And it gives “human rights” to things that aren’t even human too – when the legislation refers to “natural or legal” persons, businesses prick their ears up (well, they would if they had ears), and occasionally assert their rights. And then, for individuals, the Data Protection Act kicks in and expands on some of these basic fundamental rights.

The trouble is, I find it really hard to know even where to start looking for the rights of the police. Is it the case that they have all the rights that have not been specifically granted to anyone else? If we had a written Constitution, it might be easier to know where to look. But as we haven’t, its not easy to find documents that properly set out the balance between the competing interests.

Why does this matter?

It matters when some people take advantage of their “human rights” to abuse the rights of others. I want to live in a fair, just and tolerant society. I don’t want my rights to be abused (or me to be harmed) by someone who unfairly hides behind a cloak of anonymity. That’s not cricket. All should be fair in love and war. And crime.

And I sometimes wonder whether the people who, over 50 years ago, drafted the principles that form the basis of our human rights legislation really would have settled on the same text if they were asked to create a set of principles that were fit for purpose for today. I think that they would accept that there was a need to revise some of them.

And I think this because the conditions, and threats, that existed 50 years ago have changed. Back in those days, European nations were extricating themselves from the disastrous consequences of war and the dangers appeared to come from oppressive regimes. Accordingly, the European Convention on Human Rights seems to be more concerned with setting out the rights of individuals, to empower them against the weight of a threatening central regime. But does that legislation adequately address the threats that people can face today – where threats can equally come from large companies, or from other people? And, more explicitly, does it give the state sufficient power to protect people from “Fred in the shed”. Or can “Fred” exploit a legal vacuum that appears to exist that makes it very hard for the State to keep enough information about him to prevent him from causing harm to anyone else?

Terrorism these days appears to be just as likely to be delivered by people like “Fred” than from oppressive regimes. And, thanks to the internet, people like Fred can equip themselves with the information necessary to cause outrage to many. So how should the internet be policed, so that people can be protected from Fred? Especially when many people appear to want security without lifting a finger themselves.

The internet isn’t mentioned anywhere within the European Convention on Human Rights – it didn’t exist when the Convention was drafted. This causes me problems when I try to work out what rights the police should have and what anonymity the policed ought to be able to expect as they use the internet.

If the Convention were to be redrafted today by, say, a set of German campaigners, I guess that they would be keen to reflect the recent data protection scandals in that country. They include incidents involving the illegal trade of address lists and bank account information. And some of the largest German companies in key industries, including transportation, finance, automotive, retail, and health care, have been accused of misbehaviour, say by monitoring the personal data and activities of their employees. Media coverage of these developments sparked widespread public interest among politicians, trade unions, and consumers on the mishandling of personal data, so in July 2009 various changes were made to the Bundesdatenschutzgesetz, Germany's Federal Data Protection Act. In essence, they tighten the controls and, in some cases, require information to be deleted so that it is no longer capable of being abused. But when that information is deleted, it also can’t be used for policing purposes.

If the Convention were to be redrafted today by, say, a set of British campaigners, I wonder what line would be taken. As far as Ian Walden, Professor of Information and Communications Law at Queen Mary College, is concerned, according to the Daily Telegraph (23 Jan 2010), the authorities have taken “advantage of the terrorist bombing in London” to erode civil liberties. He was responding to media reports that the police and security services were set to monitor every phone call, text message, email and website visit made by private citizens. The details would be stored for a year and will be available for monitoring by government bodies. Apparently, all telecoms companies and internet service providers will be required by law to keep a record of every customer’s personal communications, showing who they have contacted, when and where, as well as the websites they have visited.

Ian was quoted as saying that “The police clearly took advantage of the terrorist bombing in London to get an agenda, which has been around for years, pushed to the forefront”

“They would never have got Government support for data retention, which became a European issue, without the Madrid and London bombings.” The 2004 Madrid bombers [apparently] used one shared web based email account to make plans, rather than exchanging messages that could be intercepted. Their actions killed 191 people and wounded over 1,000.

“Concerns from civil liberty groups are we will lose the liberties that we thought we had without necessarily notifying us. Why does the data on all of us have to be retained in order to find out about those that are bad?”

Ian highlighted the danger of laws created to catch dangerous criminals later being manipulated to spy on millions on households, and reflected on the fact that local councils had been criticised for using anti-terrorism (RIPA) laws to snoop on residents suspected of littering and dog fouling offences.

“My concern is that its easy policy-making… if you say it’s against terrorism and it’s against child pornography then nobody is going to say no.”

Ian’s comments echo those made by Dame Stella Rimington, the former head of MI5, who last year accused ministers of interfering with people’s privacy and playing straight into the hands of terrorists, by creating a “police state”. Similar comments were made last year by Tory immigration spokesman Damian Green. He gained notoriety in November 2008 by being arrested, held for nine hours, and his homes and House of Commons office searched by police under anti-terrorism legislation, probing alleged Home Office leaks.

I’m not sure that I entirely share those comments. But it’s hard to know just where to draw the line.

In my next blog I’ll have a quick look at some of the Convention rights and freedoms and see if I can draw any conclusions as to how they might need to be tweaked to take account of the internet age we live in today.

Tuesday 26 January 2010

RIPA – A tale of an unnecessary squabble between Government Departments

Travelling to work today, I reflected on the lengths to which the Prime Minister had sought to impose his authority on a recent dispute between two political parties in Northern Ireland. He cleared his diary and tried to settle matters by personally intervening in the affair.

It’s a shame he can’t be bothered to find the time to intervene in a dispute that is currently brewing between two of his cabinet colleagues over the extent to which all public authorities should be regulated when they access communications data.

What do I mean?

Well, in a little-noticed Parliamentary move, those awfully clever bods at the Home Office have tabled a draft Statutory Instrument which, because no-one takes much notice of such things, will come into force on 6th April. For those who want to look it up, it’s called the Regulation of Investigatory Powers (Communications Data) Order 2010.

The purpose of this SI is to consolidate a crop of SIs which currently exist, which set out various public authorities can demand post or communications information from providers, in accordance with the provisions of the mighty Regulation of Investigatory Powers Act (RIPA). The expectation is that if the authority follows the procedure in the SI, then they should also be complying with the provisions of the Human Rights Act.

When the Home Office first mooted this proposal, back in March 2009, operators liked the idea as a way of setting out, in one document, just who could do what. There are lots of public authorities that access communications data, but that is because they all have their own investigatory functions. It’s not just the police who root out the bad boys. Loan sharks, fly tippers, dodgy dealers are generally investigated by people working for local authorities. The explanatory notes to the SI very helpfully list some 42 different types of public authorities, and it provides examples of just why they need communications data to carry out their work. It's very compelling evidence.

These investigators hail from a wide range of Agencies and Government Departments, including investigators from the Department of Agriculture & Rural Development, the Department for Business, Innovation & Skills, the Department of Enterprise, Trade & Investment, the Department for Environment, Food and Rural Affairs, Department of Health, the Department for Transport, the Home Office, the Ministry of Defence, and the Ministry of Justice.

But – and this is a big but – investigators from one Government Department have refused to play ball. For reasons of their own, they’ve formed the view that they don’t need to subject themselves to the sort of regulation and oversight that comes with RIPA. Who are these miscreants? Step forward the bunch from the Department for Work and Pensions.

DWP's investigators have been told to exercise powers under Section 109B of the Social Security Administration Act 1992 (as amended by the Social Security Fraud Act 2001) to require information from “any person”, including providers. They’ve been told to boycott the RIPA regime.

It’s quite hard to work out just why Yvette Cooper, the current Secretary of State for Work & Pensions, has refused to join the rest of her Cabinet colleagues in allowing her Department to participate in a central scheme. It’s not as though she hasn’t had second-hand experience of RIPA. After all, her husband, Ed Balls was the Economic Secretary to the Treasury between May 2006 and June 2007, and should have been aware that both the Financial Services Authority and HM Revenue & Customs had happily operated under the RIPA regime. Ed was then (and still is) appointed Secretary of State for Children, Schools & Families, and in that capacity he ought to be aware that the Child Maintenance and Enforcement Commission has also happily operated within the RIPA regime.

So, if it’s good enough for Ed, why isn’t it good enough for Yvette?

When providers commented on the Home Office’s proposals last year, some of them hoped that, at last, the Department of Work and Pensions might be forced to end its RIPA boycott. Providers pointed out that, as a consequence of the DPW’s boycott of the RIPA regime:

• They had not had an opportunity to provide any initial or refresher training to competent DWP investigators on the range of information that is available from providers, or to advise how maximum value can be derived from their records (unlike the training currently given to potential and accredited Single Point of Contact (“SPOC”) Officers).
• They found it hard to check the authenticity of all DWP investigators, (the Home Office has a RIPA website which has an up-to-date list of accredited SPOC Officers).
• They had not provided any statistics to the DWP to enable them to confirm that all of the requests received had actually been sent from DWP investigators.
• They had not been involved in any of the oversight mechanisms that the DWP might have put in place to mirror the oversight functions of the Interception of Communications Commissioner (whose annual visits to providers were greatly appreciated, as providers could brief him on trends which had been detected). Providers were not even sure whether an equivalent oversight function exists within the DWP.
• Providers were not able to recover any costs that were incurred in dealing with these requests.
• Providers were also not sure how many other Authorities would follow the DWP’s example and remove themselves from the RIPA regime should they also elect to exercise any concurrent powers that may be conferred on their investigators to acquire “any information” in the future.

What’s wrong with “joined-up Government” and a requirement for all Government Departments to follow common standards - through the RIPA regime?

If I were the Prime Minister, I would stop this unsightly squabble between the Home Office & the DWP by requiring Yvette Cooper to stay behind after the next Cabinet meeting and make her write on Alan Johnson's whiteboard “I must let the Interception of Communications Commissioner oversee all public authorities who access communications data, including my Department of Work and Pensions” 100 times.

Monday 25 January 2010

'Porn, pipes and the state: Regulating internet content'

I thought that title might attract some attention. It certainly attracted mine when I saw it as the headline in a flyer for a lecture that Ian Walden, Professor of Information and Communications Law at Queen Mary College, will be giving in London next Wednesday.

Ian’s main interest lies in the point that although most governments were keen to leave the internet relatively unencumbered by regulation during its first decades, the recent clamour for greater controls over illegal and harmful content continues unabated. I’m looking forward to Ian using this opportunity to examine the Internet Watch Foundation as case study for controlling illegal internet content. I hope he will also be discussing the legal position of communication and internet service providers as gateways for exercising control. I’m also looking forward to him discussing the regulatory structures, and specifically the role of the state, in underpinning any such regime.

And I also hope that he’ll cast his net slightly wider, and consider the position of providers who, acting as dumb pipes, enable people who know what they are after to access material which is not unlawful, but to many people, extremely distasteful. When does such material fall into the category of promoting an activity that others (ie most of polite society) would abhor? And if it does fall into that category, then what should be the process for banning it, or for preventing access to it? And, for this process to be effective, how can polite society react almost immediately to the miscreants who will certainly keep shunting the links to this material between servers which are housed well outside the geographic borders of this country?

In criticising various government’s approaches to regulating content on the internet, we appear to be falling into the trap of castigating the Chinese Government for adopting the same practices that some British politicians would appear to wish the British Government to have. But their aim is for I(in their minds) a respectable cause - namely censorship to prevent radicalisation of the people. The trouble appears to be that as the Chinese and the British Government occupies different parts of the political spectrum, their views on what “radical” material should be censored differs widely.

Take “democracy”, or “the promotion of radical terrorist acts”, for example. Activities that are promoted in one country might well be purged in others.

Perhaps the issue is one of degree, rather than of principle. I expect that those good folks at Google are unhappy with the way the Chinese Government regulates access to material on the internet because its approach is much more restrictive than say, the British (or, dare I suggest it, the American) approach. But I can’t believe that China is the only country that has tried to have a quiet word with the geeks in the Googleplex who create the ranked query links we all so heavily rely on.

I saw another quite shocking example today, which really made me sit up and ask myself whether everyone always has a right to exercise free speech or freely post content on the internet. I read that a convicted criminal has apparently managed to create a facebook profile (from prison, yes a place where electronic devices are supposed to be banned!) and he has used it taunt the family of the youth he received a life sentence for murdering. In blogging about it, I expect that this might encourage a few people to try to search for the material themselves. I only hope that the Google geeks do the right thing and make it very hard for people to find this squalid stuff. Even I'm happy to censor the odd bit of "free speech" every now and again.

Should we instead ask for a more transparent system of regulation? The Internet Watch Foundation could continue to prohibit and require service providers to take down links to illegal material. Then, a new body, say the Internet Classification Agency, could classify internet content, and ban search engines from ranking sites that a new “Contentmaster” decrees are not for UK eyes. Would that be a job for someone like me? If so, I’ll certainly consider allowing myself to be dragged from my current role, elevated to the exalted rank of, say, “The Count of Crouch End”, appointed "Contentmaster of the ICA", and be given a seedy office in Soho from which I (and, no doubt, lots of my underlings) could ply our unhappy and disgusting trade.

Come to think of it, there's already an ICA on The Mall, which is quite close to Soho. That ICA - not to be confused with mine, is the "Institute of Contemporary Arts" which proclaims itself as "one of the world's most innovative and influential cultural institutions, presenting a dynamic and daily programme of contemporary arts, ideas, film and culture." It sounds, in terms of a mission statement, quite similar to what I would expect my mission to be - but that ICA is a registered charity. I would have preferred my ICA to be a quango. (Quangos usually have more generous pension schemes, and you get longer holidays). However, if Ekow Eshun, the current Artistic Director of that ICA, fancies a job share and a slightly revised remit, we ought to be able to work something out.

Anyway, back to the point. If you’re also (professionally) interested in porn and the regulation of “distasteful” content too, then please say “Hello” to me as you creep along rear rows of the Skeel Lecture Theatre, in Mile End on 3rd February. Ian’s on at 6.30pm. There’s no warm up act – so if you’re late, you may have missed the best images....

Sunday 24 January 2010

“Dude – Want to use a Pop’s identity?”

Not a phrase that will be common to many people, but I understand that it’s catching on among the boys at Eton College.

Yes, really!

Now for the background – earlier this week I attended a very interesting meeting of the the Real Time Club which, founded in 1967, is believed to be the world's oldest IT dining Club. This meeting was quite special, as everyone gathered at their usual venue - the National Liberal Club – to consider how young people, "yoof", actually use technology. It was explained to us that young people relate to technology in different ways than their elders, more messaging via social networks than email, new values on privacy, more awareness of media and cost.

No evening like this would work without the personal testimonies of some of these “yoofs” – and the Real Time Club really did its members proud. No, it didn’t ask anyone from the local secondary schools in Westminster. We didn’t get the opportunity to hear from the "yoofs" attending the local Westminster City School, nor the "yoofs" from the equally historic Grey Coat Hospital, founded in 1666, after the Great Fire of London, when many inhabitants of the Old City of London moved to the medieval town of Westminster.

Instead, we got Liam Maxwell, Head of Computing at Eton College, (founded in 1440 by King Henry VI), who spoke about identity and young people's interactions with the internet and society. And to demonstrate the generational gap that spans more than just techniques and privacy practices, he brought along a selection of Eton's finest to explain what it actually meant to them in their own daily lives. The students at Eton College are generally known as Oppidans, if someone is paying their full college fees; or scholars, if their education is being subsidised to any significant extent. They had a profoundly different approach to privacy and one which older adults may not, and perhaps should not, be able to fully comprehend.

Just how media literate are they? Impressively so, actually. They are not as wrapped up in cotton wool as one might imagine. I should explain that, according to its website, Eton College, with a compliment of some 1300 boys, "is a full boarding school with no day or weekly students. Typically there are about 50 boys in a boarding house, ten in each year group. This offers a distinctive balance between small houses, which give a strong pastoral base, within a large, varied and challenging school. A new boy to the school will come to know the people in his house community very well indeed – especially his house master who is principally responsible for him, and his dame, who looks after his domestic well-being. They offer support and encouragement in every aspect of a boy’s life but without unnecessary intrusion. It is a delicate and important balance: boys are encouraged to share problems with those that can help but are steered towards mature resolution of them through their own thought and effort. From the very beginning, each boy has his own study-bedroom, there are no shared rooms. Boys thus have their own private space and are required to organise themselves and to develop self-discipline in meeting tasks and deadlines.”

So, when someone is paying the full whack of over £28,850 per year in college fees, what sort of protections do they get from the evils that lurk in cyberspace? Each boy has their own log-on access to the internet and, depending on their age, controls are in place to prohibit access to the murkier areas of the internet. I expect the controls are designed to enable them to access the occasional bit of smut, but not porn.

The younger Oppidans are not (officially) allowed to access websites such as Facebook. And the older Oppidans, whom Liam Maxwell had brought along, explained that their own "Facebook" profiles showed off their better sides, rather than their complete personas. No-one wanted everything, “warts and all”, to be on public display. A "Facebook" profile portrayed an image of someone one wanted to be, rather than perhaps the totality of what one actually was. They were all well aware of the foolishness of placing material on-line that might later come back to haunt them. They were concerned at the implications of photos of them in high spirits, but were assured by their “beaks” (their Eton schoolmasters) that there would be no long term adverse implications, unless of course the images were of activities that were unlawful. (Perhaps, I thought to myself, it was acceptable for Oppidans to publish images of themselves spraying coke over each other, but certainly not snorting it.)

Well, we were all assured then.

And were there ever any suggestions that the "Pops" (the school prefects, see the accompanying picture which has been lovingly borrowed from the official Eton College website) might consider allowing any of the younger boys to use their identity for the purpose circumventing Eton’s age controls on the internet? "You mean so that the younger boys could also maintain their own facebook pages? Surely not!" the Oppidans replied, blushing and grinning from ear to ear...

So, if, despite their very best endeavours, Eton College can’t totally control a young person’s access to the internet, then what hope has a modern day parent, who lets their child surf the web from the privacy of their own bedroom, rather than from the living room where they may be more readily supervised?

As the evening drew to a close, one extremely distinguished Real Time Club member rose to his feet to fondly reminisce about his schooldays at Eton, just after the Second World War. Back then, according to Wikipedia, junior boys had to act as fags, or servants, to older boys. Their duties included cleaning, cooking, and running errands. A Library member was entitled to yell at any time and without notice "Boy, Up!" or "Boy, Queue!", and all first-year boys had to come running. The last boy to arrive was given the task. These practices, known as fagging, were phased out of most houses in the 1970s and completely abolished in the 1980s, although apparently first-year boys are still given some tasks by the Captains of House and Games. Anyway, the extremely distinguished member explained that the fagging system was most useful as it got the younger boys to quickly familiarise themselves with many of the older boys.

“Oh, but sir, we use emails for all that these days!” trilled an Oppidan.

Saturday 23 January 2010

What will BigBrotherWatch be watching out for next?

Earlier this week I was invited to the launch of a new pressure group run by Alex Deane, a campaigner with a mission. And he’s got influential friends too – the launch was attended by Mark Littlewood (Instiute of Economic Affairs), Shane Frith (Progressive Vision), Philip Booth (No2ID), Simon Richards (Freedom Association), Eamonn Butler (Adam Smith Institute), Jill Kirby (Centre for Policy Studies), Simon Clark (Taking Liberties Blog) various bods from the Taxpayer's Alliance - and many more. I spent a good 15 minutes chatting to someone who had worked in President Nixon’s administration, back in the 1970s. So you get the idea of the sort of crowd that Alex had attracted.

The opening speeches were pretty interesting, as we all got our first glimpse of what it was that the pressure group was trying to address. Tory MP David Davies (a latter day “Norman Tebbit “ of the Tory Party) introduced a fellow blast from the (recent) past, former Cabinet Minister Tony Benn. Just what do these prominent politicians have in common, occupying very different positions on the political spectrum? Well, the right and the left have met to agree on a common concern about freedom and abuse, and most particularly the extent to which a person’s civil liberties are capable of being abused by the misuse of the information which is compiled by a database state.

To get us all in the right mood, Tony Benn recalled: "I was on my way in my car to the House of Commons recently and, just outside, I was stopped on the street by a young policewoman, so I pulled over as she asked me too."

"She said "What's your name? (so I told her), and she said "How did I spell it? (so I told her), and she went through my car looking for bombs. And I asked, as I was very polite as I was not in favour of having a dust up, just why she had done that."

"She said that I was approaching a building of great sensitivity, and she was sure that I would understand why she was stopping me under the Prevention of Terrorism Act."

"That’s the first proper use of it I’ve heard of!" David Davis retorted.

Tony Benn was quite persuasive as he presented his own personal example of the speed with which technologies were being developed. His basic point was that we can’t control the speed of technological developments, but more importantly it was incredibly hard to prevent the misuse of such developments.

When Tony Benn’s great grandfather was born in 1821, railway trains had not been invented. When his father was born in 1850, telephones had not been invented. When his mother was born in 1897, no planes had left the surface of the earth. When Tony himself was born in 1925, there was no television. When his children were born, there was no internet. And when he left the House of Commons in 2001, there was no Internet Modernization Programme.

As I reflected on this later, there could have been no possibilities of terrorist outrages similar to the (2004) Madrid railway bombings when Tony's great grandfather was born; no remote detonations of bombs by telephone when his father was born; no 9/11 style atrocities when his mother was born; no live (1989) images of the brave students in Tiananman Square when he was born; and no need for an Internet Watch Foundation when his children were born. New technologies need new types of protective measures.

But, back to the point, the really big issue is about what “else” the state does with the powers (and the information) it has acquired. Civil liberties are very important because of the way these powers (and this information) can be misused. Tony Benn didn’t mind if his medical symptoms were on a hospital database, so that the doctors could look after him properly when he was ill, but he was not in favour of the establishment of databases for the control of people. He looks forward to the day when no one thinks it’s necessary to keep all our details on a database and watch everything we do. But I suspect we may have a long wait before that day eventually arrives.

And his thoughts gave me a lot to chew on as I attended (yet) another meeting of the “former” Interception Modernisation Programme a few days later. So you thought the IMP was dead? Well, Home Secretary should think very carefully before repeating some of those immortal lines of Monty Python star John Cleese, in the sketch where Mr Praline returned to the shop with his dead parrot:

“'E's not pinin'! 'E's passed on! This parrot is no more! He has ceased to be! 'E's expired and gone to meet 'is maker! 'E's a stiff! Bereft of life, 'e rests in peace! If you hadn't nailed 'im to the perch 'e'd be pushing up the daisies! 'Is metabolic processes are now 'istory! 'E's off the twig! 'E's kicked the bucket, 'e's shuffled off 'is mortal coil, run down the curtain and joined the bleedin' choir invisibile!! THIS IS AN EX-PARROT!!”

Hmmmmmm, I would expect the Home Scretary to use another line in the sketch, perhaps the line where the owner of the shop said “ No no he's not dead, he's, he's restin'! Remarkable bird, the Norwegian Blue, idn'it, ay? Beautiful plumage!”

I’ll probably return to the examine the plumage of the revamped IMP in another blog. I won't use its new name yet just in case I'm not supposed to. But, if you creep along past bits of the Home Office today and listen very carefully, just every now and again you can hear the faint refrain:

“The IMP is dead. Long live the CCD!”

Sunday 17 January 2010

Checking up on the “Personal Information Promise”

This time last year, just before International Data Protection Day 2009, I was among a small group of people who were approached by the Information Commissioner’s Office and asked whether I would support this initiative. On the day itself, a photo call at One Great George Street recorded the small band of people who had been able to get their Chief Executives to agree to associate themselves with it. I was able to present ours to Richard Thomas, the then Information Commissioner. The evening before the photo call, I had been in deepest Stoke Newington calling on an emergency calligrapher (yes, such people exist – it’s not just your plumbing that you may need sorted out 24 hours a day) making sure that the certificates, having been duly signed by the boss, had the right corporate name on them.

I was so keen for our company to be among the first to sign up that I actually forgot to ensure that the right date was appended to the certificate – so ours is actually dated the day before International Data Protection Day 2009. Accordingly, my formal “claim to fame” is that my company was the “first” to have signed the promise. If anyone has documentary evidence of another Chief Executive’s signature on an official ICO certificates which is dated before 28 January 2009 then I’ll eat (a section) of my copy of the Data Protection Act.

Given the 10th "Personal Information Promise", I thought I might just as well have a quick review of all of the promises to see if I have acted or behaved differently over the last year as a result of the initiative. After all, that small band of signatories has grown to an army of several thousand, and it might not be too long before someone asks for evidence of compliance or behavioural change.

So here we go.

on behalf of
promise that we will:

1.Value the personal information entrusted to us and make sure we respect that trust;

Some improvements here. I think I’ve always tried to value the stuff. But a tsunami of intensive media coverage about corporate data breaches has really focussed corporate minds on the need to respect personal information.

2. Go further than just the letter of the law when it comes to handling personal information, and adopt good practice standards;

Not much change here, as I’ve always aimed to adopt good practice standards.

3. Consider and address the privacy risks first when we are planning to use or hold personal information in new ways, such as when introducing new systems;

Not much change here, as I always make privacy impact assessments. I don't always write them down, but it's my job to think about the privacy implications of everything the business does. Thankfully, given a security review following the breach tsunami (see promise 1 above), even more people within the company now follow the established rules, which are to involve me at an early stage of product development.

4. Be open with individuals about how we use their information and who we give it to;

Not much change here, as I’ve always aimed to adopt good practice standards.

5. Make it easy for individuals to access and correct their personal information;

Not much change here, as I’ve always aimed to adopt good administrative standards. Of course there are the odd slip ups – mostly in ensuring that the credit reference agencies get the correct updates about an individual’s credit history. But on the whole I feel my team does a really excellent job. If it didn’t then I would have expected to have received many more letters of complaint from the case handlers at Wilmslow.

6. Keep personal information to the minimum necessary and delete it when we no longer need it;

Not much change here, as I’ve always aimed to adopt good retention standards. I’ve worked hard behind the scenes, given evidence to a Parliamentary Committee, assisted a “People’s Enquiry”, and even been quoted in "The Register" and “The Daily Mail” on the problems faced by companies such as the one I work for when tensions arise as we want to delete records, but others want them retained on the basis that they might come in useful to someone sometime in the future. And this issue will remain just as important this year as it did last year. I can see myself spending a lot of time this year at the Home Office, with various law enforcement agency representatives, and traipsing around the corridors within Parliament and Portcullis House, as I try to get those who matter to fully appreciate the consequences of what they think they believe in.

7. Have effective safeguards in place to make sure personal informationis kept securely and does not fall into the wrong hands;

I try. I really do try. And, thanks to the breach tsunami, lots more people within the company are trying too, and more resources have been provided to ensure that we can maintain a level of security that is commensurate with this promise.

8. Provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse or don’t look after personal information properly;

Oh yes. Plenty of training going on around here. And I’ve developed guidance for managers to assist them when their reports can’t meet the standards that are both expected of them and also which they have acknowledged they should meet.

9. Put appropriate financial and human resources into looking after personal information to make sure we can live up to our promises;

Oh yes – thanks to the breach tsunami, resources are not that hard to come by any more. Even in a recession.

10. Regularly check that we are living up to our promises and report on how we are doing.
Oh yes – and how’s this report, for starters?

So I claim another first –I believe this to be the first annual review of a Data Protection Promise.
And again, if anyone has documentary evidence of an earlier annual review, then I’ll eat (yet another section) of my copy of the Data Protection Act.

Saturday 9 January 2010

How can I delete embarrassing stuff from the Internet Archive?

Have you ever tried to locate something on the internet you know you previously read, but can’t because it’s no longer there?

I’ve recently come across a website that will be very useful when I try to recall stuff that had been posted, but was subsequently taken down or otherwise removed by the website owner. Is it a British site? Come on, you must be kidding. No, it’s based in an office somewhere perhaps around 300 Funston Ave, San Francisco, CA 94118. This is the address that appears in the Archive’s privacy policy. The funny thing is, however, that when you use the Google Maps “Streetview” tool, what you get when you ask to visit 300 Funston Ave is an image of a Christian Science Church, not an office block.

So is the Internet Archive run by a charitable organisation, a church, or by some higher power?

Ok, so I have no idea who really runs this site. But I do know that it’s “Wayback Machine” can be used to locate and access archived versions of the web site. Although the public facing version of the site explains that “we can't guarantee that your site has been or will be archived. We can no longer offer the service to pack up sites that have been lost. We recommend using the Warrick Tool.”

I wonder what would happen if any of the staff have done some moonlighting and archived other pages that have appeared on the web. Or if any of the staff have been given an order by the US Department of Homeland Security, perhaps citing the PATRIOT Act, requiring it to archive a bit more stuff. Dunno, and I shouldn’t ask, really. I don’t like asking questions if I haven’t already got a hunch about the answers.

The Archive assures people who want to have their site's pages excluded from the Wayback Machine by explaining that it “is not interested in preserving or offering access to Web sites or other Internet documents of persons who do not want their materials in the collection. By placing a simple robots.txt file on your Web server, you can exclude your site from being crawled as well as exclude any historical pages from the Wayback Machine.”

The Archive explains that it “collects Web pages that are publicly available the same ones that you might find as you surfed around the Web. We do not archive pages that require a password to access, pages tagged for "robot exclusion" by their owners, pages that are only accessible when a person types into and sends a form, or pages on secure servers.”

So, if I were an Internet Archive employee and wanted to be a bit naughty and do some moonlighting, I suppose all I would need to do is re-write the computer program to delete the bit about ignoring pages tagged with robot exclusions. That bit might be simple. Not sure about unencrypting material placed on forms or pages sent to secure servers, though.

Why was I looking at this in the first place? Well, towards the end of last year I was (professionally) involved in an incident which, within 24 hours, had pushed the war in Afghanistan, the model Katie Price and the media personality Jordan completely off the front pages of all the serious newspapers and media outlets in the UK. (I now know what Gordon Brown must feel like on a bad day). And today I’ve been surfing the net to locate some colourful images to supplement the inevitable set of PowerPoint presentations that I’ll be delivering about the incident. What surprised me was the amount of information still available about the bloody thing. And what shocked me was the coverage given to it in Wikipedia. I thought to myself, just how will anyone be able to rescue their reputation if this stuff is never to be allowed to die? I mean, I work for a large company, and yet almost one fifth of it’s Wikipedia entry has been taken up by information about that one single incident. Outrageous.

If anything, the internet has totally re-written the rules about the dissemination of digital media, and the rights (or lack of rights) that people have to remove content which has been given undue prominence. If I were a criminal, perhaps I could rely on the provisions on the Rehabilitation of Offenders Act, which allows certain criminal convictions to be spent, or ignored, after a set period. I wonder whether the Internet Archive will adopt an equivalent policy?

On the one hand, I hope it won’t. Because try as hard as I can, I still don’t want anyone to forget people like Lord Jeffrey Archer, and what he got up to in the past. Perhaps if he were to renounce his peerage, I might be persuaded of the view that private people deserve a private life. But I don’t hold to the view that celebrities should automatically be entitled to airbrush out of their past material which is of a commercial disadvantage to them.

But on the other hand, where an individual (or a company) has been caused embarrassment of damage to its reputation in a wholly inappropriate way, then I fail to see why the internet should be allowed to make a permanent record of it. They may publish, but I may perish – and if I did, I might be very very, sore about that.