Friday 28 November 2014

What do we think of the ICO so far?

Our chums at the MoJ are seeking our views on the ICO's performance. Evidently, as part of the UK Government's requirement to reform public bodies, all non departmental public bodies must be reviewed at least once every three years.  

This review will examine whether there is a continuing need for the ICO to carry out its functions, and whether the organisation should continue to operate in its current form, considering whether services could be provided more effectively and efficiently. 

We, the people, have been asked to respond to the questions that are set out below:

      1.     With regard to the ICO’s functions to enforce and oversee the DPA and a range of a different regulations,
a.     Do you consider, in relation to any or all of the above, that the provision of their services to individual users and to organisations remains necessary?  Please explain your reasons for your answer.
b.     Do you consider that services provided by the ICO in these areas could be improved? Please explain your reasons for your answer.
c.     Do you consider that services provided by the ICO could be delivered differently? Please explain your reasons for your answer, including any examples from other regulators or comparable international bodies.
      2.     Is the independence of the ICO best supported by reporting to Parliament or to a government department such as the Ministry of Justice? Please explain your reasons for your views.
      3.     With continually changing technology, an increased use of social media and the internet, do you believe the ICO will continue to be fit for purpose?
      4.     Do you have any additional comments you would like to submit as evidence to the review?

The deadline for responding is 16th January. Bearing in mind that the data protection Xmas party season starts next week (with the Data Protection Forum’s famous December meeting, which always ends with a marvelous festive lunch), we actually haven’t got that long to think about our responses.

What are we likely to say?

In response to Q1, I expect respondents will be split between those who don’t think the ICO is sufficiently effective, given its budgetary constraints, and those who are pretty content with the current state of affairs, as the only time they usually come into contact with the Information Commissioner and his team is when they attend the ICO’s annual Data Protection Officer Conference in Manchester each April, or when they attend other events where an ICO official is speaking. Or perhaps when they pay their annual registration fee.

Many people may well have heard of the ICO’s enforcement (and audit) teams, but much fewer will have been visited by the ICO’s staff during the year, so they may not fully appreciate just what all the 350-odd ICO employees really do all day.

This might, however, prove to be a useful opportunity to compare the size of different regulatory bodies, and to ask whether the ICO is appropriately resourced. Is it sufficient to the ICO to be expected to spend some spend some £16 million on data protection work when the Financial Ombudsman Service is likely to require an operating budget of over £250 million for 2014 / 15?

That statistic tells me a lot about the problem at hand. If the Government really wanted to properly enforce the laws it has passed, it needs to ensure that the right resources are available. Perhaps “data protection compliance” is similar to the “right to be forgotten” or “a fundamental right”  – a soundbite that trips easily off the tongue, but is really hard to pin down in practice.

In response to Q2, I expect that the balance of views will be for the ICO to report to, and be funded by, Parliament, rather than a Government Department. If the Parliamentary and Health Services Ombudsman (with an operating budget of some £33 million) can report directly to Parliament, then so should the ICO.

In response to Q3, I’m not sure how many people can answer this. Does the question invite us to ponder how effective the ICO will be in a world where many huge data controllers will operate from countries outside the ICO’s ambit? If so, perhaps this is where we need to put a word in for the Global Enforcement Network, and hope that the ICO has enough funds in the kitty for its staff to travel to all corners of the earth and liaise with local regulators.

In response to Q4, I wonder how many respondents will point out that should the UK vote to weaken our links with countries that remain within the EU, then it will be even more important for a suitably equipped ICO to be able to deal with data protection standards and opinions emerging from European data protection regulators, and make sure that the standards can be interpreted in ways that meet the needs of pragmatic Brits.

As well as advising on rules that are sufficiently robust to persuade the EU that the UK has affords its citizens an adequate level of protection.



Thursday 27 November 2014

Will the Data Protection Taliban turn on Twitter?

Usually, when an extremely large organisation recalibrates their customers’ privacy expectations, we can expect howls of indignation to emerge from the fundamentalist wing of the data protection community.

So, on learning that Twitter was evidently going to snoop on every app in their customers’ phones, I sat back and waited for the reaction.

Have I heard anything from the Article 29 Working Party yet?    

Have I heard anything from the ICO yet?    

Have I heard anything from BigBrotherWatch yet?    

Perhaps Twitter isn’t the type of extremely large organisation that naturally attracts instant fury from the usual suspects.  After all, only 284 million people use Twitter every month.

Evidently, people are more concerned at whatever Google or Facebook might be doing with their customers’ information, rather than (relatively) tiny Twitter.

But things may change. When I recall the torrents of abuse that usually accompany any G or FB privacy announcement, even when they’re trying their hardest to make things more transparent to their customers, I do wonder how Twitter will deal with the feedback that will emerge.

Of course, it may be that Twitter fully briefed the Article 29 Working Party and the European Commission about its announcement, and stressed the ease with which customers will be able to object to Twitter automatically opting everyone into its new data collection service.

We can expect the usual concerns. Why should people have to opt out? Why is it the case that they have all been automatically opted in?

These are sorts of issues that I frequently help my clients deal with.

From a “privacy by default” perspective, I can understand why the DP Taliban would be upset.

But life isn’t always about opting in.  At least Twitter is being transparent about what they are doing, and they’ve developed a user education programme that informs individuals of the choices that are now before them. They’re trying to be innovative and are trying to remind customers of the “value exchange” that exists when people subscribe to a “free” service.

If Twitter’s users don’t want their apps to be logged, they can always object. And if they really really don’t like what’s happening, they can always cancel their Twitter account.



Wednesday 26 November 2014

How do I expect my communications to be monitored?

I have a range of expectations when it comes to having my communications monitored.

I don’t want spam, so I expect my communications and internet service providers to do whatever they feel appropriate to prevent it from reaching and clogging up my in-boxes. This means that my incoming communications will be reviewed – perhaps not the actual content of a message, but at least on the basis of the metadata that accompanies the content. 

If, for example a provider notes that a huge volume of communications of an identical length are uncharacteristically spewing out of a single address, I would expect it to carry out some form of investigation in an attempt to determine to whether the communications are solicited or otherwise.

By the same token, I don’t want my outgoing messages monitored.  Whatever I have to say is for me to determine. Surely, this is what freedom of expression is all about.

When working for EE, I had to address the issue of what steps the company should take to ensure that not only was the confidentiality of its customers’ communications preserved, but also that if what appeared to be inappropriate activity came to EE’s notice, it was reported to the appropriate authorities.

Inappropriate activity was invariably discovered by chance, rather than as a result of a deliberate effort to monitor a customer’s lifestyle. It was very occasionally discovered when customers left their own mobile devices in stores in order that the device could be repaired. Staff had very strict instructions  never to look at any content the customer may have left on their personal devices. However, it was necessary to ensure that, when borrowed devices were returned to the store, the factory settings had been restored and that no inappropriate content (in the form of personal texts or images) remained on the borrowed device.

There were a few horror stories of customers alleging that they had borrowed a mobile phone from a store whilst their own device was being repaired, and were shocked at the images that had apparently been left by a previous user. Sometimes they would demand compensation, otherwise they would tell the media. Occasionally, they forgot to look at the date / timestamps – if they had, they would have realised that the offending images were downloaded to the device after the device had left the store, not before.

Very, very infrequently, loan devices were returned with images that were considered so disturbing that I reported the incident to the police.  The only occasions I can recall involved images relating to child cruelty. Quite what happened to the people who were responsible for such cruelty, I’ll never know. I saw it as my job just to make sure that the appropriate police force was formally notified. If that force decided to take any further action against the individuals involved, that was a matter for them.

I certainly didn’t think that I had any further duty to monitor those individuals. I had neither the skills nor the legal powers to do such a thing.

That’s what I expect law enforcement officers to do.

And that’s why I’m reassured, in a way, that an “unnamed” internet service provider has recently been criticized for failing to closely monitor the communications of one of their customers who turned into a terrorist.

I don’t expect my service providers to have the means (or the will) to monitor all of my communications manually, and consider contextually, whether any are sufficiently offensive for them to be reported to the authorities.

Yes, they may well have some automatic programmes in place that identify the most egregious communications / images that are sent by criminals, and I'm happy for the digital fingerprints of my images to be compared with those that the authorities are trying to prevent from being circulated. I understand that the illegal list really does contain just the most appalling images, not those that "the man on the Clapham omnibus" would merely consider distasteful.  

However, I do expect my service providers, wherever they are based in the world, to develop close working relationships with the UK’s law enforcement community, in order that when investigators do exercise their legal powers to monitor my communications, providers can respond speedily.



Monday 24 November 2014

Communications data in the parliamentary spotlight again

Finally – after a two year wait, another of the recommendations in the report I helped the Joint Parliamentary Committee on the Draft Communications Data Bill agree upon will make a little more headway.

First, a recap.

During the autumn of 2012, the Committee reviewed the thorny issue of IP address resolution. It gave what was has just been announced by Home Secretary Teresa May the green light.

This is what the report said:

73. As outlined in paragraph 65, Home Office officials eventually told us in public evidence that they would like clause 1 to enable them to access two specific types of data: subscriber data relating to IP addresses and web logs.

74. Subscriber data relating to IP addresses is the information that makes it possible to trace who is using an IP address at a given point in time. An IP address is a numerical label assigned to a device connected to the internet (e.g. a computer, smart phone or printer). The IP address of a device is not constant; it may change frequently and be shared between several devices. The originating IP address of a communication is routinely gathered in many types of internet transaction, but if the CSP does not hold information on which of its subscribers held which IP address at a particular point in time it is very hard for law enforcement authorities to prove an association between an action on the internet and a particular individual. Not all United Kingdom providers currently obtain all the data necessary to trace which subscriber is using which IP address. During the course of our inquiry we heard of various circumstances in which the lack of this data has impeded investigations. We accept that if CSPs could be required to generate and retain information that would allow IP addresses to be matched to subscribers this would be of significant value to law enforcement. We do not think that IP address resolution raises particular privacy concerns.

75. We recommend that a narrower clause 1 should allow notices to be served on CSPs requiring them to generate and retain subscriber data relating to IP addresses.

This was one of the 38 issues that the report recommended be addressed. Obviously, not all of the recommendations required changes in the law before they could be implemented, and work is already underway to implement most of those that don't require legislative change.

Quite why we have had to wait so long for this eminently sensible recommendation to be implemented is something that only the Home Secretary can explain. I’m certainly not aware that the main political parties have ever challenged it.  They didn’t at the time of the report’s publication – and they haven’t done so since. Evidently, it is not easy to find the parliamentary time to change laws, these days. 

Will the ability to trace what device is using an IP address at a given point in time be of significant value to law enforcement investigators? – Quite probably.

Will it enable law enforcement investigators to better understand the types of communications that suspects are engaged in? – Quite probably.

Will it enable law enforcement investigators to break encryption tools applied by targets who use their devices for nefarious purposes? – Probably not.

But will it be useful to law enforcement investigators in other ways? Oh yes!

And are you going to tell me what they are?  Oh no.


I've just noted that the (usually) reliable Register has reported that a Liberal Democrat spokesperson has commented:

This announcement is welcome news but comes after months of Conservative foot dragging. They always bang on about new security powers but have done nothing about IP addresses since we called for it in Spring 2013.

I don't think its right for the Lib Dems to take all the credit for today's announcement. They didn't "call for it" first. The Joint Parliamentary Committee did.