Blog


June 03, 2016 | Jim Killock

Understanding and reviewing the bulk powers in the IP Bill

Parliament wants an independent review of the bulk powers contained in the #IPBill. This is a difficult task and there are significant requirements that need to be met if we are to value the results.

This post represents the opinions of Privacy International and the Open Rights Group. Other organisations are welcome to add their names as being in agreement.

Image: files, cc-by-nc plashingvole / Flickr

The public operational case for bulk powers and review

The majority of the powers in the Investigatory Powers Bill are new to Parliament. While much of the capability is already in use by the security and intelligence agencies, it has been deployed under secret interpretations of statutes to which Parliament has not consented. The primary reason Parliament was not able to consent to them is that the bulk powers were not avowed until very recently, and indeed some are still not avowed.

As this is the first time that Parliament has considered the powers, it is right that the Government make full, detailed, operational cases from first principles for every such new power, and that each case is scrutinised. As yet, the Government's attempts at providing an operational case have been insufficient. There is much work to be done to give Parliament and the public a full picture of the scope and utility of the bulk powers.

An Independent Review

An independent assessment should be made of the operational case for each bulk power by a security-cleared panel with additional fact-finding powers, allowing them to scrutinise material that for national security reasons cannot be made public. To this end, the launch of a review panel is welcome.

The review is a step forward in ensuring democratic accountability for the actions of our security and intelligence agencies. But to be credible, the review must:

1 Establish public terms of reference.

No terms of reference have yet been set. It is essential that terms of reference are agreed and made public immediately.

2 Take the time that is needed.

The panel cannot undertake a full review of the bulk powers contained in the Investigatory Powers Bill in the time frame provided. To do so, an assessment of the three security and intelligence agencies' investigative capabilities would be required, which will be impossible with the resources currently available to the panel. Should the panel expand the scope of their review, or feel they are unable to complete the review with the level of rigour required in the time available, a time extension must be permitted, with the bulk powers split from the IPBill until the review can report back to their satisfaction.

3 Be produced by a balanced panel.

Perspectives from outside the intelligence community are needed to ensure independence, including civil liberties and human rights expertise. We recommend in particular the inclusion of a technical expert from outside the intelligence community, as well as the ability for the panel to request technical assistance from the agencies in the form of seconding a technical staffer of the panel's choosing to work for the scrutiny panel. Recent panel reviews of bulk powers in the US should be consulted to ensure lessons are learned.

4 Examine the capabilities and their use, rather than the legal powers.

It would be unsatisfactory to review the high-level case for bulk powers without analysing how they have been, and continue to be, used in fact. The production of a new public operational case is only the beginning of that exercise. The bulk powers are drafted in such a way that a considerable variety of technical capabilities could be deployed under each of them. The review must analyse the case for the capabilities, rather than just the power.

Capabilities the panel should consider include those that have had the least scrutiny, such as Bulk Communications Data Acquisition and Bulk Equipment Interference, due to their late avowal or, in the case of Bulk Equipment Interference, continued disavowal. Longstanding concerns about Bulk Interception of secondary data will also need detailed scrutiny.

5 Test the necessity of the bulk powers, not merely their usefulness.

Such capabilities need to be assessed not on whether they are merely helpful, faster or offer some form of value, but on whether, given the widespread intrusion that bulk powers are likely to cause, they are strictly necessary to prevent attacks in the UK. An essential aspect of this requires analysing case studies provided by the agencies to determine whether more targeted measures could achieve the same or a similar goal.

6 Report publicly.

Unlike previously sensitive reviews, such as Nigel Sheinwald's review of the UK-US data sharing which remains classified, the review's report must be a public document.

The Government’s Current Operational Case

The existing 47-page "operational case for bulk powers", which was published alongside the introduction of the Bill, is inadequate. More than half of the document is introductory in nature, covering topics such as how the internet works, leaving an average of 5 pages devoted to each capability, with most of that material already public in other explanatory documents. Despite the opportunity to provide concrete, solid examples of how bulk powers bring unique value, most of the material even within each section is kept at a high level. By way of example, the first three pages of the four-page Bulk Interception case cover (i) an introduction to the power, (ii) the current legal position, and (iii) the new safeguards in the IPBill. The fourth and final page provides three one-paragraph case studies.

A new public operational case needs to be made. This operational case must go further than setting out individual, unsupported case studies. Sufficient material should be made public to permit detailed analysis, and stand the scrutiny of parliamentarians, civil society, academia and any other body.



June 03, 2016 | Javier Ruiz

The Request Filter will turn your personal records into a police database

Next week MPs will be discussing amendments to the #IPBill. We must ensure they understand what the Request Filter really is: a federated database, or Google search for citizen-suspects.

Image: database, cc-by Eirik Stavelin / Flickr

The Investigatory Powers Bill (IPB) is reaching a critical juncture. Next week, the House of Commons will be discussing the bill at the Report Stage, which is the last chance for MPs to propose or support amendments before the bill is passed to the Lords.

The bill is very long and complex, and hundreds of amendments have been proposed. However, the "Request Filter" in particular is receiving far too little attention. With a huge range of issues to deal with, the Request Filter has been absent from the discussions on the front benches, despite being one of only two completely new developments in the Bill. As the IPB enters Report Stage we need to ensure that the Filter gets the attention it deserves from MPs.

The Request Filter is described by the Home Office as a safeguard designed to reduce the collateral intrusion produced in searching for small, specific information in a large dataset. In reality, the Request Filter would allow automated complex searches across the retained data from all telecommunications operators.

This has the potential for population profiling, composite fishing trips and the unaccountable generation of new insights. It is bulk data surveillance without the bulk label, and without any judicial authorisation at all. The Food Standards Agency will be able to self-authorise itself to cross reference your internet history with your mobile phone location and landline phone calls—and search and compare millions of other people’s records too.

Queries can be made across datasets. Location data (which pub you were in) can be compared with who you phoned, or which websites you visited. All with great convenience, through automated search. The searches will be increasingly focused on events, such as a website visited or a place where people have gathered, rather than on suspects. This is the reverse of the position today, which requires the police to focus on suspects and work outwards. In the future, with the Filter, any query can examine the data of thousands of innocent persons, to "check" that they don't fit the police's search criteria.

The idea of "passive" retained records, which lie unexamined until someone comes to the attention of the authorities, will be dead. The data becomes an actively checked resource, allowing everyone's potential guilt to be assessed as needed.

The Filter creates convenience for law enforcement queries, and pushes practice towards the use of intrusive capabilities. It lowers the practical level on which they are employed. Techniques that today would be used only in the most serious crimes, because they require thought and care, tomorrow may be employed in run of the mill criminal activity, public order, or even food standards, as the bill stands.

The Filter was at the centre of debates when the original Snooper’s Charter was first introduced in 2012. Parliament described the Request Filter at the time as “essentially a federated database of all UK citizens’ communications data”.

This dystopian surveillance tool should be stopped, and next week MPs will have the chance to do it. There are several amendments presented by the Lib-Dem MP Alistair Carmichael that aim to remove the filter.

Another MP, the Conservative Stephen McPartland, who was part of the Science and Technology Committee and understands the implications of the Filter, has tabled a series of amendments with measures designed to constrain the power. These include restricting the Filter to exceptional circumstances, putting it under the control of the Judicial Commissioner as other bulk powers, and bringing it into the statute book as formal Regulations - so it is subjected to the normal transparency and processes of judicial review.

It is important that all those amendments get debated. We want the complete removal of the filter. McPartland’s amendments describe the minimum requirements even a proponent should be seeking, but more importantly give MPs an opportunity to be told what the filter is, what it is capable of, and why the government plans so little oversight for it.

The nature of the Filter must be discussed to expose the Orwellian doublespeak characterisation by the Home Office of this surveillance tool as a "safeguard" to improve privacy. This will only happen if MPs have enough time to discuss the Bill, and their constituents, i.e. you, remind them that this is important.



May 26, 2016 | Jim Killock

Andy Burnham’s demands—can they be met?

Andy Burnham has asked for further changes to the Investigatory Powers Bill. Parliamentarians are right to have concerns about the Bill. Some of what Burnham is asking for is very important, and he has won a very important concession in getting a review of bulk surveillance powers.

Image: Andy Burnham, cc-by-nc TheBMA / Flickr

Strong opposition is vital to ensure surveillance is conducted lawfully and proportionately. It is essential that this pressure continues from Labour to secure further concessions and ensure those it has already won are fully realised. Burnham has to be careful not to be handed superficial changes by the Home Office, who are used to fobbing off politicians, including their own ministers. Let's look at some of the problems he faces in securing the concessions he has set out in his letter:

(1) Review of bulk powers

Burnham has done well to secure a review of bulk powers by David Anderson. However, this late in the day, it will only look at a fraction of GCHQ's billion-pound operation. Furthermore, it needs to look at the programmes themselves, to assess whether they work and provide value for money against the intrusion they cause. By assessing the programmes, a more sensible answer about the powers can be given, such as how to restrain and review capabilities. The review also needs to propose how to carry out ongoing review, as it will barely get started in three months. ORG has given the panel a slight head start by summarising the Snowden evidence relating to the UK in our report.

It is a shame that the review will inevitably report after the Commons has finished scrutinising the bill, but blame for that must go to the Government.

(2) Protections for Trades Unionists

This is all about processes, rather than simple statements at the top of the Bill. It shares the same problems as other carve outs for particular professions – essentially, GCHQ mass surveillance (“bulk datasets”) can’t tell the difference between people, and the police decide when they think they need to consult a magistrate prior to a data request to a telephone company. We discuss this more fully below.

(3) Over-arching Privacy clause

Any meaningful clause needs to set specific restraints that apply across the board, for instance by requiring that any intrusive act must be subject to an independent system of authorisation. This could serve to limit legal workarounds that tend to prove popular with agencies once they find them. On the other hand, statements of principle reminding us that surveillance must be ‘necessary and proportionate’ will sound great but won’t offer anything genuinely new or protective.

(4) Internet Connection Records

It is useful to suggest that ICRs – information about your web browsing history – should only be used for the most serious of crimes. This reminds us that ICRs are very intrusive. However, we still have no real idea why they are needed or even how to properly define them. It is highly likely that collection of ICRs will be open to legal challenge as a measure that fails to target actual suspects, but instead intrudes on everyone’s privacy.

The issue of the query engine – the “filter” is yet to be properly assessed by Parliament. It seems to provide very dramatic powers of searching and profiling, which mean everyone’s data being trawled through to produce results. It would be good to see Labour ask more questions about this.

(5) Judicial authorisation of warrants

The most serious kinds of warrants, for wire taps and bulk data gathering, are signed by ministers and, in future, will also be examined by Judicial Commissioners. Mr Burnham is on the right lines in insisting that this process be guaranteed to allow judges to make a full assessment, rather than just marking the ministers' homework.

Labour should also remember that the 400,000-500,000 data requests made by police annually are still not subject to an external process. Oversight Commissioners instead check off a portion to see if they are being assessed correctly. This is how journalists have continued to find themselves subject to police investigation, despite requirements for the police to approach the courts where journalists are involved.

(6) Protection for sensitive professions

It is correct to ask for this, but there are two massive holes. Firstly, all the bulk programmes suck up all the data they can find. GCHQ programmes assess the data, and finally data is presented to operatives. It is only at this final step that any hope can be given of protecting MPs, trades unionists, journalists, doctors or lawyers communicating with their sources or clients. By which time, GCHQ might well be in a much better place to assess that some risk may exist, because their surveillance apparatus will have automatically decided which person has made travel routes, phone calls or website visits that make them look suspicious. This does not feel like a meaningful protection: only by returning to a system based on prior suspicion leading to targeted surveillance can we hope to protect professional privilege.

The second massive hole is that the police make their own requests for data from ISPs and telephone companies. This places the judgement about who is a journalist or professional in their hands. There will be a lot of grey in this for the police to ignore. Who, after all, is a journalist in the age of blogging and self-publishing? Who is a trades unionist: would this just apply to people acting in an official capacity, or to the millions of members (unlikely)?

 

It is very clear that the Bill is still a long way from being acceptable. Andy Burnham has highlighted some key issues. He needs to be very careful about the responses he receives.



May 26, 2016 | Jim Killock

How we make sure the bulk powers review is meaningful

Andy Burnham has written to Theresa May to ask for further changes to the Investigatory Powers Bill, and to open negotiations on an independent review of ‘bulk powers’.

As he mentions in his letter, a review of bulk powers is particularly important, if it is done correctly. Any review has to frame its work correctly, however. There are four key issues:

(1) The review cannot possibly assess the efficacy of all of the bulk programmes in three months.

They should therefore narrow their focus to one or two specific programmes or datasets, to understand the full picture in relation to these examples. This should allow the review panelists to get sufficient depth and information to properly understand and question what is taking place.

(2) It must be clear that they are assessing the programmes rather than the powers.

It is much easier to justify a power on the basis that it may be needed sometime, or it has been useful once. If one example of the use of the power appears to have been essential, then the panel may feel compelled to say that the power is needed.

A specific programme, however, can only be justified in its own terms, i.e. does it work, is it worth the cost, and could alternative methods have led investigators to the same conclusions.

By understanding which programmes are manifestly excessive, Parliamentarians, authorisation and oversight bodies and the review can all start to understand how to restrain GCHQ’s activities.

(3) The panel must have the expertise to conduct their investigations

A team of three won’t have everything they need. They therefore need to be able to bring in help, or appoint more people.

(4) The group should be able to recommend future processes to assess bulk programmes

The panel will not complete the work needed. They need to be clear about what is needed to continue to assess these programmes for efficacy and proportionality during the lifetime of any future Act of Parliament.



May 18, 2016 | Javier Ruiz

Government announces new data sharing legislation in Queen's Speech

The government has just announced new data sharing legislation in the Queen’s Speech.

This is not a surprise, as the Cabinet Office has been preparing for over two years, with extensive discussions across government and with civil society groups under the Open Policy Making programme. The process culminated in a public consultation last month. We responded with quite a few critical comments, and over 160 ORG supporters wrote to the Cabinet Office to ask them to put privacy at the centre of any new measures.

As we have said before in this blog, ORG’s principles are that data sharing agreements should not lead to a widespread intrusion on people’s privacy; should be proportionate, limited in scope and enshrine fundamental rights; and carry strong safeguards against wilful abuse and unintended consequences.

However, some proposals we are expecting simply need to be withdrawn, particularly the bulk sharing of civil registration data across government. We are mainly concerned about births and marriages data. Notifications of deaths have lower privacy implications, but nevertheless should be handled sensitively. 

Electronic access to individual certificates can be positive, avoiding the need for paper copies, but this is very different from bulk sharing. Spreading civil registration data across government will lead to common identifiers and data centralisation. The government is keen to stress that they do not wish to create a new “citizen database”, but this is not the point. The same level of intrusion can be generated by widespread data matching with a form of “ID card lite”. The core principle of ID is not the card itself but the uniqueness of the number or key and the centralisation aspects.

It is very likely that these proposals will be rejected by public opinion, as previous attempts have been in the past. The Conservative Party in opposition was against ID cards and the database state, and would need to explain in Parliament why they have reversed their position in Government. These proposals are not explicitly mentioned in the data sharing notes accompanying the Queen's Speech, nor are several other initiatives under discussion, so it is possible the government has seen some sense and withdrawn them. More clarity would be welcome.

The wider proposals have been severely criticised by UK tech heavyweights such as Jerry Fishenden, who argues that the proposals are not well defined, lacking "detail about basic, fundamental areas (such as security, privacy, accountability)", and remind him of previous initiatives such as the "Transformational Government (2005), the Identity Card Act (2006), and the Coroners and Justice Bill (2008)". Even more worryingly for government, he thinks that the proposals may not deliver their stated benefits. The proposals to increase data sharing on fraud could be "more likely to increase fraud rather than help mitigate it".

The policy making process around these proposals started on a very positive note, with government bringing civil society in very early to discuss our concerns. The dialogue has continued to the last minute, but we are disappointed that the main lines appear to have been set in advance at the political level, with ministers believing that data sharing is the solution and must be increased. Only room for minor changes remains in our discussions with well meaning civil servants.

We foresee some trouble for the new proposals if they end up becoming yet another attempt to increase the volume of personal data flowing across government, with legal and social constraints being seen as something to be “managed” instead of positive features. The Cabinet Office should instead be looking at smarter uses of personal data that are doubly innovative in being both efficient and citizen friendly.

The Cabinet Office is also embarked on a parallel process to create an Ethical Framework for the use of Data Science in government, which will cover issues of privacy, data sharing, and algorithmic decision-making. This framework is guided by principles such as data minimisation and the need to build robust models and take public perceptions into account.

We will wait for the government to respond to the consultation before we fully set out our views. In our submission we argued that key safeguards needed to be on the face of the bill, not in codes of practice of unclear enforceability. Those powers that are being piloted, such as fraud, need sunset clauses and parliamentary discussion, not revisions by the same ministers involved.

The half baked powers on data sharing to tackle debt need to be reconsidered as part of a proper national strategy on debt management involving relevant civil society groups and debt charities. There are dangers of stigmatisation as well as intrusion into privacy.

Overall, these proposals may contain elements that are acceptable, but the newer, less considered ideas simply need to go.



May 06, 2016 | Slavka Bielikova

IPBill Public Bill Committee - what happened?

The IP Bill Public Committee has been busy this week going through all amendments to conclude the committee stage. They managed to wrap up one day earlier than scheduled and the Bill can now enter the Report Stage.

Thirteenth and Fourteenth Sittings (28 April)

Transcripts of both sittings: 13th, 14th 

The amendments tabled for these sessions discussed: 

IP Commissioner and other Judicial Commissioners

Keir Starmer, speaking for Labour, argued that the appointment of Judicial Commissioners should not follow the full Judicial Appointments Commission process. Starmer pointed out that High Court judges have already been through the JAC and that there is no need for their competencies to be retested.

These amendments also tackled the question of which judges/judicial commissioners should oversee the functions of the Secretary of State. Keir Starmer, supported in this instance by the Minister for Security John Hayes, emphasised that it would be troubling if the Prime Minister made the appointment by only consulting the Lord Chief Justice. The amendment was withdrawn to be discussed at a later stage.

John Hayes raised a question of hierarchy regarding the involvement of the Prime Minister (PM) and the Lord Chancellor in the appointments process. Originally, the amendments would have removed the PM's involvement in the appointment process and substituted the Lord Chancellor, which Hayes argued would alter the Cabinet's hierarchy. Keir Starmer agreed with the point raised and suggested it should be the Lord Chief Justice who appoints judicial commissioners.

The SNP advocated for the PM's involvement in the process.

Main oversight functions

The amendments deal with consistency of oversight functions. Joanna Cherry, speaking for the SNP, highlighted that the obligation to remove electronic protections or encryption can be issued either as a national security notice or as a technical capability notice by the Secretary of State. The amendments she put forward would make sure the judicial commissioners have responsibility for oversight of national security notices and technical capability notices. This amendment would also remove the Secretary of State's power to modify the functions of the IP Commissioner and Judicial Commissioners.

This amendment was not agreed on. 

Additional functions

Joanna Cherry introduced amendments regarding additional functions that would give the Judicial Commissioners the power to refer issues of concern to the Investigatory Powers Tribunal without having to rely on a complaint being made. John Hayes pointed out that this would not be necessary since judges will be able to advise on when to make a complaint.

The amendments were withdrawn. 

Fifteenth and Sixteenth Sittings (3 May)

Transcripts of both sittings: 15th, 16th

The amendments tabled for these sessions discussed:

National Security Notices

Keir Starmer presented amendments that would subject the national security notices to the double lock mechanism, meaning that they would also need to go before the Judicial Commissioner. 

Joanna Cherry criticised the lack of national security definition. The Solicitor General responded to her criticism saying that

“Any attempt to define it in the Bill runs a real risk of restricting the ability of this country to respond to constantly evolving and unpredictable threats. It is vital that legislation does not, however unintentionally, constrain the ability of our security and intelligence agencies to protect this country.” 

These amendments were not agreed on.

Maintenance of Technical Capability

Keir Starmer raised concerns that operators might be called upon to comply with a notice from the Secretary of State. Compliance would relate to removing encryption; however, Keir Starmer described this power as too wide ranging, especially after taking into consideration that the provisions for notices are merely set out in the Code of Practice and not in the Bill itself. Starmer argued that the amendments tabled would provide legal certainty for industry that the government will not require backdoors to be installed in products and services. Further, the amendments would require the Secretary of State to provide evidence that the notice is justified.

The Solicitor General argued that encryption is better dealt with in secondary legislation than in primary legislation, on the grounds that it can still be changed as the technology evolves.

Joanna Cherry brought forward several points that resonate with the latest international developments regarding the Apple-FBI case. The Bill would require that the recipient of a notice must comply with it but must not disclose either its existence or its contents. The Solicitor General clarified that the Apple-FBI case, in a UK setting, would not be subject to this provision because Apple does not qualify as a communication service provider, which is what the clause relates to. However, the clause defines communication service providers as "relevant operators", and it is likely that Apple would qualify as a "relevant operator".

The amendments were withdrawn. 

Warrants: notification by Judicial Commissioner

Joanna Cherry brought forward amendments relating to equipment interference (hacking). The amendments would require that the targets of equipment interference are notified after the act. At the moment, targets are only notified if hacking was carried out in error by a public authority. The notice does not cover hacking by communication service providers.

The amendment was not agreed on. 

This was the last Public Committee sitting. The IP Bill will now go through Report Stage followed by Third Reading of the Bill in the House of Commons. The dates have not been announced yet but most likely will take place in June. 

The updated version of the Bill showing changes made in the Committee is available here.



April 21, 2016 | Javier Ruiz

Better Data in Government Consultation

The Cabinet Office is consulting on new legislation to extend data sharing across government. Here we set out our overall approach and main areas of concern with the proposals.

The Cabinet Office is embarked on an attempt to redesign public administration, a new digital revolution led by a belief in the power of data to solve every problem. We've often heard arguments that if Google can do this or that, why can't the government? This needs some pause. At ORG we also believe that we are at the gates of a data revolution, but unless we put people squarely at the helm this may not lead to the positive outcomes data evangelists expect.

There is currently a public consultation on proposals to extend data sharing across government as part of this new drive. It concentrates on a few relatively limited areas: essentially research, fraud investigations and, more concerning, identifying people in need of specific help or services. This is a highly sensitive area for privacy campaigners and ORG has spent a lot of time on it. We feel we need to explain the process and our position in detail in order to avoid misunderstandings.

Government proposals on data sharing

The government wants to legislate to create several frameworks that would make data sharing agreements between public bodies - and a few private entities - easier and faster. Some of those agreements can take over two years to establish and involve considerable time and effort from lawyers. It must be stressed that data sharing already takes place and government could simply choose to follow current procedures to create all the data transfers involved in this legislation.

Our instinctive response as privacy advocates is that removing friction and barriers could also remove controls and enable the proliferation of invasive databases. For example, removing the need for Parliament to approve new data flows, a key plank of the proposals, speeds up the process considerably. It also removes public accountability. The government's approach has been to narrow the scope while introducing safeguards that they claim should provide equivalent protections against abuse, without creating unnecessary bureaucratic burdens.

The current proposals relate to quite specific areas: fraud, debt, improving research and statistics and profiling for the delivery of beneficial public services. These carry various degrees of risk, which we discuss in more detail below.

The critical question in this process is whether it is possible to have agile and fast data flows within government to quickly match policy developments while providing adequate protections and avoiding a free for all.

Open policy making experiment

These proposals have been discussed for two years as part of a groundbreaking Open Policy Making process, where civil society and civil servants have collaborated to try to achieve the highest level of consensus possible. We must stress that the process did not aim to achieve full and absolute consensus and we have disagreements and criticisms. We know that despite our best efforts the end result will not be exactly what we would have liked.

We remain positive about the engagement though, as it has sharpened our capacity to constructively intervene in policy making, and many details in the proposals have been improved. We expect that wider scrutiny under the consultation will find loopholes we may have missed.

As many of our specific objections and concerns have already been dealt with, this makes it all the more important to explain very clearly our remaining reservations about the overall approach and specific areas.

One difficult issue for us throughout the process has been to focus our engagement on privacy and data aspects, not straying too far from our core issues. At the same time, as part of civil society representing a public interest position, we've had to raise broader points on the fairness of the underlying policies. Where possible we've brought along other organisations with expertise in particular areas such as debt.

Our principles and overall concerns

ORG’s minimal criteria are that data sharing agreements should not lead to a widespread intrusion on people’s privacy; should be proportionate, limited in scope and enshrine fundamental rights; and carry strong safeguards against wilful abuse and unintended consequences.

It would be fair to say that these aspects have been taken very seriously by the Cabinet Office team and particularly the scope of proposals has been tightened. We are concerned however that in cases safeguards are placed in codes of practice, which are no substitute for primary legislation.

One concern around safeguards is the tendency throughout the process to see compliance with data protection laws as a safeguard. We have stressed that this is not necessarily the case. This is particularly problematic with the new EU General Data Protection Regulation (GDPR), which is set to replace the Data Protection Act as the backbone of privacy protections in the UK. The recently approved GDPR is a much needed update and an overall improvement, but during a long and convoluted negotiation process European governments carved out many exceptions in the GDPR that give public administrations plenty of room to manoeuvre around privacy restrictions. Data sharing legislation needs to provide specific safeguards closing any potential loopholes.

More proactively, ORG engaged in this process as an opportunity to consider the expectations and relationships between citizens and government. Putting citizens at the centre of a new data-driven administration should include devolving much higher levels of control to individuals. It is disappointing that these aspects have not been explored.

Where devolving control is not possible - e.g. taxation or justice - new information governance models need to accompany any increase in data sharing. We have concerns that simply creating legal powers without a shift in how we see personal information could end up taking us to widespread data sharing without any consent. ORG members know better than most that data and technology can save lives, but we also know that mistaken, even if well meaning, decisions based on bad data can ruin lives. The Cabinet Office seems to have focussed on the former.

At the very least this legislative drive could be an opportunity to streamline the vast number of data gateways currently in existence and improve transparency. Where the Cabinet Office sees an administration hamstrung by restrictive privacy regulations, we refer them back to the Joseph Rowntree sponsored report from 2009, which found large numbers of government databases had problems and some may well be in breach of human rights laws.

The proposals contain some improvements on transparency, and a rationalisation of data flows has been a subtext to much of the discussions, but we believe these are not enough. We would like to see mandatory central registers of data transfers and the closure of “zombie” sharing agreements when new ones are started. Use it or lose it sunset clauses should become the norm in any new data agreement.

Accountability is also paramount. If Parliament is not to have a role in authorising data sharing we need to have mechanisms for challenging any new agreements without the need to go to court for a judicial review.

Increasing data sharing may bring some improvements to government efficiency and the quality of public policy, but the case for these positive outcomes, given the other costs, must be clearly made. The government must demonstrate that new legislation removing obstacles to data sharing will deliver improvements. Our perception during discussions was that in some cases civil servants were under pressure to come up with positive case studies after a decision that data sharing must be good had already been reached somewhere higher up. Throughout the discussions we also found a healthy scepticism among some civil servants, who believed that there were other issues that would need to be tackled, such as technical capacity and organisational culture.

The proposed strands

We will go in more detail in our response to the consultation but here we want to give a quick summary of our views on the concrete proposals included in the legislation.

The proposals around research and statistics are the least problematic from our perspective. If the safeguards proposed are applied properly sharing data for these purposes could lead to better policies and insights without causing excessive privacy intrusions.

The proposals on fraud are sensitive because there is a thin line separating it from errors. Indeed, during the discussions with the Cabinet Office we looked at the use of data to reduce administrative errors and prevent fraud as part of the same processes.

Fraud investigations can be a legitimate use of data, if done narrowly and proportionately and without wholesale data matching. A key issue is who makes this judgement, and how it can be challenged. There should be sufficient transparency to ensure that Judicial Review is possible. Is the ICO providing oversight?

This and other strands must also demonstrate that the sharing is working: is the privacy intrusion reducing fraud? Is the sharing targeted, or can broad searches be further narrowed? During the discussions this area was going to be tested in pilot projects and we think that is the best approach.

The third strand on profiling for public services is where we see very high risks. There are dangers of discrimination, stigma, and risk aversion leading to oversensitive reactions.

We spent a long time trying to ensure that the proposals were narrowed to only cover positive interventions, e.g. to identify people on low incomes who could benefit from government subsidies. Interventions need to be defined very tightly. Absolutely they must not include punitive elements. There is always the danger that targeted benefits are used to withdraw generalised benefits, or reduce the pool of beneficiaries.

Even with best intentions people can be stigmatised or may simply not wish to participate. Individuals need to be able to opt out from participation and profiling as much as possible.

One common thread is the central role of HMRC's data, with many of the provisions in the proposals designed to remove statutory limitations on access. The wider implications of these changes should be debated more widely.

Specific concerns about last minute additions

In particular, two proposals have been brought into the process very late. These are very controversial, and go against the grain of the process, which was designed to find the areas where agreement could be found.

We are particularly worried about proposals to share data on debt that were removed and then brought back at the end of the Open Policy Making process. The proposals to enable widespread data sharing to tackle government debt have not been supported by a clear case, and could have huge implications for vulnerable people facing economic hardship. Creating a “single view of debtors” requires a broader strategy on public debt management that is currently missing. As such we think it would be best to leave these proposals out of the current process and take more time to consider the issue of debt as a whole, not just the data angle.

Another last minute addition is the plan for the sharing across government of data from the General Registry Office, which holds certificates for births, deaths and marriages. We have concerns about proposals for bulk sharing of the whole registry database across government to improve identification. Despite repeated reassurance from government to the contrary, the sharing of these common identifiers across government has a whiff of ID Cards lite.

The best person to make data sharing decisions for the citizen is the citizen. We can see the case for making it easier for citizens to send certificates electronically instead of having to apply and send a paper copy by post. It is the sharing of data in bulk outside of a consent framework that is a concern. In cases where bulk registry data might be useful, such as fraud prevention, specific agreements should be explicitly mandated by Parliament, instead of creating a broad power.

In any case, bringing such proposals into this process late runs against the spirit and intention of the open policy process. Government should remove them, if only to retain the credibility of future processes. If they are retained, then civil society will take note, and be far less willing to engage in such processes in the future. There is, in short, an element of good faith which is being sacrificed here.

We have prepared a tool to help you respond to the consultation. Responses should be sent by Friday 22/04/2016.


March 17, 2016 | Jim Killock

The Investigatory Powers debate is missing one huge power: the “filter”, or police profiling engine

The debate on the Investigatory Powers Bill has focused a lot on the new extension to police powers, and the collection of “Internet Connection Records” to keep a log of everyone’s web browsing. Critics like myself worry about the ability this creates to see into everyone’s most intimate thoughts and feelings; while proponents are prone to say that the police will never have time to look at irrelevant material about innocent people.

However, the really novel and threatening part of this proposal isn’t being given anywhere near the level of attention needed.

The truly groundbreaking proposal is the “filter”, which could be seen as a government Google search to trawl your call records, Internet and location data. The filter is clearly named so that it sounds helpful, perhaps boring or else maybe something that filters down information so that it is privacy friendly. It is anything but. It is so intrusive and worrying, I would rather you think of the Filter as the PHILTRE: the Police Held Internet–Lets Them Read Everything.

Remember when these proposals started, back in the late 2000s, under the last Labour government? Maybe not, but that’s how long Home Office officials have been trying to make this happen. Their original plan was to build a single database that would store everything they could find about who you email, message and what you read — and where you are, as logged by your mobile phone. Place all that information in a single searchable database and the dangers become obvious. So obvious that the Conservative opposition was up in arms.

How on earth would you stop abuse, if all this information was placed into a single database? Surely, it would lead to fishing trips, or police searches to find lists of all the environmental protesters, trades unionists or libertarians, and to identify who seem to be their leaders? How would you stop the police from producing pre-arrest lists of miscreants before demonstrations, or from deciding to infiltrate certain public meetings? Indeed, who would be able to resist using the database to work out who was at the location of relatively petty offences, perhaps of littering or vandalism, or calculating who had been speeding by examining everyone’s mobile phone location data?

So the current government does not want to try to hoard everyone’s data into a single database. Instead, they’ve come up with the PHILTRE, which can query lots of smaller, separate databases held by each private company. As this PHILTRE can be applied to separate data stores, all at once, we are in effect back with a proposal for a single government database and all the same problems — but in a way that lets government claim that it “is not a single government database”.

But as long as the data can be queried and sorted in parallel, it becomes immensely powerful and just as intrusive. For instance, for a journalist to protect against revealing a whistleblower, they would need to avoid not just phoning them, but meeting them while both were carrying their mobiles and creating matching location logs. All of the profiling and fishing expeditions are just as easily achievable.

Most worrying is the authorisation process. Police, agencies and tax authorities will continue to authorise their own access of our personal data, just as they do today with phone call records — there’s not a judge anywhere near the day to day use of this search facility.

The Home Office is selling this Google-style search through the population’s mind as a privacy enhancement. Only the relevant search results will be returned. Masses of irrelevant information about other people will not have to be given to officers. They give the example of mobile phone mast data — where the filter could cut the required information down to just that about the person you need to know about.

This might sometimes be true. But two things make me suspect this is a highly partial story. For one thing, the search engine can tell you about the kinds of things it thinks it might tell you — perhaps social graphs, location histories, dodgy website visits, organisations supported — before you ask it. This is to educate and help police get the right information. It is also an invitation to make increasing use of the tool. If it is limited in its purpose, this seems an unnecessary step.

Secondly, there are no limits to what results the search engine might be asked to produce. Nothing for instance, says that only a single person or place can be searched against, so that only one person’s contacts might be returned, or just the people at a single crime scene. Thus the prospect of fishing trips is given no legislative limit. The only serious limit is that this information might be kept for no longer than 12 months.

For years privacy campaigners have been trying to explain how your web history and location data can be dangerous tools for personal and whole population surveillance. Now it seems the UK government wants to engage in a whole population experiment to show us what it really means. Parliament, the courts, but most of all, you, can help stop them.
