Our privacy work is expanding, and is a major concern for technology users. Privacy is a fundamental human right, protected in British and European law.
At its basic level, privacy is about trust and security; but it is also about power. Information about you allows companies to do things, good and bad. It also gives companies market leverage, through knowing and understanding their user base. Increasingly, therefore, questions about your user data are becoming issues of competition and market control.
When we responded to the Ministry of Justice’s call for evidence in 2010, their questions made it plain that they were seeking to understand burdens placed on business by data protection, rather than problems that end users had with enforcing their rights, or the failures of data protection to deliver secure and trusted information services.
We joined EDRI in visiting the Commission to explain civil societies’ concerns. We explained that privacy was important for users’ trust. In our case, we also explained the deep problems that the UK faces with our Information Commissioner, and the lack of powers, botched definitions and poor enforcement of data protection law.
Cookies and profiling
Behavioural advertising first became an active area of concern when BT and Phorm started intercepting their customers web traffic. But Phorm is merely the worst example among many; the trade in data about you, collected via third party cookies is pervasive and almost always takes place without your prior consent.
Last year, the EU’s amendment to the e-Privacy Directive came into force, requiring that users’ consent be required before cookies are placed onto a users’ computer, excepting those used to keep websites working. The Directive has come under attack by industry, partly because some tracking cookies are used by analytics and other services considered very useful by websites, and because advertisers are highly resistant to the idea of obtaining consent.
The basic problem is that users have no real way to signal consent, or effectively stop their information being spread to myriad companies that partner to most commonly visited commercial websites.
ORG kept a close watch on the situation, and went to meetings in the EU and with DCMS to put forward the simple message that user consent is paramount. We also, decided that we should get proactively involved with the W3C to defend the new Do Not Track (DNT) standard.
DNT will work by allowing a user to set their web browser “signal” to websites that they do not wish to be tracked. Ad networks and others should then respect this signal, and take steps to minimize or delete the data they collect.
The battle at W3C is between companies who want to retain most or a lot of the data, to allow extensive reuse, but limit the profiling activities; and civil society representatives who are determined that DNT really does make a meaningful impact on data collection and storage.
ORG is inputting into the discussions where appropriate and working with civil society groups to help W3C reach a good conclusion in their work.
Communications Capabilities Development Plan
The Intercept Modernisation Plan, IMP, was meant to have died when the Labour government lost the election. This plan, to force ISPs to collect “traffic data” about your online communications, is extremely intrusive. By knowing who you talk to, and often where you are, all kinds of inference may be made. By storing this in a series of databases, law enforcement could potentially search records on a speculative basis to look for patterns of behaviour or types of person.
A great deal of your communications data is stored by companies like Facebook, Google or Yahoo. If the government wants even the “traffic data”, then it must approach the company and ask. Generally that requires at least a senior officer to sign a request.
That makes mass fishing expeditions impractical. Under the new scheme, they could become easy and routine. Other risks will be generated. It is difficult to see how whistleblowers, journalistic sources or even MPs could be protected when records of who they are talking to, and when, would be recorded and be easily accessible.
During the year, there was little sign that anything was happening, save mentions in strategy documents and budgets. However, there were persistent rumours that Labour’s plans would resurface.
Eventually, at the end of the year the Internet Service Providers Association (ISPA) let their members know about the potential for the Communication Capabilities Development Programme (CCDP) to be relaunched, after being briefed by Home Office officials. At this point ORG began working on it extremely hard. There are now a stream of media reports, FOI requests and Parliamentary Questions trying to dig at what is happening, which have been initiated by our push to shed light on the government’s intentions.
A worrying conflation of the commercial sale of government personal data, like health records, and “open data” has emerged from the office of the Transparency Tzar, Tim Kelsey.
We have been working to help the Open Data community understand possible privacy risks, and talking at international and Westminster events about this. But the problem has little to do with ‘open data’. Most of the UK datasets in question are not going to be openly published: they are going to be accessed on a commercial basis, to create government revenues and “value to industry”. The safeguards against the identification of real people would be through ‘anonymisation’ techniques, the safety of which is increasingly challenged by technical experts.