Thursday, November 26, 2009

News: SWIFT Update

The Legalift reported last week that 4 countries remain opposed to the draft agreement granting US access to SWIFT banking transfer records. Germany's justice minister says that Berlin is uncomfortable with the plan and France, Austria and Finland have also signalled discontent with the scheme.

The draft plan is significantly different from the resolution issued by the European Parliament on the issue. 'Terrorism' is left undefined, requirements for judicial oversight are nowhere to be seen and the restriction of access to the specific issue of 'terrorism financing' is loosened to "prevention, investigation, detection, or prosecution of terrorism or terrorist financing". Ralf Bendrath has a round-up of all these issues and many more.

If a decision is not reached by November 30th, then, as the Lisbon Treaty kicks in on December the 1st, the European Parliament may have much more say in the process (and it is likely to take another 6 months). Germany and Austria are reported to be under pressure to drop their opposition.

News: IMP Still Budgeted for 2016 Release

After mention was left out of the Queen's Speech, there was a lot of speculation that, in response to political pressure, plans for the Interception Modernisation Programme to monitor all electronic communications had been abandoned.

The Register reveals that the £2Bn remains in the Home Office's financial plans, scheduled for completion in 2016.

News: Facial Recognition Technology to be used at Cardiff Airport

From the Register: Cardiff now joins Manchester Airport in allowing inbound passengers to have their passports checked automatically with facial recognition systems. The option is available for adults with chipped biometric passports, issued since 2006, which, amongst other information, have a picture of the holder encoded on them that can be compared to the subject checking through.

The article refers to the embarrassing revelations last year that facial recognition technology in use at Manchester airport was unable to distinguish between pictures of Winona Ryder and Osama Bin Laden. This happened because the machines initially gave far too many false negatives, and in response staff turned the settings so low they effectively 'switched them off'.

Wednesday, November 18, 2009

News: Biometrics to be Used to Identify 'Outsiders' in Afghanistan

From the Sunday Times: in Afghanistan biometrics such as fingerprints, retina scans or DNA tests are being proposed as a means to draw up "gated communities" in which outsider 'rebels' can be swiftly identified. In Basra, patrolling US soldiers are being issued with iPods with a list of all local people.

Brigadier James Cowan, the new commander of British forces in Afghanistan, gave an interview to the Sunday Times in which he emphasised the importance of reassuring the local population of UK and US ability to provide security.

For the brigadier it is all about challenging the Taliban’s rule of fear: “What you have to do is create communities where people wish to be separate from the enemy because they have the confidence to be separate from them.”

Cowan’s staff have embarked on a huge exercise known as “human terrain mapping”. It involves not only delineating tribal boundaries, but also family networks, land ownership and all the possible grievances that can be exploited by the Taliban.

News: UK T-Mobile Staff Sold Private Data

From BBC News: T-Mobile staff sold customer data on to other mobile phone companies to target people coming to the end of their contract for cold calls. Thousands of customers and millions of records were involved. The Information Commissioner has said he is preparing a prosecution.

News: Swiss take Google Street View to Court

From the Register: Swiss Federal Data Protection and Information Commissioner (FDPIC) Hans-Peter Thür is taking Google Street View to court, unsatisfied with the privacy-enhancing blurring Google have offered in the Street View images so far:

Thür's patience has now run out, and his office said in a statement: "In its written response on 14 October 2009, Google for the most part declined to comply with the requests. For these reasons, the FDPIC has decided to take the matter further and to take legal action before the Federal Administrative Court."

AFP notes that Google has insisted it's "absolutely convinced that Swiss View is legal in Switzerland."

News: New Datamining System to Detect 'Deviations' on the High Seas

From the Register: The US Navy is to use new computer monitoring software to detect 'deviations' in normal behaviour at sea. Dubbed 'PANDA' (Predictive Analysis for Naval Deployment Activities), the system will examine data on worldwide shipping movements for evidence of unusual and threatening behaviour:

The idea is that the Office of Naval Intelligence will deploy PANDA at its National Maritime Intelligence Centre in Maryland, where the new tech will be able to monitor tracking information covering much of the watery globe.

As well as information fed in by US warships, monitoring stations, patrol aircraft and so on, the US intelligence community is also known to make extensive use of radar spy satellites able to scan vast swathes of ocean from orbit and pick out any ships.

News: New Policy on UK DNA Retention

From the Guardian: Police have announced that they are to retain the DNA of those released without charge. Home Office Ministers say they want a 6 year limit (having previously sought a 12 year limit) for retaining profiles. Ministers are also advocating indefinite retention of those arrested on suspicion of terrorism or other national security provisions. Those convicted of any offence remain on the database for life. The Tories say they would implement the Scottish system whereby the profile of those unconvicted of any offence is destroyed on release from prison:

The national DNA database is already the largest in the world, with the profiles of 4.5 million people already recorded. They include 850,000 DNA profiles of people who have never been charged with or convicted of a crime. The need to find a new regime follows a landmark ruling in the S and Marper case by the European court of human rights, which ruled that the Home Office's current regime of "blanket and indefinite" retention of innocent people's DNA was illegal.

News: ICO to Fine Companies £500,000 For Serious Data Breaches

From Panopticon Blog: The Information Commissioner is to get powers to deliver civil penalty notices on a data controller for a serious contravention of the data protection principles if the contravention is:

1) Deliberate or reckless
2) Of a sort that is likely to cause substantial damage or distress

The post makes two criticisms: first, the proposed cap of £500,000, as large as it might seem, compares less favourably with other regulators' powers to fine up to 10% of an organisation's turnover. Second, as the government ultimately pays for many of the organisations in question, imposing large fines may have 'a slightly unreal quality to it'.

Comment: Murderer Requests Wikipedia Anonymity

Following up on the news that a convicted murderer wants Wikipedia to remove references to his crime: there's a controversy over what laws the various different versions of Wikipedia fall under - a German privacy law coming into tension with the US right to free, truthful speech. I'm not interested in this legal question so much as I am in the more general question of what rights of privacy anyone ought to be entitled to from Wikipedia.

Some have pointed out that the identity of the actor's killer is a matter of public record, and so some might want to claim that placing this information on Wikipedia makes no difference to the individual's privacy. I find that unconvincing - clearly Wikipedia has more prominence than a court record. Where the issue is the criminal's ability to get on with day to day life I'm sure the appearance of the information on Wikipedia makes a material difference.

Surely some information which is interesting and publicly verifiable ought not to appear on Wikipedia because of its intrusiveness. For example, I imagine the past romantic relationships of public figures could be established on at least some occasions, but unless it reveals something of legitimate interest to the public (such as a politician caught in a possible conflict of interest) such material should not be published. Likewise public figures' children, except where they are notable in their own right (as a child actor, say), should basically be left alone. (I assume this is the present policy - Obama's children do not have pages, despite the vast amount of press coverage of their first day of school, their new puppy etc.)

So where does this murderer fit in? As far as I have seen, nobody has argued for any legitimate public interest in the killer's identity - nothing hangs on who did it, it isn't necessary to any understanding of why the actor died, say. As such, I can't see any need for the information to appear in the article.

News: Murderer Requests Wikipedia Anonymity

From EFF: Lawyers Stopp and Stopp have sent a 'cease and desist' letter to the German and English language versions of Wikipedia requesting that the page about German actor Walter Sedlmayr remove all mention of their client's murdering him.

Under German law, as 15 years have elapsed, he has returned to having the status of any other private citizen and, it is argued, is entitled to anonymity in order to facilitate 'reintegration into society'.

Comment: What's Worse?

The discussion of the UK plans for the 'Big Brother Database' has me wondering: What's worse, centralised storage of this communications data, or forcing ISPs and mobile phone companies to hold on to the data for long periods of time?

Clearly this data is incredibly sensitive, and there are good reasons to want to restrict anyone's access to it. But, were such information to be stored, what would be worse? The idea of a centrally held database tends to make for bigger headlines, calling to mind, as it does, the vision of faceless government bureaucrats poring over our intimate secrets.

And the risk of government officials abusing such private information is indeed one of the reasons one would want to restrict access. But it's only one of the reasons. Surely another is the risk of any sort of public disclosure of this information. It is intrusive for anybody I haven't chosen to do so to view information about who I telephone or what websites I visit. But this information tends to be of much more interest to our neighbours, friends and work colleagues and of virtually zero interest to government. In deciding which is worse, one of the matters I think we should consider is which arrangement makes it less likely for some data breach to result in unauthorised access to my data.

Some will point to the many cases where various levels of government have proven hopelessly careless with our information (to the point of accidentally releasing vetting records with details of debt, extramarital affairs, drug use and use of prostitutes). But I don't think we can simplify this to a case of 'private sector good, public sector bad': some of the most notorious cases of releasing private information have been the fault of businesses - just think of the AOL scandal when records of people's searches were released, to remain posted on the internet to this very day. Private companies have a commercial interest in avoiding such scandals, to be sure, but is that any safer than trusting it to government?

Comment: UK Gov Plans Shelved

The shelving of plans for the Interception Modernisation Programme (IMP) has been reported in a number of different ways. According to the Independent this was effectively 'a cancellation of the Big Brother database' while the BBC reported that the UK surveillance plan was 'to go ahead'. In this confusion Slashdot resorted to the headline 'In the UK, Big Brother Recedes and Advances'.

I think the Register has this one right. The post makes three points:

1) Next year's general election (probably to take place in May) makes this a bad time to bring forward legislation that might provoke negative headlines. (Henry Porter has a nice point about the timing as well: with all the recent column inches covering the 20th anniversary of the Berlin Wall coming down, proposing big increases in surveillance invites comparisons with the Stasi all too easily).

2) Internet Service Providers, whose cooperation is needed for the scheme, are currently resistant. Before proceeding, government has to convince them of its merits and feasibility.

3) The players who want this (GCHQ, SOCA, ACPO, the Security Service, the Child Exploitation and Online Protection Agency and the Met) are not going away anytime soon:

Note that GCHQ and friends will still be around after the next election, as will their demands for IMP.

Ever the political pragmatists, the Tories know this well, and the section of shadow justice minister Dominic Grieve's recent speech on reversing the rise of the surveillance state was notably soft on IMP.

He said a Conservative government would submit the proposals to the Information Commissioner's Office to assess their impact on privacy. The ICO has already said it believes the case for mass surveillance of the internet has not been made.

News: UK Gov Plans to Snoop on Internet and Mobile Use Shelved

From the Guardian: a previously mooted £2bn surveillance project for keeping tabs on all British citizens' email, internet use, mobile calls and texts, is to be left out of the upcoming Queen's Speech, laying out the legislative plans for the coming year:

The Home Office ditched plans earlier this year for a central database tracking all phone, text, email and internet use. Instead ministers want internet service providers and phone companies to store this data for access by police and security services. The data includes who contacts whom, when, where and how – but not the content of what was said or written.

The Home Office summary of the responses to its consultation published shows that the internet and phone industry want assurances that they will be compensated for the costs involved and also fear technical problems.

Monday, November 16, 2009

Inadequate Information Sharing Again Cited as Key Problem

In the recent Fort Hood shooting incident, inadequate information sharing is again being cited as a critical flaw in government strategies to prevent acts of violence. The gunman, Maj. Nidal Malik Hasan, had come onto the FBI’s radar screen when he established contact with a radical imam believed to have ties to al Qaeda. When Hasan later underwent an FBI background check in the process of purchasing the firearm, which authorities believe he later used to open fire on soldiers at the Fort Hood base, the fact that Hasan was purchasing a gun was not shared with the Joint Terrorism Task Force (led by the FBI). The FBI, meanwhile, has issued a statement that their investigation had concluded that Hasan “was not involved in terrorist activities or terrorist planning.” Additionally, at least one military investigator was involved in that investigation; however, the fact that Hasan was under investigation was not communicated generally to military officials (see this story from ABC); that kind of disclosure beyond the Task Force requires the authorization of the Task Force supervisor from the FBI (see FBI Statement).

Monday, November 9, 2009

News: Resolution on International Privacy Standards Adopted

A resolution for International Standards on the Protection of Personal Data and Privacy was adopted at the 31st International Conference of Data Protection and Privacy Commissioners. A copy of the Resolution is available in Spanish here.

Friday, November 6, 2009

News: UK Local Authority use of RIPA to be Restricted

From the Times: The Home Secretary Alan Johnson has announced curbs to the surveillance powers of local authorities. Computer Weekly summarises the important proposals as follows:

• raise the rank of the authorising officer to at least director level;

• give elected councillors a role in overseeing how local authorities use covert investigatory techniques;

• require voters' communications with MPs on constituency business to be treated as confidential information, and therefore subject to authorisation by a higher rank of officer;

• treat covert surveillance of legal consultations as "intrusive" rather than "directed" surveillance, meaning it can be carried out only by very few public authorities;

• clarify the test of necessity and proportionality so that powers will not be used to investigate dog fouling or people putting bins out a day early.

News: More than 1 in 10 in UK on DNA Database

From the Telegraph: English and Welsh police have taken DNA samples from more than 5,500,000 people. Combined with Scotland and Northern Ireland there are almost 6,000,000 people on what the Telegraph are reporting to be the largest DNA database in the world.

News: Companies Clumsily Disclosing your Info may be Forced to go Public

From The Register: The EC is considering passing new laws that would make it mandatory for organisations which accidentally lose personal data to inform the people concerned and relevant authorities:

Supporters of such schemes say that the fear of public recriminations for data loss will improve companies' performances, while opponents fear that if every breach is revealed the public will become desensitised to the issue of data loss.

News: Romanian Constitutional Court Strikes Down Data Retention Directive

From EDRI: The Romanian Constitutional Court (CCR) has declared the Data Retention Directive incompatible with the Romanian constitution. The case was initiated by a Romanian NGO, the Civil Society Commissariat, who sued its mobile phone company for retaining traffic data according to the new regulations, forcing a CCR ruling on the law's constitutionality:

CCR has accepted the motion for law's unconstitutionality through decision 1258/2009, based on the breach of article 28 of the Romanian Constitution, which stipulates the secrecy of correspondence. Other articles invoked were articles 25, 26 and 30 which deal with freedom of movement, privacy and freedom of expression respectively.

Wednesday, November 4, 2009

Conference News: Madrid Global Privacy Conference & Declaration

I’ve just gotten back from a privacy conference in Madrid titled “Global Privacy Standards for a Global World” which was organized by The Public Voice. One highlight of the conference was the presentation of a Civil Society Declaration calling for the development of international privacy standards — and perhaps most controversially — a moratorium on “the development or implementation of new systems of mass surveillance, including facial recognition, whole body imaging, biometric identifiers, and embedded RFID tags, subject to a full and transparent evaluation by independent authorities and democratic debate." Numerous organizations and individuals have signed the statement (already dubbed “The Madrid Declaration”) and you can, too, by sending an e-mail to privacyATDatos-personalesDOTorg.

Another highlight was an emphatic speech by Stavros Lambrinidis, Vice President of the EU Parliament, declaring that the growing scope of surveillance within the western world is incompatible with democratic society and urging everyone not to simply allow the expanding creep of the level of surveillance to continue unchecked. There is a danger that the ultimate surveillance society will not emerge under a totalitarian regime, he claimed, but rather with citizens’ unreflected “consent.” You can have a look at what else was discussed by calling up the conference agenda here.

One special guest not listed on the program was a representative of Un barrio feliz – a grass-roots movement which has sprung up in opposition to plans to install a system of video surveillance cameras in Madrid’s Lavapiés district. You can view the movement’s blog in Spanish here. One major complaint was that the police have not been forthcoming concerning the plan and the underlying reasons for it. We heard that the local police have cited different grounds for installing camera systems in other neighborhoods (in one case – pick-pocketing, in another – prostitution), and that cameras were needed in Lavapiés because unsavory characters inhabited or frequented the area. The speaker from Un barrio feliz, however, reported that crime statistics indicate that criminal incidents have been decreasing in Lavapiés, making the police’s explanation all the more baffling. Lambrinidis picked up on these examples in his speech to question whether many of the methods of surveillance that have been proposed or implemented could be deemed necessary, proportional, and appropriate in a legal sense.