BREAKDOWN OF TRUST (re DATA SECURITY)

Hot on the heels of their excellent "2007 International Privacy Rankings", those good people at Privacy International have published figures showing a huge collapse of public trust in the Government's ability to hold our personal data securely.

Of course, of itself, this isn't particularly surprising or startling news. In the wake of the HMRC fiasco and the steady and recurring drip of revelations about the failure of individual Departments to protect our data - following on from the scandalous breach of the loss/theft of an RN laptop, this from the Ministry of Justice is merely the latest cock-up that has come to light - I am surprised that anyone has any faith whatsoever in a presumption that the Government can demonstrate even a smidgeon of competence in this field. No, what makes PI's report interesting are two associated consequences/repercussions.

First, it would be naive to assume that this breakdown of trust will confine itself to our interactions with Government. As PI's text points out, it will inevitably leech into the broader context of e-commerce generally - that is to say in both the public and private sectors (something confirmed, at least in part, by the FSA's recent Financial Risk Outlook): "At this stage it is not a simple matter to predict the potential financial impact of such a trend, but it is quite possible that the economy's growth could be inhibited if trust in data security continues to erode. The cost could easily run into billions of pounds per year". With the UK/world economy looking ever-more flaky (post N.Rock, the credit crunch, et al), the timing of this could not be worse, especially in terms of the direction of the psychology of the market (as per recent stock market volatility being a function of a lack of confidence). As Simon Davies says, this makes it a matter of considerable urgency that the Government should get a grip on the means to re-establish trust as soon as possible - although, as this piece from Rosemary Jay at out-law.com makes plain, the prospect of this looks exceedingly remote. Failure to do so could have the unintended consequence of entrenching the downturn in the economy more deeply.

This leads to my second point. I would guess that, whatever their public utterances, the various Government Ministers who have some measure of responsibility in this field are in a blind panic - if not worse, much worse - as to how to retrieve the position. In fact I have it on good authority that they have even resorted to approaching various privacy advocates with whom they have been conducting something akin to open warfare vis a vis ID cards for suggestions/advice. This would be laughable if it wasn't so serious! But their blind adherence to the Government's perceived wisdom about data management/Transformational Government/&c (all that tripe) means that their minds are closed to any sensible suggestions that may come their way. In their current mindset, all that is left to them is to shift the deck-chairs on the Great Bottler's good ship Titanic.

So, dear reader, whoop-de-do, things are going to get worse before they get better, not only in terms of data security/management but also the economy. And I reckon that, in the current climate, the best thing to do is to hold on to that distrust for a while as the best way of riding out the twin storms of Government incompetence over data security and the economic downturn.

ONE LAW FOR THEM ...

When one reads about this sort of thing, one really does wonder why our lords and masters find it so difficult to comprehend that we are so disengaged from the political process. It is a classic case (pace MPs' pension arrangements, salaries/expenses, &c) of them locking themselves in their ivory towers and assuming that the (idiot) general public can be subject to the full force of the law (with all its foibles, failings and flaws) while they sail blithely above it! So why should the security of the personal data of the general masses be less robust than that of anyone who lays claim to so-called 'celebrity' status? As Mark Wallace of the Taxpayers' Alliance says, it "is a completely unacceptable double standard." Bear in mind too that the same sort of procedure is built in to the ContactPoint database - as I understand it, the personal details of the chidren of parents accorded 'celebrity' status are afforded similar 'extra security measures' on the database.

In fact, in statutory terms, these sorts of arrangements could well be challengeable on the basis of hybridity. There is a general presumption that the law should treat all citizens as equal and that putative special categories of individuals should not be singled out for preferential treatment under it, as seems to be the case here. That said, I'm uncertain what the appropriate means of redress would be in these circumstances.

HUMAN RIGHTS CHALLENGE TO RIPA?

Outlaw.com has a mildly speculative piece about the possibility that the recently introduced provision (under the Regulation of Investigatory Powers Act) to force the handover of encryption keys could be challenged under the Human Rights Act.

Insofar as this is accurate, it is both very welcome and potentially very far-reaching. It infers that, intriguingly, a whole raft of anti-privacy-related legislation (varying from the security regimes at airports, through ContactPoint, all the way up to ID cards) could be subject to the same sort of risk. Indeed, if any such action were ever to be tested in the Courts, it could even have ramifications for the current inadequacies of the requirement of Ministers to make Section 19 declarations under the terms of the Human Rights Act on the face of all Bills presented to Parliament.

However, as the piece makes plain, the current law has been drafted so that, in essence, the State can both 'have its cake and eat it'. As it points out the difficulty is that the 'European' equivalent to a 5th amendment right is not absolute but will rely upon the interpretation of the courts in the circumstances of the case - an elegant solution for the State but, I venture to suggest, not one that works particularly well in the interests of the citizen.

Nevertheless the article does raise two specific issues in my mind. First there is the issue as to whether the appropriate safeguards - level of authorisation, &c - are sufficiently well-defined in statute and are adequately transparent and accountable. I question that. Second, as William Malcolm observes in the article: "The whole purpose of the Regulation of Investigatory Powers framework is to place on a statutory footing, on a transparent footing, the way in which law enforcement agencies and national security agencies access these materials". In other words, its purpose is to deliver legal certainty. But, on the basis that the current policy may be challengeable in the courts and that the outcome of any such challenge would be dependent upon how the relevant court interpreted the circumstances of the case and theavailable evidence, that certainty simply does not exist.

Not for the first time, the policy-makers and legislators seem to have managed to make a pig's ear out of a silk purse!!! Still, we shall see.

ID CARDS - WHERE ARE THEY NOW?

There has been much speculation about the scrapping of the ID cards policy in recent days (here and here) - and an especially fatuous analysis of the politics of this from the BBC. Here I stand by my previous analysis about this which is a matter of record (for example here). For a variety of reasons (principally concerned with political calculation) the Great Bottler has always been lukewarm about the whole ghastly project. In the current climate, I would go further; he will be calculating that it would be in his (and New Labour's) best interests to neutralise the electoral liability that they represent (all the more so in the wake of the HMRC fiasco). Nevertheless he will only move on the issue at a time of his choosing when he reckons both that he will not be seen as a 'victim' of events and when he can maximise the potential political advantage of doing so. That said, I am prepared to concede that the looming prospect of them being kicked into the long grass has probably edged somewhat closer.

But - and it's a massive but - ID cards are merely the visible part of a huge iceberg - it's what we can't see under the surface of the water that really matters. Those excellent bods at No2ID (and many others) are only too well aware of this - in deliberately choosing to target the whole "database state" rather than ID cards in isolation. Indeed, the Great Bottler is no doubt equally well aware of this (which may in part explain his diffidence on the subject thus far) and will be factoring this in to his eventual decision about the policy. The stark reality - and sad truth - is that, however desirable the scrapping of ID cards may be, their demise will do nothing to exorcise a principal plank of policy that causes the greatest degree of concern: i.e. the availability to Government of a comprehensive digital footprint of our whole-life experience in the minutest detail. So, the passport database, eventually covering round about 80% of the UK population (after all it was always intended that this would provide the backbone to the National Identity Register), will continue to exist and operate. Legislative provision for serial data-sharing across Government continues relatively unabated. Et cetera, et cetera. And, if a little ironically, what makes all of this so much worse is that the accountability and transparency of the regime - as compared with the situation that would exist with full implementation of ID cards - is all but non-existent. Again this may explain why the Great Bottler is attracted to this approach as to all intents and purposes it is the delivery of the policy by stealth, something that he has proved himself to be especially adept at over the years!

What is is frustrating - and depressing - is that our politicos, for all their high-minded rhetoric in opposition to ID cards, appear to be either unable or unwilling to recognise this (e.g. Calamity Clegg's grandstanding on the issue a few weeks ago). I can't help feeling that all of us would be very much more comfortable about our political process if those engaged in it could at least exhibit a full grasp of the issues facing them; indeed, that might inspire us to respect them a little more!

And what is now required above all else - a persistent theme of mine - is a root-and-branch re-think of the whole sorry mess of identity/data management by, for and on behalf of government, together with new primary legislation to attend to these matters in a coherent way. Will any of the parties have either the wisdom or courage to grasp this nettle? I'm not holding my breath!

UK = "ENDEMIC SURVEILLANCE SOCIETY"

I'm sure you will have noted that Privacy International published their "2007 International Privacy Ranking" a few weeks ago. Indeed there was some comment on the Report at the time (for example here from The Register and here from Spyblog) - and to this extent I concede that this is something of a 'catch-up' post. We can make of the Report's findings what we will. But the criteria that PI have deployed to make their assessments are appropriately objective. And on that basis it makes for decidedly uncomfortable reading.

Two things in particular strike me about the Report. First the trend in both the UK and the USA is undeniably towards ever greater erosion of our privacy rights. In other words the position defined by the Report is no blip on the radar. Rather, however well-intentioned some of the imperatives that underpin it may be (improvements to public services, prevention/detection of fraud, or what-have-you), it is an entrenched and relentless policy direction.

Second - and much more importantly - the right to privacy (and the attendant provision of adequate safeguards against the intrusion of the State into our daily lives) is a fundamental building block of a free society. Therefore, as sure as eggs is eggs, its emasculation makes us less free. If we stop to think about the somewhat woolly concept of 'The War on Terror', we can adopt a simplictic view that it is being 'fought' - I use the word advisedly - to protect our essential freedoms from the encroachment of the fundamentalist - perhaps even barbaric - ideology of the terrorist cause. The irony is that the assault on our privacy rights is justified in no small part on the basis of it being necessary in the interests of national security and to protect us from terrorist-inspired outrages. Accordingly I hope I'm not alone in supposing that it is perverse - some might even say asinine - to abate quintessential democratic freedoms (that of privacy in all its guises in particular) as a conscious and deliberate policy imperative when, to all intents and purposes, the declared aim is to defend them.

Now it may be that, at least superficially, privacy is less valued in societal terms than once it was. Innovations such as Facebook, MySpace, (perhaps even blogging) and others of this ilk are illustrative of how easily the (as it were) security of our privacy can be fragmented as a function and/or consequence of our interaction with the Internet and the Web. For my part I suspect that the vast majority of users of such sites are blissfully unaware of the way(s) in which their adherence to them either can or does undermine their privacy rights. In effect it is, in the main, an unintended - and, if considered properly and on the basis of full understanding, unwanted - consequence of 'buying into'/keeping pace with the latest technological advances. In other words it isn't so much that privacy is valued less; rather, in the context of how the Web works, it is less understood and/or misunderstood. What matters here is that the societal changes wrought by the Web/Internet make it more, not less, important that the right to privacy should be defended.

The upshot is that the policy direction here as espoused by our lords and masters (in both the UK and US) is completely and utterly wrong. It is absolute garbage. Methinks, time for a change (not least of direction)!

NORMAL SERVICE WILL RESUME SHORTLY

A belated - but no less sincere for that - Happy New Year to one and all (more likely the former) who pop in to have a look at my musings.

Clearly I haven't been posting anything over the past few weeks. I apologise for that. For no particular reason I decided to extend my Christmas/New Year holiday, a) because it seemed like a good idea and b) because I have an extremely generous employer (myself!) who let me do so.

Still, I'm back in the saddle now and, as the title says, normal service in terms of posting will now resume although you may have to bear with me for a little while as I catch up with all the paper-work/correspondence that I've neglected for the past month or so. And it may well be that I feel inspired to do a few "out-of-date" posts as I trawl back over the events/news/&c of the last month or so; inevitably there will be some items that I feel worthy of some sort of comment even if they are now "history".

Once again an exceedingly Happy New Year to y'all!!!