Thursday 29 July 2010

A licence to print money?

My oh my, the good people that make up the Article 29 Working Party have been busy bunnies recently. Data retention, RFID, standard contractual clauses – it’s enough to give any serious privacy blogger repetitive strain injury.

Their latest offering goes by the innocent name of “Opinion on the principle of accountability” and Matron would surely have dismissed it (and hence missed it) as some sort of administrative porn had the term not cropped up recently in a number of submissions to the European Commission’s online consultation on the future of the EU data protection framework. And indeed, the opinion is designed to put ideas into the heads of those folks at the Commission who are currently trying to figure out what needs to be done to bring the existing EU data protection regime into the 21st century. Since Matron closely follows everything relating to the long-promised review of the EU Data Protection Directive, she decided to take a peek and what a revelation it has been.

Accountability, you see, describes (very inadequately, Matron feels) what could well be a completely new way of “doing” data protection. As the Working Party itself readily admits, the term has real meaning only in the English language, so heaven knows what the EU translators will make of it. But, in essence, it is the very simple idea that if you are supposed to do something, you should not only do it, but also put processes in place that ensure that you do it well and provide evidence to prove that you have done it properly and in accordance with those processes. In practice, this usually amounts to a whole lot of dead trees and I am sure that, if this blog is read by any members of the health, social services or teaching professions, they will by now sagely nod their heads.

Matron has always had a difficult relationship with the whole accountability concept, partly on account of the dead tree issue, but partly because she can’t help thinking that the time spent on recording what one has done would, in most cases, be better spent on actually doing more of it. At the very real risk of sounding like a Big Society Tory, noting on a patient file – as has happened in the case of Mrs. Matron's grandmother – that “Lily Rose is dehydrated” is not much help when there is then no one who has the time to bring her a glass of water and make sure she drinks it. But putting such petty prejudices aside for the moment let us look at what the Working Party actually has to say.

It starts with making a few salient points that we would all do well to remember even though they are, to the informed privacy wonk at least, rather obvious. Namely, that the growth of information and communication systems and the increasing capability for individuals to use and interact with technologies has changed the rules of the game for the processing of personal data. In a digital world where more and more companies hold more and more of our data and in an on-line environment where personal data has “become the de facto currency in exchange for on-line content” we have to make sure more than ever before that those who use personal data implement “real and effective internal mechanisms” to protect that data. So far, so much Matron is in agreement.

Also, data protection breaches have the potential to be much more devastating in a networked environment where – as Matron's pal Pangloss once put it – it is no use shutting the stable door once the data has bolted. And it is by no means only the data subjects who should worry. With increased penalties (both monetary and custodial) coming into force in many EU member states, data controllers should have a good enough incentive to play by the rules. And that says nothing about the potential damage to their reputation.

However, despite these threats, experience has actually shown that many data controllers pay little or no attention to data protection provisions. In fact, by and large they seem to rely on the –possibly correct - notion that the national data protection authorities are so underfunded and so overworked that the odds of them ever being caught are miniscule. Rogue data controllers are all too often able to vanish in the crowd and unless our cash-strapped governments pump vast amounts of money into enforcement activities (a likely event!), we will all have to live with the consequences.

Which is why, for example, the Information Commissioner’s Office here in the UK has long been engaged in what can only be described as a battle for the “hearts and minds” of data controllers. Publication after publication was produced intended to convince data controllers that there is some commercial or economic benefit to be had from implementing data protection rules. Their latest attempt, a document called “The Privacy Dividend”, makes this point on a seam-busting 93 pages. That’s almost as long as the iPhone Privacy Policy and that’s saying something. No matter, the CEOs aren’t buying it! Data protection costs money, and money is what we all have too little of at the moment.

So, if they won’t come by crook, maybe it is indeed time for the hook, in this case in the form of a “revised legal architecture of accountability-based mechanisms”. But what should these systems look like? Well, for a start they are supposed to consist of a two-tier system with the first tier comprising a legally binding statutory accountability requirement and the second tier including a number of additional, but voluntary accountability systems. Ignoring for the moment the point that any “voluntary” systems are likely to go the way of all St Augustine dilemmas (“make me pure, but not yet”), Matron wishes to pay particular attention to the general accountability principle which, so the Working Party, should be inserted into the revised directive as an additional principle with which data controllers have to comply. It has even proposed concrete wording for such a new Article, which Matron is happy to share with you:

Article X - Implementation of data protection principles
1. The controller shall implement appropriate and effective measures to ensure that the principles and obligations set out in the Directive are complied with.
2 The controller shall demonstrate compliance with paragraph 1 to the supervisory authority on its request.

As the legally astute will quickly divine, the new principle has two elements: a requirement to take appropriate and effective measures to implement data protection principles and a requirement to demonstrate upon request that appropriate and effective measures have been taken (sound familiar yet?).

Although the Working Party shies away from postulating the incorporation of specific types of measures into the revised directive, it’s reticence does not go so far as to prevent it from making a number of suggestions. Among other things, it thinks that in the future data controllers should:

  • adopt internal policies and processes necessary to implement data protection principles;
  • appoint personal data protection officials;
  • map procedures to ensure proper identification of all data processing operations and maintain an inventory of data processing operations;
  • set up procedures to manage access, correction and deletion requests which should be transparent to data subjects;
  • establish an internal complaints handling mechanism;
  • set up internal procedures for the effective management and reporting of security breaches; and
  • perform privacy impact assessments.

And here is where Matron is in two minds about this noble endeavour. On the face of it, all these activities sound very useful and, indeed, if fully embraced by data controllers they would vastly improve the way in which personal data is processed in this country. This is what data controllers should be doing anyway and Matron is forever frustrated, if she comes across a company that happily goes ahead with some harebrained business scheme without giving any thought to the potentially disastrous data protection implications (in fact, in some cases, the term “harebrained” is an insult to the proud species of hare!). But the way Matron sees it, the introduction of such a principle would in no way solve what is the real problem here: the complete lack of oomph behind the enforcement actions by national data protection authorities.

Admittedly, some of this enforcement would be “outsourced” to the data controllers themselves through an additional requirement to have the effectiveness of the accountability measures verified regularly through monitoring and internal and external audits. The Working Party also, possibly correctly, claims that these requirements would strengthen the position of data protection authorities which would have the power to request evidence of compliance from the data controller. This, so the Working Party, would provide the authorities with “very relevant compliance related information”. And if such information was not forthcoming, data protection authorities would have an immediate cause of action against data controllers, independently of the alleged violation of any underlying data protection principles. All true, no doubt, BUT IT WOULDN'T GIVE THEM ANY MORE MONEY TO DO THIS VASTLY MORE DEMANDING JOB!

Also, the latter argument sticks in Matron’s craw. In fact it reminds her (yet again! Does life forever imitate art?) of a particular Yes Minister episode, where an Under-Secretary patiently explains to Hacker that a local council which failed to return its annual statistics was nevertheless highly effective (virtually all its children could read and write, even though they had a progressive education!). They just didn’t like sending bits of blue paper to Whitehall.

Maybe Matron is unfair in this instance (if so, please make coherent arguments as to why this is so in the comments section). Maybe this would turn out to be more than just a paper exercise. But, as the Working Party itself admits, compliance with an accountability requirement does not automatically ensure compliance with the actual data protection principles. And surely that is what counts? But for that to be achieved, we need people to take ownership of data protection, to realize what insufficient protection could mean for them as individuals, to close the gap between the privacy haves and have-nots.

Is this plan going to help achieve that objective? Maybe. Is it going to make a lot of lawyers a lot of money? Almost certainly. Matron, who make a living out of drafting the sort of documents companies would be required to adopt is already secretly compounding a portfolio of materials in her head that might allow her to retire to some place warm and appealing rather earlier than she had previously hoped. In fact, this almost seems to be one of the Working Party’s desired side effects when it states that the introduction of the accountability principle will “contribute to the development of legal and technical expertise in the area of implementing data protection requirements as highly knowledgeable individuals with technical and legal understanding in the field of data protection, with abilities to communicate, train staff, set up and implement policies, and audit will be indispensable in this area”. You’re not wrong there mates! Just let me get a shovel for all that dosh.

Overall, the whole approach seems to owe a lot to the concepts already tried in relation to Binding Corporate Rules (BCRs) (see here for the Working Party’s guidance on those to verify this statement). To date, the uptake of BCRs has been spectacularly slow because the immense effort and cost involved in putting them into place has meant that they were only ever economically viable for big global groups of companies. Is it really a proportionate approach to extend these sort of requirements to all data controllers in the EU? And will it win those hearts and minds or will in alienate data controllers further? Answers on a postcard, please!

Thursday 15 July 2010

An opening salvo?

After many weeks of joyful distractions, Matron just spent a few days concentrating on the day job and, among other things, dutifully worked her way through the EU Working Party’s Report on the implementation of the Data Retention Directive. At the risk of teaching grandmothers to suck the proverbial eggs, that is the small innocuous piece of EU legislation that requires EU member states to impose an obligation on its telco providers and ISPs to retain all data relating to the telephone call made and e-mails sent by us, the Great Unwashed. Sender, addressee, time of transmission, location of transmission – you get the picture. As will the law enforcement authorities and selected others who may access that data. The full picture. Of all of us.

While the WP’s report does not include the comprehensive condemnation of the Directive that many were hoping for, it makes for interesting reading. Of course, the easy explanation for the lack of condemnation may possibly be that there was nothing to condemn as yet. According to the report, only a few member states did provide the requested information regarding the number of requests submitted to providers, the cases where the requested information was provided and those where the provider was unable to make available the requested data. Nor is data available about the time elapsed between the date on which the data were stored and the date on which the authorities requested transmission of said data. As the WP rightly points out, this lack of information makes it somewhat difficult to evaluate a) whether the prescribed retention periods are realistic and b) whether the mandatory retention of traffic data is actually necessary to combat crime and terrorism. In an ideal world both of these questions should obviously have been asked before the Directive was adopted, but when did evidence-based policy making last get in the way of a good lobbying campaign (the British DEAct debacle is a point in case)?

The fact that the questions are asked only now, when the Commission is seriously considering either revoking or at least substantially amending the Directive, may make for some amusing debates. Matron wonders in whose favour this lack of information will be interpreted. Will member states pipe up that it is far too early to even consider a revocation, given that we do not yet know, whether the sodding thing worked in the first place? Or will the Commission - as it should properly do - remind law enforcement authorities that the burden of proof of showing that retention is necessary is on them. No statistics, no further retention? That would be the day.

But while we wait for this issue to resolved, here’s a short summary of what Matron considers to be the highlights of today’s report:

1. Very interestingly, the WP interprets the DR Directive as a derogation from the general requirement on providers to erase all traffic data when it is no longer required for billing purposes. It takes this to mean that the list of data to be retained under Article 5 of the Directive is exhaustive and that member states must not require ISPs to retain any additional data categories not mentioned in the Directive. This is likely to come as a bit of a shock to those member states which, like the UK, have shown an interest in using domestic law to impose retention requirements for traffic data generated by users of social networking services and search engines. Of course, things have changed even in the UK and we live in an entirely new political environment now. But Matron seems to remember the write up of a meeting of a parliamentary committee circa 2008 where laws of that nature were demanded by a number of Tory MPs and peers. Despite the coalitions promise that it “will end the storage of internet and email records without good reason”, it all depends – as better minds than Matron’s have already pointed out – on how you define “good reason”.

2. Although, the DR Directive gives member states a choice to impose retention periods from 6 to 24 months, 78% of member states actually require the retention for 12 months or longer. The WP seems quite concerned about the discrepancies in retention periods between the different member states as this impacts on the principle whereby EU citizens “can enjoy throughout the European Union the same level of protection”. It also means that the costs to be borne by providers can differ considerably from country to country which, in turn, may affect competition. Matron is sure that this fact was pointed out to the law makers when the Directive was first adopted but, of course, she may be wrong here.

The interesting question arising from all this is this: if the WP favours a harmonised (i.e. applying in all member states), single (applying to all data categories) and shorter retention term and given that the German Constitutional Court has already quite categorically stated that it deems anything above six months to be unconstitutional under German law, is this the best indication yet that we are heading for a harmonised 6 months retention period? Not ideal, but definitely “bird-in-the-hand” material.

Scarily, the WP also found that there were some serious violations of existing laws by the provider. First, it found that in some cases data is actually stored for longer periods than those set forth in the DR directive. In some cases data was retained for as long as 36 months, and in one case the storage period was found to amount to 10 years. Secondly, the WP found that one EU member state (which was not named) actually used DR Directive to retain the content of SMS messages to which the security services were then given access. Matron can only hope that infringement procedures will be commenced against that member state forthwith.

3. It seems that the security measures taken by individual providers vary wildly with bigger providers generally found to employ higher security measures. No surprise there, given the cost of putting in place such measure, but it’s nice to see that conclusion in black and white nonetheless.

4. The extent to which, and the way in which, access is granted to law enforcement and other public authorities also seems to vary. So much so that the WP calls for inclusion of provisions in a revised Directive that would regulate the modalities of access. Among other things, it recommends that:

a) data should only be accessed by duly authorised staff

b) strong access control to the retained data should be maintained; and

c) detailed tracking of accesses and processing operations by way of log retention, via logs recording at least user identity, access time, file acceded should be carried out.

Another announcement from the Department of the Bleedin' Obvious then but - in the WP’s defence - it has always advocated that access to retained data should be addressed in the same legal instrument as retention. But on this, as on many other issues, opponents were outmanoeuvred during what is still the shortest EU legislative procedure on record. Which plays no small part in the current problems those opponents have in persuading a court – any court – to accept the Directive and its implementing laws for judicial review to establish once and for all its human rights credentials. Maybe, just maybe, the EU institutions will see sense when negotiations of the Directive are opened up once again. And maybe the porcupine flying squad will presently take off at the back of Matron’s garden.

5. We all felt it on some level of inner consciousness, but now we know for sure: the definition of what constitutes “serious crime” (for the prevention of which data may be retained) is different in each member state. Which means that different member states have taken different approaches to the purposes for which retained data may be accessed (unless, of course, you live in the UK or in Germany, both of which have dispensed with the “serious” bit altogether – albeit that Germany was told “nonononono” by its Constitutional Court. No such luck in Britain). The WP recommends that, at the very least, each member state should have an exhaustive list of crimes that it considers to be “serious” and that, at best, this list should be harmonised at European level.

6. The WP thinks that the decision of whether or not law enforcement authorities should be given access to retained data should be up to judicial authorities. It seems a reasonable demand, but, of course, it would generally exclude all those members of the executive (like ministers, police superintendents, senior officers and duty managers) that are currently persons designated to request access to traffic data under the UK Regulation of Investigatory Powers (Communications Data) Order 2010. So what are the chances of this finding its way into a revised Directive? Who knows.

Overall, Matron can't help thinking that the WP’s report reads like a giant exercise in “I told you so”. Will it be enough? Do we have the right narrative this time round? Matron isn't sure. But it’s a start. An opening salvo. Next!

Thursday 8 July 2010

Kylie cocktails all round!

It must be National Common Sense Week. In the last two days, Matron has noted not one but two positive developments in the area of civil liberties.

Today, the Home Office came out with the surprise announcement that it would suspend the dreaded section 44 of the Terrorism Act 2000 under which police officers were able to stop anyone in a designated area without having to show reasonable suspicion. According to the Guardian, the powers were used on more than 148,798 occasions which leads Matron to believe that this includes more than it's fair share of "driving-while-black" incidents. Admittedly, the decision follows a decision by the European Court of Human Rights in January that the powers were too extensive and therefore unlawful. What is particularly heartening, however, is that the announcement was made only a day after the fifth anniversary of the London bombings, normally - Matron would expect - a trigger for the introduction of more security theatre like measures.

Not wanting to be outdone, the Supreme Court then decided yesterday that gay and lesbian asylum seekers have the right to remain in the UK, if there is a danger that they would be persecuted for their sexuality in their home countries. The Home Office has apparently accepted the ruling and has confirmed that the policy would be changed with immediat effect. Of course, the proof of the pudding will be in the eating, but such a quick and humble reaction is sure to be commended. Long may the civil liberties honeymoon of the coalition government continue.

Matron first read about this development in the Guardian, a paper she can generally read without the risk of increasing her blood pressure to dangerous levels. However, even as she read it she wondered what the Daily Mail would make of this. Today she checked and in true form the country's most cherished chip wrapper has its priorities dead right. Gays can stay, it quotes one of the judges (who surely should have known better) because "they must be free to enjoy Kylie concerts and cocktails". Nothing to do with the threat to their life and liberty in countries like Uganda and

On the other hand, Matron cannot shake off the feeling that we are paying a rather high price for these victories. With news of ever more asinine spending cuts, she fears that things in her part of the country will become very unpleasant very soon as a growing number of people experience the direct fallout of policy measures deviced by peole who have no real experience of life on the breadline. So while we still can: Kylie cocktails all round!

Monday 5 July 2010

Pointing out the GRINDRingly obvious

Matron was happy to see that despite the England defeat, Germany’s victory against Argentina prompted much of British media to heap praise on “die Mannschaft” for the quality of their game, their organisation and their efficiency. This idea of quality, organisation and efficiency is one that Matron often encounters when talking about German virtues to her British neighbours (“German cars are the best”), handimen (“I would always only recommend a German [boiler][washing machine][shower]”) and colleagues (“I timed every stop and the train was always on time”). Surely, were we to think of an animal that best represent the national stereotype, it would have to be an ant colony.

Of course, that sort of organisation and efficiency has its downsides when put to the wrong use. Many of the atrocities against the Jews and other minorities were substantially facilitated by the well organised nature of the German authorities’ citizens archives. The totalitarian regime in the former GDR was made possible throught the giant surveillance machinery with which the Stasi controlled ever aspect of the citizens’ life. Many of the documents from the Stasi archives were shredded by the Stasi just before the Wall came down and the remains of those shredded files have been collected in thousands of black bin bags. For the last few years, the documents have been reassembled in a warehouse in Nuremberg in a painfully slow manual process that is expected to take a few more centuries unless current plans to develop a system for virtual reconstruction are successful. Such is the sheer scale of the information held by the regime.

Matron has always wondered what would have happened if both the Nazis and the Stasi had had access to modern day information and communication systems. Centralised or fully networked systems that would have allowed instant access to information to almost ever member of the regime. What would it have meant for German citizens, and what for those who dissented?

Matron – in one of the weird cross-species jumps that her mind sometimes performs - was reminded of this when she read an article in yesterday’s Observer about the rise among gay men in the use of Grindr. Grindr, for those who , like her, are hopelessly out of the popular culture loop, is a “free downloadable iPhone app” which uses GPS technology to permit its members to locate “gay, bi, curious guys for free near you!". It invites you to download its app onto your iPhone and to “upload your pic and build a profile”. After that, each time you switch on the app, up pop the pictures and profiles of any other Grindr user in your immediate vicinity. The app then lets to you chat to them or approach them in person.

Matron strongly suspects that the social encounters resulting from this groundbreaking technology will not take place over a cup of coffee (at least not in the first instance). But before coming over all Daily Mail-ish, let her assure you that it is not the corruption of sexual mores or the leading astray of impressionable young children that she is concerned with.

No, Matron’s initial as-per-usual Luddite reaction was “Are these people insane?” The privacy implications of “proximity dating” technologies like this are mind-boggling in any case. Combine that with the fact that these guys are effectively broadcasting their sexuality to the nation and this should be enough to bring anyone with a slightly above average level of paranoia out in hives.

So, before everyone lines up in an orderly queue to follow Stephen Fry over a cliff (God knows, Matron loves the guy, but his gadget obsession and his love for all things Apple make her despair sometimes), here’s a few questions, Matron would like Grindr users to ask themselves:
  1. How much do you actually know about the guys you’re about to meet? It’s a free app that requires little in terms of identity verification, least of all verification of the fact that they are actually “gay, bi, curious”. It can be used by anyone. That hot guy coming on to you? His mates could be waiting around the corner and their sole aim of using Grindr may be to kick your head in. According to the BBC, homophobic crime in London has risen by nearly a fifth in 2008/09 with gangs attacking people outside gay bars in east London on a number of occasions. In the US, which in these things - as with most new technologies - is a step ahead of us, LGBT groups have already voiced concern about an increase in “pick-up violence” targeting gay men “who use websites, chatlines and phone applications to meet other men for dates”. Of course one could argue that you take a similar risk by using other gay dating services. But at least those services do not require you to emit a rainbow coloured beeping signal to every passing thug looking for a bit of fun on a Saturday night.
  2. How long is it going to take until technology like this is used by younger people, particularly those still in school? And how much longer, again, until it becomes a tool for homophobic bullying? Cyber bullying is on the rise in the UK. A recent survey showed that 20% of Year 6 students had experienced some form of online harassment from other students. At the same time, according to Stonewall, “almost two thirds (65 per cent (75% in Faith schools)) of young lesbian, gay and bisexual people experience homophobic bullying in Britain’s schools”. Put the two together and you have a potentially explosive combination.
  3. What is Grindr going to do with your data? And who might be interested in that data in the future? Remember, you are effectively adding yourself to a giant list of gay people that is held in a database owned by someone over whom you have no control. Grindr, Matron repeats, is a free service. How does it make money? It will most likely be able to track with whom you have been chatting, thus building up a picture of your social network that it may be able to exploit commercially. It may decide to sell that information (have you read the Terms & Conditions?). Its database might be hacked. The police, security services or other public authorities may decide that they should have access to it (there are already developments under foot to force social media providers to retain, and provide public authorities with access to, certain traffic data generated by their members). It’s the sort of information, for which homophobe totalitarian governments would literally kill. Imagine how convenient this would be for a government in a place like Uganda?
Of course one could argue that the existence of an app like this is also a sign that we may finally have reached a point where gay people feel able to live openly in a society that has become more acceptable of homosexuality. It is true, homosexual acts are no longer criminalised, we have anti-discrimination laws and the straight community has at long last agreed to share their constitutional right to state-sanctioned misery with us by granting us the right to enter into civil unions (and to dissolve them pronto, as we see fit). Some of us may feel a slight feeling of unease at the thought of the ConDem Alliance, but very few seriously believe that the new coalition will try to turn back the tide on gay equality. But it ain’t all cavorting bluebirds and melting lemon drops yet, folks. We are still a long way from Emerald City. Religious fundamentalism is on the rise in Britain. Certain employers can still sack you or refuse to employ you because of your sexuality. The social stigma prevails in many communities. In the US, gay men are still not allowed to give blood. And the number of people who are too afraid to be out to their families remains far too high.

And we none of us have a chrystal ball to show us what the future brings either. Things have gotten better for so long now, that we have forgotten that there may come a time where they get worse again. It seems unlikely now but shouldn't we at least be prepared for the possibility? So this is a reminder to all gay men out there to not let yourself be ruled by your appendage to a point where it clouds your sense of caution and self-preservation. It’s a brave new world out there. Be safe, don’t be stupid!