Nude scanners, suspicionless travel surveillance, gene patents and other stories

I had plans this week to comment on US Supreme Court oral arguments in AMP v Myriad Genetics on the dispute over the BRCA1 & BRCA2 gene patents, the Court's refusal to hear the email privacy case, Jennings v. Broome, the Report of The Constitution Project’s Task Force on Detainee Treatment, Privacy International's OECD complaint against Gamma International for supplying surveillance technologies to Bahrain, the US Supreme Court decision last month, in Kirtsaeng v. John Wiley & Sons,  to allow the parallel importation of copyrighted works. I also intended to complete a long overdue analysis of the NLA v Meltwater appeal decision which is now so late that the UK Supreme Court has got round to referring it, this week, to the European Court of Justice. Sadly the day job left no space. 

So I'll refer you instead to KEI's and Scotusblog's analysis of AMP v Myriad, Ritika Singh's thoughts on the Constitution Project report, KEI's analysis of Kirtsaeng, IPKat's persective on the NLA v Meltwater ECJ referral, and PI themselves on the Gamma complaint. (Jennings v Broome I haven't got any detail on but thanks to Caspar Bowden for alerting me that it had happened).

I'd also recommend a CATO Institute event on travel surveillance with Edward Hasbrouck, (also PapersPlease.org) and Ginger McCall Director, Open Government Program, Electronic Privacy Information Center. Video embedded below.



Hasbrouck focused on the suspicionless surveillance dragnet that now surrounds multiple modes of travel and the massive government coerced transfer of personal data to the travel industry; to which the US government has open unrestricted access. (His slides for the talk are available in full at http://hasbrouck.org/articles/Hasbrouck-Cato-2APR2013.pdf).  He provided multiple examples of permanent and growing files retained by the US government of personal travel throughout the US, Europe and Canada by air, train, bus, private car and even Shank's mare. He accused US companies doing business in Europe of "almost totally" ignoring data protection law and EU data protection authorities of completely failing to enforce the law. On what to do about all this he argued:

" We don't get rights by appealing for them...

We retain rights by exercising them.

The only way is to say no to illegal orders and demands, take the rap and fight it.  Unless people stand up and say no this is not going to move forward. "

Ginger McCall was there to talk about digital strip search machines at airports and EPIC's partial success in challenging the TSA on them. She believes the TSA's public comment process provides a unique opportunity to influence TSA policy on the scanners and that it's really important that ordinary people as well as experts with deep understanding and empirical data participate. She also spoke eloquently about the government and TSA attempts to control the language of the debate on the machines. Over the years "full body scanners" became "body scanners" and now "advanced imaging technology" which they define as "screening technology used to detect concealed anomalies without requiring physical contact with the individual being screened". So much more sanitised that latter terminology don't you think?

Both Hasbrouck and McCall agreed that conditions imposed on the exercise of a right - in this case to travel freely without undue interference from the government or its agencies, public, semi-private and private - must be subject to scrutiny and oversight. In particular, such conditions must be proven to be actually effective in achieving whatever public interest objective is being pursued but also be shown to be the least restrictive approach to achieving that objective. Not only has mass surveillance of travellers not proven effective but it is not clear what the objective of that surveillance is. Additionally, by definition, mass surveillance can never be the least restrictive approach.

In response to a question from the audience Hasbrouk insisted the only mechanism for interference with an individual citizen's right to travel should be a legitimate court issued injunction.

The video runs for 1 hour 18 minutes but the two talks take about 45 minutes, time that won't be wasted engaging with Hasbrouck's passion and McCall's clear analysis.

Bublé advice: steal

There's a short Q&A with Michael Bublé in the Guardian today.

I've always enjoyed traditional jazz music - Bing Crosby, Frank Sinatra, Nat King Cole, Louis Armstrong, Gene Kelly, Fred Astaire et al and modern day incarnations like Harry Connick Jr, Kevin Spacey (yes he can sing as well as act) and Bublé.  I don't know much about Bublé as an individual other than he once worked in the Oxford fish market but noted his advice in the Guardian piece to 'a singer':

"Steal from as many people as possible. Rip off one person and you're a thief – but if you steal from everyone, you can tell people it's research."

Always interesting when one of the successful stars bucks the music labels' party line about all piracy being evil and destroying artists' livelihoods. If it wasn't for the distorted rhetoric in the music industry then advising people to draw inspiration from others which is essentially what Bublé is doing here wouldn't be controversial. Still nice to see him be explicit about it.

Home Secretary loses Abu Qatada deportation appeal

The Home Secretary has predictably lost her appeal against the the Special Immigration Appeals Commission (SIAC) decision blocking Abu Qatada's (aka Omar Othman) deportation to Jordan. The Court of Appeal's ruling today, Othman v Secretary of State for the Home Department, [2013] EWCA Civ 277 is available online.

The key to understanding the decision is to separate the notion that Abu Qatada might be a really nasty bad guy who wishes us ill will and harm from the issue before the court i.e. did SIAC err in law in concluding there is a risk that Qatada will not get a fair trial in Jordan due to a "real risk" that evidence obtained by torture would be used in such a trial. SIAC said -

"78. The Secretary of State has not satisfied us that, on a retrial, there is no real risk that the impugned statements of Abu Hawsher and Al-Hamasher would be admitted probatively against the appellant."

They also stated -

"87. We remain convinced that the government of Jordan can and will fulfil its assurances about the treatment of the appellant on return...Like the Strasbourg Court, we remain satisfied that those assurances provide, in their practical application, a sufficient guarantee that the appellant will be protected against the risk of ill-treatment by or at the behest of Jordanian state agents."

SIAC, like the UK government and the European Court of Human Rights, did not believe Qatada would be tortured in Jordan. However, SIAC did decide that his trial in Jordan, should he be deported, may be tainted by evidence obtained by torture.

The Court of Appeal note right up front that Abu Qatada is considered dangerous but that the key question is the risk that evidence obtained by torture would be used in his trial in Jordan:

1. Omar Othman is regarded by the United Kingdom government as an exceptionally high risk terrorist. For a number of years, the Secretary of State for the Home Department has been seeking to deport him from the United Kingdom to Jordan under section 5(1) of the Immigration Act 1971 (“the 1971 Act”) as a person whose deportation is deemed to be conducive to the public good. He has already been tried and convicted in his absence in Jordan for offences of the utmost seriousness. If returned to Jordan, he will face a retrial. The issue that lies at the heart of the present (and earlier) proceedings is the proper assessment of the risk that the evidence against him at the retrial would include statements that have been obtained by torture and, if so, what effect this has on the lawfulness of his deportation."

The burden on the Home Secretary's lawyers before the Appeal Court was to prove that SIAC had made errors in law in concluding that there is a real risk that a trial of Abu Qatada in Jordan would include evidence obtained by torture. Essentially they could not prove that SIAC made such errors, so the Court denied the appeal.

"Overall conclusion

56. Mr Othman is considered to be a dangerous and controversial person. That is why this case has attracted so much media attention. It is entirely understandable that there is a general feeling that his deportation to Jordan to face trial is long overdue. But the principles that we have to apply do not distinguish between extremely dangerous persons and others who may not constitute any danger in the United Kingdom and whom the Secretary of State wishes to deport to face trial in another country. The fact that Mr Othman is considered to be a dangerous terrorist is not relevant to the issues that are raised on this appeal. It would be equally irrelevant if we were deciding the question whether there was a real risk that he would be tortured if he were returned to Jordan.

57. Strasbourg recognises that it is only in a very rare case that a state should be prevented by the ECHR from deporting persons to face trial in the courts of another country. The fact that there is a risk that the deported person will not have a fair trial is not enough. There must be a real risk that he or she will suffer a flagrant denial of justice. Strasbourg has rightly set the bar very high. The unfairness must be of a very high order. What is required is a real risk of a breach of the principles of a fair trial guaranteed by article 6 which is “so fundamental as to amount to a nullification, or destruction of the very essence, of the right guaranteed by that article”.

58. Torture is universally abhorred as an evil. A state cannot expel a person to another state where there is a real risk that he will be tried on the basis of evidence which there is a real possibility may have been obtained by torture. That principle is accepted by the Secretary of State and is not in doubt. That is the principle which SIAC had to apply in the present case in the light of all the evidence that it heard and read. This included evidence as to what had happened and what there was a real risk would happen if Mr Othman faced a retrial on the very serious charges that he faces. SIAC found that there was a real risk that evidence obtained by torture would be admitted at the retrial and that, as a consequence, there was a real risk that he would be subject to a flagrant denial of justice.

59. In order to succeed in this appeal, the Secretary of State has to show that SIAC erred in law. It is not sufficient to persuade us that we would have reached a different conclusion on the facts and Mr Eadie rightly recognised the difficulty of such an exercise. The Secretary of State accepts that SIAC directed itself properly as to the general legal test to apply. Her case that SIAC nevertheless erred in law is based on a detailed examination of a careful and comprehensive judgment. As we have stated at paras 5 and 6 above, criticisms of this kind of a decision by a specialist tribunal are particularly difficult to sustain. For the reasons that we have given, we are satisfied that SIAC did not commit any legal errors.

60. This appeal must therefore be dismissed."

I suspect the declaration that the "fact that Mr Othman is considered to be a dangerous terrorist is not relevant to the issues that are raised on this appeal" will have some people scratching their heads in wonder and the Home Secretary, the usual mass media suspects and the angry mob decrying 'out of touch' judges.

Yet the Secretary of State herself, if the submissions of her lawyers before the Court of Appeal are to be believed, accepts in law that a "state cannot expel a person to another state where there is a real risk that he will be tried on the basis of evidence which there is a real possibility may have been obtained by torture." That fundamental principle is blind to whether the person involved is considered dangerous or indeed any other idiosyncratic personality traits and for the time being at least it means that Abu Qatada will remain in the UK.

Cheat note for the occasional reader who enjoys legalese chomping - if you're short on time, try skimming paragraphs 1, 14, 17-18, 23-29, 33-34, 46 and 55-60 of the Court of Appeal's ruling to get a reasonably rounded understanding of the thinking of the Master of the Rolls, Lord Dyson and his compatriots Lord Justices Richards and Elias.

Update: Conor Gearty, a professor of human rights at the London School of Economics, has an excellent piece in Thursday's Guardian on the case, Abu Qatada: the law won.

Leveson did't intend to regulate bloggers, SMEs or social networkers

I've written, ineloquently, to the Prime Minister about the ConDemLabour Leveson fudge.

Following years of unfettered and illegal behaviour by certain elements of the press, Lord Leveson concluded large news publishers should be regulated. His target was powerful oligopolistic news companies, not small websites and internet users slipped into the 3 party deal last weekend.

You can't control the worst excesses of the tabloid press by dangling the sword of regulatory Damocles over the heads of the nation's individual content creators. It merely creates a chilling effect on speech at a time when the internet has putting an affordable printing press in the hands of the masses.

As an academic blogger since 2001 I'd ask you to tread carefully with your dangerous blogs bill and focus on Leveson's specific recommendations not the intoxicating notion of controlling the internet.

I have little confidence that the Cameron, Clegg or Milliband or the thin paper you could slip between them on their plans to implement Leveson would have a great deal of influence on the unethical behaviour of parts of the press. Murdoch shut down the News of the World and re-opened the equivalent Sunday edition of the Sun once the dust had settled. Thus he re-acquainted his coffers with the funds millions of people are prepared to throw at him for access to the stories, ill-gotten or otherwise, those publications provide. As long as there is a mass market and that market doesn't care about the source of the stories, the incentive for bad press behaviour will remain.

To pluck internet regulation from the garbage can of issues surrounding Leveon's review of the press, however, is only likely to lead to unintended pain for bloggers, SMEs, social networkers and other internet users who had nothing whatsoever to do with phone hacking.

I'm naive enough to believe we live in an age where we can facilitate the production of freedom enhancing technological architectures, laws, social, physical and economic environments. Privacy enhancing technologies and carefully crafted regulations are good for privacy and freedom of the press and by extension conducive to a healthy society.

I'm also seriously concerned that we're not just compromising that opportunity to evolve towards a healthier society but doing precisely the opposite; partly through apathy and lack of engagement with politicians of zeal, occasionally well meaning, invariably charged with self-interest, almost always without understanding when it comes to modern technologies. The political classes are dangerously clueless about technology and those who do understand it really have to get our act together to educate them. Answers on a postcard or electronic equivalent please on how we can develop several orders of magnitude improvement on our performance to date.

Catt v ACPO & the Met

The Independent and Guardian reported yesterday that 88 year old John Catt, an anti-war campaigner with no criminal record, had won his appeal to have his details removed from the police database of suspected extremists. The 'National Extremism Database' was maintained by the National Public Order Intelligence Unit, originally under the supervision of the Association of Chief Police Officers (ACPO) and since June 2011 under the supervision of the Commissioner of Police of the Metropolis (the Met).

The full judgment by the Master of the Rolls, Lord Dyson, along with Lord Justices Moore-Bick and McCombe, is now availble at the British & Irish Legal Information Institute, BAILII, and makes interesting reading.

The good Lords quote repeatedly from the European Court of Human Rights decision, S & Marper v UK, where the Court held that the systematic blanket indefinite retention, by the police, of the DNA and fingerprints of people not charged with or convicted of a crime, was in breach of of Article 8 of the European Convention on Human Rights, relating to respect for privacy. They also rely on R (Wood) v Commissioner of Police of the Metropolis [2009] EWCA Civ 414 where an employee of an association campaigning against the arms trade was followed and photographed by police and "the element of surprise and the claimant's uncertainty about the purposes of the police in taking his photograph and the use to which it might be put meant that article 8 was engaged."

They essentially conclude that the treatment of Mr Catt is disproportionate and constitutes an unjustified interference with his article 8 right to respect for private and family life.

From my reading of it, which I hope has been more careful than the erroneous quote I attributed to the Court yesterday evening on Twitter (thanks, btw, to the several folks who alerted me to that), the key elements of the decision relating to Mr Catt are in paragraphs 23, 24 and 41 through to 46, the core of the judgment coming in paragraph 44 (I've emphasised this in bold print in para 44 below).

1. However, it was also recognised in S, that in cases which concern the collection and retention of personal information relating to private individuals the issue of legality turns to a large extent on the circumstances and manner in which that information is collected, processed, stored and ultimately destroyed. Questions of that kind are closely related to the broader issue of whether the interference with the right to respect for private life is necessary in a democratic society (see paragraph [99]). In S itself the court found it unnecessary to consider the question of legality having held that the retention of the information was disproportionate to the aim sought to be achieved and in those circumstances we turn to the question of proportionality.


2. [...] The overriding principle is the need to strike a fair balance between the personal interest of the claimant in maintaining respect for his private life and the pursuit of a legitimate aim in the interests of the public at large: see, for example, S, paragraph [118]. In order to justify the collection, processing and retention of personal information the state must be able to satisfy the court that each of those steps is governed by clear rules of law or policy which are both accessible and intelligible and do not give the authorities an excessively broad discretion over the manner of their implementation. In such cases it is therefore necessary for the court to pay careful attention to the nature of the information in question, the circumstances under which it can be obtained, the ways in which it can be processed and by whom, the period for which it can be retained (together with any arrangements for interim review) and the arrangements for its destruction.

[...]

1. Having seen copies of various reports in which Mr.Catt  is mentioned and the information provided in response to his subject access request, we are left with the clear impression that police  officers who attend protests organised by Smash EDO for the purpose of gathering intelligence record the names of any persons whom they can identify, regardless of the particular nature of their participation.
2. The Divisional Court held that the continued retention on the Database of information relating to Mr. Catt  was in accordance with the law and proportionate to the aim sought to be achieved. As to the latter, the court held that any interference with Mr. Catt 's rights was minimal [...] The court regarded as "wholly unworkable" the suggestion that the respondent should be required to trawl through reports in order to consider each person named in them in isolation with a view to weeding out information no longer of value.

[...]

1. Proportionality involves striking a fair balance between the rights of the individual and the interests of the wider community. In paragraph [83] of his judgment in Wood Dyson L.J. drew attention to the fact that in striking that balance the court must have regard to the nature of the Convention right in issue, its importance for the individual, the nature of the interference and the object pursued by the interference.

[...]

1. We do not doubt the importance to modern policing of detailed intelligence gathering and we accept the need for caution before overriding the judgment of the police  themselves about what information is likely to assist them in their task. For present purposes that task is to obtain a better understanding of how Smash EDO is organised, to be in a position to forecast the place and nature of its next protest and to anticipate the number of people likely to attend and the tactics they are likely to adopt. It is not easy to understand how the information currently held on Mr. Catt  can provide any assistance in relation to any of those matters. Mr. Tudway states in general terms that it is valuable to have information about Mr. Catt 's attendance at protests because he associates with those who have a propensity to violence and crime, but he does not explain why that is so, given that Mr. Catt  has been attending similar protests for many years without its being suggested that he indulges in criminal activity or actively encourages those that do. The systematic collection, processing and retention on a searchable database of personal information, even of a relatively routine kind, involves a significant interference with the right to respect for private life. It can be justified by showing that it serves the public interest in a sufficiently important way, but in this case the respondent has not in our view shown that the value of the information is sufficient to justify its continued retention. It is striking that Mr. Tudway does not say that the information held on Mr. Catt  over many years has in fact been of any assistance to the  police  at all. The Divisional Court considered that it was not practically possible to weed out from time to time information held on particular individuals. There is, however, no evidence to support this conclusion and we are not satisfied that it is correct. It should not be overlooked that the burden of proving that the interference with Mr. Catt 's article 8 rights is justified rests on the respondent.


2. That leaves the question whether the interference with Mr. Catt 's rights is in accordance with the law. This is very much a live issue given the relatively vague nature of some aspects of the regime contained in the MoPI Code and Guidance [...] However, in the light of the conclusion to which we have come on the question of proportionality it is unnecessary for us to reach a final decision on the point.


3. For these reasons we have reached the conclusion that the interference with Mr. Catt 's right to respect for his private life has not been justified and that the appeal must therefore be allowed.

For those ill-inclined to read the full judgment in detail, note that the Mr Tudway referred to in para 44 is Detective Chief Superintendent Tudway, a serving officer with the Met and a previous incumbent of the post of National Co-ordinator for Domestic Extremism ("NCDE") - effectively the guy who was in charge of the National Public Order Intelligence Unit and, therefore, the 'National Extremism Database'.

It's impossible to over-emphasise the key section of paragraph 44:

"The systematic collection, processing and retention on a searchable database of personal information, even of a relatively routine kind, involves a significant interference with the right to respect for private life. It can be justified by showing that it serves the public interest in a sufficiently important way, but in this case the respondent has not in our view shown that the value of the information is sufficient to justify its continued retention. [...] The Divisional Court considered that it was not practically possible to weed out from time to time information held on particular individuals. There is, however, no evidence to support this conclusion and we are not satisfied that it is correct. It should not be overlooked that the burden of proving that the interference with Mr. Catt's article 8 rights is justified rests on the respondent.

Impossible to over-emphasise because this is where we are losing the privacy wars - to the public and private sector armies of determined, hardworking, occasionally efficient, often well-meaning, silo-mentality, target driven, sometimes sociopathic/psychotic and ambitious bureaucrats who are just doing their jobs in their routine systematic, purpose-fuzzy collection, processing and retention on searchable databases of personal information. Their default assumption is that such activity serves the public and/or their organisational/personal interest in a sufficiently important way.

Society's passive acceptance of the consequent emergent normalisation of organisational sociopathy constitutes a clear and present danger to the right to respect for private and family life. As Justice Brandeis put it much more eloquently in his dissent in the 1928 US Supreme Court wiretapping case, Olmstead v. United States:

"Experience should teach us to be most on our guard to protect liberty when the Government's purposes are beneficent. Men born to freedom are naturally alert to repel invasion of their liberty by evil-minded rulers. The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well meaning but without understanding."

And those persons of zeal lurk not just in government but also out there in the real world.

Government ministers "unhinged" on ECHR

In the wake of the Eastleigh by-election defeat the Tories "human rights are the root of all evil" brigade are on the march again. Home Secretary, Theresa May and Justice Secretary, Chris Grayling have been variously reported as threatening to withdraw from the European Convention on Human Rights and abolish the UK Human Rights Act.

With all the dangerous rhetoric blowing out of prominent rear ends on this subject which the usual mass media outfits are happy to promote, it's worth again returning to the actual statistics published by the European Court of Human Rights in particular, in the very accessible report, European Court of Human Rights Statistics on judgments by State: Statistics 1959 - 2010. It even has pictures:

Only 3% of the cases that the UK faces in the European Court of Human Rights (ECrtHR) ever get to a judgment. If you drill into the figures, between 1959 and 2010 the UK lost about 2% of the all cases brought against it to the ECrtHR. They had an even better record in 2011 and 2012 losing just 0.8% (8 out of 955) and 0.5% (10 out of 2082) of the cases brought respectively.

When politicians in significant positions of influence wield anti human rights rhetoric in the way that Ms May and Mr Grayling do, they are playing a dangerous game. Leading QC, Ben Emmerson, hits the nail on the head in his thoughts for the Independent today:

“The increasingly shrill rhetoric from Theresa May is beginning to sound decidedly unhinged. There is not the slightest prospect of the UK pulling out of the European Convention before the next election.”

“In Europe and the UN the UK is seen as having lost the plot. The UK’s international reputation as a leader on the rule of law and human rights is plummeting at an alarming rate and with it our ability to influence other states. I cannot recall a time since 2003 when the UK’s international reputation has fallen farther and faster”

...

Mr Emmerson urged the Prime Minister not to let UKIP and “little Englanders” dictate policy: “May and Grayling, and the people who are supporting them, are the barmy brigade of the Conservative Party. They are undermining the Foreign Secretary’s attempts to portray the UK as pursuing an ethical foreign policy and they are undermining the Prime Minister’s standing with the international community.”

Update: Lord Neuberger, President of the UK Supreme Court, reportedly agrees, though in a decidedly understated fashion. The learned judge is also less than enamoured with the government's secret courts and cutting of legal aid, in addition to being concerned about a possible subconcious bias contributing to the gender imbalance in the judiciary. The Guardian's editorial one day on is interpreting Lord Neuberberger's intervention on human rights as a shot across the bows of the little englander Tories branch of government.

Security Minister on CDB

My MP Nicola Blackwood has had a response from Home Office Security Minister, James Brokenshire, to her -

"letter of 7 February to the Home Secretary on behalf of your constituents who wrote to you to express concern about proposals for the collection and retention of communications data."

Ms Blackwood posted me a hard copy of Mr Brokenshire's letter, a scan of which I include below.

Excuse the formatting. We're locked into Microsoft imaging files with the scanners in the office and Blogger and Microsoft don't play nicely.

The letter is largely a repeat of the usual distorted, evidence-free, political justifications for the Communications Data Bill. Starting at paragraph 2 he re-iterates the "communications data is the context not the content of a communication". If he read Peter Sommer's written submission (starting at page 412) and followed his oral evidence to the Joint Select Committee on the Communications Data Bill he'd realise what a meaningless claim this is nowadays. If he has read and understood Prof Sommer's evidence then he is being deliberately misleading here. If he hasn't read and/or understood it then he is not doing his job.

Paragraphs 3 & 4 highlight the Data Retention Regulations, regulations arising from the Data Retention directive which the UK government actively pushed through the EU and which has been challenged on constitutional grounds in several EU jurisdictions.

Paragraph 5 is the standard claim that the police need comms data to catch terrorists. As I've said before, law enforcement need, through targeted data preservation regimes, to engage in technological surveillance of individuals about whom they have reasonable cause to harbor suspicion; said surveillance to be carried out, as the Intelligence & Security Committee said in their special report on the CDB, in carefully controlled circumstances and with appropriate authorisation. That is not the same as building an infrastructure of mass surveillance, in parallel with a continuing absence of the widespread human intelligence and institutional skill sets required to be able to understand or deal with the technology or the avalanche of data noise the CDB would generate. And subcontracting the technological operations to the private sector without a deep institutional criminal justice system understanding of the technology and the digital forensics is reckless and dangerous for society.

Paragraph 6 of Mr Brokenshires's letter says the Regulation of Investigatory Powers Act (RIPA) ensures comms data use by approved authorities is above board. I won't comment on this other than to say the proportionality of the RIPA powers has been repeatedly questioned, as indeed has the Interception Commissioner's oversight of the operation of RIPA.

Paragraphs 7 and 8 say "its not fair" - the technology is moving fast, there's loads of useful data and police and intelligence services can't get at it. Well get this - you do not make their job easier by building an infrastructure of mass surveillance with compulsory back doors for government and run by the private sector which "may do so from abroad". Architected back doors intended for government access become nice big security holes for tech savvy attackers with nefarious intent. And swamping your technically challenged law enforcement services with mountains of data noise, necessitating the target based mass pursuit of false leads, will make their job harder not easier. Sure they need the tools to do high tech surveillance but they need the skills to do it too, in intelligent targeted ways and in accordance with properly constituted oversight and due legal process.  International telcos are not, no matter how much the government believe they can or want them to, I repeat not going to create magic digital surveillance machines which work perfectly and magically point out the bad guys every time; leaving law enforcement with the simple task of picking up the miscreants and sticking the handcuffs on.

This stuff is too important to be left to the Blair era 'fix it with a £billion magic computer/database' mentality (without ever specifying what the 'it' actually is).

Paragraph 9 trots out the old favorite "It is the first duty of Government to protect the public." That lazy sound bite is repeatedly rolled out to justify liberty bashing laws and government actions but is a paternalistic fiction. In the UK under the Magna Carta the first duty of government is, as I understand it though I'm not a constitutional lawyer, to protect the freedom of the English church.

"FIRST, THAT WE HAVE GRANTED TO GOD, and by this present charter have confirmed for us and our heirs in perpetuity, that the English Church shall be free, and shall have its rights undiminished, and its liberties unimpaired...This freedom we shall observe ourselves, and desire to be observed in good faith by our heirs in perpetuity."

In the US the first duty of government is to protect the US Constitution and the Bill of Rights. Both the UK and US governments have a duty to protect the public from arbitrary, unrestrained, government authority.

The final three paragraphs of Mr Brokeshire's letter refer briefly to the Report of the Joint Committee on the Draft Communications Data Bill and the Intelligence & Security Committee report on same. He makes no mention of the scathing criticisms of the committees but does state clearly that:

"The Home Office has considered the Joint Committee's recommendations carefully and accepts the substance of them all."

Strangely he doesn't make any mention of accepting the ISC's recommedations. What accepting the substance of all the recommendations actually means in practice we will have to wait and see but the CDB is currently being redrafted and

"the Home Office is engaging with interested parties on our revised proposals."

In a separate letter to the Open Rights Group following the publication of the Joint Committee report in December, Mr Brokenshire said:

"The Committees have highlighted the need for further consultation, particularly with communication service providers, but with others too and we will be taking this forward."

I may not have been paying enough attention due to the pressure of other things and the last milestone I noted on this was the official publication of the ISC report on the 5th February but has anyone any further information on who, aside from the CSPs, the "interested parties" and "others too" might be?

CDB and the need for better technology narratives

I've had a response from my MP, Nicola Blackwood, to my email of 11 January, drawing her attention to the report of the Joint Select Committee on the Draft Communications Data Bill. Basically she tows the party line, repeating the Home Office spin which she appears to find convincing. I have further responded to Ms Blackwood this morning.  

Academics and tech experts have to get better at explaining the realities of technology to policymakers. It is not just the politicians that are failing badly in this arena.

Even the Head of MI5 is on record as saying the snoopers' charter rests on "pretty heroic assumptions" yet the Home Office plows on with the same unchanging fictions because we can't get traction for a better, more accurate and nuanced narrative.Maybe we need a centre for the public understanding of and engagement with technology? Including a team of dedicated storytellers exclusively focused on educating policymakers and the public through better technology narratives.

A copy of the exchange with Ms Blackwood is below.

Dear Nicola,

No, I'm not reassured.

I understand you will be under pressure to take the party line on this but the narrative being spun by ministers and the Home Office does not stand up to any kind of evidence based scrutiny. There is a long technology loaded answer to your response and a shorter narrative version.  Let me try the latter since I realise your time is limited and the Home Office story has been well dissected via evidence to the Joint Committee.

Yes law enforcement and security services need to be able to move with the times and through targeted data preservation regimes - not a mass surveillance regime - engage in technological surveillance of individuals about whom they have reasonable cause to harbor suspicion. That is not the same as building an infrastructure of mass surveillance.

When the automobile came along the security services did not put a man in every car in case it might be used in committing a crime. They learned to drive. Law enforcement and security services need to hire more computer technology experts. You cannot cure a law enforcement and security services skills deficit by hoping mandated mass surveillance technology will somehow magically point out the bad guys. Real computers don't work the way they do in Hollywood films or TV crime dramas.

We already live in the most spied upon society in the history of the planet. The Home Office are complaining, like a petulant child, that it's not fair that they don't have access to the ocean of personal data flowing around the internet. So they stamp their feet and scream they want it and more. And they are going to get it not by hiring technology experts but by building (or forcing telcos to build) a magic machine that gives it to them. Sadly, when you strip away all the spin that is level of analysis you are dealing with here.

It will cost billions and not only will it not cure the crime fighting problem it will make the situation worse and create all kinds of other problems.

The 9/11 attackers were known to the FBI prior to the event. They were not picked up because the law enforcement authorities were so swamped with data about suspected bad guys that the 9/11 attackers didn't surface as a priority group. Crime and terrorism detection is a needle in a haystack problem. You don't find the needle by throwing more data hay on the stack. By making every internet using member of the population a suspect - by mandating total personal data retention - you make the security services' and law enforcement authorities' jobs more difficult not less so. The resultant industrial scale pursuit of false leads will be bad for everyone apart from the criminals cute enough to hide behind the relentless electronic data noise.

When people like Ross Anderson, Caspar Bowden, Peter Sommer,  Duncan Campbell - people with a deep understanding of computing and network technologies - are telling the government that the Communications Data Bill is a really bad idea, then they rather than ministers - not best known for their proficiency with technology - are the ones you should be listening to. Ross et al are emphatically not saying we should not use technology for crime detection and prevention, rather that we should use it and we should do so intelligently. If you have £billions to spend then spend it on building tech savvy law enforcement and security services not mandated dangerous mass surveillance infrastructure.

Regards,

Ray

________________________________________
From: BLACKWOOD, Nicola

Dear Mr Corrigan,
Thank you for contacting me regarding communications data, and I do apologise for the delay in my response. I know you have previously shared with me the response you gave to the Joint Committee consultation on this issue, and I am grateful to you for taking the time to contact me further.
As someone who regards themselves as a libertarian, I do appreciate your concerns on this issue. Having said that, there has been some confusion about the actual extent of the Government’s proposals in this Bill. Clearly no one wants a ‘Big Brother’-style attempt to open up the content of private individuals’ communications. Instead, any changes should be aimed at protecting the current, long-standing ability of police and security services to gather crucial information about communications between suspects across the multiple new forms of online and telecoms media, while striking the delicate balance between privacy and security.
Ministers tell me that legislative change in this area is necessary to maintain national security and protect the public in the face of changing technological circumstances, whilst continuing to protect and uphold civil liberties. In short, security services must be able to move with the times to maintain their ability to gather vital intelligence, without which public freedoms are at risk.
The communications data at issue includes, for example,  the identity of participants in a communication and when it took place, not the content of their conversation. This data can already be collected from phone records, and has been a crucial element of many police investigations by linking suspects, disproving alibis and so on.
Of course, access to data of this kind is an important tool for law enforcement, especially when dealing with organised crime gangs, paedophile rings and terrorist groups, and it has played a role in every major counter-terrorism operation by the security services and in 95 per cent of all serious organised crime investigations.
With communications technology rapidly changing, I understand that criminal and terrorist activity is increasingly moving away from landline and mobile telephone communications to the internet, including voice over internet services, like Skype, and instant messaging services. Ministers estimate that security services are now only able to access some 75% of the total communications data generated in this country, compared with 90% in 2006.
In matters of intelligence, where information is so precious, I think the Home Office is right to highlight the problem of diminished access, and I think we need to be debating all reasonable steps to ensure that the people who are employed to protect the British public are properly equipped to do so.
There is further information about the proposed use of communications data available on the Home Office website at http://www.homeoffice.gov.uk/counter-terrorism/communications-data/.
Given the pace of technological change, our future capability is uncertain. Ministers tell me that this is why, in the Government’s Strategic Defence and Security Review, published in October 2010 and available online at http://www.direct.gov.uk/prod_consum_dg/groups/dg_digitalassets/@dg/@en/documents/digitalasset/dg_191634.pdf, a commitment was made to ‘introduce a programme to preserve the ability of the security, intelligence and law enforcement agencies to obtain data and to intercept communications within the appropriate legal framework’. It was also made clear that in seeking to ensure our law enforcement agencies continue to retain capabilities to protect us from harm, civil liberties would be respected and protected.
I understand that the Government therefore proposes to require internet companies to collect and store certain additional information, such as whom an individual has contacted and when, which they may not collect at present. As I have outlined, this information would show the context, but not the content, of communications, which would extend the arrangements which currently apply to telephone conversations to online communications.
Under the proposals, the data collected would be available only to designated senior officers, on a case-by-case basis, authorised under the Regulation of Investigatory Powers Act, and the process will be overseen by the Interception of Communications Commissioner. It would be available only if it is necessary and proportionate to a criminal investigation.
I hope you may be reassured that, unlike under the previous Government’s proposals, there would be no government database and the data recorded would be strictly limited and regulated and will be destroyed after a year. The police and security services would not be able to intercept the content of calls and emails, except as they already do, when it is necessary as part of an investigation relating to serious crime or national security and only when they had obtained a warrant signed by a Secretary of State.
I have written to the Home Secretary to pass on constituents’ concerns on this issue following the publication of the report of the Joint Committee on the Draft Communications Data Bill, and I shall of course be pleased to pass on any substantive response I receive in due course.
Thank you once again for contacting me and for your patience in awaiting this response, and I hope this is helpful.
Kind regards,
Nicola

-----Original Message-----

Dear Ms Blackwood,
I hope you’ve had a good Christmas and New Year holiday.
You will be aware the Joint Committee on the Communications Data Bill (or Snoopers’ Charter) published its report last month. Copy available at
http://www.parliament.uk/business/committees/committees-a-z/joint-select/draft-communications-bill/news/full-publication-of-report/
The Joint Committee say the draft Bill pays “insufficient attention to the duty to respect the right to privacy, and goes much further than it need or should.” They are also extremely critical of the Home Office, highlighting their lack of consultation and labelling their figures “fanciful and misleading.” Additionally they find the Home Office estimate of £1.8 billion in relation to the implementation of the Bill likely to be exceeded  “by a considerable margin.”
It seems very clear therefore that the Communications Data Bill should be dropped. The report would in its entirety suggest the need for a fundamental, full and public review of digital surveillance. Nevertheless in the first instance I would just request that you encourage the Home Office to drop the Communications Data Bill.
Thank you,
Ray Corrigan

Open University turn to Blackboard Collaborate

After a long and complex tendering process, in line with the EU guidelines on public procurement, The Open University has chosen Blackboard Collaborate as its new synchronous online learning platform.

The OU has been using Elluminate since 2008.  Blackboard bought out Eluminate and its main competitor Wimba in 2010. Collaborate appears to be a combination of the slightly less cluttered interface of Wimba and the greater functionality of Eluminate.

The plan is for a phased implementation/transition to Blackboard Collaborate with our use of Eluminate finishing in the summer of 2014. Collaborate, from the demos I've seen, seems relatively straightforward to use and resources developed for use on Eluminate are reported to be seamlessly interoperable with the new platform.

Associate lecturers and students won't be expected to switch platforms midstream.  The idea is that Blackboard Collaborate will be introduced between the end of one presentation of a course/module and the begining of the next.

The significant operational change from my perspective is not the specific tools which are, in effect, quite similar but that the hosting will be done externally by Blackboard, on servers within the EU, rather than internally by the OU on servers in the UK.

Blackboard are a US multinational but with the hosting firmly within EU borders the data will be subject to the more stringent EU privacy protections. It does mean, however, that the ongoing EU-US free trade agreement negotiations take on a sharper meaning for the Open University than they historically might have done, given the long time efforts of the US to dilute the EU's privacy regime.

"Next generation of surveillance..."

TarenSK on why Aaron Swartz died

Taren Stinebrickner-Kauffman - Why Aaron Died:

"I believe that Aaron’s death was not caused by depression.

I believe Aaron’s death was caused by exhaustion, by fear, and by uncertainty. I believe that Aaron’s death was caused by a persecution and a prosecution that had already wound on for 2 years (what happened to our right to a speedy trial?) and had already drained all of his financial resources. I believe that Aaron’s death was caused by a criminal justice system that prioritizes power over mercy, vengeance over justice; a system that punishes innocent people for trying to prove their innocence instead of accepting plea deals that mark them as criminals in perpetuity; a system where incentives and power structures align for prosecutors to destroy the life of an innovator like Aaron in the pursuit of their own ambitions."

Medical privacy a losing/lost battle?

I learned indirectly early last week that over 2500 GP practices have outsourced the management of their websites to the self styled "number one website provider for GP surgeries in the UK", My Surgery Website. The surgeries use the website for e.g. the administration of repeat prescriptions, so it would be useful to know the who, what, where, why, when and how of data flows, processing, storage, protection and control.

From the 'About Us' section of the website:

"The 'My Surgery Website' product was developed in 2006 to offer professional, sensibly valued websites with pertinent content to primary care providers in the UK. We have worked on many large-scale NHS IT projects over the last fifteen years and have the experience in the health sector that is necessary to appreciate fully the needs of Primary Care professionals.

Now the largest supplier of websites and intranets to the Primary Care market, My Surgery Website has developed into the most successful provider for GP online services in the UK. Our systems deliver the very latest information and interactive services to more than ten million NHS patients, so you know that we have the expertise and the commitment to help you.

My Surgery Website has become part of First Practice Management (FPM) which is a member of the SRCL Group of Companies. FPM is the UK’s premier information and support resource for GP practice managers. Visit the website www.firstpracticemanagement.co.uk for further information."

The privacy link is at the bottom of the page and leads to (I've highlighted some key elements in green font for readers susceptible to the soporific effects of legalese):

"

1. Website Availability

We cannot guarantee uninterrupted access to this website, or the sites to which it links. We accept no responsibility for any damages arising from the loss of use of this information.

2. Data Collection

We collect information from users who communicate with us via the website, aggregate information on which pages users access or visit, and information volunteered by the viewer (such as survey information).

3. Cookies

You can be assured that My Surgery Website does not use cookies to track your activity online.
3.1 My Surgery Website Limited does not set first party cookies on this website containing any personal data unless specifically instructed to do so by the user. For example, if a user requests to be remembered on a form then a cookie is set to retain the form data for next time.
3.2 The Web Site uses third-party Cookies to collect anonymous traffic data about your use of this website. This information is stored by Google and subject to their privacy policy, which can be viewed here: http://www.google.com/privacy.html. Google Analytics collects information such as pages you visit on this site, the browser and operating system you use and time spent viewing pages. The purpose of this information is to help us improve the site for future visitors.These cookies are not used to track you or your activity but if you do not wish these cookies to be stored on your computer, disable cookies in your browser settings.
3.3 You may delete Cookies at any time. See the help in your internet browser to find out how to delete your cookies.

Cookies Used

The following cookies are set by Google Analytics:
__utma Cookie
A persistent cookie - remains on a computer, unless it expires or the cookie cache is cleared. It tracks visitors. Metrics associated with the Google __utma cookie include: first visit (unique visit), last visit (returning visit).
__utmb Cookie & __utmc Cookies
These cookies work in tandem to calculate visit length. Google __utmb cookie demarks the exact arrival time, then Google __utmc registers the precise exit time of the user.
Because __utmb counts entrance visits, it is a session cookie, and expires at the end of the session, e.g. when the user leaves the page. A timestamp of 30 minutes must pass before Google cookie __utmc expires. Given__utmc cannot tell if a browser or website session ends. Therefore, if no new page view is recorded in 30 minutes the cookie is expired. This is a standard 'grace period' in web analytics. Ominture and WebTrends among many others follow the same procedure.
__utmz Cookie
Cookie __utmz monitors the HTTP Referrer and notes where a visitor arrived from, with the referrer siloed into type (Search engine (organic or cpc), direct, social and unaccounted). From the HTTP Referrer the __utmz Cookie also registers, what keyword generated the visit plus geolocation data. This cookie lasts six months.
__utmv Cookie
Google __utmv Cookie lasts "forever". It is a persistant cookie. It is used for segmentation, data experimentation and the __utmv works hand in hand with the __utmz cookie to improve cookie targeting capabilities.
The following cookies are set by My Surgery Website:
cookieAccepted
Cookie lasts "forever". Indicates that user has acknolwledged the 'cookie information' banner and so prevent the banner being shown again.
apps
Cookie lasts until the next time the creating form is opened. It is created when user ticks the box to request that form data is retained for next time in the appointments or appointments cancellation forms. Prevents user having to type in all their details again.
dList1,dList2,repeatPrescriptions,repeatPrescriptions2
Cookies last until the next time the no-registration verion of the prescriptions form is used. Cookies are created at request of user to retain form data for next time. Prevents user having to type in all their details again.
userPoll
Cookie lasts 30 days. Records that user poll has been answered so that the poll is not displayed again.
other cookies
Other cookies are used when editing or when logged on to the staff section to enable the editor to function correctly and to assist with retaining state.

4. Data Storage

This Surgery Website uses third party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to run the website services.

5. Changes to this Policy

My Surgery Website Limited reserves the right to change this Privacy Policy"

First Practice Management's (FPM)  privacy policy is here.  FPM is a division of SRCL Ltd. SRCL's privacy policy is here. Selected highlights from FPM's:

"We will only use the information that we collect about you / your practice / organisation lawfully and in accordance with the Data Protection Act...

By using this website you agree that we may store and access cookies on your device.
This website uses the following cookies:
Google Analytics - Collects information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. Further information can be found in Google Analytics Privacy Policy...

Users contacting this website and/or it's owners do so at their own discretion and provide any such personal details requested at their own risk... Your details are not passed on to any third parties...

Resources & Further Information

• Data Protection Act 1998
• Privacy and Electronic Communications Regulations 2003
• Privacy and Electronic Communications Regulations 2003 - The Guide (Easier to understand)
• Twitter Privacy Policy
• Facebook Privacy Policy
• Google Privacy Policy
• Linkedin Privacy Policy
• Campaign Monitor Privacy Policy

If you have any questions about our Privacy Policy or the way we collect, store or use any data we collect about you/your practice/organisation, please email us at mail@firstpracticemanagement.co.uk."

Likewise for SRCL's:

"We take our commitment to your privacy seriously and treat any information you supply to us with care...

BY USING OUR SERVICES, YOU GIVE US YOUR EXPRESS CONSENT TO PROCESS YOUR PERSONAL DATA AS DESCRIBED HEREAFTER
Examples of the data we may collect and analyse include the Internet protocol (IP) address used to connect your computer to the Internet, connection information such as browser type and version, the full Uniform Resource Locators (URL), your clickstream to, through and from our website (including date and time), cookie number and pages you viewed. In using our website  you accept that your personal data may be used for such purposes.
We will not sell, distribute or disclose information about you or your personal usage of our website without your consent or unless required or permitted to do so by law...

We may monitor customer traffic patterns, website usage and related information in order to optimise your use of the website and we may give aggregated statistics to a reputable third party, but these statistics will include no information personally identifying you...

Sharing Data
We comply with, and are registered under, the Data Protection laws in the United Kingdom. We take all reasonable care to prevent any unauthorized access to and use of your personal data. In case any fraudulent activity is detected on the website, or, without limitation, in connection with the breach of intellectual property rights through the use of the website, we may release personal information in order to comply with any applicable law or regulation, or assert our rights as well as those of our business partners.
We will not provide your details to any third party without your consent, except where we are required to do so by law...

Your Consent
By submitting your information you consent to the use of that information as set out in this Policy. If we change our Privacy Policy we will post the changes on this page, and may place notices on other pages of the website, so that you may be aware of the information we collect and how we use it at all times.  Continued use of the service will signify that you agree to any such changes...

Governing Law & Jurisdiction
Any matter arising from or in connection with these Conditions of Use shall be governed by and construed in accordance with English law and the English courts shall have jurisdiction to resolve any disputes between us."

I don't propose to dissect these privacy policies in detail. This group of companies at least appear to have put some thought into the issue of privacy and there is no evidence to suggest that these policies are anything but well intentioned. But I would like to highlight one of the selected highlights above from the My Surgery Website policy i.e.

This Surgery Website uses third party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to run the website services.

So in relation to my original question we don't actually know the who, what, where, why, when and how of data flows, processing, storage, protection and control. Services and data relating "to more than ten million NHS patients" is in the hands of unspecified third party economic actors, unless I've misunderstood something here?

Just as highlighted in the excellent EU study, Fighting cyber crime and protecting privacy in the cloud, the issue here is the loss of control over personal data released into the Cloud. The risk arises from the management of the data. When treasure troves of personal data become the object of negotiation between self interested commercial and/or political actors, the privacy of individuals not party to the negotiations will be compromised.  All modern technological, social, economic and organisational systems that process and store sensitive personal data are leaky, in many cases seriously so.

So, if I can make some minor edits/adaptions to the executive summary of the EU study and apply it to this context it might say:

Patients’ rights are subsumed into a complex mesh of contracts among private
entities. Therefore, from a legal perspective, the challenge of jurisdiction is central.
The legal determination of both the responsibilities and legal liabilities of data
controllers and processors and the rights of the individual as ‘data subject’ are
paramount.

Lack of legal certainty surrounding the legal frameworks of cloud-based health service commerce, as well as inadequate tools to safeguard privacy and data protection, increase the potential for mismanagement, misuses and abuses by economic and political actors and agencies. European citizens’ data are not sufficiently protected in this regard.  In this case, the question of the legal framework of data transfers/processing to third countries is critical.
These elements have been neglected in UK and EU policies and strategies, despite their very strong implications for UK/EU data sovereignty and the protection of citizens’ rights.

In fairness, SRCL make an effort at the end of their privacy policy to say UK law applies and UK courts have jurisdiction over disputes but they are unlikely to be able to pursue or have such a declaration enforced in all such eventualities.

We also learned last week that the Health Secretary has swallowed hook, line, sinker and mindset of the Blairite 'go forth and multiply thy giant database cures for all ills' black holes for privacy and resources, in the push for an "Everyone counts", no opt-out, 'biggest data grab in history', central health database.

This could almost considered to be funny if it wasn't so reckless, given the grief the coalition parties dished out to the previous Nu Labour government about their disastrous National Programme for IT in the NHS; and how they came to power with promising promises about dismantling the previous gang's database state.

As Ross Anderson, professor of security engineering at Cambridge University, said last week, ‘Under these proposals, medical confidentiality is, in effect, dead and there is currently nobody standing in the way.’

Commerce, politics, security services, public service bureaucrats of multiple ilks, are all more or less alligned - through ignorance, well meaning or malign intent, or mere sociopathic/psychopathic ambition - on pulling down the historic sociological architecture of personal privacy. When we combine these forces with the pathological calculus that is -

Privacy vs Convenience/attraction/gratification/access/community/conformity/convenience?

whereby so many individuals give up so much personal data for so little so often, is the medical privacy battle already just one lost vital organ in the decomposition of the value that once was personal privacy?