Wednesday, December 19, 2012

DPP social media prosecution guidelines

The Director of Public Prosecutions has issued an interim set of guidelines on prosecuting cases involving communications sent via social media.


He has also launched a public consultation on these guidelines. Section 36 of the guidelines says:
"Against that background, prosecutors should only proceed with cases under section 1 of the Malicious Communications Act 1988 and section 127 of the Communications Act 2003 where they are satisfied that the communication in question is more than:
  • Offensive, shocking or disturbing; or
  • Satirical, iconoclastic or rude comment; or
  • The expression of unpopular or unfashionable opinion about serious or trivial matters, or banter or humour, even if distasteful to some or painful to those subjected to it.
If so satisfied, prosecutors should go on to consider whether a prosecution is required in the public interest."
There's a lot of sense in the guidelines which suggests that maybe the Paul Chambers case would not have been pursued but what does "more than offensive, shocking..." actually mean? The police and CPS still have to make a judgement call and will still be under media and political pressure to "do something" when the next infamous offensive idiot is given his 15 minutes of fame in the press and broadcasting studios.

Let's just make it simple and get sections 1 & 127 of the Malicious Communications and Communications Acts respectively off the statute books.  And while we're at it, for a bonus, we can bin section 4 of the Public Order Act too. The police and CPS have more than enough to do and should not be making routine judgment calls on what might constitute acceptable speech.

Tuesday, December 11, 2012

Joint Committee declare CDB unworkable

The Draft Communications Data Bill Joint Committee have issued their damning report on the Bill - "the draft Bill pays insufficient attention to the duty to respect the right to privacy"; “too sweeping”; goes “further than it need or should”; Government "have a duty to respect the right of citizens to go about their lawful activities, including their communications, without avoidable intrusions on their privacy."

The committee are particularly critical of the Henry VIII clause 1 of the Bill giving the Secretary of State a blank cheque to change the law how and when s/he feels like it, without any reference to parliament or any checks and balances. The Home Secretary has said we should trust her because she has no intention of using such powers e.g. to issue secret notices to communications service providers (CSPs) requiring them to retain and disclose potentially limitless categories of data. Why on earth would you want to put such powers on the statute books if you had no intention of using them? And even if that intent was sincere [sic] why would you give future governments such freedom to abuse such powers?

Report summary:
"It is the duty of Government to maintain the safety and security of citizens. This is not only in the public interest; it is in the interest of law-abiding members of the public. For this the law enforcement agencies must be given the tools they need. Reasonable access to some communications data is undoubtedly one of those tools. But the Government also have a duty to respect the right of citizens to go about their lawful activities, including their communications, without avoidable intrusions on their privacy. These duties have the potential to conflict.
More than a decade ago the Regulation of Investigatory Powers Act 2000—RIPA—set out the conditions which the law enforcement agencies and others have to satisfy if they wish to access communications data—the details about communications, but not their content. The Act specifies what data can be accessed, by whom, for what purposes, and subject to what conditions. Since 2000, however, methods of communicating have changed, and the volume of communications data potentially available to public authorities has increased very significantly. The draft Bill which we have been considering is the Government's endeavour to bring the law up to date.
We accept that there is a case for legislation which will provide the law enforcement agencies with some further access to communications data, but we believe that the draft Bill pays insufficient attention to the duty to respect the right to privacy, and goes much further than it need or should for the purpose of providing necessary and justifiable official access to communications data. Clause 1 would give the Secretary of State sweeping powers to issue secret notices to communications service providers (CSPs) requiring them to retain and disclose potentially limitless categories of data. We have been told that she has no intention of using the powers in this way. Our main recommendation is therefore that her powers should be limited to those categories of data for which a case can now be made. If in future a case can be made for the power to be increased, this should not be done without effective Parliamentary scrutiny. We recommend the procedure for this.
The same procedure should apply if the power to request communications data is to be given to more authorities than the police, intelligence and security services, SOCA, HMRC, FSA and UKBA. If data is required for wider purposes than at present, this needs primary legislation.
We believe that the current safeguards on the authorisation of applications for access to data are working better than is often thought, but we make recommendations for improving them, and for strengthening the roles of the Interception of Communications Commissioner and the Information Commissioner. We suggest amending the definition of "communications data" which no longer meets current needs. We have looked at jurisdictional problems which will face overseas network providers in particular. We criticise the Government's estimates of the cost of the Bill and the benefits to be derived from it; some of the figures are fanciful and misleading.
We believe our recommendations would result in a Bill which would give the law enforcement agencies the essential tools they need to tackle serious crime and terrorism but at the same time limit the risk of intrusion into the privacy of the vast majority of honest citizens."
It's the top story in the Guardian and over at the BBC.

How can any government that supposedly opposed Nu Labour's appalling ID card scheme actually support this unconstrained federated mass surveillance? It would be hilarious if it was not so serious. Could I finally just emphasise the importance again of the evidence given by Ross Anderson, Peter Sommer, Caspar Bowden and Duncan Campbell and the Information Commissioner, Christopher Graham, to the Joint Committee. From the report it would appear that they have at least taken some of it on board.

Update: PDF of full report available here. Best Storify analysis of a parliamentary report I've ever read here by Glyn Wintle and Phil Booth, plus
 "Bottom line #ccdp bill is over-reaching, poorly drafted, ill-defined, not based on evidence or proper consultation & misleadingly costed... in other words, a dangerous costly disaster waiting to happen."

Friday, December 07, 2012

Russian report on EU record on civil rights

The Russian government has published a Report on the Human Rights Situation in the European Union, seriously criticising the EU's record on human rights. The report reads as though it has been put together by a team of people tasked with trawling the national press in member states. They have included a range of stories critical of each particular jurisdictional authority's behaviour which have a civil rights angle/s. They are not always accurate in their reporting of the cases - take this at the bottom of page 17:
"On April 2, 2012 a 21-year-old student Liam Stacey from Swansea was sentenced by a British court to the a 56-day imprisonment for his insulting comment on the social network "Twitter" about an exhausted football player who had African roots. In spite of support provided by the Council of Europe Commissioner for Human Rights, Liam Stacey did not manage to appeal the sentence."
The claim that Fabrice Muamba was "exhausted" is a little strange, is it not?!

But they have chosen a relevant selection of cases - Stacey, the torture of Omar Awadh, the killing of Baha Mousa, MI6 alleged involvement in torture of Abdel-Hakim Abu Qatada, Abu Hamza, Babar Ahmad, Moazzam Begg (former Guantanamo Bay detainee), News International phone hacking, Matthew Woods (jailed for Facebook obscenities about murdered little girl April Jones), alleged untrammeled police surveillance of protesters, and a selection of others on alleged racism, discrimination, immigration, child protection, homophobia and general lack of engagement with several international instruments associated with human rights.

Liam Stacey, for example, behaved like a moron.  But he was not a criminal and should not have been jailed.

Yet this kind of reaction by the British authorities in this and other similar cases and the mass production/implementation/normalisation of rights abusing laws and behaviours by the public and private sectors in the UK act as an absolute gift to governments and regimes with, to Western eyes, nominally less respect for human rights. Civil rights activists have been pointing out for years that it is hypocritical to lecture Russia or anyone else about the speck in their eye on human rights when the Russians believe they can point out the plank in ours. President Putin would greet with glee the notion that the UK government were driving through measures like the Communications Data Bill.

The authors devote 6 pages to the UK - more than any other country with Germany being the nearest challengers with 4 - but the cases they choose, at least in the UK context, have raised significant rights questions. So there is little surprise that they are highlighted even if the report is occasionally a bit fuzzy to say the least on the details. So when the government panders to the 'tough' (aka stupid) on crime, stupid on the causes of crime mob, they do substantial damage that extends way beyond the UK's borders.

I can't comment on the detailed cases chosen in a lot of the countries highlighted but I was a little disappointed that my homeland merited a mere half a page in the report:
"In general, the human rights situation in Ireland can be described as satisfactory. At the same time, the following problems exist in this area.
In Ireland, the continued marginalization of the Romani that form an unrecognized ethnic minority is a rather stringent social issue. In spite of the State adaptation policy, in daily life they often face discrimination in employment, medical care and education.
There are some problems for refugees and internally displaced persons, in particular, the excessively long bureaucratic procedures for registration. As a result, persons of that category have to wait for their residence permit for much longer than 6 months provided for by law.
National and international human rights activists pay special attention to the implementation of human rights during the extradition of criminals, including those suspected or accused by the U.S. authorities of belonging to terrorist organizations, from European countries via the airport of the city of Shannon to the United States. The Irish Human Rights Commission has repeatedly proposed to launch its own monitoring of foreign aircrafts to exclude cases of torture and degrading treatment of prisoners. The Irish authorities do not allow it referring to relevant provisions of the national legislation.
The media has repeatedly touched the issue of human rights violation in national prisons. It mainly consists in exceeding the number of prisoners in cells determined by law, inconsistency of places of detention with health and conditions of detention standards.
Since the end of 2008, due to the economic difficulties, the Irish government has conducted a number of budget cuts in the area of activities of public authorities related to human rights implementation in Ireland. For example, the National Consultative Committee on Racism and Interculturalism and the Combat Poverty Agency were disbanded. National human rights activists have expressed serious concern about those actions of the government. According to them, the measures taken caused serious damage to the national human rights institutions and to Ireland’s international image in the human rights sphere."
"Satisfactory"! That's an insult.  I demand a recount.  They really could do with some serious lessons in the history and contemporary politics of the beautiful Emerald Isle.

Tuesday, December 04, 2012

Irish Data Protection Commissioner still a Facebook friend

The Irish Data Protection Commissioner's Information Officer, Stewart Fennell, has responded to my communique of 12 November.
"Dear Mr. Corrigan

Thank you for your email highlighting a concern over items of personal data which you believe were not provided by Facebook Ireland (FB-I) in response to your access request.

The issue of FB-I responding to access requests for personal data was a key focus of the audit carried out by this Office, a report of  which was published in December 2011 (available on our website www.dataprotection.ie ).  In that Report it was indicated that " the key requirement in response to an access request is to ensure that a user has access to their personal data.  Therefore, either the data must be available on the requester’s profile page, their activity log, which is a feature of the new user Timeline, or via the download tool.  From a transparency perspective, it is desirable that most, and ideally all, of a user’s data should be available without having to make a formal request.  FB-I therefore will be implementing a number of enhancements to the activity log to provide users with access to and control over information about them.”  Given the complexity of the engineering task to extract and make available or supply the personal data available to users, the report outlined a detailed schedule specifying when different data sets would be provided.  That process is now complete.  The one exception up to end of October was in relation to metadata associated with uploaded photos to the site.

Facebook has produced detailed help on how to access personal data on the site together with a detailed description of the data that is available either from a user's Activity Log or via the download tool https://www.facebook.com/help/326826564067688.  We have worked extensively with FB-I on this help page.

Based on our audit and follow-up work with FB-I, it is our position that there is no personal data that can be supplied by FB-I that is not now available to users.

We hope that the above comprehensively addresses the matters which you have raised. However, if there are specific items of personal data that you have not received and believe are retained by Facebook-Ireland, we would appreciate it if you could give us details so that we can consider the matter for further investigation.

Yours Sincerely,

Stewart Fennell
Information Officer
Office of the Data Protection Commissioner Canal House Station Road Portarlington Co. Laois

Ph: 057 868 4800
Fax: 057 868 4757
E: info@dataprotection.ie
www.dataprotection.ie"
He again asks me to give him details of "specific items of personal data" that I "have not received and believe are retained by Facebook-Ireland".

I haven't got the time to provide a considered response today but my first question again is how can I provide him with specific information on data that is not made available by Facebook?

If Facebook is holding “information constituting any personal data of which that individual is the data subject” that  it does not disclose - and it has admitted in its auto-response to my original complaint that this is the case - how do I find out what that data is, so I can tell the Irish Data Protection Commissioner specifically what the company is withholding?

Mr Fennell seems to be suggesting that his office is sympathetic to Facebook and the only way they will order complete disclosure is if someone somehow (legally, I presume) can determine what data Facebook are withholding, either deliberately or because of the technical complexities involved. So the DP Commissioner will consider further investigation, only if I can find out what is being hidden and let them know. This is real chicken and egg stuff. Why would I need the DPC to engage in "further investigation" let alone then consider actually ordering disclosure, if I had already found the data?

Maybe I should consult my favorite data expert...?

Update: It looks like the Europe v Facebook group are planning to tackle the Irish Data Protection Commissioner on this issue through the courts.

Monday, November 26, 2012

Privacy v Convenience/attraction/gratification/access/community/conformity

Thanks to Martyn Thomas via the invaluable FIPR Alerts list for the pointer to the European Network and Information Security Agency (ENISA) report on Privacy considerations of online behavioural tracking published on 14 November.  ENISA have been fairly active on the privacy front this year with four reports, a study on monetising privacy and one on data collection and storage in the EU both published in February, the tracking report from a couple of weeks back and one last week on the right to be forgotten.

The data collection study highlighted "the clear contrast between the importance of the privacy by design principle on the one hand and the reality of lax data protection practices with many online service providers on the other hand" and aimed "to conduct an analysis of the relevant legal framework of European Member States on the principle of minimal disclosure and the minimum duration of the storage of personal data." The authors' recommendations, in brief, were:
  • "the national Data Protection Authorities should provide clear guidelines to data controllers;
  • the Article 29 Data Protection Working Party, the European Data Protection Supervisor and ENISA should do the same for specific areas of processing of personal data with pan-European impact;
  • the Data Protection Authorities should aim to improve user awareness relating to the rights stemming from the data protection legislation and on the possibilities offered to users by the legal system to exercise these rights, including by complaining in cases of excessive collection and storage of personal data, and
  • the Member States should identify and eliminate conflicting regulatory provisions relating to the collection and storage of personal data."
The monetising privacy report said that the uptake of privacy enhancing technologies is low and there are not many options, possibly because only a small number of people are prepared to pay for them.

The tracking study notes "Internet users are being increasingly tracked and profiled and their personal data are extensively used as currency in exchange for services. It is important that this new reality is better understood by all stakeholders if we are to be able to support and respect the right for privacy." It provides a technical perspective on behavioural tracking, asks "Why are users tracked? What techniques are used? To what extent are we tracked today? What are the trends? What are the risks? What protective measures exist? What could regulators do to help improve user privacy?" and recommends:
"- Development of anti-tracking initiatives and solutions for mobile applications; the users of mobile devices are more exposed as most anti-tracking initiatives are not focusing on mobile devices
- Development of easy-to-use tools for transparency and control; awareness is important but there is a need to enhance transparency tools to allow the users to know how their personal data is collected, managed and transferred
- Enforcement solutions should be deployed to block misbehaving players and to force compliance with rules and regulations regarding personal data protection; mechanisms should be defined by regulatory bodies both for compliance and for monitoring and detection of violation of the rules
- Privacy-by-design should be promoted; regulations have an important role in boosting the adaptation of privacy-preserving solutions, i.e. by enforcing the rules, and by ensuring the existence of complete, compliant, concrete and meaningful privacy policies."
The right to be forgotten paper focuses on technical limitations and challenges when trying to enforce such a right.
"The recommendations of the paper cover multiple aspects:
  • Technical means of assisting the enforcement of the right to be forgotten require a definition of the scope of personal data, a clarification of who has the right to ask for the deletion of personal data under what circumstances, and what are acceptable ways to affect the removal of data. Data Protection Authorities, the Article 29 Data Protection Working Party, the European Data Protection Supervisor, etc. should work together to clarify these issues. Furthermore, when providing the above mentioned definitions, the technical challenges in enforcing the right to be forgotten (and the associated costs) for a given choice of definition should be considered carefully.
  • For any reasonable interpretation of the right to be forgotten, a purely technical and comprehensive solution to enforce the right in the open Internet is generally impossible. An interdisciplinary approach is needed and policy makers should be aware of this fact. 
  • A possible pragmatic approach to assist with the enforcement of the right to be forgotten is to require search engine operators and sharing services within the EU to filter references to forgotten information stored inside and outside the EU region. 
  • Particular care must be taken concerning the deletion of personal data stored on discarded and offline storage devices. 
  • Data controllers should be required to provide users with easy access to the personal data they store and ways to update, rectify, and delete data without undue delay and without cost to the user (to the extent that this does not conflict with other applicable laws). 
  • Research communities, industry, etc. should develop techniques and coordinate initiatives that aim at preventing the unwanted collection and dissemination of information (e.g., robot.txt, do not track, access control).
As mentioned above, this paper is complementing two other recent publications of ENISA in this area. In this broader context, given the findings of this paper, ENISA recommends that policy makers should ensure the use of technologies supporting the principle of minimal disclosure in order to minimize the amount of personal data collected and stored online. We also recommend the use of encryption for the storage and transfer of personal data. Particular attention should be focusing on tracking and profiling online, and enforcement solutions should be deployed to block misbehaving players and to force compliance with rules and regulations regarding personal data protection.

At the same time, Data Protection Authorities, the Article 29 Data Protection Working Party, the European Data Protection Supervisor, etc. should work together to clarify pending definition issues taking into account the practical implementation aspects while Member States should eliminate conflicting regulations."
They are all worthy studies by smart people with sensible recommendations. When reading them I found myself nodding and mumbling "absolutely!" and "couldn't agree more" and "you got that one right - it is impossible"  and "somebody gets it!".

Then, as increasingly with these things, I turn the final page and depressingly ask what difference is this going to make?

We have a fundamental problem with privacy and the human condition. We say, when asked, we care about it - and we do - but we act like we don't. That's down to:
  • attraction - we like the stuff we (non-transparently/invisibly) give up our data for
  • gratification - we enjoy and find useful the stuff we (invisibly) give up our data for and we get at it easily and quickly on the Net
  • access - we get at services and deals on the internet and offline (e.g. supermarket "loyalty" card schemes) that we would not otherwise get without (invisibly) giving up our data
  • community - we get access to communities by (invisibly) giving up our data
  • conformity - we get the chance to fit in by (invisibly) giving up our data
  • convenience (and this one beats everything) - it's easier on the net even if we have to (invisibly) give up our data
The payoff is instant or at least quick and visible. Yet the damage to privacy at an individual, community, regional, national and global level is abstract, invisible, long term and undermines the fabric of our society.

So how do we deal with the pathological calculus that is -
Privacy vs Convenience/attraction/gratification/access/community/conformity/convenience?
Put another way, how can so much be given up by so many for so little so often?

And how do we begin to evolve towards a situation where a significantly greater proportion of the population realise and act according to the exponentially invaluable value of our personal data currency?

Tuesday, November 20, 2012

Irish Data Protection Commissioner Facebook friend

The Information Officer at the Irish Data Protection Commissioner's Office has responded to my complaint about Facebook.
"Dear Mr. Corrigan

Thank you for your email received by our office on the 16th November, 2012.
The provision of personal data by Facebook Ireland either on a user's account, activity log, the download tool and the enhanced archive is considered by this Office to fully meet the requirements of the Data Protection Acts in relation to access.

If you consider that specific data is not available we need specific information from you as to what data in particular you consider was not made available.

Yours Sincerely

Stewart Fennell
Information Officer
Office of the Data Protection Commissioner Canal House Station Road Portarlington Co. Laois

Ph: 057 868 4800
Fax: 057 868 4757
E: info@dataprotection.ie
www.dataprotection.ie"
Interesting trick that.  The Irish Data Protection Commissioner's Office believe Facebook "fully meet the requirements of the Data Protection Acts in relation to access" and require me to detail the specific data that Facebook have about me that they have not made available.

Yet I don't know the data they hold on me and want to find out. If I can borrow from a certain Mr Rumsfeld, this is a known unknown the details of which are unknown to me and therefore unspecifiable by me.

I've replied to Mr Fennell as follows.
"Dear Mr Fennell,


The point of my original data access request was to find out what information Facebook hold on me.

The company has made clear in its automated response, despite your apparent belief to the contrary, that it does not provide all the data it holds on users through its download tools:

"One tool provides the most common data users are seeking when they make data requests. The second tool, called “expanded archive”, contains additional data.  We will continue to add data to your expanded archive over the next few months."

Could you explain how I provide you with specific information on data that is not made available by Facebook, without having any way of finding out the specific data it does not provide through its download tools?

I would remind you again of the plain wording of section 4(a)(iii) of the Data Protection Act which refers to entitlement to “information constituting any personal data of which that individual is the data subject”.

I fail to see how a link to a couple of data download tools with restrictive licences and an instruction to use these to mine the Facebook site to see what I might find can be considered by the Data Protection Commissioner to “fully meet the requirements of the Data Protection Acts in relation to access.” Could you therefore provide me with evidence of this and details of the Commissioner’s ruling to the effect that these Facebook tools do fulfil the company’s obligations under the Acts and how and why they do so.

Regards,

Ray Corrigan"
Update 21 November 2012:  At 10.10am this morning I got another acknowledgement from the IDC's office identical to the first one they sent - they have not yet categorised my communication as a 'query' or a 'complaint' with the same warning in Irish and English that I should not share it with anyone but they will get back to me within 15 days.

Monday, November 19, 2012

Acknowledgment from Irish Data Protection Commissioner

I've received a boilerplate response from the Irish Data Protection Commissioner's office to my complaint about Facebook. They haven't even looked at it closely enough yet to determine whether it is a "query" or a "formal complaint". This kind of 'we have to respond within x days to meet our target' rule is such a waste of time and energy when it leads to automation of these non-responses.

The non-response includes a sign-off warning that I should not share it with anyone else - in Irish and English. Here it is in full:

"To Whom It May Concern

I acknowledge receipt of your e-mail to the Data Protection Commissioner.
Where your email relates to a query (as distinct from a formal complaint under the Data Protection Acts),  you should be aware that in line with our Customer Service Charter we aim to reply within 15 working days and usually much sooner.
 In doing so, we will communicate clearly, providing you with a full response to your query.

If we are not in a position to issue a reply within that period, we will inform you of its status.

Regards

Office of the Data Protection Commissioner Canal House Station Road Portarlington Co. Laois

LoCall: 1890 252 231    Ph: +353 (0)57 868 4800    Fax: +353 (0)57 868 47 57


**********************************************************************************
Is le haghaidh an duine nó an eintitis ar a bhfuil sí dírithe, agus le haghaidh an duine nó an eintitis sin amháin, a bheartaítear an fhaisnéis a tarchuireadh agus féadfaidh sé go bhfuil ábhar faoi rún agus/nó faoi phribhléid inti. Toirmisctear aon athbhreithniú, atarchur nó leathadh a dhéanamh ar an bhfaisnéis seo, aon úsáid eile a bhaint aisti nó aon ghníomh a dhéanamh ar a hiontaoibh, ag daoine nó ag eintitis seachas an faighteoir beartaithe. Má fuair tú é seo trí dhearmad, téigh i dteagmháil leis an seoltóir, le do thoil, agus scrios an t-ábhar as aon ríomhaire. Is é beartas na Roinne Dlí agus Cirt agus Comhionannais, na nOifígí agus na nGníomhaireachtaí a úsáideann seirbhísí TF na Roinne seoladh ábhair cholúil a dhícheadú.
Más rud é go measann tú gur ábhar colúil atá san ábhar atá sa teachtaireacht seo is ceart duit dul i dteagmháil leis an seoltóir láithreach agus le mailminder[ag]justice.ie chomh maith.

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.  It is the policy of the Department of Justice and Equality and the Agencies and Offices using its IT services to disallow the sending of offensive material.
Should you consider that the material contained in this message is offensive you should contact the sender immediately and also mailminder[at]justice.ie."
They haven't even bothered to address me by name. Let's see what comes next within 15 days - my guess is an auto acknowledgement that my communication is not a query but a formal complaint which they will be required to address within the requisite time period set out in section 10 of the Irish Data Protection Act.

Friday, November 16, 2012

The Truth About Dishonesty

MIT's Dan Ariely talking about dishonesty, beautifully illustrated by RSA Animate:
 

Facebook data access experiment

On 30th November last year I deleted my Facebook account. The account and all the data associated with it were supposed to be purged within 14 days.

Nearly 12 months on I wanted to test that, so as an experiment I've signed up for Facebook again. I don't intend to use the account so please do not message me or send friend requests etc. as I won't be responding to them.  I've locked down the privacy and security settings in an effort to block Facebook from harassing people they think I know that I'm back but I don't have a lot of time, didn't go through all of them and this will be leaky.

Apologies in advance, therefore, if Facebook do hassle anyone about my (non) return.

The sign up process was tedious and, amazingly, Facebook eagerly invited me to become friends with a whole host of familiar names and faces. How did they know?!

So suspicion has already set in that what I remember as a promised data purge (I knew I should have checked/recorded the wording more closely at the time), on account deletion, was not as thorough as the warning implied it might be. Looking at the current wording on the delete my account page, it hints at data deletion but then again not really:
"If you do not think you will use Facebook again and would like your account deleted, we can take care of this for you. Keep in mind that you will not be able to reactivate your account or retrieve any of the content or information you have added. If you would still like your account deleted, click "Delete My Account"."
The data won't be retrievable by me and the capacity to reactivate the account won't be within my control but the fate of data generated by and about the deleting account holder is left unspecified.

In any case, now I'm a fully fledged Facebook devotee [sic] again, (though I don't necessarily have to be an account holder to do so), I can send them a subject access request which I have duly done, in the hope of finding out what deleted/irretrievable/retained data they inadvertently or otherwise might have about me, since the cancellation of my original account:
Dear Sir/Madam,
I wish to make a data access request, under section 4 of the Data Protection Act 1988 as amended by the Data Protection (Amendment) Act 2003, for a copy of any information you keep about me, on computer or in manual form.
Thank you,
Ray Corrigan
Email: **@**
Birthdate: ** *** *****
Since Facebook's European headquarters is in Dublin I've made the request under the Irish data protection regulations and Facebook are obliged to respond within 40 days. If anything interesting emerges I'll report back.

In the meantime if you'd like to pursue Facebook's ongoing compliance with EU data protection regulations you can find the Irish Data Protection Commissioner's audit of the company here. Further details of how well Facebook are doing on the EU privacy front are available at Europe v Facebook and Ars Technica has a prominent profile in recent days of the student behind the site. Thanks to Eoin O'Dell for the link.

Update: Facebook's automated response has arrived:
"Hi,

Thank you for contacting us to make a data request. You can access your data on Facebook in several ways.  First, your account itself, including your timeline and activity log, contains the vast majority of your personal data.  Second, we have two tools that allow you to download your data. They are both available by going to your Account Settings. One tool provides the most common data users are seeking when they make data requests. The second tool, called “expanded archive”, contains additional data.  We will continue to add data to your expanded archive over the next few months.

Your expanded archive may include:

• Pending friend requests
• Your mobile telephone numbers
• Account status changes – if, for example, you deactivated and then reactivated your account
• Birthday visibility
• City and hometown info
• Data cookie info – cookie used for security purposes
• Events info
• Family members (listed by you or your family)
• IP addresses stored by Facebook
• Spoken languages
• Login info, including a list of the logins we have stored
• Logout info, including a list of IP addresses we've stored, from which you’ve clicked Log Out
• Poke info
• Previous names
• Relationship info

You may also use the main download your information tool, as well as your Wall or timeline and activity log to access your:

• Comments on others' posts, photos
• Posts on others' timelines or Walls
• Others' posts on your timeline or Wall
• Various apps’ activity
• Open graph activity – listened to a song, read an article, and so on
• Status updates
• Likes
• Posts in groups
• Posts on pages
• Shared links, photos and other info
• Added friends

To learn more about specific types of personal data that Facebook uses and how you can access your own data, please read on.

Personal Data Processed by Facebook

To learn more about your data on Facebook, please read the Data Use Policy: https://www.facebook.com/about/privacy/
This policy describes:

• Categories of data being processed by Facebook
• Personal data that Facebook receives from Facebook members
• Sources of this info, if known
• Reasons for processing this data
• Recipients or categories of recipients to whom Facebook members’ personal data are or may be disclosed

Accessing Your Facebook Data – Active Account

To download your information or your expanded archive:

1. Click the V menu at the top right of any Facebook page.
2. Choose Account Settings.
3. Click "Download a copy of your Facebook data." To access the new categories of info, click “expanded archive.”

To check to see whether your credit card information is stored on Facebook, go to Account Settings > Payment Methods. From there, you may choose to change or delete stored credit card information.

Please note that you’ll be asked for your account password in order to start your download. Your downloaded file may contain sensitive information. You should keep your downloaded info secure and take precautions when storing, sending or uploading it.

You can also access personal data from your current timeline and activity log anytime. Just log into Facebook to edit this info. If you have trouble logging in to your account, please visit our Log In and Password help page:

https://www.facebook.com/help/?page=174

Accessing Your Personal Data – Without an Account

If you can’t access your account or don’t have an account, please follow the link below to complete a form and request your data:

https://www.facebook.com/help/contact_us.php?id=166828260073047

You may be required to provide additional information to authenticate your identity.

Thanks,
The Facebook Data Access Request Team"
This does not address the company's obligation under section 4 of the Irish Data Protection Act to provide me with the data they hold on me.  So I've contacted the Irish Data Protection Commissioner at 'info@dataprotection.ie' to complain.
"Data Access Request unsatisfactory response: Facebook Ireland Ltd.
FAO
Office of the Data Protection Commissioner.
Canal House,
Station Road
Portarlington,
Co. Laois
Eire

Dear Sir/Madam,


I sent the initial request by email today, 16 November 2012.

I got an automated response by e-mail from the company, saying that I should use two tools to download “common data” and additional “expanded archive” data.  The company says they “will continue to add data to your expanded archive over the next few months”. By the company’s own automated admission, therefore, they have not provided me with full access to “any personal data” they hold about me.

These tools mentioned in the response are not sufficient to discharge Facebook’s obligation in law to provide me with access to “any personal data” the company holds and processes about me, in intelligible form.  Under section 4 (a)(iii) of the Data Protection Act,

an individual shall, if he or she so requests a data controller by notice in writing—

(iii) have communicated to him or her in intelligible form—

(I)  the information constituting any personal data of which that individual is the data subject, and

(II) any information known or available to the data controller as to the source of those data unless the communication of that information is contrary to the public interest,

and
                       
(iv) where the processing by automatic means of the data of which the individual is the data subject has constituted or is likely to constitute the sole basis for any decision significantly affecting him or her, be informed free of charge by the data controller of the logic involved in the processing,

I therefore ask you to take the necessary steps to make Facebook Ireland Ltd comply with my personal data access request and section 4 of the Irish Data Protection Act. I would appreciate your formal decision on this complaint as soon as possible.

Yours faithfully,

Ray Corrigan"

Thursday, November 15, 2012

B2fxxx turns ten today

B2fxxx is ten today.

I started posting here in November 2002, under a pseudonym, to provoke discussions amongst my internet law students about contemporary issues and cases that hadn't made it into the original course materials.

Day 1, 15th November, 2002, covered:
  • A movie executive believing movie piracy deserves as much attention as the war on terrorism; claiming the film making business would be dead within three years. 
  • Princeton professor, Ed Felten, suspending daily entries in his 'Fritz's Hit List', where he listed examples of the kind of things which would need copyright protection built in, if the then proposed Consumer Broadband Digital Television Protection Act (CBDTPA) ever became law in the US. It included digital dog collars, sat navs, cockpit voice recorders, a remote controlled fart machine, baby monitors, Barbie toys, robot dogs and many others.
  • UNESCO's then Information Society Division director Philippe Quéau's worries about telecoms monopolies.
  • An American Library Association conference on the USA/PATRIOT Act
  • The risks ethical hackers could be exposed to in helping the FBI track down child abusers.
All of those generic issues are still live (not the CBDTPA specifically, about which the EFF did a terrific parody song at the time, but it has been regularly resurrected and partly implemented in various forms in different jurisdictions and international instruments in the course of the ensuing decade).

The blog very quickly became too useful as a personal notebook and I dropped the pseudonym.

This is my 4504th post here with the peak years, quantitatively at least, being 2005, 2006 and 2007 which saw 934, 921, and 718 contributions respectively. Last year was down to 64.

The site has had a relatively small and eclectic readership with, if the Blogger and Sitemeter statistics are to be believed, visitors (or bots) from well over a hundred countries, today headed up by the US, followed by Norway and then the UK, Russia and Ukraine.

I've been largely focussed on digital rights and education, but have strayed into football and pretty much anything else that's piqued an interest. If you have dropped in, thank you and if you've come back thanks again. Hopefully you've found something useful, engaging or thought provoking, at least in the material I've pointed to.

In that spirit and particularly if you're a digital rights junkie, could I emphasise the importance again of the oral evidence given by Caspar Bowden and Duncan Campbell to the Joint Committee conducting pre-legislative scrutiny of the draft Communications Data Bill. Caspar Bowden's written evidence (pp73 - 92) is also essential reading, as is that of the Open Rights Group (pp358 - 373), Peter Sommer (pp433 - 449), the Information Commissioner (pp504 - 511), Ross Anderson (516 - 518) and the Foundation for Information Policy Research (pp146 - 151).

Some highlights from Caspar Bowden's oral evidence to the committee on the 30th of October:
"Q1018
...
Caspar Bowden: ... I think the Committee should be clear that this proposal for ISPs to log websites visited is intrusive and, frankly, it lacks a legal basis. There is no basis for doing this currently, as I understand it, under UK laws or secondary legislation that has currently been enacted, nor is there any legal basis for doing this under the European data retention.
...
Q1024
Dr Huppert: So the IP data can be done without the legislation and the weblogging, you say, is very hard to do.
Caspar Bowden: I think it is legally hard and in terms of human rights it is hard, because if I understand your point correctly, it is about whether we take the premise of Clause 1: that there shall be blanket retention for everybody in the country of certain categories of data. That is still extremely problematic in human rights terms, so I would want to refocus the question on whether the fundamental methodology is collecting data about people about which there is reason to collect—whether there is some basis of suspicion, whether they are in vulnerable groups. To take a rough figure, it is about whether we are talking about 1% of the population, as opposed to recording data about 100% of the population. That seems to me the essential principle at stake.
...
Q1028
Mr Brown: Have any of you given any thought to what elements might be involved in post-legislative scrutiny arrangements were we to recommend such a thing?
Caspar Bowden: ...
I think that I would like to see a much closer connection between Parliament and the oversight and continuous review of any internet surveillance legislation. In particular, in my written evidence, I made reference to a recent European Parliament report that did a comparative analysis of different countries, how they have set up their oversight machinery and their relationship to Parliament. The UK did particularly poorly in that; the European report was very critical of, shall we say, too close links between the oversight role and the executive. That seems to me a syndrome that we indeed have.
...
Q1045
...
Caspar Bowden: ... I have referred to a problem in my written evidence that I call “schizoid jurisdiction”. This occurs when an international provider decides to respond, say, to a RIPA Part 1, Chapter 2 request or demand for communications data and they fulfil this through their local office and they give this to the local law enforcement agency, exactly as would occur with a domestic communications service provider. But when a data subject—an individual—makes a request to exercise their privacy or data protection rights, then the company will say, “Oh no, I am sorry. That data was transferred to the United States”, and now falls under something like the Safe Harbor Agreement where, in practice, the individual’s rights are much less.
...
Caspar Bowden: ... I think what we are asking is for law enforcement to look at their task progressively in a different way, which is instead of assuming that somehow there can be blanket recording of this data about the entire population, it is going to be more of a question of beginning, as it were, with the threads that are available and then developing an investigation. You would widen the circle of interest and cumulatively broaden the use of the powers of preservation until you were in a position to acquire the evidence and intelligence you need. This could be something of an upheaval for the way law enforcement has proceeded so far and I think this must be accepted, but honestly, we have to give data preservation a chance. We have to develop a credible regime with which law enforcement can live to try and make this work before we go to the stage of saying that somehow it is acceptable to perform this blanket preservation on everybody in the entire country.
I will offer, perhaps, a slightly dramatic example of how far we have come in 10 or 15 years. In communist Albania, the secret police, the Sigurimi, used to have a ritual where every year they would require every citizen to come and have a chat with their secret police. Each person would be required to co-operate in building what was called a “biografi”. This was, as it were, a personal dossier in which they would have to record all of their social relationships, social contacts and main meetings that had happened to them over the previous year. In terms of the way we live our lives now, particularly the way in which social relationships are expressed, through the internet, we are effectively allowing the Home Office to build a biography on everybody in the country on their pattern of social relationships and on the fabric of everyday life. It seems to me, just taking a step back, it is extraordinary that we have got to this situation at all and we are even contemplating it.
Q1048
Craig Whittaker: Mr Bowden, can you honestly believe for one minute, though, we are talking about an Albania situation here in the UK? We are not talking about building a profile. We are talking about securely storing information. The profile-building, if you will, will be in the access and the safeguards put in place to get that access. I think that is a little bit scaremongering, from that point of view.
Caspar Bowden: With respect, not. Look at the testimony of William Binney; I also referred to in my written evidence, and his video to a hacker conference in New York is available online. William Binney was a senior National Security Agency engineer who has now become a whistleblower, objecting to these types of practices conducted in the US. The technology that he, as a senior engineer, was building 10 years ago was in fact precisely an automated biography file; it was not merely a question of leaving this data passively in place. And there is a direct correspondence between the sort of machinery that he engineered 10 years ago and what is proposed in the filter. Of course, it depends exactly how the filter is going to be implemented and what lies behind the filter, but I do not think it is correct to imagine that somehow these are, as it were, passive piles of data sitting around. Even if that was the case, there is certainly case law at the European Court of Human Rights to show that blanket retention of this kind of data, particularly if it is going to be used for pattern analysis and traffic analysis, is well beyond what the European Court has tolerated so far.
...
Q1061
Baroness Cohen of Pimlico: If we could get the subscriber data definition satisfactory, you would not feel that needed a magistrate. You would be happy with a SPOC doing that. I do not mean to put words in your mouth; I am trying to check.
Caspar Bowden: With other qualifications, that is broadly my position, because I think that represents something that is doable. That would have to be done, in my opinion, with a move towards a preservation methodology by law enforcement.
Q1064
Stephen Mosley: We have heard diametrically opposed views on the filter. On the one hand, I know, Mr Bowden, you have described it as a “hyper-Orwellian menace”, while the Home Office would let us believe it is a way of protecting people’s privacy by eliminating people who they are not interested in. I guess it could be either, depending on how it is used, so the oversight and the control of the filter is going to be incredibly important. What kind of oversight do you think the filter should have to ensure the protection of people’s privacy?
Caspar Bowden: Perhaps it will not surprise the Committee to say that I do not think the filter should be built under any circumstances for domestic surveillance. It is understood that GCHQ have had these sorts of capabilities for many years for international communications, but I simply think that the kind of capabilities described in the filter are intrinsically incompatible with a modern democratic society—on the basis of blanket data retention, you understand. If we are talking about preservation of data about designated targets, where for each designated target there is a reason and a justification—even if that is a reasonable belief or a reasonable suspicion—that is still a far smaller 1% of data than one would be talking about on the basis of blanket retention. But for anything to do with the so-called filter—I would call it data mining—of particularly traffic data, which is so prejudicial to private and intimate life, I think safeguards and oversight are irrelevant. I just do not think it should be done in a democracy."
There is no doubt that targeted data preservation, on the basis of intelligence-informed reasonable suspicion, is far more useful from a security, intelligence and law enforcement perspective than blanket data retention. Mr Whittaker's umbrage at Caspar's comparison of UK proposals to the situation in Albania is one of the fundamental problems with trying to expose the dangers of this stuff. "How dare you compare us to despots" is the outraged response to a deeply informed, careful analysis, demonstrating the government are effectively proposing to build intimate digital profiles of the entire population. It becomes fingers in the ears, la la la, not listening time for some of the key characters who really have to understand what it is they are doing.

Some highlights from Duncan Campbell's evidence to the committee on 23rd October:
"Duncan Campbell: I found it difficult to hear the Home Office complaining of unfairness when what they are putting forward to Parliament and this Committee is something that has really been stewing around for at least 10 years, being pushed forward in various ways, and yet when the witnesses come here it seems that no one in the telcos knows what they plan to do or how they will implement it. I was also gravely concerned that Mr Farr in his evidence, and within almost his first interchange with Mr Ellis, completely misled the Committee about the situation with communications data. I put a note in to expound on this should it be necessary, but the statement that 30 years ago BT was collecting communications data, and the implication that they will now not be making that sort of information as available, is the exact opposite of the truth. So, he is extremely badly informed, and passing on poor information and misrepresenting the situation as it is seen now in terms of the amount of information that is available, which has been increasing. It has been increasing as devices become available and new forms of data, for example location and cell-site analysis, come into the system. So I see the Home Office as having mis-served itself very badly from the very title of the presentation of the Bill as remedying a gap. No, they are not. Perhaps proportionately there are things that could be done, areas that can be addressed, but they have left themselves wide open to this accusation of it being a snoopers’ charter.
I would not quite endorse that title yet, because what they are creating, if Parliament were to give them the powers in this form, would really be a universal surveillance engine attached to the mass or all of the British internet. Now, what you do with it, and whether it does become a universal snooping engine, is withheld from us, because none of the orders, none of the codes of practice, none of the facilitating instructions, some of which may come to Parliament, some which may remain classified, are before us. So, again, given the degree of obscurity, the surveillance engine could be the snoopers’ charter or it could be reined in.
I would just, finally, say that the important point of human rights, which seems to have been overlooked in the way the Bill was drafted, has been formed. It has been formulated for us by the European Court and really supports the apprehension that perhaps is seen as coming too stridently from some journalists. “The mere existence”—and I am quoting now from the judgment—“of legislation which allows a system for the secret monitoring of communications entails a threat of surveillance for all to whom the legislation may be applied. This threat necessarily strikes at freedom of communication between users,” which is Henry’s point and I would absolutely and strongly endorse that for the special case of journalists seeking confidential sources and secure communications to them when those sources act and come in the public interest. The Court finally said the mere existence of legislation of this type is an interference with Article 8 rights irrespective of whether there were to be measures taken against an individual person. So that is a very powerful legislative Act, longstanding in the European jurisprudence, that really does go to help understand why epithets like “snoopers’ charter” have had widespread currency.
Q752
...
Duncan Campbell: ...What is it that my police colleagues would like to be bringing into court that they could get from communications data that they do not now get? There are relatively few things, given the richness of material from other sources, and if you take, for example, whether we can go to Skype, it has been laid out that there is a completely alternative route for going to Skype, so we do not need to worry about Skype in this context.
They have also eschewed looking at things that could be simply explained to Parliament and public. Way, way, back, 12 years ago, we were working on Chapter 2 of RIPA and soundings were taken, views were expressed, as to how you proportionately apply the surveillance of weblogs. Chapter 2 of RIPA does provide some powers, but it has never really been put into practice. Now, since the new provisions, excluding the additional filtering requirement, necessarily embrace all of that, that whole debate could have been laid out in the open. The Home Office could have briefed on it, they could have addressed the arguments that were put for both sides then, expressed a position, allowed Parliament to take its view and so on and so forth. So they have missed a lot of areas where, without needing to have recourse to national security considerations, they could have been open.
Q753
Lord Strasburger: I was going to ask you why you think the Home Office have got it so wrong.
Duncan Campbell: I think they have insulated themselves too much into a very small group that really only essentially talk to themselves and a few others, a few key engineers, and not sought to access even, perhaps, their own Ministers in getting an understanding of what might be required and what might be developed. They are operating in too small a world. I went myself to one of the Home Office briefings a couple of years ago when we were looking at the previous Bill and asked them to try to explain some simple points, and they struggled. They did not seem to know their brief and they did not seem to be very enthusiastic about learning their brief. It was very disappointing.
Q754
The Chairman: You said in your opening remarks, Mr Campbell, that there are areas that could be addressed. It would be helpful if you could elaborate on those for us, please.
Duncan Campbell: First of all, I referred to weblogs. Now, internet service providers do not routinely obtain a log of what happens when a user, any one of us, is using our browser. In fact, a very rich trail of information is generated, many entries per page, on your computer, and for a certain time it would also be held by the communications service provider. So a step that the Home Secretary could take is, by order, to have that data held. It would be huge; it would be difficult to process, but we all know what it is. It comes into the courts every day, because it is also found on suspects’ and defendants’ computers. So it is a kind of evidence that need attract no secrecy. The businesses do not want it because beyond, say, a few weeks to do an engineering study of whether your server is working, you absolutely do not want to store that kind of data. But there need be no secrecy about those kinds of records or how they might be filtered or how they might be used and, indeed, the previous debate on RIPA addressed that. I think Professor Anderson’s evidence also covered some points about that and probably Professor Sommer’s too.
Then there are those areas where the solutions cannot exist realistically. The Information Commissioner mentioned virtual private networks; I would agree with that. There is the problem of Tor. It is a problem from the point of view of UK law enforcement, but, although I did not put it in my CV, I go and work for the other side on occasions, in that respect, bringing the knowledge of what you can hide. I have done that quite specifically in support of the Syrian insurrection and people who are struggling to overthrow the Assad regime and, of course, they have high dependency on Tor, their lives are at risk and if this Government were to, by some method—and I think Tor would say it is impossible—make that not available to them, we would bring about a far greater deficit in human rights in other parts of the world.
You have things like Skype, which have set out a model that works if you address the mutual legal assistance treaty things, and I have seen products come into the courts from MLAT. It is effective; it is what you want; it is the communications data that is asked for. All of that is not being considered.
Q755
The Chairman: There are criticisms that MLAT is a bit slow.
Duncan Campbell: I have never seen MLAT work fast, but I think already comments have been made as to the way the Foreign Office could be encouraged to speed that up.
Q756
Lord Strasburger: You talk about the request filter. Is it the case, in your view, that the distributed database that this Bill foresees combined with the request filter is going to be any different from the centralised database that was proposed in previous legislation?
Duncan Campbell: It appears to be larger, notwithstanding that it is distributed. I say that because the centralised database would ingather the communication service providers’ records at the specified times and hold them nationally with, no doubt, automated access, and that is required to come into being by the first part of the Bill. So basically, you have the national database within the Bill anyway, save that it will be held, in this model, by the CSPs. You then layer onto that the DPI devices that will hang on the key points of the United Kingdom network and mine as yet unspecified classes of data, presumably into similar local databases, but they will, by their nature, have to be integrated nationally, and I think this was conceded by the Home Office witnesses. You are going to data match across things that you see in the content derived from different nodes on the internet with different companies in order to try to get a match to generate communications data. So, if that analysis is correct, this is the national database of the previous scheme plus the additional databases supporting the need to retrospectively look at, I would imagine, a year’s data taken from whatever the filtering system turned out to be. So, a bigger database.
Q757
Lord Strasburger: This is for Mr Campbell specifically. Back to the filter. We have had evidence querying whether the results from the filter will meet evidential standards. If you were working with defence counsel on a case that relied on filter results, how would you go about questioning the admissibility of evidence derived from the filter and the weight to be attached to it?
Duncan Campbell: Lord Strasburger, my expectation is that the courts would probably never get to see the kind of information passed out of the proposed request filter. I will explain why in a minute, but the obvious point that goes to is how useful this can really be for prosecutions. The evidence given specifically in Liberty v the United Kingdom was that we are not going to discuss filtering, it is too complicated, you will not understand it, it is all classified, and we are not going to reveal our methods. The main reason for doing that, I suspect, is that the driving problem—which they never quite admitted until they came here and said, “We are never going to get one in six communications”—is that they do not want people to figure out what it is that they cannot get, because, fairly obviously, the bad guys will navigate through that. So their clear position in Liberty v the United Kingdom was that they do not want to explain how filtering works and they are trying to protect not their strengths but their weaknesses.
...
Q758
Lord Strasburger: That was quite a long answer to a short question. Could I just try to distil that back and see if I have understood you correctly? You seem to be saying that, because the authorities are unwilling to disclose the mechanism behind the filter, it is not possible to validate the effectiveness of the filter and it is not possible, therefore, to put the evidence that falls out of it before the court in any meaningful way. Is that right?
Duncan Campbell: I believe they would not produce it in the first place, because they would foresee the issue of technical difficulties.
Q759
The Chairman: So whatever other use the Security Service or the police could make of a filter, using it as evidence in court is unlikely to be one of its main functions.
Duncan Campbell: On the basis of as much information as we have as to how it would work, which is, of course, little, that is my view. ...
Duncan Campbell: ... It is fit, proper and necessary that interception of communications and processing of communications data be available as part of the armoury to combat all the things you have mentioned. That is not my problem with this Bill. My problem is that it is not fit for purpose. It has not been thought through and it is not going to work. Leaving aside human rights, we are required to test issues like proportionality and necessity, and, in this forum, we are also required to test value for money and technical efficacy...
Duncan Campbell: ...So once you have accepted... that there will always be the dark areas and that, therefore, the proper area for debate is fitness or proportionality, necessity—necessity given the other types of data that can be used in investigations—technical effectiveness—can it work—and cost efficiency. Then come all the human rights criteria—the fact that you do terrify people by creating powerful laws.
...
Duncan Campbell: In response to your question about senior officers signing on necessity and proportionality, that is necessary but it may not always be sufficient. I think, and some witnesses have put forward, that a much better scheme would be a multi-level surveillance authorisation, which, to some extent, already exists in terms of intrusive surveillance. That should be applied to the communications data schema, so that you have a signing off at higher levels or a warrant from sufficient authority, depending on the degree of intrusion involved. But these are the appropriate and necessary processes.
Just two minor points: although it was not required by law, the police sensibly adopted a scheme whereby assistant chief constables would be required to sign off on location data requests. They have dropped that now, but they saw the degree of intrusion necessary and they said, “A chief superintendent is not enough; we will go to ACPO rank.”
The other point I would make is that the European Court has required that the procedures for examining, using and storing gathered communications material should be in a form that is open to public scrutiny and knowledge, and along with authority that is an important part of the process.
...
Duncan Campbell: ...
I know there has been a well tested argument about bringing intercept data into the courts. I have seen it. I have worked on it when it comes from overseas jurisdictions, and it is very hard to understand the degree of resistance, except a sort of primal fear of letting the adversaries know that we cannot do some things. So you could really quite usefully do an overarching surveillance scheme with officers of different ranks, judges of different authorities, and a surveillance commission that would act as the check and balance on whether the wide remits on all fronts had been followed.
...
Duncan Campbell: ... Mr Brown’s point about the sensitivity of data and the risk it could leak would, in my view, flow largely from creating this database in advance or these databases that are required. Again, rather than the obscurantism of the Home Office approach, we can address this quite specifically in the case of weblogs. In my expert capacity, I have to sometimes look at weblogs that, when seized from computers, can sometimes go back years and years and, frankly, they terrify me. The intimacy with which you can see what somebody is doing, what somebody is thinking, you can infer when their attention has strayed from their partner to some other prospective sexual target—it is written there to be seen. Now, if that person is under that degree of surveillance, because their device has been seized by the police because of a suspicion, then you can at least see how that comes about, and the rest of the population can be reassured that is never going to come to pass unless officers do come through their door for whatever reason. If you move to what was envisaged under RIPA and which will be reconstructed here, then, at the very least, the big internet service providers are going to be asked to store that kind of data, although we have no clue as to the depth of knowledge, and that degree of intimacy. That means that, if anyone wants to go on a trawl, whether authorised or unauthorised, whether the purpose might be approved or not, they can trawl to see who has been accessing special clinics. They can trawl for who has been going to particular websites. They can trawl to draw up profiles and demographics just in the same way as Google does. Clearly, most or all of that would not be proportionate. How do you stop it? Do not do it in the first place. Stick to what you get on people’s computers.
...
Duncan Campbell: That is a concern with the filter. There is no detail, as ever. We start from ignorance, but it is, to my mind, inconceivable that the tasks anticipated for any filter could be done on data as it streams past. Therefore, what you are left with is the elephant in the room that surrounds this Bill, which is we must not call it a national database because that is what the last Government did. Therefore, database is avoided, but in fact database is essential.
I fear the Home Secretary has not been well served by her officials on this. One is not privy to what goes on, but the sense is, “Do not worry about this; it is all techie stuff you really do not need to know. Parliament does not need to bother its head. It is the big complex internet; we will sort it out.” Even if it was not this very sensitive and important area of legislation, what you look at with any knowledge of large public sector IT projects is massive expenditure, billions of pounds, on a future that is untested and on technology that seems incapable of being specified and that has not been described to the people whose equipment it will attach to. Let aside all of our other worries, the total gap in the information about how this will work means that there must be a very high probability that this will become yet the latest public sector, massive, cost-overrun IT boondoggle.
...
Duncan Campbell: I think this Bill is future-proof, but in the worst possible way. It is future-proof in the sense that the Home Secretary seeks to have the power to her and her successors, in the words of the Bill, to do anything they like once the universal surveillance engine is connected up to the entire national internet. So, for that reason, it is additionally terrifying.
The alternative would be to reset the mechanisms of surveillance and allow that there would need to be fluidity as new data sources came along. A surveillance commission, if that were to be recommended, with access to both human rights advocates and technical experts as well as senior judicial figures, could address that—and with as much transparency as possible, which is the opposite of where we are now. And it will not be Twitter that we will be talking about in six years’ time, it will be something completely new that no one has thought of now. So I do not think you can put in place a good future-proof Bill, but you could put in a transparent, thoughtful, representative system of reviewing how you adapt access to intercept and communications data as the technology changes."
What can I add except that this is incalculably important advice on and analysis of what is a really terrible bill.

The Open Rights Group, incidentally, are holding a joint event with Index on Censorship, on Saturday 24 November, 2pm - 6pm, at the Free Word Centre, Farringdon, London, to campaign against the Communications Data Bill. Author, activist, visiting senior lecturer and honorary graduate of the Open University, Cory Doctorow, is the headline speaker. Tickets are free and there will be other presentations by Liberty, Index, Big Brother Watch and FIPR plus workshops to explain the Bill.