Paul Bernal is Lecturer in information technology, intellectual property and media law at the University of East Anglia Law School. His blog and tweets bring us interesting and often trenchant material on privacy, human rights and the Internet.
His article today is called A few words on ‘Internet connection records’, and looks at some of the implications of the UK government’s draft Investigatory Powers Bill known to many, to the fury of its promoter, Home Secretary Theresa May, as the Snoopers’ Charter (“Do you want their names?” asks the policeman in Morten Morland’s cartoon in the Times, which you will find, among others, here.
The Bill raises serious concerns about the proposed requirement that communications providers must store, as Bernal puts it, “a rolling record of a year of everyone’s browsing history” at least at the top level of websites.
There are eDiscovery and cybersecurity implications here which are relevant to my audience.
As well as talking to lawyers about technology, I also get the opportunity to talk to eDiscovery technology providers about the law. Yesterday, I was talking to such an audience about EU concerns at the implications which arise when EU data, including personally identifiable information, travels to the US under the so-called Safe Harbour framework. Safe Harbour has, of course, been declared invalid by the Schrems decision, but the EU has been voicing concern for some time about the lack of any effective policing by the US authorities, the absence of anybody to complain to, and the inevitable incompatibility between discovery under the Federal Rules of Civil Procedure and the protection which EU laws give to private data.
Another implication, I said, was that advances in big data analytics meant that data supplied under Safe Harbour could be aggregated with other data to fill in the gaps and make a complete picture from disparate fragments. There is a story doing the rounds that South Korean data scientists have effectively de-anonymised medical data by using such technology. An audience of lawyers gapes at this stuff in blank incomprehension; my techie audience understood immediately.
Paul Bernal considers the same point in looking at the requirement for communications providers to hold browsing histories. By an accident of timing, the UK-based communications provider TalkTalk has just mislaid tens of thousands of customer records through inadequate security of unencrypted data. The government is proposing to force companies like TalkTalk to accumulate data which, thanks to sloppy security, could fall into the hands of the wrong people – I do not mean to imply that even governments are the “right” people for these purposes, but potential users of data like this include commercial entities who want to map our lives for the benefits of their businesses, as well as more conventional crooks who can raid bank accounts, target unoccupied homes, gain blackmail material, and engage in identity theft by applying analytics to multiple sources of data.
It is quite clear from the quality of their speeches on the subject that Theresa May and other government proponents of the “Snoopers Charter” have not the first idea about the technology and security implications inherent in the draft legislation; the Home Office has been a hotbed of lax incompetence for years; Parliamentary draughtsmanship is not what it used to be. Add all this together and a set of wholly foreseeable risks emerge.
The eDiscovery parallel lies in the ever-increasing volumes of data which companies keep, either because they are required to as a regulatory matter, or because they never quite get around to culling it. Quite apart from anything else, the cost of analysing all this data with every eDiscovery exercises is enormous. Companies perhaps shrug their shoulders at that; they ought to be more concerned about the risks which lie buried in the mountains of unsorted data.
Paul Bernal also talks about “function creep”, saying this:
Where systems are built and data gathered for one purpose, it is hard to resist using it for another, seemingly obvious and sensible reason. That’s how RIPA [The Regulation of Investigative Powers Act] ended up being used for dog fouling, fly-tipping and school catchment enforcement when it was intended for terrorism and serious crime. If you build it, it will be used, and not just for the original purpose.
It is one thing for data to be used by the intelligence services and police. It is quite another for it to be made available to local authorities. There are exceptions, but by and large English local authorities are the place where the ratio of IQ to power is at its worst – extremely stupid people given extensive authority over our lives. My own local authority, the City of Oxford, has form here. A couple of years ago it had to withdraw a proposal for forcing taxi-drivers (at their own expense, naturally) to install video cameras in taxis; the dim little creatures at the council were seemingly oblivious to the privacy implications. Similarly, Oxford City Council recently chartered an aeroplane to fly low over Oxford photographing every house and garden. The expressed excuse for this was to find unauthorised living quarters in gardens; one of the many objections to it was the potential for the resulting photographs to be used for purposes which had nothing to do with the collection. This may not be personally identifiable data as defined in the EU legislation, but there is obvious potential for abuse at the hands of people who are too stupid to think through the implications and who think that their title “officer” exempts them from the rules which apply to everyone else.
EU data protection rules require that personally identifiable data be used only for the purpose for which it was collected and that it should be destroyed when the purpose is at an end. This is one of the fundamental objections to its use in discovery, particularly US discovery, which was clearly not one of the purposes for which it was collected. It will be hard for government ministers to resist using the Snoopers’ Charter data for other purposes. This, by the way, is not a political point aimed just at the present government – Labour zealots are yet more prone to using their power to impose their own social norms on the rest of us.
As an aside, it is hard to see how EU countries can maintain their criticism of US laxity in the management of personal data when governments like the UK are enacting the Snoopers’ Charter. You didn’t hear me say that.