Straw vetoes publication of Cabinet minutes

For the first time since the introduction of the UK's Freedom of Information Act, the Justice Secretary has decided to use the ministerial veto option to prevent the publication of Cabinet minutes from 2003. The minutes in question relate to the Cabinet's discussion of the legality of going to war with Iraq.

The Information Commissioner had already ruled that the minutes should be released; the Government appealed to the Information Tribunal for a review of that decision, and the Information Tribunal rejected their appeal. Interestingly, the Justice Minister had a choice: he could have taken the Information Tribunal's decision to the High Court - but instead has peremptorily vetoed it, guillotining the legal process.

This will do little to quell the suspicions of those who believe that the minutes would show that the public were misled about the decision to invade Iraq.

See clauses 152-154

The British Computer Society (BCS) has issued a bluntly-worded critique of the data-sharing proposals buried in the Coroners and Justice Bill. Buried in the Bill are clauses which set out powers for any government minister to make an order for the sharing of personal data "in order to secure a relevant policy objective".

The BCS document notes that these powers are wide-ranging and general, and that the Bill does not set out any corresponding checks and balances to curtail their inappropriate use.

The BCS further notes that the Bill is likely to contravene UK and EU Human Rights legislation, that it undermines the fundamental principles of the Data Protection Act 1998, that it weakens the independence of the incoming Information Commissioner (welcome to your new job, Mr Graham...), and that it will do further damage to the public's condifence in government's ability (and willingness) to process personal data with due regard to personal privacy.

The BCS' position is neither trivial nor new. As David Evans points out in his blog post here, it is based on, among other things, a programme of consultation going back to 2006. The current Information Commissioner, Richard Thomas, expressed his deep concerns at the Bill last year, both in formal statements from his office, and in his keynote speech at the Privacy By Design conference.

It seems clear that, at one level, the intention of clauses 152-154 is simplification. Someone, somewhere must have concluded that the current position on data-sharing is just too complex, and that what is needed is a straightforward clause which cuts through all the nonsense and says "here's why we want to share this data, it's obviously sensible for us to do so, let's get on with it".

The issue is that, complicated and confusing as it may be, the patchwork of privacy-enhancing legislative measures we have in the UK consists of elements which are there for a reason, and are intended to protect both individuals and the public good. The main effect of introducing a 'simplfying' clause which allows ministers to over-ride existing protections is actually to make matters more complicated and more confusing - because these conflicting laws will now have to be played off against one another, both in plans to implement public policy and (with a grinding inevitability) in the national and European courts.

Quite apart from any other consideration, it ought surely to arouse the most lively scepticism when an existing Act (the Data Protection Act) is fundamentally modified by clauses buried deep in a separate bill ostensibly about 'Coroners and Justice'. Clauses 152-154 deserve to be flushed out of their obscure hiding-place in the Coroners and Justice Bill, and into that sunlight which Justice Louis Brandeis described as "the best disinfectant".

Incidentally, Justice Brandeis said a couple of other things which bear repeating in this context:

"Electric light [is said to be] the most efficient policeman" - which, given that he said it in 1913, was as accurate a harbinger of the technological surveillance society as one could ask for. Today he would have referred to CCTV, communications interception and automatic numberplate recognition, but the underlying principle is the same.

He also said, though, that "if we desire respect for the law, we must first make the law respectable." In that regard, clauses 152-154 set a regrettably poor example.

The world through Redmond-tinted glasses...

There's an interesting piece on ZDNet today about Microsoft's imminent IE8 browser and the "Compatibility List" it includes. The background to this is that, as the article's author May Jo Foley puts it, most websites are written so that they will work 'correctly' with previous, non-standards-based versions of IE. In fudging things so that they would work with IE, apparently a lot of web site creators have ended up with sites which now may not display correctly with IE8.

Foley goes on to make the following Sibylline observation: "I doubt the compatibility experience is going to change much, if at all, between now and the time IE 8 is released. For months, Microsoft has been banging the drum for site owners to update their code — either by adding compatibility tags or redoing sites to take into account the changes in IE 8."

Well, who can blame the site owners? I have recently had to build two websites of my own, for the first time in a few years. I used standard, opens-source site creation tools provided by my hosting company, and frankly, if IE8 can't or won't render the results properly, I have a hard time seeing how that is my problem to fix. I can't get rid of the mental image of a dog being vigorously wagged by its tail. The situation is, as so often, most elegantly summed up by the late Douglas Adams: "In cases of major discrepancy [it's] always reality that's got it wrong".

Incidentally, there is practically no prospect of my discovering, first-hand, whether or not my site is IE8-compatible or not - so if you find out, please be so kind as to let me know (and I'll pass the message on to the IE8 folks...).

Foley also says, in a rather uncharacteristic burst of MS-antipathy:

"I’m at the point now — if a site looks weird, is slow or just doesn’t seem to be working right — I simply assume it is IE 8’s fault. [...] The bottom line is I’ve come to expect a rocky browsing experience when using IE 8."

Well - the obstacles to an alternative are really not that high.

Newly discovered blog...

Just a quick post to alert you to a new discovery: the Cybermatron blog, here.

The blog looks new, but the blogger looks experienced and knowledgeable; good, detailed analysis of the interplay between UK and EU law on privacy and related matters. Well worth a read/subscribe.

GSS Identity and Privacy Conference, 2009

This year, in May, Global Security Solutions will be running its second Identity Management (IDM) and Privacy Conference (Johannesburg, 5th-7th May). Full details are online here, 'early bird' registration is still available until the end of this month, and there are combined conference/travel packages available for UK/European attendees.

I will have the pleasure of speaking at the conference, but that isn't why you should go; GSS have an unusually comprehensive and thorough approach to this area, in that they look at the whole IDM life-cycle (from risk assessment through policy and implementation to governance and audit...), and at IDM's relevance to the full range of business functions (audit, change/BPM, compliance, HR/provisioning and so on). This year, privacy is s strong theme - as, of course, is the question of how to manage identity and privacy risk effectively when resources are being squeezed.

This conference comes at a time when GSS is expanding its operations into the Northern hemisphere, with a new office in the UK. It's an exciting time for them, and I'm sure that excitement will rub off on this year's conference - it should be great fun, and I hope some of you can make it...

UK tax lawyer found guilty in Italy... and absentia

There's news today that David Mills, tax lawyer and estranged husband of Tessa Jowell MP, has been found guilty of accepting a bribe, allegedly paid by Italian Prime Minister Silvio Berlusconi. Mills, who was sentenced to 4 1/2 years' imprisonment, was not in court and is expected to appeal against the judgement.

If this rings a bell, it may be because the bribe surfaced in 2006 as part of the "Jowellgate" scandal. If you recall, a few weeks after Mr Mills received these funds, he and his then wife happened to pay off a £408,000 mortgage. Mr Mills has variously confirmed and denied that the money in question came from Mr Berlusconi.

During the investigation into whether Ms Jowell had broken the rules of the Ministerial Code of Conduct at the time, she said that her husband had received a sum of money "which he thought he had reasonable grounds to believe was a gift". A phrase so circuitous that it alone ought to give one reasonable grounds to believe that some wool is being spun.

Apparently Mr Mills did not mention the gift to his wife (who was a co-signatory on the mortgage), and she therefore did not know to declare it under the Code of Conduct. Both the Cabinet Secretary, Gus O'Donnell, and the then Prime Minister Tony Blair, concluded that Ms Jowell had done nothing wrong.

Ms Jowell is currently the government's Paymaster General and is Minister for the 2012 Olympics, a project whose budget is about £9.3bn.

Is privacy total deniability?

The debate on privacy has matured to the extent where it is increasingly (though not universally) appreciated that privacy and security are not the same goals or the same disciplines. However, occasionally something crops up which reveals that the concept of privacy is still a slippery one, treated very differently in different cultural and legislative contexts.

The case of Sir Max Mosley is an illustrative one. Sir Max (who is the head of the FIA - the international governing body of motorsport) is currently suing a number of media organisations in various European countries, because they alleged that he had taken part in a Nazi-themed sado-masochistic session with a number of prostitutes. Last year he succeeded in convincing a court that the sado-masochistic orgy in which he had been involved in had had no Nazi theme - and he was awarded £60,000 on the basis that his privacy had been breached by the publications. The 'Nazi' allegations may have struck a particularly sensitive nerve as Sir Max is the son of the late Sir Oswald Mosley, leader of the UK's fascists in the years before the second World War; presumably that's also why the media thought it might sell more papers.

Sir Max' position, as I understand it, is that as long as an individual's private activities are irrelevant to the activities of their public persona, there is seldom if ever a public interest argument in favour of publishing them, to the detriment of the individual's privacy.

There are two problems with this superficially plausible argument.

Both are very well put here by Ian Hislop, editor of the satirical magazine Private Eye, which has been around for as long as I have, and has carved a niche for itself by exposing the differences between the actual and claimed behaviour of our public figures. He's well qualified to have a view, incidentally; as the Wikipedia entry for "Private Eye" notes, he's the most sued man in Britain.

The first problem, then, is that there will always be a legitimate judgement as to whether the individual's private activities are, indeed, irrelevant to their public responsibilities. In Sir Max' case, for example, as the head of a multi-billion pound industry, he is often involved in adjudications over whether other motorsport figures have behaved honourably, ethically, and/or in compliance with the sport's rules. That seems to me to call for a degree of personal integrity rooted in the individual's behaviour, both private and public. As Ian Hislop puts it:

"I don't think we're yet at the point where we have a Mosley-style consensus that all forms of sexual activity, including paid prostitution, are acceptable behaviour in your private life.

"I think a lot of actions head into a grey area, where they help you assess character in those who are either in public office or who have official duties to perform."

The second concerns the way in which this principle is already being put into practice in UK law. There have been a number of cases in which individuals have not only sought the suppression of material which a journalist intended to publish, but have gone further and sought injunctions against mentioning the fact that they have sought injunctions against publication. (If that has made your eyeballs spin, think of it this way: "Not only are you not allowed to say that I molest dormice, but you are not allowed to say that you have been forbidden to publish someting about me").

That seems to me to be entirely a step too far. Even if we accept that publishing allegations about me and dormice would violate my privacy, I find it hard to give the same weight to mentioning the fact of the allegations without mentioning their substance.

The picture it sketches is of a media organisation which - perhaps repeatedly - threatens false allegations against an individual, complies with the injunction against publication, and then publishes articles to the effect that "Mr Volestrangler has repeatedly sought injunctions against this publication, and we can't say what they were for, but as we all know, there's no smoke without fire... nudge nudge".

The question is, does that happen? And if so, does it happen frequently enough and with such damaging consequences that it justifies restricting the media in the way Sir Max is pressing for?
Frankly, I doubt it. I'm sure there are many ways in which the UK's privacy laws could be improved, but this isn't one of them.

Monument re-opens

For a while, from 2000, I worked in an office right next to the Monument, in the City of London. In fact, our office had a balcony which was overlooked by those hardy individuals who made it to the top of the Monument's 311 steps. We, on the other hand, had lifts.

The Monument has just been re-opened to public access after an 18-month restoration project, and as the back-story goes, its 202-foot height was Christopher Wren and Robert Hooke's nod to the starting-point of the Great Fire of London; not at the site of the Monument itself, but 202 feet away in Pudding Lane.

Before moving to that office I worked in one in Clerkenwell, just north of Smithfield meat market. Just south of Smithfield there is a much less well-known (and shorter) monument commemorating the same fire. This one, mounted about 10 feet up on the corner of Cockspur Street, is called the Golden Boy of Pye Corner. He is a chubby little cherubic figure, and his statue was apparently erected by non-conformists who drew the following moral: the great fire of London started in a bakery and ended at Pye (Pie) Corner, thus indicating that it was God's admonition against the sin of gluttony.

If I remember correctly, the Golden Boy was not contemporaneous with with construction of the Monument; but apparently, neither was the installation of a carved panel on the East face of the Monument (1681) which ascribes the fire not to divine punishment for gluttony, but to rather more direct action by Papists. Fitting the religious sub-text to suit the political message is not a 21st-century invention.

It's official - spam is not kosher

As far as I can tell, this meme has resurfaced recently because the law in question came into force in December 2008 - though I believe it was originally proposed back in 2005. Anyway, under the new law, the originators of spam can be fined NIS 1000 (about $250) per unsolicited message. If the Securitem blog entry is correct, the law applies if the originator of the message is Israeli, or if the entity which would benefit from the mail is Israeli.

The interesting thing, from a UK/EU point of view, is that under the Israeli law the sending of the unsolicited traffic is regarded as a nuisance in itself: the recipient does not have to show actual harm resulting from it.

Former MySQL CEO to leave Sun

I see from this article on CNET news that Marten Mickos, CEO of MySQL until its acquisition by Sun, will be leaving the corporation as part of the current reogranisation.

Let me say first, I never met Marten or had anything to do with the MySQL team - but over the 8 years I was at Sun, I saw many repeats of what looks like a familiar cycle, particularly in the software division:

• Sun acquires sexy-looking technology company to complement its existing portfolio;
• Chief Exec finds life increasingly frustrating not being at the top of the pyramid;
• Chief Exec takes first opportunity to leave (sometimes, I suspect, gated principally by the timetable on which various options and cash tranches pay out...).

I saw it with the JCP Trustbase acquisition which brought me into Sun, and I saw it subsequently with senior people from other companies. It doesn't necessarily mean something is wrong with the acquisition: plausibly, the skills and drives which make you the CEO of an attractive acquisition target are very different from those needed to prosper inside a larger and more bureaucratic corporation.

All the same, I observed that that process was also often accompanied by a steady erosion of much of the value and expertise which the acquisition had been designed to bring into Sun, and to me, that was more of a danger sign than the departure of an entrepreneurial CEO. Making an acquisition work, after all, is not just about keeping the same staff: it's also about learning from what they know, and propagating that through the rest of the organisation.

For all the acquisitions it has made over the last decade, I'm afraid I am still not convinced that message has sunk in at Sun.

Interpreting the EU laws on privacy

In the preceding blog post, I mentioned the difficulties which arise when trying to work out exactly what "personal data" means in UK and EU legal terms. Thanks to the very useful EU Privacy and e-Commerce Alert from Hunton and Williams, I have an example. It concerns a recent ruling by the European Court of Justice, which found in favour of a Mr Huber and against the German Government.

Mr Huber (an Austrian citizen working in Germany) started out by contending that the German Government was discriminating against him (relative to German citizens) by keeping a record of his personal data in a central database of non-residents.

Here's a quick summary from that part of the case records:

Mr Huber, an Austrian national, moved to Germany in 1996 in order to carry on business there as a self-employed insurance agent. The following data relating to him are stored in the AZR:
– his name, given name, date and place of birth, nationality, marital status, sex;
– a record of his entries into and exits from Germany, and his residence status; – particulars of passports issued to him;
– a record of his previous statements as to domicile; and
– reference numbers issued by the Bundesamt, particulars of the authorities which supplied the data and the reference numbers used by those authorities.

Since he took the view that he was discriminated against by reason of the processing of the data concerning him contained in the AZR, in particular because such a database does not exist in respect of German nationals, Mr Huber requested the deletion of those data on 22 July 2000. That request was rejected on 29 September 2000 by the administrative authority which was responsible for maintaining the AZR at the time.

As it happens, that claim didn't go anywhere, but Mr Huber pressed on, and the ECJ has now ruled that recording his details in such a database is incompatible with the Data Protection Directive and fails the applicable test of 'necessity'. I don't know if the German Government can or will appeal against the ruling.

Rather than recite the rest of the case, I'll let you link to the judgement if you are interested. Be warned, though, unless you are fluent in Eurospeak (the 24th official language of the European Commission) the references to this or that article, recital or preamble of various Directives will probably make your head spin.

Here, you will find links to three documents about the case.

I recommend you start with the document labelled "Opinion", as that sets out the basic arguments in more human-readable terms. If that isn't enough for you, take a deep breath and dive into the "Judgement". Enjoy.

Surveillance, citizens and the state

A bit like the snow, some news stories are piling up almost too fast to blog about... so rather than include links inline as usual, I will put them all at the end of this post.

The House of Lords Constitution Committee has released a report entitled Surveillance: "Citizens and the State", in which considers whether the pervasive nature of surveillance in 21st century Britain has fundamentally altered the relationship between the citizen and the state. If that seems to echo the Information Commissioner's 2004 comment that the UK was in danger of "sleepwalking into a surveillance society", and his subsequent 2006 report setting out some of the ways in which that was happening, that's no accident. The Constitution Committee acknowledges that that was the impetus for its inquiry from 2004-2007 and subsequently the current report.

The report's opening paragraph is clear and concise enough to deserve quoting in full:

"Surveillance is an inescapable part of life in the UK. Every time we make a telephone call, send an email, browse the internet, or even walk down our local high street, our actions may be monitored and recorded. To respond to crime, combat the threat of terrorism, and improve administrative efficiency, successive UK governments have gradually constructed one of the most extensive and technologically advanced surveillance systems in the world. At the same time, similar developments in the private sector have contributed to a profound change in the character of life in this country. The development of electronic surveillance and the collection and processing of personal information have become pervasive, routine, and almost taken for granted. Many of these surveillance practices are unknown to most people, and their potential consequences are not fully appreciated."

That sounds to me like a "yes". However, and I in no way mean this as a criticism, the report continues with a further 129 pages of analysis. It examines the issue from a number of different stakeholder perspectives: regulators, government, parliament and citizen, and also looks at Privacy Enhancing Technologies (PETs) and the closely-related issue of where the boundary between technology and policy should most sensibly fall. As far as the citizen perspective is concerned, it stresses the importance of consent, and notes the extent to which that depends on adequate information. All in all, it's a very thorough piece of work.

One of its more worrying sections is Chapter 7, on the role of Parliament. It notes that witnesses to the inquiry described Parliament as being the only body which can block undesirable legislation, and act on behalf of the citizen in determining how far surveillance powers should be able to go. It goes on to say that Parliament is often prevented from giving privacy-related legislation the necessary scrutiny, because the laws are enacted in the form of vaguely-worded primary legislation, with the details put through later as secondary legislation (the Identity Cards Bill 2006 being a prime example). Parliament cannot amend or vote on secondary legislation.

The report also presents a valuable analysis of the Committee's perspective on constitutional factors, including:

• The laws which enable surveillance, data collection and data sharing;
• The laws and regulations which are intended to protect the citizen;
• The events which, over the period of the Committee's work, have shaped policy in this area.

It is absolutely clear from the report that the legislative and regulatory environment is an extremely complex one, with multiple agencies able to collect and share data under the provisions of multiple laws (for example, the Regulation of Investigatory Powers Act, the ID Cards Act, and the Coroners and Justice Bill (!)), and with protection for the citizen correspondingly fragmented and piecemeal.

If you do read the full report, I'd offer one piece of advice: don't be tempted to leap straight to Chapter 9 (Recommendations) in search of the quick précis. The body of the report is also punctuated with very specific and highly relevant recommendations.

In short, the report presents ample factual evidence in support of the opening paragraph.

The government's reported response is rather more succinct. According to today's BBC news article, Home Secretary Jacqui Smith 'has rejected claims of a surveillance society as "not for one moment" true and called for "common sense" guidelines on CCTV and DNA.

She recently announced a consultation on possible changes to the Regulation of Investigatory Powers Act, under which public bodies can conduct covert surveillance and access data, to clarify who can use such powers and prevent "frivolous" investigations."'

On the face of it, this looks like a perpetuation of some of the shortcomings described in the Constitution Committee's report.

Links:

House of Lords Constitution Committee's report - (from the ICO website)
ICO response to the Committee's report

ICO memorandum on data-sharing provisions in the Coroners and Justice Bill

ICO report on the Surveillance Society


Another useful couple of documents:

ICO paper on "what is personal data" - drafted in 2007, so good but probably a little out of date regarding the Article 29 Group's current position;

ICO paper on "what is data". May seem a daft question to have to ask, but that in itself gives an indication of how difficult it can be to work out whether information about a citizen is indeed protected by the law. (Let alone what to do about it if it is...)

Differences of approach

President Obama does not seem short of things to say about the US economy and his stimulus package. Much of it seems to be (a) constructive and (b) well-received. Though, as the NY Times points out today, imposing a cap on Wall Street bonuses is unlikely to lose him the popular vote in the present climate.

Over here in the UK, it has fallen to recently re-appointed serial Cabinet Minister Peter Mandelson, the Business Secretary, to get tough with our own financial institutions' bosses:

"Please be mindful about how this looks and what public opinion will be", he is quoted as saying, warning that exorbitant bonuses 'could alienate ordinary people'. Stick it to them, Pete.

Today's headlines don't appear to carry any comment from the Prime Minister or his Chancellor. In Mr Brown's case, he may be keeping quiet in case he inadvertently refers to the world economy as being in "depression" again.

It's strange to see no comment from our leaders, though, on the day the Bank of England cut its interest rate to an all-time low of 1% - the first time it has fallen below 2% in its 300-year history.

According to this BBC article, neither businesses nor lenders report a boost in confidence from the steady fall in the interest rate, and the Institute of Directors' chief economist reckons that the interest rate has now lost most of its effectiveness as an economic lever. In other words, the outlook remains grim and the independent Central Bank can't do much more with the tools at its disposal.

Under those circumstances, it seems that the next move would have to be a political one... which makes the silence all the more deafening.

What's read and goes at 30 miles an hour?

An RFID-chipped passport, it seems...

Chris Paget, a security researcher in California, successfully read the data off US electronic passports from a range of 20 feet while driving past at 30 mph in a San Francisco street.

The bickering about how close to an RFID passport chip one has to be in order to read it has been going on for years... In 2006, when the implementers were saying that the chip and reader had to be no more than 2 cms apart, Dutch researchers had scanned chips at a range of 30 cms. Even back in 2004, Bruce Schneier reported RFID chips being read from 20 metres (about 70 feet), though from this article it's not clear whether they were ISO 14443 e-passport chips - and different chips use different radio frequencies.

Given that even Visa Waiver candidates (such as UK citizens travelling to the US) now have to stand at the DHS officer's counter for long enough to provide all 10 fingerprint biometrics and a facial photograph, what exactly is the legitimate requirement for contactless access to the passport chip?

For what it's worth, I am still using the Faraday wallet I bought back in 2006...

The Year of the Ox has got off to an interesting start - though oxen being what they are, we should probably be taking the long view about 'slow and steady progress'. The UK certainly hasn't been characterised by much movement in the last couple of days. It's snowing again as I write this post. Today has been mostly clear and sunny here, and a good deal of yesterday's snow started to melt - the white, fluffy stuff on every twig sliding off and joining the increasingly ice-like layer on the ground...

However, I'm not going to join the general moaning about how 1/2 inch of snow brings the UK to its knees. I tend to agree with those who say that it's not worth having a fleet of snow-ploughs standing by in every county, if they only get used every 20 years or so. I wonder how many of the moaners have invested in a set of snow tyres. After all, many of our continental neighbours switch between summer and winter tyres every year - there's no technical issue there, just one of cost and convenience.

Another complaint I heard yesterday was from people who had tried, before setting out, to check the travel information sites of their respective train, bus and airline companies, only to find that the site was swamped with requests or didn't have any useful information on it. Could it be that the person responsible for keeping it up to date either couldn't get to work, or couldn't get hold of current data about conditions...?

Either way, those interested in this kind of problem might like to have a look at the SCADA guidelines, here on the website of the CPNI (Centre for the Protection of National Infrastructure). SCADA (Supervisory Control and Data Acquisition) is becoming a bit of a buzz-word, and seems likely to become more of one in 2009 as the new US regime turns its attention to the themes of transparency and accountability.

It's not far-fetched to assume that SCADA principles will reach into diverse aspects of information technology, including identity, privacy and governance. If 2009 is the year in which digital identity and personal privacy achieve recognition at the level of 'critical infrastructure' elements, it could be a very interesting year indeed.

Ontario IPC publishes new guidelines

Last November I attended a "Privacy By Design" workshop, hosted by the UK Information Commissioner's Office to mark the launch of a report on that topic, produced by the excellent Toby Stevens of EPG. For once, the UK ICO was ahead of its Canadian counterpart ;^)

You may also have seen that the ICO has issued guidance to the effect that UK public sector bodies must now do a Privacy Impact Assessment for any project which involves the processing of personal data... in that instance, though, I have to report that the Ontario Commission beat them to it. Dr Ann Cavoukian and her team have been using PIAs for some time now (see, for instance, this 2005 paper applying PIA principles to the processing of personal healthcare information... a practice, incidentally, which might give many of us reassurance if applied to the UK's Electronic Patient Record initiative).

The Ontario Commission is in the lead with its latest press release, too: this one is about what to do if your project not only deals with personal data but also crosses organisational boundaries. The answer is the F-PIA, or Federated Privacy Impact Assessment. This starts with the initial privacy principles for data-at-rest and extends them to apply to data-in-motion.

A recommended read... and here's a link to the requisite page on the IPC website.