Friday, 29 May 2009

Police retention of surveillance photos "breached privacy right"

A man, who is a shareholder of a company, attends the company's AGM and asks a question from the floor, about the company's recent acquisition of another firm - one which organises trade fairs for the arms business. On the way out of the shareholder meeting, the man is followed by police, photographed repeatedly and asked for his personal details.

He is not detained, arrested or charged, and there is no suggestion that an offence has been committed.

The police create a new dossier on their 'Crimint' system and use it to retain the man's photographs.

This is what allegedly happened to Andrew Wood in London in 2005. At the time, Mr Wood was in charge of media relations for CAAT - the Campaign Against the Arms Trade; according to their account here, that organisation had taken the precautionary step of liaising with the Metropolitan Police before the AGM, and it had been agreed that two of their members would leaflet attendees in front of the meeting. Several other accounts are available online, including this one by the Guardian, and this one written by Wood himself.

The reason the story is back in the headlines is that Mr Wood has just won an Appeals Court case against the police retention of his photographs. The court ruled that while the surveillance itself could be justified, the retention of the photographs represented an infringement of the Human Rights Act. Interestingly, when Mr Wood appealed for judicial review of the case, the police barrister denied that such a record had been made.

The Appeal Court judges ruled that the Privacy right "was important to the individual", and that the "object pursued by the interference" was not sufficient to justify keeping the photographs. Specifically, Lord Collins rejected the idea that they could be kept in order to make it possible to identify the perpetrators of any crime which might have been committed at the AGM... This would not, he said, justify retention beyond a few days. In a conclusion which is likely to have far-reaching effects, he also rejected the idea that the photographs could be retained in case Mr Wood subsequently committed an offence at an arms fair some months later. This justification, he said, had nothing to do with the decision to take the photographs and was "plainly an afterthought".

For a much more detailed legal analysis of this distinction between "taking" and "retaining" the photographs, I recommend this document, which is the judgement in Mr Wood's application for judicial review of the case (given in 2008). While it is paragraphs 51 onwards which set out that judge's opinion on "taking" versus "retention", paragraph 37 of the judgement (which, slightly confusingly, cites paragraph 51 of an earlier European Court of Human Rights finding) sets out the principles in a particularly interesting way. Here's what the ECHR says:

50. The Court reiterates that the concept of private life extends to aspects relating to personal identity, such as a person’s name, or a person’s picture.

Furthermore, private life, in the Court’s view, includes a person’s physical and psychological integrity; the guarantee afforded by Art.8 of the Convention is primarily intended to ensure the development, without outside interference, of the personality of each individual in his relations with other human beings. There is therefore a zone of interaction of a person with others, even in a public context, which may fall within the scope of “private life”.

This, as clearly as anything, draws a distinct line between "privacy" and "secrecy". It is clear, here, that privacy rights can apply to an individual's exercise of relations with others. Privacy, in other words, is about disclosure - but disclosure with appropriate control and consent on the part of the individual.

Back to the current UK Appeals Court ruling, though, which specifically cited Article 8.2:
"There shall be no interference by a public authority with the exercise of this right [to a private and family life] except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or ... for the prevention of disorder or crime ... or for the protection of the rights and freedoms of others ...".
As I say, it was the retention of the photographs beyond any reasonable period associated with the AGM itself which was considered to be a disproportionate interference with Mr Wood's Article 8.2 rights.

Interestingly, the judge in the judicial review held that Article 14 was not applicable in this case, and the Appeal Court did not overturn that conclusion. Article 14 establishes "the right to exercise the other rights without being subject to discrimination" ... "on any ground such as sex, race, colour, language, religion, political or other opinion, national or social origin, association with a national minority, property, birth or other status".

To be frank, I don't yet grasp the logic behind that decision, but will keep at it. It seems to me that, as Mr Wood was not suspected of having done anything illegal before or at the meeting, he was indeed being discriminated against (relative to other attendees who were not photographed) on the basis of actions which arose directly from his ethical opinions about the arms trade - but then, I'm not a judge.

The case is particularly relevant from a privacy/policy/technology perspective because of what Lord Justice Dyson had to say in his summing-up:

"In deciding whether the interference is necessary, the court must have regard to the nature of the Convention right in issue, its importance for the individual, the nature of the interference and the object pursued by the interference."

" ... the protection of personal data is of fundamental importance to a person's enjoyment of his or her article 8 rights and the domestic law must afford appropriate safeguards to prevent any such use of personal data as may be inconsistent with the guarantees of article 8. The need for such safeguards is all the greater where the protection of personal data undergoing automatic processing is concerned, not least when such data are used for police purposes."

Wednesday, 27 May 2009

The "cost of privacy" equation is still out of balance

Yesterday's Guardian had an article about patients' right to have their Summary Care Record (SCR) deleted from the national NHS database. According to the article, Connecting for Health (CfH) and the Dept of Health had, until recently, argued that individuals should not be entitled to have their SCRs deleted on the grounds that the cost of deleting records selectively would be 'prohibitive'. Instead, they had apparently offered to 'mask or suppress' the records of people who expressed concern.

Frankly, that sounds like so much eyewash to me. Whether you want to mask, suppress or delete an individual record, you still have to locate it in the first place; and having done that, deletion once and for all must be less costly, over the life of the information, than keeping it under some restrictive access regime.

Apparently this current concession results from talks between CfH and the Information Commissioner's Office. It's good to see common sense prevail. That said, the picture is still not completely clear:
  • If your record on the national database has not yet been created, you can express your wish not to be added;
  • If your record has been added but not yet used, you can ask for it to be deleted;
  • If your record has been created and used, you can't ask for it to be deleted, because "it will have been archived for 'medico-legal' reasons".
That last exclusion only makes sense, of course, if the records held by your GP are no longer considered to be the authoritative version of your healthcare history. Otherwise it would suffice to take a copy of that archive, forward it to your GP and delete the original.

Something, somewhere, still doesn't add up.

Ethics, spirituality and religious conviction

Intelligent atheists (Jonathan Miller being probably the most articulate) often remark on the asymmetry between religious evangelism and the lack of any equivalent voice from the 'opposing' camp (by which, here, I mean atheists rather than satanists...). It is, after all, hard to build a compelling PR campaign on the strap-line "You know all that stuff which you believe...? Well, I don't".

It's articles like this which illustrate how easily that asymmetry becomes the default. Here we have a pro-Christian politician arguing that "Half a century of corrosive and aggressive secularisation has created a selfish, superficial and materialistic culture amongst decision-makers and opinion-formers that is appropriately reflected in those we have elected to Parliament" and proposing a more overtly Christian political option as the solution.

In the absence of an atheist voice, there is no-one to counter the argument that religion provides the only basis for an ethical system - or, indeed, to argue that religion is often as badly flawed a basis as any other. One need only look as far as the current revelations about the Catholic Church in Ireland for an example of that.

Please don't get me wrong; I'm not arguing that either religion or secularism has a moral monopoly. But as far as Alan Craig's argument goes, I'd want, for instance, a little more evidence of how many of the 'secular' MPs he mentions are regular church-goers, or gave the oath of allegiance by swearing to God Almighty.

Here's my prediction of what a little research would reveal:

- some people who claim to be religious act in immoral ways;
- some people who claim to be irreligious behave strictly morally;
- some of those who claim to be either sometimes behave well, and sometimes badly...

and I don't think that's good or bad - it's just the way things are.

Here's my more pessimistic prediction: if you elect someone to political office simply because they profess profound religious belief, and expect the outcome to be better than if you elect anyone else capable of getting to the point of being elected, don't expect a radically different outcome.

I also think that some people are essentially benevolent, and would be so if they were Christian, agnostic, atheist, aspiritual or anywhere in between. Others aren't, no matter what belief system they profess or deny.

By a strange quirk of timing, now is a good time to assert that William Heath is one of the former. He happens to be a practising Quaker. I'm profoundly happy for William that he has found that spiritual community which best reflects his own view and motivation - that doesn't come to everyone. But I also happen to believe that "being a Quaker" is more or less incidental. William could have been an agnostic ditch-digger and still hold the same core values - albeit possibly for different reasons.

And there's the nub, I suspect. I, for one, think that the moral question is one of how people act, rather than of why they act one way or another. If someone acts morally because they believe in the Easter Beagle, so be it. If someone acts evilly because they believe that's what something in the Bible tells them to do, then again so be it. I remain unconvinced that the way to sort moral human beings from immoral or amoral ones is to ask them about their religious convictions.

Monday, 25 May 2009

Thank heaven for little URLs...

Sorry, couldn't resist that title for the post.

I've been updating the Future Identity website with some diary entries for "Recent Events", and some "News" entries about events I'll be speaking at in London over the next couple of weeks. It's nice that the speaking invitations continue to come in.

As you may have noticed if you follow my Twitter feed, I've also been using the "tinyarro.ws" service for shortening URLs - and it occurred to me, belatedly, to generate a custom one for the FI website - so here it is: www.➡.ws/fi.eu. (The full URL still works too, of course).

If you haven't encountered it, tinyarro.ws makes use of the fact that double-byte character set (DBCS) characters are valid in URLs, even if the binary value doesn't render to anything useful. This gives them a huge range of characters which they can use to create a short URL which they then map onto whichever URL you submit. Suffice to say, it's a lot easier to use than to explain! There are other similar services, such as TinyURL and bit.ly; Twitter users use them a lot so as to be able to include URLs in tweets while sacrificing as little as possible of the allotted 140-character message length.

All of which raises the question: what is the correct name for a little URL? A viscount, perhaps? [groan]
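As an added illustration (not part of the original post, and not tinyarro.ws code): the arrow in the short link above is a single Unicode code point, and a hostname containing it reaches DNS as an ASCII `xn--` (Punycode) label. The Python below derives that form with the standard library's IDNA 2003 codec, which is the version worth recording when links are logged or reviewed; the function names are illustrative.

```python
"""Inspect a short link whose hostname contains non-ASCII characters.

Added example, not tinyarro.ws code. Uses Python's built-in "idna" codec
(IDNA 2003); function names are illustrative.
"""
import unicodedata
from urllib.parse import urlsplit


def split_link(link):
    """Return (hostname, path); bare links as seen in tweets get http://."""
    if "://" not in link:
        link = "http://" + link  # assumption: scheme-less links are http
    parts = urlsplit(link)
    return (parts.hostname or ""), parts.path


def to_ascii_host(host):
    """Hostname as sent to DNS: non-ASCII labels become xn-- labels.

    Returns None when the name cannot be encoded (empty or over-long label,
    or a character the codec prohibits).
    """
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def to_unicode_host(ascii_host):
    """Reverse direction: turn xn-- labels back into the characters shown."""
    try:
        return ascii_host.encode("ascii").decode("idna")
    except UnicodeError:
        return None


def describe_link(link):
    """Summarise what a reviewer or log pipeline should record for a link."""
    host, path = split_link(link)
    findings = []
    for label in host.split("."):
        if label.isascii():
            continue
        findings.append({
            "label": label,
            "codepoints": ["U+%04X" % ord(ch) for ch in label],
            "names": [unicodedata.name(ch, "UNNAMED") for ch in label],
            "utf8_bytes": len(label.encode("utf-8")),
        })
    return {
        "host": host,
        "ascii_host": to_ascii_host(host),
        "non_ascii_labels": findings,
        "path": path,
    }


if __name__ == "__main__":
    # The short link quoted in the post, plus a constructed ASCII-only one.
    for sample in ("www.➡.ws/fi.eu", "example.com/abc"):
        info = describe_link(sample)
        print(sample)
        print("  DNS form :", info["ascii_host"])
        for item in info["non_ascii_labels"]:
            print("  label    :", item["label"], item["codepoints"],
                  item["names"], "utf-8 bytes:", item["utf8_bytes"])
        print("  path     :", info["path"])
```

Recording the `xn--` form alongside the displayed form keeps logs and filters comparable however a client renders the hostname.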

Thursday, 21 May 2009

Freedom of Information - a retrospective

I just had to post this quotation from Martin Rosenbaum's "Open Secrets" blog on the BBC site. Looking back on the MPs' expenses row with an FoI perspective, he concludes:

"(8) Finally, in keeping with the spirit of the times, an apology of my own. In the past, I expressed the opinion that the persistent attempts by the House of Commons to prevent full publication of material about expenses was doing more harm to its reputation than would probably be caused by the eventual release. Doubtless there are cases where the reputational damage from insisting on secrecy is greater than that potentially resulting from release of the material in question - but this isn't one of them. Sorry I got that wrong."

Lovely.

Wednesday, 20 May 2009

What do Electronic Patient Records mean?

OK, it's a trick question. The answer, as with much data and all personal data, is "it's contextual"... which is basically a fancy way of saying "it depends". This CNet News article from yesterday throws up some of the questions, in a US-centric context, though there are many more, and even those it raises, the article doesn't necessarily resolve.

So, what do I mean by contextual? Well, I've already given one example of that; the CNet News article (entitled "What you need to know about e-health records") is fairly useful if you're in the US healthcare system - but a lot of it is irrelevant if you aren't. One huge contextual factor is which country you live in, with the associated factors like that country's attitude towards state- vs. privately-funded healthcare, preventive medicine, health insurance, family doctors, privacy law and so on.

Here are a few more examples of contextuality which the CNet article illustrates:
  • at a "political" level, Electronic Patient Records (EPRs) 'mean' money. If you're a techno vendor only interested in cornering a chunk of President Obama's stimulus package for commercial gain, the data is incidental (in fact, paying to secure it only reduces your bottom line): what's important is the subsidy;
  • if you're an insurer, EPRs mean being able to get sufficient detail to judge - automatically if at all possible - whether a given treatment is covered under the policy or not. In that context, the distinction between "cancer which has spread to the brain" and "cancer which has spread to the spine" may well be irrelevant, as the article notes;
  • if you're the patient or the physician, of course, that distinction might be highly relevant... but in the example given, the data in the EPR was ambiguous because it was designed primarily to meet the insurer's requirements, rather than those of the other relevant stakeholders.
So what EPRs mean depends on things like who you are, what you're doing with the data, where you're doing it, why you're doing it, and very often even when you're doing it... (it's one thing to need data urgently in the heat of emergency treatment - it's another to need it forensically post mortem).

Why's all this an issue? Well, as the CNet article points out, the stimulus package is driving a lot of efforts to standardise EPRs and make them portable, interoperable and consistent. At a syntactic level, that raises one set of problems (which experience suggests are solvable with time and effort). At a semantic level, as the contextual examples show, the problems are of a quite different order of difficulty.

That's the point at which the technical work on interoperability needs to be complemented by work on contextual factors like policy, regulatory measures, user consent and control, and matching purpose of collection against purpose of use. These are the kinds of question we have worked on for some time in the Liberty Alliance Public Policy Expert Group (PPEG), and which I confidently hope will continue to grow into a compelling work stream under the Kantara Initiative. Also in the Kantara structure there is a proposal for a Health Information Assurance (HIA) Work Group, whose draft charter you can find here. I will be adding a draft charter for the Privacy and Public Policy Work Group (P3WG) within the next few days, and that will include a goal of effective liaison with the HIA group.

Precisely because EPRs raise so many issues - both within and between different national healthcare and regulatory systems - this work needs to be able to draw on a broad range of expertise. Please have a good look around the Kantara website; there are many levels at which you can participate in this work, and I would encourage anyone with a stakeholder interest in EPRs to do so.

Monday, 18 May 2009

Two years on...

This is why politicians probably hate blogs, the internet and anything else which counteracts our otherwise fallible memories...

May 18th 2009; House of Commons Speaker Michael Martin says that each and every member of parliament must work hard to regain the public's trust. He wants discussion to centre on, among other things, "early publication" of expenses details.

May 17th 2007; Gordon Brown - accepting his uncontested nomination as Prime Minister - promises to "build trust in our democracy" through "a more open form of dialogue with citizens and politicians". "It's about a different type of politics, a more open and honest dialogue", he said. He was also quoted as saying "I believe government only works when it's dedicated to serving the people".

Perceptive words. Shame about the follow-through.

May 18th 2007; Gordon Brown rejects calls to block David Maclean's attempt to exempt MPs (and their expenses data) from the Freedom of Information Act. Among others voting in favour of a third reading for the amendment tabled by Mr Maclean (£155,609) were the following Labour ministers:
  • Parmjit Dhanda (£153,906)
  • Maria Eagle (£153,742)
  • Caroline Flint (£158,773)
  • Ian McCartney (£155,746)
  • Tony McNulty (£134,402)
  • Meg Munn (£144,356)
  • Joan Ryan (£151,954)
  • Phil Woolas (£169,427)
I in no way mean to imply that any of those ministers committed any impropriety in their expenses, but if any were needed, it's a clear indication of why it's a bad idea to have MPs deciding, voting on and overseeing their own remuneration.

The same BBC article reports that:

"Members of the backbench committee of the Parliamentary Labour Party have also emailed colleagues to say they "feel strongly" that the bill's measures were "worthy of support". "

None of this makes it easy to believe that there was a strong line coming from the top, encouraging Mr Brown's subordinates to opt for an "open, honest dialogue" based on the interests of the people.

Saturday, 16 May 2009

MPs' expenses... oh, the irony.

When I joined IBM in the mid 80s, there were plenty of alternative interpretations of the corporation's three-letter name. Customers with particularly pushy salesmen said it stood for "I'm Bloody Marvellous", while those with particularly slow mainframes preferred "It's Better Manually"... and so on. Oh, and if you want a genuine example of 'pushy salesman' behaviour: I was once assigned, as a junior systems engineer, to a salesman who took the time to explain to his (financial services) customer that IBM called its customers "customers" because "only banks and whores have clients". Quelle finesse.

Internally it was often reckoned to stand for "I've Been Moved" - so widespread was the corporate culture of "assignments". This was the process of relocating employees, usually to work in another country. It was reckoned to be a great deal by most IBMers, because - apart from the obvious attraction of seeing the world, broadening the mind, etc. - your move was paid for and the assignment usually came with generous financial allowances (and sometimes, if appropriate, a temporary promotion). I tried a couple of times to swing an assignment, once to Rome and once to Stuttgart, but never pulled off anything more spectacular than a stint in Basingstoke. How sad is that?

By the time I was a little more savvy about how to approach that kind of negotiation, Lou Gerstner had taken over and, astounded at the corporation's willingness to send a few dozen people from Tokyo to the US on assignment, while simultaneously sending a few dozen in the opposite direction at similar expense, had done much to stamp out this entertaining but ultimately not terribly profitable practice.

Anyway, I digress through all this ancient history merely to note that assignment allowances (such as the one I got as a sop for my three-year stretch in Basingstoke) came with a number of conditions:
  • they were taxable income, and were treated as such through the PAYE system;
  • the taxman insisted that an "assignment" should have a duration of no more than 3 years. Any more than that and it was considered to be a permanent job move, and the employee had to be remunerated by some more conventional mechanism.
It's odd, isn't it, that the taxman is not allowed to take any equivalent level of interest in MPs' allowances.

Wind forward to 2008, and I was finally caught by one of the 'reductions in force' which had periodically swept through Sun throughout my time there. With the P45 came a redundancy payment, and under UK law the employer has to deduct tax at source on any of that which exceeds £30,000.

It's odd, isn't it, that the "winding-up" payment an MP receives if they lose their seat does not have the same condition applied to it.

The irony, then, is that every MP who gets the boot because of constituents' rage at the expenses saga will, as a result, get a tax-free redundancy cheque for £42,000.

Is it just me...?

Following a link from the incisively perceptive @nicoleharris, I read Kim Cameron's blog post on Microsoft's internal adoption of a federated architecture based on its Geneva server. Kim cites a NetworkWorld article, in which I spotted the following sentence:

"Microsoft has nearly 410,000 computers and 165,000 users on its network."

Now, from my time in the employ of various other vendors, I can remember some fairly biting sales arguments about how many IT support staff it took to manage each Microsoft server, and how few actual users each server could support (I think they were attacking the email products that time, but it varied...) - but those folks must be making hay with this bit of data...

A computer-to-user ratio of almost 2.5:1? Wow.

Tuesday, 12 May 2009

Excellent privacy article on The Register

Hat-tip to @privacyint for the pointer to this excellent piece on The Register.

The article, which cites respectable sources such as the Earl of Erroll (cross-bench peer), Prof. Ross Anderson (Cambridge University Computer Science Dept and FIPR), Chris Huhne (LibDem MP) and James Brokenshire (Conservative MP), concerns the efforts of a South London fetish club to mitigate attempts to capture disproportionate amounts of personal data from patrons.

There are several very pertinent comments about privacy - for instance:

  • [The proliferation of one-off security databases spells] "the death of the right to private association" (Ross Anderson);
  • "A blanket approach to installing ID scanners in clubs raises serious privacy concerns. Introducing these measures where there is no history of criminal activity is disproportionate and likely to breach data protection requirements." (ICO spokeswoman);
  • "we could be taking real risks by putting vast amounts of personal information in the hands of people at best incompetent and at worst malicious." (Chris Huhne)
  • "Privacy is being eroded bit by bit, not some single killing blow, but death by a thousand cuts." (Lord Erroll)
The article ends by quoting Lord Erroll's view "that the entire age-checking industry [is] a Trojan Horse for ID", and his intention to raise this issue with ministers and the Home Office.

The Register deserves an extra fillip for stating that "senior politicians from all parties take up an issue first highlighted by The Register", while restraining itself admirably from any "senior politician"/"S&M" cracks.

On the other hand, my reputation for maintaining good taste is so strong that I have no hesitation in predicting that Lord Erroll's lobbying signals the start of a... back lash?

The Grabby Awards, 2009

Welcome to the "Grabbies". And the nominees for "scaliest response to the current scandal over MPs' expense claims" are:

- Harriet Harman, leader of the House of Commons, for arguing that "the level of corruption we see in the UK Parliament is far lower than what you can find elsewhere"; super. I look forward to fiddling my taxes and dodging speeding tickets on the grounds that there are lots of other people who drive much faster than me and are far worse tax-dodgers.

- Michael Martin, speaker of the House of Commons, for instigating a police investigation into who leaked the expenses data to the Telegraph - despite the FoI ruling which obliged the House to publish the information anyway - and claiming that it was necessary because the leaker 'could pose a security risk'.

- Labour peer Lord Foulkes, for trying to turn the question back on a news-reader, asking how much she earned and asserting that media attention to the scandal 'undermines democracy'. Actually, milord, most of the digging has already been done, first by those who have abused the system, second, by those who have connived at keeping that system in place, and third, by those who fought so hard to keep the details away from public scrutiny.

- Hazel Blears MP, for saying she understands how angry the public is about the fact that the expenses system is wrong... when actually what the public is angry about is the behaviour of MPs who have abused that system.

And the loser is... the taxpayer.

Sunday, 10 May 2009

MPs' expenses - the real point

Beneath all the media sensationalism, there is no doubt that some MPs have, to put it colloquially, been "taking the piss" with their expense/allowance claims.

For those who have been caught with their hands in the till to bleat that "the system is wrong and needs to be changed" should cut no ice with the taxpayer. That line of argument doesn't work with the taxman, the courts or the police, and it should not be allowed to work here. After all, the brokenness of the system has not made it impossible for some MPs to behave ethically and honestly.

The real point is this: the system under which MPs vote on their own pay-rises, expenses and allowances is one established by the MPs themselves - and insofar as it is in any way accountable, it is accountable to a committee of MPs.

The second Parliamentary Commissioner for Standards, Elizabeth Filkin, called them on this and was hounded out of her post. She had pursued investigations into the conduct of a number of MPs whose names may be familiar - among them Keith Vaz, John Reid and Peter Mandelson. She resigned in 2001, shortly after finding out that the Speaker of the House, Michael Martin, had already started advertising for her successor - without informing her. The successor would be appointed for 3 days a week instead of 4, and at a reduced salary.

Seven years ago, in May 2002, Mrs Filkin noted that MPs' expenses and allowances, amounting to an extra £74,000 to £100,000 on top of their salaries,

"by any standards [...] usually involve substantial sums of public money, adding that there was currently 'no rigorous audit of these claims, although guidance has been improved following investigations into misuse'.

'I think that for anybody in a position of public trust, their claims should be very carefully audited to make sure that we, the public, are spending that money correctly. Of course MPs impose that sort of requirement on all sorts of other public office holders. I think it should apply to them."

There is only one group of people who have spent the last seven years arguing that she was wrong.

Friday, 8 May 2009

Government 'will not run ID Card enrolment centres'

Whatever else in the ID Card programme has changed, one message seems to have persisted throughout - that the National ID Card will be the 'gold standard' of identity. Relying parties from the commercial sector, we have often been told, will flock to it in recognition of its reliability.

It now seems that for some commercial organisations, the proverbial mountain will be coming to Mohammed. Rather than operate its own enrolment centres the Home Office apparently plans to invite high street retailers to provide the enrolment service - at least to the extent of capturing applicants' fingerprints, photograph and, eventually, £60 fee.

Like any unexpected mid-flight course correction, this may raise questions and make some passengers uneasy.

For instance, under this arrangement, who would be liable if there was some error in the enrolment process, or if a mis-match later emerged between the holder's attributes and the data submitted via the enroller?

Are retail staff likely to have the level of training and expertise which would equip them to detect attempts to subvert the system? And if they were to detect such an attempt, would they have the wherewithal to abort the process, report the attempt and take the appropriate enforcement actions against the applicant? That seems to me to make an awful lot of assumptions.

If those assumptions turn out to be unfounded, the entry point into the ID Card system could well be compromised - and if the chain of credential issue is weak at its first link, we know what happens to the rest.

A former mentor of mine, Tom Honey, used to say of the e-commerce projects we were working on at the time: "you can have it now, or secure, or in budget: pick any two". It looks to me as though Jacqui Smith has opted for 'now and in budget'.

Wednesday, 6 May 2009

ID cards: economic fault lines cracking open?

Charles Clarke has been in the headlines again lately, for his public statement that recent events have made him "ashamed to be a Labour MP". Well-founded as that shame may be, we should not leap to the inference that Mr Clarke's past contains nothing to be ashamed of. Let's not forget, for instance, his frankly scurrilous personal attacks on Simon Davies (Visiting Professor at the LSE, and one of 60 contributors to a lengthy and critical report on the then fledgling ID Cards programme).

What has recalled this to memory? Well, a couple of things; Simon Davies has a piece in the Guardian, here, in which he examines some of the entrails which might suggest to a reasonably qualified haruspex that the ID Cards programme is fast approaching its sell-by date. And this piece on the ComputerWeekly site, giving a slightly more cold-blooded financial assessment.

Bottom line: the current government balance sheet puts it as follows -

  • Cost of ID Cards: ~£5bn over 10 years;
  • Economic benefit of ID cards: £6bn.
Cut and dried, then. Except for one thing. That's apparently now £6bn over 30 years, not 10.

On that basis, the invitation to Manchester citizens to sign up for an ID card looks economically irresponsible.