The Joseph Rowntree Reform Trust (JRRT) has issued a new report slamming the government’s plans for a Communications Database (Data Retention), which would intercept and log every UK ISP user's e-mail headers, visited websites and telephone history, among other things. The report warns that the public are often "neither served nor protected by the increasingly complex and intrusive holdings of personal information invading every aspect of our lives."
In all, 46 government databases were reviewed by JRRT, including the National DNA Database and National Identity Register. These were then grouped into three categories, RED, AMBER or GREEN, with RED being very bad indeed - possibly even illegal.
Red means that a database is almost certainly illegal under human rights or data protection law and should be scrapped or substantially redesigned. The collection and sharing of sensitive personal data may be disproportionate, or done without our consent, or without a proper legal basis; or there may be other major privacy or operational problems. Most of these systems already have a high public profile. One of them (the National DNA Database) has been condemned by the European Court of Human Rights, and both the Conservative Party and Liberal Democrats have promised to scrap many of the others.
Six years into the Transformational Government programme, the number of green databases is now shockingly low. Just 6 out of 46 (fewer than 15%) were given a green light, while the Communications Database was among those that received a very firm RED.
The Communications Database
The UK’s intelligence agencies, 52 police forces, HM Revenue and Customs, prisons and 510 public authorities can all demand access to communications data. 519,260 such requests were made in 2007. From 15 March 2009 ISPs and phone companies will be required to retain specified communications data for 12 months.
The agencies have an Interception Modernisation Programme whose focus is a plan to centralise communications data in a government database, where it would be much more amenable to data mining for unusual patterns of behaviour. A typical application would be tracing the structures of individuals’ friendships and communications patterns.
In addition to this, it is planned to field Deep Packet Inspection (DPI) equipment that will look at the content of people’s Internet communications in order to determine who is talking to them in cases where this is not evident from the source and destination of the data packets.
For example, DPI boxes could record people’s coordinates in Second Life, and their webmail inbox screens. It is most unlikely that the average citizen will agree with the intelligence agencies’ argument that this is ‘traffic data’; an attempt to define full URLs as traffic data was defeated during the passage of the Regulation of Investigatory Powers Bill (RIPA).
The Government trailed the idea of taking powers to do all this in primary legislation; the story now is that there will be a consultation in March 2009. Meanwhile we understand that the construction of a prototype of the database is under way.
The fact that communications data is currently kept in separate locations under the control of telephone companies and ISPs provides a practical safeguard against abuse; agencies have to serve notices on these companies to retrieve specific data. They must also cover the costs of doing so, which provides an incentive for officials to consider the proportionality of requests. The Information Commissioner’s Office has commented that the plans are “a step too far for the British way of life” and that:
“[B]efore major new databases are launched careful consideration must be given to the impact on individuals’ liberties and on society as a whole. Sadly, there have been too many developments where there has not been sufficient openness, transparency or public debate.”
Given this assessment, the public opposition, the huge cost of the exercise, and the intent to reduce the costs of surveillance to the point that instead of being able to watch anybody the intelligence services would be able to watch everybody, we have no choice but to rate this as privacy impact red.
The report found that the UK public sector spends over £16 billion a year on IT. Over £100 billion in spending is planned for the next five years, and even the Government cannot provide an accurate figure for the cost of its Transformational Government programme. Yet only about 30% of government IT projects succeed.
JRRT believes that the benefits claimed for data sharing are illusory and often harm the vulnerable, not least by leading to discrimination and stigmatisation. Instead, it recommends that sensitive information should be collected and shared with the subject's consent and/or only for strictly defined purposes.
Individuals should also be able to enforce their privacy in a court on human-rights grounds without being liable for costs - the state has massive resources to contest cases while the individual does not. It also recommends that data be held locally and that citizens should have the right to access most public services anonymously.