Friday, March 30, 2007

Enquiry into a "Surveillance Society"

An enquiry is being conducted by the UK Parliament into the surveillance of citizens by the Government. Here is a short extract from the latest press release.

The UK Parliament has launched an enquiry into the surveillance conducted on citizens by the Government. It will investigate the growing number and scope of government databases holding increasing amounts of information on citizens. The Home Affairs Committee will conduct the inquiry, called 'A Surveillance Society?', so that it can produce rules for Government to follow when building up increasing amounts of sensitive and private information on the general public. "The inquiry will consider the growth of numerous public and private databases and forms of surveillance," said a Committee statement. "They either derive directly from the work of the Home Office and its related public functions or are controversial because whilst they offer the potential to play a part in the fight against crime their use may impinge on individual liberty." "The inquiry will focus on Home Office responsibilities such as identity cards, the National DNA Database and CCTV, but where relevant will look also at other departments’ responsibilities in this area, for instance the implications of databases being developed by the Department of Health and the Department for Education and Skills for use in the fight against crime," it said.

Data Protection Resources: new URL

Just a reminder Data Protection Resources has a new URL address. It is now at Please update your webpages.

Royal Academy of Engineers - Report on Privacy

The report on privacy (entitled Dilemmas on Privacy and Surveillance) has finally been published by the Royal Academy of Engineers and can be found here (pdf). The underlying theme is that engineers should design systems that protect the privacy of individuals. The report is about 64 pages long. Here is a short extract from the executive summary:
This study identifies likely developments in information technology in the near future, considers their impact on thecitizen, and makes recommendations on how to optimize their benefits to society. The report focuses on an area wherethe developments in IT have had a particularly significant impact in our everyday lives - the use of IT in surveillance,data-capture, and identity management. It looks at the threats that these technologies may pose and at the roleengineering can play in avoiding and managing these risks.

Tuesday, March 20, 2007

RFID - changes to the Directive on Privacy and Electronic Communications 2002/58/EC

There has been a lot of discussion surrounding the privacy implications through the use of RFID by companies, but in the latest press release, the European Commission is anticipated to introduce changes to the Directive on Privacy and Electronic Communications 2002/58/EC (pdf) to take account of RFID chips. Here is a short extract:

The European Commission will make changes to the Privacy and Electronic Communications Directive to take account of the exploding market in radio frequency identification (RFID) chips, it has said. Amendments will be proposed by the middle of this year. The Commission has published a Communication, intended as "a step towards a policy framework," for dealing with RFID chips, whose usefulness is seen by some to be at odds with privacy and data protection. RFID is a radio technology which allows chips to be identified at short distances by chip readers. The chips themselves are so cheap – just a few pence each – that they are useful in all sorts of commercial applications, from goods transit to stock management and even shop checkouts. It is the application of the chips to people and the things people do with the chipped goods, though, that has always worried privacy activists. Information Society and Media Commissioner Viviane Reding said that the advisory group she was forming to monitor RFID would work in conjunction with the Article 29 Data Protection Working Group, an existing, independent EU advisory body. Reding announced the creation of an RFID Stakeholder Group to help the Commission develop its RFID policy as part of an action plan to address the potential pitfalls and benefits of using RFID technology.

One has still to read the Communication (pdf) issued by the European Commission, but see:

Thursday, March 15, 2007

Search Engine results

Google has decided to anonymise personal data that it receives from its search engine. Whilst the discussion of search results derived from search engines is not new, the privacy implications are important. The types of data that could be held about a user include information such as the search term itself, the IP address, and details of how a user makes searches, such as the browser used and previous queries to Google. Perhaps the question is whether any individuals has put in a request to Google about information held about them from the search engines?
Here is a short extract from the BBC website:
Privacy bodies have welcomed Google's decision to anonymise personal data it receives from users' web searches. The firm previously held information about searches for an indefinite period but will now anonymise it after 18 to 24 months. "This is an extremely positive development," said Ari Schwartz, deputy director of the Center for Democracy and Technology, a US-based watchdog. "It's the type of thing we have been advocating for a number of years." However, governments could still force Google to hold onto data or hand it over to authorities. "By anonymising our server logs after 18 to 24 months, we think we're striking the right balance between two goals: continuing to improve Google's services for you, while providing more transparency and certainty about our retention practices," a statement from the search giant said. It's a step forward, but I would like to see them anonymising data in a much shorter period Richard Clayton, Cambridge University It added: "Unless we're legally required to retain log data for longer, we will anonymise our server logs after a limited period of time." Peter Fleischer, Google's privacy counsel for Europe, said the decision has been taken after consulting with privacy bodies in theUS and Europe. He said: "We believe that privacy is one of the cornerstones of trust. We will be retroactively going back into our log database and anonymising all the information there."

Thursday, March 08, 2007

Privacy law in the US?

I came across a press release whereby Microsoft Chairman Bill Gates urges Congress to pass legislation on privacy:

Microsoft Chairman Bill Gates has added to his legislative wish list, renewing his push for Congress to pass an "all-inclusive" consumer privacy and security law by year's end.

In his keynote speech at a dinner here Wednesday hosted by the advocacy group Center for Democracy and Technology, Gates shifted his focus away from the calls for education and immigration changes that dominated his appearance at a morning Senate hearing. There's a critical need for federal privacy rules that require transparency about data collection practices, grant users access to their own data and dictate what companies must do if a breach occurs, Gates told an audience of about 900 people in a cavernous ballroom at the Ritz-Carlton Hotel here. Microsoft isn't alone in requesting federal privacy legislation. The Windows maker is allied with a number of tech titans, including eBay, Hewlett-Packard, Google, Intel and Oracle, that have begun lobbying Congress to override what they deem a patchwork of disparate state laws.

Privacy in the US certainly seems to be patchy, but whereas the European Data Protection Framework is much stricter in protecting the privacy of individuals (Art. 1 states fundamental rights and freedoms of individuals), this cannot be said of the US. Whether the legislation will be framed along the lines of the European Data Protection Directive is not clear, but for anyone interested in the differences between the US/Europe protection of privacy, see:

  • Kang and Buchner. Privacy in Atlantis, Harvard Journal of Law and Technology, Vol. 18, No. 1, Fall 2004.
  • Reidenberg, R. and P. Schwartz. Data privacy Law (Michie, 1996).

Tuesday, March 06, 2007

Art. 29 Working Party: Opinion on transfer of PNR to US Authorities

The Art. 29 Working Party has issued its opinion aimed at travel agents/airlines that provide travel services to passengers flying to and from the United States. Here is the executive summary:
This opinion and its annexes (frequently asked questions and model notices) are aimed attravel agents, airlines, and any other organisations providing travel services to passengersflying to and from the United States of America. This opinion and the annexes update andreplace the previous opinion of 30 September 2004 (WP97).The current legal framework for transferring PNR information to the US authorities iscovered by the interim agreement of 16 October 2006. Negotiations for a new agreementare expected to start in 2007.There remain obligations on travel agents, airlines and other organisations to provideinformation to passengers about the processing of their personal information, and thisopinion aims to give advice and guidance on who needs to provide what information, how and when. Information should be provided to passengers when they agree to buy a flight ticket, andwhen they receive confirmation of this ticket.The opinion gives advice on providing information by phone, in person and on theinternet. The Art. 29 Working Party has established the model information notices (the annexes tothis opinion) to make providing this information easier for organisations, and to makesure the information provided is consistent across the European Union.The shorter information notice gives passengers summary information about transfers oftheir data to the US authorities, and how to find out more information.The longer notice is in the form of frequently asked questions and has more details aboutthe processing. It explains passenger data more widely, before focusing on PNR data. It also includes links to the interim agreement and other relevant documents.


Monday, March 05, 2007

Data Protection Resources: New URL

Just a note that I have a new URL for my website on Data Protection Protection Resources. It is now Please update your links.

Freedom of information

Some of you may be aware that there are likely to be changes to the UK Freedom of Information Act 2000 and introduce restrictions on information to be requested. In the Times today:
The Information Commissioner will tomorrow demolish one of the main arguments being used by Government to introduce restrictions on people’s right to know about the State. Richard Thomas, who will be appearing before MPs on the Constitutional Affairs Committee, is expected to say that public bodies already have wide-ranging powers to ignore requests that are designed to waste civil servants’ time. The Government believes that laws introduced in 2005 requiring much greater disclosure of information from the public sector place an unfair burden on civil servants. However campaigners say that the proposed restrictions are unnecessary and designed to save the Government from embarrassment after a series of damaging disclosures.
The Freedom of Information Act 2000 already has a provision that does not allow for "vexatious or malicious requests". Are the changes necessary? I leave this with you to decide.

Saturday, March 03, 2007

File Sharing and Privacy

I came across a news report from Sky News yesterday on file sharing and identity theft. Trying to find a repeat of the report (podcast) on Sky News website has proven difficult, but there is a short piece asking for views on file-sharing worries. On the report, though, one user on a peer-to-peer networking found, to his surprise that he was not merely downloading files, but also downloaded personal details belonging to individuals. Although he notified Sky News on this, it raises questions about personal data and protection of individuals' personal information online. No doubt, identity theft is a problem, but is the UK Data Protection Act 1998 or even the European Data Protection Directive 95/46/EC satisfactory in dealing with these difficult issues?
The UK Data Protection Act 1998 places a responsibility on "data controllers" (those who hold our personal information) to make sure that our personal information is carefully safeguarded (not the actual legal terminology, but see Schedule 1 of the DPA 1998 for a start). However, with file sharing, is it always identifiable who the data controller is? Probably technological means such as the data controller's IP address (of their computer) is one way of ascertaining the identity of the data controller, but even then, there is the question of being certain that the IP address belongs to the filesharer. No doubt, these will be issues that will have to be considered by the ICO.