Memorandum submitted by the Intelligent
Transport Society for the United Kingdom
THE TRANSPORT PERSPECTIVE
Transport comprises a major component of the
public realm in the UK. The opportunities for surveillance in
transport are therefore substantial. Furthermore, individuals
tend to have no choice about exposing themselves to surveillance
when using transport. Because of this, the transport environment
constitutes a key focus for both policing and privacy issues.
Technology is affecting transport as much as
any other sphere of UK life. As systems become more powerful,
more mobile, and cheaper, these offer increased abilities for
surveillance to be conducted, both legitimately and otherwise.
This note briefly reviews the nature of transport
and the developing role of technology within it, before addressing
the Committee's questions individually. As ITS (UK), the
respondent, is a systems-oriented trade body, our perspective
will be technical rather than political.
1. The transport context
The transport context is large and multifaceted.
Some of its key generic aspects are the following:
Infrastructure: road and rail
networks, waterways, stations, ports and airports. Technology
is used to ensure that these are kept free-flowing, as far as
possible, and any incident quickly identified and responded to.
Public transport: services,
and the operators that provide them. Technology is used to monitor
their progress, and to advise travellers of changes (including
Freight and distribution: goods
and materials are transported by private vehicles and fleets.
Technology is used to track them, particularly where they are
sensitive or hazardous.
Private travel: individual vehicles,
motorised and unmotorised, and individual travellers. Technology
and services in this area are developing particularly rapidly,
as economics make accessible what was previously available only
to corporate users. It is currently used largely to access relevant
travel information, but there is also a range of sensors and
communications systems available.
Regulation and enforcement:
vehicle safety, vehicle/driver/passenger authorisation, and compliance
with transport rules. Relevant use of technology includes reactive
systems (for example, emissions testing at MoT) as well as active
systems (for example, safety cameras).
2. Technology in the transport context
The use of technology in the transport context
started early; ground to air voice communications and ("dumb")
rail/traffic signals have been in existence for a long time. "Intelligent"
controlled systems date from around the 1970s; sensor systems
and the retention of historical data from around the late 1980s;
and video from approximately the early 1990s. Surveillance technologies
in transport are therefore a relatively recent development.
The pace of technology usage has not slackened.
It is routine now for buses to be equipped with a number of CCTV
cameras, and to record up to a month's worth of imagery on a local
hard drive. The imagery might be from within the bus but might
equally well be outward facing. The data provided by this is regularly
exploited by the police and other security agencies. The same
is true of static cameras at roadside or in stations, airports
and filling station forecourts.
Non-imaging technology is also developing and
being deployed rapidly. Smartcard ticketing (such as London's
Oyster) enables identified individuals to be tracked through key
points on the transport network and allows for the collected data
to be stored, processed and shared. Vehicle identifiers do the
same for cars; currently this is available through automatic number
plate recognition (ANPR) systems that use cameras, but studies
on more sophisticated electronic vehicle identification (EVI)
systems have been underway within DfT and at DVLA for a number
Perhaps the most dramatic change in transport
relevant technology is the advent of powerful, personal systems:
mobile phones. These can be used, unregulated, for capturing imagery
throughout the transport system and, with a few excepted locations,
to transmit such images immediately. They can also, as transmitting
electronic devices, be used as trackable sensors, including covertly.
3. Surveillance and the use of third party
The data collected through these means may provide
useful information to those wishing to surveil, either with respect
to specific target individuals/localities or with respect to general
monitoring. This includes:
Public agencies with a security
Private agencies with a security
Agencies and individuals with
no security remit.
In the first two cases, the legitimacy of access
to data depends on the relevance of the data to the agency's operations,
and also on the incidental residual risk of providing the data.
In the third case, legitimacy may be referred to data protection
("I want to know what you have on me") or simply to
freedom of information.
Data collection may be "proactive" and
open-ended, where security monitoring is the principal concern
of an agency; or it may be "reactive", targeted and
triggered by specific events, as where enforcement is the principal
concern. It is much easier to put regulatory safeguards into the
latter context, where the default is "no access".
4. Access by public agencies to private databases
"Private databases" come in a number
Data held by organisations as
part of their own management. Scheduling data, engineering records,
etc come into this category; so too do corporate security data,
such as camera records.
Data held by organisations as
part of a public function. This includes data held by PFI management
contractors: for instance, the National Traffic Control Centre,
National Air Traffic Services, etc. It also includes data held
by public bodies which has been provided by private sector organisations
on a restricted use basis.
Data held by individuals.
In the first case, access is normally available
only as part of a warranted investigation, or where the data owner
chooses to notify the public authorities. The lack of guidance
in this area can make both processes cumbersome. A transport operator
can suddenly find his information assets seized for investigation,
and have little recourse to appeal; conversely, policing opportunities
are likely to be lost because, say, a 'hot' vehicle
is not identified by a private security system.
A partial exception to this lies in the British
Transport Police operations on the rail network. The close day-to-day
working between BTP and rail operators means that there is much
greater clarity, by and large, over where database information
may usefully be requested and provided. This function does not
exist on the roads network.
In the second case, legitimate access by security
agencies should be contractually assured, and any necessary limitation
on access or procedural requirements applied at that time (with
In the third case there is very little that
can be done without an external reason.
In all three cases, the problem of constraining
access to where it is legitimate is difficult (except where prearranged
processes exist): once a decision has been taken to actively search
a third party database, possibly without consent, the data is
in principle fully available. Restriction at that point can only
relate to the subsequent use of the data (eg how much can
be revealed in court).
5. Data sharing between government departments
The UK is not good at sharing data between government
departments and agencies. We believe that the public holds an expectation
that, where specific information is available to government
(in the widest sense), it should be used for all purposes which
the public regards as legitimate. For instance, if a local authority
street camera captures an image of a known criminal's vehicle,
the police should be made aware of it. There are a number of ways
of engineering this which stop short of allowing all government
bodies full access to each other's databases.
There have been some positive steps towards
information sharing between traffic managers and the police. However,
outside London, this is still tentative; partly because systems
are installed with transport funds for purely transport requirements,
without taking security needs into account. More could be done
to encourage joint projects at local level, for instance through
good practice forums.
The question of generic access to transport
databases is more problematic. Intelligence and security agencies
are, understandably, willing to ask transport departments to provide
data only when they can be fairly specific and there is a clear
operational urgency. There is potentially valuable information
in operational databases that could be mined (eg for profiling).
However this would require much freer access; it is not clear
that this would have public support, but moreover it would impose
a significant operational burden on both transport and intelligence
functions which would need to be resourced.
6. Existing safeguards for data use
We do not see major problems with the safeguards
currently in place; except to note that the need for caution might
restrain legitimate usage.
We believe that the key driver to limit data
sharing (apart from the need to address public concerns about
privacy) derives not directly from its use in processing and analysis,
but in the actions it might lead to. People are bothered by the
fact that they might be "snooped on", but more bothered
that they might suffer worse consequences as a result of misidentification.
Identification based on smartcard ticketing or on vehicle number
plates is, of course, open to, and currently subject to,
a number of caveats. Genuine mistakes, inertia by the user, or
deliberate falsification, affect the accuracy of both.
Release of information to public media may need
to be reviewed. In this respect, the Freedom of Information Act
(and the surrounding policies) makes it distinctly harder to sustain
7. Monitoring abuses
Following on from the previous point, abuses
(actual and potential) of available data are a significant reason
that people are uncomfortable with data being shared. Data abuse
therefore holds back legitimate data use.
A clever and determined person can subvert most
operational practices, and it is not possible to prevent the possibility
of (for example) a rogue policeman exploiting information available
to him/her for personal ends.
This is partly a technical issue, but mostly
one of management culture. Organisations need to be tougher on
the misuse of data by their staff. There is an important lesson
here: the current framework concentrates more on institutional
than on individual misuse.
8. Potential abuse of private databases by
There are two ways in which criminals might
abuse private databases:
They might build their own private
database (legitimately or otherwise), and use it for criminal
They might exploit (openly or
through hacking) or corrupt other people's databases.
There are many scenarios that might be envisaged;
in most cases, system design has tried to reduce or mitigate the
risk. For example, smartcard tickets on a bus or train could potentially
be read by a criminal with a device in a briefcase, and personal
data or money obtained; however, the use of encryption makes this
In some cases the risks are simply unclear.
What could be achieved by a private number-plate camera, covertly
positioned by a motorway? Or near a sensitive installation, say,
a lab where animal testing happens? This requires an assessment
of potential criminal opportunity.
9. The case for introducing privacy impact
Privacy is a holistic concept; it is also (paradoxically)
highly contextual to person, place, time, and nature of information.
It is not clear to us that there is a specific
single way in which privacy impact assessment could be implemented
to make it relevant to all circumstances. Therefore, it should
be left up to individual scrutiny to determine whether and how
to address privacy impacts.
Profiling is an operational practice. We have
little to say about this, other than to note that increasingly
complex and sophisticated profiles will be possible as technology
A related concept might be called "reverse
profiling", and relates to differences in systems coverage
or capability around the country. Some abuses might be more prevalent
where detailed information is available to be exploited; others,
where surveillance is less thorough. The traditional UK approach
to this (create pilot sites and monitor them) seems
to be a sensible approach to this.
The transport environment is only really beginning
to adopt large systems that capture, store and use personal data.
Until very recently travel was largely anonymous up to the UK
border; this is no longer the case.
Because the transport environment is part of
the public realm, it is one in which privacy and database protection
are most vulnerable, and the development of cheap and available
technology is a significant threat.
Surveillance by legitimate public authorities
compromises privacy, but not as much as illegitimate surveillance
or the private abuse of personal data databases. Government should
concentrate on facilitating more sharing of data among legitimate
authorities, while cracking down on unnecessary release and other