Select Committee on Home Affairs Written Evidence


Memorandum submitted by the Intelligent Transport Society for the United Kingdom



  Transport comprises a major component of the public realm in the UK. The opportunities for surveillance in transport are therefore substantial. Furthermore, individuals tend to have no choice about exposing themselves to surveillance when using transport. Because of this, the transport environment constitutes a key focus for both policing and privacy issues.

  Technology is affecting transport as much as any other sphere of UK life. As systems become more powerful, more mobile, and cheaper, these offer increased abilities for surveillance to be conducted, both legitimately and otherwise.

  This note briefly reviews the nature of transport and the developing role of technology within it, before addressing the Committee's questions individually. As ITS (UK)—the respondent—is a systems-oriented trade body, our perspective will be technical rather than political.

1.   The transport context

  The transport context is large and multifaceted. Some of its key generic aspects are the following:

    —    Infrastructure: road and rail networks, waterways, stations, ports and airports. Technology is used to ensure that these are kept free-flowing, as far as possible, and any incident quickly identified and responded to.

    —    Public transport: services, and the operators that provide them. Technology is used to monitor their progress, and to advise travellers of changes (including disruptions).

    —    Freight and distribution: goods and materials are transported by private vehicles and fleets. Technology is used to track them, particularly where they are sensitive or hazardous.

    —    Private travel: individual vehicles, motorised and unmotorised, and individual travellers. Technology and services in this area are developing particularly rapidly, as economics make accessible what was previously available only to corporate users. It is currently used largely to access relevant travel information, but there is also a range of sensors and communications systems available.

    —    Regulation and enforcement: vehicle safety, vehicle/driver/passenger authorisation, and compliance with transport rules. Relevant use of technology includes reactive systems (for example, emissions testing at MoT) as well as active systems (for example, safety cameras).

2.  Technology in the transport context

  The use of technology in the transport context started early; ground-to-air voice communications and ("dumb") rail/traffic signals have been in existence for a long time. "Intelligent" controlled systems date from around the 1970s; sensor systems and the retention of historical data from around the late 1980s; and video from approximately the early 1990s. Surveillance technologies in transport are therefore a relatively recent development.

  The pace of technology usage has not slackened. It is routine now for buses to be equipped with a number of CCTV cameras, and to record up to a month's worth of imagery on a local hard drive. The imagery might be from within the bus but might equally well be outward facing. The data provided by this is regularly exploited by the police and other security agencies. The same is true of static cameras at roadside or in stations, airports and filling station forecourts.

  Non-imaging technology is also developing and being deployed rapidly. Smartcard ticketing (such as London's Oyster) enables identified individuals to be tracked through key points on the transport network and allows for the collected data to be stored, processed and shared. Vehicle identifiers do the same for cars; currently this is available through automatic number plate recognition (ANPR) systems that use cameras, but studies on more sophisticated electronic vehicle identification (EVI) systems have been underway within DfT and at DVLA for a number of years.

  Perhaps the most dramatic change in transport-relevant technology is the advent of powerful, personal systems: mobile phones. These can be used, unregulated, for capturing imagery throughout the transport system and, with a few excepted locations, to transmit such images immediately. They can also, as transmitting electronic devices, be used as trackable sensors, including covertly.

3.   Surveillance and the use of third party data

  The data collected through these means may provide useful information to those wishing to surveil, either with respect to specific target individuals/localities or with respect to general monitoring. This includes:

    —    Public agencies with a security remit;

    —    Private agencies with a security interest; and

    —    Agencies and individuals with no security remit.

  In the first two cases, the legitimacy of access to data depends on the relevance of the data to the agency's operations, and also on the incidental residual risk of providing the data. In the third case, legitimacy may be referred to data protection ("I want to know what you have on me") or simply to freedom of information.

  Data collection may be "proactive" and open-ended, where security monitoring is the principal concern of an agency; or it may be "reactive", targeted and triggered by specific events, as where enforcement is the principal concern. It is much easier to put regulatory safeguards into the latter context, where the default is "no access".

4.  Access by public agencies to private databases

  "Private databases" come in a number of types.

    —    Data held by organisations as part of their own management. Scheduling data, engineering records, etc come into this category; so too do corporate security data, such as camera records.

    —    Data held by organisations as part of a public function. This includes data held by PFI management contractors: for instance, the National Traffic Control Centre, National Air Traffic Services, etc. It also includes data held by public bodies which has been provided by private sector organisations on a restricted use basis.

    —    Data held by individuals.

  In the first case, access is normally available only as part of a warranted investigation, or where the data owner chooses to notify the public authorities. The lack of guidance in this area can make both processes cumbersome. A transport operator can suddenly find his information assets seized for investigation, and have little recourse to appeal; conversely, policing opportunities are likely to be lost because, say, a 'hot' vehicle is not identified by a private security system.

  A partial exception to this lies in the British Transport Police operations on the rail network. The close day-to-day working between BTP and rail operators means that there is much greater clarity, by and large, over where database information may usefully be requested and provided. This function does not exist on the roads network.

  In the second case, legitimate access by security agencies should be contractually assured, and any necessary limitation on access or procedural requirements applied at that time (with justification).

  In the third case there is very little that can be done without an external reason.

  In all three cases, the problem of constraining access to where it is legitimate is difficult (except where prearranged processes exist): once a decision has been taken to actively search a third party database, possibly without consent, the data is in principle fully available. Restriction at that point can only relate to the subsequent use of the data (eg how much can be revealed in court).

5.  Data sharing between government departments and agencies

  The UK is not good at sharing data between government departments and agencies. We believe that the public holds an expectation that, where specific information is available to government (in the widest sense), it should be used for all purposes which the public regards as legitimate. For instance, if a local authority street camera captures an image of a known criminal's vehicle, the police should be made aware of it. There are a number of ways of engineering this which stop short of allowing all government bodies full access to each other's databases.

  There have been some positive steps towards information sharing between traffic managers and the police. However, outside London, this is still tentative; partly because systems are installed with transport funds for purely transport requirements, without taking security needs into account. More could be done to encourage joint projects at local level, for instance through good practice forums.

  Generic access to transport databases is more problematic. Intelligence and security agencies are, understandably, willing to ask transport departments to provide data only when they can be fairly specific and there is a clear operational urgency. There is potentially valuable information in operational databases that could be mined (eg for profiling). However this would require much freer access; it is not clear that this would have public support, but moreover it would impose a significant operational burden on both transport and intelligence functions which would need to be resourced.

6.  Existing safeguards for data use

  We do not see major problems with the safeguards currently in place; except to note that the need for caution might restrain legitimate usage.

  We believe that the key driver to limit data sharing (apart from the need to address public concerns about privacy) derives not directly from its use in processing and analysis, but from the actions it might lead to. People are bothered by the fact that they might be "snooped on", but more bothered that they might suffer worse consequences as a result of misidentification. Identification based on smartcard ticketing and identification based on vehicle number plates are both, of course, open to, and currently subject to, a number of caveats. Genuine mistakes, inertia by the user, or deliberate falsification, affect the accuracy of both.

  Release of information to public media may need to be reviewed. In this respect, the Freedom of Information Act (and the surrounding policies) makes it distinctly harder to sustain data protection.

7.  Monitoring abuses

  Following on from the previous point, abuses (actual and potential) of available data are a significant reason that people are uncomfortable with data being shared. Data abuse therefore holds back legitimate data use.

  A clever and determined person can subvert most operational practices, and it is not possible to prevent the possibility of (for example) a rogue policeman exploiting information available to him/her for personal ends.

  This is partly a technical issue, but mostly one of management culture. Organisations need to be tougher on the misuse of data by their staff. There is an important lesson here: the current framework concentrates more on institutional than on individual misuse.

8.  Potential abuse of private databases by criminals

  There are two ways in which criminals might abuse private databases:

    —    They might build their own private database (legitimately or otherwise), and use it for criminal purposes;

    —    They might exploit (openly or through hacking) or corrupt other people's databases.

  There are many scenarios that might be envisaged; in most cases, system design has tried to reduce or mitigate the risk. For example, smartcard tickets on a bus or train could potentially be read by a criminal with a device in a briefcase, and personal data or money obtained; however, the use of encryption makes this problematic.

  In some cases the risks are simply unclear. What could be achieved by a private number-plate camera, covertly positioned by a motorway? Or near a sensitive installation—say, a lab where animal testing happens? This requires an assessment of potential criminal opportunity.

9.  The case for introducing privacy impact assessments

  Privacy is a holistic concept; it is also (paradoxically) highly contextual to person, place, time, and nature of information.

  It is not clear to us that there is a specific single way in which privacy impact assessment could be implemented to make it relevant to all circumstances. Therefore, it should be left up to individual scrutiny to determine whether and how to address privacy impacts.

10.  Profiling

  Profiling is an operational practice. We have little to say about this, other than to note that increasingly complex and sophisticated profiles will be possible as technology rolls out.

  A related concept might be called "reverse profiling", and relates to differences in systems coverage or capability around the country. Some abuses might be more prevalent where detailed information is available to be exploited; others, where surveillance is less thorough. The traditional UK approach to this (create pilot sites and monitor them) seems sensible.

11.  Conclusions

  The transport environment is only really beginning to adopt large systems that capture, store and use personal data. Until very recently travel was largely anonymous up to the UK border; this is no longer the case.

  Because the transport environment is part of the public realm, it is one in which privacy and database protection are most vulnerable, and the development of cheap and available technology is a significant threat.

  Surveillance by legitimate public authorities compromises privacy, but not as much as illegitimate surveillance or the private abuse of personal data databases. Government should concentrate on facilitating more sharing of data among legitimate authorities, while cracking down on unnecessary release and other abuses.

April 2007


© Parliamentary copyright 2008
Prepared 8 June 2008