APPENDIX 18
Memorandum submitted by NO2ID
A. INTRODUCTION
This submission
1. This submission has been prepared by members
of the national campaign against ID cards and the database state,
NO2ID. Our volunteers study legislation and government proposals
as well as near-government policies and technical developments
as they appear, and endeavour to analyse their implications for
a free society and individual liberty and privacy.
2. The inquiry has scope to begin to address
NO2ID's concerns and we welcome it.
About NO2ID
3. NO2ID (an unincorporated association)
was founded in 2004 in response to the Government's stated intention
to introduce the compulsory registration and lifelong tracking
of UK citizens by means of a centralised biometric database. NO2ID
brings together individuals and organisations from all sections
of the community and seeks to ensure that an informed case against
state identity control is put forward in the media, in national
institutions and among the public at large.
4. NO2ID is supported by parliamentarians
of all parties and more than 100 organisations, including trades
unions, political parties, local authorities and special interest
groups have made formal statements supporting the campaign. More
than 30,000 individuals have registered their support. We are
funded by membership fees, occasional merchandise sales and fundraising
events, as well as grants from the Joseph Rowntree Reform Trust
Ltd, the Andrew Wainwright Reform Trust Ltd and individual and
collective donations.
5. The campaign is staffed entirely by volunteers
and we have a growing network of local groups across the UK, currently
in as many as 100 towns and cities.
NO2ID's remit
6. NO2ID is neutral on most political questions,
and non-partisan. Our concern is the threat to privacy and liberty
posed by mass surveillance, the collection, retention and collation
of information that can be tied to individuals, whatever the ostensible
or intended purpose. Information sharing or matching used to generate
files on individuals without specific and reasonable cause and
independent oversight is a special case of the broader problem.
7. We are not worried by data used in genuinely
anonymised form, or in a statistical or collective manner for
administrative or business planning or to make offers that can
be refused or ignored. We hold that sophisticated market analysis
techniques are not inherently intrusive, because they do not imply
intervention in, or censure of, the lives and lifestyles of individuals.
8. On the other hand, we regard a loss of
privacy or anonymity without good reason as potentially a fundamental
threat to the free society. If you are being watched or followed
over time by someone with the power to discipline you directly
or indirectly, then your freedom of action is reduced. The more
minutely and extensively you are watched, the greater the power
of discipline.
B. GENERAL REMARKS
9. The scope of the threat is, sad to say,
much broader than the Home Office. Overspill into other departments
is not merely incidental, as the terms of the inquiry might be
taken to suggest. We believe that every select committee is potentially
outflanked by a changing culture of government and changing methods
that begin to evade scrutiny.
10. The creation of a surveillance state
is inherent in the strategic conception of "Transformational
Government", which is not simply an attempt to use new technology
effectively, but is built around the idea of breaking boundaries
between departmental functions by collecting and collating information
on citizens across the whole of government. The Department of
Constitutional Affairs's "Information Sharing Vision Statement"
identifies the "barriers" to broad data sharing as human
rights law, data protection, common law confidentiality, and the
fundamental legal principle of ultra vires. NO2ID submits
that if the culture of government is to regard those safeguardswhich
may yet be too weakas problems, then something must be
done about the culture of government.
11. Pending the abolition of all bounds
to state power by Transformational Government, surveillance measures,
particularly database surveillance measures have become routine.
They are added piecemeal by new statutes, which are habitually
drawn extremely widely and provide for extension by statutory
instrument. Drafting will often include a catch-all provision,
in effect permitting arbitrary other use of information. This
is calculated to allow powers to multiply, interact, and evade
proper scrutiny.
12. An example of deceptively broad drafting
is in the Identity Cards Act 2006. The Government made great play
of the use of the scheme being "limited" to the statutory
purposes, but the statutory purposes happen to encompass any conceivable
activity of any future government. Catch-all provisions include
clause 8(2) of the UK Borders Bill which appears to grant the
Secretary of State the power to use information gathered using
very sweeping powers, for any purpose whatsoever. Steady extension
(it is hard to see any diminution) of powers using secondary legislation
can be seen in relation to the Regulation of Investigatory Powers
Act 2000.
13. There is seldom a case made for the
institution of broad data-sharing powers this way. It seems to
be a matter of unconsidered administrative convenience in most
cases. NO2ID would approach the problem from the other direction:
information should not be stored or transmitted without good reason
and limited purpose.
14. This area of public policy has developed
rapidly and quietly, lacking not just a comprehensive legal framework,
but even an adequate conceptual one available to most people.
The promotion of the ID scheme has consistently blurred the distinction
between authentication and identification, as if it doesn't matter.
We urge not just the Home Affairs Committee, but all parliamentarians
to take the question of the database state very seriously indeed.
C. SPECIFIC QUESTIONS
RAISED BY
THE COMMITTEE
Access by public agencies to private databases
15. There is no reason to object to public
agencies using private services on the same terms as private bodies,
given proper protections in private databases. However, we are
very concerned if either information not normally available on
commercial terms is obtained without proper judicial oversight,
warrant or court order, or if it is used for purposes other than
those for which it was obtained, or if commercial datasets are
combined with government ones in datamining exercises for government.
The objections to using private data for government datamining
are precisely the same as those in the following paragraph.
Data-sharing between government departments and
agencies
16. In NO2ID's opinion this is the most
significant threat to liberty we currently face. Our principal
objection to the Identity Card Scheme is that it serves to enable
the broadest data-sharing and data-matching across government.
It is inherent in all such plans that information is used for
purposes other than those for which it was given, which amounts
to the requirement that citizens (and private corporations, too)
give absolute discretion to government every time they provide
information to it.
17. Government appears not to recognise
that data-sharing and data-matching create problems of their own
at any other than a technical level. We believe that it both radically
increases the power of government over the citizen: information,
direct oversight, being power; and that it creates the preconditions
for `suspicion by computer' in which an arbitrary match is interpreted
as cause for government intervention. This is already seen in
embryo in the activities of TV Licensing, which presumes everyone
has a television unless proved otherwise, and will harry the occupants
of any address with no licence attributed to it.
Existing safeguards for data use and whether they
are strong enough
18. Such safeguards as currently exist are
liable to be overridden arbitrarily by statute. The Children Act
2004, for example, casually set aside all rules of confidentiality
or data protection in establishing the Information Sharing Index
(now unfortunately known as Contact Point). Because information
sharing effects cannot by definition be localised, each such provision
causes leakage.
19. We consider that regulatory oversight
and punitive regimes can never be sufficient. This is not just
a question of quantity, though the present Information Commissioner's
Office is clearly overloaded, and would have to be many times
its present size to catch up with the burgeoning database culture.
The nature of the dangers is not susceptible to post-hoc
management by regulation. They are either secret abuse of data
in individual cases or systemic failures arising from the unpredictable
impact of over-broad powers. It is better to use structural institutional
means to pre-empt and limit difficulties, than try to cope with
the consequences.
The monitoring of abuses
20. NO2ID is of the opinion that monitoring
abuses, while it might help assess the scope of problems, is generally
going to be too late. It is very hard to dismantle systems once
established, particularly in the public sector. Better prevent
and minimise abusesboth by avoiding collecting and collating
data unnecessarily, and by technical means to increase securityand
to provide for proper redress for those affected.
21. Proper redress for victims of abuses
is critical in creating an incentive for the design of good systems.
Prescribing punishment for an abuser is of relatively little value
if he doesn't believe he will get caught or if the gain is sufficiently
attractive. Liability for the operators of databases directly
to the victims of abuse is much more likely to be effective in
prevention.
Potential abuse of private databases by criminals
22. All databases are potentially subject
to abuse. The more comprehensive they are the greater potential
for abuse. NO2ID is surprised, therefore, that the inquiry narrowly
specifies private databases. Those cases that we are aware of
involving threats to individuals other than financial loss arose
out of misuse of public databases to obtain personal information.
Private databases place direct value on the information involved,
and can go out of business if they are not trustworthy, so have
incentives to audit use carefully.
The case for introducing privacy impact assessments
23. We do not consider that this is likely
to be of any value. Examination of the regulatory and race equality
impact assessments that appear with existing legislation suggests
that such exercises are uninformative and provide no brake on
government. In some cases (notably that in 2004 for the then Identity
Cards Bill) they are used to propagandise for the legislation
rather than provide useful information. Unless any such assessment
is carried out by a body independent of the department sponsoring
the legislation, and in the light of clear definitions of privacy,
it is hard to see what it could add at all.
Privacy-enhancing technologies
24. NO2ID naturally supports technology
to increase privacy. We note that the principal enemy of privacy-enhancing
technologies has always been government. Government objects to
pseudonymous and anonymous transactions and fungible identities,
often for quite legitimate reasons, but rather than designing
taxation and law enforcement around new technology, or on an assessment
of risk, it has chosen to scotch new technology, or at least has
failed to aid its adoption. In particular government has been
exceedingly hostile to the use of strong encryption in commercial
and private contexts since it became publicly available, and comprehensively
undermined its commercial use in the Electronic Commerce Regulations.
25. Government should remove barriers it has
deliberately set up to distributed trust and encryption technology.
It should be prepared, just as it is in the financial system,
to be an issuer of sound certificates and "lender of last
resort" in that it will underwrite digital identity for those
lacking it otherwiseand then to stand back. Everybody recognises
that it is neither necessary nor desirableindeed completely
contrary to the point of moneyfor the Bank of England to
have a record of every time a note is backs changes hands. The
same needs to be made "obviously" true for authentication
transactions.
Profiling
26. NO2ID's attitude to profiling depends
crucially on what is meant by "profiling". As indicated
in our general remarks, we do not regard data-analysis for market
segmentation or other statistical purposes as harmful. What is
of great concern is patterns in data being used to determine the
treatment of individuals. Creation of suspect- or watch-lists
on the basis of associations or abstract models of behaviour is
dangerous. It erodes the idea that individuals are responsible
for their own actual conduct and free unless they transgress the
law. We submit that any use of profiling that involves direct
or indirect intervention by government agencies (or their proxies)
in individual lives must be justified on a case-by-case basis,
and that it should not be accrued or accumulated in any way. Being
suspected should never in itself be ground for further suspicion.
D. ADDITIONAL
QUESTIONS
27. We would like to draw the committee's
attention to two further causes for concern in the conduct of
government.
28. Quasi-private databases: Official powers
are being used to require private organisations to carry out surveillance
on behalf of the authorities. This can be formal and explicit,
as with telecoms data retention requirements, or, perhaps more
disturbing, indirect as where licensing authorities make participation
in a fingerprinting and ID scheme imposed on customers a condition
of a liquor license.
29. Pseudo-voluntary processing: Whereas third
party use of data without proper permission has largely died out
in the private sector It is commonplace for forms for public purposes
to waive data protection in effect, while being in practice impossible
to decline to fill in. Committee members have an example to hand
in the "security" forms for attendees at party conferences,
where data is not limited to use for the event, but may be used
for any police purpose.
E. NO2ID'S RECOMENDATIONS
30. This area is still not well understood.
We recommend all involved in policy formation and scrutiny exercise
skepticism with regard to claimed trade-offs between privacy and
government efficiency. Modern communications and IT offer scope
to improve efficiency while still maintaining segregation between
separate agencies.
31. The common law doctrines of ultra
vires and confidentiality have grown up precisely as protection
for the individual against abuse of power. They should be guarded.
32. In addition consideration should be
given to new personal privacy and information privity laws, giving
direct redress for improper surveillance or sharing.
33. There should be a presumption against
government data-sharing with case by case approval and external
oversight whenever it is permitted.
34. We beg parliament to be vigilant against
catch-all purposes and broad drafting.
35. Regulatory safeguards; rules, references,
tribunals, appeals, are not likely to be sufficient. Institutional
structures which make those in a position to prevent problems
liable if they fail to do so are desirable.
36. A privacy impact assessment is unlikely
to be of value, more a diversion of scrutiny.
37. Government should assist rather than
attack private use of encryption technologies.
F. FURTHER INFORMATION
This is a vast and growing topic. We will naturally
provide what further information we can on request and witnesses
if required.
April 2007
|