Surveillance: Citizens and the State - Constitution Committee


Memorandum by NO2ID

THIS SUBMISSION

  1.  This submission has been prepared for NO2ID, the national campaign against ID cards and the database state. The inquiry addresses NO2ID's central concerns about the alteration of the relationship between citizen and state by database government, and we welcome the Committee's recognition of the very serious constitutional implications.

  2.  This is necessarily a very brief summary of the legislative and institutional context and contains some novel legal proposals. Though compressed, it is still rather long. We would welcome the opportunity to present such supplementary evidence, orally or in writing, as the committee wishes to take.

  3.  We have also made a submission recently to the surveillance state inquiry being conducted by the House of Commons Select Committee on Home Affairs. We have tried to avoid repeating ourselves though some of the issues addressed are similar.

ABOUT NO2ID

  4.  NO2ID (an unincorporated association) was founded in 2004 in response to the Government's stated intention to introduce the compulsory registration and lifelong tracking of UK citizens by means of a centralised biometric database. NO2ID seeks to put an informed case against state identity control to the media, to national institutions and to the public at large. More than 100 organisations, including trades unions, political parties, local authorities and special interest groups have either joined or made formal statements supporting the campaign. More than 30,000 individuals have registered their support.

  5.  NO2ID is non-partisan, and neutral on most political questions. Our concern is the threat to privacy and liberty posed by mass surveillance, the collection, retention and collation of information that can be tied to individuals, whatever the ostensible or intended purpose. Information sharing or matching used to generate files on individuals without specific and reasonable cause and independent oversight is a special case of the broader problem.

  6.  We regard a loss of privacy or anonymity without good reason as potentially a fundamental threat to the free society. If you are being watched or followed over time by someone with the power to discipline you directly or indirectly, then your freedom of action is reduced. The more minutely and extensively you are watched, the greater the power of discipline.

  7.  NO2ID's approach is therefore that information on individuals (and implicitly, therefore, on their associations) should not be stored or transmitted without good reason and limited purpose.

SUMMARY

  8.  NO2ID believes that the unconsidered growth of government data-sharing initiatives, together with advances in technology, has inadvertently brought us to the verge of a surveillance state in which every action of the citizen is potentially subject to monitoring, retrospectively via data searches more than contemporaneously after the manner of the traditional police state informer networks.

  9.  Latterly this tendency has been exacerbated by the deliberate policy of "joined-up" or "transformational" government, which perceives the citizen in terms of the manipulation of a personal file, and idealises an integrated total information awareness for government. Such ideas have been seen as so self-evidently good by those proposing them, that they have been willing to subvert basic principles to pursue the policies concerned. The Identity Cards Act 2006, whose prime function is the establishment of a central register of the population, is the key such measure, but not the only one.

  10.  Technological and institutional change has subtly undermined our suppositions about privacy in everyday life, which are taken for granted in the constitution almost as much as they are by ordinary people. In particular we are used to having anonymity and privacy (which are very closely allied and interchangeable for many purposes) by default. They can no longer be taken for granted.

  11.  The threats are novel, and therefore the existing legal protections for the citizen are not adequate (even where they are not being broken down by zealous expansion of government remit). We are open to the equivalent of searches without proper control. And we lack control over information about us once it is no longer secret.

  12.  The existence of a permanent personal record which can be increasingly referred to by others reverses the presumption of innocence and the trust on which our system is based. It threatens to become necessary to prove one's "clean" status constantly, and an innocent incident, once on a record, is liable to be interpreted as grounds for suspicion.

  13.  NO2ID therefore suggests that a more considered approach is adopted in which promiscuous data-sharing is anathema rather than the ideal, and pseudonymity and anonymity are protected. Some specific measures ought to be repealed, but that is insufficient without new controls on the technology and institutions of surveillance.

  14.  We look forward to searches of private data being treated in the same way as physical searches of people and property. We advocate the extension of personal rights in relation to private information, and in particular the examination of a better defined understanding of privacy and "informational privity" whereby the use made of personal data remains in the control of the individual.

DISCUSSION

Growth of the database state is unconsidered

  15.  There is a naivety in many government statements about data-collection and data-sharing powers. There is seldom a case made that recognises the seriousness of the exercise. Powers of physical search have less profound effects on the individual and society (as discussed below) but they are frequently controversial. It seems to be a matter of unconsidered administrative convenience in most cases.

  16.  Surveillance measures, particularly database surveillance measures, have become routine. They are added piecemeal by new statutes, which are habitually drawn extremely widely and provide for extension by statutory instrument. Drafting will often include a catch-all provision, in effect permitting arbitrary other use of information. This is calculated to allow powers to multiply, interact, and evade proper scrutiny.

Technology enables the surveillance state

  17.  Our way of life is predicated on the fungibility of most records and the limited application of others. Your business and personal relationships would historically have been with and through people, who have a limited capacity and desire to store and process information. Copying and transferring a document before digital means became available required human intervention (even to place it on a photocopier or fax), searching archives required human beings to set up indexes, and so archives were constrained to their original purposes.

  18.  It is the ready recording, retention, copying, searching and sharing of information in ways that are effectively permanent and outside the control of the individual concerned, that potentially alters the nature of all relationships mediated by, or observed through, technology.

Constitutional conception of the person

  19.  Our law and constitution have developed in the context of direct relationships between individuals and institutions. They generally answer the question, "Does this person have this right in these circumstances?" and deal with the nature and consequences of transactions between persons. It is the essence of the rule of law that different persons are treated the same in like circumstances.

  20.  The function of law has historically been to adjudicate between persons on factual matters. It has accepted the real world, and managed conflicts within it.

  21.  We suggest that the growing culture of state identification and record keeping is eroding that fundamental assumption of law. When the first question asked is "Who is this person and what is their record?" and the answers condition their rights and treatment, then something has changed.

Bureaucratic conception of the person

  22.  An alternative conception of a person is found in the Identity Cards Act 2006, and is also visible in much recent legislation and regulation.

  23.  First, persons are conceptualised as attachments of official records, and their rights as dependent on registration. The person has been supplanted by the record. It becomes questionable under such a regime whether the natural person is any longer a legal subject.1 The completeness and procedural correctness of records is the primary consideration of a bureaucracy. The law strives to deal with uncertainty, bureaucracy to eliminate it.

  24.  Second, unlike the law, which seeks to determine what are the relevant grounds for decision and does not concern itself with other properties or capacities of its subjects, a bureaucratic framework implicitly requires one file related to one body for all purposes, so that the individual can be efficiently managed by the state. It is intolerant of the multiple roles of individuals, which society and the law built on society can sustain.

Transformational Government

  25.  The notion of "Transformational Government"2 which takes a governmentalist viewpoint for granted, is not simply an attempt to use new technology effectively, but is built around the idea of breaking boundaries between departmental functions by collecting and collating information on citizens across the whole of government. The Department of Constitutional Affairs's "Information Sharing Vision Statement"3 identifies the "barriers" to broad data sharing as human rights law, data protection, common law confidentiality, and ultra vires. There are already frequently explicit statutory provisions setting aside confidentiality4 and/or working around data protection legislation.5 Those are not, we submit, desirable. But the idea that ultra vires is dispensable is profoundly anti-constitutional.

  26.  Such an approach requires a means by which information on citizens may be readily cross referenced. There is power to do it created by very broad drafting of the Identity Cards Act 2006. The Government made great play of the use of the scheme being "limited" to the statutory purposes, but the statutory purposes happen to encompass any conceivable activity of any future government.

  27.  Since that legislation was passed, the government and the Identity and Passport Service have begun to refer to the "National Identity Scheme" and to "identity management". We note that a governmentalism in which the citizen is deemed to be under the state's management is also foreign to our constitution, which supposes the individual to be at liberty under the law.

THE LOSS OF ANONYMITY AND SURVEILLANCE

Authentication and Identification

  28.  Security analysts distinguish carefully between the authentication of transactions and the identification of entities, between having authority to do something warranted by appropriate credentials, and being a particular person.6

  29.  The law does recognise such distinctions implicitly (in the conception of office for example: the Secretary of State will be a different person at different times, but bear the same authority) but this basic conceptual framework seems to be unavailable to lawmakers and others when it comes to discussing how individuals interact with the state. The promotion of the National Identity Scheme in particular has consistently blurred the distinction between authentication and identification, as if it doesn't matter. Making individual actions traceable to individual persons is the essence of surveillance.

Discrete transactions versus tracing

  30.  Everybody recognises that it is neither necessary nor desirable—indeed completely contrary to the point of money—for the Bank of England to have a record of every time a note it backs changes hands. The same ought to be "obviously" true for other civil transactions, where authentication of capacity is what is minimally required. Identification, on the other hand, makes our actions traceable, a contribution to a central file rather than discretely legitimate acts. This opens the door to discrimination between different persons in the same circumstances, and to subsequent retrieval of information about individuals.

Ready accessibility of records

  31.  It is implicit in much recent legislation that if information can be retrieved and there is a legitimate reason for doing so, then it ought to be retrievable, with the minimum of formality. We believe that this is a moral delusion arising from the relative ease and invisibility of such processes. If information is hidden to human inspection, because it cannot be discerned among other facts or because it cannot be collated and cross-referenced by a person, then it is to a human mind obscured, and remains private. Uncovering and collating personal information from numerous inadvertent events may reveal things about individuals that they did not intend on isolated occasions to reveal (and it may give rise to unwarranted suppositions about the meaning of those events). An example might be collecting one's entire Google search history.

Irrevocability of information transfer

  32.  Peter Bazalgette, the UK producer of "Big Brother" recently made the interesting observation that people may be willing to give out information about themselves at one stage of life, but regret it later.7 This is not a large problem in the human world—the number of people who can learn something directly is limited. But the same information in a permanent searchable form can haunt us for ever.

  33.  If Bazalgette's example of Facebook sites seems too trivial, consider the Department of Health's National Programme for IT. There patients are expected to give permission8 once only and irrevocably for their medical records—or their children's medical records—to be uploaded to the "NHS Spine" system, regardless that they cannot possibly foresee or grasp the social and emotional consequences of future medical events in their life. Someone at 40 may wish to withhold records containing past incidents of mental illness or sexually transmitted disease from general circulation; how can the same person at 16 make the same decision beforehand?

Expanded Consent

  34.  Not only is consent in many cases illusory, but consent to information sharing once given can lead to total loss of control for the subject. It is commonplace for forms for public purposes to waive data protection in effect, while being in practice impossible to decline to fill in. Most committee members will have an example to hand in the "security" forms for attendees at party conferences, where the extensive personal data provided is typically not limited to use for the event, but may be used for any police purpose.

LIMITATIONS OF CURRENT PROTECTIONS

Privacy

  35.  Though we are accustomed to refer to it, there is no clear legal conception of nor direct protection of privacy per se in this country.9 The US courts have, controversially, managed to interpolate a substantive right of privacy10 into a Constitution that has none explicitly. This can be explained by noting that until recently no means were available to monitor and record people's activities at a distance or without permission on their own premises. At common law privacy was assured so naturally as a consequence of property rights that no-one thought to separate the two.

  36.  We note that what is often referred to as a "privacy" provision in the human rights convention received into our constitution in the Human Rights Act 1998, Article 8, the "right to respect for private and family life" (1) is not really a privacy provision since it accords a rather vague respect, not privacy itself, and (2) is subject to broad exceptions open to the state to adduce.

  37.  There is a case for creating freestanding privacy rights that cannot be readily abridged by the state without specific cause.

Confidentiality

  38.  The nearest we have to privacy law in Britain is arguably the law of confidence. There are problems with this, however. It is increasingly identified with the protection of commercial interests,11 and it needs to be vigorously pursued because once information is public knowledge it can no longer be protected. Enforcement is also a problem; it requires that the leak be traced back to source, so that breach of confidence can be established, and the main means of enforcement is risky and expensive injunction.

Data protection

  39.  In our view the Data Protection Act 1998 is utterly inadequate to the purpose of protecting individual privacy and liberty against the surveillance. Most obviously Part IV of the Act provides effective exemption for government use of data for many purposes, and can readily be extended. Further it relies on compliance with regulation and guidance not prevention or individual remedy. The Office of the Information Commissioner relies on state funding, and already has great difficulty coping with the amount of work placed before it.

CONSEQUENCES OF DATA SURVEILLANCE FOR CIVIL LIBERTY

Presumption of guilt

  40.  Where one is required to demonstrate a legitimate status in order to perform civil functions12 then that imports a presumption that anyone who does not do so willingly is a suspect. The Home Office itself suggested as much in its "Benefits" paper for the ID scheme in 2005.13 Once there are records to be disclosed they are subject to interpretation, which also may import presumptions, particularly in conditions designed to encourage suspicion. One clear example is of the existence of a record on the national DNA database, which implies prior arrest, which may be prejudicial in investigations.

Self reporting

  41.  The idea of continuous self-exculpation is aligned with the pragmatic consequence of surveillance mechanisms. The records must be complete. Therefore they must be kept up to date. Therefore the citizen acquires new and onerous obligations backed by penalties for non-compliance, to report on himself.

Abolition of rehabilitation

  42.  It may not be an articulated constitutional principle that an offender who has been punished is normally entitled to regard his debt as paid, but it is implicit in custom that people may escape their past. It has been persuasively argued by Simon Cole14 that the idea of identity first came into use in criminal justice not for detection purposes, but because of the fear of recidivism. Where a conviction—or a mere social embarrassment—is permanently on record,15 then we are fated to live in a harsh world.

Information sharing as a search power

  43.  As noted above (29), the identification of a specific act or transaction with a specific person is a disclosure about them beyond that strictly necessary and needs a reason. It is analogous to a police power of search. Currently police do not have the power to require information of people as to their identity or movements without suspecting them of an offence—and the recent suggestion that they might is highly controversial. Yet a data-sharing power granted to a public body doing precisely the same thing—identifying a person and his transactions—is so common that it is scarcely noticed. Because it is a power more easily exercised, ought we not be more concerned, however?

Data matching = general search

  44.  Matching or mining data is correspondingly more serious for privacy, as suggested in 30 and 31. If it is directed against an individual it is analogous to a police search. If it is used to draw conclusions from data-sets about groups, or to look for new patterns, then the only physical-world analogy is Writ of Assistance, which was sufficiently repugnant to liberty to be outlawed by the US Bill of Rights, and survives here only as an unusual power of Customs Officers. Yet this is available ad hoc to the authorities under several pieces of legislation and the Serious Crime Bill, schedule 7 would create a general power in relation to the very broad category of fraud.

RECOMMENDATIONS

Repeal of Identity Cards Act 2006

  45.  The Identity Cards Act is designed around a conception of nationalising personal identity. It must be repealed. If identity cards themselves are justified (which we deny), then a system without a centralised register is entirely possible16 and would not subordinate the individual to the state in quite the same way, but this would require new legislation.

Compartmentalised government

  46.  The "Transformational government" strategy, as currently conceived, is a direct threat to the rule of law and should be abandoned. This does not mean abandoning the use of technology for improving the efficiency of government activity; it means systems should be constrained to well-defined purposes.17 We would prefer a compartmentalised government in which each department of state maintained a separate relationship with those citizens in its sphere. This is no inhibition to the coordination of policy, but is protective of individuals.

Recognition of privacy rights

  47.  In addition consideration should be given to new personal privacy and informational privity (see below) laws, giving direct redress through the courts and possibly criminal penalties for improper surveillance or sharing. The common law position, where one may use any name provided there is no fraud, may need to be updated and strengthened to permit anonymity and pseudonymity to survive.

Informational Privity

  48.  We suggest that there is a missing concept in relation to the sharing of information, and that it ought to be analogous to the grant of rights in forms of property, in that information is received from a particular source for a particular purpose, and it ought therefore to be the case that the use of personal information depends on a chain of title. A supplier ought not to be able to grant greater usage than he himself has. Though potentially complicated in detail, this model offers a coherent way to place control of personal information ultimately where it belongs: in the hands of the subject.

Government sharing and matching subject to judicial control

  49.  Just like physical searches, we believe that data-sharing and data-matching or -mining exercises by government should be permitted only with good reason (such as reasonable suspicion of an offence) and subject to due authorisation depending on the reason. Matching and mining in particular are of the nature of general search warrants and ought to be permitted only on judicial authority. Fishing expeditions, where there is no evidence of a crime or other pressing reason, ought to be barred.

Protection of common law standards

  50.  The common law doctrines of ultra vires and confidentiality have grown up precisely as protection for the individual against abuse of power. They should be guarded.

8 June 2007

REFERENCES

1  See discussion in Guy Herbert, "The Biggest Christmas Tree", Garden Court News, Autumn 2005, where it is argued the Identity Cards Bill confers the power of civic life and death on the Home Secretary.

2  See, Cabinet Office paper Transformational Government—enabled by technology Cm6683, November 2005 http://www.cio.gov.uk/transformational_government/strategy/

3 DCA, September 2006 http://www.foi.gov.uk/sharing/information-sharing.pdf

4  Eg Children Act 2004, s 12.

5  Eg Serious Crime Bill, as brought from the Lords 2007, cl.66 which modifies the Data Protection Act 1998 to vitiate any relevant protection.

6  See, for example, Bruce Schneier, Secrets & Lies: digital security in a networked world, Wiley, 2000.

7  "Your honour, it's about those Facebook photos of you at 20"—The Observer, 20 May 2007. http://observer.guardian.co.uk/comment/story/0,,2083798,00.html

8  Which is to say, they are assumed to consent if they fail to object, though this is now banned in relation to commercial data-sharing.

9  The beginning of one might be found in the new "voyeurism" offence under the Sexual Offences Act 2003. The notional common law offence of eavesdropping is often referred to, but I have been unable to find a case in English law.

10  Following the US Supreme Court in Griswold v Connecticut, 1965.

11  "I see no reason why there should not be an obligation of confidence for the purpose of enabling someone to be the only source of publication if that is something worth paying for" Lord Hoffman in the Hello! case (http://www.publications.parliament.uk/pa/ld200607/ldjudgmt/jd070502/obg-5.htm at 120.)

12  As for example intended by the Identity Cards Act 2006, see Regulatory Impact Assessment, November 2004 http://www.homeoffice.gov.uk/documents/ria-identity-cards-bill-251104?view=Binary or pursuant to Criminal Records Bureau disclosures.

13  ID Cards—Benefits Overview, p12 http://www.identitycards.gov.uk/downloads/2005-06-27_Identity_Cards_Scheme_Benefits_Overview.pdf

14  Simon A Cole, Suspect Identities, Harvard UP, 2001.

15 As the Criminal Records Bureau enhanced disclosure procedures imply.

16  Eg that described in the LSE Identity Project Report, June 2005 http://identityproject.lse.ac.uk/identityreport.pdf

17  Which incidentally means they are likely to work better in practice.


 

© Parliamentary copyright 2009