Memorandum by NO2ID
1. This submission has been prepared for
NO2ID, the national campaign against ID cards and the database
state. The inquiry addresses NO2ID's central concerns concerning
the alteration of the relationship between citizen and state by
database government, and we welcome the Committee's recognition
of the very serious constitutional implications.
2. This is necessarily a very brief summary
of the legislative and institutional context and contains some
novel legal proposals. Though compressed, it is still rather long.
We would welcome the opportunity to present such supplementary
evidence, orally or in writing, as the committee wishes to take.
3. We have also made a submission recently
to the surveillance state inquiry being conducted by the House
of Commons Select Committee on Home Affairs. We have tried to
avoid repeating ourselves though some of the issues addressed
4. NO2ID (an unincorporated association)
was founded in 2004 in response to the Government's stated intention
to introduce the compulsory registration and lifelong tracking
of UK citizens by means of a centralised biometric database. NO2ID
seeks to put an informed case against state identity control to
the media, to national institutions and to the public at large.
More than 100 organisations, including trades unions, political
parties, local authorities and special interest groups have either
joined or made formal statements supporting the campaign. More
than 30,000 individuals have registered their support.
5. NO2ID is non-partisan, and neutral on
most political questions. Our concern is the threat to privacy
and liberty posed by mass surveillance, the collection, retention
and collation of information that can be tied to individuals,
whatever the ostensible or intended purpose. Information sharing
or matching used to generate files on individuals without specific
and reasonable cause and independent oversight is a special case
of the broader problem.
6. We regard a loss of privacy or anonymity
without good reason as potentially a fundamental threat to the
free society. If you are being watched or followed over time by
someone with the power to discipline you directly or indirectly,
then your freedom of action is reduced. The more minutely and
extensively you are watched, the greater the power of discipline.
7. NO2ID's approach is therefore that information
on individuals (and implicitly, therefore, on their associations)
should not be stored or transmitted without good reason and limited
8. NO2ID believes that the unconsidered
growth of government data-sharing intitiatives, together with
advances in technology have inadvertently brought us to the verge
of a surveillance state in which every action of the citizen is
potentially subject to monitoring, retrospectively via data searches
more than contemporaneously after the manner of the traditional
police state informer networks.
9. Latterly this tendency has been exacerbated
by the deliberate policy of "joined-up" or "transformational"
government, which perceives the citizen in terms of the manipulation
of a personal file, and idealises an integrated total information
awareness for government. Such ideas have been seen as so self-evidently
good by those proposing them, that they have been willing to subvert
basic principles to pursue the policies concerned. The Identity
Cards Act 2006, whose prime function is the establishment of a
central register of the population, is the key such measure, but
not the only one.
10. Technological and institutional change
has subtly undermined our suppositions about privacy in everyday
life, which are taken for granted in the constitution almost as
much as they are by ordinary people. In particular we are used
to having anonymity and privacy (which are very closely allied
and interchangeable for many purposes) by default. They can no
longer be taken for granted.
11. The threats are novel, and therefore
the existing legal protections for the citizen are not adequate
(even where they are not being broken down by zealous expansion
of government remit). We are open to the equivalent of searches
without proper control. And we lack control over information about
us once it is no longer secret.
12. The existence of a permanent personal
record which can be increasingly referred to by others reverses
the presumption of innocence and the trust on which our system
is based. It threatens to become necessary to prove ones "clean"
status constantly, and an innocent incident, once on a record,
is liable to be interpreted as grounds for suspicion.
13. NO2ID therefore suggests that a more
considered approach is adopted in which promiscuous data-sharing
is anathema rather than the ideal, and pseudonymity and anonymity
are protected. Some specific measures ought to be repealed, but
that is insufficient without new controls on the technology and
institutions of surveillance.
14. We look forward to searches of private
data being treated in the same way as physical searches of people
and property. We advocate the extension of personal rights in
relation to private information, and in particular the examination
better defined understanding of privacy and "informational
privity" whereby the use made of personal data remains in
the control of the individual.
Growth of the database state is unconsidered
15. There is a naivety in many government
statements about data-collection and data-sharing powers. There
is seldom a case made that recognises the seriousness of the exercise.
Powers of physical search have less profound effects on the individual
and society (as discussed below) but they are frequently controversial.
It seems to be a matter of unconsidered administrative convenience
in most cases.
16. Surveillance measures, particularly
database surveillance measures have become routine. They are added
piecemeal by new statutes, which are habitually drawn extremely
widely and provide for extension by statutory instrument. Drafting
will often include a catch-all provision, in effect permitting
arbitrary other use of information. This is calculated to allow
powers to multiply, interact, and evade proper scrutiny.
Technology enables the surveillance state
17. Our way of life is predicated on the
fungibility of most records and the limited application of others.
Your business and personal relationships would historically have
been with and through people, who have a limited capacity and
desire to store and process information. Copying and transferring
a document before digital means became available required human
intervention (even to place it on a photocopier or fax), searching
archives required human beings to set up indexes, and so archives
were constrained to their original purposes.
18. It is the ready recording, retention,
copying, searching and sharing of information in ways that are
effectively permanent and outside the control of the individual
concerned, that potentially alters the nature of all relationships
mediated by, or observed through, technology.
Constitutional conception of the person
19. Our law and constitution have developed
in the context of direct relationships between individuals and
institutions. They generally answer the question, "Does this
person have this right in these circumstances?" and deal
with the nature and consequences of transactions between persons.
It is the essence of the rule of law that different persons are
treated the same in like circumstances.
20. The function of law has historically
been to adjudicate between persons on factual matters. It has
accepted the real world, and managed conflicts within it.
21. We suggest that the growing culture
of state identification and record keeping is eroding that fundamental
assumption of law. When the first question asked is "Who
is this person and what is their record?" and the answers
condition their rights and treatment, then something has changed.
Bureaucratic conception of the person
22. An alternative conception of a person
is found in the Identity Cards Act 2006, and is also visible in
much recent legislation and regulation.
23. First, persons are conceptualised as
attachments of official records, and their rights as dependent
on registration. The person has been supplanted by the record.
It becomes questionable under such a regime whether the natural
person is any longer a legal subject.1 The completeness and procedural
correctness of records is the primary consideration of a bureaucracy.
The law strives to deal with uncertainty, bureaucracy to eliminate
24. Second, unlike the law, which seeks
to determine what are the relevant grounds for decision and does
not concern itself with other properties or capacities of its
subjects, a bureaucratic framework implicitly requires one file
related to one body for all purposes, so that the individual can
be efficiently managed by the state. It is intolerant of the multiple
roles of individuals, which society and the law built on society
25. The notion of "Transformational
Government"2 which takes a governmentalist viewpoint for
granted, is not simply an attempt to use new technology effectively,
but is built around the idea of breaking boundaries between departmental
functions by collecting and collating information on citizens
across the whole of government. The Department of Constitutional
Affairs's "Information Sharing Vision Statement"3 identifies
the "barriers" to broad data sharing as human rights
law, data protection, common law confidentiality, and ultra
vires. There are already frequently explicit statutory provisions
setting aside confidentiality4 and or working around data protection
legislation.5 Those are not, we submit desirable. But the idea
that ultra vires is dispensible is profoundly anti-constitutional.
26. Such an approach requires a means by
which information on citizens may be readily cross referenced.
There is power to do it created by very broad drafting of the
Identity Cards Act 2006. The Government made great play of the
use of the scheme being "limited" to the statutory purposes,
but the statutory purposes happen to encompass any conceivable
activity of any future government.
27. Since that legislation was passed, the
government and the Identity and Passport Service have begun to
refer to the "National Identity Scheme" and to "identity
management". We note that a governmentalism in which the
citizen is deemed to be under the state's management is also foreign
to our constitution, which supposes the individual to be at liberty
under the law.
Authentication and Identification
28. Security analysts distinguish carefully
between the authentication of transactions and the identification
of entities, between having authority to do something warranted
by appropriate credentials, and being a particular person.6
29. The law does recognise such distinctions
implicitly (in the conception of office for example: the Secretary
of State will be a different person at different times, but bear
the same authority) but this basic conceptual framework seems
to be unavailable to lawmakers and others when it comes to discussing
how the individuals interact with the state. The promotion of
the National Identity Scheme in particular has consistently blurred
the distinction between authentication and identification, as
if it doesn't matter. Making individual actions traceable to individual
persons is the essence of surveillance.
Discrete transactions versus tracing
30. Everybody recognises that it is neither
necessary nor desirableindeed completely contrary to the
point of moneyfor the Bank of England to have a record
of every time a note it backs changes hands. The same ought to
be "obviously" true for other civil transactions, where
authentication of capacity is what is minimally required. Identification,
on the other hand, makes our actions traceable, a contribution
to a central file rather than discretely legitimate acts. This
opens the door to discrimination between different persons in
the same circumstances, and to subsequent retrieval of information
Ready accessibility of records
31. It is implicit in much recent legislation
that if information can be retrieved and there is a legitimate
reason for doing so, then it ought to be retrievable, with the
minimum of formality. We believe that this is a moral delusion
arising from the relative ease and invisibility of such processes.
If information is hidden to human inspection, because it cannot
be discerned among other facts or because it cannot be collated
and cross-referenced by a person, then it is to a human mind obscured,
and remains private. Uncovering and collating personal information
from numerous inadvertent events, may reveal things about individuals
that they did not intend on isolated occasions to reveal (and
it may give rise to unwarranted suppositions about the meaning
of those events). An example might be collecting one's entire
Google search history.
Irrevocability of information transfer
32. Peter Bazalgette, the UK producer of
"Big Brother" recently made the interesting observation
that people may be willing to give out information about themselves
at one stage of life, but regret it later.7 This is not a large
problem in the human worldthe number of people who can
learn something directly is limited. But the same information
in a permanent searchable form can haunt us for ever.
33. If Bazalgette's example of Facebook
sites seems too trivial, consider the Department of Health's National
Programme for IT. There patients are expected to give permission8
once only and irrevocably for their medical recordsor their
children's medical recordsto be uploaded to the "NHS
Spine" system, regardless that they cannot possibly forsee,
or grasp the social and emotional consequences of future medical
events in their life. Someone at 40 may wish to withhold records
containing past incident of mental illness or sexually transmitted
disease from general circulation; how can the same person at 16
make the same decision beforehand?
34. Not only is consent in many cases illusory,
but consent to information sharing once given can lead to total
loss of control for the subject. It is commonplace for forms for
public purposes to waive data protection in effect, while being
in practice impossible to decline to fill in. Most committee members
will have an example to hand in the "security" forms
for attendees at party conferences, where the extensive personal
data provided is typically not limited to use for the event, but
may be used for any police purpose.
35. Though we are accustomed to refer to
it, there is no clear legal conception of nor direct protection
of privacy per se in this country.9 The US courts have,
controversially, managed to interpolate a substantive right of
privacy10 into a Constitution that has none explicitly. This can
be explained by noting that until recently no means were available
to monitor and record people's activities at a distance or without
permission on their own premises. At common law privacy was assured
so naturally as a consequence of property rights that no-one thought
to separate the two.
36. We note that what is often referred
to as a "privacy" provision in the human rights convention
received into our constitution in the Human Rights Act 1998, Article
8, the "right to respect for private and family life"
(1) is not really a privacy provision since it accords a rather
vague respect, not privacy itself, and (2) is subject to broad
exceptions open to the state to adduce.
37. There is a case for creating freestanding
privacy rights that cannot be readily abridged by the state without
38. The nearest we have to privacy law in
Britain is arguably the law of confidence. There are problems
with this, however. It is increasingly identified with the protection
of commercial interests,11 and it needs to be vigorously pursued
because once information is public knowledge it can no longer
be protected. Enforcement is also a problem; it requires that
the leak be traced back to source, so that breach of confidence
can be established, and the main means of enforcement is risky
and expensive injunction.
39. In our view the Data Protection Act
1998 is utterly inadequate to the purpose of protecting individual
privacy and liberty against the surveillance. Most obviously Part
IV of the Act provides effective exemption for government use
of data for many purposes, and can readily be extended. Further
it relies on compliance with regulation and guidance not prevention
or individual remedy. The Office of the Information Commissioner
relies on state funding, and already has great difficulty coping
with the amount of work placed before it.
Presumption of guilt
40. Where one is required to demonstrate
a legitimate status in order to perform civil functions12 then
that imports a presumption that anyone who does not do so willingly
is a suspect. The Home Office itself suggested as much in its
"Benefits" paper for the ID scheme in 2005.13 Once there
are records to be disclosed they are subject to interpretation,
which also may import presumptions, particularly in conditions
designed to encourage suspicion. One clear example is of the existence
of a record on the national DNA database, which implies prior
arrest, which may be prejudicial in investigations.
41. The idea of continuous self-exculpation
is aligned with the pragmatic consequence of surveillance mechanisms.
The records must be complete. Therefore they must be kept up to
date. Therefore the citizen acquires new and onerous obligations
backed by penalties for non-compliance, to report on himself.
Abolition of rehabilitation
42. It may not be an articulated constitutional
principle that an offender who has been punished is normally entitled
to regard his debt as paid, but it is implicit in custom that
people may escape their past. It has been persuasively argued
by Simon Cole14 that the idea of identity first came into use
in criminal justice not for detection purposes, but because of
the fear of recidivism. Where a convictionor a mere social
embarrassmentis permanently on record,15 then we are fated
to live in a harsh world.
Information sharing as a search power
43. As noted above (29), the identification
of a specific act or transaction with a specific person is a disclosure
about them beyond that strictly necessary and needs a reason.
It is analogous to a police power of search. Currently police
do not have the power to require information of people as to their
identity or movements without suspecting them of an offenceand
the recent suggestion that they might is highly controversial.
Yet a data-sharing power granted to a public body doing precisely
the same thingidentifying a person and his transactionsis
so common that it is scarcely noticed. Because it is a power more
easily exercised, ought we not be more concerned, however?
Data matching = general search
44. Matching or mining data is correspondingly
more serious for privacy, as suggested in 30 and 31. If it is
directed against an individual it is analogous to a police search.
If it is used to draw conclusions from data-sets about groups,
or to look for new patterns, then the only physical-world analogy
is Writ of Assistance, which was sufficiently repugnant to liberty
be outlawed by the US Bill of Rights, and survives here only as
an unusual power of Customs Officers. Yet this is available ad
hoc to the authorities under several pieces of legislation
and the Serious Crime Bill, schedule 7 would create a general
power in relation to the very broad category of fraud.
Repeal of Identity Cards Act 2006
45. The Identity Cards Act is designed around
a conception of nationalising personal identity. It must be repealed.
If identity cards themselves are justified (which we deny), then
a system without a centralised register is entirely possible16
and would not subordinate the individual to the state in quite
the same way, but this would require new legislation.
46. The "Transformational government"
strategy, as currently conceived, is a direct threat to the rule
of law and should be abandoned. This does not mean abandoning
the use of technology for improving the efficiency of government
activity; it means systems should be constrained to well-defined
purposes.17 We would prefer a compartmentalised government in
which each department of state maintained a separate relationship
with those citizens in its sphere. This is no inhibition to the
coordination of policy, but is protective of individuals.
Recognition of privacy rights
47. In addition consideration should be
given to new personal privacy and informational privity (see below)
laws, giving direct redress through the courts and possibly criminal
penalties for improper surveillance or sharing. The common law
position, where one may use any name provided there is no fraud,
may need to be updated and strengthened to permit anonymity and
pseudonymity to survive.
48. We suggest that there is a missing concept
in relation to the sharing of information, and that it ought to
be analogous to the grant of rights in forms of property, in that
information is received from a particular source for a particular
purpose, and it ought therefore to be the case that the use of
personal information depends on a chain of title. A supplier ought
not to be able to grant greater usage than he has himself has.
Though potentially complicated in detail, this model offers a
coherent way to place control of personal information ultimately
where it belongs: in the hands of the subject.
Government sharing and matching subject to judicial
49. Just like physical searches, we believe
that data-sharing and data-matching or -mining exercises by government
should be permitted only with good reason (such as reasonable
suspicion of an offence) and subject to due authorisation depending
on the reason. Matching and mining in particular are of the nature
of general search warrants and ought to be permitted only on judicial
authority. Fishing expeditions, where there is no evidence of
a crime or other pressing reason, ought to be barred.
Protection of common law standards
50. The common law doctrines of ultra
vires and confidentiality have grown up precisely as protection
for the individual against abuse of power. They should be guarded.
8 June 2007
1 See discussion in Guy Herbert The Biggest
Christmas Tree Garden Court News, Autumn 2005, where it is
argued the Identity Cards Bill confers the power of civic life
and death on the Home Secretary.
2 See, Cabinet Office paper Transformational
Governmentenabled by technology Cm6683, November 2005
3 DCA, September 2006 http://www.foi.gov.uk/sharing/information-sharing.pdf
4 Eg Children Act 2004, s 12.
5 Eg Serious Crime Bill, as brought from the
Lords 2007, cl.66 which modifies the Data Protection Act 1998
to vitiate any relevant protection.
6 See, for example, Bruce Schneier, Secrets
& Lies: digital security in a networked world, Wiley,
7 "Your honour, it's about those Facebook
photos of you at 20"The Observer, 20 May 2007.
8 Which is to say, they are assumed to consent
if they fail to object, though this is now banned in relation
to commercial data-sharing.
9 The beginning of one might be found in the
new "voyeurism" offence under the Sexual Offences Act
2003. The notional common law offence of eavesdropping is often
referred to, but I have been unable to find a case in English
10 Following the US Supreme Court in Griswold
v Connecticut, 1965.
11 "I see no reason why there should not
be an obligation of confidence for the purpose of enabling someone
to be the only source of publication if that is something worth
paying for" Lord Hoffman in the Hello! case (http://www.publications.parliament.uk/pa/ld200607/ldjudgmt/jd070502/obg-5.htm
12 As for example intended by the Identity Cards
Act 2006, see Regulatory Impact Assessment, November 2004 http://www.homeoffice.gov.uk/documents/ria-identity-cards-bill-251104?view=Binary
or pursuant to Criminal Records Bureau disclosures.
13 ID CardsBenefits Overview, p12 http://www.identitycards.gov.uk/downloads/2005-06-27_Identity_
14 Simon A Cole Suspect Identities Harvard
15 As the Criminal Records Bureau enhanced disclosure
16 Eg that described in the LSE Identity Project
Report, June 2005 http://identityproject.lse.ac.uk/identityreport.pdf
17 Which incidentally means they are likely to
work better in practice.