The Home Secretary's announcement of plans to increase the capacity for interception and retention of all forms of electronic communication records has - as one might expect - prompted a wave of articles in which the words "massive database" and "Orwellian" are de rigueur.
Whether or not I end up resorting to those terms, there are at least two things about the announcement which concern me. Both are reported in the BBC article linked to above.
The first is alluded to by Lord Carlile (a QC, Liberal Democrat peer and also the government's independent adviser on terrorist legislation), when he says that "The raw idea of simply handing over all this information to any government, however benign, and sticking it in an electronic warehouse is an awful idea if there are not very strict controls about it." [my italics]
I suspect that what he meant was that it is an awful idea in the "all your eggs in one basket" sense, and that by "strict controls" he meant defences to keep unauthorised users out. However, experience suggests that the greater risk actually arises out of authorised access requests - and that these are much harder to control effectively. I have had more than one conversation with data controllers in large organisations which went something like this:
"Oh, yes... we've had Section 29 requests from the police. Sometimes I just can't believe what they think they can ask for. I've made myself quite unpopular a few times by refusing an inappropriate request and telling them to go away and come back when they can do it properly. Thank goodness the request came to me, and didn't just land on the desk of someone who hadn't had any DPA training - I mean, a junior member of staff probably wouldn't have the nerve to say "no" to the police, and we could have ended up breaking the law".
Section 29 is the part of the Data Protection Act (DPA) which allows a data controller to disclose a third party's data for law enforcement purposes... but it is not a blanket exemption from applying the Act: for instance, it does not give the data controller permission to disclose data in response to a 'fishing' request (that is, a non-specific request such as 'tell me the details of all your employees who live in Middletown').
The same data controllers often then go on to say things like this:
"In the end, I had to go to the police and say 'look, if your people don't use Section 29 properly it just wastes our time and theirs; let's get some proper processes sorted out, so that you've got some trained, nominated people in place who can contact trained, nominated people in our organisation, and then we'll know it's being done right. We may still have to say no occasionally, but you'll know that you're getting a considered response, and we'll know we're only getting qualified, legitimate requests for access'. These days it all works pretty well... but it takes a lot of ongoing effort and training to make sure our people are kept up to speed - and the volume of requests certainly isn't going down."
The picture which emerges is one where technology (authentication, authorisation, access control, etc.) plays an important but only partial role. The larger, more difficult and more expensive part is creating a sustainable culture of awareness, expertise and good practice. In the absence of that, you can throw all the technology you like at the problem and still fail to meet the real objective.
The Home Secretary says she wants to legislate, but only after a period of consultation. The important question is: if that's the message, will she want to hear it?
The second aspect which concerns me is one of the examples she cites to justify this increase in surveillance capability. She says
"If [the way in which we intercept communications and collect communications data] does not [change,] we will lose this vital capability that we currently have and that, to a certain extent, we all take for granted. The capability that enabled us to convict Ian Huntley for the Soham murders..."...
I read that a couple of times and then went searching for anything which explained how communications interception contributed to Ian Huntley's arrest. After all, what that case is perhaps most notorious for is the failure of different law enforcement agencies to make effective use of information which they already had; the Bichard Inquiry was abundantly clear on that principle. Eventually I found mention (on the ever-incisive Spy Blog, here) of three relevant factors:
- Ian Huntley's girlfriend, Maxine Carr, said she was with Huntley in Soham on the evening when his two victims went missing. According to the phone records, her phone was used in Grimsby at the time, thus undermining the credibility of her statement and - by implication - his alibi.
- Phone records were also used to trace the last known mobile phone mast with a connection to the handset of one of the two murdered girls, Jessica Chapman; however, as the Spy Blog post indicates, there appears to be at least five miles' worth of room for doubt about the accuracy of that information as an indicator of exactly where the phone itself was at that time.
- This data was retrieved and used within two weeks of the crime - which raises the question of whether it is proportionate to legislate for such data to be retained for two years.



Robin, you encourage me to have hope by giving examples of people who have the courage to say no to the police. Level-headed people, not people “like chickens running with their heads cut off”. I also (tongue in cheek, a bit) take hope in the bureaucracy that, like the scene in the Indiana Jones movie where the covenant of the arc got placed in the Smithsonian warehouse, the valuable information they might really want and need will be overwhelmed by the sheer volume of everything else. :^)
Posted by Carolyn on October 17, 2008 at 01:50 PM GMT+00:00
Thanks Carolyn. I like your Indiana Jones analogy. The problem with it these days was explained to me by someone who referred back to the older "needle in a haystack" analogy. In principle, he said, finding a needle in a haystack is not that difficult: you just need a simple algorithm for identifying and discarding hay. If you repeat that often enough you will find the needle.
And that's the problem: computers make it comparatively easy to run simple algorithms for identifying and discarding hay - so it gets harder and harder to hide something even in a huge warehouse full of identical crates.
Posted by Robin Wilton on October 17, 2008 at 02:14 PM GMT+00:00