Politics of Privacy Blog

Again: loss of personal data by public officials in the UK

2008-01-18T21:26:00.001Z

Less than two months after the loss of the personal details of 25 million people by the UK's tax authorities (see this blog entry), another substantial loss of personal data has occurred in Britain. As the BBC website writes, a laptop containing personal details of 600.000 people has been stolen from a Royal Navy officer in the Birmingham area.

The data are from people who have expressed an interest in, or joined, the Royal Navy, Marines, or Air Force, and they are the more detailed the further progressed the wish for joining was:

For people who had actually submitted an application, data held on that laptop may include passport details, National Insurance numbers, drivers' licence details, family details, doctors' addresses, National Health Service numbers and bank details.

For people who had merely made a casual enquiry, only a name may have been on the record.

The BBC gives no details as to the relative sizes of these two groups, but mentions that the Ministry of Defense is about to write to 3.500 people whose bank details were on the laptop's database.

Apparently the laptop was stolen from the officer's car which was parked overnight in the Edgbaston area of Birmingham.

One can only hope that hard questions will be asked of those responsible for this failure, questions like the following:

Why was the data on that laptop?

Was there authorisation for the data to leave whatever MoD premises they were originally collected in?

Was the data protected through encryption?

Why, in the light of the sensitivity of the data, did the officer choose to leave the laptop in the car?

Was he authorized to do that?

And: why was he not shackled to the laptop?

In the old days (and in movies) that was how they used to protect valuable things…

Update: The British Secretary of Defense, Des Brown, had to acknowledge before the House of Commons that already in 2005 two laptops had been lost containing personal data of members of the armed forces. He also said that on the present laptop had been the detailed data of only 153.000 people, but admitted that they had not been encrypted. Furthermore he said that in this case MoD security regulations had been breached, but did not go into details.

He also announced — yet another security review! (After each of the data debacles of the last weeks, the Brown government has promised one of those...). You can find a summary of his points and the full text of his statement to the House of Commons here.

Technorati Tags: owl-content, politics, privacy

Jeremy Clarkson and identity theft

2008-01-07T14:05:00.000Z

Well, first of all, a happy new year to my readers! And I am glad to be able to report that page visits to this blog more than doubled in 2007 over 2006, to well over 5000 pageviews. I am very happy about this and will take it as a reminder to update this blog more often than I have recently done (take that with a grain of salt, like all new year's resolutions...).

Another reason to be upbeat is a story reported by the BBC today. It concerns Jeremy Clarkson, a British TV presenter specialising in motor journalism, and in my personal view one of the most unhappy examples of British jingoism-cum-machismo, someone who revels in almost every conceivable sort of public insult, especially against foreigners. Even his employer, the BBC, has described him as "not a man given to considered opinion".

Clarkson has a column in the tabloid The Sun, in which he recently made fun of the concerns about the lost personal details of 25 million British people due to negligence of the British tax authorities some six weeks ago (see this blog entry). Clarkson, alleging that this was all unnecessary fuss about nothing, proceeded to prove his point by publishing his account details (including account number and sort code) as well as instructions about how to find out his address in the newspaper.

"All you'll be able to do with them is put money into my account. Not take it out. Honestly, I've never known such a palaver about nothing," he teased his readers. But not so, as he had to find out: when opening his bank statement recently, he found that someone had used that information to set up a direct debit to a charity which took £500 out of his account.

It is to Clarkson's credit that he published the mishap, and even admitted: "I was wrong and I have been punished for my mistake." And: "Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy."

While losing £500 will not ruin this wealthy man, he had to learn the hard way (and some may be surprised he is capable of even that). But will it turn him into a champion of data protection in the future? Only time will tell...

Technorati Tags: owl-content, privacy

British tax authorities lose personal details of 25 million people

2007-11-20T21:54:00.001Z

A crass case of neglect and breach of data protection legislation has led to the loss of discs containing the names, addresses, dates of birth, bank account details and National Insurance numbers of 25 million people in the United Kingdom, it was revealed today (see reports by the BBC, the Financial Times, the Guardian and The Times).

The data (they are the complete records of all 7.25 million families in the UK with a child under 16 years of age) were on two CD-ROMS which the tax authority (Her Majesty's Revenue & Customs or HMRC for short) shipped on 18 October 2007 with the courier TNT – who operate the HMRC's post system. However, they were neither recorded or registered, and failed to arrive at their destination, the National Accounting Office.

As sending the data in this way constituted a breach of rules (which was repeated a few days later, although this time as a registered parcel which reached its destination), the chairman of HMRC, Paul Gray, has resigned his post. British Chancellor of the Exchequer Alistair Darling told the House of Commons today that there was no evidence "that this data has found its way into the wrong hands". But he also admitted that the millions of families concerned were at risk from fraud and identity theft and advised them "to monitor their accounts and guard against any unusual activity."

It is difficult to understand why the HMRC chose to transfer these data at all in a physical manner rather than transferring them in encrypted format over a secure high-speed data link, as one would expect to be standard in the early 21st century. This is a massive blunder which will bring anxiousness and discomfort (to say the least) to countless British citizens for some time to come.

Regular readers of this blog will recall previous examples of private sector data security breaches (for example, the TJX case, or that of Marriott International, with links to more cases covered in this blog). Today's episode shows that the public sector is similarly careless and incompetent in this respect. For any observer of British e-government and its long record of failures, this will be no surprise.

One probably needs no special prophetic powers to predict that the Labour government's plans for a National Identity Register and for an equally comprehensive electronic health care records system will now again come up for discussion and under increased scrutiny. But so far, one has to say, the British government has not let the rather dismal past record in this field (or reasoned argument) come in the way of its grand plans for the future...

Technorati Tags: owl-content, politics, privacy

Google offers olive branch to privacy activists

2007-09-17T17:44:00.000Z

Google, the data behemoth and "internet superpower" (The Economist) has recently suffered from extensive sympathy withdrawal. Founded by two Stanford graduate students and rising meteorically to utter domination of the internet search market (recent market share: 48 per cent), the company originally managed to present a public face that endeared it to many, summed up in its corporate slogan "don't be evil". This translated nicely into healthy corporate profits: in the first quarter of 2007, Google earned 1 bn. US $ (up 69 per cent on the previous year) on a turnover of 2.53 bn. US $.

But popularity can fade quickly, the company had to learn. Criticisms were mounted about Google's acceptance of the Chinese government's censorship demands, and the unparalleled data collection of the firm triggered sceptical questions as to its goals. These questions became more pressing as Google came bottom in a privacy ranking of internet service companies conducted by Privacy International this summer.

Now Google has decided to reclaim the moral high ground by publicly calling for new international laws to be set up to protect personal information online (see reports by the Financial Times, the BBC, and c't [in German]). At a UNESCO conference on "Internet Ethics", the firm's Global Privacy Counsel Peter Fleischer called for a harmonisation of international privacy standards, noting that the existing situation without global standards left consumers largely unprotected — but that it also harmed economic progress.

Fleischer advocated the adoption of the rules agreed by APEC (Asia-Pacific Economic Cooperation) in 2004. While the head of the EU's "Article 29" working group of data protection commissioners, Germany's Peter Schaar, welcomed Google's initiative, some scepticism is perhaps in place. One of Australia's leading experts on data protection, Graham Greenleaf from the University of New South Wales, expressed great caution at the time the APEC proposals were discussed and passed. And the summary of the standard given on the APEC website looks rather simplistic.

Of course buzz words like "global standards" sound attractive, but ultimately the quality of that standard is decisive. How do they compare against what many so far regard as the "gold standard" in privacy protection, the EU directive of 1995? If someone knows the source of a comparative analysis of the two, I'd be grateful for a hint! Until then, I reserve my judgement on the merit of this initiative.

Technorati Tags: owl-content, politics, privacy

Senior UK judge wants everyone on DNA database for fairness reasons

2007-09-05T17:41:00.000Z

One of the United Kingdom's most senior judges, Lord Justice Sedley, today demanded that every UK resident and every visitor to the country should have their DNA recorded on the national DNA database (see, respectively, the BBC news website, the Guardian, the Daily Mail, and the Daily Telegraph on this).

Sir Stephen Sedley, a senior appeal court judge, described the current system as "indefensible" and argued that to fix it there were only two ways. Reducing the database could lead to serious offenders escaping conviction when they would otherwise have been brought to justice, so this would be "a disaster". Therefore, the only option was to expand the database to cover the whole population and all those who visit the UK. (The population is about 60 mio., and another 33 mio. visit the UK per year [see National Statistics website]).

The UK's national DNA database is already the world’s largest: Two years ago, in 2005, almost 3.5 mio samples were on that database – or 5.2 per cent of the overall population. Next year, the database is planned to cover 4.25 mio samples or 7.5 per cent of the population. (For comparison: The EU average is currently slightly above 1 per cent, and in the United States, the respective figure is 0.5 per cent. The UK, in other words, is literally miles ahead of other, similar countries in this area, holding the data of between 6 and 15 times as many of their citizens as other countries.)

Judge Sedley (who, interestingly, is also President of the British Institute of Human Rights) received a mix of criticism and support for his views. Home Office minister Tony McNulty said on the Today programme that he was "broadly sympathetic" to the judge's views which had "a real logic" to them; Prime Minister Gordon Brown's spokesman, however, denied this morning that there were any plans to introduce a universal database; opposition politicians from the Liberal Democrats and the Conservatives strongly criticised the idea. The Information Commissioner, Richard Thomas, warned that it raised serious issues around the criminal justice system: "if you get the knock on the door saying 'we’ve found your DNA’, you’ve got to start proving your innocence". And Liberty director Shami Chakrabarti called it "a chilling proposal, ripe for indignity, error and abuse".

Technorati Tags: owl-content, privacy, surveillance

Back at the blog — and a job vacancy to fill!

2007-07-04T16:01:00.001Z

This is the first entry to the blog in two months, and first of all I have to apologize for not writing earlier. Lots of interesting things have been happening in the area of privacy, from EU decisions about cooperation and data sharing in law enforcement to Germany debating online-searches of citizens' personal computers to a leading UK police officer expressing fears about the impact of CCTV to the Privacy International ranking of Internet Service Companies to the EU and USA agreeing on a new data sharing deal for flight passenger data.

But closer to home, things have been rather frantic, and that has kept me busy. The two main things were

an international workshop on the subject of "Privacy and Information: Modes of Regulation" that I conducted with my colleague Charles Raab (Edinburgh University) under the auspices of the European Consortium for Political Research in Helsinki. Our call for papers drew an international and interdisciplinary response, and Charles and I were very happy with the papers presented and the discussions that ensued in the week in Helsinki. Another memorable thing is that our stay in Helsinki coincided with the finale of the European Song Contest, which meant that while hotel rooms were at a premium, we were entertained by loud music and the sight of hordes of international fans supporting their home music teams! If you are interested in the papers presented at the workshop, you will eventually be able to find them at the ECPR website's list of workshops. Our workshop is number 26, so you have to scroll all the way down. We hope to produce a publication in a special issue of an academic journal, or in a book from this.

The other big news is that the Economic and Social Research Council (ESRC) has granted me an award for a two year project on research into privacy policy. The project will run for two years and will eventually have its own website to disseminate information. For the time being, there is a small project page on my website that has a brief description of the project (the full title is "Coping with innovation: The regulation of personal information in comparative perspective", and it will compare the United States, the United Kingdom, Germany, and Sweden across three topics of regulatory policy: RFID chips, CCTV cameras, and biometric passports).

But most importantly, I have a postdoc position to fill for that project. The deadline for applications is 6 July, so if you're interested, hurry up! You can find details about the tasks, remuneration etc. via the links at the project page. The job will be based in the Department of Politics and International Relations of Oxford University, one of the leading politics departments in Europe. So, if you know of someone who might fit the bill, please forward this information and encourage them to apply!

Technorati Tags: owl-content, politics, privacy, surveillance

Germany to introduce unique personal identifier — for tax purposes

2007-05-04T21:09:00.000Z

It has been a long time in the making — since 2003, to be precise, when the Tax Bill passed in December of that year created the provisions, but it is only now that the implementation takes place: on 1 July 2007, the German Federal Tax Office (Bundeszentralamt für Steuern) will start building a new database which will have an eleven digit unique identifier (or "tax ID") for every person in the Federal Republic of Germany. The details can be found in § 139b of the Tax Code (Abgabenordnung).

This is the first time that a central register of the whole population will be created, and it will contain the person's number, name, doctoral title (if present — I always knew Germans were nuts about these…), the day and place of birth, the gender, the residential address, and ultimately also the day of death. For these data will only be deleted twenty years after that fateful event. The taxt ID will be created at birth, not only when the person becomes liable for tax.

German data protection officers have been very critical of this — most recently, the Federal Data Protection Officer in his annual report 2005/06 which was presented only two weeks ago (see page 100 of the report which can be downloaded here). But these interventions only limited the use to taxation issues so far — whether any "mission creep" will set in once this wonderful data pool exists, remains to be seen. There have been other cases in which it was tried to extend the purpose ex post, most recently the Autobahn road toll data (see this blog post from November 2005).

What seems remarkable is the complete public disinterest in what is arguably a more serious and concrete threat to every single German citizens' privacy than many other cases which are far more in the public spotlight, especially since it has been announced for more than three years which would have allowed plenty of time to mobilize against it. But then, my experience as a political scientist has always taught me that it is foolish to assume a linear relationship between facts and public perception... Or is it just that activists don't read the tax code?

Technorati Tags: owl-content, politics, privacy

House of Commons and House of Lords launch inquiries into the "surveillance society"

2007-05-02T21:36:00.001Z

The subject of privacy and surveillance has been moving up the United Kingdom's political agenda since last autumn, as I have argued in this blog on various occasions (see here, here, here and here). Now, it seems, the debate has reached the Houses of Parliament, after various reports and many newspaper stories (as well as some recent accidents) have drawn substantial attention to it.

Both the House of Commons and the House of Lords have recently launched inquiries into questions of surveillance and data collection. The House of Commons does it under the auspices of its Select Committee on Home Affairs, and its inquiry will be concerned with the question "A Surveillance Society?" The inquiry (the oral evidence phase of which started yesterday, 1 May, with evidence being given by the Information Commissioner) will

"focus on Home Office responsibilities such as identity cards, the National DNA Database and CCTV, but where relevant will look also at other departments’ responsibilities in this area, for instance the implications of databases being developed by the Department of Health and the DfES for use in the fight against crime."

The Lords inquiry "to investigate the impact of surveillance and data collection" takes place through the Constitution Committee and will focus

"on the constitutional implications of the collection and use of surveillance and other personal data by the State and (insofar as they can be used by the State) private companies, particularly with regard to the impact on the relationship between citizen and state."

A "call for evidence" has been issued, and anybody who has something to offer can write to the House of Lords by Friday, 8 June 2007. Twelve Lords will conduct the inquiry, and my colleague Charles Raab from the University of Edinburgh has been appointed as Specialist Adviser for the duration of the inquiry.

The transparency of the procedures and the breadth of (especially the Lords') inquiry is certainly laudable, and it will be very interesting to observe the deliberations of the committees and read (and compare!) their respective results.

Technorati Tags: owl-content, politics, privacy, surveillance

UK health agency erroneously publishes doctors' personal details online

2007-04-27T09:58:00.001Z

The body responsible for recruitment into Britain's National Health Service, the NHS Medical Training Application Service or MTAS, has mistakenly published the confidential personal details of junior doctors on its website.

The breach of security was revealed by Channel 4, who report on their website: "This is astonishing. Not only can we see what they wrote in their applications; their addresses; their phone numbers; who their referees are. We can also see if there were white, heterosexual, gay Asian, Christian, Jewish or Hindu, and we can also see if they have got police records and what the crime was."

The incident was widely reported in the UK (see websites of the BBC here and here, as well as the Guardian and the Times), and it is likely to add further to the troubles of a government keen to convince its citizens that both the planned ID card and patients' medical records databases will be safe.

For anyone interested in the political science perspective on the issue of why the UK government has so much trouble with IT systems, I recommend my colleague Helen Margetts' work, and especially her new co-authored book on "Digital Era Governance".

Update: Channel 4 reports that there was a further security problem with doctors' personal data. As of writing this, the MTAS website is still offline "due to planned essential maintenance work"...

Technorati Tags: owl-content, politics, privacy

Massive theft of credit card data at TJX in US and UK

2007-03-29T19:43:00.001Z

As the Boston Globe reports in its online edition today, retail firm TJX Companies, Inc. has been the subject of a hacker attack that has resulted in the biggest theft of credit and debit card numbers ever.

TJX operates around 2500 stores and owns T.J. Maxx, Marshall's and A.J. Wright in the United States as well as Winners in Canada and T.K. Maxx in the UK and Ireland.

As the firm disclosed in a regulatory filing to the SEC yesterday, the hacker(s) had been active since 2005 in its system. It was only in December 2006 that the intrusion was detected and stopped. TJX estimates that at least 45.7 mio. credit and debit card numbers were compromised in computer systems at its headquarters in Framingham, Mass. and Watford (UK). An apologetic letter from the company's CEO on its website dates from February 21 and gives information on contact numbers and recommended steps for customers. It als says that it is sending letters to the estimated 455,000 customers whose driver's license numbers, state identification numbers, or military identification numbers and names and addresses were believed to have been stolen.

Technorati Tags: owl-content, privacy

Further evidence of privacy and surveillance debate moving up the agenda in the UK

2007-03-28T11:11:00.000Z

The British Royal Academy of Engineering (self description: "we bring together the country’s most eminent engineers from all disciplines to promote excellence in the science, art and practice of engineering") has just published an extensive report on "Dilemmas of Privacy and Surveillance" (available as a pdf file here).

The 64 page report, drawn up by 12 strong working group over the course of the last year (which included my colleague Bill Dutton from the Oxford Internet Institute), puts the focus on the ambiguities of the technological developments rather than predicting either Utopia or Dystopia. But rather than having to choose between liberty and security, the report argues "that, with the right engineering solutions, we can have both increased privacy and more security." And, of course: "Engineers have a key role in achieving the right balance." Who would have thought that, coming from this source ;-)

But more seriously again, the report gives a serious and balanced discussion, and lots of information on topics such as CCTV, loyalty cards, mobile phones, but also technology to protect privacy. Concluding with 10 recommendations (which include a call for increased powers for the Information Commissioner and for technology to be designed with privacy protection in mind), it is well placed to inform public debate on the topic in the UK.

As I argued previously in this blog (see here and here), we can see a broadening of the political and societal debate around privacy and surveillance in the United Kingdom in the last months, and this report is further evidence of it.

Technorati Tags: owl-content, privacy, surveillance

UK reveals record number of telephone, email, and post monitoring

2007-02-20T16:31:00.000Z

The United Kingdom is checking on its citizens' telephone conversations, email exchanges, and posted letters like never before (and — as far as I know — like no other country democracy). A report in todays The Times reveals that 439,000 requests were made by secret agencies and other authorised bodies to monitor people’s telephone calls, e-mails and post in a 15-month period from 2005 to 2006.

The newspaper article draws on the report of the "Interceptions of Communications Commissioner" — a somewhat Orwellian sounding title for an office about which I had never heard before and for which a quick google throws up nothing except two references in debates at the House of Lords many years ago. More detailed investigation, however, reveals that the person in question is Sir Swinton Thomas, a former High Court Judge, who has been said Commissioner since April 2000, and that his office is created by Section 57(1) of the Regulation of Investigatory Powers Act 2000.

The report (apparently his first in seven years in office) covers no less than 795 bodies that are empowered to seek out communications data. Besides the usual suspects such as MI5, MI6 and GCHQ, the signals intelligence centre in Cheltenham, they also include 52 police forces, 475 local authorities and 108 other organisations such as the Serious Fraud Office and the Financial Services Authority. The report also reveals that 4,000 errors were reported, of which 67 were mistakes concerning direct interception of communications. Sir Swinton Thomas is quoted by The Times as describing that figure as “unacceptably high”.

This is where I disagree. I think that 67 mistakes in 439,000 is as good a ratio as you can get — some 0.016 per cent. It is not 67 that is unacceptably high; it is 439,000!

Update: The present Interception of Communications Commissioner is Sir Paul Kennedy, who was appointed in 2006 for three years, writes Spyblog (see also here). So it was his predecessor who wrote the report and not the present Commissioner; I am sure there is a reason for this, even if I can't think of one right now…

Further Update: Spyblog points out that the date of the report (available here) is 19 December 2006 and speculates that the original report may have been toned down which would account for its delayed publication. The letter accompanying the report also makes clear that this is the 6th Annual Report, although The Times in the article referenced above calls it "the first report of its kind". As I have not had a chance to go hunting for the other reports, I cannot solve the contradiction between these two claims.

Technorati Tags: owl-content, politics, privacy, surveillance

Tories warn industry that their government will scrap ID card project

2007-02-06T23:10:00.000Z

The British Conservative Party has issued a warning to companies intending to tender for work in the multibillion Pound ID card scheme that a future Tory government would "immediately" cancel the project.

As the Financial Times reports today, shadow home secretary David Davis also wrote to the government asking for that position to be taken into account when entering into contracts. (See here for the official announcement on the party's website.)

This is an interesting move. On the one hand, it increases the party politicisation of the privacy issue that I have speculated about in this blog in the past (see here and here). This is all the more so since the Tories are presently launching a web- and print-based campaign against ID cards. The main arguments put forward are that ID cards "won't work", "are a waste of money", and "an invasion of privacy". The campaign also includes an online petition to the Prime Minister "to scrap the proposed introduction of ID cards". (As of 6 February 2007, 16,143 signatures have been added).

On the other hand (and speaking as a political scientist), it is an interesting procedure for a weak opposition to try to exert influence on an all-powerful government. While most experts would at the moment probably think a hung parliament more likely than an outright Conservative majority in a future UK general election, it must hearten the Tories see firm announcements of what they will do once they return to power — whenever that may be…

Technorati Tags: owl-content, politics, privacy

German Federal Court of Justice bans state hacker attacks on computers

2007-02-06T22:35:00.000Z

The German Federal Court of Justice — the highest appelate court in the country for civil and criminal cases — yesterday banned the online search of home and business computers of suspects by state agencies through specialised computer programs such as trojans, spyware, or specially programmed computer viruses.

The case before the Court concerned Germany's Federal Prosecutor who is investigating a terrorist suspect and had applied for permission to smuggle a specially designed program onto the suspects PC or laptop. The program would then search the computer and copy data to the prosecturing authorities. The Court ruled that such a procedure would substantially infringe a person's fundamental rights and had no basis in law. The thrust of the Court's decision is against the covert character of the search: while it can be unannounced, it cannot be secret. (The decision — in German, of course — is available online.)

The decision has triggered an intense political row. Germany's Interior Minister, Wolfgang Schäuble (CDU), immediately announced that he would table a bill that would create a legal basis for such covert online searches. In his view, such an instrument is indispensable in the fight against global terrorism that is using online media, and the head of Germany's Federal Criminal Police Office agrees, arguing that "99.9 per cent of the population in Germany would not be affected by this".

Schäuble's colleague, the Justice Minister Brigitte Zypries (SPD) was more cautious, calling for a measured approach in line with constitutional requirements. Since computers were used for many private things that authorities would then have access to, too, privacy rights might be violated substantially.

The opposition parties Greens and Left Party welcomed the Court's decision, while the Liberals stance was ambiguous: on the federal level (where they are in opposition), politicians like Jörg van Essen embraced the decision, stating that the Court had strengthened citizens' rights. Yet the state of North-Rhine Westfalia passed a bill only in December 2006 that allows covert online searches of computers. The minister in charge there is Ingo Wolf (FDP) who argued that this represents a "quantum leap".

If this is pursued further by politicians, it will be an interesting case to follow. The fight against terrorism has been used in the past couple of years in Germany to bring in substantial new powers for state agencies and prosecutors and curtail civil rights. Under the Schröder government, the Social Democrats were the driving force (with largely tacit acceptance by their small coalition partner The Greens), while the CDU's opposition waned and FDP opposition to infringement on civil rights grew. Now, the two parties which favour a "strong state" approach in law enforcement, the CDU and the SPD, are united in a Grand Coalition.

If you had to bet money, which do you think will succeed?

Technorati Tags: owl-content, politics, privacy

Germany's National Ethics Council publishes opinion on privacy and health information

2007-02-03T09:56:00.000Z

Germany's National Ethics Council has published an opinion setting out guidelines about privacy rights and health information, warning against private health insurance companies demanding ever more detailed diagnostics from new customers.

The 55 page opinion (English language version probably soon available here) argues that private health insurance companies' desire to know ever more about their customers' current state of health before offering them protection has to be balanced against the individual's privacy rights. While the Council acknowledges that insurance companies have a legitimate interest to know about the risks they are taking on, it argues that individuals also have rights that must be protected. It is especially (but not only) modern genetic diagnostics that makes prediction of an individual's future health trajectory possible. While this information can be used to engage in preventative measures, it can also be used to exclude individuals from health insurance.

The Council thus argues that the amount of information requested must be proportional to the protection offered — for very high levels of insurance, higher information requirements are acceptable. Problems arise, however, if individuals seeking normal levels of protection are subjected to tests that may lead to information the individual would prefer not to have — such as knowledge about an incurable disease that will afflict them in the future. Individuals, the Council argues, also have a right to ignorance that must be taken into account. The Council links this to the "right to informational self-determination" established by the German Constitutional Court and consequently advocates restrictions on insurance companies' information requirements.

Social science analysis of insurance has always pointed out problems of information asymmetry and adverse selection. The Council's opinion (which has only consultative force) highlights the fact that these issues must be revisited and given special attention in the light of new diagnostic methods and information technology, and that individual rights must be carefully balanced against corporate (and state!) interests of cost reduction.

Technorati Tags: owl-content, privacy, politics

Support for civil liberties declines in the UK

2007-01-24T20:22:00.000Z

Britons tend to think of themselves as the natural supporters of civil liberties, but as empirical research published today shows, support for them is waning in the face of terrorist threats.

The British Social Attitudes Survey, an annual survey that has been conducted for almost 25 years, shows that majorities of 70 to 80 per cent now see compulsory identity cards, longer police detention of terror suspects without charge and the phone tapping and tagging of terrorist suspects as a price worth paying for security, as the Financial Times writes today.

However, while, as one of the study's authors, Prof Gearty of the LSE, says, the "very mention of counter-terrorism makes people more willing to contemplate giving up their freedoms", it is worth noting that support for civil liberties has been eroding long before the present terrorist outrages on 9/11, 2001 in New York and 7/7, 2005 in London. To a considerable extent, this seems due to society forgetting just why civil liberties were considered important in the past. In Prof Gearty's words: People "know they should care" about civil liberties, "but cannot for the life of them articulate why".

Another interesting aspect of the survey (and linking nicely to the previous blog post mentioning an increasing party-politicisation of privacy issues) is that it is mostly Labour Party supporters' views that have changed on key issues such as police detention and identity cards, while Tory supporters are turning more to libertarian views.

Technorati Tags: owl-content, privacy

Britain: the privacy and surveillance debate broadens

2007-01-21T23:27:00.000Z

First of all, a happy new year to all my readers! And apologies if this blog is currently being updated less often than in the past. Overload at work is one reason — the other is more positive and described in the first post of 2 November :-) Also, I am happy to report that page visits in 2006 were up about a third over those of the year before.

Perhaps this really is a sign for an increased interest in the topic of privacy by the general public. In line with the last post about the increasing discussion in Britain about privacy and surveillance, the magazine The Economist diagnoses in this week's issue that "the public wakes up to the surveillance society". In an article the magazine (known for its sober, no-nonsense and fact based reasoning) writes about

"development of extensive government and commercial databases—less visible, and so less noticeable—that is truly worrying. Britain leads the world here, too. Its police-run DNA database is the biggest anywhere; the government has plans to track and monitor all 11.7m children in the country; and a scheme for a £5.4 billion system of national-identity cards is under way."

Another interesting development is that the topic is slowly becoming party-politicized. The Tories under David Cameron have begun to pick up the popular discontent about privacy infringement, and are attacking the Labour government that is "eroding the privacy of law-abiding citizens", as Shadow Constitutional Affairs Secretary Oliver Heald put it last November in a reaction to the Information Commissioner's report mentioned in the last blog post:

"From plans for a national ID cards database, to chips in wheelie bins to check your rubbish, to council tax inspectors knocking on your door, its clear that under Labour the liberties and privacy of honest law-abiding citizens are being eroded."

On the more recent story mentioned above by The Economist about linking government databases together, Mr Heald warned

"that examples of 'Big Brother' intrusion included the detailed property database of every home being built by Gordon Brown's Valuation Office Agency in advance of council tax revaluation; Government plans for compulsory ID cards involving a series of databases; the Department for Education & Skills £224 million database of every child; the fitting of microchips in household dustbins in preparation for the introduction of new bin taxes; and the connection of local traffic cameras and CCTV to create a nationwide, real-time database to monitor every number plate in Britain."

David Cameron himself used a speech to the International Institute for Strategic Studies to warn of the dangers that the introduction of ID cards with their accompanying data infrastructure would pose to citizens privacy rights, particularly given the past record of failures in mega-sized government IT projects in the UK. (The speech is available here and here).

Given the Tories long-standing reputation for somewhat heavy-handed law-and-order policies, this may surprise some readers. But on the one hand Cameron is keen to demonstrate that the Tories have changed under his leadership; on the other hand this reflects to some degree the logic of Britain's two party system — once the other party has stolen your policies, you have to move towards their vacated position. Labour did the same in the past, for example, when they suddenly turned pro-European after Mrs Thatcher had abandoned her party's traditional position and turned against European integration in the late 1980s…

Technorati Tags: owl-content, privacy

Britain starts discussing privacy and surveillance

2006-11-02T15:42:00.000Z

The UK is one of the countries with the greatest amount of surveillance taking place and consequently faces threats to its citizens' privacy. This is the gist of a report that the Office of the Information Commissioner has published today, on the occasion of hosting the 28th International Data Protection and Privacy Commissioners’ Conference in London.

The 102 page "Report on the Surveillance Society" has been written with the help of leading academics in the field, and it is supplemented by expert reports focusing in detail on specific areas such as Citizenship and Identity, Consumption and Profiling, Crime and Justice, Public Services, and Workplace Surveillance. Both reports can be downloaded from the Information Commissioner's website.

The report has created quite a bit of public attention, with the BBC reporting at length on it and the underlying topics and developments (see here), and the Daily Telegraph devoting more than two whole pages to it under the headline "Britain: the most spied nation in the world". The paper's leader links the developments to government action and thus politicises it:

"History will record that the most baleful legacy of New Labour is […] the way in which it has destroyed our privacy. We are the most spied-upon society in Europe, with more CCTV cameras than the rest of the EU combined. In the international rankings calculated by the human rights organisation Privacy International we are near the bottom of the table, marginally above Russia and China but below the Philippines and Thailand."

The article ends by calling upon Conservative Party leader David Cameron to "lead a full-throated and sustained attack on New Labour's surveillance society".

The report and its debate comes only a day after the Nuffield Council on Bioethics launched a public consultation exercise to draw the British public's attention to the fact that the National DNA Database currently holds more than 3.5 mio samples, and that 40000 citizens are added each month to the database. This makes the NDNAD by far the largest DNA database in the world. Since DNA contains a lot of information about each individual (which also means that comparing it to a fingerprint, while often done for convenience, is factually wrong), serious ethical, social and political questions are being raised by this. The consultation paper can be found online here, and comments are invited until 30 January 2007.

On the same day, the Guardian's headline read "Warning over privacy of 50m patient files", discussing the giant £12 bn NHS IT project that will make all patient health information centrally available — with access for law enforcement and security services, and without the right for the individual to withhold that information.

Might it be that we are presently witnessing the start of a comprehensive debate about the politics of privacy in the United Kingdom?

Technorati Tags: owl-content, privacy

Back at the blog

2006-11-02T15:05:00.000Z

Hi — just to say that I am back blogging on privacy issues again. The Busch household has had a new member four weeks ago in the shape of little Benedict, and the start of the new academic year has demanded my attention. Apologies for not adding anything for two months!

And thanks to all my readers — the blog has see the number of its readers steadily increase over its lifetime, and page hits are up around 30 to 50 per cent over a year ago. About 46 per cent come from Europe, 44 per cent from North America, 4.5 per cent from Asia, and 2.2 per cent from Australia.

Technorati Tags: owl-content, privacy

Academic workshop on privacy at ECPR in Helsinki, May 2007

2006-08-31T16:42:00.000Z

My ongoing academic interest in questions of the politics and governance of privacy has led me to team up with my colleague Charles Raab of Edinburgh University, one of the leading experts on the subject. Together we have developed the program for a workshop to be held at the next annual meeting of the European Consortium for Political Research (the European level political science association which, however, accepts departments from around the world for membership).

Charles was a pioneer in directing a workshop on the topic at ECPR some 25 years ago, so for him it is a coming back. Next year, our workshop will focus on "Privacy and Information: Modes of Regulation". We are interested in how recent technological developments — that increased personal data massively and made them cheaply storable and transferable — have challenged and altered the political regulation of privacy around the world. Issues such as biometrical passports, the establishment of DNA databases, the use of CCTV cameras in public space, and the use of RFID chips have spawned political debates in many countries as well as theoretical reflection.

We hope to attract good proposals from colleagues around the world who work on the issues of privacy and information policy from either a theoretical or empirical perspective, and we look forward to meeting with them and discussing their and our work in May next year.

You can find the leaflet with the detailed information and workshop abstracts here. If you are interested and have questions, feel free to contact me!

Technorati Tags: owl-content, privacy

Legal expertise: surrender of SWIFT financial data violated German and European data protection laws

2006-08-25T16:35:00.000Z

After 9/11, the U.S. administration obtained massive amounts of data about financial transactions worldwide from a Belgian cooperative named SWIFT for the purpose of tracking terrorist financial flows (see a previous blog entry). Now a German data protection agency has published a legal opinion arguing that the surrender of the data to American authorities violated both German and European level data protection laws.

The agency in question is the "Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein" or ULD, an independent data protection agency in one of Germany's 16 federal states, operating under public law and acting as a promoter, protector, and auditor of data protection standards. It has long been at the forefront of the public debate on data protection issues in Germany (see its website here, in German language).

ULD argues that SWIFT (the Society for Worldwide Interbank Financial Telecommunication) acts as subcontractor to German (and other) banks who are therefore obliged to force SWIFT not to pass its data on to unauthorized others. Specifically, data concerning intra-European financial transactions must not be mirrored to SWIFT branches in the United States. ULD has asked German banks to report by the end of September about measures they have undertaken to fulfill their obligations.

The expert opinion can be found here (in German language).

In European business papers, concerns had been expressed that the data transmitted to the United States might be used for purposes of industrial espionage (see the German daily Handelsblatt report on 11 July 2006 here and the Austrian daily Die Presse on the same day here). The European Parliament on 6 July 2006 passed a resolution warning against such misuse of the data and strongly criticizing the U.S. action (see also here).

Technorati Tags: owl-content, privacy

If you're looking for a contract killer, use Google, not AOL…

2006-08-08T09:34:00.000Z

…seems to be the lesson of the latest hiccup concerning data privacy on a big scale. What has happened?

As is widely reported (see the stories in the New York Times, on slashdot, or CNET), AOL released the search data of 658000 users on the internet — 20 mio searches done in the March to May 2006 period, or 0.3 per cent of all searches, overall 2 Gigabyte of data. While AOL user names have not been included, users have a unique identifier which makes it possible to identify the searches submitted by the same user. And since many people submit search terms that gives clues to their identity (so-called "vanity searches", e.g. for their own name, firm, or city), it may be possible to identify some of them.

This may be highly embarrassing, because many people are submitting searches for such unsavoury things as drugs, child porn, or a contract killer for their wife. Or they may reveal deep trouble — see some examples here.

Why has AOL published these data? For research purposes, and not for commercial use. Will spammers keep to these terms? You bet... Apparently the company now regards it as a mistake. The data were taken from the web and the spokesman has apologized.

Some interesting background: last August, the US administration subpoenaed AOL, Yahoo and Google for user data. But of the three companies, only Google chose to fight that order in the courts and won, earning lots of reputational brownie points on the way. So, are user's search data safer with Google than with AOL? Only time will tell.

The case, in my view, has the potential to be scandalized -- both by US lawmakers intent on regulating the internet more to fight evil use of it, and by civil rights campaigners who may call for European style data protection legislation regulating private sector use of data. But it could also spark new rows between the European Union and the US about data privacy.

Update: A website through which you can search and analyse the AOL user data has been set up for example here (there are also several others), and The New York Times has the story how they traced one of the users here. How did they find her? She had repeatedly looked for specific places in a small town in Georgia, searched for a name (which turned out to be also hers), and when asked by a reporter who had tracked her down admitted that the searches were hers. “My goodness, it’s my whole personal life,” she said. “I had no idea somebody was looking over my shoulder”, the NYT quotes her as saying.

Technorati Tags: owl-content, privacy

SWIFT affair: European data protection agencies join forces

2006-07-31T08:48:00.000Z

In the affair about US appropriation of detailed data on world financial transactions from SWIFT — the Society for Worldwide Interbank Financial Telecommunication — after 9/11/2001 (see details in this blog entry), European data protection agencies have now decided to join forces. As the German data protection commissioner writes on his website, the so-called Article 29 group have decided to contact their respective banking organisations to find out about the extent and scope of surveillance and data transmission to the United States.

The commissioner (who is also presently the chair of the Article 29 group) points out that customers of all financial institutions have a right to know how their confidential data were being treated, for the processing of their data according to data protection rules is a fundamental right.

As a previous reaction to the SWIFT affair, on 6 July 2006 the European Parliament had adopted a resolution strongly disapproving of "any secret operations on EU territory that affect the privacy of EU citizens" and expressing its deep concern "that such operations should be taking place without the citizens of Europe and their parliamentary representation having been informed". Furthermore, the Parliament urged "the USA and its intelligence and security services to act in a spirit of good cooperation and notify their allies of any security operations they intend to carry out on EU territory".

Technorati Tags: owl-content, privacy

Data security — a bureaucracy's solution

2006-06-29T09:54:00.000Z

Reacting to the recent problems (see here and here) about federal data getting lost, the US Office of Management and Budget (OMB) has now issued guidelines about how to protect sensitive agency information in the future. As the Washington Post reports, civilian agencies will have 45 days to implement the new measures which essentially are encryption of all movable data (on laptops and handheld computers) and keeping detailed records of all information downloaded from databases containing sensitive information.

The guidelines are available as a pdf document here, and they are instructive less for their substance (see above) than for the insight they provide into the workings of a bureaucracy's mindset: One page of instructions is followed by nine (!) pages of a security checklist that includes a flowchart, a checklist and excessively detailed prescriptions about procedures that I can only describe as mind-boggling...

Care for a snippet? Here is one chosen at random:

"Action item 2.3: Revise/develop organizational policy as needed, including steps 3 and 4.

Guidance: Based upon the results from the previous action items, the organizational policy is revised or developed to fully address the questions posed in the previous action items.

Related SP 800-53 controls and associated SP 800-53A assessment procedures:
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
SP 800-53A: AC-1.1, AC-1.2, AC-1.3, AC-1.4 (for high impact add: AC-1.5, AC-1.6, AC-1.7)"

And this goes on page after page after page…

Update: Fiittingly, today it was announced that the stolen laptop with the soldiers' and veterans' data that triggered this all has been recovered (see CNN report here). Apparently there are have been no reports of identity thefts from the data concerned so far. And since much of the blame was initially put on the analyst from whose house the laptop was stolen, it is interesting to note that this employee apparently had approval dating back from 2002 to use the data with specially written software in his home. He now is challenging his dismissal from the Dept. of Veteran Affairs.

Technorati Tags: owl-content, privacy

US administration obtained international financial records in fight against terror

2006-06-23T09:46:00.000Z

The Bush administration obtained records about financial transactions from a Belgian cooperative that routes money between international banks in an attempt to fight terrorists, the New York Times writes today in a big story. The Society for Worldwide Interbank Financial Telecommunication or SWIFT is described by the NYT as "the nerve center of the global banking industry" as it passes $6 trillion daily between banks, brokerages and stock exchanges.

After 9/11, the CIA subpoenaed SWIFT and initially obtained their whole database of transactions. After 2003, SWIFT managed to insist on there being SWIFT representatives present when records were analysed and to block searches they considered inappropriate.

While safeguards seem to have been imposed to protect against unwarranted searches of Americans' records, no such protection seems to exist for citizens of other countries. It also seems that American laws restricting government access to private financial records do not apply because SWIFT is considered a messenger service and not a bank or financial institution.

This case links to the Bush administration's other high tech snooping operation that came to light some six weeks ago, namely the NSA building up a giant database of phone calls in America (see the blog entry here). Whether any of these massive data mining operations have yielded valuable information against terrorists that could not have otherwise been obtained we do not know at this point. What we know for certain is that millions and millions of records containing private information have been obtained by government officials, and that the further uses these records will be put to are unknown. Will they get lost, like those of the Army veterans and currently serving personnel?

Update: In the meantime, SWIFT has published a statement on its compliance policy on its website, detailing the process from its point of view and emphasizing that its role was not voluntary. And the NYT reports that Vice-President Cheney has assailed the press for publishing the story, implying that this endangered US national security (a point strongly refuted by the NYT's executive editor). Cheney also described the administration's actions as "good, solid, sound programs" that are "absolutely essential in terms of protecting us against attacks". Privacy advocates like Privacy International's Simon Davies have complained that "our data has been effectively hijacked by the U.S. under cover of secret agreements and entirely undisclosed terms."

Technorati Tags: owl-content, privacy

The European Parliament: a pyrrhic victory on passenger name records?

2006-06-19T18:28:00.000Z

It looks as if the European Parliament's much touted victory in the case of the US-EU agreement on passenger name record (PNR) transmission (see the blog entry from 3 weeks ago here) may turn out to be a pyrrhic one. The reason is that the European Commission has today adopted two initiatives that will renew the agreement, but under a procedure that excludes the European Parliament from the decision making (namely Art. 38 of Title VI of the Treaty on European Union for the Euro-experts among my readers).

Much as data protection aficionados will not like this, it is not a sinister move by the Commission. Rather, as the European Court had declared the legislation invalid under internal market rules, a new way had to be found, and that is now in the "intergovernmental" part of the European Union — the part where governments agree among themselves without participation from the European Parliament.

However, the Court did not pronounce on the compatibility of the PNR agreement with European level data protection legislation. It may thus be that a new attempt will be made to bring the agreement before the Court, disputing its substance. Since the Commission wants to keep the content of the agreement with the US as it stands at the moment, privacy action group lawyers can already sit down and start writing their briefs…

Technorati Tags: owl-content, privacy

US Army data loss also affects active soldiers

2006-06-07T14:16:00.000Z

Two weeks ago it emerged that a laptop and an external hard disk containing the data of some 26 million US veterans had been stolen from the home of an employee in early May 2006. The employee had violated Department of Veteran Affairs rules in taking the data home. (See the blog posting covering that event here and the latest information from the US government here).

Now the US Department of Defense has announced that the hard drive may in addition have contained the data of as many as 1.1 million active-duty servicemembers, 430,000 National Guardsmen, and 645,000 members of the Reserves.

In the meantime, the political battle over legislation concerning the issue of identity theft continues. Interestingly, a bill before Congress (HR 3997) seems to weaken rather than strengthen consumer rights in this field.

Update: As the Washington Post writes, the data stolen cover nearly 80 per cent (!) of the active duty force. Using them would enable the targeting of service members and their families in the U.S. through ZIP codes, or on foreign travels. There is a $ 50,000 reward for information allowing authorities to recover the laptop. And apparently heads have been rolling in the Department of Veteran Affairs, including that of the employee (who had been taking data home for three years) and his boss. A class action suit has been filed, demanding $ 1,000 for each veteran affected. At 26 mio. records, this could become very expensive for the administration if successful!

It is still not known whether the burglars know of the nature of the data in their possession; however, I would assume that not only the law enforcement side is now urgently interested in this hard disk...

Technorati Tags: privacy

Passenger flight data: European court blocks EU data deal with US

2006-05-30T09:54:00.000Z

The European Court of Justice has today anulled the European Council's decision regarding an agreement to provide US authorities with the data of European flight passengers, and the European Commission's decision that this agreement complies with with the European Union's data protection requirements. (More information about the details can be found in the ECJ's press release).

Such an outcome had been expected since the court's Advocate General had recommended the anulment in November of 2005 (see my respective posting on this blog).

Now both aforementioned institutions, the Council and the Commission, are left with the proverbial egg on their faces. This is a victory for the European Parliament which had brought the case before the court, arguing that the Commission was violating the European Union's own data protection legislation.

The full text of the ruling will soon be available here. The BBC, the New York Times, and SPIEGEL Online already have reports on this up.

Since the United States have threatened to withdraw landing rights from any airline not complying with the agreement, it will be interesting to watch further developments in this case. However, the ECJ has ruled that the agreement can stay in effect until 30 September 2006. I would expect intense negotiations to start now between the EU and the US…

Technorati Tags: privacy

German constitutional court declares dragnet searches unconstitutional

2006-05-24T19:54:00.000Z

The German Federal Constitutional Court (FCC) yesterday ruled that dragnet searches through through databases are unconstitutional if there is no concrete danger involved.

After 9/11, authorities in the German state of Northrhine Westphalia had initiated such a search to track down "sleepers" who might become Islamist terrorists. University student databases were used as well as communal registration office data and the central database of foreigners. Criteria used included male gender, age between 18 and 40, present or former enrollment in higher education, Islamic faith, and country of birth. The persons who met these criteria (apparently some 32000) were then investigated further by the local policy forces. No "sleepers" were detected as a result of this exercise. (A German language press release from the FCC is here, an International Herald Tribune summary here, Deutsche Welle English language service has it here).

A Moroccan student (at the time) of Islamic faith complained against having been subjected to this procedure, and took his case all the way to the FCC which eventually ruled in his favour. The Court ruled that the dragnet search had violated the student's "right to informational self-determination", a right the Court had developed from the Basic Law (the German constitution) some twenty five years ago. The Court ruled further that a dragnet search was such an intrusion to the student's fundamental rights that it would only be admissible if there was a concrete danger. While this could in principle also apply to the case of a terrorist threat, more concrete information about the threat was required than had been present in the post-9/11 dragnet searches.

The ruling has met different echoes in German political life. While Bavarian interior minister Beckstein (a law-and-order supporter) called it "a black day in the fight against terrorism", civil rights groups and the liberal press have praised the FCC for upholding civil rights that have been under threat in recent years. The latter also pointed out that dragnet searches like this can lead to hysteria as whole groups of the population are sweepingly suspected of presenting a terrorist danger.

Technorati Tags: owl-content, privacy

If you're a US veteran, your data have been stolen

2006-05-23T17:37:00.000Z

Bad news for some 26 million US veterans: their names, Social Security numbers and birth dates are among the data that were compromised when a laptop with an external drive was stolen in Maryland some three weeks ago. Identity theft on a gigantic scale now is another problem the US armed forces have to worry about.

As the Department of Veteran Affairs announces on its website, an employee took the data home (a violation of the Department's policy), and his home was burglarized. As CNN reports, the loss was kept secret for three weeks in order not to alert the thieves of the content of their booty, fearing that they might then try to sell it to interested parties.

Some 26.5 million veterans and some of their spouses are concerned, apparently every living veteran discharged between 1975 and the present. The Department has set up a major information operation, including a call centre, to provide information. The call centre can handle up to 260000 calls per day, so if everyone calls — well, you can do the maths for yourself.

Law makers have expressed concern about the stolen data. As the New York Times writes, the problem is that the data concerned may enable the thief "to begin trying to open new accounts, secure loans, buy property and otherwise wreak havoc on the victim's credit history."

As regular readers of this blog will know, this is only the latest in a long string of incidents of major data theft, including as victims US firm ChoicePoint, Lexis-Nexis subsidiary Seisint, Bank of America, Retail Ventures subsidiary DSW Shoe Warehouse, the hotel chain Marriott, and the Pentagon.

Technorati Tags: privacy

Does the Bush administration use phone records to track leaks to the media?

2006-05-15T21:38:00.000Z

Maybe this is from the just-because-you're-paranoid-doesn't-mean-they're-not-after-you-Department, but today's entry in ABC News' Chief Investigative Correspondent Brian Ross' blog sounds worrying.

Ross writes that he has been warned in personal conversation by a senior law-enforcement official to "get some new cell phones, quick" because the numbers of their existing ones were being tracked. Given the recently uncovered giant NSA phone call database, the administration would be in a position to establish patterns of calls from journalists to officials, providing material for leak investigators.

And perhaps damaging an important function of the media — scrutinizing the government and holding it publicly to account — on the way. Uncovering problems often relies on the activities of "whistleblowers" — both in the public and in the private sector. It is here that personal privacy interfaces with an important function for society as a whole.

Frank Rich, in an op-ed piece in yesterday's New York Times, draws the parallel with the 1971 publication by his newspaper of the "Pentagon Papers" which uncovered lies by the Johnson administration in the Vietnam war. The Nixon administration tried to stop publication, but failed. Today, Rich writes, the situation is similar with regard to the Iraq war:

"The administration's die-hard defenders are desperate to deflect blame for the fiasco, and, guess what, the traitors once again are The Times and The Post. This time the newspapers committed the crime of exposing warrantless spying on Americans by the National Security Agency (The Times) and the C.I.A.'s secret ''black site'' Eastern European prisons (The Post). Aping the Nixon template, the current White House tried to stop both papers from publishing and when that failed impugned their patriotism."

By the way: reading the comments reacting to Ross' entry makes it quite clear that the above analysis is not shared by everyone, to put it mildly...

Technorati Tags: privacy

NSA builds up massive database of Americans' phone calls

2006-05-11T14:47:00.000Z

In the land of the brave and the free, Big Brother knows who you've called. That is the bottom line of a report published by USA Today.

The National Security Agency, the country's most secretive intelligence agency (it used to be joked that its acronym NSA stood for "No Such Agency") has been collecting phone call records of tens of millions of Americans, apparently since shortly after the 9/11 attacks in 2001. It seems that the NSA has obtained the data directly from the United States' three biggest telephone companies, AT&T, Bell South and Verizon who collectively service more than 200 mio customers. The result is apparently the biggest database in the world.

Remarkably, this giant data collection exercise seems to have taken place purely on a voluntary basis — since no court orders exist which would require the companies to hand over the data. Apparently the NSA's claim that national security was at risk was all that it took for the companies to oblige with the request. Even though a procedure exists to protect American citizens' rights in this area (the FISA court named after the Foreign Intelligence Surveillance Act of 1978, passed after an illegal snooping operation by the NSA had been uncovered), it was not used.

Denver-based phone company Qwest, however, refused to hand over data, after the company's request to obtain FISA authorisation had been turned down by the NSA, who also refused to provide the firm with a letter of authorization from the U.S. attorney general's office.

My personal comment: if I lived in the States, I know which company would get my telephone business. And I am curious whether this story (if it turns out to be completely correct) will cause the public outcry it deserves.

The most serious question this raises, in my opinion, is: What is the point of installing protection mechanisms for civil liberties like FISA if public authorities collude with private companies to bypass them?

Update: Further reports on this can be found (in German) at Spiegel Online and on the BBC Website. The BBC reports that US senators have announced that they would order the phone companies to testify about this. It also points out that the NSA's director when the operation was launched was General Michael Hayden, who this week was nominated to head the CIA. These revelations may endanger his confirmation in the Senate.

Further update: CNN has the story here, and President Bush's remarks concerning it are here. He emphasizes that "the privacy of ordinary Americans is fiercely protected in all our activities. We're not mining or trolling through the personal lives of millions of innocent Americans. Our efforts are focused on links to al Qaeda and their known affiliates."

Yet another update: A poll conducted by the Washington Post and ABC shows that a majority (63%) of US citizens thinks that the NSA's data collection is an acceptable way to investigate terrorism, while only 35% thought it unacceptable. The poll (more details here) also shows that 65% of those interviewed said it was more important to investigate potential terrorist threats "even if it intrudes on privacy."

Technorati Tags: privacy

Pentagon victim of data theft attack

2006-05-03T15:37:00.000Z

The Pentagon, home of US defense, has become the latest victim of a data theft attack. As UK newspaper The Guardian and German IT newsservice heise online report, the health care information of more than 14,000 employees has been compromised. Apparently this includes credit card and social security numbers as well as private addresses, telephone numbers and email addresses.

The Pentagon's own statement (for which you have to dig deep into a website full of optimistic news coverage and a depressingly long line of statements identifying dead soldiers in Iraq) says that individuals affected have been informed by letter that the incident may put them at the risk of identity theft.

Yet again: U.S. firm announces loss of customer data files

2006-01-02T12:48:00.001Z

Before I start with this post, let me wish all my readers a Happy New Year!

Washington D.C. based hotel conglomerate Marriott International, Inc. announced a few days ago that their time-share operations firm Marriott Vacation Club International is missing backup computer tapes of its customers (see the stories in Slashdot and The Washington Post).

The tapes contain credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company. So far it is unclear whether the tapes were stolen or lost. They have been missing since mid-November, but the firm informed the U.S. Secret Service only two weeks ago.

This incident is only the latest in a long string of stories about loss of customer data in U.S. firms in 2005. Previous similar cases covered in this blog include those of ChoicePoint, Lexis-Nexis subsidiary Seisint, Bank of America and Retail Ventures subsidiary DSW Shoe Warehouse. The main problem arising from these cases is that the data may be used for criminal "identity theft".

As a political reaction to this, U.S. Senators Schumer and Nelson have introduced a bill for a Comprehensive Identity Theft Prevention Act which proposes to establish an Office of Identity Theft, to set limits on the sale or transfer of sensitive personal information, and to require data merchants to register with the Office. The bill is currently being considered by the Senate Committee on Commerce, Science, and Transportation.

Mission creep par excellence? Germany considers using road toll data for police purposes

2005-11-28T01:01:00.000Z

Once personal data have been collected, new ideas will emerge about useful things that could be done with them — even if that flies in the face of data protection. This is often alleged by privacy advocates, and once more about to be proven true by authorities in Germany.

When the country installed its admirable (and long delayed) high tech system for automatizing road toll data handling about a year ago, using 300 cameras, GPS positioning and mobile control teams on 12000 kilometers of autobahn for charging or controlling trucks' payments, it was clear that the data thus gained would not be allowed to be used for other purposes. Indeed, a paragraph in the law establishing the system states explicitly:

“These data can only be processed and used for the purpose of monitoring the compliance with the rules laid down in this law. A transfer, use or confiscation of these data is inadmissible.”
(§ 7, 2 of Autobahnmautgesetz [version of 2.12.2004]).

Now, barely a year after the system has come into existence, a death case involving a truck driver on an autobahn truck stop is being used as an excuse to move the goal posts and give policy access to the data collected by the system. As SPIEGEL online and tagesschau report, authorities may be allowed to use the data to fight terrorists (!) and capital criminals. They are following a demand from the Association of German Detectives who claim that cases like the aforementioned one could more easily be solved if existing restrictione on toll data use were being lifted.

Politicians from the opposition Green and Leftist parties have already protested against the plans; but Germany's Federal Data Protection Officer in an interview with national television seemed not to mind very much. Experts, however, have questioned the usability of the system for monitoring traffic in real time as its data processing capability was too restricted for this (see the report in today's Sueddeutsche Zeitung, pp. 1 and 4).

If the rules will be changed to allow police to make use of them, it would indeed be an excellent case of “mission creep” — compare the case of US airline passenger data in this blog.

Passenger flight data: European Court might annul EU / US agreement

2005-11-22T21:08:00.000Z

In the case about the transatlantic transfer of flight passenger name records (PNRs), the European Court may annul the agreement between the European Union and the United States.

The case had been brought before the Court by the European Parliament in June 2004. It argued that the agreement between the European Commission and the United States signed in May 2004 about transferring no less than 34 variables from passenger name records to US authorities, ranging from names and addresses to meal preferences and health information, was violating the European Union's own data protection legislation.

Now the Advocate General has published his opinion on the case, and he recommends that the Court annul the agreement (see his vote in English language). While the opinion of the Advocate General is not binding on the Court, the Court often follows his or her opinion.

UK plans "24x7 vehicle movement database"

2005-11-22T20:30:00.000Z

A strategy document written by Britain's Association of Chief Police Officers (ACPO) and obtained by the Sunday Times (see article online) indicates that the UK will soon have a system in place that makes it possible to monitor the movement of every car on the road around the clock. (See also the article in The Register).

Cameras are to be installed "every 400 yards on motorways, as well as at supermarkets, petrol stations and in town centres". The system will work by combining CCTV cameras with automatic number plate recognition (ANPR) software and linking it to existing databases not only on the police national computer, but also to the DVLA (Driver and Vehicle Licensing Agency) database that carries information about tax and insurance status. It is planned to extend that to a database that lists vehicles without a valid MOT certificate.

Given that details of any vehicle passing a camera will be stored in a database for at least two years — even if the owner has not committed an offence — this will indeed create a mobility profile for every driver in the United Kingdom. It seems noteworthy that the system will largely come about through the linking of existing systems such as speed cameras, ANPR software, and online-accessible databases. However, this demonstrates how through the linking of existing systems a new quality of data can be obtained.

It is further planned that officers investigating crimes will be able to access the information from the new system from computers anywhere in the UK, although they will require clearance from senior managers. How effectively such a system can be used was demonstrated last Friday in the case of the shooting of a woman policy officer in Bradford: within minutes of the incident, a combination of a network of CCTV cameras and ANPR software was used to track the suspected getaway car (see BBC report and the discussion on slashdot).

As a West Yorkshire Police spokeswoman describes it: "When a car is entered on the system it will 'ping' whenever it passes one of our cameras, which makes it a lot easier to track than waiting for a patrol car to spot it." The local police chief described the system upon introduction last May as the "best investigative tool we have had since the introduction of DNA analysis."

UK: Labour government survives ID card rebellion

2005-10-19T07:32:00.000Z

In the long-going affair of national ID card legislation in the United Kingdom (see previous entries here, here, here, and here), the Labour government yesterday managed to get the House of Commons to pass its bill. However, due to a substantial rebellion by its own MPs, it did so with a substantially reduced majority: MPs gave the flagship ID Cards Bill a third reading by 309 votes to 284, a majority of just 25 (the lowest since the general election). See the reports by the BBC and by Spy Blog.

It would seem that no major concessions were won by rebels in the committee stage of the bill, but that Home Secretary Clark responded to worries about the price of ID cards by indicating that they would cost £ 30, which is substantially lower than previous figures that had been given by both the government and its opponents (see the previous entries on this topic).

The bill will now go forward to the House of Lords where resistance will likely be substantial. But since the ID card bill was included in the Labour Party manifesto for the general election in May 2005, it would seem unlikely under the Salisbury Convention that the Upper Chamber would move to block it.

Former U.S. Health Secretary advocates RFID implants in humans

2005-08-06T19:44:00.000Z

Although this may sound like science fiction, it apparently is not: President Bush's former health secretary Tommy Thompson is reportedly advocating that U.S. citizens should have a radio frequency identification (RFID) chip inserted under their skin, Dallas, Texas based website RedNova reports. (See also the discussion at Slashdot.)

According to the report, the RFID capsules would be linked to a computerised database being created by the U.S. Department of Health to store and manage the nation's health records. Thompson, who plans to have a chip implanted himself in the next weeks, believes the capsules could help save thousands of lives every year.

Examples given include paramedics being able to access patients' medical records when they have lost consciousness following an accident, or being able to prevent people with allergies or adverse reactions to certain medicines from being given wrong medication.

The company VeriChip, which produces such chips, is much in favour of the plan, with its spokesman John Procter saying that around 98,000 people die needlessly in the US every year after being given inappropriate treatment because their medical history was not available. He concludes: “In fact, virtually everyone could benefit from having a chip inserted.”

So far, RFID chips have primarily been used for implantation in livestock, but implanting them in humans would mean that there is no need to issue them with ID cards any more. Wouldn't that be a nice solution to a controversial political issue, both in the U.S. and the UK? Sorry if I sound slightly sarcastic…

P.S. In the interest of full disclosure it should be mentioned that Tommy Thompson is now a director of Applied Digital Solutions, the company that makes such chips. Honni soit qui mal y pense.

ID cards back on the agenda in the UK

2005-06-27T10:08:00.000Z

In the United Kingdom, the issue of ID cards is back on the political agenda now. Prior to the general election of May 2005, the previous bill had to be abandoned when parliament was dissolved (see previous blog entry).

Now the government is bringing it back, and tomorrow (28 June) the bill will have its second reading in the House of Commons. This will be very interesting for a number of reasons:

The government will for the first time face a vote on a contentious issue with its now reduced majority of 67 in the House – since both Conservatives and Liberal Democrats have pledged to vote against it, and in the face of an as yet unknown number of Labour MPs who may rebel against it (19 did the last time around).
The UK's largest trade union, Unison, has joined seven other unions such as the Transport and General Workers Union, in opposition to the ID cards scheme. This is important for two reasons: on the one hand, many Labour MPs are union members, and the unions will lobby these MPs to vote against the bill; on the other hand, implementation of the bill may be threatened if key public sector workers may not cooperate (see the report in The Observer).
The London School of Economics and Political Science today published a report assessing the government's plans and finding that the scheme will cost much more than the figure given by the Home Office, which is some £ 6 bn. over ten years. The LSE report (downloadable here) estimates the costs to be more likely in the region of £ 15 bn. Since the main concern in the UK with regard to the ID cards bill has so far been costs and especially how much every citizen would be charged, this may turn out to be a crucial controversy. Accordingly, the government have tried to refute the claims (listen to the Home Office minister Tony McNulty and the LSE's Patrick Dunleavy on the Today program of BBC radio 4).
Since all ID card data will also be entered into a nationwide database, rumours about government plans to sell these data to help pay for the costs of the scheme (see the report in the Independent on Sunday) will not be helpful for the government's plans either.

It should be noted that opposition to the bill so far largely centres on the costs, not least to the individual citizen (for which figures varying between £ 100 and £ 200 are mentioned by the government and its opponents). Civil liberties concerns play a minor role compared to that, at least in public discourse so far.

U.S. Social Security Administration gives FBI access to data post 9/11

2005-06-23T07:36:00.000Z

The Social Security Administration in the United States has relaxed its privacy restrictions and turned over information on thousands of people to the FBI as part of terrorism investigations since the Sept. 11 attacks, newly disclosed records and interviews show (see reports on the New York Times and International Herald Tribune websites).

As documents obtained by the Electronic Privacy Information Center (EPIC) under a freedom-of-information request show (pdf accessible here), Social Security officials authorized a policy allowing the FBI to gain access in some cases to the documents, including earnings and employer information. Normally, Social Security's privacy rules prohibit the agency from disclosing information to law enforcement officials unless the crime involves Social Security or similar government benefit program, or the individual had been indicted or convicted of a violent crime.

Apparently the rules were changed through the exercise of “ad hoc” authority by the agency's commissioner.

As EPIC put it on their website: “The new policy undermines the Privacy Act and permits disclosure of personal information held by a federal agency with little accountability.”

Huge security breach of credit card user data

2005-06-18T12:16:00.000Z

As MasterCard International reported in a press release yesterday, a huge breach of security was detected at a third-party processor of payment card data. According to this, as many as 40 mio credit cards were potentially exposed to fraud, of which about 14 mio are MasterCard branded cards. (See further reports by CNN here and BusinessWeek here). Apparently the data potentially compromised include names of cardholders and banks, and account numbers, but no addresses or Social Security numbers. American Express card holders are also affected, Visa did not yet comment.
The company that processed the data, CardSystems Solutions, Inc., sounded very apologetic in a press release (pdf):

“We understand and fully appreciate the seriousness of the situation. Our customers and their customers are our lifeblood. We are sparing no effort to get to the bottom of this matter. Our goal is to cooperate fully with the FBI to complete the investigation and ensure that we do nothing that might compromise the investigation.”

Apparently the data were compromised through a virus-like computer script that infiltrated the company's network and captured customer data.

This is only the latest incident in a series of similar breaches of data security to take place in financial institutions such as ChoicePoint, Bank of America, LexisNexis, and Retail Ventures. And that are only the ones this blog reported about in the last four months… I will this time not repeat my musings about whether this will trigger legislative reactions. Let's just say: watch this space!

U.S. ID card through the backdoor?

2005-05-11T19:51:00.000Z

As slashdot reports, the U.S. Congress has passed a bill that includes tight rules for state issued driving licenses, effectively turning them into national ID cards.

The $82 bn. “Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Tsunami Relief, 2005” (H.R.1268) includes in H.R.1268.EH, Division B the “Real ID Act of 2005” (you can access the text as summarized by the Congressional Research Service here -- look for “Title II”).

According to the law, driver's licenses have to include a person's full legal name, date of birth, gender, the driver's license or ID card number, a digital photograph, the address of principal residence and the signature (thus effectively creating a national standard for them). Furthermore the driver's license has to be machine readable, and states have to agree to the linking of databases that contain the driver's license data.

Effectively, this means a centralised national database of all people in the U.S. holding driver's licenses. The provisions set down in this law will become effective in three years' time.

The National Governors Association has joined the National Conference of State Legislatures, The Council of State Governments and the American Association of Motor Vehicle Administrators in expressing opposition to this law and threatened legal action to challenge the constitutionality of the law.

TimeWarner “lost” employee data tapes

2005-05-03T18:56:00.000Z

Today's blog entry on the problem of identity theft concerns TimeWarner, the U.S. media giant. As the company reports in a statement backup tapes with data on TimeWarner employees are missing.

These data include, according to a TimeWarner FAQ

“names and U.S. Social Security numbers of: current and former U.S.-based employees of Time Warner and its current and former affiliates (and U.S. citizens working for the company abroad); some of their dependents and beneficiaries; and certain other individuals who have provided services to the company.”

So the news this time -- if one were to adopt a slightly sarcastic attitude -- is that it's not company customers but company employees that are hit. The frequency with which this blog has reported about such incidents in the last months points to this becoming an ever more pressing issue -- even if no malicious intent may have been present this time, but sheer negligence. But that is not certain either: after all the U.S. Secret Service was asked to investigate the matter, no less.

According to German news magazine SPIEGEL no fewer than 600.000 employees of the media giant are affected by this incident. The contractor who handled the backup tapes, Boston MA based Iron Mountain so far has nothing on this incident on its website.

Yet another large scale customer data theft in the U.S.

2005-04-19T13:25:00.000Z

After the cases of ChoicePoint, Seisint and Bank of America, another large scale theft of customer data has surfaced in the United States.

As German IT news service heise reports, the Ohio-based chain Retail Ventures Inc. acknowledged yesterday that customer data had been stolen from its subsidiary DSW Shoe Warehouse. The data include transaction information involving 1.4 million credit cards (used in 108 DSW stores during the period November 2004 to February 2005) and 96.000 checks.

With this accumulation of cases of serious data theft, this has become a significant political issue, and (as noted in the blog entries referenced above) a couple of politicians have promised action to prevent such occurrences in the future. Like in the case of DNA testing and Germany, a “policy window” may open for an attempt at regulation in this area in the United States over the next couple of months...

Stolen U.S. customer data -- news from LexisNexis

2005-04-13T13:42:00.000Z

Relating to the theft of U.S. citizens' profiles at LexisNexis subsidiary Seisint (see blog entry from about a month ago here), there is now additional (and bad news).

As parent company LexisNexis reports in a news release yesterday, no less than 59 incidents have been uncovered in the last two years (which is the time span that had been analysed) where personal data may have been obtained by unauthorized persons. As a consequence the company will notify an additional 280000 individuals about whom information may have been acquired. A month ago, LexisNexis estimated the number of affected individuals to be 30000, only a tenth of the number given today.

As German IT news service Heise reports, Senators Schumer (NY) and Nelson (Fla.) now plan to submit a Comprehensive Identity Theft Prevention Act that will strongly restrict trading with US citizens' personal data and outlaw the sale of Social Security Number related information.

UK ID cards bill probably lost

2005-04-05T15:30:00.000Z

Britain's Prime Minister Tony Blair today called a general election in the UK for 5 May. This means that the UK Parliament will be dissolved next Monday. As a consequence, all bills that have not been passed by then will be lost. As the BBC reports, this will likely include the contested ID cards bill (about which more in this blog here and here).

Against that bill, the House of Lords had serious reservations. As the Earl of Erroll (a cross bencher) put it in the second reading of the bill two weeks ago:

“In conclusion, an ID card is basically an internal passport. It gives the authorities huge power to control our future movements and other things. It will irretrievably alter the balance between the citizen and the state. Millions have died defending our freedoms. Just because we are frightened of some terrorist attacks, we should not throw away those freedoms lightly.”

You can find that quote and the text of the Lords' deliberations here.

German authorities backing down over financial privacy issue

2005-03-22T16:18:00.000Z

In a posting a in November 2004 I had written about a new law -- the somewhat Orwellian sounding “Law for the Advancement of Tax Honesty” -- that would allow German tax authorities, social services and the employment office to find out about citizens' financial accounts -- and how that seemed to contradict Germany's long-standing tradition of being a champion of data protection (you find the original posting here).

As already mentioned in that earlier post, a small German cooperative bank (Volksbank Raesfeld, more information here) brought that topic before the German Constitutional Court. Now that the Court is about to pronounce on the case in the next couple of days, German authorities seem to become more flexible in their interpretation of the law -- perhaps in order to avoid defeat. As Sueddeutsche Zeitung, one of the country's leading newspapers, reports today (no online version available unfortunately), the Federal Finance Ministery has now issued guidelines for the procedures to be used with respect to the law.

Citizens are now to be informed after the query of the account has taken place, and they may even be invited to pass on the information themselves. It is now also planned that citizens will have the right to legal action against the query. Furthermore, any query will have to be authorised by a superior in the authority demanding access to the data, and reasons will have to be given.

None of this was initially planned or can be found in the wording of the law. The interesting question now is whether the Constitutional Court will deem this sufficient to attest that the law does comply with the German constitution.

Update: Today (23 March) the German Constitutional Court announced that it will not declare the law unconstitutional for now but await further developments. An application had been made to grant an interim measure before the law enters into force on 1 April. Interestingly, the Court explicitly referred to the Financial Ministry guidelines mentioned above. Further information can be found on the Constitutional Court website.

More U.S. customer data stolen

2005-03-10T17:21:00.000Z

After the ChoicePoint case, another large scale data theft has been uncovered in the United States.

As Yahoo and slashdot report, approximately 32,000 U.S. citizens' profiles have been stolen from LexisNexis subsidiary Seisint. Apparently, the information accessed includes names, addresses, social security numbers and driver's license information -- but not credit histories, medical records or financial information.

It is likely that this new incidence of (potential) identity theft will increase the propensity of the political system to take counter measures. As reported in a previous entry of this blog, members of the Senate have already reacted to this and plan to hold hearings. Florida Democratic Sen. Bill Nelson has introduced a bill that would impose tougher regulations on the data industry.

The accumulation of problems in this area might create a policy window for tightening regulation -- but that remains speculation at this point.

US bank 'loses' customer details

2005-02-26T15:27:00.000Z

Hot on the heels of the ChoicePoint case (see below), another large-scale problem with customer data being compromised: as the BBC reports, the Bank of America has revealed it has lost computer tapes containing account details of more than one million customers who are US federal employees. Apparently the tapes went missing while being shipped to a back-up data centre.

The interesting things is that several members of the US Senate are among those affected, who could now be vulnerable to identity theft. Details of Vermont Senator Pat Leahy's credit card account are among those missing, the Senator's spokeswoman Tracy Schmaler said.

This will certainly increase the Senate's propensity to hold hearings on this problem…

U.S. Congress to hold hearings in ChoicePoint case

2005-02-25T11:09:00.000Z

As CBS reports, a Senate committee said it will hold hearings on identity theft and information brokers. This follows the revelation that a databank of ChoicePoint (see previous blog entry) with information on millions of people was accessed by criminals.

The report also states that California authorities estimate the number of people affected by the breach is 500,000 rather than the 144,778 ChoicePoint has stated so far.

The fate of one person affected, a retired banker, and described in the report makes instructive reading to find out just what horrible (and long term!) consequences such an event can have. Democrat Senators Dianne Feinstein of California and Charles Schumer of New York are planning to introduce legislation to alter the situation.

ChoicePoint, ID theft and Californian Law

2005-02-19T13:06:00.000Z

The dangers of large scale collections of private citizens' data became evident again today. As CNN and others have reported, U.S. firm ChoicePoint was tricked into disclosing information (names, addresses, Social Security Numbers etc.) about 140,000 people in the United States. ChoicePoint had initially denied that anything untoward had happened to its data, but a Californian law mandates it to disclose the problems it had by being tricked into by criminals who posed as customers. Apparently ChoicePoint was less than careful in ascertaining the identities of their customers. (See also the story on Slashdot here and here which claims that no less than 750 cases of identity theft have resulted from this).

This is ironic since ChoicePoint claims to have in its possession no less than 19 billion public records, including driving records, sex-offender lists and FBI lists of wanted criminals and suspected terrorists. It also maintains personal profiles of nearly every U.S. consumer, which it sells to employers, landlords, marketing companies and about 35 U.S. government agencies.

The Alpharetta, Ga.-based firm notoriously during the 2000 presidential election had given Florida officials a list with the names of 8,000 ex-felons to “scrub” from their list of voters. But it turned out none on the list were guilty of felonies, only misdemeanors.

Update: ChoicePoint's own information on the event is here. It confirms the number given above of so far 750 cases of identity theft. In addition, the webpage also gives a breakdown of cases on a state-by-state basis and the total as 144,778.

Further update: WiredNews reports that a Californian woman has filed the first lawsuit against ChoicePoint for fraud and negligence in this case. Maybe this will help establish some sort of data protection regulation in the private sector that (in an encompassing way) is so far lacking in the U.S. -- especially if this lawsuit is granted class-action status.

Yet another update: The Electronic Privacy Information Center has created a special webpage with information on the ChoicePoint case.

UK ID card bill about to be passed in House of Commons

2005-02-01T16:13:00.000Z

Concerning the aforementioned UK Identity Card Bill, Spy Blog reports that it has finished its House of Commons Committee stage, with virtually no amendments, and it looks as if the Report and Third Reading are provisionally set to be on Thursday 10th February 2005 -- i.e. next week.

Thanks to new “Freedom of Information” legislation that was introduced in the UK, it is now possible to learn more about the goings-on of the bureaucratic-legislative machinery. A request has made clear that there is heavy involvement of consulting firms (who charge an enormous amount of money for their services) in the ID card process, and more than 60 meetings with the business side of ID cards have taken place so far. Interestingly, there is up to now no indication that any meetings have taken place with people or groups who are worried about the privacy and security of the proposed scheme, or who are opposed in principle to some or all aspects of it.

Customer loyalty cards and crime-fighting

2005-01-29T08:11:00.000Z

An interesting example of how data gained through the use of a customer loyalty card can be quite problematic for the individual customer can be found at slashdot today:

“Tukwila, Washington firefighter, Philip Scott Lyons found out the hard way that supermarket loyalty cards come with a huge price. Lyons was arrested last August and charged with attempted arson. Police alleged at the time that Lyons tried to set fire to his own house while his wife and children were inside. According to KOMO-TV and the Seattle Times, a major piece of evidence used against Lyons in his arrest was the record of his supermarket purchases that he made with his Safeway Club Card. Police investigators had discovered that his Club Card was used to buy fire starters of the same type used in the arson attempt. For Lyons, the story did have a happy ending. All charges were dropped against him in January 2005 because another person stepped forward saying he or she set the fire and not Lyons.”

What if the person who really committed the arson had not had the decency to step forward? What if the crime in question had been a murder where the actual murderer might face the death penalty if he or she came forward? The above story demonstrates the problem that “objective” traces such as data from customer records are taken to be sufficient when investigating a crime, and that alternatives may then no longer be pursued.

Update: A similar story, albeit not about crime, where a customer loyalty card was used to the clear disadvantage of the owner, can be found here.

On Murder, DNA Profiling, and Policy Windows

2005-01-19T02:11:00.000Z

A high profile murder case in Germany has led to a growing debate about easing restrictions on DNA profiling.

Last week, flamboyant fashion designer Rudolph Moshammer (his private website is offline at the moment, but you can find some pictures and a German language report here and an English language summary here) was found murdered in his villa in Munich. Moshammer being a major local celebrity, this spawned a big police operation -- and only two days later, a suspect was arrested.

According to police reports at a press conference, the quick identification of the suspect was possible through the use of DNA profiling: DNA found at the crime scene was analysed and a query in the German Federal Bureau of Investigation DNA database threw up a name. The suspect was quickly arrested and confessed to the murder after a night of interrogation.

This quick success has now led to an intense debate about increasing the use of DNA profiling in law enforcement. Politicians from both big German parties (CDU/CSU and SPD) have called for an extension of the use of DNA samples in police identification of suspects, and an easing of the present restrictions on them (see examples here and here, both in German).

A couple of quick observations on this:

It seems a classical case of non sequitur to ask for an extension of DNA profiling when the case at hand has proven that the present state of affairs is sufficient.
Interestingly, this topic divides both the government and opposition political "camps", for both the Green Party (coalition partner of the Social Democrats) and the Liberals (potential coalition partner of the opposition Christian Democrats) oppose such an extension.
John Kingdon (in his classical work on "Agendas, Alternatives, and Public Policies", 2nd ed. 1995) used the notion of a "policy window" which seems useful to understand the present debate. Let me quote: "An open policy window is an opportunity for advocates to push their pet solutions or to push attention to their special problems. Indeed, advocates in and around government keep their proposals and their solutions at hand, waiting for an opportunity to occur." (p. 203)

It would seem that the Moshammer murder is just such an opportunity for those who want to push for more use of DNA profiling in Germany -- politicians of various persuasions and the police. Already the state of Bavaria has announced that it will propose a bill for the more widespread use of DNA profiling in law enforcement in Germany. According to the Minister President "DNA analysis has to become the fingerprint of the 21st century". Let's see how long the policy window stays open and whether this initiative will succeed.

UK Identity Cards Bill blog

2004-12-21T09:35:00.000Z

For the aforementioned UK ID cards bill, a special blog has been set up to disseminate information, facilitate scrutiny of the bill and exchange among its opponents.

As the blog's initiators (from Spy Blog which you can find in the list of links at the right hand side of this blog) write about their motives:

“We have to do this, because our politicians in Parliament seem to be incapable of reading the detail, let alone understanding the implications of the Government's attempts at technological magic fixes to social problems.”

ID cards -- a rethink in the UK?

2004-12-20T09:47:00.000Z

Will the ID card plans of the British government -- that I mentioned in an entry about two weeks ago -- go through after the resignation last week of Home Secretary David Blunkett, or will his successor Charles Clarke have to change or even abolish the bill?

As the BBC writes here, Labour Party backbenchers threaten to rebel against the bill. Clarke has already accused opponents of the bill of “liberal woolly thinking and spreading false fears” (in a piece in today's The Times) and has ruled out pausing the bill. He is though expected to lower the price for the cards for the elderly and those on lower incomes from the initial £85. Time will tell whether this will remain his only concession.

Interestingly, Conservative leader Michael Howard, who promised the government support for the ID cards bill also faces a backbench rebellion from some of his supporters who oppose the government's alleged authoritarianism in this. The Liberal Democrats -- the third major party in the British parliament -- are the only party who are united in opposition to the ID cards bill.

This demonstrates again the interesting politics that characterize privacy issues -- with a split between the more “libertarian” and the more “law enforcement” minded wings in both big parties. It is a topic which does not easily align with the normal party geography -- which is of course what makes it such interesting stuff for a political scientist...

Update: The vote in the House of Commons produced 385 to 93 in favour of giving the bill a second reading -- the rebellion, in short, did not materialize. It seems that only 19 Labour MPs, 10 Conservative MPs and all Lib-Dem MPs voted against it, in addition to about 150 MPs not turning up for the vote. Apparently the Labour government is firmly in control of its backbenchers, which shouldn't be too much of a surprise given the forthcoming election which will probably take place in early May 2005.

Civil Society, the WSIS and RFID chips

2004-12-10T16:06:00.000Z

Back in Oxford for a few days, I attended a seminar at the Oxford Internet Institute today which dealt with the role of civil society in the World Summit on the Information Society (WSIS) -- part of a series of seminars that the OII runs with help from the ESRC. We had a very interesting discussion on the involvement of non-governmental organisations (NGOs) in the preparatory meetings for and the main summit of the WSIS that took place last year in Geneva. (You can find papers and presentations here and there is also a webcast available that tries to provide a summary of the results.)

What stuck in my mind were primarily two things:

On the one hand, how difficult it is to define “civil society” (e.g., are companies a part of it or not? What about single activists?), how unclear the basis for the legitimacy of its involvement is (even among NGOs -- with “established” NGOs challenging “specialist” NGOs about their involvement and the “specialists” conceding that it was always the same people talking to each other at the meetings), how hazy the notion of “democratisation of global governance” is and yet how much effort was put into getting involved by a host of different groups and people -- although severe cases of “post summit fatigue” were also reported and have led to withdrawal by some (which makes you wonder how the learning processes both within participants and between them can have continuity then).

On the other hand (and speaking as a political scientist here) I am impressed how much participation by NGOs has become the norm in international processes in the last decade or so. Compared to the exclusiveness of state diplomacy that used to dominate this sphere literally for centuries, changes here seem quite impressive to me.

Another thing that I found reading the papers (and that relates to the main subject of this blog): at the summit, participants were issued with badges that contained “radio frequency identification” (RFID) chips -- without their knowledge, and without a privacy policy being in place. When researchers questioned summit officials about the use of the chips and how long information would be stored they were given no answers. (See the story in more detail here and here).

Since these chips allow tracking people's movements in real time, two scenarios unfolded in my mind. One was that social scientists could use such information to analyse the interaction in negotiations based on who meets whom, when, and where and thus to learn a lot about the tactical behaviour of negotiation participants in international diplomacy. The other was that this information could of course also be very interesting to one or more of the negotiating parties themselves, allowing them -- through constant surveillance -- a more complete picture of what is going on and perhaps even making preemptive action possible based on that information. All that is needed are RFID readers in all doors that people can pass through in the conference area so that you always know their precise location at any point in time. Advantage host nation, I assume.

This again demonstrates the inherent ambiguity of many technologies that have privacy implications: they have dual use, as it used to be called in weapons technology.

Funny Bavaria

2004-12-08T14:31:00.000Z

Today's entry has nothing to do with the grave issue of privacy and the politics thereof. I just wanted to share a discovery:

The Accounting Office of the state of Bavaria in its annual report 2004 has criticised the waste which comes from using no less than 16 different software systems for personnel administration throughout the state of Bavaria (in addition to -- hear hear! -- index card systems).

This in spite of the fact that since 1980 a unified system has been in development (by the Office of Statistics and Data Processing) which was meant to be used throughout the state. It was meant to be modern and encompassing, catering to all needs and so on. Its name is “Dialogorientiertes Personal- und Stellenverwaltungssystem” (dialogue-oriented personnel and job administration system) -- DIAPERS in short.

I hope someone gives them an English language dictionary for Christmas ;-)

ID cards and passports: the fight in the U.S. and the UK

2004-12-07T21:53:00.000Z

One of the fascinating things about the politics of privacy is that people who worry about privacy differ so much: in the UK, for example, nobody seems much to worry about the approximately 4 million CCTV cameras which watch your every step (according to some estimates, you'll be caught no fewer than 300 times on camera when walking through London these days), but as soon as the government wants to introduce a national ID card, everybody is up in arms yelling “big brother”. That people could worry about one but not the other can be considered inconsistent, but there you go...

Some people such as Peter Hitchens (in The Spectator, 10 April 2004) have even claimed that the introduction of ID cards would be “the end of England”. Precisely that is though what the Labour government under David Blunkett has in mind (when his mind isn't occupied with other things these days, to add an inappropriate aside...).

This is not the first time the government has tried to introduce ID cards -- in 1996, for example, then Home Secretary Michael Howard (now the leader of the opposition) had to shelve his respective plans because of opposition from within his own party. No, not concerns about privacy -- the Eurosceptics were opposed that the ID card would be accepted as a passport for travel within the European Union -- horror of horrors.

The focus on what the ID card should be good for strangely changed with the times: in April 2001, for example, Tony Blair argued in favour of its introduction because it would curb fraud and reduce bureaucracy. Later it was hoped to help against underage drinking. Then it was meant to help against illegal immigration and to check the entitlements for welfare payments. And after 9/11 -- you probably guessed it -- it was advocated on the grounds that it would help to fight terrorism.

Now that the ID card legislation is before parliament (you can find the bill here -- an instructive read), protest has sprung up -- such as the group no2id with its helpful website (another interesting website on the topic is the Spy Blog).

Interestingly, the transatlantic “special relationship” seems to hold in this area as well: just as the Brits are debating the introduction of ID cards, their American cousins will be treated not to ID cards, but to fancy electronically enabled passports -- passports with RFID chips. Scheduled to be issued by the end of 2005, they will lack privacy protection, which has enraged the American Civil Liberties Union (ACLU, website here, and the press release on the subject), as Wired News writes. ACLU claims that the information in the passports could be read electronically from as far away as 30 feet. This could be avoided simply by encrypting the information contained, thus preventing dangers like identity theft or the targeting of Americans travelling abroad. But, says Frank Moss, the deputy assistant secretary of state for passport services, encrypting the data might make it more difficult for other countries to read the passports: “It flies in the face of global interoperability,” as he puts it, thus coming down clearly on one side in the conflict between U.S. citizens' rights of privacy and the convenience of bureaucracies and other, more shady elements.

One should keep in mind that many countries use ID cards (11 of the 15 old EU member states have ID cards) without having turned automatically into surveillance societies or police states -- so there is no reason to become paranoid. But it will be interesting to see how the two processes will end up -- whose interests will primarily be served, which concerns will be taken into account, and which interpretation of the necessary balance between privacy and security will ultimately prevail.

All Your (Airline) Data Are Belong To U.S.

2004-11-26T14:55:00.000Z

Been to the United States this summer? Well, then all your data may now be in the hands of the (only slightly Orwellian sounding) Transport Security Administration, as this article in Wired News reveals:

“U.S. airlines turned over a month's worth of passenger data Tuesday to Homeland Security officials, who want to test a massive, centralized passenger-screening system.
The Transportation Security Administration ordered America's 72 airlines to turn over their June 2004 domestic passenger flight records by Tuesday afternoon. The airlines had initially questioned the order because of privacy concerns, but they all complied.
The agency wants the records -- which can include credit card numbers, phone numbers and health information -- to test a system called Secure Flight.”

This is hoped to save you from terrorism in the future. In the meantime, a couple of people may be tempted to use this cache of data for browsing purposes: linking names with credit card numbers, linking phone numbers with addresses, checking where someone really went that June morning... Ever heard of “mission creep”? Once the data are there, one can think of so many useful things to do with them.

You think I'm being paranoid? Did you know that between 1989 and 1998, more than 1500 employees of the US Internal Revenue Service had been investigated or disciplined for using government computers to browse through tax returns of friends, relatives, neighbors, enemies, and celebrities?

[Source: “The Transparent Society: Will Technology Force Us to Choose Between Privacy and Freedom?” (David Brin), p. 55]

Germany and privacy: change is under way

2004-11-18T13:55:00.000Z

Germany -- or more precisely: the Federal Republic of Germany -- used to be a shining example of privacy and data protection. Undoubtedly spurred on by the experience of Nazi totalitarianism in the 1930s and 40s and the example of the Communist surveillance state GDR as next door neighbour, (then) West-German politicians were early adopters of comprehensive data protection legislation in the 1970s. In the early 1980s the Federal Constitutional Court further strengthened German citizens' protection by acknowledging a "right of informational self-determination". But now Germany's position as a country with one of the strictest privacy protections in the European Union is about to change -- and there is little public debate about it.

In two areas that are central to informational privacy, legal changes will soon alter the landscape substantially: the state will soon have comprehensive access to citizens' financial information, and it will be able to monitor email communications. To add insult to injury, none of this will be paid for by the state -- the citizens themselves will have to foot the bill for being snooped upon.

According to the "Telekommunikations-Überwachungsverordnung" (see here for some [German language] information) all ISPs have to install "spy boxes" that filter all email traffic for addresses of suspects and then copy the respective data packets straight to the authorities. While that regulation entered into force already in May 2003, implementation had been delayed until now. But from January 2005 the German state will be able to monitor all email traffic. What little public debate there is on this does not centre on what this means for privacy or civil rights; the only voices present are those of the ISPs complaining about the cost burden this places on them (more information here).

Three months later, in an effort to root out tax evasion, German inland revenue, social services and the labour office will gain access to citizens' financial accounts -- with the help of BaFin, the German financial services regulator. Information about financial accounts can be had without cause or concrete suspicion -- which German weekly Der Spiegel likened to issuing spare keys to citizens' houses on the reasoning that they might hoard stolen goods there. And again the costs of all this have to be borne by the banks -- who will likely pass it on to their customers. Do citizens have to be informed of the act, at least afterwards? No. And no judge will be involved either.

A small German cooperative bank (Volksbank Raesfeld, more information here) has now brought the issue before the Federal Constitutional Court. Interestingly the various German banking associations have remained silent on this (where are you, Josef Ackermann, when you are needed? one is tempted to ask...). When the judges will decide (probably some time in late 2005) we will see more clearly whether they uphold their views on the "right to informational self-determination" or not -- and whether Germany's position on privacy and data protection will really have changed.

Update The German Data Protection Officer, at a conference aptly entitled "20 years after Orwell", today bemoaned these developments. You can find the text of his speech here.

How privacy may be detrimental to your health -- if you're a hostage in Iraq...

2004-10-19T10:28:00.000Z

Sorry for the slightly cynical headline -- but this piece of news caught my eye today:

BBC NEWS | Asia-Pacific | Google 'saved' Australian hostage:

An Australian journalist kidnapped in Iraq was freed after his captors checked the popular internet search engine Google to confirm his identity.
John Martinkus was seized in Baghdad on Saturday, the first Australian held hostage in Iraq since the US-led invasion.
But his captors agreed to release him after they were convinced he was not working for the CIA or a US contractor. [...]
His executive producer at Australia's SBS network, Mike Carey, said Google probably saved freelance journalist Martinkus.
'They Googled him and then went onto a web site - either his own or his book publisher's web site, I don't know which one - and saw that he was who he was, and that was instrumental in letting him go, I think, or swinging their decision,' he told AP news agency.
Martinkus told the Australian Broadcasting Corporation that he was snatched at gunpoint from outside a hotel close to Australia's embassy in Baghdad by Sunni Muslims, and that they had threatened to kill him.

So the lesson seems that Mr Martinkus would likely have been killed had his name not been on a website. See how privacy can be detrimental to your health?!?

U.S. Senate Wants Database Dragnet

2004-10-07T08:29:00.000Z

From Wired News:

"The Senate could pass a bill as early as Wednesday evening that would let government counter-terrorist investigators instantly query a massive system of interconnected commercial and government databases that hold billions of records on Americans.
The proposed network is based on the Markle Foundation Task Force's December 2003 report, which envisioned a system that would allow FBI and CIA agents, as well as police officers and some companies, to quickly search intelligence, criminal and commercial databases. The proposal is so radical, the bill allocates $50 million just to fund the system's specifications and privacy policies.
The Senate will likely have its final vote on the bill, sponsored by Joseph Lieberman (D-Connecticut) and Susan Collins (R-Maine), Wednesday night. The draft of the bill was based on recommendations of the so-called 9/11 Commission, which investigated the United States' lapse in intelligence and security procedures prior to the Sept. 11, 2001, attacks."

It will be very interesting to see whether this bill (the National Intelligence Reform Act of 2004) will be passed or amended before it comes to the final vote!

On another note, I have safely arrived in Berlin and am connected to the 'net again. I much look forward to my period of research here -- although even before me some work arrived that menacingly awaited me in my new office :-(

Update from Secondary Screening:

"On Wednesday, the Senate passed it's version of the 9/11 recommendations by a vote of 96-2.
The bill is big, not just in size, but in the changes it will make to the country's intelligence service, information sharing and civil liberties/privacy atmosphere."

The House version will be voted on later this week -- then reconciliation of the Senate and House versions will take place in the conference stage. Watch this space!

Busy moving to Berlin

2004-10-02T12:13:00.000Z

This is just to say that I am presently busy packing things to move from Oxford to Berlin. Thus there will likely be no entries for a few days -- so don't think I abandoned this blog ;-)
I expect to be up and running in Berlin around the middle of next week.

Telefonüberwachung: Rot-Grün legt Abhör-Gesetz auf Eis

2004-09-30T10:44:00.000Z

SPIEGEL ONLINE:

"Ursprünglich wollten SPD und Grüne heute das Gesetz zur Überwachung von Telefondaten verlängern. Doch das Vorhaben wurde kurzfristig zurückgestellt, weil sich die Koalitionäre nicht über eine Evaluierungsklausel einigen konnten. Dabei eilt das Vorhaben - denn Ende des Jahres läuft das Gesetz aus. "

The German red-green government has postponed a renewal for collecting data about telephone connections, because they are at odds about an evaluation procedure.
If they fail to reach an agreement, the respective law will lapse at the end of the year. The Greens insist on having an evaluation clause in the new bill since it is a "substantive infringement on fundamental rights".
The fact that this comes a few days before the Green party convention may be of interest -- they are expected to take issue there with the hard-line policies of Home Secretary Otto Schily. He is now a Social Democrat, but was a prominent member of the Green Party until he left the party in anger in late 1989...

Flight Passenger Data -- and the problem of "mission creep"

2004-09-29T14:48:00.000Z

As I wrote in an earlier post, one of the core problems with privacy -- given today's technological possibilities -- is that once the data have been collected they will invariably give rise to temptations. Ever new purposes how the data could be used will be found.
Thanks to the people at the Electronic Privacy Information Center there is now firm proof that the data collection for CAPPS II was subject to exactly this sort of "mission creep" -- a slow shifting of the goals that are to be accomplished with the program.

As the New York Times summarizes it (19.9.2004, p. 35):

"But what began as a program intended to focus narrowly on terrorism in air travel expanded greatly as it developed. The agency developed a series of 'Privacy Impact Assessments' for Capps 2 as required by federal law. These assessments are the documents that the privacy center obtained. The first draft of the privacy assessment stated the purpose of the program in one concise paragraph, saying that Capps 2 information 'may be disclosed to federal, state, local and international law enforcement officials who have jurisdiction over the airframe and/or the individual who is a known or suspected foreign territorial or who is a threat to aviation safety, civil aviation or national security.'
By the third draft, in July 2003, there were 15 paragraphs, saying the system could be used in other cases of violent crime by 'appropriate federal, state, local, international, or foreign agencies or authorities.' The third version of the privacy statement also included contractors, consultants, 'other federal agencies conducting litigation, as well as the General Services Administration and the National Archives.' The expansion of the program's mission has been reflected in public statements by Homeland Security officials, as well."

The new "Secure Flight" program is, according to the Transportation Security Administration, not to be subject to such a development. Surely EPIC will have made a mental bookmark to check on that some time in the future...

(The complete text of the NYT article can be found here. The CAPPS II privacy assessments obtained by EPIC under the Freedom of Information Act are here, here and here).

USA nimmt Fingerabdrücke von deutschen Reisenden

2004-09-28T10:13:00.000Z

Aus der Financial Times Deutschland:

"Die USA haben die Ausnahmeregelung für Einreisende aus Deutschland und 26 anderen Ländern zurückgenommen, auch sie müssen ab Oktober Fingerabdrücke und Fotos abgeben. Trotzdem seien die Reisenden weiterhin willkommen.
Ab Oktober müssen auch deutsche Reisende ihre Fingerabdrücke abgeben, wenn sie in die USA einreisen
Die neuen Einreise-Vorschriften in die USA werden ab Donnerstag gelten. Darauf verwies der Staatssekretär im Heimatschutzministerium, Asa Hutchinson, am Montag (Ortszeit) in Washington. Betroffen sind rund 13 Millionen Reisende im Jahr.
Grenzbeamte machen ein Foto und nehmen Fingerabdrücke ab. Die Bilder werden mit Datenbanken abgeglichen, in denen Verbrecher und mutmaßliche Terroristen gespeichert sind. Die neuen Einreisebestimmungen gelten bereits seit Anfang des Jahres, doch waren Reisende aus den 27 Ländern, die kein US-Visum beantragen müssen, bislang ausgenommen. Diese Ausnahmeregelung wird mit dem 30. September gestrichen."

The question is obviously: what happens to all these data? And: will this be effective? Imagine an error quota of a mere 1% (probably far too low) -- that means that no less than 100 000 people will be terror suspects each year. And that counts only those from the countries initially deemed not dangerous...

From Wired News: Pentagon Revives Memory Project

2004-09-27T10:59:00.000Z

Wired News:
"It's been seven months since the Pentagon pulled the plug on LifeLog, its controversial project to archive almost everything about a person. But now, the Defense Department seems ready to revive large portions of the program under a new name.
Using a series of sensors embedded in a GI's gear, the Advanced Soldier Sensor Information System and Technology, or ASSIST, project aims to collect what a soldier sees, says and does in a combat zone -- and then to weave those events into digital memories, so commanders can have a better sense of how the fight unfolded.
That's similar to what planners at Darpa, the Pentagon's research arm, had in mind for LifeLog, its ambitious electronic diary effort. However, ASSIST's aspirations are more modest, its battlefield focus is clearer, and its privacy concerns are more manageable, military analysts and computer scientists say. All of that combines to give the project a better chance of taking off where LifeLog crashed."

On languages in this blog

2004-09-26T20:56:00.000Z

One more thing on the rules for this blog: while its beginnings are, as you can see, in English, it is meant to be bilingual - namely English and German.
One of the reasons is that Germany is one of the cases in my investigation (besides the UK and the U.S.A.); another is that some of the material posted may well be in German - newspaper cuttings, for example; and lastly, as I will mostly work on this blog from Berlin, it would seem the polite thing to do...

The Politics of Privacy - what does it mean?

2004-09-26T19:28:00.000Z

In recent years, revolutionary technical innovations in the areas of telecommunication, data transmission and computerisation have changed the availability of data fundamentally. Today, any sort of data is available everywhere and immediately in principle. At the same time the capacity for storing data has grown tremendously, and the fact that stored data can be digitally processed and linked to each other means that new data can be generated from very diverse sources of information, giving them a new quality.
The question who exerts control over such "flows of data", who has access rights, and what purposes they can be used for, is one of immense political importance, and raises a host of problems. To an increasing extent, this topic is getting onto the political agenda in many countries - see the debate surrounding the PATRIOT Act in the United States, for example. Political science, however, has so far hardly dealt with these questions both in their normative and empirical dimensions, although this is a very promising area of potentially fruitful research. Potential areas of inquiry range from questions of data protection and civil rights to that of the introduction of (machine readable and biometric) ID cards and CCTV camera coverage of large parts of public spaces and the availability of passenger travel data for anti-terrorism purposes or questions of e-commerce.
Technological developments in this area are inherently ambiguous and therefore need to be politically assessed before their potential application. Some examples may serve to illustrate this: does the combination of computers, face-recognition software and CCTV cameras, for example, constitute a step towards more efficient crime fighting (which would be positive), or a step towards an Orwellian surveillance state (which would be negative)? Does general access to strong encryption of data traffic spur up the development of e-commerce (and thus economic growth), or will it facilitate the execution of organised criminality without the fear of detection (and thus needs to be stopped)?
I am starting a research project dealing with some of the questions touched upon above, and I start this blog as an experiment. I hope that it will be a source of information and discussion for people interested in this subject, that it will serve as a place to exchange views and thoughts, and that it will make a positive contribution to the debate - and my research project. So I extend an invitation to all comers to comment on the postings and links they find here. And if you want to become a contributor, let me know -- just mention it in a comment!