Wednesday, 23 April 2014

Botched EU communications data retention rules quashed

How many people really care about how long their communications data is retained for national security and law enforcement purposes?

Beyond the readership of this blog, probably not very many.

I remember first becoming involved in this issue some 15 years ago, when working for what was then known as the mobile company One2One. It was my job, amongst others, to understand just what the company needed to use these records for, and for how long they needed to be retained. I remember conferring with colleagues in the mobile (and fixed) telecoms field, exchanging ideas as to what retention standards ought to be appropriate.

I won’t list the (then) retention standards in this blog, as I would only be opening a can of worms - suffice to say that today’s retention standards differ greatly from that practiced by certain providers then.

I also remember working with the Home Office on the issue of mandating certain retention standards – really to ensure that data that was actually required for an investigation could readily be made available when it was proportionate and necessary to do so.

And finally, under the stewardship of the then Home Secretary Charles Clarke, I remember the UK Government being primarily responsible for the Communications Data Retention Directive (2006/24/EC), which broadly tried to set common retention standards throughout Europe. Why? Just in case communication records generated by, say, British customers in the UK, were to be held not in the UK but in a central European records database. Given that, back then, the parent companies of Orange, One2One, O2 & 3 were based respectively in France, Germany, Spain & China, there was a real possibility that Britain’s law enforcers might have lost out if British mobile phone records were to have been held outside the UK.

It can also be said that we all knew that the Communications Data Retention Directive, especially as it applied to IP records, really was not fully fit for purpose when the time came for the final note on approving the thing. But what was better – a botched job, or no agreement at all? The European parliamentary timetable was such that there was a real prospect that all work on the measure would have been wasted had a final vote not have been made by a particular date. 

The Governments of the Member States, and the members of the European Parliament, took the view that any agreement would be better than no agreement.

Now, some 8 years later, the European Court of Justice has taken the view that the original job was so botched that the Directive ought to be annulled.

In essence, the court has held that the retention limits (which allowed Member States to individually set periods of between 6 and 24 months for various types of data) were disproportionate. Why was this time period originally agreed? Principally because it was a timeframe that suited the requirements of a large majority of the European law enforcement bodies that were using significant volumes of communications records for investigative purposes back then. 

Readers with a keen sense of irony will know that one of the successful appellants in this case was Digital Rights Ireland. Yet, the Irish Government was originally opposed to the Directive because they wanted to keep communications records for 36 months, not the 24 months that was finally agreed. The Italian Government were even more opposed to the Directive, because they originally wanted to keep certain records for 48 months (and even longer in some of the cases that involved Mafia investigations).

The German Government was very opposed to the concept of keeping records even for as long as 6 months. Basically, this was because it knew it would come under considerable pressure to pay the providers in that country the costs that would be incurred in setting up the relevant records retention databases and, thanks to the recently disgraced former East German administration, it also had direct experience of state abuse of communications records.

Readers with a keen sense of irony will also know that the first four communications providers to announce that they have reduced their retention periods, in light of the judgment, hail from Sweden, which is one of the 4 Member States that originally sponsored the Directive.  And it was the same European Court of Justice that fined Sweden 3 million Euros in May 2013 for delaying implementation of the Directive in that country. Where’s the justice in that? (Presumably, though, the Swedish Government will now be able to appeal that fine.)

Anyway, what will happen in Blighty as a result of the judgement?

Probably, not a lot. Certainly not soon, anyway.

Given the speed with which the Home Office moves on such weighty issues, it could be some time before an official announcement will be made. Discrete calls have already been placed to the key UK providers, inquiring whether the judgement is likely to change their current retention plans. Such is the relationship between Home Office and said providers that it didn’t take long before the relevant reassurances were received. Home Office attention will now focus on the overseas providers (yes, the usual suspects) to better understand what steps they intend to take.



Tuesday, 22 April 2014

Snowden allegations stuffed by official report

Supporters of Edward Snowden will probably doing their best to ensure that a report recently published by the Interception of Communications Commissioner is read by as few people as possible.


Because it sets out, in a pretty accessible way, just why it is that we Brits have so little to fear about the capabilities that the Government actually has in terms of abusing our communications records.

I appreciate that this is not a very popular thing to say amongst some circles, but it still needs to be said. And I also appreciate that, as this is a good news story, it’s unlikely to be picked up by the mainstream media channels. But I don’t write this blog to attract the attention of the mainstream media.  

What am I talking about?

I’m talking about Sir Anthony May’s first annual report as the Interception of Communications Commissioner.

It was published on 8 April and largely ignored by the media as it coincided with the news that the European Court of Justice had quashed the Communications Data Retention Directive (2006/24/EC), which had broadly required European Communications Service Providers to retain various types of data for certain periods for the purposes of tackling serious crime. (I’ll address this issue in another blog.)

In a courageous departure from previous practice, Sir Anthony has been more open in communicating with the public on the big issues of the day. Technically, this has been a challenge, as his statutory role is to report to the Prime Minister, rather than offer a running commentary on relevant issues to the media. But it is an incredibly welcome step, as he is someone who actually knows, from firsthand experience, what really goes on. Most people are hazy about the details of this complicated set of laws, and comment from a position of what they perceive to be going on, rather than what has really been going on. He really knows.

Let’s focus on what Sir Anthony has actually said:

“I have full and unrestricted access to all information from public authorities, however sensitive, sufficient for me to be able to undertake my statutory functions.

Public authorities do not misuse their powers under RIPA Part I to engage in random mass intrusion into the private affairs of law abiding UK citizens. It would be comprehensively unlawful if they did.

I am quite clear that any member of the public who does not associate with potential terrorists or serious criminals or individuals who are potentially involved in actions which could raise national security issues for the UK can be assured that none of the interception agencies which I inspect has the slightest interest in examining their emails, their phone or postal communications or their use of the internet, and they do not do so to any extent which could reasonably be regarded as significant.

British intelligence agencies do not circumvent domestic oversight regimes by receiving from US agencies intercept material about British citizens which could not lawfully be acquired by intercept in the UK.”

If I were on the Pulitzer Prize Committee, I might now be having second thoughts about awarding the Washington Post and the Guardian their recent bauble for printing so many of Edward Snowden’s revelations. Yes these stories have stoked up a huge array of global interest in the issue, but they have also indicated the extent to which the relevant authorities have tried so hard to seek assurance from suitably qualified lawyers that whatever was going on was in accordance with local laws.

The outcome (in America, at least) will probably be new laws, further restricting current capabilities of the US law enforcement community. I don’t see the outcome resulting in any officials facing criminal prosecutions for having approved various programmes that may well have involved the collection of communications records.

And the outcome in the UK?

Given Sir Anthony’s views, probably not a lot, as he is already satisfied with many of the controls that are already in place.

On receiving it, the Prime Minister commented:

“The report makes clear the Commissioner’s view that RIPA is fit for purpose, despite advances in technology. He also finds that interception agencies undertake their roles conscientiously and effectively, and that public authorities do not engage in indiscriminate random mass intrusion.

The report also publishes, for the first time, a detailed breakdown by public authority of the number of communications data authorisations and notices issued. I welcome the greater degree of transparency that this report brings, without harming national security, and look forward to the Commissioner’s further work on the volume of requests.

In light of concerns about the activities of the intelligence agencies, the quality of oversight, and a number of public concerns and myths that have developed in the light of media allegations linked to Edward Snowden, I believe his report provides an authoritative, expert and reassuring assessment of the lawfulness, necessity and proportionality of the intelligence agencies’ work. I thank Sir Anthony for the rigour of his scrutiny.”

So, a rigorous scrutiny from the most impartial expert we are likely to get has resulted in a pretty clean bill of health for the law enforcement community.

Not that all parts of the media will necessarily report it that way, though – if they bother to report it at all.

Sunday, 13 April 2014

DP compliance checks: what to look for

What does “good data protection” look like?

I’ve been asked that question several times over the past few weeks as I’ve carried out data protection health checks for a range of organisations.

It’s caused me to pause and reflect on what controls I’m really looking for in an organisation, and the extent to which these controls deal with real or potential threats that exist with regard to the organisation’s processing of personal data.

It’s also caused me to review a number of the audit methodologies that appear to be in use right now, and to refine my own approach, which appears to have been well received. My own approach now focuses much less on compliance with specific elements of data protection legislation, and much more on helping the client develop an oversight structure to give them the assurance they require when assessing how good they are at data protection.

It’s so nice to visit a client and barely mention the data protection principles. Instead, I’m following the ICO’s current thinking, which is to break data protection compliance down into a number of bite size chunks, and get the client to agree which “chunks” are most significant, as far as their organisation is concerned.

A close read of the audit reports currently published on the ICO’s website gives a good indication of what really really matters. So, organisations that have addressed these issues are going to be in a pretty good shape.

Write to me if you want more information about my methodology.

What has struck me, as I’ve carried out the latest series of health checks, is how insignificant the proposed (well, deceased) Data Protection Directive actually is.  I use the term “insignificant” in the sense that I really can’t see how it might realistically improve data protection standards beyond what might reasonably be expected of anyone who was taking their current obligations seriously.

Putting this thought into a different set of words, current data protection compliance levels could so easily be improved if people just managed to understand and follow the existing rules. I have no confidence that the imposition of an even more complicated set of rules would motivate significant numbers of data controllers to “up their game”, as it were. If they lack the resources to deal with the basics, then all they are likely to do is to fall even further behind, in terms of legal” expectations, if the impossibly high standards commended by the European Parliament ever see the light of day .

Of course, the draft Regulation does have some uses. It gives some people the opportunity to enhance the importance of data protection (and in doing so enhance their own status), by becoming an international talking head on this stuff. It gives teams of professional advisers the opportunity to sell their services to the (relatively small band of) clients that can afford to pay for such data protection wisdom.  Proposals for legislative change also create more noise and opportunity for policymakers to earnestly consider what new rules ought to be put in place. But so many of these proposed changes simply tinker at the edges, rather than seek to fundamentally review what controls are really important for this and the next generation.

The controls that are really important are those that reward good behaviours.

We data protection folk have a lesson to learn from our financial services chums. Try as I can, I find it really hard to identify a link between, say, the volume and intensity of regulation in the financial services sector, and an increase in consumer confidence and trust in the integrity of financial services institutions. To generalise (and most unfairly, perhaps) it seems to me that certain awful standards in the financial services industry exist independent of the rules. I am appalled at the rate of return my (meager) investments are realising, but there is very little I can do about it.

The more I think about it, that Emperor of a Draft Regulation never really had any clothes. And, it had no more realistic chance of changing many data controllers’ behaviours than has the ICO chorus of winning “Britain’s Got Talent”.

So what should be done today?


For a start, organisations should look at their current controls and ask themselves if they are happy with what they see.

And, if they don’t know what they really ought to be looking out for, then all they have to do is drop me a line and ask me to outline my own approach towards pragmatic compliance with the ICO’s expectations.

Image credit:


Thursday, 13 March 2014

Messages from Manchester

Those with a keen pair of ears at last week’s Data Practitioner Conference in Manchester (3 March) would have detected a subtle shift of emphasis of the ICO's enforcement policy. It was a shame that traffic - or business commitments - had prevented some 50 or so delegates from taking their allotted seats in the main conference hall. Yes, they had also prevented some 50 or so others from the opportunity of attending. But, the ICO knows who the miscreants are, and I'm assured that their names will prominently feature on the mailshots that the ICO's audit team will be sending to prospects who may benefit from an ICO advisory visit.

Even a cursory  glance at the delegates indicated that ICO data protection practitioner conferences have been radically transformed since Christopher Graham held his first event at the Lowry Hotel in December 2009. And who remembers attending Richard Thomas's conference on Privacy by Design at the same venue the previous year?

Gone (mostly) is the cohort of what the mighty Eduardo Ustaran has politely termed: "an elite of nerdy specialists". In their wake, a new class of compliance professional has emerged. A class of professional who appears less interested on discussing philosophical issues around various theories of privacy.

Perhaps we now have a more submissive class of privacy professional, a class more willing to be told what good practice is, rather than a class seeking to become intimately involved in designing these practices. Perhaps this is also due to hugely increased burdens of work within the office environment, which prevents so many data protection officers from physically having sufficient time to become more engaged in strategic policy work.

The main message of the day was that responsible organisations should focus on the needs of the customer, and on achieving good privacy outcomes, rather than focusing on compliance with the strict letter of the law. Good practice mattered more than strict compliance with legal requirements. This was not a day for the legal purists.

The second message of the day was that the ICO was not afraid of taking on the public sector, and that accountability for information governance failures would be placed firmly at the door of the political leadership at local government level, rather than at the level of the engine room. If statutory responsibilities were being ignored, resulting in potential harm to individuals, then it should be the officials who took the political decisions to refuse to allocate sufficient resources that should be held accountable.

This message placated a few public servants, but then late int he afternoon David Smith reaffirmed his view that, in light of the personal data breaches that had been reported to the ICO, data handling standards in the public sector were not equivalent to the standards that generally prevailed in the private sector.

That certainly gave many of the delegates something to think about as they returned to their homes.



Saturday, 1 March 2014

Tweaking surveillance laws won’t necessarily lead to many changes


I’ve just declined an invite to attend a keynote speech on surveillance that Yvette Cooper, the Shadow Home Secretary, will be delivering on Monday in Central London. Instead I’ll be with some 700 chums at the Information Commissioner’s Data Protection Practitioner Conference in Manchester.

Evidently, Yvette Cooper’s speech will outline the challenges of navigating a new digital world and the implications for security and privacy.  She will be discussing the role of the police and security and intelligence agencies, as well as the safeguards needed to protect our privacy and liberty.

In the light of recent revelations about the way GCHQ has been collecting images taken from Yahoo! webcam conversations, including very considerable volumes of sexually explicit images of the users, I do hope that Yvette gives some thought as to how such activities should be regulated in future.

I also hope that Yvette makes the point that law reform may not be a necessary or sufficient means of more appropriately regulating such activities. Whatever the law is (or is to become), it will in any event be deliberately drafted in a flexible manner, to cater for future contingencies.  

It is not the law that is necessarily the “problem”.

The “problem” lies in the oversight.

Even though what GCHQ may have doing was “lawful”, the really critical point is that the activity was (or would have been) known to the appropriate oversight bodies, and such techniques would have been carefully discussed and formally approved.

Let me go one step further.

I find it incredibly hard to contemplate sensitive and intrusive techniques, such as the Optic Nerve technique, being considered and approved just at an operational level. They would also have been carefully considered and approved at a very senior political level.  

The “problem” lies in the political oversight.

So, we should not blame RIPA or other surveillance laws  - or just the spooks - for developing sensitive and intrusive techniques. We should place the accountability (if there is to be any accountability) firmly at the doors of those who took the political decision to authorise the deployment of the techniques. Parliament would not have known. But a small group of very senior politicians would. In a decade’s experience of working under both Labour and Coalition Governments, I never saw a difference of view between senior Labour or Coalition ministers when political approval for any intrusive sensitive techniques that I might ever been made aware of was sought.

This is why I’m looking forward to hearing comments from former Home and Foreign Secretaries such as Margaret Beckett, David Blunkett, Charles Clarke, Alan Johnson, David Miliband, John Reid, Jacquie Smith, & Jack Straw about what changes have to Britain’s surveillance laws are appropriate. Oh, and also from the current incumbents, Theresa May and William Hague.

Now, what might actually happen if surveillance laws were to be changed?

Probably, not a lot.

And this is because the really sensitive decisions will still be made by senior Ministers, on the basis of evidence that is presented to them which is sufficiently persuasive of the need to approve whatever is being asked of them.

To think that we Brits might face a less intensive level of surveillance simply because the surveillance laws had been changed is an interesting concept, but perhaps a misguided one.

Given the operational control they have over what does go on, until a small group of senior Ministers change their behaviours (and their attitudes) towards surveillance, no amount of tweaking with the surveillance laws is likely to result in significant change.



Friday, 28 February 2014

Adolph Hitler: his part in’s downfall

The NHS data sharing opponents have implemented a cunning plan to disarm the supporters of the project. It’s called humour, and it comes by means of a genuinely funny video that aims to undermine those who (like me) believe that data sharing within the health sector is a good thing.

How will NHS England respond? Perhaps they’ll come up with something just as funny. I do hope so. Otherwise, I fear that the opponents will continue to win hands down on the publicity front.

NHS England wants to do a great amount of good. But, do enough people trust it? 



Monday, 24 February 2014

Online Reputation Management

How do you maintain a good on-line reputation? What can you do when others post extremely embarrassing comments (or images) about you? How can they be removed – or at least made less visible to search engines, to prevent others from stumbling across the relevant links?

I've recently been advising someone who is very concerned about what has happened to them: "For years there has been an offensive post about me on the internet. It is embarrassing and I have wished for years that it would get removed. However, the website where it was posted has closed down and I have no means of contacting them."

Despite Google's efforts to remove the offending material from its search results, the victim remains concerned that others will find it.

Not even the fabled "right to be forgotten" proposal in the Data Protection Regulation would have been of much help in this instance - as the material was originally posted by an American company that has folded - but who passed their data assets to another US company before  closing down.

How can victims be reassured that embarrassing material won't be shadowing them for  years to come?

Of course I appreciate the tension between freedom of expression, on the one hand, and censorship, on the other. But I also appreciate the anguish that victims feel when it appears (at least to them) that they are being unfairly hounded.

Perhaps, in time, the shadow from the embarrassing material will slip down search rankings, as more favourable information about an individual is posted.

But the internet (and particularly the Internet Archive) does not forget. Somehow we have to come to terms with this reality. Just as we need to accept that data controllers have rights, too. Particularly in terms of the information assets they have legitimately acquired.

What’s most poignant is that the person I’m advising is just 17 years old. Having had the shadow of this material around their neck for a few years already, you can imagine how they might feel if they were told that there was no hope that this material would ever be placed beyond the reach of internet users.  

If you can’t afford the services of reputation management companies like Iginyte, then who can you turn to?

Image credit: