I have suggested in two blog articles that, should the UK’s security services build their proposed internet surveillance system, it will be accessed illegally by the well resourced and technically savvy, and legally by those that can afford the lawyers, mainly big business or the sensitive libel litigators. There is well-proven precedent that laws designed for a narrow purpose will bleed into broader areas.
We already have the example of the Norwich Pharmacal case, where HMRC were subpoenaed to release records to a party in a civil case. This has bled from intellectual property to other cases. It should be noted that giving HMRC the facts they require is mandatory. It’s this bleeding of law from its original purpose to others that often makes the worst law.
The Inland Revenue refused point blank to take on the Child Support Agency’s collection duties and also fought tooth and nail to keep its data private from the CSA. They felt that many men would tell the truth to them, but seek to avoid co-operating with the CSA; inter-agency co-operation would in their eyes make their duties more difficult; they’d lose the co-operation of many taxpayers.
The decennial Census is mandatory. The privacy guarantee is that neither individual returns nor micro-sets that allow the identification of individuals will be published, yet this was run by Lockheed Martin, an organisation subject to Patriot Act supervision?
The establishment of the Criminal Records Bureau (CRB) has also created another luge, from the specific to the general. It was created to ensure that the criminal records of staff in schools were known. It is now used for parent volunteers and it is becoming commonplace for large employers to ask for a criminal records check before offering work. The CRB won’t release their data to organisations with no child protection roles without the permission of the data subject, so guess what the options are if you want or need the job.
(That’d be quite a good caveat: no non-law-enforcement organisations can access the snoopers database without permission of the data subjects, but we need to change RIPA, since a very large number of organisations can issue.)
This is all an interesting contrast as private (i.e. legally confidential) data is made available to the interested, but public data is being privatised.
Actually the Tories seem conflicted; their manifesto promises and early actions suggest they’d like to live with and act on the view that public data should be made available to allow the crowd-sourcing of innovation using the data, such as TFL and the train locations, enabling the private sector to create jobs and income on the back of a public sunk investment. They were persuaded that the public, or the taxpayer as they like to see it, had already paid for the data. However, the cutting of the universities’ funding system weakens the public claim on the research output of these institutions, enabling the enclosure of this research by the academic publishers.
Alec Muffett has performed a sterling service in a bunch of articles at Crypticide, from reviewing the evidence presented to Parliament to pointing out that, at the time, the Home Office considered Facebook and Twitter to be UK ISPs and seemed to plan to require them to retain message data, not message header data, for 12 months.
As a penultimate point, someone called Derek writes and explains how the technology works. His article is quite simple and so a good place to start; he explores the ease of adoption of encryption technology, which is quite useful, but this is why the Home Office asked questions in their consultation as to how and if encryption technology should be restricted.
My final comment is that the recent hacking of Twitter and the NYT is further proof that the growing body of literature saying that “brute force” attacks on password systems are getting cheaper and cheaper is right, at least if you are a state actor. To keep a site secure, you have to do everything right; to hack it, the attackers only need you to have forgotten something or been cheap once.