Labour and Surveillance (#lab18)

In case anyone wants to try and take surveillance and privacy to #lab18. Here are some words.

Investigatory Powers to be subject to Human Rights Law.

Conference notes the report in the Register on 6th August that US Senators are challenging the NSA destruction of 4 years of phone usage records as they believe that this is in order to destroy evidence of illegal collection.

Conference notes the complete absence from the NPF report on the surveillance society and the illegal investigatory powers regime introduced by the Tories in 2016.

Conference notes that the Investigatory Powers Act 2016 legalised the use of bulk powers to allow the UK intelligence services to collect all the UK phone usage and internet usage records.

Conference notes that the intelligence services have made data on UK citizens available to the USA.

Conference notes that the exact terms of the data sharing between the UK & US are unknown

Conference notes that the Investigatory Powers Act has been ruled as contrary to EU law as it contravenes the Charter of Fundamental Rights which is the EU’s commitment to the European and Universal Declaration of Human Rights.

Conference resolves that a Labour Government will ensure that private and public surveillance technologies will conform to laws that meet the requirements of the European Convention on Human Rights.

Conference instructs the NEC/NPF to draw up a human rights based policy for the regulation of British law enforcement authorities and their investigatory powers.

218 words …

Surveillance, ignorance and a chilling effect

The Guardian, not exactly disinterested, publishes a leader on regulating Apple and its competitors. I would argue, Apple is the example of the 5th Industrial Revolution monopoly and we need to learn how to regulate it and is competitors and it is a problem for the US also. The authors  completely miss the fact that there are new forms of oppression, that of surveillance, caused by the datenkraken.

We need new forms of protest and defence even though we’ve know about it forever. It’s for this reason that we established the rights of privacy and free speech as part of the universal declaration of rights.

This quote is important, it establishes commonalities with their predecessors,

All [ the datenkraken] use remarkably few workers to generate their enormous profits. All operate an internal class system, which concentrates power in very few hands. None have any unions worth speaking of. All rely on the unglamorous work being done far from California, usually by subcontractors. All shuffle their profits around the world in an endless game of “Find the lady” with national tax authorities – a factor that should not be overlooked when it comes to asking why they are so immensely profitable. If this is the model of the company of the future, it will have consequences we have not yet learned how to manage.

They finish with,

The downside of the oil-based economy is now obvious all around us. The symptoms of apparently uncontrollable climate change have become undeniable. Cities are choked with polluting traffic while the seas are choked with plastics made from oil. Whole countries have been devastated by oil riches. The digital revolution seems, so far, much more benign. But the loss of trust that social media both causes and exploits may one day be seen as another form of unforgivable pollution.

I think this is weak, the threat is surveillance, ignorance and a chilling effect. …

Eternal vigilance

I have been pointed at China’s Social Credit Scoring plans via two routes. The first is this extract published at Wired from Rachel Botsman’s book, “Who can we trust”. This details the Chinese Governments plan to build a social credit scoring scheme, but the sources and incentives are horrendously comprehensive, including their leading match making agency. (It’s taken me some time to read this article, an I have bookmarked and annotated it in my diigo feed.) Worrying things about the Chinese scheme is that voluntary participation becomes mandatory; while rewards and incentives are at the forefront of everyone’s mind today, control and punishment is planned, in the Chinese case in the short term they are talking about foreign and domestic travel restrictions but as I note, the countries leading dating agency is one of the surveillance agencies. There is also talk of social investment loans (helicopter money) which become available on the basis of social scores.

The second route was an article on Medium by someone who got banned from AirBnB. He pointed at an article on Buzzfeed, “A Chinese-Style Digital Dystopia Isn’t As Far Away As We Think” where a series of regulatory decisions in the USA seem to be paving the way to something similar, a powerful illustration that the argument that surveillance is OK if it’s private sector is horrendously false.

One worrying aspect of the proposed Chinese system is that your reputation is as good as that of your friends and we have idiots trying to replicate it with peeple, and reading up on that has started me worrying about Linkedin and its competitors and we all know we should get off facebook.

The wired article came before machine learning and massive scale AI became a hot topic, but it’ll be interesting to see what happens to social credit scores when they let rip with the application of machine learning. The automated derivation of reputation scores also raises issues of safeguarding, libel and context. Safeguarding and libel laws require the machines to tell the truth, in fact safeguarding may require machines to hide the truth. Context requires a level of nuance that we are unsure if machines will ever have, but even if they get there, justice and judges must remain human and the code must be open; China’s & Facebook’s is not!. The GDPR gives data subjects rights, perhaps its time to revisit the seven principles.

Of course in the UK, we have our very own examples of machines and data sharing getting it wrong. Sajid Javid, the Home Secretary has suspended the intra-government and some of the other immigration data sharing as a result of the backlash on the Windrush scandal. (I wonder if this I an excuse to look again at the DPA Immigration Exemption clauses.) Much of what is happening in China and the USA is also happening in the UK, it’s just that the surveillance agents are the US owned datenkraken and the British State have legalised the hacking of their data streams.

What’s happening in China is terrible, but our governments are following suit! The price of freedom is eternal vigilance. …

On Adequacy after Brexit

I attended the Home Affairs Committee on Europol and the European Arrest Warrant yesterday. Don’t say I don’t know how to have a good time. One of the members, suggested that since we have passed a new Data Protection Law, we will be compliant from Day 1, or Day 0 as we engineers call it. I think  not and here’s why. In short, the Government say they’ve implemented the GDPR into British Law, but once we’re a third country, it’s the Commission that has the last word, and they have questions we need to answer. …

Firstly, I don’t think the Commission would act that quickly and they’d need to issue an adequacy decision and there are four questions of substance that the Commission would need to consider.

  1. The European Data Protection Supervisory Board’s predecessor, the Article 29 Working Party and the Commission had outstanding issues with the UK’s implementation of 95 Directive, to the extent that it seems the Commission had started infraction proceedings. (I find it very hard to get explicit data on this, and much of what is available reads like conspiracy theories, but the most vocal campaigner published his views in the Register, here. The author argues that the infraction process proposes to carry forward to the 2018 DPA. ) The author checkpointed his findings in a 2011 blog article, called “European Commission explains why UK’s Data Protection Act is deficient”, he also points to an Out-law Article, “Europe claims UK botched one third of Data Protection Directive” 17 Sep 2007.
  2. The House of Lords Committee on Data Protection found that as a 3rd Country we may be required to meet a higher standard than as a member state. (This is because we will lose the powers granted to member states under Article 23 Restrictions of the GDPR. These powers relate to the exemption of national security organisations and the courts (and others) from some aspects of the GDPR). This is why there is concern with the Investigatory Powers Act, already declared deficient by the UK Courts and the DPA immigration service exception will jeopardise any attempt to obtain an adequacy finding. i.e. a member state might be able to have these laws but a 3rd country may not.
  3. The loss of member state status and privilege means that our intelligence sharing arrangements with the US, a country which still has the death penalty, and operates under a different military legal doctrine may be deemed to be a critical problem in granting adequacy. (We should note that Tom Watson MP, obtained a barrister’s opinion on the legality of sharing intelligence and wrote to the Prime Minister at the time on the legality of this activity; it was taken up by Rights Watch who are pursuing this through the courts.)
  4. Depending on the withdrawal agreement, and it seems that no-one is thinking about this, we may cease to be covered by the US Privacy Shield agreement, and thus will be prohibited from transferring EU citizens personal data to the USA, and they to us. (Actually prohibited is a bit strong, participants in cross border data transfer would need to be covered by model clauses, or binding corporate rules and both of these are under judicial review (Schrems II) and create a barrier to entry because of cost to SMEs).

It should be noted that the ECJ has required the US Safe Harbour agreement to be re-negotiated; its successor allows US corporate self assessment, but also requires EU citizen access to the US Court system. The important thing here is that the Commission consider protections of EU citizens’ personal data, and the establishment of rights against the State’s intelligence, security and police services to be part of an adequacy findings and since the EU is not frightened of a row with the US; it wont be with us. …

Investigatory Powers revisited

Investigatory Powers revisited

In December, the CJEU stated that the British and Swedish investigatory powers laws were in contravention to the EU’s Charter of Fundamental Rights. This was in the case of the UK partly based on the litigation started by Tom Watson MP, initially with David Davies MP. This was reported in the Register, here, and the Guardian here.  The Open Rights Group have asked for people to engage in the Home Office consultation; they propose to put a judicial warrant requirement on investigation requests for suspect internet data. This blog discusses my contribution. If you want to follow me, you’ll have to be quick the consultation closes tomorrow. …

The Data Flow implications of Brexit

The Data Flow implications of Brexit

Project Fear or Project Reality about Brexit continues and while risks to banking, air travel, radio-therapy and the pan-European integrated manufacturing supply chains are all making the headlines, there is also a serious problem with maintaining data flows particularly of personal data, which underpins both secondary & tertiary sector industries.  This article looks at the threat to trade involving data flows posed by Brexit and looks at the likely shape of US/EU data flow and privacy regulation. …

No safe space

No safe space

I made a storify after the election, and its terrorist disruption about the, mainly Tory response in blaming the internet. I don’t make the point that the Northern Ireland “troubles” were pre-internet but I do talk about the Tories, and May’s instinctive response is to censor and silence dissidents. I also point to Amnesty International’s critical report on the UK’s surveillance laws. I transferred this to the blog, as at the original date of publication, once Storify announced they were abandoning their service.

 …

Why you should be bothered about the Snoopers Charter

Why you should be bothered about the Snoopers Charter

Late last year, the UK Parliament passed the Investigatory Powers Act 2016. This law builds on the Regulation of Investigatory Powers Acts and the Data Retention Laws. This law allows the Government to store all our electronic communications traffic, read the content and meta data and co-opt the product and service vendors to help them. I describe this in more detail below.

The Law was written in the aftermath of Court of Justice of the European Union’s (CJEU) ruling in the Schrems vs. Facebook case that the EU’s Data Retention Directive and hence the member state implementations were in contradiction to the EU’s human rights law, the Charter of Fundamental Rights. Parliament had considered aspects of these proposals twice before under the two previous administrations and rejected them.

This article looks at the new Law, criticises it on Human Rights grounds in that it jeopardises the right to privacy, the right to organise, the right to a fair trial and rights to free speech and on IT Security grounds in that the new regulation of encryption products jeopardises access to electronic trust and privacy. It also examines the likely impact of the recent CJEU ruling on the legality of its predecessor law, and in passing, likely conflicts with last year’s passage of the General Data Protection Regulation (GDPR) by the European Union.  …

Oi!, You! No snooping on my emails and chat!

Oi!, You! No snooping on my emails and chat!

Earlier this week, the Court of Justice of the European Union delivered its judgement on the legality of the UK & Swedish data retention and surveillance laws. They confirmed their ruling from 2015 that general monitoring is illegal, that retention must be specific and is only allowed to combat serious crimes, that access to surveillance records must be authorised by independent authorities and that EU data subjects must be have access to legal remediation if their rights to privacy are breached. The Guardian report on it here, the Independent here ,the Register here and even  the Daily Mash comments here. The UK’s Investigatory Powers Act also gives the government the right to mandate backdoors in UK operated communications products; these powers may also fall foul of the prohibition on general monitoring and the need for independent review. While the ruling is specific to the UK’s DRIPA law, which has now been replaced by the Investigatory Powers Act, it poses a clear challenge to the legality of the new Law. …

Last Chance

Last Chance

Given Dianne Abbott’s appointment as Shadow Home Secretary I feel there is an opportunity to change and challenge Labour’s position of abstention on the Regulatory Powers Bill. There is some urgency to this as today is the last day in which Peers can place amendments to the 3rd Reading.

The arguments in favour of passing the RPB is that the current surveillance laws are inappropriate for today’s technology and the current regulatory regime is insufficiently powerful. The arguments against are that the legalisation of past illegal practice and the authorisation of new powers are a massive breach of the rights to justice and privacy, there is zero proportionality and the proposals are of unknown effectiveness. …