A Joint Select Committee is currently reviewing the Draft Communications Data Bill, also affectionately known as the Snoopers’ Charter. This Bill would compel “telecommunications operators” – everyone from your ISP to your mobile phone company to Royal Mail – to collect and share with the government certain data about your communications: who, where, when, how. There are, unsurprisingly, a number of privacy issues with this approach.
The Joint Select Committee is running a consultation, which you can access here. The deadline for written evidence is tomorrow, August 23rd. You can also submit a written response to the consultation through 38 Degrees, which is what I did. For reference (and reapplication if you want), my response, particularly to questions 2 and 3 of the consultation, is below.
My response to the Joint Committee Consultation on the Draft Communications Data Bill
2. Has the Government made a convincing case for the need for the new powers proposed in the draft Bill?
There already extensive provisions under the Regulation of Investigatory Powers Act (RIPA). There is currently no convincing case for an extension of data gathering and surveillance powers as proposed in the Draft Communications Data Bill. The proposals are likely to generate vast amounts of additional data, and rather than looking for a needle in a haystack, the effect would be akin to adding more hay to the stack. This also increases the risk of “false positives” – flagging perfectly legitimate behaviours as suspicious, thereby turning us all into a nation of suspects. Rather than introducing the Communications Data Bill, the government should focus on tightening up RIPA, making it more transparent and limiting the number of often frivolous requests granted under that Act.
3. How do the proposals in the draft Bill fit within the wider landscape on intrusion into individuals’ privacy?
Both of the likely uses of the data generated under the Communications Data Bill are problematic from a privacy point of view:
Data mining: This is the practice of looking at the entire data set to spot suspicious behaviour patterns and proactively take steps to prevent an individual from doing something as a result. A possible action that could be taken as a result of data mining is, for instance, putting someone on a no-fly list. We are therefore likely to end up with law enforcement agencies making life-changing decisions about individuals on the basis of data which is likely to be inaccurate, generate false positives and which individuals will have very little or no access to in order to appeal and overturn such decisions.
Data filtering: This is the practice of tracing one individual’s activity through the entire data set. A remarkably detailed picture of an individual’s life can be generated from records such as who they have contacted by phone or email, what websites they have accessed or where they have been, based on location data from mobile phone networks. Simply by existing, this data set becomes a target for malicious activity by criminals, corrupt journalists or other parties not authorised to access the data. Rather than increasing our safety and security, this data set would expose us to additional risks.
Both data mining and data filtering at the scale proposed in the Draft Bill give the state unprecedented powers to invade individual’s privacy. They extend well beyond the sphere of digital communications and into our physical day-to-day lives. There are also additional concerns over the extent of the intrusion into content of communications, as well as potential future secondary uses of the data set.
Intrusion into communication content: While the Draft Bill is intended to only track headline communications data (who, where, how, when) rather than content, the proposed implementation would potentially give access to communication content. For instance, in the case of data on which websites an individual has visited, content is implicitly included in this information. Remarkably accurate conclusions about content may be also be made by putting together different pieces of information from the data set, e.g. if an individual looked up medical terms on the Internet and then went to see their GP.
Secondary uses: We have seen a number of cases where data sets collected by companies or governments for one purpose have later been used for other purposes without gaining consent from individuals. A recent example comes from Germany where the government is in the process of legalising the sale of citizens’ data acquired through the mandatory registration programme to private companies for marketing purposes on an opt-out rather than opt-in basis. Therefore invasion of privacy is unlikely to remain limited to the state and law enforcement agencies.

A bunch of questions came in this morning for Open Rights Group board election candidates. I’m sure my answers will go out to the election mailing list in due course, but I’m putting them up here for general reference.
1. Do you believe that individuals have the right to collect and manage their own personal data and control who they share it with using what ever tools and technology they feel most appropriate to their needs
The short answer? Yes. The long answer is a bit more complicated. I believe that digitisation of information and personal data poses new challenges to our concepts of privacy and identity. It has significantly altered the balance of power between the state and the individual as well as corporations and the individual. Addressing this, while still harnessing the power of digital information is the problem we are faced with. This goes beyond technological tools. It involves creating the right legislative framework, encouraging corporations to innovate and create business models which do not infringe individuals’ rights, as well as educating the general public on digital rights issues and enabling them to take back control of their privacy and identity.
2. do you believe an individual should be if they wish an active participant in processes which make use of their own personal data rather than simply being described as the subject in such transactions as currently defined in data protection legislation.
If they wish – yes. Having said that, I believe the systems we put in place – technological, legislative and commercial – should actively encourage and facilitate such involvement, making it as easy as possible for the individual. A good example is the recent EU directive on cookies which came into force earlier this year. So far I have seen only two websites even attempt to comply with it, and even those simply pointed users at their privacy policy which in turn told them how to turn off cookies in their browser. While this is definitely a step in the right direction, it is hardly an approach which encourages active engagement or makes it easy for the user to make an informed choice. There is a key distinction between giving someone the right to do something and actively involving them in the process. It is that extra mile that we need to encourage businesses and legislators to go.
3. how will you ensure that the Open Rights Group continues to work for individuals rights without imposing restrictions on those rights through any form of assumption that individuals are not sophisticated enough to take care of themselves or able to learn how to.
I think ORG’s ongoing move to become a more representative organisation with a much more involved membership (for instance through direct elections to the board and the creation of a Supporter Council) is key here. Having members’ views represented at all levels in the organisation and in key decision-making processes will help us ensure we are not making incorrect assumptions and we focus on the right priorities in the right way. I intend to support this organisational transformation and ensure it is as effective as possible in giving our members a voice.
Of course, ORG is not there simply to represent the views of its members but to campaign for digital rights for all. This is where I believe outreach and education are hugely important. Everyone is able to learn how to safeguard their existing rights, or how to use technical measures to safeguard their privacy on the internet. Yet not a lot of people bother. As a campaigning organisation we need to reach out to the general public and raise awareness of digital rights issues as well as tools which may help individuals look after themselves.
When it comes to effecting real positive change, however, an organisation such as the Open Rights Group is far more effective at lobbying and campaigning than individuals can be. This is where – with appropriate involvement from members – we need to make use of that strength of ORG to educate policy makers and influence corporations to enable us to create a digital rights environment that is fit for purpose for all.
4. What is are the three most important things you will endeavour to achieve during your first 12 months if elected
My key passion is around building diverse, sustainable, collaborative relationships and communities. The three areas I would focus on all fall under that general heading.
I want to fully support the democratisation process that ORG is going through at the moment. To me that means enabling a fast start-up of the Supporter Council, integrating it within ORG’s structures and decision-making processes. It also means enabling ORG to reach out beyond its traditional London base and creating a network of regional organisations.
I also want to look at how ORG uses volunteers, as I have had feedback from members indicating that there are perhaps more barriers to getting directly involved with ORG’s work than there should be. I want to encourage people to volunteer with us, while also putting the structures in place that enable us to make use of every minute of volunteer time we can get.
Finally, as I already mentioned in my candidate statement, I want ORG to become a more diverse and inclusive organisation, allowing us to build bridges with communities who may not have digital rights as their primary interest but whose interests still overlap with ours. This will enable us to raise awareness of digital rights issues among a much wider audience and to build much broader, stronger alliances, thereby increasing our influence.
5. What do you love doing that you are brilliant at and how will that help the open rights group succeed in its mission
Perhaps it’s my background as a technology manager at a multinational consumer goods company, but I have a passion for creating sustainable processes and organisations – either from a blank piece of paper or by improving existing ones. My experience as a trustee of national LGBT domestic violence charity Broken Rainbow UK has taught me that there is always something an organisation could be doing better, and it’s those opportunities that I want to find help ORG realise.
I also genuinely love evangelising about digital rights, be it in writing on ORGZine and my blog, through talks at organisations like Skeptics in the Pub, or in one-to-one conversations. Technology is changing our world on a daily basis, in more than just the obvious ways, and I firmly believe that digital rights are one of the defining political issues of our time. I fully intend to continue these activities if elected to the board and to help ORG gain a wider, more diverse audience for its message in any way I can.
6. What are the top three actions that you think open rights group members should be doing to support open rights group now?

1. Spread the word. Find a friend who’s not into digital rights and ask them what they think Google knows about them, or how they’d cope without access to the internet once a rightsholder decides to get them disconnected on no evidence at all.
2. Consider starting or joining a local group. Richard, one of my fellow candidates, has already started up ORG Sheffield. If you’re in his part of the world, join him. If you’re somewhere else, read Richard’s HOWTO and start up a group yourself.
3. Support ORG’s ongoing campaigns by signing petitions, talking or writing to your MP/MEP or responding to government consultations as appropriate.