Surveillance State Kerplunk

The Conservatives have unveiled their plans for reversing the rise of the surveillance state. Seeking to pull the surveillance infrastructure out of government, their views are commendable, but it will be difficult to pick out the undesirable straws from the necessary ones – in the manner of Kerplunk – without bringing the infrastructure down around us. What are they calling for, and what are the consequences?

The state of the database state

The document describes a stark reality: that New Labour ignored the warnings of the Information Commissioner and the Director of Public Prosecutions, and rubbished the findings of Privacy International and the Joseph Rowntree Reform Trust (JRRT), to push ahead with a new relationship paradigm between citizens and the State – one in which central and local authorities command and control individuals’ lives. The Conservatives recognise that this approach ignores technology developments, failing to incorporate federation mechanisms and proper security controls in system designs. That last point is vividly demonstrated by quoting the Prime Minister’s response to public sector data losses in 2008:

“We can’t promise that every single item of information will always be safe.”

From a security perspective, that is of course true, but it should not become a design aspiration for a new system – as it appears to have done, judging by the long list of system failures and data losses in the Conservative report. The Conservatives pay particular attention to the National Identity Service, quoting Microsoft’s former National Technology Officer Jerry Fishenden when he said that the National Identity Register will create

“a ‘honey pot effect’ for hackers, fraudsters and terrorists… [leading to] massive identity fraud on a scale beyond anything we have seen before”.

They also point out the failure of the plans for the Communications Data Bill (although that particular policy item is still very much alive on the government’s agenda), attempts to undermine data sharing controls in the Coroners & Justice Bill, the rollout of ContactPoint, and the JRRT’s conclusion that a quarter of public-sector databases are almost certainly illegal. Ironically, one of their best quotes comes from former Home Secretary David Blunkett, the original champion of big databases:

“If we tolerate the intolerable, the intolerable gradually becomes the norm.”

Rolling back the Labour years

The Conservatives define eleven policies to extract the State from its current position, underpinned by five guiding principles, which are worth quoting in full:

  • We want to see fewer – not more – giant centralised databases, amassing personal information on the citizen.
  • Government should be guided by the principle of proportionality, which means that fewer personal details are accurately recorded and held by specific authorities on a need-to-know basis only, and for limited periods of time justified on the basis of operational necessity.
  • Wherever possible, personal data will be controlled by individual citizens, who have the power to decide which agencies can access or modify this information.
  • We need greater checks on data-sharing between government departments, quangos and local councils.
  • We need stronger duties and sanctions on government, to ensure that the private information it gathers is held securely and that government databases are properly managed.

These are powerful principles, which represent a reversal of much of current government policy. The stated policies are as follows:

  1. Scrap the National Identity Register and ContactPoint databases, flawed systems that will create greater – not less – public exposure to risk.
  2. End the permanent retention of innocent people’s DNA on the National Police DNA database.
  3. Restrict and restrain council access to personal communications data.
  4. Reviewing protection of personal privacy from the surveillance state as part of a British Bill of Rights.
  5. Strengthen the audit powers and independence of the Information Commissioner.
  6. Require Privacy Impact Assessments of any proposals for new legislation or other measures that involve data collection or sharing at the earliest opportunity. Require government to consult the Information Commissioner on the PIA and publish his findings.
  7. Immediately submitting the Home Office’s plans for the retention of – and access to – communications data to the Information Commissioner for pre-legislative scrutiny.
  8. Require any new powers of data-sharing to be introduced into law by primary legislation, not by order, so that they are properly debated and scrutinised in Parliament.
  9. Appoint a Minister and senior civil servant (at Director General level) with responsibility for operational data security.
  10. Task the Information Commissioner to publish guidelines on best practice in data security in the public sector.
  11. Task the Information Commissioner to carry out a consultation with the private sector, with a view to establishing guidance on data security, including examining the viability of introducing an industry-wide kite mark system of best practice.

It’s reassuring to see that the Conservatives haven’t fallen for the spin that the UK has obligations under EU law to build the NIR for passport purposes (it has no such obligation), or that it would be more expensive to scrap the NIR than to build it (it wouldn’t). An Information Commissioner who reports to Parliament rather than the Ministry of Justice, and who is given the task of auditing government departments and other public bodies, should finally be in a position to take decisive action when it’s needed, in much the same way as we see in the likes of Germany or Canada.

The Conservatives are extending the requirements of the government’s own Data Handling Review to ensure that not only are new systems subject to a PIA, but also new legislation: there is little point in conducting a PIA on a fundamentally unjust system when it has been mandated in law and there’s no scope to change the deliverables (for example, the Information Commissioner publicly dismissed the idea of PIAs on some or all of the National Identity Service). This is definitely a welcome move.

Setting party politics aside, the Conservatives should find sympathetic ears north of the border, where the Scottish government has long been ahead of the rest of the UK in its understanding of the challenges and consequences of surveillance technologies, and is currently consulting on a set of detailed principles to control government use of personal information.

Consequences of Conservative policy – what does all this mean?

Oliver Letwin’s team is developing Tory policy for their (anticipated) first 100 days in power, and that plan will have to deal with both the stated policies and some of the anomalies that may arise from them. I broadly agree with the document, and certainly welcome it as an alternative to current government policies, but there are some loopholes and areas that will need particular attention. A few of these include:

  • At the broadest level, the Conservatives wish to scrap the National Identity Register. Whilst I would endorse that policy, we must not abandon the provision of population-scale authentication services, which is a duty of government and an essential service for the UK if we are to compete in the online economy. We can’t just have ‘no ID at all’ – there are plenty of examples of proportionate, population-scale authentication schemes out there, and we should consider how a citizen-centric scheme, built primarily to serve individuals and industry rather than the needs of the State, could promote economic growth and protect against fraud. The government’s own advisor, Sir James Crosby, made this point in his report to the then-Chancellor, Gordon Brown. We shouldn’t ditch the idea of strong authentication, just the current fundamentally flawed plans.
  • If the NIR goes, then decisions will have to be made about whether to also disband the Identity & Passport Service, and how to unwind the current supplier agreements and procurement contracts. We will also need to decide the fate of the biometric visa documents issued by the UK Border Agency, which have been pitched as ‘ID Cards’ to the public, since keeping them in that form would risk the creation of a two-tier identification society, where immigrants are discriminated against using these cards.
  • If we scrap the NIR and ContactPoint, then government will require clear guidance on what should be used as the ‘trusted index’ for delivering transformational objectives, or even whether those objectives are still desired. If we are to drop the National Insurance number as a pan-government identifier (which I hope we will) then there has to be a strategy to facilitate accurate and privacy-friendly data sharing where it is necessary and reasonable. Without such guidance, departments will invent a host of fresh ID schemes.
  • We have many other ID schemes being developed by different departments, local authorities and healthcare providers. If we are to save money, then these should be condensed into the minimum number – ideally just one. Some of that money saved will be needed to help fund the Information Commissioner’s new audit team that is called for elsewhere in the document.
  • From a security and liberty perspective, ContactPoint is indefensible, but we need to create a framework for the discussion of child protection issues without putting children at risk or resorting to the current draconian measures again.
  • The government just this week announced the appointment of Sir Joseph Pilling as the Identity Commissioner. Do the Conservatives plan to scrap that role?
  • The Conservative policy document refers to ‘ad hoc powers of inspection and financial penalties for the deliberate, reckless or grossly negligent management of data.’ I can’t really see the point of such punishments within the public sector, since the citizen loses once when their data is misused, and again when the department is fined and left with less money to fulfil its duties. The public sector needs to face up to the current reality of commercial practices – such an offence would be considered a gross breach of the contract of employment, and result in dismissal for the responsible individuals.

These are just a few of the points that spring to mind, and if the Conservative policies are to come to fruition, then they need to be resolved before next May. Much of the policy document has been drawn up in partnership with pressure groups and selected experts, and the right move now would be to open it up to public consultation.

If we’re serious about handing the balance of power back from the State to the individual, then it’s time for individuals and companies to define what – if anything – they want from identity technologies; what a proper and proportionate role for government would be; and how we play Surveillance State ‘Kerplunk’ without bringing the whole information infrastructure crashing down around it.

Join the conversation

So, only 1, 2 and 8 of the "stated policies" actually contain anything substantive, and 2 leaves room for simply moving the existing information somewhere other than the current database. If they're going to get rid of said data, why not say so? All of the rest seems to boil down to pleasant-sounding platitudes. Not particularly impressed, I must say.
Would "bringing the infrastructure down" be all that bad? My main criticism of the Tories' approach is that it is reactive cherry picking, rather than tackling the underlying culture of state registration of every damn thing. "[W]e must not abandon the provision of population-scale authentication services, which is duty of government and an essential service for the UK if we are to compete in the online economy." - Sorry, but that's just tosh. It would be nice to have some better authentication services available (a variety of them), but it is undesirable to let the state planners (which includes anyone who believes in national competitiveness) anywhere near them, if you want them to develop as needed. The present lack of convenient ones is as much to do with the lack of real demand as anything else.
Thanks for the response Guy. I'm not sure this is cherry-picking, but we do need to develop a great deal more detail if the plans are going to stack up properly. My biggest worry is that a future government ditches the ID scheme then 'accidentally' builds it again because they discover a conflicting policy need that requires a central register. I have to disagree with you on your second point. Note I used the word authentication, not identification: lessons from Scandinavian nations in particular show that when individuals have a trusted mechanism to assert credentials online then entire new commercial and public service ecosystems evolve. Government should be 'just another customer' of such an approach (as per the Crosby model) rather than the owner, but someone has to ensure that there is a foundation of trust underneath the scheme. I'd have no problem with a scheme in which the government controls uniqueness within a central register - which itself holds no biographic information, and does not require any breeder documents at all for an individual to register - to support a further federation of many database systems from private and public sectors. Commerce has been awaiting an ID scheme for over 5 years now, and has underinvested in this area because of a fear that whatever the Home Office develops won't be compatible with a particular commercial approach. My worry is that if we simply tear out the scheme, without neatly tying off the loose ends, then something unpleasant will fill the gap (although I struggle to imagine how it could be more unpleasant than the current approach!).
You might be right that there has been a crowding-out effect, but I'd suggest that it is really no big deal technologically or economically. If you really need something, you know what job you want it to do, and you don't stick around indefinitely in the hope government pursuing its own objectives might build something vaguely similar that might work. The scheme has already left a number of would-be contractors with painful losses from abandoned bids because of procurement delays and lack of specification. 4+ years slippage on a (notionally) ten-year programme is nothing to a Home Office that has wanted a national register for decades. It is an age in e-Commerce. The real danger is regulatory exclusivity where a dog-in-the-manger government demands central identification, and independent authentication methods are deprived of validity by fiat. We have already seen this in checks on entitlement to work. I agree with your biggest worry, and fear that if it happens it won't be an accident. Computer Weekly has already covered how the IPS is working (and has been for some time) to defend its raison d'être against cancellation by maintaining the components are necessary parts of the passport system and upgrades to DWP systems. That's why we need an incoming government to understand that what it needs to do about the civil service approach to IT is radical, and that the database state is a deeply embedded administrative approach whose acolytes will defend it. Superficial cancelling of headline programmes and regulatory tinkering will scotch the snake, not kill it.
I think we've found agreement here :-) The waiting effect has, I believe, stifled innovation: for example, the finance sector has sat on its hands rather than sort out its own KYC problems, since they know that the government will mandate use of an ID card sooner or later, so what's the point in them investing? You're very right about 4 years being a long time in technology. Particularly when the system specification was buried in Roman/Medieval/Victorian (insert really old historical era here) ideals of the State controlling information about individuals, and then mandated in the legislation...
"The waiting effect has, I believe, stifled innovation" I think you've made a key point here Toby. We do need population-scale authentication services, but it doesn't make business sense for (eg) banks to invest in this if they think the government is going to build something. But surely part of the problem has been that even if the current scheme is the best possible solution to whatever the problem is, no-one knows what they are building -- you can't go to the web site and download the spec -- so no-one is able to start building on it either. We need a much more open approach and perhaps the incoming administration might be persuaded to try and find ways to work with the grain of the sector (OpenID and the like) to find a practical implementation.
Yes, not a very substantive document really. Away from the more esoteric arguments about what data government should or shouldn't hold, and the partisan nature of the evidence quoted, and down to the nitty gritty of practicalities. There are some serious holes in the analysis of identity cards and the Register. It's not clear from this document where passport data would be stored if the National Identity Register is to be scrapped. The old passport system is obsolete, the software is ten years old, and it's already being replaced. So, is the suggestion a new passport register? Or is it that there simply wouldn't be any record of who had obtained a passport? The latter would clearly be an excellent way to encourage identity fraud on a massive scale. For example, how would you know if someone hadn't applied for twenty passports in different names if you have no existing application records to check a new application against? Or are we to adopt the German system of regional passport databases, rather than a national one, which might be workable, although more bureaucratic and expensive? In your analysis, Toby, you seem to hint that it might be necessary to disband the Identity and Passport Service if the NIR is scrapped. I can't really see the logic behind that, unless you are suggesting that we move to a regionalised basis for issuing passports? This of course does break a fundamental rule of good business - 'if it ain't broke, don't fix it'. The existing system for issuing passports works extremely well, and is self financing. If you were starting with a blank piece of paper, then you might want to consider a system like the German one, as one option, and evaluate it for effectiveness and cost against the other models, but that's not where we are. And, in true Yes Minister speak, it would be a brave politician who decided to change the passport system to a radically different model for purely philosophical reasons, when the existing one works.
The spectre of the system change in 1999 which caused huge passport queues and a great deal of public anger still haunts popular memory, both public and political, and doing something as radical (and incidentally expensive) as that would certainly be a high wire act for any politician. And of course, finally, there's the suggestion of cost. As we all know, passport and ID cards are self financing systems so they don't make any call on the public purse to run them - the system is funded through the sale of passports, and shortly ID cards - however cancelling them could well make a contribution in entirely the wrong way to the Government's budget deficit (whichever government that might be). Not only would you have to write off all the money that went into designing the system and the Register as well as the costs of setting it up, but how would you compensate all those people who have cards already, and which you've cancelled? Even if you only look at foreign nationals (and they pay considerably more than £30 for theirs) there's a considerable number of cards in circulation already. Put up the passport fee? Very popular. Ask the Treasury for the cash? Dream on. Cut the policing budget? Yeah, right. Or I suppose you could argue that we keep ID cards for foreigners but not for UK nationals, on the basis that they supposedly infringe civil liberties. Very egalitarian, I must say. Of course this document sets out what an incoming Conservative administration would do regarding ID cards and the NIR, namely cancel them, but it doesn't explain the second part: where it would find the money from to cancel them, and what it would do to replace the passport register functions that are in the NIR being developed at the moment, and how it would cope with the fallout (political and otherwise) if it didn't.
Many thanks for your comment. I do of course disagree with most of it, but respect your right to those views. You may have missed my point that I'm not at all opposed to the principle of a population-scale authentication infrastructure - what I object to is building an outdated and monolithic scheme that is designed to serve the needs of the State without taking into account the needs of the people or commerce. And I fundamentally disagree with integrating ICAO travel document requirements (which are designed to work properly in developing nations) with what is supposed to be a 'high-tech' scheme - even if the NIR survives the next election, it should be used solely as a test of uniqueness for passport applicants, and not as the biographic/biometric database for the passport scheme. Our current design aspires to ICAO standards - with which we already comply; the issue is around visa requirements - when we could do so much better. As for scrapping IPS: I didn't call for that, but history shows that new governments like to be seen to take decisive action, and since so much of IPS is structured around the ID scheme, there would be a case to argue for ditching much of it (including the name) and starting again. Of course, I'm not privy to what that might cost. I do agree with you about the courage of an incoming minister to scrap the ID scheme when inevitably the new opposition will capitalise upon the first terrorist/child protection/miscarriage of justice incident that might just possibly have been prevented, or at least resolved more quickly, if ID cards had been involved. Whether or not that would be the case wouldn't matter, I'm sure they'd find a sympathetic ear somewhere in the media, and it would be a tough one to ride out. As for cost: I'm afraid the idea of a 'self funding' public scheme is a myth. It's simply tax raised in a different way.
If we're going to tax people then we have to deliver public service value, and the ID card in its current incarnation seems unlikely to do so. The opposition have largely dropped the hollow argument of "we'll spend the money on police instead," which is a good thing since that money doesn't exist until it's been raised through taxation. You seem to accidentally imply some discrimination against foreign nationals in your argument, so for the avoidance of doubt: whilst there is a legitimate case to argue for biometric visas to support immigration controls, I do not like the idea of branding biometric visas as ID cards. These are issued to support a very specific relationship between the individual and the government, and should not be encouraged for use with a plural of relying parties. The concept of 'labelling' foreign nationals in their day to day lives here disturbs me deeply, and I assume you weren't implying that was what I intended. Finally, on that public funding note: a quick google reveals that Vespasian was the inventor of the paid public convenience, in other words the first leader to tax taking the p*ss. No relation I assume?
Privacy Impact Assessments have been mandatory for all Government IT systems handling "citizen or personal data" since the introduction of Information Assurance Standard 6 in Oct 2008 (compliance with IAS6 is specified in Mandatory Requirement 14 of the Security Policy Framework V2, May 2009 although it was also at the same place in V1). The same rules apply to commercial systems processing government data. As accreditation reviews are now annually, these will need to be applied retrospectively to existing systems, whether part of the NIS or any other government department or contractor. I would note that this is Cabinet Office direction, rather than within the powers of the Information Commissioner.
Vespasian wrote: "The old passport system is obsolete, the software is ten years old, and it's already being replaced." That is a shocking indictment of the government's IT philosophy. A database set up to record documents with a 10 year validity being replaced after just 10 years?! In what way is the software obsolete? All that is required is a list of names and dates against passport numbers. Why should that require a new IT system?
I would be seriously worried that, even after an incoming Tory Government scraps the NIR and ID Card scheme, the Home Office will continue to devise default requirements for identification that make life problematic in the British Isles without a passport. A key example of this is the reform of the Common Travel Area (CTA) that was proposed in the Borders, Immigration & Citizenship Bill. Although 'officially' this reform has been shelved, the Borders Agency is preparing a further attempt to get the legislation through Westminster before the next Election. Essentially, it is proposed to make it very awkward for British Citizens travelling between Ulster, the Crown Dependencies and the mainland UK unless they carry a passport. The default power will lie with the Borders Agency who intend to use 'Operation Gull' type stop and search powers in a variety of locations. There is a subtle fear factor being built into 'in country' travel that, without some form of ID, your journey may be impeded. This encourages the ownership and carrying of some kind of de facto ID, of which the most recognised document is the passport. I, for example, am British and live in the Isle of Man. Yet I face the prospect of having to hand my fingerprints to the state and carry a passport just to travel between Belfast, Dublin, Liverpool and Douglas. At present I just hop on the boat to the UK in the same manner as a resident in, say, the Isles of Wight and Mull. The system design for CTA reform seems designed to incubate a culture of 'ID for travel' on local journeys. For my present ID-free travel to continue I would need to see the Tories abandon CTA reform, scrap biometric fingerprinting and hold only a basic database of the machine readable zone of the passport. It strikes me that the key issue for the Tories is to present the Home Office with a clearly understood and well argued culture regarding the ancient right to travel freely across Britain.
"... the ancient right to travel freely across Britain." And for British Citizens, in and out of Britain. That's one of the things the Home Office was caught trying to change in its draft 'simplification' (read: 'complete rewrite') of immigration law at the end of last year. I've heard Dominic Grieve talk passionately on the topic of a passport *not* being permission to travel, but that is not how the Home Office would like it to be.