Privacy, Surveillance and Internet Safety in the Queen's Speech

Those in the IT industry who regard the Queen’s Speech as anodyne have failed to notice the potential interaction of the Civil Liability and Data Protection bills. We can expect lawyers to soon seek to replace their whiplash and PPI businesses with actions for loss of privacy, failure to act against on-line abuse, aiding and abetting fraud and the behaviour of rogue IoT devices. Once the e-Commerce and Consumer Protection Directives are transposed into English Law we can also expect a sharp rise (as specialist claims firms discover the revenue potential) in the number of civil actions for the consequences of non-compliance, e.g. failure to provide the registered address for legal notification of complaints/abuse on websites. I would prefer to see Trading Standards Officers funded by the pirates and predators they detect but, if such reform is not on the table, we need to make it easier for victims to obtain redress themselves.

There are also a number of interesting snippets in the Queen’s Speech, such as

  • the extension of compulsory motor vehicle insurance to cover the use of automated vehicles (in the Automated and Electric Vehicles Bill)
  • the “operation of the national data and communication service to safeguard smart services at all times” in the Smart Meter Bill.
  • “a more robust authorisation process for new companies who wish to enter the market” in the Financial Guidance and Claims Bill [impact on Fintech]
  • “digital services that will allow businesses to pursue their cases quickly, enabling them to recover debts more easily” in the Courts Bill.

The headline comments on the Data Protection Bill focus on the implementation of the GDPR but the quoted headlines were:

  • gives people new rights to “require major social media platforms to delete information held about them at the age of 18”
  • allows police and judicial authorities to continue to exchange information quickly and easily with the UK’s international partners in the fight against terrorism and other serious crimes
  • modernises and updates the regime for data processing by law enforcement agencies. The regime will cover both domestic processing and cross-border transfers of personal data
  • updates the powers and sanctions available to the information commissioner

Perhaps more significant is that, after Brexit, implementation will come under UK, as opposed to EU, law. Hence the importance of the Civil Liability Bill. This supposedly:

  • “cracks down on fraudulent whiplash claims and is expected to reduce motor insurance premiums by about £35 per year
  • ensures a fair, transparent and proportionate system of compensation is in place for damages paid to genuinely injured personal injury claimants
  • ensures full and fair compensation is paid to genuinely injured claimants
  • applies to England and Wales” [not Scotland or Northern Ireland – so much for the Union!]

It will almost certainly apply to civil action for non-physical injuries.

The diversion of police resources (including their on-line expertise) into anti-terrorist activities at a time when the evidence as to the rising cost of on-line impersonation and fraud is improving has already led to a sharp rise in the number of law firms offering “asset recovery” services, including to the clients of insurance companies who now mandate such contracts as a part of the incident management processes central to modern cyber insurance. Soon we can expect a spread to the UK of the US plague of calls to victims from “asset recovery” firms. Now let us assume that every data breach notification is a source of new leads for the call centres currently drumming up whiplash or PPI claims …

It is a year since the report of the Culture, Media and Sport Select Committee enquiry into Cybersecurity identified the need for guidance from Citizens Advice on how to sue, and from the Law Society to its members on how to help them. Its main point was, however, on the need to focus any data breach fines on those without effective processes to enable potential victims to make contact to check whether contacts purporting to come from them were genuine.

At the time we thought, but had no quotable evidence, that predators already had access, via the dark web information markets, to all they needed to acquire genuine credentials in the name of those worth defrauding. A few weeks ago I was told that profiles on over half the UK’s over 65s are now known to be available, to enable predators to decide if they are worth defrauding – and if so how (accounts, passwords etc.). Yesterday I received a press release using the fears raised by the data available to impersonate ministers and government officials to promote biometric ID technology to serve others at similar risk.

When it comes to the sharing of legitimately acquired data, the paranoia of the digiterati over the surveillance powers of GCHQ pales beside that of parents who have just discovered how vulnerable their Snapchat-obsessed children are to being not only spied on but tracked in real time on their days out. Then we have the Internet of Sh*T. Vint Cerf’s clip has 39,000 views, the Re Publica video on the legal implications has 1,000 but the “Internet of Sh*t Song” has nearly a million. We could have a lively time in both Lords and Commons if Government decides to allow free debate on such issues in between the Brexit Bills.

Will we see all parties unite in wanting to make the UK the safest place to go on-line and a global hub for both trusted identities and robust privacy and anonymisation? If so, that will mean debating governance rather than technology.

How do we, could we, should we, “know” that Google is more, or less, trustworthy than GCHQ? And if we cannot … how should we proceed? Unlike the Open Rights Group, I happen to trust the processes of GCHQ … but I do not trust those of its US or continental counterparts, let alone those of the commercial Big Data operations hoovering up everything they can while trying to avoid legal liability for the consequences of their actions.

And returning to the Queen’s Speech – while I like the idea of smart meters I will not install one until it does something useful for me … under my control – not that of my energy supplier.

In the meantime I look forward to hearing what the members of the Digital Policy Alliance make of the Queen’s Speech. A side effect of the DPA work supporting PAS 1296 is that the membership includes those who are serious about delivering data-minimised front ends to robust and secure world-wide (not just UK- or Euro-centric) identification and authorisation systems. Their collective experience of practical (as opposed to theoretical) security and governance, not just within the UK, is impressive.