UK’s quest for a fair and rational privacy law

The government's decision to scrap identity cards relieved privacy advocates but did not solve the basic problem, which is that citizens need a cheap, reliable, easy to use and universally accepted way to assert their identity.

This is the crux of a series of meetings between interested parties hosted by the Law Society on privacy, surveillance and the rule of law. The society believes that the "database state" poses huge threats to civil liberties and the rule of law.

The meetings are held under Chatham House rules, which allow Computer Weekly to report on discussions, but not to identify speakers. They are aimed at providing government with advice on how to avoid unintended consequences of new legislation.

From the discussions it is clear that there are at least two distinct strands to the issue. One is that the state has a legitimate but limited interest in identifying individuals. The other is that private sector organisations have a similar but more limited interest.

There is a huge grey area between the two, and civil rights advocates are deeply concerned about the growing use of IT to assemble information quickly and easily from public and private sources.

One delegate said they wished the UK had the same cultural heritage as Germany. They said the German constitution provides citizens with a pre-emptive right to their personal data, and the ability to enforce those rights against the state if it abuses its collection and use of that data.

"We have nothing like that," they said.

ICO critics

Instead, the UK has the Information Commissioner's Office, which is responsible for enforcing the Data Protection Act. Since its formation the ICO has used a softly-softly approach, calling for companies to implement privacy impact assessments and to build "privacy by design" into their information systems. Moreover, it has not yet used its new power to fine firms up to £500,000 for breaching the law.

The ICO's approach was seen as weak by some delegates. Evidence of this was in the widespread abuse of the Regulation of Investigatory Powers Act (Ripa), particularly with respect to closed-circuit television surveillance and automatic number plate recognition. Ripa was brought in to fight terrorism, but local councils have used it to monitor minor law-breakers such as fly-tippers, dog owners and parents who lie about their address to get their children into better schools.

Several delegates pointed to the difference between personal information that is collected because the person chooses to give it in opening a bank account, for example, and surveillance, which is non-consensual data collection of personal behaviours.

Business use of private data

The distinction is highlighted by the current furore created by Google's collection of data on Wi-Fi hot-spots as its cars cruised streets, photographing suburbs for its Street View map application. Everyone accepts that what's visible from the street is in the public domain; but the location of a Wi-Fi access point, especially if it is not open to the public, is a private concern.

Google has agreed to hand over information on this data collection activity, which it says was accidental and unintentional, to European officials. But it faces acute scrutiny and possible legal action in a growing number of jurisdictions.

Google CEO Eric Schmidt sought to distance the search company from the scandal by pointing to an unnamed "rogue" engineer in a Financial Times interview. "We screwed up. Let's be very clear about that," Schmidt told the FT.

Schmidt promised to announce next month the results of an internal audit of all Google's privacy practices as well as the codes related to collecting data.

This is Google's second privacy cock-up in six months. Early in 2010 it introduced Buzz, a social networking application, which revealed subscribers' contacts to the public automatically. Google changed the way Buzz allows subscribers to change their privacy settings within days of the resulting outcry.

Google's dominance in search engines worries many people. Although the company's motto is "Don't be evil", there are concerns that commercial needs may encourage Google and indeed all private sector firms to use the data they collect in as many ways as they can invent. This contravenes two of the ICO's principal tenets, namely that companies collect data for only one purpose, and destroy it once that purpose is fulfilled.

Privacy for Facebook generation

Search engine businesses appear to operate on the view that if information is on the internet it is in the public domain. This is simplistic, say others. They say that many people naively put up personal comments and images on social sites such as Facebook and Twitter, not realising that prospective employers trawl these sites for background on job candidates. Candidates may be refused job interviews because of what may be found, and may never be told why.

This is unfair, say the civil liberties advocates. People should not be held liable for youthful indiscretions perhaps decades later, they say. They would like to see a mechanism whereby people can delete such information or at least add information that provides context and perspective to subsequent viewers.

Others want even stronger protection. They believe that anyone going on the internet should automatically have a new avatar to represent them online for that session, and that all record of the avatar and who it represented should be destroyed when they log off. Critics note this would reduce the convenience of the net to the user because tracking cookies would not work the next time they logged on.

Bottom-line profits

It would also make it much harder for marketing firms to build up profiles of users' interests and behaviours. It would harm the search engines' business model, which relies on understanding those attributes well enough to ensure that users see only the information, including advertisements, most relevant to them.

Without that data, companies such as Google have no way to price their ads. Instead of relying on advertising to fund the free search and other services, they would have to get users to pay for them. That would be a step back to the traditional way of publishing and distributing information. That might please the press barons, but it would increase users' costs and slow the distribution of information.

While it might offer greater protection to individuals' privacy, it might come at too high a price for the economy as a whole.
