Where is your data? Redacted and Locked away

The Government who pioneered “open government” and the Freedom of Information Act, are certainly not living up to spirit of the law they created. In 1996 Tony Blair stated, in a speech about open government, that “The only way to begin to restore people’s trust [in Government] is therefore to be completely open“.

However despite this laudable goal, and numerous other assertions of “open government, a request to access the cabinet record minutes in relation to the Iraq war has been refused by the Labour Government.

This is particulary interesting as both the Information Tribunal and the ICO have stated that the minutes should be released.

The Information Commissioner, Richard Thomas has publicly stated that:

My Decision to order disclosure of the Cabinet minutes was made under the Freedom of Information Act on public interest grounds. It was upheld by the Information Tribunal. It was made clear by the Tribunal and by me that this was an exceptional case.

The government has chosen not to appeal the Tribunal’s decision to the High Court, but instead has exercised its right of veto under the FOI Act. However, it is vital that this is also an exceptional response. Anything other than exceptional use of the veto would threaten to undermine much of the progress made towards greater openness and transparency in government since the FOI Act came into force.

I shall be studying the text of the Secretary of State’s Certificate and Statement of Reasons which I received today. Using the power available to me under section 49(2) of the Freedom of Information Act, I will shortly lay a report before Parliament to record the circumstances leading to this outcome. This will be in line with previous commitments I have made and the interest shown by past Select Committees in the potential use of the veto.

This case of the government of refusing to release data, follows quickly on from the “torture case“, where the UK government has evidence of torture, which is redacted, but will not allow the redacted text to be seen, despite the trial judge stating its in the public interest.


Data Misuse: Police Chief Constable Arrested

In January 2009 the ex-Assistant Chief Constable of West Yorkshire police, Andy Brown was arrested for breach of the data protection act.

In an odd story involving ex-police officers, serving police officers, and a missing dog, it appears that Andy Brown gained access to the PNC  (police national computer) to check the registered owner of a vehicle, in an attempt to locate a friends dog.

This latest case of data misuse does not appear to be  particularly sinister, just a case of of an “ex-job” guy helping out a friend, rather than going throught the police channels, which would have resulted in the same information being obtained. What is it does remind us of is how easy it is for people to get information out of PNC. In fact if there had not been a complaint in this case, nobody would have known.

How often does this happen, and nobody gets caught?

Data Loss Sanctions: NHS

The NHS has been sanctioned by the ICO, after being found guilty of breach of the data protection laws, in relation to loss of a laptop in April 2008

5,000 patients records were lost on a laptop which was not encrypted. This is the first ICO sanction against the NHS this year, but with so many cases of data loss last year by the NHS, there are probably many more to come.

No doubt many other government departments will be facing criticism by the ICO this year.

Data Loss: Home Office Enforcement Action: ICO

The Home Office has been censored by the ICO for their handling (or lack of it) in August 2008, when prisoner details were lost on a USB stick, which were in control of the consulting company PA Consulting.

The news, released by the ICO on Thursday states that the Home Office was required to sign an undertaking, (signed by David Normington, the Permanent Secretary for the Home Office) in relation to future security of data.

This, similar to the undertaking by the HMRC for their data loss, shows that the ICO is starting to crack down goverments as well as the private companies.

Data Misuse: Police (2004)

In 2004  police worker, Leanne Thomas, from Gwent looked up the police records of her “friends”, on the Police National Computer (PNC), because she was “bored”.

Leanne Thomas was later convicted of breached the data protection act and suspended from her job.

It is incredibly easy for people with accesses database to misuse data and there are numerous examples of data misuse in the UK, and and the police have misused data on several occasions.

It should be remebered that these are only the cases that people get caught, which is a fraction of the amount of real crime.

Junk Mailers and the Data Protection ACt

The ISBA ( Incorporated Society of British Advertiser) complained that the Data Protection Act (DPA) will stop the junk mailers – the people who send out millions of junk mail adverts every year (the industry name for it is direct mail) – from doing their job

Updates to the Data Protection Act means that the marketing people can no longer use the electoral register as means to mail out huge volumes of junk mail/marketing material.

With no hint of irony the ISBA stated that the electoral register allows to  the marketing companies to be environmentally friendly. As it allows them to “target people” (rather than empty address), and if they can no longer use the electoral register they may get a few wrong houses.

It should go without saying that sending out millions of unwanted letters with a very low success rate(1% to 2%) is not the most environmentally friendly method of advertising in the world.

Should you want to avoid junk mail here are some tips

File Sharing – Where do you stand?

Earlier this year the UK’s ISPs have hand over information about names and addresses, following court action by those who feel their copyrights have been infringed, e.g the games and music industry.

These companies try and track those using file sharing technologies such as bit torrent or other peer to peer programs. What the investigators end up with is an IP address, e.g they can show that has been sharing specific music files.

As the IP address are, generally, from home users, they only reveal the company providing the line, e.g BT, not the end user.

The IP address does not identify the person who was actually using the IP address at a given time. In addition to this most home IP addresses are also dynamic, which means that different people can have the same IP address at different times.

The only people who can resolve the IP addresses to a given person are the ISPs. E.g BT can identify who had IP address on Saturday 25th October 2008 and who had it on June 1st 2008.

The ISP will not provide this information by a simple request, but they need to be compelled by a court order. Which is what happened earlier this year, and thousands of home addresses were resolved from IP addresses, by the ISPs. It is suggested that up to 25,000 home addresses were identified as part of these court orders. 

Once the investigators and their employers e.g BPI (British Phonographic Institute), games industry, etc, had identified the home addresses  these companies took different actions.

Some companies wrote to the home address trying to “educate” the users. Others wrote, via the solicitor Davenport Lyons, to the registered owners of the IP addresses identified and demanded that the users pay a £600 fine or face additional action.

Where do you stand?

So, the games and music industry is now getting tough. But where do you stand?

Firstly any firm is on a very sticky wicket if they try and issue a fine based purely on an IP address. It is entirely unreasonable to suggest that you can identify a user from a IP address. For example, a house with one computer may have multiple users. A home may have a family computer, the father pays the bill but its the son who is down loading the music (without his father’s knowledge). The father can not be held reasonable for that action any more than he can if his son goes out and steals a car.

Secondly most homes now have multiple computers, and the IP address just shows the house that was down loading music, and not which computer.

Think of a student house with 4 people living in it, one person pays the bill but another person down loads the music, one student can not be responsible for another, just because they live in the same house.

The first and second problem can be combined. E.g a house can have four people living it in, but the girl friend of one of the students stays over regularly and down loads music files, on her account on one of the computers in the house. Can the person who pays the bill in the house really be held responsible for the actions of the partner of a person he lives with? Of course not.

There is then the third option, insecure networks. Most routers come with wireless networks running as default and it is insecure. If your neighbor uses your network to down load music, should you be held responsible for this?

If the UK government cannot maintain control of critical information, how can a home user be expected to secure data?

Can they get more information?

As shown above the IP address is not enough to ensure a conviction/fine, the company would need to gain more information, from investigating the the suspected home computers. This is possible, legally.

A company, e.g BPI, could request an order/warrant to search a suspected house based on the IP address/home address provided previously, and that would could well be reasonable. 

If that did occur BPI would need to get the order, then attend the address, make an exact copy of the suspected hard drive(s) and then take the data away for analysis. This sort of operation would be conducted by contractors, so it is entirely technologically and legally possible. But the cost of doing this would be so expensive, probably £10,000s on per address, that it would be cost prohobitaive on a massive scale. But, the BPIs and the like could consider doing this on a selective scale to send out a message – it depends on how much they value their PR.

Is it legal?

Currently the ISPs have passed over the information, via a High Court order, and so it is entirely legal.

There have been no morning raids or Anton Piller orders, at home addresses reported in the press so far, but they would also be legal if they did occur. The ICO has not commented on the issue either, again showing that this is legal in the UK and there is no objection.

However, on 29th January 2008 the European Court of Justice in the case of “Productores de Música de España Promusicae vs. Telefónica de España“ the ECJ stated that the provision of traffic information for civil reasons, i.e resolving the IP address to the home address,  was not required by member states, but it could be required if necessary at a national level.

In this case the exact same court procedures started in Spain as they did in the UK: The music industry demanded information on users, from the IP addresses they had collected. The difference is that in Spain the ISP Telefonica refused to do this, stating that this information was there for criminal purposes only. Spain then referred the case to the ECJ for advice.

The ECJ agreed with Telefonica. Sadly the the UK ISPs are not inclined to defend their users as much as the other countries, but if an ISP did decided to make a stand for their users they are almost certain to win following the ECJ ruling.