Privacy. And a tale of headless riders, Police blogs and security theatre

When dealing with data privacy, we need to think about proper use of Personally Identifiable information (PII) - the kind which can be used to identify someone and which tells us something about them. In the UK, the Information Commissioner , oversees operation of the Data Protection Act, which has principles and conditions for processing information. Everyone in Microsoft does mandatory privacy training to ensure that we use you information only in ways which comply with the Act and often go further.

A macabre case of PII misuse has been in the news recently. Telling to the press about their "Arrive Alive" campaign, North Wales Police used what they termed "Harrowing Pictures". These included a decapitated motorcyclist in a T-Shirt telling the police to " p*** off And catch some REAL criminals." . The T-shirt slogan, had been publicized at a biker's inquest - so it identified the man (and his family). Stories appeared with his name and the fact of his decapitation – which his father had kept from the rest of his family, and they had no idea this was coming. There is to be an investigation into the behaviour of the police although the not of the press.

I've said before that Inspector Gadget's blog helps to develop public understanding of what police officers go through - his piece "The rich girls are weeping" is full of pathos and almost poetic, so is his one from this week. Seriously you should follow those links. I'm not interested in other Police blogs so I was surprised to learn from the BBC that the North Wales Chief Constable has a blog with his side of the biker story. He seems robust, his message boils down to "Want to portray me as a Speed Obsessed loony? First you should know what we have to clear up "

Sadly the Chief Constable is engaged in "Safety Theatre" . We encounter Security theatre on a daily basis, whether it's as air travellers required to stand in large groups (read "target formations") to perform strange rites before boarding, as photographers shooting in a public place being accused of being terrorists on reconnaissance or being child abusers , or as Computer users required to change (complex) passwords so often we write them down. Steve has a post on the logic of "buy [this security product] or the sky will fall down". It is taboo to criticize anything, however bogus, linked to safety or security. In Britain the government tells us ID cards will protect us from terrorists, but they would not have prevented 9/11, the Madrid Bombings, the 7/7 London bombing or helped to catch the recent "Crevice" plotters. The Information commissioner seems like another robust chap; he has said that the UK could sleepwalk into a Surveillance Society as a result of ID cards, other opponents talk about a database state.

Part of the theatre effect is rebranding Speed Cameras as "Safety cameras". Some accidents (maybe up to 1/3) are caused by excess speed: so making people slow down removes that cause: so the argument runs keeping to speed limits must increase safety. Evidence to the contrary is buried. Reality is more complex; cameras only address one aspect of irresponsible driving, unfortunately, drivers tend to do more stupid things shortly after passing a camera and watching the speedo instead of the road makes accidents of inattention more likely. Published figures show the number of road deaths has stopped falling in recent years, while the number of cameras has rocketed.

Safety theatre means the North Wales Police can show a corpse with the implication "Speed cameras could stop this". It's not true: the biker was caught on camera doing 125MPH, six hours before he died; cameras have meant automated processes replace human enforcement, so he wasn't stopped. A court summons would have been sent out - although it's alleged that the number plate on the bike had been altered so perhaps not. In any event he had no license to lose; Cameras had no effect on him.

 Cameras may not save lives, but they are part of the Surveillance Society; last year the BBC reported the information commissioner again, saying 'Fears that the UK would "sleep-walk into a surveillance society" have become a reality' with a link to an Academic report - here's a quote

The intensification of surveillance of the motorist is set to expand rapidly. In March 2005, the Association of Chief Police Officers demanded a national network of Automatic Number Plate Recognition (ANPR) 'utilising police, local authority, Highways Agency, other partner and commercial sector cameras including the integration of the existing town centres and high street cameras, with a National ANPR Data Centre, with an operational capacity to process 35 million ANPR reads every day increasing to 50 million by 2008 (paragraph 9.5.5)

Who's in charge ACPOs policy on Road Policing? The Chief Constable of North Wales! Whilst he may be keen on implementing the "surveillance society", but he is against a Police state: in his blog exchange with the BNP he says joining the police means ... "not being able to play an active part in politics... It is precisely because I want to live in a parliamentary democracy, and not a police state, that I actively welcome this restriction on my private life.". It's a fine distinction because "Police State" and "Totalitarian" go hand in hand and as that report says

Our image of state surveillance is often shaped by novels and films. [Like Franz Kafka's The Trial or George Orwell's Nineteen-Eighty-Four ] These highlight the crucial role of information (or lack of it, for the surveilled) within bureaucratic governments, alongside the constant threat of totalitarianism (paragraph 3.6)  

So on the one side we have the Chief Constable wanting Cameras to keep us safe and secure, and on the other side the Information commissioner seeing their use in a the Surveillance Society. As well as ID cards he worries about facial recognition cameras (the ID cards database will hold facial data) as well as the ANPR cameras mentioned above. Last week he issued a press release saying he was

"proposing new safeguards – including privacy impact assessments and inspection powers – to ensure public confidence in initiatives and technologies which could otherwise accelerate the growth of a surveillance society. Giving evidence before the Home Affairs Select Committee the Information Commissioner will also call for stronger powers to allow his Office (the ICO) to carry out inspections and audits."

If you've read this far you may be thinking But what has this got to do with Microsoft ? Well there a couple of obvious basic points about protecting PII - One of the data protection principles is "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." Which recognises it is a matter of process as much as technology. Of course when I read Staff at M&S have been warned they may be at risk of identity crime after the theft of a laptop I did think "Bitlocker would solve that." {I'd love to hear from anyone looking at a large scale implementation of bitlocker by the way}

On the same day as they said the Information Commissioner's fears had become a reality the BBC published a piece called "How to hide in a connected world" and in the middle the heading "Microsoft as a privacy leader ?" The BBC repeats criticism of the initial incarnation of passport - it was good at "Oiling the wheels" in identity transactions but lots of people, including me, didn't like a single organization to amassed so much PII. New systems like Card space can give users control of which details they share in any given situation. (Notice that we don't trust people to follow the data processing principles of only doing with it what people consented to when they provided it, and only keeping it as long as necessary to do what they consented to.)
But what about the wider questions ? Neither Kafka nor Orwell foresaw technology's ability to retrieve and cross reference information about us. A colleague from the former East-Germany describes the surveillance we have in Britain today as beyond the dreams of the Stasi. The BBC piece had a quote "It is very easy to collect all of our data and the fact that it is there means governments will come up with a good list of reasons as to why they need access " it came from Caspar Bowden - who joined Microsoft with a reputation for being tough on governments and industry over privacy issues. I'm curious to know what people, in the UK especially, think. Do you think this is domestic politics, and Microsoft as a US company should keep out, or you think as the worlds biggest player in IT we should have an opinion and voice it. ? Do post a comment.

 Updateanother case where bit locker would have protected peoples privacy