In 2004, Richard Thomas, the information commissioner, warned that Britain was ‘sleepwalking into a surveillance society’. In 2006 he suggested that we were ‘waking up to a surveillance society that is in fact all around us’. He hasn’t said much this year, but by implication it must be around breakfast-time in the surveillance society by now.
It’s easy to get worked up about surveillance. By definition, the surveillance society is not a democratic society in which surveillance is pervasive. It’s one in which surveillance is so pervasive that it threatens the very fabric of democracy. The libertarian intuition that we are ‘descending into a police state’ is borne of this concern. As ever more laws are introduced to regulate social and material life (not least the 3,000 new criminal offences said to have been introduced by New Labour), and ever more aspects of our lives are monitored and recorded, the more we are asked to account for ourselves and the more we can be held accountable for.
In a nutshell, the problem is that it is but a few discrete steps from the information society we cherish to the surveillance society we fear. To avail ourselves of today’s hi-tech goods and services we have little choice but to allow those who provide them to collect more and more information about us. And let’s be honest: as long as they keep this information secure and confidential, we’re not all that bothered. Secretly, we may even quite like being profiled, targeted and ‘rewarded’ with Amazon book recommendations, discounts and freebies.
Although unwanted ‘spam’ has gotten beyond a joke, the principles of ‘data protection’ appear to work reasonably well in the private sector. The 1995 and 1997 EC directives, and the 1998 UK Act, have imposed clear legal obligations on ‘data controllers’ to protect personal information, while ‘taking your privacy seriously’ has become a corporate mantra.
So far so good: things to hide, but little to fear. Bring the state into the debate, however, and the equation quickly changes. A new generation of surveillance technologies, population databases, identity management systems, ‘dataveillance’, data-sharing and data-mining tools are providing the state with the capacity to construct an almost unimaginably detailed picture of our private lives. At the same time, our celebrated data protection laws are being systematically circumvented and unravelled in order to legitimise the very practices they were designed to prevent.
Who’s tapping your phone?
A few years ago, the police needed a warrant to access your telephone records – now all they need is your phone number. This revolution in communications surveillance was carefully orchestrated. In 2000, parliament adopted the misleadingly titled Regulation of Investigatory Powers Act (RIPA) which, rather than regulating state surveillance, bequeathed to the police and a host of other public bodies the spook-like power to access directly the records held by communications companies. In place of a judicial warrant, an ‘authorisation’ by a senior officer would now suffice. In accordance with data protection rules, telecoms companies were also duly deleting our phone records after we had paid our phone bills (a matter of a few months at most). ‘Not so fast,’ said the Home Office, using the 2001 Anti-Terrorism, Crime and Security Act (ATCSA) to introduce a voluntary code on ‘data retention’, under which the major ‘telcos’ would not only retain their records for up to one year, but provide the police with direct access to their databases. The House of Lords did its level best to restrict the purpose of the Act to ‘serious crime’ but this would inevitably prove meaningless once data had been retained.
Not content with the voluntary code, the Home Office now demanded mandatory data retention by all telecoms companies and internet service providers (ISPs). But rather than returning to parliament, which had already judged ATCSA a bridge too far, the UK government went to the EU to seek an agreement with the force of European law. A discreet amendment to EU data protection rules followed in 2002, and an EC directive on data retention was eventually adopted in 2006.
In 2007, the Home Office returned to parliament to make its voluntary code mandatory by statutory order (meaning no debate), with the justification that the UK was merely fulfilling its obligations under EU law. This is a flagrant case of ‘policy laundering’. Just as ‘money laundering’ describes the passage of illegitimate funds through outside institutions and back into legitimate circulation, policy laundering involves the use of intergovernmental organisations to agree policies that lack political legitimacy in order to bring them into practice.
The cumulative effect of mandatory data retention cannot be understated. All our telephone and internet traffic data must now be stored for at least 12 months (perhaps longer in future – up to three years as in Ireland, or five as in Italy) in case the police or other state agencies need to look at it. The list of other agencies includes, among others, the Tax Office, the Food Standards Agency, the Department of Health, the Immigration Service, the Gaming Board, the Charities Commission and 475 local councils.
Should the police wish to see your telephone records today, they no longer need to show ‘probable cause’ to a judge. They just need to turn on their computers (or phone a friend). In 2005/6, this power was used a staggering 439,000 times over 12 months – a figure certain to rise with mandatory data retention and its extension to internet usage by 2009. The lack of independent scrutiny means we can only guess what the police were up to, but in accessing records more than 1,200 times a day, we can be certain that their activities went far beyond the scope of organised crime and terrorism.
Pulling a Swift one
Telecommunications data retention is but one example of the state placing legal obligations on the private sector to facilitate surveillance. ‘Policy laundering’ is again in evidence, somewhat ironically, in the EC money laundering directives of 1991, 2001 and 2005. These directives have effectively reversed the principles of banking secrecy and privacy in financial transactions by placing a legal obligation on financial institutions to retain data for five years and report all ‘suspicious financial transactions’ and customers to the police. In the UK, ‘failure to disclose’ those suspicions is now a criminal offence punishable by up to five years imprisonment.
The money laundering directives now also apply to auditors, accountants, tax advisors, estate agents, lawyers and notaries, dealers in high-value goods and casinos (not that this has done anything to curb systematic tax evasion and corruption by the rich and powerful), while under the UK Terrorism Act 2000, we are all now liable to prosecution for ‘failure to disclose’ any suspicions we may harbour about terrorist activities. As these so-called ‘due diligence’ obligations come to represent the wholesale privatisation of surveillance, government whistle-blowing, as David Kelly and Craig Murray can testify, is positively discouraged.
Further obligations have been placed on the airline industry to provide states with information about their passengers (so-called ‘passenger name records’ or ‘PNR’). Under successive EU-US PNR agreements – which the European Parliament voted against on four occasions – US agencies now have direct access to European passenger reservation databases. There are few meaningful restrictions on the use or onward exchange of the data they extract. This means that even if you’re only taking a BA flight from London to Amsterdam, up to 35 categories of personal information that you supply could find themselves in the US Department of Homeland Security’s inbox. Perhaps it’s time to start reading the ‘terms and conditions’ before ticking that box? Except that if you don’t tick that box, you can’t book the ticket.
In other cases, corporations are simply handing their data over to state agencies in the absence of any lawful requirement to do so. In 2006 the New York Times broke the story that the US was secretly monitoring every transaction sent through the global Swift money transfer organisation – which is based in Brussels – via an illegal ‘mirror’ in the US. The EU responded by formally granting the US access to the Swift data.
It is suggested that the use of ‘mirrors’ by the US government is widespread, and endemic where US-based multinationals are concerned. This begs a question: when corporations are requested to hand over or provide states with access to their data in the name of combating terrorism or some other evil, are they really going to refuse in practice? The same question applies to public bodies, with Transport for London apparently all too ready to provide the security services with a ‘backdoor’ into the congestion charge and Oystercard systems.
The debate about ID cards masks far more insidious developments. Over the coming decade, the vast majority of the EU’s law-abiding population will be fingerprinted, registered and placed under de facto surveillance. Once again, governments have taken advantage of the EU to ‘harmonise’ national policy on the introduction of ‘biometric’ passports, ID cards, resident permits and visas. Article 18(3) EC of the EU Treaty should have prohibited EU legislation from the outset as it states clearly that the power to adopt legislation ‘shall not apply to provisions on passports, identity cards, residence permits or any other such document’. The member states simply ignored this provision and then used the new ‘reform treaty’ to belatedly add these powers to the EU mandate.
Under the ID Cards Act of 2006, from around 2010 everyone renewing their UK passport will be required to attend one of 69 ‘enrolment centres’, where they will be fingerprinted (all ten), photographed and asked any of the 200 questions designed by the Home Office to test the applicant’s identity, provenance and entitlement to remain in the country. Under EU rules, applicants for a visa to any EU member state will soon be subject to an almost identical process in their own country (with data retained in EU databases even if the visa is refused).
Your new biometric passport will contain an embedded radio frequency identification (RFID) chip that includes your fingerprints and other personal data, an identity card (with another RFID chip) and a number. The RFID chip is there to transmit your data, from distance, to special airport scanners, which scream ‘hack me’ to all those so inclined.
Your special number relates to your record in the UK national identity register (NIR), which links you to every other piece of information the state has ever collected about you. As the campaign group NO2ID has explained, the NIR will become ‘an index to all other official and quasi-official records. Through cross-references and an audit trail of all checks on the register, the NIR [will] be the key to a total life history of every individual, to be retained even after death.’
At the same time, a new generation of ‘e-borders’ will mean that all entrants are fingerprinted upon entry and given a de facto police record. The UK ‘e-borders’ system is to contain up to 90 specific categories of data on individuals and will record all movement into and out of the UK.
Shocked by the Stasi analogy in the subheading? You may be missing the point: the Stasi didn’t ask many questions because they already knew all the answers. Nor is it simply a case of ‘Business or pleasure, sir?’ making way for some rather more direct questioning. As more and more data is collected on the premise of border control, the techniques and technologies deployed at the border are simultaneously being deployed on the streets. ‘Multi-agency’ police checks (basically roadblocks with benefits, tax, immigration and DVLA inspectors in attendance), massive immigration raids and collective expulsions, hand-held fingerprint scanners, mobile access to police computer systems – these are all now matters of policy rather than legislation, and the subject of little if any debate.
You are a security risk
States are also investing heavily – and usually secretly – in the kind of predictive algorithms developed for direct marketing purposes in the belief that ‘risk profiling’ will help identify terrorists, criminals, psychopaths, problem children (see ‘Generation ID’, opposite) and other dangerous people before they have the chance to do us harm. This corresponds to more and more ‘preventative’ police powers – Asbos, security-based detention and so on. As EU policies, ‘terrorist profiling’ and computer-assisted passenger screening are now being introduced across Europe.
These types of programmes raise several fundamental objections. Primarily, by using assumptions about ethnicity, religion, nationality, lifestyle, education, health, wealth or criminal record as indicators of risk, these systems are intrinsically discriminatory. In turn, they inevitably lead to actions against large numbers of innocent people on a scale that renders the exercise both unacceptable and pointless. In the wake of the discovery of the Hamburg cell’s involvement in the 9/11 conspiracy, for example, German federal police agencies collected and analysed data on some 8.3 million Muslims (and suspected Muslims) in Germany but failed – despite hundreds of surveillance operations, arrests and interrogations – to find a single terrorist.
As Douwe Korff, international law professor at London Metropolitan University, points out, it is important to stress that this is not something that can be fixed by better design: ‘Attempts to identify very rare incidents or targets from a very large data set are mathematically certain to result in either an unacceptably high number of “false positives” (identifying innocent people as suspects) or an unacceptably low number of “false negatives” (not identifying real criminals or terrorists). This is referred to scientifically as the “base-rate fallacy”; colloquially, as “If you are looking for a needle in a haystack, it doesn’t help to throw more hay on the stack.”‘
Despite the fact that the judicial regulation of surveillance is fast disappearing, many liberals have faith that the surveillance society can be somehow ‘democratised’ – a few new data protection rules here, a little bit more accountability there. This is disingenuous to say the least: mass surveillance, data retention and risk-profiling are the very things data protection law was designed to prevent. Once these practices are introduced, the law can give little practical effect to the supposedly fundamental right to protection from undue or arbitrary interference by the state.
Others suggest that the very same technology used to hold the citizen to account can be turned inwards, so that ‘glass citizens’ are governed by transparent states, as it were. But in a country that won’t even allow telephone intercepts as evidence in court because the police and security services don’t want to compromise their secret listening programmes, this appears a remote proposition.
So the job rests firmly with what remains of society. But in the absence of any rational appraisal as to the desirability and effectiveness of surveillance systems, never mind more concerted efforts to halt the march of the surveillance state (particularly via the EU), there can be little cause for optimism. And if you tolerate this, your children really will be next.