Wednesday, January 30, 2008

Leaked documents show UK government plans to "coerce" take up of "voluntary" ID Cards

Details have trickled out during the last week or so of the UK Government's plans to compel people to use what has been promised to be a "voluntary" ID card. These have been based on leaked government documents. The NO2ID campaign has now published a full version of the most important document, with its own annotations. This is available here (locally hosted copy). One of the most important passages is this:
Various forms of coercion, such as designation of the application process for identity documents issued by UK ministers (eg passports) are an option to stimulate applications in a manageable way.

There are advantages to designation of documents associated with particular target groups, eg young people who may be applying for their first driving licence.

The Register has an insightful analysis:

"Various forms of coercion" could be used to accelerate the rollout of ID cards, the idea being that ID cards will remain 'voluntary' for as long as possible, while not having an ID card will become more and more uncomfortable. This, precisely what the government has intended to do all along, is stated baldly in an Identity & Passport Service leak cited by the Sunday People.

The IPS gives designation of a document under the ID Cards Act as an example of "coercion", and suggests driving licence applications as an area where this approach could be used. Effectively, this would mean that new applicants for licences would be forced to get an ID card...

'Coercion' could therefore be applied here via the delivery of a speedier service online with the aid of a digital passport or ID card, or (heavy coercion) by abandoning the post office end of the service for 'reasons of security.' Similarly, speed of processing can and has been used to illustrate how ID cards can 'help' people working with children and vulnerable groups get their CRB check processed faster. Next stop, compulsory ID cards for teachers? But as it won't be "universal compulsion", they're still not compulsory, right?

Tuesday, January 29, 2008

Data retention - "The innocent have nothing to fear" edition

The Economic Times of India has this worrying report:
MUMBAI: The wrongful arrest and the 50-day incarceration of an innocent software professional on charges he uploaded offensive pictures of Shivaji on Orkut were probably the result of a wrong internet timestamp and has raised concern over the over-dependence of police on Internet Protocol (IP) addresses as evidence in online crime, cyber experts said.

A couple of months ago, Lakshmana Kailash K was arrested, denied bail and given a taste of harsh prison life at Yerawada as the IP details given to police by his internet service provider, Bharti Airtel, matched his user identity. It later emerged that they had the wrong man. Police confirmed the faux pas and Mr Kailash was released. Now, the professional has sent legal notices to Bharti, police and government officials claiming damages for the agony he went through.

Sunil Phulari, the DCP with the cyber crime cell Pune said: "Nothing went wrong in the investigation. It was carried out according to the legal procedures. I cannot speak for Airtel."

Tuesday, January 22, 2008

The case against data retention

I've written a piece for today's Irish Examiner on the Government's data retention proposals, which it published under the headline (not chosen by me!) "Big brother will be watching... everyone". Full text:
How would you feel if someone followed you every day, writing down your movements, making a note of everyone you talked to, jotting down the address of every letter you post, and then storing that information for three years? What would you think if that system of surveillance was extended to every single person in the country? While this might sound like the stuff of science fiction, since 2002 the Government has required telephone companies to track the movements of all their users, to log details of every telephone call made and every text message sent and to store that information for three years. The Department of Justice now proposes to extend this further, to require ISPs to monitor everyone’s internet use, including details of every email or instant message we send, and every time we log on or off, and to store that information for up to two years. What’s more, it intends to do this by the stroke of a ministerial pen, with no debate before the Dáil or the Seanad.

The rather dull name for this surveillance is “data retention”. But it might be more informative to talk of “digital footprints”. As technology comes to be more and more part of our everyday lives, we leave a trail of digital footprints recording almost everything we do. Activities which once would have been private (posting a letter) may now leave a record (sending an email). Data retention laws – by storing these digital footprints – mean that the rights to privacy and freedom of expression we take for granted in the offline world might be lost in the digital age.

Of course, it is legitimate that police should have access to some call or internet data. This information can help in investigations and prosecutions. But the information stored and access to that information must be reasonable and proportionate. In particular, information should not be stored on everyone, but only on a targeted basis. Access should be granted only on the basis of a warrant, and only in respect of terrorism or serious crime. And the information should be stored for as short a period as possible, and certainly for no more than six months except in exceptional circumstances.

Indeed, in 2001 the Government accepted the need for safeguards by signing up to the Convention on Cybercrime, which achieved international agreement on a far less intrusive “data preservation” system, which would preserve evidence in individual cases without the blanket storage of information on all citizens. But the Government has since ignored that system and instead put in place laws which contain almost none of these safeguards.

Laws requiring monitoring of the entire population are astonishing in a democracy. Yet so far there has been very little public debate. One reason might be that this surveillance happens invisibly in the background. But compared to traditional surveillance it is potentially far more intrusive, and carries much greater risks of abuse. In the United Kingdom we have seen the loss of data on many millions of individuals. Here officials in the Department of Social Welfare have been found to be engaged in the systematic leaking and selling of personal information from government databases. There is no reason to think that this information will be treated any differently.

Public awareness has also been stifled by the tactics adopted by the Government. In 2002 data retention was initially brought in by a secret ministerial order, which the telephone companies were forbidden to reveal. Only after pressure from the Data Protection Commissioner was it made public. In 2005, the Minister for Justice again avoided public scrutiny by changing the law using a last minute amendment to an unrelated Bill – breaking a promise that there would be full consultation and a separate Bill for the Oireachtas to debate. Now the Department of Justice is proposing to implement a European Directive on data retention using a statutory instrument – again excluding the Dáil and the Seanad. They claim that the matter is urgent and that there is no time for legislation. But that Directive was passed in February 2006. The Department has had nearly two years to prepare a Bill and cannot now rely on its own delay to justify sidelining democratic scrutiny.

Digital Rights Ireland has brought a High Court challenge to these Irish and European data retention laws, which will ultimately decide whether surveillance of the entire population can be compatible with the rights to privacy and freedom of expression under our Constitution and the European Convention on Human Rights. Until then, however, there should at a minimum be full public awareness and discussion. And in the case of the Department of Justice proposals, at the very least any extension of these laws to the Internet should be by primary legislation and following a debate in the Oireachtas.

Monday, January 14, 2008

Supreme Court ruling on electronic discovery - Orders may extend to extracting and analysing data

In an important decision - Dome Telecom v. Eircom - the Supreme Court has held that the courts, as part of the discovery process, have the power to order a litigant to carry out data analysis to extract, collate and analyse records from a database and to produce a report containing that information. While this is not the first case on this point (the High Court made a similar order in 2006 in Used Car Importers of Ireland v. Minister for Finance) this is the first case to consider the issue in detail and the first time that the matter has been ruled on by the Supreme Court.

By way of background, Irish law on discovery is contained in Order 31 of the Rules of the Superior Courts, which gives the courts power to order parties to disclose to the other side those "documents" which are relevant and necessary to the case. This rule has been applied without difficulty to situations where what is sought is a specific document stored in electronic format - cases such as Clifford v. Minister for Justice have accepted that computer files should be regarded as "documents", and electronic discovery is now common.

What presented a problem in Dome Telecom was the traditional understanding of discovery as being limited to disclosure of existing documents. As Fennelly J. put it:
"a court will only order discovery of documents or records which exist. If no record has been made of a relevant conversation, meeting or event, a court will not, for the purpose of discovery, require a party to make one."

Here Dome Telecom alleged that Eircom had damaged its call card business by charging on a discriminatory basis for calls made from mobile phones to its 1800 freephone number. To put a figure on the damage suffered, Dome Telecom sought discovery of the total number of minutes of calls made to specific 1800 freephone numbers operated by its competitors. This was granted by the High Court, notwithstanding Eircom's claims that this would go beyond merely disclosing an existing document, but would require it to engage in an expensive analysis and filtering process to create an entirely new document. Eircom appealed, claiming:

1. That the power of the High Court to order discovery of documents does not extend to directing a party to create documents for the purposes of the action.

2. That the power of the High Court to order discovery of documents does not extend to directing a party to create documents that do not exist at the time that the order for discovery is made.

3. That the creation of the documents directed by the High Court imposes a disproportionate burden on the appellant where in order to comply with that order it would be required

(a) to extract in excess of 20 billion call data records from the tapes on which they are currently stored;

(b) to record the said records onto a parallel data base;

(c) to collate and analyse the records on the parallel data base in order to correlate them with the 1800 freephone numbers the subject matter of the order for discovery;

(d) to create therefrom a document containing a report of the total monthly volume of freephone minutes traffic per month from the 1st July 2000 to the 7th April 2005 in respect of each 1800 number by reference to access method by the appellant to international carriers – limited for the time being to those identified and set forth in the Schedule where the volume of minutes trafficked to that international carrier in any given month exceeded 5,000 minutes.

On appeal, the Supreme Court agreed by a majority (Fennelly and Kearns JJ, Geoghegan J dissenting) that the discovery was unnecessary and disproportionate in the particular circumstances of the case. However, on the matter of principle - whether the court could make an order of this type, and whether this amounted to requiring a party to create an entirely new document - the majority (Fennelly and Geoghegan JJ, Kearns J reserving his position) rejected the arguments of Eircom and held that the court could make orders requiring a party to analyse data in their possession and to present it in a certain form. Per Geoghegan J:

The Rules of Court are important and adherence to them is important but if an obvious problem of fair procedures or efficient case management arises in proceedings, the court, if there is no rule in existence precisely covering the situation, has an inherent power to fashion its own procedure and even if there was a rule applicable, the court is not necessarily hidebound by it. It is common knowledge that a vast amount of stored information in the business world which formerly would have been in a documentary form in the traditional sense is now computerised. As a matter of fairness and common sense the courts must adapt themselves to this situation and fashion appropriate analogous orders of discovery. In order to achieve a reasonable parity with traditional documentary discovery it may well be necessary to direct a party "to create documents" within the meaning of the notice of appeal. It may indeed also be necessary to direct a party "to create documents" within the meaning of the notice of appeal even if such "documents" "do not exist at the time the order is made". I am deliberately using quotation marks because I do not intend to adjudicate on the quasi-metaphysical argument of Mr. Paul Anthony McDermott, counsel for the respondent, that the "documents" do in fact "exist". At any rate that matter can probably be argued both ways but I would be firmly of opinion that an order of discovery can be made which involves the creation of documents which do not exist, made in the kind of context in which it is sought in this case. Otherwise, potential litigants could operate their business computers in such a way that they would be able to evade any worthwhile discovery.

This promises to be a very significant decision, and will certainly make electronic discovery more attractive for litigants while at the same time increasing the burden on those from whom discovery is sought.