The NY Times puts a face on one of AOL's victims

A Face Is Exposed for AOL Searcher No. 4417749 - New York Times:

Buried in a list of 20 million Web search queries collected by AOL and recently released on the Internet is user No. 4417749. The number was assigned by the company to protect the searcher’s anonymity, but it was not much of a shield.

Thelma Arnold’s identity was betrayed by AOL records of her Web searches, like ones for her dog, Dudley, who clearly has a problem.

No. 4417749 conducted hundreds of searches over a three-month period on topics ranging from “numb fingers” to “60 single men” to “dog that urinates on everything.”

And search by search, click by click, the identity of AOL user No. 4417749 became easier to discern. There are queries for “landscapers in Lilburn, Ga,” several people with the last name Arnold and “homes sold in shadow lake subdivision gwinnett county georgia.”

It did not take much investigating to follow that data trail to Thelma Arnold, a 62-year-old widow who lives in Lilburn, Ga., frequently researches her friends’ medical ailments and loves her three dogs. “Those are my searches,” she said, after a reporter read part of the list to her." ...

Ms. Arnold, who agreed to discuss her searches with a reporter, said she was shocked to hear that AOL had saved and published three months’ worth of them. “My goodness, it’s my whole personal life,” she said. “I had no idea somebody was looking over my shoulder.”

In the privacy of her four-bedroom home, Ms. Arnold searched for the answers to scores of life’s questions, big and small. How could she buy “school supplies for Iraq children”? What is the “safest place to live”? What is “the best season to visit Italy”?

Her searches are a catalog of intentions, curiosity, anxieties and quotidian questions. There was the day in May, for example, when she typed in “termites,” then “tea for good health” then “mature living,” all within a few hours.

Her queries mirror millions of those captured in AOL’s database, which reveal the concerns of expectant mothers, cancer patients, college students and music lovers. User No. 2178 searches for “foods to avoid when breast feeding.” No. 3482401 seeks guidance on “calorie counting.” No. 3483689 searches for the songs “Time After Time” and “Wind Beneath My Wings.”

At times, the searches appear to betray intimate emotions and personal dilemmas. No. 3505202 asks about “depression and medical leave.” No. 7268042 types “fear that spouse contemplating cheating.”

If this story disturbs you, you might want to visit Digital Rights Ireland and support our campaign against data retention.

Your personal information is for sale, episode 8,763 - AOL reveals users search history

From Techcrunch :

AOL must have missed the uproar over the DOJ’s demand for “anonymized” search data last year that caused all sorts of pain for Microsoft and Google. That’s the only way to explain their release of data that includes 20 million web queries from 650,000 AOL users.

The data includes all searches from those users for a three month period this year, as well as whether they clicked on a result, what that result was and where it appeared on the result page. It’s a 439 MB compressed download, expanded to just over 2 gigs. The data is available here (this link is directly to the file) and the output is in ten text files, tab delineated.

The utter stupidity of this is staggering. AOL has released very private data about its users without their permission. While the AOL username has been changed to a random ID number, the abilitiy to analyze all searches by a single user will often lead people to easily determine who the user is, and what they are up to. The data includes personal names, addresses, social security numbers and everything else someone might type into a search box.

The most serious problem is the fact that many people often search on their own name, or those of their friends and family, to see what information is available about them on the net. Combine these ego searches with porn queries and you have a serious embarrassment. Combine them with “buy ecstasy” and you have evidence of a crime. Combine it with an address, social security number, etc., and you have an identity theft waiting to happen. The possibilities are endless.

Marketers are going nuts over the possibilities, users are calling for a boycott of AOL, and others are just enraged:

User 491577 searches for “florida cna pca lakeland tampa”, “emt school training florida”, “low calorie meals”, “infant seat”, and “fisher price roller blades”. Among user 39509’s hundreds of searches are: “ford 352″, “oklahoma disciplined pastors”, “oklahoma disciplined doctors”, “home loans”, and some other personally identifying and illegal stuff I’m going to leave out of here. Among user 545605’s searches are “shore hills park mays landing nj”, “frank william sindoni md”, “ceramic ashtrays”, “transfer money to china”, and “capital gains on sale of house”. Compared to some of the data, these examples are on the safe side. I’m leaving out the worst of it - searches for names of specific people, addresses, telephone numbers, illegal drugs, and more. There is no question that law enforcement, employers, or friends could figure out who some of these people are.

There is some really scary stuff in this data.

Bear in mind that this was not an accidental or inadvertent disclosure - much less a security breach. AOL took a deliberate and planned decision to release this information.

Today's outrage - Millions of children to be fingerprinted

The Observer reports that:

British children, possibly as young as six, will be subjected to compulsory fingerprinting under European Union rules being drawn up in secret. The prints will be stored on a database which could be shared with countries around the world.

The prospect has alarmed civil liberties groups who fear it represents a 'sea change' in the state's relationship with children and one that may lead to juveniles being erroneously accused of crimes. Under laws being drawn up behind closed doors by the European Commission's 'Article Six' committee, which is composed of representatives of the European Union's 25 member states, all children will have to attend a finger-printing centre to obtain an EU passport by June 2009 at the latest.

The use of fingerprints and other biometric data is designed to prevent passport fraud and allow European member states to meet US entry visa requirements, but the decision to fingerprint children has disturbed human rights groups.

The civil liberties group Statewatch last night accused EU governments of taking decisions in which 'people and parliaments have no say'. It said the committee's decisions were simply based on 'technological possibilities - not on the moral and political questions of whether it is right or desirable.'

'This is a sea change,' said Ben Hayes, spokesman for Statewatch. 'We are going from fingerprinting criminals to universal fingerprinting without any real debate. In the long term everyone's fingerprints will be stored on a central database. You have to ask what will be the costs to a person's privacy.'

[Edited to add]

It's not clear what effect this may have in Ireland. The legal basis is Regulation 2252/2004 which is a Schengen act and therefore not binding on Ireland. The Government's current policy is not to include fingerprints on passports - see the Dept. of Foreign Affairs FAQ. However, if and when Ireland does enter Schengen this will be a fait accompli.

When surveillance meets bureaucracy

"Innocent People Placed On 'Watch List' To Meet Quota":

You could be on a secret government database or watch list for simply taking a picture on an airplane. Some federal air marshals say they're reporting your actions to meet a quota, even though some top officials deny it.

The air marshals, whose identities are being concealed, told 7NEWS that they're required to submit at least one report a month. If they don't, there's no raise, no bonus, no awards and no special assignments.

"Innocent passengers are being entered into an international intelligence database as suspicious persons, acting in a suspicious manner on an aircraft ... and they did nothing wrong," said one federal air marshal. ...

What kind of impact would it have for a flying individual to be named in an SDR?

"That could have serious impact ... They could be placed on a watch list. They could wind up on databases that identify them as potential terrorists or a threat to an aircraft. It could be very serious," said Don Strange, a former agent in charge of air marshals in Atlanta. He lost his job attempting to change policies inside the agency.

(via MetaFilter)

UK Government implements "Minority Report" - Department of Pre-Crime awaits

The Register reports that the UK government plans to tackle crime at birth by means of yet more entries in the proposed "Children's Index" database:

Children's Minister Hilary Armstrong was due today to outline what could become one of Project Blair's most ambitious, misguided and hubristic projects yet. The Government will attempt to identify children at risk of failure, violent behaviour or criminality at birth, and take the necessary corrective actions to steer them onto a law-abiding and successful path.

Ironically, Armstrong is floating these proposals just as this same predictive approach to future behaviour patterns is becoming discredited. A couple of national newspapers, the Independent and The Observer, appear to have seen outlines of the plans. According to the Independent, midwives, doctors and nurses are to be "asked to identify 'chaotic' families whose babies are in danger of growing up to be delinquents, drug addicts and violent criminals." The plan will be backed up by "research" which "shows that children from the most dysfunctional families are 100 times more likely to abuse alcohol commit crimes or take drugs", and a "source" close to Armstrong says: "It is the 'supernanny' model.' There is no reason why midwives who ask mothers lots of questions anyway can't ask a few more about the family circumstances and identify families where there may be problems. We need to intervene early to stop the cycle that leads to social exclusion."

The Register has some interesting comments about the quality of the data we can expect this database to contain:

The information they're sharing, meanwhile, will become more junk-like as the boxes they need to check and the fields they need to fill in multiply. Social workers, police, anyone who's given the job of spotting early warning signs will feel the need to put something in the box, for all too obvious reasons. What's it going to look like in five years time when some kid on your books gets beaten to death, and it turns out you didn't notice anything? The empty box clearly indicates negligence on your part. So the slightest, part-imagined 'signs' will go down, the people you're sharing the data with will see this 'concern' flagged and put in some 'signs' of your own. And as Brian Sheldon, Emeritus Professor, University of Exeter and former director of the Centre for Evidence-Based Social Work puts it, once social workers decide people need visiting, "they need visiting a lot." Or as Hine says, "if you're looking for problems, you will find problems."

The cases will tend to build themselves, the effect much magnified by the 'share and deploy' approach, and they'll also tend to focus on the easier cases. The ones who're easier to get at and who're on the receiving end of self-generating warning signs will get lots of attention (despite quite possibly never having needed any in the first place), and quite possible acquire real problems because of this, while harder cases of real need may not get any attention at all.

At ground level, midwives (and one presumes other professionals) are beginning to see the collateral damage of the Blair Project's data kleptocracy (Sheldon diagnoses this as symptomatic of a country suffering from obsessive-compulsive disorder). Some of the women midwives are dealing with have noticed that their histories can be taken down and used against them, and that it does not matter whether or not they have successfully coped, or are successfully coping with whatever the problem might have been. If you tell someone, it will be flagged as a 'concern' and will breed more concerns, and turn you into a 'case'. So they're starting to withhold information, and as midwives, and other professionals continue to ask "a few more" questions, people on the receiving end of the data kleptocracy will start to go underground.

Leaving systems built on junk science sharing junk data in pursuit of imaginary concerns and a pre-defined criminal underclass, while the rest of us hide.( Emphasis added)

For another perspective see the proceedings of the LSE conference "Children: Over Surveilled, Under Protected".

Online Anonymity - Ryanair Edition (continued)

The Irish Times reports that Ryanair has lost its action seeking to identify pilots posting to a bulletin board under pseudonyms. While the judgment doesn't seem to address the privacy issues involved, it does look at motive behind the action, and notes that "when Ryanair set up an investigation to find out who was behind the website, the real purpose of that investigation was to 'break the resolve' of pilots to seek better terms and conditions." This is an important finding - it indicates that actions to identify internet users should be assessed carefully to see whether there is some improper purpose underlying the application. From the Irish Times:

A High Court judge has rejected claims by Ryanair that its pilots or their unions had engaged in bullying, intimidation or isolation of other pilots over conditions imposed by Ryanair relating to training on new aircraft.

The only evidence of bullying was by Ryanair itself, Mr Justice Thomas Smyth stated yesterday. He described as "most onerous and bordering on oppression" a condition requiring pilots to pay Ryanair €15,000 for training on new aircraft in 2004. The €15,000 was payable by pilots if they left the company within five years or if Ryanair was required to engage in collective bargaining within the same period.

In a strongly worded reserved judgment, the judge dismissed a bid by the private airline for orders aimed at identifying pilots who posted messages under codenames, such as "ihateryanair" and "cantfly, wontfly" on a pilots' website. Ryanair had claimed the messages showed evidence of wrongful activity against it and its employees.

The judge also made a finding of false evidence in relation to two members of Ryanair management who had given evidence at the hearing. He held that, when Ryanair set up an investigation to find out who was behind the website, the real purpose of that investigation was to "break the resolve" of pilots to seek better terms and conditions. There was no warrant for Ryanair's action in seeking assistance from gardaí on the matter, he added.

He rejected as "baseless and false" the evidence of Ryanair director of personnel Eddie Wilson in relation to the setting up the investigation. The judge also said there was no conspiracy in relation to the setting up of the website and it was not engaged in anything unlawful. There was "no actionable wrong", he held, and dismissed Ryanair's application.

Dutch court upholds refusal to disclose file-sharers' identities

The Register reports that the Dutch decision in BREIN (holding that information about alleged filesharers had been obtained in breach of data protection law) has been upheld on appeal. The result is that litigation by the music industry will be unable to proceed.

A Dutch appeals court has thwarted attempts by the Dutch anti-piracy organisation BREIN to get the identities of file-sharers from five ISPs, including Wanadoo and Tiscali.

The court found that the manner in which IP addresses were collected and processed by US company MediaSentry had no lawful basis under European privacy laws. A lower court in Utrecht had reached a similar conclusion last year.

The court also argued that the software MediaSentry uses can't properly identify users or provide evidence of infringement.

Last year, expert witnesses at Delft University of Technology criticised MediaSentry's software for being too limited and simplistic. For instance, MediaSentry took filenames in Kazaa at face value. More importantly, the software scans all the content of the shared folder on the suspect's hard disk. In that process, it breached privacy laws.

The Dutch Protection Rights Entertainment Industry Netherlands (BREIN) represented 52 media and entertainment companies and has been investigating 42 people suspected of swapping song files. Nine file-sharers decided to settle with BREIN.

BREIN says it will go to a higher court, but lawyer Christiaan Alberdingk Thijm, who represented the ISPs, sees the decision as an important victory.

UK government abusing copyright to silence whistleblower

The Foreign Office is now seeking to misuse copyright law to stop a former ambassador from publishing material showing British involvement in torture. From the Guardian:

The government is threatening to sue former ambassador Craig Murray for breach of copyright if he does not remove from his website intelligence material that was censored out of his newly published memoirs.

Mr Murray has posted full texts of all passages the Foreign Office ordered deleted from the book version of Murder in Samarkand, the former Tashkent ambassador's account of alleged British complicity in torture by the despotic Uzbekistan regime. His book contains links to the website.

The passages detail CIA intelligence reports that Mr Murray says were false, and accounts of US National Security Agency intercepts and conversations with John Herbst, the US ambassador in Uzbekistan at the time. The Foreign Office says release of the material is damaging. ...

The Foreign Office is also demanding, in a claim that breaks new legal ground, that Mr Murray remove from his website the text of Foreign Office correspondence which he says he obtained officially through Freedom of Information Act and Data Protection Act requests.

The Treasury solicitors, the government lawyers, wrote to Mr Murray last week claiming: "Even if a document is released under the Freedom of Information Act or the Data Protection Act, that does not entitle you to make further reproductions of that document by, for example, putting them on your website."

Mr Murray said yesterday: "If the media do not react to this, they will lose the ability to report in any detail material released under the Freedom of Information Act. The documents in question are the supporting evidence for my book. The government continues to claim my story is untrue."

It is unacceptable that a government can silence its critics by relying on copyright law. The approach taken by US law is preferable, under which government publications don't benefit from copyright protection. After all, this material has already been paid for by the taxpayer.

Henry Porter on ID cards

Henry Porter gives an eloquent statement of the case against ID cards in today's Guardian:

Some, like the editor of Prospect, David Goodhart, have attempted to portray the cards as "badges of citizenship embodying the idea of the contract between citizen and state". The argument is superficially comforting. "They help us to know who is in the country and what their status is and to protect the precious entitlements of all existing citizens." There is no mention in his recent essay of the database or the terrible potential for intrusion and control. And of course the idea of this being a contract is ridiculous when one party is being forced to sign or face penalties. The notion of a badge of citizenship is codswallop being put about by people who are too impressed by authority and too weak to oppose it.

When reading the ID card bill I am constantly struck by its minatory tone - the threats of fines and the general contempt for the average citizen. There's a reason for this. Rather than being something that is designed to help us, the card and the register are, in fact, tools of government control and surveillance. Over and above the information you have supplied at enrolment (please note the voluntary connotations of the word enrolment ) your file on the NIR will build an entire picture of your life - your hospital visits, your children's schools, your driving record, your criminal record, your finances, insurance policies, your credit-card applications, your mortgage, your phone accounts (and, one presumes your phone records), and your internet service providers.

Every time you get a library card, make a hire-purchase agreement, apply for a fishing or gun licence, buy a piece of property, withdraw a fairly small amount of your money from your bank, take a prescription to your chemist, apply for a resident's parking permit, buy a plane ticket, or pay for your car to be unclamped you will be required to swipe your card and the database will silently record the transaction. There will be almost no part of your life that the state will not be able to inspect. And it will be able to use the database to draw very precise conclusions about the sort of person you are - your spending habits, your ethnicity, your religion, your political leanings, your health and even perhaps your sexual preferences. Little wonder that MI5 desired - and was granted - free access to the database. Little wonder that the police, customs and tax authorities welcome the database as a magnificent aid to investigation.

But know this: from the moment the database goes live, we will become subjects not citizens and each one of us will be diminished in relation to the state's power.

Something enormous and revolutionary is about to happen to us. We are giving the most precious part of ourselves to the government, allowing it complete freedom to roam through our privacy. And it's not just to this government, but to the governments of the future, the nature of which we cannot possibly know. And it's not just our privacy - it is the rights and privacy of future generations. While we are comfortable about handing this information over to the state, the citizens of the future may feel strongly about our complacency and our faith in the British government. We have a duty to those people, just as all the people who fought for the rights we enjoy today felt a sense of obligation to us.

The prime minister asks us to trust him and implies that abuse of a database would be unthinkable in Britain. But after the lies before the invasion of Iraq, the revelations of the Hutton inquiry and the evidence about rendition flights using British airspace I would suggest that we treat these sorts of assurances and appeals with the utmost suspicion.

Remember this government's attack on liberty. Remember what we have already lost - the campaign that has diminished defendants rights, introduced punishment without a court deciding that the law has been broken, restricted protest and speech and even assembly. Blair is unabashed about his record and has taken to describing civil liberties as a privilege that may be removed from someone the moment they become a suspect or a defendant.

I am afraid I do not trust the government's motives - nor do I trust its competence. The past decade is littered with failed government IT projects - the Child Support Agency, the immigration records, the working tax credit database, the farmers' single payment scheme are a few that come to mind. This is to say nothing of its record on security. The NIR will literally have thousands of entry points where the information on your file can be accessed.

One of the worst failures of a government database came to light a few weeks ago when the Home Office admitted that the Criminal Records Office had wrongly identified 2,700 people as having criminal records. I cannot think of a clearer case of defamation and it is surprising there is not some kind of class action against the Home Office. Not only were these people's reputations seriously damaged, many were turned down for jobs as a result of the CRO's mistake and can therefore argue for a serious loss of earnings. But the Home Office did not even apologise. It is exactly the arrogance that I fear will come to characterise all government dealings with the person in the street once this database is operational.

As I said, I am instinctively - genetically, as I put it - opposed to ID cards and the Identity Register. I am also politically opposed because as the government database grows, I believe there will be a commensurate lessening in the state's respect for each one of us. We will be reduced to the great mass of classified specimens, pinned down and itemised like dead butterflies in a showcase. Because of the power it possesses over us, I believe the government will gradually become less accountable and less responsive to the needs and wishes of the people. Whereas once politicians were our servants, they will become our masters and we their slaves.

I have philosophical objections, too. In a free country I believe that every human being has the right to define him or herself independently and without reference to the government of the time. This, I believe, is particularly important in a multicultural society such as ours. The ID card and NIR require and will bring about a kind of psychological conformity, which is utterly at odds with a culture that has thrived on individualism, defiance and the freedom to go your own way.

And it will remove the right of those who for whatever reason wish to withdraw from the cares of the world and the influence of society, to resort to the consolations of solitude and privacy without inspection from a centralised authority. Privacy, anonymity and solitude are rights, and we are about to lose them for ever.

People say that everything about you is known already. Someone has calculated that each of us appears on up to 700 databases. But the real point is that everything that is known about you will become linked up on the NIR. The register will take on a life of its own, for once you set up a system like this it becomes ineluctably compelled to find out more and more about you. That will be its hardwired purpose.

Imagine handing over the keys to your home when you are out at work to allow some faceless bureaucrat to rifle through your desk and drawers, your photograph albums and children's school reports, your bills and love letters. That is the kind of access they are going to have, and it is going to grow as time goes by and we become accustomed to this unseen presence in our lives.

Well, it's not for me. I cannot do it. I will not do it, and I hope you won't either.

Does Irish law protect your voicemail?

The Irish Independent has a story about wrongful access to mobile phone voice mailboxes. Although the story claims that access to voicemail messages is "a crime under the Postal and Telecommunications Act 1983", it's not clear if that is true. Section 98(1) of the 1983 Act provides:

A person who-
(a) intercepts or attempts to intercept, or
(b) authorises, suffers or permits another person to intercept, or
(c) does anything that will enable him or another person to intercept,
telecommunications messages being transmitted by [a person deemed to be authorised under the Authorisation Regulations] or who discloses the existence, substance or purport of any such message which has been intercepted or uses for any purpose any information obtained from any such message shall be guilty of an offence.

The reference to telecommunications messages being transmitted suggests that stored messages, such as voicemail messages, may not be protected by section 98.

There are two counter arguments. First, it might be said that such messages are "being transmitted" until they are first listened to. This is an incomplete solution, however, at best it would only protect new messages, with those already listened to having no protection.

Second, it could be argued that the act of dialing into the voice mail itself causes the message to be transmitted, and the interception takes place where you listen to such a message. This is given support by the very wide definition of "interception" contained in section 98:

In this section, "interception" means listening to, or recording by any means, or acquiring the substance or purport of, any telecommunications message ...

Again, though, this is an incomplete solution. If we adopt this argument, then the mobile phone company employee who listens to the message at work would not be guilty of an offence, as the (locally held) message would not be transmitted.

This article highlights, then, one problem with Irish interception law. Whatever view we take, it seems that stored messages such as voicemail do not enjoy adequate protection - and it is long past time that the 1983 Act was updated to take account of technological changes in the meantime.

You couldn't make it up: Part 2

BBC NEWS - Guantanamo suicides 'acts of war':

"The suicides of three detainees at the US base at Guantanamo Bay, Cuba, amount to acts of war, the US military says.

The camp commander said the two Saudis and a Yemeni were 'committed' and had killed themselves in 'an act of asymmetric warfare waged against us'.

You couldn't make it up

George W. Bush, 2002: "I just want you to know that, when we talk about war, we're really talking about peace."

George Orwell, 1984: "War is Peace"

via the entertaining Students for an Orwellian Society

Amnesty launches Irrepressible.info

Amnesty International have launched a campaign against online censorship called irrepressible.info. From that site:

Irrepressible
Adj. 1) Impossible to repress or control.

Chat rooms monitored. Blogs deleted. Websites blocked. Search engines restricted. People imprisoned for simply posting and sharing information.

The Internet is a new frontier in the struggle for human rights. Governments – with the help of some of the biggest IT companies in the world – are cracking down on freedom of expression.

Amnesty International, with the support of The Observer, is launching a campaign to show that online or offline the human voice and human rights are impossible to repress.

Amnesty's UK director Kate Allen explains:

'Open your newspaper any day of the week and you will find a report from somewhere in the world of someone being imprisoned, tortured or executed because his opinions or religion are unacceptable to his government.'

So began an article in this newspaper 45 years ago called 'The Forgotten Prisoners'. The author, Peter Benenson, urged people to call on governments to stop this persecution. The 'appeal for amnesty' that he started went on to become Amnesty International, a movement that now has 1.8 million supporters in more than 100 countries around the world and continues to stand up for freedom and justice wherever it is denied.

Much has changed in those 45 years. The Iron Curtain has been torn down and apartheid has ended; we have witnessed genocide in Rwanda and ethnic cleansing in the Balkans. And the world has moved on technologically: in 1961 people were expressing their opinions in books and newsprint; Amnesty members responded to their repression by writing letters. Now we have the internet; and Amnesty is able to mobilise its supporters online to lobby governments with emails and web-based campaigning.

Sadly what remains the same is that people are still being imprisoned for peacefully expressing their beliefs. Benenson started Amnesty after reading about two students arrested in a Portuguese cafe for raising a toast to freedom: 45 years on, we were recently made aware of three young Vietnamese people arrested after taking part in an online chatroom debate about democracy.

Governments still fear dissenting opinion and try to shut it down. While the internet has brought freedom of information to millions, for some it has led to imprisonment by a government seeking to curtail that freedom. They have closed or censored websites and blogs; created firewalls to prevent access to information; and restricted and filtered search engines to keep information from their citizens.

China is perhaps the clearest example. Its internet censorship and clampdown on dissent online is sophisticated and widespread. But Amnesty has documented internet repression in countries as diverse as Iran, Turkmenistan, Tunisia, Israel, the Maldives and Vietnam.

Another massive change since 1961 has been the rising power of multinationals, but some companies have been complicit in these abuses. So Amnesty is increasingly lobbying not just governments but powerful firms to respect the rights of ordinary people.

The internet is big business, but in the search for profits some companies have encroached on their own principles and those on which the internet was founded: free access to information. The results of searches using China-based search engines run by Yahoo, Microsoft, Google and local firms are censored, limiting the information users can access. Microsoft pulled down the work of one of China's most popular bloggers who had made politically sensitive comments. Yahoo gave information to the authorities that led to people being jailed for sending emails with political content. We do not accept these firms' arguments that it is better to have a censored Google, Yahoo or Microsoft in China than none at all.

So Amnesty International is again calling on Observer readers to join with us to take a stand for basic human freedoms. The internet has the potential to transcend national borders and allow the free flow of ideas around the world. Of course there is a need for limits to free expression to protect other rights - promoting violence or child pornography are never acceptable - but the internet still has immense power and potential.

Just by logging on to my computer I can exchange views with someone in Beijing or Washington. I can read what bloggers in Baghdad think of the situation in Iraq. I can find a million viewpoints that differ from my own on any topic. It is the greatest medium for free expression since the printing press, a meeting of technology and the social, inquisitive nature of human beings and the irrepressible force of the human voice. This is the new frontier in the battle between those who want to speak out, and those who want to stop them. We must not allow it to be suppressed.

As part of the campaign they've produced some clever html which allows you to display examples of the censored material on your own site, like this:

US Government pushing internet data retention

ZDNet reports that:

U.S. Attorney General Alberto Gonzales and FBI Director Robert Mueller on Friday urged telecommunications officials to record their customers' Internet activities, CNET News.com has learned.

In a private meeting with industry representatives, Gonzales, Mueller and other senior members of the Justice Department said Internet service providers should retain subscriber information and network data for two years, according to two sources familiar with the discussion who spoke on condition of anonymity.

The closed-door meeting at the Justice Department, which Gonzales had requested, according to the sources, comes as the idea of legally mandated data retention has become popular on Capitol Hill and inside the Bush administration. Supporters of the idea say it will help prosecutions of child pornography because in many cases, logs are deleted during the routine course of business.

The Justice Department appears to be seeking "voluntary" data retention, but there are also proposals to introduce federal legislation:

Two proposals to mandate data retention have surfaced in the U.S. Congress. One, backed by Rep. Diana DeGette, a Colorado Democrat, says that any Internet service that "enables users to access content" must permanently retain records that would permit police to identify each user. The records could only be discarded at least one year after the user's account was closed.

The other was drafted by aides to Wisconsin Rep. F. James Sensenbrenner, the chairman of the House Judiciary Committee, a close ally of President Bush. Sensenbrenner said through a spokesman last week, though, that his proposal is on hold because "our committee's agenda is tremendously overcrowded already."

If you haven't already thought about protecting your privacy online, now would be a good time to start. At the moment, the best way of ensuring anonymous communication is probably the EFF's Tor system. If you're running Windows, Torpark is a quick and easy way of getting started. From the Torpark FAQ:

Installation Instructions

1. Download and run the exe, it will extract Torpark.
2. Put the Torpark directory where you want it, like on a USB drive.
3. Run Torpark.exe

What is Torpark, exactly?

Torpark is a fully configured combination of Tor (The Onion Router) and Mozilla's browser technologies, enabled by John T. Haller's Portable Firefox. As of v1.5, the whole package is wrapped up in a nice single executable with file directory. No installation, no registry keys, no files left behind.

How can this be used?

Lots of ways! It can be used to circumvent censorship firewalls, like at work or in China. It can be used to bypass paying for internet access at a wifi cafe. It can be used at school computers so you can get full access to the internet. And best of all, if there is no key loggers secretly installed on the machine, nobody is going to know where you went, what you saw, who you spoke to, or what you said. It is all encrypted in a tunnel between your computer, and at least three others somewhere in the world. Only after your data has passed through the encrypted and constantly changing tunnel (a tor circuit) will it reach the internet as unencrypted. The data from surfing the internet goes through the same tunnel as well, passing back to you encrypted, where your computer uses Tor to decrypt it to the Torpark browser. When you need a secret and secure tunnel to surf the internet, Torpark is your mobile solution.

Online Anonymity - Ryanair Edition (continued)

Ryanair are back in the High Court seeking to identify pilots who have anonymously criticised them online. According to the Belfast Telegraph:

Ryanair went to court yesterday to find out who is behind messages on its pilots website. The airline wants to know the identity of those people who go under the codenames 'ihateryanair', 'cantfly-wontfly' and others on the Ryanair European Pilots Association (REPA) website. The REPA website was set up two years ago to give "an anonymous and secure way for Ryanair pilots throughout Europe to communicate with each other". According to the website, it "allows Ryanair pilots to freely express their views on a range of industrial safety and professional issues". The membership is exclusive to Ryanair pilots, including those on contract and trainees.

In the action, which opened yesterday in the High Court, Ryanair is seeking a number of orders against Neil Johnston, an official with the trade union IMPACT; the Irish Airline Pilots Association and its British counterpart, BALPA. The airline contends it has a duty to identify the persons behind the codenames. It claims the website was established by and is controlled by IALPA and BALPA. This is denied by both pilots' associations. Ryanair is also seeking an order requiring the defendants to disclose all information within their knowledge relating to threats, intimidations and harassment of Ryanair pilots. The airline claims the defendants have refused Ryanair's requests to identify the persons behind the codenames and alleges they have sought to destroy records, registration details, databases and information relating to REPA members. Ryanair claims that unknown persons, allegedly known to the defendants, are engaged in a concerted process of intimidation, bullying, harassment and criminal activity. In an affidavit, Eddie Wilson, director of personnel with Ryanair, said that REPA, which was not a registered trade union, was set up in 2004 and its web site was designed to allow Ryanair pilots communicate with one another in a manner designed to obscure the identity of the person communicating through the use of codenames and password procedures. The defendants deny the claims and say REPA was established to facilitate the organisation of pilots employed by Ryanair in order to protect those pilots and their employment within the industry. The case continues today.

I've blogged about this case before. The defendants have already accused Ryanair of seeking to intimidate pilots from engaging in legitimate debate. It will be very interesting to see whether the High Court gives adequate weight to the freedom of expression issues at stake.

Yet another argument against ID cards: Error exposes 26m US veterans to ID theft

Just in case you were wondering we worry about vast government databases, the Times gives us a reminder:

AS IF war wounds and post-traumatic stress were not enough, millions of US military veterans face the risk of identity theft.

Personal data on 26.5 million veterans fell into the hands of criminals when a laptop and computer disks were stolen from a government official who had taken the information home without permission. The data contains the name, date of birth and social security number of everyone discharged from the American Armed Forces since 1975.

The security breach is second in scale only to the hacking attack on CardSystems Solutions last June, which compromised the accounts of 40 million credit card holders. But it is potentially even more damaging because the stolen information contains social security numbers, which can be used to obtain credit cards and loans in a victim’s name.

Veterans reacted with fury at the prospect of having their identities stolen by criminals who might run up huge debts in their names.

Innocent people branded criminals on government database: the victims' stories

The Mail on Sunday has more on the victims of the UK Criminal Records Bureau:

One of those whose lives have been ruined by the CRB is 19-year-old Emma Budd, from Maesteg, Glamorgan, who is still fighting to have her records amended after being wrongly accused of having two convictions for theft. She was rejected for two jobs teaching disabled children as a result of the mistake and has now spent almost two years trying to have the error rectified.

In 2004, she applied for a position at the National Children's Home and paid £34 for the CRB check - only to be told to her horror that she had two alleged 'convictions' for theft.

Emma said: 'I have never stolen anything in my life. But I was devastated - I felt like a criminal even though I knew I wasn't one. I disputed the results. I had to go down to the police station and have my fingerprints taken. It was mortifying.'

She added: 'The police blamed the Criminal Records Bureau for the mistake and the CRB blamed the police. It was all down to the bureaucracy. Nobody would take the blame.'

Finally the police told her that her name had been cleared and she applied to work as a home carer - but to her amazement, the required criminal records check again listed her as a convicted thief.

She has now been reassured that her records have been amended but says she will not believe this until she sees it working in practice.

David Mansfield, 58, was prevented from taking up a post as an assistant for children with learning difficulties at a local college after the CRB wrongly identified him as a peddler of hardcore pornography.

Mr Mansfield, from Hertford, who spent a lifetime working in the transport division of the NHS before taking early retirement, said: 'The CRB record claimed I had been convicted for selling hardcore pornography in Bournemouth in 1972. It was absolutely ridiculous.

'It was a horrible slur on my character and I was determined to clear my name. But you find you're dealing with a nebulous, faceless bureaucracy which makes it worse.

'It was hard work to get any replies and I was always chasing them. But I was determined to have my name cleared because it meant I would be debarred from doing any community or social or voluntary work.

'Eventually, the CRB admitted they had made a mistake and sent me £150 as an ex-gratia payment, but there was no apology.'

The Mail on Sunday editorial draws the obvious conclusions:

The apparatus of vigilance cannot be trusted to use its existing powers well or wisely. After all the recent revelations of Home Office incompetence, the disclosure that almost 1,500 citizens have been wrongly said to have criminal records is less shocking than it would once have been.

Even so, the scale of this bungle ought to be a strong warning against the Government's halfcompleted and so far voluntary plans to put us all on a national identity database.

Such a system would be far larger, far more all-embracing and far more open to misuse and confusion than the Criminal Records Bureau. And, given the gullible reliance of bureaucrats on official records, imagine the endless battles to clear names and overcome identity confusion that are bound to result.

Thousands of us will be constantly having our fingerprints retaken to persuade inflexible jobsworths that we are not terrorists or child molesters.

On the basis of its performance so far, the official claim that ID cards will be a protection against identity theft may well turn out to be the opposite of the truth. The State, whose job it is to safeguard the people, instead stole the good names from hundreds of decent individuals. Those who had nothing to hide turned out to have plenty to fear.

Your personal information is for sale: Job applicants subjected to illegal record checks

The Times has revealed yet more abuse of UK government databases:

THOUSANDS of people have been subjected to illegal background checks when they applied for jobs that did not require vetting, according to a report on the Criminal Records Bureau.

As demand for checks from the bureau grows, there are increasing concerns that employers are misusing the system.

Job applicants have been subjected to scrutiny when they applied to be refuse workers, dog wardens, car park attendants and train drivers. On one occasion checks were sought on people applying to take part in a television game show.

Disclosure of information should occur only when people are applying for jobs that involve working with children and vulnerable adults or certain financial and security- related occupations.

Yet another reason to oppose ID cards: Innocent people branded criminals on government database

Reuters reports that:

The [UK] government, already under pressure over a series of blunders in its immigration and prison services, has confirmed it wrongly branded around 1,500 innocent people as criminals due to a computer mix-up.

It said the Criminal Records Bureau (CRB), which carries out checks on people who have applied for jobs working with children or vulnerable adults, had confused the innocent people with convicted criminals because they had similar or identical names.

The names were stored on a police database.

Bear in mind that these are just the mistakes we know about: the people who were persistent or lucky enough to establish the truth. How many other people have had their reputations and careers ruined because of government incompetence? And the official response to this outrage? Apologies? Vows that it will never happen again? Far from it:

"We make no apology for erring on the side of caution. We are talking about the protection of children and vulnerable adults," a Home Office spokesman said.

There you have it. Far from being sorry, the government feels that it is appropriate to ruin the lives of the innocent. Exactly how branding innocent people as criminals protects children is left to the imagination of the reader.

Lib Dems: UK Government unable to protect existing databases, new ID card database an even juicier target

From Silicon.com:

"Organised crime will try and crack the identity cards database — the National Identity Register (NIR) — the Liberal Democrats have warned.

Last year it was revealed that the identities of 13,000 civil servants had been stolen and used by criminals to make fake tax credit claims.

Liberal Democrat home affairs spokesman, Nick Clegg, said the theft was a 'terrible omen' for the forthcoming ID cards scheme.

Clegg said, if organised criminals are capable of infiltrating the Department for Work and Pensions (DWP), 'it is clear they will target the identity cards database, where the stakes are even higher.'

Clegg said in a statement: 'The government's claims that ID cards will cut identity fraud look increasingly unrealistic. If the ID cards database is breached, people could find their iris scans and fingerprints — as well as personal data and national insurance numbers — stolen.'"

Irish users most aware of data retention

According to Google Trends Irish users are most likely to search on the terms "data retention" - outstripping the next country (the UK) by over two to one.I'm going to take this as a sign that Digital Rights Ireland is succeeding in raising public awareness of the issue.

UK plans to put your bedroom online - literally

The Labour party seems to have forgotten its past campaigns to keep the State out of the bedroom. From Contractor UK:

Digital pictures showcasing the interiors of taxpayers’ homes will be posted on the internet under freshly laid plans to be considered by the Deputy Prime Minister.

Under the scheme to revaluate 22 million homes, council tax snoopers could be given digital cameras to snap inside people’s homes, including their bathrooms, bedrooms and conservatories.

Confidentiality inside the home is an “old fashioned attitude” and taxpayers should feel no need to “hide” their expenses or value of their property, said Paul Sanderson, director of modernisation for the tax inspectors.

Instead, photographs of the property, details and “everything” about how much residents paid for their house, or rent, should be posted on publicly accessible website.

His suggestions have caused outrage among politicians and taxpayer alliances, while also raising fears among internet commentators.

Their concern centres on property information, including photographs, being sold in bulk to junk mailers and marketing companies, in light of the government’s decision to sell private data provided by the DVLA.

“Householders are already angry at the fact that camera-wielding tax inspectors can barge inside their family homes to record the number of bedrooms, size of their garage and their conservatory,” said Caroline Spelman, the Conservative minister.

“I suspect that people will be further shocked to discover that this private information would then be published on the internet for anyone to see and sold to junk mailers.”

The internet plan aims to reduce the number of people appealing against council tax payments by letting them use the website to compare their home’s value with neighbours’.

"Confidentiality inside the home is an 'old fashioned attitude'"? Words fail me. Fortunately, the drafters of the European Convention on Human Rights had something to say about this: "Everyone has the right to respect for his private and family life, his home and his correspondence."

More generally, this episode illustrates how seemingly unrelated areas of public policy impact on privacy. If a tax system requires disproportionate amounts of private information in order to function, the solution is not to put that information online for the world to see but to reform the system so that it is less privacy invasive, and to carry out privacy impact assessments before new tax policies are adopted.

High Court gives disappointing decision on video surveillance

In Atherton v. DPP the High Court has considered, apparently for the first time, the admissibility of evidence obtained by video surveillance.

The case concerned a defendant accused of damaging a neighbour's hedge. The neighbour resorted to video surveillance to catch the perpetrator, and placed a video camera in an upstairs window of a house across the street. From there, the camera recorded the neighbour's front garden, but also the front garden, driveway, door and windows of the defendant's adjoining semi-detached house.

The defendant argued that the resulting video footage of him was obtained unlawfully and in breach of his constitutional rights, particularly where it involved surveillance of his dwelling. This was rejected, however, by Peart J. who held that:

I am satisfied that the taking of video footage of the hedge and in so doing the front of the accused’s house is not an act which constitutes an unconstitutional invasion of the right to privacy as contended by Mr O’Higgins. First of all, it is obvious that the front of the accused’s house is something which is visible from the public road – perhaps only with the use of a ladder, but nonetheless visible. It is certainly visible from the upstairs of the house opposite, from which the footage was taken. In my view there is no meaningful distinction between the evidence of what was happening to the hedge in the garden opposite that house being given in the form of video footage, and that very same evidence being given by the owner of the house opposite if he arranged things so that he was standing at the same window as the camera was set up at and observing himself what was happening. He would undoubtedly be permitted to give evidence viva voce of anything which he observed happening in the garden into which he was looking, and it could not possibly be seriously contended that if that person also saw the accused re-entering his house through the front door, and while the door was open saw also into the hallway, that in some way that person had breached the accused’s right to privacy by seeing what he saw. The camera has done no more and no less than that.

Of course, a different view might easily be taken if the act of setting up the camera in the required position involved a trespass upon the property of the person to be observed. That is a different matter altogether. But that is not the position in this case. The point was made by Mr O’Higgins that this camera in the way it was set up had the capacity to see into rooms at the front of the accused’s house if the curtains were open. But in my view the problem with that submission is that the same arises if a person were to place himself at the window opposite and in the event that the owner happened to leave the curtains open.

I do not believe either that the accused’s application is assisted by the evidence given by the Garda that up to 70% of the footage contained in the frame of the video is taken up with the front of the accused’s house, rather than the hedge itself. One way or another I cannot see that there has been any breach of the accused’s right of privacy in relation to his dwelling and its curtilage – especially in the absence of any trespass or other unlawfulness. It is not necessary in these circumstances to consider whether the balancing of the rights was correctly undertaken by the District Judge was correctly carried out. There simply has been no breach as far as I can see, and therefore no justification of a breach need be investigated and considered.

This judgment is unusual, to say the least, and it is significant that no authority is cited by Peart J. for his ruling. Three points are particularly problematic. First, it relies on the fact that the area was visible from the public road (with the aid of a ladder!) or from the facing houses to deny that any privacy interest existed. This approach is entirely inconsistent with the caselaw of the European Court of Human Rights which made it clear in Peck v. the United Kingdom that privacy rights could subsist even in respect of CCTV footage of public areas. Secondly, it focuses on the fact that there was no trespass to the defendant's property. It is unclear, however, why this should be relevant. The tort of trespass deals with property rights - not privacy rights. Whether there is a physical invasion of the defendant's space should not be determinative. Indeed, the "trespass doctrine" has, after an ignoble history, been long since abandoned in the United States - see Katz v. United States, and there is no apparent reason why it should be resurrected here. Finally, the decision equates video surveillance with the view of a person who might place themselves at the window. This is to overlook, however, the pervasive and permanent nature of video surveillance - there is a qualitative difference between occasional transient views and continuous, permanently recorded, surveillance.

Instead, this appears to be a case where a balancing exercise would have been appropriate: and such a balancing exercise would probably have come to the same conclusion - that the video surveillance was not especially intrusive and was justified in the circumstances. By denying that any privacy right exists, however, the court sets an undesirable precedent.

[It may be worth contrasting this decision with the views of the Data Protection Commissioner in respect of CCTV cameras on the Luas line. In that case it was accepted that there was a breach of the Data Protection Acts where back gardens were being monitored by the Luas CCTV cameras. While there is certainly a greater expectation of privacy in a back garden, those gardens were presumably visible by travellers on the Luas line, which would have ruled out any privacy interest if we were to apply the reasoning of Peart J.]

Update (16/8/2007): Eoin Carolan has a very interesting piece in the Dublin University Law Journal ("Stars of Citizen TV" (2006) 13(1) DULJ 326) discussing Atherton.

Your personal information is for sale: Eircom and Garda computers edition

Billy Flynn (the private detective who exposed much of the Garda wrongdoing being investigated by the Morris Tribunal) has recently confirmed that your Eircom telephone records are for sale to the highest bidder, and that there is corrupt access to the Garda Pulse computer system. In an interview with Village Magazine he gives further details:

Central to the success of Billy Flynn in the McBrearty affair was his acquisition of the phone logs of Garda John O'Dowd, from whose phone extortionist calls were made to associates of the McBreartys. In all, he obtained the phone logs of over 30 people, most of them related to Garda phones. In the course of the extended interview with Village he disclosed that another investigator, a retired garda, is able to tap into the Garda Pulse system (ie, the Garda computer), but he (Billy Flynn) is not in a position to do that.

Billy Flynn explained: 'I was driving home from Dublin to Enfield and I gave a hitchhiker a lift. He was not a usual hitchhiker, something had happened his car and he was in a hurry to get to a destination before public transport would get him there. On the way I discovered he worked in Eircom and as he was getting out of the car I asked if he could help me. I told him what I had in mind and he said he would.

'Afterwards I would meet him in an agreed location. I would drive up and we would exchange envelopes, his containing the phone logs I needed and I remunerating him.'

Does anybody really believe that data retention information (including details of your emails and internet use) won't be abused in the same way?

US Data Retention Exposed

USA Today has revealed that the US has been engaged in secret data retention of telephone calls since 2001:

The National Security Agency has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth, people with direct knowledge of the arrangement told USA TODAY.

The NSA program reaches into homes and businesses across the nation by amassing information about the calls of ordinary Americans — most of whom aren't suspected of any crime. This program does not involve the NSA listening to or recording conversations. But the spy agency is using the data to analyze calling patterns in an effort to detect terrorist activity, sources said in separate interviews.

"It's the largest database ever assembled in the world," said one person, who, like the others who agreed to talk about the NSA's activities, declined to be identified by name or affiliation. The agency's goal is "to create a database of every call ever made" within the nation's borders, this person added.

For the customers of these companies, it means that the government has detailed records of calls they made — across town or across the country — to family members, co-workers, business contacts and others.

The three telecommunications companies are working under contract with the NSA, which launched the program in 2001 shortly after the Sept. 11 terrorist attacks, the sources said. The program is aimed at identifying and tracking suspected terrorists, they said.

The sources would talk only under a guarantee of anonymity because the NSA program is secret.

A disturbing aspect is the way in which the telecom companies agreed to voluntarily (and apparently illegally) hand over this information (in return, it should be noted, for substantial payment). Credit should be given to the one major company which resisted:

One major telecommunications company declined to participate in the program: Qwest.

According to sources familiar with the events, Qwest's CEO at the time, Joe Nacchio, was deeply troubled by the NSA's assertion that Qwest didn't need a court order — or approval under FISA — to proceed. Adding to the tension, Qwest was unclear about who, exactly, would have access to its customers' information and how that information might be used.

Financial implications were also a concern, the sources said. Carriers that illegally divulge calling information can be subjected to heavy fines. The NSA was asking Qwest to turn over millions of records. The fines, in the aggregate, could have been substantial.

The NSA told Qwest that other government agencies, including the FBI, CIA and DEA, also might have access to the database, the sources said. As a matter of practice, the NSA regularly shares its information — known as "product" in intelligence circles — with other intelligence groups. Even so, Qwest's lawyers were troubled by the expansiveness of the NSA request, the sources said.

The NSA, which needed Qwest's participation to completely cover the country, pushed back hard.

Trying to put pressure on Qwest, NSA representatives pointedly told Qwest that it was the lone holdout among the big telecommunications companies. It also tried appealing to Qwest's patriotic side: In one meeting, an NSA representative suggested that Qwest's refusal to contribute to the database could compromise national security, one person recalled.

In addition, the agency suggested that Qwest's foot-dragging might affect its ability to get future classified work with the government. Like other big telecommunications companies, Qwest already had classified contracts and hoped to get more.

Unable to get comfortable with what NSA was proposing, Qwest's lawyers asked NSA to take its proposal to the FISA court. According to the sources, the agency refused.

The NSA's explanation did little to satisfy Qwest's lawyers. "They told (Qwest) they didn't want to do that because FISA might not agree with them," one person recalled. For similar reasons, this person said, NSA rejected Qwest's suggestion of getting a letter of authorization from the U.S. attorney general's office. A second person confirmed this version of events.

In June 2002, Nacchio resigned amid allegations that he had misled investors about Qwest's financial health. But Qwest's legal questions about the NSA request remained.

Unable to reach agreement, Nacchio's successor, Richard Notebaert, finally pulled the plug on the NSA talks in late 2004, the sources said.

"The world was a safer place before t'internet. Oh yes. No risk out there in the real world, that's mad talk."

Media and government share a vested interest in hyping alarmist fears about the internet - fears good both for filling newsprint and justifying draconian laws. Eclectech neatly skewer the scaremongering in this hilarious animation (to the tune of the Teddy Bears' Picnic):

Dolores McNamara update: Social Welfare and Revenue snoops receive slap on wrist

The Sunday Times reports that one hundred officials who deliberately and consciously set out to snoop on the affairs of a private individual will escape with nothing more than a slap on the wrist:

MORE than 70 officials in the Department of Social and Family Affairs who breached the confidentiality of Dolores McNamara, the EuroMillions winner, when they accessed her files have been given a warning about their behaviour.

...

Officials at the department examined 106 cases where its staff logged onto McNamara’s records in the days after her record €115m jackpot win last July. It found that 72 of them had no reason to call up her details and, by doing so, breached department rules designed to protect the privacy of personal records.

The offending civil servants have been sent a formal letter pointing out that they are only supposed to consult such information as part of their assigned duties. They have also been warned that they will face disciplinary action, up to dismissal, should they ignore this advice.

A spokeswoman for the department said it was still looking into a further 19 cases where staff are believed to have wrongly accessed McNamara’s records.

...

The accessing of the files was revealed in The Sunday Times last September after details from McNamara’s tax and welfare records appeared in another newspaper. It claimed, wrongly, that the lottery winner was being investigated for welfare fraud and alleged she had been claiming payments while working.

The reports, which included dates, suggested the information could only have come from somebody close to McNamara or from people familiar with her records.

Under set procedures, staff are only supposed to access people’s records when they have a genuine business reason for doing so. In this case, only 34 employees were able to provide a reasonable explanation for examining the files, which included private welfare and benefits details.

...

The Irish Council of Civil Liberties also welcomed the outcome of the investigation. Malachy Murphy, its co-chairman, said: “Some people might say the civil servants got away lightly here, but we would respect the fact that the department has set disciplinary procedures and has to issue warnings to people, before going any further.”

He raised concerns, however, about the high number of staff who were able to call up McNamara’s records in the first place. “This case raises serious questions about the computer systems in use in government departments. It appears that excessive numbers of people are able to access detailed personal files and maybe this shouldn’t be the case.”

...

Earlier this year the Revenue Commissioners found that 28 of its staff looked up McNamara’s tax records after her win, even though they also had no reason for doing so. Thirty-two staff were originally under suspicion for accessing the files, but four were found to have valid reasons for doing so.

More on the Revenue invasion of privacy here.

More CCTV voyeurism

The Register points out that:

Tyneside police are investigating two civilian CCTV staff as part of a complaint into the 'possible misuse' of 'close-up' footage of naked participants in Spencer Tunick's mass nude shoot on the banks of the Tyne last July.

The Times has more details:

It is alleged that two police employees used the zoom lenses on the CCTV cameras to take close-ups of subjects and touted the images in pubs in the Tyneside area.

As I've said before the Irish Law Reform Commission warned about the abuse of CCTV in 1996 and again in 1998. To date, the Department of Justice has taken no steps to act on these warnings, despite rolling out extensive CCTV systems throughout Ireland.

More Australian moves towards Internet Censorship

The Herald Sun is reporting a Labor commitment to require ISPs to censor the material viewed by users:

INTERNET service providers (ISPs) will be forced to block violent and pornographic material before it reaches home computers if Labor wins the next federal election.

Under the policy, announced by Opposition Leader Kim Beazley today, international websites would be banned by the Australian Communications and Media Authority if they contained graphic sexual or violent material, rated R or higher.

The bans would be maintained by ISPs.

It appears from the report that this would be a mandatory filtering system subject to a possible user opt-out. I've mentioned the Australian proposals before and Electronic Frontiers Australia has more on the existing system of internet censorship.

Update: More on the politics behind the proposals. Via BoingBoing

Quis custodiet ipsos custodes?

The head of the Metropolitan Police in London has been caught illegally recording telephone calls:

The Attorney-General, Lord Goldsmith, has accepted an apology from the Metropolitan Police Commissioner Sir Ian Blair for recording a private telephone conversation, the minister's office said today.

Lord Goldsmith was said last night to be "extremely angry" at the revelation that a conversation he had with Sir Ian last year - ironically about the subject of phone-tapping - was one of a number that Sir Ian had secretly recorded.

[...]

Shami Chakrabarti, director of human rights group Liberty, went further in condemning Sir Ian’s actions. "I think that his behaviour appears to be unconstitutional, unethical, quite possibly unlawful," she told the BBC Radio 4 Today programme.

"No doubt he has an explanation, perhaps he has already given his explanation to the Attorney. I think now we all want to hear it, and if it doesn’t ring true and it’s not adequate, I think it’s very hard for any of us to have trust in him as the senior law enforcer, police officer in this country.

"The bitter irony of this is that is a governnment that has has made great play of its support for the police. In my view it's given them too many unchecked powers and here it is on the receiving end of this most appalling abuse of police power."

The recorded call with the Attorney-General is believed to have taken place last September, and concerned the admissibility of wire tap evidence in court - although it did not relate to any particular case.

An IPCC spokesman said the taped conversations with three of its senior officials came to light as part of its inquiry in the aftermath of the Stockwell Tube station shooting of Mr de Menezes. One call was with its chairman, Nick Hardwick.

The calls had been recorded "without our prior consent", the spokesman said, adding: "We are surprised about the recording of calls and now have the recordings. We are dealing with this issue."

Function Creep in Action: CCTV cameras used to generate revenue from motorists

The Sunday Times has the story:

When a London council decided to locate a CCTV camera in a quiet area of Camden the residents were delighted, especially as its declared purpose was to make the streets safer from muggers, drug dealers, burglars and car thieves. The £25,000 swivelling spy camera made them feel they were at last getting a tangible benefit from Camden’s rising council tax.

But it didn’t take long for them to discover it was going to cost a lot more — in ways they hadn’t expected. The camera proved not very good at identifying suspects lurking in the shadows but it was very good at reading residents’ car numberplates.

Since the Albert Street camera was installed last year its operators have issued 2,558 penalty notices for a range of minor motoring offences, such as double parking to unload groceries or allegedly blocking the flow of traffic.

CCTV images, left, record Jonathan Futrell pausing to pick up a friend in Albert Street. The car is stopped for less than a minute, but the result is still a fine.

Digital Rights Ireland is looking for your support

On the 6th December, Digital Rights Ireland formally launched. Our stated mission is to protect civil, legal and human rights in a digital age.

Now we're asking people who share that aim to help us out by pledging their money to DRI. If you're in a hurry and don't need to know more, here's where you can sign up:

www.digitalrights.ie/support

Since our launch, and without funding, we've managed to do the following;

Focus attention on data retention, by lobbying, use of parliamentary questions and encouraging media scrutiny of the European Parliament's vote to bring in a Data Retention Directive.

We've established ourselves as a point of contact for the media on digital rights issues. This is important, as editors are much more likely to run a story where they are able to present two competing views to their audiences. We've raised the profile of these issues across the entire range of media, including the Pat Kenny show, Newstalk FM, the Irish Times, Six One News, 2FM, Metro Ireland, the Star on Sunday, various local stations and (of course) internet news outlets such as The Register.

We have intervened in the filesharing debate to speak up for the privacy rights of innocent parties. We have also attempted, with some limited success, to inform the courts of relevant precedent.

We've started producing reliable, readable, guides to users' rights. So far, we have pamphlets on SMS Spam and Online Libel completed. More are in the works.

We have begun to introduce DRI to the other players involved in rights protection. We've met with the Data Protection Commissioner and with the Irish Council for Civil Liberties, and have been in contact with the Human Rights Commission. We've made a formal submission to the European Commission on Irish privacy laws.

We've also established DRI as Ireland's point of contact internationally in the digital rights sphere. We've joined EDRI , and have close relations with the Open Rights Group in the UK. We have also established informal links with other groups, such as the EFF, Liberty and Privacy International.

At the same time, we're working away behind the scenes on researching some of the issues which we expect to have to tackle in the months to come, such as the planned DNA Database and the proposals to introduce ID cards in Ireland.

Not a bad record for a three month old voluntary organisation working on a shoestring.

However, we're now reaching the limits of what we can do with no euro and no cent behind us. With your support, we could launch a flotilla of Freedom of Information requests, seeking information in targeted areas. We could raise awareness of digital rights issues in the professional spheres with a public conference. We could ship a representative to Brussels for crucial votes, to lobby our MEPs face to face. We could even pay for tea and coffee at our press conferences.

And, if needs be, we would be in a position to consider the possibility of seeking to block unconstitutional measures through the high-stakes gambles of the courts, as other advocacy groups regularly do.

Our suggested subscription rate is €10 per month. That is the cost of 2 pints. If we get 100 members willing to pledge that much to us, we will have a solid income base to work from.

We also have a concession membership of €5 a month. We aren't going to be checking IDs or anything like that - if you don't think you can afford to forgo both pints every month, then we'll happily spare you the effort of drinking one of them.

We have both a Paypal subscription option and our bank details for standing orders. Or if you like, you can bung us your full year's subscription in a single lump sum. And if you're not sure where you'll be for the next year, but know you'd like to send us something, we'd be most grateful.

Mechanics: Where does the money go? Money pledged to DRI will go to a bank account owned by Digital Rights Ireland Limited, a company limited by guarantee, registered with the Companies Registration Office in Dublin. As such, annual accounts will be filed for the company, which will be publicly available.

Who are Digital Rights Ireland Limited? Our Directors are listed here with links to their personal sites. Full details can be inspected via the Companies Registration Office.

[Cross-posted from digitalrights.ie]

Your personal information is for sale - Mobile Phone Location edition

The Guardian has an interesting story by Ben Goldacre entitled"How I stalked my girlfriend":

For the past week I've been tracking my girlfriend through her mobile phone. I can see exactly where she is, at any time of day or night, within 150 yards, as long as her phone is on. It has been very interesting to find out about her day. Now I'm going to tell you how I did it.

...

First I had to get hold of her phone. It wasn't difficult. We live together and she has no reason not to trust me, so she often leaves it lying around. And, after all, I only needed it for five minutes.

I unplugged her phone and took it upstairs to register it on a website I had been told about. It looks as if the service is mainly for tracking stock and staff movements: the Guardian, rather sensibly, doesn't want me to tell you any more than that. I ticked the website's terms and conditions without reading them, put in my debit card details, and bought 25 GSM Credits for £5 plus vat.

Almost immediately, my girlfriend's phone vibrated with a new text message. "Ben Goldacre has requested to add you to their Buddy List! To accept, simply reply to this message with 'LOCATE'". I sent the requested reply. The phone vibrated again. A second text arrived: "WARNING: [this service] allows other people to know where you are. For your own safety make sure that you know who is locating you." I deleted both these text messages.

On the website, I see the familiar number in my list of "GSM devices" and I click "locate". A map appears of the area in which we live, with a person-shaped blob in the middle, roughly 100 yards from our home. The phone doesn't go off at all. There is no trace of what I'm doing on her phone. I can't quite believe my eyes: I knew that the police could do this, and telecommunications companies, but not any old random person with five minutes access to someone else's phone. I can't find anything in her mobile that could possibly let her know that I'm checking her location. As devious systems go, it's foolproof. I set up the website to track her at regular intervals, take a snapshot of her whereabouts automatically, every half hour, and plot her path on the map, so that I can view it at my leisure. It felt, I have to say, exceedingly wrong.

...

Your mobile phone company could make money from selling information about your location to the companies that offer this service. If you have any reason to suspect that your phone might have been out of your sight, even for five minutes, and there is anyone who might want to track you: call your phone company and ask it to find out if there is a trace on your phone. Anybody could be watching you. It could be me.

This particular service isn't available in Ireland just yet. But other mobile phone location services are. MyHome.ie use similar technology to advertise houses based on their proximity to your mobile phone. 02 sell companies the ability to monitor the movements of their employees via their mobiles. And of course our Department of Justice has ensured that the movements of every mobile phone owner are tracked and stored for three years. It's time to make sure that adequate safeguards are put in place to control mobile phone location data - and by that I mean independent monitoring with teeth, not the ineffective and unaccountable internal administrative practices of mobile phone operators.

Dutch biometric passport cracked - personal details vulnerable

Biometric identity cards are being sold on the basis that they're supposedly secure. Before this debate comes to Ireland, it's worth noting that the Dutch biometric passport has already been cracked - allowing anyone to intercept your date of birth, facial image and fingerprint. To do this, they don't have to ever see your passport - merely come within 10 metres of a place where it is being used. (via The Register)

The innocent have nothing to fear: CCTV edition

We're often told that the innocent have nothing to fear. That extraordinary powers of surveillance won't be abused. This lady might disagree. From BBC News:

Two council CCTV camera operators have been jailed for spying on a naked woman in her own home.

Mark Summerton and Kevin Judge, from Sefton Council, Merseyside, trained a street camera into the woman's flat.

[...]

The images from the camera, including the woman without her clothes on, were shown on a large plasma screen in the council's CCTV control room in November 2004, Liverpool Crown Court heard.

Over several hours, she was filmed cuddling her boyfriend before undressing, using the toilet, having a bath and watching television dressed only in a towel.

[The trial judge said:]

"You only have to read the impact statements of the lady to realise the harrowing effect that this had on her.

"Her life has almost been ruined, her self-confidence entirely destroyed by the thought that prying male eyes have entered her flat."

It's worth noting that the Irish Law Reform Commission warned about the abuse of CCTV in 1996 and again in 1998. To date, the Department of Justice has taken no steps to act on these warnings, despite rolling out extensive CCTV systems throughout Ireland.

[Edited to add:] The Garda Siochana Act 2005 does address CCTV operations in section 38. That section provides no real safeguards however, and certainly does not meet the recommendations of the Law Reform Commission. It authorises the installation and operation of CCTV by the Garda or Community CCTV schemes. It does not prohibit others from putting CCTV in place to monitor public areas, nor does it require any permission before they can do so. Although authorisations to install Garda / Community CCTV systems can have conditions attached to them, those conditions are not backed by any criminal or civil sanction - the worst that can happen is revocation of the CCTV authorisation. The activity referred to in the above story, if it happened in Ireland, would most likely see the perpetrators escape any punishment.

Garda Traffic Surveillance - Privacy Implications for Motorists?

The Irish Times reports that the police are proposing to bring Automatic Number Plate Recognition (ANPR) to Ireland:

The computer will be installed in Garda Traffic Corps vehicles and is due to be introduced in the coming months, The Irish Times has learned.

The computer and camera system will allow for the instant reading and analysis of registration plates of all traffic passing a Garda car. The system will be linked to the Garda's Pulse computer database.

It means any vehicles which are not taxed or insured or which have been reported stolen will trigger a warning notice on an in-car computer screen.

A warning will also be triggered for cars which have not passed the National Car Test (NCT) or which have any other outstanding infringement.

This will allow gardaí to give chase and issue a fine to the motorist. It will also allow gardaí to instantly identify repeat offenders who have ignored previous fines and other sanctions and to put them off the road.

Currently, if gardaí want to check on a vehicle they must call their local station via in-car radio and ask a colleague to manually check the registration on the Pulse system. This is time-consuming and means only a small number of checks can be carried out.

Under the new system, 50 Garda Traffic Corps vehicles will be fitted with two small in-car cameras. One camera will face to the front of the vehicle and the other to the rear.

The two cameras will allow for instant analysis of registration plates of all vehicles passing in both directions, whether a Garda vehicle is moving or parked by the roadside.

This scheme raises many questions. Will the Gardaí have access to the name and address of every motorist passing by? (In the US, where systems like this have been in place for some time, it's common for police to look up the details of an attractive woman in a passing car - known as "running a plate for a date".)

Given that the vast majority of motorists scanned will be entirely innocent, what happens to their data? Will it be retained? If so, for how long? What privacy safeguards have been built into the system? Has legal advice been taken on the data protection issues of ANPR? Will this be a precursor to a much wider system?

ANPR has already been controversial in other countries - notably England - so there is no excuse if it turns out that the Gardai and/or the Department of Justice have failed to consider these issues.

Last Chance to Fight EU Data Retention

Next Tuesday, the 13th of December, the European Parliament will vote on a Data Retention Directive. This proposes to extend data retention to the Internet, and will result in your ISPs logging every email you send, every web page you visit, and everything else you do online and storing that information for several years.

We urge you to email, fax or phone your MEPs as soon as possible to express your opposition to this measure, which will introduce mass surveillance of every man, woman and child in the EU.

As to what you should say, it is best if that comes directly from what you consider important. However, Privacy International and EDRI have adopted a position (which DRI has endorsed) setting out five key criticisms of the Directive. Feel free to copy and paste these if you wish.

1. This Directive invades the privacy of all Europeans. The Directive calls for the indiscriminate collection and retention of data on a wide range of Europeans’ activities. Never has a policy been introduced that mandates the mass storage of information for the mere eventuality that it may be of interest to the State at some point in the future.

2. The proposed Directive is illegal. It contravenes the European Convention on Human Rights by proposing the indiscriminate and disproportionate recording of sensitive personal information. Political, legal, medical, religious and press communications would be logged, exposing such information to use and abuse.

3. The Directive threatens consumer confidence. More than 58,000 Europeans have already signed a petition opposing the Directive. A German poll revealed that 78% of citizens were opposed to a retention policy. The Directive will have a chilling effect on communications activity as consumers may avoid participating in entirely legal transactions for fear that this will be logged for years.

4. The Directive burdens EU industry and harms global competitiveness. Retention of all this data creates additional costs of hundreds of millions of Euros every year. These burdens are placed on EU industry alone. The U.S., Canada and the Council of Europe have already rejected retention.

5. The Directive requires more invasive laws. Once adopted, this Directive will prove not to be the ultimate solution against serious crimes. There will be calls for additional draconian measures including:
* the prior identification of all those who communicate, thus requiring ID cards at cybercafes, public telephone booths, wireless hotspots, and identification of all pre-paid clients;
* the banning of all international communications services such as webmail (e.g. Hotmail and Gmail) and blocking the use of non-EU internet service providers and advanced corporate services.

Helpfully, we in Ireland are in a unique position to lobby our MEPs - because the Government has already stated it is so opposed to this particular draft that they will bring a case to the European Court of Justice to block it if the European Parliament approves it. Thus even MEPs from the Government Parties have no reason to support the proposed text in Tuesday’s vote.

It is not too late to stop this law: please join us by contacting your MEPs to say no to a surveillance society.

[Cross-posted from Digital Rights Ireland.]

Digital Rights Ireland Launches

Next Tuesday, December 6th sees the formal launch of Digital Rights Ireland, with a press conference in the Conference Room, Pearse St. Library, Dublin 2 at 11.00am. (Directions). We would like to formally invite to you to come along - we'd welcome your support, and the chance to chat with you about your concerns after the main conference. Please feel free to invite anyone else who you think would be interested in digital rights.

Your personal information is for sale - Motorists edition

The Mail on Sunday headline says it all: "DVLA sells your data to criminals"

The Government is selling the names and home addresses of motorists on its drivers' database to convicted criminals, a Mail on Sunday investigation has revealed.

The Driver and Vehicle Licensing Agency (DVLA) tells would-be wheel-clampers there is "no problem" with them buying drivers' home addresses - even if they have a criminal record.

Indeed, the two bosses of one clamping firm on the list of companies to whom the DVLA is happy to sell drivers' details are currently serving seven years' jail between them for extorting money from motorists.

The Mail on Sunday has now forced the DVLA to hand over its list of 157 firms which can buy personal information about drivers at £2.50 a time. All the companies need do is tap in a registration plate, and back comes the full name and address of the vehicle's owners.

The dossier shows that details of millions of drivers have been made available to bailiffs, credit control companies, debt collection agencies, property management firms, leisure centres, solicitors - and even one of the world's biggest loan and financial services companies.

A number of other companies on the list appear to be dissolved or simply not to exist.

The revelations, which suggest that the DVLA is in flagrant breach of data protection laws, last night caused a storm of protest, with MPs demanding an immediate end to the practice.

In Ireland the bodies which hold this information are the motor tax offices of each local authority. Queries have to be made by letter, and they charge somewhat more per query at €6. The legal basis for disclosure is Regulation 23 of the Road Vehicle (Licensing) Regulations, 2003:

A licensing authority shall, upon application, supply particulars from the licensing records or the joint licensing records:
(1) upon payment of the relevant amount specified in the Third Schedule to these Regulations, to any person who satisfies the licensing authority that he has reasonable cause therefor

The Regulations don't define "reasonable cause", leaving this up to the judgment of the manager in the relevant local authority. There doesn't appear to be any particular system in place to vet applications for release of these details. There may be scope for an enterprising journalist to put in a freedom of information request to see whether any similar abuses have taken place over here.

Introducing Digital Rights Ireland

I've been involved recently in helping to set up Digital Rights Ireland, a civil rights group which will focus on issues such as privacy and freedom of expression online. We're now working towards a launch, and as part of the pre-launch publicity I recently did a podcast interview with Tom Raftery.

The interview covered how DRI came to form, what are our core beliefs and where we'll be taking the campaign for online civil and human rights. You can listen to the mp3 of the podcast here:
http://www.tomrafteryit.net/everything-you-blog-is-false/