After TalkTalk hack, should the government think again on plans to expand personal data retention?

On Thursday, I blogged about why you should be concerned about the government’s plans to expand online surveillance as part of the forthcoming Investigatory Powers Bill, even if you subscribe to the “I’ve got nothing to hide” school of privacy.

By unhappy coincidence, on the same day I was writing about how obliging internet service providers and other communications providers to collect and retain more information about its customers will create golden opportunities for criminals, TalkTalk first announced it had been the victim of a cyber-attack and personal and banking details of current and past customers may have been accessed by hackers.

Impacts of personal data theft

In the days since TalkTalk went public with the news, more details of the attack have emerged and there have already been reports of money going missing from people’s banks as well as the all-too predictable scam phone calls. It’s also terrible but not exactly a great shock to read that TalkTalk may not have even taken steps to encrypt all its sensitive data. As I sat down to write this around Saturday tea time, I’ve just read that TalkTalk are now saying the hack may not have been as bad as initially feared, breaching their website but not their core system.

Investigatory powers bills: mo data, mo problems?

However bad the TalkTalk eventually hack turns out to be (and we may never know precisely how much personal data the criminals got away with), I hope this latest incident focuses the minds of MPs and the wider public on the wisdom of ever greater personal data collection and retention.

Should the Investigatory Powers Bill becomes, communications companies including TalkTalk will be required to store detailed customer records, covering everything from browsing history, email conversations, social media use and WhatsApp messages. If it turns out TalkTalk has not adequately secured the much more limited information information it collects on customers at present, can we realistically trust them and other companies to do a better job when faced with managing far larger amounts of personal data?

3 Reasons why you should be worried about the Investigatory Powers Bill

Last Wednesday I arranged for Jim Killock, Executive Director of the Open Rights Group, to give a talk to Open Rights Group Birmingham about the threat mass surveillance poses to our human rights and democratic society.

I was spurred on to organise the talk because of the UK government’s plans to introduce new surveillance legislation this autumn, known as the Investigatory Powers Bill, which will (amongst other things) give the government legal power to collect, analyse and retain in a gigantic database for 12 months everyone’s electronic communications interactions (phone, email, web history, text and WhatsApp messages, etc) regardless of whether you are suspected of committing a crime.

The surveillance debate – even boring by  C-SPAN standards?

Photo of old mattress left out on the street. Photo by colleen_elizabeth
Bulk data collection or bulk waste collection. Remind me what’s the difference again? Photo by colleen_elizabeth

Cleverly, the government has managed to couch the surveillance debate in language that is, to quote Jon Oliver, “even boring by C-Spann standards”. Talk of bulk data collection is more likely to evoke a service your local council might offer to help you get rid of an old mattress than a scene from The Lives of Others. And even if you can get your head around the opaque language being used, most of the attention in the debate focuses on the (rightly) emotive issues of terrorism and serious crime, leaving little time to consider the effect mass surveillance has on innocent citizens and the health of our democratic society.

In the interests of balancing out the surveillance debate ,  I’d like to borrow liberally from Jim’s talk to share with you 3 reasons why you should be worried about the government’s plans, especially if you think the Investigatory Powers Bill won’t affect you.

1. Mass surveillance undermines democratic accountability

An aerial image of the Government Communications Headquarters (GCHQ) in Cheltenham, Gloucestershire. Photographer: GCHQ/Crown Copyright
Aerial photograph of the Government Communications Headquarters (GCHQ) in Cheltenham, Gloucestershire. Are MPs in a position to hold GCHQ to account if they didn’t even know their communications were being eavesdropped? Photographer: GCHQ/Crown Copyright

Up until last week, MPs and members of the House of Lords believed their communications were protected by the so-called ‘Wilson Doctrine’ and so were not subject to the same eavesdropping as the rest of the general population.

Last week, the Investigatory Powers Tribunal announced these assurances had been:

“a political statement in a political context, encompassing the ambiguity that is sometimes to be found in political statements”

Furthermore, even if the statements of protection had been given in good faith, it is not technically possible to offer these assurances in an era of bulk data collection of the entire population’s electronic communications.

The tribunal’s ruling has, predictably, led to much soul searching by politicians of all stripes, with Labour’s Chris Bryant even managing to secure an emergency debate on the issue on Monday.

For me, the confusion caused by the ruling reveals the extent to which the surveillance agenda has managed to circumvent conventional democratic accountability.

Essentially, all of us, including the vast majority of elected politicians, are told to trust the authorities who tell us mass surveillance is necessary to protect national security and not to ask too many questions.

In this culture of secrecy, asking questions is deemed to be undermining the effectiveness of the authorities’ work and giving tacit cover or support for terrorists. Consequently, it becomes impossible to have an open, democratic debate about how we best go about balancing the security needs of our country with respect for our human rights.

We should be extremely wary of allowing the Investigatory Powers Bill to pass without having an open and democratic debate about the kind of country we want to live in and where the balance lies between the powers of the state and the rights of individual citizens.

2. The Investigatory Powers Bill will undermine the free press and civil society

3 police officers guarding Downing Street. Photo: Egghead06
3 police officers guarding Downing Street. Should the police have used surveillance legislation intended for anti-terrorism work to investigate the Plebgate scandal? Photo: Egghead06

While you may feel you don’t have much to worry about in terms of the authorities accessing your records, there are and will always be people who do need privacy protection.

Journalists need privacy protection. Imagine, for example, you are a journalist and you have received a tip off about Police wrongdoing. Would you be brave enough to investigate the allegation if you thought your communications could be accessed by the very same organisation?

This is precisely what happened in the case of the Plebgate scandal.The Metropolitan Police were able to use existing surveillance legislation known as Ripa, which was intended to be used in terrorism cases, to access the mobile phone records of The Sun’s political editor without first getting a warrant. By doing so, they were able to discover which officers inside the police had been talking to the journalist and take disciplinary action against them.

Whatever you think of The Sun and Rupert Murdoch’s News International operations, I hope you’ll agree that it’s not right that the UK’s surveillance legislation can be used to hamper the media. If that is what is possible under today’s legislation, we should think carefully before expanding the amount of data authorities can gather on all of us.

Even if you think that journalists by virtue of the job they do are fair game for the authorities, their sources still need to be protected. The Investigatory Powers Bill, by expanding data collection and giving the police and other authorities more rights of access, will make normal, everyday people more reluctant to come forward and report wrongdoing.

3. Mass surveillance is a golden opportunity for criminals

Illustration of a thief running away with a bag containing 0s and 1s of data. Photo: Perspecsys Photos
Will increased personal data collection and weakened encryption create more opportunities for criminals? Photo: Perspecsys Photos

Even if you are personally comfortable with the idea of the government passing more surveillance legislation without proper democratic debate and don’t care all that much about the rights of journalists and whistleblowers, chances are you wouldn’t be too keen about criminals getting hold of your personal information.

By obliging Internet Service Providers and other communications companies to collect greater amounts of personal data and store it for longer periods of time, the government risks creating more tempting opportunities for criminals to steal our data and use it to facilitate a range of crimes.

As well as increasing the total amount of personal information for criminals to target, government efforts to weaken encryption will make it easier for criminals to break into that data. While the government may wish to believe it can demand a special key or ‘backdoor’ to unlock encrypted that only it can use, the reality is criminals will discover this vulnerability and, in so doing, undermine the encryption that not only protects our privacy but is essential for online banking and secure e-commerce payments.

Day For Failure: What I Learned from ‘Deferred Success’ at Islington Council

Green direction signs giving directions to Success Lane and Failure Drive. Photo: Chris Potter / Stockmonkeys.com
Green direction signs giving directions to Success Lane and Failure Drive. Photo: Chris Potter / Stockmonkeys.com

So apparently today has been declared International Day For Failure (hashtag #DayForFailure), where we’re encouraged to share our tales of failure in order to challenge our collective reluctance as human beings to acknowledge and learn from our mistakes. To borrow a phrase from the tech start up world, we should all be aiming to ‘fail fast’, figure out what’s working and what’s not and then take steps to improve.

As a former local government officer, it’s taken me a while to come round to the idea of being comfortable acknowledging one’s failures. I certainly don’t remember this being covered as part of the National Graduate Development Programme. Still, if I’ve learned anything in the five and a bit years since I left the sector (and some days I do question whether I have), it’s the importance of being honest with yourself at least about how projects went, what my contribution was to the deferred success and what I would do differently (given the chance).

To celebrate Day of Fail, I would like to share with you with you the fail I think about the most. I’m not sure if it’s my biggest fail (after all, it’s never wise to rule out unconscious incompetence) but it’s the one I have learned from the most.

Can you relate to my fail? If so, I’d love to know what happened and what you’ve learned from the experience.

Do you think failure can ever be honestly acknowledged or is the tendency to airbrush our pasts too great?

You can share your own fails (and what you learned from them) on Twitter using the hashtag #DayForFailure.

Failure to launch: Implementing a Disability Equality Scheme at Islington Council

Between 2007 and 2009 I worked as lead officer for disability equality at Islington Council. My overarching responsibility was to ensure the council took a pro-active approach to advancing equality for disabled people when delivering its functions.

Essentially, I was attempting to move the council’s approach to disability from one where staff would try to help individual disabled people who had difficulty accessing a library or leisure centre to one where the council worked with disabled people to design accessible services and identify barriers BEFORE an individual had to complain or ask for help.

So far, so simple. Unfortunately, for much of my time at Islington I found myself bogged down in the process of developing ambitious departmental action plans and getting these signed off. This took up energy and attention on both side – the time spent negotiating and renegotiating what actions would go into the action plans would have been much better spent actually getting out there and working with disabled people to make real world improvements to services.

Looking back on the episode with the benefit of hindsight, I can see both what I did wrong and the scale of the challenge I faced in trying to advance disability.

The way I approached the task contributed to the Disability Equality Scheme becoming bogged down. As a young(ish) and idealistic council officer, I sincerely believed in disability equality and was optimistic about the role the council could make to enabling disabled people to play a full and equal role in society. I naively assumed other officers would be on my wavelength or, at the very least, quickly come round to my way of thinking and make disability equality a priority.

I eventually realised that this was an unreasonably optimistic worldview. In the majority of cases, disability equality was but one of many priorities which departments were responding to. The more experienced senior managers I often found myself negotiating with got this and understood that whatever the letter of the law stated Islington Council should be doing on disability equality, local political priorities came first.

It also goes without saying that in any change process you should never under-estimate resistance that comes from fear of the new and possibly apathetic tendencies.

My passion for disability equality, together with my natural tendency to be a stickler for the letter of the law, led me to push for commitments from departments that were never going to fly. Were I to have my time again, I would like to think I would be more realistic about how much I could change the council and what tactics I would use to secure changes.

My top 3 lessons from my failure are:

  1. Be realistic about how much you can change and how much authority you have. 

Just because the law says an organisation should be doing 10 things, don’t hold out for complete implementation. Form a realistic assessment of how much change is possible right now. Have frank conversations with senior leaders (both political and managerial) and agree with them how far they are prepared to go, explaining to them the risks they will have to assume if they should be deemed to not meeting their legal requirements

2. Get some early  quick wins in early

This point is pretty obvious but when faced with a complex task, it’s easy to get bogged down in the more contentious aspects. I did partly achieve this at Islington, securing important improvements to the accessibility of public buildings and council information. I wish I had spent less time negotiating action plans and more time making sure staff were supported to spot and address the little barriers which collectively make a big difference.

3. Recognise and work with the grain of different personalities

I mentioned earlier how I assumed most people would be committed to disability equality. I was wrong about this. It’s not that people were hostile to equality, it was that it was not top of their list of priorities.

At Islington I got over my initial naivety and used a variety of carrots and sticks to secure change. With any change project it is necessary to use different tactics to bring on board supporters or neutralise blockers but looking back now I wish I had spent more time working with those people who were amenable to disability equality, rather than spending time and energy trying to persuade more reluctant departments and individuals.

Can you relate to my fail? If so, I’d love to know what happened and what you’ve learned from the experience.

Do you think failure can ever be honestly acknowledged or is the tendency to airbrush our pasts too great?

You can share your own fails (and what you learned from them) on Twitter using the hashtag #DayForFailure.