In spite of our previous post about the NHS, this blog is concerned primarily with data in general, and the impact of technology on personal information in particular.

So, at the risk of appearing to stray off topic, we’ll start today with Gordon Brown’s plan to liberalise the UK’s rules on organ donation. The prime minister wants everyone in the UK to be automatically included in the organ donor register under a system of “presumed consent”. Anyone who objects to having their kidneys re-used after their death would have to opt out of the system.

The thorny issue of organ donation provokes visceral (sorry) reactions in most, if not all, of the population: some see it as inherently selfish not to let others use your lights after you’re dead; others see it as yet another example of the creeping nanny state robbing citizens of jurisdiction over their own bodies.

There are, of course, powerful arguments both for and against presumed consent, and it’s beyond the remit of this blog either to defend or denounce Gordon’s plan.

But the principle of consent, and specifically the opt-in / opt-out debate, sits at the very heart of the continuing debate about the protection of our personal data, especially on the web.

Should services that use our personal data be opt-in or opt-out? Most people would instantly and decisively declare that any Internet service which collects, processes, uses or stores our personal data should naturally be opt-in.

We strongly disagree.

Regular readers will know that this blog tries to champion people’s right to privacy, whether online of offline, so there might be some who are surprised that we feel so strongly against the opt-in model. After all, shouldn’t we have to give our express permission, based on thorough information, before allowing others access to our private lives?

Ah, but indeed; and therein lies the problem.

Every time we tick the checkbox accepting terms and conditions – be it for a website, a new online service, or to set up an email account – we are giving our consent to everything in the small print.

When was the last time you read through a website’s Ts&Cs? In fact, have you ever done so? Do you know what you consented to when you signed up to watch YouTube or set up a Google Mail account? No, but you checked the box without thinking, just because you were impatient to get on with it.

And that’s where the danger of opt-in lies. Irresponsible sites – unlike YouTube and Google Mail – can use the opt-in mechanism to obtain people’s explicit consent for any number of nefarious activities by slipping new services into their terms and conditions, knowing that the vast majority of people will blithely tick the box without reading them.

Much better, then, to obtained people’s informed consent before they sign up – let them know exactly what they’re consenting to by having an unavoidable notice, explaining any changes to service, on the log-in page.

No reasonable person can argue that it should be easy as possible for people to see what they’re signing up to; yet most campaigners on this issue seem still to be in thrall to the sanctity of opt-in, which makes it so easy for people to bury nasty surprises in the Ts&Cs.

This visibility, this informing of stakeholders, is what’s lacking from the prime minister’s plans for presumed consent. While presumed consent is fair to the educated, literate and informed, it ignores the much greater majority of people who are not au courant and thus are in no position to give informed consent to organ donation.

Of all the categories of sensitive data, it is information about our health and our medical histories that is perhaps the most personal and private.

For example, you wouldn’t want a stranger – or worse, a colleague – knowing that you’re being prescribed Anusol Ultra for your chalfonts, would you? Nor would you want your boss to know about the methadone prescription, or your mother to know about your latest suicide attempt. Unless, of course, it was a cry for help.

But even if it contains nothing as dramatic as an overdose, we tend to guard our medical history very jealously.

So it may come as a shock to learn that not only has the NHS amassed a central database of around one billion confidential records of patient visits to hospital, it is routinely sending some of these records to an academic organisation outside the NHS. These records contain personally identifiable information, such as postcodes and NHS numbers, as well as medical information, including diagnoses and any treatment given.

Now, a certain breed of querulous privacy advocate will start whining the moment they hear the words “giant database” in conjunction with “confidential data”. Not so data grub: we understand that there are often the very best reasons for aggregating personal data, as long as stringent measures are in place to ensure absolute confidentiality.

In this case, the aim is to use this vast resource of information to improve the NHS’s service and treatment outcomes, which I think we can agree is a Good Thing.

The other good news is that both the NHS and the academic organisation that uses this data, the inanely-titled Dr Foster Unit, seem to have taken decent precautions to protect patients. All data is held on encrypted discs and is sent by secure courier, which is a pretty good start. Then, at the Dr Foster Unit, the data is kept in secure offices, on disc-less workstations which have no link to the Internet.

While this compares pretty favourably with the cavalier approach towards data security shown by other public sector bodies, among them the Ministry of Justice, the MoD and the Department for Work and Pensions, it’s certainly far from perfect.

Our main gripe is that personally identifiable information (PII) is contained within the data that’s being sent out of the NHS. While PII such as postcodes may be vital for making distinctions between different areas of a town or the country, surely the NHS should secure people’s informed consent if they are to use their data in this way?

So, two cheers for the NHS and the Dr Foster Unit for at least trying to apply best practice to the use of sensitive data. But, as we asked at the beginning, why should anyone other than one’s doctor be able to look at your confidential medical history, even if it’s just some academic at Imperial College?

Now, if they anonymised this PII irreversibly, ensuring that records cannot be traced to an individual, while at the same time remaining useful to the bean counters (all perfectly possible with today’s technology), well – that would be just what the doctor ordered.

We’re big fans of Richard Thomas here at data grub.

Mr Thomas, as any fule kno, is the UK’s Information Commissioner and head of the Information Commissioner’s Office. They’re the independent regulatory office dealing with all sorts of privacy legislation like the Data Protection Act, the Freedom of Information Act and many others too numerable and mind-numbing to mention.

Put succinctly, Mr Thomas and his team are there to prevent the creeping threat of a Big Brother state, and also to stop any attempt by private companies to read our emails, share our data or plant transponders in our brains that constantly remind us that Sud-U-Like Washes Even Whiter.

It’s a pretty thankless task, but one that he and his team have been doing pretty bloody well, at least in my opinion. They’re not afraid to stand up for citizens’ privacy when it’s genuinely threatened by big business or big government, while at the same time ever-ready to slap down spurious, misinformed petitions from bleating, single issue, self-important “privacy experts”. (I think you’ll know whom I’m referring to, Alex…)

So even though the latest utterance to pass the Commissioner’s lips could have come from the Department of The Bleeding Obvious, at least it’s being said by someone whose words carry weight.

In a speech yesterday Mr Thomas warned that the proliferation of ever larger centralised databases is increasing the risk of people’s personal data being lost or abused.

He also drew attention to bears’ predilection for sylvan defecation and raised questions about the Pope’s dedication to Islam.

But sometimes you do need to state the obvious, loudly and often. This is one such time.

Because on Tuesday, Jacqui Smith was forced to admit that the Government will soon begin technical work on its giant database of all email, text, phone and web traffic – even though the legislation has yet to be passed by Parliament.

Of course, the present Government is completely contemptuous of Parliament and will go ahead with its plans whatever Richard Thomas, or anyone else, says.

Which is a shame, because much of Mr Thomas’ speech was given over to a report on how reported data losses have soared in the past year. The number of data breaches – including lost laptops and memory sticks containing sensitive personal records – reported to him has risen to 277 since the loss of 25 million child benefit records was disclosed nearly a year ago.

The new figures show that the information commissioner has recently launched investigations into 30 of the most serious cases. The 277 breaches include 80 reported by the private sector, 75 within the NHS and other health bodies, 28 reported by central government, 26 by local authorities and 47 by the rest of the public sector.

Mr Thomas pointed out that as new technology is harnessed to collect vast amounts of personal information, the risks of it being abused increase: “It is time for the penny to drop,” he said. “The more databases that are set up and the more information exchanged from one place to another, the greater the risk of something going wrong.”

“The more you centralise data collection, the greater the risk of multiple records going missing or wrong decisions about real people being made.”

It is not difficult to grasp this concept, Jacqui. It is a simple, elegantly expressed and indisputable fact. But why listen to boring old Richard Thomas?

Sir Ken Macdonald, the director of public prosecution (DPP), speaking after Smith’s admission, weighed in to warn that the government was in danger of “breaking the back of freedom” with the relentless pressure of a security state.

But I think Richard Thomas’ point is the stronger – if we can’t trust the government with our private data now, how the hell are we supposed to trust it when it holds details of all electronic communications in the UK?

By the way, have a look at  http://www.guardian.co.uk/technology/2008/oct/29/data-security-breach-civil-liberty for Thomas’ table on this year’s data breaches.

Ta ta for now, data chums!

I’m delighted to announce that this week we have a guest editor, a Ms H.W. from somewhere in the South East. You’ll immediately notice the balance, reasoned argument and tolerance of other nationalities that has, until now, been so clearly absent from this blog. So, without further ado, I give you Ms H.W.:

A German Court has given permission for website operators to store internet protocol (IP) addresses of their visitors, claiming it does not violate data protection legislation. Surely not? I hear you cry. Yet they say that without additional information IP addresses can’t be classified as personal data because they cannot be easily obtained and used to determine a person’s identity. Note they said data cannot be easily attained therefore it is in fact still possible. The court in Munich did present a good case by ruling that ISPs could not present information to third parties regarding who had been using a certain IP address at a particular time without a court order.

The German court ruling is in fact consistent with the advice issued by the UK’s Information Commissioner last year. However, this did point out that IP addresses could constitute personally identifiable information (PII). This has resulted in people including The Article 29 Working Party (a reference to the 29th article of the European Directive concerning the protection of EU citizens’ personal data) to argue that if it could become personal data it should be treated this way regardless.

As a nation we put a certain amount of our trust in online actors including behavioural targeting firms, internet service providers and search engines, to use our data correctly and appropriately. The big question is: does using this data breach our privacy laws? The German court obviously thinks not.

I wonder if Pythias Brown, 48, from New Jersey agrees. He used to be a baggage screener at an airport and in charge of people’s property. He admitted to stealing regularly from his workplace and selling the stolen items on eBay using the handle “alirla”. Brown was found by investigators who tracked down this alirla account using Brown’s IP address for his home computer. This case provides a great argument against the claim that IP addresses cannot be counted and used as personal data. It would appear privacy here has most certainly been invaded.

Camden Town Council has more than quadrupled its surveillance of local residents since the introduction of the Regulation of Investigatory Powers Act (RIPA).

While the Act allows for the interception of communications and the use of covert human intelligence sources to prevent crime, including terrorism, it appears that Camden Council are using this legislation to spy on low-level offences, such as dog fouling, littering and checking whether or not a child lives in a certain catchment area.

Admittedly, Camden is the haunt of some of the most loathsome Untermensch that inhabit this fair city, from strutting, skinny-jeaned new media types to coin-eyed rip-off merchants selling “legal highs”.

But while I personally would be glad to sweep this whole swathe of faux-bohemia into the Regent’s Canal, I grudgingly have to admit that, owing to a loophole in the law, these people have the right to exist without being persecuted by the local council.

Of course, if the police and security services have reasonable grounds to suspect someone of planning a terrorist operation, that’d be a great time to start tapping the phones. But if you think that someone is mis-using a disabled parking badge, I would suggest that surveillance is both disproportionate and a fatuous waste of time and money.

Glad to see that this blog’s starting to have a bit of influence. Phorm has taken my advice (see previous post) and has drawn up a list of incentives for customers who opt-in to their Webwise targeted ad service.

Suggestions include:

(More information here: http://snipurl.com/3xi6t)

My next blog posting will contain details of how to solve the worldwide banking crisis, rid the world of HIV/AIDS and how to achieve a lasting resolution of the Israeli / Palestinian conflict.

A few Christmases ago, I was given a fascinating little book in my stocking. It was a facsimile of a booklet given to every American GI posted to Britain during the Second World War.

“Instructions for American Servicemen in Britain” is a wonderful, humane and charming insight into the British character and a revealing portrait of how the Englishman is perceived by his cousins.

For example, under the heading ‘British Reserved, Not Unfriendly’, the book warns that Britons will not strike up a conversation on a busy train because “…[living] on a small, crowded island, the British have learned to guard their privacy carefully.”

Not much has changed since then, has it? Britons are as apt to strike up a conversation with a stranger as the French are to take daily baths. And in the Internet age, with the perceived intrusions into our private lives and threats to our personal data, we’ve learned to guard our privacy even more jealously than before, haven’t we?

Not exactly. A new survey has found that 60 per cent of those questioned were happy to hand over computer password data which might be useful to potential ID thieves in exchange for a £5 M&S gift voucher.

In return for the voucher, Joe Public happily divulged how they remember their password and which online websites (from a range of email, shopping, banking and social networking sites) they most frequently use. Almost half of respondents (45 per cent) said they used either their birthday, their mother’s maiden name or a pet’s name as a password.

What we learn from all this is that the Englishman, rather than keeping a tighter grip on his privacy than a Scotsman keeps on his wallet, is more than happy to whore out his sensitive private data for a derisorily small pecuniary reward. This has important implications for many in the technology sector.

In this blog I’ve mentioned several companies and services which, fairly or unfairly, have had obloquy heaped upon them by so-called privacy advocates who claim (often in the face of overwhelming evidence to the contrary) that it impinges on their privacy. The answer for these companies is simple: gain consent for a “controversial” new service by offering a small financial enticement. Hell, there are people out there willing to hand over their banking passwords to a clipboard-wielding survey monkey in exchange for a lunch voucher.  I’m sure the same people would find “controversial” new technologies much less objectionable if they were given the smallest of incentives.

The British are, we are told with mind-numbing regularity, the most watched people in the world, with more CCTV cameras per head of population in the UK than any other nation in the world. (Though I hear the Chinese are catching up – the city of Shenzen will soon have two million surveillance cameras watching over a population of 12 million.)

Now, I read today in the paper (a real newspaper which you have to buy, like a grown-up) that the police are to expand their car surveillance operation that will allow them to record the details of millions of journeys every day, and to store this data for up to five years. 

I don’t have a visceral, knee-jerk antipathy to surveillance cameras. I do find them somewhat creepy and I am concerned about the centralisation of data detailing exactly where I’ve been all day. (Yes, I do have an Oyster card and yes I am aware that this too tracks me.) I’m also concerned about who has access to this data and how it’s used. For example, I’m not particularly impressed with councils using hardcore anti-terrorism legislation to snoop on litter droppers.

But unlike the witless graffiti vandal Banksy, I don’t think all surveillance is a bad idea. Cameras do occasionally help the police to foil a crime in progress; it has been known for CCTV recordings to lead to successful prosecutions in court. I would argue that this is not altogether a bad thing.

I’m sure that the cops’ plan to record 18bn number plates in 2009 will probably help them to solve and prevent more crimes. What I doubt is whether the scheme is proportionate, value for money or safe. If the database goes ahead, it will store a colossal amount of information on the private lives of identifiable individuals. Of course, GCHQ listens to our phone calls and if they cared to they could probably reveal you penchant for dirty phone calls and casual drug use. But they’re spies and are pretty good at keeping hold of information. (Rather too good at keeping hold of information, if the Omagh story is to be believed…)

My point is that before the Home Office implements a new, massive repository of citizens’ data, it must first show that they can be trusted with large amounts of highly sensitive information. Or small amounts, for that matter.

While I don’t necessarily deny a need for the police’s car surveillance plan, I do think the government needs to win the public debate on the need for such surveillance. Whether they will even engage in such a debate on this issue remains to be seen.

This week we’ve seen lots of talk about two flashy new browsers that have recently been launched in beta versions. First up, we have the latest iteration of Microsoft’s Internet Explorer, IE8, with which it hopes to gain ground on – among others – Mozilla’s successful Firefox application.

Hot on the heels of Microsoft comes Google’s first foray into the browser market with its own beta, called Chrome. (Chromium is the name of the open-source project which led to its development, for all you curtains-closed bed-sit dwellers out there.)

Of course, both these betas come with spangly new features and functions – higher speeds, more robust security, clearer user interfaces and so forth. It’s a shame, then, that most of the public and press have focused on their respective privacy features: Google’s Incognito and Explorer’s InPrivate modes. When activated, these settings prevent the browser from storing any history information or cookies from websites visited. Inevitably, this has been dubbed “porn mode” by…well, everyone.

Of course, both companies attempted to re-define their “porn modes” with spurious alternative reasons for use. Quote of the week comes from a spokesman for Google who (presumably sticking a needle into his thumb to stop himself from dissolving into giggles) straight-facedly claimed Incognito was “…for times when you want to…plan surprises like gifts or birthdays.”

No – it’s to stop the wife from knowing, rather than merely suspecting, that you look at some of the most repulsive pornography on the web.

Hairy-palmed husbands will no doubt welcome both browsers, as will the latest generation of gangly girl-shy teenagers who still use their parents’ Internet connection.

But will the “porn modes” prevent Microsoft and Google from storing your search terms and IP address? As we know, search engines already store records of who you are (IP address), where you’ve been (URLs) and what you’ve looked for (search terms). What’s to stop, say, Google from identifying you and your browsing behaviour for definitely-not-evil-at-all uses?

Er…nothing. Users who leave Chrome’s auto-suggest feature on and have Google as their default search provider will be giving Google access to any keystrokes that are typed into the browser’s Omnibox, even before they hit enter. Google have been good enough to admit to this: a representative said that that about “two per cent” of the data would be stored along with the IP address of the computer that sent the information.

In theory, that means that if one were merely to type the address of a site into the Omnibox, even without hitting enter one could leave incriminating evidence on Google’s servers.

I’ve got no problem with anyone – website publisher, search engine, browser – knowing where I’ve been. My problem is in them knowing who I am. Since they store IP addresses – and God knows what other personally identifiable information – that’s exactly what they do know.

Google says that turning on the Incognito mode will prevent it from harvesting your search queries alongside your IP address. If that’s true (and why would anyone doubt good-guy-Google’s word?) then the privacy modes could have an audience outside of the dirty mac brigade; I for one.

http://www.theregister.co.uk/2008/09/02/google_chrome_comic_funnies/

Another day, another data loss. This time, it’s Charnwood Borough Council in the spotlight with the news that one of their hard drives, containing taxpayers’ personal details, has turned up on eBay.

I’ll admit that news of yet another disastrous data loss by government is less than surprising. What is interesting is a piece in The Register which shows that these recent data losses are the result of the government’s failure to set and publicise standards for wiping data. This, El Reg claims, makes future and more serious incidents much more likely.

Now, as Gary Glitter and the staff of PC World Bristol can attest, when you “delete” a file on your computer it ain’t necessarily gone for good. To ensure that any sensitive or incriminating data is irrevocably removed from a device, be it a politician’s palmtop or a pop star’s laptop, it needs to be “wiped”.

The trouble is, the government doesn’t have any guidelines for the wiping of data.

Let me repeat that: the government doesn’t have any guidelines for the wiping of data.

So, government bodies, agencies, departments and so on are setting their own standards for preventing unauthorised disclosure of data. And bless them, I bet they try their best, but they’re getting sod all help from central government.

Instead, they’re bizarrely borrowing bits from US government guidelines. That’s what happened in Charnwood Council’s case. Lacking a UK standard for data wiping, it seems that the Council instead required third parties to apply (deep breath) DoD Standard 5220.22M (exhale) to all data erasures.

To cut a long and tedious story short (and to save you from a plethora of Yankee acronyms and initialisms), this standard is from a manual published by the US Department of Defense which addresses the issue of preventing unauthorised disclosure of classified information.

On the surface, this looks like quite a smart move by Charnwood Council: after all, they were modelling their data security standards on one of the most successfully secretive organisations on the planet.

Unfortunately, when Charnwood Council set its criteria for supplier selection, the edition of this manual didn’t specify any particular method for securely wiping data.

You’ve got to give a sleepy, bucolic council like Charnwood full marks for effort for cribbing guidance off the US Department of Defense – it’s just a shame the bits they borrowed didn’t give tell them how to go about wiping data.

 The guidelines for data wiping were finally published in this year’s manual, along with an enhanced “Clearing and Sanitization Matrix”, which sounds like a rather sinister euphemism for the Department of Defense’s day-to-day work.

Until the UK Government pulls its finger out and issues clear and comprehensive methods for wiping information, we can expect more, much more, of the same…

(The full Register article is here, in all its complexity: http://www.theregister.co.uk/2008/09/01/gov_data_standards_arent/)