Ruth Davis is Head of Cyber, National Security and Criminal Justice at techUK. She is a former as a Research Fellow at Policy Exchange, and adviser to both the Home Affairs Select Committee and to the then Shadow Minister for Home Affairs and Counter Terrorism, Crispin Blunt.
How many emails, tweets or texts have you sent today? What have you ‘liked’ or posted on Facebook? Where have you been? Whatever your answer, you have created a digital map of your contacts, movements and views, which you have left behind online, stored by the companies whose services you use.
Many people seem to be content to let this data build up. After all, we upload much of it ourselves. And in fact, storing your search preferences and using cookies can enable companies to offer a better and more personalised service.
But our attitudes change when we consider the access that law enforcement and other government agencies might have to our data. Controversies over the National Security Agency’s PRISM programme, recent parliamentary legislation and the protection of journalist’s sources, have caused concern about the extent of government surveillance. There is much debate about intelligence agencies operating ‘outside the law’, free to routinely monitor phone and internet communications and their contents. For many people it has become impossible to discern between myth and reality when it comes to the government’s surveillance powers.
So what does the law say? Communications data stored by service providers can only be accessed by a warrant made under the Regulation of Investigatory Powers Act (RIPA). Access is authorised by stated senior officials within specified public authorities and can only be for particular purposes. Access to the content of communications is only granted by a warrant from a Secretary of State. Use of RIPA is scrutinised by independent commissioners, who provide annual reports to Parliament.
However, there is now a perception that government exceeds these powers. This is a concern for a tech industry that depends upon consumer trust. Future growth will be driven by data and increased connectivity. Gartner estimates that 26 billion devices will be connected to the internet by 2020. Therefore, trust in the use of personal data is as fundamental to this growth as broadband and mobile infrastructure.
So far, concerns have not translated into a reduction in the use of digital services but that doesn’t mean this couldn’t happen. As our lives move more online, ensuring an appropriate balance between privacy and security will become an increasingly important issue for democratic societies.
In order to restore trust in the way government uses technology, there need to be some fundamental changes.
First, the government must make a strong, evidenced case for the powers it seeks in the collection and storage of data – not simply assert that more powers are needed. As the volume of data increases, the temptation to store as much as possible, ‘just in case’ must be resisted. We need proper debate and scrutiny of future legislation. People put a high price on privacy, and intrusions must be proportionate to the security benefits gained.
Second, there must be absolute confidence that the government’s access to data is governed by a clear legal framework with full democratic oversight.
Third, the public and industry need to have an unambiguous, concise explanation of the powers available to authorities and how they might use their data.
We need a simple, ethical and legal framework that governs the collection and use of personal data online. Many companies have proactively established a strong and transparent approach to data use. This is no simple task; consumers need to know what information companies store and how they use it, without wading through hundreds of pages of terms and conditions.
That is why techUK is working with the Information Economy Council to develop a code of practice for companies to sign up to when handling data. This approach should be mirrored across government. The recent announcement of a Privacy and Civil Liberties Oversight Board to ensure that counter-terrorism policy is formed with proper consideration of civil liberties is welcome, but it does not go far enough. The board should have wider responsibility to create a consistent ethical code for responsible data use across the public sector. It should be chaired by a new Chief Privacy Officer responsible for ensuring that appropriate privacy requirements are built in by design as all public services are digitised.
If we are to harness the powers of data driven technologies, we must be willing to build trust today, to secure our digital future in an open and democratic society tomorrow.