Re: ULE: covert vs overt

From: Charlie Stross (charlie@antipope.org)
Date: Wed Apr 18 2001 - 05:44:10 MDT


On Tue, Apr 17, 2001 at 01:32:33PM -0400, Michael Wiik wrote:
>
> ULE = ubiquitous law enforcement
 
To draw lessons about the legal ramifications of ULE, it is useful
to examine the UK, with its three million CCTV cameras in public
areas.

Recently, an alternative comedian (of the kind who get TV shows --
we're not talking amateurs here, I just wish I could remember his name)
decided to play a little game. He got a group of people to act out a
little drama in public, in full view of some cameras. He then identified
the owners of the cameras -- and whacked them with Data Disclosure Orders
under the terms of the amended Data Protection Act (1998) in the name
of the individuals on camera.

The Data Protection Act (DPR) is a fascinating bit of law. Originally
passed in 1992 (IIRC) it was designed to regulate commercial databases.
If you want to keep a personal address book or a club membership list
you're exempt, but any other database holding details of people is
subject to the Act. You have to fill out a form and send it to the Data
Protection Registrar -- the form lists the type of information you hold
and the purposes for which it is retained. Thereafter, any member of the
public can serve a Data Disclosure Order on you and, in return for a fee
to cover the cost of data retrieval, you are legally obliged to show them
what information (if any) you have on them. (Note: the maximum level of
the fee is capped by law to stop companies saying "okay, that'll be a
thousand quid then" to deter the public from examining their records.)

The amendments to the act passed in 1998 (or thereabouts) removed
exemptions for paper-only records, added exemptions for things like
usenet and personal email boxes, and included multimedia stuff. NB: it's
a moderately serious crime (as in -- you can go to prison) to refuse to
register a database or to refuse to let people see data you hold on them,
or to refuse to amend their details if they're incorrect, or to sell the
data to other companies without obtaining prior permission. The whole
thrust of the law (and the Data Protection Registrar's office) is to
protect privacy and to allow consumers to correct rumours or outright
falsehoods about them stored in, for example, credit agency databases.

The effect of a disclosure notice on the operator of a CCTV network --
and they're mostly run by private companies subcontracted by local police
forces -- is apparently most entertaining. Especially seeing as the notice
refers to named individuals and there's no obvious way of matching up names
to faces fleetingly glimpsed on camera.

Even more interesting are the implications of the Bill of Rights (you
didn't know the UK had one, did you?) which has an explicit right
to privacy. Put the two together in a lawsuit and you could conceivably
nail a CCTV operator -- if they don't answer a DDO when you *know* you
were on camera, you can nail them for violating the DPA, while if they
*do* respond to it, you can probably nail them under the Human Rights
Act.

To say the law's messy at present is an understatement. I have some hopes
that the right to privacy will survive the cameras; moreover, the DPA --
which is indispensible, for other reasons -- gives people a powerful tool
to bash camera operators with. The real point is that the interaction
between technology and the law is still in a state of flux, and I suspect
the eventual equilibrium condition (which *will* entail ULE) exhibits
sensitive dependency on prior conditions.

Better get your constitutional amendment for a right to privacy in place
now, rather than later ...

-- Charlie



This archive was generated by hypermail 2b30 : Mon May 28 2001 - 09:59:47 MDT