Previous Section Back to Table of Contents Lords Hansard Home Page

Our legislation is geared towards the creation of a central register and the powers to issue identity cards for everyone living permanently in the United Kingdom. The status of the scheme is that foreign nationals will need biometric residence permits from 2008. From 2009, identity cards will be issued to British citizens on application for a passport or driving licence. The Government are at present intent on introducing in

23 Apr 2009 : Column 1656

due course a universal identity card system for all persons aged 16 and above legally resident in the United Kingdom.

The Government have sought to justify the ID card system on the grounds of security considerations. This is an unwarranted premise. ID cards will have no value as far as security is concerned. ID cards and the national identity register are, of course, identity-related, but there is absolutely no evidence that they will improve security. If that view is right, the case for an ID card scheme is gravely emasculated, and the Home Office attempt to sell the concept of ID cards to the public as a weapon for controlling immigration is quite misconceived. A drastic invasion of our civil liberties cannot be justified on grounds of mere administrative convenience.

If there had been a real security justification, one would have expected the Government to bring the Identity Cards Act 2006 into effect with some alacrity, but the Government are aware that there is strong and ever increasing public opposition from all sectors of the political divide to the introduction of ID cards. The Government hope that they can soften up public opposition by a phased introduction. They underestimate the robust common sense of the British people. The tide of public opinion is running against the Government on this matter. Since May 2007, there have been losses of data on a massive scale, of which some details are given in an article that I wrote which is due to be published in Public Law 2009. It is part of the evidence that the Government have not mastered the way to competently run an identity card scheme.

A central concern about the creation of a national identity register is the privacy implications that flow from having millions of individuals’ personal data contained in the scheme. Moreover, if there is an inopportune time for the introduction of an unnecessary ID card scheme, it must be now as we head into what may be a prolonged economic downturn.

It is true that there are countries, such as France, Germany and other western European countries where, due to their different historical or cultural developments, ID card systems are in place, but our heritage is different. In one of his famous English letters, Voltaire said that the civil wars of Rome ended in slavery and those of the English in liberty. The English are jealous of their liberty, he said. Our commitment to the European ideal does not require us to adopt an ID card system. The British public have no confidence in the introduction of a national identity card system and wish the Government to speak for Britain.

3.18 pm

The Earl of Erroll:My Lords, I thank my noble and gallant friend Lord Craig for giving me the opportunity to speak. I probably ought to declare some interests. I sit on the business advisory board of the PGP Corporation, which deals with software encryption and security, and the International Council of the Global Trust Center in Sweden. I am paid to speak on information security issues from time to time.

Like the noble and learned Lord, Lord Woolf, I shall talk about the balance of power between the citizen and the state, because that is where this entire

23 Apr 2009 : Column 1657

debate lies. We must factor into this the legacy of socialism in the expectation that the state will protect and provide for its citizens. On one hand, I accept that we must maintain the capability to trace, track and terminate terrorist and criminal activities. We must do that to protect people. At the same time, however, we must be aware that there are huge dangers. Some people say that the Government are trying to achieve freedom from fear, but we must be careful that that does not translate into a fear of the protectors. We therefore need to be aware of these dangers and to maintain strong and inviolable structures to try to protect people, privacy and freedom.

I shall deal first with the dangers that I envisage arising from the enormously enhanced executive powers that are being given at the moment. Then I shall talk about how those powers can be applied inappropriately, given the technology of today, and the danger of misinformation and disinformation that will arise from these huge databases.

Some of the history and the extension of powers stems from little incremental things. We used to distinguish between border police and internal police. Customs and Excise used to patrol our borders looking for goods and immigrants coming in, and they had hugely enhanced powers of seizure and arrest, whereas our internal revenue service was much more restricted in what it could do. Our internal police used to have to go to a magistrate or a judge for warrants to do certain things. Then we gave VAT to Customs and Excise and said that, because it was a duty, Customs and Excise must have powers inside the country, and suddenly we had an internal police duty for border police with border policing powers. There were moments in the early days when they probably exceeded what they should be doing, but they soon realised that their powers would be taken away from them if they did, and so things became reasonable. Now we seem to accept quite happily that we make no distinction between internal and border police, and these powers extend in a mishmash inside the country.

I think back to other things that I find interesting, such as how some people understand these dangers. In the United States, the Sarbanes-Oxley Act contains the rule that every company must set up a whistleblower line. The line must be anonymous because they do not trust people to reveal the secrets of senior corporate people if their identity cannot be kept private. In France, the Data Protection Act insists that any whistleblower line must identify the whistleblower. The two Acts are in direct conflict very simply because of the Second World War. In France, the quickest way of acquiring your neighbour’s land and property was to report them to the Gestapo. Your neighbour would be removed and you just walked in. That happened all too often: a fact that is not widely thought about today.

I watched “Dr Zhivago” the other night with my daughter and wife and looked at the whole business of the state manipulating people and information, who was where and related to whom, and people controlling other people’s lives. If you think about it, in the last century our forefathers fought for freedom from tyranny. They were very worried about the centralisation of

23 Apr 2009 : Column 1658

power and the fact that the state wanted to tell people what to do. Dictatorships were seen as bad. The thing that worries me as we enter a time of instability, which some people suggest might last longer than others hope, is that that is when the charismatic leaders emerge. We need only look at the emergence of leaders back in the 1930s. There can be huge dangers there, and saying simply that it would not happen in Britain is not good enough. We must think about this. There was a very good short series last year on, I think, the BBC called “The Last Enemy”, which was very much on this subject. I certainly enjoyed it greatly and I hope the BBC shows it again.

On the technology, I am very happy that there should be the closely targeted tracking and acquisition of data and information about people when the security services and the police need to have them. I am, however, very much against the blanket acquisition of data which the security services and the police can trawl through and look at. On such blanket acquisition, I ought to make a distinction—and the security camera issue is interesting here. If it cannot be indexed and you cannot simply be tracked through it, I am not nearly so worried about it. Surveillance cameras that are not indexed and do not track me going through the streets every day are no concern; if something happens, they can work backwards and find it out. If they are indexed and it is possible to mine them for people’s data, then I have concerns. While facial recognition technology is still in its early days we have no serious problem with those cameras, but that could change very easily and rapidly. We should start thinking about the problems that come from that—controlling how that information is kept and used, and who has access to it.

In the same way, I have no problem with the Regulation of Investigatory Powers Act—RIPA, as it is often called—and the lawful intercept. I fully accept that the security services should be able to look at the content of e-mails and telecommunications and to intercept and eavesdrop. That is carefully and tightly regulated and signed off by a proper person who is not a member of the security services. I start having a problem when it comes to telecommunications data that simply record who you rang up and when, which website you visited and who you sent an e-mail to and when. That can easily be mined for data, and a picture can be built up of someone’s life—their interests, what they do and who they deal with—both at the individual and corporate level.

Here we get into the issue of business espionage. I am very worried about the issue because the Government can start tracking things down by looking at people and their behaviours or at the behaviour of their friends and family. Equally, foreign Governments or perhaps rivals could get people with access to information to look for things. So if a company were tendering for a defence contract with a foreign country, a rival in another country might, for example, be interested to see who its key account people were dealing with. If they thought you might be subject to a takeover bid, looking at telephone and e-mail traffic could reveal a lot about what was going on. Such information is very sensitive, much more so than people realise. The fact that it is susceptible to data mining really worries me.

23 Apr 2009 : Column 1659

Some people would say, “There will be too much data. Yottabytes of it will be out there”. Interestingly, quantum mathematics suggests that there are ways of finding patterns much faster than we currently can by orders of magnitude. If that comes along, it will change the picture or the equation again, so we have to be very careful who has access to the information and how it is used. We know, for instance, that a European Government admit that 60 per cent of their intelligence budget goes on business intelligence—spying on friendly countries, in other words. So we have to worry about that.

Another thing that I worry about is that if I am a criminal or a terrorist and I know that there will be mining for information and things will be tracked down, I can easily create red herrings. For instance, I could pick out your mobile telephone when it is inadvertently or casually left in a pocket, make a quick call to a known criminal or terrorist while you were not looking, and drop it back into your handbag or pocket. I could then get someone to do the same thing a week later to reinforce the link. I could, perhaps, be quite clever and do that in two or three places. We must be very careful about the interpretation of the intelligence that we get.

Ultimately, the people who operate these systems are not highly paid. I fear that individuals can be found in any large organisation who can be suborned, blackmailed, or frightened into doing things for one reason or another—or even to think that they work for a different side than they do. Those are all traditional things; we have all seen them in the films. It may well be found that private investigation agencies and the media will also start getting access to that information; that has already been happening on a large scale with telecoms data, as we know from the Information Commissioner’s report of a couple of years ago which was entitled What Price Privacy Now?.

We will also inadvertently be setting up the thin end of a wedge. For instance, at present, because the people who own the rights to music and films have a lot of money and have been lobbying around the place, they discovered that the IPO—the intellectual property office that used to be part of the Department for Trade and Industry—is open to the idea that we should perhaps have a crackdown on people who download films and music. To do that, they want the internet service providers to start looking at what is being downloaded so that they can report on people. There is a lot of talk about three strikes and you’re out. However, the root of that is that people who are currently not permitted to look at the content of what goes through their systems will be asked to do so in order that they can say whether there is illegal file-sharing.

That thin end of the wedge is dangerous, because where do we then extend that power? It is changing the law through the back door, without people considering the consequences of effectively being allowed to open other people’s communications and mail. That is illegal in the physical world and is currently illegal under various EU and UK directives in the electronic world. But there are backdoor ways in which people try to open this up, which is another of the dangers.

23 Apr 2009 : Column 1660

The accuracy of the data really concerns me. In the information and insurance world, we talk about confidentiality, integrity and availability—CIA. People are dealing with confidentiality and worrying about availability but it is integrity that concerns me. Fairly recently, when the Audit Commission did an audit of the National Health Service and the police, it found that 40 per cent of the data were inaccurate. I do not know how serious it was, but the point is that a lot of this information is incorrect.

There was a sad incident of a father who wanted to help to coach some children in sports. His enhanced Criminal Records Bureau check failed. Why? It was because years earlier his five year-old daughter had been heard in the playground by a teacher to say, “Oh, Daddy bonked us last night”. Immediately social services were rung up and the police were informed. It was quickly established that a game had been played with a plastic mallet bought at a funfair and everyone had bonked each other on the head. There was no problem. Social services expunged the record and no one thought any more about it. The police did not think to expunge the record, whether they knew that they should or not. Years later, that record showed up on an enhanced CRB check. The police did not tell the chap why. It is very difficult to get that type of record expunged. The real problem is accuracy and the consequences for the citizen of some of the data that are out there.

The easiest way to employ people who will not show up on an enhanced CRB check—people who did not have a little fight in the playground when they were young or foolishly accepted a reprimand which stays on your record for ever—is to employ foreign nationals who have been here just long enough. They probably do not have any record that goes back very far. There is the very odd, unintended consequence that the easiest people to employ are those whom you know least about.

My message is that we need to be sceptical and not believe that technology gives a truthful picture. It can easily happen that incorrect inferences inspire investigators to target innocent individuals. The problem is interpretation. Earlier we talked about DNA. I believe that the stored bit of DNA is called junk DNA, which is not of interest to medical records. But the challenge is that it is a digital match of something real. It is limited by the accuracy of the laboratory tests and the equipment that measures it. There will be template matches with people who are different.

There is also the problem of a hair that gets translocated to a crime scene. You must know how it got there. You cannot assume that because there is an apparent DNA connection, there is a real or criminal connection or whatever between the two. We must stop believing that technology is showing us the way. For example, on relationship mapping, I should warn you that you are all three removes from Osama bin Laden. I used to think that I was about four or five removes until I said it in a lecture and someone stood up and said, “Terribly sorry Merlin. I taught him in school”. Therefore, I am two removes and you are three, as is everyone who has met me. I have now discovered a second link of someone who did business with his brother in America. Clearly, I am guilty of something.

23 Apr 2009 : Column 1661

The pressure of meeting centrally set targets is dangerous because people look for things that are not there in order to meet them. That could be very dangerous because on an average day in the summer probably 1 million tourists are wondering around Britain with foreign issued identity. Can we really track everyone in and out of the country all the time?

We need good protections. We need a stronger version of the role of Information Commissioner which would be answerable only to Parliament, protects the system and watches out for breaches of rights. We need to forbid internal authorisation or self-authorisation by departments. We must always have someone outside who can authorise things that go on. We cannot have people saying, “It’s okay because I’m a senior member of the department”. Lastly, we need to keep things in silos. I like Chinese walls. One government department should say to another, “This is what I am up to”. If things are going wrong, someone will say, “I think this should be looked at”. If there is an emergency, such as someone being kidnapped, you can break the rules. People can justify that afterwards. But at least two people would have looked at the situation and we would know what rules were being broken. We must avoid getting a J Edgar Hoover II (UK), with huge powers to look at everyone’s data, starting here.

3.35 pm

Baroness Miller of Chilthorne Domer: My Lords, Members on these Benches pay tribute to the noble and gallant Lord, Lord Craig of Radley, for introducing this debate, for the benefit of his considerable experience in talking about the balance that has to be struck between national security and civil liberties, and for his excellent introduction. I am glad that we are able to have a second bite at the cherry since unfortunately I missed the debate initiated by the noble Earl, Lord Northesk, because I had to be elsewhere. It was excellent, but there is plenty of room for a continuation of the debate in general. Further, I am particularly glad to note that the noble Lord, Lord West of Spithead, is to answer our debate today because many of the questions that have been raised are for the Home Office, while of course the debate of the noble Earl, Lord Northesk, was answered by the Ministry of Justice. Within a month, we shall have heard from both government departments on these issues, which is important.

A number of the themes considered in the debate held shortly before Easter have been repeated today. Noble Lords have commented on the sheer quantity of data being kept, and indeed the noble Earl, Lord Northesk, cited an interesting figure when talking about the national identity register. He pointed out that there would be 960 billion data fields just for that one database. The scale is almost unimaginable. The heart of the first debate was the balance between the Government’s responsibility to reap the benefits of technological improvements along with the ability to keep data for beneficial reasons, and the need to safeguard the right of British citizens to privacy. Quite rightly it has again been a theme of our debate today. The noble and gallant Lord, Lord Craig of Radley, spoke of balance, and all speakers have agreed that at the moment the Government are failing to maintain

23 Apr 2009 : Column 1662

that balance. Indeed, on two occasions recently the European Union has had to step in and call into question the inability to do so.

I am grateful to the noble and learned Lord, Lord Woolf, for his terrific speech on the issues surrounding DNA retention because I had intended to speak on that, but following his excellent explanation of the issues I shall not. The Government have made a commitment to review the rules on data retention in the forthcoming forensics White Paper, but qualified it by saying that they would examine the ways in which the retention of samples and fingerprints should take into account the age, risk and nature of the offences involved. My problem is that if a person is innocent, it is hard to imagine risk factors that would actually justify their personal information as if they were guilty. If the person already has a criminal record, it is likely that they will already be on the system, and other risk factors to do with social and economic demographics are far too hazy to justify turning an individual into a suspect. The conclusion is that there really does need to be a wide public debate about a national DNA database, which is something that the Government have avoided so far. However, the contribution of the noble and learned Lord, Lord Woolf, certainly points us in that direction, and surely a wide and open debate would be welcomed.

The contribution of the noble and learned Lord, Lord Steyn, on the national identity register was equally riveting, and he will not be surprised to learn that Members on these Benches agree with every word he said. Again, he has saved me considerable time because he set out very clearly many of the points that it is so important to make when debating these issues. I agree absolutely with his comment that it is particularly regrettable that the Government have chosen basically to soften up public opinion by rolling out the register on people such as foreign nationals who do not have the vote and are therefore unlikely to object.

The noble Earl, Lord Erroll, again made an interesting speech. I appreciate his comments on the dangers of the use of face recognition; he is right to be concerned. The other day, I raised briefly with the Minister the practice of the police filming people. I was filmed in Brighton on a protest outside the council offices and, when I asked why, I was told that it was in case I committed a criminal activity. That film was retained and, of course, it is now there for face recognition in the future. It was not taken with my permission and I objected; nevertheless, it is there now. That is another area of activity that we have to question very strongly.

In the debate before Easter, the noble Baroness, Lady Neville-Jones, put her finger on a couple of points to do with the scale of the databases. She said that the point is not always about the scale but about having separate disaggregated databases rather than centralised databases. She is absolutely right.

I would like to comment on two closely related issues: the weak regulation of private sector data collection and storage, and the increasingly porous boundaries between data storage systems and between public and private data.

In the earlier debate, the Minister, Lord Bach, commented that the legislative framework for data protection and privacy is the Data Protection Act and

23 Apr 2009 : Column 1663

the Human Rights Act, but of course we need to add in the Regulation of Investigatory Powers Act. Since that debate on 14 April, the European Commission has launched infringement proceedings against this country for the way in which the Government are implementing the EU directive on privacy and electronic communications. The public controversy has centred on the technology company Phorm and the secret trials of its systems by BT in 2006. The noble Lord, Lord Soley, spoke about private use for private profit. That is exactly what we are dealing with here, where a private company intends to intercept, through new technology, people’s web traffic for private profit. Providing that is within the regulatory scheme, there would be nothing wrong with it. But the regulatory scheme has been unable to cope with whether or not it is legal and, as the EU proceedings show, the real issue is that the UK Government have been willing to leave open a grey area of uncertainty about the legality of Phorm’s technologies.

I have asked the Minister numerous questions about this and I am sure that he is fully prepared for my questions today. BT was never brought to book for conducting the secret trials and, in answers to Parliamentary Questions, Her Majesty’s Government have called the legal opinion published online by a Home Office official “informal advice”.

The letters from the EU Telecoms Commissioner, Viviane Reding, led the Commission to conclude that there were structural problems in the way in which the UK had implemented the EU rules ensuring confidentiality of communications. The problem is that the responsibility for these issues has been passed between the Home Office, the Information Commissioner’s Office, the police and others. I am sure that the Minister will remember responding to me by saying that this matter would have to be settled in court.

Next Section Back to Table of Contents Lords Hansard Home Page