Not a lot to say right now, but I think I should draw your attention to an excellent comment by Chris Williams on my previous ID cards piece:
Here's the killer argument against ID cards - the Vienna 1938 one. Pass it on:
In 1938 the Gestapo were presented with a glittering prize. The Anschluss - the unity of hitherto democratic Austria and Nazi Germany - put them in charge of the Vienna headquarters of the ICPC, the forerunner to Interpol. Thus, they had access to thousands of files on convicted or suspected criminals and their associates. Since many of the files on suspects dealt with politically-motivated crime, they were a godsend to an organisation that was about to take over most of Europe. ICPC knowledge helped them compile arrest lists. Even more useful for repression, deportation and terror were the captured police files of the conquered governments.
Why is this historical fact important? Because it's a warning about the dangers that lurk in the scheme now being proposed by the government to create a national database and an ID card system. This might solve some crimes: it will certainly hand a weapon to any future ill-intentioned regime. Rather than being a move to increase safety and get rid of risk, it is a huge gamble. To adopt it would be to bet that nothing as nasty as Nazism will ever get close to state power again. It's also to bet that nothing as nasty as Al Qaeda or pIRA ever gets its hands on a copy of the database. Forever is a long time....
Read the whole thing -- and do pass it on.
To tidy up a loose end, I'll describe the response I got a few weeks ago after I complained to the Information Commissioner about spam from a UK company.
About three weeks after sending my complaint, I received an email reply from the Information Commissioner asking me for permission to give the spammers, UK Software House, my email address so that they could remove it from their mailing list. So I consented:
Thank you for your email of 24th February requesting permission to pass on my email address to the spammers, UK Software House. Obviously I am not happy about this, but as you say it is necessary for further processing of my complaint, I hereby consent to you passing on that information to the spammers.
I rather swiftly received another reply in which the Information Commissioner said,
I have written to UK Software House requesting them to suppress your email address. I would expect this to take a maximum of 28 days and should you receive any further emails from them I would be grateful if you could let me know. I have also reminded the company of their obligations under the Privacy and Communications (EC Directive) Regulations 2003.
So, another small victory for bureaucracy and legalism. I'm very unlikely to see any other emails from UK Software House, since my spam filter will now have learned that anything they send is to be dropped on the floor, so the chances of the Information Commissioner getting a chance to visit their boundless wrath on the talentless spamming wankers are pretty small. And, sad to say, the Information Commissioner felt it necessary to remind me that,
You should be aware that a breach of the Regulations does not constitute a criminal offence and complaints will be dealt with on an individual basis. The Information Commissioner aims to ensure that organisations comply with the Regulations by providing advice and guidance on their responsibilities. Further action will only be taken against organisations who persistently fail to meet their obligations under the Regulations.
I'm not sure what form the `further action' would take, but I'm rather afraid that it's likely to consist of providing further advice and guidance, rather than, for instance, a sharply-delivered kick up the backside followed by confiscation of assets and exile to Daily Mail Island. Oh well.
(Note that I'm not going to link to the UK Software House site -- you can probably figure out its URL -- because I have no interest in driving traffic to them. But if you get any spam from them -- it's likely to be advertising a product for, err, sending EVEN MORE SPAM -- please do send off a copy of the over-long complaint form. Hopefully enough complaints will result in some real boundless wrath being visited upon them.)
Comments
Posted by Roy Badami, Sunday, 11 April 2004 16:16 (link):
It would appear that the Information Commissioner can serve an enforcement notice on them, detailing the specific steps that he requires them to take in order to comply with the regulations. Failure to comply with an enforcement notice is a criminal offense.
It would also appear that you can sue someone for damages if they breach the regulations. How likely you'd be to succeed, I don't know...
-roy
Posted by Chris Lightfoot, Sunday, 11 April 2004 16:58 (link):
What, including the breach of the regulations which the original sending of the spam constitutes? Or failure to obey a Notice from the Information Commissioner? I'd got the impression that you couldn't sue spammers in general.
Posted by Roy Badami, Thursday, 15 April 2004 12:21 (link):
See The Privacy and Electronic Communications (EC Directive) Regulations 2003 S.I. 2003/2426
Regulation 30 section (1) says:
A person who suffers damage by reason of any contravention of any of the requirements of these Regulations by any other person shall be entitled to bring proceedings for compensation from that other person for that damage.
-roy
Posted by Tom Steinberg, Monday, 12 April 2004 18:52 (link):
Oh Chris, you can do better than highlight that dreadful analogy. It is so full of holes I h
Posted by Chris Lightfoot, Monday, 12 April 2004 21:40 (link):
Hmm. Did my comments script eat the end of that comment, or did the thought police get to you before you finished typing it?
I'm not sure which bit you think is a `tired old analogy'. It's trivially true that if you build a big intrusive database of personal information, it is a hostage to fortune in the way that Chris Williams identifies; the ICPO files are just a convenient historical example. I am sure that the people who compiled them -- like members of the Home Office Entitlement Cards Unit -- did not intend that the records be used in the service of tyranny. But as Chris says, times can change.
What are the holes of which the analogy is full?
Posted by Tom Steinberg, Tuesday, 13 April 2004 22:50 (link):
Hmm - problems posting from a Treo I think. What I was trying to say was that the problem is related to a total lack of cost benefit analysis. As in the 1930s, Police records currently exist in both national and international contexts, presumably hugely more extensive than those the Nazis captured. Is he seriously suggesting that we bin these? If he is, then I think we can pretty much dismiss his ideas out of hand as deeply undemocratic. If he isn't, then he has conceded there is a cost-benefit analysis to everything in politics, something which his 'killer argument' doesn't try to evaluate at all.
Posted by Chris Lightfoot, Wednesday, 14 April 2004 21:26 (link):
Well, none of that means that his point constitutes a `tired old analogy'.
Seen in cost-benefit terms, I think Chris's point is that building a centralised, on-line population register has such huge expected costs that any cost-benefit analysis should reject it. This is especially true given that (see rants passim) the expected benefits of the scheme are mostly nebulous or illusory.
As he writes,
Now, in your cost-benefit analysis, there's a legitimate question as to how you treat `tail risks' (that is, events which have extremely large costs but low probabilities of occurrence; the classic example is how to insure against the risk of getting squashed flat by an enormous meteorite -- not that you'd care, if you'd just been squashed flat by an enormous meteorite). But he continues by pointing out,
If you want to consider this in cost-benefit terms, let's assume that the interval between ghastly political upheavals is of order a few times the interval since the last one, so let's say we expect one within the next five hundred years (this is needlessly optimistic, I'd say). Let's assume that the cost to society of having a person oppressed by an awful tyranny is of the same order as the `cost of a human life' (this is legitimate, since we saw during the last century that western governments -- and the populations they ruled -- were happy to accept the risk of, e.g., total annihilation in a nuclear war, in order to avoid being subjected to an authoritarian government); say £1 million per person. And let's say that our future authoritarian government might want specifically to oppress 1% of the population.
So the potential cost of the national population register over the next fifty years is of the order £60,000,000,000,000 × 0.1 × 0.1 × 0.01, or another £6 billion; this approximately doubles the cost of the scheme for no added benefit. And of course the above estimate is subject to a huge variance, since we Just Don't Know what the future holds. I've also assumed that all the factors are independent, but that's clearly wrong, since the existence of a population register might make a tyranny easier to establish. Etc. Picking a figure out of a hat, I think you could argue sensibly for a ×/÷100 error bound on there.
And once you've decided how your potential cost is distributed, you need to worry about what summary statistic you're going to build in to your analysis. I guess that's a question of public choice; it certainly can't be swept under the carpet.
Chris's point certainly didn't include an explicit cost-benefit analysis, but that doesn't mean the issue he raises can't be considered in that framework.
Posted by Tom Steinberg, Friday, 16 April 2004 15:17 (link):
If it is an extra £6 billion over the next half century (and I understand how hypothetical that is) it remains an absolute bargain. If national ID databases can squeeze even a single percentage point improvement out of the efficiency of govt service delivery then that weighs in at a not inconsiderable £4bn per year, or £200bn over fifty years. Remember, ID card coverage may be all about terrorism and migration, but don't be fooled into thinking that is by any means the main reason the government wants (or should want) a national citizen database. They are both relatively tiny uses that this data will be put to.
Posted by Chris Lightfoot, Friday, 16 April 2004 16:46 (link):
(The hypothetical £6 billion is an estimate of the net present value, rather than the integrated cost, so it should be compared to about £20 billion, assuming a 5% discounting rate. The error bounds on the estimate are pretty wide though.)
The bit I don't understand is why you would need a database that contains information down to the individual level to improve service provision (or where the 1% figure comes from, apart from being a nice round number). Surely what is required there is aggregate information about the distribution and movement of the population, rather than information about individuals? You -- probably -- can derive the latter from the former, but it's hardly the cheapest way to do it even before you consider the other societal costs of the ID card scheme.
Services which do need information down to the personal level -- say medical provision or disbursement of benefits -- already have that data, so it's not clear why creating a new database would help, since all those services would have to retain their existing databases anyway. (Or is it seriously proposed that, say, medical records, are stored on the ID cards database to save GPs' practices from needing their own? If so, well, I hope those Capita employees are trustworthy....)
And we haven't considered the other costs yet. How much will it cost to compensate the victims of this cock-up and similar ones in the management of the Criminal Records Bureau database? According to the Guardian, the CBD contractors are mistakenly associating criminal records with innocent people at a rate of about 100 per month; they're working from Police data which apparently are erroneous in 60% of cases. Is it really likely that an accurate national population database can be built, given the trouble encountered building much smaller, simpler systems? As Owen Massey points out, the last Census was off by c. 1 million people, suggesting that even an aggregate population database is an ambitious target.
Comments copyright (c) contributors and available under a Creative Commons License. See also the comments policy.