Privacy: Surveillance and Poor Security Practices

Today I read with interest an article in the U.K.’s Guardian Unlimited, “Surveillance ‘intrudes on our lives‘.”
I am doing some research into various surveillance methods, such as with CCTV, key loggers, and other methods of surreptitiously recording the activities of individuals, typically without their consent, and often without their knowledge.

The article discussed the wide range of electronic surveillance and the invasiveness it can have into people’s lives, invading on their privacy.
I believe surveillance, misused, certainly can invade privacy. However, used wisely, it can strengthen security, record activities that can be used for evidence, as well as log actions that can be used to comply with numerous laws and regulations and demonstrate due diligence. The important point is to balance the use of surveillance with privacy rights, and then implement appropriate safeguards for the data collected.
In this article the discussion started by providing a couple of examples of “surveillance”:
1) Barclays using the personally identifiable information (PII) of customers without their consent.
2) NHS Medical Training Application Service website posting medical student applicants’ addresses, telephone numbers, criminal convictions, sexual orientation and religion.
The term “surveillance” is not being applied correctly to these particular two situations, at least from a U.S. perspective. These two examples show the organizations involved did not have good information security procedures and practices in place.
Obtaining consent to use PII for purposes other than that for which it is collected is a legal requirement in the U.K. Barclays was not performing what we would consider as surveillance, they were likely breaking the law that requires them to obtain consent to share information.
Posting PII on a website is also likely breaking the safeguards and data sharing legal requirements in the U.K. that requires organizations to safeguard information and not allow anyone other than those with related business responsibilities to access it. Someone at the medical training organization either was not following the procedures, or the procedures did not exist.
Other than these two rather inappropriate examples used to support the argument, the rest of the article does address surveillance activities and how they may be used to detriment for data mining and other such activities.
This Tuesday, Richard Thomas, the U.K information commissioner, is presenting a report to parliament’s Home Affairs Select Committee detailing his concerns.

“While accepting that there are significant benefits in the use of surveillance, chiefly in helping to combat terrorism and crime, Thomas is becoming increasingly alarmed at the amount of information that is being collected on individuals.
He is expected to claim that ‘the risks that arise as a result of excessive surveillance affect us individually and affect society as a whole’ and to warn MPs ‘there can be excessive intrusion into people’s lives with hidden, unacceptable and detrimental uses’.
With the greater use of electronic surveillance and personal record keeping comes an increased threat that mistakes will be made and individual lives disrupted, Thomas believes. In addition, he thinks breaches of security are creating greater potential for discrimination, social sorting and social exclusion, as more institutions are able to ‘mine’ individual’s personal data.
Thomas fears that the growing use of surveillance is leading to a mass of personal information that is inaccurate, insufficient or out of date. Often, he believes, information held on individuals is excessive or irrelevant. Sometimes it is disclosed to those who should not have it; on some occasions it is used in unacceptable or unexpected ways.
At a wider level, the repercussions of a slide to a surveillance society will be extremely damaging, the information commissioner argues. This will lead to growing concerns that there is an excessive intrusion into private lives and a feeling that personal autonomy and dignity are under threat. With more and more institutions holding personal data, this will lead to an increase in the number of ‘faceless’ organisations that can make arbitrary decisions about individuals which can result in them being stigmatised or excluded.
Ultimately, Thomas believes this growth of excessive organisational power creates ‘a climate of fear, suspicion or lack of trust’, and he will call on the government to give him new powers and a wider role to combat the threat.”

These issues are worldwide, and the concerns are also shared globally.
One issue that is very possible, and has occurred multiple times, is misinterpreting data. Remember the episode of Seinfeld where his girlfriend drove by him, and as she looked over at him in his car it appeared to her that he was picking his nose, when in realty he was scratching the outside of the opposite side of his nose. As a result she, quite disgusted, dumped him and he spent most of the show declaring, “It was not a pick!” Similar things can certainly happen with electronic surveillance; when CCTVs are filming only one angle, you are only seeing one perspective of the situation. This can certainly be enough to be able to convict certain types of crimes and verify certain types of activities, but it can also lead to accusations that are wrong.
Another thing that has concerned me for the past few years is the accumulation of PII within huge databases, mingling PII of criminals with non-criminals and then using data mining to try and find suspects for crimes or other purposes. Suddenly a large portion of innocent individuals have become suspects, and mistakes within their PII, or mistakes in interpreting them, could result in major disruptions in their lives because of wrong accusations; these events have already occurred many times. And as PII databases continue to grow bigger and proliferate incorrect information about individuals, wrong accusations will continue to increase, at the expense of innocent folks.

“The increasing use of surveillance is becoming a concern to parliament. The House of Lords Constitution Committee is to launch an inquiry into the impact of government surveillance and data collection on the privacy of citizens and their relationship with the state.
The inquiry – which is set against a backdrop of increased use of CCTV, the creation of the national DNA database, the new NHS IT system and the proposals for ID cards – will seek to find out if increased surveillance and data collection by the state have fundamentally altered the way it relates to its citizens.”

There are many privacy implications with all these activities. The DNA database alone could open a Pandora’s box leading to all kinds of family disruptions, personal angst and break-ups.
The major problems I see with surveillance data are that proper safeguards are rarely implemented for it, access to it is too often lax and inappropriate, and incorrect data never gets deleted or corrected, it just continues to be endlessly proliferated.

Tags: , , , , , , , , , ,

Leave a Reply