• silicon.com
• Technology
• Security

By Tom Espiner, 23 March 2009 16:13

NEWS

A group of privacy and security experts has charted the proliferation of UK government databases and concluded that some of them could be illegal.

The Foundation for Information Policy Research (FIPR), an independent technology thinktank, published a report on Monday entitled Database State. The authors described 46 government databases, labelling a quarter of them "fundamentally flawed and almost certainly illegal". The report was commissioned by the cross-party Joseph Rowntree Reform Trust.

One of the report's authors, Ross Anderson, told silicon.com sister site ZDNet UK that, if used in conjunction with each other, the databases could have a serious impact on citizens' privacy.

"It's the first time someone's tried to put together the big picture, and it's scary," said Anderson, who is professor of security engineering at Cambridge University. "Some of the systems are so privacy-invasive that they almost certainly break European law, and spending taxpayers' money on computer systems that will fall at the first legal challenge is foolish."

Anderson said 11 of the databases that are currently used or in the process of being developed by the government may contravene the European Convention on Human Rights (ECHR).

"To collect sensitive information [on a person] and use it without consent, under the [ECHR], the data needs to be used for a narrowly defined legal purpose, and needs to be necessary and proportionate," said Anderson.

The report's authors looked at each of the major databases used by the government and ranked them using a traffic light colour-coding system. Eleven government databases were coded red, and should be "scrapped or substantially redesigned", according to the report. These include the National Identity Register, the communications database behind the Intercept Modernisation Programme, and the National DNA Database.

The National Identity Register - the database behind the government's plan to record all UK citizens' biometric and personal details for its identity cards scheme - was criticised by the report's authors for breaking down privacy barriers.

"A National Identity Number will make it easier to link together information held on individuals across other public-sector databases," said the report. "This is worrying because in the UK, unlike other EU States with strong constitutional protection, there are few safeguards against excessive data exchanges."

Anderson said that the National Identity Register will be "a central spine on which to hang all information about a citizen, available to open access".

A national identity card that became essential for government and financial transactions would also establish an audit trail to which the intelligence services and much of the police would have unrestricted access, the report added.

The government has put forward plans to monitor all UK citizens' communications by intercepting all online data traffic, including email, instant messaging and social networking communications. These details would be combined with details of telephone calls and stored in a centralised database. A government consultation about this communications database, which is part of an intelligence-service IT overhaul dubbed the Intercept Modernisation Programme, was due to begin in March, but has not yet taken place.

The report said that this kind of mass surveillance is overly expensive and antithetical to principles of privacy, and pointed out that the idea had already been criticised by the information commissioner.

"The Information Commissioner's Office has commented that the plans are 'a step too far for the British way of life'," said the report. "Given this assessment, the public opposition, the huge cost of the exercise, and the intent [to allow] the intelligence services... to watch everybody, we have no choice but to rate this as Privacy impact: red."

The National DNA Database was also criticised by the report's authors. Currently, the police in England have the power to hold the DNA of everybody they take into custody, regardless of whether or not they are then charged with a crime.

"The DNA database was found to be illegal by a European Court," said Anderson. "There's no way round that for the government - samples from innocent people will have to be purged."

The Home Office, which oversees these three databases, denied that government databases contravened the ECHR.

"We recognise the absolute necessity of striking the balance between the rights and privacy of the individual and the ability to disrupt, prevent and investigate crime effectively," a Home Office spokesperson told ZDNet UK. "That is why the Home Secretary has made clear that a 'common sense' test must be applied to every action in this area to make sure it is proportionate, transparent and robust safeguards are in place."

The spokesperson claimed the National Identity Scheme and ID cards will have independent oversight built in from the start, with every citizen given the right to see their data and who has accessed it. According to the Home Office, "technology such as DNA and CCTV is providing clear benefits in deterring and detecting crime, securing convictions and reducing fear of crime".

The Home Office spokesperson added that Home Secretary Jacqui Smith wanted to debate measures such as Home Office plans for the centralised communications database.

"The Home Secretary has said she wants open and reasoned debate about these issues and we remain committed to ensuring law-enforcement agencies have the right tools to protect the public, while at the same time ensuring effective safeguards and a solid legal framework that protects civil liberties," said the spokesperson.