The scheduled drug raid was a joint operation with MI5, MI6, the US Drug Enforcement Agency and organized by the Serious Organized Crime Agency.  SOCA received £416 million in funding for 2006 (about $625 million), but did not release how much of that budget went for the covert operation.  An internal source claimed to The Times – London that the aborted operation cost over £100m ($150M). The agent responsible for the loss, referred to only as ‘T’, lost her purse somewhere between the airline terminal, the immigrations checkpoint and a bus from El Dorado airport in Bogota, Columbia.  She was heading to her new office at the British Embassy.

A Soca spokeswoman said: “Soca has introduced its own clearly defined data handling and security policies. During the year to March 2009 — the first year we have been required to report any breaches — there wasn’t a single breach of personal or sensitive data by Soca staff.”

The agencies took the first steps by defining data handling policies and measuring/reporting against them.  An inquiry and formal investigation into the event occurred, and remedies put in place appear to be working.  The obvious question – why was encryption not used for this sort of situation?

The secure computer on a USB key was developed for just this sort of cloak and dagger thing. There are encryption routines built into every commercial operating system available today.  Dozens of security vendors sell encryption software, ranging from Full Disk Encryption, to mobile device encryption, to file level and storage encryption.  The US National Security Agency helped Microsoft with Windows Vista. They designed a security enhanced version of Linux.  The British Intelligence folks have their hands in a few secured systems as well.

Encryption ought to be just another wicket in the engrained security processes of an intelligence operation.  In fact, encryption ought to be a requirement for every organization that processes private or mission critical information.  Security product provider Checkpoint points out the dire situtation best in a February 2009 UK survey: “…less than 50% of the UK public and private sector organisations use any form of data encryption.”

As a privacy professional, knowledge of information security and its ramifications to privacy are paramount to successful data protection.  Personally Identifiable Information, Private Health Records, Personal Financial Information – it’s all only as confidential as the protections surrounding it.  If the security provisions do not guarantee the data are available and the integrity’s intact, there could be more than fines or company reputation at stake.

The BBC reports Amazon UK spokesman Craig Berman released a statement: “We have contacted Webwise requesting that we opt out for all of our domains.”  The company declined further comment on the decision rationale.  “All we’re saying is we’ve chosen to opt out,” he said. “I don’t know if they’ve even implemented anything yet.”

In an email posted to the Wikimedia tech blog Thursday, Wikimedia stated:

“The Wikimedia Foundation requests that our web sites including Wikipedia.org and all related domains be excluded from scanning by the Phorm / BT Webwise system, as we consider the scanning and profiling of our visitors’ behavior by a third party to be an infringement on their privacy.”

In a statement, Phorm said: “There is a process in place to allow publishers to contact Phorm and opt out of the system, but we do not comment on individual cases.”

The Open Rights Group urged major Internet companies to opt out of Phorm each time more circumstances come to light, said it was very pleased with Amazon’s move.

“By choosing to block the contentious online advertising system from scanning its Web pages, these firms have taken the positive choice to protect their users’ privacy and their own brands.  We expect more sites to block Webwise in the near future and ISPs to drop plans to snoop on Web users.”

As the European Commission moves further with their case against the United Kingdom, and more publicity surrounds Phorm and Webwise, everyone should expect more companies trying to distance themselves from the situation.

Each EU country elects or appoints a data protection authority (“DPA”) who heads the compliance and regulation of privacy. The UK passed the Data Protection Act of 1998 to comply with the EU’s Directive, establishing an Information Commissioner as their DPA.  The Commissioner is appointed by the Queen and reports directly to Parliament.

The current commissioner, Richard Thomas began prosecution of Ian Kerr, a private investigator used extensively within the UK construction business. An investigation of Mr. Kerr revealed he compiled a database of 3,213 workers used by 40 construction companies for vetting potential employees. The very prominent construction companies would pay Mr. Kerr £3,000 annually for access to the database and use the information to make decisions on hiring. After an eight month ICO investigation, Commissioner Thomas said he has documents which

“… show that files on individuals included comments on individuals such as ‘communist party’, ‘ex-shop steward, definite problems, no go’, ‘do not touch’, ‘orchestrated strike action’ and ‘lazy and a trouble-stirrer’.”

In a statement, Deputy Information Commissioner, David Smith, said:

“This is a serious breach of the Data Protection Act. Not only was personal information held on individuals without their knowledge or consent but the very existence of the database was repeatedly denied. The covert system enabled Mr Kerr to unlawfully trade personal information on workers for many years helping the construction industry to vet prospective employees. The Data Protection Act clearly states that organisations must be open about how they process personal information, and in most cases those processing personal information must register with the ICO – Mr Kerr did not comply with the law on either count.

British intellectual property lawyer Steve Kuncewicz said:

“What employers cannot do is use data in the way they have. If they’re not careful, the directors of the construction company concerned could end up facing a criminal charge as well as a civil action.” The EU Directive gives employees the right to see and correct inaccurate personal data their employer may hold about them.

This case suggests the Phorm incident is simply a discrepancy or oversight rather than a disrespect for British Citizens’ privacy.  Commissioner Thomas snared a clear violator and a large sampling of the UK construction companies.  Deputy Commissioner Smith states quite clearly,

“We will prosecute Mr Kerr and we are also considering what regulatory action to take against construction firms who have been using the system. I remind business leaders that they must take their obligations under the Data Protection Act seriously. Trading people’s personal details in this way is unlawful and we are determined to stamp out this type of activity.”

The complete list of construction companies may be found at the end of the ICO’s statement on the matter. For a privacy professional or CIPP candidate, a quick review of several of Mr. Kerr and the construction companies’ violations of the Data Protection Directive is in order.

The Section I, Article 6, of the Data Protection Directive requires private data collected be

• (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
• (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

While Section II, Article 7, states that, as criteria for making data processing legitimate, personal data may not be processed unless:

• (a) the data subject has unambiguously given his consent; or
• (d) processing is necessary in order to protect the vital interests of the data subject; or

In Section V, Article 12, data subjects are guaranteed specific rights:

• (a) without constraint at reasonable intervals and without excessive delay or expense:
  • confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,
  • communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,
  • knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred .to in Article 15 (1);

• (b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;
• (c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.

Member States shall provide that personal data may be processed only if:

• (a) the data subject has unambiguously given his consent; or
• (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
• (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
• (d) processing is necessary in order to protect the vital interests of the data subject; or
• (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
• (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

This treatment of personal information held quite a bit of headache for multi-national companies with sensitive HR data or customer relationship information. These problems were eventually ironed out between the EU and the US Department of Commerce through the passage of the Safe Harbor program in 2000. The Center for Democracy and Technology gives a tidy summary of the Directive and international responses.

Intra-EU privacy was supposed to be quite well understood. Except by the British it appears. The European Commission began legal action against the United Kingdom Tuesday for failure to “ensure, among other things, the confidentiality of communications by prohibiting interception and surveillance without the user’s consent.”  In other words, not following Article 7.  To be fair, the 27 EU Members have had 90 cases of some sort of action brought against them, so the British are not in the minority.

The action, says EU Telecoms Commissioner Viviane Reding, relates to behavioral advertising company Phorm, and Internet Service Providers (ISPs) usage of the technology.  Apparently, British Internet users complained about interception and surveillance of their surfing habits.  The Federal Trade Commission brought similar behavioral US marketing problems to light in February.

“Technologies like Internet behavioural advertising can be useful for businesses and consumers but they must be used in a way that complies with EU rules,” Reding said in a statement. “We have been following the Phorm case for some time and have concluded that there are problems in the way the UK has implemented parts of the EU rules on the confidentiality of communications.”

For the United Kingdom, there has to be some question of sovereignty mixed in with the privacy lapses. EU Member States “cede part of their sovereignty under treaties which empower the EU institutions to adopt laws”. If Britain fails to come in line with the privacy protections from the Directive, Reding has the power to force the country to appear before the EU’s highest court, the European Court of Justice. The Court of Justice can thereby force Britain’s compliance.