
Big data: better services, individual privacy and cyber security

Published: Monday, 23rd November 2015

Around 80 members of both Houses and outside guests gathered in the Speaker’s House for the latest in our series of discussions on major topical issues of relevance to both sides of the Atlantic, jointly hosted by the Ditchley Foundation and the British-American Parliamentary Group. The event was introduced by Lord Robertson of Port Ellen, the Chairman of the Ditchley Council of Management, and chaired by Sir John Holmes, the Director of The Ditchley Foundation. The four panellists spoke for a few minutes each before the floor was opened for wider discussion.

Matthew Kirk, Group External Affairs Director at Vodafone, saw four broad areas of challenge in the huge possibilities for big data opened up by modern computing power. These were changing the way we lived in dramatic ways:

-    The world of work was being transformed, as it had been by the industrial revolution, but much faster. If workforces in a particular country were not reskilled to match, the resulting resistance would mean that country missed the boat and the opportunities for the future.

-    Privacy and security concerns: the results of putting datasets together were unpredictable. Encryption was a valuable tool but the more data was encrypted, the less usable it became. The balance between the benefits and downsides was hard to draw.

-    Ownership of data was a tricky concept and hard to establish – and could be a red herring. A more important question was the purpose of collecting and holding data, which would then define how it could be used subsequently.

-    Jurisdiction issues: things were often happening in several jurisdictions simultaneously, which posed big problems for those responsible for consumer protection etc at national level. Governments and legislatures needed to get to grips with this issue more than they had so far.

There were also concerns about infrastructure, and for example a worry that Europe was lagging behind the US, Japan and China in the quality of what was being provided. It was currently difficult to make an investment case for modern infrastructure. This could lead to a significant competitive disadvantage over time.

Hugh Stevenson, Deputy Director of the Office of International Affairs at the US Federal Trade Commission, explained that the FTC’s role was to protect the privacy and security of consumers in the private sector, with enforcement actions taken against major private sector companies. They relied heavily on their ability to detect and prevent deceptive practices, using administrative orders or court proceedings, and cooperated a good deal with other agencies. They were also much engaged in policy issues. On big data, they were very conscious of the benefits eg in healthcare, but also of the accelerating risks to privacy from the rapid accumulation of vast amounts of data, and data security concerns related to the internet and new technologies. Key challenges were how to keep up with the technology, making sure enforcement remained effective, and extending international cooperation. One key issue was transparency about who was collecting what and for what purpose. The FTC had been studying the practices of data brokers and their potential use in aiding discriminatory practices by, for example, charging people with low credit scores more for specific goods or services. They had also been focussing on the need for companies which stored a lot of data to ensure they had appropriate security protections in place. On the international front, the recent Safe Harbour European court ruling raised a lot of issues which they were trying to work through. Cooperation with the Information Commissioner’s Office in the UK was also increasingly close.

Anthony Walker, deputy CEO of techUK, suggested that the future of our economy depended on how we made use of big data. We needed a smart, open, risk-based approach to avoid talking ourselves into a position where it became impossible to innovate. A country like the UK should be looking to shape the debate and good practice, not take the lead from others. Trust and confidence would be fundamental to this, which meant that private companies had a big incentive to be transparent and accountable. He was following new data legislation in Brussels very closely. There were some good things in it but too much emphasis on the consent of individuals rather than a risk-based approach could be the wrong way forward. If individuals were bombarded with endless requests for consent, they would either be frightened off, or not take such requests seriously. It could also have the perverse consequence that companies needed to store personal data they would not otherwise want or need just so that they could ask their customers for consent! The ECJ ruling on the Safe Harbour provisions was another major concern because of the lack of legal clarity it had created, particularly about data transfers between countries. It had already had a chilling effect on the market in some areas. On the cyber security front, an economy wanting to lead the digital field needed to be secure at all levels. The risks otherwise had been clearly shown by the recent TalkTalk incident. So every CEO in the country, including those who ran small companies, needed to take another look at how well protected his or her own company was. The technology to protect companies was there but needed to be used properly.

David Omand, Visiting Professor at King’s College London, said that the digital intelligence capabilities of GCHQ should be harnessed to protect against criminal and malicious cyber attacks, including against the critical national infrastructure. These capacities (including bulk access to Internet traffic and the interference with the computer equipment of the adversary) were what would be regulated by the new draft Investigative Powers Bill to come before Parliament soon. This was an opportunity to set the gold standard in combining effective security with protection of privacy. If the bill was neutered, on the other hand, this would deprive the UK of our best tool to counter cyber threats. Intelligence operations, for example to take down botnets set up by serious criminals or to stop industrial-scale criminal trafficking using the dark web, needed the right kind of access to the internet. On the terrorism front, analysis of bulk data relating to known individuals could lead to new leads on the members of their networks and facilitators overseas and trigger new investigations, and had indeed done so in recent cases where potentially lethal terrorist activities had been stopped. Parliament therefore needed to recognise that these capacities were not a threat to the liberties of citizens but an essential way of protecting them, and to endorse stronger oversight as would be provided for in the Bill ensuring, and reassuring people, that these powerful digital tools could not be misused. Recent reports by the House of Commons Intelligence and Security Committee, by David Anderson QC the reviewer of counter-terrorism legislation and by an independent panel convened by the Royal United Services Institution contained the necessary material.

The following issues were covered in the Q and A which followed the presentations:

-    How could different jurisdictions cooperate better to combat use of the dark web, and fraud across borders? The difficulties were real. One answer was more transparency of domain information. Greater harmonisation of data storage and retention requirements would also be valuable. Perhaps the striking down of the Safe Harbour provisions could be seen as an opportunity as well as a threat, by provoking a more mature debate between the US and Europe, and arrangements which were less of a one-way street. The MLAT multilateral arrangements also needed to be strengthened and speeded up further. Direct agency-to-agency cooperation could be fast when required.

-    What should the new UK legislation look like to be a success? Its provisions should be open and simple, and roll up the previous messy legislation in one single law. On the particular point of who should sign warrants, government ministers were often best placed to take decisions and be held accountable for these decisions, but judges should be involved in reviewing warrants more than was currently the case, and should be given appropriate support, including technical support, to help them carry out such roles. Independent parliamentary oversight should be beefed up further. Rights of redress for individuals should be improved, including through provision for the right of appeal from the Investigative Powers Tribunal. In practical terms, restraint would continue to be required from the agencies – not everything which could be done should be done, and the Intelligence and Security Committee should be robust about this where necessary, not least with the agency heads themselves.

-    How could greater trust be instilled into the public, so that they did not object to sharing eg their health data when this really could do good, and had some faith in the consents they were being asked for? This was the key problem. There had to be a relationship of transparency between companies and their customers, on a continuous and informed basis, about the purpose of collecting data. Companies should communicate like human beings, not like compliance lawyers. Consents had to be meaningful, not just legal process, and respected once given. If this did not happen, the big data economy would be still-born. At the same time, the responsibility for deciding on ethical questions of right or wrong should be for the legislators, not private companies.

Sir John Holmes
23 November 2015