Police Officer Amerdeep Singh Johal has been sentenced to 6 years in jail for blackmail.

Johal, pictured, was using one of the Met Police’s intelligence database to blackmail sex offenders. Pc Amerdeep Singh Johal was demanding money from the offenders for his “co-operation”.

While the police have investigated and convicted this man, quite rightly, it appears it is another example of data guardians misusing the information.

The police stated that “There are strict guidelines in place regarding the use of intelligence databases and if anyone abuses it that is taken extremely seriously.”.

But the reality is that this occurs more often then we would hope, or others are willing to admit:

In 2008 there were two cases of police officers accessing data for their own purposes. One police officer used information to harass and intimidate an innocent woman; another used his access to criminal records to gain access about his partners’ family.

In 2008 the Liverpool Lib Dem council obtained the phone records of the leader of the council opposition

In 2008  councillors used the RIPA Act to put a family undersurvellience, including being followed, to see which school they should attend.

In 2007 CCTV operators in Cardiff turned the cameras onto people’s homes and hotel rooms when they were supposed to be guarding the Welsh Assembly.

In 2006 council CCTV operators were involved in taking zoomed in photos of people appearing in naked in photo shoots.

In 2005 CCTV council operators in the UK used their cameras to repeatedly spy on a woman in her house and bedroom.

in 2005 NCP CCTV operators were accused of filming a couple having sex and copying the film onto DVD.

In 2004 police, along with a private detective agency, were involved in illegal phone tapes.

In 2002 a BT employee was involved in tapping a celebrity’s phone

In 2002 a WPC used police databases to locate a woman she believed was having an affair with her husband

Tags: CCTV, Data Misuse, Law

The Bar Council has been the victim of data theft, in this case it is literally a case of theft of a computers containing the data.

The theft occurred on 12th December 2008, in the Holburn Office of the Bar Council.

Despite the usual protestations of the data controllers, who were the victims of the data theft, the data does not appear to have been secured with Encryption

The data contains information about Barristers names and home addresses, which will probably be of some concern for barristers involved in prosecuting criminals, as that data is now in the hands of criminals (though they may not know that, or have the wherewithal to even access the data), but that will not provide much comfort to the Barristers involved!

Tags: Data Theft, Encryption, Law

After case after case of data loss relating to social security numbers in the US, the FTC has taken a decision – stop making social security numbers so critical as a form of identification.

Hats off to the FTC, as by this it effectively admits that data theft will always occur, all you can do is try and limit the effects.

Tags: Data Loss, Data Theft

According to ScanSafe hackers are getting better, with 26 % of attacks in November 2008 being “Zero Day” attacks, compared with 16% in October 2008.

From these statistics it is implied that there is an increase in the number of zero day attacks.

However the research is slightly skewed (an IT security company skewing stats about IT security, surely not!).

The 26% of attacks, is not actually 26% of all zero day attacks, but the % of attacks blocked. I.e the number of attacks blocked increased from 16% to 26%.  Obviously the number of stats for the attacks which got through are not widely published!

Following the farce of the Internet Watch Foundation banning a page on Wikipedia, and then standing by its decision, it has now changed its mind.

Though the decision not to ban the image only applies to the image being held abroad, and possibly not in the UK. The IWF says “Any further reported instances of this image which are hosted in the UK will be assessed in line with IWF procedures.”

While nobody (sane) wants to allow access to child abuse images, the question of IWF, and by proxy CleanFeed, making blanket decisions about how can access what, from child abuse to racist content, and possibly in the future D-Notices, is somewhat concerning.

What else have they banned that we do not know about? How many sites about political issues are we, in the UK censored from? Perhaps its not many now, but do we want to have a system in place that could, at any point, stop access to information about elections or taxation?

Below are some examples of internet censorship within the UK:

• UK has a “firewall”, similar to the Chinese “Golden Shield”
• UK to try and block sites that include “D-Notice” information
• Censoring the Internet – banning terrorism
• Wiki Page blocked by ISPs
• Down loading a copy of the Jolly Rodger CookBook

Tags: Terrorism

Another month, another official getting caught misusing data (with a very low detection rate the concern is how many are not getting caught).

In Columbus Ohio, Erin G. Rosen, who worked as  general counsel within the Attorney General offices, has been accused of using the company databases to find information about colleagues.

It appears that this is not the only case to have occurred in the office with another person resigning this year over improper conduct in the office.

Source

Tags: Data Misuse

The UK has operated a firewall for sometime now, similar in many ways to the Chinese firewall (Golden Shield), though the content that is filtered out is different, for now – though that may change

The UK firewall, controlled largely by the Internet Watch Foundation, and therefore the UK Police and Government is designed to block illegal pornography and other offensive material. However, due to the way it works nobody really knows what’s blocked. There is no published list, there are no published guidelines for what is and what is not blocked, web pages just disappear.

The end user is, in general, unlikely to know if a page has been removed as the error returned when visiting a removed web page is the standard 404 missing page error, implying it could be the hosting company that has the error, not state censorship.

Despite the obvious concerns of this technology being rolled out about across the UK there has been relatively few complaints about the subject in the mainstream media. But now the firewall, CleanFeed, has blocked a page on Wiki, causing widespread interest in the subject.

• PC Pro: Brits blocked from Wikipedia over child porn photo
• Brand Republic: Wikipedia page banned in UK over controversial child image
• The Register: Brit ISPs censor Wikipedia over ‘child porn’ album cover

The pictures are not pleasant (and even on news web sites, which are not blocked), but they have been on the album cover since the 1960s and 70s, and have been sold in record shops and book shops since then. Never, has there been a prosecution in relation to those covers.

So, is it the place of government to start censoring the internet? Well the UK government thinks so.

EUROPEAN COURT OF HUMAN RIGHTS

880

4.12.2008

Press release issued by the Registrar

GRAND CHAMBER JUDGMENT
S. AND MARPER v. THE UNITED KINGDOM

The European Court of Human Rights has today delivered at a public hearing its Grand Chamber judgment¹ in the case of S. and Marper v. the United Kingdom (application nos. 30562/04 and 30566/04).

The Court held unanimously that:

· there had been a violation of Article 8 (right to respect for private and family life) of the European Convention on Human Rights;

· it was not necessary to examine separately the complaint under Article 14 (prohibition of discrimination) of the Convention.

Under Article 41 (just satisfaction), the Court considered that the finding of a violation, with the consequences that this would ensue for the future, could be regarded as constituting sufficient just satisfaction in respect of the non-pecuniary damage sustained by the applicants. It noted that, in accordance with Article 46 of the Convention, it would be for the respondent State to implement, under the supervision of the Committee of Ministers, appropriate general and/or individual measures to fulfil its obligations to secure the right of the applicants and other persons in their position to respect for their private life. The Court awarded the applicants 42,000 euros (EUR) in respect of costs and expenses, less the EUR 2,613.07 already paid to them in legal aid. (The judgment is available in English and French.)

1.  Principal facts

The applicants, S. and Michael Marper, are both British nationals, who were born in 1989 and 1963 respectively. They live in Sheffield, the United Kingdom.

The case concerned the retention by the authorities of the applicants’ fingerprints, cellular samples and DNA profiles after criminal proceedings against them were terminated by an acquittal and were discontinued respectively.

On 19 January 2001 S. was arrested and charged with attempted robbery. He was aged eleven at the time. His fingerprints and DNA samples² were taken. He was acquitted on 14 June 2001. Mr Marper was arrested on 13 March 2001 and charged with harassment of his partner. His fingerprints and DNA samples were taken. On 14 June 2001 the case was formally discontinued as he and his partner had become reconciled.

Once the proceedings had been terminated, both applicants unsuccessfully requested that their fingerprints, DNA samples and profiles be destroyed. The information had been stored on the basis of a law authorising its retention without limit of time.

2.  Procedure and composition of the Court

The application was lodged with the European Court of Human Rights on 16 August 2004 and declared admissible on 16 January 2007. The Chamber to which the case was assigned decided to relinquish jurisdiction to the Grand Chamber on 10 July 2007³.

The National Council for Civil Liberties and Privacy International were granted leave to intervene in the written procedure before the Grand Chamber.

A public hearing took place in the Human Rights building, Strasbourg, on 27 February 2008.

The judgment was given by the Grand Chamber of 17 judges, composed as follows:

Jean-Paul Costa (France), President,
Christos Rozakis (Greece),
Nicolas Bratza (United Kingdom),
Peer Lorenzen (Denmark),
Françoise Tulkens (Belgium),
Josep Casadevall (Andorra),
Giovanni Bonello (Malta)
Corneliu Bîrsan (Romania),
Nina Vajić (Croatia),
Anatoly Kovler (Russia),
Stanislav Pavlovschi (Moldova),
Egbert Myjer (Netherlands),
Danutė Jočienė (Lithuania),
Ján Šikuta (Slovakia),
Mark Villiger (Switzerland)⁴,
Päivi Hirvelä (Finland),
Ledi Bianku (Albania), judges,

and also Michael O’Boyle, Deputy Registrar.

3.  Summary of the judgment⁵

Complaints

The applicants complained under Articles 8 and 14 of the Convention about the retention by the authorities of their fingerprints, cellular samples and DNA profiles after their acquittal or discharge.

Decision of the Court

Article 8

The Court noted that cellular samples contained much sensitive information about an individual, including information about his or her health. In addition, samples contained a unique genetic code of great relevance to both the individual concerned and his or her relatives. Given the nature and the amount of personal information contained in cellular samples, their retention per se had to be regarded as interfering with the right to respect for the private lives of the individuals concerned.

In the Court’s view, the capacity of DNA profiles to provide a means of identifying genetic relationships between individuals was in itself sufficient to conclude that their retention interfered with the right to the private life of those individuals. The possibility created by DNA profiles for drawing inferences about ethnic origin made their retention all the more sensitive and susceptible of affecting the right to private life.

The Court concluded that the retention of both cellular samples and DNA profiles amounted to an interference with the applicants’ right to respect for their private lives, within the meaning of Article 8 § 1 of the Convention.

The applicants’ fingerprints were taken in the context of criminal proceedings and subsequently recorded on a nationwide database with the aim of being permanently kept and regularly processed by automated means for criminal-identification purposes. It was accepted that, because of the information they contain, the retention of cellular samples and DNA profiles had a more important impact on private life than the retention of fingerprints. However, the Court considered that fingerprints contain unique information about the individual concerned and their retention without his or her consent cannot be regarded as neutral or insignificant. The retention of fingerprints may thus in itself give rise to important private-life concerns and accordingly constituted an interference with the right to respect for private life.

The Court noted that, under section 64 of the 1984 Act, the fingerprints or samples taken from a person in connection with the investigation of an offence could be retained after they had fulfilled the purposes for which they were taken. The retention of the applicants’ fingerprint, biological samples and DNA profiles thus had a clear basis in the domestic law.

At the same time, Section 64 was far less precise as to the conditions attached to and arrangements for the storing and use of this personal information.

The Court reiterated that, in this context, it was essential to have clear, detailed rules governing the scope and application of measures, as well as minimum safeguards. However, in view of its analysis and conclusions as to whether the interference was necessary in a democratic society, the Court did not find it necessary to decide whether the wording of section 64 met the “quality of law” requirements within the meaning of Article 8 § 2 of the Convention.

The Court accepted that the retention of fingerprint and DNA information pursued a legitimate purpose, namely the detection, and therefore, prevention of crime.

The Court noted that fingerprints, DNA profiles and cellular samples constituted personal data within the meaning of the Council of Europe Convention of 1981 for the protection of individuals with regard to automatic processing of personal data.

The Court indicated that the domestic law had to afford appropriate safeguards to prevent any such use of personal data as could be inconsistent with the guarantees of Article 8 of the Convention. The Court added that the need for such safeguards was all the greater where the protection of personal data undergoing automatic processing was concerned, not least when such data were used for police purposes.

The interests of the individuals concerned and the community as a whole in protecting personal data, including fingerprint and DNA information, could be outweighed by the legitimate interest in the prevention of crime (the Court referred to Article 9 of the Data Protection Convention). However, the intrinsically private character of this information required the Court to exercise careful scrutiny of any State measure authorising its retention and use by the authorities without the consent of the person concerned.

The issue to be considered by the Court in this case was whether the retention of the fingerprint and DNA data of the applicants, as persons who had been suspected, but not convicted, of certain criminal offences, was necessary in a democratic society.

The Court took due account of the core principles of the relevant instruments of the Council of Europe and the law and practice of the other Contracting States, according to which retention of data was to be proportionate in relation to the purpose of collection and limited in time. These principles had been consistently applied by the Contracting States in the police sector, in accordance with the 1981 Data Protection Convention and subsequent Recommendations by the Committee of Ministers of the Council of Europe.

As regards, more particularly, cellular samples, most of the Contracting States allowed these materials to be taken in criminal proceedings only from individuals suspected of having committed offences of a certain minimum gravity. In the great majority of the Contracting States with functioning DNA databases, samples and DNA profiles derived from those samples were required to be removed or destroyed either immediately or within a certain limited time after acquittal or discharge. A restricted number of exceptions to this principle were allowed by some Contracting States.

The Court noted that England, Wales and Northern Ireland appeared to be the only jurisdictions within the Council of Europe to allow the indefinite retention of fingerprint and DNA material of any person of any age suspected of any recordable offence.

It observed that the protection afforded by Article 8 of the Convention would be unacceptably weakened if the use of modern scientific techniques in the criminal-justice system were allowed at any cost and without carefully balancing the potential benefits of the extensive use of such techniques against important private-life interests. Any State claiming a pioneer role in the development of new technologies bore special responsibility for striking the right balance in this regard.

The Court was struck by the blanket and indiscriminate nature of the power of retention in England and Wales. In particular, the data in question could be retained irrespective of the nature or gravity of the offence with which the individual was originally suspected or of the age of the suspected offender; the retention was not time-limited; and there existed only limited possibilities for an acquitted individual to have the data removed from the nationwide database or to have the materials destroyed.

The Court expressed a particular concern at the risk of stigmatisation, stemming from the fact that persons in the position of the applicants, who had not been convicted of any offence and were entitled to the presumption of innocence, were treated in the same way as convicted persons. It was true that the retention of the applicants’ private data could not be equated with the voicing of suspicions. Nonetheless, their perception that they were not being treated as innocent was heightened by the fact that their data were retained indefinitely in the same way as the data of convicted persons, while the data of those who had never been suspected of an offence were required to be destroyed.

The Court further considered that the retention of unconvicted persons’ data could be especially harmful in the case of minors such as the first applicant, given their special situation and the importance of their development and integration in society. It considered that particular attention had to be paid to the protection of juveniles from any detriment that could result from the retention by the authorities of their private data following acquittals of a criminal offence.

In conclusion, the Court found that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, failed to strike a fair balance between the competing public and private interests, and that the respondent State had overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention in question constituted a disproportionate interference with the applicants’ right to respect for private life and could not be regarded as necessary in a democratic society. The Court concluded unanimously that there had been a violation of Article 8 in this case.

Article 14 in conjunction with Article 8

In the light of the reasoning that led to its conclusion under Article 8 above, the Court considered unanimously that it was not necessary to examine separately the complaint under Article 14.

***

The Court’s judgments are accessible on its Internet site (http://www.echr.coe.int).

Press contacts
Adrien Raif-Meyer (telephone: 00 33 (0)3 88 41 33 37)
Tracey Turner-Tretz (telephone: 00 33 (0)3 88 41 35 30)
Sania Ivedi (telephone: 00 33 (0)3 90 21 59 45)

The European Court of Human Rights was set up in Strasbourg by the Council of Europe Member States in 1959 to deal with alleged violations of the 1950 European Convention on Human Rights.

¹ Grand Chamber judgments are final (Article 44 of the Convention).

².  DNA stands for deoxyribonucleic acid; it is the chemical found in virtually every cell in the body and the genetic information therein, which is in the form of a code or language, determines physical characteristics and directs all the chemical processes in the body. Except for identical twins, each person’s DNA is unique. DNA samples are cellular samples and any sub-samples or part samples retained from these after analysis. DNA profiles are digitised information which is stored electronically on the National DNA Database together with details of the person to whom it relates.

³ Under Article 30 of the Convention, where a case pending before a Chamber raises a serious question affecting the interpretation of the Convention or the protocols thereto, or where the resolution of a question before the Chamber might have a result inconsistent with a judgment previously delivered by the Court, the Chamber may, at any time before it has rendered its judgment, relinquish jurisdiction in favour of the Grand Chamber, unless one of the parties to the case objects.

⁴ Judge elected in respect of Liechtenstein.

⁵ This summary by the Registry does not bind the Court.