Turning the tables on the surveillance society: can we find out what they've been looking at on the internet?

Chris Hutt draws our attention to an “interesting” Freedom of Information request.

So can it be done? Can we find out what the great, the good, the powerful – the people that run our lives – are doing on the internet?

Here’s the easy to follow flow chart published by the Information Commissioner on the subject (and further information is available in their publication The Exemption for Personal Information [pdf]):

Not beyond the realms of possibility is it? Mr McNamara will be busy when he gets back from his extended break won’t he? ‘Cause they’re not gonna like it up ’em are they?


37 Responses to Turning the tables on the surveillance society: can we find out what they've been looking at on the internet?

  1. Bristol Dave says:

    Interesting, although I strongly suspect this would be denied under the reason that it would take longer than 18 hours to gather and collate the data.

  2. thebristolblogger says:

    A lot of the groundwork for a request like this has been laid by Heather Brooke’s MPs expenses request.

    If you can get over 600 MPs’ expense claims through, you can get this through.

    Obviously they’re gonna knock it back to start with but the law’s in place to get this stuff.

  3. Anon says:

    That is one sad man!!

  4. inks says:

    Hmmmm I think Mr Wren’s request will get bounced. Staff with access to the internet can use it to a limited extent for personal use legitimately, just as they can use the office telephone. Browsing at lunchtime, that sort of thing.

    Some of the sites looked at may, just from the IP address, be personal information. Someone looking at a relative’s facebook page, for example, or booking a holiday flight.

    The list will need to be filtered to remove any IP addresses disclosing personal information. Which will take a lot of work, too much for a FOI request.

    Part 3 of the request should get answered but it’ll probably be bounced along with the rest.

  5. Bristol Dave says:

    I’m with Inks on this. They might be able to pull the data off within the time but removing any personal data from it is a mammoth task.

    However, I very much doubt they’ll be able to supply a list of URLs as requested in point 3, after all with a commercial filtering product like Websense the URL list is basically what you’re paying for, so it’s probably encrypted. Normally you allow or disallow access based on categories rather than sites (though you can set exceptions for individual URLs).

  6. thebristolblogger says:

    information is not automatically exempt just because it is personal data

    The Exemption for Personal Information

  7. Interesting…

    Being a database engineer, I have had a long interest in civil liberty aspects of information collecting – hence my anti ID-cards motion in 2005 and anti fingerprinting motion in January of this year:
    http://cabot-liberals.org/index.php?ward=Cabot&id=Cabot/motions/motion001
    http://cabot-liberals.org/index.php?ward=Cabot&id=Cabot/motions/motion004

    Since getting into the Cabinet I have been doing some work on tightening up the authorisation of RIPA applications in the Council, and also reviewing the storage and eventual deletion of other data collected by the council on citizens. This came to fruition last week, so look out for some publicity (hopefully) in the next week announcing improvements for citizen privacy.

    On the post subject, I have to say I’m a bit uneasy about the information on websites visited by officers being released generally. It should be remembered that it is (Labour) MPs not local gov officers who have continually expanded the amount of legal snooping and surveillance that the State can inflict on its citizens, so if anyone should be subjected to this kind of retaliatory intrusion, surely it is MPs?

    I thought the Guardian’s work to unravel Tony Blair’s personal accounting subterfuge was absolutely excellent. Blair was himself trying to evade a law that HE brought in in 2000.
    http://www.guardian.co.uk/politics/2009/dec/17/mystery-tony-blairs-money-solved
    In my opinion, this is the kind of hypocrisy that should be the subject of surveillance retaliation, not the ordinary work of civil servants.

    There is a possibility that some websites visited could be extremely compromising. For example, what if a senior officer was looking at wikileaks.org or some similar website that might indicate a public interest activity? The knowledge that any such viewing in future could become public knowledge could drive officers into a culture of fear that wouldn’t be in the public interest.

  8. thebristolblogger says:

    I have to say I’m a bit uneasy about the information on websites visited by officers being released generally.

    Who are you in favour of it being released to? Themselves? This is a typical example of powerful, unaccountable state employees being accountable to, er … Themselves!

    it is (Labour) MPs not local gov officers who have continually expanded the amount of legal snooping and surveillance that the State can inflict on its citizens

    It is invariably employees of the state that implement these laws. Why should they not find out what it’s like to have them inflicted upon them? Indeed why are you having to tighten up “the authorisation of RIPA applications”? Who decided to authorise them untightly (without much sign of accountability)?

    There is a possibility that some websites visited could be extremely compromising.

    So the information shouldn’t be released because it might be embarrassing? The FoI strictly precludes this view.

    The knowledge that any such viewing in future could become public knowledge could drive officers into a culture of fear that wouldn’t be in the public interest

    Surely that’s true of anyone who has their affairs monitored? Or is it special rules for special people?

    Your giveaway phrase is:

    the ordinary work of civil servants

    If you view these people as fundamentally benign, paternalistic and objective then I suppose their work is “ordinary”.

    Many of us have a vastly different view of the state, its employees and how they operate.

    However, ultimately, the principle of this request and the fact that surveillance equipment and data laws can work in the citizens’ favour as well as the government’s is what is interesting here, not who it’s aimed at.

    If this works then you can go after Labour MPs can’t you?

  9. thebristolblogger says:

    ps. As you’re interested in civil liberty aspects of information collecting, how do you feel about the fact that your Websense software is also sold to the Chinese government to censor the internet? How very liberal ….

    http://www.amnesty.org/en/library/asset/ASA17/001/2004/en/a0288a98-d64d-11dd-ab95-a13b602c0642/asa170012004en.html

    Who made that procurement decision then?

  10. Come on BB, Google censors China too – are you suggesting we shouldn’t use Google? I note you use Google a lot in your posts…

    Filtering software is by definition censorship software, so it isn’t surprising that it is also used by oppressive regimes. However, I am interested in this subject, so if you can find some “ethical censorship software” (if such a thing exists!) then I’d be interested in investigating whether using it is a possibility.

    But I’m not going to argue that the Council should unblock all staff computers to every website. Remember we are spending tax-payers cash here, and the public I think expects the Council to block porn and other inappropriate sites while workers are in office. It prevents people getting sacked for silly reasons, for one thing.

    Re your earlier reply, I think you conflate compromising with embarrassing. The latter is not a reason to prevent FoI, but the latter is – if it hindered the public interest (you didn’t answer my point about wikileaks.org ).

    I get your point that citizens can make surveillance laws work for them too – I’m just not sure that local gov officers are the right target for such action. I repeat that I am uneasy about it. The mark of true civil libertarians is that they defend the rights of their opponents as well as their friends. If officers were lapping up surveillance with glee then they might be deserving of such retaliation, but I don’t think they are.

    We’ll wait and see what Mr MacNamara responds with on the FoI issue…

  11. thebristolblogger says:

    There’s 2 issues here BLOCKING and MONITORING.

    The software you use is enabled to do both. (They’re even monitoring you!)

    What’s the score with library users then Mark? There’s nothing about privacy (I can see) on your libraries website. Are they being monitored?

    Is that legal?

  12. Jon Rogers says:

    This has been discussed before.

    There was discussion of the three levels of blocking on council web access on Charlie Bolton’s website back in April 2009.

    http://bit.ly/8LPQeJ

    Jon

  13. Bristol Dave says:

    I think there’s 3 issues BB, Blocking, Monitoring, and Logging.

    Just because web access is logged, it doesn’t mean it’s ever looked at (which is monitoring), and even then, it doesn’t mean anything is done about it (blocking).

  14. Good spot Jon. Here is the relevant text you put up:

    “Our internet filtering regime is quite mature having developed over the last decade.” It details three levels of use. These are “Business access”, “Business plus access”, and “public access” and explains the rationale for each.

    Councillors have “public access”, which is the same as is available on Council library computers and BCC staff rest area internet areas.

    BB is right that blocking and monitoring are different things. For blocking to occur, there must obviously be real-time monitoring by the software. Dave correctly points out, the issue is then: is this information stored (logged).

    I would say that in libraries, any web access that isn’t blocked should be discarded from the logs. I.e. only blocks should be recorded. For the rest of the Council, I think it’s fair that those records can be kept for some period of time, as this is standard in most other workplaces also. How long – I’m not sure. I’ll raise this as part of the data-retention review…

  15. Bristol Dave says:

    As for Libraries access being logged: I think I’m right in saying that that Jihadist nutter in Westbury-On-Trym was busted partly due to the logs of his BCC Library internet access. I doubt the kind of stuff he was searching for (how to make bombs) would have been blocked. Not using this as justification for public access being logged, just saying that on the basis of news reports that he was fingered, internet access on these public PCs *is* logged. If you want to look for particularly dodgy shit I’d go to one of those seedy looking internet cafes in Stokes Croft as I doubt they log it 🙂

  16. thebristolblogger says:

    I would say that in libraries, any web access that isn’t blocked should be discarded from the logs.

    But you don’t know? And you have no policy on it?

    So basically quite low-level civil servants – without telling anyone – are logging public library users and democratically elected representatives internet use with no apparent permission or democratic oversight?

    What did you say about “officers … lapping up surveillance with glee” Mark?

    There’s an emerging scandal here. Military quality surveillance software deployed by unelected people in the shadows against elected politicians and the public?

    Wow!

  17. AATON says:

    The Big Brother is everywhere.

  18. Bristol Dave says:

    So basically quite low-level civil servants – without telling anyone – are logging public library users and democratically elected representatives internet use with no apparent permission or democratic oversight?

    Well, they’re logging internet access from public library computers, but since you don’t have to “log onto” one of these PCs to use it, it can only be logged on IP address. Mapping this to a user based on what, CCTV footage, must be next to impossible.

    I’d wager we’re alright.

  19. dreamingspire says:

    From reading material on lists where people who do forensic analysis of PCs post, I’m sure that Windows s/w stores activity data in more places than you think, plus deleted files can often have part or all of their data recovered. Mapping this to user ID may be not quite ‘next to impossible’.
    But you can’t reasonably expect every LA to have expertise at this level (i.e. to ensure all trace of user activity is deleted when it ought not to be retained), so this problem is really part of the national problem of not having a proper security agency to instruct public sector bodies at this level. CESG isn’t really charged with doing this, and nor are other Whitehall depts such as DCLG. Remember that for a long time DfT refused to give clear instructions to LAs about not storing personal data in the bus pass data area in the chips that are in those Diamond Travelcard bus passes – the line taken was that bus pass Data Protection is the responsibility of LAs, even if they don’t understand the technology but are required to deliver on time.

  20. thebristolblogger says:

    Dave,

    I don’t use library computers but I’m told you need to log on with a library card number to use them. I do use the 24 hour library on the council’s website and you definitely need to log on for that.

    A data subject access request will be going in to the council to find out exactly what is logged. The results will be published in due course.

    Spire,

    there’s a whole lot of difference between a complex, forensic analysis of a hard drive and installing military quality surveillance software with a simple user interface that can be operated by a lowly systems administrator.

    If I walk into a room I leave forensic traces (DNA, fingerprints etc.) but that’s hardly the same as being subjected to secret listening devices and hidden CCTV for instance.

    this problem is really part of the national problem of not having a proper security agency to instruct public sector bodies at this level

    This is true and I doubt the council logging the public, councillors and their staff in this way is in the slightest bit compatible with Article 8 (HRA), which they so ostentatiously quote at every opportunity.

    Where’s the policy on this where our rights have been taken into account and properly protected? There isn’t one. There’s just been a quiet procurement decision taken and silence.

  21. BristolDave says:

    military quality surveillance software

    Military Quality? From what I’m told, Websense isn’t that great in terms of what you get for how much it costs.

    This is true and I doubt the council logging the public, councillors and their staff in this way is in the slightest bit compatible with Article 8 (HRA), which they so ostentatiously quote at every opportunity.

    But what Corporation, or indeed Local Authority in the country doesn’t use internet filtering/logging software? Normally if you purchase a filtering product, you get logging capability as well, it’s certainly standard with the major players like Websense, Smartfilter, Netsweeper, etc. Maybe it’s a legal requirement for them to log internet access from public computers under RIPA? Who knows.

    I’d be interested in the results of the FOI request.

  22. thebristolblogger says:

    Do you know how much it costs?

    Maybe it’s a legal requirement for them to log internet access from public computers under RIPA? Who knows.

    You might have thought the people using it might know and be explaining themselves to library users (and parents of children in schools for that matter).

    It’s unlikely to be RIPA which is concerned with ‘interception’ of communications and data from commercial service providers.

    I assume this is all being done under DPA which is based on the concepts of consent, scale and fairness …

    Subject access comes under the DPA by the way:

    http://www.ico.gov.uk/what_we_cover/data_protection/your_rights/how_to_access_information.aspx

  23. BristolDave says:

    Do you know how much it costs?

    Yank prices, but gives an idea: http://www.connectworld.net/cgi-bin/websense/index.html

  24. thebristolblogger says:

    Hmm. Even the more expensive versions over 3 years still slip under the £0.5m level where the cabinet has to take the purchasing and implementation decision.

    However you might have thought the officer who took the delegated decision to implement the mass surveillance of the public and his elected political bosses might have thought:

    the matter would have such an effect on communities, businesses or individuals such as the matter ought to be considered/determined by councillors;

    or

    there is evidence that the public or councillors have a significant actual or potential interest in the matter such as would give rise to a desire or expectation that it be determined by councillors

    or

    the matter is likely to involve consideration of disputed or uncertain matters of fact or law or whether the decision gives rise to a fine balance between various options such as might reasonably give rise to an expectation that the matter will be considered by councillors

    And the delegated officer who ignored all of this advice and took a unilateral, personal decision instead? Step forward Carew Reynell.

    A man so arrogant, high-handed and convinced he was above the law, he ignored his own financial standing orders to keep information from politicians.

    Now we learn he hadn’t bothered telling them about his mass surveillance plan … Of them!

  25. MJ Ray says:

    Cllr Mark Wright asked “Come on BB, Google censors China too – are you suggesting we shouldn’t use Google?”

    Yes, that’s exactly what lots of groups ask: from Green Party Conferences to Students for a Free Tibet. Google is a large private-sector US corporation which is primarily interested in making money. If that means collaborating with repressive regimes, so be it. They are not a social enterprise.

    Avoid Google. Reduce, replace, recycle. Keep your own bookmarks, try some alternatives, use scroogle.org when you need to use google’s engine.

  26. BristolDave says:

    Avoid Google

    Why? Microsoft and Cisco also have helped China, but if we avoided them most people wouldn’t have a computer or an ISP.

    They’re not supposed to be a social enterprise, they’re a search engine. China will be an oppressive communist regime whether I search the web with Google or not.

    Fuck sake.

  27. Badger says:

    anyone would think you had some kind of hidden agenda with their filtering software, surely there’s more news worthwhile reporting on?

  28. ConfusedATXmas says:

    I have recently come back from Norway (a town similar size to Bristol), there they had a debate about using websense and other products.

    In the end they saved the money, spent it on better things and told school children, the public and their equivalent of cllrs not to abuse it.

    You know what, the few idiots that did, were soon fired/told off and the VAST majority enjoyed access and the money saved went to more important things than stopping one or two idiots.

    Why do BCC spend money on websense or anything else, what exactly is the point? Can anyone justify its expense? Please no “scare hype responses”

  29. Bristol Dave says:

    ConfusedATXmas:

    They need to firstly because I imagine they have a legal requirement to filter access on public PCs that will be used by children, can you imagine the stories that the burning torch & pitchfork brigade would run to the Daily Mail with if a child accessed a porn site?

    Secondly, in order to implement the solution you propose of “telling off” the people who abuse the open access you’d need logging that TBB has such a problem with.

  30. inks says:

    “Why do BCC spend money on websense or anything else, what exactly is the point? Can anyone justify its expense? Please no “scare hype responses”

    In 2004 Bristol’s councillor for Easton, John Astley, was jailed for downloading child porn. From memory I think he used a computer supplied by the council and possibly their internet connection as well (might be wrong about that). Quite a scandal at the time and I can understand why BCC would want to use filtering software to stop anything similar in future.

  31. SteveL says:

    The “Great Firewall of China” taints all of us in computing. Cisco do a lot of it. Yahoo! identified “subversives” who were then arrested. Google just filter some of their search terms, make sure only the right queries in Tiananmen Square come back. The only way you can be sure you aren’t tainted is if you work in “Adult Web Site” business. I don’t, but I know people who do.

    If you really want to have a fun FOI request, someone should ask for the list of banned sites.

  32. Mordy says:

    BB can you explain why at the top of the page you say Chris Hutt brought this to your attention, yet on the “Linked In” site Bill Wren is described as a “Worker at the Bristol Blogger”?

  33. thebristolblogger says:

    No shit Sherlock.

    Are Karen Eliot and Luther Blisset on there too?

  34. Pingback: Tidings of comfort and joy « The Bristol Blogger

  35. MJ Ray says:

    Avoid Google

    Why? Microsoft and Cisco also have helped China, but if we avoided them most people wouldn’t have a computer or an ISP.

    They’re not supposed to be a social enterprise, they’re a search engine. China will be an oppressive communist regime whether I search the web with Google or not.

    I think most people could use a computer with Microsoft. Cisco is a bit more difficult to influence with consumer choice, granted.

    China is less likely to be an oppressive communist regime if you don’t search the web with Google. If we agree that Google is asocial, then the main thing that influences them is increasing profit: so if helping an oppressive regime reduces their profit by more than they get from helping the Chinese regime, then logically they should stop doing it.

    This is basic private corporation theory: they should respond to the market.

  36. MJ Ray says:

    I meant without Microsoft, obviously.

  37. Steve says:

    You can have an MS-free desktop with ease, I would recommend Ubuntu 9.04 over version 9.10 for reasons too complex to go into. Free, and way more secure than the windows series.

    Cisco? There are other people who will sell you routers: HP ProCurve, Extreme, and Brocade for example, all with sFlow flow-management by an ex-bristol team, inMon. The other option is go away from proprietary ASICs and closed-source OS/router software stack; OpenFlow is the area of interest there. Nick McKeown of Stanford Uni who is behind it also used to work in Bristol.

    But if you work in open source, you have to accept that people whose politics and policies you don’t agree with will use your code. If it’s good, that is.
