The tell-tale signs are everywhere. You can see them in our buildings and our transport networks. You can read them in your morning paper. You can hear them echoing down the corridors of Whitehall. Galvanised by fear whipped up by the media, to which our politicians pander persistently in pursuit of power, we’ve changed our society into one where nobody dares take a decision. We live in a post-accountability world where bureaucracies ruin lives for the want of someone – anyone – displaying a bit of courage or leadership or common sense.

Nowhere is this illustrated more starkly than in the case of Paul Chambers.

In the snowy depths of January 2010 Paul sent a message of frustration to his Twitter friends when he discovered the weather could affect his travel plans: “Crap! Robin Hood Airport is closed. You’ve got a week and a bit to get your shit together or I’m blowing the airport sky high!!”

A member of staff at Robin Hood Airport saw the tweet because they were searching Twitter for their employer’s name (goodness knows why). They judged it to be harmless, but reported it anyway, presumably so their ass would be covered if it turned out to be otherwise; and anyway, it didn’t cost them anything personally, so why not? Especially since the consequences of inaction might have proved career-limiting.

I imagine similar thinking drove the airport security team’s decision to tip off the police about the message, or rather, their decision to make it their policy to report every tip-off they receive no matter how improbable it seems. After all, it would have been no skin off their noses to include Paul’s tweet in their routine report, and the consequences would have been unthinkable if they’d failed to mention something that might, just might, have been important. Same with the police: it’s no problem for them to investigate any possible threat. They could have decided Paul’s tweet was a foolish act of bravado, yet if they had declined to act and something bad had happened, it would have been be their responsibility. Far be it for the police to take responsibility. That’s what the Crown Prosecution Service is for, right? Wrong.

At least when cases like this are blown out of proportion by a bunch of jobsworths, they’re usually set straight by the courts, aren’t they? Not this time. This was ass-covering at it’s finest, all the way down the line. Paul was convicted of sending “a message or other matter” which is “grossly offensive or of an indecent, obscene or menacing character” by means of a “public electronic communications network”. His fine currently stands at £384 plus £2600 in costs. He’s been given a criminal record and has lost two jobs as a consequence.

This is bigger than one man’s misguided message. Other tweeters have been arrested under section 127 of the Communications Act 2003 since Paul’s conviction, which was upheld unequivocally by Doncaster Crown Court last Thursday, and those people are still waiting to learn their fate. The chilling effect this ruling could have on freedom of expression is no laughing matter.

This is how the War on Terror has ended. Not with the capture of Osama Bin Laden and the routing of Al-Qaeda. Not with world peace nor by treating each other as we would wish to be treated. Instead, it’s ended with innocent people looking over their shoulders, thinking twice about what they say online and being thankful for every day they escape the dreaded knock that could ruin their lives.

There may be hope yet. Paul and his legal team are considering whether to appeal to the high court. Nobody would blame Paul if he decided to draw a line under this sorry affair and turn his energy towards rebuilding his life. If he decides to continue though (and I hope he does) he deserves our full support.

That’s why some of us are having a rally in Sheffield, tomorrow, to express solidarity with Paul, to protest against his conviction, and to champion the cause of free speech on the Internet.

If you fancy joining us the information you need is here: http://bit.ly/jokesontrial – but be quick. You’ve got less than 24 hours to get your shit together, and if you don’t make it, I’m gonna blow you sky high!!!!1

1. Scrap the ID card scheme, the National Identity register, the next generation of biometric passports and the ContactPoint Database.
2. Outlaw the finger-printing of children at school without parental permission.
3. Extend the scope of the Freedom of Information Act to provide greater transparency.
4. Adopt the Scottish approach to stopping retention of innocent people’s DNA on the DNA database.
5. Defend trial by jury.
6. Restore rights to non-violent protest.
7. A review of libel laws to protect freedom of speech.
8. Safeguards against the misuse of anti-terrorism legislation.
9. Further regulation of CCTV.
10. Ending of storage of internet and email records without good reason.
11. A new mechanism to prevent the proliferation of unnecessary new criminal offences.
12. End the detention of children for immigration purposes.

Oh my!

As a digital- and civil-rights campaigner this list fills my heart with joy. The successful passage of this Bill through Parliament would not end the need to champion human rights in the digital era* however it would be a famous victory for that cause: we could say with certainty that this election, that the ousting of Labour from Government, was the point at which the high-water mark of authoritarian social policy in Britain was reached.

Some fellow campaigners have today urged caution and are reserving judgement until the details of the Bill are published. I cannot fault them for their cynicism however I am filled with hope that today we have seen not only the dawn of a new politics in Britain, but a new era of liberty, freedom, privacy and respect for human rights in the UK.

I shall be raising my glass to the death of ID cards and the Database State tonight!

* Three omissions stand out: repeal clauses 11-18 of the Digital Economy Act; make the NHS Summary Care Record opt-in rather than opt-out; end the Vetting and Barring scheme, abolish the Independent Safeguarding Authority and reform CRB checks to make them fair. It’s possible that these will be included in the detail of the Bill.

British civil liberties have been dismantled systematically since 2001. The National Identity Register, biometric passports, the NHS spine, Contactpoint and the Vetting and Barring Scheme are just a few of the most egregious privacy invasions we have suffered.

Our every move is watched with suspicion by the authorities. ANPR systems record every journey we make. Video and audio Surveillance Systems (SS) watch us in every public space and many private ones too. Thousands of public bodies abuse their RIP Act powers to spy on us for trivial reasons. The police can stop us and search us arbitrarily, and they keep “pre-crime” databases on the innocent. Our private communications are monitored, analysed and recorded both by the Government and private companies.

Yet often MPs want one rule for us and another for them. The children of MPs can be “shielded” on ContactPoint to protect their privacy – but ours can’t. Very few MPs have an ID card even though ministers have been doing everything in their power to coerce the public into “volunteering” for them. Many MPs voted to exempt themselves from the Freedom of Information Act, to protect their “privacy”, whilst passing laws that erode ours.

When it comes to liberty in Britain today, all animals are equal, but some are more equal than others. This hypocrisy has to end and the systematic assault on our civil liberties must be reversed.

The Power2010 campaign is conducting a letter writing campaign asking Prospective Parliamentary Candidates to:

…commit that, if you are elected, you will vote to repeal the Identity Cards Act 2006 and will defend our privacy as fiercely as you would defend your own and that of your family.

The above reproduces what I sent to Sheffield Central PPCs. You can take part in the campaign here.

Now Ross Anderson and Steven Murdoch, computer security researchers at the University of Cambridge, have published a paper [PDF] analysing 3D-Secure. Announcing the work on his blog, Prof. Anderson said,

From the engineering point of view, [3D-secure] does just about everything wrong, and it’s becoming a fat target for phishing. So why did it succeed in the marketplace? Quite simply, it has strong incentives for adoption. Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders. … This is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure.

The paper concludes by recommending technical measures that would improve security for card-holders. It also calls for regulation to protect consumers from being forced to accept liability for online fraud.

I hope that the academic rigour of Anderson and Murdoch’s work, backed by the formidable reputation of the University of Cambridge Security Research Laboratory, will help to focus mainstream attention on Visa and Mastercard’s selfish treatment of their customers.

The title of the talk was “The Future of Privacy” and Schneier’s treatment of his topic was comprehensive. He started by listing some technologies and practices that can threaten our privacy: overt surveillance systems; mobile phones, RFID tags and the like that produce personal information as a byproduct; automatic identification technologies such as ANPR; and unique identifiers in gadgets such as digital cameras or colour laser-printers.

Schneier reminded us of his famous saying, that just as greenhouse gasses are the polution of the industrial age, data is the polution of the information age. Data is generated when we transact business, swipe our loyalty cards, use a travel card or drive through an automatic toll-booth. We give it away when we socialise by email, instant messenger and Facebook. Sometimes other people release data about us – possibly without our consent. As the cost of processing and storing all this information falls to zero even data of marginal value becomes worth keeping. In fact it’s often cheaper to keep everything than to decide what should be deleted! Data that was ephemeral 20 years ago is now stored.

In the information society most data about us isn’t controlled by us. In the US, laws protect the data that is under our control, but in the information society it tends not to be. Our Gmail, phone records, medical records, financial transactions and photos of us on Facebook are all controlled by someone else. EU law is substantially better in this area but it could still be improved.

Such a wealth of data enables new forms of surveillance. For example, surveillance can now occur backwards in time. This was done in London after the 7/7 bombings – the people responsible, and the route they took on the day, were identified after the fact from surveillance-system footage. Pervasive data collection also enables wholesale surveillance – not “follow that car” but “follow every car.”

What will be the privacy impact of our society’s continuing technological advancement?

Schneier believes a step change is coming. We live in a unique time: cameras are everywhere AND we can see them; identity checks happen all the time AND we know they’re happening. However technology is a great distrupter of equilibriums and Moore’s law is a friend of intrusive tools. Soon face-recognition software will obviate the need to carry ID – when you walk into your workplace they’ll already know who you are and whether you’re supposed to be there.

New invasive technologies will emerge and become pervasive: digital video surveillance with automatic face recognition; networked cameras that can track people through a city automatically; better tracking of our personal devices through their radio signatures or RFID tags; better quality images from cameras. Our era will herald the death of ephemeral conversation. Soon everything we say and do will be on the record. We could try to reject these technologies, but once general adoption occurs, opting out starts to look suspicious. In some cases the authorities have already argued that, “They left their mobile phone at home, which shows they didn’t want anyone to know where they were going.”

What can we do about these threats to our privacy?

Schneier doesn’t believe we can engineer our way back to a more private world. Privacy-enhancing technologies already exist and they could go a long way towards retoring the balance if they gained widespread adoption. However people are seduced by convenience so they tend to make bad privacy trade-offs. We’re on Facebook because our friends are, and while we’re chatting to them we’re focused on the conversation, not on how much data we’re releasing or to whom.

A lot can be done by paying attention to the default settings of software and systems. Most of us won’t change these so if they are secure from the outset any loss of privacy will be minimised. However companies like Facebook make more money the more public we make our data so there’s no incentive for them to set privacy-enhancing defaults.

We need to press for legislation that protects privacy: comprehensive laws regulating what can be done with personal information about us and more privacy protection from the police. However the law finds it difficult to keep up with the pace of technological change.

We also need to start talking about the value of privacy. We want it as a social good. Individual privacy protects us from those in power and it’s also a fundamental human need. Privacy is a part of dignity.

Schneier rejects the security versus privacy notion as a false dichotomy. Only identity-based security reduces privacy and the effectiveness of this is limited. Physical security measures such as locks and burglar alarms don’t reduce privacy. Nor does knowing that you might have to fight back if terrorists hijack your flight. We don’t need to know who’s sat next to us on an aeroplane – we just need to know know whether they’re planning to blow it up! However checking intent is difficult so we check identity instead and pretend that’s the same thing.

Privacy and openness have different effects on Governments and citizens. Government secrecy increases its power whereas transparency and openness reduces it. Conversely, forced openness in people increases the inbalance in power between them and the state, yet forced openness in Government reduces the gap. The balance we need to strike is between liberty and control not privacy and security. Real security comes from having both liberty and privacy.

The above notwithstanding, sometimes we are forced to trade between security and privacy, for example when we give the police the power to search our homes. In such cases we can maintain the balance of power through audit and oversight. Search warrants are a security measure that restrict police searches to only those cases where a magistrate – an impartial advocate for the suspect – can be convinced there are reasonable grounds for suspicion.

Schneier concluded that the death of privacy is over-stated. Left unregulated and unconstrained, technology tends to tip the balance of our society against individual privacy, however it doesn’t make the balancing act go away. Society can choose to deliberately reset the balance with legislation.

We may ultimately have to wait for a new generation of digitally-savvy lawmakers to take office before the the future of privacy can be guaranteed in the information age.