What database?
Last week, the Home Office confirmed to The Register that the system would be used by public authorities to make a "complex request for communications data". Which, put another way, is a database query.
The Register appear to think that the small matter of who owns and maintains a database is apparently not even worth mentioning. But surely it's relevant.
The National ID Card and Database thing that the Coalition stopped was to be a government database owned and maintained by the state, with all subjects' details kept in it compulsorily, available to state employees to peruse. There were also plans to add facial-recognition software and plug it into the CCTV network, so that the state could keep tabs on every one of us every minute of every day.
The new filter things proposed in Theresa May's new plans mean that the state makes a request to (say) a telco for some phone records and the telco then applies the filters before providing the data to the state, so that the state don't end up holding extra data that they don't need. The example given by the Home Office in response to The Reg's last article was very clear:
· The assertion that the request filter in the draft Investigatory Powers Bill is a “secret database of citizens’ personal lives and habits” is plain wrong. The Request Filter is a safeguard that means when public authorities make a complex request for communications data (i.e. police seeking to find out which mobile phone was at three crime scenes at the relevant times) they only get back data that is absolutely necessary.
· Currently, public authorities might approach CSPs for location data to identify the mobile phones used in those three locations at the relevant times, in order to determine whether a particular phone (and a particular individual) is linked to the three offences. This means the public authority may acquire a significant amount of data relating to people who are not of interest.
· The request filter will mean that when a police force makes such a request, they will only see the data they need to. Any irrelevant data will be deleted and not made available to the public authority.
Well, I think it's clear, but apparently The Register can't understand it.
Current system: Police ask telco for the details of every user of every mobile phone in range of three crime scenes at given times. The police receive a ton of data and start filtering it themselves. The police therefore incidentally receive details of your whereabouts and phone activity even though you're not even remotely a suspect, just because you happened to be near one crime scene at one time.
New system: Police ask telco for the details of the users of any mobile phones in range of three crime scenes at given times. The telco filter the data accordingly and send the police the filtered data, containing only details of phone users who were at all three crime scenes at the given times. The police never receive your details just because you were near one crime scene at one time.
There is no unified state database of everything here. This is quite explicitly a move to allow the authorities to access data they need while limiting their access to data they don't.
There is a principled position to be taken against all these separate corporate databases, of course, and no doubt there's a lot of overap between people who object to a unified state database and people who object to separate corporate databases, but they're still two different things. And there are surely plenty of people like me, who object strongly to the unified state database but are content to accept corporate databases. I for one don't hanker for the days when you'd ring British Gas and they'd go away to look up your details in a filing cabinet. Telcos have to organise our billing somehow.
But The Register's position appears to be simply that a database query is involved so OMG SECRET GOVERNMENT DATABASE! Even when the database in question isn't the government's. This is puerile stuff.
But – if you obey Whitehall – no one is allowed to use the word "database". Indeed, it's not mentioned once in May's proposed law.
Obviously, because May's law doesn't concern databases; it concerns requests by the government to corporations to give them data. While it is of course convenient for those corporations to keep their data in databases rather than filing cabinets for their own purposes, that is no concern of Whitehall's. When the police request some data, they don't care whether it was being kept in a database or an Excel file or a dog-eared cardboard folder; they just want the data. And surely any law that specifically mentioned databases and therefore allowed companies to dodge it by printing some data out and deleting a few rows from the DB would be a badly and downright stupidly drafted law.