TCW
Sunday, April 21, 2024
TCW
HomeCulture WarWhose data is it anyway?

Whose data is it anyway?

-

ON March 1, Wednesday this week, a consultation about digital identity verification and data sharing between public authorities comes to a close. Should the average person stumble across the consultation and give it only a cursory glance, the changes will likely sound insignificant, just another administrative step along the road to progress in the digital age. In fact, the proposed changes represent the first stage in creating a centralised digital ID gateway to online public services. The idea is that people will have to provide the details needed to, for example, renew their passport, only once. From then on all the public authorities they deal with will know who they are because the data initially submitted will be visible to all of them.

So far, so convenient. But the consultation fails to make clear that, under the proposed legislation, individuals will lose control of data that has hitherto been regarded as personal. The long list of public bodies that will have access to personal information can be found at the end of the consultation documents under Annex B. It includes HM Revenue and Customs, the Land Registry, the Disclosure and Barring Service, the Home Office, Departments for Work and Pensions, Justice, Education, Levelling Up, all councils and the major regional authorities.

Crucially, the list also includes ‘any organisation which provides services to a specified public authority in connection with the specified objective’ – a catch-all which presumably covers any company or other body with a contract with a public authority.

By now, the ears of the thinking citizen should be well and truly pricked up: all sorts of organisations can be involved in public service delivery, from large, profit-driven corporations to small charities partially run by volunteers. Government no doubt has agreements with other governments and organisations in other jurisdictions, making the data sharing potentially global. But there’s more. The data includes not just the name, date of birth and address of traditional ID verification but ‘photographic images’, ‘the outcome of identity checks previously performed on a user’ and ‘transactional data, for example, income’.

The test adds: ‘Other data items may be processed as identity verification services develop,’ For this, I read biometric data such as finger prints and iris scans and just about anything public authorities see fit to request in future.

In short, the proposed data sharing will enable a wide range of public authorities and third parties to build comprehensive profiles of individuals and their behaviour. There is the potential for widespread data breaches. And, in a change of an importance that is hard to quantify, control of the data will have shifted from the citizen to the state.

The current British government has form in creating schemes to avail itself of large amounts of data. In May 2021, NHS Digital launched a project to collect 61million medical records from GP records, giving people just weeks to opt out. As this article points out, the scheme created huge potential for data breaches. Have they happened before? Do a quick internet search under the term ‘NHS data breach’ and you’ll find out.

Could things be done differently? It so happens that, while being the least techie of writers, I have a bit of useful background in this area. In 2019, as part of research for a book, I spent some time in the Estonian capital of Tallinn. The tiny Baltic nation has developed in leaps and bounds since shaking off the shackles of Russian occupation in 1991 and has been leading the way to the digital society. In Estonia, a state-issued digital ID card is compulsory, and citizens log into a single platform to do all their business, from paying their taxes to getting their medical prescriptions.

The government is so proud of Estonia’s pioneering approach to digitalisation that it has created a centre to showcase its work to politicians, journalists and other visitors. At the e-Estonia Briefing Centre inÜlemiste City, a personable young German called Florian told me how the system is built on transparency and trust. A citizen’s data is not held centrally, moving between servers along encrypted pathways so that no one can access it illicitlyEvery time a public official such as a doctor, police officer or minister checks someone’s data, the search is recorded for the data holder – the citizen – to see. Looking at someone’s secure data for no reason is a criminal offence: ‘The citizens are given the tools to check back up on the government.’

The decentralised system allows the privacy of health records to be maintained. ‘If my doctor gives me a diagnosis that I’m schizophrenic, and fifty per cent of me doesn’t agree with that, I can block it,’ joked Florian, showing me his own record. ‘It’s just visible for me now.’

*

Since 2019, the context around the global trend of digitalisation has changed dramatically. Governments, corporations and supra-national bodies openly discuss new ways of using digital technology to create the kind of human life they think best. Estonia’s vision of the digital society looks rather less liberal than it did pre-Covid: the country was in the vanguard of developing the technology for vaccine passports with the World Health Organisation.

The idea of imposing medical interventions and removing rights through digital means has not gone away. At this year’s World Economic Forum in Davos (attended by Labour leader Sir Keir Starmer) the UK’s own Tony Blair, a long-standing advocate of digital ID, called for ‘a proper digital infrastructure’ to keep track of people’s vaccination status.

In a 2022 report, according to this media summary, the WEF called for a digital ID based on a comprehensive picture of the person to be used as a way of allowing or withholding access to a wide range of services:

‘Once the digital ID has access to this huge, highly personal data set, the WEF proposes using it to decide whether users are allowed to “own and use devices,” “open bank accounts,” “carry out online financial transactions,” “conduct business transactions,” “access insurance, treatment,” “book trips,” “go through border control between countries or regions,” “access third-party services that rely on social media logins,” “file taxes, vote, collect benefits,” and more.’

Gathering the data would be the first step: ‘A data collection dragnet would allow a digital ID to scoop up data on people’s online behaviour, purchase history, network usage, credit history, biometrics, names, national identity numbers, medical history, travel history, social accounts, e-government accounts, bank accounts, energy usage, health stats, education, and more.’

*

The Cabinet Office’s timetable for legislation to introduce a centralised system of ID verification and data sharing in the UK is short. Coming to law via statutory instrument (so it’s unlikely there’ll be a Parliamentary debate) the government plans to implement it by the end of this year.

I was so baffled by the brevity of the consultation and lack of media coverage compared with the huge implications of this proposal that I consulted a professional. Alastair Johnson, CEO of decentralised identity and payments company Nuggets, reassured me I was not going insane. With the data held in a single pot, held by a large and growing number of organisations and no clear vetting procedures for data administrators, he said, the government’s proposed centralised system opens the way for potentially anyone to get hold of your personal details.

‘It’s beyond the data breach problem [where] everyone’s trying their best to keep it secure and then it gets breached anyway. But this is saying: “actually I’ve got an open back door for anyone who wants to come in and get the back door and get the data.” You probably wouldn’t even need to do the security attack, you could just ask to be given access. We’re building a ticking time bomb in terms of a data hoard that could be used, abused and breached – even with the best of intentions.’

Prior to the Covid crisis, he told me, the government had been keen to sign up to a decentralised model for verifying identity such as eIDAS, as favoured by the EU and many other countries. So why, I wondered, the change of heart – and the haste to introduce a centralised system? Johnson suspects that the government may be listening rather too hard to the businesses interested in developing ID verification frameworks – large consultancy firms who are effectively preparing their bids for contracts: ‘You’ve got to be a bit careful about who the consultants are and who they’re prepping up for the next bit of work. Is it truly for the good of all, or is for the good of the consultants?’

A good question. If you’re concerned about the government gaining control of your data, here are some suggestions for Things To Do:

Fill in the consultationRichard Vobes does a friendly walk-through of the questions here. Although I’m used to reading policy documents and consultations, my own experience of trying to answer the questions was like being wrapped in over-cooked spaghetti. Part of the reason, I think, is that the consultation is not really aimed at the public at all: the phrasing suggests it is essentially designed to elicit a conversation between different public authorities to pick up potential problems of interest to them – a reflection of the anti-democratic spirit of the times in which decisions are taken on behalf of the general population without much regard for what we think.

Anyway, I recommend ignoring the spaghetti-like qualities of the consultation and focusing on your own concerns. The requests for reasons and examples provide an opportunity to state these. Here are my responses to a couple of questions in case they are useful.

Write to your MP. I know. Many say that their MP shows no interest in hearing views from constituents which are at variance from those they already hold. But politicians do actually care – if not about the people they represent, their own position! So a short, to-the-point email can serve as a useful reminder that the power they hold is temporary and conditional.

Share information about the government’s plans with any individuals or groups you think might share your concerns. Feel free to share this post. I write on this subject as a concerned citizen, not a digital expert and welcome contributions from the better-informed.

Finally, forget about this and do something practical that will make you and your household less dependent on public authorities in future. You can find links to suggested organisations to help get started here.

This article appeared in Ways of Seeing on January 23rd, 2022, and is republished by kind permission. 

If you appreciated this article, perhaps you might consider making a donation to The Conservative Woman. Unlike most other websites, we receive no independent funding. Our editors are unpaid and work entirely voluntarily as do the majority of our contributors but there are inevitable costs associated with running a website. We depend on our readers to help us, either with regular or one-off payments. You can donate here. Thank you.
If you have not already signed up to a daily email alert of new articles please do so. It is here and free! Thank you.

Alex Klaushofer
Alex Klaushofer
Alex Klaushofer is an author and journalist who has written extensively on social affairs, religion and politics in Britain and the Middle East.

Sign up for TCW Daily

Each morning we send The ConWom Daily with links to our latest news. This is a free service and we will never share your details.