This article is from the January 2003 issue of Update.
At first sight, working with information seems to be entirely about making it as public as possible. However, the counterbalancing principle of information privacy has come to be seen as more and more central in recent years. The profession has been comfortable working within the paradigm of freedom of access to information for decades, so why should we start thinking about privacy now?
One strong reason can be found in recent British legislation. The Human Rights Act of 1998 incorporated the European Convention on Human Rights into British law and, in doing so, it reaffirmed the treasured right of freedom of expression and the right ‘to receive and impart information and ideas’.
A more concise statement of the reasoning behind information and library services could hardly be desired.
At the same time, the act affirmed a right of privacy, previously not at all clear in British law, stating that ‘Everyone has the right to respect for his[/her] private and family life, his[/her] home and his[/her] correspondence.’ The act pointed the way towards the Freedom of Information Act 2000 and retrospectively underpinned the Data Protection Acts of 1984 and 1998.
The two principles don’t necessarily sit comfortably together, as those who are struggling to prepare the country’s ‘public authorities’ for the full implementation of freedom of information in 2004 will tell you. Nevertheless, there are compelling reasons why respect for privacy should be a high priority for information professionals.
Industrial society and a taste for privacy
First of all, there is the nature of privacy itself. It is true that privacy may well not be a universal human need. In ancient and medieval times people, of necessity, tended to live lives in which the physical and mental separation from others that privacy requires was only really available to those cut off from others by their occupation (e.g. goatherds in the mountains) or by an eccentric choice (e.g. hermits in their lonely cells). Today in the rural communities of less developed countries, traditional lifestyles are still rooted in the communal rather than the private.
It is also true that today some people reject privacy in favour of being noticed, and obviously enjoy various forms of exhibitionism, public confessions and the constant scrutiny of others (the Big Brother syndrome). But, having admitted all that, the development of modern industrialised society has been closely linked to the growth and refinement of a widespread taste for privacy.
A room of one’s own, a house and a little piece of land around it for one’s family have become increasingly possible in industrialised societies, and people plan their lives around obtaining them.
Printing and private study
But privacy is not just a consequence of industrial society; it helped create industrial society. A crucial industrial development, the invention of printing with movable type in the 15th century, had more far-reaching consequences than might be obvious at first. By putting books in the hands of the masses it made widespread literacy practical and provided a basis for mass schooling. This in turn made it possible for just about everyone to study individually and privately if they preferred this to learning by open discussion with their peers. The consequence of private study was that more and more people became likely to see themselves as developing original ideas of the kind that might be protected as intellectual property. The private mind was where the information explosion of the late 20th century was generated and it is the private mind that the information profession serves.
Civil liberties threatened
But all of this makes only a very unspecific case for the respect for privacy by information services. It is the sense that privacy is under threat that gives this concern its urgency. As a news item in the October 2002 Update pointed out, ‘governments in the developed world have used terrorism as an excuse to override democracy and civil liberties’, particularly in the period since the atrocities of 11 September 2001.¹ Various aspects of privacy have been swept up in governments’ responses to the fear and anger these events caused.
In the US, the Patriot Act was passed to increase the powers of surveillance available to law enforcement and security agencies and reduce the procedures regulating these powers. In Britain, the Anti-terrorism, Crime and Security Act 2001 obliges telecommunications providers to retain data so as to safeguard national security and prevent crime. Neither may seem to affect libraries directly but both would, at least indirectly, enable surveillance of the use of electronic information facilities provided by libraries to take place.²
Reactive legislation of this type supplements measures already on the statute book, such as the Regulation of Investigatory Powers Act 2000, and adds greater powers for the official invasion of privacy. These are made possible by the existing capacity of major monitoring facilities, such as that at Menwith Hill, which permit the deployment of signals intelligence systems such as Echelon. This threatens privacy as a universal right, and information services are not exempt from intrusion.
Report on privacy and human rights
The October Update story reported a conference organised by Privacy International at the LSE on 6 September 2002 as a (near) anniversary response to 11 September. Part of the purpose of that conference was to launch Privacy and Human Rights: an international survey of privacy laws and developments, the latest update of a series that began in 1997.³ At the conference a distinguished group of speakers, including Geoffrey Robertson QC, George Radwanski (Privacy Commissioner of Canada), and Maurice Frankel (Director of the Campaign for Freedom of Information), addressed a wide range of privacy-related issues and expanded on themes introduced in the survey. Sarah Andrews, Research Director for the Electronic Privacy Information Center (Epic), the originators of this edition of the survey, suggested that four main trends emerged from the nearly 100 pages of the document devoted to summarising privacy developments.
These are: a widespread increase in the application of surveillance measures; a general weakening of data protection powers; increased data sharing, particularly by government agencies; and an increase in the use of profiling, identification and tracking technologies. The amount of detail provided in the report, and the content of all the presentations at the conference, give a strong sense that this is not mere paranoia.
Extension of powers
The post-11 September measures in the US and Britain, mentioned above, are prominent examples of governments expanding and strengthening their surveillance capacity, but they are not isolated responses. The report identifies measures in New Zealand, France, Germany, Australia, Canada and India that carried direct or indirect implications for privacy in their anti-terrorist and crime provisions. Resolutions by the United Nations, Nato, the OECD and the G-7 group of countries all pointed in the same direction. The Council of Europe’s Parliamentary Assembly called for extension of police powers to intercept and decode messages connected with terrorist activities, and the Commission of the European Communities suggested measures including increased intelligence activity and police co-operation.
A common theme of most of this activity was increased powers for law enforcement and security agencies to intercept and seize data, with greatly reduced authorisation requirements. The fear that enormous amounts of perfectly innocent activity will be swept up, investigated and disrupted as a consequence of this is an important one for information professionals. As the writer Robert Hughes put it in the US context, such powers expand
‘the already excessive powers of the FBI to poke and pry and rummage into the conduct of private lives, by systematic data-mining. It can investigate where there is no pertinent cause for suspicion — for instance, by going into the use made of internet facilities by the library-using public’.⁴
The individual can look to data protection laws for protection from misuse of personal data by official as well as private bodies, but aspects of such protection have also been under threat since before the events of 11 September. The European Commission initiated a new directive on privacy in electronic communications in 2000. In the process of developing the directive, provisions were introduced that would require internet service providers and telecommunications operators to store logs of electronic communications for law enforcement purposes. Although these were strongly opposed in the European Parliament, by its completion in June 2002 the Electronic Communications Privacy Directive contained clauses permitting states to pass measures requiring the retention of communications data. The survey suggests that there is also a tendency for subject access rights to be reduced so as to protect sensitive investigative and intelligence data. The powers in the directive, when shielded by such a tendency, make the fears summed up by Hughes look even more worrying.
‘Purpose creep’
Increased data sharing between government agencies and also the private sector is highlighted by the survey because of the tendency towards what it calls ‘purpose creep’. That is, data collected and shared for one purpose is gradually put to other uses. A striking example of this was the set of proposals made by the British government in June 2002, under the Regulation of Investigatory Powers Act, to allow virtually any official body to obtain data on the communications traffic of individuals. Although the proposals were withdrawn in the face of public outcry, they were merely the less acceptable face of the ‘joined-up government’ that is central to the present government’s intention to deliver better services to the public.
An example relating to a specific category of information is the move towards granting law enforcement agencies, in countries including the UK and Canada, access to passenger data for both international and domestic flights. The European Union has also considered measures on passenger information. The general trend, if it continues, is likely to include requirements on information services to share data on information use with some agency or other.
Profiling individuals
Finally there is the employment of new technologies for identification and profiling of individuals. Again this is naturally most commonly proposed for data on travellers, with biometric identification used as a basis for data-mining of previous travel data, and data from official bodies and private sector bodies such as credit monitoring agencies. In countries without a system of national identity cards, the issue is high on government agendas, as witnessed by proposals for a system of ‘entitlement cards’ in the UK. Experience of national identity cards in other European countries suggests that they function well as a means of obtaining access to entitlements in the health and social security fields, but this does not remove the fear that they can function equally well as a basis for various, less reassuring, types of data sharing. In case this seems distant from the concerns of information services, the outcry over the introduction of biometric identification in the management systems of some UK school libraries during 2002 reminds us that it is not at all remote.⁵
Library users expect privacy
If we accept the argument that true freedom of information is only finally achieved when information can be used in genuine privacy, the issues raised by the Privacy and Human Rights report should be central concerns of the information profession. The report shows that information professionals are faced with a legal climate that increasingly conflicts with user-orientated professional values. At the same time, research on user privacy by the Legal and Policy Research Group at Loughborough University reveals that users have high expectations for the protection of privacy by libraries.⁶ Worryingly, the research also suggests that library services are not quite as well prepared for providing this as they might be. This makes it even more of a priority for information professionals to be alert to the changes that are emerging. As the report puts it, ‘None of the above trends are necessarily new; the novelty is the speed at which these policies gained acceptance, and in many cases, became law.’⁷
The message that information professionals can draw from the report is that it is not enough that they should have good policies and procedures in place in their own institutions. They need to become campaigners on privacy issues if they want to continue working in an environment in which the private use of public information is properly protected.
References
1 ‘Liberties at risk in ‘war on terror’.’ Update, 1(7), October 2002, p. 5.
2 Karen Schneider. ‘The Patriot Act: last refuge of a scoundrel.’ American Libraries, 33(3), March 2002, p. 86.
3 Privacy and Human Rights: an international survey of privacy laws and developments. Electronic Privacy Information Center and Privacy International, 2002. (www.privacyinternational.org/survey/phr2002/).
4 Robert Hughes. ‘Free libraries, free society.’ American Libraries, 33(7), August 2002, p. 49.
5 ‘School libraries computerised ‘fingerprinting’ system criticised.’ 23 July 2002 (www.ananova.com/news/story/sm-634778.html?menu=news.technology).
6 Paul Sturges et al. Privacy in the Digital Library Environment. Library and Information Commission Research Report 135. Resource, 2002. Available from British Thesis Service, BL DSC, Boston Spa, Wetherby LS23 7BQ.
7 Privacy and Human Rights... p. 27.
Paul Sturges (R.P.Sturges@lboro.org.uk) is Professor, Department of Information Science, Loughborough University.