My checklist for data collection mechanisms
The discussions about data collection and reuse are blooming after the incidents of the last couple of weeks. Of course, the same thing has happened now and then in Sweden since 2008 (I think it was), when we in Sweden started to get some national discussions on privacy, wiretapping etc. related to the Internet.
I have been asked what I think is OK and what is not, and here is one version of my checklist. If I wrote it on a different day it would be slightly different, but the overall architecture is the same.
These are the checkpoints I use when I am looking at “something”:
1. Is the activity based on a law that has passed a democratic process?
This includes “secret” legislation, as long as the legislation is created according to a process that is accepted by, for example, a democratically elected parliament.
2. Is the activity only for law enforcement to use, or everyone?
This includes cases where a court decision or an LEA decision is needed for the measure to take effect. For example, if something should end up on a block list, or if a specific individual is to be wiretapped.
3. Is the affected party a targeted individual against whom there is some suspicion?
This is a bit more complicated. In the case of blocking, it has to do with whether a filter is something individuals can choose to have on their access, or whether the filter applies to everyone. Similarly, and maybe easier to understand: whether the data collected is about everyone, or only about targeted individuals.
4. Is there a specific intended use?
This has to do with whether the data is under some NDA and can only be used for a specific purpose. This can either be listed in the legislation itself, or it can be part of the court order (see 2).
5. Is there an independent oversight body?
This has to do with whether an independent third party checks that whoever is using the tools is following the rules that exist.
If I now check this against the Swedish FRA and a few other cases, I see the following (the columns are checkpoints 1 to 5 above):

                                                  1     2     3     4     5
Swedish FRA                                       Y     Y(?)  N     N     Y
PRISM                                             Y(?)  Y     N     N(?)  N(?)
The Swedish filter for child abuse                N     Y     N     Y     N
Data retention directive                          Y     Y     N     Y     N
Data from invoicing (cellphone invoice for ex.)   Y     N     N     N     N
Traditional wiretap in Sweden                     Y     Y     Y     Y     Y
My thesis is that there must be a “Y” in all of these for people to feel comfortable.
You can also see an interview with me (in Swedish) on the topic from Almedalen 2013.