David Davis MP is commenting on the strict “no cameras” signs up all over Parliament – even though smartphones, which all have good cameras built-in these days, obviously aren’t banned: “It’s bonkers. I took a photograph in the [chamber of the] House of Commons just the other day with my phone. Technically, it’s a breach of the rules, but so what? If you can break the rules, you will,” he says.
Unlike many MPs these days, Davis had a proper career prior to going into politics, which took him from studying a joint degree in computer science and molecular science at the University of Warwick – in the early 1970s, back in the days of punch-card data entry – to a number of senior executive roles at sugar company Tate & Lyle, including a stint as IT director.
As a senior MP, Davis might be able to get away with taking the odd picture in Parliament on his Apple iPhone, but, he believes, such outdated rules reflect how MPs – and the authorities more broadly – are struggling to keep up with the march of technology. As a result, MPs have also struggled to comprehend the nature of the data-driven world today, underestimating the consequences of much of their rule- and policy-making in the area: from the way in which government casually absorbs, analyses and trades personal data, to the extensive surveillance by the security services of people’s internet use.
Part of the reason for security services’ extensive mass data collection, argues Davis, is that turning them around from their post-war focus on the Eastern Bloc in order to penetrate, understand and get the measure of potential Islamist terrorism, whether in the UK or elsewhere, has proven to be a harder challenge than spying on the Soviet Union.
“Agencies have had changing missions over the years. And when you change the mission, it disproportionately affects the human-resource intelligence gathering. For example, when we were up against the Soviet Union, which was a much more significant threat than the one we are facing now, we had a whole operation pointed at them – not just the UK, but the whole of Western Europe and the NATO alliance.
“We all had agents in place, recruits, systems of protecting those recruits and so on. But all of a sudden, in 1990, that ceased to be the prime threat,” says Davis. The security services spent the next decade flailing around looking for a convincing role. But the Islamist terror threat, which they are currently focused on, requires entirely different skills and people to counter it on the ground compared to the old Soviet threat.
“The problem is that most of the guys we’d recruit in Moscow would be recruited at embassy cocktail parties. But mullahs don’t go to embassy cocktail parties. Similarly – bluntly – the active part of the agencies were also very white and very male,” says Davis.
In other words, the average MI5 recruit from Trinity College, Cambridge, would’ve struggled to fit in among the kind of circles that the security services now needed to penetrate. But expanding data collection processes and compromising backbone internet links could easily be done from someone’s desk, with a little help from Whitehall persuading networking companies to comply. “It’s much easier to change your mass data-collection… it was easier, faster and most expansive for the agencies to go down that route,” says Davis.
The trouble is, he says, quite apart from privacy implications, the security services now have too much data to sift through, while the tools for automating the analysis of that data – regardless of all the hype over big data – remain unequal to the task. They therefore have more data than they can ever hope to comprehend, but respond not by targeting their surveillance activities more closely, but demanding ever-more resources – as well as more powers and more rights to access more data.
Care.data, on the other hand, is a prime example of the way in which government and bureaucracy do not quite understand what they are dealing with when it comes to personal data, says Davis. “The people doing it do not really understand the implications of what they are doing. First, they don’t understand ‘anonymisation’,” says Davis.
He points to the example of his own medical records, which ought to be pretty easy to find if what is in the public domain is cross-referenced with what ought to be in his medical records, including his age, which eliminates a vast number of people, and the fact that he’s broken his nose five times. “That takes it down to about 50… even if they take out all postcodes, there will be other things in the public domain, which have been in the newspapers,” says Davis.
“Second, they say that there’s never been a loss of healthcare data. Have there, buggery! There’s been lots of lots of medical records lost – small amounts so far – and not all these data losses are published on the internet,” says Davis.
The data itself needs to be held by an organisation that fully understands the value of medical data, while users of it need to be licensed, with greater restrictions in its use, with the licensees being held to much higher standards than those proposed by the Health and Social Care Information Centre, the organisation responsible for Care.data.
[Please turn to page two]