HMG undertaking mass data collection exercise through two unnamed ISPs.
A newspaper article - link below - disclosed that HMG is working with two ISPs, legally it seems, to track the locations used by their customers.
What should we do?
How do, or should, professional firms with secrecy written into their contracts with clients feel about this? How does it fit with cloud-based activities, remembering that under GDPR businesses were pushed towards the security of cloud-based functions?
I should say that I have also read the article linked from that in the Guardian.
Enquiries of our ISP and the ICO
I've made some enquiries of my ISP (no response) and also of the Information Commissioner's Office (ICO) in the UK. I have a transcript of my conversation with the ICO, but do not intend to publish it here. I will share some of the information gained, but will not quote directly - i.e. this is not gossip.
"Just" browsing history?
First of all, according to the newspaper article, the data collected appears to be "just" browsing history. I have no doubt that the powers taken by the UK Government to snoop on citizens and businesses permit this for individual cases. But I do not know what data this includes - and I'd like to know. For example, is it purely that I have been on to www.gov.uk twenty times a day, or will it show the pages searched (recently: brexit, brexit and brexit)? Or will it pick up signing in to a UK tax online account, and will it merely report that I've been to tax online, or will it provide more details, including clients' sign-on information? Will it follow me into tax online where I am inputting client confidential information? I'd like to know, and I would like to be able to tell my clients as well.
The browsing data belongs to the ISP?
Peculiarly, the ICO told me that the information belonged to the ISP. I do not see that, but the ICO would know better than me (hence asking the ICO so many "stupid" questions).
Does UK law permit mass observation?
Secondly, this is mass observation - all customers, all sites visited. I am not so sure that HMG's powers extend to mass observation.
There was an issue in the UK a few years back with a facial recognition camera being installed at a London railway station and used for mass observation and recognition. I recall that the mass recognition was found to have exceeded the law in the UK. I don't know if mass observation of internet movements would be wrong, but it needs to be tested. The ICO did not appear bothered.
Notifying clients and contacts
I am concerned that some of my clients might be bothered - hence this article - and I am also writing to some I know to be very sensitive, much in these terms, but I will also provide them with the transcript of my conversation with the ICO.
Contractual Confidentiality
At this stage, I can imagine the conspiracy theorists and the Big Brother botherers getting very agitated.
I don't give a damn about HMG seeing me looking at news on Coventry City, or reading news from other countries (I don't think that's illegal in the UK, yet).
I do worry about my professional rules requiring confidentiality in client matters and the resultant client confidentiality clauses within our (standard) letters of engagement.
And I do worry about not being in control of data when I believed I was browsing safely on the internet.
Am I at risk if HMG snoops on client data?
On the control of the data - it seems that it is not mine to control (big shock) and that as the Government has taken powers to snoop, it is in no way my problem (I wish it was that simple).
I have also established that by warning my clients of what I see as an abuse of their data by HMG I am not committing an offence - the equivalent of "tipping off" in Anti-Money Laundering legislation in the UK.
The dark web?
So what do I do?
Do I instruct all team members to use "private browsing", if that is any more secure?
Do I use a VPN (sorry, Virtual Private Network) to hide our browsing?
Seriously, these are the next steps I am considering, dependent upon responses from our clients (who are a pretty robust bunch, to be fair).
Do I slip onto the dark web? I think I'll avoid that, thank you very much, but you can see the dilemma. Indeed, probably wrongly, I'd see someone using the dark web as having something to hide.
Managing risk
Commercially, I do not believe that we as professionals are required to eradicate risk, but we are required to take reasonable steps to manage risk.
So, I have partially answered those questions at the start of this article. Those of you in larger firms may wish to push this towards your data controllers - I think that gets you out of the frame if things go pear-shaped. And do we tell clients that HMG may be snooping on them? My view is yes. Hence this article and the other measures I will take for our businesses.
ICO - friend or foe?
One last point for you to bear in mind.
One of our online, cloud-based, really, really secure products got hacked a few years back. We traced the hackers as far as we could and provided the information in a report to the ICO. I then spent twenty-four hours writing to our clients to inform them of the hack, to confirm that no data had been lost (based on evidence from our supplier), and to set out the steps we had taken to make the system more secure (and it was supposed to have been very secure!).
The ICO did nothing to get on to the trail of the hackers.
Indeed, the ICO was clearly not interested.
All it did was issue us with a warning as to our behaviour, and inform us that on this occasion we would not be prosecuted because of the prompt action we had taken. We were a victim here and the ICO was victim blaming in my opinion. Indeed, it did appear to be a "low-hanging fruit" mindset.
So once again, I find the support available on an issue such as this to be pretty poor. That is likely to be because their hands are tied, but I do wonder whether that is the correct way for them to proceed.
Steve Botham
12 March 2021