On June 10th I blogged about one way in which straitened economic circumstances can influence policy – and some of the likely effects that could have on governance. I used the example of the Government’s plans to make ISPs and telcos collect and retain data about users’ visits to third-party sites such as social networking services.
As I mentioned yesterday, I was at the House of Commons today for the first open meeting of the All Party Parliamentary Group on Privacy (Privacy APPG), as a result of which I need to reframe part of what I said in that previous post. Today’s meeting was to discuss the implications of IMP – the government’s proposal for an Interception Modernisation Programme, extending their current phone-tapping capabilities into the worlds of VOIP and social networking, among other things. You can read their background paper on IMP at http://www.privacyappg.org.uk/Meetings.html. (Contrary to rumour, IMP does not stand for “Inspect More Packets”…)
My original analysis was this: in an attempt to save the cost of setting up and operating a centralised repository of this telecommunications data, recently-departed Home Secretary Jacqui Smith announced that the responsibility for collecting and storing the data would be passed on to commercial network operators – who would hang onto it for a specified period in case the law enforcers wanted to trawl it for evidence. I felt this move to a distributed system was likely to increase risk by making the governance regime very much more complex.
However, it turns out that there is a precedent, in the implementation of the Regulation of Investigatory Powers Act (RIPA), for the government funding the telco operators for their part in putting the legislation into practice. One participant estimated the current government funding for this activity at between £30 million and £40 million a year.
If the same approach were to be adopted for IMP, then I would have to change my analysis to run as follows: by devolving responsibility for IMP operations to the telcos and then funding them to do it, the government would not only increase the risk of ineffective governance (and therefore the risk of privacy violations and inappropriate access)… it would do so without saving any money. In fact, managing the governance regime for a distributed, heterogeneous system operated by various third parties would be most likely to cost more.