42,000 Days of Snooping By Local Councils.

Between 2012 and 2015 Councils have snooped on local Citizens for 42,000 days, which is equivalent to 115 years. Council’s The Police, Social Services, the DWP et al already have powers to run amok over your Facebook account.

In Today’s Telegraph it enlightens us to what punishment Council officials could face if they abuse these powers.

“Town hall/Council  officials will face up to two years in prison if they abuse snooping powers under a crackdown on council surveillance to be unveiled today.

A new offence is to be created to target public authorities who inappropriately access phone and email records.

Local authorities will also be banned from accessing the web histories of members of the public when ministers publish the biggest overhaul of spying laws for 15 years.

The power of Council staff to target phone and email records has been subject to growing concern for many years, amid accusations of abuse.

Officials are supposed to use laws designed to combat terrorism and serious crime to crack down offences such as benefit fraud, rogue traders, scams against the elderly and illegal waste dumping.

But there have been high profile cases where the powers have been abused to combat minor or trivial matters.” Telelgraph Wed 04 Nov 2105

See: → Council Snooping

See: → The Guardian

The Tories now wish to the store everyone’s internet connection records for a year, tracking the websites they have visited, which is banned as too intrusive in the US and every European country including Britain. So, think once stored how safe will this collected and stored information be? Think Ashley Madison, Talk Talk, Sony, CIA Director, Experian, Vodafone, Barclays and on and on and on. All Hacked.

What Powers does Tory led SDC have to snoop on your online world already?

“Local authorities have turned to the online world, especially social media, when conducting investigations. There is some confusion as to whether the viewing of suspects’ Facebook accounts and other social networks requires an authorisation under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA). The  Chief Surveillance Commissioner states

“Perhaps more than ever, public authorities now make use of the wide availability of details about individuals, groups or locations that are provided on social networking sites and a myriad of other means of open communication between people using the Internet and their mobile communication devices. I repeat my view that just because this material is out in the open, does not render it fair game. The Surveillance Commissioners have provided guidance that certain activities will require authorisation under RIPA or RIP(S)A and this includes repetitive viewing of what are deemed to be “open source” sites for the purpose of intelligence gathering and data collation.”

There are two types of surveillance, which may be involved when examining a suspect’s Facebook or other social network pages; namely Directed Surveillance and the deployment of a Covert Human Intelligence Source (CHIS). Section 26 of the Act states that surveillance has to be covert for it to be directed:

“surveillance is covert if, and only if, it is carried out in a manner that is calculated to ensure that persons who are subject to the surveillance are unaware that it is or may be taking place”

If an investigator decides to browse a suspect’s public blog, website or “open” Facebook page (i.e. where access is not restricted to “friends”, subscribers or followers) how can that be said to be covert? It does not matter how often the site is accessed as long as the investigator is not taking steps to hide his/her activity from the suspect. The fact that the suspect is not told about the “surveillance” does not make it covert. Note the words in the definition of covert; “unaware that it is or may be taking place.” If a suspect chooses to publish information online they can expect the whole world to read it including law enforcement and council investigators. If he/she wants or expects privacy it is open to them to use the available privacy settings on their blog or social network.

The Commissioner stated in last year’s annual report:

“5.31 In cash-strapped public authorities, it might be tempting to conduct on line investigations from a desktop, as this saves time and money, and often provides far more detail about someone’s personal lifestyle, employment, associates, etc. But just because one can, does not mean one should. The same considerations of privacy, and especially collateral intrusion against innocent parties, must be applied regardless of the technological advances.”

The gathering and use of online personal information by public authorities will still engage Human Rights particularly the right to privacy under Article 8 of the European Convention on Human Rights. To ensure such rights are respected the Data Protection Act 1998 must be complied with. A case in point is the monitoring last year of Sara Ryan’s blog by Southern Health NHS Trust.

Facebook Friends – A Friend Indeed

Of course the situation will be different if an investigator needs to become a “friend’ of a person on Facebook in order to communicate with them and get access to their profile and activity pages. For example, local authority trading standards officers often use fake profiles when investigating the sale of counterfeit goods on social networks. In order to see what is on sale they have to have permission from the suspect. This, in our  view, would engage RIPA as it involves the deployment of a CHIS defined in section 26(8):

“For the purposes of this Part a person is a covert human intelligence source if—

(a) he establishes or maintains a personal or other relationship with a person for the covert purpose of facilitating the doing of anything falling within paragraph (b) or (c);

(b) he covertly uses such a relationship to obtain information or to provide access to any information to another person; or

(c) he covertly discloses information obtained by the use of such a relationship, or as a consequence of the existence of such a relationship”(my emphasis)

Here we have a situation where a relationship (albeit not personal) is formed using a fake online profile to covertly obtain information for a covert purpose. In the case of a local authority, this CHIS will not only have to be internally authorised but also, since 1 November 2012, approved by a Magistrate.

This is a complex area and staff who do not work with RIPA on a daily basis can be forgiven for failing to see the RIPA implications of their investigations. From the Chief Surveillance Commissioner’s comments (below) in his annual report, it seems advisable for all public authorities to have in place a corporate policy and training programme on the use of social media in investigations:

“5.44 Many local authorities have not kept pace with these developments. My inspections have continued to find instances where social networking sites have been accessed, albeit with the right intentions for an investigative approach, without any corporate direction, oversight or regulation. This is a matter that every Senior Responsible Officer should ensure is addressed, lest activity is being undertaken that ought to be authorised, to ensure that the right to privacy and matters of collateral intrusion have been adequately considered and staff are not placed at risk by their actions and to ensure that ensuing prosecutions are based upon admissible evidence.”

In conclusion, our non-legal view is that RIPA does not apply to the mere viewing of “open” websites and social network profiles. However in all cases the privacy implications have to be considered carefully and compliance with the Data Protection Act is essential.” Act Now.

Shepwayvox