A bit more government non-communication

About a month ago* I wrote about the Home Office’s non-response to my FOI request asking for details of information given to Communication Service Providers (CSPs) about the Communications Data Bill. As you can see from that article, and the request itself, the request was refused. So I asked for an internal review into their handling of one section of it.

Specifically, I challenged their refusal to provide me with copies of documentation supplied to CSPs. This is what I wrote:

I feel that your justification for refusing to release copies of documentation supplied to CSPs is not supportable. CSPs are not law enforcement operators, and any information supplied to them must, of necessity, be widely disseminated among their technical staff in order for it to be evaluated and implemented. Unless all members of CSP staff and their contractors are required to sign an undertaking committing them to maintaining confidentiality, there can be no expectation that the material will not be made public in any case via other means. There is, therefore, no reason not to supply it to me directly.

The response to my internal review arrived today. As expected, the review has upheld the original decision to withhold the information. It would have been surprising had it not done so, and I’m not particularly disappointed that it has. But the review has itself revealed a bit more that we didn’t previously know, and that’s useful information even without the data that’s been withheld. Paragraph 12 of the response states

With regard to the information supplied to CSPs/ISPs, I have established that due to the sensitive nature of the information only certain individuals within the companies are able to view it. Mr Goodge’s contention that the information is disseminated widely within the companies is therefore incorrect.

Again, that’s not entirely surprising, and to be honest my initial contention otherwise was a little disingenuous. What I was really after – and got – was written confirmation of the fact that the information has been supplied under security restrictions. But the review response went on to tell me something that, while still not all that surprising, wasn’t something I’d been fishing for. In paragraph 13, I was told

I can confirm that at least some of the information was supplied by or relates to one of the security bodies listed in section 23(3) of the Act.

“The Act”, in this context, means the Freedom of Information Act 2000, and section 23(3) lists some organisations which are effectively exempt from it. That list comprises, effectively, the intelligence services (MI5, MI6 and GCHQ), the National Criminal Intelligence Service (NCIS) and the Serious Organised Crime Agency (SOCA) as well as various tribunals relating to them. Given that the tribunals are unlikely to be the source of any information, that means that at least one of the crime or intelligence agencies have contributed to it.

That being the case, it means that this particular issue is genuinely impenetrable via freedom of information legislation. There’s a blanket opt-out for anything related to the intelligence and serious crime agencies, and no internal review or appeal to the ICO can change that.

That doesn’t mean the exercise has been worthless, though. We have learned a few things:

  • The Home Office has issued information to some CSPs/ISPs related to Internet traffic monitoring.
  • That information has been supplied under security restrictions.
  • The recipients of the information do not want to be identified because they fear that it will damage their commercial reputation.

You can draw your own conclusions about what that means in practice. One thing is certain, though, and that’s that it’s going to be deeply unpopular with the electorate.

* Any article about an FOI request usually begins with the words “About a month ago”, because that’s how long it takes to get an answer.

An interesting bit of government non-communication

About a month ago, Channel 4 News carried a report about the Communications Data Bill which mentioned that

the Home Office has held meetings with the UK’s largest ISPs and mobile network operators, and has given them information about the hardware which companies will have to use to monitor traffic flowing through their systems.

I wondered what that information might be, so I put in a Freedom of Information request about it. In particular, I asked the Home Office to

a) Confirm whether the report is accurate, and, if so,

b) Tell me which ISPs and mobile companies attended these meetings,
and

c) Provide me with a copy of all documentation supplied to the ISPs
attending.

The response came back this week. And the answers were interesting – not so much for what they said, but for what they didn’t say.

Firstly, they stated that the C4 report was, in fact, wrong:

the Home Office has not held any meetings to issue hardware or software specifications to any ISPs or mobile network providers as part of the draft Communications Data Bill which was implied in the report.

That was the only straight answer I got. The other two questions weren’t answered directly, because the information was considered to be exempt.

I didn’t get a copy of any documentation supplied to ISPs (or, as the Home office calls them, CSPs – “Communication Service Providers”), because it was deemed to be exempt under the provisions for matters related to law enforcement. I wasn’t particularly surprised to get that response, and I’ve already challenged it by means of a request for an internal review. It’s still a response worth noting, though, because it confirms that material has, in fact, been issued to CSPs. If it had not, there would have been unnecessary to rely on any exemption – the response would be “Information not held”, rather than “Refused”, in terms of the WDTK classifications.

So, at the very least, we’ve established that, even if it hasn’t been in the form of specific meetings as alleged by Channel 4 News, the Home Office has issued at least some material to CSPs which is detailed enough to be considered a threat to law enforcement if made public.

(I’d still quite like to know what’s in that material, even if I’m unsuccessful in my review request. If you work for one of the CSPs that has received it, please feel free to leak it in my direction if you can do so without actually breaking the law).

The other refusal did surprise me a bit, though. I had expected that the list of attendees of any meetings would not be particularly confidential, especially since it’s possible to guess at the identities of the majority of them. But no, I wasn’t to be told. And the reason why not is possibly even more telling:

Providing a list of the ISPs and mobile companies the Government has met with would reveal which communications service providers (CSPs) the Home Office works with. The Home Office has received representations from Industry partners arguing that they should not be publically identified because of the risk that customers would transfer their business to services (or companies) who do not work with the Home Office voluntarily.

The disclosure of the names of those who have worked with the Home Office would cause financial and reputational harm to them.

I think that’s really significant. It seems that the CSPs themselves believe that their customers don’t want them voluntarily cooperating with any online communication monitoring. Or, possibly more plausibly, they believe that even if customers don’t care much now, they will when the extent of that monitoring becomes known. And I think they’re absolutely right.

Why are they cooperating voluntarily at all, then? Well, probably because they know that if they don’t they’ll simply be forced to do so by legislation, and it’s simpler and (more importantly) cheaper just to go along with it anyway without needing too much arm twisting. I don’t particularly blame them for that; that’s the way of the commercial world and choosing the path of least resistance is usually a sensible corporate strategy. Their accountants and lawyers will certainly argue that way, even if their techies disagree.

Whatever the underlying reasons, though, the fact that the CSPs are concerned enough about the potential unpopularity of the proposed monitoring to want confidentiality is a key admission from the Home Office. I don’t think that whoever drafted the response to my FoI request was doing it deliberately, but it has confirmed that they know the proposals are, or are likely to be, unpopular. Unpopular enough that the risk of “financial and reputational harm” to cooperating CSPs outweighs the public interest test when it comes to deciding whether to release their names.

I’ve blogged before on why I think that the Communications Data Bill could be a PR disaster for the government. This response only serves to confirm that. If it will cause reputational harm to CSPs, how much more will it damage the reputation of the government which introduces the legislation? Coalition MPs, I suggest you start agitating now. Your chances of still being in the Commons after the next election could depend on it.

Santa and FOI – it’s the silly season for news

A widely reported press release by the Local Government Association tells us of the “top unusual Freedom of Information (FoI) requests submitted to local authorities”. Here, for your delectation, is that very top 10:

1. How does the council plan to help the brave soldiers of our infantry if and when Napoleon and his marauding hordes invade the district? (West Devon District Council)

2. What preparations has the council made for an emergency landing of Santa’s sleigh this Christmas? Who would be responsible for rescuing Santa? Who would be responsible for rounding up the reindeer, and who would have to tidy the crash site? (Cheltenham Borough Council)

3. How many drawing pins are in the building and what percentage are currently stuck in a pin board? (Hampshire County Council)

4. What preparations has the council made for a zombie attack? (Bristol City Council and Leicester City Council)

5. What plans are in place to deal with an alien invasion (Merseyside Fire and Rescue Service)

6. How many holes in privacy walls between toilet cubicles have been found in public lavatories and within council buildings? (Cornwall Council)

7. How does the council manage to cope with the vagaries of Heisenberg’s Uncertainty Principle? How does it function given the inherent unpredictability? (Wealden District Council)

8. How much money has been paid to exorcists over the past 12 months? (Cornwall Council)

9. Provide details of uniforms worn by Civil Enforcement Officers including descriptions of embroidered logos and markings, as well as any difference between summer winter wear. (Allerdale District Council)

10. What is the total number of cheques issued by the council in the past year, and how many did it receive? (Scarborough Borough Council)

The first thing to note here is that not all of these are stupid. The last one, about cheques, is entirely pertinent given the banks’ proposals to phase cheques out. Number 6, about holes in toilet cubicle walls, may seem rather strange until you discover that it’s actually a very real problem. And, while it may be somewhat arcane, if a local council is paying exorcists (number 8) then it’s entirely reasonable to ask how much they’ve spent doing so.

As a silly season story, this may seem rather harmless. Some of the questions are clearly intended as jokes, and in some cases the FOI office has responded in the same vein. But there is a serious side to this. The Freedom of Information Act (FOIA) is unpopular in many sectors of officialdom and there are a lot of people who would like to roll the clock back to a culture of secrecy and lack of openness. And press releases such as this, which give the impression that public money is being wasted by frivolous requests, only serves to support that view. As one MP put it,

May we have a debate on the Freedom of Information Act? In my area, public bodies have been asked a range of questions, including on witches, werewolves, wizards, ghosts, vampires, zombies and demons. Even the star signs of local car thieves and the chief constable’s lottery choices have been asked for. It is a waste of time and money, and may we review it?

The reason this matters is that the Ministry of Justice has recently published a document titled, rather drily, “Post-Legislative Assessment of the Freedom of Information Act 2000” in which it looks at how effective the FOIA has been since it was introduced. The purpose of the review is to see whether or not the FOIA needs to be amended in the light of experience, and any proposals for change will follow on from this.

Now, there clearly are some flaws in the FOIA and its implementation, so a measured review is to be welcomed. There may well be some things which are currently subject to FOI that, in restrospect, should not be. And there are certainly things which ought to be that currently are not. Equally, it’s not unreasonable that some means of discouraging frivolous or vexatious requests should be considered. But the danger here is that the strongest opinions, and the loudest voices, will be those calling for the FOIA to be more restrictive than at present (or even abolished entirely).

Any changes to the FOIA which makes it more restrictive, other than clearly justifiable minor tweaks, would be a bad thing. The most important change the FOIA needs is to bring more authorities into its scope. We need more openness in public affairs, not less.

A wet Wednesday in Hartlepool

An article in the Guardian Organ Grinder blog, titled “Local newspaper industry needs radical action now if it is to survive” laments the incipient passing of much of the country’s local newspaper industry. I don’t disagree with the article’s analysis of the issues, but it ends with a question that I think deserves an answer:

Bloggers will have their part to play, but the fundamental question remains: who will cover Hartlepool magistrates court on a wet Wednesday afternoon? It will not be a well-meaning amateur and has to be a professional journalist – the issue is how will it be paid for?

Hartlepool Magistrates Court
Hartlepool Magistrates Court

I think there’s a flawed assumption in the question. Namely, the belief that Hartlepool magistrates court needs to be covered on a wet Wednesday afternoon, because otherwise nobody will know what happened and what verdicts were handed down.

In the past, that would have been the case, simply because there was no easy way of disseminating that information other than via the press. But it isn’t the case any more. Now, court decisions don’t need to be restricted to dusty tomes in a legal library, they can be published on the Internet and made available for everyone to see. For example, here’s a case from Hartlepool magistrates court. That’s on the web here because it happens to concern a celebrity, but the basic information exists for every case.

There is no technical reason why every court in the land should not, as a matter of routine, publish all its decisions on the web. At the top, the Supreme Court already does. Most other higher courts, including the High Court of England and Wales, make their judgments available to the third-party website operated by the British and Irish Legal Information Institute (BAILII). But it’s still a piecemeal approach, and it doesn’t extend to lower courts such as the crown courts, county courts and magistrates courts – the places where the vast majority of cases are heard.

In the past, this didn’t matter so much, because the majority of courts are attended by the media and anything interesting does get reported. But we can’t rely on that in the future, as the Guardian article makes clear. That’s why it’s all the more important now to start taking steps towards a consistent and universal system of judgment publication.

I’ve blogged in the past about how the court system seems to go out of its way to avoid open publication of things like court listings. I still think it’s bordering on the scandalous that the court service has no in-house publication department which can maintain a web-based database. Give that the department already has a website which could carry the data, I don’t believe that the marginal cost of doing so would significantly exceed the amount paid by the Ministry of Justice to BAILII to publish judgments on the MoJ’s behalf. But the benefits to the public interest would be immense. Apart from nothing else, it would mean we’d no longer need to rely on journalists to tell us how much a pop star was fined by a magistrate for speeding on the M6. Instead, they could do more useful things, like attend local council meetings….

Government domains update

I blogged a little while ago about the rather bizarre situation whereby neither the government nor their domain registrars were willing to tell us which government domains had been registered. In that post, I mentioned another FoI request that I’d sent which attempted to obtain the information via a different route.

Possibly as a result of this, it would appear that sanity has prevailed and the government has now published a full list of .gov.uk domains. You can download the list in csv format from the Cabinet Office website.

I’m still a little intrigued, though. The original refusal by JANET (the academic and government domain registry) to release the list was justified on the grounds that release of the material in full is considered to “present a risk to the commercial interests” of JANET’s customers. Now that we have the list, is there anything in there which might support such a view? Are there any gov.uk domains which could be considered commercially sensitive? If so, which ones, and why? And why was JANET so determined not to release the list in the first place?

Update: I’ve taken the list of domains, put them in a database and added some meta-data about them (sourced from whois and DNS). You can see the results at http://govdomains.markgoodge.com/

Why aren’t we allowed to know which domains the government has registered?

If you’ve already read this, you might want to skip to the end where I’ve added some extra information.

You’d think, wouldn’t you, that there ought to be no problem finding out which official domain names (ie, those ending in .gov.uk) have been registered by government departments and organisations at both national and local level. It is, after all, one of things that, even if it isn’t directly published anywhere, should be amenable to a simple Freedom of Information request.

Unfortunately, this isn’t the case. And the various excuses given for not revealing the list are, to say the least, increasingly bizarre.

The story starts with an FoI request by John Cross to the Central Office of Information (COI) for a list of domain names ending in .gov.uk. The COI responded, not unreasonably, that they don’t hold the information themselves. However, they noted that it could be obtained from JANET, the organistion respondible for registering .gov.uk domains. Other people have made similar requests to COI, and got the same answer.

John didn’t immediately follow this up himself, at least not via WhatDoTheyKnow.com, but in April 2010 a similar request was sent to The JNT Association (aka JANET) by Steve Elibank. Entirely unreasonably in this case, the request was refused. JANET gave two reasons for their refusal:

1. The material is already available via the whois service (refusal under section 21 of the FOIA),
and
2. Release of the material in full is considered to “present a risk to the commercial interests” of JANET’s customers (refusal under section 43 of the FOIA).

As was pointed out in annotations to that request, these two reasons are mutually incompatible – if it’s already available, then releasing it can’t be a commercial problem. More relevantly, it simply isn’t true that the material is already available – whois will give you information about domains that you know about, but isn’t helpful for discovering the existance of domains that you don’t know about.

Not to be deterred, David Batley made a similar request in April this year. This, too, was refused on exactly the same grounds.

At this point, John Cross re-entered the fray with another request in which he detailed the reasons why neither section 21 nor section 43 were valid reasons to refuse the request. It’s also worth noting here that other requests for a full list of .ac.uk domains (ie, those owned by further educational establishments) and .police.uk domains had been successful.

After much to-ing and fro-ing, JANET eventually responded with the answer that, as a list of central government websites was online at the Cabinet Office website, they were refusing the request under section 21 (maerial available elsewhere). John pointed out that this wasn’t an answer to his question, and in the light of JANET’s continuing refusal to answer it, sent a formal complaint to the ICO. We still await the outcome of that (which may take several months, the ICO is not noted for the rapidity of its investigations).

That’s where I got involved. I was intrigued enough to wonder why JANET didn’t want to release the full list, so I submitted an FoI request to try to get some background information. In particular, I wanted to see the wording of the advice given that releasing the list would be a risk to commercial interests, and also to see if they had any documentation which explained why a list of .ac.uk domains can be released but not a list of .gov.uk domains. JANET’s response to this one, so far, has been to simply ignore it. They are now beyond the legal maximim period of time in which to answer FoI requests, but I’ve still got nothing.

More intriguingly, though, while trawling through the COI website, I came across the minutes of a meeting of the .gov.uk Naming and Approvals Committee in 2009. These contained a couple of action points:

JANET to notify COI of all domains for renewal at least 3 months in advance.

and

Review current list of .gov.uk domain names to check for redirects

Assuming these action points to have been, well, actioned, this rather gives the lie to the original claim by the COI that they don’t have the data as the committee cannot have carried out the second without it and, since this started in 2009, the first will have given them a full list by now (although, to be fair, this is a rather obscure reference and it’s entirely possible that the staff member who gave the original response was simply unaware that the committee might have the data). What I’ve now done, therefore, is go back to the COI with a new FoI request to see the contents of these notifications and the list. They’ve got until the 3rd October to answer that, so we’ll have to wait and see how that pans out.

In the meantime, John Cross has submitted yet another FoI request to JANET, this time asking just for a list of domains which aren’t included in the list available on the Cabinet Office website. That was sent on the 17th August. It’s now the 7th September, and the response is due no later than the 15th of this month. Despite that, John hasn’t even had the courtesy of a acknowledgement from JANET.

I would really like to know what’s going on here. Why is a list of government domain names considered commercially sensitive, when a list of educational and police domain names isn’t? Why has JANET suddenly become so unresponsive? Does anyone outside JANET have a clue? Does anyone inside JANET have a clue?

Update: A couple of things have transpired since I wrote the above. Firstly, by making enquiries elsewhere I discovered that JANET had, in fact, replied to these requests but the replies hadn’t got through – because they’d sent them with the destination address in the Bcc: header and nothing in the To: header, meaning that it inevitably got caught by spam filters. After having a certain amount of clue applied, the responses were re-sent. You can follow the link back to the request if you want, but here’s the response in full:

Dear Mark

The legal position is that JANET(UK) is not a body that is required to respond to requests under the Freedom of Information Act. We have helped as far as we can and will provide no further information on this request.

Tim Kidd
Operations Director

The same response has been sent to John Cross here and here.

Unfortunately, this statement is contradicted by JANET’s own documentation. Their publication scheme states:

The Freedom of Information Act received Royal Assent on 30 November 2000. The Act requires all public bodies to adopt and maintain a publication scheme. JANET(UK) is a public body for the purposes of this legislation, since it is a company wholly owned by bodies that are public authorities viz. the UK education funding councils.

Oddly enough, that document is no longer linked from the website. Just in case they decide to remove it, I’ve kept a copy here.

So, what do we make of this? I’d really like to know more. If anyone inside JANET wants to be a mole, then please get in touch.