Engineers must take responsibility for privacy, says report

Computer engineers should be taught to design systems with privacy protection built in, according a report by the Royal Academy of Engineering (RAE). The report also says that people who misuse data should face jail terms.

The report suggests using systems similar to the digital rights management which record companies use to try to stop music piracy to protect the identity of individuals.

In the face of ever-more powerful systems which gather and store data on people for governments and corporations, the RAE report said that engineers have a duty to design systems that protect the privacy of individuals.

"Just as security features have been incorporated into car design, privacy protecting features should be incorporated into the design of products and services that rely on divulging personal information," said the report, entitled Dilemnas of Privacy and Surveillance: Challenges of Technological Change.

"ID or 'rights' cards can be designed so that they can be used to verify essential information without giving away superfluous personal information or creating a detailed audit trail of individuals' behaviour [or] sensitive personal information stored electronically could potentially be protected from theft or misuse by using digital rights management technology," it said. "Engineering ingenuity should be exploited to explore new ways of protecting privacy."

The report takes a new approach to privacy protection. While most campaigns focus on pressurising politicians or executives, the report emphasises the duty that the people who build systems have.

The report also said that the powers of the Information Commissioner should be increased, and that people who abuse private data should face jail. "The powers of the Information Commissioner should be extended. Significant penalties – including custodial sentences – should be imposed on individuals or organisations that misuse data," it said. "The Information Commissioner should also have the power to perform audits and to direct that audits be performed by approved auditors in order to encourage organisations to always process data in accordance with the Data Protection Act."

The RAE has published the report because it believes that engineers bear some of the responsibility for the way the technology which they design is used. "Advances in technology have the potential to do great good, but they also carry the risk of doing damage if they are introduced without proper care and forethought," said Nigel Gilbert, the chairman of the RAE's group on privacy and surveillance.

"One of The Royal Academy of Engineering's priorities is to lead debate on matters of engineering by guiding thinking, influencing public policy making and providing a forum for the exchange of ideas. This report is a contribution to the public debate on information technology and its possible impacts on our privacy," said Gilbert.

The report was written with the involvement of a group from the UK Academy of Social Sciences, which added a social policy perspective to the report.

The RAE said in the report that it believed that the digitisation of some data gathering, such as closed circuit television (CCTV) recording, changed the nature of the surveillance. "Digital surveillance means that there is no barrier to storing all footage indefinitely and ever-improving means of image-searching, in tandem with developments in face and gait-recognition technologies, allows footage to be searched for individual people," it said. "This will one day make it possible to 'Google spacetime', to find the location of a specified individual at some particular time and date."

That means that the stakes are higher than ever when it comes to the effects that mistakes or malice can have on an individual. "Loss or theft of personal data, or significant mistakes in personal data, can have catastrophic effects on an individual," it said. "They may find themselves refused credit, refused services, the subject of suspicion, or liable for debts that they did not incur. There is a need for new thinking on how personal data is stored and processed."

The report proposed that individuals be permitted to be more involved than previously in the viewing of stored information, gaining access, for example, to CCTV footage in order to better understand the scope of the surveillance.

It also said that many systems which currently identify individuals do not actually have to, they only need authentication that a person is, for example, over 18 years-old. "Systems that allow automated access to a service such as public transport should be developed to use only the minimal authenticating information necessary," it said. "When organisations do desire identification, they should be required to justify why identification, rather than authentication, is needed."