The report suggests protecting the identity of individuals with
systems similar to the digital rights management which record
companies use to try to stop music piracy.
In the face of ever-more powerful systems
which gather and store data on people for governments and
corporations, the RAE report said that engineers have a duty to
design systems that protect the privacy of individuals.
"Just as security features have been
incorporated into car design, privacy protecting features should be
incorporated into the design of products and services that rely on
divulging personal information," said the report, entitled Dilemmas
of Privacy and Surveillance: Challenges of Technological
Change.
"ID or 'rights' cards can be designed so that
they can be used to verify essential information without giving
away superfluous personal information or creating a detailed audit
trail of individuals' behaviour [or] sensitive personal information
stored electronically could potentially be protected from theft or
misuse by using digital rights management technology," it said.
"Engineering ingenuity should be exploited to explore new ways of
protecting privacy."
The report takes a new approach to privacy
protection. While most campaigns focus on pressurising politicians
or executives, the report emphasises the duty that the people who
build systems have.
The report also said that the powers of the Information Commissioner
should be increased, and that people who abuse private data should
face jail. "The powers of the Information Commissioner should be
extended. Significant penalties – including custodial sentences –
should be imposed on individuals or organisations that misuse
data," it said. "The Information Commissioner should also have the
power to perform audits and to direct that audits be performed by
approved auditors in order to encourage organisations to always
process data in accordance with the Data Protection Act."
The RAE has published the report because it
believes that engineers bear some of the responsibility for the way
the technology which they design is used. "Advances in technology
have the potential to do great good, but they also carry the risk
of doing damage if they are introduced without proper care and
forethought," said Nigel Gilbert, the chairman of the RAE's group
on privacy and surveillance.
"One of The Royal Academy of Engineering's
priorities is to lead debate on matters of engineering by guiding
thinking, influencing public policy making and providing a forum
for the exchange of ideas. This report is a contribution to the
public debate on information technology and its possible impacts on
our privacy," said Gilbert.
The report was written with the involvement of
a group from the UK Academy of Social Sciences, which added a
social policy perspective to the report.
The RAE said in the report that it believed
that the digitisation of some data gathering, such as closed
circuit television (CCTV) recording, changed the nature of the
surveillance. "Digital surveillance means that there is no barrier
to storing all footage indefinitely and ever-improving means of
image-searching, in tandem with developments in face and
gait-recognition technologies, allows footage to be searched for
individual people," it said. "This will one day make it possible to
'Google spacetime', to find the location of a specified individual
at some particular time and date."
That means that the stakes are higher than
ever when it comes to the effects that mistakes or malice can have
on an individual. "Loss or theft of personal data, or significant
mistakes in personal data, can have catastrophic effects on an
individual," it said. "They may find themselves refused credit,
refused services, the subject of suspicion, or liable for debts
that they did not incur. There is a need for new thinking on how
personal data is stored and processed."
The report proposed that individuals be
permitted to be more involved than previously in the viewing of
stored information, gaining access, for example, to CCTV footage in
order to better understand the scope of the surveillance.
It also said that many systems which currently
identify individuals do not actually have to; they only need
authentication that a person is, for example, over 18 years old.
"Systems that allow automated access to a service such as public
transport should be developed to use only the minimal
authenticating information necessary," it said. "When organisations
do desire identification, they should be required to justify why
identification, rather than authentication, is needed."