At the IAB’s Mobile Engage conference, and ICO manager of business and industry, Dave Evans, said: “Consumers are not interested in privacy but they become interested if you get it wrong.” He added: “If you give them what they want but you get it wrong in the process then they [consumers] start to care where the data came from.” However, having taken a look at the ICO’s own research it seems like Evan’s isn’t even a little bit right!

A 2011 survey commissioned by the ICO showed that: almost nine out of ten respondents were concerned about the way personal information is handled, with 89% of respondents being concerned about protecting people’s personal information. This makes protecting personal information the second highest concern in terms of social issues raised in the survey, and it has been every year since 2007. There was also a high level of concern from respondents (59%) that they have lost control over the way their personal information is collected.

In a 2008 survey, again commissioned by none other than the ICO, 53% said they were not confident in the way that organisations, such as banks, councils and the government, look after your personal details. 72% said that they felt powerless over how their personal information is looked after, whilst 77% said they worry more about the safety of their personal details now than they used to and 85% said they were now much more aware of the value of personal information.

Those figures seem pretty concrete in terms of consumers having concerns about privacy, but they just complain when something goes wrong, right? Well, it appears that consumers are taking proactive steps to protect their privacy: 88% said ‘I have started to regularly check my bank statements’, 85% said ‘I now refuse to give out my personal details as much as possible’, 81% said that they now shred their documents, 45% changed their PIN number/s, 36% said they had asked organisations to remove their details from their databases, and 31% said they has taken information about themselves off internet social networking sites, blogs or forums.

Our own research showed that the majority of the British public are concerned about their online privacy (68%) with nearly a quarter (22%) saying that they are very concerned. People are more likely to say that consumers are being harmed by big companies gathering large amounts of their personal data for internal use (46% than they are to say that this enhances consumer experiences (18%).

Well, that seems pretty conclusive. From the ICO’s own research it appears that consumers are very concerned about the way that their data is used and how it impacts on their privacy, and are willing to independently take proactive steps to protect themselves. Perhaps it is internal attitudes like this at the ICO, that helps explain why in cases like the Phorm scandal, Google Spy-fi, and even the row over phone hacking, that the ICO has been accused of burying its head in the sand.

In an age where our personal information is becoming more and more valuable as a commodity, it is clearly sensible that people shouldn’t share information unless it is absolutely necessary. However, businesses also need to reassess how much information they request from consumers as it is when large amounts of data are collected that it becomes more likely for it to be open to abuse.

UPDATE: We have received a response from the ICO, stating that the comments “have been taken out of context”, commenting that:

“There’s no suggestion from the ICO that consumers aren’t interested in privacy, and our own research has shown year after year that this is a key issue for consumers. It’s important to see this comment in the context it was made, in a discussion of targeted advertising. Prior to the discussion, one of the panellists had suggested that in the context of digital content, privacy is not the most exciting topic. The point being made was that while no-one would suggest consumers’ main focus when browsing a website is privacy, those concerns come to the fore if consumers think their information is being used in the wrong way. The issue being raised was that while some businesses might not see privacy as a priority, the consequences of handling personal data poorly is reputational damage, as well as potential enforcement action.”

Whether taken out of context or not, it remains that Evans’ comments don’t quite inspire the confidence in privacy that we would hope for from the ICO.

When news broke of the US Government’s wholesale request for data on Associated Press journalists,

The New Yorker quickly highlighted how US law allowed the Department of Justice to go straight to the phone companies, without notifying AP (although it’s own guidelines said this should not normally happen.) Because of this, there was no opportunity to test the justification for such a massive intrusion on the freedom of the press.

Ryan Gallagher writes on Slate:

“The AP incident involved the DoJ obtaining two months of reporters’ phone records, which listed outgoing calls for the work and personal phone numbers of AP journalists and editors. AP said in a report published Monday that it was not clear whether the records also included incoming calls or the duration of the calls, but noted that “the government seized the records for more than 20 separate telephone lines assigned to AP and its journalists in April and May of 2012.”

He goes on to highlight the same warning we made during the debate on the Communications Data Bill – it isn’t always necessary to see content to figure out enough of the picture.

“Typically, phone records obtained by the feds will show date, time, and duration of incoming and outgoing calls and/or text messages, according to the ACLU. While the data do not reveal the actual content of a call, they can be used to show a network of contacts and reveal relationships between people—information that is particularly sensitive for journalists working with confidential sources.”

Under British law, no external authorisation is required – it goes to a specially-trained officer, then a senior ‘authorised’ officer, all within the same police force doing the investigation. No court challenge is possible and you have no right to be informed about your communications data being accessed, even retrospectively when nothing has been found. Only local authorities – less than 0.5% of the annual requests for data – are required to seek external approval from a magistrate.

As we and the Bar Council, have previously highlighted, British surveillance law fails to recognise legal privilege, MP-constituent confidentiality or even medical confidentiality. Equally, protecting press freedom or the identity of whistle-blowers is not a factor, which is particularly worrying given the massively disproportionate investigation in Cumbria that was widely criticised.

As we have repeatedly argued, the existing regulation of surveillance in Britain is increasingly out of date and not fit for purpose. Preventing an AP-style investigation in the UK should be a priority of anyone committed to a free and open press.

The paper would clearly have not published without a sufficiently high standard of evidence and the Met police’s reaction – to suddenly announce it was abandoning the plans, despite high-level meetings in recent weeks – suggests a nerve has been touched.

The paper’s evidence is clearly damming.  “Documents to promote the data reveal that it includes “gender, age, postcode, websites visited, time of day text is sent [and] location of customer when call is made”. They state that people’s mobile phone use and location can be tracked in real time with records of movements, calls and texts also available for the previous six months.”

We have already made Freedom of Information Act requests for these documents, and urge IpsosMori to publish them urgently to allay public concerns.

Everything Everywhere needs to come clean on what data it is releasing, and why it is storing this data where there is no business purpose.

Earlier this year, the two companies signed an agreement that will allow Ipsos MORI to analyse anonymised mobile phone usage data from the telco, which has 27 million customers, and offer insights to businesses and local authorities. However, as we have previously warned, the UK’s definition of “anonymised” is far from meaning that data cannot ever be re-identified.

This loophole in the definition of “personal data” stems from the Data Protection Act 1998, which failed to fully implement the Data Protection Directive. (EC95/46) By omitting the caveat that if data could be reasonably likely to be identifiable by “any other person” then it was not anonymised.

The data that Ipsos MORI would be able to analyse includes individuals user’s location to the nearest 100 metres. By removing user and account details we expect the company’s lawyers would argue this is “anonymised” – however, anonymity in large datasets is only as good as the other data it can be combined with, as this paper from the University of Texas warns. This follows from a paper last year highlighting how 80% of mobile users could be “precisely identified” by comparing their location data with their social graph – i.e. their Facebook friends. Cambridge Computer Lab also produced this excellent poster for an event on re-identification last year, while Natutre published a scientific report on how with the right data, 95% of people can be re-identified from a data set of 1.5m “anonymous” people.

This smacks of a shameless attempt to turn customers into cash-cows by selling of data about how they use the services is an affront to privacy and the principle that when people pay for a service, they should control the data about them. IpsosMori stated that “Ipsos MORI only receives anonymised data without any personally identifiable information on an individual customer. We do not have access to any names, personal address information, nor postcodes or phone numbers”

This data can paint an incredibly detailed picture of your life, and the idea that because names were omitted it is somehow acceptable to cash in is frankly offensive to EE customers whose privacy has been sold out on a spectacular scale.

This case highlights the huge amounts of data already held about us by companies, often with scant justification for it to be retained after the initial technical need. Customers are kept in the dark about how much information is collected, how long it is stored and how it can be used and the law needs urgently strengthening to give consumers proper control over this data and to ensure companies are not prepared to do shady deals like this.

We suspect EE is not the only company looking to cash in on our our private lives like this and are very concerned that were it not for the Sunday Times uncovering these plans customers may never have known what was going on.

As the paper reports, “Hardwicke Parish Council duo Fran and Lyn Welbourne have been so pro-active in monitoring the village youth shelter that they have the live footage beamed right into their home.”

It beggars belief that someone thought it appropriate to allow Councillors to have public CCTV of a youth centre piped into their living rooms.

These people are not trained employees, nor licensed CCTV operators. It smacks of taxpayer-funded voyeurism and will do nothing to actually tackle the problem that is causing concern. It would be more effective to have the councillors actually stood at the youth shelter, if they are so keen to keep an eye on what is going on.

As we have repeatedly highlighted, CCTV does little to deter or prevent crime, and at best displaces the activity a short distance.

Perhaps the Councillors should spend some of their evidently quiet evenings asking why there is a problem rather than indulging their new hobby of sofa snooping.

An IP address is (put simply) the address you access the internet through (although ways of masking this are nothing new nor particularly technically challenging). We think it reasonable that the issue is investigated so that where the police have an IP address from a service provider, they are able to trace that back to the person using the service. It may be possible to address this through small, technical changes to existing legislation, rather than a new Bill. Indeed, the draft Communications Data Bill went far, far beyond being a focused attempt to solve this problem.

If such a change is required, then it should be properly thought through before being subject to the widespread consultation and comprehensive scrutiny that has been sorely lacking to date with industry, civil society and the wider public. It should also include the safeguards and revisions to existing law recommended by the Joint Committee on the draft Communications Data Bill.

Indeed, in 2008, the Home Office published a response to it’s consultation on the transposition of the Data Retention Directive into UK law – which covered IP addresses. It included a recognition that “Some respondents from the public communications providers stated they had little or no dialogue with the Home Office concerning the complex issues surrounding internet related data and the DRD” – exactly the same criticisms that were regularly made of the draft Communications Data Bill.

The same consultation found that the implementation of the Regulations was inappropriate for Internet data due to “particular technical and resourcing issues” such as “increased difficulties in replicating the ‘end to end’ picture of communications data, the difference in the cost profile for storage and retrieval of Internet communications and the need for a strong business case, if the retention period for IP data is set at 12 months.” It is far from clear these challenges have been overcome.

The biggest challenge facing the police is making use of the huge volume of data that is already available, including data from services like Skype and Facebook. The Snoopers Charter would not have addressed this, while diverting billions from investing in skills and training for the police.

The legality of the Directive is still far from clear – with legal challenges now pending from Ireland and Austria, with several European countries deeming it incompatible with their constitutions. Equally, the United Kingdom’s statistics are ominously absent from the European Commission’s review of the Directive published in 2011.

So, if proposals are to be brought forward then they must be based on a full and frank discussion with industry, be technically workable and not introduce by the back door excessive or unwarranted obligations for data to be collected. We also hope the Home Office takes a far more proactive response than we have seen to date to engaging with Parliament, civil society and the public to explain their intent and to address legitimate concerns.

Last year we highlighted that more than three million authorisations under the Regulation of Investigatory Powers Act (2000) were issued, leading to questions about how and why the powers are being used.  We also published research that shows that HMRC made 41,351 snooping requests for details of phone calls and mobile texts between 2009 and 2011. The only police forces to make more requests in the same period were the Metropolitan police and Merseyside police.

It has since come to light that HMRC has used surveillance legislation to identify a whistleblower who uncovered a ‘sweetheart’ deal with Goldman Sachs. Osita Mba had used the Public Interest Disclosure Act to write to the National Audit Office and two parliamentary committees in 2011 saying that the head of tax, Dave Hartnett, had “let off” Goldman Sachs from paying at least £10m in interest. The identity of Mba was then revealed to HMRC by the clerk of the public accounts committee, who sought clarification that he was a genuine revenue employee.

Following the story appearing in the Guardian in October 2011, Mba was put under internal investigation by the revenue, useing RIPA to access the emails, internet search records and telephone calls of a revenue solicitor, and his wife, Claudia.

Perhaps shockingly for many, RIPA allows HMRC the ability to view highly personal information of taxpayers, including the websites accessed, the mobile calls made or received, the date and time of emails, texts and phone calls. Despite the revenue claiming that RIPA powers “can only be used when investigating serious crime”, it is very clear from the use of the powers in this case, that this isn’t always so.

We have seen how new surveillance powers that are created, intended only for the most serious of crimes, very quickly becomes available to everyone from councils to the Health and Safety Executive. It is unacceptable for public authorities to keep secret details of why they are spying on the public and their own employees and to do so without seeking a court’s approval. Judicial approval for spying on us should be the norm, not the exception and the public have a right to know why and how these powers are being used.

On Friday, the Secretary of State confirmed that this will not be the case.

We have worked closely with MedConfidential and Privacy International to ensure this and it is another victory for Big Brother Watch campaigning to protect privacy.

Jeremy Hunt said on Friday: “”GPs will not share information with the HSCIC if people object…people will have a veto on that information being shared in the wider system”

He then went on to say that “We’re not going to cancel the opting out that has already happened. There may be a process of re-contacting people to explain the new arrangements, and that’s a detail which we’ll work through in operational terms. We will respect the people who have already said they wish to opt-out of any data sharing.”

We also understand people who opt out after their data has been uploaded will be able to have their data deleted.

This is a significant victory on both counts, and an important one. We believe that opt-in systems remain the best way to protect patient trust in their medical information being kept confidential, however given the new system goes live in a few weeks these two changes were essential.

It is absolutely right that the Government has affirmed its commitment to patients controlling their own medical information and respecting the choice of those patients who do not wish to have their medical records used for purposes outside direct care.

The concern remains, however, that patients have not been given adequate information about how this system will work or how they can opt out. We urge NHS England to rapidly address this and ensure patients are able to exercise this opt-out if they choose to and make clear how patients can inform the NHS of their choice without overburdening GPs with patients trying to opt-out before the system goes live.

Big Brother Watch led the charge against these plans, giving evidence to Parliament, urging our supporters to write to their MPs and being the central force in the media campaign against the so called Snoopers Charter. We highlighted how the Home Office had misrepresented the work of the Child Exploitation and Online Protection Centre to support the bill, demonstrated alternatives were available – and that was before the technology companies tore into the proposals.

When the Joint Committee on the Draft Communications Data Bill published our report, we hosted a press conference that included David Davis MP, Jimmy Wales, Sir Chris Fox and Lord MacDonald.

Last week, we published 15 reasons why the Bill was the wrong approach.

The Deputy Prime Minister, Nick Clegg, has just announced that the Communications Data Bill is dead. He said on LBC : “What people dub the snoopers’ charter, that’s not going to happen – certainly with Lib Dems in government.”

(Governments by convention never comment directly on the content of the Queen’s speech so it is impossible for it to be explicitly ruled out, however “not going to happen” is a fairly clear signal.)

Nick Clegg has made the right decision for our economy, for internet security and for our freedom.

Last year Skype gave British police more data than any other government, including the USA. To say that the police can’t get data from the internet without this bill is simply wrong.  Where security or child safety is at risk, companies already comply with police requests and there was a real risk this bill would make the situation worse by driving dangerous people underground into encrypted services.

 Recording the websites we look at and who we email would not have made us safer, as some of the country’s leading cyber security academics argued this week. It would have made Britain a less attractive place to start a company and put British companies in the position of being paid by the Government to spy on their customers, something that oppressive regimes around the world would have quickly copied.

Rather than spending billions on another Whitehall IT disaster that tramples over our civil liberties and privacy on an unprecedented scale, we should focus on ensuring the police have the skills and training to make use of the huge volume of data that is available. If small, technical changes to existing legislation are required, then they should be properly thought through before being subject to the widespread consultation and comprehensive assessment this plan sorely lacked.

There has been widespread criticism in Parliament from MPs of all parties.

Rt Hon David Davis MP has said: “It was a long time coming, but the Deputy Prime Minister has done the right thing by blocking the Snoopers’ Charter.  This draconian law would have been a massive, unnecessary extension of the state’s power.  It would have trampled all over the privacy of innocent people without improving our security one jot.

“This of course begs the question as to why the Home Office spent over £400 million of taxpayers’ money on the Snoopers’ Charter when it clearly never had enough support within government to go ahead, and when there are many better uses of the money that would actually enhance the public’s security.”

Dr Julian Huppert MP, Lib Dem spokesperson for Home Affairs and a member of the Joint Committee on the draft Communications data Bill, said: “I am delighted that Nick Clegghas stood up for the British public on this. He was right to demand that these proposals be published as a draft, which gave us all a chance to see just how badly thought through the Home Office proposals were. And he is now right to say that what the Home Office propose is unacceptable. Spending billions of pounds to keep track of every website we go to, and what we do on facebook or google, is simply wrong. If we want to actually cut crime, spend the extra money on the police.”

Dominic Raab MP said: “This Orwellian scheme should be buried for good. For the billions it would cost, there are far better ways to strengthen law enforcement without snooping on every law-abiding citizen.”

Nick de Bois MP said: “It’s good news that this Bill is dead. The proposals would not have worked, would not have made us safer and yet would have carried massive costs. The Bill’s scattergun approach to monitoring personal data would have made us all suspects.”.

The Bill proposed to record every website visited, email sent and social media communication by every British citizen, and has been heavily criticised by business groups, security academics, civil liberties campaigners around the world. On Monday this week it was revealed leading computer science academics had written to the Prime Minister urging him to drop the bill.

Last year a Big Brother Watch/YouGov poll found almost three-quarters (71%) of Britons say they do not trust that the data about internet use will be kept secure and four in ten (41%) people said they would be less likely to use online services and websites if they knew their activity was being recorded.

We couldn’t have won this victory without your support – more than ever before, Big Brother Watch is a leading voice defending civil liberties and protecting privacy and we hope you can continue to support us.

As our Freedom of Information request shows, Between 2009 and 2011, HRMC made 41,351 snooping requests for details of phone calls and mobile texts. The only police forces to make more requests in the same period were the Metropolitan police and Merseyside police.

Given how often these powers are being used by HMRC, it’s strange that nobody has mentioned the Government’s Snoopers’ charter will give the taxman access to who you email or chat online with and what websites you visit.

Indeed, this is before the Communications Data Bill comes in, the taxman is making more than 1,000 snooping requests every month – and clearly if it does ever become law, that number will explode.

The taxman doesn’t need to know if you’ve been reading the Sun online, nor does any other part of Government. But if the data is collected it’ll be a stampede for people to have a look, from the Health and Safety Executive to parking wardens.

Nick Pickles, director of privacy campaign group Big Brother Watch, said: “This has rightly been described as one of the biggest data protection breaches ever. Yet again Google has played fast and loose with people’s personal information, but there is a real risk that the amount of money they have being fined is largely insignificant and totally fails to act as a deterrent to other businesses.

“As the regulator has also pointed out, this case highlights the problem with maximum fines for privacy breaches being incredibly low compared to the turnover of the companies responsible for these kind of services. The UK regulator must now follow suit and take action, but he is limited to a fine of £500,000.

“We urgently need consumer protections that make businesses like Google think twice before they jeopardise people’s personal information and is a meaningful penalty for those who do not sufficiently respect our privacy.”