The London charge zone, the DP Act, and MS .NET

It may not entirely work, and its data protection registration looks more dubious by the day

Data Protection Act breaches by London's traffic congestion charge system may be numerous and varied, even if you exclude all of the ones that are committed if Mayor Ken's security ring of steel exists. And a report by one of the many (we presume) journalists who've infiltrated the system suggests a) that it doesn't work to anything like the extent claimed; b) that conduct and training of camera operators is inadequate and in breach of CCTV legislation; and c) that the whole shooting match will fall over if too many recipients of penalty charges contest them.

Oh, and while we're about it we might mention that it's one of the largest Microsoft .NET projects so far; but we'll get back to that.

On the subject of the congestion charge the London Evening Standard has, we accept, been coming on like some crazed petrolhead's implementation of Der Sturmer, but yesterday's report, detailing the experiences of a worker in one of the charge zone's mobile camera units, seems well-grounded. The vehicles housing the mobile cameras, which are intended as backup for the fixed cameras, are claimed to be unreliable, number recognition is ineffective, and the visual checks intended to deal with recognition failure are not being carried out.

A BBC Radio reporter broadcast from one of the zone's control rooms earlier this week, counting up in excess of 30 correct identifications before the first failure, but for the mobile units the Standard claims a failure rate of around 40 per cent. Note that this doesn't automatically translate into an overall failure rate of 40 per cent, because the mobile unit cameras have to be hand-sighted, while the fixed ones should already be trained on the right area. However, poor light, dirt and personalised plates should have a similar effect in both cases. Says the Standard:

"In dim light it fails to read three out of five registration plates. Muddy ones are almost always misread. It takes almost an hour of tinkering before the stubborn system works."

We should mention that if the charge zone system is acting as a CCTV system then that BBC reporter probably should not have been in the control room. The staff of the mobile unit certainly show no signs of having been briefed on CCTV good practice: "I've just seen David Dimbleby drive past on the camera," says one of the workers. Which would seem to us to be a clear invasion of the good Dimblebore's privacy, and a source of some trouble for Transport for London if he features in the video archive. Pay your tenner and find out, David.

Failures of the automatic system are intended to be checked visually. It's not clear if, in the case of the mobile units, the local visual check was the only one, but if it was then many errors will not have been picked up; the Standard reports the crew as watching videos and playing computer games instead. The presence of unauthorised VCR tapes or equipment is incidentally also a CCTV breach.

Staff in the control rooms for the fixed cameras clearly will not be allowed to watch LOTR II instead of working, but if the system there is also relying on visual checks in real time, then a likely weak spot of the system emerges. Penalty notices sent out under the system do not as a matter of course include the "capture" picture of the offending vehicle. This can be obtained on request if you send £10, and we feel sure it could also be obtained for free if you make them take you to court.

However, if plate readings of non-paying vehicles were being automatically matched up with the correct piece of archive video, then it would be easy for TfL's agents to send out the picture with the penalty notice. They're not doing this, QED the archive isn't being matched up, and TfL probably won't know if a snap exists or is usable until it's requested, or needed for a court case.

As regards Data Protection Act compliance, quite a lot - although not all - hinges on whether or not you class the system as CCTV, and on whether it can be deemed to be identifying individuals. TfL has however already put its hands up to one blooper - making it mandatory to fill in your phone number, while not telling people it wants the numbers for a customer satisfaction survey. We are told the number is now no longer mandatory, and that TfL proposes to change the layout in accordance with this in due course. But it still intends to use the numbers it's got, which sounds to us like promising to commit a second offence in the act of owning up to the first.

One Data Protection compliance consultant who contacted The Register said that it was clear to him that the congestion zone is a CCTV system, and noted that it is not correctly signposted as such. "Without the correct signage the congestion charging cameras are a covert system, and can only be used for a temporary period in response to a specific pre-identified criminal activity... and footage of other criminal activities caught on a covert system is extremely unlikely to be admissible in court. Hence the use of the cameras for activities other than congestion charge administration is certainly unlawful."

Another data protection professional says that if TfL's Data Protection registration is wrong (which it is if it's being used for security, CCTV or casually observing the movements of David Dimbleby), then the local authority "could well be acting 'ultra vires.'" And he adds that requests under the Act for personal data held need not be particularly specific. "All they need say is they were travelling in a green Mondeo ABC123D between 9 and 10am on such and such a date at location X."

As there are cameras throughout the zone, some of them mobile, checking all footage for possible pictures could be a massive task, even if only a few requests were made, never mind 10,000. TfL would likely argue that the footage didn't qualify because it didn't personally identify anyone, but that argument may not be sustainable (see Dimbleby, above).

Export of personal data outside of the EU may also be an issue, and this is where we finally get to Microsoft .NET, by way of Mumbai. Charge zone contractor Capita is not exactly overburdened with successful case study reports, and its sub-contractors also seem somewhat shy and retiring. However Mumbai, India-based Mastek allows itself a small boast about using .NET to implement the charge zone scheme for Capita. "This will be one of the largest projects to be developed under the Microsoft DotNet [sic] platform and will be executed over a period of 16-18 months," says its 2002 annual report. And here, you will see that "Capita is... the largest client for Mastek in the UK." The annual report also describes Capita as "our business partner" and mentions another project, a 'frequent flyer for schools' project called Connexions. Capita meanwhile says nice things about Mastek here, but it is unclear which of Capita's many UK success stories were contributed to by Mastek and .NET.

There will undoubtedly be other non-EU contractors (NB, Mastek does have a London office) covered by TfL's catch-all "worldwide" Data Protection register entry for personal data distribution. In the case of US companies, these should be registered under the US-EU "Safe Harbour" scheme, whilst it is illegal under EU law to export data to companies outside of the EU or of the Safe Harbour scheme, where local data protection legislation does not match EU standards. As we don't know who the companies are, then TfL's compliance here can't yet be assessed. However, if the scheme turns out to be exporting personal data which TfL has wrongly categorised as not being personal data, then contractors' data protection status might suddenly become more relevant than TfL had anticipated.

We're also led to believe that TfL's record on CCTV data compliance in general might have been somewhat inglorious. But perhaps more of that another day. ®
