We'll just give it a couple of minutes to allow more people to join and then we'll get cracking. Well, good afternoon and thank you for joining us for KCL's Intelligence and National Security Research Themes Slot at this year's conference. We are delighted to be hosting this in collaboration with our friends at Sciences Po in Paris. A few pieces of housekeeping just before we get going is that we are being streamed live on YouTube today and the video will be online for those that wish to have a second look later on today. We're on Twitter this afternoon at KCL Security and we're using the hashtag order and disorder should you wish to join in. Panelists will keep their cameras on when they're speaking but will be behind the scenes when they're not. Each of our speakers is going to speak for about 15 minutes. I will interrupt them when we get to about minute 13 just to keep everything to time. For those of you in our audience who wish to participate in the Q&A session towards the end, please feel free to feed your questions in throughout the afternoon using the Q&A function at the bottom of your screens. As I say, we've got 30 minutes at the end and I will curate those and put those to different panelists. We're delighted to be joined this afternoon by Madeline from Big Brother Watch who was a legal and policy officer for them. Abigail, a former KCL alum and a cyber threat specialist for DWP. Sir David, one of our visiting professors here at War Studies as well as a former director general of GCHQ and other senior civil service positions. And last but certainly not least, Professor even Didier who is currently doing a research project looking at oversight and its various guises for intelligence networks. We're going to go to each of them individually for 15 minutes as I say and then we'll come back at the end. If we can go to Didier first, that would be great. Thank you.

Hello everyone.
Thank you very much for having invited me to have this intervention for the School of Security and the connection also with the Spock Network of Paris. I will try in this intervention to highlight some elements of answers to the key questions which were posed by Jules and Barry when they prepared this session. I will in particular highlight the rise in the scale of surveillance that individuals have been subjected to, both voluntarily and involuntarily. The question for me is less this momentary rise than the possibility of its continuation after the current period by arguing of its necessity and legitimacy. Pandemics could be with us for years and come back regularly. So does it justify a new normal with less freedom, more travel restrictions, or even some ban of movement of some persons? In my view, an important part of the answer lies in the discussion between the governments to agree in organizing a regime of safety based on free movement that they will all respect, and not on ad hoc measures based on national or local political will, contradictory with other policies while arguing that the answer is the same pricing. Elspeth Guild from Queen Mary has developed this point and discussed it concretely about the Schengen rules and the debate between the Council and the Commission on this topic, which includes of course the neighbors and the UK in particular. The disconnection between local and national politics with a global health care situation is certainly a first element to take into account. Coordination is a key word. Solidarity is another one. Competition and profits, egoistic policies will almost certainly backfire. Structural reform for health conditions and hospitals over the world, with a change from a neoliberal management of beds to a public service providing care to people by building more and better hospitals, needs to be discussed, and discussed at the UN General Assembly, and decisions have to be made.
Regional organizations can also do something for the social people including health, and the 27 EU member states of the EU, with some of their neighbors, and here I think especially of the UK, have also to take decisions. Answers are global and structural, not managerial policies by each country. I recommend, if I may, the reading of the piece of Carlo Caduff, who is Professor of Medicine and Global Health at King's College London, and was published in my journal Paris Grill, a piece about this structural element. Of course the discussion on the future of surveillance, which is at the core of this topic, is dependent on this answer, as surveillance is certainly not a solution instead of health and care but a way, at its best, to give a bit more time to test solutions and in some way to give the possibility, by the confinement, to limit the progression of the virus. It has helped until the discovery of a vaccine and hopefully medicine hitting the COVID; it will be important. Nevertheless, the slowness imposed by confinement, by lockdown if you prefer, has been in many places indiscriminate, blocking all the individuals, including the sane with the sick, in a place. This is a form of governmentality of the plague, imposing the discipline to the individual, to refer quickly to Michel Foucault, and this form of surveillance is of course nothing new. It's on the contrary a very old one, so this is far from being a new and high-tech form of surveillance, even if some managers have tried to present a digital version of smart borders as a way to deal with the situation and as an equivalent to the future of freedom.
Elif Mendos Kuşkonmaz from Portsmouth University, analyzing the tool of contact tracing in the UK and Turkey, as well as Félix Tréguer from Sciences Po, analyzing the French ones, have concluded in their reports for the institutions that these tools, presented as a solution for more fluid circulation, have not been very efficient in convincing or obliging individuals to do self-isolation or to prevent anything. What are they doing? They are recording data of an expert and quite inaccurate. Their usefulness is therefore presented by the promoters as the possibility to collect information, to share them internationally, to use big data analytics and AI algorithms in order to predict the evolution of the pandemic. This may be true, and that's important, but if no institution independent from the state government is set up, it will depend on each government to agree or not, and this data may become interesting for pharmaceutical competition and not for genuine global health and progress of science. In addition, these data concerning health are recognized as sensitive data by most of the courts in liberal regimes. They are not just data about consumer desire; they affect the life of groups of persons and may conduct to a biopolitics against some minorities having a specificity. Just to give a very well-known example, far before this pandemic, Korean ice Korean Iceland and have specific DNA genetic and the police Japanese authorities has tried to prevent them by looking at this DNA. We know also that some EU databases exist on sharing of DNA, and others are elaborated with the help of private companies on generic facial recognition and lying behavior via sensitive data access. Therefore, even if pseudonymized, this collection of data and their use may change the lives of some minorities and may create specific bias. I will not insist here on the fact that, in addition, pseudonymization of medical data does not resist serious attempts to repersonalize them, and some data brokers on the dark web, but also in their
commercial activity, make profits with these reassociations between data coming from different sources. So the interest of these digital tools, be it contact tracing or data sharing of sensitive data, has to be balanced with the dangers they create, and a blind faith in technology needs to be tempered by an analysis of their social use: who is using them, how, and for what purpose. National courts are often poorly equipped to discuss this element, often mixed with economic interest of a specific country. The so-called trade-off with economy in one country is an obsolete geopolitical imaginary, to use this terminology set up by Albina Hoffman on her PhD. I will finish very quickly with my own contribution on the topic, which addresses the question of obedience in time of COVID and after. This question of obedience is not the one of surveillance to policies of nudging, declaration of an emergency and exception, even of course if these elements play a role. This is a reflection on the governmentality of unease that the pandemic has accelerated and renewed. This governmentality includes our own self-behavior and reflexivity into the way we adjust to the situation. How far are we complicit, voluntary or not, of our compliance with rules that are both criticized in general but sometimes enforced via peer-to-peer surveillance, or more exactly as a liquid form of surveillance where each individual switches role from watcher to watched with a certain form of pleasure?
Zygmunt Bauman, David Lyon and myself have named this DIY, for do-it-yourself surveillance, where the voluntary part is not an evil choice but the result of the relation of interdependence in a society and the position of the person inside the chain of complicity, to use Étienne de La Boétie's terminology of servitude volontaire, which is not a will to serve. This is what creates a specific situation of a strong unease, different from the politics of fear, generating also resistance, where everybody feels embedded into a situation in which he is both victim and responsible. But everybody doesn't mean equally: some individuals or groups are by far more objectively victims and others responsible. I have called this a ban-opticon. The governmentality of unease, the concept I developed 30 years ago about the politic concerning the change of perception of refugees and travelers in EU countries, has to be partly reframed but may explain the current situation if one accepts to take into account three crucial dimensions. First, analyzing how the states see a pandemic, by following the lessons of James Scott and John Agnew on the territorial trap in which the decision maker almost falls systematically, especially in hyper-nationalistic countries. Second, to analyze how bureaucrats fight for control of the frame of the policies and how the virus has been presented as a pandemic independent of policies of environment, of growth, as something radically new, even as a new enemy in countries where the decision making was concentrated in the council of defense, like France serve. And finally, to analyze how the lived experience of the potentially infected, a danger to others, has configured a specific image of the politics of suspicion which may stay with us for a while. Thank you.

Thank you, Didier. Many, many thanks to you for that. Um, David, I think it's you next, please.

Thank you very much, and thank you for the invitation to join you on this panel. I'm particularly pleased that we've got Sciences Po on the line because I teach an annual
course there on digital intelligence. I want to use my limited time just to explore, in a very tentative way, some of the ethical issues around the balance of rights and responsibilities through the lens of the COVID experience of health surveillance which Didier has described. A natural starting point, of course, would be the UN Declaration on Human Rights and the European Convention on Human Rights which followed it, and those conventions have played a hugely important part in the debates which we've all had over privacy over the last 20 years. The emphasis on the upholding of those universal individual rights is still needed today, but I wonder, if such a convention were being drawn up today, would we want to recognize in it the responsibilities that go with being a citizen in the 21st century, not least at times of acute stress on society? You can imagine that that was not in the minds of the framers of the UN declaration after the Second World War. Certainly British social cohesion was probably then at its highest, and the collective responsibilities to others didn't really have to be spelled out. Instead they were embodied in the Attlee government's creation of the welfare state, universal education and the National Health Service. But since then we've probably become more solipsistic, almost narcissistic, in our embrace of individualism. In the digital age we've been influenced, subconsciously I suspect, by the ideals of the West Coast internet pioneers: John Perry Barlow with his manifesto, "I come from cyberspace, the new home of mind. On behalf of the future, I ask you of the past" (that's people like me) "to leave us alone. You're not welcome among us. You have no sovereignty where we gather." But we do have responsibilities to others. In our personal response to the COVID pandemic, to public health, there are types of responsible behavior as a citizen that need to be reinforced by norms: vaccination, for example, even given that comes with recognized risk; not behaving in a way
that causes a health threat to others. I'm not talking here about legal compulsion but about shared norms of good behavior as a member of a civilized society. There are always going to be exceptions. You have to recognize those; the law has to recognize them. But there are times when the norm should be to prioritize our wider responsibilities to others. The European Convention, when it comes to privacy, will be very, very familiar to all of us: there should be no interference by a public authority with respect for private and family life except as in accordance with the law and necessary, and then there's a list of things like national security and public safety. So far, so familiar. But the convention goes on to list, as a justification for interference by a public authority with the exercise of respect for private and family life, a justification for the protection of health or morals and for the protection of the rights and freedoms of others. And there's a long-established precedent here with sexually transmitted diseases, where a patient's privacy can be overridden in the interests of public health. The official instructions to UK medical staff state confidentiality is an important duty but it's not absolute, and the General Medical Council guides doctors on patient confidentiality and potential situations in which disclosure may be appropriate: as required by law, for the protection of patients and the protection of others, such as disclosure for health protection. So there's built into the structure of human rights, and indeed in our own Human Rights Act in the UK, the important concept that the exercise of the rights of the individual has to be tempered at times by our responsibility for the collective benefit of the community at large. And we find in the human rights convention, of course, that no one shall be deprived of his liberty save in accordance with the procedure prescribed by law, but one of the cases in the convention is the lawful detention of persons for the prevention of
the spreading of infectious diseases. That is, it's not only privacy but it's individual liberty that can be interfered with, provided that it's necessary in the interests of the protection of health and of course done in accordance with the law, and that's the provision that underpins the lockdowns we've all experienced and the quarantine restrictions following travel overseas. Now, we can have legitimate arguments over how exactly that balance should be struck between the rights of the individual to privacy and the rights of the community to public health. If we were of the Confucian tradition we might argue, as no doubt many in China would, that our duty to the family should bear more weight in a pandemic than our rights as individuals, and that of course could be extended to our rights, to the duties to the community. On the other hand, we would, I hope, see as unacceptable pursuing that argument to what some might see as a logical conclusion of constant state surveillance that will go on long after the pandemic is over. Some countries have conducted too little population surveillance in response to COVID; others, I would suggest, far too much. An example of the former is the failure to construct an app for our phones that would let us know if we'd been in Bluetooth range of the phone of somebody discovered later to have tested positive to the disease. Apple and Google refused to allow the app they built to register the location of this close encounter, thus reducing its potential usefulness for public health to identify hotspots where transmission of the virus was more likely. I suggest that was a poor decision, even if taken for the laudable motive of protecting the privacy of phone users, and it was also one taken by a completely unaccountable US corporation, not by any democratic legislature. Let's suppose, as a thought experiment, that such an app did exist that was capable of registering the location of the close encounter with a COVID-19 sufferer with reasonable accuracy. Like
lateral flow tests, it doesn't have to be 100 percent accurate to be useful. Picking up the thread of what Didier was saying, what safeguards would we insist on if such an app existed? First, I suggest there should be an expectation that we should all upload such an app as a norm of good behavior. Not compulsory, but a norm of good behavior would be you would have such an app. I would suggest the individual with the phone has a right to know where it was that the possible close encounter took place. That would allow the individual to assess their risk, to get a test for example, and if necessary isolate, and crucially it would allow the medics to warn others who might have been in the same location but who didn't have the phone or the app switched on, warn them that they ought to get tested. What about automatic notification of the public health authority, as well as the individual, of the location? My instinct tells me that if there was value for public health you would do that, but only on condition that the legislation limits access to the information for the purpose of public health and not, for example, for national security or crime detection. So the intelligence agencies would not be allowed access to this health information, and that could be verified by the surveillance commissioner. Anonymization and hard encryption protocols could be employed on the data, with strict rules on when de-anonymization could be authorized by a doctor for medical reasons, and so on. I hope that just gives you a glimpse of how, within a democratic society, we could, within the provisions of the European Convention on Human Rights, use digital technology to help track and trace. The important thing, as we see today with the National Health Service's medical database proposal, is transparency, so we all need to know what the rules are for the use of information, and in the case I'm describing Parliament would have had to give an informed consent on our behalf. We could envisage a similar debate over the use
of electronic tagging to enforce quarantine, which is something that's been used in Singapore. That probably in the British case is not necessary, but if a worse situation were to arise it might become necessary. So that is something, the ethical framework within which you would have such a thing needs to be discussed. Now, we will have future pandemics. We need to learn the lessons from the current pandemic and think about how we can do things more effectively in future. Other questions arise over giving public health access, for example under strict safeguards, to personal data held by the tech companies when, for example, track and trace staff are trying to pin down COVID contacts. These are all examples of, in the end, pragmatic judgments, as long as we accept the ethical principles of transparency, of proportionality, of necessity, right authority and the rule of law. My time is up. I will pause and hand you back to Bernie.

Thank you very much, David. Before we go to Abigail, just a quick reminder that if you have any questions we'll be taking them at the end, and can you please put them in the Q&A function. Thank you very much. Abigail, your turn.

Thanks, Bernie. Thanks for the introduction, and it's great to be here today. So I'm Abigail Wilson. I'm from PWC cyber threat operations team; specifically, I'm from our cyber threat intelligence team, where I analyze the activities of different cyber threat actors, and by this I essentially mean the tracking of sets, groups and individuals who conduct malicious cyber activity, so for example disinformation campaigns, information operations, as well as the intrusions themselves. So we track cyber criminals, as an example, actors who are financially motivated, such as ransomware operators who deploy ransomware against a victim organization, but we also track threat actors who are espionage motivated, and they typically seek to steal information that can provide their benefactor with an economic or political advantage. These are often called APTs in public
discourse, for example advanced persistent threats, and the operations of these groups commonly align to the strategic interests held by specific nation states. So my perspective on how the coronavirus pandemic has created very security challenges, one of many issues that we've discussed here today, is based on what we've observed in the threat landscape in which these threat actors operate within, and I'll go into some of the impacts of what happens when our data is accessed for malicious purposes. So from the onset of the pandemic we observed an explosion of activity. We observed that threat actors all over the globe have leveraged the pandemic as a guise, for example using it as a lure to trick victims into handing over their credentials for their own email accounts, for their employers, access to their own organizations, including financial information. But we've also seen it being used as a guise to convince targets to install surveillanceware malware onto their devices. In one instance this was under the guise of a mobile app designed to measure body temperature, which in fact was malicious and did not offer that functionality. But I'll dive into activity directed towards healthcare that we've seen, based on today's theme and also to complement some of the points that the other panelists have made. Given its global impact, the coronavirus pandemic has really driven intelligence gathering in sectors involved in tackling, navigating it. We observed a heightened interest in targeting healthcare and pharmaceutical sectors. We've also observed actors from multiple regions target organizations involved in coronavirus research, also vaccine research and development, as well as the NGOs related to global health. For example, it has been reported in open source publications that specific individuals working in medical and healthcare fields, including employees of the World Health Organization, were targeted by such. However, it's worth highlighting that this activity can be expected, as we know
intelligence gathering has always taken place and likely will continue. We commonly, in the threat intelligence team, observe espionage behavior and activity that strongly aligns to or surges in response to major global events, especially disruptive events such as the pandemic. Threat actors will highly likely continue to strive and obtain valuable data to the benefactors. It gives them an upper hand; it can be used to accelerate their own domestic health programs, for example, relevant to the coronavirus crisis. But it's also, we typically see a lot of activity that supports a specific economy through commercial espionage, which is often widespread. The motivation has always been there, although wider events dictate trends in who and also what industries and in particular these threat actors choose to target. Although we can also link this to the wider trend, because threat actors can obtain sensitive information from victims due to the vast amount of data that's increasingly available, stored online or stored on electronic devices, email accounts, as well as stored with different companies who hold that data, who can then be targeted as a means of conducting surveillance on individuals of interest. We've previously observed threat actors target airlines, hospitality and travel sectors to track the movements of specific individuals to achieve this. So this is not something new; this is part of the wider trend that will likely continue moving forward, as much of cyber espionage activity is essentially independent supported by data being generated, processed and accessed online. The opportunity presented to threat actors during the coronavirus pandemic is also driven by increased usage and reliance on these online services. At the onset of the pandemic many organizations and businesses needed to rapidly adjust to these changing circumstances, for example local lockdowns, and as part of this they accelerated their migration to online services, for example to accommodate remote and flexible
working, to do business online or to serve their customers remotely. Many of the services we use daily, including education and healthcare services, have migrated online, and this has essentially widened the potential attack surface for threat actors to exploit. It's given them an opportunity to collect more data because more data is being generated, which essentially contributes towards intelligence gathering. But I'd like to talk too about a second trend emerging in the threat landscape that's showing to pose a real critical threat to our data, and that's perhaps demonstrated by what's going on in the cyber crime space, and it's especially how it's evolved over the last year, and this is ransomware. And ransomware is highly prevalent. It's currently trending in the news this week, I believe it was trending in the news last week, and it will likely continue to trend within the news in the following weeks to come. And previously, major ransomware operators that we would track would deploy ransomware onto their victims, rendering their systems unusable and inaccessible, which would essentially shut down business operations until the ransom would be paid. As many in the audience are probably familiar with, these types of attacks are widespread and have significant knock-on effects, but the pandemic has certainly increased the impact and severity of these attacks due to the increased reliance on online services. However, in 2020 the techniques that we observed some of these threat actors used appear to shift. As part of the attack, during the deployment of ransomware, we observe that the data belonging to the victim organization would be stolen, and we increasingly observe the threat actor responsible for the attack threatening to expose the data online after, if the victim didn't agree to pay the ransom demanded. Now this trend has increasingly resulted in stolen data being regularly exposed or leaked online, either as a sample leaked as part of the attack itself, where the threat actor demonstrates
their capability and motivation to leak such data, or when it's leaked en masse or in bulk when the victim fails to pay the demanded ransom. As an example of data leaked in these ransomware attacks, you could expect business information, as the victim is an organization or a private sector business, but this is increasingly resulting in sensitive personal information being leaked online. This data belongs to customers of an organization or those who've had their data stored by the victim organization itself, and this is increasingly resulting in sensitive health, for example health-related, information being leaked online. Previous examples include serious illness and medical treatment, including invoices and paperwork, as well as data related to surgeries. And data of this nature is also being impacted more widely; it's not just within the healthcare sectors. In one instance where a law firm was compromised in a ransomware attack, this attack resulted in data relating to witness statements from an ongoing trial being posted online. Threat actors, we're seeing, are also directly interacting with victims who've had their data breached or compromised in these attacks. Earlier this year ransomware operators sent emails to customers of a victim organization that they had compromised, and in this email, which they obtained during the attack of course, told the victims that the company had been hacked, they had stolen their data, and that they planned to release it online. So what this trend tells us is that our sensitive and personal information and data is increasingly being used as the extortion mechanism within the cybercrime landscape. In one of these recent attacks the ransomware operator didn't actually deploy ransomware or encrypt the victim's files, which would impact their business operations. Instead the threat actor chose to rely on the threat of exposing stolen data in order to coerce the victim into paying the ransom. So what this trend also shows us is that the
value of our data has not only increased in its usefulness in conducting data analytics or to inform product development, as well as its use in marketing and advertising, which is well documented, but it is also now being used for financial gain by threat actors. We continue to generate this data, and this criminal activity is perceived by these threat actors as lucrative, so it is a trend that will likely continue. The acceleration towards online services which collect data, including the acceleration that's taken in response to the coronavirus pandemic, risks relying on immature processes. Because of this landscape we really need to consider the long-term impact of the opportunity taken during this period to move everything online and to live life as we would normally offline, but we also need to consider what the final state is. What final state will organizations leave themselves in? It's not enough to hastily adopt poor processes during a time of crisis and operate like this is business as usual. I believe that there needs to be some self-reflection to consider how our data is governed and secured, as we are only going to continue living life online and continue to generate this data, which will then ultimately in some instances be exploited. Thanks for listening to me, and I will now hand over back to Bernie.

Thank you, Abigail. And our final panelist is Madeline. Madeline, are you ready?

Hello, hi, thanks also for having me. My name is Madeline. I'm from Big Brother Watch, which is a UK-based civil liberties and privacy campaigning organization, and we've been covering the spectrum, the huge spectrum, of civil liberties infringements and privacy infringements in the UK over the last 18 months in monthly reports. So if there's anything that I mentioned or that you want to dig a bit more into this issue, I would really recommend taking a look at those reports, because they're quite detailed and provide a lot of analysis of some of the things that I'm going to mention. So I think if
we're going to talk about privacy in the context of COVID, we need to talk about privacy in the context of what has been a landslide of civil liberties. So the rule of law has taken a huge hit over the last 18 months. For anyone who's been following some of the new legislation that's been put in place, you'll know that there have been masses of unlawful prosecutions, unlawful fines; some legislation has been introduced which has actually seen a totally unprecedented 100% unlawful prosecution rate. We've seen policing take on an entirely new role in society, protest has effectively been banned, and throughout all of this Parliament has been almost entirely sidelined when it's come to some of the most critical decision making. So for example with the introduction of lockdown, and actually virtually throughout the past 18 months, every time there's been a new iteration of some form of lockdown Parliament has not really been involved. It hasn't been approved in Parliament; it's been signed in to law at the stroke of a minister's pen. So it's important, when we're looking at surveillance and privacy in this time, to kind of contextualise what else is going on in the civil liberties space and in the human rights space. And of course this is just in the UK I'm looking at, but there are, you know, hundreds of examples of this going on around the world, and obviously in some cases in a far, far worse way. I don't think you can talk about this time without looking at the post-9/11 years, where we saw a similar civil liberties landslide, but of course the brunt of that, the visible brunt of that, was seen mainly in the Middle East and also the Muslim populations of the Western world. They saw the real brunt of that, but this is kind of a bit more visible, I think, for everyone, although a lot of the surveillance systems are not visible, which is of course part of the problem. So, you know, tragedy was used to introduce the kind of total surveillance system that ultimately reconfigured society,
and I think that is of course the danger that privacy campaigners and civil liberties campaigners are warning about: this could see a kind of restructuring of society, and in many ways that has already begun. If you look at those things that were introduced in the wake of 9/11, the surveillance systems, and whatever you think of them, obviously I'm personally pretty opposed to them, and there's no denying that they have been cemented into normality, and this is the concern about COVID. And so just like post-9/11, we had whole populations treated like potential terrorists, so programs like Tempora or Optic Nerve, which reverse the traditional approach where you have a suspect and you find out about them; this turned entire populations into suspects, whether or not they could be committed to anything, through something like bulk interception. The risk with COVID is that we'll all be reconfigured as kind of these walking biohazards that need to be managed and monitored, that need to be checked in, checked out, be that of venues, be that of countries. And of course this is not an argument for not taking action in a crisis. It's obviously critical that governments take swift action, and as David talked about there are obviously, within law, justifiable reasons to interfere with the right to privacy. If you take something like contact tracing, I think that many of us would be, you know, rightly unhappy if a government representative rang us up and asked us for all our contacts for the last two weeks, where we've been, at what time, but obviously in the context of COVID that's totally acceptable and positive and something that we should welcome. But the problem comes with all of these interventions is when they are expanded, when they become disproportionate, and that is what we have seen time and time again here in the UK. So to take contact tracing, it's not something I would object to, but what I object to is the fact that the NHS wants to store this sensitive health
information for 20 years. It's that it's being fed into vast data stores run by private companies who, you know, the details of which are very murky. It's the fact that this data is being passed on to police forces for COVID enforcement. It's this continuous expansion, or mission creep, that is the real danger here. And as I've said, in the post-9/11 years we know that these powers expand, that they tend to stick around. We know that governments will take whatever space is given to them and fill it, and they will only return those powers if they are pushed. So if we look at legislation again, for example, something like the Coronavirus Act, which was rushed through parliament in just three days, contains some of the most extreme powers ever given to a UK government in peacetime, and there are parts of this legislation that we know have never been used lawfully and, as I've said, have only ever been used for unlawful prosecutions, powers to suppress protests which have never even been activated, and yet the government is reluctant to give them up. And there have been two reviews through parliament and aren't keen to relinquish them, even though they know full well that they're not being used: they're either not being used at all or they're not being used normally. There's nothing to suggest this will change, so it is so critical that there are time limits, that we keep an eye and we watch for this continuous expansion. Another UK example of expansion is the COVID-19 data store, the NHS COVID-19 data store, that has been built in collaboration with numerous big tech companies, so most controversially Palantir, the US tech giant which has been embroiled in sort of controversial human rights scandals all across the world, notably with ICE in America, and Amnesty International has flagged their concerns about their practices all around the world. Also built with Amazon, with Microsoft, with Faculty AI. And this data store, highly secretive, so it actually took a legal challenge to reveal the contracts
for this. We know that masses of sensitive data are being fed into it, and we know that it contains data relating to religious and political opinions, criminal records, employment information. This isn't just health data, this is a vast data store. Location data as well, we know it's being fed into there, but the clarity around where this data is coming from is not there. Initially it was intended to be a short-term project, so NHSX, who oversee the digital arm of the NHS, the founder of this posted when it was first introduced that this would be a strictly time-limited project, that once the pandemic was over, which, you know, in itself is quite a problematic phrase, we don't really know what the end will look like, but nonetheless said that once the pandemic was over this data would be deleted and the project would be sort of disbanded. But unsurprisingly, after a few months new contracts have been renewed, and now a contract for the kind of data store, the long-term data store, working with Palantir and NHS has expanded to encompass other flus, other pandemics, Brexit planning. It's getting bigger and bigger, and there are parts of the contract which can also be, it says in the contract, can be repurposed for business as usual. So this is a really clear example of something that, I think within that post, by saying that it would be sort of broken down at the end of the pandemic, there was an acknowledgement there that this kind of data store is quite alarming for citizens, that it does represent an infringement of privacy, and yet it has been expanded. So mission creep is a real risk here. Making the argument for privacy, I suppose there are two kind of broad arguments to be made during a time of crisis, and firstly there is the kind of more utilitarian argument. So, you know, ever since we've had the concept of kind of doctors here in the UK, we've known that medical confidentiality is the bedrock of public health. We are rightly, you know, cautious about our medical data being shared; it
can often put people off if they know that their medical data will be shared and secrecy and excess data collection are actually actively harmful in a public health crisis because it's so critical that there is public trust and not just for that particular program that you might be trying to introduce so I'll talk a little bit about the app in a second if you want people to engage with the contact tracing app it's important people trust it but it can also have a knock-on impact for other public health interventions if people have in their mind you know I'm not sure about this app and they're actually you know I'm not sure about this other thing that the NHS might be doing it's a kind of snowball effect so actually you know ignoring privacy or making it something you tack on at the end of your plan can be really damaging in a context where public health is so unbelievably critical so referring back to the app that David mentioned briefly as he said the initial app had to be scrapped and this was partly due to Apple and Google because they wanted to use more privacy preserving technology but there was also huge backlash against this app because the government wanted to use a centralized database so basically that all of the kind of Bluetooth interactions would be logged on a government database contact tracers could dip into this at will and use it for contact tracing purposes and people were you know very suspicious of this and I would argue rightly so in the context of you know hacking as we've heard about and and also kind of the repurposing of this in the future potentially by the government themselves and so because the you know NHSX tried to go down this path of creating this centralized app they actually wasted about 12 million pounds and squandered a huge amount of public trust they also put themselves on a further back timeline to develop the new app which is far more privacy preserving which is decentralized it only stores information on the user's device 
and the government can't access it and that has actually been quite sort of well embraced by the public it's actually done a great job you know I personally use it as a privacy campaigner because I feel like it it is trustworthy and so there can be real success when you center privacy at the heart of your of your interventions and public health another example which is actually extremely pertinent it's just been heard in the news is the NHS what's being termed the NHS data grab and this is the plan that NHS medical records will be centralized and of course there are undeniably fantastic benefits to that if it's being used for the benefit of the patient but the secrecy surrounding it the opt-out process rather than opt-in process has caused real public concern and again a real public backlash a lot of people I've seen sort of you know purely anecdotally saying that they're not opposed to the idea of a centralized NHS database but it's the fact that it's been so secretive makes them in terms of key distrust it and therefore they're more likely to opt out and now the reason it's been in the news is because the government has sort of started to back down somewhat and I said they're going to delay the sorry extend the opt-out instead nine so again this is a real example of the keenest of public trust another example this is something that Big Brother Watch has been campaigning hugely on is around the push for Covid vaccine passports or Covid status certification aside from all the issues around you know whether this actually would be a helpful public health intervention whether it would be useful the World Health Organization currently doesn't support the idea of Covid status certification because there are just too many questions around immunity how long it lasts different vaccines or those kind of things vaccine distribution there is a real concern from the public health professionals that again this will fuel public distrust a kind of intervention which asks you to 
display or sensitive health information just to access you know spaces hospitality spaces or events or it was even posted at one point that it could be used to access churches or supermarkets and has a really it's become a bit of a I would argue a kind of politically toxic idea actually and this is you know public health experts are really concerned that those who already are maybe you know have reasons to distrust the governments and marginalised communities homeless people undocumented migrants and some people of colour may feel that these kind of interventions push them further away from engaging with the vaccine effort and I do think there is a question to be asked about how effective these sort of surveillance interventions are there are you know concerns around the idea of tech solutionism so or kind of shiny shiny app syndrome as I call it the idea that there is an app for everything and that will automatically get you the best results so to return to contact tracing for example there has been far greater success actually with localized efforts where people on the ground who know the people who are working with local authority to know their area are delivering far better results than this kind of top heavy data collection sort of machine that is now operating and hasn't been hugely successful again partly because of the lack of trust because people are concerned about what's how the data is being used another example of a shiny thing syndrome would be something like thermal bias surveillance which is something that again with Big Brother Watch has been campaigning on this idea that taking people's temperatures I mean we've seen it in airports in schools hospitals workplaces cameras that are fitted with temperature sensors often people won't even know they're being surveilled and it's the kind of security theater companies want to give the impression that they're doing they're doing more they're doing the most they're making their venue really safe they're 
safe from liability they want to get the kind of the business up and running again which is obviously understandable but there are real risks about privacy data protection here sensitive medical data that's being collected that in our research almost nobody has really considered and most critically of all it doesn't work these thermal scanners cannot accurately predict fever they cannot accurately predict coronaviruses for me that the government themselves have actually made clear so before rushing headlong into these surveillance solutions as Professor Didier said often surveillance is not the most beneficial solution and quite often a kind of attitude of care and emphasis on in hospitals testing those kind of things are where the real benefits lie and so this kind of tech solutionist approach where technology will be our savior often doesn't deliver the results and can be hugely expensive and squander public trust so finally I just want to address some of the questions that were raised in the event blurb briefly so I think the question was posted that you know are we seeing a decline in the embrace embracing a privacy as a virtue and I would kind of respond to that by saying that that privacy is not a virtue in terms of it's not a nice to have it's not a kind of a little tick box that we put at the end which is so often the reason we see these squandering of trust because privacy is not centered it's seen as this kind of nice notion that it's nice to have if we can have it but if not never mind privacy is a right that we are all entitled to it's protected under the national and international legal systems and actually it's so crucial to human development to flourishing without privacy there is no democracy and there is no personal life and it's also a gateway right to things like expression of religion, sexuality, the right to family life, the right to work and when we curtail it in times of crisis we need to remember that and I think there has been a bit of a I 
suppose, in the wake of 9/11 again, a kind of drum beat that privacy is the kind of irritating thing that stops us from getting things done, it throws a spanner in the works of, you know, productivity and the spanner in the works of, you know, effective health measures, when actually it is so, so crucial. And very lastly, the then asks us do people actually care, you know, are people apathetic to all of this, is everything I'm saying, you know, no one's really that interested outside of a small circle of privacy campaigners? And unsurprisingly I would say that they do care, and what I think we actually see is not apathy, it's not a lack of caring, people don't click on these, um, you know, terms and conditions because they just don't care about their privacy. I think it's a demonstration of the powerlessness of people in the face of these huge systems of surveillance, be that government surveillance, be that private company surveillance. People are very aware of how they're being surveilled and the threat to their privacy, but I think people feel incredibly powerless, and that can sometimes look like apathy to some. Um, but I think the real question we should be asking is how have we got into this position where these, you know, governments and where these private companies have amassed so much power, where they can surveil so easily with so little checks and balances, without parliament getting involved, you know, just to a great degree, especially in terms of COVID? Why has the balance of power shifted, um, so much in favour of these, um, of these huge actors, and how can we bring it back? That's the question that I think we should all be thinking about in the context of COVID. So thank you very much for listening to me.
Madeline, thank you very much, and particularly for gifting us the phrase shiny app syndrome, which I am definitely guilty of. Whilst we wait for some questions to trickle in, I'm going to abuse my position as chair, if that's okay with everyone. We've spoken a lot about the UK
government and touched upon briefly, um, large international corporations such as Amazon and Facebook, and I wondered if any of our panellists had particular views on whether or not those institutions were, um, good or evil, in, um, very simplistic language, about helping or hindering, as the case may be, our rights and access to privacy versus our rights and access to data and information. Um, I'm going to go to David first, if that's okay with David.
Yeah, sure, thank you. Um, the first thing I think we need to say is that, uh, international companies, and Palantir was one of those mentioned, are neither good nor bad. The problem with what we've got to look at is, uh, how are they using the enormous scale power that they have, and are they subject to, uh, any form of democratic oversight, uh, to which the answers are obviously very little indeed, although there are the first signs, for example with Facebook and its ethics panel, that, uh, at least public opinion is beginning to filter through. But if you want expertise in these areas, those are the companies you're going to have to go to, and I don't think allowing, uh, such companies access to data under strictly controlled conditions is in itself a bad thing. What you have to do is to think about what exactly is it for, what are the limitations, how are they going to be supervised, uh, and so on. Shiny app syndrome does exist, and there are lots of companies out there that want to make a living and they want to promote their particular whizzy thing. We've just got to be sensible about this. Um, the slogan I would like is something like privacy by design. As Madeline very rightly said, you don't add it on at the end after you've introduced the system and then panic and start to think about how we're going to oversee this and supervise it; you build it in at the very beginning. And there are tools and advanced mathematics that can be used that reduce the risk very considerably. Even if there is a determined hacker trying to, uh, get into the database, you can
have homomorphic encryption, all sorts of issued things you can do. We have to cut a little slack, we have to be just a little sympathetic for the poor officials around the world who were suddenly confronted with the worst crisis that the globe has had for a very, very long time, and certainly in the UK the worst crisis we've had since the Second World War, and they had to make a lot of stuff up as they went along, and some of it they will undoubtedly not have done, uh, as well as they should have done, and they haven't used technology in the way that it could have been used safely. And so I think my plea, Madeline made some excellent points, these are ones that the inquiry into COVID that we've been promised, the statutory inquiry that our prime minister, uh, said we would have next year, it ought to start earlier but let's say next year, must tackle, because we may have had to do a lot of stuff in a hurry, and some of the track and trace, uh, centralized system may not have been well founded at all, but we're going to have more pandemics, there will be other crises, and we've got to learn the lessons. So that would be my immediate response on, uh, we've got to work, it is in these, uh, tech companies that the real depth of expertise and knowledge and power of scale exists, we've got to work out ways in which we can work with them and not see them as the enemy.
Thank you very much, David. We've had a couple of questions in, so I will read them out and anybody can jump in if that helps. Um, question number one: how much independent research is being done into how to ensure data gatherers, holders and users are not able to use this power or economic profitability before it is too late?
I don't know the answer to that question, uh, I doubt anyone has actually collated that, but it's not just independent research. I would say how much effort is going on on the part of governments to ensure that this data is being used properly, the questions that Didier quite correctly posed. A lot has been done in a
rush and we now need to step back and start to ask some awkward questions, uh, about it. Or again, the fact that some of the, uh, data, uh, will be of value commercially isn't of itself a bad thing. If it hadn't been for the commercial pharma industry we wouldn't have the range of vaccines which we currently have, and the reason that companies have put so much effort into it is because they have a tradition of making money out of pharmaceuticals. Uh, you could envisage a world in which that was all different, but that's the world we've got. So again, don't write off the commercial interests of companies as being inherently a bad thing; it's about how we organize it.
Did anyone else want to jump in on that particular question? Well, yes, Didier.
Well, uh, I agree with you, David, concerning, uh, the fact that it's really important that, uh, pharmaceutical industry, uh, is in the game. What we can also, and it has been done by public research, was to be sure that the price of the vaccine, for example, would be sufficiently low, that they have a legitimate interest but they don't benefit from the situation. And you know, uh, that the Oxford University, for example, has given its participation in relation to that, and that's why AstraZeneca vaccine was less, uh, less expensive than Pfizer, for example. So I think it's always very important that the government also, uh, gives the rule of the game, and if we continue, I can accept that the pharmaceutical industry use some of the data for their own research if it's controlled, but if they themselves use that for advertisement and through, uh, through using data brokers, transforming, uh, these data for them to advertise, uh, different people without their consent, then I consider that it's not an action that the government can allow. But I suppose you agree too. So it's not a question that they can have access to private data, it's a question of consent as a way.
Did Madeline or Abigail have anything they wished even to answer that question? Sorry, I'll mute
myself. Um, I mean, I would say, I think it's, if you look at what's happened in the UK, and maybe the questioner is aware of this, but with those Palantir contracts for the data store, initially it was in the contract that Palantir would be able to profit off of this data. Um, and it's not just, you know, as I said, it's not just medical data, it is, you know, a huge amount of data, um, spanning, you know, criminal records, employment data, religious and political beliefs. Um, and it was only when, you know, the government was legally forced by a little legal challenge from a group called Foxglove, who are doing really good work on this if you're interested, um, that they released those contracts and it was revealed that, um, that they'd be profiting off of this data, and then it was hurriedly altered so that they couldn't profit off it. So I think there is a, you know, by that very altering there was some recognition there that it maybe wasn't the best thing, but this huge tech company was having access to all of this sensitive data. You know, and of course it's a question of trust, isn't it, ultimately. Um, you know, I personally wouldn't trust an organization like Palantir, whose founder has said that, I think he said that, um, you know, democracy and freedom was, is incompatible, something that degree, and once that, you know, women shouldn't have the, those kind of things. I mean, that's one example of one particularly, um, controversial company. Um, but ultimately these companies are running for a profit, they're not doing this out of the goodness of their own heart, and, um, you know, I and many people wouldn't be comfortable with them, you know, enriching their algorithms on my kind of sensitive medical and personal data. Um, but of course some people are really more trusting than others.
Just add a comment to that, uh, which is, I mean, I don't know anything about the Palantir case, but given, if the government has indeed backtracked rather rapidly, to me that suggests that those responsible
for actually drawing up this and negotiating this contract simply didn't think through what it was that an aggressive commercial company was trying to sell them um and there's a big lesson there I think uh for for all of us in dealing with those companies if I just give practical example which I heard about a while ago which is one of the big uh tech companies and I won't mention which because I haven't this was a conversation I but they've been working on early Alzheimer tests and dementia tests from keyboard strokes and these companies know every stroke we've ever typed on a keyboard when using their programs it's all anonymized they don't know who we are but they have the data and they've done some experimentation running that across health records not in the UK and it does appear that it would be possible if you combined their vast data on how people type that down to the microseconds uh with health data you could actually devise an algorithm which would allow early detection of some of the signs now we've just heard the breakthrough in Alzheimer research but the drug concern you have to catch the patient early so you put all that together and you say is there a case for that kind of research and for me it seems a no-brainer I'm getting old enough to begin to worry about the things like that that but it does require careful negotiation it requires transparency with the public it requires consent for data but if you haven't got the bulk data uh available both from the health side a large population and the tech companies you can't actually do this kind of work uh so there are some quite big issues there and some great benefits as well as dangers and I agree with all the dangers that Madeline has pointed out if we can I will move on to a second question which concerns the NHS app that we were all mentioning in passing earlier that the question is about how it's an opt out rather than an opt in which is the norm do the panellists have any comments on why the NHS 
is choosing to do an opt out policy rather than an opt in well I think um so I think it's referring to the data grab I think they're referring to the um the new attempt to create a centralized data store which isn't actually related to COVID although um perhaps there was a feeling that the public health the public approach to data collection after COVID has changed um you know what I would say is they did try this um before several years ago and there was uh such a kind of a big backlash again that they had to abandon the plans um so perhaps it's an opt out process perhaps it's been the secretive process because they were you know maybe somewhat cynically hoping that no one would sort of notice and they could get away with it um that's that's my feeling um you know maybe there is a I'm sure you know of course the opt out process would mean that they get more data so that is you know what they're after um but as we've kind of talked about repeatedly the you know the importance of transparency the importance of consent is so critical and abandoning that you know we'll only see a decline in public trust and it could damage the kind of NHS's kind of brand and reputation which is so well trusted in the UK any kind of dent in that could be so damaging for all public health implications not just COVID. 
I mean, it is, you can imagine what would go on in the conversation, can't you, within the health establishment, which is: if we have opt in, the numbers will probably be much, much lower, particularly given the kind of questioning that people like Didier and Madeline would say, gosh, this is all, you would very quickly build up resistance, so why not have the opt out? So that would be the thought process, and, you know, one aspect of that is that you could make a case for an opt out system if you regarded parliamentary authority as a collective opt in. In other words, if you had a proper debate, fully transparent, really knowing what the data would be used for, what the controls were, you could have a debate in parliament and you could have a vote, and if that said it's in the national interest, the health of the nation, to have this system, parliament will take that decision on behalf of everyone else. That's really the only way you can get away with an opt out system, rather than just trying to keep it rather quiet and hoping that people won't notice. We've been through all this with organ donations, for example, and opting in and opting out.
One element is, as always, individual consent. I would be even a little bit uneasy if a government who has a majority considers that it's an easy solution to vote a law where he's almost sure to have the majority and to say that they have chosen for me, that it's a collective opt in. So I think that you have international law, you have these ideas that privacy comes with access, with the fact that it's really individual consent which is important, because the owner of the data are the individuals and not the one who create the added value from this data. And I think, as you say, David said, one of the problem is that some bureaucrats consider, because they have done the statistics on data, that the data belong to them and not anymore to the individual, and that's where lie one of the democratic problems of this kind of discussion.
David I see that you're nodding did you want to come back under the eighth point? No I agree with them there are cases times when and the 2016 Investigatory Powers Act in the UK is such a case where for practical reasons you can't have individual consent to be surveilled or you destroy the whole purpose of surveillance so society has to make a collective judgment but the only disagreement I have with Didier is that it's easy for governments to think they can simply use their majority because what they will have to do is really expose their thinking there will be a political row it's not an easy thing to do and it's what's necessary we had to go through all of this with our own surveillance legislation and it was a very very lively argument indeed and that's the kind of argument we should have had over NHS data rather than suddenly waking up to discover it's happening. Perfect thank you we've had a couple more questions in one is talking about Palantir but they're more broadly about a range of IT contractors that HMG tend to turn to and how their products are not necessarily providing the best public value. I wondered if anybody had any comments on such consultants and external organisations being used on behalf of HMG? Well as a former public servant I would expect me to say this I would always rather have the expertise inside government with a public service ethos attached to it than have to buy it in from the private sector but particularly in the digital realm that it's outside where the expertise is and you have to find safe ways of drawing on that expertise I don't think there's an alternative. We will discover no doubt next year when we have the public inquiry and the statutory inquiry just what went on for example with track and trace and why it was that so little benefit seems to have come from such an enormously large sum of money being spent. Consultants at a thousand pounds a day is not to me very sensible use of public money. 
Madeleine Lipters if you had something to say during that? I think I have sort of already addressed this to some degree. Of course there are fantastically clever people out there who are working in the corporate sector who can be really helpful but there is always that risk especially in a crisis period that ministers will as we've seen lean on their friends perhaps. As the question raised we don't always know the kind of benefit of this and it's going to be good that we're going to have a public inquiry but it's a little bit too late for those billions of pounds that have been spent on this system and test and trace being the example. There's not really kind of that transparency. As I said multiple times the contracts with Palantir have to be legally pushed to be published. There is a kind of allergy to scrutiny at the moment in government even from their own MPs or from parliament as a whole and it's within that context that we know so little about how useful these tools are. I mean to take another example of a contract we know that the Department of Housing I think it was contracted faculty AI who've been contracted repeatedly to conduct social media scraping so to scrape basically all the content, public content off of them, social media accounts relating to coronavirus relating to I think housing and jobs to kind of track public response to measures. 
That contract only lasted a few months. It was, you know, hundreds of thousands of pounds. We have no idea if that was good value for money. We have no idea what they were really looking for. I mean, there are, you know, concerns that was more of a kind of political "are people happy with what the government's doing" rather than a kind of public health intervention. You know, we just don't know, and that's kind of just another, I mean, there's, you know, myriads of contracts like that that we don't really know the benefits are sold, if they're, if they're helping. The government hasn't really been very keen to scrutinize as they've gone along, obviously kind of kicking it down the road a little bit with this inquiry. Hopefully we'll have some information come out of that, but, you know, the way things have gone over the past 18 months, I'm not being too confident. And of course it would have been far more preferable to have this scrutiny and transparency the whole way along, and I think that would have led to better government decision making as well.

I think Madeleine just made a very important point, because is there the capability within the British government, and Didier might like to comment on the French government, is there actually the capacity within the government to analyze the effectiveness of the policies that they agree on? Various attempts have been tried in the past in the UK, policy review staffs and so on. Most of these experiments haven't really lasted, so much more effort goes in at the front end rather than at the back end saying, well, we had the policy, did it work, what were the results? We tend to rely here on the National Audit Office and the Public Accounts Committee to come along with a report, as they've done on track and trace, and say it's had negligible impact on the pandemic. But we shouldn't have had to rely on the auditors to do that. You know, the policymakers should have been tracking that all the way through.

I think one additional question is the right of private property on algorithm, because it's not that the people working for the civil service are less knowledgeable than the one on the private companies, and most of the time, if you look in detail on their trajectories, they have done a back and forth. At least this kind of strategy is obvious in France, where the private is not so much a private, it's a mostly private with public interest, and some people are straddling between the position: they come from a private company and they become public and then they go back. It's even more important in the US in many situations. So the problem is the secrecy which is linked with the property on algorithm, which are really more and more the key element. Certainly you heard that the EU Commission, and the new Commission, is working on that topic, especially to try to give the possibility, at least for some experts, to verify what is inside the algorithm, how much the algorithm is trained with previous data which are coherent and which respect the fact that they are seeking the goals they are seeking to do. Because you had a lot of data where the algorithm were trained, and we know that with predictive policing in the US, for example, where the bias at the end where the bias at the beginning with the data. That's also something which is really important concerning health data, and you have inquiries about that, because it depends also about what would be the people who have been used at the beginning to do the research and to build intelligent artificial intelligence. So here it's different from big data, it would be to have selected data but with predictive algorithm. So here also the private looks in others, but it's more because he has a paradox that through this private property of some algorithm that nobody can change or can look at, the big companies can continue to impose their own framing of the data.

Thank you. Juliette, have we got time for one final question? I think we probably do. There was one final one that I really, really liked, of how do you bring all these various different actors around health data, or data more generally, versus public sector, private sector, academia, government, together around the table to really get into the detail of the various different aspects and avenues that this debate can go down.

I venture a couple of thoughts. Don't underestimate how much of this reaching out goes on at the moment. I think, in comparison with say even five years ago, there is much more readiness to get around a table. Some of the harms that Abigail was talking about are now so evident that discussions have had to be sort of stimulated, so we mustn't assume we're starting from zero. But it will be a slow process. Trust will need to be built up, information will need to be shared from all sides, and there'll need to be some thought leadership. You can't just put a selection of senior people around a table and say, go on, talk. There has to be preparation, and I think that's where I'd look to academia. That's where I'd look to the academics to start producing the ideas, the concepts, framing some of the issues. Companies and governments may not agree, but that will be a starting point. So the more, as Didier said, the more work that is done. The European Union does a lot in this area and I'd like to see more. My only regret is that the United Kingdom is not around the table joining in.

But some of the ideas to have more people on global health and pandemic as special rapporteur in the UN are also very important, because I think that one of the difficulty with these global pandemics is that's European, but also the western countries think about themselves, and they think that if they are out of the pandemic it will be finished, and that's even more the case now in some countries which consider that they are out of the situation. So I think it would be really important that you have more and more implication, which means also more and more money for some element of infrastructure. For example, the idea to look at the situation of hospitals as public services in every country in the world, to fund hospitals in many countries and not only in your own country, could be a huge discussion of course, because that's the rich never like to pay for the poor, and some of the people in the middle plays a game also to say that they are poor when they are not so poor, if we compare with, for example, the budget of other elements. But this kind of elements would be certainly necessary. What we have seen unfortunately with the World Health Organization has been a little bit disappointing, to say the least.

I mean, if my kids say something very briefly, something nearly finished. You know, absolutely there are times when it's so critical that everyone is around the table, and that can be incredibly beneficial. And I think that somehow, actually, all too often, I think there have been times when there have been promises that they'll bring together all these different shareholders and actors and, you know, different perspectives, but I think unfortunately very often that is treated as a kind of tick-box exercise. So we've made our decision, this is what we're going to do, we're going to have a couple of round tables at the end and say that, you know, tick, we've consulted with ethicists or we've consulted with privacy or, you know, data protection specialists. And in that case, sometimes there is some narrative actually being outside of the tent, and I think that's something that Big Brother Watch often does. You know, sometimes a compromise can't be reached. There are some technologies that we believe which are kind of so oppositional to kind of basic rights, something like facial recognition, that we would simply never accept, you know, no matter what the safeguards were, no matter what the, you know, the discussions around it. Sometimes you need someone outside of the tent who just says, actually, no, we don't agree with this, we don't want this, not now, not ever, not in any form, and I think there's a place for that as well, and I hope that's what Big Brother Watch can be sometimes. Of course, sometimes it's beneficial, you know, to have that collaboration, but sometimes I think you need the people who just say, actually, you know, we're outside the tent, we're sitting out on this, we're going to cause a fuss from the outside as well.

Thank you very much. Abigail, did you have anything you wish to add before I do some completing remarks?

Yes, related to the last question around public private partnerships, I think from a security perspective there are numerous benefits that can be gained from government, private sector and academia, collaboration with academia, especially when it comes to tackling the cyber threats. That's something referred to as collective defense, where the more parties there are in the room sharing threat data and monitoring different angles, it's putting those pieces of the puzzle together, and that creates maximum benefit, whereas if all of these individual parties are tackling the same thing on their own, especially when identifying and monitoring threats, a commercial, for example, entity might have a very different risk profile. They might be looking at different risks, different emerging threats than the government can, and it's all about sharing that expertise and not necessarily meaning that we're limited because, for example, the government might not have that expertise in house. But there needs to be these mechanisms, and there often are, as David pointed to, kind of operating quietly behind the scenes. But there are massive successes that can be had of those, especially when tackling technology problems, which the private sector seems to be doing more of than the government currently is. So that's just my perspective on it.

Thank you very much. I just wanted to say thank you to all of my panelists and everybody at home who sat inside with their Wi-Fi signal rather than outside getting some vitamin D. Thank you all very much.