What the MCLU is asking for
The following requests have been submitted formally to the parties the MCLU has been able to identify. They have also been submitted to the regulatory bodies with the closest applicable mandate, the guild oversight structures with relevant members among the affected clients, and the Patrician’s office, from which we have received a reply that was courteous, brief, and entirely without content. We are treating this as a response and noting it accordingly.
Full disclosure to affected clients
Every client of the cloud provider should receive a written account of the surveillance arrangement: when it began, which systems were in scope, what categories of data were collected, to whom the data was transmitted, and for how long the arrangement has been in operation. This account should be provided without requiring clients to submit a formal request, because requiring a request places the burden of disclosure on the party that was not informed, which is precisely the wrong place for it to sit.
The MCLU anticipates that the parties involved will argue that full disclosure is not possible because the scope of the arrangement is not fully documented. We accept that this may be true. We note that it is a consequence of the arrangement being deliberately undocumented, and that the inconvenience of disclosure is not a reason to avoid it. It is a reason to avoid undocumented arrangements, which is a lesson the parties might usefully apply going forward.
Identification of the third party
The clients are entitled to know who received their data. This is not a complex request. It has a simple answer, which the parties involved have not provided. The MCLU has its own assessment of who the third party is and will publish that assessment when the evidence supporting it is sufficient to withstand the scrutiny it will receive.
In the interim, we ask that the third party identify themselves, state the legal basis on which they received the data, and explain what they have done with it and what they intend to do with it going forward. We expect this request to be declined. We are making it anyway because the refusal is itself informative and belongs in the record.
Retention and independent audit
All data transmitted under the arrangement should be retained and made available to an independent auditor with appropriate technical capability and no connection to any of the parties involved. The audit should establish the volume, nature, and destination of the data, and produce a report that is made available to affected clients and to the public.
The MCLU is aware that “independent auditor with no connection to any of the parties involved” is a more demanding specification in Ankh-Morpork than it would be in a city where the relevant institutions are less thoroughly interconnected. We have identified candidates. We have not yet secured agreement from the parties who would need to cooperate with the audit for it to be meaningful. This process is continuing.
A legal framework that requires consent
The arrangement described in this report is not unique. It is an instance of a general pattern in which surveillance capability is distributed through commercial relationships without the knowledge of the people whose data it produces. The pattern will recur in different forms unless the legal framework surrounding it changes.
The MCLU is asking for legislation, or its nearest available equivalent in Ankh-Morpork’s governance structure, that requires any party deploying surveillance-capable technology on behalf of a client to disclose the full chain of data custody to that client before deployment begins. Not in a terms of service document. Not in language that requires a legal specialist to parse. In plain terms, to a named person at the client organisation, in writing, with a record kept by both parties.
This is the minimum. The MCLU would prefer more. We are asking for the minimum because the minimum is achievable in principle, and because establishing the minimum creates the foundation for the rest.
What we expect to happen
We expect to receive no substantive response to our formal enquiries for a further period. We expect that one or more parties will suggest, through intermediaries, that the matter is more complicated than the MCLU appreciates and that there are considerations we are not in a position to understand. This has happened before. Our position is that the considerations we are not in a position to understand should be explained to us, at which point we will assess whether they change our analysis. The offer stands.
We have been in this position before. We have a pamphlet about that too.
What should happen
The clients should be told. The arrangement should be disclosed. The data should be accounted for. The legal basis should be established, or if none exists, that fact should be established instead.
These are not radical positions. They are the minimum conditions under which the phrase “trusted provider” means anything at all.
The data cannot be unflowed. Everything else is still in question.