Collecting information and profiling people are widely practised all over the world. In Italy, though, a provision of the Testo Unico delle Leggi di Pubblica Sicurezza (TULPS) dating back to Mussolini’s rule prohibits activities of this kind. Are open-source intelligence and data brokerage at risk? Prof. Monti’s analysis, published in Italian by Formiche.net
The “Zhenhua case”, involving a Chinese company accused of creating the Oversea Key Information DataBase (Okid) to catalogue data from public sources relating to millions of people, was presented as yet another hostile action by China towards the rest of the world. In reality, however, Okid is no different from its Western equivalents which, at least in Italy, could be prohibited by the public security legislation.
The Okid case, therefore, poses a problem that could go well beyond the role and limits of open-source intelligence and throw the entire ecosystem of the Western data economy into crisis. As Prof. Caligiuri pointed out on Formiche.net, the collection and analysis of data from open sources are techniques widely practised in every part of the world, by public and private actors alike. The fact that a Chinese company with more or less strong ties to the government is involved in such an activity should therefore not be surprising.
On the other hand, the entire ecosystem of US big tech (and of the many others who, elsewhere, try to replicate its results) relies on the same activity. An enlightening read, for example, is The Victory Lab, Sasha Issenberg’s book analysing the sophisticated and expensive profiling techniques used by Barack Obama’s staff. Alternatively, more mundane but equally instructive, one can study how big commercial profiling companies create creditworthiness profiles: they do not just collect data from traditional protest bulletins, business registries or public risk centres but, especially when profiling private individuals, they also draw on “open sources”. Finally, digging into the practices of what is euphemistically called business intelligence, one discovers that behind an anodyne definition lie powerful tools for collecting and analysing data that are, most likely, no different from those put in place by the Chinese company.
From a pure business intelligence perspective, Okid and its Western counterparts do not present particular problems. They are one element in the continuum of the information collection process available to a State, and they grow on their own, fed by the enormous amount of personal information that each of us spontaneously (and often unnecessarily) makes available through blogging or social networking platforms. From a regulatory point of view, however, a more articulated analysis is needed.
When dealing with the analysis of information on individuals, the first rule that stands out is undoubtedly the General Data Protection Regulation (GDPR), whose aim is to protect the fundamental rights and freedoms of individuals from illegal processing of personal data. Paradoxical as it may seem, however, in the case of the various Okids the GDPR offers weaker protection than one might expect. The data collected has been made public either by the person concerned or because of legal obligations, and therefore there is no problem of access to confidential information.
In theory, one may argue that by cross-referencing data on people who are not directly connected it would be possible to get “something more”, and therefore obtain a “sum of information” that is greater than the individual parts. If so, however, thoroughly Western analysis platforms such as Maltego and the like should be considered just as “critical” as Okid.
Article 134 of the TULPS, according to which “Without a license from the Prefect, it is forbidden for entities or individuals … to carry out investigations or research or to collect information on behalf of private individuals”, raises different issues.
Although traditionally applied to private investigation and commercial information activities, the provision is not limited to these areas and applies equally to profiling, open-source intelligence and even digital marketing.
Article 134 of the TULPS, in fact, refers generically to the “gathering of information” without further qualification. For public security purposes, such a wide scope is understandable: private dossier-building is the basis of any activity that is subversive or otherwise aimed at destabilising public order. It matters little whether the dossier is the result of legitimate activities such as data brokerage or commercial profiling. What matters is that, in one way or another, the outcome of these activities can work against national interests. The logic of this conclusion is, in part, the same as that followed by the European Court of Justice in the Schrems II judgment issued on 16 July 2020, which affirmed the right of European citizens to be protected from “institutional intrusion” into their (also) public data processed in the USA by the various platforms.
The Schrems II judgment and article 134 of the TULPS, therefore, represent two insuperable limits on information-gathering activities concerning Italian citizens. If a violation of public security rules could be established, it would allow immediate action not only by the data protection authority but also by prefectures and police headquarters against all those who, for various reasons, run open-source intelligence businesses without prefectural authorisation.
The Zhenhua case, therefore, has the merit of exposing the (dis)respect for the protection of public security shown by an enormous industrial sector, the data economy, and the inevitable difficulty of intervening, belatedly, in the privatisation of intelligence in Europe and the USA.
One could ask what sense there is in requiring a prefectural license to carry out digital marketing activities, and consider such a requirement completely anachronistic. This is not the case, however, because control over the circulation of recorded and cross-referenced personal information, wherever it is and however it happens, is a critical factor for national security.
So true is this that, with the Cloud Act, the US authorities can access data held anywhere by their companies, subject to a possible but non-automatic judicial review that is limited to “respect for privacy” and does not extend, for example, to procedural guarantees.
Recognising that “commercial profiling” falls within the scope of article 134 of the TULPS would, at the same time, increase the level of legal protection of individuals and strengthen the institutions’ ability to control non-compliant uses of the enormous information assets managed, mostly independently, by private entities.