| | | Effective PR

Solicitors and ID "badge" requirement.

Nigel Morris-Co...

The Solicitors Regulation Authority (like the trendy lot they are they don't use the apostrophe that good grammar demands) seems utterly determined to set itself at odds with the profession it regulates. A litany of complaints against its seemingly never-ending list of demands, many of which are costly, is playing out over the requirement that solicitors' practices with a website add a so-called "badge" to their website. The SRA seems to be functioning in a dangerous state of ignorance and arrogance. Solicitors are growling but they are toothless in the face of an autocratic and often incompetent regulator.

The history is simple: as the latest iteration of the regulatory body for solicitors in England and Wales, the SRA started life in a chaotic condition. I know. I'm a solicitor, albeit non-practising, and therefore at the pointy end of some of their activities.

There were two sets of circumstances that arose at the same time. The first was that the regulator moved from its old home to a new den in a business park. But the SRA couldn't get the contact details consistent across the printed letter head and the body of their correspondence resulting in utter frustration in trying to deal with them. Secondly, they tried to build a brand-new computerised registration system. After several months and a great deal of expenditure and disruption, they gave up. Apparently external providers could not cope and, in particular, could not cope with on-line account maintenance. Tongue in cheek, I told them that I could build one for them, using open source CMS platform Drupal in an afternoon. It wasn't intended to be taken seriously but it happened to be true. The Register is not technically complicated.

Amazingly, the response was to, amongst other things, decide that the data which was being collected would be truncated, that there would no longer be any requirement for solicitors who wish to maintain their standing but no longer practise to make that known to the SRA. Now no one knows if a solicitor is dead or alive once he ceased practice - he's on the Roll for ever, it seems.

In the past few days, the SRA has required us to visit the "MySRA" website and confirm our details. A series of garbled e-mails says that some information will be made public. They do not say

"this information is public


This information is not public

3. "

On the Register, my home address is shown. I cannot tell if it's public or private. I do not disclose a practising address because I don't practise. But nowhere is there a box to tick to say "non-practising." I asked. They implied that this is implied i.e. if there is no practising address, then the solicitor does not practise. Why is this left open to interpretation when total clarity can be made in the simplest way? Just give me an effing box to tick and display that on my public record.

The Roll or Register is the single source of authoritative information as to whether a person is a solicitor and whether he is permitted to practice.

Which brings us onto the "badge." At its simplest, a badge is a logo. A logo can be clickable and that click can take the visitor to the firm's entry in the \SRA's register and, thereafter, to the solicitors within that firm. Want to know how? It's a single line of simple code that starts with an address that the click goes to and another address from which the logo is called.

The SRA doesn't do simple: it does messy, complicated and expensive. Never learning from its mistakes, it has appointed external consultants to manage its badge and they have done as so many do and deployed routines made by Google. Routines made by Google are usually free of financial cost because Google collects data to add to its already disturbingly large database.

The battle over the "badge" has reached fever pitch as the SRA has issued an order that all firms must place a personalised example on their website on or before 25th November. Some firms are refusing, arguing that the use of the badge demonstrates a fundamental lack of understanding - and breach of - the General Data Protection Legislation. The SRA has after some time made what, on the face of it, is a retreat: it will disable the data collection by Google, it says, but only for the time being. It is not unreasonable to imagine that someone has a plan: remove the cause of the objections, then once everyone has a badge, quietly re-introduce it. The SRA says that the data collected is not personalised, is not used for analysed. Then it is not unreasonable to ask why it is collected in the first place.

Some have focussed on the use of cookies: many simple websites do not use cookies in any shape or form. They are, simply, not needed. However, when websites include e.g. advertising, then cookies are an inevitable consequence. Others have focussed on the far more insidious use of tracking cookies which is at the heart of "Google Analytics." It is hard to see what data the SRA can reasonably expect to gather and use from the use of analytics on the tracking cookies placed by Google. In any case, if all it needs is to know the IP address of the visitor and the IP address of the referring site, that's all totally achievable from a local, not remote, data collection. I know - I have it and guess what - it comes with that open source CMS I mentioned earlier. Do we use it? Yes but only for the purposes of identifying and blocking those who visit with demonstrable malintent or granting login-free access to paid-for services. But if the SRA wanted more detail, then it can get it with, again, open source and free software running on its own servers and therefore private. An example is Matomo, previously Piwik.

The SRA has not disclosed its underlying purposes for the collection of data via badges. Will it, for example, reveal "hits" so that the SRA is able to learn how popular a particular website is? Will it identify those firms that have frequent international business or, even, receive visits from countries subject to sanctions? Will the SRA be able to identify those firms that have a high concentration of contact from one or a small group of IP addresses?

All of these are possible and solicitors simply do not know what information is being collected nor the precise purposes to which it is being put.

Worse, as more and more solicitors are pointing out, it's not even secure. The "badge" can be copied and placed on a fraudulent website in a worrying form of identity theft. Logos are a piece of cake to copy - I once had an item pulled from BBC News because the Corporation's lawyers were nervous that criminals would find out how easy it was to do by watching my demonstration. That was in the 1990s. I had produced, on camera, a fake website for a real bank using the original logos in less than five minutes.

There is considerable resistance building in the profession against the SRA which is seen as becoming too big for its boots, conspiring with a range of other bodies to reduce the professional standing of solicitors while simultaneously adding requirements that are expensive and even disruptive to an already over-burdened profession while failing to protect the profession against anti-competitive practices imposed by external forces.

In the meantime, some solicitors are threatening to refer the SRA to the Information Commissioner's Office (ICO) and that, it seems to me, is a good step. Let the ICO decide whether the data collected by the SRA's agents and google as a result of a badge on a solicitor's website might create a liability for the firm (on the face of the legislation it seems that it does because the firm owns the website).

One law firm, it is reported, has put the badge on a separate page so that it is not automatically loaded every time someone visits and, therefore, the data is not automatically collected. Others are placing warnings next to the badge inviting people to make sure their settings block tracking cookies (in theory, that can be done before the first set of data is collected).

Is this enough? Probably not but it's a start. The only other methods are to sue the SRA and seek judicial review of its policies or civil disobedience, a course of action that the SRA will not take lightly.

---------------- Advertising by Amazon and others helps pay for this site ----------------

| | | |