Tuesday, 31 March 2009

OGC releases Gateway Reviews of ID Card project

On one of my bookshelves, there's a copy of Peter Wright's memoir, Spycatcher. Published in 1987, the book spurred the then government into frenzied attempts to ban it. Those attempts were fatally undermined by the government's inability to prevent publication elsewhere - and eventually in 1988 the Law Lords ruled that the book no longer contained anything which could be classified as a secret. I got my copy during a visit to the States in 1987, early enough that I probably broke the law by bringing it back to the UK - though apparently had I declared my contraband on re-entry, customs officers would have been under no instruction to confiscate it.

Oh, how wicked I felt. That sense of mischief faded fairly rapidly as I read the book, though, and the sheer banality of much of its contents became apparent. Don't get me wrong, it was interesting enough... but to anyone brought up on espionage fiction later than the Joseph Conrad or Erskine Childers vintage, it was all pretty tame stuff. Even real life, in the form of the unfortunate Georgi Markov (assassinated with a poisoned umbrella in London, ten years earlier), outstripped most of Peter Wright's revelations about MI5's domestic counter-espionage operations. And did its publication shake our national security apparatus to its very foundations, impairing its very ability to protect us from the foreign menace? Not noticeably, no.

Wind forward two decades, and after a lengthy legal struggle, the Office for Government Commerce (OGC) has finally acceded to a request originally made in early 2005 for the "Gateway Reviews" of the ID Cards project to be made public. The wrangling over whether or not the reviews could be published went to the Information Commissioner, thence to the Information Tribunal, and ultimately to the High Court - and according to SpyBlog cost the OGC at least £120,000 in legal fees, not to mention the administrative time and effort.

Naturally I fell on the released documents in a state of high excitement, eager to see what damning findings they contained. To put it briefly, there is no smoking gun. The Gateway reviews do not contain the secret details of the ID Scheme's fatal flaw, or evidence of diabolical intent on the part of the Scheme's proponents. That's not to say they include no basis for criticism: see SpyBlog's succinct analysis here for a clear indication of some of the shortcomings revealed.

The reports do contain clear evidence that the fundamental objectives of the scheme evolved substantially between the two reviews (notably, from "Entitlement" to "Identity" cards) - but then, that much has been blatantly obvious despite, or perhaps because of, the whirl of departing and arriving Home Secretaries over the years.

One can also see the review team's concerns about the complexity of the project in organisational and technical terms, and gauge whether subsequent moves have mitigated those risks.

Finally, the first review in particular also includes revealing comments about who the scheme's principal beneficiaries are expected to be, and what level of user consent is assumed. There is no mention of the sharing of citizen data - something which is now surely an unavoidably large feature of the landscape.

None of these revelations, though, is fundamentally surprising - though it would be newsworthy if subsequent releases showed that the reports had been ignored as the policy and its implementation were taken forward.

In the Spycatcher case, arguably, far worse than anything which resulted from publication was the damage done to the Government's credibility by its frantic attempts at a ban. Its pursuit of the matter through the courts made it, and the law, look increasingly asinine.

In the Gateway Review case, the OGC has been at pains to state that its decision to abide by the High Court's decision does not set a precedent.

cnet review of a week trying IE8

I've just been reading Steven Shankland's review of his week using Internet Explorer 8 as his default browser. I haven't tried it yet, so I am in no position to offer an opinion of my own. That said, there are a couple of things which stood out when I read the review.

"The sluggishness problem got worse as my Lenovo dual-core laptop's 3GB memory was taxed by running the 10 or 12 programs I need to do my job. Most days, I shut down my Windows XP work machine once a day without thinking much about it. But during IE 8 week, I found myself craving a fresh start by mid-afternoon. IE 8 didn't bear the load as gracefully as rivals, especially as the tabs piled up. "

A dual-core machine with 3Gb of memory...? Shut it down once a day...? Mid-afternoon re-start...? Whatever the relationship may be between running 10 or 12 programs and IE, and sluggish performance, I suspect that a lot of Linux users will be raising a quizzical eyebrow at that paragraph. For example, I run Ubuntu on a 2.6GHz Pentium 4 with 1Gb of memory. Before Ubuntu, the same machine ran Java Desktop System. I frequently use the 'multiple desktop' feature so that I can have email on one desktop, browser on another, OpenOffice on a third, and so on - though I freely admit I rarely have more than half a dozen applications active at any one time.

However, performance is not an issue, and I have long since forgotten what it's like to have to reboot a machine part way through the day just to get it to run faster again.

Quite possibly what the cnet review uncovers is a set of parameters for which IE8 was not designed or optimised... but all the front-end gloss in the world is not much use if it's too slow, or if you have to structure your working day around the need to jump-start it from time to time. I had a 1974 Mini like that once (except without the front-end gloss).

MPs expenses - another useful lesson

Whatever my feelings about some MPs and their expense claims, I have to be grateful to them for providing, today, yet another good case study on personal data. Yesterday, I remarked in passing that 'there are many other ways in which that information can reach the public domain'.

Today's news story reveals one of the more powerful - the pull of money: apparently £300,000 will get you a leaked copy of all their receipts.

Back in November 2007, in the wake of the HMRC data breach, I referred to the bon mot which Willie Sutton apparently never uttered - that he robbed banks because "that's where the money is". Whether he did or did not, the principle holds good: the theft of personal data is attractive because there's money in it.

Sunday, 29 March 2009

Home Secretary "shocked" by digital footprint

I don't really care whether the Home Secretary claims her ISP costs without remembering to cross out the "personal use" items - though as someone who has occasionally had to distinguish between personal and business elements on a single phone bill, I am at a loss to see what is so hard about doing so.

I care even less who watches which films in the Smith/Timney household - and if those give rise to frank exchanges between the couple, that's entirely a matter for them.

However, I wonder if this has had any effect on the Home Secretary's awareness of her digital footprint. Our online activities, whether by mobile phone, landline, broadband, cable or satellite, all leave a track, whether we intend them to or not - as Mr Timney has discovered. Admittedly, that doesn't necessarily result in Daily Express coverage for every one of us, but the information is there nonetheless, and there are many other ways in which it can make its way into the public domain.

I doubt, though, whether this will materially affect current plans for the mass interception of communications data and the rumoured monitoring of social networking sites.

"[T]he EU Data Retention Directive, under which ISPs must store communications data for 12 months, does not go far enough" - Home Office security minister Vernon Coaker (March 16th 2009).

Friday, 27 March 2009

Will the real Ceadúnas Tiomána please step forward?

Thanks to Richard Veryard for spotting this and Twittering about it...

Apparently the Gardai noticed that a disproportionate number of motoring offences were being committed by a Mr Prawo Jazdy. On investigation, this turns out to be the Polish for "driving licence".

It reminded me of my father's stories of English army officers trying to map the interior of southern Arabia with the help of native guides. The officers typically didn't speak much Arabic (beyond useful map-maker's phrases like "what's this called?"), and the guides, soon growing bored, started to give frivolous and sometimes coarse answers. As you might well do, given the priceless opportunity to put one over on the colonial intruder.

The mischief was often only discovered when users of the resulting maps, more versed in the Arabic language, found they were navigating via features such as "My *rsehole", "What do you think?" and "Mt. Your Finger". I don't know how the guides could have kept a straight face.

Se non è vero, è ben trovato...

Wednesday, 25 March 2009

PrimeLife meeting in Frankfurt

Well, as the Twitter channel wasn't working for me at the time, here's a quick update about the PrimeLife workshop I have just attended in Frankfurt. PrimeLife is an EU part-funded project which follows on from the PRIME (PRivacy and Identity Management in Europe) project. It seeks, among other things, to turn some of PRIME's principles into practical privacy-protection over (and beyond) the life of the citizen/data subject. I am fortunate enough to have been invited to be on its Advisory Group - hence the trip to Frankfurt.

It's a little unfair to pick specific sessions from what was a very productive and thought-provoking workshop, but I'm going to do so anyway... life isn't always fair, after all. The two discussions which I found particularly interesting were on 'identity and privacy in social networking' and 'managing personal information throughout life'.

I won't try to reproduce either of them here, but for instance, the social networking session raised intriguing questions about implicit and explicit disclosure, and the risk assessments users make on the basis of perceived risk. As you might expect, those risk assessments are often likely to be fundamentally flawed.

Here are a couple of examples which I found particularly striking:

- "I've uploaded some photos from last weekend's party - but it's OK; I haven't labelled who's in them, so the only people who will recognise you are the people who know you anyway". Except that facial recognition software can render that assumption invalid. You might argue that the face-matching capability is not in the hands of every individual... but I'd counter that that's only a matter of time (grid/cloud computing and Moore's Law being what they are), and the photos will still be there when it is. In the meantime, there are plenty of organisations with the capability and the motivation to crawl the web matching faces to individuals and individuals to market segmentation profiles.

- "I have a MySpace account I use for social stuff, and a FaceBook account I use for family stuff. But I want to keep them separate, so one of them is pseudonymous." Apparently not only facial recognition, but also 'background recognition' algorithms are good enough now to start making matches on that basis, and that kind of capability can nullify a lot of other steps you might have taken to try and enforce separation between personas. Even if you're not in the photo, there could well be enough data there (background, time/date) to make it linkable.

Worried? Then you probably shouldn't read this.

The discussion about life-long management of personal data of course raised the issue of what to do when the data subject is not capable of managing either their personal data or their privacy on their own behalf - for instance, through illness, incapacity or, in extreme cases, death. The latter is not a trivial case, and there was much debate about whether systems should be designed with a 'recovery mode' in mind. Not, I hasten to clarify, for reanimating the deceased... but to make it possible for executors and/or trustees to get appropriately controlled access to someone's 'digital legacy'. After all, the more we live our lives online, the more of our information and assets are likely to be found there (rather than in a dusty box of papers in the attic).

Fascinating stuff, and looking at the PrimeLife participants, I think their investigations and conclusions are going to be well worth keeping an eye on over the next two years.

Figures, statistics and cost-of-cancellation

'Home Secretary says undoing ID Cards project will cost £40m'...

I know I'm by no means the first person to have commented on this story, but for the heck of it, here's my 2-penn'orth.

Not unexpectedly, the opposition has taken the opportunity to re-cast one of their objections to the National ID Cards scheme (NIS) as a "how can the Government commit us to £40m of wasted public money at a time when the public finances are already in such dire shape?" question.

In some respects I think the criticism is unfair; for instance, it was not Jacqui Smith who (as one might infer from the Computing article I linked to) wrote cancellation clauses into the contracts with NIS suppliers. That happened long before she arrived at the Home Office, and even longer before the effects of the economic downturn really started to bite. If the shadow Home Secretary, Chris Grayling, has only just noticed the cancellation clauses, he must have been asleep for some time.

In other respects, however, the story uncovers all the same confusions and confabulations which have made it so hard to take policy statements on the NIS seriously.

For instance, here's one line of reasoning put forward by the Home Secretary (at least, according to the Computing article):

- Cancelling the ID cards scheme will cost some £40m in cancellation fees;
- Cancelling the ID cards scheme will therefore 'not free up a large fund of money to spend on other priorities';
- Cancelling the ID cards scheme is therefore not worth considering on grounds of cost.

As Richard Veryard has observed, if spending £40m removes the commitment to spend £4bn, that looks like a pretty good net outcome.

The riposte to this appears to be "Ah, but the ID cards scheme won't cost £4bn anyway... the cards actually only account for £1.19bn of the budget, with a further £550,000,000 to £750,000,000 for storage of biometrics".

At the risk of being accused of shooting fish in a barrel... writing off £40m to save £1.19bn, £1.74bn or £1.94bn still doesn't look too fiscally imprudent to me. The broader point, though, is this: yet again, the over-all NIS policy is being justified on the basis of confusing (whether deliberately or otherwise) the authentication functions, the biometric elements, the databases which enable those other parts to work, and the little piece of plastic which you may or may not end up carrying in your wallet. Or, according to various ministerial statements, your shoe*.

The point is that as long as policy statements perpetuate this confusion, most citizens will tend to assess the risk/benefit of the NIS on the basis of the physical part of it which is tangible to them; the "terrifying, small... plastic card". That is not an adequate basis for informed consent.



* This rather gnomic comment relates to public statements like this, which I and others have heard made at ministerial level (this is not verbatim, but is accurate in essence): "Every weekend, the Passport Service receives hundreds of passports which have been sent in from nightclubs where they have been left behind/dropped by young ladies who needed something to prove their age, but had nowhere to keep something the size of a passport. What those young ladies need is a proof-of-age credential which is credit-card sized and can therefore be slipped conveniently into their shoe."

Problem solved. I don't know why I have been being so selfish. Of course my biometrics can be recorded in perpetuity... as long as it means that all female clubbers who are of legal age but don't look it can have a credential which fits into whatever footwear Young People wear nowadays when they frequent the discotheque. Proportionality, my iris.

Saturday, 21 March 2009

Pope Benedict: "Condoms cannot overcome AIDS"

There has, predictably enough, been no shortage of press coverage of His Holiness Pope Benedict XVI's recent remarks about condom distribution in Africa.

Part of his press briefing is reasonable enough: AIDS, he said, 'is a tragedy that cannot be overcome by money alone, and that cannot be overcome through the distribution of condoms...'. However, he went on to add '... which even aggravates the problems' - and that's the aspect which is leading to accusations that he is flying in the face of reason.

His argument, if third party commentators are to be believed, runs like this:

- condoms increase promiscuity;
- promiscuity increases the spread of AIDS;
- promiscuity and AIDS are best reduced through strong social institutions, particularly marriage and fidelity...

There are three fatal problems with this analysis:

1 - the prevailing scientific view, rationally enough, is that promiscuity with barrier contraception such as condoms does not contribute to the spread of AIDS;

2 - in the African context in which His Holiness was speaking, marriage and fidelity are not reinforced by the other strong social institutions the Pope seems to feel he can rely on in his reasoning;

3 - Only 17% of the Pope's African audience is Catholic. Leaving aside whether his statements represent the best pastoral care for them, is His Holiness really entitled to advocate policies which put the other 83% at greater risk?

Here are a couple of articles which give more background and links:

William Crawley on the BBC site.

Ruth Gledhill in the Times.

Archbishops 'dismayed' at Pope's message.

And here is the Avaaz petition urging Pope Benedict to reconsider.

U-turns, u-turns...

Listening to the radio late last night on the way back from London... if I'd done a u-turn every time there had been news of one, I would never have made it home ;^)

Next week sees the Coroners and Justice Bill return to the House of Commons for the Report stage and Third Reading (see here for a summary of the Bill and its progress through the various stages). A quick glance at that page indicates just what a mish-mash of different policies it is trying to put into law:

"Key areas
  • Reforms the law relating to death certification and coroners, requiring some inquests to be heard without a jury
  • Facilitates sharing of personal data by the public sector
  • Amends the defences of diminished responsibility and provocation in homicide cases
  • Simplifies language in the offence of assisting or encouraging suicide
  • Removes an exemption for ‘discussion or criticism’ in the new offence of inciting hatred on grounds of sexual orientation
  • Extends the law proscribing possession of child pornography to include non‑photographic images
  • Increases flexibility in the help given to vulnerable witnesses giving evidence
  • Changes rules on live links for defendants
  • Reforms the system of granting bail in murder cases
  • Makes changes to legal aid
  • Introduces measures to prevent offenders profiting from accounts of their crimes."

I was gratified to hear an opposition spokesman on legal affairs re-iterate the point I made a couple of weeks ago - namely, that having a clause buried deep in a massive Bill like this which completely over-rides existing statutes such as the Data Protection and Human Rights acts cannot be a good way to make law.

So, u-turn #1: it seems the Justice Minister, Jack Straw, really does intend to delete the offending clauses from the CJB. I think that is good news - though I cannot believe it signals a complete withdrawal of the Government's plans for an over-arching public sector data-sharing policy, and it remains to be seen whether Mr Straw can come back with something which does a better job of balancing citizens' rights and the public good with his administrative objectives.

U-turn #2: Mr Straw again, this time retreating from proposals that he, single-handedly, should be able to determine whether coroners' inquests should be held in secret. Again, I think this sounds positive - though Isabella Sankey, speaking for the human rights group Liberty, sounds less convinced: "It is a well-established Whitehall trick to draft the most unpalatable law with a view to making supposed concessions at the last minute". Still, it is hard to see how less accountability and transparency in the holding of coroners' inquests would be a good thing.

And u-turn #3: This time it's our old F1 friends Mr Ecclestone and Mr Mosley, who have decided to postpone their last-minute plans to revise the entire scoring and ranking system for the F1 drivers' championship. According to this piece on the BBC site, Ecclestone and Mosley, speaking through the FIA, wanted it done their way, the Formula One Teams Association (FOTA) wanted it done a different way, and the World Motorsport Council (WMC) favoured yet another option.

Presumably, when you have that many stakeholders, the sensible thing is to get their agreement first, through some kind of open discussion... but that just isn't the way the Moslestone duo does things.

Friday, 20 March 2009

Twittering on...

I am fairly sure that "twittering about privacy" is an oxymoron, but to satisfy a colleague and my own curiosity, I'm going to give it a go.

As you will see, for the time being there is a twitter feed on this blog page - or for those of you who already twitter, my ID is futureidentity.

I haven't felt a pressing need to sign up with twitter up to now - but then, when I first started blogging I wasn't sure that was for me either, and I seem to have ended up doing quite a lot of it. We shall see.

Thursday, 19 March 2009

(A Little Bit of) History Repeating... (II)

"The profits in bipolar/TCM-based mainframes have been under steady pressure from machines run by lower-cost microprocessors, using CMOS technology.

The price pressure as servers turn into commodity products has prompted the major server makers to move into software and services. They are particularly focusing on supplying the technology and expertise to operate corporate data centers more efficiently and with less power.

“For years, IBM has been fighting against the commoditization wave,” said an industry analyst..."

That is not the text of an article from 1995, but it could well have been. In that year, while at IBM, I worked on a project which involved spending a few weeks at the corporation's Poughkeepsie plant in upstate New York (far nicer than it sounds, believe me!). While we were there, our project manager arranged a tour of the mainframe production facilities for us, and it was fascinating. The first 90 minutes of the tour took us through the TCM (Thermal Conduction Unit) manufacturing process, in which maximum processor density was achieved by mounting chips on a multi-layered ceramic substrate and water-cooling them via a heatsink encapsulated in helium. The ceramic substrate was essentially a 30-layer "mille feuille", run through with a complex 3D array of tiny wires to interconnect the chips. Sometimes this array needed to be hand-patched - a job which skilled operators could do using binocular microscopes and micro-manipulators for a maximum of about half an hour before having to take a break. From there, we went to look at the plumbing which was built into the mainframes to carry all that heat away.

If that sounds complex and expensive, you're getting the picture.

The last 10 minutes of the tour was a brisk trot from one end to the other of a gymnasium-sized hall in which mainframe parts arrived at one end, in cardboard boxes, and completed servers were collected from the other. This was the CMOS mainframe range under construction. It was an assembly line, with little or no specialist labour and no custom-built parts. I could not have been shown a clearer illustration of why the bipolar technology was losing market share so fast to the new CMOS machines. You might as well wonder why all cars today don't still have hand-beaten radiator grilles like a Rolls Royce.

Oh - and here's the real version of that quote I Bowdlerised above... from the NY Times today.

"The profits in proprietary servers have been under steady pressure from machines run by lower-cost microprocessors, made by Intel and Advanced Micro Devices, using personal computer technology. The leading makers of these industry-standard servers are Hewlett-Packard and Dell.

The price pressure as servers turn into commodity products has prompted the major server makers to move into software and services. They are particularly focusing on supplying the technology and expertise to operate corporate data centers more efficiently and with less power. [...]

“For years, Sun has been fighting against the commoditization wave,” said Nicholas G. Carr, an industry analyst and author of “The Big Switch,” a book published last year about cloud computing."

Wednesday, 18 March 2009

Big Blue, Big Bang... or Solar entropy...?

Today's business press is buzzing with a story first published by the Wall Street Journal, according to whom acquisition talks are said to be in progress between IBM and Sun. As someone who has worked for both corporations, for 12 and 8 years respectively, I read the stories with a certain wry amusement.

When I joined IBM in the mid 80s, it was suffering from the consequences of its own organic growth into a massive, unwieldy organisation with ossifying hierarchies and paralysing bureaucracy. If I remember correctly, when - as a new hire - I used my 3270 terminal to trace the reporting line from myself right up to John Akers at the top, I had to traverse something like 11 or 12 layers.

Six or so years later, it took radical surgery by Lou Gerstner (brought in from Nabisco, to almost shocked disbelief from many inside the behemoth... "a biscuit-maker...?!?") to lop off the very disparate businesses which IBM had been trying to lump together under a single colossal umbrella (Lexmark, Lenovo and so on were some of the resulting off-shoots). (Incidentally, I was still at the bottom of the reporting chain, but now only about 9 levels from Mr Gerstner...).

When I arrived at Sun at the turn of the millennium, it was suffering from the consequences of extremely rapid growth, much of it through acquisition (especially in the software business) during the boom years of the late 90s. Where IBM had been struggling to function until it split itself up into separate, more manageable business units, Sun was struggling to make what had been self-sufficient businesses behave as coherent parts of a corporate whole.

One of the effects of that rapid growth was that Sun's management layer became widely populated with people who, although perfectly professional, had only learned how to run a business during times of growth and profitability. When the tide started to go out, an awful lot of them simply didn't have the skills to manage the same business under very different conditions. To a large extent, Sun is still suffering from the effects of a market which contracted faster than it was able to. (And before you ask... when I left Sun, yes, I was still at the bottom of my reporting chain, but I had chanced upon a very short one, and was only 4 layers from Mr Schwartz.. ;^)

So, if the rumours prove true and the alleged talks lead to an acquisition, the results are going to be culturally fascinating for both organisations. I shall, as the standard rejection letter puts it, "watch their future careers with interest".

This weekend should be an interesting one in sporting terms: the Six Nations Rugby Union competition reaches its finale with a match between Wales and Ireland which will determine who wins - and whether Wales (playing on home turf) can prevent Ireland from taking the Grand Slam.

And Formula One coverage returns to the BBC after its sojourn on commercial broadcast [Oops. Small correction: this doesn't happen until the 29th]. As usual, there is no shortage of controversy as the new F1 season kicks off, much of it prompted by the announcement that this year's winner will be chosen on the number of races won, not on the current points system. Only if two drivers finish with the same number of race wins will points be used to decide between them.

I can see a number of problems with this approach - not the least of which is that Formula One is not, and has not been for decades, a sport where individual skill and endeavour is the main factor in whether someone becomes champion or not. It is a team sport... and in several senses -
  • the driver is only at the wheel by the grace of the army of designers, engineers, test drivers and support crew without whom they would be able to do nothing;
  • while blatant moves to 'arrange' the points tally have ostensibly been banned (cf. Ferrari - Austria 2002, China 2008), there's no doubt, for instance, that a driver's team-mate can often play a vital role in keeping a chasing rival penned in for as long as possible.

That being the case, the biggest issue with the proposed change is simply this: it opens up the possibility that half a dozen different drivers might win some races during a season (but fail to maintain a consistently high performance level), while one driver consistently comes second. Under the current points system, the consistency of that driver and team's efforts would stand a chance of being recognised, while the intermittent success of the others, rightly, would not.

The other problem, of course, is one of a number of points made in Andrew Benson's excellent blog post here: since 1991, the only season in which the new system would have changed the championship outcome was last year's down-to-the-wire nail-biter. On that basis, why bother?

Well, who can say what ultimately motivates the decisions of F1's ultimate bosses, Bernie Ecclestone and Max Mosley? Much of what they do seems mostly to be driven by a desire to ensure that the F1 franchise is so complex that it can never be disentangled and made in any way transparent. As I've said in previous F1 rants, I think it's a terrible shame. The commitment, bravery and skill of the drivers - and the innovation and dedication of their supporting teams - provide all the ingredients needed for a genuinely thrilling contest, if only some of the other stakeholders were less Machiavellian.

Will I be watching this year? Perhaps occasionally, but in general, no. I've given up F1 for Lent, and will be reclaiming my Sunday afternoons for something more constructive, like mowing the lawn.

Saturday, 14 March 2009

Consent and Revocation

There was some excitement in the Wilton household recently, as Mrs W succeeded in tracing part of her family tree back to the 1500s. The bizarre thing was that, all those generations ago, the baptismal records showed that some of her ancestors were baptised in the same town (and therefore probably the very church) as the most recent generation. Given the extremely peripatetic routes by which Mrs W and I even ended up living in England, let alone Wiltshire, that was quite a discovery.

Of course, records of death, marriage, birth and baptism are a key part of that search, and the extent to which they are now being put online is a factor in how far back you can search with ease.

As one John Hunt is discovering, that record is something it can be quite hard to amend. Mr Hunt was baptised as a child, but gradually became disenchanted with his allotted religion, and withdrew from it before the point at which he would have been expected to convert his baptism into a confirmation of faith. Now he wants to annul the oaths made on his behalf at his baptism, and have the record amended accordingly.

Unfortunately for Mr Hunt, the Church of England appears reluctant to 'qualify' the original record. Its Council of Archbishops apparently responded that 'the Church of England did not regard baptism as a sign of membership, so any amendment to the record would be unnecessary'.

In terms of identity management, this paints an interesting picture. According to the episcopal response above, the baptismal record doesn't signify affiliation ("is a member of"), so the 'issuing party' won't change it. And yet it ascribes a number of attributes to Mr Hunt which he no longer considers to be true.

As those attributes relate to Mr Hunt's religious beliefs (or absence of them), they presumably qualify as Sensitive Personal Information under the Data Protection Act - in which case he would be within his rights to insist that the record held about him is inaccurate and needs to be amended.

Wednesday, 11 March 2009

Is privacy only for the rich?

At the Enterprise Privacy Group's first annual conference, back in 2007, participants undertook a fascinating "Postcards from the Future" exercise. The idea is that you imagine yourself a number of years hence, sending a postcard back to yourself now, and describing something about how (in this instance) digital privacy looks with the benefit of some time-travelling hindsight.

One of my suggestions was that in the future, digital privacy - like any constrained and valued resource (clean and abundant water, personal transportation, legroom) - would be something only the wealthy can afford.

If we are to go by Max Mosley's remarks to the UK Parliament's Culture, Media and Sport committee, in William Gibson's words, "the future is here". Among other things, he notes that his legal action against the News of the World ended up costing him some £30,000 - but that it was worth it, despite the fact that he considers the damage to his reputation from their revelations to be irreparable.

A couple of his phrases, at least as quoted in the BBC article, suggest a remarkable ability to dissociate cause and effect from one another. For instance:

"I worked hard over a number of years to build up a certain reputation."

He added: "You do this because you want to re-establish yourself and your family as proper people and if something like [the newspaper story] happens it destroys the whole thing."

In philosophical terms, the role of the newspaper story in this is what would be called "an unnecessary and insufficient cause" of Mr Mosley's subsequent loss of dignity.

It's "unnecessary" in the sense that it was not the only way in which Mr Mosley's dignity could have been compromised. For instance, someone could have posted embarrassing videos of the episode on the internet, rather than going to the press with a story.

More to the point, though, it is "insufficient" in the sense that the loss of dignity could not have happened without Mr Mosley having done something - regardless of whether that something was subsequently published by a newspaper or not. And this, surely, is why Mr Mosley's remarks about "working hard to build up a certain reputation" must sound so bizarre. He is keenly sensitive to the negative connotations of his family name - associated for decades with British Fascism - and clearly understands the importance of his public persona in counteracting them. And yet, without his own clandestine behaviour there would have been nothing to undermine his rebuilding efforts.

I, for one, am grateful to Mr Mosley for having provided such a textbook example of two principles.

First: "shared secret" is an oxymoron.

Second: maintaining different 'personas' can contribute to personal privacy - and personal privacy is undermined when the barriers between those 'personas' are broken down. That principle is fundamentally a good one, and deserves to be more widely appreciated. What use individuals make of it is another matter.

If I can mention this without being considered indelicate - Max Mosley turns 69 on Friday.

Monday, 9 March 2009

Government to withdraw "data sharing" clauses

Three weeks ago I blogged about the extraordinary and questionable way in which wide-ranging data-sharing powers were being introduced in the UK, buried deep in a Bill with the innocent-sounding phrase "Coroners and Justice" written on the front.

(Incidentally, you can now instantly tell whether or not you are a sad Hitchhiker fan by noting whether or not the phrase "Beware of the Leopard" popped out of nowhere like a large drinks bill as you read that last sentence...).

If you recall, apart from the worrying breadth of the data-sharing powers proposed, the Bill introduced them through the bizarre mechanism of amending another, otherwise quite unrelated piece of primary legislation (the Data Protection Act 1998). Well, I say "amending"... the effect of clauses 152-154 of the Coroners and Justice Bill (CLB) appeared to be to completely overturn the 2nd Data Protection Principle, namely that data collected for one purpose should not be re-used for another.

Well, the story is now appearing, on VNUnet and in the Telegraph Online, that Justice Secretary Jack Straw is to drop the clauses from the Bill and start a fresh attempt to reach consensus on a less sweeping alternative. If true (and both Phil Booth of No2ID and Simon Davies of Privacy International appear to think that it is), this is a welcome concession to the 30 or so bodies which wrote to Mr Straw last week to tell him what a bad idea they thought the clauses were.

According to the VNUnet article,

"Straw will instead ask the Information Commissioner to lead a public consultation on the issue so that public bodies can share information where there is a clear benefit – for example, previous reviews have highlighted the many different agencies that need to be informed when someone has died."

That's all well and good, but in citing the hoary old 'bereavement' example it almost entirely misses the point. If the proposals are intended to allow public sector organisations to share data where there is supposedly a clear benefit to the citizen, then the key criterion to be satisfied before any such sharing takes place must be: does the citizen in question want it to happen?

If I choose to be obliged to contact multiple agencies should I have to notify them of someone's death, that choice ought to be mine, and I ought to be allowed to make it on the basis of helpful information about the risks, as well as the potential benefits, of allowing my data to be shared. Until the principle of informed consent is more rigorously applied to plans for the sharing of citizens' data, any new proposals are likely to be just as unacceptable as the one which, I hope, is about to be consigned to the drafter's bin.

News from the Far Side

One of the things about running my own business is that there are unlimited opportunities to learn, first hand, the truth of all kinds of stuff you've been told and just thought "well, 'duh...!'".

Today's light-bulb moment: "As a publishing medium, a website is "passive", and therefore not an interactive way to engage with your audience". ["Well, 'duh...!'" Ed.]

As a statement, that reaches (I hope!) new heights of dullness for this blog... (though if not, please feel free not to comment with a long list of other, more boring statements from this blog... ;^). However, the implications are quite interesting.

Unless you expect people to subscribe to a 'feed' of your website you have to rely on them coming back to see if there's new content. For a typical mainstream media site both of those are entirely realistic expectations - they offer feeds and can also expect people to visit regularly because their content is ephemeral in principle. Otherwise, for a 'normal' website, only content like News, Press Releases and Events is ephemeral, and the rest is less volatile and therefore less likely to encourage frequent visits.

Bottom line: I have decided to use this blog to let people know when I post substantial content to the Future Identity website, as you are more likely to be subscribing to or visiting the blog. So, over on the website I have just updated the "Portfolio" section with news from the first couple of months of Future Identity's existence. Just to subvert my own publication model, though, here's a copy of the new content ;^)


January 2009

Consulting engagement

I was delighted to be able to 'hit the ground running', and kick off 2009 (and Future Identity) by closing an order in the first week of January. This was for a consulting engagement with a UK public sector organisation, to do an analysis of plans for integration with a number of other European authentication services.

As you can imagine, a lot of my time currently is spent on developing the foundations of future business, so here are some of the other activities I've been involved in which I hope will result in project work in due course.

GENI programme

In late January I took part in the 'Workshop on GENI and Security', hosted by the University of California (Davis) for the US GENI programme. This brought together academic and commercial researchers to propose projects for the GENI programme. I set out a proposal for a privacy-related work stream to complement the other functional R&D themes in GENI. The formal proposal was submitted in February, so we will see what results from that once the proposals have been filtered and evaluated.

February 2009

Liberty Alliance, Privacy Steering Group

Late February saw the Liberty Alliance's plenary meetings, hosted at Sun Microsystems' Santa Clara campus. I was there to plan the next phase of work for the Public Policy Expert Group (PPEG), and also to host a Privacy Steering Group session in which we brought together representatives of the corporate CPO, legal and technology communities to help define Liberty's future work on identity and privacy. A summary of that meeting will go up shortly, both here and on the Liberty website. (Links to follow soon)

There's great work going on at Liberty, particularly in the areas of Identity Governance, Identity Assurance, and an intriguing project called the Citizen Dashboard. This latter work should make significant steps towards something which has, over the past couple of years, frequently been the subject of my mild-mannered rants: namely, a better way for the individual to see and manage their digital footprint.

I know the phrase "watch this space" is horribly clichéd, but this is a space genuinely worth watching.

EnCoRe project

I have also taken part in two workshop sessions for the EnCoRe project (mentioned on the Links page of this site). EnCoRe is one of a triplet of projects sponsored by the UK Technology Strategy Board, and also aimed at improving the quality of individuals' perception of their online privacy and identity. The simply-stated objective of EnCoRe is to make the issuing and revocation of consent 'as easy as turning a tap on or off'. It will be simpler to state than to achieve, I'm sure, but well worth the investigation, and so far a very lean, productive project.

Thursday, 5 March 2009

The grass is not always greener...

This blog post is offered as a public service. There are times when life seems altogether too grim - and at times like those, it's always helpful to be able to look at some other poor blighter's lot and say to oneself "hey ho - it could be worse after all...".

News reaches us of a piece of research fieldwork from 2007, in which two ecologists diligently monitored the deposit of otter faeces along a 28km stretch of Polish river-bank. Among their findings:
  • removing otter poo from sections of the river-bank prompted the otters to raise their "drop rate" there by about 50%, at the expense, so to speak, of other sections of the river-bank;
  • replacing one otter's poo with another's did not prompt the original donor to retaliate with an increased drop rate.
At one level, that second finding is just interesting; if otter poo is used as a territorial marker, one might think that finding the markers left by a possible rival would unleash an escalating otter poo fight. Not a pleasant thought. However, at another level, it's worth considering the practicalities of this degree of... hands-on specialisation.

The researchers were obviously knowledgeable enough to distinguish different otters' leavings, and dedicated enough to collect and re-distribute them manually.

As I say, every now and then it does one good to know that someone else is probably having a more miserable time than oneself.

Lexicological note:

Although I have used the technical term "otter poo" here, generalists may be interested to know that the English term "spraints" is also correct when referring to the poo of large wild mammals such as deer and otters. This term comes from the French word "épreintes" - a word which they reserve exclusively to refer to otter poo, partly in recognition of its unique and characteristic odour: 'a not unpleasant blend of mead and dried fish'. Not unpleasant, one supposes, if you are fond of a bit of dried fish chased down with mead. Bon appetit. I should perhaps qualify that last quotation by mentioning that it was from the zoology website of a Belgian university.

The prosaic old Anglo-Saxons didn't waste much time or vocabulary on excrement, indiscriminately applying those safe old fallbacks, "dung" or "sh*t", regardless of the precise species concerned - presumably because, by that stage in the digestive process, they didn't think the distinction was worth drawing. The Francophones, on the other hand, invest in a whole taxonomy of turds, including crottes (dog/cat), bouses (cow), bombes (horse), fiente (bird), étron (among others) for humans ... and probably others I have, thankfully, never had cause to discover.

Sunday, 1 March 2009

I can see home from here...

I've been in the States this week, for the Liberty Alliance plenary meetings and also to start setting up a Privacy Steering Group for the organisation, so we can gather expert external stakeholder advice as we define Liberty's privacy strategy for the coming months and years.

Travel broadens the mind, they say - but they don't always add that the resulting perspective may not be that comfortable.

This morning over breakfast, I watched President Obama's Chief of Staff, Rahm Emanuel, being interviewed on "Face the Nation", and the transatlantic parallels were interesting to draw. Not surprisingly, the interview centred around two topics: the economy (and the fiscal stimulus measures currently going through Congress), and US troop commitments overseas. In both cases, the American people are left in no doubt as to what the President wants. They know how much money he wants to pump into the US economy, and they know how much of it is destined for specific projects such as healthcare and electronic patient records. They know what the President's aim is for troop levels in Iraq, when the combat troops are due to leave, and when the support troops will follow.

It's interesting, too, that these policy statements are being made by the President and his Chief of Staff. Secretary of State Hillary Clinton can leave the country on diplomatic business, without leaving behind a conspicuous silence on foreign policy. I have not yet seen or heard any news coverage in which the economic recovery plan - the single most pressing policy topic in the country - was left to the Treasury Secretary: it is all coming right from the top.

Looking East (well, at the BBC News site, anyway), I see that the UK Government is squaring up for a fight over whether privatisation is the only way to bail out the Royal Mail's pension scheme. Frankly (and I've said this before, I know), as a loss-making pension investor in Equitable Life, I have every sympathy for Royal Mail employees, but yet again see the taxpayer being asked to bail out an organisation which could and should have managed its pension arrangements better. And yet again, the sums which would have been required to provide equivalent redress for those who were let down so badly by the regulator on Equitable Life are, as they would put it over here, 'vending-machine change' when set against the other bills for which the next tax-paying generation's future is being mortgaged.

Meanwhile, an old Iraq story has come back to haunt the Government: Defence Secretary John Hutton has had to admit that captives taken by UK forces were indeed handed over to the US authorities back in 2004, despite serial denials by cabinet ministers that the UK had participated in 'extraordinary rendition'. This week's admission 'only' concerned two detainees, but given the categoric nature of the Government's denials at the time, that is not much of a mitigation.

According to the BBC site, Mr Hutton says that the two men

"are still being held in Afghanistan, where they are classified as "unlawful enemy combatants".
Mr Hutton said there was no "substantiated evidence" that they had been mistreated or subjected to abuse there".

Apart, of course, from the mistreatment of extraordinary rendition, and the abuse of being kept beyond legal process for five years with no prospect of a fair trial.

As I say, the perspective afforded by foreign travel may be a broader one, but it is not always edifying.