Thursday, 30 April 2009

Blunkett's hybrid legacy

I had quite forgotten the extraordinary parallels between the story of the Gordian Knot and our own recent political history. Like me, what you probably remember is that Alexander the Great was challenged to undo the intractable Gordian Knot, and instead of faffing about with bits of string, simply whipped out his sword and hacked the whole thing apart. However, like me you may have forgotten who Gordias was in the first place. So, a brief digression:

The ancient Phrygians, in their mythical past (pre CFC), found themselves in an interregnum. Consulting an oracle, they were simply instructed to appoint as their king the next man who drove an ox-cart into the city. That man was Gordias - and so with no further ado, he was made leader. It was as transparent and representative as that. Plus ça change...

But back to our own times.

Let's face it, an announcement by David Blunkett that the Government should abandon its plans for a national ID Card was always going to be a gift for headline-writers - and they have duly gone for it, mostly along the lines of 'Blunkett says "scrap ID Cards", 8 years after suggesting them'. Other commenters have noted, however, that reports of its death are exaggerated. Over at the Himmelgarten Café, for instance, the improbably-named Costigan Quist points out some of the absurdities of this new approach.

So, how different is the attention-grabbing idea Mr Blunkett aired at InfoSec 2009 yesterday? Well - what he is not suggesting is that the Government should abandon its ambition of a database of unique citizen biometrics, or that it should give up on biometric credentials. What he is proposing is that biometric passports be made mandatory.

I know what you're thinking...

That won't work, because as Jacqui Smith and Meg Hillier have astutely pointed out, a passport is too big to be conveniently carried in the clubbing attire of many of the young people who "can't wait" to get their own ID card.

Blunkett is ready for that one, though - after all, he didn't get where he is today [? Ed.] without understanding the needs of the nightclub generation. [?? Ed.] No - for an extra charge, people who want their "biometric passport" in a more convenient form can have it as, say, a small plastic card.

It's probably just as well that he's suggesting the plastic card option be retained, because on the face of it, that's about all you could fit between the old policy stance and the new one.

In other words, what appeared to be a radical U-turn is actually what is more accurately called a "J-turn". A J-turn is like a classic 'bootleg' turn (think 'Smokey and the Bandit', 'Rockford Files' or the 'Dukes of Hazzard') except that for a J-turn, the car is already going backwards before the manoeuvre is executed. And I suspect that's what we're seeing here. The government has less and less to gain from embarking on the implementation of a multi-billion pound IT project which both opposition parties have said they will scrap if and when Labour lose office... and less and less money with which to begin the attempt.

Time must surely be up for anything overtly labelled as a national identity card - but then, as Blunkett admitted yesterday, that was always a more or less mythical animal. Chimera-like, it was made from bits of several other beasts: a biometric passport (blamed on ICAO), bits and pieces of biometrics (maybe face, maybe fingerprints, probably not DNA), biographical information, name-and-address records, and a cost-case which deliberately sought to weld all those different genetic donor beasts into one - if you'll pardon the name - "Gordian" mess.

What remains to be seen is whether that hybrid can be kept alive until the current government's successors face the decision of whether or not to put it down.

Wednesday, 29 April 2009

Privacy Good Practice

Over on Twitter, both Toby Stevens and Privacy International have noted this Register article about Privacy Notices... you know - those appalling screeds of text which bury you in useless information, and which are designed to produce enough (virtual) paper to cover the (virtual) backside of the publishing site in case they ever have to argue about your privacy rights.

The Register piece in turn reports on a US Government study into whether privacy notices "do their job of informing consumers and helping them to make a decision", and whether they do it better if expressed as a table rather than as a wall of text.

The study concluded that tables are better - which was good news for me, as that was the approach I adopted back in March when Future Identity Ltd was asked to draft a privacy policy for a local club. Here's a link to the site, in case you're interested: Trowbridge Aikikai - Your Privacy.

Having looked at their site and how it works, I also thought it would be good practice to give members some guidance about what happens if they opt to "Register" via the website. You can view that here: Guidance about registering.

Any questions/comments/suggestions welcome, either via the Comments function here, or by email to me - mail at futureidentity dot eu

"Ayo Gurkhali!" - the shameful irony

[Updated 18:05, 29/04/09 - Gordon Brown (and, indirectly, the policy-owning Home Office) has been defeated in a Commons vote on the Gurkha issue. 28 Labour MPs are understood to have rebelled explicitly, including one who resigned his post as a parliamentary private secretary so as to be able to vote against the Government. A number more abstained as an indirect way of seeing the proposals founder.]

Our Government continues to wriggle and nitpick in a way which goes beyond penny-pinching, and loiters somewhere between callous and despicable.

One might wonder why the proud Nepalis come, generation after generation, to serve and die for our country - remote, indifferent and ungrateful as it must so often seem - but they do, and our armed forces are only too happy to have them. They have served in the British Army for almost 200 years, and with such bravery and distinction that the Victoria Cross has been awarded to Gurkha Regiments 26 times.

Here is one example of such an action, though as you can see here, many others would serve to illustrate the point just as well:

"Ninthoukhong, Burma June 1944

… B Company, 7th Gurkha Rifles, was ordered to counter-attack and restore the situation. Shortly after passing the starting line it came under heavy enemy medium machine-gun and tank machine-gun fire at point blank range, which covered all lines of approach. Rifleman Ganju Lama, the No.1 of the PIAT gun, on his own initiative, with great coolness and complete disregard for his own safety, crawled forward and engaged the tanks single handed. In spite of a broken left wrist and two other wounds, one in his right hand and one in his leg, caused by withering cross fire concentrated upon him, Rifleman Ganju Lama succeeded in bringing his gun into action within thirty yards of the enemy tanks and knocked out first one and then another, the third tank being destroyed by an anti-tank gun. In spite of his serious wounds, he then moved forward and engaged with grenades the tank crews, who now attempted to escape. Not until he had killed them all, thus enabling his company to push forward, did he allow himself to be taken back to the Regimental Aid Post to have his wounds dressed..."

Gurkhas continue to serve, and die, alongside other British and Commonwealth forces in Afghanistan, and at a time when the Government is prepared to bail out reckless banks and stand by while those bail-outs subsidise colossal pension payouts, its niggardliness in the matter of Gurkhas' pensions and UK residence entitlements is simply breathtaking.

One of the things a Gurkha's opponent probably least wants to hear is their battle-cry "Ayo Gurkhali!". It means "the Gurkhas are coming!". Our country has been profiting from the arrival of the Gurkhas for almost 200 years. That our Government should respond with such discriminatory meanness shames us all.

There is an online petition here on the Gurkha Justice Campaign site.

Monday, 27 April 2009

Home Office launches RIPA consultation

The Home Office has launched a public consultation into aspects of the Regulation of Investigatory Powers Act 2000 (RIPA).

Specifically, the consultation covers "Consolidating Orders", which are the lists of public authorities authorised to make use of covert investigation powers under the Act. At a rough count, there are some 53 'headline' public bodies in the list - I say 'headline' because some entries in the list actually refer to types of public body which are, in turn, far more numerous. For example, "local authorities" is one of the 53 line items, but that category actually includes 433 public bodies across England, Wales, Scotland and Northern Ireland.

The consultation also covers two Codes of Practice which are to be used to provide further guidance on how the Act is supposed to be used. Presumably this reflects noticeable public concern about episodes such as

- the bugging of MP Sadiq Khan while he was visiting one of his constituents in prison;
- police access to information from the office and home of Damien Green, MP;
- numerous reports of the Act being invoked for dubiously trivial purposes;

and persistent tensions* between, on the one hand, the powers granted under RIPA, and on the other, the relevant statutory and other rights - such as those provided by PACE (Police and Criminal Evidence Act 1984), the common law, and the European Convention on Human Rights (ECHR) and its national analogues.

If you plan to respond to the consultation, you should probably get down to it soon. The consultation document itself is 121 pages long (not counting, of course, the relevant sections of RIPA itself and any other documents you might want to research and refer to), and responses have to be in by July 10th.

[Oh, and by the way - this is not the same as another planned consultation exercise on the question of how the government will manage the retention of communications data across all commercial carriers and channels of communication.]



*For a fascinating and detailed examination of some of those tensions, I can recommend this report of an appeal case heard in the House of Lords last December. Among other things, it clarifies the difference between the status of primary legislation like RIPA itself and that of a Code of Practice such as the two put forward with the current consultation.

"McDonald [Barry McDonald QC, for the Appellant] pointed out that RIPA came into force on 25 September 2000. The Code of Practice on which the PSNI and Secretary of State's case was based only came into force two years later, in July 2002. As a Code, it did not require nor receive the attention of both Houses; it was not preceded by a white or green paper; it was not legally binding.

McDonald pointed out that two different codes had been in operation. The first, which provided fewer safeguards around surveillance, was possibly a draft and had been in existence for five years without this fact being noticed by the Surveillance Commissioner. There had been no explanation for this discrepancy or the subsequent introduction of the second, different Code."

The report also includes the following observation by one of the Law Lords, on lawyer-client privilege in police station premises:

"There was a lengthy debate among the Law Lords as to whether it was more or less serious to have overt surveillance (i.e. someone sitting in on a conversation between client and solicitor) or the possibility of covert surveillance such as happened in Antrim PSNI station. After much probing by the Law Lords, McDonald said that in both cases the same unacceptable end was achieved, in that the right to a private conversation between a solicitor and a client was extinguished and a lawyer could thus not obtain complete instructions from his/her client. However, overt surveillance was easier to address as the fact that it had taken place was obvious to all involved. Covert surveillance was very much more difficult to prove and consequently to challenge effectively. Carswell LJ pointed out that he rather doubted that any solicitor of any merit, using Antrim police station, was unaware of the systematic bugging."

True as Lord Justice Carswell's comment might be, it does little to address Mr McDonald's point. After all, if a solicitor sits down with his client in a police cell and opens the conversation with "as an experienced solicitor in the Province, I have to tell you that any conversation in this room is probably recorded by the police", it still prevents the client from fully instructing the lawyer, and does nothing to prove whether bugging is taking place or not.

Saturday, 25 April 2009

Verbal ping-pong

I'm told that, in some of the seedier parts of places like Bangkok, one of the louche entertainments involves watching ladies launch ping-pong balls across the room from surprisingly inappropriate parts of their anatomy. Not having been there, I wouldn't know - but although I've never experienced this dubious diversion I think I have some inkling of what it must be like.

I've just been listening to Martha Kearney interviewing former Home Secretaries Michael Howard and Charles Clarke, and asking them if they feel any sympathy for the topical travails of the current post-holder, Jacqui Smith. Charles Clarke said yes, he did; Michael Howard said no, not so much. So far, so straightforward. Bodily orifices and language all being used as normal.

However, Mr Clarke then went on to say that he felt the job of Home Secretary was a difficult one to do if one lacked previous political experience in a high level cabinet post, and "intellectual self-confidence". It was at that point that I heard the sound of a ping-pong ball hitting the floor some distance across the room.

Those ill-disposed towards Mr Clarke will probably reflect that his own "intellectual self-confidence" is seldom lacking and often comes across as plain arrogance. Those ill-disposed towards Ms Smith might wonder if he's accusing her of being thick. With expressions of sympathy like that, who needs critics?

Politicians don't always use their mouths and words the same way as the rest of us. It may not be an attractive sight, but it's an amusing enough diversion if you like these kinds of low entertainment...

Friday, 24 April 2009

Ecclestone pulling the strings again...?

If you were to do a "keyword in context" search for the name Bernie Ecclestone, it's a fair bet that most of the occurrences would be near words like 'supremo', 'ringmaster', 'impresario' and 'puppetmaster'.

His entry in Forbes Magazine's "World's Richest" list describes him thus:

"In 2005 he sold his remaining stake in the racing giant to CVC Capital Partners, a leading European private equity firm, then turned around and reinvested with CVC in a new joint company called Alpha Prema. The new corporation now controls 100% of Formula One Group, and Bernie still gets to direct the empire." (If you have the head for a longer spin on this Financier's Carousel, try this article on ABCMoney).

Experience suggests that whatever changes take place across the franchise, Mr E tends to end up (a) getting what he wants and (b) trousering the proceeds.

With that in mind, what are we to make of the latest wranglings around the UK's Grand Prix - due to start a 10-year contract at Donington Park from 2010, instead of Silverstone? Well, judging by the public statements (for instance, here on the BBC site), Uncle Bernie "doesn't know what the situation is" or "what the details are"... but a little later says that he's "been in talks with Simon [Gillett - current leaseholder of the Donington facilities] and we've been talking through the money situation". Apparently "what [Simon] really needs is an investor, that's the best hope of saving the race".

Behind this amiable concern and good-natured search for a simple solution to the problem lurk a couple of other layers, though.

Mr Gillett 'needs an investor' because he's being taken to court for rent arrears on the Donington lease by the actual owner, Tom Wheatcroft. Mr Wheatcroft, apparently, is a "close friend of the Formula 1 supremo" [sic]... So from this new perspective, what we have is a close friend of Bernie Ecclestone, suing someone who is being amiably advised by Bernie that what he needs is an investor who can help him out of this little mess.

There's a thing in chess called the fork, or double threat. It's a classic particularly with the knight, because compared with other pieces, the knight's final resting-place is rather more 'obliquely' related to his initial direction of movement. Grandmaster Ecclestone is, if anything, achieving a masterly triple threat here.

- He has already had another pop at a favourite target, the Government, for failing to subsidise this multi-billion pound monopoly in the way it subsidises, say, the Olympics. Under current conditions, it's overwhelmingly unlikely that the Government would have a sudden change of heart and pump money into the Donington facilities, but if they did, Bernie would get what he wanted at the taxpayer's expense;

- Mr Gillett may crack under the threat of legal action and accept Bernie's generous offer of "investment", which is bound to have strings attached relating to increased control over the venue and its Grand Prix receipts - something Bernie has never managed to winkle out of the British Racing Drivers' Club at Silverstone;

- Ultimately, even if the Donington deal does fall through, Ecclestone can rub the BRDC's nose in it by choosing to cross the British Grand Prix off the race calendar rather than return it to Silverstone.

All this may help to explain why, unless you're a grandmaster yourself, chess - for all its ruthlessness and tactical complexity - is utterly absorbing for the players themselves but a pretty lousy spectator sport.

David Cameron on "Today" Programme

David Cameron took the 08:10 "politics" slot on the Today programme this morning, interviewed by Sarah Montague about the budget, the economy and what the Conservatives would do about the deficit unveiled by Mr Darling on Wednesday. Actually, I should put it more strongly than that: 'interviewed about what the Conservatives will do...'. It's an interesting sub-current of the media coverage I've seen/heard since the budget that it is universally based on an assumption that whatever Messrs. Brown and Darling are doing now will, after the next election, no longer be Labour's problem to sort out.

Asked to give some specific examples of areas in which he would cut public spending, Cameron's answer was revealing. Without hesitation, he singled out those areas in which there is an "extension of government"; his first two examples were the National ID Scheme and the ContactPoint directory. Returning to the topic a few moments later, he added the NHS' National Patient Record database. I find this interesting in three respects.

First, he was being asked about cost-cutting measures - so on the economic level, it's clear that he sees these as programmes which should not now be funded from the public purse;

Second, behind the economic rationale, there's clearly an ideological motive based on rolling back the 'extension of government';

Third, politicians don't like to admit to cuts in public expenditure unless they are pretty sure that the things they want to cut are sufficiently unpopular with the electorate. The fact that he singled out three projects which are often characterised as elements of the "database state" is, I think, significant. It suggests he thinks there is a public sentiment to tap into which - for whatever reason - does not favour these kinds of system.

So, what might lie behind this perception? Are the public for or against things like the ID Card scheme? Well, a quick and un-scientific internet search returns the following data points:
  • 2002: "four out of five people are in favour of a biometric identity card" (Home Office)
  • 2003: "more than 5000 out of 7000 responses to a public consultation were against the scheme" (Home Office response to parliamentary question)
  • 2004: 48% against, 31% in favour (Privacy International)
  • 2005: 66% against a £6bn scheme (YouGov, Telegraph, before London Bombings)
  • 2005: 42% against, 45% in favour (No2ID, after London 7/7 Bombings)
  • 2008: 48% against, 43% in favour (YouGov)
If one can draw any conclusions from this, they are probably as follows:

  1. It depends how you ask the question. (Questions relating each option to a specific cost seem to produce much less equivocal results - the higher the financial cost, the lower the approval rating);
  2. It depends how you count the results. (The ">5000/7000 negative responses" were apparently discounted by the policymakers because over 4000 of them came via a single campaigning website...);
  3. It depends how reliable you think people's responses are. (Privacy International, for instance, has consistently maintained that the public are not in a position to make an informed decision, notably because possible harm from a comprehensive life-long audit trail is not accounted for in the available information about the scheme);
  4. Public opinion is swayed by public events. (Support appeared to increase in the wake of the 7/7 bombings, despite the then Home Secretary's admission that an ID card had not stopped the Madrid bombings and would not have prevented the London ones; support appears to have been eroded by successive public sector data breach revelations).
It's a huge topic. I can recommend two papers which give a fascinating look at the connections between public perception, press coverage and policy in this area. Here are links to both:

"Media and Public Perceptions of Identity Cards, Privacy and Surveillance"; Dr. Edgar Whitley, LSE, December 2008

"ID Cards - A snapshot of the debate in the UK press"; Elisa Pieri, University of Manchester, April 2009

Wednesday, 22 April 2009

Signs of a classic design flaw?

Thanks to Privacy International for Twittering about this article on issues with the UK e-Borders programme and people with dual nationality. If true, the article suggests that there is a basic and fundamental design flaw in the system. [See Postscript at the bottom of this post]

The issue appears to be this: the new international agreements on Advance Passenger Information (APIS) require airlines to collect passenger-supplied data (including passport details) and associate that with a given journey (and hence a given border-crossing event). However, passengers with dual nationality might well present one passport when leaving one country and another passport when entering their destination country. There's nothing illegal about dual nationality, and nothing illegal about presenting different passports when departing and arriving... provided you're the legal holder of both passports, of course.

From what I can gather (and I only have the Telegraph's word for this...), the UK's e-Borders system can't cope with someone who registers the details of one passport when booking a flight and leaving the country, but presents another passport when returning to the UK. If true, this implies that the system is designed on the basis of a mistake which we really should not still be making - the assumption that there is only ever a one-to-one relationship between people and passports.

At the Brussels Privacy Summit, almost exactly two years ago, this question came up in the context of national identifiers, and we had a revealing discussion about the difference between the credentials issued to a person, and the 'index value' which might be used to organise and locate those credentials. It's not, essentially, a hard design problem, provided the right level of abstraction has been included from the outset.
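To make the credential/index distinction concrete, here is a small model of the two designs, added to this post as an illustration rather than taken from e-Borders or any real system. The flawed version keys a journey on the passport number alone; the corrected version attaches any number of travel documents to an opaque per-person index value and reconciles on that. The biographic fallback (name, date of birth and sex, as the e-Borders reply in the postscript describes) is included to show why it is weaker: a namesake with the same date of birth passes it. All names, document numbers and dates are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example, not part of the original post or of any real border system.
# Names, document numbers and dates below are constructed.


@dataclass(frozen=True)
class TravelDocument:
    number: str          # passport number as printed (unique only per issuing state)
    issuing_state: str   # ICAO three-letter code
    surname: str
    given_names: str
    date_of_birth: str   # YYYY-MM-DD
    sex: str             # M / F / X


@dataclass(frozen=True)
class Journey:
    api_doc: TravelDocument      # document details given to the carrier at booking
    arrival_doc: TravelDocument  # document actually presented at the UK border


def reconcile_by_document(j: Journey) -> bool:
    """The flawed design: the passport number is treated as the person."""
    return j.api_doc.number == j.arrival_doc.number


def same_biographics(a: TravelDocument, b: TravelDocument) -> bool:
    """Weak fallback: compare the biographic fields both passports carry.
    Case and spacing differ between issuing states, so normalise them."""
    def norm(s: str) -> str:
        return " ".join(s.upper().split())
    return (norm(a.surname), norm(a.given_names), a.date_of_birth, a.sex) == \
           (norm(b.surname), norm(b.given_names), b.date_of_birth, b.sex)


class PersonIndex:
    """The correct abstraction: an opaque index value per person, to which any
    number of credentials are attached. The index is never itself a passport
    number and never appears on a credential."""

    def __init__(self) -> None:
        self._by_doc: Dict[Tuple[str, str], int] = {}
        self._next = 1

    def enrol(self, *docs: TravelDocument) -> int:
        pid = self._next
        self._next += 1
        for d in docs:
            # key on (issuing state, number): numbers collide across states
            self._by_doc[(d.issuing_state, d.number)] = pid
        return pid

    def person_of(self, d: TravelDocument) -> Optional[int]:
        return self._by_doc.get((d.issuing_state, d.number))


def reconcile(j: Journey, index: PersonIndex) -> str:
    """'match' when both documents resolve to the same indexed person,
    'biographic' when only the weaker name/DOB/sex comparison succeeds,
    'mismatch' otherwise (the case that gets a traveller stopped)."""
    a, b = index.person_of(j.api_doc), index.person_of(j.arrival_doc)
    if a is not None and a == b:
        return "match"
    if same_biographics(j.api_doc, j.arrival_doc):
        return "biographic"
    return "mismatch"


# Constructed dual national holding a British and an Irish passport
UK = TravelDocument("123456789", "GBR", "Example", "Anna Maria", "1980-05-04", "F")
IE = TravelDocument("P9876543", "IRL", "EXAMPLE", "ANNA MARIA", "1980-05-04", "F")
DUAL = Journey(api_doc=UK, arrival_doc=IE)

# Constructed namesake: identical biographics, a different person
OTHER = TravelDocument("555000111", "GBR", "Example", "Anna Maria", "1980-05-04", "F")
NAMESAKE = Journey(api_doc=UK, arrival_doc=OTHER)


def demo() -> Dict[str, object]:
    idx = PersonIndex()
    idx.enrol(UK, IE)   # both credentials attached to one index value
    idx.enrol(OTHER)    # the namesake is enrolled as a separate person
    return {
        "dual_by_document": reconcile_by_document(DUAL),   # False: the design flaw
        "dual_by_person": reconcile(DUAL, idx),            # 'match'
        "namesake_by_person": reconcile(NAMESAKE, idx),    # only 'biographic'
    }


if __name__ == "__main__":
    print(demo())
```

The point of the `PersonIndex` is that the thing being reconciled is the person, located via whichever credential they happen to present; the passport is one of several pointers to that index, not the index itself. Whether a real system should fall back to biographic matching at all is a policy question, but the namesake case shows it can only ever be a hint, not a decision.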

So, what should you do if it looks likely that this will affect you? I don't have any way of confirming this myself, but one solution might be to enrol in the Iris programme (biometric scan of your iris on arrival in the UK, instead of having to present your passport). There's a list here of the criteria for registering in the Iris scheme, which you do on your way out of the UK (for instance, there's an enrolment office in Heathrow Terminal 1 just after the security scan).

Iris is not without its flaws (as I have described in previous blog posts) but it might be better than being stuck at immigration - or, possibly, put back on a plane to wherever you've just arrived from.

[Postscript: I found the following in the comments on the Telegraph article... part-buried amongst the usual "nothing to hide, nothing to fear" bleatings and the "round up all the illegals and us law-abiding folks won't have any problem" rants.

One reader apparently emailed the e-Border programme a month ago and got the following response:

"Under e-Borders, you should not see any difference in your travel experience, or have to provide any information which you do not currently provide to your carrier, with the possible exception of your passport details which carriers may choose to request at booking stage. The biographical Travel Document Information that is collected will be the same on both passports (i.e. name, date of birth and gender).

As the e-Borders system is rolled out, it will provide additional capability to reconcile electronically where an individual travels using different documents, so that passengers with dual nationality can be identified."

I would interpret that as meaning 'e-Borders can't cope at the moment if you give your carrier one set of passport details and present a different set on arrival, but will be able to later'.]

Tuesday, 21 April 2009

Expenses incurred and claimed against receipts...

Gordon Brown has promised to overhaul the system by which MPs get their various allocations of cash but - as far as I can see from reports like this one on the BBC - still appears to be missing the point. The sceptics will say this is intentional - just as they are already rather wryly noting that Mr Brown's new deadline for reform happens to coincide with the month in which details of MPs' expense claims (since 2004) are finally to be published after years of legal wriggling.

The point Mr Brown's measures seem to miss is the distinction between expenses and allowances. He proposes, for instance, a flat-rate 'attendance allowance' to be paid to MPs instead of the 'second home allowance' which recent revelations have done so much to discredit.

It's still an allowance.

This reform may change what MPs are paid and how, but it does not seem to do anything to increase their accountability for the funds they take from the public purse. If Mr Brown's aim really is to "restore people's confidence", as he claims, then surely the way to do it is to introduce more, not less of a link between what MPs get paid and what they actually spend.

Kantara Initiative announced at RSA pre-conference

Yesterday, Trent Adams (Internet Society), Eve Maler (Sun/Concordia), Brett McDowell (Liberty), Drummond Reed (ICF) and Nat Sakimura (XRI) were on stage at the RSA pre-conference workshop to announce the launch of the Kantara Initiative.

Anyone who speaks Arabic (or Swahili, apparently) already knew yesterday that Kantara (قـنـطــرة)* means "bridge"; today, a whole lot more people are coming to understand Kantara as a construction intended to bridge the gaps between organisations working on the many and diverse problems of digital identity and privacy.

I include 'privacy' partly because it is so integral to the idea of digital identity, and partly for more self-interested reasons.

I'm delighted to be able to announce that I (through Future Identity Ltd) have been engaged to define, scope and prepare the ground for a Kantara Director of Privacy and Policy (DPP) role. I had originally planned to propose the title of Chief Privacy and Public Policy Officer, but suspected that the novelty value of "C3PO" would very quickly wear thin.

Whatever the label, though, I am genuinely excited by this fantastic opportunity to be at the confluence of so many crucial topics and so many bright, creative people.

To revisit the 'bridge' metaphor for a brief moment - the keystone of Kantara is participation. The organisation and its charter have been intentionally designed to minimise or remove obstacles to participation - so please keep an eye out as we populate the Kantara website with further details of the group to work on matters of privacy and public policy. In my preparatory work, I have set myself some interesting goals relating to stakeholder engagement, so be warned, I will be looking for people to contribute actively to the group...

Of course, I'll also be using this blog, my Twitter account and the FutureIdentity website to alert people to any updates.


*apologies if the Arabic doesn't render well in your browser. And as a nit-pick - can someone better qualified than me comment on whether the transliteration of "ق" would more correctly be "Q" than "K"? I think I'm right in saying that it is the letter called qaaf (as in Qatar) rather than the one called kaaf (as in Kuwait).

Watching you watching them watching us...

I set off to Wikiquote a couple of minutes ago, in search of the origin of the phrase "The price of freedom is eternal vigilance", with interesting results. Apparently the common attribution of the saying to Thomas Jefferson is not backed up by any record of it in his published writings, but it does appear in those of one John Curran. He wrote:

"It is the common fate of the indolent to see their rights become a prey to the active. The condition upon which God hath given liberty to man is eternal vigilance;" [John Philpot Curran, pub. 1808]

Benjamin Franklin is reported as saying "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."

What spurred all this research was a rash of posts and counter-posts, all relating to the Metropolitan Police's new anti-terrorism poster campaign. Here are some examples.
  • Let's start with Spyblog, who cite one of the posters here; it's the poster which says "a bomb won't go off here, because weeks before, a shopper reported someone studying the CCTV cameras".
  • Here is Ian Brown's satirical re-working of the same poster.
  • Here is Cory Doctorow's comment on the socially corrosive effect of campaigns like this, citing the "CCTV" poster and the "suspicious chemicals" poster.
  • Here is Stuart Langridge's analysis of the "pernicious, paranoid" campaign.
  • Here is qwghlm's superb two-word take on it.
None of these concerns, though, is particularly new. Here's Andreas Whittam-Smith, writing in the Independent back in 2001, on the introduction of the Anti-Terrorism, Crime and Security Bill. And in the same article, he quotes John Curran's remark about eternal vigilance - referring to the election of the Lord Mayor of Dublin, and uttered in the same decade as the 1798 Rebellion against the British.

Of course, these days the election of public officials in Dublin is a domestic matter for the Irish - which goes to illustrate another of Whittam-Smith's points: legislative powers brought in by one government for one set of reasons are often used to very different purposes by subsequent governments of different political character.

Wednesday, 15 April 2009

Do you know how much privacy to expect?

Thanks to Toby Stevens for the pointer to this article by Bruce Schneier in Wired. Discussing the US 4th Amendment (which is intended to protect against unreasonable search and seizure), Schneier advances the argument that the "reasonableness" test needs to be revised because it is based on a normative concept of privacy... and society's concept of 'reasonable privacy' has changed to the extent that the reasonableness test is no longer reliable.

It's a plausible argument, but the article doesn't address one aspect which is important. It's this: what one describes as society's 'normative concept of privacy' must surely be tempered by notions not of 'reasonable expectation' but 'informed reasonable expectation'. And arguably, a normative percentage of society is entirely under-informed about the extent of their privacy (or lack of it).

Liberty, pseudonymity and personas

Over on his "Talking Identity" blog, Oracle's Nishant Kaushik recently posed the question "Is a pseudonym the same thing as a persona?" - a question which Dave Kearns then wrote about in his column here.

Nishant quotes from the ID Commons definition of "persona" as follows:

[Comment 1]: "A Persona is something put forward by a user, but how it is perceived, recognized, accepted, rejected, trusted, used etc. by a Relying Party cannot be specified or in any way implied."

I don't disagree with that, but I draw slightly different conclusions from it (Nishant infers from the underscored phrase that a persona and a pseudonym are the same thing). The definition I tend to use for "persona" is: "that subset of personal information which an individual chooses to disclose in a given context". The ID Commons definition, to be fair, does also refer to contextuality and user-selectability, but does so in terms ("agent", "claims") which reflect a particular technological stakeholder perspective.

I think it's important to try and arrive at a definition which is as consistent as possible between 'real' and 'virtual' life. The idea of "choice" is important; for me, personas are a way in which people seek to manage the impression they create when interacting - and 'management' implies some degree of control. Thus - I may choose to appear to my employers as a serious, diligent technocrat, and to my children as a kind, loving parent. (And, arguably, the better those reflect my actual qualities, the more consistently I will be able to give that impression).

Dave Kearns uses the example of Clark Kent/'Superman'/Kal-El, and I think my approach is consistent with his. The individual who sometimes exposes a Clark Kent persona and sometimes a Superman persona has the same set of attributes regardless (ability to fly faster than a speeding bullet, leap tall buildings with a single bound, etc...), but exercises the choice to disclose them selectively depending on context. Thus, Superman is confident and assertive around Lois Lane (while Clark Kent chooses not to be), and Clark Kent tends not to hover disconcertingly above ground level even though he could if he chose.

Translated to the digital world, a persona is that subset of attributes which I disclose in a given context - and as Dave says, the subset may include an identifier. In fact, as Nishant points out, it may be nothing more - pseudonymous email addresses are a good example.

However, a persona can also consist of a number of attribute assertions ("I am male, single and over 20"), without containing either a 'genuine' identifier (Kal-El) or a pseudonymous one (Clark Kent) - therefore I maintain that personas and pseudonyms are distinct rather than identical.

One useful approach is to think of the distinction between a pseudonym and a persona as equivalent to the distinction between an identifier and a set of attributes. One (the pseudonym/identifier) is usually the "index" which allows you to find the other*. This is reflected in a couple of the models for Identity Data which we derived from the Liberty Alliance Privacy Summit series. The topic of "indices" and the special treatment they require (but do not always get) is covered in the report from the Brussels Privacy Summit (April 2007), a copy of which you can find here.

*An interesting by-product of this definition is that it clarifies that, while a persona is the set of attributes displayed by the individual, a pseudonym might well be attributed to that individual by a third party. Thus, a counter-terrorism officer scanning CCTV footage might label repeat appearances of "Suspect B" as such, without knowing "Suspect B"'s real identity. Assigning a pseudonymous index to the individual (requiring neither their knowledge nor their consent) allows the officer to find successive recordings of their attribute data.

Data, information and inference

There's an old and mildly sexist comment I remember from a training course back in the 80s.

"362436", the instructor told us, "is data: 36-24-36 is information". ho ho

James Governor tweets to point to this piece about data models, data reuse and ontology. He asserts, correctly I think, that a comprehensive ontology is not the missing piece without which a data model cannot be the basis for data reuse.

By one of those happy Twitter confluences, Trent Adams (Internet Society) posts from the IDTrust conference to quote Ken Klingenstein (Internet2) as follows: "Ken Klingenstein points out that assertions themselves will require LOA on top of what is applied to the ID. "

And just to round off the picture, back to James' Twitter feed again for a pointer to the Guardian's article describing the apparent assault by a police officer (since suspended pending further investigation) of a protester at the G20 summit.

The theme which ties all these threads together - albeit loosely - is that initial distinction between data and information. Another way of expressing it is that "data" is, broadly, "raw": uninterpreted and context-free.

Information, on the other hand, is contextual and subject to interpretation and inference. Relating this to the various threads I've mentioned:

- A thorough ontology of a data model may explain the relation of one element to another within that model, but cannot realistically account for either context or inference - both of which are external to the data model.

- Assertions of identity are commonly expected to have an LOA (Level Of Assurance), based on factors such as the robustness of the credentials presented, the reliability of the binding between the credential and the holder of the credential, the trustworthiness of the processes for registration, verification and enrolment (RVE), and the accuracy of the credential verification step (authentication). However, in many cases authentication is only the first gating step towards authorisation, which is more often based on assertions of attributes, rather than just identity. ("Now that I know who you claim to be, what inferences can I make about what you are entitled to do?").

- And so back to the apparent G20 assault. There is a certain level of risk involved in making inferences from a limited set of data (such as the video clip showing the apparent assault).
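To make the persona/pseudonym distinction from the earlier post and the "identity LOA versus attribute LOA" point above concrete, here is an added example (not code from the original posts or from any of the projects mentioned). It models a persona as the subset of attribute assertions disclosed in a context, each assertion carrying its own Level of Assurance; an optional identifier acts only as a gate, while authorisation is decided on the attributes; and a third-party pseudonymous index ("Suspect B") is assigned without the individual's involvement. The LOA scale of 1 to 4, the contexts, and all sample attributes are constructed for illustration.

```python
# Added example: persona = disclosed attribute subset; pseudonym = index.
# The 1..4 LOA scale, contexts and sample data below are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Assertion:
    """One attribute assertion, e.g. ("over_20", True), with its own LOA."""
    name: str
    value: object
    loa: int  # assumed scale: 1 = self-asserted ... 4 = verified in person


@dataclass(frozen=True)
class Persona:
    """The subset of attributes an individual chooses to disclose in a context.
    The identifier (genuine or pseudonymous) is optional: a persona may be
    nothing but an identifier, or carry no identifier at all."""
    assertions: frozenset
    identifier: Optional[str] = None

    def attribute(self, name):
        for a in self.assertions:
            if a.name == name:
                return a
        return None


# Constructed: the complete attribute set held by one individual.
INDIVIDUAL = frozenset({
    Assertion("legal_name", "Kal-El", 4),
    Assertion("sex", "male", 4),
    Assertion("marital_status", "single", 2),
    Assertion("over_20", True, 3),
    Assertion("can_fly", True, 1),
})

# Constructed disclosure choices: (attribute names, identifier) per context.
DISCLOSURE = {
    "employer": ({"legal_name", "sex"}, "Kal-El"),
    "dating": ({"sex", "marital_status", "over_20"}, "clark.kent@example.invalid"),
    "forum": ({"over_20"}, None),  # attributes only, no identifier of any kind
}


def persona_for(context, full=INDIVIDUAL):
    """Selective disclosure: build the persona put forward in one context."""
    names, ident = DISCLOSURE[context]
    return Persona(frozenset(a for a in full if a.name in names), ident)


def authorise(persona, policy, require_identifier=False):
    """Relying-party decision. Authentication (having an identifier) is only
    a gate; the decision rests on each required attribute matching the wanted
    value at or above the minimum LOA. policy = [(name, value, min_loa), ...]"""
    if require_identifier and persona.identifier is None:
        return False
    for name, wanted, min_loa in policy:
        a = persona.attribute(name)
        if a is None or a.value != wanted or a.loa < min_loa:
            return False
    return True


class PseudonymousIndex:
    """A third party (the CCTV officer) assigns its own label per distinct
    observed attribute pattern, so later sightings can be found without
    knowing, or needing, the individual's real identity or consent."""

    def __init__(self):
        self.labels = {}

    def label(self, observed):
        key = frozenset(observed.items())
        if key not in self.labels:
            self.labels[key] = "Suspect %s" % chr(ord("A") + len(self.labels))
        return self.labels[key]
```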

The police themselves used to illustrate a similar problem back in the 80s by showing a picture of a (white) uniformed officer chasing a (black) man in jeans and a t-shirt. Viewers were asked to interpret the picture, and tended to infer that it showed a policeman chasing a criminal. They were then shown the whole picture, in which a third (white) man could be seen, apparently being chased by the other two. This, they were told, was the actual criminal - the man in jeans being a plain-clothes policeman.

I mention this just to reiterate the difference between data and inferences drawn from that data. The Guardian piece describes the G20 police officer in question as having covered up his badge number before striking the protester. I couldn't see that in the video clip, but on the other hand, did notice another piece of data which the article did not mention.

In the clip, the protester can be heard shouting at the police officer before he strikes her: "What [are] you doing, punching a f***ing woman? You scum!". The implication is that the officer had already been seen to strike someone - though not necessarily the same protester.

Law-breakers like to conceal identifiers such as their faces or their real credentials, because it breaks the link between the identifier and the individual, or between the credential and the inferences drawn from it (i.e. you can see that someone stole the car, but not who it was). It is in their interest to do that, because it prevents them from being held accountable for unlawful behaviour.

The same chain of reasoning is not supposed to apply to those responsible for law enforcement. Having made a commitment to uphold the law, they are supposed to act in accordance with it and therefore, by implication, behave in a way which can be audited transparently and without recourse to anonymity. If they have nothing to hide, one might say, they have nothing to fear from being identifiable in the course of their duties.

Thursday, 9 April 2009

In the past, I have used Victoria Beckham's credit card, Gordon Brown's fingernails, and Caroline Flint's housing forecasts. Not the actual things, you understand - that would be immoral, gross or both - but the fact that all of them have been the subject of inadvertent levels of disclosure, thanks to the ease with which photos can be instantly published to a virtually global audience.

It looks like I'm going to have to update my presentation to account for the latest in the series: Asst Commissioner Bob Quick's accidental display of a secret document on his way past the paparazzi. As a result of the disclosure, an operation had to be quickly kicked off to round up those identifiable from the document, before they were warned off by the information being released into the public domain.

Still, it could be worse. All I have to do is update my slides. Bob Quick is looking for a new job. This accidental disclosure lark can be serious.

Wednesday, 8 April 2009

"Digital footprint" case studies

Thanks to the PrivacyInternational Twitterstream for their link to this informative Washington Post article about campus police officers (in itself a slightly strange concept from a UK perspective) monitoring students' social networking pages. This quotation sums up what I think needs to be said more often about the digital footprint of web users in general, not just social networkers:

"An expedition into a thicket of blinking MySpace profiles found high school students discussing drugs, sex and fights. It was all publicly available (although in language that caused a reporter to blush).

"It's crazy, the things they put on there," Loudoun County Sheriff Stephen O. Simpson said. "They seem to think they're invisible.""

As long as users (and citizens, for that matter) continue to believe that they are not leaving any traces when in fact they are, their risk assessments relating to online (and indeed public) behaviour will continue to be fundamentally flawed.

I wonder if that view is shared by the (masked) riot police officer now at the centre of allegations of assault, based on video footage from the G20 Summit protests.

Oh, what a tangled web...

Thanks to Toby Stevens for the pointer to this excellent piece by Tony Collins on the ComputerWeekly.com site, about the entangled costs of UK ID cards and passports.

Tony's headline question is "Are passport fees paying for ID cards?". By the time you get to the part of the article where he notes that the fee for a new passport (at £114) can exceed the unit production cost (£15) by over 750%, there may not be much doubt left in your mind.

I have long argued that policy statements which deliberately merge ID cards, passports and the National Identity Register are misleading and unhelpful. Let's not forget, after all, that much of the current entanglement has its origins in the dark days of Charles Clarke's stewardship of the project - a period which did not reflect well either on his reaction to criticism of the scheme, or on the government's willingness to be open about costs and external assessments relating to the project.

Let's not forget that, long before his subsequent fall from grace on unrelated matters, Sir James Crosby concluded that (i) adoption of ID cards would only gain mass public support if they were free; and (ii) there was no viable financial model for the scheme based on raising revenue from consumers.

For obvious reasons, the public appetite for transparency in the handling of public funds has probably never been greater than it is now. The use of bailout funds, the distinction between MPs' "allowances" and "expenses", and the cost/revenue model for passports versus ID cards would all be good places to start.

Tuesday, 7 April 2009

And another thing...

While the topic of legally-required data retention is fresh in our minds: it's interesting to introduce the topic of "spam" to sit next to it.

After all, if all email communications are to be monitored, and sender and recipient recorded for posterity, doesn't that give a great basis on which to do something definitive to deter the perpetrators of various forms of email abuse (unsolicited communications, offensive material, viruses/trojan horses)?

And yet, such a citizen-centric application of the law seems nowhere to be envisaged...

Where's your digital footprint today?

Well, it's probably in the same places it was on Sunday. The difference is that, as of yesterday (Monday April 6th 2009) it will remain stored for at least 12 months in some of those places, under the European Commission's Data Retention Directive (to which the UK has signed up).

This augments powers put in place 18 months ago, making it a legal requirement for telecommunications carriers to retain records of mobile and land-line phone connections for 12 months. The new Directive adds internet traffic and internet-borne voice calls to that list of retained data.

The claim is that this policy is proportionate because it requires the retention only of the 'meta-data' about a call (who made it to whom, when and from where; which websites were visited, and so on) rather than the content.

However, in a number of relevant aspects, the proportionality of the policy is clearly questionable.

First, the Directive requires the retention of all users' traffic data: there is no provision for limiting it only to those individuals who are already under suspicion in some accountable way.

Second, as Tom Espiner notes in his piece here, rather than introducing the new laws on a 'minimal disclosure' basis with strict accountability measures in place,

"[c]urrently, covert surveillance, such as accessing the data retained under the Data Retention (EC Directive) Regulations 2009, can be authorised in local authorities by junior executive officers. The Home Office said it is considering raising the level of authorisation to senior executives, with possible oversight by elected councillors."

If that rings a bell, you may recall that RIPA (Regulation of Investigatory Powers Act) was introduced on a similar basis, and was subsequently found to be being abused for purposes such as snooping on misplaced dog-poo. As far as I am aware, the promised Home Office consultation on how RIPA use might be better regulated has yet to happen. Which strikes me as odd, given that the word "Regulation" is prominent in the title of the Act.

For other perspectives on the Data Retention Directive, you may want to read the markedly low-key BBC article here, or the thorough (as ever) SpyBlog analysis here.

Toby Stevens on ID Card contracts

Toby has a couple of good items today on ID card-related matters, here. One is on ID Card contracts, and the other is about false positives/threshold settings in the facial biometrics pilot at Manchester airport.

On the latter, I would take issue with Toby's assertion that "[t]he scheme is still a trial, so there will be a great deal of useful data coming in through the systems, and this will improve performance in the future." Toby also refers to the Iris scheme - and I think that's the counter-example, right there. Whatever useful data has been gained from the initial years of the Iris project, it does not seem to me to have been used to improve performance of the system.

System performance, of course, is composed of many factors - such as the throughput and performance rates of the components (such as the Iris gates, the database, the link between the two, and so on), the competence of the users, the failure/fallback modes etc. etc.

In my experience, the component performance of the Iris gates themselves has remained pretty constant and, all things being equal, they have a maximum throughput rate roughly 25% of that of a human passport officer.

User competence (or lack of it) is the single biggest performance-killer. The worst thing that can happen to someone waiting in the queue for Iris is to find that the person in the gate cannot act on the commands "Please look into the mirror" and "Please move back a little".

That is aggravated by the lack of a well-supported fallback mode. When someone manifestly cannot follow these instructions sufficiently well, there are no staff on hand to offer any additional guidance, so the user has no alternative (being locked in a glass booth) but to stand there while the gate exhausts its sequence of failure steps and finally spits the user out (air-side) to join the back of the non-Iris queue.

All this was true on Day One of the Iris scheme, it was true when I blogged about it in 2007, and it's still true today. Sorry, Toby, but I think you may be being over-optimistic about the facial biometrics pilot...

Thursday, 2 April 2009

A cunning plan...

I thought I should write a quick post explaining this afternoon's possibly rather cryptic Twitter about Global Domination... (mwahhahaaa...)

The case study diabolically devised by Mary Rundle for the afternoon session split the OII-IDW workshop attendees into three groups, each of which was instructed to design an identity management system for the education sector of their respective communities. The first two communities were fairly straightforward: one was described as a society which strongly favoured personal privacy, regulation and governance over technical innovation, and the other as a society which had a more laissez faire approach to privacy, trusting in healthy market competition to expose and iron out any difficulties. So far so good.

The group I found myself in had a rather different remit. Rather than a nation-state, we were described as a group of entities with a common interest but no common geographic location. Our common interest was to take over the world by exploiting vulnerabilities in the identity management systems of the other two societies... again, through the design and implementation of our own education identity management system.

So, we had two problems to solve: the first was to work out what weaknesses we might exploit, and how to put the right pieces in place to exploit them; the second was how to convince the other two societies that our solution was not only benevolent, but the perfect interoperability partner for their own two systems, which we expected to evolve as quite dissimilar designs. It was a fascinatingly revealing exercise, and the results were somewhat chilling on a couple of levels.

First, about 20 minutes of thought and discussion suggested a range of goals and end-games, from 'leaving the other societies intact and functional, but providing us with an almost unlimited revenue stream' to 'full information infrastructure warfare, laying the other societies waste'... with a couple of equally entertaining intermediate options. It also raised several opportunities for attack, ranging from network/DNS compromise, social engineering, rogue identity providers/attribute authorities, and insider attacks up to and including enrolment of children into 'host' societies' education systems under false identities. It led us to imagine how creative someone could get if they devoted serious time to this problem with a specific gain in mind.

Second, and perhaps most worrying: the policies and strategies which we found ourselves then advocating to the other two societies were eminently plausible. In fact, they sounded exactly like the kind of thing policymakers tell their citizens every day around the globe. In other words, at the policy and presentational level, there may be no discernible difference between a perfectly benign identity management strategy and a wholly malevolent one.

Full marks, though, have to go to the participant (sorry, nameless to maintain Chatham House integrity) who torpedoed our attempt to get the societies to agree to use a new ".fedu" top-level domain for this identity management traffic, thus opening up the potential to channel network traffic through compromised nodes of our own devising. Foiled again! Drat, and double-drat...

Wednesday, 1 April 2009

Not the G20 Summit...

Haven't tried this before, so apologies in advance if it is a little rough around the edges. I thought I would post a slide showing an overview of the models we developed through the Liberty Privacy Summits, for guiding and structuring a productive discussion about Identity and Privacy. They seemed to go down well with the Summit participants... at any rate, there were no street riots, and hardly any bottle-throwing to speak of.

The resolution doesn't look too good on the blog itself, I know, but if you click on the image you should get a full-sized version which is much clearer.



In running the Summits, the first big challenge we faced was to get stakeholders with very different perspectives talking the same language when discussing abstract topics like identity, privacy, trust and so on. These simple models started out as a way to do that.

However, I'm now working on using them as a basis for stakeholder-specific analyses... for instance, how the models map onto the needs and priorities of a corporate CPO, or a public sector project director. I hope to post those as well, in due course, but in the meantime plan to go through these three basic models as an introduction, giving examples of how they were useful in the Summit discussions.

I'd be interested in people's feedback...