So... it's the Swiss we don't like...

I regret that I have two corrections to make to my earlier post about the UK ID Cards policy.

The first is that, far from being a climb-down or policy course-change, the Home Secretary's cancellation of compulsory ID cards was in fact a re-affirmation of committment to the scheme and the signal for an accelerated roll-out. This document on the IPS website provides further details.

The second is to clarify that, while European Economic Area citizens will not have to be issued with UK ID cards, the exemption does not extend as far as European Free Trade Area citizens. So, while the Norwegians, Icelanders and Liechtensteiners are OK, the Swiss are PNG.

I can only assume this is at once a subtle pay-back to the recently-defeated Stanislas Wawrinka for keeping Andy Murray on court past his bedtime, and a masterly pre-emptive ploy aimed at Roger Federer.

Stephen Potter would be proud

Doctorow's DIY Digital Deed-box

Interesting piece here about Cory Doctorow's search for a solution to the problem of what to do with your "digital legacy". Now that so much of our lives is lived/captured/stored digitally, it's far more likely that our executors and relatives will need to unlock a laptop, disk drive or a file than a desk drawer or a filing cabinet... and yet, as Cory notes, there's not much on the market that provides a simple solution.

The French eID scheme has, for some time, included a 'digital vault' for each citizen to use as a repository, but I don't know what the escrow arrangements are should the citizen die and someone else need access. Perhaps someone could comment if they know the details?

Cory mulls over the compliexity of various DIY options - but fortunately for him, help may be at hand in the form of the EU-sponsored PrimeLife project. At the project's Reference Group meeting in Frankfurt earlier this year, I heard an excellent talk by Sandra Steinbrecher on "Trusted Content and Privacy Throughout Life". The slides are online here, and I recommend them for their clear analysis of the problem.

ID Cards scrapped... but what next?

Home Secretary Alan Johnson has taken advantage of his recent arrival to announce a change of policy: ID Cards will now not be compulsory... for anyone other than foreign nationals working in the UK.

Though, if I remember correctly, it remains illegal under EU law for any Member State to require the citizens of another Member State to carry its (the former State's) identity credential... so actually that means "foreign nationals other than citizens of other EU States..." and possibly European Economic Area/European Free Trade Area States (Norway, Iceland, Liechtenstein and Switzerland) as well, I don't know. "EU Member State" is one of those categories which seems neat and tidy at first glance, but turns out to get a bit fractal the closer you peer at it. Apparently the Falkland Islands, Greenland and Nouvelle Calédonie are not Member States, for instance, despite being overseas dependent territories of countries which are. I apologise in advance to their worthy inhabitants, but I'm not even going to look up San Merino, Andorra and the Vatican...

But I digress. The point is, by the time you rule out UK nationals and "citizens of the European Fractal", I wonder what percentage of the inhabitants of these islands you're left with, who may legitimately be challenged to produce an ID card. However, adoption of a voluntary citizen card, by the rest of us, is unlikely to achieve critical mass unless there is already a sufficient infrastructure (of authentication devices, for instance) to stimulate the development of a service provision ecosystem, which in turn make such a card worth carrying. Carrying that logic through to its conclusion: I cannot, in the current circumstances, see a Home Secretary committing to the investment required in such an infrastructure in the hope that it might stimulate enough demand for the scheme to pay for itself in the end.

When you then consider that anyone who still counts as a "foreign national working in the UK" will have to have their own country's passport, and probably a visa, work permit and/or other documentation in order to get in and stay here, Mr Johnson's announcement is probably sufficient to make the roll-out of any ID card fall below critical mass. What would be the point? A database record, indexed to the individual's immigration record on entry, would satisfy the same purpose without anyone having to issue, carry or check a plastic card.

All that having been said, Mr Johnson's announcement signals less of a policy climb-down course-change than it might appear. There is, for instance, no change to the plans for a National Identity Register, and anyone applying for a UK passport will continue to have their details entered in that repository. Similarly, there's still no apparent change to the policy on DNA retention, despite the European ruling earlier this year... though perhaps it's a little unreasonable to expect two major climb-downs course-changes in quite such short succession.

So where do we go from here? Despite successive Home Secretaries' determination to confuse the two, the National Identity Register and the National Identity Card were never the same thing, and a National Identity Scheme can quite viably continue without anyone having to carry the "terrifying, small... plastic card". The question, then, is what the government plans to do with the Scheme once its plastic card has been virtualized - NIS 2.0, perhaps... (sorry).

I think it's fair to say that the ditching of said plastic cards removes an element which added enormous complexity for questionable benefit. My hope is that that will free enough "policy-bandwidth" to make something sensible and constructive out of the government's citizen ID policy henceforth. For instance, perhaps this signals a shift away from the hierarchical, paper-credential view of citizen identity and towards one based on the selective management and disclosure of attribute-level assertions.

Perhaps we are ready to move away from the policy of:

"Tell me who you are, and I'll look up everything about you" and towards one of

"Approve a minimal disclosure of just enough data to let me grant you access, deliver this service, establish this entitlement...".

That would be a shift indeed, and one which could reflect a far more privacy-positive approach. It may be that I'll have the opportunity to find out tomorrow, at a meeting of the All Party Privacy Group in Westminster.

UK policy and cyber-warfare

A few years ago I was given a very good piece of advice about technologists expressing a view on matters of policy: don't.

"Think of three layers", was the suggestion of my older and wiser colleague: "a bottom layer of technology, a 'good practice' middle layer, and a policy top-layer. Be aware that decisions at the policy layer are driven by all kinds of factors over which you will never have control... and however tempting it may seem to do otherwise, restrict yourself to opinions on the other two layers". I took this advice to heart, and while I have had the occasional lapse, it has not let me down when I have stuck to it.

So, then, what to say about the government's announcement, last week, of its plans to establish a cyber-security operations centre?

Well, I think there are three questions to ask:

1 - is there a pressing need for a cyber-security capability? I suspect the answer to that one is a clear 'yes'. There's no doubt that cyberspace represents an element of the Critical National Infrastructure (CNI), just like the transport, water, power, communications, financial and sewage networks on which our country depends. It may be entertaining to be transported back to the 70s by watching "Ashes to Ashes", but few of us would much enjoy a long spell of being restricted to 70s technology levels.

And just like all those other elements, the UK's cyberspace presence is inextricably linked into the global network. ("Sewage?", I hear you mutter... "How is the sewage system cross-border?" Ask the Dutch... I read a report that, if the Netherlands couldn't export the excrement by-product of its bacon industry, the whole country would be ankle deep in pig-poo before the year was out. And with all those greenhouses, they use a lot of mulch...). So - cross-border cyber-defence capability? Absolutely.

2 - is the government justified in maintaining/using an offensive cyber-security capability? This one is tricky to answer at the policy layer.

• At the technical layer, I have no reservation in saying that I want the security services to know how cyber-attacks work, and even in maintaining significant expertise: after all, they can't mount passive defences if they don't thoroughly understand the attacks.
  
• At the 'good practice' layer, offensive cyber-security capabilities tend to be restricted to getting malicious sites/services taken off the internet - and that only after going through 'due process' with the telcos, service providers, hosting companies and so on. Clearly, the latest policy announcement is based on the assumption that there may be cases where the security services expect to need to go further than that.
  
• At the policy layer, then, I think it boils down to this: what confidence can we have that those responsible for exercising such a capability are doing so proportionately, justifiably and accountably? In other words, it raises all the governance and oversight issues which have been so much in the political searchlight in recent months. There are established structures (such as the Intelligence and Security Committee - ISC) which are intended to make it possible for those 'on the outside' to be confident that those 'on the inside' have to at least tell a cleared and trusted few what they are up to. It is quite possible that those structures, though, are effective at providing policy oversight, but not effective at building and reinforcing public trust. For instance, Tory MP Michael Mates, a long-standing ISC member, has recently said that policy-forming documents he saw in the run-up to the Iraq War would "make people's eyes water" if and when they are made public through the proposed enquiry... and yet, the Iraq War went ahead.

3 - Can the cyber-security team meet the security policy objective, while simultaneously protecting the UK against repercussions from the policy, safeguarding citizens' use of the internet, and providing sufficient evidence of accountability to maintain the public trust?

In policy terms, the cyber-security announcement does include a statement about the appointment of an 'ethics advisory group' to complement whatever other governance measures are put in place. This group is apparently to monitor the 'proportionality' of actions taken under the policy. But the ethical issues don't stop there.

Supposing the cyber-security folks pre-emptively take down a malicious server outside the UK... presumably they would want to do that in a way which leaves no evidence of the attack having originated in the UK (for fear of reprisals...); perhaps they might consider launching the attack from elsewhere, in the hope that any blame (and retaliation) would fall on someone else.

I think the ethics advisory group is going to have a busy time.

Off-track action

It's been a couple of months since my last rant about F1, and in the meantime the franchise seems to have come closer than ever to imploding. In the past, Ecclestone and Mosley have managed to present a united front when dealing with the teams or other interest groups such as the BRDC, but this time even the two of them don't seem to be pulling in the same direction.

Mr Mosley seems to have antagonised most of the teams, not least by allegedly coming to an agreement with them on one day and then unilaterally revising it overnight. According to the teams it is this kind of high-handedness which makes him so unpopular as the sport's titular head... and yet it's Mr Mosley who is threatening to sue the rest of them for (among other things) breach of contract.

Apart from "governance style", the teams are also still fundamentally unhappy with the details of Mr Mosley's cost-cutting proposals. He wants to have two classes of engine; a rev-limited option for teams who wish to ignore the cost caps, and a 'budget' Cosworth with no rev limit. Mr Mosley is quoted as writing that "any engineer will confirm that this will not give the relevant teams any competitive advantage whatsoever"; the reply of at least one engineer was too frank to print on the BBC site.

There's also the point, surely, that this is not what "Formula One" means. It means a single set of specifications which apply to all the cars in the race. I've been to GT races, and to be sure, they are entertaining not least for the different rates at which GT1 and GT2 cars go round the track... but that's not "Formula One", it's cars from two different formulas racing simultaneously on the same track. If Mr Mosley thinks that would be more entertaining, he should come out and say so.

I assume that, at least in part, all this off-track chicanery is Mr Mosley's attempt to give us something more interesting to watch than the on-track chicanes. Dominant though Sebastian Vettel's performance was on Sunday, it was not an exciting race by any standard. The BBC Sports site today promises "The British Grand Prix in 90 seconds". To be honest, I'm surprised they managed to pad the highlights out to a minute and a half.

Speaking of "known unknowns"...

A classic 'information security' case-study is unfolding as the redacted censored facsimiles of MPs' expense claims are finally made public. Comparing what we know some of the receipts said with what the censors thought we should not be allowed to see communicates far more than the data could do on its own.

In some cases the message is simply surreal, as this piece by Martin Rosenbaum illustrates: for instance, apparently we are allowed to know that Tony Blair has a Siemens dishwasher, but details of which model it is have been doubleunpublished... despite the fact that that information had already been released in a 2008 FoI disclosure of the same receipt.

In other cases it is less benign. For instance, it is now established (through the Telegraph leaks) that Margaret Moran MP claimed for dry-rot treatment on a house which was impractically distant from her constituency: the redacted version of the receipts would have allowed that fact to remain concealed. The Fees Office explains this, with some justification, on grounds of security - but there clearly also needs to be some mechanism for preserving accountability where that is the very detail which could reveal abuse of the system.

The classic 'information security' solution to this classic problem would be to rely on a trusted third party, able to see and act on the data in question while protecting it from inappropriate public disclosure. The question is, can the parliamentary admininstration come up with a viable candidate for that role?

I'm having a Rumsfeld moment

I always thought that, for all his faults, Donald Rumsfeld was unfairly mocked for his famous remark about "known unknowns". Here's the passage in question:

"as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know."

It may not be a classically dumbed-down sound-bite, but it is entirely logical. It has echoes of the wisdom of another oft-derided sage, Neddie Seagoon:

"If only I knew what little I know, I would know a little."

As usual, there is a connection (however twisted) between this and a recent piece of news... in this instance, an article about the apparent dropping of a law-suit between US trade representatives and a number of other parties from countries including EU members states.

If that sounds vague, have a look at the article in question and you'll understand why. Information about an "Anti-Counterfeiting Trade Agreement" has apparently been withheld on grounds of national security, scuppering any enquiry into what it is about. It has been turned into an "unknown unknown". We aren't allowed to know what we don't know.

The newly-arrived Obama administration proclaimed goals of transparency, accountability and communication. In the UK, serial 'politics survivor' Gordon Brown has stated his commitment to rebuilding public trust and confidence in the political system as a whole, and our elected parliamentarians in particular. Allowing the "Rumsfeld philosophy" to persist does little to build the credibility of those postures.

"What a fine train"

Further to my post on Tuesday about UK biometrics and ICAO:

Guy Herbert, writing in the Guardian today, makes this observation:

"There is no need to reconstruct passport procedures around fingerprint and biographical databases designed with the ID scheme in mind. The British e-passport already meets the International Civil Aviation Organisation standard. This international standard applies to documents and does not require centralised databases of personal details."

He goes on to say that "A Cameron administration will have to tackle this subterfuge."

No emperor’s clothes were ever more admired. “But he has nothing on at all,” said a little child at last. From child to parent to bystander the word was passed, and by and by the crowd took up the cry: "He has nothing on! Nothing on at all!".

It seemed to the emperor that they might be right, but he thought to himself "I must carry this through now, regardless". And still his chamberlains solemnly strode on, bearing his non-existent train with ever more dignity.

"The Emperor's New Clothes" - Hans Christian Andersen (1837)

ID cards scheme "in the long grass"?

There's a nice, succinct article in the FT today (also available online here) reading the runes on the Home Office's contractual arrangements for parts of the ID Cards scheme. At the heart of the story is the issue that contractual timescales and the policy-making calendar don't always align very tidily, particularly when a general election has to be factored in within the next 350 days.

As the FT article notes:

"The Home Office has already signed four contracts in the ID programme: a pilot scheme run by Thales; a passport and ID card application system being developed by US-based CSC; an IBM contract to build a database to store fingerprint and facial biometrics; and a De La Rue contract to produce biometric passports.

These, however, could be left largely untouched by the Tories, because much of the technology would be needed to introduce biometric passports, which the party supports."

So the current ID Card implementation policy may indeed have been 'kicked into the long grass' for the time being... but when the next election rolls around, I suspect the public will be looking much more closely than they did last time at any manifesto commitments relating to national-scale databases of identity data, facial/fingerprint/iris biometrics, DNA and the like.

PS - I should also include a link to this article in today's Guardian, partly because it raises very lucid points about the future of a database state, and partly to note that any similarity between their opening paragraphs and my blog post of Monday 15th are doubtless entirely co-incidental :^)

Kantara Initiative formally launched

Great news from yesterday; the Kantara Initiative (KI) has been formally launched, with the Board of Trustees and the Leadership Council established and in place, and a number of working groups either already chartered or awaiting approval of submitted charters.

As you probably recall, I'm currently engaged by the Liberty Alliance, which is one of 13 Trustee Members of Kantara, to define and scope the role of Director of Privacy and Public Policy for the new organisation. As part of that work, I'm also setting up a Privacy and Public Policy Work Group to reflect the critical importance of those two topics to Kantara's work.

More details in due course... in the meantime, here's the announcement on the KI blog.

Challenging the accepted truth about iris biometrics

I promised some more notes from the recent LSE workshop I attended on Identity in the Information Society (IDIS), and have finally got around to it.

The opening keynote of the workshop was given by Prof. Kevin Bowyer, chair of the Dept of Computer Science and Engineering at Notre Dame University, who spoke on the topic "When Accepted Truth About Iris Biometrics Turns Out To Be False".

One of the accepted truths he examined was that iris biometrics remain constant over the life of the subject. While he didn't cite this article specifically, it's a good example of how the accepted truth becomes established:

"Iris scanning is the most reliable of the three biometric technologies the UK government is considering. The iris is the most distinctive part of the human body, and does not alter with age."
[...]

"Cons:

It is possible to fool iris scanners with artificial irises made by printing monochrome patterns on to paper."

(Maija Pesola, FT article, June 27th 2005 - quoted by International Biometric Group)

This article, though now somewhat old, reveals a couple of closely-related flaws in such a position. First, fooling the scanner with a 'monochrome printed iris' would not work with the industry-standard devices, as these now use "near-infrared" imaging, not visible-light imaging. This passes straight through the surface layer of the iris - which is where the visible, melanin-based coloration is found - and instead records the surface texture of the underlying iris tissue.

What they see, therefore, is not the same as what you would get if you simply printed a picture of your iris... and then, of course, you would have to address the problem of how to interpose it between your eye and the scanner without this being obvious at authentication time.

Second, there's the claim that the iris is 'the most reliable biometric because it doesn't change over time'. As a professional researcher in this field, Prof Bowyer took exception to this claim on the grounds that there is no relevant body of evidence to support it. It comes back to the use of near-infrared imaging. This has only been around for about 5 years... so there is simply no archive of near-infrared iris images to indicate whether or not the underlying tissue structure is indeed life-long. In fact, Prof Bowyer's initial research indicates that the tissue structure does indeed change over time - though he qualified this finding on grounds of small sample size and short timescale.

Sure, you can look at archives of facial portraits and see whether the visible iris coloration changes over the life of the subject, but you're not then looking at the characteristic on which iris authentication is based. In other words, this assertion of life-long reliability is currently founded not on a basis of research evidence, but on an assumption that surface melanin coloration and underlying tissue structure are intimately and causally related.

All this may or may not affect the UK's plans for national biometrics databases. Back in December 2006, the National Identity Scheme plans were amended to drop iris biometrics - though at the time, the stated justifications for that were not to do with reliability. Instead, they were based on a combination of (i) cost reduction arguments and (ii) the standard ploy of claiming "international obligations".

This last phrase is a rather shabby shorthand for "we're claiming that we have to do this because the International Civil Aviation Organization, ICAO, says we must. We're sliding past the fact that ICAO is an international regulatory consortium which recommends what its members say it should recommend, not a global authority which can force a nation state to do something it doesn't want to do...".

There are 190 member states in the ICAO consortium. According to this Wikipedia list, at least 129 of them do not have biometric passports, and of those which do, several use only a facial biometric. In the UK, the ICAO card is still being played in order to support the capture of fingerprint and facial biometrics.

An open letter

Dear Home Secretary,

Welcome to your new post. I hope your advisers have put in your in-tray a copy of the very lucid analysis of the UK's National Identity Scheme which Toby Stevens has written here on his ComputerWeekly blog. His starting point is to wonder whether your appointment as Home Secretary signals the opportunity to abandon the government's ID Card policy, and he then draws out some of the many reasons why that policy has degenerated into a probably irredeemable mess.

As to the first question - I agree with Toby's assessment. It would be a brave Home Secretary, in the current government, who repealed a piece of primary legislation which, in your own words, embodies a manifesto commitment. On the face of it, there seems little sense in handing the opposition, within bow-shot of the next general election, the PR victory of being able to claim that Labour has finally accepted what the Conservatives and Lib Dems have been saying all along... that the Identity Cards Act 2006 has got to go.

However, as the rest of Toby's post goes on to illustrate, this is by no means just about the Act. The Act itself is a product of the government's policy objectives, and has to be reflected in policies and implementation if it is to have any practical effect. That relatively flexible relationship between the primary legislation and the practicalities of ID Cards is at once your opportunity and your burden.

It's an opportunity in the sense that it leaves the way open (as this Guardian article suggests) for you to pay lip service to the Act - implementing it in a couple of well-circumscribed instances - while investing no effort in rolling out a comprehensive national ID Cards scheme.

But it's a burden in many senses. First, as I say, the Act is a product of the government's policy objectives... but so many years and Home Secretaries have passed since those policy objectives were first conceived, and political necessities have forced so many twists, tweaks and back-trackings on them that it is, fundamentally, no longer clear why the government wants a National Identity Card, what benefits it expects from one, and what it would do with it if it had one.

Second, your choices are constrained by the flaw which is built into the Act's very title: it is, unusually, a piece of primary legislation explicitly framed in terms of a specific technology - an identity card. And yet, when push comes to shove, you would doubtless ditch the card itself, if that gave you the leeway to, as Toby puts it, carry on with "biometric passports and the centralisation of biometric and biographical information into the National Identity Register. In other words, all that will change is that we won't receive the bit of plastic - everything else will continue regardless".

How can it have come to this - a national identity infrastructure which omits the very thing named in its own primary legislation? On one level, the answer to that question is simple: we've arrived at this state of affairs because successive justifications of the National Identity Scheme have sought to portray it as different things. It's a counter-terrorism measure; it's to prevent benefit fraud; it's to cut health-care costs; it's to secure the UK's borders; it's an entitlement card (remember that one?); it's "the gold standard of identity", which businesses will queue up to trust... and my favourite: it's a conveniently portable alternative to a paper passport, for young ladies who want to carry proof of age when they go clubbing.

Unfortunately, these justifications are all ad hoc, and range from the politically expedient to the absurd. They have never been underpinned by a clear, robust and explicit statement of principles to which all the legitimate stakeholders have signed up. And there are multiple legitimate stakeholders here: public admininstration, law enforcement, commerce... oh, and the citizen/cardholder.

My plea is this: be explicit about who the stakeholders are, and acknowledge their legitimate interests, even if those are many, varied and sometimes conflicting. Have the courage to call out the fact that the Act, as drafted, is fundamentally flawed. Explain to the citizen that the small piece of plastic is actually entirely irrelevant, and the important, useful and dangerous part is the National Identity Register.

Be open and honest about the policy purpose of the National Identity Scheme, and what the National Identity Card and the National Identity Register have to do with it. Set out a clear statement of principles which reflects the aims of the government and the interests of the stakeholders - and be prepared to ditch anything which does not put those principles into practice, whether that's the Act, the Card, the Register or the policy.

Yours sincerely,

Robin Wilton

UK Information Commissioner's swan song?

The Information Commissioner, Richard Thomas, is fast approaching his departure date, and opportunities for major announcements must be dwindling. However, today's announcement of a Code of Practice (CoP) for Privacy Notices would not make a bad coda.

First, there's no doubt that guidance is needed: many sites still publish privacy notices whose goal seems to be a blend of FUD (Fear, Uncertainty and Doubt) and covering the corporate backside with enough legalistic paper to ensure that they can do what they want with your data without risk of a serious challenge.

Second, the guidance given here is actually pretty good: there are practical suggestions as to what you should do, complemented by examples of good and bad practice.

It's not perfect: for instance, real life is often not as simple as the examples might make out... if I use Google Analytics to track traffic on my website, then the privacy-respecting promises I make to my users depend, in some respects, on the policies and behaviour of a third party.

Also, although it recommends a "layered" approach to informing users (short, clear introductory information backed up by links to more detail), it stops short of current US Govt research findings, which suggest that the best way to do this in practice is by judicious use of tabular layouts.

However, balancing that, there is detailed guidance here for small businesses, presented in a way which makes it approachable and clear. The ICO's Code of Practice deserves to be read, and end users deserve to get better privacy outcomes as a a result.

Granular Content Distribution...

(I thought that was what you got when they grit the motorway...)

Have you ever wanted Future Identity's insights into digital identity and privacy, but without Racingsnake's tedious socio-political ravings?

Well, here's the solution: my identity/privacy-related posts are now being 'syndicated' on the Kantara Initiative blog, where I post in my role as Director of Privacy and Public Policy for the Liberty Alliance. I've graciously agreed not to cheapen their brand with my rants. You'll still get opinion and analysis as well as the occasional fact, but the posts will be more specifically related to my privacy and public policy work - plus, you'll see posts from other Kantara contributors.

On this blog, you'll get everything I post to Kantara, plus the usual sarcasm and indignation. Enjoy... and I mean that sincerely. ;^)

The Privacy Experiment

One of the points I was happy to have been able to make at Tuesday's beingdigital event was this: privacy is not about keeping all my data to myself, it's about disclosing it, but doing so under conditions of control and consent which reflect a specific context.

I've said that before, I know, and will doubtless say it again. The novel part, though, was to look at social networking from that perspective. When you do so, it becomes clear that our 'online life' - what James Governor has referred to as "declarative living" - is actually a mass experiment in what happens when we uncouple disclosure from all the normal contextual constraints which we allow to guide us in real-world social interactions.

Not only is social networking an experiment, I would go so far as to argue that it is a consensual hallucination; we're jamming together two terms and hoping that the resulting phrase makes sense, when actually it does no such thing. As things stand today, you can have "social interaction" as human beings have understood it for millennia, or you can have "networked interaction". If you want, you can behave as though your networked interactions are exactly equivalent to your social ones, but if you do, you're deluding yourself.

I was therefore reassured to see that view echoed in comments by Prof Peter Fader and Prof Alessandro Acquisti - of Wharton and Carnegie Mellon University respectively - in this article on the Wharton site.

The article quotes Prof Fader as follows:

'Research on online social networking and how it may alter privacy norms is just beginning, according to technology observers. "Our kids today will give everything [in terms of personal information] away, but it's not at all clear how this will shake out in the long run,"'

and Prof Acquista as follows:

'"Privacy decision making and valuations are malleable," but it's unclear what factors lead to more disclosure. One of those factors might be a "herding effect," he said. In one study, Acquisti found that that people will divulge information when they see others doing so. That tendency, he believes, may explain why so many people are willing to dish out personal information on the networks.'

I'm not trying to claim that privacy norms are immutable - certainly, they will change as a result of the ways in which we experience the effects of social media - but let's not blindly go along with the assumption that social and networked interaction are the same thing. Yet.

Beyond reasonable doubt

I've finally cracked the business model for my new venture, and like all great ideas, it's devastatingly simple. I simply lock 16 million people in a room, and charge them to be let out. Awesome.

Well, if it works for Connectivity, why shouldn't it work for me..?

In case you're concerned about the privacy implications - worry not. Connectivity cleared their scheme with the ICO beforehand, and got the following guidance:

"We made it absolutely clear to Connectivity that they should not use numbers where there was any doubt about whether the consumer was happy for their information to be used in this way."

I'm OK, then; as Connectivity haven't asked me whether I'm happy or not for my information to be used in this way, doubt is definitely present.

beingdigital 2009 event

Challenged to sum up "digital footprints, personas and privacy" in 30 seconds at the end of yesterday's panel, I rather lamely blathered on about 'governance', and rounded off with the example of CCTV cameras. Why isn't there a law (as opposed to a rather weedy code of conduct) which makes it obligatory to label any CCTV installation with the contact details of its owner/operator?

I am delighted, therefore, to see that theme reprised in this Guardian article from yesterday evening; Alan Travis cites CCTV regulation as a potential "quick win" for new Home Secretary Alan Johnson. (Along with ditching the ID Card scheme, revising the DNA retention policy and curbing the extent of access to telecomms data).

I'd love to think there was some connection between that and the presence of Mike Bracken (the Guardian's Head of Consumer Facing Technology) on yesterday's closing panel, but I very much doubt it.

In retrospect, I should have led with the telecomms data example - it beautifully illustrates the way in which a changing economic and policy climate can lead to a less workable regulatory environment and worse privacy outcomes. This is a slide I've used to make that point recently (click on the image to enlarge it).


You can see the rest of that presentation here; Identity and Privacy in an Economic Downturn.

Just two other notes on yesterday's event: first, congratulations and thanks to Tony Fish and Simon Grice for a really good event - good speakers and lots of audience interaction.

Second, sincere apologies for wrongly attributing the "Thelma Arnold" breach to Yahoo!, and my thanks to Gary Gale of Yahoo! for pointing out that that distinction belonged to AOL.

Millionth English neologism imminent?

I read this article on the Beeb with interest; there's a company which monitors the frequency with which words crop up online, and it reckons that about every 98 minutes an English term reaches the 25,000-hit criterion for them (at least) to declare it a 'new word'.

So here's the challenge: a couple of years ago I used the word "digilante" to describe someone who, basically, uses technology to snoop on their neighbours. At the time, I don't think it returned any hits on an internet search. Even today, it only registers asade over 3,000 hits...

With your help, we might be able to bump that up over 25,000 and get it into the English language. How about it?

Thank goodness my middle name isn't Bin

Thanks to the IDIS Journal folks for their Twitter post about new formalities to be introduced by the US Transport Security Administration (TSA). According to this article from the San Jose Mercury, the TSA's watch list is compiled in "full name" format - i.e., according to US conventions: first name, middle name, last name - and they will expect all air travel bookings to document passenger names in the same format.

The twist is, apparently, that what they will really be looking for is a passenger name in the booking record which exactly matches the passenger name in the accompanying identity document (passport, US 'enhanced driver's license', etc). However, what I didn't know is that it is also valid for those to be issued with the holder's name in the format "first name, middle initial, last name"... thus opening up the possibility of a mis-match between the credential and the watch-list format, even though the credentials in question are valid.

In my case the fun will include the question of whether the TSA's new matching system can cope with people who have two middle names.

I always got a laugh out of those US police shows where a 'perp' with only two names was automatically given a set of police-issue initials... "NMI", standing for "No Middle Initial". There's something glorious about that level of recursive absurdity.

UK policy on DNA sampling

It's not unusual to hear criticism of UK law enforcement policy on the taking/retention of DNA samples; the National DNA Database (NDNAD or "nidnad", as I suppose it should be pronounced) has generated controversy and even attracted a ruling from the European Court of Human Rights that the retention of the DNA profiles of innocent people is illegal.

Tellingly enough, UK policy in that regard has not changed since the ruling, which is now more than 6 months old. Some 850,000 people are reckoned to have their DNA profiles on the database and their samples stored, despite the absence of either an arrest, a charge or a conviction.

Not that this has been a short-term issue. In one sense, it started 3 1/2 years ago with the introduction of the Serious Organised Crime and Police Act 2005, which removed from English and Welsh law the notion of an "arrestable offence". Essentially, it made all offences arrestable. The measure was described, in December 2005, as maintaining " the crucial balance between the powers of the police and an individual's rights"... by the recently-departed boat-rocker Hazel Blears (then a minister at the Home Office).

In March 2009, a retired senior police officer, David Gilbertson was quoted as follows in this Guardian article:

"People can now be (and have been) arrested and detained under Section 110 for not wearing a seatbelt, dropping litter, shouting in the presence of a police officer, climbing a tree, and building a snowman."

The relevance of 'arrestable offences' here is that if you're arrested, you can be required to give a DNA sample. So, if a police officer really wants a sample from you, all he or she has to do is wait until you do something which can be described as giving rise to an offence (such as climbing a tree, building a snowman or, presumably, stepping on the cracks in the pavement), nick you and swab away.

The police can also ask witnesses and victims to provide a sample "to eliminate them from enquiries"... but once that purpose has been served, current practice has apparently been to retain the samples. In December 2005 the NDNAD included over 15,000 profiles from witnesses who had provided them voluntarily.

So much for context. I mention all this because the latest criticism also comes from a police officer - this time, it's an officer from the Met, who is quoted (here) as saying that people as young as 10 are being targeted for arrest (and therefore DNA profiling) on the following basis:

"It is part of a long-term crime prevention strategy. If you know you have had your DNA taken and it is on a database then you will think twice about committing burglary for a living." [Thanks to the folks at Privacy International for Twittering a pointer to the story]

Aside from the possibility of a challenge under the UK Human Rights Act 1998 (which, as noted above, can end up in front of the ECHR), it seems to me that this policy, if it's real, also violates the data protection principles relating to "purpose of collection" and "purpose of use".

It is, as far as I know, still illegal to require a DNA sample on the basis that someone "might be thinking of committing burglary for a living"; therefore that cannot be a justifiable purpose of collection, and yet it is being cited here as the "purpose of use".

If these news stories accurately reflect the state of UK law enforcement policy in this area, they paint a depressing picture, not least because the ECHR ruling on DNA retention was so unequivocal:

"In conclusion, the Court finds that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention at issue constitutes disproportionate interference with the applicants' right to respect for private life and cannot be regarded as necessary in a democratic society."

The court dismissed all arguments brought by the UK Government, stating that "England, Wales and Northern Ireland appear to be the only jurisdictions within the Council of Europe to allow the indefinite retention of fingerprint and DNA material of any person of any age suspected of any recordable offence".

Common Sense. Departing now from Gate 14...

Last November the government announced its plan to use air-side airport staff as the test subjects in an ID Card pilot programme...

At the time, I thought it was a slightly daft and discriminatory way to test the ID Card scheme. Even the chief exec of London City Airport, Richard Gooding, was quoted as saying that "U.K. airports already have compulsory biometric identification systems" - which seemed to make this a rather pointless change to a presumably working existing system.

The logic hasn't improved over the intervening months, if this article on The Register is anything to go by. Now, it appears, ID Cards will only be issued to new employees - not to existing staff. Let's have a look at some of the possible consequences of this policy:

- those checking identities will have to deal with two different sets of credentials, presumably with different authentication mechanisms and different underlying technology, devices etc.; that is likely to lead to cases where valid credentials are mistakenly refused, or invalid ones accepted. Ironically, in the States, the is keen to reduce the variety (and hence complexity) of credentials like Driver's Licenses, in the interest of more reliable authentication.

- authentication is more likely to revert to 'fall-back' mode: if the card reader for the credential in question is missing/faulty, the card-holder will have to be identified by 'fall-back' means. Ill-intentioned persons will exploit (and even induce) this potential weakness.

- 'duress' attacks on existing employees with legitimate IDs are more likely - because the new ones are supposedly harder to spoof. How nice for them. [Side question: if the new IDs are not harder to spoof, what's the point...?]

- the approach will do little to defuse accusations of discrimination; some people may even object to their employment being made conditional on having a compulsory entry in the NIR, when it is voluntary for everyone else.

- far from identifying a willing and sizeable 'test' population, and thereby gaining some positive critical mass for the scheme, the new policy (of cards for new employees only) reduces still further the chances of reaching critical mass. Unless I'm missing something: has air travel suddenly become the boom sector of the recovering economy without my noticing?

There's another sentence in the Register article which really puzzles me. According to the airline pilots' union, BALPA, after the initial 18-month period "the scheme will be rolled out to all pilots and other airside staff in Manchester and then to all airside workers countrywide."

Manchester Airport is an international one, serving destinations from Aruba to Plovdiv. Its website lists some 66 airlines, many of which are non-UK and several of which are non-EU. How on earth are they going to decide which pilots should be issued with ID Cards? (In the EU, for instance, it is illegal for member state A to insist that the citizens EU member state B hold the national ID card of member state A...).

It all sounds like a pocketful of worms to me.