Monday, 27 July 2009

A pointer to "Tech And Law" blog

Some excellent posts on the Tech and Law blog, which deserves to be in your feed-reader (and not just because I get a mention ;^).

Notably good pieces on:
  • the sensible and other uses of RFID in credentials;
  • the apparent poor maturity of UK ID Card plans relative to those of other EU member states;
  • plans for US Government ID schemes to cater for anonymity and pseudonymity;
  • Conservative plans to get rid of ID databases, not just ID cards...
There's also a post (21st July) on Daniel Solove's recent comments about privacy, gossip and the indelible Web. This is a theme which I think is going to filter into the collective consciousness - and the sooner the better, I think. It's one which I have summed up recently as follows:

There's no such thing as "social networking". There's "social interaction" and there's "networking". If you assume that both operate by the same rules (regardless of how tempting appearances may make that assumption) you're fooling yourself. Admittedly, that's just what a lot of us are doing these days - but we don't yet know what the implications of that mass consensual delusion are.

Anyway, head over to Tech & Law's new URL and have a read. As Chaucer put it:
"Ye get namore of me, but ye wole rede / Th'origynal that telleth al the cas[e]".

Saturday, 25 July 2009

What should appear on an ID card?

Can we really have got this far without a completely clear idea of what human-readable data should appear on a UK national ID card?

It would appear so.

Friday, 24 July 2009

Marketing expertise...

Have been thinking, recently, about how to improve the visibility and image of Future Identity Ltd. After considerable thought, have concluded that the PR agency to engage is whoever it was that came up with the term "Athlete's Foot". Think about it...
"Hey, how would you like to have a high-performance, athlete's foot instead of those merely normal feet you have now?"

"Wow... athlete's feet, those sound much better than normal feet... or 'foot fungus', come to that."
See what I mean? By contrast, think of the humble verruca or plantar wart. Clearly didn't engage the same high-calibre team. Otherwise it would be called something like "amphibious foot"...

Thursday, 23 July 2009

UK e-Borders faces practical challenges

There's a good piece in Computing today on the UK's e-Borders programme - the project to extend and digitise passport checks on travellers heading for the UK. It rightly raises the prospect of challenges to the system over issues like cost, and compliance with EU laws on data-sharing and freedom of movement.

However, there are some foreseeable practical issues as well, and the commercial carriers who will be responsible for much of the 'front-office' implementation are already voicing their concerns. The programme director, Julie Gillis, is quoted as saying that:

“There is no system yet in place for maritime and that’s why they’re not going live until 2010.” Of those implementers who have gone live, she says: “We’ve had no one report to us yet they have suffered problems with queues.”
Facial biometric checking is already included in the system's design, and from 2011 fingerprints are to be added - and the functional requirements mean that the systems to carry out these checks have to be put in place by the carriers at the point of embarkation.

That must be one reason why there's no system in place yet for maritime travellers: the practicalities of checking either facial or fingerprint biometrics for a car-full of passengers - let alone a coach-load - must inevitably mean radical and major changes to the way in which ferry travellers are processed.

With all respect to Ms Gillis, I would say the chance of all maritime carriers going live with such a process in 2010 and reporting no problems with queueing time is zero. If we assume that there is the political will to force through change on the scale (and at the cost) required to meet those objectives, there would still be serious questions to answer about the proportionality of what is being proposed.

Monday, 20 July 2009

UK DNA policy - four uneasy pieces

Some thoughtful challenges to the government's policy plans on DNA retention have appeared recently. The current policy is under review because of a European Court of Human Rights ruling that the retention of DNA from those who are arrested but not subsequently charged breaches EU law.

- Article in the Guardian, arguing that the current policy proposals are based on flawed evidence and interpretation;

- Paper by two professors from Lancaster University, cited in the Guardian article;

- Blog post on Dr Ben Goldacre's "Bad Science" blog with some trenchant criticisms of the Home Office research into the statistics of criminal activity;

And here's the Home Office consultation paper referred to by Dr Goldacre.

Here are a couple of statements I found in these sources, which indicate some of the difficulties of formulating policy statements on the basis of statistical investigation:
"innocent people who have been arrested are as likely to commit crimes in the future as guilty people" - Assertion from the Home Office paper
"half of all crimes are committed by something like 6% of persistent offenders" - comment by Prof. Keith Soothill (University of Lancaster)
I find it hard to see how both of those statements can be true... but then, that's probably why statistics and I have never really got on.

Saturday, 18 July 2009

Is 118800 a red herring?

You know what? I'm actually starting to feel twinges of sympathy for the folks at Connectivity. There are two pieces in the Guardian devoted to the suspension of their mobile directory enquiries services, one from yesterday and one from today.

Now, I'm not trying to argue that basing the service on an "opt out" principle was a good idea - it wasn't. But at least Connectivity set it up in such a way that you would first find out that someone had looked you up, then have the opportunity to decide whether or not to take the call, and then have the option of asking to be removed from the list. All this would happen without the requesting party being told your number. So in a way, there was at least a certain amount of privacy-friendliness built into the protocol. Whether that made it a good idea for Connectivity to be sitting on a database of numbers which might get shared with other service providers is another question entirely.

However, any slight twinges of sympathy at Connectivity's plight are (and should be) rapidly displaced by a concern that all this high-profile coverage is distracting us from a more significant issue: namely, the means by which Connectivity were able to populate their directory in the first place. As I've suggested above, the way they set up their enquiry protocol shows at least some concern for the data subject's privacy. The same cannot be said for those data brokers who handed over their subscriber lists to Connectivity in the first place.

It's just that, as they are not in a part of the food chain which is normally visible to the data subject, they don't come under the same kind of scrutiny as the company which delivers a service direct to the consumer.

For all the focus on Connectivity, we should not pass up on this opportunity to shine the spotlight on the behaviour and regulation of the intermediaries who made Connectivity's business model possible.

Friday, 17 July 2009

Detica MD describes UK privacy debate as "immature"

The MD of UK defence contractor Detica, Martin Sutherland, is quoted in this Register article as saying that the UK privacy debate is 'immature'. (Thanks, by the way, to @privacyint for the pointer to the article).

The argument - at least, as it comes across in the article - is roughly this: the pace of technological advance means that huge amounts of data can and will be collected about you... so there's no point bleating on about data collection: the debate needs to move on to more productive topics, such as controlling what's done with the stored data.

With respect, I think Mr Sutherland's got it the wrong way round. If the current state of affairs is that lots of data about lots of people is collected by default but not well managed thereafter, then fair enough, one step towards maturity would be where lots of data about lots of people is collected by default but is well managed thereafter... but a more mature approach still would be to pre-empt the indiscriminate collection of lots of data by default in the first place.

I agree with him from a technology perspective, but not from a privacy one.

From a commercial perspective, of course, I can see where he's coming from. The article goes on to explain how Detica's data mining and pattern detection products improve the accuracy with which data can be processed and interpreted, and fair play to them - I've seen some of the examples, and it's impressive stuff. But it's only tangentially to do with the UK privacy debate.

What about the policy perspective? Well, this is where I think the article is potentially quite damaging. I have no doubt that Detica's "confidential accounts" use these tools diligently and with great care as to data security, access control and so on. After all, that's what the intelligence services are supposed to be good at. But what about those other organisations who, through departmental dysfunction, crippling bureaucracy, inadequate governance, insufficient resources, poor training or even indifference, do not or cannot do as good a job of managing the data they collect?

For these organisations (and, more important, the citizens and consumers they interact with), the message that 'data collection is going to happen anyway, so take that as read and focus your efforts on data management and access control' is not one which moves the privacy debate any closer to maturity.

It's unfortunate, then, that that message appears to be coming from the head of a contractor in whom policy-makers and government departments (albeit rightly) place so much faith.

Thursday, 16 July 2009

UK ID Cards: Tory policy still confused?

Thanks to Privacy International (@privacyint) again for pointing me to this article about UK ID Card costs in Computing.

The material on costs is interesting, of course, given that that aspect of the scheme has been beset with political wrangling from the start. However, there was another quotation further into the article which caught my eye. Shadow Home Secretary, Chris Grayling, is quoted thus:
"Furthermore, they are not opposed to collecting the information stored on the passports, according to shadow home secretary Chris Grayling. “If we had to have biometric passports, the data would clearly have to be stored.”"
Am I being dense, or is this somewhat missing the point of biometric passports?

Let's take two use-cases: one with a plain paper passport, and one with a chipped biometric one. In both cases, let's assume we want to use, say, a facial biometric to establish that
[P]: the person presenting the passport is the same person to whom it was issued (which is still not a bad definition of "identity" in this context).
For the sake of simplicity, let's also assume that we're dealing, here, only with new-issue passports - in other words, we're not trying to retro-fit a facial biometric check to existing holders of paper passports. It's not a necessary constraint, it just simplifies the example.

In both use-cases, the passport-issuing process involves capturing the facial biometric in question.

1 - paper passport case: on capture, the facial biometric obviously can't be stored in a chip in the passport, so we'll store it in a database, indexed using the passport number. When the passport is presented at the border, we'll capture the holder's facial biometric there, and use the passport number to look up the record we have centrally. If the passport-holder's facial biometric matches the one we have stored against that passport number, it's a pretty good indication that we have established [P].

2 - chipped passport case: this time, when we capture the facial biometric, we'll write it to the passport's chip and issue the passport. When the passport is presented at the border, we'll again capture the holder's facial biometric, but this time we'll compare it directly with the stored value in the passport's chip. Again, if they match, we have reasonable proof of [P].

Anyone notice the missing element in that example? The primary function of the passport can quite satisfactorily be met with no central store of the holder's biometrics. The fact that the user happens to carry their biometrics around with them means that, provided the passport offers a robust and reliable comparison, there's no need to store them anywhere else.

Of course, if they are stored centrally as well as being written to the passport's chip, it may make it easier for a lost passport to be replaced, but that would be a matter of policy choice, not policy necessity. I don't think it is "clearly" the case that biometric passport data "would have to be stored" - certainly not in order to meet the primary functional requirement of the passport.
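To make the two use-cases concrete, here is a toy Python model of both border checks. It is an added illustration, not code from the original post: the passport number, templates and issuer key are constructed stand-ins, facial matching is modelled as a Hamming-distance threshold, and an HMAC stands in for the issuer signature a real scheme would use (so that the border only needs the issuer's public key). The point it shows is that the chipped flow takes no registry at all, but only if the chip's template is bound to the issuer.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical issuer key for the demo. A real scheme would use a public-key
# signature; HMAC stands in here because it is in the standard library.
ISSUER_KEY = b"constructed-demo-issuer-key"

# Toy facial "template": a fixed-length byte string. A live capture of the same
# face is modelled as the enrolled template with a few bits flipped.
TEMPLATE_LEN = 32
MATCH_THRESHOLD_BITS = 12  # max Hamming distance still accepted as "same person"


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def templates_match(stored: bytes, live: bytes) -> bool:
    """Biometric comparison: near-identical templates match, distant ones do not."""
    if len(stored) != TEMPLATE_LEN or len(live) != TEMPLATE_LEN:
        return False
    return hamming_distance(stored, live) <= MATCH_THRESHOLD_BITS


def issuer_tag(passport_number: str, template: bytes) -> bytes:
    """Issuer MAC binding the template to the passport number (stand-in for a signature)."""
    return hmac.new(ISSUER_KEY, passport_number.encode() + template, hashlib.sha256).digest()


@dataclass(frozen=True)
class ChipRecord:
    """What the chipped passport carries: the template plus the issuer's binding tag."""
    passport_number: str
    template: bytes
    tag: bytes


# --- Use-case 1: paper passport, template held centrally ---------------------

def issue_paper(registry: Dict[str, bytes], passport_number: str, template: bytes) -> None:
    """Enrolment for a paper passport: the template can only live in a central store."""
    registry[passport_number] = template


def verify_paper(registry: Dict[str, bytes], passport_number: str, live: bytes) -> bool:
    """Border check [P] for a paper passport: needs a central lookup by passport number."""
    stored: Optional[bytes] = registry.get(passport_number)
    return stored is not None and templates_match(stored, live)


# --- Use-case 2: chipped passport, template carried by the holder -----------

def issue_chipped(passport_number: str, template: bytes) -> ChipRecord:
    """Enrolment for a chipped passport: write the template to the chip, keep nothing central."""
    return ChipRecord(passport_number, template, issuer_tag(passport_number, template))


def verify_chipped(chip: ChipRecord, live: bytes) -> bool:
    """Border check [P] for a chipped passport: no registry parameter, because none is needed.

    The caveat behind "a robust and reliable comparison": the chip's template
    must be bound to the issuer, otherwise a passport could carry any template.
    """
    expected = issuer_tag(chip.passport_number, chip.template)
    if not hmac.compare_digest(expected, chip.tag):
        return False  # template altered, or never issued by this issuer
    return templates_match(chip.template, live)


# --- Constructed sample data --------------------------------------------------

def sample_data():
    enrolled = bytes(range(TEMPLATE_LEN))                  # holder's template at issuance
    live = bytearray(enrolled)
    live[0] ^= 0b00000111                                  # same face, 3 bits of capture noise
    impostor = bytes(255 - i for i in range(TEMPLATE_LEN))  # every bit differs from enrolled
    return enrolled, bytes(live), impostor


if __name__ == "__main__":
    enrolled, live, impostor = sample_data()
    registry: Dict[str, bytes] = {}
    issue_paper(registry, "P123", enrolled)
    chip = issue_chipped("P123", enrolled)
    print("paper, genuine :", verify_paper(registry, "P123", live))  # True
    print("paper, no store:", verify_paper({}, "P123", live))        # False: nothing to check against
    print("chip, genuine  :", verify_chipped(chip, live))            # True, with no database at all
    print("chip, impostor :", verify_chipped(chip, impostor))        # False
    forged = ChipRecord("P123", impostor, chip.tag)                  # impostor's template, original tag
    print("chip, forged   :", verify_chipped(forged, impostor))      # False: issuer binding fails
```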

Fortunately, there is still time for Conservative policy here to evolve before there is any prospect of it getting a shot at implementation.

Monday, 13 July 2009

Mobile Directory Enquiries still broken

Over the weekend, prompted by a message from @wendyg, I had another go at checking whether my details are on 118800, the UK online directory of mobile phone numbers which has excited so much comment over the past few months. Their website was down, though, and according to this article in today's Guardian, it had been laid low by the number of people trying to unsubscribe.

Well, I think that tells us what we need to know.

1 - if the sheer weight of "negative demand" is enough to crash the site, it should seriously call into question whether the subscribers (who are, after all, the data subjects here) want this service to exist;

2 - it should certainly raise serious doubts - not least with the Information Commissioner's Office - about whether it's acceptable for a service like this to be established on an "opt-out" basis, rather than making it the default that people should have to opt in if they want to be included in the directory.

To me, this suggests that 118800's operating model is broken, not just their website.

In their defence, I expect that 118800 will make two points: first, that they don't disclose the data subject's phone number: they only offer to connect the caller, and that only if the data subject consents to receive the call. Fair enough, but I'm afraid my reaction the first time I receive one of those requests will be to decline it and request that they take me off the system.

Second, they will probably repeat that the numbers they hold are in the public domain already, having been obtained from (among others) market research companies and list brokers. The issue here, to my mind, is one of informed consent. I can honestly claim that I have never knowingly disclosed my mobile number for the purpose of having it listed in a directory enquiries service.

That, if nothing else, should give the ICO some basis on which to look at the legality of the system, under the second Data Protection Principle:

"Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes."
I think mobile subscribers could also expect the ICO to give a view on whether the proposed 118800 service represents good practice, whether or not they consider it to be legal.

US RFID credentials - update

I blogged back in February about Chris Paget's successful attempts to read US-issued RFID credentials while simply driving past their owners... so I was a little surprised to see the same "news" cropping up in this article from Saturday's LA Times. However, by the fourth paragraph they did acknowledge the date of Paget's experiment, so I read on - and there's plenty in the rest of the article to make that worthwhile.

I owe @haroonalrasheed, by the way, for the link to the LA Times article, and I regret that, like him, I am quite unable to come up with a sensible interpretation of this quotation from the CPO of the Dept of Homeland Security:
The purpose of using RFID is not to identify people, says Mary Ellen Callahan, the chief privacy officer at Homeland Security, but rather "to verify that the identification document holds valid information about you."
There I was thinking that the clue was in the acronym.

The article is particularly interesting on the subject of read distance. It seems that each time the implementing departments publish a figure, researchers have consistently succeeded in reading the cards from much further away - whether that's a yard instead of 4 inches, or 30 feet instead of a yard (1 metre, 10 cms, 10 metres respectively, if you are decimalised).

Those are just the numbers for trying to read the chip directly. In another experiment, the researcher went for the communications link between the chip and the reader instead, and is reported as having intercepted that traffic successfully from 160 feet away (50 metres). I haven't tracked down the research paper in question, so can't check, for instance, whether that was direct interception or whether, as proposed in this 2005 paper by Hancke and Kuhn, it makes use of 'relays' to extend the distance between the eavesdropper and the chip. Bear in mind, though, that in the most common places you would expect to show your passport - that is, at an airline check-in counter or at an airport security check - there is generally somewhere within 160 feet where it is perfectly legitimate for someone to be using a laptop...

(If anyone has a link to the "160 foot intercept" paper, perhaps you could include it in a comment).

Apart from the continuing bickering over read distance, then, what conclusion can one draw? Principally, I think, that any form of remote reading raises significant and legitimate concerns over user awareness and therefore consent. It's clear that the confidentiality of embedded RFID chips has to reside in factors other than distance - and equally clear, from the article cited, that different implementations are being designed with different levels of protection against interception. I have yet to see one, though, which offers the user any information about or control over when the chip is read, and I think that is a fundamental design flaw.

Friday, 10 July 2009

An accurate (non-biometric) picture

At last, there's an article which thoroughly exposes some of the nonsense which has been talked about ICAO (International Civil Aviation Organisation) 'requirements' and biometric passports. It's by John Lettice, writing in The Register, and was rightly tagged as "UK ID article of the week" by the folks at Privacy International.

While John's primary purpose was to compare the stated policies of the 3 main UK political parties on ID cards and the National Identity Register, in doing so he offers a lucid and compelling analysis of the difference between what ICAO requirements for travel documents are intended to achieve, what they actually mean for the UK, and what we have been told about them.

The reason this is worth drawing attention to (and the reason it exercises me so much) is that for several years now, UK policy statements have been made which go roughly like this:

"We understand (but don't necessarily care) that proposals for the capture and storage of citizen biometrics excite distrust and concern, but our hands are tied... we're just doing what ICAO requires".
Rather than try to re-hash John's excellent analysis, I will simply recommend that you read the article.

Wednesday, 8 July 2009

IP@ = PII v ¬PII?

Apologies for the rather opaque title of this post. In its expanded form, it would read something like this: "IP addresses: are they personally identifiable information within the meaning of the law, or not?"... but that would be a bit long.

The question is prompted by the latest legal ruling on the subject, this time from a US federal judge in Seattle, issuing a written decision in a class-action case between consumers and Microsoft. The judge ruled that they are not: IP addresses identify computers, not people, he concluded, and therefore do not constitute personally identifiable information.

I think there's a technical and a pragmatic side to any discussion of this conclusion. Technically, the argument could well rumble on; after all, if I tell you the IP address "192.168.1.1", does that identify anything, let alone a person versus a computer? It is probably recognisable as the default starting point for the IP address range behind the average domestic firewall/router. So, the address "192.168.1.1" doesn't uniquely identify any computer... but then again, the address the firewall/router exposes to the ISP doesn't uniquely identify any of the computers it shields, either... so on examination, the judge's argument doesn't stand up - as presented, at least.

Does the pragmatic approach fare any better? Well, in some jurisdictions the argument has already moved on. In some EU member states, the current position is closer to this: IP addresses constitute personally identifiable information if the entity processing them can reasonably be considered to have access to data, linkable to the IP address, which would identify an individual. That makes a certain amount of sense, in that ISPs, for instance, need to establish enough of a link between an IP address and an individual to send them a bill. On the other hand, it doesn't prove that the person responsible for paying the bill has anything to do with the internet traffic terminating at that IP address (for instance, I might pay for my child's broadband subscription while they are at college). As a little experiment, try visiting Dave Birch's blog, here. While you're there, incidentally - check out the content; it's excellent. Then have a look in the right-hand margin, and see how close Feedjit gets to personally identifying you. In my case, it gets as far as the neighbouring town - about 5 miles away - and therefore lumps me in with a population of over 60,000 people.

In the sense of "IP addresses being sufficient to uniquely identify an individual", then, the pragmatic approach doesn't look too healthy either. However, where I think it scores is in its ability, potentially, to make the decision conditional on other factors - such as, in this case, how much other data the IP address can be linked to by any given party who sees it. After all, it's reasonable to assume that the ISP, in this case, can more easily work out who a given IP address is assigned to than could the man on the proverbial No.38 bus (Victoria to Clapton, via Piccadilly and Angel, incidentally).

In other words, if you are the data controller for both the IP address and the billing data, you would do well to behave as though the IP address was PII. That seems reasonable enough. In some cases, it may mean being able to prove that you have taken steps to prevent one from being linked with the other. That seems reasonable enough, too.

Looking a little further down the line, though, the pragmatic approach will run into some interesting obstacles. The same logic, after all, will mean that in some circumstances the words "Yes" and "No" will need to be treated as personally identifiable information. For example, suppose you are in a position to link the following pieces of data:

  • Individual (subscriber, patient, etc)
  • Question (Is this individual over 18?)
  • Answer (Yes/No).
Good practice (read Dave Birch's piece on Psychic ID for a great example) is to reduce disclosures of personal attributes to Yes/No answers to closed questions... and that's both a laudable ambition and a good design objective. It won't solve the "what is PII?" riddle, though.

Tuesday, 7 July 2009

Life at the sharp end

There is probably an old rural proverb to the effect that, if you go into a bramble-patch head first, sooner or later you will only be able to get out of it again arse-first.

The continued wrangling between opposition and Government spokesmen on the National Identity Scheme confirms a couple of things: first, that it's a complex and contentious topic, and second, that having woven further complexity into aspects such as the cost justification and the cost structure of the scheme, it is now extremely hard for the government to back out of any specific area without appearing to be leading with its posterior.

For example, today comes the news that the price of a new passport is to rise by 7%; this is ascribed to a 'shortfall in revenue because of lower-than-expected demand'. Ah, the traditional market-led response: if fewer people are buying your semi-discretionary product, the thing to do is bump up the price for those saps who are still your customers. Unfortunately, the price of passports is not market-led: it is, at least in part, tied to plans for the National Identity Scheme... a linkage which has its origins back in the days when the then Home Secretary was keen to hide chunks of the cost of the ID Card among the figures for other credentials.

The current Home Secretary, heckled and harried by Messrs Grayling and Huhne, is being challenged to ditch many of the previous justifications for the ID Card (now that that will no longer be compulsory), and fall back on 'prevention of identity fraud' - this being a goal which seems to offer a pay-off to both the individual citizen and the economy as a whole. But do the implications of this position bear scrutiny?

For example, if I suffer from identity fraud (say, someone runs up debt in my name), will the National Identity Scheme stand liable to make good my losses? And will it do so only if I have voluntarily registered for an ID Card, or will it also do so even if I have 'only' been involuntarily included on the National Identity Register by virtue of having, say, applied for a passport or other 'designated document'?

If not (as seems more likely), then who will pick up the ID fraud tab for those who have ID Cards? And for those who don't but are on the NIR?

The trouble with backing out of a thorn bush is that you encounter many of the same thorns as you met going in... but in a rather more tender part of the anatomy.

Thursday, 2 July 2009

In the interests of balance...

Given that I've posted a couple of times about Alan Johnson's recent ID cards announcement, it's only fair to point you to his piece on the Guardian site today. It certainly refutes any allegation of a U-turn in one respect; the opening sentence is one we've seen from every Home Secretary since the Scheme was conceived:
"Our identity, the information that makes us unique, is something that we get called upon to prove each day, when we are opening a bank account, renting a flat, proving our right to work."
Please, Alan, can I stop you there? Two counter-examples to this assertion:

1 - 2/7/2009: Went to local chartered accountant to see if they would be a good firm to do the books for Future Identity. Needed to provide proof of identity for anti money-laundering compliance (compliance on his part, that is... I have no idea if he's a money-launderer...). No problem. One passport (already got one), one page of bank statement. Job done.

2 - 1/7/2009: Went to Houses of Parliament to attend Privacy APPG meeting. No need to prove identity. Their priorities are:
  1. have you got anything dangerous in your briefcase/briefs, and
  2. do you know the number of a room in the Palace of Westminster?
Having satisfied themselves on those two points, they let me straight in.

OK; in the first instance, I needed to prove my identity, but had no difficulty doing so without an ID card - and I could have presented my driving licence or either of a couple of other photo IDs I already possess. Net value-add of ID card: zero.

In the second case I didn't need to prove my identity at all, despite wanting to gain access to one of the most protected buildings in the country. I had to indicate my entitlement (and that only in the vaguest possible terms), and that I did not present a threat. Net value-add of ID card: zero.

Of course, these two examples are entirely unfair and un-representative. Normal passport use aside, it is extremely rare that I have to prove my identity at all. The last 36 hours have just been most uncommon in that regard.

Now, there may indeed be people who daily apply for a new bank account, flat, job or passport. My advice to the Home Secretary is... those are the buggers you want to keep an eye on.

Main-stream, Schmain-stream...

I know it's trendy to bitch about the Main-Stream Media, but in my opinion they are spot on sometimes:

"A glance at some of the papers yesterday [sic] might have led you to believe that something truly momentous had happened: Alan Johnson, the shiny new home secretary and sometime last-resort leadership hope of desperate Labour MPs, had finally rid the government of its self-imposed policy millstone and binned the ID card scheme. If only. What Mr Johnson did instead was something much more modest, but which nevertheless erodes yet further the government's case for the identity database.

...
Of all the bits that go towards the £5bn ID project, however, the bit of plastic was both the most visible and the least important. Two other aspects were considerably more important: the biometric technology which is anyway going into new passports and driving licences, and the identity database." The Guardian (Editorial, 2nd July 2009)

"Mr Johnson's announcement is probably sufficient to make the roll-out of any ID card fall below critical mass.

...

All that having been said, Mr Johnson's announcement signals less of a policy climb-down course-change than it might appear. There is, for instance, no change to the plans for a National Identity Register, and anyone applying for a UK passport will continue to have their details entered in that repository. Similarly, there's still no apparent change to the policy on DNA retention, despite the European ruling earlier this year... though perhaps it's a little unreasonable to expect two major climb-downs course-changes in quite such short succession." Future Identity (blog post, 30th June 2009)

Come on, chaps... keep up! ;^)

Wednesday, 1 July 2009

Intrusive Money Pit?

On June 10th I blogged about one way in which straitened economic circumstances can influence policy – and some of the likely effects that could have on governance. I used the example of the Government's plans to make ISPs and telcos collect and retain data about users' visits to third-party sites such as social networking services.

As I mentioned yesterday, I was at the House of Commons today for the first open meeting of the All Party Parliamentary Group on Privacy (Privacy APPG), as a result of which I need to reframe part of what I said in that previous post. Today's meeting was to discuss the implications of IMP - the government's proposal for an Interception Modernisation Programme, extending their current phone-tapping capabilities into the worlds of VOIP and social networking, among other things. You can read their background paper on IMP at http://www.privacyappg.org.uk/Meetings.html. (Contrary to rumour, IMP does not stand for "Inspect More Packets"...)

My original analysis was this: in an attempt to save the cost of setting up and operating a centralised repository of this telecommunications data, recently-departed Home Secretary Jacqui Smith announced that the responsibility for collecting and storing the data would be passed on to commercial network operators – who would hang onto it for a specified period in case the law enforcers wanted to trawl it for evidence. I felt this move to a distributed system was likely to increase risk by making the governance regime very much more complex.

However, it turns out that there is a precedent, in the implementation of the Regulation of Investigatory Powers Act (RIPA), for the government funding the telco operators for their part in putting the legislation into practice. One participant estimated the current government funding for this activity at between £30 million and £40 million a year.

If the same approach were to be adopted for IMP, then I would have to change my analysis to run as follows: by devolving responsibility for IMP operations to the telcos and then funding them to do it, the government would not only increase the risk of ineffective governance (and therefore the risk of privacy violations and inappropriate access)... it would do so without saving any money. In fact, managing the governance regime for a distributed, heterogeneous system operated by various third parties would be most likely to cost more.