Lord Meddlesome?

Somewhat to my surprise, "three strikes and out" turns out not to be Lord Mandelson's latest contribution to the postal dispute.

Considering all the state roles which encumber Lord Mandelson, Baron of Foy in the County of Herefordshire and of Hartlepool in the County of Durham (at the last count: First Secretary of State; Secretary of State for Business, Innovation and Skills; President of the Board of Trade; Lord President of the Council), I suppose he can hardly be blamed for taking his "disconnection of downloaders" policy out of the oven while it was still only half baked.

Still, it does seem unusually hapless, for reasons including those set out in Lilian Edwards' excellent post here.

As Lilian suggests, the proposed law seems to place an enforcement burden on a householder, to compensate for ISPs' inability to narrow down exactly who might be responsible for a given download.

It looks to me as though the proposals will need to include the creation of a new offence, viz. "Failure of the subscriber to control the behaviour of any individual who gains access to the subscriber's domestic internet connection". That should give rise to some fascinating case law.

Then there are the other, slightly more esoteric technical options - such as infecting a home PC with malware capable of downloading material and then forwarding it to the attacker's destination of choice via a peer-to-peer connection; or an insider attack at the ISP - associating illegal download activity with the domestic account of someone who had nothing to do with it...

These may be less probable attacks, but they are certainly feasible - and the higher the stakes, the greater the incentive for an attacker to consider ways of landing some unsuspecting, legitimate subscriber with the disconnection notice. After all, what tools does the average householder have at their disposal with which to disprove such an accusation from the ISP? Again, I look forward to the first court cases on those ones.

I appreciate, of course, that this is 'just' another of those classic instances where there's a fundamental fracture between the policy-makers' understanding and what is realistically feasible in terms of the technology. That said - if Lord Mandelson claims the mandate to set out a strategy for a Digital Britain, I think we're entitled to expect that the strategy should be well-founded on a robust understanding of the technology involved.

Nominated for ComputerWeekly blog awards 2009...

Very happy 8^)

I got shortlisted last year, which was fantastic (but of course there was the factor that I could trade off Sun's reputation as well as anything I wrote...). Since I set up Future Identity, this blog has only been going for under a year, so I am all the more delighted to be nominated this year on my own account.

This year I'm in the IT Consultant and Analyst category. Typing that and reading it back still has a slight aura of unreality about it... but in a good way.

Fingers crossed to make it onto the shortlist... but whatever happens, I'm already chuffed.

One other thought...

The BBC (and David Dimbleby) have also been criticised for putting on what some people saw as little more than an exercise in "bear-baiting".

It reminded me of a quotation cited by the luckless tutor who had to prepare me for an Ethics paper years ago:

"The puritan hated bear-baiting, not because it gave pain to the bear, but because it gave pleasure to the spectators." (Thomas Macaulay)

OK... the BNP on Question Time thing...

I'd been wondering whether to say anything about this, but on balance I think there are a couple of points worth drawing out.

As some of my Twitter Fellows* have been remarking, it's all too easy to be seduced into thinking that, just because all the opinions you might happen to see might happen to co-incide with yours (and why not, since that's probably why you follow each other in the first place), that must reflect the broader view. As it is, there also appears to be plenty of evidence, via online comment channels, that quite a number of people either agreed with Griffin's views anyway, or disagreed with them but felt he was not given a fair ride.

It's also interesting that someone, somewhere, sees a villain in every single player in this little drama. Here are some of the criticisms I've seen so far:

• the BBC should not have given the BNP such a publicity platform in the first place;
• Dimbleby should have been more even-handed and protected Griffin from some of the gang-ups (and not weighed in with a couple of deft jabs of his own, to boot...);
• Jack Straw's got no business cricitising anyone else's immigration policy, because Labour have made such a hash of their own one;
  
• The rest of the panel (with the possible exception of Bonnie Greer) are hypocrites for papering over their own differences to gang up on Griffin;
• The audience were un-representatively hostile (which is either their fault, or the BBC's, or both...);
• The protesters outside were interfering with free speech, or Griffin's opportunity to be held accountable, or both...
• ... and so on.

If I have a criticism of the BBC it is that, having decided to go ahead with the programme, they then did as shameless a job of padding and puffing it as any X-Factor final. Driving back from the airport last night, every news bulletin trailed the broadcast, and such a slab of "The World Tonight" was dedicated to it that, by the time it actually aired I felt that I'd heard most of the material already.


I suspect the bottom line is this: I have yet to see anything, anywhere, from anyone to say that the programme changed their mind with respect to Mr Griffin's views - either in one direction or the other. Even in our televisually-mediated society, then, you can put a racist, revisionist bigot on air for an hour and still not convince his sympathisers that he's beyond the pale.

On that basis, it has to go down as a failure.


*Fellow (n): someone who is either a 'follower' or 'followee' of yours on Twitter... (if someone else hasn't already coined it, you saw it here first, folks ;^)

Identity versus attributes

I've had several conversations recently, including one at the TERENA/EMC2 (higher education federation) workshop in Rome yesterday, which suggest that we are gradually overcoming some of the adoption barriers to attribute-based authorisation.

That might sound a bit dry and esoteric, but actually it's a Good Thing, and intuitively simple. To try and put it in a nutshell: for an awful lot of service access decisions, it's not actually important to know who the service requester is - it's usually just important to know some particular thing about them. Here are a couple of examples:

• If someone wants to buy a drink in a bar, it's not important who they are, what's important is whether they are of legal age;
• If someone needs a blood transfusion, it's more important to know their blood type than their identity...

In the past, of course, unique identifiers have been used as a way to index that attribute data. You tell me who you are, and I'll look up the record which associates that identity with all the attribute data I hold about you. Then I'll make an entitlement/access control decision based on that information.

For understandable reasons, that approach tends to lead to a very disclosure-heavy design. If the first thing I have to provide you with is the index to all the data you hold about me, every request for a service implicitly unlocks everything about me, rather than only that information relevant to this request. In simple and/or hierarchical relationships, and when communication between multiple parties is difficult or impossible, this is a rational (and sometimes perhaps the only) way to do things.

However, the internet undermines some of those assumptions: online service provision relationships are often neither simple nor hierarchical; multi-party communication and transactions are the norm.

The problem is, we've ended up by default with the worst of both worlds. We have all the disclosure-heaviness of the previous model, plus the promiscuous communication of the web. And that's why I think the increasing awareness of attribute-level assertion is so important. It offers far better ways of having multi-party transactions take place with selective disclosure of the user's data.

That's not to say that attribute-level assertions are the panacea. There are still knotty problems to resolve, even if we adopt that approach; for instance:

• managing user consent and control;
• making selective disclosure appropriate to each given context;
• defining and enforcing 'sticky policy', to protect users' preferences even after the data has been disclosed;
• catering for transactions which involve multiple different levels of assurance;
• defining appropriate metaphors to represent all this to the user...
  
• ... and so on.

But the signs are positive. Awareness that attribute-level assertions are a key component is a vital first step, and it is heartening to see that awareness rising and becoming increasingly widespread.

Retention versus rehabilitation

There's news today about five UK police forces who appealed against a ruling that they should delete information about criminal offences from their databases. According to the appeal court judges:

"If the police say rationally and reasonably that convictions, however old or minor, have a value in the work that they do, that should, in effect, be the end of the matter"

With all due respect to their Lordships, I don't think it should.

They found that if the data retained could be of use to the police, no matter how old or minor the offences in question, then retention was permissible.

Let's look at the question of 'minor offences' first. In one instance cited in court, the police still held a record of the theft, in 1984, of a 99p packet of meat - for which the offender was fined £15. Under those circumstances, keeping a record of the offence 25 years later is surely just disproportionate.

But what of the age of the offence? This is the aspect I find most confusing, and in conflict even with the police's own FAQ database. Here's what that says about spent convictions. It clearly states that the purpose of the 1974 Rehabilitation of Offenders Act is to ensure that former offenders' lives are not permanently blighted by their past actions if they are subsequently law-abiding. It also notes that there are circumstances when a conviction may never become spent (if it has resulted in more than 2 1/2 years in prison), and that for some kinds of work (such as work with children or vulnerable adults) you may have to disclose past convictions even if they are spent. Those conditions aside, though, the website is unequivocal:

"a person who has spent convictions does not have to disclose the conviction to prospective employers"

And there's a page which says that, if you have been given a caution, that caution is considered to be spent immediately:

"This means that if you are asked on an application form if you have a caution you can reply 'no'. "

There's even a page on the Police FAQ which explains what you can do to request that information about spent offences be removed from the record.

The Police FAQ also links to this Liberty table, which sets out the time-table according to which different offences are regarded as spent. In the case of the person fined £15 for taking the packet of meat, that would have been 5 years, halved to 2 1/2 years because the person was under 18 at the time of the offence. And yet, information about the offence is still on the record, 23 years after it was legally non-existent.

Let me just repeat their Lordship's ruling:

"If the police say rationally and reasonably that convictions, however old or minor, have a value in the work that they do, that should, in effect, be the end of the matter"

Dickens had Mr Bumble assert that "the law is an ass". In this case, though, the law appears to be quite sensible and clear. The same can't be said for the way in which it has been interpreted.

Ethics and warmth

I just found this quotation from David Hume:

“it is only from the selfishness and confined generosity of men, along with the scanty provision nature has made for his wants, that justice derives its origin.”

Scanty provision, eh? Is this why so many ethicists come from the barren northern climes*, and rather fewer from Hawaii and other places where nature's provision is less scanty?

*Descartes, for instance, used to withdraw to the interior of a large oven to work in warmth; Diogenes (who came from balmier latitudes, but lived in a barrel) was once asked by Alexander the Great whether the latter could do anything for him - "Yes", said the philosopher... "get out of my sunlight".

Economic forecast: cheap rugs and healthy eating ahead

Parliament convened yesterday for (among other things) the first Prime Minister's Questions since MPs' summer break. Liberal Democrat MP Bob Russell called on Gordon Brown to 'take some leadership in encouraging the export of goods from Afghanistan'.

Although the Prime Minister and other speakers had mentioned the matter of Afghan heroin, it's worth just putting things in perspective. According to the IMF, the principal 2006/2007 export figures for Afghanistan were:

• Carpets: 187,000,000
• Dried fruit: 126,000,000
• Fresh fruit: 39,000,000

According to a recent report by the US Congressional Advice Service, the UN estimate for 2008 (which it describes as having fallen from "all-time highs" [sic] in 2006/2007 was:

• Opium and derived narcotics: $3,000,000,000

That's an awful lot of fruit and carpets.

Counting 'em in; counting 'em back out again

According to this article in the New York Times, Congress is concerned that US Immigration and other law enforcement officers are having a hard time tracing those foreigners who enter the country and then stay beyond the period specified by their terms of entry. To be honest, I can't see why that is a surprise to the elected representatives; if anything, it simply suggests that they have no experience of the entry process in question. As someone who has been through it a few times now, perhaps I can offer some enlightenment:

• on entry, the visitor is invited to give a street address for their first night's stay in the US. A hotel address is fine... and of course the chances that the Immigration officer will be able to spot a non-existent or invalid address are zero.

• the visa waiver form offered to UK citizens has been revised this year, and now asks for a mobile phone number and an email address where you can be reached. Frankly, I thought this was an impertinence and left it blank... but I have not yet been challenged for doing so.

• on exit from the US, as the NY Times article points out, visitors are supposed to hand in the counterfoil of their entry form... but the process for doing so is unreliable. In my experience, the check-in clerk usually removes it from my passport - though these days, with self-service check-in, home-printed boarding passes and so on, I have no idea what I would do with the counterfoil if I were travelling with just hand-luggage.
  

In fact, a couple of visits back, my counterfoil was left in my passport on exit. I pointed it out to the Immigration officer on my next arrival and got mildly reproached, but was still allowed in. According to the Dept of Homeland Security, most counterfoils (92.5%) are returned correctly. But if one were to rely on that figure alone, the number of people whose exit status is indeterminate would be some 2,925,000.

As you may gather, I tend to be horribly law-abiding in this regard (mainly because the authorities can make your life disproportionately grim if they think you're arsing about) - but even so, I have at least once (as above) ended up in that 'indeterminate' immigration status. On that basis, imagine how easy it must be for someone who is intent on dropping out of the system.

No smoke without fire...

The NASA mission to belt the moon really hard with a large hammer seems to have excited just about everyone:

• The astronomy geeks are excited because it could tell us interesting stuff about the moon, the possible presence of water in some form, etc.
• The scientists are just excited because it's making somthing go ka-boom, which is what they like best, let's face it, whether we're talking about sub-atomic particles, dynamite or caravans.
  
• The policy wonks are excited because they're trying to work out whether this violates a UN Treaty regulating "activities on the Moon and other celestial bodies".
• The conspiracy theorists are having a field day, because for them, this is a de facto declaration of war on the extra-terrestrials who shadowed every moon mission...

As for me, I can't shake the image of a couple of NASA planners having a meeting:

Bob*: "Say, what do we know about the moon... I mean, really know... not just from staring at it, or scratching around on the surface?"

Bill: "Unh, I dunno... not much, I guess. Like, is there water there, but it's just stuck to all the particles of dust instead of being an underground lake...?"

Bob: "Like in Dune, right?"

Bill: "Right... underground lakes would be cool"

...

Bill: "So... how about we pound on it with, like, a really big rocket?"

Bob: "Yeah... let's do it!"

And the tragedy is, the caricature wouldn't leap so readily to mind if there weren't a germ of truth in it somewhere.

There's no smoke without fire... and apparently there's no plume of steam without a big ****ing explosion.


*Thinking of Bill and Bob... the names were not chosen entirely at random. Some years ago I was sent for a couple of 5-week projects to IBM Poughkeepsie. While there, my co-assignees and I noticed that periodically the PA system would come to life, and a pleasantly-modulated female voice would say: "Bob Molson: 13-12-24; Bob Molson: 13-12-24". Or, another day, "Bill Molson: 14-29-37; Bill Molson: 14-29-37".

Out of idle curiosity we checked the online employee directory, but found no Molsons... and the numbers didn't appear to correspond to internal extensions either.

We never did find out what the PA announcements were about. Perhaps it was just someone's little Dada-ist "jeu d'esprit", like the mysterious radio announcements in Jean Cocteau's "Orphée".

A nice distinction

I see from this article on Pinsent Masons' excellent "Out-Law" site that UK online banking fraud was up by 55% to £39m for the first six months of this year (relative to the same period last year). The payment card figures are down - which the acquirers will doubtless attribute to chip and PIN, and suggest that that is 'squeezing' fraudsters towards more lucrative attack vectors. Though, to put that in perspective, fraudulent 'card not present' transactions still accounted for £134m of reported loss.

According to the article, the vehicles of choice are phishing (up 26% on last year) and malware attacks on users' computers.

The Financial Fraud Action group of the UK Payments Association had this to say:

"The increase is largely due to criminals employing more sophisticated methods to target online banking customers through malware scams – which target vulnerabilities in customers’ PCs – rather than the banks’ own systems which have proved more difficult for the fraudsters to attack."

And there's where I have a nit to pick. After all, if a bank extends its service, online, so that the point of delivery is the customer's PC, the distinction between "attacking the user's PC" and "attacking the online banking system" becomes a pretty fine one.

Up to a point, I see exactly where they're coming from: after all, if someone manages to get a keystroke logger onto my PC, the damage is done to a component which is not under my bank's control. On the other hand, if that is going to be used to justify transferring liability from the bank to me (as happened with chip and PIN) for transactions undertaken through my PC, then I would not be happy at all.

Online banking is convenient for me, yes - but it also saves the bank an enormous amount of cost, effort, staff, premises and so on and so forth. Most banks' retail branch networks are now so skeletal that if everyone switched back from online banking to branch-based transactions, the banks would simply collapse under the workload. Don't get me wrong - I'm not suggesting that bank clients either want to or should do that: just that the online banking benefit flows both ways, and the banks need to acknowledge that when they consider how to mitigate the risk of PC-mediated fraud.

What a croc

There's a characteristically entertaining and acerbic piece from Maureen Dowd on the NY Times site at the moment. As usual, it's spiked with barbs of insider-ish gossip, but this time they are quoted, rather than culled directly by her.

One of her sources is Matt Latimer's "Speech-less" - an account of his time as part of George W Bush's speechwriting team (also reviewed, as it happens, on yesterday evening's edition of Radio 4's Front Row - podcast available here). One vignette Dowd picks out is of W 'padding around the White House in Crocs' - an image which, as she says, is hard to get out of your mind once it's in there.

It reminded me of the last time I arrived at Narita airport: at the top of the first escalator we encountered after getting off the plane, there was a warning (in English) to wearers of "vinyl shoes" that they should take care not to get snagged in the escalator and mangled to death. Well, it didn't actually spell out that last bit, but there was a helpful picture of a Croc-clad foot.

Now, I have no wish to be gratuitously insulting to Croc-wearers, but I couldn't help thinking that those of us with other footwear (even shoes with laces, forsooth) have mostly worked that out for ourselves by the time we're old enough to walk on and off a plane.

Then again, W's mental edifice was always dogged by accusations of being somewhat sparsely tenanted. After all, it bodes ill when an adult human is bested by a small pretzel, for instance. I did love the irony that "Bonesman" Bush should have been laid low by the closest thing the biscuit world has to a miniature skull-and-crossbones.

Those publication deadlines...

Thankfully, I completed my writing assignments in the time I ended up being able to devote to them - one article was actually in by the requested deadline (!) and the other one was late, but not so late that the editor gave up on me. Phew.

This is what comes of promising people an article/chapter/white paper when there's no fee-paying work in the pipeline... and then having to deliver after said fee-paying work has turned up with its own little set of imperatives. Still, such is life; no-one said it would be easy, and - as the archetypal British infantryman puts it - "if you can't take a joke, you shouldn't have joined up...".

I'll let you know when the articles in question are in the public domain - though, of course, the other thing I'm learning is that they end up hedged about with copyright clauses limiting what I - the author - am entitled to do with my output. What's that all about, in the age of personal internet publishing?

One is about "What's happened to PETs?" (Privacy Enhancing Technologies) and the other is a more general look at Identity Management: where is it, how did it get here, and where might it be going next.

The last thing I'm finding is that the whole process of doing the research (literature review, collecting references and citable material) - and then reviewing your own thoughts in the light of other people's - is a sure-fire way of generating yet more thoughts which just add to the backlog of papers to be written. Sigh. That said, the next paper should be a cracker. As to its subject - well, given what I've just said about the bizarreness of having to cede copyright just to have someone else transfer my work to sheets of compressed vegetable matter, you'll just have to wait and see. I may just crack and publish it here first.