<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-4450154254120336229</id><updated>2012-01-27T19:17:29.202Z</updated><category term='liberty'/><category term='encore'/><category term='PII'/><category term='anonymity'/><category term='Liberty Alliance pseudonymity personas'/><category term='identity'/><category term='security'/><category term='federation'/><category term='igf'/><category term='privacy'/><category term='data'/><category term='crypto'/><category term='ICO'/><category term='rfid'/><category term='identifiers'/><title type='text'>Racingsnake - Robin Wilton's Esoterica</title><subtitle type='html'>Thoughts about [stuff that isn't my professional area of research] and its effect on our daily lives. 
May contain traces of nuts. 
Do not trample the rocky habitat.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default?start-index=101&amp;max-results=100'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>225</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-1271330628148988229</id><published>2012-01-27T18:42:00.008Z</published><updated>2012-01-27T19:17:29.213Z</updated><title type='text'>Time for a rant...</title><content type='html'>... about some really irritating developments in TV advertising.&lt;br /&gt;&lt;br /&gt;I apologise in advance, but I think some of these peeves have been simmering for a while now, and it would be healthier all round if I can permit myself a little vent. There are two advertising trends at the moment which are really starting to grate.&lt;br /&gt;&lt;br /&gt;The first is when the advertiser treats us like imbeciles, incapable of logical thought. 
Two examples:&lt;br /&gt;&lt;br /&gt;1 - the dishwasher tablet which is sold on the premise that, if you don't use it, filth accumulates in your dishwasher's plumbing tubes and is then swilled around your cutlery and crockery, bathing them in a vile brew which is, by implication, not far short of raw sewage. Of course, being  imbeciles we fail to notice that the pipes &lt;span style="font-style: italic;"&gt;into &lt;/span&gt;the dishwasher come from the water main, and are presumably not already clogged with sewage; and the pipes &lt;span style="font-style: italic;"&gt;out &lt;/span&gt;of the dishwasher do not convey anything back &lt;span style="font-style: italic;"&gt;into&lt;/span&gt; it.&lt;br /&gt;&lt;br /&gt;2 - the kitchen soap dispenser whose great selling point is that it includes a sensor, so that you can get your dollop of soap without having to do anything insanitary like press down on a squirter.  Again, being imbeciles, we have never noticed that the first thing you do after pressing down on a (presumably plague-ridden) soap dispenser is... wash your hands.&lt;br /&gt;&lt;br /&gt;Here's the enigma: are these advertisements fatally flawed, foolishly insulting their target market... or are they perfectly crafted, aimed precisely at a market of imbeciles?&lt;br /&gt;&lt;br /&gt;The other irritant is a variant on the old "vox pop" technique. Classically, this involves a reassuring third party, such as an interviewer or someone in a white coat, getting totally spontaneous product endorsements out of enthusiastic consumers who are totally surprised at the effectiveness of the product.&lt;br /&gt;&lt;br /&gt;The variant (toothpaste being far and away the worst offender) is that when sound-editing your vox pops, you have to remove tiny snippets of silence from between random words. 
The result sounds something like this:&lt;br /&gt;&lt;br /&gt;"I had never realisedthat some things I eatevery day, suchas battery acid, can eataway at tooth enameland cause cavities andbrain rot."&lt;br /&gt;&lt;br /&gt;Why? Why do they do this?&lt;br /&gt;&lt;br /&gt;I am seriously considering applying for that job, snipping out the tiny gaps between words in fatuous vox pops. Then, like one of my literary heroes, &lt;a href="https://en.wikipedia.org/wiki/Murke%27s_Collected_Silences"&gt;Doktor Murke&lt;/a&gt;, I would splice them carefully together again and luxuriate in the resulting silence. Listening to it might even bring my blood pressure down again...</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/1271330628148988229/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2012/01/time-for-rant.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1271330628148988229'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1271330628148988229'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2012/01/time-for-rant.html' title='Time for a rant...'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-3514481963240361334</id><published>2011-06-09T18:16:00.003+01:00</published><updated>2011-06-09T18:52:26.810+01:00</updated><title type='text'>Un-bricking a System76 Starling netbook</title><content type='html'>In case it may be of help to someone else in the same situation...&lt;br /&gt;&lt;br /&gt;I have a System76 Starling netbook, which until this week was running Ubuntu 9 (Karmic Koala). That's the release it came factory-installed with, and as long as it was getting patched and updated, I was sticking with the "ain't broke, don't fix" principle. Previous experience has taught me that the tiniest tweak to an otherwise working Linux system can lock you into a death-spiral of dependencies, upgrades, super-dependencies and so on, until you have no option but to press on because you can't retreat.&lt;br /&gt;&lt;br /&gt;However, when the system updater warned me this week that Ubuntu 9 would not be getting any more patches, I decided it was time to take a deep breath and upgrade to an LTS (Long Term Support) release of Ubuntu 10 (Lucid Lynx). I also reasoned that as Lynx has been out for a while, System76 would have had time to get their hardware-specific driver for the Starling good and ready. So, after backing up all my data to an external drive, I hit the Upgrade button.&lt;br /&gt;&lt;br /&gt;All went well, at least in terms of fetching all the packages. Unfortunately, the installation process hung part way through, and after leaving it frozen for half an hour or so (just in case) I sighed, turned the power off, and resigned myself to re-installing from scratch. 
As I now have an un-bricked Starling running Ubuntu 10.4, this post is simply to point you to the set of resources which worked for me, if you're in the same position.&lt;br /&gt;&lt;br /&gt;Here are some starting assumptions:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;You have a Windows machine with which to create your bootable USB image (it can be done with another Linux machine or a Mac, but you'll have to find your own path in those cases)&lt;/li&gt;&lt;li&gt;Obviously, as the Starling has no CD drive, you'll need a nice big USB stick handy (they say 2Gb, but if you have 3-4Gb I think you'll be safer, for reasons I explain below)&lt;/li&gt;&lt;li&gt;A wired network connection... this will just make it a lot easier to auto-update with the most recent software updates and the System76 driver.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;And here, in the order you will probably encounter them, are the pages which got me through it. There are others, but I found some false trails, and these are the pages which worked for me.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;System76's "&lt;a href="http://knowledge76.com/index.php/LucidUpgrade"&gt;How to Upgrade to Lucid Lynx&lt;/a&gt;" page&lt;/li&gt;&lt;li&gt;The &lt;a href="http://releases.ubuntu.com/lucid/"&gt;Ubuntu Lucid releases&lt;/a&gt; - you want the Netbook Live CD .iso&lt;/li&gt;&lt;li&gt;The &lt;a href="https://help.ubuntu.com/community/Installation/FromUSBStick"&gt;Ubuntu help page&lt;/a&gt; on creating a bootable USB image&lt;/li&gt;&lt;li&gt;Two tools from PenDriveLinux: &lt;a href="http://www.pendrivelinux.com/create-a-ubuntu-9-10-live-usb-in-windows/"&gt;USB-Installer&lt;/a&gt; and  &lt;a href="http://www.pendrivelinux.com/casper-rw-creator-make-a-persistent-file-from-windows/"&gt;Persistent-Filespace creator&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Ubuntu &lt;a href="http://ubuntuforums.org/showthread.php?t=1455704&amp;amp;highlight=lucid+wireless"&gt;support thread on Lucid/wireless&lt;/a&gt; just in case...&lt;/li&gt;&lt;/ol&gt;If step (3) 
works OK, you may not need the tools from step (4); however, the first time I tried it, the USB image boot failed because it couldn't find a writeable filespace. This error is listed on the Ubuntu help page above, under Known Issues, as "Can not mount /dev/loop1 on /cow". The Persistent Filespace creator will help you make one of those on the USB stick... which is another reason why I think a 3 or 4Gb stick is probably a good idea.&lt;br /&gt;&lt;br /&gt;You may or may not need step (5): frustratingly, when I first booted Lucid Lynx my wireless connection came up flawlessly: I ran the System76 driver and my wireless connectivity disappeared. The thread had some suggestions about making sure the C/C++ libraries (gcc) are definitely installed on your machine, and re-running the System76 driver. I followed those suggestions and it still didn't work, but after a couple of re-boots and tweaks of the 3G-Wifi switch on the front of the Starling, it all worked again.&lt;br /&gt;&lt;br /&gt;Good luck...</content><link rel='related' href='http://www.blogger.com/img/blank.gif' title='Un-bricking a System76 Starling netbook'/><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/3514481963240361334/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2011/06/un-bricking-system76-starling-netbook.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3514481963240361334'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3514481963240361334'/><link rel='alternate' type='text/html' 
href='http://futureidentity.blogspot.com/2011/06/un-bricking-system76-starling-netbook.html' title='Un-bricking a System76 Starling netbook'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-5119641092337229654</id><published>2011-05-31T11:05:00.005+01:00</published><updated>2012-01-26T14:57:01.920Z</updated><title type='text'>EU cookie regulations and consent</title><content type='html'>As you are probably aware, a revision to the EU's e-Privacy Directive was recently transposed into UK law as the Privacy and Electronic Communications Regulations 2011, or PECR. PECR means that, as of May 26th 2011, UK websites are required to obtain users' informed consent before tracking their online behaviour through means such as cookies.&lt;br /&gt;&lt;br /&gt;Well-meaning though this legislation may be, there are a number of practical issues with its implementation. As it has never been my intent to invade, subvert or otherwise compromise your privacy, this post is a brief indication of some of those issues, and the possible impact on you as a visitor to this blog.&lt;br /&gt;&lt;br /&gt;First, jurisdiction: is this a UK site? Well, I'm located in the UK, and it's my blog, so I'm going to behave as though it is and assume that PECR 2011 applies to it and to me. However, as Blogger belongs to Google, and Google are notoriously reticent about revealing the location of their data-centres, I have no idea where this blog is actually hosted. 
I suspect a lot of individuals, small/medium enterprises and organisations are in the same position: wherever they are, their websites may or may not be hosted in the UK, and that may give rise to some question as to whether or not PECR can be enforced.&lt;br /&gt;&lt;br /&gt;Second, enforcement. The UK ICO has, allegedly, been 'pressured'  by the UK government not to enforce PECR, at least for a year while companies figure out what to do about the law. On the one hand, I have little sympathy with this: EU legislation moves at a pretty normal pace for law-making, and PECR has been inching its way down the legislative alimentary canal for many months now. Its emergence should not have come as a surprise to anyone.... but let's not take that analogy any further. On the other hand, there's no doubt that the mechanisms for doing a good privacy-respecting job of gathering user consent are sadly lacking. Of course, as the only viable candidate for deploying such mechanisms is the browser, and as the dominant browsers on the planet are all developed outside the EU, that shouldn't come as a surprise either. On the third hand (as Zaphod could have said) why in Zarquon's name didn't Viviane Reding and her merry band of legislators think of that when they were designing the amendment?&lt;br /&gt;&lt;br /&gt;Third, practicality. I do use a couple of counters to track visits to the blog: as you can see, there's a ClustrMaps graphic on the page, and though you can't see it, Statcounter is also enabled. For those two tools, I can give you the following assurance: I never use them for anything other than an occasional look at how site traffic is trending over time. I sometimes look at the per-country breakdown of visits, and if I'm getting persistent spam comments I may look at the IP address of a specific visitor. However, I never use the tracking details for any other purpose, and never knowingly disclose them to any other entity. 
I don't use Adwords or Affiliate Network, nor is it my intent to do so.&lt;br /&gt;&lt;br /&gt;However... it is entirely possible that Blogger, as the host of the blog, gathers statistics about both my use of it and your visits to it. Over that, I have no control. Again, I suspect that many, many individuals, organisations and small/medium businesses are in the same position - and as 'cloud' computing continues to grow, that situation will grow with it.&lt;br /&gt;&lt;br /&gt;That leaves me with two problems:&lt;br /&gt;&lt;br /&gt;1 - if you don't like the relatively minor use of cookies I do make on this site, and/or don't trust my promise not to abuse the data collected, I'm afraid I don't have any practical way of gathering your consent (or withdrawal of it). Nor do I have a way of turning cookies off for you while still somehow keeping an eye on site usage. By all means block or delete my cookies at your end, if you have the means to do so; I won't be offended (in fact, I won't even know), and as far as I am aware, it won't affect your ability to browse the site.&lt;br /&gt;&lt;br /&gt;2 - if you don't like the idea that my hosts (either for this blog, or for my website, for instance) may also be setting cookies, I can sympathise, but there's very little I can do about that. Nor do I think there's any reasonable expectation that they will ask for your consent via my blog. If you have a problem with that, please leave a comment, and then we can both stare at it and wonder what to do next...&lt;br /&gt;&lt;br /&gt;So, what can we expect from the PECR 2011 amendment?&lt;br /&gt;&lt;br /&gt;Will it immediately change the way in which companies track your online behaviour? No.&lt;br /&gt;&lt;br /&gt;Will it change the way browsers handle cookies and consent? 
Possibly, over time.&lt;br /&gt;&lt;br /&gt;Will it advance the debate over online privacy: I sincerely hope so, even if it's only through increased discussion, as opposed to immediate improvement.&lt;br /&gt;&lt;br /&gt;Will it resolve the tension between technologists who see the law as an inconvenient obstacle to commercial progress, and legislators who don't understand the technology but want to be seen to be doing something? No. That, regrettably, is something we're stuck with for the foreseeable future. Welcome to Aldous Huxley's world.</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/5119641092337229654/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2011/05/eu-cookie-regulations-and-consent.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/5119641092337229654'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/5119641092337229654'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2011/05/eu-cookie-regulations-and-consent.html' title='EU cookie regulations and consent'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-7970653999872270928</id><published>2011-02-03T12:12:00.005Z</published><updated>2011-02-03T17:47:54.040Z</updated><title type='text'>Marking Commissioner Malmström's homework</title><content type='html'>&lt;a href="http://twitter.com/julianhuppert"&gt;Julian Huppert MP&lt;/a&gt; has broken new ground today (as far as I'm aware) by "crowd-sourcing" views on the &lt;a href="http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/10/463"&gt;newly-announced proposal&lt;/a&gt; for an EU Directive on Attacks Against Information Systems.&lt;br /&gt;&lt;br /&gt;Having looked at the press release, my first impression of the Directive is that it is seriously unbalanced and needs to be substantially re-worked. As my teachers used (frequently, I'm afraid) to write on my prep: "Adequate as far as it goes, but I need to see more."&lt;br /&gt;&lt;br /&gt;I don't deny that botnets and the like represent a potential threat to computing infrastructures, and thereby indirectly to interests such as consumer safety, commerce, and even national security - though one should also note that in their &lt;a href="http://www.oecd.org/dataoecd/57/44/46889922.pdf"&gt;recent report for the OECD&lt;/a&gt;, Professor Peter Sommer (LSE) and Dr Ian Brown (Oxford University) argue convincingly that the majority of such threats are both localised and short-term in their effect. Let us not, then, rush to fling the cyber-baby out with the bathwater.&lt;br /&gt;&lt;br /&gt;If we step back for a moment and balance the cyber-war rhetoric with Sommer and Brown's more qualified perspective, the obvious shortcoming of the proposed EU Directive is that it focusses entirely on measures to prevent "illegal interception" and legislation against the use of malware... 
entirely ignoring the point that the technology to abuse online systems is often the same as the technology used to control it. The difference between lawful and unlawful interception is the prefix "un-", not the means used.&lt;br /&gt;&lt;br /&gt;With that in mind, the EU Directive comes across as a piece of work less than half finished. While the policymakers and drafters were considering how to prevent the activities they don't want, they should have been devoting at least as much effort to considering how to regulate the activities they don't want. Badly or insufficiently regulated, those activities do every bit as much social and economic harm as the threats the Directive is keen to stress.&lt;br /&gt;&lt;br /&gt;This is by no means just about EU citizens, either. Every instance of bad or incomplete regulatory oversight in our own house is an excuse for repressive regimes to point to that bad example and say "look: that's how they do it in the EU, so it must be acceptable". We need only look at the suppression of internet services in Iran, Tunisia, Pakistan, Egypt and elsewhere to see how this leaves the door open to profound and damaging abuse of citizens' rights and self-determination.&lt;br /&gt;&lt;br /&gt;So, for every paragraph about the prevention of illegal activity, the Directive should contain a paragraph about the protection of legitimate activity - including legitimately anonymous and/or pseudonymous activity - and a paragraph about the regulation of law enforcement interception, data retention, content filtering, packet inspection and so on.&lt;br /&gt;&lt;br /&gt;Regrettably, the Directive comes from the office of Cecilia Malmström, the EU's Home Affairs Commissioner, and her reported views on this kind of thing do not inspire optimism. At the recent CPDP2011 conference in Brussels, she was quoted as having said "data retention is here to stay". 
When the captains of industry say things like "privacy is no longer the social norm", it makes them look ignorant. When policymakers simply acquiesce with such views, it makes them look dangerous.&lt;br /&gt;&lt;br /&gt;As Hielke Hijmans (Head of Policy and Consultations for the EDPS)  succinctly put it, at the same conference: "It's not good enough for governments and policy-makers to say 'privacy is dead, get over it': the challenge for them is to work out how social privacy norms can be protected in an information society."&lt;br /&gt;&lt;br /&gt;I'm afraid that, in the margin of Ms Malmström's prep, I can only write "B minus. A fair effort, but must try harder."</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/7970653999872270928/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2011/02/marking-commissioner-malmstroms.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/7970653999872270928'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/7970653999872270928'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2011/02/marking-commissioner-malmstroms.html' title='Marking Commissioner Malmström&apos;s homework'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-2234392938258088036</id><published>2011-01-27T20:57:00.005Z</published><updated>2011-01-27T21:50:32.375Z</updated><title type='text'>Privacy of emails</title><content type='html'>By coincidence, the theme of the previous blog post (expectations of privacy in correspondence, electronic or otherwise) also crops up in an &lt;a href="http://www.guardian.co.uk/commentisfree/2011/jan/27/media-ethics-journalists-job-internet"&gt;article by Simon Jenkins&lt;/a&gt; in the Guardian today. Jenkins' piece is actually about media ethics, but it's prompted by the renewed media feeding frenzy over a now slightly dusty scandal... revelations that the News Of The World had been hacking into the voicemails of people who they thought might thus provide juicy material for the presses.&lt;br /&gt;&lt;br /&gt;At one point, Jenkins notes, the Crown Prosecution Service (i.e. the agency responsible for prosecuting alleged criminals on behalf of the state) advised the police that it was "illegal to hack into a message before, but not after, a recipient had heard it"... much as the 11th US Circuit Court ruled in Rehberg v Hodges.&lt;br /&gt;&lt;br /&gt;As the number of forms of electronic communication continues to grow, and governments' appetite for retention, interception and retrieval of those communications grows correspondingly, let's just pick that concept apart and see why it's so absurd - because absurd it surely is.&lt;br /&gt;&lt;br /&gt;The idea of an expectation of confidentiality in communications probably has its origins in the establishment of monopolised state postal services. Before that point, you had to have a good reason to trust anyone to whom you gave a letter to deliver to someone else... 
though in practice those with something particularly sensitive to say also put their trust in means such as &lt;a href="http://www.simonsingh.net/The_Black_Chamber/maryqueen.html"&gt;encryption&lt;/a&gt; and &lt;a href="http://en.wikipedia.org/wiki/Letters_close"&gt;tamper-evident&lt;/a&gt; technology. The advent of a universal postal service meant that people had to feel that they could entrust their letters to - essentially - a complete stranger and still be confident that the letter would arrive intact.&lt;br /&gt;&lt;br /&gt;There was, then, a clear expectation that a universal postal service should demonstrate great integrity in the handling of the correspondence put into its care - and sure enough, most such services are protected by specific laws to deal with 'interference with the mails'. In other words, and not to overburden the word "confidence", a letter from Sandra to Reece is entrusted to Pat as an intermediary. The contents of the letter are intended to be confidential between Sandra and Reece. Pat has no legitimate expectation of reading the letter for himself, because Sandra's clear intent and expectation is that she is communicating only with Reece.&lt;br /&gt;&lt;br /&gt;Now, what happens once Reece receives and opens the letter? Does that act somehow revise Sandra's intention in sending it - so that, once it is opened, she intends it to be read by people other than Reece? I don't see why we should make that assumption. But just for the sake of it, let's imagine that what Reece finds when he opens the envelope is another envelope: this one has written on it "Confidential: for Reece only". So in this instance Sandra has made her intention and expectations explicit.&lt;br /&gt;&lt;br /&gt;Reece opens the second envelope and finds inside a message which says "Dear Reece, I don't want you to tell anyone else this, but I have discovered that I have a fatal disease, and probably only months to live". 
Again, I don't see anything in the act of Reece opening the inner envelope which revises Sandra's intention and expectations in writing to him and him alone. She even says, in the contents, that she wants Reece to keep this information to himself... and that seems to me to be a legitimate expectation.&lt;br /&gt;&lt;br /&gt;Of course, merely by disclosing the fact of her illness to Reece, Sandra is making it possible for Reece to disclose it to someone else - but I think there's a clear difference between making that disclosure possible, and expecting or intending it to take place.&lt;br /&gt;&lt;br /&gt;That is why I think it's so perverse to rule that the act of opening a letter changes the sender's legitimate expectation of the confidentiality of the contents. It's also why I wonder whether initiatives like the &lt;a href="http://privicons.org/"&gt;Privicons&lt;/a&gt; plug-in - while doubtless well-intentioned - might have perverse consequences. After all, if there's a button you can click which says "don't share this email", won't that be taken to imply that - if the email has no such icon attached - you don't mind it being shared? All in all, I think I'd be happier if we start with no "this email is sent in confidence" button - because I think the fundamental assumption should be that emails are confidential unless it's explicitly stated otherwise.&lt;br /&gt;&lt;br /&gt;It's possible that that assumption is broken; but if so, that argues in favour of mending it, not discarding it.&lt;br /&gt;&lt;br /&gt;With that in mind, I wish you a happy Data Privacy Day for tomorrow, Jan 28th. 
I encourage you to spend it considering what digital footprints you leave in the course of the day, and to what extent they involve any consent and control on your part.</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/2234392938258088036/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2011/01/privacy-of-emails_27.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2234392938258088036'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2234392938258088036'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2011/01/privacy-of-emails_27.html' title='Privacy of emails'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-8036028387811741572</id><published>2011-01-07T14:35:00.003Z</published><updated>2011-01-07T15:06:36.533Z</updated><title type='text'>The Privacy of Emails</title><content type='html'>A colleague has alerted me to a December 2010 ruling on email privacy, in the US 6th Circuit court. 
There's a brief article &lt;a href="http://www.ediscoverylaw.com/2010/12/articles/case-summaries/court-holds-there-is-a-reasonable-expectation-of-privacy-in-the-contents-of-emails/"&gt;here&lt;/a&gt; from DC law firm K&amp;amp;L Gates.&lt;br /&gt;&lt;br /&gt;The 6th Circuit delivers a welcome reversal of the July 2010 ruling in Rehberg v Hodges, in which the 11th Circuit court somewhat bizarrely concluded that Mr Rehberg’s “privacy interest in emails held by his ISP was not clearly established”.  Even in that case, although the ruling itself denied Mr Rehberg’s right to privacy, the court did amend previous statements as follows:&lt;p class="MsoNormal" style="margin-left: 36pt;"&gt;&lt;i style=""&gt;“The Court had written that a "person also loses a reasonable expectation of privacy in emails, at least after the email is sent to and received by a third party" and that "Rehberg's voluntary delivery of emails to third parties constituted a voluntary relinquishment of the right to privacy in that information." This is not the law, and the incorrect statements are no longer precedent.”&lt;/i&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal" style="margin-left: 36pt;"&gt;&lt;span style="font-style: italic;"&gt;&lt;/span&gt;Article &lt;a href="http://www.eff.org/deeplinks/2010/07/court-corrects-bad-email-privacy-decision-ducks"&gt;here&lt;/a&gt; on the EFF site.&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;Note the court’s use of the phrase “third party”. I would be interested to know if this ruling has any effect on a law enforcement request for access to received emails still in the possession of the intended recipient (as opposed to an intermediary). The reason for my interest will be clear in a moment...&lt;br /&gt;&lt;br /&gt;Broadening the context beyond email: the legal implications of disclosures via online networking sites are still, in my view, a long way from being conclusively worked out in case law. 
There was the ruling in Romano v Steelcase Furniture, in which Mrs Romano's Facebook photo showed her apparently happy and smiling in front of her home. Steelcase’s lawyers argued that that was prima facie evidence she was not suffering as badly as she had maintained in an injury suit against them, and successfully got a ruling that Mrs Romano’s private Facebook pages should be disclosed in case they revealed further incriminating evidence.   &lt;br /&gt;&lt;br /&gt;The twist in that latter part was that not only had Mrs Romano obviously decided that she wanted some of her Facebook disclosures to be more private than others, she had in fact also deleted some of her private pages. At least, she thought she had. In fact, they were still on disk somewhere in Facebook’s storage, and as a result, they were disclosed in evidence. I blogged about that in October, &lt;span style="color: rgb(31, 73, 125);"&gt;&lt;a href="http://blogs.gartner.com/robin-wilton/2010/10/01/do-you-know-jeffrey-arlen-spinner/"&gt;here&lt;/a&gt;.&lt;/span&gt;    &lt;p class="MsoNormal"&gt;So, in the social networking case, it seems the law still has to catch up with the notion that disclosure is not a binary thing. 
I keep quoting danah boyd on this, because I can’t improve on her way of putting it:&lt;span style="color: rgb(31, 73, 125);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;    &lt;p class="MsoNormal" style="text-indent: 36pt;"&gt;&lt;i style=""&gt;&lt;span style="color: rgb(31, 73, 125);"&gt;&lt;/span&gt;&lt;/i&gt;&lt;span style="font-style: italic;"&gt;“Making something that is public more public is a violation of privacy”&lt;/span&gt;&lt;i style=""&gt;&lt;span style="color: rgb(31, 73, 125);"&gt;&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="text-indent: 36pt;"&gt;(Making Sense of Privacy and Publicity, SXSW 2010; text available &lt;a href="http://www.danah.org/papers/talks/2010/SXSW2010.html"&gt;here&lt;/a&gt;)&lt;span style="color: rgb(31, 73, 125);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoListParagraph" style="text-indent: -18pt;"&gt;&lt;/p&gt;In the email case, I’d argue that the same gap still needs to be bridged. US case law seems to be taking the following line: an email from Sandra to Reece embodies an expectation that it is sent in confidence by the sender to the recipient. It is intended to be kept confidential from the ISP who conveys it. (As an aside, that’s interesting if you reflect that an unencrypted email is much more like a postcard than a letter sealed into an envelope...).&lt;br /&gt;&lt;br /&gt;That’s fine as far as it goes... but what about the non-binary shadings? 
Legally, what expectation can a sender have in the confidentiality of, for instance:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The contents of an email which the recipient has opened?&lt;/li&gt;&lt;li&gt;The contents of an email still unopened in the recipient’s inbox?&lt;/li&gt;&lt;li&gt;Copies of the email archived by the sender (for instance, in a “Sent Mail” folder) on the sender’s system, on an employer's email system or on one operated by a third party, say, in the cloud?&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;  There may be many instances of a single electronic disclosure, and I don’t think the legal privacy status of these instances has been fully explored yet in any single jurisdiction, let alone in cloud computing and multi-jurisdictional contexts. Of course, if you know different, let me know via the Comments field.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-8036028387811741572?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/8036028387811741572/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2011/01/privacy-of-emails.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/8036028387811741572'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/8036028387811741572'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2011/01/privacy-of-emails.html' title='The Privacy of Emails'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-8530832474889666398</id><published>2011-01-05T15:04:00.004Z</published><updated>2011-01-05T17:06:23.887Z</updated><title type='text'>Anonymity on the Net</title><content type='html'>There's an interesting piece on the New York Times site by Professor Stanley Fish, titled "&lt;a href="http://opinionator.blogs.nytimes.com/2011/01/03/anonymity-and-the-dark-side-of-the-internet"&gt;Anonymity and the Dark Side of the Internet&lt;/a&gt;".&lt;br /&gt;&lt;br /&gt;A quick disclaimer to start with, though: bear in mind that what you're reading here is my comment on an article in which Prof. Fish reviews a collection of essays by academics citing various principles and legal precedents. This discourse has more layers than Inception... and that's before you get to the comments readers have left on Prof. Fish's article itself.&lt;br /&gt;&lt;br /&gt;The collection of essays is called "The Offensive Internet" - and based on Prof. Fish's portrayal, the contributors are writing from the standpoint that anonymity online is a Bad Thing, about which Something Must Be Done. Second disclaimer: I haven't actually read "The Offensive Internet"... but as much of the discussion apparently revolves around the dangers of unsubstantiated online gossip, it would be contrary to let a mere lack of factual knowledge stop me blogging about it, wouldn't it?&lt;br /&gt;&lt;br /&gt;The position of the anti-anonymists is (at least, as far as Prof. Fish represents it) riddled with arguments from the particular to the general - principally along the lines of "here is an instance where online anonymity has undesirable consequences - therefore all online anonymity is undesirable". 
In part, the picture painted is of an ecosystem polluted by irresponsible comment, libel and misinformation, riding on the back of instant, mass publication with total immunity from being held to account.&lt;br /&gt;&lt;br /&gt;Some of the quotations Prof. Fish includes are such gems I almost wonder if he isn't part of some fiendishly cunning marketing ploy, designed to convince us that the only way to stem our incredulity is to read it for ourselves. Out of context or not, what are we to make of a statement like: "autonomy resides not in free choice per se but in choosing wisely"? So, I can have (or at least call it) autonomy, but only if I agree not to make foolish, capricious, ill-informed or simply bad decisions. And who decides which of my 'free' choices qualifies as autonomous? Someone else, you say....? Hmm.&lt;br /&gt;&lt;br /&gt;Even if we accept that the essays, Prof. Fish himself, or both, are being deliberately polemical, it does the argument against anonymity no credit to ignore valid counterexamples. For instance, The Times and The Economist both have a long tradition of anonymous publication (The Times for its leaders and The Economist in general). That has a number of consequences: it means that the credibility of what is written depends first (and foremost) on its content and second (and less) on the brand under which it appears. The second factor, the brand or reputation of the publication, is critically interdependent on the credibility of the content. This virtuous circle encourages the anonymous to write in such a way as to enhance the credibility of their host publication. It is not true, then, that anonymity necessarily means a lack of accountability or an immunity from the consequences of irresponsible writing.&lt;br /&gt;&lt;br /&gt;Prohibition of online anonymity would also damage the interests of those whose identity - if disclosed - would expose them to various forms of abuse. 
Take the case of &lt;a href="http://fugitivus.wordpress.com/2010/02/11/fuck-you-google/"&gt;Harriet Jacobs&lt;/a&gt; (not her real name, QED...) whose personal safety depends at least in part on online pseudonymity. Presumably in the brave new world of enforced identifiability, those who fall victim to domestic violence, rape or persecution simply forfeit their entitlement to the means of online expression available to the smug majority. It is not true, then, that anonymity serves only the interests of those who have something libellous, shameful, malicious or just plain wrong to say.&lt;br /&gt;&lt;br /&gt;The examples of journalists and Harriet Jacobs illustrate a principle which does not come across in Prof. Fish's article - that the Internet is quite capable of supporting various levels of identifiability.&lt;br /&gt;&lt;br /&gt;There is the relative anonymity of being 'one of a number of journalists publishing under a given title'; of course the editor knows who wrote what, and who to hold responsible if the article turns out to be libellous. Second, there is the pseudonymity of publishing a blog under a pen name. Ultimately, through a combination of the registration process for the blog itself, the formalities of having a billable ISP account and so on, the author of most blogs could, ultimately, be identified &lt;span style="font-style: italic;"&gt;by a third party able to correlate the right identifiers - &lt;/span&gt;and most legislation in this area makes provision for law enforcement access (ideally subject to justifying conditions and with some degree of oversight). 
&lt;span style="font-style: italic;"&gt;&lt;/span&gt;The real issue, then, is not whether online anonymity can or should be banned, but how to maintain and manage these various levels of anonymity, pseudonymity and identifiability.&lt;br /&gt;&lt;br /&gt;The bottom line is that, if the authors of "The Offensive Internet" were looking for an analogy, they could and should have done better than "cesspool" or "graffiti-filled bathroom wall". The Internet is like electricity. It can be put to good purposes, bad purposes, trivial and misguided purposes, and indeed purposeless uses. You will find anonymity in all those categories, and ruling it out of all of them because of its occasional role in one of them is just perverse.&lt;br /&gt;&lt;br /&gt;Speaking of electricity, it's interesting how frequently writers (Prof. Fish included) quote Justice Brandeis' comment that "Sunshine [sic] is the best disinfectant" without going on to complete the aphorism. When I give it in full, perhaps you will see why:&lt;br /&gt;&lt;br /&gt;"Sunlight is said to be the best of disinfectants, electric light the most efficient policeman" (&lt;a href="http://www.law.louisville.edu/library/collections/brandeis/node/196"&gt;Other People's Money - Chapter V: What Publicity Can Do&lt;/a&gt;)   &lt;br /&gt;&lt;br /&gt;Note the implicit characterisation of sunlight as clean, natural, healthy and life-giving. Who could object to that? By contrast, electricity may create an atmosphere in which people obey the law, but it does so by offering cut-rate panopticality. People will behave because they live under the floodlights. Not such a utopian image.&lt;br /&gt;&lt;br /&gt;Mind you, Brandeis' thesis certainly has its modern resonances; the problem he goes on to address in Chapter V? 
Excessive bankers' commissions...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-8530832474889666398?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/8530832474889666398/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2011/01/anonymity-on-net.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/8530832474889666398'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/8530832474889666398'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2011/01/anonymity-on-net.html' title='Anonymity on the Net'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-4539650006900854104</id><published>2010-12-19T13:19:00.002Z</published><updated>2010-12-19T14:27:30.500Z</updated><title type='text'>UK Govt plans to "turn off" internet porn</title><content type='html'>Back in April, I ceded the following hostage to fortune:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;" [...] to accusations of political partiality I will say only this: I've only ever blogged under a Labour government. 
&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;If a non-Labour  government fails to provide just as much blog-fodder, I will supplement  that dwindling diet with my hat."&lt;/span&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;If &lt;a href="http://www.news.com.au/breaking-news/world/all-internet-porn-will-be-blocked-to-protect-children-under-uk-government-plan/story-e6frfkui-1225973481287"&gt;this story&lt;/a&gt; on news.com.au is to be believed, I think my headwear is safe. The UK government plans to legislate to make households "opt in" to be able to access porn on the internet. ISPs are expected to put some kind of registration, age-related classification and/or filtering mechanisms in place.&lt;br /&gt;&lt;br /&gt;If the report is true, it suggests that UK policymakers have managed to come up with something which is at once populist, paternalistic, naive and utterly impractical.&lt;br /&gt;&lt;br /&gt;It is populist in the sense that the stated goal of the policy is to safeguard children from inadvertent (or worse, deliberate) exposure to pornographic material. In other words, a goal which has been framed so that to disagree with it is to mark oneself out as a child-abusing pervert.  One can instantly understand how this will appeal to a slightly right-of-centre, instinctively conservative but not overly intellectual middle class demographic. It's not for me to caricature that demographic as "Daily Mail readers", however apophatically, but if you like tabloid-based stereotypes, that's one shorthand for it.&lt;br /&gt;&lt;br /&gt;The ethical 'argument' here is from the same in-bred stock as the pernicious "nothing to hide, nothing to fear" line on personal privacy: "if you're not ashamed of looking at smut, you shouldn't be ashamed of having to register to look at smut, &lt;span style="font-weight: bold;"&gt;therefore&lt;/span&gt; we'll make it illegal not to register". 
Once again, the valid distinction between the illegal, the shameful and the merely embarrassing is being elided.&lt;br /&gt;&lt;br /&gt;It is paternalistic because it is based on the assumption that the best way to protect children within a household is to cede decision-making to entities outside the household (policymakers and ISPs) about what content is suitable for which audiences, and what should be allowed into the house through the cable modem.&lt;br /&gt;&lt;br /&gt;Actually, of course, this simply ensures that the citizens' ethical faculties atrophy through disuse... because any decisions about appropriate content are 'someone else's responsibility'. I'm disappointed, because I thought a decade of New Labour's Orwellian tendencies had moved (even) the Tories on from that kind of pernicious molly-coddling.&lt;br /&gt;&lt;br /&gt;It is naive because there is no precedent to show that the way to enforce any given ethical principle is to impose a technically-mediated solution.  20th century 'received wisdom' is that every technological innovation is swiftly turned to pornographic purposes (the internet, the Betamax video cassette, the photograph, the engraving, the fresco...). Never mind Pompeii (Approx. 79AD): the Egyptians were using wall-painting technology to depict sexual acts around 1500 BC; by the 1200s BC they were exploiting the newer medium of &lt;a href="http://fontes.lstc.edu/%7Erklein/Documents/eros_in_egypt.htm"&gt;papyrus&lt;/a&gt;... which was doubtless rather more conveniently portable. &lt;br /&gt;   &lt;br /&gt;The point is, even as the means to produce and disseminate (sorry) pornography have become more and more technologically mediated, the ability to impose technological restriction on such publication has, again and again, proved futile.&lt;br /&gt;&lt;br /&gt;But however long one may care to debate that hypothesis, the fact is that the legislation proposed just won't achieve the goal being used to justify it. 
Think of some of the practicalities:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Are households which contain no children also obliged to register?&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Is registration rendered unnecessary once children in a household achieve majority?&lt;/li&gt;&lt;li&gt;Who counts as "the householder" in, for example, a university hall of residence?&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;But more crucially: in so-called "toxic" households, where children are deliberately exposed to pornography by adult perverts... how is the new legislation to have effect? If the householder "opts in", what protection does the law then provide to any children in that household?&lt;br /&gt;&lt;br /&gt;None.&lt;br /&gt;&lt;br /&gt;On that basis, there isn't even any point starting an analysis of the potential downside of such a legislative measure - the proposal is just a stupid idea masquerading as a moral crusade (and with all the success of an unconvincing transvestite).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-4539650006900854104?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/4539650006900854104/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/12/uk-govt-plans-to-turn-off-internet-porn.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4539650006900854104'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4539650006900854104'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/12/uk-govt-plans-to-turn-off-internet-porn.html' title='UK Govt plans to &quot;turn off&quot; internet porn'/><author><name>Robin 
Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-1627958284929719554</id><published>2010-12-15T19:11:00.002Z</published><updated>2010-12-15T19:19:49.622Z</updated><title type='text'>My first Burton IT1 report is out...</title><content type='html'>Something of a milestone day today, as my first IT1 analyst report has finally made it through the gastric tract of the corporate publishing animal, and now appears under the IT research category on the Burton Group repository, &lt;a href="http://www.burtongroup.com/Client/Research/Document.aspx?cid=2130"&gt;here&lt;/a&gt;. (You'll need an IT1 subscription to get the full document, I'm afraid... that's the world we live in though). I may not approve of paywalls for daily newspapers (or blogs...), but that doc took me a couple of months to create - so I hope it's worth the price of admission.&lt;br /&gt;&lt;br /&gt;It's on the topic of "Changing a Privacy Policy Statement"... my colleagues Ian Glazer and Bob Blakley and I took a look at some of the more interesting ways in which changes to privacy policy statements have been 'got wrong' in recent months, and tried to come up with a model for getting it right.&lt;br /&gt;&lt;br /&gt;Obviously, it's not just about changing the privacy policy statement; if that isn't mirrored in corresponding changes to the organisation's privacy policy itself, and in appropriate communication to the data subjects, something is going to go awry - it's just a question of when, and how embarrassingly.&lt;br /&gt;&lt;br /&gt;Anyway, if you are a subscriber, please have a look and let me know what you think. 
This is meant to be the first of many such reports, so for goodness' sake let me know if I'm getting it wrong!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-1627958284929719554?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/1627958284929719554/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/12/my-first-burton-it1-report-is-out.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1627958284929719554'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1627958284929719554'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/12/my-first-burton-it1-report-is-out.html' title='My first Burton IT1 report is out...'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-2097125382867673320</id><published>2010-11-30T18:53:00.003Z</published><updated>2010-11-30T19:01:34.616Z</updated><title type='text'>Wikileaks and diplomacy</title><content type='html'>&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:worddocument&gt;   &lt;w:view&gt;Normal&lt;/w:View&gt;   &lt;w:zoom&gt;0&lt;/w:Zoom&gt;   &lt;w:trackmoves/&gt;   &lt;w:trackformatting/&gt;   &lt;w:punctuationkerning/&gt;   &lt;w:validateagainstschemas/&gt;   &lt;w:saveifxmlinvalid&gt;false&lt;/w:SaveIfXMLInvalid&gt;   
&lt;/w:WordDocument&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:latentstyles deflockedstate="false" defunhidewhenused="true" defsemihidden="true" defqformat="false" defpriority="99" latentstylecount="267"&gt;   &lt;w:lsdexception 
locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 5"&gt;   
&lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 
Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="19" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="21" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="31" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Reference"&gt;   &lt;w:lsdexception locked="false" priority="32" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Reference"&gt;   &lt;w:lsdexception locked="false" priority="33" semihidden="false" unhidewhenused="false" qformat="true" name="Book Title"&gt;   &lt;w:lsdexception locked="false" priority="37" name="Bibliography"&gt;   &lt;w:lsdexception locked="false" priority="39" qformat="true" name="TOC Heading"&gt;  &lt;/w:LatentStyles&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 10]&gt; &lt;style&gt;  /* Style Definitions */  table.MsoNormalTable  {mso-style-name:"Table Normal";  mso-tstyle-rowband-size:0;  mso-tstyle-colband-size:0;  mso-style-noshow:yes;  mso-style-priority:99;  mso-style-qformat:yes;  mso-style-parent:"";  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;  mso-para-margin:0cm;  
mso-para-margin-bottom:.0001pt;  mso-pagination:widow-orphan;  font-size:11.0pt;  font-family:"Calibri","sans-serif";  mso-ascii-font-family:Calibri;  mso-ascii-theme-font:minor-latin;  mso-fareast-font-family:"Times New Roman";  mso-fareast-theme-font:minor-fareast;  mso-hansi-font-family:Calibri;  mso-hansi-theme-font:minor-latin;  mso-bidi-font-family:"Times New Roman";  mso-bidi-theme-font:minor-bidi;} &lt;/style&gt; &lt;![endif]--&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="color: rgb(31, 73, 125);"&gt;I have, over time, heard two definitions of the word “diplomat”:&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="color: rgb(31, 73, 125);"&gt;1 – a man sent to lie abroad for his country;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="color: rgb(31, 73, 125);"&gt;2 – someone who can tell you to go to Hell in such a way that you feel you would benefit from the journey.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="color: rgb(31, 73, 125);"&gt; (By way of disclaimer, I should point out that I heard both from my father, who was himself a career diplomat... ;^)&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="color: rgb(31, 73, 125);"&gt;To me, what the current Wikileaks "cablegate" incident reveals is this: as individuals and social animals, we all understand the fine nuances of truth-telling, lying and hypocrisy (from ‘white lies’ to ‘social convention’, ‘good manners’, ‘gentlemanly or ladylike behaviour’, ‘discretion’ and so on and so forth). When you scale that up to ‘social’ scale, it tends to become simplified and polarised - as we see from the press coverage and the political rhetoric.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="color: rgb(31, 73, 125);"&gt;Diplomats are intelligent tools of the political system (in German, a single word - Botschafter - serves for both “messenger” and “ambassador”).  
In the sense of 'messenger', the diplomat is there only to convey what his or her government wishes to be said. However, in representing their government’s wishes, it is also their job to exercise judgement about when the national interest is best served by the truth, a lie, a lie which is known to be a lie, an apparently accidental indiscretion, an unpalatable truth told in jest... or any of the million shades of grey along that spectrum.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="color: rgb(31, 73, 125);"&gt;Often, the value of diplomacy lies precisely in the ability to convey one thing while saying another. That way, an official position is publicised, without preventing what is pragmatically necessary from being communicated.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="color: rgb(31, 73, 125);"&gt;The leaked cables will, of course, reveal that what diplomats say to their colleagues and their political masters is often not what they say to their counterparts in post. 
That should surprise no-one...&lt;/span&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/2097125382867673320/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/11/wikileaks-and-diplomacy.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2097125382867673320'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2097125382867673320'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/11/wikileaks-and-diplomacy.html' title='Wikileaks and diplomacy'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-2303575314815649086</id><published>2010-11-17T11:23:00.003Z</published><updated>2010-11-17T11:32:40.426Z</updated><title type='text'>German authorities strangely schizophrenic about ID Card security</title><content type='html'>The German Interior Minister, Thomas de Maizière, commented in an article for &lt;a href="http://www.welt.de/politik/deutschland/article10949473/Personalausweis-hat-als-Pfand-ausgedient.html"&gt;Die Welt&lt;/a&gt; yesterday that the new generation of German ID Cards is "100 times more secure" than the Card it replaces. 
That may or may not be true - but if it is, the parallel announcement is rather puzzling. German ID Card law has been amended so that (as of the beginning of November), it is illegal to request that a card-holder leave their card in your safekeeping.&lt;br /&gt;&lt;br /&gt;As the article went on to say, this is going to affect many little personal transactions which have become the de facto norm over past years. Even visitors to the Bundestag, Germany's legislative seat, have previously been used to swapping their ID Card for a visitor's pass on entry. It is now illegal for them to do so.&lt;br /&gt;&lt;br /&gt;It is a strange reflection on the security of the German ID Card implementation, if the cards cannot safely be left with a third party, for fear of being hacked, illicitly read and/or manipulated. That fear is at odds with Mr de Maizière's bullish assertion of its security.&lt;br /&gt;&lt;br /&gt;Here's the relevant snippet from the article on Die Welt, with translation interleaved:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;[Das neue] Personalausweisgesetz, das seit Anfang des Monats in Kraft ist. Darin steht: „Vom Ausweisinhaber darf nicht verlangt werden, den Personalausweis zu hinterlegen oder in sonstiger Weise den Gewahrsam aufzugeben.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[The new] ID Card Act, which came into force at the beginning of the month. It states: "The card-holder may not be asked to leave the ID card behind or otherwise place it in safekeeping."&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Diese Passage bedeutet nach Auskunft zuständiger Behörden ein Verbot – und zwar ganz egal, ob es sich um einen neuen oder um einen alten Personalausweis handelt. Das wird den Alltag nicht weniger Deutscher verändern. Für sie war es bislang selbstverständlich, den Personalausweis als Pfand einzusetzen – etwa am Tresen der Autovermietung oder an der Rezeption des Hotels. 
Selbst den Schlüssel für den Spind in der Sporthalle bekam man auf diese Weise ohne Kaution.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;According to the relevant authorities, this represents a prohibition - and it makes no difference whether you're talking about a new ID Card or an old one. This will make a difference to everyday life for no small number of German citizens. For them, it has long been commonplace to leave one's ID Card as a 'deposit' - whether at the car-hire counter or at a hotel reception. ID Cards are often left in exchange for a locker key at the sports centre, without anyone raising an eyebrow.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Elektronikexperten vermuten, mit dem Verbot wolle der Gesetzgeber verhindern, dass der neue Personalausweis in aller Ruhe elektronisch ausgelesen oder manipuliert wird. Innenminister de Maizière betont hingegen, das Dokument sei 100 Mal sicherer als die bisherige Ausführung. Warum dann die Hinterlegung verboten wurde, bleibt sein Geheimnis.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Electronics experts suggest that the legislators' aim, with this law, is to make it harder for the new ID Cards to be electronically read or manipulated by a potential attacker. Nevertheless, Interior Minister de Maizière maintains that the new document is 100 times more secure than the one it replaces. 
Why, then, one should be forbidden to leave it with someone else remains his secret.</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/2303575314815649086/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/11/german-authorities-strangely.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2303575314815649086'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2303575314815649086'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/11/german-authorities-strangely.html' title='German authorities strangely schizophrenic about ID Card security'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-4613389512740382667</id><published>2010-10-03T14:25:00.003+01:00</published><updated>2010-10-03T15:03:59.009+01:00</updated><title type='text'>#TwitterJokeTrial: an update</title><content type='html'>Just a brief post to link you to David Allen Green's "Jack of Kent" blog, where he gives an account of what happened  in &lt;a href="http://jackofkent.blogspot.com/2010/09/appeal-of-paul-chambers.html"&gt;Day One of Paul Chambers' appeal hearing&lt;/a&gt; (the appeal has yet to re-convene and conclude). 
Three factors leapt out at me from David's summary:&lt;br /&gt;&lt;br /&gt;First, there's a very strange incongruity in the way the police and CPS interpreted Mr Chambers' Twitter message. They took his remark about 'blowing Robin Hood Airport sky high' absolutely literally. They were prepared to give it no other interpretation than that it meant he intended to blow up the airport. On the other hand, they clearly did not take so seriously his statement that the airport 'had a week to get its act together' to pre-empt his alleged threat of revenge...&lt;br /&gt;&lt;br /&gt;If they took that phrase as literally as the rest of the message, surely it was an act of utter recklessness on their part, that they left it until the afternoon of the seventh day following his tweet before having him arrested. After all, a competent and determined master criminal  would, presumably, already have planted his bomb by that stage and retired to a safe distance with an alibi and a long-haired white cat.&lt;br /&gt;&lt;br /&gt;Second, there is the following passage from David's blog:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The police appear to accept Paul's account.  The police case file states:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"There  is no evidence at this stage that this is anything other than a foolish  comment posted on Twitter as a joke for only his close friends to see."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;For  some reason, the CPS did not disclose this file note at the original  trial and it was only disclosed to the defence for the appeal on 23rd  August 2010.&lt;br /&gt;&lt;/blockquote&gt;That, more than anything else, must surely damage the credibility of the CPS' case beyond repair.&lt;br /&gt;&lt;br /&gt;And third,  if that doesn't do it, then surely the police press office statement should. 
Among other things, the statement says that:&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;"due to the wide-spread interest in the  use of Twitter in this way, the case was referred to CPS to make the  decision on disposal. Based on this “public interest test” it was not  appropriate for police to make this decision." &lt;/span&gt;&lt;/blockquote&gt;That reflects a fundamental misunderstanding and misapplication of the "public interest test". The police have, here, chosen to use the phrase to mean what I call the "tabloid defence". This is what you see when a newspaper says something like "we acknowledge that the paparazzi photographs of this footballer snogging someone else's wife violated their expectations of privacy, but we were justified in publishing them because of the enormous public interest in his sexual antics".&lt;br /&gt;&lt;br /&gt;The critical distinction here is between the phrase "in the public interest" and "of interest to the public". They are not at all the same, and for the police to be confusing them in both their decision-making and their public statements is absolutely shocking.&lt;br /&gt;&lt;br /&gt;In this case, a proper application of the "public interest test" should have concluded that the public interest was in no way served by prosecuting Paul Chambers, because it was an inappropriate and wasteful use of public money, for no rational purpose and with no reasonable prospect of achieving a productive outcome. 
As it is, because the "public interest test" was incorrectly formulated (at least according to the police press office statement) and incorrectly applied, the net outcome has been a further, avoidable drain on the public purse so that Mr Chambers can pursue his appeal.</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/4613389512740382667/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/10/twitterjoketrial-update.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4613389512740382667'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4613389512740382667'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/10/twitterjoketrial-update.html' title='#TwitterJokeTrial: an update'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-8688577117661905642</id><published>2010-09-24T14:40:00.002+01:00</published><updated>2010-09-24T14:52:18.806+01:00</updated><title type='text'>Paul Chambers and the #TwitterJokeTrial</title><content type='html'>In case you haven't been following this extraordinary excursion by the British legal system, here's a quick update:&lt;br /&gt;&lt;br /&gt;Paul Chambers sent a light-hearted (but superficially 
violent) tweet when inclement conditions threatened to prevent him flying to a rendezvous with his young lady. The tweet was eventually taken at face value by someone with law enforcement responsibilities, kicking off a train of events which has cost untold time, effort and money to bring legal proceedings for something which should not have occupied the legal system for any time at all.&lt;br /&gt;&lt;br /&gt;Paul Chambers' appeal case is being heard today at Doncaster Crown Court. Aptly enough, you can follow the proceedings via tweets from interested parties here: &lt;a href="http://www.guardian.co.uk/uk/2010/sep/24/twitter-joke-trial"&gt;http://www.guardian.co.uk/uk/2010/sep/24/twitter-joke-trial&lt;/a&gt; (Just remember not to say anything remotely threatening, however facetiously, if you feel moved to tweet your own view of proceedings).&lt;br /&gt;&lt;br /&gt;For more analysis of the oddities of this case, have a look at the blog posts where &lt;a href="http://flay.jellybee.co.uk/2010/05/5-reasons-why-paul-chambers-decision.html"&gt;Matt Flaherty&lt;/a&gt; has set out 10 reasons why District Judge Bennett's ruling in the original case was either wrong, ill-informed or simply perverse. Matt's blog prompted the following thought on my part:&lt;br /&gt;&lt;br /&gt;I wonder if there's an argument to be made, on appeal, that the judge simply acted "ultra vires" in deciding that Paul Chambers' original tweet was "menacing in context"? After all, he is a law-court judge, not an airport security officer. He might argue that what matters is not his profession but his ability to form a judgement. 
I wonder how he would fare if he had to swap jobs with either of the following two people:&lt;br /&gt;&lt;br /&gt;1  - the airport security officer who assessed the comment as non-threatening, but felt he had to pass it on to law enforcement for procedural form's sake;&lt;br /&gt;&lt;br /&gt;2 - the police officer who assessed the comment as non-threatening.&lt;br /&gt;&lt;br /&gt;To my mind, they are the experts in a position to make the definitive assessment as to whether or not the message was "threatening in context" - not the judge - and both of them concluded that it was not.</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/8688577117661905642/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/09/paul-chambers-and-twitterjoketrial.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/8688577117661905642'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/8688577117661905642'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/09/paul-chambers-and-twitterjoketrial.html' title='Paul Chambers and the #TwitterJokeTrial'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-2256142563392310188</id><published>2010-07-16T13:34:00.004+01:00</published><updated>2010-07-16T14:15:20.260+01:00</updated><title type='text'>Risk mitigation</title><content type='html'>One of today's news stories is that several of the firms responsible for the colossal explosion at the Buncefield oil depot have been hit with fines totalling almost £10m. The judgement centred around 'slackness' in operational practices at the site, resulting in serious breaches of health and safety law.&lt;br /&gt;&lt;br /&gt;It has taken a while for the penalties to be applied: the explosion happened early on Sunday 11th December 2005. On that day, I was on a flight from Heathrow to San Francisco. Buncefield (near St Albans, north of London) is a little way east of the long-haul flight path from Heathrow to North America, and the gigantic plume of smoke from Buncefield was clearly visible from the right hand side of the plane.&lt;br /&gt;&lt;br /&gt;The reason for my trip was to take part in my first team meeting with the group I had recently joined, in Sun Microsystems' Chief Technology Office. That new role also marked the beginning of my increasing interest in matters of online privacy, and the way in which privacy and identity technology have to interact with corporate and public policy.&lt;br /&gt;&lt;br /&gt;I thought of that when I heard an oil industry specialist being interviewed today about the lessons learned from the Buncefield disaster. He said that companies needed to be asking themselves three very simple questions (as opposed to the traditional "one question... 
do you feel lucky...?"):&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Do we understand clearly what can happen when something goes wrong?&lt;/li&gt;&lt;li&gt;Do we have systems in place to prevent and/or manage such failures?&lt;/li&gt;&lt;li&gt;Do we have metrics which tell us whether we are getting it right?&lt;/li&gt;&lt;/ol&gt;I come back, once again, to Michelle Dennedy's key principle: organisations which process personal data should treat it as if it were toxic waste. Exactly the same principles should apply:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Does the organisation's strategy or business plan take into account what can happen when personal data is mishandled, when there is a containment breach, or an explosion of negative publicity?&lt;/li&gt;&lt;li&gt;Are there systems in place to constrain the collection of personal data, manage its retention and prevent inappropriate disclosure?&lt;/li&gt;&lt;li&gt;Do the organisation's staff and managers get the information which would tell them whether or not personal data is being well managed?&lt;/li&gt;&lt;/ol&gt;Here's what I suspect:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Some organisations have a reasonable handle on (2)... but a lot more probably have far less of a grasp than they like to believe.&lt;/li&gt;&lt;li&gt;Fewer organisations actually weave 'personal data and privacy risk management' into their strategy at a corporate, executive level.&lt;/li&gt;&lt;li&gt;Still fewer actively seek external evidence of data breaches and reflect that in a 'data management dashboard' to inform and guide day-to-day operations.&lt;/li&gt;&lt;/ul&gt;Of course, if you know otherwise, I'd be delighted to be proved wrong... who knows, I might even end up writing an analyst report on cases of good practice. 
If you've got a good story to tell, you know where to find me...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-2256142563392310188?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/2256142563392310188/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/07/risk-mitigation.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2256142563392310188'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2256142563392310188'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/07/risk-mitigation.html' title='Risk mitigation'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-8818249987960429791</id><published>2010-07-12T13:38:00.003+01:00</published><updated>2010-07-12T15:07:05.469+01:00</updated><title type='text'>New role...</title><content type='html'>As of July 19th, I start a new full-time role as a Research Director with Gartner Group (more specifically, in the &lt;a href="http://www.burtongroup.com/Research/Idps.aspx"&gt;Identity and Privacy Services&lt;/a&gt; team under the 'Burton Group' brand).&lt;br /&gt;&lt;br /&gt;I am absolutely delighted to have this opportunity. 
Not only will I be continuing to explore the same topics (digital identity, online privacy, access management and security...), I will also be joining a fantastic group of people - including the likes of Bob Blakley and Ian Glazer - for whom I have enormous respect. If there's a downside, it's that they set a formidable standard to match up to.&lt;br /&gt;&lt;br /&gt;This is going to be a fun ride, though, so I hope you will stick with me and join the excitement!&lt;br /&gt;&lt;br /&gt;Step One: I'll be at &lt;a href="http://www.catalyst.burtongroup.com/"&gt;Catalyst&lt;/a&gt; in San Diego again this year, so if you're going to be there please come and say hi. If you're not going to be there... naughty, naughty!&lt;br /&gt;&lt;br /&gt;Some housekeeping:&lt;br /&gt;&lt;br /&gt;Obviously, I will not be doing any more consulting work through Future Identity - but for continuity reasons, the &lt;a href="http://futureidentity.eu/"&gt;Future Identity website&lt;/a&gt; will persist, as an archive of presentations and published papers. I'll also continue to &lt;a href="http://futureidentity.blogspot.com/"&gt;blog&lt;/a&gt; and &lt;a href="http://twitter.com/futureidentity"&gt;tweet&lt;/a&gt; using the Future Identity persona*, though I expect a gentle separation will emerge between that and any blogging I do in my corporate role via the &lt;a href="http://blogs.gartner.com/"&gt;Gartner Blog Network&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;*I have been saying, for several years now, that sensible use of different personas is key to maintaining control over our digital footprint. I do generally point out, in the same breath where possible, that doing a good job of persona management takes thought, time and effort.&lt;br /&gt;&lt;br /&gt;Establishing, maintaining and killing off discrete personas are the most obvious use-cases. 
The real trick, though, is to be able to &lt;span style="font-style: italic;"&gt;segue&lt;/span&gt; one persona into another, while maintaining your control and your audience. The more you work on establishing a brand, the harder it can be to 'unhook' brand awareness and attach it to something new. As "social network" services enter their second and third generations, that's something they will have to come to terms with.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-8818249987960429791?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/8818249987960429791/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/07/new-role.html#comment-form' title='12 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/8818249987960429791'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/8818249987960429791'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/07/new-role.html' title='New role...'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>12</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-7798200595532627735</id><published>2010-07-08T13:54:00.003+01:00</published><updated>2010-07-08T14:21:57.712+01:00</updated><title type='text'>Large ISPs broaden attack on Digital Economy Act</title><content type='html'>I read with interest that BT and TalkTalk have requested a judicial review 
of the Digital Economy Act 2010 before it is brought into force. As readers of this blog will be aware, opposition to the Digital Economy Bill was vociferous, widespread, and based on both principle and detail.&lt;br /&gt;&lt;br /&gt;Interestingly, BT and TalkTalk have opted to attack implementation of the Bill on a wide front - at least, as far as I can infer from &lt;a href="http://news.bbc.co.uk/1/hi/technology/10542400.stm"&gt;this article&lt;/a&gt; on the BBC News site. Here are some of the points on which I understand they will seek clarification through the judicial review process:&lt;br /&gt;&lt;br /&gt;- does the Act unfairly restrict competition in the telecomms market, by applying a Code of Conduct only to network service providers with more than 400,000 subscribers? (TalkTalk argue that the result of this could be a flight of customers to smaller, less regulated ISPs);&lt;br /&gt;&lt;br /&gt;- does the Act conflict with EU legislation, which rules that ISPs are "mere conduits" of the information they transmit and thereby limits their liability arising from that information?&lt;br /&gt;&lt;br /&gt;and perhaps most fundamental of all,&lt;br /&gt;&lt;br /&gt;- did the way in which the Bill was passed undermine its legitimacy? 
(They argue that it was rushed through with insufficient parliamentary debate, in a truncated process far short of the normal legislative timetable - and it's hard to dispute that point: the Bill was passed in a matter of hours, instead of the 3-4 weeks of Committee Stage deliberation and revision normal for a Bill of this scope).&lt;br /&gt;&lt;br /&gt;If the judicial review finds in their favour on that point, it could set a fascinating precedent.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-7798200595532627735?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/7798200595532627735/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/07/large-isps-broaden-attack-on-digital.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/7798200595532627735'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/7798200595532627735'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/07/large-isps-broaden-attack-on-digital.html' title='Large ISPs broaden attack on Digital Economy Act'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-4085726903526634272</id><published>2010-07-01T10:23:00.004+01:00</published><updated>2010-07-01T10:54:02.726+01:00</updated><title type='text'>Privacy and 
bindweed</title><content type='html'>This being the height of the growing season in our garden, it is also the time when too much attention to any given part of a flower-bed is likely to reveal that bane of the gardener's life, a vigorous, thrusting tentacle of bindweed (&lt;span style="font-style: italic;"&gt;Convolvulus arvensis&lt;/span&gt;). The worst thing about bindweed is its deeply-buried, brittle and highly regenerative root system. No matter how diligently you dig and rummage and loosen, chances are you will leave a fragment of root behind - and in due course the whole grisly process starts again from the tiniest remnant. As one of my uncles used to put it, it's enough to make a man kick his grandmother.&lt;br /&gt;&lt;br /&gt;That's rather how I feel about another pernicious and unwelcome part of the landscape: the often-repeated claim that "if you have nothing to hide, you have nothing to fear".&lt;br /&gt;&lt;br /&gt;Just like the bindweed, this is impossible to eradicate, and just like the bindweed, it stifles and chokes more desirable things, such as rational debate about privacy and why and how to protect it. If I had my way, I'd recruit a small army of bindweed eradicators, and we would periodically blitz the garden; we might not wipe the bindweed out, but we would probably at least keep it from strangling the flowers.&lt;br /&gt;&lt;br /&gt;With that in mind, I'd like to recruit all my readers (yes, both of you ;^) as privacy pest controllers, armed with these handy tools to counter the "nothing to hide" argument.&lt;br /&gt;&lt;br /&gt;1 - "A virtuous person cannot be the victim of crime". That's obviously nonsense, isn't it? Just because I have no murky secrets in my past, and my life is a model of probity, doesn't mean I have nothing of interest to the criminal. Indeed, in the online world I might, as a result, have a spotless reputation. 
Just the thing, if you're looking for a clean ID to hi-jack.&lt;br /&gt;&lt;br /&gt;The point is that the "nothing to hide, nothing to fear" argument glibly - and fatally - skims over the question "&lt;span style="font-style: italic;"&gt;from whom&lt;/span&gt; do you have nothing to fear?". Fatally, because when that question is answered, it becomes obvious that the people you should fear can harm your interests whether or not you have 'anything to hide'.&lt;br /&gt;&lt;br /&gt;2 - We are social animals. Personal privacy is a social concept. If you have nothing to hide from anyone, you are not a social being as the rest of us understand it.&lt;br /&gt;&lt;br /&gt;Please... whenever you encounter the 'privacy bindweed', attack it at the roots with these weedkillers. Just be warned: one go is not enough. This requires long-term and repeated effort - but the privacy garden will thank you for it.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_ZAC5dVE19pQ/TCxk0aIX4aI/AAAAAAAAACM/gaJCVrkpHsU/s1600/peony.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 300px;" src="http://3.bp.blogspot.com/_ZAC5dVE19pQ/TCxk0aIX4aI/AAAAAAAAACM/gaJCVrkpHsU/s400/peony.jpg" alt="" id="BLOGGER_PHOTO_ID_5488872897388208546" border="0" /&gt;&lt;/a&gt;&lt;span style="font-style: italic;"&gt;Peony "Pink Sorbet"&lt;/span&gt;&lt;br /&gt;(larger images available &lt;a href="http://www.flickr.com/photos/racingsnake/sets/72157624357022610/"&gt;here&lt;/a&gt;)&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-4085726903526634272?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://futureidentity.blogspot.com/feeds/4085726903526634272/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/07/privacy-and-bindweed.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4085726903526634272'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4085726903526634272'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/07/privacy-and-bindweed.html' title='Privacy and bindweed'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_ZAC5dVE19pQ/TCxk0aIX4aI/AAAAAAAAACM/gaJCVrkpHsU/s72-c/peony.jpg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-5743705132337597228</id><published>2010-06-22T14:43:00.003+01:00</published><updated>2010-06-22T15:05:34.313+01:00</updated><title type='text'>Can you have federation without trust?</title><content type='html'>Back in olden days, when I worked for IBM, its sales &amp;amp; marketing people weren't allowed to use the word "risk"... because it might be taken (by customers) to imply that there was any form of risk associated with the corporation's products (this is long enough ago that it hadn't really cottoned on to 'services' yet...). And so the word was carefully expunged from the corporate lexicon (as evidence, I cite Mike Cowlishaw's seminal IBM Jargon Dictionary... 
look up "exposure" in the pdf file &lt;a href="http://www.comlay.net/ibmjarg.pdf"&gt;here&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;This made things quite tricky for the poor souls who had to write a Project Risk Checklist for IBM's project managers... without using the word "risk" anywhere. So, "Project Assessment Checklist" it was, then...&lt;br /&gt;&lt;br /&gt;That said, when we in the field were given our first training session by a proper project manager, he was blunt about it to the point of political incorrectness. "A project which involves no business risk", he intoned, "is unlikely to deliver any significant business benefit".&lt;br /&gt;&lt;br /&gt;Which is a fair enough comment, and worth making (if your vocabulary permits you to do so, that is...).&lt;br /&gt;&lt;br /&gt;I thought of this as I read a Tweeted Q&amp;amp;A from the Burton Catalyst conference currently under way in Prague. Bob Blakley asks Tony Nadalin "Can federation exist on the internet without trust frameworks?".&lt;br /&gt;&lt;br /&gt;My initial thought is that not all kinds of trust are equivalent; for instance, when I conduct banking transactions online from my laptop, I place different kinds of trust in the bank and in the telecommunications infrastructure. I hold them responsible, respectively, for different aspects of the transaction's success, and I would expect different forms of recourse if something went wrong.&lt;br /&gt;&lt;br /&gt;So, if I intend my organisation and your organisation to conduct high-value business over the internet, but choose to do so with no kind of trust framework in place, I'm probably taking quite a risk. In some forms of business, I might be happy to do that. I might even be insured or re-insured against some kinds of failure. 
My safeguards against "transactional" risk for that high-value business are not necessarily the same as my safeguards against, say, the network suddenly dropping out of service.&lt;br /&gt;&lt;br /&gt;On the other hand, some networks are not meant for 'high value business'. What are referred to as 'social networks' (and I still don't like that phrase) get their value from the network effect, rather than from the exchange of financial value - again, that doesn't mean there's no need for trust - but the risks and appropriate mitigations involved are different.&lt;br /&gt;&lt;br /&gt;I'm not going to go for the CEM Joad response ("Well, I suppose it all depends on what you mean by 'federation' and what you mean by 'trust frameworks'"), but it did occur to me that a federation, constructed over the internet, which has absolutely no element of trust is unlikely to deliver significant benefit.&lt;br /&gt;&lt;br /&gt;There's another interesting question, of course: can you have a federation which successfully meets the goals of all its stakeholders &lt;span style="font-style: italic;"&gt;even if&lt;/span&gt; they don't trust each other? (Strategic arms reduction, for instance). 
But that's another discussion...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-5743705132337597228?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/5743705132337597228/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/06/back-in-olden-days-when-i-worked-for.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/5743705132337597228'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/5743705132337597228'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/06/back-in-olden-days-when-i-worked-for.html' title='Can you have federation without trust?'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-1543578251428705465</id><published>2010-06-22T12:57:00.004+01:00</published><updated>2010-06-22T13:34:28.051+01:00</updated><title type='text'>Google wi-fi-gate rumbles on</title><content type='html'>Yesterday's Tech Daily Dose &lt;a href="http://techdailydose.nationaljournal.com/2010/06/google-appears-to-offer-confli.php"&gt;announced&lt;/a&gt; (rather optimistically, I feel) that Google had 'cleared the air over wi-fi-gate'. The rest of the article went on to sum up Google's position as "we haven't broken US law". 
A spokeswoman is quoted as saying "it's legal to receive information from networks configured to be open to the public".&lt;br /&gt;&lt;br /&gt;I am not in a position to comment on US law in that regard, but I have looked at the potentially applicable UK legislation.&lt;br /&gt;&lt;br /&gt;I turned first to the Computer Misuse Act 1990, Section 1  - Unauthorised Access to Computer Material:&lt;br /&gt;&lt;blockquote&gt;&lt;p class="LegClearFix LegP2Container" id="pb1-l1g1-l1p1-l2p1"&gt; &lt;span class="LegDS LegLHS LegP2No"&gt;(1)&lt;/span&gt; &lt;span class="LegDS LegRHS LegP2Text"&gt;A person is guilty of an offence if—&lt;/span&gt; &lt;/p&gt; &lt;p class="LegClearFix LegP3Container" id="pb1-l1g1-l1p1-l2p1-l3p1"&gt; &lt;span class="LegDS LegLHS LegP3No"&gt;(a)&lt;/span&gt; &lt;span class="LegDS LegRHS LegP3Text"&gt;he causes a computer to perform any function with intent to secure access to any program or data held in any computer;&lt;/span&gt; &lt;/p&gt; &lt;p class="LegClearFix LegP3Container" id="pb1-l1g1-l1p1-l2p1-l3p2"&gt; &lt;span class="LegDS LegLHS LegP3No"&gt;(b)&lt;/span&gt; &lt;span class="LegDS LegRHS LegP3Text"&gt;the access he intends to secure is unauthorised; and&lt;/span&gt; &lt;/p&gt; &lt;p class="LegClearFix LegP3Container" id="pb1-l1g1-l1p1-l2p1-l3p3"&gt; &lt;span class="LegDS LegLHS LegP3No"&gt;(c)&lt;/span&gt; &lt;span class="LegDS LegRHS LegP3Text"&gt;he knows at the time when he causes the computer to perform the function that that is the case.&lt;/span&gt; &lt;/p&gt; &lt;p class="LegClearFix LegP2Container" id="pb1-l1g1-l1p1-l2p2"&gt; &lt;span class="LegDS LegLHS LegP2No"&gt;(2)&lt;/span&gt; &lt;span class="LegDS LegRHS LegP2Text"&gt;The intent a person has to have to commit an offence under this section need not be directed at—&lt;/span&gt; &lt;/p&gt; &lt;p class="LegClearFix LegP3Container" id="pb1-l1g1-l1p1-l2p2-l3p1"&gt; &lt;span class="LegDS LegLHS LegP3No"&gt;(a)&lt;/span&gt; &lt;span class="LegDS LegRHS LegP3Text"&gt;any particular 
program or data;&lt;/span&gt; &lt;/p&gt; &lt;p class="LegClearFix LegP3Container" id="pb1-l1g1-l1p1-l2p2-l3p2"&gt; &lt;span class="LegDS LegLHS LegP3No"&gt;(b)&lt;/span&gt; &lt;span class="LegDS LegRHS LegP3Text"&gt;a program or data of any particular kind; or&lt;/span&gt; &lt;/p&gt; &lt;p class="LegClearFix LegP3Container" id="pb1-l1g1-l1p1-l2p2-l3p3"&gt; &lt;span class="LegDS LegLHS LegP3No"&gt;(c)&lt;/span&gt; &lt;span class="LegDS LegRHS LegP3Text"&gt;a program or data held in any particular computer.&lt;/span&gt; &lt;/p&gt; &lt;p class="LegClearFix LegP2Container" id="pb1-l1g1-l1p1-l2p3"&gt; &lt;span class="LegDS LegLHS LegP2No"&gt;(3)&lt;/span&gt; &lt;span class="LegDS LegRHS LegP2Text"&gt;A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;At first glance, 1(a) appears to offer an "out", in that it refers to data held &lt;span style="font-style: italic;"&gt;in&lt;/span&gt; a computer, not data wirelessly broadcast by it. However, paragraph 2(c) specifies that it is not necessary for data held in any particular computer to have been targeted in order for an offence to have been committed. Potentially, that opens the way for a charge that the SSID which I set in my wireless router (a computer which I own), although not specifically targeted by Google's StreetView sniffer, would nonetheless be accessed by that device, as the router went about its intended function.&lt;br /&gt;&lt;br /&gt;The intended function of the router is a factor, in the sense that I set it up (including broadcast of the SSID) for a specific purpose: namely, to enable members of my household to distinguish between my wi-fi network and neighbouring ones.&lt;br /&gt;&lt;br /&gt;Paragraph 1(b) must be held to apply in any case. 
There is no way, simply through the SSID broadcast mechanism or the wireless router configuration, to notify third parties of my intent, or for third parties to be granted authorisation to access my wireless network: therefore I would argue that they must presume they have not been authorised to do so (and Article 8 of the European Convention on Human Rights would seem to back up that assumption).&lt;br /&gt;&lt;br /&gt;However, arguably by its narrow definition of "computer", and its failure explicitly to define "computer systems" and "systems composed of computers and network connections",  the Computer Misuse Act might be too tightly scoped to include wireless links.&lt;br /&gt;&lt;br /&gt;So next I looked at the Regulation of Investigatory Powers Act 2000 (RIPA). This is explicitly aimed at 'data in motion' as opposed to 'data in computers'. While its primary purpose was to provide a legislative basis for the authorities to intercept citizens' communications traffic, it also contains provision to protect "our" communications too.&lt;br /&gt;&lt;br /&gt;Thus, Part 1, Chapter 1, Section 2 "Meaning and location of interception etc." 
says:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;(1) In this Act:  [...]&lt;br /&gt;&lt;ul class="LegTabbedDef LegUnorderedList"&gt;&lt;li&gt; &lt;p class="LegListTextStandard LegLevel3"&gt;“private telecommunication system” means any telecommunication system which, without itself being a public telecommunication system, is a system in relation to which the following conditions are satisfied—&lt;/p&gt; &lt;div&gt;&lt;div class="LegAlphaList"&gt; &lt;div class="LegListItem"&gt; &lt;div class="LegLevel4No LegListItemNo"&gt;(a) it is attached, directly or indirectly and whether or not for the purposes of the communication in question, to a public telecommunication system; and&lt;/div&gt; &lt;/div&gt; &lt;div class="LegListItem"&gt; &lt;div class="LegLevel4No LegListItemNo"&gt;(b) there is apparatus comprised in the system which is both located in the United Kingdom and used (with or without other apparatus) for making the attachment to the public telecommunication system;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/blockquote&gt;Sub-sections (2) and (3) continue as follows:&lt;br /&gt;&lt;p class="LegClearFix LegP2Container" id="pt1-ch1-pb1-l1g2-l1p1-l2p2"&gt; &lt;span class="LegDS LegLHS LegP2No"&gt;&lt;/span&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p class="LegClearFix LegP2Container" id="pt1-ch1-pb1-l1g2-l1p1-l2p2"&gt;&lt;span class="LegDS LegLHS LegP2No"&gt;(2)&lt;/span&gt; &lt;span class="LegDS LegRHS LegP2Text"&gt;For the purposes of this Act, but subject to the following provisions of this section, a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he—&lt;/span&gt; &lt;/p&gt; &lt;p class="LegClearFix LegP3Container" id="pt1-ch1-pb1-l1g2-l1p1-l2p2-l3p1"&gt; &lt;span class="LegDS LegLHS LegP3No"&gt;(a)&lt;/span&gt; &lt;span class="LegDS LegRHS LegP3Text"&gt;so modifies or interferes with the system, or its operation,&lt;/span&gt; &lt;/p&gt; &lt;p class="LegClearFix 
LegP3Container" id="pt1-ch1-pb1-l1g2-l1p1-l2p2-l3p2"&gt; &lt;span class="LegDS LegLHS LegP3No"&gt;(b)&lt;/span&gt; &lt;span class="LegDS LegRHS LegP3Text"&gt;so monitors transmissions made by means of the system, or&lt;/span&gt; &lt;/p&gt; &lt;p class="LegClearFix LegP3Container" id="pt1-ch1-pb1-l1g2-l1p1-l2p2-l3p3"&gt; &lt;span class="LegDS LegLHS LegP3No"&gt;(c)&lt;/span&gt; &lt;span class="LegDS LegRHS LegP3Text"&gt;so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system,&lt;/span&gt; &lt;/p&gt; &lt;p class="LegRHS LegP2Text"&gt;as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication.&lt;/p&gt; &lt;p class="LegClearFix LegP2Container" id="pt1-ch1-pb1-l1g2-l1p1-l2p3"&gt; &lt;span class="LegDS LegLHS LegP2No"&gt;(3)&lt;/span&gt; &lt;span class="LegDS LegRHS LegP2Text"&gt;References in this Act to the interception of a communication do not include references to the interception of any communication broadcast for general reception.&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p class="LegClearFix LegP2Container" id="pt1-ch1-pb1-l1g2-l1p1-l2p3"&gt;&lt;span class="LegDS LegRHS LegP2Text"&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="LegClearFix LegP2Container" id="pt1-ch1-pb1-l1g2-l1p1-l2p3"&gt;Which seems clear to me. Even my SSID (let alone the traffic I exchange between my workstation and the wireless router) is not broadcast for general reception. It is broadcast for reception within a strictly limited geographical area, and by a strictly limited set of devices.&lt;br /&gt;&lt;/p&gt;&lt;p class="LegClearFix LegP2Container" id="pt1-ch1-pb1-l1g2-l1p1-l2p3"&gt;Some may argue that I have the option of not broadcasting the SSID of my domestic network. The practical problem with that is that, if a neighbour adopts the same policy, there is a risk that users will try (in vain) to connect to the wrong network. 
That is inconvenient and time-consuming - and, of course, in the event that they thus inadvertently connect to the wrong wireless router, could even result in them breaking the law. There's irony for you.&lt;br /&gt;&lt;/p&gt;&lt;p class="LegClearFix LegP2Container" id="pt1-ch1-pb1-l1g2-l1p1-l2p3"&gt;Again, as long as the mechanisms for that broadcast do not enable me to specify more precisely the intended use of the system, or to grant explicit authorisation to third parties to gain access to it, any third party must proceed on the assumption that their access is unauthorised.&lt;/p&gt;&lt;p class="LegClearFix LegP2Container" id="pt1-ch1-pb1-l1g2-l1p1-l2p3"&gt;In the absence of such mechanisms, it is hard to see what else a householder can do to make their intended purpose clear - so here's an alternative attempt:&lt;/p&gt;&lt;p class="LegClearFix LegP2Container" id="pt1-ch1-pb1-l1g2-l1p1-l2p3"&gt;&lt;/p&gt;&lt;blockquote&gt;I hereby give notice that the purpose for which I set a public SSID on my domestic wi-fi network is so that members of my household can distinguish it from visible neighbouring access points. I do not intend that SSID to be available to third parties beyond the transmission range of my wi-fi-router. 
In the absence of a mechanism for third parties to seek authorisation to access my domestic wi-fi network or the data carried over it, any such access should be assumed to be unauthorised.&lt;/blockquote&gt; &lt;p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-1543578251428705465?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/1543578251428705465/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/06/google-wi-fi-gate-rumbles-on.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1543578251428705465'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1543578251428705465'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/06/google-wi-fi-gate-rumbles-on.html' title='Google wi-fi-gate rumbles on'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-6277401463420518886</id><published>2010-05-28T14:06:00.002+01:00</published><updated>2010-05-28T14:42:00.197+01:00</updated><title type='text'>Smart meters and privacy</title><content type='html'>Belatedly, I've spotted a good post on the Big Brother Watch blog, &lt;a href="http://www.bigbrotherwatch.org.uk/home/2010/01/privacy-concerns-scotch-smart-meters-plan-in-holland.html"&gt;here&lt;/a&gt;, on the subject of smart metering of 
utilities such as electricity, gas and water. I tried to leave a comment, but for some reason it got rejected... so here you go:&lt;br /&gt;&lt;br /&gt;An awful lot of this debate needs to hinge on transparency. If smart metering is 'something "they" do to "us" for "their" reasons and benefit', it will run into considerable opposition, fail to generate the buy-in of household energy consumers, and therefore ultimately fail to reduce energy consumption/carbon footprint etc.&lt;br /&gt;&lt;br /&gt;That principle has to guide the energy companies, as they consider design factors such as:&lt;br /&gt;&lt;br /&gt;- what is the full range of purposes for which energy consumption data is collected, processed and shared with other organisations?&lt;br /&gt;&lt;br /&gt;- what's the balance of interests between the householder, the energy supplier and third parties?&lt;br /&gt;&lt;br /&gt;- exactly what data items are collected by the meters?&lt;br /&gt;&lt;br /&gt;- how much of that data is transmitted to the energy supplier?&lt;br /&gt;&lt;br /&gt;- how much of it is visible to the householder?&lt;br /&gt;&lt;br /&gt;- what degree of control does the householder have over what data is sent and what is kept solely for the householder's use/convenience?&lt;br /&gt;&lt;br /&gt;I really worry when I see the Director of Energy UK, on behalf of the UK Energy Industry, quoted as saying, essentially, "consumers' security is paramount, and all information will be handled in strict accordance with the Data Protection Act".&lt;br /&gt;&lt;br /&gt;Frankly, if those are the success metrics, the privacy outlook is grim.&lt;br /&gt;&lt;br /&gt;1 - Security is not the same as privacy, and a system can be designed to provide great security but trample all over users' privacy. Privacy needs to be an explicit design goal in its own right from the outset.&lt;br /&gt;&lt;br /&gt;2 - Data Protection law applies to the subset of data currently classed as "personally identifiable"... 
and there is still plenty of argument over what that means. As others have pointed out, you don't need to personally identify someone in order to burgle their house when energy consumption data indicates they are not at home. DP law is an interesting starting point, but is not sufficient to guarantee a privacy-respecting implementation which protects householders from the range of possible threats.&lt;br /&gt;&lt;br /&gt;I am also increasingly wary of promises such as that offered by Mark Daeche of First Utility, who says that information should be "secure and anonymous". The work, particularly, of Vitaly Shmatikov and Arvind Narayanan has made it increasingly clear that anonymisation of consumer data is extremely hard to guarantee. Their papers  should be required reading for anyone involved with supposedly "anonymised" datasets - required, but probably not reassuring. (See Arvind's excellent blog &lt;a href="http://33bits.org/"&gt;here&lt;/a&gt;, aptly named "33 Bits of Entropy", for well-informed and well-reasoned thoughts on data and privacy).&lt;br /&gt;&lt;br /&gt;The question of "entropy" in personal data is going to be a key one, as we speed ever faster into the world of grids, sensors and smart devices. 
As I mentioned in a &lt;a href="http://bit.ly/cDF7jH"&gt;Tweet&lt;/a&gt; earlier today, it means that, as a perverse consequence, the more users pare their electricity consumption down to the bare essentials, for instance, the more identifiable the resulting usage pattern will be.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-6277401463420518886?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/6277401463420518886/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/05/smart-meters-and-privacy.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/6277401463420518886'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/6277401463420518886'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/05/smart-meters-and-privacy.html' title='Smart meters and privacy'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-784710972397229158</id><published>2010-05-26T12:15:00.004+01:00</published><updated>2010-05-26T13:44:15.374+01:00</updated><title type='text'>Guardian Tech interview with Eric Schmidt</title><content type='html'>Some of my readers are probably old enough to remember the occasion in 1984 when  President Ronald Reagan stepped up to a microphone for a sound check and uttered the memorable 
words:&lt;br /&gt;&lt;blockquote&gt;&lt;i&gt;"My fellow Americans, I'm pleased to tell you today that I've signed legislation that will outlaw Russia forever. We begin bombing in five minutes."&lt;/i&gt;&lt;/blockquote&gt;This week's Tech Weekly audiocast on the Guardian site (&lt;a href="http://www.guardian.co.uk/technology/blog/audio/2010/may/25/google-eric-schmidt-privacy-best-buy-uk"&gt;here&lt;/a&gt;) includes a brief interview with Eric Schmidt (it's in the first 10 minutes, followed by analysis/discussion from the Tech Weekly team).&lt;br /&gt;&lt;br /&gt;In the excerpt, Eric Schmidt explains to Jemima Kiss how Google happened to capture some network traffic as its rather inaccurately-named camera cars "sniffed" wireless SSIDs as well as StreetView image data.&lt;br /&gt;&lt;br /&gt;Unfortunately - at least on the basis of this part of the interview - I am still not convinced that Mr Schmidt really has as firm a grasp on the privacy issue as I would have hoped for from Google's CEO. Here's why:&lt;br /&gt;&lt;br /&gt;1 - the problem of cross-border jurisdiction. One of the examples Schmidt cites, of 'how much data we all happen to disclose', is that of mobile phone location data. He describes it as a 'legal requirement' that your ISP should be able to locate your mobile phone (in case it is needed for emergency services, for instance). As I understand it, that is a legal requirement in the US, but not in the UK, for example. I don't claim to know which jurisdictions do and don't require it, but that's beside the point - the point being that the legal status of your mobile phone location data varies by jurisdiction.&lt;br /&gt;&lt;br /&gt;When the CEO of a company with Google's global reach and colossal processing capacity uses examples which suggest he thinks the regulatory regime is homogenous world wide, that does not instill confidence. 
Not all countries have the same cultural, legal or regulatory approach to privacy as the US, and it is dangerous to proceed on the assumption that they do.&lt;br /&gt;&lt;br /&gt;2 - the issue of privacy and harm. At one point, Schmidt essentially argues that we need to keep the wi-fi data snarfing in perspective, and bear in mind that, as no harm has arisen out of it, it's not really a privacy breach. Again, if one is in Schmidt's position, I think that is a very dangerous position to espouse. For instance, there is (as yet) no indication that harm has arisen from the UK HMRC "2 CDs" data breach... so is that entirely privacy neutral? Of course not; it would be absurd to conclude that absence of provable harm means that no action need be taken as a result of the HMRC data breach.&lt;br /&gt;&lt;br /&gt;Harm is one factor in assessing actual or potential data breaches, but it is absolutely not a sufficient metric for gauging privacy risk.&lt;br /&gt;&lt;br /&gt;And finally, there's the question of Google's reaction to the wi-fi incident. What will they do as a result? Well, according to Schmidt's comments, it's predominantly a matter of "education" and addressing the fact that "people don't like it".&lt;br /&gt;&lt;br /&gt;Those are part of the picture, for sure - but again, they are not enough. There are laws in this area - and if those are not given due consideration, the fact of whether or not people like your behaviour is somewhat secondary.&lt;br /&gt;&lt;br /&gt;The point of my opening reference to Reagan is that often it's not just a question of what is said, but by whom and in what context. It may well be that Schmidt's heart is in the right place and has "Don't be evil" tattooed on it - but I come back to the point that, because of the post he occupies, his pronouncements on these topics have a very particular weight and resonance. 
On that basis, I think we are entitled to less about 'educating us about why we should like it', and more about building respect for our privacy into Google's business model.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-784710972397229158?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/784710972397229158/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/05/guardian-tech-interview-with-eric.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/784710972397229158'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/784710972397229158'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/05/guardian-tech-interview-with-eric.html' title='Guardian Tech interview with Eric Schmidt'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-6450576093646253833</id><published>2010-05-22T15:53:00.005+01:00</published><updated>2010-05-22T16:10:06.788+01:00</updated><title type='text'>O'Reilly gets contrarian on Facebook privacy</title><content type='html'>[This is a slightly extended re-post of a comment I left on Tim O'Reilly's blog, &lt;a href="http://radar.oreilly.com/2010/05/my-contrarian-stance-on-facebook-privacy.html#comments"&gt;here&lt;/a&gt;.]&lt;br /&gt;&lt;br /&gt;First, I should make it clear 
that I congratulate Tim O'Reilly on managing a contrarian post which is thought-provoking without being inflammatory... a balance which is hard to strike on this topic.&lt;br /&gt;&lt;br /&gt;I have to say, though, that over-all I disagree with Tim's argument. We are (or should be) way past the stage, with social networks, of just innovating "because it's possible"; a more evolved attitude is to ask not just whether we &lt;span style="font-style: italic;"&gt;can&lt;/span&gt; do something (because after all, these days online, pretty much anything is possible) but rather whether we &lt;span style="font-style: italic;"&gt;should&lt;/span&gt; do it. Innovation does not trump ethics.&lt;br /&gt;&lt;br /&gt;By comparison, think what the reaction would be if, instead of personal data, Facebook's raw material was genetically modified bacteria. Would we really be happy for them to be playing around with a 400 million-person petri dish, all in the name of "innovation"?&lt;br /&gt;&lt;br /&gt;No - if Mr Zuckerberg wants to push his agenda of "radical transparency", he should be doing it with the knowing, informed and explicit consent of whatever subset of users want to take part, not with the vast majority of users who don't have the information or the tools with which to make rational decisions about the privacy of their information online - and who, in many cases, signed up under a radically different set of terms to those which have since replaced them.&lt;br /&gt;&lt;br /&gt;As a more general principle, what this suggests to me is no different from what has been happening for decades in other fields of innovation (and I think of things like medicine, nuclear physics, gene technology and so on): we are quite accustomed to having discrete and very different governance regimes for the "research and development" phase and the "mass consumer roll-out" phase. 
Facebook's model (and the one Tim O'Reilly seems keen to endorse) is that it's OK to conflate the two, treat the "mass consumer roll-out" phase as your personal horde of lab rats, and innovate in ways which put them at risk.&lt;br /&gt;&lt;br /&gt;My former colleague Michelle Dennedy, then CPO at Sun Microsystems, used to advise organisations to treat personal data like toxic waste. From that perspective, I don't think what Mr Zuckerberg is doing with 400m people's personal data is at all healthy. Not for the individuals concerned, and ultimately not for the rest of us either.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-6450576093646253833?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/6450576093646253833/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/05/oreilly-gets-contrarian-on-facebook.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/6450576093646253833'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/6450576093646253833'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/05/oreilly-gets-contrarian-on-facebook.html' title='O&apos;Reilly gets contrarian on Facebook privacy'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-1687586881507644348</id><published>2010-05-20T09:18:00.003+01:00</published><updated>2010-05-20T09:36:29.877+01:00</updated><title type='text'>Missing the point on Facebook and privacy</title><content type='html'>B.L. Ochman writes &lt;a href="http://http//adage.com/digitalnext/post.php?article_id=143909"&gt;here&lt;/a&gt; about Facebook's privacy issues, arguing that actually, the fault lies with all of us for consistently oversharing on the internet, rather than with Facebook. While admitting that Facebook has made a PR mess of the way it has introduced and communicated some of its changes, the article says, in part:&lt;br /&gt;&lt;blockquote&gt;"People have made a lot of terrible decisions about what they put online for as long as the internet has existed. It's about time everyone realized that you shouldn't put anything online that you wouldn't want an employer, the government or your mother to see. Facebook never made those decisions for anyone! "&lt;/blockquote&gt; Well, as far as it goes, that's true - but it paints a picture which is partial in two crucial aspects; those of purpose and informed consent.&lt;br /&gt;&lt;br /&gt;"Social networking" sites (and I have ranted often enough about why I object to that phrase) create a false reality which users are only too happy to collude in: the illusion that when you go online, just you and your buddies are interacting. 
In fact, of course, not only are you not alone, there is a third party in the room whose commercial interests lie explicitly in re-selling the byproduct of your social interactions.&lt;br /&gt;&lt;br /&gt;Awareness of that fact is growing, thanks in part to the current publicity Facebook's &lt;a href="http://www.eff.org/deeplinks/2010/04/facebook-timeline"&gt;privacy-eroding policies&lt;/a&gt; are generating, but not, it must be said, through any informative disclosure by Facebook, to users, about their role in its business model.&lt;br /&gt;&lt;br /&gt;Ochman makes the case that we have all been making poor privacy/disclosure decisions for years. Well, if that's so evident, it should be correspondingly obvious how to design systems to help users make better privacy decisions. One cannot credibly argue that Facebook is an example of that.&lt;br /&gt;&lt;br /&gt;[Thanks to @N_Hickman for pointing me to the B.L. Ochman article]&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-1687586881507644348?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/1687586881507644348/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/05/missing-point-on-facebook-and-privacy.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1687586881507644348'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1687586881507644348'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/05/missing-point-on-facebook-and-privacy.html' title='Missing the point on Facebook and privacy'/><author><name>Robin 
Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-517524392570497539</id><published>2010-05-17T18:35:00.004+01:00</published><updated>2010-05-17T19:12:58.026+01:00</updated><title type='text'>XML Summer School 2010, Oxford</title><content type='html'>Do you sometimes find yourself watching the commercial break during a TV programme and thinking "sanitary pads? volumizing mascara? chocolate flavoured diet bars? Strange - I thought I quite liked this programme, but I am &lt;span style="font-style: italic;"&gt;obviously&lt;/span&gt; not supposed to, judging by its target demographic..."?&lt;br /&gt;&lt;br /&gt;Well, with any luck, I am not about to induce the same feeling...&lt;br /&gt;&lt;br /&gt;The XML Summer School is an event I was introduced to by two former colleagues at Sun Microsystems - Eve Maler and Lauren Wood - both of whom have been formative influences on it since its creation in 2000. The principle is very simple: you assemble a 'faculty' of experts, give them topics to lecture on, add congenial surroundings and extra-curricular activities, and stir in a generous mixture of participants. The result, in my experience, is quite exceptional...&lt;br /&gt;&lt;br /&gt;There is deep technical expertise in abundance, in domains ranging from cognitive science, software and user interface design through to the nitty-gritty of RESTful applications and XML Schemas. There are also plenty of opportunities to engage with the faculty members, whether facilitated by a pint or a punt, so this is a very long way from the run-of-the-mill classroom course. 
As what I can only assume is a bit of (relatively) non-technical light relief, I will be talking about future directions in digital identity and privacy, as part of the &lt;a href="http://xmlsummerschool.com/curriculum-2010/web-services-and-identity-2010/"&gt;Web Services and Identity course&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The whole thing is ably masterminded by John Chelsom, an experienced software developer and entrepreneur, who asked if I would extend this invitation. I am delighted to do so:&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;XML Summer School&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;5th - 10th September 2010&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;St Edmund Hall, Oxford.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;The XML Summer School is a unique event for everyone using, designing  &lt;/span&gt;&lt;span style="font-style: italic;"&gt;or implementing solutions using XML and related technologies. Our  &lt;/span&gt;&lt;span style="font-style: italic;"&gt;speakers are some of the world’s most renowned XML practitioners and  &lt;/span&gt;&lt;span style="font-style: italic;"&gt;teachers, who enrich the learning experience with their enthusiasm and  &lt;/span&gt;&lt;span style="font-style: italic;"&gt;expert knowledge, and are always on hand to make sure that delegates  &lt;/span&gt;&lt;span style="font-style: italic;"&gt;receive the very best XML training available.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;As always, the XML Summer School is packed with high quality technical  &lt;/span&gt;&lt;span style="font-style: italic;"&gt;XML training for every level of expertise, from the Hands-on  &lt;/span&gt;&lt;span style="font-style: italic;"&gt;Introduction through to special classes devoted to XSLT, XQuery,  &lt;/span&gt;&lt;span style="font-style: italic;"&gt;Semantic Technologies, Web Services and Identity. 
The Summer School is  &lt;/span&gt;&lt;span style="font-style: italic;"&gt;also a rare opportunity to experience what life is like as a student  &lt;/span&gt;&lt;span style="font-style: italic;"&gt;in one of the world's oldest university cities.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;To find out more and to register your place on the XML Summer School  &lt;/span&gt;&lt;span style="font-style: italic;"&gt;please visit &lt;a href="http://www.xmlsummerschool.com"&gt;www.xmlsummerschool.com&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;=============================&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Dr John Chelsom&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Partner, Eleven Informatics LLP&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/blockquote&gt;So there we have it; I'll be there along with John and the rest of the faculty, and I hope you can join us at "Teddy Hall" in September!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-517524392570497539?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/517524392570497539/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/05/xml-summer-school-2010-oxford.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/517524392570497539'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/517524392570497539'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/05/xml-summer-school-2010-oxford.html' title='XML Summer School 2010, Oxford'/><author><name>Robin 
Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-1319670140779699464</id><published>2010-05-15T14:58:00.004+01:00</published><updated>2010-05-16T13:35:45.965+01:00</updated><title type='text'>Privacy and SSIDs - in more than 140 characters</title><content type='html'>[ I don't normally do this, but I'd like to point to &lt;a href="http://futureidentity.blogspot.com/2010/05/privacy-and-ssids-in-more-than-140.html?showComment=1273961879375#c3846125561602945464"&gt;Steve Wilson's comment&lt;/a&gt; on this post, because I think his analysis is exemplary. To quote Oscar Wilde - "I wish I'd said that" ;^) ]&lt;br /&gt;&lt;br /&gt;I really value the immediacy and 'connectedness' of Twitter, but now and again I get into a Twitter discussion which really suffers from having to be conducted in 140-character bursts. I was in one earlier today with @dakami and @roessler which arose from news coverage of Google's admission that they had been 'inadvertently' collecting wireless network data in the course of capturing Streetview images.&lt;br /&gt;&lt;br /&gt;To be fair to Dan Kaminsky, I did rather open things up by describing him as "disingenuous" - in that what he was reported as saying (&lt;a href="http://news.bbc.co.uk/1/hi/technology/8684110.stm"&gt;here, on the BBC site&lt;/a&gt;) boiled down to "well, if you broadcast wireless data, you can hardly be surprised if someone picks it up". 
Dan pointed out via Twitter that actually that quotation had been somewhat selective, and that the article did not accurately portray the real thrust of his comment, which was more along these lines:&lt;br /&gt;&lt;blockquote&gt;"Given that WIGLE and Skyhook have both been mapping wireless networks since the turn of the millennium, it's a bit daft to treat Google as an egregious offender in this area".&lt;/blockquote&gt;(I hope I've done Dan's position justice here - I'm extrapolating from a couple of tweets...)&lt;br /&gt;&lt;br /&gt;OK - so here's my position in the kind of detail which Twitter really doesn't lend itself to.&lt;br /&gt;&lt;br /&gt;First; fair enough - as Thomas Roessler pointed out (also via Twitter) - is there a real privacy issue in logging the SSIDs of wireless networks? Arguably not - particularly as one has the option not to broadcast an SSID in the first place. However, I struggle to see the utility of logging domestic SSIDs, or indeed commercial ones, if they are not the SSIDs of networks intended for public access. Who stands to benefit from that data? And if it is anyone other than the owner of the network, what's the deal with that?&lt;br /&gt;&lt;br /&gt;Second; similarly, Dan rightly points out that an SSID is something which is broadcast... so it's perhaps a little churlish to gripe when someone notices it.  On the other hand, even in my not-very-densely populated neighborhood, there are half a dozen 'visible' networks. For the sake of the people who I do wish to be able to connect to my domestic wifi network, it is more convenient to have a broadcast SSID which distinguishes it from the others. Under some circumstances, it &lt;span style="font-style: italic;"&gt;might&lt;/span&gt; also help them avoid getting suckered into connecting to a rogue access point.&lt;br /&gt;&lt;br /&gt;Third; there's the matter of intent. 
I set up a domestic wireless network for a very clear, well circumscribed purpose: it is there so that members of my household can share access to the cable connection. That's all. I didn't install it, or name it, so that it could be plotted on a map. It is there for a specific purpose which is limited to my immediate family. As such, &lt;span style="font-style: italic;"&gt;particularly if interfered with&lt;/span&gt;, it engages Protocol 1, Article 1 of the European Convention on Human Rights (ECHR) - "the entitlement to quiet enjoyment of one's possessions". By default, that is the legal position.&lt;br /&gt;&lt;br /&gt;Now, I fully accept that, as far as the SSID alone is concerned, and given that it is a broadcast value and that broadcasting it is a matter of choice, it is arguable that no harm arises from collecting and publicising it. I still question what the utility is of doing that, for domestic networks.&lt;br /&gt;&lt;br /&gt;However, the point is that that is not what Google were obliged to own up to, because what the German authorities uncovered was that they had also been capturing data packets from domestic networks, not just identifiers. In that case, we're not dealing with just the ECHR - we're talking about unauthorised access to computer systems, which (in the UK) is an offence under the Computer Misuse Act.&lt;br /&gt;&lt;br /&gt;You might retort that it's the network owner's fault anyway for being stupid enough to leave their network unsecured. I have two issues with that response.&lt;br /&gt;&lt;br /&gt;1 - The fact that I have left a window open does not make it less of an offense to climb into my house and steal my stuff. It might affect my insurance status, but it doesn't mean theft is not a crime.&lt;br /&gt;&lt;br /&gt;2 - There is no contract of any kind in place between companies like Google, WIGLE, Skyhook etc and the householder whose data is being recorded through these initiatives. 
As the German instance makes clear, there are regional and national differences of view as to what the 'rules' are, in the absence of such a contract. For my part, I simply note the practical difficulty faced by the householder in making his/her preference known. For example, if I wished to make it clear that I do not consent to unauthorised access to my domestic wireless network, there is no mechanism for "posting" an explicit notice to that effect, in the way that I might post a 'please keep out' sign at the boundary of my property.   &lt;br /&gt;&lt;br /&gt;As long as the householder has no viable technical means of making his/her preferences known, I would argue that the default &lt;span style="font-style: italic;"&gt;should&lt;/span&gt; be a presumption of privacy, not a presumption that such data is free to be broadcast to the world.&lt;br /&gt;&lt;br /&gt;Some of you may have seen danah boyd's presentation at SXSW this year. I wasn't there myself, but have since been lucky enough to see a video of it (authorised, I hasten to add...). One of the many points danah made with admirable clarity was this: taking data which is in the public domain and making it more public (for instance, by broadcasting it widely, or making it globally accessible where it was not before) is not privacy neutral. Actually she put it more strongly and said that it is a violation of privacy.&lt;br /&gt;&lt;br /&gt;What I think we need to learn - from companies like Google, WIGLE, Skyhook and others - is that privacy is seldom a binary concept. It does make sense, as danah has done, to describe some data as 'public' and other data as 'more public'. It does make sense to talk of graduated consent to disclosure, rather than bald 'consent' or 'refusal'. 
And it makes sense to think in terms of conditional disclosure, not just free-for-all or nothing.&lt;br /&gt;&lt;br /&gt;Privacy, when it comes down to it, is not a technological construct: it is a personal, social and cultural construct, and a nuanced one at that. Inescapably, as more of our lives are technically-mediated, we face the challenge of mapping that shaded, complex social view of privacy onto a rather crude, binary set of tools. Companies like Google have shown themselves to be fantastic innovators in so many ways; it's time they turned that ingenuity to the privacy question.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-1319670140779699464?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/1319670140779699464/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/05/privacy-and-ssids-in-more-than-140.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1319670140779699464'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1319670140779699464'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/05/privacy-and-ssids-in-more-than-140.html' title='Privacy and SSIDs - in more than 140 characters'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-2930086360214477517</id><published>2010-05-14T15:12:00.002+01:00</published><updated>2010-05-14T15:20:52.198+01:00</updated><title type='text'>UK jobless total continues to rise...</title><content type='html'>As I reported yesterday, the new Coalition government spelled disaster for the employment prospects of Elizabeth Henderson, the human face (sic) of the UK ID Cards Scheme.&lt;br /&gt;&lt;br /&gt;Regrettably, the jobless total seems set to soar still further, since if there's no ID Card scheme, there's not much need for an Identity Commissioner either. Bad news for the &lt;a href="http://www.itpro.co.uk/621052/q-a-the-id-card-commissioner-talks-cards-and-controversy"&gt;relatively recently appointed&lt;/a&gt; Sir Joseph Pilling.&lt;br /&gt;&lt;br /&gt;Rumour has it that his office is already politely cancelling his upcoming engagements.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-2930086360214477517?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/2930086360214477517/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/05/uk-jobless-total-continues-to-rise.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2930086360214477517'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2930086360214477517'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/05/uk-jobless-total-continues-to-rise.html' title='UK jobless total continues to 
rise...'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-7025890951603517448</id><published>2010-05-12T17:15:00.004+01:00</published><updated>2010-05-12T18:56:04.610+01:00</updated><title type='text'>Spare a thought for Elizabeth Henderson</title><content type='html'>On the day Cameron and Clegg shook hands, and the national unemployment figure rose to over 2.5 million, spare a thought for Elizabeth Henderson* - one of the first identifiable people to lose her job under the Coalition.&lt;br /&gt;&lt;br /&gt;It's only Day One but already the Conservative/LibDem coalition agreement has confirmed both parties' long-stated intention to scrap the ID Cards Scheme. I have to admit, some of my previous scepticism was misplaced: the Coalition will scrap the Scheme as a whole (including the National Identity Register), not just the plastic cards.&lt;br /&gt;&lt;br /&gt;The measure comes under the general rubric of Civil Liberties, and is accompanied by statements in a number of other policy areas:&lt;br /&gt;&lt;blockquote&gt;&lt;p&gt; "- A Freedom or Great Repeal Bill.  &lt;/p&gt; &lt;p&gt; - &lt;span style="font-style: italic;"&gt;The scrapping of ID card scheme, the National Identity register&lt;/span&gt;, the next    generation of biometric passports and the Contact Point Database.  &lt;/p&gt; &lt;p&gt; - Outlawing the finger-printing of children at school without parental    permission.  &lt;/p&gt; &lt;p&gt;- The extension of the scope of the Freedom of Information Act to provide    greater transparency.  &lt;/p&gt; &lt;p&gt; - Adopting the protections of the Scottish model for the DNA database.  
&lt;/p&gt; &lt;p&gt; - The protection of historic freedoms through the defence of trial by jury.  &lt;/p&gt; &lt;p&gt; - The restoration of rights to non-violent protest.  &lt;/p&gt; &lt;p&gt; - The review of libel laws to protect freedom of speech.  &lt;/p&gt; &lt;p&gt; - Safeguards against the misuse of anti-terrorism legislation.  &lt;/p&gt; &lt;p&gt; - Further regulation of CCTV.  &lt;/p&gt; &lt;p&gt; - Ending of storage of internet and email records without good reason.  &lt;/p&gt; &lt;p&gt; - A new mechanism to prevent the proliferation of unnecessary new criminal    offences."  &lt;/p&gt;&lt;/blockquote&gt; Indeed, that list actually goes further than my recently-posted "celery-free manifesto", though I did score a reasonable number of hits. I think, on balance, I am now cautiously optimistic, as opposed to ecstatically jubilant. After all, one doesn't celebrate the passing of a migraine by cracking open the nearest bottle of champagne... and as migraines go, this one has been persistent.&lt;br /&gt;&lt;br /&gt;It is now almost a decade since then Home Secretary David Blunkett set out his plans for a national "Entitlement Card" - compulsory, and in all but name, a national ID card. When challenged in Parliament by opposition MPs, he dismissed the argument as "descending into a contest with intellectual pygmies".&lt;br /&gt;&lt;br /&gt;Sorry, Mr Blunkett - one of the harsh realities of the information society is that, once comments like that get onto the record, they are easy to find, easy to re-publish, and impossible to delete. That, incidentally, is a critical design factor of modern identity systems which your party's identity policies determinedly ignored for the ensuing decade.&lt;br /&gt;&lt;br /&gt;A lot has changed in that decade, in the realms of digital identity and privacy. 
We have a decade's experience - admittedly, as ever, mostly of things which turned out not to work, or not to work as well as hoped - and a decade of further technological advances. Anyone setting out to design a national identity scheme now would probably look rather foolish if they came up with a 2001-vintage design for it.&lt;br /&gt;&lt;br /&gt;However, what I really hope we have learned is that those technological advances must, if they are to succeed and be adopted, fit into an ecosystem of related elements: elements such as appropriate policy, governance and regulatory control; the right legal framework; practical, scalable deployments backed up by adequate training and resources... and a culture in which adoption by users is a rational and attractive step. As the &lt;a href="http://futureidentity.eu/Resources.php"&gt;recent history of Privacy Enhancing Technologies [PETs white paper]&lt;/a&gt; illustrates, if that ecosystem is absent or hostile, the best of technologies will fail to thrive.&lt;br /&gt;&lt;br /&gt;With that in mind, I hope that the headline use of words like "freedom", "responsibility", "fairness" and "civil liberties" hints at something broader than just the scrapping of a number of centralising, data-intensive government programmes. Now is an opportunity to go back to the foundations of policy and re-examine the relationship between government and citizen, and the role of digital identity in that relationship. One of the persistent failings of the ID Cards scheme was that the government decided what it intended to do, and then cast around for policy objectives which might be put forward to justify that course of action.&lt;br /&gt;&lt;br /&gt;If there is clarity of purpose, the appropriate policy goals flow naturally.&lt;br /&gt;&lt;br /&gt;As a consequence, another failing of the ID Cards scheme was that the relationship between its stated goals and the proportionality of the scheme became ever more tenuous. 
If the stated principle of "fairness" leads to proportionality in measures such as public sector identity, DNA retention, data retention and data-sharing, that is to be welcomed.&lt;br /&gt;&lt;br /&gt;A lack of proportionality in compulsory measures severely undermines the culture of adoption.&lt;br /&gt;&lt;br /&gt;Finally, and fatally, the ID Cards scheme failed to take any account of the fact that identity in online transactions is not a universal good. There are clear and valid instances when identity is neither necessary nor beneficial, and where pseudonymous or anonymous interaction is the most desirable option. The ID Cards scheme looked backwards at traditional notions of "identity as credentials", and in doing so failed to design for what is likely to be the majority of online activity: digital identity as a multi-faceted representation of (equally multi-faceted) digital life. Other countries have looked forwards; Costa Rica, for instance, amended its constitution so as to establish citizens' rights to a digital identity - taking a perspective which put the citizen's interests at the centre of legislation, policy and technological innovation.&lt;br /&gt;&lt;br /&gt;Some forms of state-issued digital identity may have a role to play in such a system, for sure. However, a policy based on the assumption that no other forms of identity are relevant (including pseudonymity and anonymity) is doomed to be blind-sided into irrelevance by the relentless evolution of our online lives.&lt;br /&gt;&lt;br /&gt;This holistic view requires that identity be considered in close conjunction with its siblings - privacy and self-determination. 
So my third hope is that the word "freedom" in the Coalition agreement will include those classic tropes of privacy:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;freedom to be let alone&lt;br /&gt;&lt;/li&gt;&lt;li&gt;freedom to preserve intimacy&lt;/li&gt;&lt;li&gt;freedom to retain anonymity&lt;/li&gt;&lt;li&gt;freedom to exercise discretion&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;Those, it will be readily apparent, are social, political and cultural goals, not technological ones. In the information society, though, many of them will be technically-mediated, much of the time - so the policymakers cannot afford to make under- or ill-informed decisions. It is, if I may be cruel, no time for policy to be made by &lt;a href="http://i.imgur.com/1pXlO.jpg"&gt;people&lt;/a&gt; who think that the "IP" in "IP Address" stands for "Intellectual Property".&lt;br /&gt;&lt;br /&gt;Fortunately, the last decade has also grown a community of committed, engaged, privacy-aware and technically-literate specialists who can translate between the policymakers and the technologists. Let's hope the policymakers are willing to listen.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;*[In case you're wondering about the title of the blog post; &lt;a href="http://www.rtaylor.co.uk/images/idcard.jpg"&gt;Elizabeth Henderson&lt;/a&gt; is the name on the 'sample' UK ID card. 
She is no relation of &lt;a href="http://www.google.co.uk/search?q=erika+mustermann"&gt;Erika Mustermann&lt;/a&gt;].&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-7025890951603517448?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/7025890951603517448/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/05/spare-thought-for-elizabeth-henderson.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/7025890951603517448'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/7025890951603517448'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/05/spare-thought-for-elizabeth-henderson.html' title='Spare a thought for Elizabeth Henderson'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-5411341024470358356</id><published>2010-05-05T11:08:00.009+01:00</published><updated>2010-05-05T16:59:00.357+01:00</updated><title type='text'>The Celery-free Manifesto</title><content type='html'>I've been thinking about this whole "party manifesto" thing, and it seems to me that it's just so... well, Web 1.0. 
Basically what the parties have done is take exactly what they would have printed on paper, and put it on a website instead (in other words, the lowest 'maturity level' for online services).&lt;br /&gt;&lt;br /&gt;There are some minor tweaks, of course. The Conservatives win the prize for the most bloated online manifesto, crammed with images which add massively to the file size, but not the policy content. Labour seemed reluctant to let you get to the document itself, luring you instead towards some little video clips, like those supermarkets who tempt the short-of-attention with copies of "Oy!!" magazine in the checkout queue. At least the Lib Dems formatted their online manifesto so that it displayed in landscape format on a PC display.&lt;br /&gt;&lt;br /&gt;The manifestos obviously aren't really an attempt to set out a distinguishing political philosophy... if they were, it would be easier to get a psephologist's cigarette-paper between the main parties' poll ratings. Rather, they are a grab-bag of policy aspirations, crammed in in the hope that enough of them will hit the mark to attract your vote. That, too, is a symptom of the "Web 1.0" approach. Where parties could have been using Web 2.0 and Social Media to define policies which reflect the priorities of the electorate, they have instead seen it only in terms of getting their own messages in front of more people, through more channels.&lt;br /&gt;&lt;br /&gt;For all that the ground-breaking leadership debates raised public awareness, as an exercise in communication they were entirely, unapologetically and wastefully one-way.&lt;br /&gt;&lt;br /&gt;I went out for dinner yesterday evening, and happened to order something with a salad attached. It was a pretty good salad, as salads go; fresh, smartly dressed, and an alluring blend of the innovative and the reassuring. 
Unfortunately it was studded with crescents of celery, which I can't stand.&lt;br /&gt;&lt;br /&gt;And that's essentially how I feel about most manifestos. For all the bits I like (or at least don't mind) there's always too much celery.&lt;br /&gt;&lt;br /&gt;To get my unhesitating vote, a manifesto would need to:&lt;br /&gt;&lt;br /&gt;- Seriously question whether a UK nuclear deterrent contributes to any realistic security goal, and, bluntly, whether we can afford it. The nuclear threat from rogue states and terrorists is not effectively countered by a Cold War nuclear defence;&lt;br /&gt;&lt;br /&gt;- Break the government's insane dependence on tax revenue from destructive behaviours like consumption of alcohol, tobacco and petrol;&lt;br /&gt;&lt;br /&gt;- Be prepared to ring-fence healthcare budget for the care of an aging population... even if that means increasing individuals' responsibility for the healthcare consequences of their own lifestyle in earlier years;&lt;br /&gt;&lt;br /&gt;- Recognise that we need not just a unified transport policy, but a transport policy which is unified with a national energy strategy (and that includes, of course, things like food miles);&lt;br /&gt;&lt;br /&gt;- Scrap the plans to build two new aircraft carriers: we can't afford the ships needed to keep them safe if they were deployed; consider reducing the scale of Britain's commitment to buy Eurofighters, opening up more options for helicopter or Harrier procurement;&lt;br /&gt;&lt;br /&gt;- Re-instate tax relief on pension investment income;&lt;br /&gt;&lt;br /&gt;- Scrap ID Cards and the Identity Register; legislate for the statutory recognition of pseudonymous and anonymous online personas;&lt;br /&gt;&lt;br /&gt;- Challenge the rationale and the risk assessment for the Contact Point database;&lt;br /&gt;&lt;br /&gt;- Destroy the DNA profiles and samples of all those on the National DNA Database who have not been convicted of an offense;&lt;br /&gt;&lt;br /&gt;- Ban the 
installation of CCTV systems in public places, unless and until a costed, sustainable and accountable legislative framework can be put in place to manage their deployment;&lt;br /&gt;&lt;br /&gt;- Give a clear commitment that the UK will neither commit nor connive at torture;&lt;br /&gt;&lt;br /&gt;- Repeal the Digital Economy Act and invest the time and effort in legislation which actually addresses the future of Britain's Digital Economy;&lt;br /&gt;&lt;br /&gt;- Omit celery.&lt;br /&gt;&lt;br /&gt;You'll notice that, although none of those policy statements is explicitly economic, most of them have a clear economic dimension. Economic policy is not an end in itself; it's a tool. On a good day, Gordon Brown knows that and acts accordingly. He has not had many good days in the last 13 years.&lt;br /&gt;&lt;br /&gt;My wish-list is a very partial one, I know, and there are any number of policy areas it doesn't even touch on.  Some of the suggestions would, if the current government is to be believed, put us all at risk in one way or another. However, I am convinced that if you treat citizens with trust and dignity, they repay that faith. 
If you legislate on the basis that all citizens are venal chancers who are only looking for their next opportunity to break the law and get away with it, you breed a culture founded on mistrust and indignity.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-5411341024470358356?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/5411341024470358356/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/05/celery-free-manifesto.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/5411341024470358356'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/5411341024470358356'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/05/celery-free-manifesto.html' title='The Celery-free Manifesto'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-8067466571794110426</id><published>2010-04-30T12:33:00.004+01:00</published><updated>2010-04-30T13:10:10.080+01:00</updated><title type='text'>Learning from Legend... the System Minotaur</title><content type='html'>Personal computers used to be fairly simple things. They had a CPU which did the work, some memory for it to keep things in, and a Basic Input/Output System to let it move things around. 
Anything more than that was usually up to the capabilities of whatever application you launched from the command line.&lt;br /&gt;&lt;br /&gt;Nowadays, our PCs are complex structures, with abstract user interfaces which shield us from the underlying complexity of hundreds of concurrent and inter-related processes. Sometimes we must stray beyond the user interface, making our way - like Theseus - into the labyrinthine interior. And, like Theseus, we may well encounter a strange and fearsome beast in there... the System Minotaur. Although early PCs didn't have a System Minotaur inside them, the current Minotaurs are actually atavistic successors of those in the computers of bygone, and more hostile times.&lt;br /&gt;&lt;br /&gt;The first System Minotaur I ever encountered lurked at the heart of the IBM 4700 Finance Controller. It was a powerful and deeply unfriendly creature which responded only to arcane and complex incantations. One small mistake in these esoteric rituals, and it would - as likely as not - kill you, rip out your backbone and, in all probability, trample all over your discs. The current System Minotaurs in mazes such as Windows and Linux have, through years of selective breeding and genetic modification, been made superficially more docile. If you handle them with care and point them in the right direction, you can use them to kill other, lesser vermin in the maze. 
But be warned: it doesn't take much for the savage genes of their ancestors to surge to the surface and run amok - killing processes, crippling applications and, by all accounts, slaughtering virgins of either sex.&lt;br /&gt;&lt;br /&gt;These legends tell of the hard lessons learned by our predecessors, and we ignore them at our peril...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-8067466571794110426?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/8067466571794110426/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/04/learning-from-legend-system-minotaur.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/8067466571794110426'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/8067466571794110426'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/04/learning-from-legend-system-minotaur.html' title='Learning from Legend... 
the System Minotaur'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-2268997050964172318</id><published>2010-04-29T09:45:00.004+01:00</published><updated>2010-04-29T10:15:57.254+01:00</updated><title type='text'>Algerian concerns over biometric passports</title><content type='html'>Thanks (again) to the LSE's Aaron Martin for spotting &lt;a href="http://www.jeuneafrique.com/Article/ARTJAJA2571p043.xml0/passeport-numerique-quand-le-hidjab-voile-le-debathtml?utm_source=twitterfeed&amp;amp;utm_medium=twitter"&gt;this article&lt;/a&gt; about reactions to the introduction of biometric passports in Algeria. I wanted to reproduce and translate a paragraph from the conclusion, because what the author argues is this: what has tended to grab the Algerian headlines about the biometric passport programme is the backlash from those who say it offends their religious sensibilities. Specifically, they object to the fact that women will have to remove their veil to be photographed and subsequently authenticated - exposing their face and ears. Men also object to the fact that ICAO specifications do not permit photographs in which the subject's beard extends beyond the lower border of the photo (the author refers in particular to the long beards affected by 'hundreds of thousands' of Salafi adherents - a sect of Sunni muslims).&lt;br /&gt;&lt;br /&gt;However, says Cherif Ouazani, this pre-occupation with beards and veils is obscuring the real issue, which is the assault on privacy. 
He goes on to describe the requirements imposed on passport applicants at the time of registration:&lt;br /&gt;&lt;br /&gt;"In addition to photos and digital fingerprints, the application includes a birth certificate with the barbaric designation "12 S", signed by the mayor, and a duly completed 12-page form. School and university career must be documented, and one must give the names, addresses and telephone number or email address of three classmates. Men must provide information about their national service with, there too, names and contact details of three former comrades from their unit. On top of that, when submitting the application, the applicant must be accompanied by a "co-respondant" attesting to the truthfulness of the information presented."&lt;br /&gt;&lt;br /&gt;Here's the original text:&lt;br /&gt;&lt;br /&gt;"Le dossier du requérant comprend en effet, outre les photos et la prise d’empreintes digitales, un acte de naissance à la dénomination barbare, « 12 S », signé par le maire et un formulaire de douze pages dûment rempli. Le cursus scolaire et universitaire doit être détaillé, et l’on doit donner les noms de trois camarades de classe, leur adresse, leur numéro de téléphone ou leur e-mail. Pour les hommes, des informations sur le service national sont requises, avec, là aussi, une référence à trois anciens camarades du contingent, avec leurs coordonnées. En sus, au moment d’effectuer ces démarches, le demandeur devra être accompagné d’un « répondant », attestant de la véracité des informations données."&lt;br /&gt;&lt;br /&gt;What I find interesting are the multiple respects in which the ICAO requirements, the practicalities and the Algerian cultural context all clash. For pragmatic and (principally) airline security reasons, the ICAO requirements are drafted without regard for cultural or gender nuances. ICAO don't care what the social position of women is, or who does or doesn't have a military national service requirement... 
and yet in the implementation, those factors result in gender-based differences in the levels of proof required, and the intrusion into the privacy of third parties.&lt;br /&gt;&lt;br /&gt;In theory, in the UK, the deployment of biometric passports would be subject to a Privacy Impact Assessment, which in turn would - in this instance - presumably at least raise questions of gender/religious discrimination, even if it didn't resolve them. That's what I'd like to imagine, anyway. But then, as you know, I am an incurable optimist.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-2268997050964172318?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/2268997050964172318/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/04/algerian-concerns-over-biometric.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2268997050964172318'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2268997050964172318'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/04/algerian-concerns-over-biometric.html' title='Algerian concerns over biometric passports'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-2115719823813871235</id><published>2010-04-28T19:10:00.003+01:00</published><updated>2010-04-28T19:26:52.211+01:00</updated><title type='text'>Reality checking the reality check...</title><content type='html'>Many thanks to Aaron Martin of the London School of Economics (LSE), for pointing me to the BBC site, where Daniel Sandford (Home Affairs Correspondent) offers a "&lt;a href="http://news.bbc.co.uk/1/hi/uk_politics/election_2010/parties_and_issues/8649321.stm"&gt;Reality Check&lt;/a&gt;" on Labour and Conservative approaches to CCTV surveillance and DNA retention. Unfortunately, the section on DNA retention is rather undermined by the strange decision to omit any mention of the European Court of Human Rights (ECHR) ruling in the case of UK vs S and Marper.&lt;br /&gt;&lt;br /&gt;Whatever the preferences of the police and the political parties, they will have to be tempered by the fact that the present government has already suffered a damning and unanimous defeat in the European Court of Human Rights over its DNA retention policy.&lt;br /&gt;&lt;br /&gt;That judgement - handed down in November 2008, by the way - criticised the 'blanket' and 'disproportionate' nature of the government's actions in forthright language. A year later, in November 2009, the government's position still had not shifted enough to convince the ECHR that it was compliant. Arguably, even now, the government has yet to comply with the ruling - we just haven't had any test cases to see whether the ECHR agrees. 
Yet.&lt;br /&gt;&lt;br /&gt;For background, if you're interested, here is a link to my analysis of how things stood in &lt;a href="http://futureidentity.blogspot.com/2009/11/uk-dna-policy-still-fails.html"&gt;November 2009&lt;/a&gt;, and then in &lt;a href="http://futureidentity.blogspot.com/2009/12/uk-dna-retention-policy.html"&gt;December&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-2115719823813871235?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/2115719823813871235/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/04/reality-checking-reality-check.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2115719823813871235'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2115719823813871235'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/04/reality-checking-reality-check.html' title='Reality checking the reality check...'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-4381289866680931502</id><published>2010-04-28T11:09:00.006+01:00</published><updated>2010-04-28T13:06:02.525+01:00</updated><title type='text'>Shame on you, Mr Home Secretary</title><content type='html'>The current Home Secretary, Alan Johnson, has used a pre-election &lt;a 
href="http://news.bbc.co.uk/1/hi/uk_politics/election_2010/8648357.stm"&gt;press conference&lt;/a&gt; to promote the use of CCTV for law enforcement, accompanied by Katie Piper, who was the victim of an acid-throwing attack. Based on the BBC report, the implication is that CCTV played a part in the arrest of her attackers - though this is not explicitly stated. Nor does the article mention the conspiracy between Katie Piper's violent boyfriend and the accomplice who threw the acid (in other words, the attack was instigated by someone already known to, and close to Katie Piper).&lt;br /&gt;&lt;br /&gt;Her story is tragic, and the violent assaults on her despicable and repellent. I have deep sympathy for her, and huge admiration for the courage and determination with which she has rebuilt her life and established a charity to help victims of disfiguring injuries. I cannot blame her for wanting to publicise her perspective on CCTV.&lt;br /&gt;&lt;br /&gt;That said, there are things about this press conference which make me profoundly uneasy. Clearly, it would be wrong to say that the Home Secretary is exploiting Ms Piper. She has her own clear agenda, and is obviously confident in expressing her independent view - and all credit to her for doing so.&lt;br /&gt;&lt;br /&gt;I think my unease is more about the use the Home Secretary is making of Ms Piper's case. First, as I say, the strong implication is that the criminals were caught and identified because of CCTV footage. 
The account and images reproduced in &lt;a href="http://www.dailymail.co.uk/femail/article-1221077/Katie-Piper-Acid-attack-victim-bravely-shows-face-disfigured-boyfriend-Daniel-Lynch.html"&gt;this article&lt;/a&gt;, though, suggest that CCTV can have been, at best, an incidental part of the evidence leading to the identification of the acid-thrower; there is no mention of Ms Piper's boyfriend himself appearing on CCTV footage at all - because according to her testimony, he telephoned her to ask what she was wearing, so that he could pass that information on to his accomplice to identify her.&lt;br /&gt;&lt;br /&gt;In other words, the link between the attacker and the boyfriend is most likely to have been established by police investigation, not through CCTV evidence.&lt;br /&gt;&lt;br /&gt;The Home Secretary also weaves a bizarre path between claiming that Britain is getting safer and safer, and warning that unless CCTV is spread still further, we are all at risk, by implication, of having acid thrown at us. 
The Conservatives, he says, are guilty of a 'fundamental deceit' in claiming that Britain is 'broken', and David Cameron is wrong to use 'a series of tragic incidents to try and paint the worst possible picture of our society'.&lt;br /&gt;&lt;br /&gt;Forgive me if I'm misunderstanding this, Mr Johnson, but aren't you using a tragic incident to try and convince us that the future of our society depends on ubiquitous CCTV coverage, in the face of factual evidence from the  &lt;a href="http://www.telegraph.co.uk/news/uknews/crime/6867008/Number-of-crimes-caught-on-CCTV-falls-by-70-per-cent-Metropolitan-Police-admits.html"&gt;Metropolitan Police&lt;/a&gt; and the &lt;a href="http://www.guardian.co.uk/uk/2009/may/18/cctv-crime-police"&gt;Home Office itself&lt;/a&gt; that its effectiveness has decreased even with increased deployment?&lt;br /&gt;&lt;br /&gt;It is also, I think, deeply regrettable that Ms Price, either of her own will or prompted by the Labour PR team, resorted to the "nothing to hide, nothing to fear" argument. As I say, I have no right - or wish - to question her motivation for doing so, but I feel entitled to question the Home Secretary's right to legislate on that basis - and here's the logic for doing so:&lt;br /&gt;&lt;br /&gt;More cameras mean more information, about more citizens, being viewed by more watchers. If that is not the case, the cameras are pointless and, arguably, &lt;a href="http://www.bigbrotherwatch.org.uk/home/2010/02/southwark-in-cctv-confession.html"&gt;illegal&lt;/a&gt;. If it &lt;span style="font-style: italic;"&gt;is&lt;/span&gt; the case, it increases the probability of CCTV data being inappropriately used - in some cases, to enable or commit crime rather than prevent it. As for "nothing to hide", think of this: is it a matter of public record when you are in your house and when you are not? 
Can you think of any circumstances under which that information might put you or your property at risk?&lt;br /&gt;&lt;br /&gt;It is disingenuous of the Home Secretary to formulate the policy argument with no reference to this risk and others like it. It is dangerous for him to formulate policy on the basis that CCTV can be deployed without corresponding spending on governance measures - at a time when we know we face spending cuts which will cut exactly that kind of job.&lt;br /&gt;&lt;br /&gt;The Home Secretary proposes that people should be allowed to petition for the installation of more CCTV cameras. It's tempting to write that off as a piece of pre-election headline-grabbing - but that would be irresponsible.&lt;br /&gt;&lt;br /&gt;If Mr Johnson is serious, the serious response is this:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;any measure allowing such petitions should be balanced by legal requirements to define and cost the governance regime which will apply to the installation over its lifetime;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;it should explain how the data captured will be managed under applicable data protection and human rights law, and who will meet the costs of doing so over the lifespan of the &lt;span style="font-style: italic;"&gt;data&lt;/span&gt; [NB - not just the lifespan of the camera installation];&lt;br /&gt;&lt;/li&gt;&lt;li&gt;it should mandate the labelling of all CCTV installations (whether privately or publicly operated) with the purpose of the system, and the identity and contact details of the operator;&lt;/li&gt;&lt;li&gt;it should explain what regulatory body is responsible for regulating CCTV data collection, retention, disclosure and deletion;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;it should explain what regulatory body would be responsible for identifying and shutting down 'orphan' CCTV installations;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;and it should establish a corresponding right for citizens to petition for the removal of CCTV 
systems.&lt;/li&gt;&lt;/ul&gt;If he is serious, he should explain why the UK has no legal framework for the governance of CCTV installations, just an unenforced and widely-ignored code of conduct.&lt;br /&gt;&lt;br /&gt;I should stress - I'm not inventing anything new here; others, including &lt;a href="http://www.richardskingdom.net/cctv-has-almost-no-impact-on-crime-says-home-office-report"&gt;graphiclunarkid&lt;/a&gt; and &lt;a href="http://p10.hostingprod.com/@spyblog.org.uk/blog/2008/05/the-telegraph-tories-pledge-to-curb-use-of-cctv-cameras-about-time.html"&gt;SpyBlog&lt;/a&gt; have written excellent pieces on what is wrong with UK CCTV and what could be done to improve matters. Indeed, given that some of their advice is two years old now, it is depressing that the Home Secretary has disregarded it in favour of a superficial pre-election PR gesture.&lt;br /&gt;&lt;br /&gt;Allowing the proliferation of unregulated cameras is cheap and easy - especially if you are not concerned about increased risk and lack of effectiveness. If the Home Secretary were serious, he would ban the further deployment of CCTV until there is a governance regime in place which makes it safe and effective. 
The problem is, he could not afford such a regime even if it existed.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-4381289866680931502?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/4381289866680931502/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/04/shame-on-you-mr-home-secretary.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4381289866680931502'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4381289866680931502'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/04/shame-on-you-mr-home-secretary.html' title='Shame on you, Mr Home Secretary'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-7210477926366076615</id><published>2010-04-08T21:04:00.003+01:00</published><updated>2010-04-09T00:04:09.981+01:00</updated><title type='text'>Putting the DE Bill in perspective</title><content type='html'>It's tempting, particularly as a subject matter expert, to take parliamentary reverses personally.&lt;br /&gt;&lt;br /&gt;The recent "wash-up" treatment of the Digital Economy Bill attracted the attention of geeks and techies like few parliamentary issues I can remember, with 20,000 people reportedly writing to their MPs to object; a world-wide "trending topic" on Twitter 
(#DEBill); uncounted people watching the "debate" on TV or live via the web; and so on.&lt;br /&gt;&lt;br /&gt;Many of those people remarked that it was the first time they had paid such close attention to the passage of a Bill through our legislature - and many also remarked that those debutants will have been dismayed and discouraged by what they saw. Just to recap:&lt;br /&gt;&lt;br /&gt;- the sponsor of this Bill, Lord Mandelson, is an unelected participant in our government - promoted to a peerage so that he could be given a place in Gordon Brown's cabinet;&lt;br /&gt;&lt;br /&gt;- the Bill itself, regardless of party political affiliations, is widely acknowledged to be complex and far-reaching... attempting to address a swathe of unrelated issues including broadband coverage, regional news broadcasts, radio frequency allocation, the statutory role of Channel 4 (!), copyright, and illegal file-sharing;&lt;br /&gt;&lt;br /&gt;- ordinarily, a Bill of this scope would expect to go through 3-4 weeks of line-by-line examination in the Commons Committee Stage. This Bill did not (the Committee Stage was compressed to a couple of hours as part of the "wash-up");&lt;br /&gt;&lt;br /&gt;- The "wash-up" itself meant that the Government's business managers deliberately put into the 'fast-track, compromise process' a Bill which they knew was too large, complex and contentious to receive adequate consideration;&lt;br /&gt;&lt;br /&gt;- like few issues to date (but more and more in future, I suspect) it brings public policy-making increasingly close to technology specifics. Too close, one suspects, for the MP who apparently thinks that the "IP" in "IP Address" stands for Intellectual Property.  (Stop sniggering at the back... 
and no, it doesn't stand for Intellectual Pygmy either, Molesworth);&lt;br /&gt;&lt;br /&gt;- and those tuning in to watch the proceedings will instantly have been struck by the pathetically insignificant percentage of MPs who even attended, let alone contributed to the debate. When the electorate is constantly blamed for failure to engage with the political process, or turn out to vote, the sight of a 6% turn-out by our elected law-makers sets a poor example as few other things could.&lt;br /&gt;&lt;br /&gt;As will be clear by now, there is ample material for anyone who wants to show what a dismal farce our parliamentary process can be. For those of us who live in the digital domain, it is depressing and de-motivating to see our pet subject treated so shabbily.&lt;br /&gt;&lt;br /&gt;And yet...&lt;br /&gt;&lt;br /&gt;And yet... just because it is our pet subject, we should do what we can to keep this in perspective. For instance, even in the relatively short time I have been interested in the public policy dimensions of IT (or indeed any other topic), there are other examples I can point to which aroused exactly the same feelings of outrage, powerlessness and depression. In the spirit of helping us all come to terms with the DEBill fiasco, here are a few of them:&lt;br /&gt;&lt;br /&gt;(1) Pride of place must surely go to the ID Cards Bill; how many pieces of legislation lead the Home Secretary to launch personal attacks on individual academics from the safety of their ministerial and parliamentary position? The unspeakable in defence of the indefensible. But the Government's obduracy on ID Cards persists even to the 2010 budget: they would sooner cut the budgets for education, healthcare and law enforcement than the ID Card scheme.&lt;br /&gt;&lt;br /&gt;(2) 90-day detention without trial; defeated by a single vote in the House of Commons on 9/11 (that's November the 9th... 2005 - and incidentally, Mr Blair's first Commons defeat). 
This, despite [the then perennial Chancellor] Gordon Brown having been recalled from the tarmac at Ben Gurion so that he could vote, rather than mediate between Ariel Sharon and Mahmoud Abbas. What far-sighted and statesmanlike prioritisation.&lt;br /&gt;&lt;br /&gt;(3) exemption of MPs' expenses and correspondence from the Freedom of Information Act; David Maclean's contemptible bid to ensure that MPs not only set and vote on their own remuneration, but that the results should be beyond scrutiny.&lt;br /&gt;&lt;br /&gt;(4) the Audit Commission's blanket discriminatory treatment of local government employees' payroll data and banking details; using the "National Fraud Initiative" legislation to compel local authorities (but not other public sector bodies such as central government departments, teachers, healthcare workers or forces personnel) to disclose the banking details of their employees - whether or not that included joint bank accounts.&lt;br /&gt;&lt;br /&gt;(5) the egregious National DNA Database, which continues to be stocked in contravention to a damning and unanimous ECHR ruling that it "overstepped any acceptable margin" of proportionality. By the way, the ECHR is due to have reviewed, in March, the Government's progress towards compliance with the ruling. I wonder what they will have made of the current Home Secretary's decision to make DNA retention an election issue.&lt;br /&gt;&lt;br /&gt;Oh, the list could go on and on. And to accusations of political partiality I will say only this:&lt;br /&gt;&lt;br /&gt;I've only ever blogged under a Labour government. If a non-Labour government fails to provide just as much blog-fodder, I will supplement that dwindling diet with my hat.&lt;br /&gt;&lt;br /&gt;So, the DEBill is a child of many parents, none of them loving. 
Its offspring, the DEAct, is an orphan work which will mate (unnaturally, of course, for it is an unnatural Act) with the next government and give birth to many more little mutant offspring, many of them midwived by the law courts, and each as misconceived and grotesque as the next.&lt;br /&gt;&lt;br /&gt;Probably not even their own progenitor, Lord Mandelson, could love them.&lt;br /&gt;&lt;br /&gt;But we shall, because, hideous as they will all undoubtedly be, each one will remind us that we told them the Bill was flawed, badly drafted and unworkable, and we will feel vindicated.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-7210477926366076615?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/7210477926366076615/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/04/putting-de-bill-in-perspective.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/7210477926366076615'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/7210477926366076615'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/04/putting-de-bill-in-perspective.html' title='Putting the DE Bill in perspective'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-997974357452886284</id><published>2010-04-07T12:04:00.004+01:00</published><updated>2010-04-07T12:44:53.164+01:00</updated><title type='text'>Why they say "No" and vote "Yes"</title><content type='html'>Thanks to all on &lt;a href="http://www.twitter.com/futureidentity"&gt;Twitter&lt;/a&gt; who ReTweeted the link to the previous post - much appreciated! A couple of people have asked why an MP would speak opposing the Bill and then vote for it... There are as many answers to that question as there are voting MPs (especially on yesterday's dismal attendance), and they vary depending on how cynical you want to get - but at the heart of it are these two principles:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Parliamentary (and legislative) procedure is a game. It's a process with rules.&lt;/li&gt;&lt;li&gt;As @iglazer so pithily put it recently: "in any game, gaming the rules is one of the rules of the game".&lt;/li&gt;&lt;/ol&gt;Voting for something you apparently oppose, at its second reading, may look irrational to us, but then, so might a chess player who sacrifices a piece early in the game; they may know something we don't about the subsequent moves.&lt;br /&gt;&lt;br /&gt;To take the analogy a little further: in the parliamentary chess-game, we are pawns (if that). That may be an uncomfortable idea, but think of it like this: have you ever written to your MP? The vast majority of people have not. If you have, have you written more than once? Still fewer voters have written to their MP on more than one issue.&lt;br /&gt;&lt;br /&gt;In other words, to MPs, the vast majority of constituents are either completely silent (off the board) or 'single-issue lobbyists' (pawns, with only one move). [Oh boy, this analogy is getting scary: how do pawns make a difference? 
Either by acting in concert with each other, or by making that long and risky journey to the other side of the board and getting elected. Sorry, promoted.]&lt;br /&gt;&lt;br /&gt;Anyway, back to the rules. An MP like Austin Mitchell can honestly say that he stood up in the house, made his own objections clear, and represented the views of those of his constituents who wrote to him. Knowing that Labour have an over-all majority, and that the party whips had made it clear members were expected to support their party's policy, he can then also say that a single rebellious vote would not make any difference to the Bill's passage.&lt;br /&gt;&lt;br /&gt;While their constituents are 'single-issue lobbyists', MPs have to live with their whips throughout their career - and deal with them on every issue, not just one. If you are of the philosophy that "it's the squeaky wheel that gets oiled", that may be a good thing. If your view is that "the nail which stands out gets hammered in", it is less appealing. (By all accounts, Mr Mitchell is a serial nail, by the way - and much respect to him for it. I would say "more power to him" - but that's not how it works).&lt;br /&gt;&lt;br /&gt;When I said above that "a single rebellious vote wouldn't make any difference to the Bill's passage", I chose my words carefully. In particular, I didn't say that it would make no difference to the Bill's contents. There is clearly a delicate line to tread, particularly in the early readings of a Bill, between obdurate opposition and careful negotiation.&lt;br /&gt;&lt;br /&gt;By expressing strong reservations about some clauses, but agreeing to the over-all tenor of the Bill, some MPs will clearly be hoping to get concessions on some of the specifics. As one insider put it to me: "There is horse-trading, but very little and generally around fine detail". 
Again, the government's over-all majority simply means that, by the rules of the game, there is minimal chance of overturning the legislation as a whole. Those MPs who can be bothered can at most hope to press for some deferrals or qualifications.&lt;br /&gt;&lt;br /&gt;Regrettably, most of them are already captivated by the new shiny thing (an election campaign) or slinking away from the old, tarnished thing (a bankrupt government, presiding over a discredited parliament).&lt;br /&gt;&lt;br /&gt;I've quoted this before (&lt;a href="http://en.wikiquote.org/wiki/Talk:Otto_von_Bismarck"&gt;Otto von Bismarck, disputedly&lt;/a&gt;), but it doesn't get any less apposite:&lt;br /&gt;&lt;blockquote&gt;„Je weniger die Leute wissen, wie Würste und Gesetze gemacht werden, desto besser schlafen sie!“&lt;br /&gt;&lt;/blockquote&gt;&lt;blockquote&gt;"The less people know about how sausages and laws are made, the better they sleep".&lt;br /&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-997974357452886284?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/997974357452886284/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/04/why-they-say-no-and-vote-yes.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/997974357452886284'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/997974357452886284'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/04/why-they-say-no-and-vote-yes.html' title='Why they say &quot;No&quot; and vote &quot;Yes&quot;'/><author><name>Robin 
Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-4011142165919855663</id><published>2010-04-07T10:01:00.004+01:00</published><updated>2010-04-07T11:22:27.317+01:00</updated><title type='text'>Yesterday in Parliament</title><content type='html'>Apologies to BBC Radio 4 for plagiarising what is probably their copyright programme title. Still, it seems &lt;a href="http://www.timesonline.co.uk/tol/news/politics/article7087675.ece"&gt;everyone is at it these days&lt;/a&gt;, so if the BBC does decide to get litigious, there are bigger targets ahead of me in the queue - notably Lord Mandelson himself, sponsor of the Digital Economy Bill.&lt;br /&gt;&lt;br /&gt;We have all grown used to politicians bemoaning the lack of public engagement with politics, and asking why so few people - especially "the young" - see voting as a vital civic duty. Indeed, from 1955 to 1992, &lt;a href="http://www.ukpolitical.info/Turnout45.htm"&gt;UK voter turn-out at General Elections&lt;/a&gt; oscillated in a fairly narrow band between about 72% and 78%. In 1992 it was 77.7%; in 1997, 71.4%; then in 2002 it fell to 59.4% and in 2005 it stayed at 61.4%. In the context of the previous half-century, electoral participation fell off a cliff.&lt;br /&gt;&lt;br /&gt;61.4% voter turn-out may or may not seem like a lot, but it comfortably outstrips MPs' participation in yesterday's proceedings. Out of 646 MPs, &lt;a href="http://debillitated.heroku.com/"&gt;about 40 turned up&lt;/a&gt;: that's 6.2%.&lt;br /&gt;&lt;br /&gt;A small handful of MPs both made sense and expressed their (and voters') opposition to the Bill - notably Austin Mitchell, Tom Watson and John Redwood. 
John Grogan was widely cited on Twitter for pointing out the dubious circumstances under which established media industries gained access to Lord Mandelson in the run-up to the Bill's submission.&lt;br /&gt;&lt;br /&gt;Still more MPs condemned the way in which the Bill (a far-reaching, complex and controversial piece of legislation by any standards) has been rushed through the parliamentary process - describing it as 'a shameful piece of rail-roading', 'squalid collusion between the three front benches', 'a disgrace'. One MP - otherwise a vociferous supporter of the Bill - said they had been "thoroughly let down by the Government's business managers".&lt;br /&gt;&lt;br /&gt;For more detailed analysis and reaction, see this commendable post by internet law specialist &lt;a href="http://blogscript.blogspot.com/2010/04/deb-2nd-reading-hc-few-musings-on-party.html"&gt;Lilian Edwards&lt;/a&gt; and this fulminating open letter by web developer &lt;a href="http://nevali.net/post/501647501/an-open-letter-to-sion-simon-pete-wishart-david"&gt;Mo McRoberts&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;On the face of it, then, objectors to the Bill seem to have got their point across - if only to a few MPs. I know, too, that there were people following yesterday's debate who have never done so before - on television, over the internet, via Twitter and so on. So much the better, you might think, for that elusive 'voter engagement'.&lt;br /&gt;&lt;br /&gt;Regrettably, yesterday's debate cast our parliamentary process in the worst possible light. The sight of that almost empty chamber makes an instant and damaging impression. The incoherent ramblings of several of the contributors, interrupted by mostly pointless (or worse, point-scoring) demands for the speaker to "give way" don't help. The pinnacle of debate was reached, it seemed to me, by the softly-spoken Derek Wyatt (Lab - Sittingbourne). "The DEBill is not perfect", he said, "but I think we should give it a try". 
What kind of a basis is that for legislation, for goodness' sake? I wonder if he would say the same thing about mephedrone.&lt;br /&gt;&lt;br /&gt;By far the most damaging aspect, though, is this:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Out of 646 MPs, a scant three dozen turned up;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Of those, about a dozen made substantive speeches - most just sat there;&lt;/li&gt;&lt;li&gt;Of those who spoke, some criticised the substance of the Bill, but even those in favour of it frequently condemned the way in which it has been shoved through Parliament...&lt;/li&gt;&lt;/ul&gt;and yet all of them, without exception, voted it through its second reading.&lt;br /&gt;&lt;br /&gt;There we have it. Members of all three parties expressed opposition to at least some parts of the Bill, and objected to the abuse of process which will see it evade proper scrutiny, debate and revision.&lt;br /&gt;&lt;br /&gt;But they still voted in favour - and to most of those watching (especially if it's for the first time) that is utterly incomprehensible.&lt;br /&gt;&lt;br /&gt;This will affect "voter engagement", without a doubt - but just like the DEBill itself, the consequences are entirely unpredictable. Judging by the Twitter traffic, a lot of people were simply angered enough to vote against the Bill's proponents, regardless of political affiliation.&lt;br /&gt;&lt;br /&gt;Many, though, will simply shrug their shoulders and turn away in disgust, wondering why they bothered to take an interest. The opposite of love is not hate, I was once told. 
It is indifference.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-4011142165919855663?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/4011142165919855663/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/04/yesterday-in-parliament.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4011142165919855663'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4011142165919855663'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/04/yesterday-in-parliament.html' title='Yesterday in Parliament'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-1923861114925715164</id><published>2010-03-31T13:49:00.003+01:00</published><updated>2010-03-31T15:21:43.051+01:00</updated><title type='text'>The DEBill and why it should go.</title><content type='html'>Lilian Edwards (well, her Pangloss persona, anyway) offers another characteristically trenchant analysis &lt;a href="http://blogscript.blogspot.com/2010/03/clause-18-deb-redux.html"&gt;here&lt;/a&gt; of the shocking mess that is the Digital Economy Bill. 
The DEBill* appears to be yet another in the growing list of legislative measures in which the Bill is drafted so as to confer disproportionate powers, while we are assured by the sponsoring Minister‡ that they will either never be used, or be used only for good.&lt;br /&gt;&lt;br /&gt;Unfortunately both principle and practice tell us that that is simply not believable. Principle, because if the intent of the law is not clear in the legislation itself (but must be set out in some other entirely non-statutory document, such as an "open letter" from the Minister) the legislation is clearly deficient; and practice, because we have ample evidence that such assurances are seldom worth the open letter they are printed on. Once the Bill is enacted, the powers it confers will be used, whether or not their use is appropriate, proportionate, or even - in some cases - unlawful under other supervening provisions such as the Human Rights Act. It's as simple as that.&lt;br /&gt;&lt;br /&gt;Think, for instance, of the use of powers granted under the Terrorism Act to protect Jack Straw from being &lt;a href="http://news.bbc.co.uk/2/hi/4291388.stm"&gt;heckled by an 82-year-old pacifist&lt;/a&gt;...&lt;br /&gt;&lt;br /&gt;Or the many documented instances of the inappropriate use of RIPA (Regulation of Investigatory Powers Act) to gather evidence of, say, fly-tipping or dogs pooing on the pavement...&lt;br /&gt;&lt;br /&gt;Or the &lt;a href="http://www.guardian.co.uk/politics/2006/apr/12/iraq.iraq"&gt;officious use of SOCPA&lt;/a&gt; (Serious Organised Crime [sic] and Police Act) to arrest a lone man for reading out a list of Iraq war fatalities in front of the Cenotaph without police permission...&lt;br /&gt;&lt;br /&gt;Or the pre-emptive (and presumptive) &lt;a href="http://www.timesonline.co.uk/tol/news/politics/article753831.ece"&gt;detention of people&lt;/a&gt; based on what they &lt;span style="font-style: italic;"&gt;might&lt;/span&gt; do, not on what they are doing or have 
done...&lt;br /&gt;&lt;br /&gt;... and so on, and on, and on.&lt;br /&gt;&lt;br /&gt;The DEBill is wrong on almost every level.&lt;br /&gt;&lt;br /&gt;It contains measures which actively inhibit or damage the prospects of a viable digital economy, while failing to legislate in areas which might contribute to one: for example, it will actively discourage the provision of internet access in places like libraries, schools and universities, but it has absolutely nothing to say on the topic of, say, a smart grid for consumer energy usage.&lt;br /&gt;&lt;br /&gt;It enshrines measures which undermine or over-ride due process. For instance, it will allow commercial companies to force the disconnection of households, businesses and other organisations without going to court, and regardless of who (if anyone) within those households, businesses or organisations has or has not committed what the DEBill defines as an offence. In my case, for example, that could mean that I was cut off from my ability to earn a living because of untested and unproven allegations - against someone else - by a third party.&lt;br /&gt;&lt;br /&gt;It actively discriminates against, for instance, individuals who upload photographs to sharing sites such as Flickr - making it possible for &lt;a href="http://www.stop43.org.uk/pages/read_more.html"&gt;third parties to exploit such materials&lt;/a&gt; &lt;span style="font-style: italic;"&gt;on payment of a fee to the UK government&lt;/span&gt;. Not only is this manifestly unfair, it reflects a fundamental misunderstanding of how the internet works... let me take a moment to explain why I say that.&lt;br /&gt;&lt;br /&gt;I want to upload photos to Flickr so that others can see them, but I don't necessarily want to publish my identity along with the photos... so I have a pseudonymous account. Flickr has my true details, of course, but there is no reason for those to appear alongside my photos. 
If I use Flickr's Creative Commons options to specify, for instance, that my photos may not be re-used in any way, that ought to be as far as I need to go. There is no need for a third party to establish who I am, because I have made clear my preference for my photos not to be re-used.&lt;br /&gt;&lt;br /&gt;However, the DEBill, as drafted, would entitle such a third party to claim that my photos were orphan works (because the "copyright holder" could not be identified). That third party could then apply for permission to exploit my photographs - not to me, but to the government. The fee for that permission would go, not to me, but to the government. Anyone see an issue with this? Thought not.&lt;br /&gt;&lt;br /&gt;The DEBill is wrong at the meta-level, too. Not only does the Bill itself enshrine evasions of due process (as described above), it is also about to be pushed through Parliament without debate, as part of the inappropriately-named "wash-up" process in the closing days of the legislative session.&lt;br /&gt;&lt;br /&gt;On April 6th, the Bill will be given its second reading and then become a bargaining chip in an unaccountable and undemocratic haggling session amongst MPs whose chances of forming part of the next legislature are entirely uncertain.&lt;br /&gt;&lt;br /&gt;I urge you to &lt;a href="http://www.theyworkforyou.com/"&gt;let your MP know&lt;/a&gt; that you object to the Bill and its passage through Parliament.&lt;br /&gt;&lt;br /&gt;  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;* And as I have noted on &lt;a href="http://twitter.com/futureidentity"&gt;Twitter&lt;/a&gt;, that name must have our Francophone colleagues rolling in the aisles... 
"débile" being French slang for "nuts/crazy/daft"...&lt;br /&gt;&lt;br /&gt;‡In this case, reassuringly, that is Lord Mandelson, Baron of Foy in the County of Herefordshire and of Hartlepool in the County of Durham; First Secretary of State; Secretary of State for Business, Innovation and Skills; President of the Board of Trade; Lord President of the Council.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-1923861114925715164?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/1923861114925715164/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/03/debill-and-why-it-should-go.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1923861114925715164'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1923861114925715164'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/03/debill-and-why-it-should-go.html' title='The DEBill and why it should go.'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-2566581041027101907</id><published>2010-03-29T17:40:00.003+01:00</published><updated>2010-03-30T09:44:54.189+01:00</updated><title type='text'>Adonis: children must go through 'naked' scanners</title><content type='html'>Transport secretary Lord Adonis is quoted as saying that exempting children from 
the 'naked' scanners at airports would risk undermining the security measures.&lt;br /&gt;&lt;br /&gt;I have a number of issues with that assertion.&lt;br /&gt;&lt;br /&gt;One is to wonder, in passing, why a decision of that nature (which seems to me to be far more about social ethics than about transportation) should fall to the transport secretary.&lt;br /&gt;&lt;br /&gt;The other, contrary to what you might expect, is not about whether capturing such images of children is in itself appropriate. Rather, I question the longer-term effects of adopting this approach.&lt;br /&gt;&lt;br /&gt;Once, as a child, I was on a flight from the UK to the Middle East when it made an unexpected landing at a major European airport because of a technical fault. While the airline investigated what the problem was and how to fix it, we were all transferred off the plane and into a transit lounge. At no stage was there any suggestion that we would be allowed anywhere other than the transit areas of the terminal. Despite that, I was given a full and thorough pat-down by a security officer on reaching the building from the plane. At the time, I was irritated - it seemed to me to be an unnecessary and entirely gratuitous measure.&lt;br /&gt;&lt;br /&gt;As you can tell, it stuck in my mind. Over time, my feeling of irritation has been replaced by one of wondering why on earth I was singled out, and whether there was some motivation other than security. That's not a pleasant feeling, even in retrospect, but it does highlight, for me, one foreseeable but probably unintended consequence of the 'naked scanner' policy.&lt;br /&gt;&lt;br /&gt;At least, in my case, there was something which served to remind me that something untoward might, conceivably, have happened. 
In the current context, we will be educating a cohort of children to submit themselves to potentially intrusive and inappropriate procedures which - to all intents and purposes - "don't happen"; a four-year-old child, say, will simply think they have been told to stand in a small room for a moment.&lt;br /&gt;&lt;br /&gt;Then again, to pre-empt the likely comment from Richard Veryard - maybe that is the purpose of the system (POSIWID).</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/2566581041027101907/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/03/adonis-children-must-go-through-naked.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2566581041027101907'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2566581041027101907'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/03/adonis-children-must-go-through-naked.html' title='Adonis: children must go through &apos;naked&apos; scanners'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-7984597117924275059</id><published>2010-03-15T15:37:00.004Z</published><updated>2010-03-16T11:11:24.064Z</updated><title type='text'>Twitter niceties</title><content type='html'>I 
noticed some Twitter correspondents prefixing their messages with ".@username" rather than plain "@username", and having been unable to find an explanation online anywhere, did the sensible thing and asked via Twitter...&lt;br /&gt;&lt;br /&gt;I got several responses, which mostly tallied with each other (!), and with any luck I have worked out what the deal is. The only clear way I could think of to express it was (and Eve will be so happy)... a Venn diagram. Here you go.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ZAC5dVE19pQ/S55U7658LGI/AAAAAAAAACE/DAYHdW0VA-I/s1600-h/twitter-venn.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 385px;" src="http://4.bp.blogspot.com/_ZAC5dVE19pQ/S55U7658LGI/AAAAAAAAACE/DAYHdW0VA-I/s400/twitter-venn.jpg" alt="" id="BLOGGER_PHOTO_ID_5448885987566169186" border="0" /&gt;&lt;/a&gt;So - if I have got it right:&lt;br /&gt;&lt;br /&gt;D username: visible only to the sender and recipient;&lt;br /&gt;.@username: visible to the sender, sender's followers and the recipient;&lt;br /&gt;@username: visible to the sender, recipient, and the intersection of their followers.&lt;br /&gt;&lt;br /&gt;[Post updated, 16/3/2010]&lt;br /&gt;&lt;br /&gt;A further note: as usefully pointed out by NishantK (see comments below), unless you have set your twitter stream to be private and non-searchable, of the three types of message above, &lt;span style="font-style: italic;"&gt;only&lt;/span&gt; D(irect) messages do not appear in your profile page and search results.&lt;br /&gt;&lt;br /&gt;In general, I still have two issues with this at the design level:&lt;br /&gt;&lt;br /&gt;1 - When a humble full stop can make such a subtle syntactical difference, is it any wonder we find it hard to grasp how to manage our online personas effectively?&lt;br /&gt;&lt;br /&gt;2 - I started out by being 
frustrated at why searching for ".@" didn't produce any useful help with definitions; I graduated to exasperation when I learned that the "." is actually arbitrary, and any other character would have the same effect. Is it just me, or is that really daft? It means there is, essentially, &lt;span style="font-style: italic;"&gt;no&lt;/span&gt; practical way either to index or to search for information about a Twitter function which &lt;span style="font-style: italic;"&gt;makes a difference&lt;/span&gt;...&lt;br /&gt;&lt;br /&gt;I spent some time trying to think of a good word for "arbitrary, un-documentable feature" - but the only one I could come up with was "bug".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-7984597117924275059?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/7984597117924275059/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/03/twitter-niceties.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/7984597117924275059'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/7984597117924275059'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/03/twitter-niceties.html' title='Twitter niceties'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://4.bp.blogspot.com/_ZAC5dVE19pQ/S55U7658LGI/AAAAAAAAACE/DAYHdW0VA-I/s72-c/twitter-venn.jpg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-5036964317092706948</id><published>2010-03-14T21:12:00.002Z</published><updated>2010-03-14T21:41:30.421Z</updated><title type='text'>What is copyright for?</title><content type='html'>Something is rotten, it would seem, at the heart of copyright legislation.&lt;br /&gt;&lt;br /&gt;Otto von Bismarck definitely had a point when he remarked (allegedly, at least), that "the less people know about how laws and sausages are made, the easier they sleep at night". That said, if there are unnatural acts being committed in either process, there must be a point at which it's better to know than not to know.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://news.bbc.co.uk/1/hi/technology/8544935.stm"&gt;This article&lt;/a&gt;, by Bill Thompson, rightly highlights the dangers of allowing copyright law to degenerate into an unregulated mess, devoid of due process and subject to partisan abuse. That far I agree with him. However, I disagree that the best response is to re-draft the law so that it redresses the balance in favour of the data consumer, as opposed to the copyright holder.&lt;br /&gt;&lt;br /&gt;The problem with that approach is that we are all, increasingly, publishers of data and (ideally) copyright-holders... of the information we disclose about ourselves. In fact, I have often made the comment that the rights which so irritate us when they are officiously enforced by media publishers, are exactly those rights which we would dearly love to be able to enforce when they relate to our personal information. If the laws are to be re-drafted, the aim should not be to rebalance the rights of data consumers and data publishers &lt;span style="font-style: italic;"&gt;per se&lt;/span&gt;... 
but to ensure that the rights currently accorded to the 'traditional' holders of copyright are extended to all of us.&lt;br /&gt;&lt;br /&gt;In other words, it's time that the laws on publishing were extended to protect all those who publish, and not just those who published before Web 2.0 came along.&lt;br /&gt;&lt;br /&gt;Unfortunately, if we adopt Bismarck's attitude to the law-making process, instances such as the international Anti-Counterfeiting Trade Agreement (&lt;a href="http://www.out-law.com/page-10825"&gt;ACTA&lt;/a&gt;) and the UK Digital Economy Bill   (&lt;a href="http://www.guardian.co.uk/technology/2010/mar/11/digital-economy-bill-amendment-lobbyists"&gt;DEBill&lt;/a&gt;) make one thing quite clear: if you wait until the process has finished before worrying about the result, it will be too late.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-5036964317092706948?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/5036964317092706948/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/03/what-is-copyright-for.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/5036964317092706948'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/5036964317092706948'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/03/what-is-copyright-for.html' title='What is copyright for?'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-719799411855834992</id><published>2010-03-01T16:48:00.005Z</published><updated>2010-03-01T17:02:26.645Z</updated><title type='text'>Niche market...</title><content type='html'>Knowing how &lt;a href="http://www.xmlgrrl.com/blog/"&gt;Eve&lt;/a&gt; loves a Venn diagram, I thought this was the best way to gauge interest in my &lt;a href="http://www.cafepress.co.uk/FutureIdentity"&gt;new line of badges&lt;/a&gt;. Plus, I wouldn't want you to think I had launched a new product without doing a thorough market segmentation exercise first. So here it is, fresh from the back of the envelope...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ZAC5dVE19pQ/S4vwrM2QfZI/AAAAAAAAAB8/TG3rwBG8YCE/s1600-h/niche.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 240px;" src="http://2.bp.blogspot.com/_ZAC5dVE19pQ/S4vwrM2QfZI/AAAAAAAAAB8/TG3rwBG8YCE/s400/niche.JPG" alt="" id="BLOGGER_PHOTO_ID_5443709199581216146" border="0" /&gt;&lt;/a&gt;The back-story is &lt;a href="http://www.xmlgrrl.com/blog/"&gt;here&lt;/a&gt;, on Eve's blog. It occurred to her (and who am I to argue?), that a healthy mind-set for data sharing these days is not to try and prevent it ever happening, but to work on ways of ensuring that it only happens with the consent of the data subject. That in turn put her in mind of Luc Besson's "The 5th Element" [Ian Holm, Milla Jovovich, Bruce Willis].&lt;br /&gt;&lt;br /&gt;Hence the new line of badges - based on Leeloo's reaction when unexpectedly kissed: "ecto gammat!", meaning "never without permission!". It's not that it can &lt;span style="font-style: italic;"&gt;never&lt;/span&gt; happen... 
it had just better be with prior consent.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-719799411855834992?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/719799411855834992/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/03/niche-market.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/719799411855834992'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/719799411855834992'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/03/niche-market.html' title='Niche market...'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_ZAC5dVE19pQ/S4vwrM2QfZI/AAAAAAAAAB8/TG3rwBG8YCE/s72-c/niche.JPG' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-4924101453755666535</id><published>2010-03-01T14:28:00.005Z</published><updated>2010-03-01T15:01:54.672Z</updated><title type='text'>The hidden risks of biometric credentials</title><content type='html'>Over on the Hawktalk blog, Chris Pounder has a &lt;a href="http://amberhawk.typepad.com/amberhawk/2010/02/fixing-the-integrity-of-passport-could-undermine-privacy.html"&gt;characteristically incisive analysis&lt;/a&gt; of some of the privacy problems which arise out of the deployment of 
biometric passports. If you don't follow Hawktalk already, I'd recommend it. In the meantime, here's a copy of the comment I've added on Chris' post, setting out some of the further implications.&lt;br /&gt;&lt;br /&gt;In many of the early discussions about the NIS/NIR[1] it was just noted, as an "inconvenient side-effect" of biometric enrolment, that individuals who legitimately need an assumed ID (intelligence officers, undercover police officers, endangered witnesses, victims of domestic abuse) would need to be specially handled by the NIR. The implication was that the NIR would (need to) be designed so as to allow an alias to be registered against a given biometric record.&lt;br /&gt;&lt;br /&gt;However, the Dubai episode reveals that this initial analysis is flawed and does not fully reflect the risk involved.&lt;br /&gt;&lt;br /&gt;It is one thing for the NIR to be able to respond as if a valid alias were a real ID - unfortunately, that's not the only valid use-case... as Dubai clearly illustrates. 
In practice, suppose my passport says that I am Oscar Wilde, and my biometric is registered against the name "Oscar Wilde" in the NIR; I may well have travelled to the States several times, for instance, and their immigration systems will have registered my fingerprints and facial biometric  against the name "Oscar Wilde".&lt;br /&gt;&lt;br /&gt;But imagine I then have to adopt a (legitimate) alias:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;my NIR entry is changed to associate my biometric with the name "William Gladstone";&lt;/li&gt;&lt;li&gt;I'm issued with a new, valid passport in the name of William Gladstone.&lt;/li&gt;&lt;/ul&gt;How the hell am I going to explain that to a US immigration official, whose database (totally beyond the control of the NIR) clearly shows that my biometrics belong to "Oscar Wilde", not "William Gladstone"?&lt;br /&gt;&lt;br /&gt;To put it more simply: once a foreign government has linked your biometric with one name, the fact that the NIR links it with a different name is likely to do you more harm than good.&lt;br /&gt;&lt;br /&gt;This will clearly be both inconvenient and possibly dangerous for intelligence officers, but it also raises serious safety, privacy and practical concerns for, say, victims of domestic abuse or jury-tampering, who may be obliged to disclose that fact (quite unnecessarily) just in order to cross a frontier. 
If they are doing so in order to begin a new life away from the source of the abuse, that is not a happy start to the process...&lt;br /&gt;&lt;br /&gt;Just to put the icing on the cake, of course, a likely perverse consequence of this is that suspicious foreign governments will start to assume the worst of anyone explaining that their ID and biometric don't match because they're a fleeing victim of domestic abuse - simply because that's the easiest way for travelling spooks to game the system.&lt;br /&gt;&lt;br /&gt;[1] See, for instance, this &lt;a href="http://blogs.sun.com/racingsnake/entry/revisiting_voter_anonymity"&gt;blog post and comments&lt;/a&gt;, from Nov 2006.</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/4924101453755666535/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/03/hidden-risks-of-biometric-credentials.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4924101453755666535'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4924101453755666535'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/03/hidden-risks-of-biometric-credentials.html' title='The hidden risks of biometric credentials'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-1680002174801534223</id><published>2010-02-23T19:23:00.007Z</published><updated>2010-02-23T19:42:37.347Z</updated><title type='text'>Insalubrious premisses</title><content type='html'>From time to time, someone points out that the security of most ID/password-based website authentications actually depends on the (quite unrelated) security of the user's primary email account... in the sense that that's where most of the password reset confirmation messages get sent.&lt;br /&gt;&lt;br /&gt;In fact, it's worth assessing the risk of just how many sites you could be locked out of, if (say) you could no longer access the email account(s) you specified when you registered with them.&lt;br /&gt;&lt;br /&gt;I see the folks at Facebook have thought that problem through, though: one of the options you have on Facebook is to recover access to your account if (i) your Facebook password has been lost/compromised; (ii) the email account you registered with has also been hacked.&lt;br /&gt;&lt;br /&gt;Under that unhappy combination of circumstances, you will be relieved to know that all is not lost... you can ask for your password reset confirmation to be sent to a completely new email address. &lt;a href="http://www.facebook.com/help/contact.php?show_form=hack_nologin_access"&gt;To do this&lt;/a&gt;, you will need to know:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;the email address you originally registered;&lt;/li&gt;&lt;li&gt;your full name on the Facebook account;&lt;/li&gt;&lt;li&gt;your date of birth;&lt;/li&gt;&lt;li&gt;the URL of your hacked profile.&lt;/li&gt;&lt;/ul&gt;It doesn't take much research to conclude that those four pieces of corroborative data are freely published by quite a lot of users, either elsewhere or on their Facebook profile itself. 
And that, therefore, this procedure is also open to anyone sufficiently motivated to hi-jack your Facebook account.&lt;br /&gt;&lt;br /&gt;Perhaps this is the design you end up with, if you start from the premise that "privacy is no longer the social norm".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-1680002174801534223?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/1680002174801534223/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/02/insalubrious-premisses.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1680002174801534223'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1680002174801534223'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/02/insalubrious-premisses.html' title='Insalubrious premisses'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-3040378732982418986</id><published>2010-02-23T14:49:00.006Z</published><updated>2010-02-23T18:56:36.315Z</updated><title type='text'>Identity, Privacy and the Post-bureaucratic Age</title><content type='html'>I was at a fascinating (if chilly) conference yesterday to hear a gratifyingly diverse bunch of panellists express their views on the so-called "Post-Bureaucratic Age" (PBA... 
Twitter hash-tag &lt;a href="http://search.twitter.com/search?q=%23pbage"&gt;#pbage&lt;/a&gt; in case that's how you prefer to get fed). A strong "draw" for the morning session was the appearance of David Cameron to set out how a Post-Bureaucratic strategy could help square the circle of improving public services while wrestling with colossal budget constraints.&lt;br /&gt;&lt;br /&gt;I'm not going to try and define what the PBA is, or re-visit yesterday's speeches - there's plenty of coverage of that online (&lt;a href="http://www.totalpolitics.com/blogs/index.php/2010/02/22/cameron-and-the-post-bureaucratic-age-we"&gt;here&lt;/a&gt;'s as good a starting-point as any, and William Heath's comments &lt;a href="http://williamheath.net/?p=267"&gt;here&lt;/a&gt; set out the identity and privacy landscape with commendable eloquence).&lt;br /&gt;&lt;br /&gt;What I will try and do, though, is look at this through the eyes of a privacy/policy technologist well-used to promises that the latest technology will fix all our ills. Here are some of the pitfalls I think this policy strategy will need to negotiate if it is to deliver the kind of benefits being cited in its support.&lt;br /&gt;&lt;br /&gt;First, I should make it clear that I agree with many of the concepts. The PBAge is to be founded on the idea that public data should be more visible; processes more transparent; decision-making more accountable. Arguing against that is a bit like making the case against motherhood and apple pie.&lt;br /&gt;&lt;br /&gt;However, whatever the potential benefits of a PBA approach, I think it's absolutely critical that we understand the basis on which we're opting for it, if we do. 
For instance, I suspect that a large part of the purely emotional appeal of PBA is in reaction to the undeniably adverse perceptions of "Bureaucratic Age" programmes such as the National Identity Scheme, ContactPoint, Connecting for Health, the Independent Safeguarding Authority, the Digital Economy Bill and so on.  In short, we need to be very clear-headed about whether we're signing up to PBA "on the rebound". That's not a healthy basis for a long-term relationship...&lt;br /&gt;&lt;br /&gt;Second, there's the risk of believing our own hype about this sparkly new technology. Too often, this takes the form of a stampede to novelty, with thoughts of security/privacy only after it's too late. As regular readers can imagine, I do not subscribe to Mr Zuckerberg's recent contention that "privacy is no longer the social norm". It will be a strange day indeed when the last word on "privacy as a social norm" comes from a 25-year-old white male American billionaire college drop-out.&lt;br /&gt;&lt;br /&gt;So, by all means consider ways of making household energy consumption figures more visible... but think equally carefully about whether there might be some issues of personal privacy involved in printing &lt;span style="font-style: italic;"&gt;your&lt;/span&gt; household energy numbers on your &lt;span style="font-style: italic;"&gt;neighbour's &lt;/span&gt;bill (as was suggested yesterday).&lt;br /&gt;&lt;br /&gt;If the concepts are poorly implemented, they encourage 'gaming' of the system. After all, public sector performance/league tables were also proposed with the best apparent intentions of 'transparency', 'choice' and 'accountability' in mind, yet yesterday Prof McGurk's plea to manage outcomes, not processes, could not have been more heartfelt.&lt;br /&gt;&lt;br /&gt;If the implementations are badly deployed, they lead to perverse consequences. 
For instance, current guidance on the implementation of ISA "safeguarding" measures appears to require employers to compile - &lt;span style="font-style: italic;"&gt;and disclose&lt;/span&gt; - dossiers which intrude substantially into the private lives and personal history of their employees - regardless of the provenance or reliability of that information, or its relevance either to the employee's job, or to the stated purpose of protecting vulnerable third parties.&lt;br /&gt;&lt;br /&gt;Third, governance. All the use-cases proposed yesterday were conspicuously cuddly. Energy-saving; better public services; reducing public debt; plan and fund the development of your own neighborhood. Bless. Here are some things which weren't mentioned: counter-terrorism; anti-money-laundering; immigration and border controls; taxation; reduction of benefit fraud... My point is, as well as empowering us to do the things we would like to do, the PBAge will also have to include those things which we don't like, but which the state occasionally has to do to us.&lt;br /&gt;&lt;br /&gt;In terms of identity, privacy and personal data, the way I usually describe this is as follows:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ZAC5dVE19pQ/S4P5QwvjsOI/AAAAAAAAAB0/Szac81M8PFk/s1600-h/two-views.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 400px; height: 279px;" src="http://4.bp.blogspot.com/_ZAC5dVE19pQ/S4P5QwvjsOI/AAAAAAAAAB0/Szac81M8PFk/s400/two-views.jpg" alt="" id="BLOGGER_PHOTO_ID_5441466841151287522" border="0" /&gt;&lt;/a&gt;Think of "the government" as having a number of sources of information about you, by virtue of the various relationships it has with you as a citizen.&lt;br /&gt;&lt;br /&gt;The PBAge suggests that you, as a citizen, can benefit from better services if you or someone else is able to join together various now-to-be-published sources of data. 
Presumably it will still, though, be important that that only happens as and when you consent to it (either the data-joining, or your making use of the resulting service).&lt;br /&gt;&lt;br /&gt;On the other side of the 'cloud' are the less cuddly things government is expected to achieve; protecting public funds and services against fraud, delivering effective law enforcement, preserving national security, and so on. Many of these things, let's face it, are often based on the non-consensual joining-together of information about you... and some of that information is from exactly the same sources as are to be used for the cuddlier purposes of PBAge.&lt;br /&gt;&lt;br /&gt;In other words, what is required is the ability to manage two different and conflicting views over what may often be the same data. That implies a level of data management expertise which I don't see in many places in the commercial sector, let alone in the public sector.&lt;br /&gt;&lt;br /&gt;I do not think we understand, yet, what is the appropriate governance regime for data (including personal information) in the PBAge... bearing in mind that there's no reason to suppose the current governance regime is fit for its current purpose, let alone applicable to the emerging requirements of the future.&lt;br /&gt;&lt;br /&gt;With that in mind, whither PII?&lt;br /&gt;&lt;br /&gt;Current notions of online privacy are, for the most part, based on legislation which seeks to list a finite number of pieces of data, which are to be considered "personal", and which are therefore to benefit from special protection. Nowhere in those lists will you find pieces of data like "mobile network presence", "time-stamp", "network cell location", "search history", "browser profile", "browser history". And yet there is ample evidence to suggest that these are more than enough to compromise the individual's privacy, anonymity and indeed self-determination.  
(I also hear, incidentally, that from the pattern of energy usage reported by a smart meter, the electricity company can tell the make, model and age of your washing machine... How long before the manufacturers start offering money for that data so that you can be spammed with "it's time to replace your washer" messages...?).&lt;br /&gt;&lt;br /&gt;Among the questions I think PBAge proponents are going to have to address with some urgency are these: in an age where "all data is personally identifiable", how is personal privacy to be managed? How are factors such as informational self-determination to be incorporated in the resulting policies? And, echoing Prof McGurk again... how are we to manage data, but measure outcomes?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-3040378732982418986?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/3040378732982418986/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/02/identity-privacy-and-post-bureaucratic.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3040378732982418986'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3040378732982418986'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/02/identity-privacy-and-post-bureaucratic.html' title='Identity, Privacy and the Post-bureaucratic Age'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_ZAC5dVE19pQ/S4P5QwvjsOI/AAAAAAAAAB0/Szac81M8PFk/s72-c/two-views.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-9196065545550539829</id><published>2010-02-17T10:22:00.004Z</published><updated>2010-02-17T10:47:08.440Z</updated><title type='text'>Google Buzz: what's the appropriate reaction?</title><content type='html'>I must admit, I'm so undecided over this one that two hands are no longer sufficient...&lt;br /&gt;&lt;br /&gt;On the one hand, I am actually grateful to Google for the fact that their botched implementation and deployment of Buzz has brought some of the flaws of "social networking" to the fore. There's intelligent, rational and perceptive &lt;a href="http://blogs.gartner.com/john_pescatore/2010/02/15/google-follows-the-usual-violate-privacy-if-caught-apologize-then-offer-opt-out-path/"&gt;comment from John Pescatore&lt;/a&gt; at Gartner, for instance.&lt;br /&gt;&lt;br /&gt;The term "social networking" perpetuates a deception in which users, myself included, have been too happy to collude... the idea that "social networking" operates by the same rules as face-to-face personal interaction, and that there is no 'third party in the room' when you interact with your online buddies. The sooner that particular emperor is revealed to be naked, the better.&lt;br /&gt;&lt;br /&gt;On the other hand, it frustrates and even angers me that Google have not, among the various changes they have made since the launch, done the single, simple thing which would most clearly illustrate that they acknowledge there's a problem: make Buzz an explicit opt-in service. 
I see from &lt;a href="http://www.guardian.co.uk/media/pda/2010/feb/17/epic-ftc-google-buzz"&gt;this article in the Guardian&lt;/a&gt; that that is what EPIC have asked the FTC to rule - and rightly so.&lt;br /&gt;&lt;br /&gt;On the third hand... I still can't decide whether Google's approach here is just naive, or breathtakingly disingenuous. I mean, imagine you read the following in a news article:&lt;br /&gt;&lt;br /&gt;"We only released the crocodiles into the primary school building a week ago. We've already made a few changes based on user feedback, and we have more improvements in the works. We look forward to hearing more suggestions and will continue to improve the primary-school crocodile experience, with user transparency and control top of mind."&lt;br /&gt;&lt;br /&gt;Is there &lt;span style="font-style: italic;"&gt;nothing&lt;/span&gt; in that which might ring a few alarm bells, in terms of risk, duty of care, and considering (in advance...) whether you're about to do something with irreversible consequences?&lt;br /&gt;&lt;blockquote&gt;[Here's the actual Google statement, for clarity's sake: "Buzz was launched only a week ago. We've already made a few changes based on user feedback, and we have more improvements in the works. We look forward to hearing more suggestions and will continue to improve the Buzz experience with user transparency and control top of mind."]&lt;/blockquote&gt;One of the commenters on John Pescatore's blog expressed the view that Google had forgotten "the cardinal rule of social media: Assume anything your members do is private until they tell you otherwise".&lt;br /&gt;&lt;br /&gt;With respect to that commenter, I don't think that is the cardinal rule at all. 
I think the game operates more like this:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Rule One: Maintain the illusion that the user is interacting only with their chosen parties; as long as you don’t spook them, users will be happy to connive at this pretence.&lt;/li&gt;&lt;li&gt;Rule Two: Under no circumstances force the user to acknowledge that there’s a third party in the room… whether that’s you, as the “social network” provider, or the others with whom you exchange data about the users.&lt;/li&gt;&lt;li&gt;Rule Three: Keep calling it “social networking”, to reinforce the impression that it operates by the same rules as face-to-face interaction between friends. (It doesn’t, but see Rule One).&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-9196065545550539829?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/9196065545550539829/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/02/google-buzz-whats-appropriate-reaction.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/9196065545550539829'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/9196065545550539829'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/02/google-buzz-whats-appropriate-reaction.html' title='Google Buzz: what&apos;s the appropriate reaction?'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-6181617434385156700</id><published>2010-02-12T09:13:00.004Z</published><updated>2010-02-12T09:38:17.107Z</updated><title type='text'>Privacy by design, privacy by default</title><content type='html'>Well, the online reactions to Google's Buzz innovation ("organising the world's address books and making them visible"?) continue. Among others -&lt;br /&gt;&lt;br /&gt;- &lt;a href="http://blogs.computerworld.com/15571/another_google_buzz_privacy_concern"&gt;Sharon Machlis&lt;/a&gt; gives some specific examples of why it's a bad idea to treat email as if it were the same as other 'networked interaction' tools;&lt;br /&gt;&lt;br /&gt;- &lt;a href="http://fugitivus.wordpress.com/2010/02/11/fuck-you-google/"&gt;Harriet Jacobs&lt;/a&gt; gives a crucial perspective on the dangers of promiscuous data-sharing (warning: contains lively language and references to sexual violence);&lt;br /&gt;&lt;br /&gt;- &lt;a href="http://news.cnet.com/8301-30684_3-10452412-265.html"&gt;Tom Krazit&lt;/a&gt; provides an update on some of Google's first tweaks in reaction to the negative feedback.&lt;br /&gt;&lt;br /&gt;So it's not that Google is doing nothing. However, I still haven't seen the most important change - namely, from "default opt-in by presumption" to a proper, explicit opt-in based on informed consent.&lt;br /&gt;&lt;br /&gt;I blogged &lt;a href="http://futureidentity.blogspot.com/2009/12/on-nothing-to-hiding.html"&gt;a couple of months ago&lt;/a&gt; in response to Eric Schmidt's ill-chosen words on privacy, and noted that they came particularly badly from the CEO of a company with such global reach and power, and the ability to have such a fundamental effect on individuals' privacy.&lt;br /&gt;&lt;br /&gt;I would say the same thing about the Buzz implementation. 
It is extremely unhealthy for the online eco-system as a whole (users, service providers, developers and so on) if a stakeholder such as Google demonstrates a willingness to ignore privacy fundamentals such as informed consent, explicit opt-in, and 'opt-out by default'.&lt;br /&gt;&lt;br /&gt;Please, Google: you're never slow to trumpet the philanthropic potential of your innovations; live up to that PR by setting a better example: privacy by design, privacy by default.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-6181617434385156700?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/6181617434385156700/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/02/privacy-by-design-privacy-by-default.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/6181617434385156700'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/6181617434385156700'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/02/privacy-by-design-privacy-by-default.html' title='Privacy by design, privacy by default'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-1208153562932989514</id><published>2010-02-11T17:07:00.002Z</published><updated>2010-02-11T17:23:23.489Z</updated><title type='text'>WARNING! 
LARK'S VOMIT</title><content type='html'>If, like me, you assumed that saying "No thanks" to the invitation to try Google Buzz meant that you had opted out, you should definitely read &lt;a href="http://itknowledgeexchange.techtarget.com/security-bytes/how-to-turn-off-google-buzz-and-avoid-privacy-issues/"&gt;this guidance from Robert Westervelt&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;For non Python fans, the "lark's vomit" reference originates in their "Crunchy Frog" sketch about the highly dubious "Wizzo Chocolate Assortment":&lt;br /&gt;&lt;br /&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr valign="top"&gt;&lt;td&gt;Inspector Praline: &lt;/td&gt;&lt;td&gt; &lt;span id="John"&gt;I'm not interested in your sales! I have to protect the general public! Now what about this one: [...] Number five Ram's Bladder Cup. What sort of confection is this?&lt;/span&gt; &lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td&gt; Mr Milton: &lt;/td&gt;&lt;td&gt; &lt;span id="TerryJ"&gt;We use choicest juicy chunks of fresh Cornish ram's bladder, emptied, steamed, flavoured with sesame seeds, whipped into a fondue and garnished with lark's vomit.&lt;/span&gt; &lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td&gt; Praline: &lt;/td&gt;&lt;td&gt; &lt;span id="John"&gt;Lark's vomit?&lt;/span&gt; &lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td&gt; Milton: &lt;/td&gt;&lt;td&gt; &lt;span id="TerryJ"&gt;Correct.&lt;/span&gt; &lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td&gt; Praline: &lt;/td&gt;&lt;td&gt; &lt;span id="John"&gt;Well it don't say nothing about that here.&lt;/span&gt; &lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td&gt; Milton: &lt;/td&gt;&lt;td&gt;&lt;span id="TerryJ"&gt;Er, yes it does... on the bottom of the box, after monosodium glutamate.&lt;/span&gt; &lt;/td&gt;&lt;/tr&gt; &lt;tr valign="top"&gt;&lt;td&gt; Praline: &lt;/td&gt;&lt;td&gt; &lt;span id="John"&gt;Well, I hardly think this is good enough. 
I think it'd be more appropriate if the box bore a great red label: "Warning! Lark's vomit!"&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-1208153562932989514?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/1208153562932989514/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/02/warning-larks-vomit.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1208153562932989514'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1208153562932989514'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/02/warning-larks-vomit.html' title='WARNING! LARK&apos;S VOMIT'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-3439560973245963721</id><published>2010-02-11T15:38:00.004Z</published><updated>2010-02-11T17:07:45.104Z</updated><title type='text'>No such thing as bad publicity...?</title><content type='html'>Well, Google just doesn't seem to be able to stay out of the spotlight at the moment. 
I'm not going to try and comment on how much of the adverse attention is merited, as opposed to feeding-frenzy - but having just heard Google's Alma Whitten present at the Trust in the Information Society conference this morning, some of the news items did have a little more resonance than usual.&lt;br /&gt;&lt;br /&gt;First, a quick note to the Marketing Dept at Google: Alma has certainly taken the corporate messaging on board. The phrase "organizing the world's information and making it accessible and useful" occurred more than once, believe me.&lt;br /&gt;&lt;br /&gt;Hence the first hum of resonance, when I &lt;a href="http://www.guardian.co.uk/music/2010/feb/11/google-deletes-music-blogs"&gt;read&lt;/a&gt; that a number of bloggers on Google-hosted services have had their blogs summarily removed, archives deleted etc., for alleged violation of terms of service relating to music copyright. According to the article, some of the blogs were in fact only publishing music with the consent (and in some cases outright collaboration) of the artists and/or publishers.&lt;br /&gt;&lt;br /&gt;Far be it from me to play devil's advocate, but one reply might be that Google is only doing its best to winnow out offenders in the interests of copyright holders. The trouble is, that sits ill with Monday's Radio Five Live programme about the Google Books project; in that broadcast, several authors made the argument that their work had appeared without their consent on the Google Books project (copyright page and all), and expressed their fundamental objection to the notion that they should be required to opt out explicitly if they wished their (prior and existing) assertions of copyright to be honoured.&lt;br /&gt;&lt;br /&gt;So, is this just Google being "damned if they do and damned if they don't"? 
Or does this illustrate that if you want to either re-publish copyright works or prosecute copyright violations on the scale to which Google aspires, a blanket approach will always fail?&lt;br /&gt;&lt;br /&gt;And so to resonance number three: those authors who objected to the implicit opt-in are unlikely, on that basis, to be signing up for Google's new Buzz service. Molly Wood gives a damning analysis, &lt;a href="http://news.cnet.com/8301-31322_3-10451428-256.html"&gt;here&lt;/a&gt;, of several of the ways in which it, aggressively and by default, assumes a comprehensive opt-in on the part of the user. From what she says, in a number of instances that assumption goes well beyond the reasonable[*].&lt;br /&gt;&lt;br /&gt;As I say, I'm not going to pass judgement on whether this is just the media laying into their favourite whipping-boy of the moment, but I think it's legitimate to ask how these anecdotes contrast with some of the stated aims, goals and indeed values which Google professes.&lt;br /&gt;&lt;br /&gt;As I heard repeatedly this morning, Google wants to innovate and satisfy user requirements. On the face of it, who could argue with that? But innovation is not sufficient justification for compromising users' privacy. And in that respect, there is an absolutely critical difference between satisfying the requirements which users apparently express via whatever privacy-related options they may be offered, and satisfying the requirements which lead to the privacy outcomes which users would choose if they were in a position to do so.&lt;br /&gt;&lt;br /&gt;In a piercing analysis, Mireille Hildebrandt of the Vrije Universiteit Brussel pointed out that a user's behaviour (and the data that implicitly discloses) often reveals a far more accurate picture of their real attitudes than do their answers to questions about what they want. Why's that relevant here? 
Well, because if you give users the option of not explicitly disclosing personal information (for instance, name, address and so on), but you collect (and even anonymise) behavioural data without giving the user the ability to opt out of that, you have created an illusion of privacy-respecting choice while in fact providing no such thing.&lt;br /&gt;&lt;br /&gt;In other words, users' behaviour may be at odds both with their stated preferences and their best interests. It might sound as though I'm calling for data custodians in general to adopt a very paternalistic attitude towards user privacy - but I'm not. What I am calling for is a much more mature approach to the responsibilities which data custodians take on, when they gather data which users don't even know they are disclosing, and which reveal things about the user which they may not even be aware of.&lt;br /&gt;&lt;br /&gt;I've posted and ranted elsewhere about the inadequacy of the term 'ownership' to describe our relationship to data about ourselves, and that is as true here as anywhere. I'm not calling for data custodians to take (or relinquish) 'ownership' of such data, and I'm not calling for 'ownership' of it to be assigned to the data subject. 
But I do think there needs to be a lot more transparency in the following areas:&lt;br /&gt;&lt;br /&gt;- what data is collected about users, either explicitly or (more important) implicitly;&lt;br /&gt;- what categorisations and inferences are made on the basis of that data;&lt;br /&gt;- what actions are taken, which affect one user, on the basis of inferences from data about other users;&lt;br /&gt;- what rights a user is assumed to have concerning data about them;&lt;br /&gt;- what responsibilities a data custodian is assumed to have regarding that data and those rights.&lt;br /&gt;&lt;br /&gt;Admittedly, this is a long way from anything you would find in the current generation of Privacy Statements and Privacy Policies (let alone privacy laws) - but that doesn't mean we shouldn't be seeking to improve as we eye the next generation of privacy measures.&lt;br /&gt;&lt;br /&gt;As the European Commission, the OECD and other bodies review the current set of Data Protection Principles, these are among the questions they should be seeking to address. Frankly, the initial reaction suggests that Google Buzz has set off in entirely the other direction.&lt;br /&gt;&lt;br /&gt;The mission statement of "organising the world's data..." is a goal which sets Google up to have a lot of stakeholders - and individually or in aggregate, those stakeholders have rights and expectations which deserve to be satisfied. "The world's data" is not a privacy-neutral concept, and "organising it" is even less privacy-neutral.&lt;br /&gt;&lt;br /&gt;The danger of favouring commercial objectives over the other stakeholder rights is that it creates the impression of selling out, rather than shouldering the responsibility of satisfying the non-commercial stakeholders to the appropriate degree. Rudyard Kipling described "Power without responsibility" as "the prerogative of the harlot". 
That's not an alluring brush with which to be tarred...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;*[A further brief update: the introduction of Buzz, in its simplest form, consists of a 'splash screen' as you log into your gmail account. This offers you the choice of "Trying Buzz" or "No thanks, just take me to my inbox". Simple enough - except that if you choose the latter, Gmail will turn Buzz on anyway. I'm at a loss to understand why that is the appropriate unilateral action for Google to take, especially after clearly giving the impression that you have already opted out.&lt;br /&gt;&lt;br /&gt;It cannot be good practice that we have to rely on &lt;a href="http://itknowledgeexchange.techtarget.com/security-bytes/how-to-turn-off-google-buzz-and-avoid-privacy-issues/"&gt;third party sources&lt;/a&gt; to instruct users on how to disable the Buzz service. Nor, surely, can it be good practice to turn the service on, by default, before the user even gets a chance to turn it off.]&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-3439560973245963721?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/3439560973245963721/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/02/no-such-thing-as-bad-publicity.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3439560973245963721'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3439560973245963721'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/02/no-such-thing-as-bad-publicity.html' title='No such thing as bad publicity...?'/><author><name>Robin 
Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-2674014707436973541</id><published>2010-01-30T18:50:00.004Z</published><updated>2010-01-30T19:00:31.638Z</updated><title type='text'>Paying for Privacy...</title><content type='html'>There's a good article on cnet news, to coincide with Data Privacy Day - thoughtful and thought-provoking.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://news.cnet.com/8301-13578_3-10443575-38.html"&gt;"It's been 10 years: Why won't people pay for privacy?"&lt;/a&gt;, by Declan McCullagh&lt;br /&gt;&lt;br /&gt;I've left some feedback on it, but as I'm about 40th in the comment stack, I don't imagine it will attract much attention there - so here it is:&lt;br /&gt;&lt;blockquote&gt;"Congratulations on a well-timed article with a lot of thought behind it.&lt;br /&gt;&lt;br /&gt;I've been working on digital ID and privacy for the last 7-8 years, and I suspect that, if you're looking at the commercial aspects, there are two reasons why "privacy protection" has largely failed to offer a compelling value proposition. One is comparatively old, the other is a little newer.&lt;br /&gt;&lt;br /&gt;The older reason is that "point" privacy protection products can usually do little or nothing about the elephant in the room... the vested and mostly-invisible commercial interests behind online advertising are so huge, so entrenched and so opaque to the user that it is all but impossible to change the balance of power between the 'data subject' and the 'data gatherer'. As an example, look at the difficulty some very bright people have had with turning VRM from concept into reality. 
(VRM, or "Vendor Relationship Management" was coined as a flip-side to "Customer Relationship Management" - CRM - ... the idea being that my interests would be better served if I took control of my data and used it as the leverage to change vendors' behaviour). The idea, the principles and the technology might all be fine, but those factors are not enough to convince/persuade/force vendors to do things your way instead of theirs.&lt;br /&gt;&lt;br /&gt;The second, and newer, reason has to do with the increasing ability of data-miners to build an extremely accurate model of you (and your behaviour and preferences) without needing to know exactly who you are.&lt;br /&gt;&lt;br /&gt;And here's the worrying point, in the light of that second reason. Most of us think we have a reasonable handle on what our privacy is, and what we might do to protect it. The problem is that most of us are still thinking in terms of the risks arising from reason number 1. Very few of us have any notion of what the risks are which arise from reason number 2, let alone how to mitigate them."&lt;/blockquote&gt;It was a rather hastily sketched-out response, and probably raises more questions than answers - but I wanted to make it promptly, partly because I hope it will tie in nicely with some of the comments I'll be blogging in due course about the CPDP conference I've just got back from. 
More later...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-2674014707436973541?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/2674014707436973541/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/01/theres-good-article-on-cnet-news-to-co.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2674014707436973541'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2674014707436973541'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/01/theres-good-article-on-cnet-news-to-co.html' title='Paying for Privacy...'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-4547634733894369828</id><published>2010-01-26T13:49:00.005Z</published><updated>2010-01-26T14:38:43.928Z</updated><title type='text'>Privacy, personas and consent</title><content type='html'>Followers of this blog will instantly recognise the three things in the title... I've gone on about them often enough. Some may be wondering if (or indeed how) I can have more to say. 
Well, there's always another twist, another perspective, so here goes.&lt;br /&gt;&lt;br /&gt;Usually, I'm promoting "personas" as a useful privacy tool: that is, if you can segregate and selectively reveal different aspects of your online identity, you can probably manage your privacy better. The people who know you as a "soccer mom", for instance, don't necessarily know that you're also an Army reservist... and why should they - &lt;u&gt;unless you tell them&lt;/u&gt;?&lt;br /&gt;&lt;br /&gt;It's that 'consent' aspect which I'd like to take a fresh look at today. After all, I usually use an example like the one above: where the person concerned wishes, for whatever reason, to separate one aspect of their life from another. However, let's look at the flip side: hypothetically, let's assume you have a university academic who is known to his students as a specialist in IT law, a lecturer and in some cases perhaps a PhD supervisor. In other words, he has a pretty clearly-bounded, if multi-faceted 'persona' as a 'professor'. Let's call him Professor Dent for the heck of it; I. Dent, of course, because the Prof. has an academic and practical interest in questions of online identity and privacy.&lt;br /&gt;&lt;br /&gt;Naturally, Prof. Dent tends to see a correspondingly bounded 'persona' of his students, delineated by their areas of study, their essays, their behaviour in lectures and so on.&lt;br /&gt;&lt;br /&gt;Now, these days it would by no means be considered unusual if those students were also socially active online, in the course of which they might exchange news, photos, gossip etc and even comments about their studies (hey, it could happen...). Prof. Dent, being an up-to-date sort of academic, has accounts on MyBook, FaceSpace and so on, and some of his students even reckon they can "friend" him without losing too much credibility. In fact, he turns out to be (rather endearingly) a huge Dr Who fan... 
though of course in his case that really means Jon Pertwee, not these rock-star Johnny-come-latelies.&lt;br /&gt;&lt;br /&gt;However, the University authorities find out about Prof. Dent's online presence and are not at all happy. Not because of any of the content, I hasten to add... there's nothing in the least bit prurient or reprehensible to be found there. No - they just don't think it's appropriate for the Prof to be generating this discourse, accessible to people who are 'supposed' to see him in his professorial persona only.&lt;br /&gt;&lt;br /&gt;So, here we have rather the converse of the original problem. Rather than keep specific personas strictly segregated, Prof. Dent has decided that his professorial persona might actually benefit from being made slightly more multi-dimensional. Those of you who originally followed this blog's precursor on blogs.sun.com might see reflections of Sun's enlightened 'blog anything' corporate policy in that.  But Prof. Dent is essentially being told, not only that he must segregate his various personas, but that he must not continue with his online presence.&lt;br /&gt;&lt;br /&gt;In other words, regardless of the privacy and persona aspects, his consent is being over-ridden.&lt;br /&gt;&lt;br /&gt;Of course, all this is purely academic (ha ha):&lt;span style="font-style: italic;"&gt;&lt;/span&gt; after all, what University would be daft enough to think that such a policy was (a) a good idea or (b) practical. What's more, I think I would have reservations about trying to impose it on a bunch of academics - especially IT-literate lawyers. 
Thank goodness it's all hypothetical.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-4547634733894369828?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/4547634733894369828/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/01/privacy-personas-and-consent.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4547634733894369828'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4547634733894369828'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/01/privacy-personas-and-consent.html' title='Privacy, personas and consent'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-413425198677035217</id><published>2010-01-22T16:52:00.004Z</published><updated>2010-01-22T18:06:37.698Z</updated><title type='text'>The "German TV, body-scanner" meme</title><content type='html'>There's been lots of traffic about a programme from German TV station ZDF, generally under a headline like "German TV programme shows naked scanners don't work". 
When something like that gets onto Twitter, &lt;a href="http://www.boingboing.net/2010/01/22/naked-airport-scanne.html?utm_source=twitterfeed&amp;amp;utm_medium=twitter"&gt;BoingBoing&lt;/a&gt; and &lt;a href="http://www.schneier.com/blog/archives/2010/01/german_tv_on_th.html"&gt;Bruce Schneier's blog&lt;/a&gt;, it's clearly reaching a heck of an audience.&lt;br /&gt;&lt;br /&gt;It's unfortunate, then, that even Schneier (and I realise this is close to heresy) is jumping from a set of premisses to a conclusion which they really do not support... certainly not in the terms which most readers will assume. Put in its simplest form, the logic readers might be tempted to follow on reading Schneier's post is this: "this type of full-body scanner failed in certain respects in this demonstration, therefore all full-body scanners are useless in any implementation". The shame of it is, of course, that Bruce has a well-deserved reputation for debunking exactly that kind of bogosity.&lt;br /&gt;&lt;br /&gt;The title of his post is: "German TV on the Failure of Full-Body Scanners". Now, I appreciate an eye-catching lede as much as the next blogger... but that one is just bound to create some very misleading impressions (and it's not helped, frankly, by Schneier's implication that you will pick up the relevant gist of the video even if you don't understand German).&lt;br /&gt;&lt;br /&gt;Sure, we've all seen the media footage of those millimeter-wave "naked scanners", and most of us have seen some of the resulting privacy-related fallout. But if you thought that the ZDF programme would give you the evidence for why those scanners are useless, you're going to be disappointed. OK, so I'd better put my iconoclastic money where my blasphemous mouth is. 
Here are some of the factors which Bruce might usefully have pointed out...&lt;br /&gt;&lt;br /&gt;- the scanner used for the programme is not an X-ray device; in fact, it's an entirely passive device which generates an image based on the subject's radiated body-heat. Things placed between the body and the detector, and which obstruct the radiation of body-heat, will show up because of the difference in temperature between them and the body itself. In some respects it can reveal more than an X-ray-based scanner (for instance, it was obvious if the subject was wearing a tie or not, because that forms a partial heat-shield in front of the chest); in other respects, it shows less than an X-ray scanner (for instance, it did not clearly show objects which were in the subject's jacket pockets, because those were not between the body and the scanner). Neither did it reveal Wolfgang Bosbach's pacemaker... because that is subcutaneous.&lt;br /&gt;&lt;br /&gt;- As you will have gathered from the previous point, some of the items which weren't detected would have been found under airport security conditions, even by this scanner... either because&lt;br /&gt;the subject would have had to take off his jacket, or because he would have been scanned from the side as well as front and back.&lt;br /&gt;&lt;br /&gt;I'm not saying that makes this scanner good, by the way - I'm just clearing up some of the things which anyone just reading the blog/Twitter traffic might not be aware of.&lt;br /&gt;&lt;br /&gt;There are a couple of other interesting points which come across if you listen to the programme.&lt;br /&gt;&lt;br /&gt;- Mr Bosbach, one of the participants, is Chair of the Bundestag's Home Affairs Committee. 
I make no comment about his broader policy position, but just note that he explicitly states three criteria which full-body scanners will have to satisfy before he will consider deploying them in Germany:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;They must deliver a quantifiable benefit in terms of increased security;&lt;/li&gt;&lt;li&gt;They must do so in a way which adequately respects passengers' privacy;&lt;/li&gt;&lt;li&gt;They must do so without risk of causing harm.&lt;/li&gt;&lt;/ol&gt;Those seem like a pretty rational set of pre-conditions (though they also still leave plenty of wiggle-room about what the benefits might be, how much respect for privacy, and so on).&lt;br /&gt;&lt;br /&gt;- Bosbach also notes that even the high-resolution millimeter-wave scanners can be implemented in ways which are more privacy-respecting than the kinds of image we have all seen on the news. For instance, if a scan detects nothing suspect, it can simply respond to the operator with a green "OK" symbol. If something untoward is found, its location can be indicated on a simple stick-figure representing the passenger. 
No graphical representation of the passenger is needed for either of those steps.&lt;br /&gt;&lt;br /&gt;Again, I'm not saying that makes such a system desirable - nor am I suggesting that that makes it impossible for the scanner (as opposed to the operator's display screen) to capture, store, transmit and otherwise process the images it generates.&lt;br /&gt;&lt;br /&gt;So, the points about side-scanning and detection of items in jacket pockets illustrate that a failure in this demonstration does not necessarily imply that this scanner (let alone all types of full-body scanner) must be ineffective in all implementations; the points about pre-conditions for implementation, and how data is presented to the operator, illustrate that not all deployments need be equally privacy-intrusive.&lt;br /&gt;&lt;br /&gt;Don't get me wrong: I'm all for railing against the idiocies of so-called airport "security" measures which maximise passenger inconvenience for no (and in some cases negative) security benefit. For example, I've blogged in the past about what is probably the most dangerous place in any airport: that massive queue for the security scanners, where you have a higher density of people than almost anywhere else in the system, and guess what... at that point, &lt;span style="font-style: italic;"&gt;no-one has been scanned, and neither has their hand luggage&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;I've also commented on the arbitrary nonsense which passes for risk mitigation - such as the time when a (lethal and subversive) tennis ball was confiscated from my carry-on luggage on the grounds that it would harden under low air pressure and could be hurled at someone. 
This, when the Harrods shop in the same terminal would happily sell me a box of golf balls (and a stylish Argyle sock to pop them into), or some nice [censored, I'm not giving you any more free advice on how to arm yourself pre-flight...].&lt;br /&gt;&lt;br /&gt;The best technology will fail if it is poorly implemented and badly deployed; and the best deployments can fail to achieve good outcomes if they reflect a fundamentally flawed policy. I seriously doubt that all deployments of full-body scanners (whichever technology they use) will be either effective or privacy-respecting. But I don't think the argument against them is best conducted by leaving a swathe of relevant factors out of the analysis.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-413425198677035217?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/413425198677035217/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/01/german-tv-body-scanner-meme.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/413425198677035217'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/413425198677035217'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/01/german-tv-body-scanner-meme.html' title='The &quot;German TV, body-scanner&quot; meme'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-2089212123596555585</id><published>2010-01-22T15:59:00.006Z</published><updated>2010-01-22T16:43:46.734Z</updated><title type='text'>"Data ownership", "social networking" and other nonsense</title><content type='html'>Joe Andrieu, who co-chairs the Information Sharing Work Group at the Kantara Initiative, has written a superb piece &lt;a href="http://blog.joeandrieu.com/2010/01/21/beyond-data-ownership-to-information-sharing/"&gt;here&lt;/a&gt;, neatly summing up why talking about personal data in terms of "ownership" just doesn't work.&lt;br /&gt;&lt;br /&gt;I'm certainly not going to try and re-hash Joe's analysis; it stands perfectly well in its own right. All I will offer is this: language and thought are closely intertwined... somewhere on the spectrum between Chomsky and the Neuro-Linguistic Programmers, there's a happy medium where the thoughts we have are intimately influenced by the ways in which we are able to articulate them... and vice versa.&lt;br /&gt;&lt;br /&gt;There are times when a simple phrase takes over as a convenient shorthand for a complex set of concepts - and once that happens, it seems it's all too easy to ignore the underlying complexity and collude in the belief that what we're talking about is as simple as the phrase we're using to talk about it. I notice, in passing, that Noam Chomsky refuses to refer to "the war on drugs", insisting instead on calling it "the war on certain drugs". That's pretty much what I'm getting at here, and I'd argue that the phrase "data ownership" is a prime example.&lt;br /&gt;&lt;br /&gt;We know what "data" is, right? It's a simple enough word. And we all know what "ownership" means... so "data ownership" must mean something correspondingly simple. 
Except that (as Joe's piece lucidly explains) if you start by asking questions framed in terms of "data ownership", it leads you down a path which is neither long nor fruitful.&lt;br /&gt;&lt;br /&gt;So, here are two 'thought experiments' I'd like to recommend, when you are faced with a couple of these deceptively simple shorthand phrases. Whenever you encounter a question like "who owns my personal data?", try re-framing it in different terms.&lt;br /&gt;&lt;br /&gt;"What rights do I have over data about me?"&lt;br /&gt;"What rights do others have concerning data about me?"&lt;br /&gt;"What duties do I and others have concerning that data?"&lt;br /&gt;&lt;br /&gt;You should find that these questions, which acknowledge that you can have rights and duties quite aside from any notions of "ownership", generate a far more practical and productive conversation.&lt;br /&gt;&lt;br /&gt;Here's the second "shorthand phrase", and it relates to another one of my current bugbears: "social networking". You've probably heard my &lt;a href="http://futureidentity.blogspot.com/2009/07/pointer-to-tech-and-law-blog.html"&gt;micro-rants&lt;/a&gt; about this before, online or elsewhere, but in essence... I think the phrase "social networking" is actually encouraging us to blind ourselves to the fact that "networked interaction" and "social interaction" work by entirely different sets of rules - and that if you engage in networked interaction while assuming that you're playing by the rules of (face to face) social interaction, you're deluding yourself and probably putting your privacy and self-determination at risk.&lt;br /&gt;&lt;br /&gt;Consider this: have you ever heard two children having an animated conversation in another room, and walked in there only to have their previous conversation come to an abrupt end and be replaced with something entirely innocuous? 
Quite.&lt;br /&gt;&lt;br /&gt;The things they were happy to talk about one-to-one are not the same as the things they are happy to talk about with a parent in the room. Surprise, surprise. We know that. We all know that. We've known that ever since that day a teacher walked into the room just too late for us to abort the punch-line of a dirty joke. Human beings are social animals, and learning these things is part of being human.&lt;br /&gt;&lt;br /&gt;So why do we blithely ignore the fact that there's a third party involved in all our supposedly "friend-to-friend" interactions in "social networks"? And why are we surprised that their interests do not necessarily co-incide with ours? We want to share gossip and photos with our friends, and the third party wants to monetize that relationship.&lt;br /&gt;&lt;br /&gt;OK - so please, when you encounter the phrase "social networking", try replacing it with "networked interaction masquerading as social interaction". My hope is that that will encourage you to bear in mind that, despite all appearance to the contrary, you are engaged in something which does not follow the normal rules of face-to-face personal interaction. 
That should be healthier for your privacy and, over time, who knows - it might even encourage networked interaction sites to be a little more up-front about the hidden side of what they are offering.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-2089212123596555585?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/2089212123596555585/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/01/data-ownership-social-networking-and.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2089212123596555585'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2089212123596555585'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/01/data-ownership-social-networking-and.html' title='&quot;Data ownership&quot;, &quot;social networking&quot; and other nonsense'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-3669857911203504121</id><published>2010-01-08T16:06:00.003Z</published><updated>2010-01-08T17:15:49.173Z</updated><title type='text'>Slight change of role</title><content type='html'>I thought I would post an update to let everyone know about a gentle shift in direction...&lt;br /&gt;&lt;br /&gt;As readers you're probably aware, for the last 10 months I've been the Liberty Alliance's Director for 
Privacy and Public Policy. One of my duties was to define an equivalent post for the Kantara Initiative; I also helped recruit and establish Kantara's Privacy and Public Policy Work Group (P3WG), which I have chaired since its foundation.&lt;br /&gt;&lt;br /&gt;I'm happy to say that, since it was chartered in June 2009, &lt;a href="http://kantarainitiative.org/confluence/display/p3wg/Home"&gt;P3WG&lt;/a&gt; has rapidly attracted a growing and influential core of members - currently up to 52. The Work Group has a weekly conference call, and held face-to-face sessions at the Kantara plenaries in Las Vegas in September, with strong representation from our Japanese and New Zealand colleagues as well as the US public sector.&lt;br /&gt;&lt;br /&gt;The Group's work has also been evolving well: we produced &lt;span style="font-style: italic;"&gt;ad hoc&lt;/span&gt; responses to the US General Services Administration (GSA) ICAM team on their Identity Assurance plans, and the Public Voice civil society organisation on their Madrid Declaration on Privacy. Perhaps more important: as well as the &lt;span style="font-style: italic;"&gt;ad hoc&lt;/span&gt; work, we have been assembling and prioritising our candidate work items for the coming months, so that we have a clear and robust structure for meeting the Group's strategic objectives.&lt;br /&gt;&lt;br /&gt;As the Kantara Initiative moves forward, I have been invited to take up the equivalent Director of Privacy and Public Policy post I mentioned earlier, and I accepted without hesitation. I decided that that was a good time to step down as Chair of the P3WG, so that we can maintain a clear separation of duties between those two roles and avoid any perception of conflict of interest. 
&lt;br /&gt;&lt;br /&gt;Accordingly, P3WG balloted for a new Chair, and I am delighted to say that the post will be filled by Dr Abbie Barbir, whose professional background and experience in OASIS and ITU-T make him an outstanding person for the job. Abbie will enjoy the excellent assistance of Jeff Stollman and Darrell Shull, both of whom have said they will carry on as officers of the Group. I'm handing over the reins of P3WG to a strong and extremely competent team, which is very gratifying.&lt;br /&gt;&lt;br /&gt;Of course, as DPP for Kantara, I will continue to have a very direct interest in P3WG's work, and look forward to taking that forward with the team. The work programme is strong, relevant and innovative, and exciting times lie ahead.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-3669857911203504121?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/3669857911203504121/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/01/slight-change-of-role.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3669857911203504121'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3669857911203504121'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/01/slight-change-of-role.html' title='Slight change of role'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-1860697079132570946</id><published>2010-01-05T17:28:00.002Z</published><updated>2010-01-05T17:52:18.858Z</updated><title type='text'>Gartner acquisition of Burton Group</title><content type='html'>I was emailing a couple of people involved in this, and  unsurprisingly they said that the phrase "living in interesting times" was getting a real work-out in their office today.&lt;br /&gt;&lt;br /&gt;As it happens, over the last 14 months I have worked with some of the identity management specialists from both firms; late in 2008 I was invited to run a Privacy Summit on the eve of the Gartner IAM symposium in Orlando (as far as I know, the first time a third party had been asked to do something like that). Then, last summer, I had the opportunity to speak at Burton Catalyst in San Diego -  which obviously also involved some detailed discussions with the identity team there.&lt;br /&gt;&lt;br /&gt;Having attended both events, and had a level of contact with some of the analysts in each case, here's my forecast for the merger of the two: handled right, it could deliver some really compelling synergy. Again, this is based solely on my partial contact with the two firms, but my superficial and subjective assessment is that the Gartner IDM team are strong on the "implementation and governance" stages of the IDM lifecycle, while the Burton team - while by no means ignoring that phase - really shine in the conceptual and system design phase.&lt;br /&gt;&lt;br /&gt;Of course there's overlap, and of course there are differences of perspective and differences of opinion... 
for instance, there are some interesting internal meetings ahead as &lt;a href="http://identityblog.burtongroup.com/bgidps/2009/10/gartner-gets-privacy-dead-wrong.html"&gt;Bob Blakley and Andrea DiMaio&lt;/a&gt; get together to thrash out the corporate line on online privacy ;^)&lt;br /&gt;&lt;br /&gt;But that, of course, is also where some of the best conceptual work comes from. If the merger of the two teams leads to better insights into how to progress from concept, through implementation to governance, we all win...&lt;br /&gt;&lt;br /&gt;Here's hoping that's how it plays out.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-1860697079132570946?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/1860697079132570946/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2010/01/gartner-acquisition-of-burton-group.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1860697079132570946'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1860697079132570946'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2010/01/gartner-acquisition-of-burton-group.html' title='Gartner acquisition of Burton Group'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-7482623238402475599</id><published>2009-12-31T12:40:00.002Z</published><updated>2009-12-31T13:16:32.376Z</updated><title type='text'>UK DNA retention policy</title><content type='html'>&lt;a href="http://futureidentity.blogspot.com/2009/11/uk-dna-policy-still-fails.html"&gt;Back in November&lt;/a&gt;, I blogged about the grudging way in which the current government appears to have reacted to the European Court of Human Rights' unanimous verdict, over a year ago, on the retention of DNA samples of those who are arrested but not subsequently charged or found guilty.&lt;br /&gt;&lt;br /&gt;The government would doubtless argue that this is a complex issue, in which the ECHR's verdict must be balanced against the needs of law enforcement; that they have judiciously carried out a consultation exercise; that their proposals create a proportionate retention policy... and so on.&lt;br /&gt;&lt;br /&gt;Unfortunately, as I noted in November, the ECHR already disagrees - based on the information which is in the public domain - and in March 2010 it will review the UK's progress towards compliance with the judgement issued in November 2008.&lt;br /&gt;&lt;br /&gt;Legally, then, the situation we have is this: the current policy (of indefinite retention at the discretion of Chief Constables) is reinforced by guidance from the Association of Chief Police Officers (ACPO) that such discretion should be exercised only under "exceptional circumstances". In other words, the &lt;span style="font-style: italic;"&gt;policy&lt;/span&gt; position is that the DNA of innocent people should normally be retained indefinitely. 
That, of course, is what the law still provides for, pending the passing of any new legislation which takes the ECHR's 2008 ruling into account.&lt;br /&gt;&lt;br /&gt;You might think that that leaves police forces in a clear position: the law is unchanged from before the ECHR ruling; ACPO guidance is that the default should be indefinite retention; until new legislation is introduced, the police have to enforce the current law.&lt;br /&gt;&lt;br /&gt;Except that that doesn't fit the observable facts - at least, according to the figures published in &lt;a href="http://news.bbc.co.uk/1/hi/uk_politics/8434713.stm"&gt;this BBC piece&lt;/a&gt; today. What it shows is that police forces across the country are responding to DNA deletion requests in ways which vary from "never" (0% of requests granted) to "almost always" (over 80% of requests granted). Of course, one should be wary of reading too much into as bare a set of statistics as those published in the article... For instance, most of the forces which have refused all requests have also had the lowest number of requests for deletion.&lt;br /&gt;&lt;br /&gt;However, when I see forces with comparable volumes of requests reacting in widely different ways, the simplest interpretation is that some forces have a default policy of refusal (for instance, in the case of Nottingham and Sussex: 0/16 and 1/28 requests granted, respectively) and others have a default policy of granting (for instance, Cleveland and Cumbria, with 12/17 and 15/19 requests granted, respectively).&lt;br /&gt;&lt;br /&gt;So, what conclusion would I draw, as we look forward to 2010 and the March ECHR review of UK policy in this area?&lt;br /&gt;&lt;br /&gt;Well - the law as it stands is clear, and has been ruled to be disproportionate. Despite its clarity, it is equally obviously being applied in radically different ways by different police forces across the country. 
The Home Secretary's proposals introduce - in the name of proportionality - a wider range of retention periods, depending on the offence committed (or not committed... the DNA of innocent people will still be retained under his proposals).&lt;br /&gt;&lt;br /&gt;I can see no prospect that that will result in a more consistent or more uniform application of the law across the country. If anything, it seems bound to worsen the arbitrary inconsistencies which the current statistics appear to demonstrate.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-7482623238402475599?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/7482623238402475599/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/12/uk-dna-retention-policy.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/7482623238402475599'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/7482623238402475599'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/12/uk-dna-retention-policy.html' title='UK DNA retention policy'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-843673163352605999</id><published>2009-12-23T15:29:00.004Z</published><updated>2009-12-23T16:17:52.805Z</updated><title type='text'>An end-of-year update</title><content 
type='html'>As Future Identity completes its first year, it's the obvious opportunity to do a quick round-up of some of the year's highlights.&lt;br /&gt;&lt;br /&gt;First, "collateral"... on the website (under&lt;a href="http://futureidentity.eu/Resources.php"&gt; Portfolio/Resources&lt;/a&gt;) you can find three white papers and a couple of slide decks, all on the theme of digital identity, privacy and related topics.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.futureidentity.eu/documents/RW-PETs.pdf"&gt;most recent white paper&lt;/a&gt; is one I wrote for the ISTR (Information Security Technical Report); it looks at the difficulty Privacy Enhancing Technologies seem to have had in taking off, and suggests a "maturity model" for working out what the inhibitors might be. The version on the website is a pre-print copy; for the published one, you need to go to Elsevier (who hold the copyright of the version which went to print).&lt;br /&gt;&lt;br /&gt;I've also got a book chapter coming out in "Financial Cryptography" early next year, on the more general topic of identity management. I'll post again when that is published.&lt;br /&gt;&lt;br /&gt;Second, lots of people kindly comment that I need to get out more ;^)  so I have done my best to keep visible and spread the word. It's ironic how visible you have to be if you want to be a privacy advocate.&lt;br /&gt;&lt;br /&gt;It's a little invidious to pick out specific events for mention, but I'm going to do so anyway. The ones which leap to mind from the last 12 months are:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;the GENI workshop at UC Davis, California: many thanks to Chip Elliott and Matt Bishop for making it possible for me to attend that so early in Future Identity's existence;&lt;/li&gt;&lt;li&gt;the last Liberty plenaries, in Santa Clara... 
but also the first Kantara plenaries in Las Vegas;&lt;/li&gt;&lt;li&gt;the Burton Group Catalyst conference in San Diego: thanks to Gerry, Bob and Ian for all their help and support with that - here's to &lt;a href="http://www.catalyst.burtongroup.com/EU10/"&gt;Catalyst EU 2010&lt;/a&gt;, in Prague in April;&lt;/li&gt;&lt;li&gt;the NetID conference in Berlin;&lt;/li&gt;&lt;li&gt;the EU e-Government conference in Malmø&lt;/li&gt;&lt;li&gt;and the TERENA and JISC events in Rome and Cardiff... for being such a fun bunch of people to work with...&lt;/li&gt;&lt;/ul&gt;And third, the people. It's been fascinating moving from the corporate environment (where, by and large, your colleagues &lt;span style="font-style: italic;"&gt;have &lt;/span&gt;to work with you) to the consulting world, where people have to &lt;span style="font-style: italic;"&gt;want&lt;/span&gt; to work with you. With that in mind, I'd just like to thank some of the many people who have been so important to Future Identity in its first year of life:&lt;br /&gt;&lt;br /&gt;Toby Stevens, Brett McDowell, Jim Purves, Gus Hosein, Edgar Whitley, Dervla O'Reilly, Britta Glade, Ian Glazer, Bob Blakley, Dave Birch, Trent Adams, Lucy Lynch, William Heath, Adriana Lukas, Sverre Bauck, Lizzie Coles-Kemp, Iain Henderson, Nicole Harris, Alan Stevens... 
and more others than I can sensibly mention.&lt;br /&gt;&lt;br /&gt;Thank you to all of you - and here's to 2010.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ZAC5dVE19pQ/SzJByYj3MDI/AAAAAAAAABs/sp2wDnrOfng/s1600-h/chair.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 400px; height: 226px;" src="http://1.bp.blogspot.com/_ZAC5dVE19pQ/SzJByYj3MDI/AAAAAAAAABs/sp2wDnrOfng/s400/chair.jpg" alt="" id="BLOGGER_PHOTO_ID_5418465635522261042" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-843673163352605999?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/843673163352605999/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/12/end-of-year-update.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/843673163352605999'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/843673163352605999'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/12/end-of-year-update.html' title='An end-of-year update'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_ZAC5dVE19pQ/SzJByYj3MDI/AAAAAAAAABs/sp2wDnrOfng/s72-c/chair.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-824283664005327388</id><published>2009-12-09T14:02:00.005Z</published><updated>2009-12-11T18:27:59.088Z</updated><title type='text'>A bitter cup ... proffered to us year by year</title><content type='html'>There's a &lt;a href="http://www.guardian.co.uk/commentisfree/libertycentral/2009/dec/09/data-databases"&gt;piece in today's Guardian Online&lt;/a&gt; by Michael Wills MP, Minister of State at MiniJust. It's a very reasonable, well-argued article in favour of a balanced dialogue between the government and other stakeholders about public sector retention of personal data.&lt;br /&gt;&lt;br /&gt;Reasonable and well-argued, that is, if you haven't really taken any notice of this topic over the last seven years or so, and have been too busy chewing small pieces of the Daily Mail and shoving them into your ears.&lt;br /&gt;&lt;br /&gt;On the other hand, if you have been watching this topic for a while, the article is more likely to come across as a rather sententious, smug bit of policy-laundering. 
Mr Wills calls for rational, respectful discourse, and accuses critics of the government's data retention and data sharing policies of resorting to rhetoric instead of looking at the evidence.&lt;br /&gt;&lt;br /&gt;I hope he won't find me too rhetorical or disrespectful if I offer a counter-example.&lt;br /&gt;&lt;br /&gt;On the National Identity Scheme, academics and researchers dug for all the evidence it was possible to uncover (while the government did its utmost to prevent its costings of the scheme from becoming known), published their findings in a dispassionate and constructive way, and for doing so, were personally vilified in parliament by the then Home Secretary, Charles Clarke.&lt;br /&gt;&lt;br /&gt;On the National DNA Database, the government resisted attempts to persuade it that its collection and retention policies were disproportionate, and continues to drag its feet towards any grudging change of policy, despite an unequivocal, unanimous and scathing judgement against it by the European Court of Human Rights over a year ago.&lt;br /&gt;&lt;br /&gt;On ContactPoint, the government has been able to offer no rational explanation of the risk assessment which leads it to conclude that the interests of vulnerable children are best served by centralising data about them and making it accessible to a population of some 330,000 users - the overwhelming majority of whom will have no reason to access the records of any given child.&lt;br /&gt;&lt;br /&gt;Mr Wills - when there is so much evidence in the public domain that the government will not engage in constructive debate about its policies on personal data, why should we believe your promises of a new, rational and respectful dialogue?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-824283664005327388?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://futureidentity.blogspot.com/feeds/824283664005327388/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/12/bitter-cup-proffered-to-us-year-by-year.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/824283664005327388'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/824283664005327388'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/12/bitter-cup-proffered-to-us-year-by-year.html' title='A bitter cup ... proffered to us year by year'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-1223957285071859916</id><published>2009-12-08T16:27:00.005Z</published><updated>2009-12-08T17:06:22.288Z</updated><title type='text'>On a nothing to hiding...</title><content type='html'>I wasn't going to write another blog post today - but some things really wind me up, and a particular trivialisation of the privacy debate comes very high on the list.&lt;br /&gt;&lt;br /&gt;While I was still at Sun, and had some responsibility for online identity and privacy, I spent years dealing with the fall-out from Scott McNealy's observation that "you have zero privacy... get over it". 
Now, I wouldn't wish the same fate on those Google employees who I know, because it doesn't take long to get tired of the smug smirk on the faces of those who throw your chief exec's remark back at you when you're trying to argue for better privacy.&lt;br /&gt;&lt;br /&gt;That said, I do think Google CEO Eric Schmidt's &lt;a href="http://www.theregister.co.uk/2009/12/07/schmidt_on_privacy/"&gt;recently-quoted remarks&lt;/a&gt; on privacy deserve a good deal of push-back. Whatever the full context - and I'm not assuming that that context is reflected in the press coverage - here's the bottom line; no-one's privacy interests are served by feeding the media with a sound-bite like this:&lt;br /&gt;&lt;blockquote&gt;"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place"&lt;/blockquote&gt;And he goes on to hide behind the petticoats of the Patriot Act, casually sliding past the notion that any of Google's users might live in regulatory regimes with non-US privacy norms, and abdicating the kind of responsibility one might feel entitled to expect from a global corporation.&lt;br /&gt;&lt;br /&gt;The real issue with Mr Schmidt's remark is the way in which it trivialises the concept of privacy - thus ensuring that the issues just won't get a serious airing. The point about privacy is not that it concerns those things you don't want &lt;span style="font-style: italic;"&gt;anyone&lt;/span&gt; to know: that is somewhere else on the scale... somewhere between secrecy and paranoia.&lt;br /&gt;&lt;br /&gt;No: the point about privacy is that it's about the things which you want to be known to some people, but not to others. 
If Eric doesn't understand that, then Google deserves a far rougher ride on privacy issues than it has been given to date.&lt;br /&gt;&lt;br /&gt;The broader  problem - as other articles have observed - is that Mr Schmidt's statement is basically a re-hash of the old chestnut that "if you've got nothing to hide, you've got nothing to fear". Again, no-one's privacy interests are served by saying things which give even a grain of credibility to that ridiculous expression - unless you like your life to be run on the philosophical principles of the average Christmas cracker motto.&lt;br /&gt;&lt;br /&gt;More specifically, here's why that particular saw irritates me so much. &lt;span style="font-style: italic;"&gt;&lt;/span&gt; "Having something to hide" expresses a relationship, not a state; you have something to hide &lt;span style="font-style: italic;"&gt;from someone.&lt;/span&gt; If you've got nothing to hide &lt;span style="font-style: italic;"&gt;from anyone&lt;/span&gt;, you probably don't live what the rest of us would consider a normal life. Similarly, if you have "something to fear", you have something to fear &lt;span style="font-style: italic;"&gt;from someone.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Now - to spell it out for Mr Schmidt and the other "nothing to hiders": I have nothing to hide &lt;span style="font-style: italic;"&gt;from my bank&lt;/span&gt; about my bank account, and how I access it, and what I do with it. I have plenty to hide  &lt;span style="font-style: italic;"&gt;from a fraudster&lt;/span&gt; about my bank account, and how I access it, and what I do with it... and plenty to fear &lt;span style="font-style: italic;"&gt;from a mugger&lt;/span&gt; who takes me to an ATM at knifepoint and demands that I withdraw cash. A relationship of healthy disclosure from me to my bank is not the same as a relationship of fear, coercion and exploitation with a mugger.&lt;br /&gt;&lt;br /&gt;There's a more insidious influence at work here, too. 
The idea that "if you have something to hide, you have something to fear" is founded on a presumption that "something to hide" is "something illegal". It's something you "shouldn't be doing in the first place"; others have either a right to stop you doing it, or no moral responsibility to prevent your behaviour from being publicised.  That seems to me to elide, quite dangerously, the distinction between what is illegal and what is merely shameful. At its worst, that attitude is intolerant, and culturally insular to the point of arrogance. If that's the set of social norms Mr Schmidt wants to live by, he's welcome to it... just as long as I retain the option to be elsewhere.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-1223957285071859916?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/1223957285071859916/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/12/on-nothing-to-hiding.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1223957285071859916'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1223957285071859916'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/12/on-nothing-to-hiding.html' title='On a nothing to hiding...'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-1119107188206064805</id><published>2009-12-08T13:11:00.005Z</published><updated>2009-12-08T13:57:18.547Z</updated><title type='text'>Proportionality, privacy and pubs</title><content type='html'>There's another of those &lt;a href="http://www.bigbrotherwatch.org.uk/home/2009/12/police-closing-pubs-for-inadequate-cctv-coverage.html"&gt;news stories&lt;/a&gt; today which makes me wonder if I've read it right. It concerns Lancashire Police, who are apparently exercising their power (under licensing laws introduced in 2005) to refuse a license to pubs which, in their view, have "inadequate security camera coverage". A PC from the licensing department of Preston police is quoted as saying:&lt;br /&gt;&lt;blockquote&gt;&lt;em&gt;"It's for public safety and their own safety to detect crime. &lt;/em&gt;&lt;em&gt;The pub had minimal CCTV – it wasn't recording. If an incident had happened and we needed to get evidence and locate an offender, we couldn't have from there. Even the staff aren't safe in those conditions."&lt;/em&gt;&lt;/blockquote&gt; A little research reveals that this isn't the first time something similar has been done. 
&lt;a href="http://www.privacylawyer.ca/blog/2009/02/uk-pub-required-to-install-cctv-to-get.html"&gt;This blog post&lt;/a&gt; from Canadian privacy lawyer David Fraser describes a similar case in Halifax (Nova Scotia, not West Yorkshire), and also &lt;a href="http://www.guardian.co.uk/uk/2009/feb/09/surveillance-privacy"&gt;refers to one&lt;/a&gt; in the Borough of Islington.&lt;br /&gt;&lt;br /&gt;To my mind, these cases raise several questions, perhaps the most important of which is this:&lt;br /&gt;&lt;br /&gt;- if the lack of CCTV can be cited (on grounds of public safety and the detection of crime) as a reason for closing down a pub, what locations cannot, logically, be similarly covered? Anywhere I go - whether indoors or outdoors, whether in a public place or someone's house, I could presumably fall victim to some kind of theft or assault. Why single out pubs?&lt;br /&gt;&lt;br /&gt;- Second, there's the question of evidence. It may well be that the Lancashire police insisted on CCTV in this particular pub because of some history of criminal activity there... but as the piece on the BigBrotherWatch site points out, there are also cases where the presence of CCTV footage has failed to deliver the promised evidence in support of effective law enforcement. Where are the criteria and facts which would support the decision to insist on CCTV in one place and not another?&lt;br /&gt;&lt;br /&gt;And that brings us to the third point; given that the police have been granted power over the licensing conditions, the power to insist on disclosure of the personal data collected, and the authority to use that to arrest people, why do they not have a corresponding responsibility to ensure that such systems are operated correctly and accountably? 
As a simple example - why don't the police, as part of their licensing responsibilities, have a duty to ensure that any CCTV installation is appropriately labelled with the identity and contact details of the owner/operator, and the purpose for which the cameras are used?&lt;br /&gt;&lt;br /&gt;With any other form of data collection, the data controller would be legally obliged to issue a fair processing notice, be identifiable, and be accessible to Subject Access Requests. With any other form of data collection, the notion of informed consent would be applicable. Why is CCTV treated differently?&lt;br /&gt;&lt;br /&gt;When it comes down to it, the balance of the Police's powers in this instance is simply wrong: as things stand, they have the power simply to compel a landlord to install CCTV or be shut down; surely it would be more appropriate for the police to have to show, as a condition of refusing a licence, that it is appropriate, in this instance, for them to make use of the powers and duties available to them under RIPA. This would impose a requirement to show that the surveillance is proportionate and accurately reflects a need to act on specific risks. 
It would also introduce an obligation to consider the balancing imperatives of the Human Rights Act.&lt;br /&gt;&lt;br /&gt;Whether or not you feel that CCTV in and around pubs is a sensible law enforcement mechanism, there is surely a gross imbalance here between what is currently deemed proportionate in terms of surveillance, and what is considered necessary in terms of accountability and subject access.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-1119107188206064805?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/1119107188206064805/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/12/proportionality-privacy-and-pubs.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1119107188206064805'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1119107188206064805'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/12/proportionality-privacy-and-pubs.html' title='Proportionality, privacy and pubs'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-1159212005062502963</id><published>2009-12-03T12:49:00.002Z</published><updated>2009-12-03T13:15:51.667Z</updated><title type='text'>Reding [sic] the tea-leaves</title><content type='html'>In Jose Manuel Barroso's recent reshuffle of the 
European Commission, there were a couple of moves which bear some further inspection, from a privacy/identity perspective.&lt;br /&gt;&lt;br /&gt;The former Commissioner for Information Society, Viviane Reding, is promoted to one of the Vice Presidents of the Commission, and given a new portfolio as Commissioner for Justice, Fundamental Rights and Citizenship. She has also been given the task of overhauling the Data Protection Directive (now 15 years old...).&lt;br /&gt;&lt;br /&gt;Her former role passes to Neelie Kroes, who was previously Competition Commissioner (and oversaw, for instance, some of the Commission's fiercest battles with Microsoft - on media player bundling, IE/Windows bundling, publication of technical interoperability documentation, Microsoft Office "Open" XML, and so on, and so forth...).&lt;br /&gt;&lt;br /&gt;She has a reputation for being able to dive into the detailed technicalities of a brief, and for being extremely tenacious in pushing towards her intended goal.&lt;br /&gt;&lt;br /&gt;There's no doubt in my mind that, had the task of reviewing and revising the Data Protection Directive been left on the Commissioner's desk at DG InfoSoc, Dr Kroes could have taken it on with competence and determination... which leads me to wonder what the implications are of Commissioner Reding taking it with her to her new role.&lt;br /&gt;&lt;br /&gt;With the background of her four years heading DG InfoSoc, Commissioner Reding should have all the subject-matter expertise needed to make a proficient job of revising the Directive. 
However, what is perhaps more significant is the departmental context in which she will now undertake that work.&lt;br /&gt;&lt;br /&gt;Instead of doing it from within DG InfoSoc, she will now do it in the same DG as is responsible for programmes such as &lt;a href="http://ec.europa.eu/justice_home/funding/rights/funding_rights_en.htm"&gt;this&lt;/a&gt;; the development of a framework for a European society based on notions of fundamental rights and rights derived from EU citizenship.&lt;br /&gt;&lt;br /&gt;That suggests to me that, if anything, the revised DP Directive will be founded on even stronger links to notions of fundamental human rights and the social/citizenship context.&lt;br /&gt;&lt;br /&gt;I foresee some lively discussions of principle between the EU and its partners, particularly where those partners either take a different view of what &lt;span style="font-style: italic;"&gt;are &lt;/span&gt;fundamental rights, or of how great a role they should play in determining policy on the processing of personal data.&lt;br /&gt;&lt;br /&gt;If Commissioner Reding wished to live in interesting times, I think her wish may have been granted.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-1159212005062502963?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/1159212005062502963/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/12/reding-sic-tea-leaves.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1159212005062502963'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1159212005062502963'/><link rel='alternate' type='text/html' 
href='http://futureidentity.blogspot.com/2009/12/reding-sic-tea-leaves.html' title='Reding [sic] the tea-leaves'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-2316403677226291334</id><published>2009-11-28T16:48:00.004Z</published><updated>2009-12-03T12:49:51.985Z</updated><title type='text'>Compounding errors and debit interest</title><content type='html'>Well - good news on the home finances front; now that my offspring's student loan cheque for this year has come through, I've been able to pinch it and pay off a chunk of my credit card debt. After all, she's got a whole working life ahead, during which to pay off the debt, so why not? Plus, it's not really her money to start with, so she probably won't miss it much.&lt;br /&gt;&lt;br /&gt;Actually, I made that up. Would I pull such a scurrilous trick? Well, that might depend whose example I was following.&lt;br /&gt;&lt;br /&gt;I saw on the &lt;a href="http://news.bbc.co.uk/1/hi/world/americas/8382014.stm"&gt;news yesterday&lt;/a&gt; that Gordon Brown has joined with Nicolas Sarkozy to propose a $10bn fund to help developing nations mitigate the impact of climate change measures. 
Laudable as that goal may be, the proposal does smack of what Mr Brown &lt;a href="http://www.independent.co.uk/news/brown-will-cancel-third-world-debt-1133042.html"&gt;said as Chancellor ten years ago&lt;/a&gt; about writing off third world debt...&lt;br /&gt;&lt;br /&gt;At the time, he derived huge political capital from the move, and yet by 2004 the tangible results hardly reflected the rhetoric:&lt;br /&gt;&lt;blockquote&gt;"Zambia, which receives the maximum relief available under the scheme, still paid out £313m in 2003 - three times its combined education and health budgets of around £100m" - &lt;a href="http://www.thirdsector.co.uk/Channels/Fundraising/Article/610934/Budget-Chancellor-urged-act-third-world-debt/"&gt;Third Sector website, 24/3/2004&lt;/a&gt;&lt;br /&gt;&lt;/blockquote&gt;As I say, the goals are laudable, but Mr Brown's pronouncements on the world stage must surely ring hollow to an electorate which has seen him make so many generous gestures... with other people's money. We've had his notorious and irreparable raid on the pension investments of millions of taxpayers, and of course more recently his massive programme of bail-outs and stakeholdings in UK banks, funded by the public purse. Whatever the policy imperatives, these moves have ensured that our children will shoulder a burden of debt throughout their economically active lives, and will finish with even worse pension prospects than the current generation.&lt;br /&gt;&lt;br /&gt;Even this current proposal (to offset poorer countries' climate change measures) has attracted criticism; according to the Ekklesia site &lt;a href="http://www.ekklesia.co.uk/node/10542"&gt;here&lt;/a&gt;, the way the deal is structured may simply aggravate developing countries' debt problems - while still allowing the funds to be used, for instance, to build coal-fired power stations. 
That sounds a lot like a lose-lose to me.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-2316403677226291334?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/2316403677226291334/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/11/compounding-errors-and-debit-interest.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2316403677226291334'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2316403677226291334'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/11/compounding-errors-and-debit-interest.html' title='Compounding errors and debit interest'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-2479825612454090676</id><published>2009-11-28T16:33:00.004Z</published><updated>2009-11-28T16:47:51.789Z</updated><title type='text'>ComputerWeekly IT blog awards...</title><content type='html'>So, no cigar this year in the ComputerWeekly IT blog awards, but it was an honour to be shortlisted for a second year running, especially as this year it was for the relatively infant blog of Future Identity. 
Thanks so much to all those who voted for it.&lt;br /&gt;&lt;br /&gt;Many congratulations, then, to Alim Ozcan, whose &lt;a href="http://www.itpreport.com/default.asp?Mode=List&amp;amp;Lev1=Alim%20Ozcan%20Blog&amp;amp;R=GL"&gt;blog&lt;/a&gt; on ITP Report won the IT Consultant/Analyst category, and &lt;a href="http://www.sophos.com/blogs/gc/"&gt;Graham Cluley &lt;/a&gt;of Sophos, who won the IT Security category and the "Best of the Best" award.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-2479825612454090676?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/2479825612454090676/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/11/computerweekly-it-blog-awards.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2479825612454090676'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2479825612454090676'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/11/computerweekly-it-blog-awards.html' title='ComputerWeekly IT blog awards...'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-361896920933672762</id><published>2009-11-28T11:13:00.005Z</published><updated>2009-12-09T13:51:44.533Z</updated><title type='text'>UK DNA policy (still) fails proportionality test</title><content type='html'>It 
is now a year since the European Court of Human Rights' (ECHR) &lt;a href="http://www.theregister.co.uk/2008/12/17/david_mery_reclaim_your_dna/"&gt;ruling&lt;/a&gt; on UK vs. S and Marper. The court's ruling in that case was clear: the UK government's policy of systematic and indiscriminate retention of DNA samples, DNA profiles and fingerprints of those acquitted of any offence is disproportionate. The government had, it says, &lt;blockquote style="font-style: italic;"&gt;"overstepped any acceptable margin of appreciation in this regard".&lt;/blockquote&gt;Grudgingly and slowly, the government is considering amending its policy - but only to the extent of conceding on indefinite retention. [Editorial update: as of December 9th, the Council of Europe expressed its concern that the new proposals probably still fail the proportionality tests required by the ECHR. They are keeping the dossier open, and will review the UK position again in March 2010].&lt;br /&gt;&lt;br /&gt;Under the Home Secretary's current proposals, the data and samples of the innocent are now only to be held for 6 years (there's an excellent &lt;a href="http://www.parliament.uk/commons/lib/research/briefings/snha-04049.pdf"&gt;summary paper here&lt;/a&gt;, on the House of Commons Library website). The ruling in full is accessible online &lt;a href="http://cmiskp.echr.coe.int/tkp197/view.asp?action=html&amp;amp;documentId=843941&amp;amp;portal=hbkm&amp;amp;source=externalbydocnumber&amp;amp;table=F69A27FD8FB86142BF01C1166DEA398649"&gt;here&lt;/a&gt;. It's well worth a read; almost every paragraph contains something to back up the view that the policy on DNA retention is intrusive and obnoxious. For instance, how about this section on the Police and Criminal Justice Act 2001 (my emphasis):&lt;br /&gt;&lt;blockquote&gt;&lt;p class="Ju-005fPara"&gt;27.  
As to the retention of such fingerprints and  samples (and the records thereof), section 64 (1A) of the PACE was substituted  by Section 82 of the Criminal Justice and Police Act 2001. It provides  as follows:&lt;/p&gt; &lt;p class="Ju-005fQuot"&gt;“Where - (a) fingerprints or samples are taken  from a person in connection with the investigation of an offence, and  (b) subsection (3) below does not require them to be destroyed, the  fingerprints or samples may be retained after they have fulfilled the  purposes for which they were taken but shall not be used by any person  except for purposes related to the prevention or detection of crime,  the investigation of an offence, or the conduct of a prosecution. ...&lt;/p&gt; &lt;p class="Ju-005fQuot"&gt;(3) If - (a) fingerprints or samples are taken  from a person in connection with the investigation of an offence; and  (b) that person is not suspected of having committed the offence, &lt;span style="font-style: italic;"&gt;they  must except as provided in the following provisions of this Section  be destroyed&lt;/span&gt; as soon as they have fulfilled the purpose for which they  were taken.&lt;/p&gt; &lt;p class="Ju-005fQuot"&gt;(3AA) Samples and fingerprints are not required  to be destroyed under subsection (3) above if (a) they were taken for  the purposes of the investigation of an offence &lt;span style="font-style: italic;"&gt;of which a person has  been convicted&lt;/span&gt;; and (b) a sample or, as the case may be, fingerprint  was also taken &lt;span style="font-style: italic;"&gt;from the convicted person for the purposes of that investigation&lt;/span&gt;.”&lt;/p&gt;&lt;/blockquote&gt;Even the ECHR judges somewhat understate the case against retention - for instance, in this paragraph:&lt;br /&gt;&lt;blockquote&gt;"78.  It is common ground that fingerprints do not  contain as much information as either cellular samples or DNA profiles.  "&lt;/blockquote&gt;Unfortunately, that is not accurate. 
The fingerprints themselves (as opposed to any scanned or photographic record of them) consist of natural oils and skin cells - which of course contain the subject's DNA. There is plenty of published material on the practicalities of small-sample DNA analysis, and the technique has been used by UK law enforcement agencies. In other words, fingerprints not only contain the same information as cellular samples, they contain cellular samples in a very individual layout - the fingerprint itself.&lt;br /&gt;&lt;br /&gt;But I digress...&lt;br /&gt;&lt;br /&gt;What I really wanted to do was point to three excellent blog posts on the "justification" for DNA collection and retention in the UK system.&lt;br /&gt;&lt;br /&gt;The first is &lt;a href="http://amberhawk.typepad.com/amberhawk/2009/11/long-retention-of-dna-personal-data-has-little-to-do-with-detecting-ordinary-crime.html"&gt;this one&lt;/a&gt; from Privacy law specialists Amberhawk - correlating the government's own re-offending statistics with their assertions about the benefits of 6-year retention.&lt;br /&gt;&lt;br /&gt;The Tech and Law blog has further analysis of the Amberhawk piece, &lt;a href="http://blog.tech-and-law.com/2009/11/dna-retention-disproved-by-statistics.html"&gt;here&lt;/a&gt;, including a link to a &lt;a href="http://www.guardian.co.uk/politics/2009/nov/27/dna-retention-g20-police-accountability"&gt;trenchant letter&lt;/a&gt; questioning both the practicality and the proportionality of the current policy.&lt;br /&gt;&lt;br /&gt;And finally, Toby Stevens adds his excellent analysis &lt;a href="http://www.computerweekly.com/blogs/the-data-trust-blog/2009/11/feed-me-alan-make-me-strong.html"&gt;here&lt;/a&gt;, setting out (among other things) four fundamental flaws with the current approach. 
In passing, he notes that the UK's national DNA database is (perhaps thankfully) unique; no other country has one like it, or uses DNA in the same way.&lt;br /&gt;&lt;br /&gt;Which brings us back to the ECHR's judgement in UK vs S and Marper. Sections 47 and 48 of that judgement bear repeating in full (my emphasis):&lt;br /&gt;&lt;blockquote&gt;"47.  &lt;span style="font-style: italic;"&gt;The United Kingdom is the only member State  expressly to permit the systematic and indefinite retention of DNA profiles  and cellular samples of persons who have been acquitted or in respect  of whom criminal proceedings have been discontinued&lt;/span&gt;. Five States (Belgium,  Hungary, Ireland, Italy and Sweden) require such information to be destroyed &lt;span class="Ju-005fPara--Char" style="font-style: italic;"&gt;ex officio&lt;/span&gt;  upon acquittal or the discontinuance of the criminal proceedings. Ten  other States apply the same general rule with certain very limited exceptions:  Germany, Luxembourg and the Netherlands allow such information to be  retained where suspicions remain about the person or if further investigations  are needed in a separate case; Austria permits its retention where there  is a risk that the suspect will commit a dangerous offence and Poland  does likewise in relation to certain serious crimes; Norway and Spain  allow the retention of profiles if the defendant is acquitted for lack  of criminal accountability; Finland and Denmark allow retention for  1 and 10 years respectively in the event of an acquittal and Switzerland  for 1 year when proceedings have been discontinued. In France DNA profiles  can be retained for 25 years after an acquittal or discharge; during  this period the public prosecutor may order their earlier deletion,  either on his or her own motion or upon request, if their retention  has ceased to be required for the purposes of identification in connection  with a criminal investigation. 
Estonia and Latvia also appear to allow  the retention of DNA &lt;span style="font-style: italic;"&gt;profiles&lt;/span&gt; of suspects for certain periods after  acquittal. &lt;p class="Ju-005fPara"&gt;48.  The retention of DNA profiles of convicted  persons is allowed, as a general rule, for limited periods of time after  the conviction or after the convicted person's death. &lt;span style="font-style: italic;"&gt;The United Kingdom  thus also appears to be the only member State expressly to allow the  systematic and indefinite retention of both profiles and samples of  convicted persons&lt;/span&gt;."&lt;/p&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-361896920933672762?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/361896920933672762/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/11/uk-dna-policy-still-fails.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/361896920933672762'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/361896920933672762'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/11/uk-dna-policy-still-fails.html' title='UK DNA policy (still) fails proportionality test'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-4673197405582185395</id><published>2009-11-27T11:56:00.004Z</published><updated>2009-11-27T12:53:45.921Z</updated><title type='text'>Three-way translation</title><content type='html'>In my &lt;a href="http://futureidentity.blogspot.com/2009/11/eu-to-legislate-on-cookies.html"&gt;previous post&lt;/a&gt; on cookies and privacy in the new EU Directive, I mentioned, in passing, the question of user consent. I think it's time to return to that for a closer look. First, a couple of references to set context:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Ralf Bendrath's comment, &lt;a href="http://bendrath.blogspot.com/2009/11/european-parliament-on-privacy-vs.html"&gt;here&lt;/a&gt;, on the recently-adopted Stockholm Programme. This, he notes, includes an amendment in which the European Parliament&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;blockquote&gt;"... stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to fundamental rights obligations. The balance between security and freedom is to be seen in that perspective".&lt;br /&gt;&lt;br /&gt;This is a clear indication of the way the Parliament thinks that balance ought to tilt.&lt;br /&gt;&lt;/blockquote&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.out-law.com/page-10550"&gt;This analysis&lt;/a&gt; from Pinsent Masons' Out-Law blog, in which they compare the text of the new cookie law with the interpretation of the same by some online advertising bodies. 
The advertisers point to a clause in the preamble of the telecom package, which says:&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;blockquote&gt;"Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC [the Data Protection Directive], the user's consent to processing may be expressed by using the appropriate settings of a browser or other application."&lt;br /&gt;&lt;/blockquote&gt;According to the advertisers, this lets them off the hook - because a user's consent can be inferred from the fact that their browser is set to allow cookies or block them.&lt;br /&gt;&lt;br /&gt;However, there are several rather fatal flaws in that argument. A couple are pointed out by Struan Robertson (whose previous analysis I quoted in my other post):&lt;br /&gt;&lt;blockquote&gt;"Most browsers don't default to blocking all cookies and most people don't change their browser settings, so it's hard to say that effective consent is conveyed by browser settings," said Robertson. “Also, browsers can’t tell you the purpose of a cookie."&lt;/blockquote&gt;On a strict interpretation, the point about "purpose" ought to be fatal in itself: it would generally mean that relying on the browser setting to imply consent would fail the test of compliance with the Data Protection Directive (purpose of collection == purpose of use); if the user has no indication of purpose of collection, how can they meaningfully consent (and how can inappropriate use be detected)?&lt;br /&gt;&lt;br /&gt;Next - given the number of people who pay little or no attention to the default cookie settings of their browsers (assuming they are even aware of them in every browser or internet terminal they use), it would be tough for a website owner to prove that the setting in effect on a given visit was chosen by the user, as opposed to merely being a default setting. 
What's more, the new law repeatedly mentions the need for the user to be clearly informed before access is effected to their device - so this law isn't just calling for implied consent, it's calling for informed and  explicit consent. (Note the clear qualification in the preamble: "Where it is technically possible &lt;span style="font-style: italic;"&gt;and effective&lt;/span&gt;...").&lt;br /&gt;&lt;br /&gt;Now, it's fair to argue that explicit consent is an unreasonable expectation unless and until there is a general change in people's awareness of cookies... and advertisers will doubtless maintain that it's not their fault we like to ignore or dispense with cookie warnings in the interests of convenience. But that argument can also reasonably be countered by saying that poor consent-seeking practice up to now can hardly be used to excuse it in future.&lt;br /&gt;&lt;br /&gt;Finally, the Pinsent Masons article makes one other extremely valuable contribution to the debate, in quoting Commissioner Reding's clarificatory comments on the question. 
I use the word clarificatory in its loosest possible sense.&lt;br /&gt;&lt;br /&gt;According to the Commissioner, there are two kinds of cookie: "technical cookies", without which the internet would cease to function (and which, therefore, we are presumably to allow without question), and "spy cookies", which are the ones this law is clearly intended to regulate.&lt;br /&gt;&lt;br /&gt;This reminds me of that Not The Nine O'Clock News sketch in which a disgruntled aide induces his president to include phrases like "cupcakes" and "big, floppy, dangly bits" in a public address.&lt;br /&gt;&lt;br /&gt;Quite apart from the glaring absurdity of browser manufacturers now having to enhance their products to include a Privacy Settings option which allows users to turn "spy cookies" off while leaving "technical cookies" in place, there's also the minor (though not entirely unexpected) problem that the law itself does not, of course, make any mention of these mythical creatures.&lt;br /&gt;&lt;br /&gt;We all understand the difficulties which can arise when a legislator tries to express technical concepts in terms which are meant to be accessible either to other legislators or to the general public - but the perfectly-coiffured Commissioner has been in post now for almost exactly five years. 
Surely that - and her professional career as a journalist - must have taught her the danger of such ill-conceived dumbing-down?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-4673197405582185395?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/4673197405582185395/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/11/three-way-translation.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4673197405582185395'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4673197405582185395'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/11/three-way-translation.html' title='Three-way translation'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-261523556099119383</id><published>2009-11-25T14:08:00.002Z</published><updated>2009-11-25T14:32:50.280Z</updated><title type='text'>Revenue Protection Support Staff</title><content type='html'>This blog post is named for the people First Great Western employ to make sure no-one travels on their trains without paying.&lt;br /&gt;&lt;br /&gt;Although I live only 20 minutes' walk from the nearest station, and used to use FGW to commute 2-3 times a week from there to Paddington, I no longer do so - preferring to drive 50 miles and take a (South-West) train 
to Waterloo instead. It takes the same time, door to door, and saves me £50 compared to the cost of a standard return ticket with FGW. And yes, I am including the cost of the petrol for the 100-mile round trip drive. It's insane.&lt;br /&gt;&lt;br /&gt;To get to last week's e-Government conference, I took the train from Copenhagen airport across to Malmo. Unfortunately I cocked up the ticket-buying process in most respects: what I thought was an "open" return turned out to be only a 24-hour one, and in any case I didn't realise, in my rush to board the train, that I was supposed to validate the ticket in a machine on the platform.&lt;br /&gt;&lt;br /&gt;To make matters worse, I didn't discover any of this until the return rail journey, when a ticket inspector was doing his rounds of the carriage. As the various errors emerged, my heart sank. Having seen other people go through the equivalent process at the hands of FGW's Revenue Protection Support Staff, my immediate reaction was "this is going to be expensive". However, he assured me there was no need to worry, explained about the ticket validation and return period, endorsed my ticket with a date/time of outward journey, wished me a pleasant journey, and that was that.&lt;br /&gt;&lt;br /&gt;Oh, and incidentally, that service runs every 20 minutes, all day, every day.&lt;br /&gt;&lt;br /&gt;If you travel by FGW, they don't call it a train - they call it a "service" - or at least, they did when I last used one. 
I don't think that word means what they think it means.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-261523556099119383?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/261523556099119383/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/11/revenue-protection-support-staff.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/261523556099119383'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/261523556099119383'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/11/revenue-protection-support-staff.html' title='Revenue Protection Support Staff'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-5063662847090149748</id><published>2009-11-19T16:26:00.004Z</published><updated>2009-11-19T17:52:18.682Z</updated><title type='text'>Notes from Malmø eGov2009</title><content type='html'>Earlier today I Twittered from the Ministerial eGovernment Conference in Malmø (#egov2009), expressing the hope that the press release would contain a bit more substance than the keynote announcement of the Ministerial Declaration. I am delighted to say, having got my hands on a copy of the full text, that it does. 
(PDF of the Declaration available online &lt;a href="http://www.se2009.eu/polopoly_fs/1.24306%21menu/standard/file/Ministerial%20Declaration%20on%20eGovernment.pdf"&gt;here&lt;/a&gt;.)&lt;br /&gt;&lt;br /&gt;First, though, here were the policy priorities announced by Mats Odell, Sweden's Minister for Local Government and Financial Markets:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Use eGovernment services to empower citizens and businesses;&lt;/li&gt;&lt;li&gt;Improve mobility in the single market;&lt;/li&gt;&lt;li&gt;Improve efficiency and effectiveness in eGovernment.&lt;/li&gt;&lt;/ul&gt;On that basis, you can probably see why the initial announcement left me somewhat underwhelmed. Was this, I wondered, really the culmination of four years' policy and implementation work since the Manchester Declaration (which, at the time, I had actually thought was quite good...)?&lt;br /&gt;&lt;br /&gt;Second, I have to say there is also still quite a lot in the full text which mostly prompts the reaction: "Oh....   well, weren't you either doing, or supposed to be doing that anyway?". For instance, Article 13 promises to involve stakeholders in public policy processes. Well, good.&lt;br /&gt;&lt;br /&gt;Incidentally, while we're on page 3 of the document, Article 12 will raise more than a few hollow laughs:&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;/span&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;"We will explore how we can make our administrative processes more transparent. Transparency promotes accountability and trust in government".&lt;/span&gt;&lt;/blockquote&gt;Not 10 days ago, the Court of Auditors declined to sign off the accounts of the European Commission for the 15th year in a row. 
Is it facile to suggest that as a starting point?&lt;br /&gt;&lt;br /&gt;That good old standby "reduction of the administrative burden for citizens and business" still gets an airing (Article 17) - and rather disappointingly, "respect for privacy and data protection" gets buried under that heading, whereas I would have thought it deserves to headline in an article of its own.&lt;br /&gt;&lt;br /&gt;Article 18 is a bit "meh" as well: policymakers should "consider how organisational processes could be improved". Laudable, but it doesn't exactly make me want to run out and have it printed on a t-shirt.&lt;br /&gt;&lt;br /&gt;OK, so having got some of the gripes off my chest, what did I pick out as being positive aspects of the Declaration?&lt;br /&gt;&lt;br /&gt;Well, actually, the opening Background statement is pretty good. It notes that the economic, social and environmental landscape is grim, and that despite (or perhaps even because of) that, citizens' expectations for open, flexible and collaborative government are high.&lt;br /&gt;&lt;br /&gt;It goes on to acknowledge that eGovernment extends beyond national boundaries, and across the divide between the public and commercial sectors.&lt;br /&gt;&lt;br /&gt;It also suggests - which I think is fair - that some of the progress to date in e-government, and in collaboration between different member states, has happened because of the political will expressed through the precursors of this year's Declaration.&lt;br /&gt;&lt;br /&gt;Other positive signs:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The tone of the Declaration is one which acknowledges that the eGovernment services of the future will be co-produced by citizens and third parties. 
That might not be going far enough, of course: there's already evidence that citizens and third parties are creating public services without  the direction or collaboration of government - so the latter might find that it needs to re-calibrate its notion of "open and collaborative" quite radically.&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;There's an explicit call, in Article 19, for public administrations to exploit IT in their efforts to reduce carbon footprint.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;Article 21 is explicit about the benefits of using open specifications - not least, to stimulate effective and open competition in the market. If the political will persists to enforce that effectively over time, the potential benefits are huge.&lt;/li&gt;&lt;/ul&gt;There's more (if you count the nested lists, there are about 40 paragraphs in total), and in essence the full text does a lot more than the keynote suggested. I compared it rather unfavourably with the Manchester Declaration earlier; in retrospect that's probably not giving a fair picture.&lt;br /&gt;&lt;br /&gt;The current Declaration treats some of the key Manchester themes almost as "solved problems": for instance, "trustworthy electronic identifiers" for citizens pops up only in Article 26 (d) - in the final recommendations - with a note that "activity should be intensified" and "gaps closed in cross-border interoperability and mutual recognition".&lt;br /&gt;&lt;br /&gt;The way I see it is this: there are definitely eGovernment problems to solve today, which only present themselves because of the increased sophistication of some current implementations (and those implementations, of course, are based on previous progress). In other words, solving one set of problems usually just raises you within reach of the next set. To extend that analogy a little: previous work has built a ladder which means we can reach out towards the next set of goals. 
My worry is that some of the rungs below us (and, if we're unlucky, bits of the ladder itself) are either missing or not very well put together.&lt;br /&gt;&lt;br /&gt;However, we are where we are - and the heartening thing about this year's exhibition area was the sophistication and practicality of many of the systems being shown. To me, they suggest that there is good practice out there in abundance, if the rest of us are only prepared to look and learn.&lt;br /&gt;&lt;br /&gt;A live stream of the awards announcement is running in another tab even as I type, so there is just time to list the winners (hot off the feed):&lt;br /&gt;&lt;br /&gt;EU OPA - the European Order for Payments Application&lt;br /&gt;&lt;br /&gt;Genvej - Gentofte Kommune's citizen services project&lt;br /&gt;&lt;br /&gt;MEPA - Italian eMarketplace for Public Administration&lt;br /&gt;&lt;br /&gt;AFN/MB - Portuguese project to issue hunting licenses via the Multibanco ATM network.&lt;br /&gt;&lt;br /&gt;And a "public vote" prize goes to the Turkish Ministry of Justice project on SMS messaging for legal cases which are in progress.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-5063662847090149748?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/5063662847090149748/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/11/notes-from-malm-egov2009.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/5063662847090149748'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/5063662847090149748'/><link rel='alternate' type='text/html' 
href='http://futureidentity.blogspot.com/2009/11/notes-from-malm-egov2009.html' title='Notes from Malmø eGov2009'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-4658755589886143898</id><published>2009-11-16T15:31:00.007Z</published><updated>2009-11-27T11:56:42.957Z</updated><title type='text'>EU to legislate on cookies</title><content type='html'>UK readers will probably remember one of those legal wrangles which make for such easy satire -  the protracted argument over whether a Jaffa Cake is a cake or a biscuit (for VAT purposes, of course...)&lt;br /&gt;&lt;br /&gt;It looks as though the European Commission is heading towards a similar argument about cookies - though there may not be much discussion, as the Directive in question has apparently already been approved and merely awaits a few signatures and a rubber stamp or two.&lt;br /&gt;&lt;br /&gt;This is about amendments to 2002/58/EC; the Directive on Privacy and Electronic Communications. There are amendments to several areas of the original Directive, but the one which is currently exercising an articulate group of higher-education identity federation experts is nicely summarised &lt;a href="http://www.out-law.com/page-10510"&gt;here&lt;/a&gt;, by Struan Robertson of law firm Pinsent Masons. I recommend a read of his blog post; it isn't often you see a lawyer describe proposed legislation as "breathtakingly stupid"... but I should also point out that he makes that comment off his own bat, so to speak, and not on behalf of his employers.&lt;br /&gt;&lt;br /&gt;The amendments in question are apparently intended to regulate the storing and use of cookies on end users' devices. 
I say "apparently", because the further one gets into the practicalities of it, the less clear it is how the legislation could be put into any meaningful practice.&lt;br /&gt;&lt;br /&gt;I've no doubt the intent of the amendments is both clear and laudable: to improve privacy outcomes for (EU) citizens going about their online life. In practice, though, there are pitfalls which the legislation seems doomed to encounter - several of them probably fatal.&lt;br /&gt;&lt;br /&gt;The way the amendment is phrased (it's a replacement of Article 5.3, for those who like to read that kind of thing - see Struan's post, or read p.77 of the document &lt;a href="http://register.consilium.europa.eu/pdf/en/09/st03/st03674.en09.pdf"&gt;here&lt;/a&gt; if you prefer the unexpurgated version) makes it fairly clear to me that what they are trying to regulate is access to the end user's machine. In other words, if you want to put something on my PC, or read something you put there earlier, you will need to be able to show that I gave my consent. As I say, laudable and straightforward. Until you start to go through the permutations:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;What if I'm using my PC outside the EU?&lt;/li&gt;&lt;li&gt;What if I'm inside the EU, but accessing a cookie-setting site which is outside the EU?&lt;/li&gt;&lt;li&gt;What about non-EU citizens, in the EU, accessing EU sites?&lt;/li&gt;&lt;li&gt;Or non-EU citizens accessing EU sites from elsewhere?&lt;/li&gt;&lt;li&gt;Or non-EU citizens accessing non-EU sites via a mobile device, roaming through an EU telco?&lt;br /&gt;&lt;/li&gt;&lt;li&gt;... 
and so on and so on...&lt;/li&gt;&lt;/ul&gt;There are many other aspects one could dive into similarly - such as "what counts as consent?", or "how on earth will users cope with all those pop-ups" - but we haven't got all week.&lt;br /&gt;&lt;br /&gt;Before long, a yawning gap opens up between what the legislation is capable of saying, and what it would take to describe something implementable. Depressingly, this really should not have come as a surprise either to the legislators or their drafters. After all, this is merely the next evolution of some quite long-standing network-mediated problems:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;the advent of satellite broadcasting introduced us to the problems of whether such services were to be regulated at the "up-link", the "down-link", or some combination of both;&lt;/li&gt;&lt;li&gt;internet e-commerce has given us plenty of opportunities to work out how you establish distance contracts, between parties under different regulatory regimes.&lt;/li&gt;&lt;/ul&gt;On that basis, there seems to me to be no excuse for this current legislative initiative to be so woefully half-baked.&lt;br /&gt;&lt;br /&gt;All of which brings us back, in a way, to the humble Jaffa Cake; and why not? For those who didn't follow the saga, this went as far as a court case between leading manufacturer McVitie and Her Majesty's Customs and Excise, as they were at the time. The conclusion was that legally, they are cakes. The court found that a cake is something which starts off soft and goes hard when it gets stale... whereas a biscuit, they found, starts off hard and goes soft as it gets stale. 
The majesty of the law leaves me awe-struck sometimes, it really does.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-4658755589886143898?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/4658755589886143898/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/11/eu-to-legislate-on-cookies.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4658755589886143898'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4658755589886143898'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/11/eu-to-legislate-on-cookies.html' title='EU to legislate on cookies'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-3386337697676182041</id><published>2009-11-04T11:35:00.002Z</published><updated>2009-11-04T11:47:35.263Z</updated><title type='text'>What the Home Secretary didn't say</title><content type='html'>All of us, from time to time, have something which we want to avoid saying: "I'm sorry", "I was wrong", "Let's do it your way..." and so on.&lt;br /&gt;&lt;br /&gt;There are some tried and tested tactics for these situations. 
For instance:&lt;br /&gt;&lt;br /&gt;1 - Change the subject - "Oh look, there's a gecko in my cereal!";&lt;br /&gt;&lt;br /&gt;2 - Completely ignore the subject:&lt;br /&gt;&lt;br /&gt;Bored offspring: "Mum... mum... I need £10, Michael and I are going to the park to drink cider"&lt;br /&gt;Parent (from behind newspaper): "Mmm? That's nice, dear"... (no tenner is forthcoming, naturally).&lt;br /&gt;&lt;br /&gt;3 - Boldly assert exactly the opposite of what we don't want to say: "That new tie of yours is superbly tasteful".&lt;br /&gt;&lt;br /&gt;Politicians, of course, are no different. If anything, they have to be all the more careful about what they do say, because of the enormous scrutiny applied to their every utterance. They have the same techniques at their disposal, and I have the impression of having been given an object lesson in their use by Alan Johnson, the current Home Secretary, at &lt;a href="http://www.thersa.org/events/audio-and-past-events/2009/security-in-the-21st-century-global,-national,-local."&gt;Monday's RSA event&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;He was speaking on the topic of "Security in the 21st Century - Global, National, Local" (which, now that I type it, I realise looks a lot like the marketing strapline for a recovering bank...).&lt;br /&gt;&lt;br /&gt;Over the course of about 20 minutes, Mr Johnson discoursed - fluently, it has to be said - on immigration policy (about 10 minutes), and then about 2 minutes each on counter-terrorism, how rubbish Tory policy is (tactic No.1, while we're here), RIPA and proportionality, Control Orders and proportionality, and the Human Rights Act.&lt;br /&gt;&lt;br /&gt;You may have seen my brief reactions/quotations on &lt;a href="http://twitter.com/futureidentity"&gt;Twitter&lt;/a&gt; - but the 140-character format doesn't really lend itself to a more reasoned critique.&lt;br /&gt;&lt;br /&gt;So here's the big problem I had with the Home Secretary's performance yesterday, competent exercise though 
it was: in essence, much of his argument was that, although the privacy rights of the individual need to be balanced against the powers of the State, there is, as he put it "no grand contest" between the two. His argument was that provisions such as the Human Rights Act do a good job of that. He also cited RIPA (the Regulation of Investigatory Powers Act) as a positive step - casting it as an Act which curbs the authorities' ability to abuse existing powers of interception. A creative interpretation, and not one I have heard before - even from the law enforcement representatives I heard arguing for the new IMP (Intercept Management Programme) at the &lt;a href="http://privacyappg.org.uk/Meetings.html"&gt;All-Party Parliamentary Group on Privacy&lt;/a&gt; back in July (Tactic No.3 in operation, one suspects).&lt;br /&gt;&lt;br /&gt;In glossing over the government's policies on biometrics and ID Cards (he mentioned them only by reference to foreign nationals, not UK citizens), and in avoiding any mention of the National Identity Register, the National DNA Database, ContactPoint or any of the other aggregations of personal data this government has established, the Home Secretary simply avoided any possible discussion of the real practical issue underlying his claims of balance and proportionality (A positively textbook deployment of Tactic No.2).&lt;br /&gt;&lt;br /&gt;All the policy objectives he mentioned - better management of migration and immigration; counter-terrorism; 'protection of our way of life' against local, national and global threats - all these are predicated, more or less explicitly, on the aggregation, connection and sharing of data about individuals and citizens. For Mr Johnson, the counter-balance to that is the idea that 'our way of life' might be founded on principles of respect for the individual and the individual's rights to privacy, self-determination and so on, as set out in the Human Rights Act. 
All well and good - but in the digitally-mediated world which Mr Johnson depicted, those rights depend precisely on the opposite of what he's using to achieve his first set of objectives.&lt;br /&gt;&lt;br /&gt;In the digitally-mediated world, privacy and self-determination depend on the individual's ability to exercise consent and control over the disclosure, aggregation and sharing of their personal data. Most online services, as they currently stand, do a pretty poor job of that, even in the limited use-case of delivering whatever service it is they provide. For example, as someone shrewdly pointed out recently, most so-called "Privacy Policy Statements" are actually nothing of the sort: they are in fact invitations for the consumer to waive their privacy rights.&lt;br /&gt;&lt;br /&gt;When you then try to combine the goals of privacy-respecting service provision (control, consent) with parallel goals of law enforcement, the two sets of objectives clash directly. One requires you to segregate and compartmentalise data, granting access only as specified by the data subject; the other requires you to aggregate and share data, whether or not the data subject knows or consents.&lt;br /&gt;&lt;br /&gt;Simultaneously meeting those conflicting objectives requires information management disciplines for which UK public sector organisations are, regrettably, anything but a showcase. I don't mean that as a criticism of them, by the way: those information management disciplines are rare indeed, and no organisation I can think of has mastered them all. 
In many cases, the technology to underpin them just isn't in the market.&lt;br /&gt;&lt;br /&gt;The Home Secretary does no-one a service by either behaving as if that problem doesn't exist, or - possibly worse - ploughing ahead in the delusion that our public sector bodies have already cracked it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-3386337697676182041?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/3386337697676182041/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/11/what-home-secretary-didnt-say.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3386337697676182041'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3386337697676182041'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/11/what-home-secretary-didnt-say.html' title='What the Home Secretary didn&apos;t say'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-761227242777962464</id><published>2009-11-04T11:26:00.002Z</published><updated>2009-11-04T11:33:33.259Z</updated><title type='text'>Shameless vote-mongering... moi?</title><content type='html'>Woo hoo! 
Have made it onto the shortlists for the Computer Weekly blogging awards again this year - presumably karmic compensation for going to the dentist this morning :^#&lt;br /&gt;&lt;br /&gt;Putting me up against the likes of Redmonk (James Governor) is probably a bit like shoving Nick Griffin into the ring with Mike Tyson: entertaining, sure; desirable, quite possibly - but only ever going to end one way. That said, honour is honour... so I have no hesitation whatsoever in grovelling and pleading for your vote. Here's the &lt;a href="http://www.computerweekly.com/Articles/2009/11/03/238190/vote-in-the-computer-weekly-it-blog-awards-2009.htm"&gt;page in question&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Thank you - and may the winner pay for the loser's orthodontic work.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-761227242777962464?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/761227242777962464/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/11/shameless-vote-mongering-moi.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/761227242777962464'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/761227242777962464'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/11/shameless-vote-mongering-moi.html' title='Shameless vote-mongering... 
moi?'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-2924621859695507827</id><published>2009-10-28T13:46:00.004Z</published><updated>2009-10-28T14:50:12.590Z</updated><title type='text'>Lord Meddlesome?</title><content type='html'>Somewhat to my surprise, "three strikes and out" turns out &lt;span style="font-style: italic;"&gt;not &lt;/span&gt;to be Lord Mandelson's latest contribution to the postal dispute.&lt;br /&gt;&lt;br /&gt;Considering all the state roles which encumber Lord Mandelson, Baron of Foy in the County of Herefordshire and of Hartlepool in the County of Durham &lt;span style="text-decoration: underline;"&gt;&lt;/span&gt;(at the last count: First Secretary of State; Secretary of State for Business, Innovation and Skills; President of the Board of Trade; Lord President of the Council), I suppose he can hardly be blamed for taking his "disconnection of downloaders" policy out of the oven while it was still only half baked.&lt;br /&gt;&lt;br /&gt;Still, it does seem unusually hapless, for reasons including those set out in Lilian Edwards' excellent post &lt;a href="http://blogscript.blogspot.com/2009/10/mandelson-ploughs-on.html"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;As Lilian suggests, the proposed law seems to place an enforcement burden on a householder, to compensate for ISPs' inability to narrow down exactly who might be responsible for a given download.&lt;br /&gt;&lt;br /&gt;It looks to me as though the proposals will need to include the creation of a new offence, viz. "Failure of the subscriber to control the behaviour of any individual who gains access to the subscriber's domestic internet connection". 
That should give rise to some fascinating case law.&lt;br /&gt;&lt;br /&gt;Then there are the other, slightly more esoteric technical options - such as infecting a home PC with malware capable of downloading material and then forwarding it to the attacker's destination of choice via a peer-to-peer connection; or an insider attack at the ISP - associating illegal download activity with the domestic account of someone who had nothing to do with it...&lt;br /&gt;&lt;br /&gt;These may be less probable attacks, but they are certainly feasible - and the higher the stakes, the greater the incentive for an attacker to consider ways of landing some unsuspecting, legitimate subscriber with the disconnection notice. After all, what tools does the average householder have at their disposal with which to disprove such an accusation from the ISP? Again, I look forward to the first court cases on those ones.&lt;br /&gt;&lt;br /&gt;I appreciate, of course, that this is 'just' another of those classic instances where there's a fundamental fracture between the policy-makers' understanding and what is realistically feasible in terms of the technology. 
That said - if Lord Mandelson claims the mandate to set  out a strategy for a Digital Britain, I think we're entitled to expect that the strategy should be well-founded on a robust understanding of the technology involved.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-2924621859695507827?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/2924621859695507827/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/10/lord-meddlesome.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2924621859695507827'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2924621859695507827'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/10/lord-meddlesome.html' title='Lord Meddlesome?'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-957697763600142471</id><published>2009-10-27T16:36:00.002Z</published><updated>2009-10-27T16:43:08.029Z</updated><title type='text'>Nominated for ComputerWeekly blog awards 2009...</title><content type='html'>Very happy 8^)&lt;br /&gt;&lt;br /&gt;I got shortlisted last year, which was fantastic (but of course there was the factor that I could trade off Sun's reputation as well as anything I wrote...). 
Since I set up Future Identity, this blog has only been going for under a year, so I am all the more delighted to be nominated this year on my own account.&lt;br /&gt;&lt;br /&gt;This year I'm in the &lt;a href="http://www.computerweekly.com/Articles/2009/09/20/237829/it-blog-awards-2009-it-consultant-and-analyst.htm"&gt;IT Consultant and Analyst&lt;/a&gt; category. Typing that and reading it back still has a slight aura of unreality about it... but in a good way.&lt;br /&gt;&lt;br /&gt;Fingers crossed to make it onto the shortlist... but whatever happens, I'm already chuffed.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-957697763600142471?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/957697763600142471/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/10/nominated-for-computerweekly-blog.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/957697763600142471'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/957697763600142471'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/10/nominated-for-computerweekly-blog.html' title='Nominated for ComputerWeekly blog awards 2009...'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-301949703795083577</id><published>2009-10-23T18:36:00.005+01:00</published><updated>2009-10-23T18:45:56.169+01:00</updated><title type='text'>One other thought...</title><content type='html'>The BBC (and David Dimbleby) have also been criticised for putting on what some people saw as little more than an exercise in "bear-baiting".&lt;br /&gt;&lt;br /&gt;It reminded me of a quotation cited by the luckless &lt;a href="http://en.wikipedia.org/wiki/Paul_Seabright"&gt;tutor&lt;/a&gt; who had to prepare me for an Ethics paper years ago:&lt;br /&gt;&lt;blockquote&gt;"The puritan hated bear-baiting&lt;em&gt;&lt;/em&gt;, not because it gave pain to the bear&lt;em&gt;&lt;/em&gt;, but because it gave pleasure to the spectators."  (Thomas Macaulay)&lt;br /&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-301949703795083577?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/301949703795083577/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/10/one-other-thought.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/301949703795083577'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/301949703795083577'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/10/one-other-thought.html' title='One other thought...'/><author><name>Robin 
Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-1619350998029949551</id><published>2009-10-23T15:03:00.002+01:00</published><updated>2009-10-23T15:51:38.341+01:00</updated><title type='text'>OK... the BNP on Question Time thing...</title><content type='html'>I'd been wondering whether to say anything about this, but on balance I think there are a couple of points worth drawing out.&lt;br /&gt;&lt;br /&gt;As some of my Twitter Fellows* have been remarking, it's all too easy to be seduced into thinking that, just because all the opinions you might happen to see might happen to co-incide with yours (and why not, since that's probably why you follow each other in the first place), that must reflect the broader view. As it is, there also appears to be plenty of evidence, via online comment channels, that quite a number of people either agreed with Griffin's views anyway, or disagreed with them but felt he was not given a fair ride.&lt;br /&gt;&lt;br /&gt;It's also interesting that someone, somewhere, sees a villain in every single player in this little drama. 
Here are some of the criticisms I've seen so far:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;the BBC should not have given the BNP such a publicity platform in the first place;&lt;/li&gt;&lt;li&gt;Dimbleby should have been more even-handed and protected Griffin from some of the gang-ups (and not weighed in with a couple of deft jabs of his own, to boot...);&lt;/li&gt;&lt;li&gt;Jack Straw's got no business criticising anyone else's immigration policy, because Labour have made such a hash of their own one;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The rest of the panel (with the possible exception of Bonnie Greer) are hypocrites for papering over their own differences to gang up on Griffin;&lt;/li&gt;&lt;li&gt;The audience were un-representatively hostile (which is either their fault, or the BBC's, or both...);&lt;/li&gt;&lt;li&gt;The protesters outside were interfering with free speech, or Griffin's opportunity to be held accountable, or both...&lt;/li&gt;&lt;li&gt;... and so on.&lt;/li&gt;&lt;/ul&gt;If I have a criticism of the BBC it is that, having decided to go ahead with the programme, they then did as shameless a job of padding and puffing it as any X-Factor final. Driving back from the airport last night, every news bulletin trailed the broadcast, and such a slab of "The World Tonight" was dedicated to it that, by the time it actually aired I felt that I'd heard most of the material already.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I suspect the bottom line is this: I have yet to see anything, anywhere, from anyone to say that the programme changed their mind with respect to Mr Griffin's views - either in one direction or the other. Even in our televisually-mediated society, then, you can put a racist, revisionist bigot on air for an hour and still not convince his sympathisers that he's beyond the pale.&lt;br /&gt;&lt;br /&gt;On that basis, it has to go down as a failure. 
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;*Fellow (n): someone who is either a 'follower' or 'followee' of yours on Twitter... (if someone else hasn't already coined it, you saw it here first, folks ;^)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-1619350998029949551?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/1619350998029949551/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/10/ok-bnp-on-question-time-thing.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1619350998029949551'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/1619350998029949551'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/10/ok-bnp-on-question-time-thing.html' title='OK... 
the BNP on Question Time thing...'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-5901151018651489599</id><published>2009-10-23T13:20:00.002+01:00</published><updated>2009-10-23T14:05:36.055+01:00</updated><title type='text'>Identity versus attributes</title><content type='html'>I've had several conversations recently, including one at the TERENA/EMC2 (higher education federation) workshop in Rome yesterday, which suggest that we are gradually overcoming some of the adoption barriers to attribute-based authorisation.&lt;br /&gt;&lt;br /&gt;That might sound a bit dry and esoteric, but actually it's a Good Thing, and intuitively simple. To try and put it in a nutshell: for an awful lot of service access decisions, it's not actually important to know who the service requester is - it's usually just important to know some particular thing about them. Here are a couple of examples:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;If someone wants to buy a drink in a bar, it's not important who they are, what's important is whether they are of legal age;&lt;/li&gt;&lt;li&gt;If someone needs a blood transfusion, it's more important to know their blood type than their identity...&lt;/li&gt;&lt;/ul&gt;In the past, of course, unique identifiers have been used as a way to index that attribute data. You tell me who you are, and I'll look up the record which associates that identity with all the attribute data I hold about you. Then I'll make an entitlement/access control decision based on that information.&lt;br /&gt;&lt;br /&gt;For understandable reasons, that approach tends to lead to a very disclosure-heavy design. 
If the first thing I have to provide you with is the index to all the data you hold about me, every request for a service implicitly unlocks everything about me, rather than only that information relevant to this request. In simple and/or hierarchical relationships, and when communication between multiple parties is difficult or impossible, this is a rational (and sometimes perhaps the only) way to do things.&lt;br /&gt;&lt;br /&gt;However, the internet undermines some of those assumptions: online service provision relationships are often neither simple nor hierarchical; multi-party communication and transactions are the norm.&lt;br /&gt;&lt;br /&gt;The problem is, we've ended up by default with the worst of both worlds. We have all the disclosure-heaviness of the previous model, plus the promiscuous communication of the web. And that's why I think the increasing awareness of attribute-level assertion is so important. It offers far better ways of having multi-party transactions take place with selective disclosure of the user's data.&lt;br /&gt;&lt;br /&gt;That's not to say that attribute-level assertions are the panacea. There are still knotty problems to resolve, even if we adopt that approach; for instance:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;managing user consent and control;&lt;/li&gt;&lt;li&gt;making selective disclosure appropriate to each given context;&lt;/li&gt;&lt;li&gt;defining and enforcing 'sticky policy', to protect users' preferences even after the data has been disclosed;&lt;/li&gt;&lt;li&gt;catering for transactions which involve multiple different levels of assurance;&lt;/li&gt;&lt;li&gt;defining appropriate metaphors to represent all this to the user...&lt;br /&gt;&lt;/li&gt;&lt;li&gt;... and so on.&lt;/li&gt;&lt;/ul&gt;But the signs are positive. 
Awareness that attribute-level assertions are a key component is a vital first step, and it is heartening to see that awareness rising and becoming increasingly widespread.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-5901151018651489599?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/5901151018651489599/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/10/identity-versus-attributes.html#comment-form' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/5901151018651489599'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/5901151018651489599'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/10/identity-versus-attributes.html' title='Identity versus attributes'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-5226146496213370575</id><published>2009-10-19T16:28:00.003+01:00</published><updated>2009-10-19T16:58:10.266+01:00</updated><title type='text'>Retention versus rehabilitation</title><content type='html'>&lt;blockquote&gt;&lt;/blockquote&gt;There's news today about five UK police forces who appealed against a ruling that they should delete information about criminal offences from their databases. 
According to the appeal court judges:&lt;br /&gt;&lt;blockquote&gt;"If the police say rationally and reasonably that convictions, however old or minor, have a value in the work that they do, that should, in effect, be the end of the matter"&lt;/blockquote&gt;With all due respect to their Lordships, I don't think it should.&lt;br /&gt;&lt;br /&gt;They found that if the data retained could be of use to the police, no matter how old or minor the offences in question, then retention was permissible.&lt;br /&gt;&lt;br /&gt;Let's look at the question of 'minor offences' first. In one instance cited in court, the police still held a record of the theft, in 1984, of a 99p packet of meat - for which the offender was fined £15. Under those circumstances, keeping a record of the offence 25 years later is surely just disproportionate.&lt;br /&gt;&lt;br /&gt;But what of the age of the offence? This is the aspect I find most confusing, and in conflict even with the police's own FAQ database. Here's what that says about &lt;a href="https://www.askthe.police.uk/content/Q89.htm"&gt;spent convictions&lt;/a&gt;. It clearly states that the purpose of the 1974 Rehabilitation of Offenders Act is to ensure that former offenders' lives are not permanently blighted by their past actions if they are subsequently law-abiding. It also notes that there are circumstances when a conviction may never become spent (if it has resulted in more than 2 1/2 years in prison), and that for some kinds of work (such as work with children or vulnerable adults) you may have to disclose past convictions even if they are spent. 
Those conditions aside, though, the website is unequivocal:&lt;br /&gt;&lt;blockquote&gt;"a person who has spent convictions does not have to disclose the conviction to prospective employers"&lt;/blockquote&gt; And there's a page which says that, if you have been given a caution, that caution is considered to be spent immediately:&lt;br /&gt;&lt;blockquote&gt;"This means that if you are asked on an application form if you have a caution you can reply 'no'. "&lt;/blockquote&gt;There's &lt;a href="https://www.askthe.police.uk/content/Q733.htm"&gt;even a page&lt;/a&gt; on the Police FAQ which explains what you can do to request that information about spent offences be removed from the record.&lt;br /&gt;&lt;br /&gt;The Police FAQ also links to &lt;a href="http://www.yourrights.org.uk/yourrights/privacy/spent-convictions-and-the-rehabilitation-of-offenders/how-a-conviction-becomes-spent.html"&gt;this Liberty table&lt;/a&gt;, which sets out the time-table according to which different offences are regarded as spent. In the case of the person fined £15 for taking the packet of meat, that would have been 5 years, halved to 2 1/2 years because the person was under 18 at the time of the offence. And yet, information about the offence is still on the record, 23 years after it was legally non-existent.&lt;br /&gt;&lt;br /&gt;Let me just repeat their Lordships' ruling:&lt;br /&gt;&lt;blockquote&gt;"If the police say rationally and reasonably that convictions, however old or minor, have a value in the work that they do, that should, in effect, be the end of the matter"&lt;/blockquote&gt;Dickens had Mr Bumble assert that "the law is an ass". In this case, though, the law appears to be quite sensible and clear. 
The same can't be said for the way in which it has been interpreted.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-5226146496213370575?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/5226146496213370575/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/10/retention-versus-rehabilitation.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/5226146496213370575'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/5226146496213370575'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/10/retention-versus-rehabilitation.html' title='Retention versus rehabilitation'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-4803649637320970434</id><published>2009-10-16T10:13:00.003+01:00</published><updated>2009-10-16T10:24:55.303+01:00</updated><title type='text'>Ethics and warmth</title><content type='html'>I just found this quotation from David Hume:&lt;br /&gt;&lt;br /&gt;“it is only from the selfishness and confined generosity of men, along with the scanty provision nature has made for his wants, that justice derives its origin.”&lt;br /&gt;&lt;br /&gt;Scanty provision, eh? 
Is this why so many ethicists come from the barren northern climes*, and rather fewer from Hawaii and other places where nature's provision is less scanty?&lt;br /&gt;&lt;br /&gt;*Descartes, for instance, used to withdraw to the interior of a large oven to work in warmth; Diogenes (who came from balmier latitudes, but lived in a barrel) was once asked by Alexander the Great whether the latter could do anything for him - "Yes", said the philosopher... "get out of my sunlight".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-4803649637320970434?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/4803649637320970434/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/10/ethics-and-warmth.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4803649637320970434'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4803649637320970434'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/10/ethics-and-warmth.html' title='Ethics and warmth'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-7631151671667781278</id><published>2009-10-15T10:26:00.003+01:00</published><updated>2009-10-15T10:40:18.250+01:00</updated><title type='text'>Economic forecast: cheap rugs and healthy eating ahead</title><content 
type='html'>Parliament convened yesterday for (among other things) the first Prime Minister's Questions since MPs' summer break. Liberal Democrat MP Bob Russell &lt;a href="http://news.bbc.co.uk/1/hi/uk_politics/8306561.stm"&gt;called on Gordon Brown&lt;/a&gt; to 'take some leadership in encouraging the export of goods from Afghanistan'.&lt;br /&gt;&lt;br /&gt;Although the Prime Minister and other speakers had mentioned the matter of Afghan heroin, it's worth just putting things in perspective. According to the IMF, the principal 2006/2007 export figures for Afghanistan were:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Carpets:       187,000,000&lt;/li&gt;&lt;li&gt;Dried fruit: 126,000,000&lt;/li&gt;&lt;li&gt;Fresh fruit:  39,000,000&lt;/li&gt;&lt;/ul&gt;According to a recent &lt;a href="http://www.fas.org/sgp/crs/row/RL32686.pdf"&gt;report by the US Congressional Advice Service&lt;/a&gt;, the UN estimate for 2008 (which it describes as having fallen from "all-time highs" [sic] in 2006/2007) was:&lt;br /&gt;&lt;ul&gt;&lt;li&gt; Opium and derived narcotics: $3,000,000,000&lt;/li&gt;&lt;/ul&gt;That's an awful lot of fruit and carpets.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-7631151671667781278?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/7631151671667781278/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/10/economic-forecast-cheap-rugs-and.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/7631151671667781278'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/7631151671667781278'/><link rel='alternate' type='text/html' 
href='http://futureidentity.blogspot.com/2009/10/economic-forecast-cheap-rugs-and.html' title='Economic forecast: cheap rugs and healthy eating ahead'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-8056605563924354578</id><published>2009-10-12T12:50:00.002+01:00</published><updated>2009-10-12T13:18:00.685+01:00</updated><title type='text'>Counting 'em in; counting 'em back out again</title><content type='html'>According to &lt;a href="http://www.nytimes.com/2009/10/12/us/12visa.html"&gt;this article&lt;/a&gt; in the New York Times, Congress is concerned that US Immigration and other law enforcement officers are having a hard time tracing those foreigners who enter the country and then stay beyond the period specified by their terms of entry. To be honest, I can't see why that is a surprise to the elected representatives; if anything, it simply suggests that they have no experience of the entry process in question. As someone who has been through it a few times now, perhaps I can offer some enlightenment:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;on entry, the visitor is invited to give a street address for their first night's stay in the US. A hotel address is fine... and of course the chances that the Immigration officer will be able to spot a non-existent or invalid address are zero.&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;the visa waiver form offered to UK citizens has been revised this year, and now asks for a mobile phone number and an email address where you can be reached. Frankly, I thought this was an impertinence and left it blank... 
but I have not yet been challenged for doing so.&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;on exit from the US, as the NY Times article points out, visitors are supposed to hand in the counterfoil of their entry form... but the process for doing so is unreliable. In my experience, the check-in clerk usually removes it from my passport - though these days, with self-service check-in, home-printed boarding passes and so on, I have no idea what I would do with the counterfoil if I were travelling with just hand-luggage.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;In fact, a couple of visits back, my counterfoil was left in my passport on exit. I pointed it out to the Immigration officer on my next arrival and got mildly reproached, but was still allowed in. According to the Dept of Homeland Security, most counterfoils (92.5%) are returned correctly. But if one were to rely on that figure alone, the number of people whose exit status is indeterminate would be some 2,925,000.&lt;br /&gt;&lt;br /&gt;As you may gather, I tend to be horribly law-abiding in this regard (mainly because the authorities can make your life disproportionately grim if they think you're arsing about) - but even so, I have at least once (as above) ended up in that 'indeterminate'  immigration status. 
On that basis, imagine how easy it must be for someone who is intent on dropping out of the system.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-8056605563924354578?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/8056605563924354578/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/10/counting-em-in-counting-em-back-out.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/8056605563924354578'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/8056605563924354578'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/10/counting-em-in-counting-em-back-out.html' title='Counting &apos;em in; counting &apos;em back out again'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-6232625688460093027</id><published>2009-10-09T13:01:00.003+01:00</published><updated>2009-10-12T12:49:26.017+01:00</updated><title type='text'>No smoke without fire...</title><content type='html'>The NASA mission to belt the moon really hard with a large hammer seems to have excited just about everyone:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The astronomy geeks are excited because it could tell us interesting stuff about the moon, the possible presence of water in some form, etc.&lt;/li&gt;&lt;li&gt;The scientists are just 
excited because it's making something go ka-boom, which is what they like best, let's face it, whether we're talking about sub-atomic particles, dynamite or &lt;a href="http://www.youtube.com/watch?v=qnl4bK_veg0&amp;amp;feature=related"&gt;caravans&lt;/a&gt;.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The policy wonks are excited because they're trying to work out whether this violates a UN Treaty regulating "activities on the Moon and other celestial bodies".&lt;/li&gt;&lt;li&gt;The conspiracy theorists are having a field day, because for them, this is a &lt;span style="font-style: italic;"&gt;de facto&lt;/span&gt; declaration of war on the extra-terrestrials who shadowed every moon mission...&lt;/li&gt;&lt;/ul&gt;As for me, I can't shake the image of a couple of NASA planners having a meeting:&lt;br /&gt;&lt;br /&gt;Bob*: "Say, what do we know about the moon... I mean, &lt;span style="font-style: italic;"&gt;really&lt;/span&gt; know... not just from staring at it, or scratching around on the surface?"&lt;br /&gt;&lt;br /&gt;Bill: "Unh, I dunno... not much, I guess. Like, is there water there, but it's just stuck to all the particles of dust instead of being an underground lake...?"&lt;br /&gt;&lt;br /&gt;Bob: "Like in Dune, right?"&lt;br /&gt;&lt;br /&gt;Bill: "Right... underground lakes would be cool"&lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;&lt;br /&gt;Bill: "So... how about we pound on it with, like, a really big rocket?"&lt;br /&gt;&lt;br /&gt;Bob: "Yeah... let's do it!"&lt;br /&gt;&lt;br /&gt;And the tragedy is, the caricature wouldn't leap so readily to mind if there weren't a germ of truth in it somewhere.&lt;br /&gt;&lt;br /&gt;There's no smoke without fire... and apparently there's no plume of steam without a big ****ing explosion.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;*Thinking of Bill and Bob... the names were not chosen entirely at random. Some years ago I was sent for a couple of 5-week projects to IBM Poughkeepsie. 
While there, my co-assignees and I noticed that periodically the PA system would come to life, and a pleasantly-modulated female voice would say: "Bob Molson: 13-12-24; Bob Molson: 13-12-24". Or, another day, "Bill Molson: 14-29-37; Bill Molson: 14-29-37".&lt;br /&gt;&lt;br /&gt;Out of idle curiosity we checked the online employee directory, but found no Molsons... and the numbers didn't appear to correspond to internal extensions either.&lt;br /&gt;&lt;br /&gt;We never did find out what the PA announcements were about. Perhaps it was just someone's little Dada-ist "&lt;span style="font-style: italic;"&gt;jeu d'esprit&lt;/span&gt;", like the mysterious radio announcements in Jean Cocteau's "Orphée".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-6232625688460093027?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/6232625688460093027/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/10/no-smoke-without-fire.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/6232625688460093027'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/6232625688460093027'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/10/no-smoke-without-fire.html' title='No smoke without fire...'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-8689360908972549226</id><published>2009-10-09T12:36:00.002+01:00</published><updated>2009-10-09T12:53:37.841+01:00</updated><title type='text'>A nice distinction</title><content type='html'>I see from &lt;a href="http://www.out-law.com/page-10431"&gt;this article&lt;/a&gt; on Pinsent Masons' excellent "Out-Law" site that UK online banking fraud was up by 55% to £39m for the first six months of this year (relative to the same period last year). The payment card figures are down - which the acquirers will doubtless attribute to chip and PIN, and suggest that that is 'squeezing' fraudsters towards more lucrative attack vectors. Though, to put that in perspective, fraudulent 'card not present' transactions still accounted for £134m of reported loss.&lt;br /&gt;&lt;br /&gt;According to the article, the vehicles of choice are phishing (up 26% on last year) and malware attacks on users' computers.&lt;br /&gt;&lt;br /&gt;The Financial Fraud Action group of the UK Payments Association had this to say:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"The increase is largely due to criminals employing more sophisticated methods to target online banking customers through malware scams – which target vulnerabilities in customers’ PCs – rather than the banks’ own systems which have proved more difficult for the fraudsters to attack."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;And there's where I have a nit to pick. 
After all, if a bank extends its service, online, so that the point of delivery is the customer's PC, the distinction between "attacking the user's PC" and "attacking the online banking system" becomes a pretty fine one.&lt;br /&gt;&lt;br /&gt;Up to a point, I see exactly where they're coming from: after all, if someone manages to get a keystroke logger onto my PC, the damage is done to a component which is not under my bank's control. On the other hand, if that is going to be used to justify transferring liability from the bank to me (as happened with chip and PIN) for transactions undertaken through my PC, then I would not be happy at all.&lt;br /&gt;&lt;br /&gt;Online banking is convenient for me, yes - but it also saves the bank an enormous amount of cost, effort, staff, premises and so on and so forth. Most banks' retail branch networks are now so skeletal that if everyone switched back from online banking to branch-based transactions, the banks would simply collapse under the workload. 
Don't get me wrong - I'm not suggesting that bank clients either want to or should do that: just that the online banking benefit flows both ways, and the banks need to acknowledge that when they consider how to mitigate the risk of PC-mediated fraud.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-8689360908972549226?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/8689360908972549226/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/10/nice-distinction.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/8689360908972549226'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/8689360908972549226'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/10/nice-distinction.html' title='A nice distinction'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-6355084501577070358</id><published>2009-10-07T12:46:00.002+01:00</published><updated>2009-10-07T13:15:23.069+01:00</updated><title type='text'>What a croc</title><content type='html'>There's a characteristically entertaining and acerbic &lt;a href="http://www.nytimes.com/2009/09/27/opinion/27dowd.html"&gt;piece from Maureen Dowd&lt;/a&gt; on the NY Times site at the moment. 
As usual, it's spiked with barbs of insider-ish gossip, but this time they are quoted, rather than culled directly by her.&lt;br /&gt;&lt;br /&gt;One of her sources is Matt Latimer's "Speech-less" - an account of his time as part of George W Bush's speechwriting team (also reviewed, as it happens, on yesterday evening's edition of Radio 4's Front Row - &lt;a href="http://www.bbc.co.uk/programmes/b00mzyxk"&gt;podcast available here&lt;/a&gt;). One vignette Dowd picks out is of W 'padding around the White House in Crocs' - an image which, as she says, is hard to get out of your mind once it's in there.&lt;br /&gt;&lt;br /&gt;It reminded me of the last time I arrived at Narita airport: at the top of the first escalator we encountered after getting off the plane, there was a warning (in English) to wearers of  "vinyl shoes" that they should take care not to get snagged in the escalator and mangled to death. Well, it didn't actually spell out that last bit, but there was a helpful picture of a Croc-clad foot.&lt;br /&gt;&lt;br /&gt;Now, I have no wish to be gratuitously insulting to Croc-wearers, but I couldn't help thinking that those of us with other footwear (even shoes with laces, forsooth) have mostly worked that out for ourselves by the time we're old enough to walk on and off a plane.&lt;br /&gt;&lt;br /&gt;Then again, W's mental edifice was always dogged by accusations of being somewhat sparsely tenanted. After all, it bodes ill when an adult human is bested by a small pretzel, for instance. 
I did love the irony that "Bonesman" Bush should have been laid low by the closest thing the biscuit world has to a miniature skull-and-crossbones.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-6355084501577070358?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/6355084501577070358/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/10/what-croc.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/6355084501577070358'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/6355084501577070358'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/10/what-croc.html' title='What a croc'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-6219426166153924496</id><published>2009-10-05T13:51:00.003+01:00</published><updated>2009-10-05T14:36:05.387+01:00</updated><title type='text'>Those publication deadlines...</title><content type='html'>Thankfully, I completed my writing assignments in the time I ended up being able to devote to them - one article was actually in by the requested deadline (!) and the other one was late, but not so late that the editor gave up on me. 
Phew.&lt;br /&gt;&lt;br /&gt;This is what comes of promising people an article/chapter/white paper when there's no fee-paying work in the pipeline... and then having to deliver after said fee-paying work has turned up with its own little set of imperatives. Still, such is life; no-one said it would be easy, and - as the archetypal British infantryman puts it - "if you can't take a joke, you shouldn't have joined up...".&lt;br /&gt;&lt;br /&gt;I'll let you know when the articles in question are in the public domain - though, of course, the other thing I'm learning is that they end up hedged about with copyright clauses limiting what I - the author - am entitled to do with my output. What's that all about, in the age of personal internet publishing?&lt;br /&gt;&lt;br /&gt;One is about "What's happened to PETs?" (Privacy Enhancing Technologies) and the other is a more general look at Identity Management: where is it, how did it get here, and where might it be going next.&lt;br /&gt;&lt;br /&gt;The last thing I'm finding is that the whole process of doing the research (literature review, collecting references and citable material) - and then reviewing your own thoughts in the light of other people's - is a sure-fire way of generating yet more thoughts which just add to the backlog of papers to be written. Sigh. That said, the next paper should be a cracker. As to its subject - well, given what I've just said about the bizarreness of having to cede copyright just to have someone else transfer my work to sheets of compressed vegetable matter, you'll just have to wait and see. 
I may just crack and publish it here first.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-6219426166153924496?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/6219426166153924496/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/10/those-publication-deadlines.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/6219426166153924496'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/6219426166153924496'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/10/those-publication-deadlines.html' title='Those publication deadlines...'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-4866856262076642569</id><published>2009-09-28T13:25:00.002+01:00</published><updated>2009-09-28T13:54:13.969+01:00</updated><title type='text'>This one's for the Prof...</title><content type='html'>In my previous post I mentioned the very engaging lecture I attended last week, by Prof David Lyon - who spoke about "Identity as Surveillance - Security, Surveillance and Citizenship".&lt;br /&gt;&lt;br /&gt;I do hope he has seen this article from the BBC, on the opening day of the Labour Party Conference: "&lt;a href="http://news.bbc.co.uk/1/hi/uk_politics/8277362.stm"&gt;Lord Mandelson denied entry to 
conference&lt;/a&gt;", because I'm sure it would give him a good laugh.&lt;br /&gt;&lt;br /&gt;Apparently, the Noble Lord, First Secretary of State, Secretary of State for Business, Innovation and Skills, President of the Board of Trade and Lord President of the Council could not, initially, get into the conference because there was a problem with his pass. Maybe they couldn't fit his title onto it. The press were naturally quick to savour the irony that the man perhaps most identified with New Labour should be unable to identify himself to the satisfaction of the party's gatekeepers.&lt;br /&gt;&lt;br /&gt;What this has to do with Prof Lyon's talk is this: one of his themes was the way in which identity systems (particularly national ones) permit, enable and encourage judgements to be made about individuals on the basis of "actuarial criteria", even if other methods would be more reliable (and more respectful of personal privacy).&lt;br /&gt;&lt;br /&gt;An example Prof Lyon gave was this: research work by John Taylor and Miriam Lips (full text of paper available online &lt;a href="http://www.springerlink.com/content/2pl2731712732452/fulltext.html"&gt;here&lt;/a&gt;) investigated the use of online identity data by the DVLA when someone applies online for a driving licence. The researchers noted that the DVLA submits the applicant's details to the credit reference company Experian, which attempts to corroborate the applicant's identity assertions by matching them against databases of Credit Applications and Addresses. Experian then applies a weighting which assigns a 'trust score' to the applicant's assertions, based on the apparent quality of the applicant's digital footprint (as revealed by the database enquiries). 
These actuarial measurements are then used by the DVLA to govern the subsequent processing of the application transaction.&lt;br /&gt;&lt;br /&gt;Prof Lyon's point was that this 'trust score' mechanism goes beyond a simple assessment of whether or not the applicant's address can be corroborated. The score is enhanced more, for instance, if the applicant's records indicate that they have had a lot of interactions with clearing banks, than if the indication is that the applicant has had a lot of interactions with mail-order companies.&lt;br /&gt;&lt;br /&gt;The implication of this is that subsequent processing of the DVLA application is determined not just by past records, but by inferences based on supposed future behaviours of the applicant - whether or not those inferences are in fact accurate.&lt;br /&gt;&lt;br /&gt;Basically, this is what starts to happen, the more you architect systems on the basis of actuarial criteria in support of the categorisation of individuals, and the more you remove notions of human judgement and discretion from the process. Admittedly, that's not always a bad thing - after all, humans are fallible too. 
But if you design humans into the process rather than out of it, you get fewer embarrassing incidents such as the sight of Labour's &lt;span style="font-style: italic;"&gt;"eminence grise"&lt;/span&gt; being locked out of his own conference...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-4866856262076642569?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/4866856262076642569/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/09/this-ones-for-prof.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4866856262076642569'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4866856262076642569'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/09/this-ones-for-prof.html' title='This one&apos;s for the Prof...'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-7124913143280258196</id><published>2009-09-25T10:18:00.002+01:00</published><updated>2009-09-25T10:35:31.506+01:00</updated><title type='text'>Hostages to fortune</title><content type='html'>It's time for that seasonal blog post in which I apologise for the low post-rate, mumble about the holiday season etc. 
and promise to post more frequently over the coming weeks...&lt;br /&gt;&lt;br /&gt;So I thought I would leave some hostages to fortune, in the form of one-liners about what has been keeping me from more frequent posting over the past few weeks. That way I will have to re-visit some of these topics soon and give you some more details. Oh, and it hasn't just been holiday absence... nice though that was.&lt;br /&gt;&lt;br /&gt;Looking at the diary, this current and seemingly constant stream of activity stretches back to the Burton Catalyst conference in San Diego at the end of July; I gave a talk there about concepts of identity and privacy, and it seemed to go down well. One participant was even so kind as to say that it was "the most intellectually stimulating presentation" he'd seen at the conference, which was a fabulous piece of feedback.&lt;br /&gt;&lt;br /&gt;Since then, what else has kept me busy:&lt;br /&gt;&lt;br /&gt;- two pieces of chargeable work for new consulting clients - one commercial, one academic, which is really good news for Future Identity as a business;&lt;br /&gt;&lt;br /&gt;- the Kantara plenary meetings in Las Vegas, including the first face-to-face sessions of the Privacy and Public Policy Work Group, which I am currently chairing through its infancy;&lt;br /&gt;&lt;br /&gt;- another presentation, this time at the Society for Computers and Law's Policy Forum in London. 
If there's one thing scarier than public speaking, it's public speaking to a room full of lawyers...&lt;br /&gt;&lt;br /&gt;I've also attended two events at which I have, for once, been in the audience rather than on the other side of the podium:&lt;br /&gt;&lt;br /&gt;- the Information Security Specialists' Group of the British Computer Society held a privacy workshop day, including an excellent presentation on Privacy Impact Assessments, given by Toby Stevens of the Enterprise Privacy Group;&lt;br /&gt;&lt;br /&gt;- I heard a fascinating lecture at the LSE by Professor David Lyon on "National Identity Schemes as Surveillance: surveillance, security and citizenship", which was a perfect blend of reinforcement of some of my existing assumptions, challenges to other existing assumptions, and new thinking in several areas. I will do my best to transfer my written notes to a future blog post, because it really was a great talk. Prof Lyon also has a book out on the same topic, which I would heartily recommend on the basis of the lecture.&lt;br /&gt;&lt;br /&gt;Oh, and I have a couple of publication deadlines at the moment (count this blog post as a frantic last-ditch piece of displacement activity before I get down to work again...), one for a white paper, and one for a book chapter. Oh, the joys of 'vanity' publishing...&lt;br /&gt;&lt;br /&gt;So yes, the holiday in the wilds of Turkey was fantastic, warm, scenic, relaxing... 
and the beneficial effects survived about 30 seconds of contact with the horror that is Gatwick Airport.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-7124913143280258196?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/7124913143280258196/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/09/hostages-to-fortune.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/7124913143280258196'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/7124913143280258196'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/09/hostages-to-fortune.html' title='Hostages to fortune'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-9155458673809600052</id><published>2009-09-20T12:59:00.006+01:00</published><updated>2009-09-20T13:32:58.276+01:00</updated><title type='text'>Airport security nonsense</title><content type='html'>Those of you following my Twitter feed may have spotted my micro-rant last Monday about the confiscation of a potential weapon from my hand-luggage at Gatwick Airport. I thought I should follow up with a little more detail. 
OK - no cheating now: we're going to see if you can identify the object in question from a number of characteristics which I will describe.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;It had already passed successfully through the compulsory hand luggage scan at the main security checkpoint;&lt;/li&gt;&lt;li&gt;It was in the external mesh side-pocket of my laptop bag;&lt;/li&gt;&lt;li&gt;It has travelled by air many times in the same place;&lt;/li&gt;&lt;li&gt;It was confiscated in a further, random screening at the boarding gate;&lt;/li&gt;&lt;li&gt;It is hollow, with a mass of almost exactly 2oz (approx. 56 grams), and a diameter of about 2 1/2 inches (approx. 6.5 cms);&lt;/li&gt;&lt;li&gt;According to the security staff, it is not a risk at ground level, but in the reduced air pressure of an aeroplane cabin, becomes hard and potentially dangerous (!).&lt;/li&gt;&lt;/ol&gt;OK, I'll put you out of your misery - the lethal object in question is... a tennis ball.&lt;br /&gt;&lt;br /&gt;And why do I carry a tennis ball in my hand luggage? Well, it's not because I'm a deranged fundamentalist hell-bent on taking over the aircraft; it's on the advice of my physiotherapist, who recommends I use it to apply targeted pressure to specific areas of my back - especially during or after long-haul flights. On the other hand, you can take on board items such as the following:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;lap-top power supply adapter and cable (solid 14 oz./380g weight on a handy lead);&lt;/li&gt;&lt;li&gt;lap-top security cable (6ft steel cable with a metal lock on the end);&lt;/li&gt;&lt;li&gt;bottle of duty-free vodka (1 kg weight with a neck for a handle - also contains lots of sharp glassy bits and flammable stuff);&lt;/li&gt;&lt;li&gt;4oz can of foie gras... 
hard and solid, with sharp edges when opened;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;and so on and so on...&lt;/li&gt;&lt;/ul&gt;I'm going to stop at that, because mulling over the absurdities of this can quickly drive you round the twist. And to the security guys - I know you're only doing your job, but thanks for the back-ache. To whoever does the risk assessment: get real.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-9155458673809600052?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/9155458673809600052/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/09/airport-security-nonsense.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/9155458673809600052'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/9155458673809600052'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/09/airport-security-nonsense.html' title='Airport security nonsense'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-2871655083806490537</id><published>2009-09-13T19:14:00.003+01:00</published><updated>2009-09-13T19:38:08.710+01:00</updated><title type='text'>Back at my desk...</title><content type='html'>... 
for a few hours, at least.&lt;br /&gt;&lt;br /&gt;Apologies for the lack of posts in the last few weeks: I've been travelling a lot (and haven't finished yet); just returned from two weeks of very relaxed holidaying in the wilds of the Turkish coast, and tomorrow I'm off again - this time for work. Going for Total System Shock, in the space of about 48 hours I'll go from GMT+2 to GMT-8; holiday to work; and rural solitude to... the Vegas Strip.&lt;br /&gt;&lt;br /&gt;Next week sees the Digital ID World (&lt;a href="http://public.cxo.com/conferences/index.html?conferenceID=51"&gt;DIDW&lt;/a&gt;) conference there, and running in parallel with it, the first plenary sessions of the &lt;a href="http://kantarainitiative.org/confluence/display/GI/Kantara+Initiative+Conferences"&gt;Kantara Initiative&lt;/a&gt;. I'll be chairing the Public Policy Work Group there, and I'm hoping we'll have great participation from Kantara and DIDW folks alike. The conference will also be the setting for this year's Identity Deployment of the Year (&lt;a href="http://kantarainitiative.org/wordpress/tag/didw/"&gt;IDDY&lt;/a&gt;) awards, now in their fourth year, and re-designed to take in a wider scope of entries.&lt;br /&gt;&lt;br /&gt;I'm unashamedly going to go for the Nevada metaphor here: the privacy landscape (and the policies which shape it) continues to be red-hot, so come and join us as we explore and document it...</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/2871655083806490537/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/09/back-at-my-desk.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2871655083806490537'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2871655083806490537'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/09/back-at-my-desk.html' title='Back at my desk...'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-4697271360086140515</id><published>2009-08-28T13:49:00.001+01:00</published><updated>2009-08-28T14:00:34.017+01:00</updated><title type='text'>Kantara P3WG and Levels of Assurance</title><content type='html'>As you may know, I've recently set up the Privacy and Public Policy Work Group (P3WG) for the Kantara Initiative, and as we start mapping out the areas in which the Group wants to exercise an influence, one topic has generated more discussion than anything else on the mailing list. It goes by the rather uninformative name of "LOA", or Level of Assurance. Even if you've never heard of LOAs, they have played a major part in your life online and off.&lt;br /&gt;&lt;br /&gt;I've blogged before about what I call the "Chain of Trust" - namely, the sequence of events all of which need to be working if a credential is to work properly when you present it. In other words, for instance, if you apply for a passport in the name of Michael Mouse and the passport office doesn't bother to check whether there's any evidence that that is your name, the resulting passport won't be that reliable as an indicator of your identity (even though people may assume that it is). 
Similarly, driving licences would not be much use as an indicator of which vehicles you're entitled to drive, if it was possible for you to alter what the licence says... and if you tell someone the PIN of your ATM card, it is no longer effective as a way to ensure that only you can take money out of your account (in fact, the bank is likely to take it as de facto evidence that you must have been responsible for the transaction, even if it wasn't you who actually used the card and PIN...).&lt;br /&gt;&lt;br /&gt;These are just three examples of the many ways in which the Chain of Trust can fail, at the Registration/Verification phase, over the life of the credential, and at the authentication step, respectively. There are many other points at which the Chain can be compromised and the reliability of the credential (or the assertions made using it) undermined.&lt;br /&gt;&lt;br /&gt;LOA is about protecting the first of these - the point at which someone decides whether or not to issue a credential which represents you in some way. In other words, if you can present a relying party with not just a credential, but a 'score' which indicates how reliably that credential was issued to you, they can judge whether it's more likely that you are actually Michael Mouse, or that whoever gave you a passport saying so was not doing their job very well.&lt;br /&gt;&lt;br /&gt;That, in turn, will give them useful information about what decisions to make next, particularly if they decide that the answer to your authentication question is "yes".&lt;br /&gt;&lt;br /&gt;The UK and US governments both have relatively simple 4-level LOA models (though, inconveniently, one runs from 0-3 and the other from 1-4...). Omitting the 'index value' for a moment, the four levels look remarkably similar. 
In fact, if I adopt a slightly different scale, just to paper over that difference, we might get something like this:&lt;br /&gt;&lt;p&gt;&lt;u&gt;Rare&lt;/u&gt;        &lt;/p&gt;&lt;p&gt;UK: no authentication of identity&lt;br /&gt;&lt;/p&gt;&lt;p&gt;US: little or no confidence in the asserted identity&lt;br /&gt;&lt;/p&gt; &lt;p&gt;&lt;u&gt;Medium rare&lt;/u&gt;    &lt;/p&gt;&lt;p&gt;UK: basic authentication           &lt;br /&gt;&lt;/p&gt;&lt;p&gt;US: some confidence in the asserted identity&lt;br /&gt;&lt;/p&gt; &lt;p&gt;&lt;u&gt;Medium&lt;br /&gt;&lt;/u&gt;&lt;/p&gt;&lt;p&gt;UK: greater level of assurance (e.g. credentials based on proof of identity to a third party)&lt;br /&gt;&lt;/p&gt;&lt;p&gt;US: high confidence in the asserted identity&lt;br /&gt;&lt;/p&gt; &lt;p&gt;&lt;u&gt;Well done&lt;/u&gt;    &lt;/p&gt;&lt;p&gt;UK: identification beyond reasonable doubt&lt;br /&gt;&lt;/p&gt;&lt;p&gt;US: very high confidence in the asserted identity&lt;br /&gt;&lt;/p&gt;So far so good. However, when it comes to putting this simple model into practice, and because we're talking about assurance here (and therefore judgement), a couple of different approaches emerge.&lt;br /&gt;&lt;br /&gt;One is to give a technical specification of the kinds of authentication technology which should or must correspond to an implementation claiming to be at a given LOA level.&lt;br /&gt;&lt;br /&gt;Another is to relate the LOA levels to levels of risk, and allow the implementer to work out how they think that risk is best mitigated.&lt;br /&gt;&lt;br /&gt;You might think that a third, better solution would be to combine the two... 
define organisational risks in a way which allows them to be assessed against the four-level model, and then have a technical specification list which says: "if you face this level of risk and you want this level of assurance, you need technology such as 'x', implemented with the following governance measures".&lt;br /&gt;&lt;br /&gt;Actually, I have a better idea... if you have opinions on this question (better still, if you have a good answer), come and sign up to the Kantara P3WG and join the discussion. We'd love to hear from you.</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/4697271360086140515/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/08/kantara-p3wg-and-levels-of-assurance.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4697271360086140515'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4697271360086140515'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/08/kantara-p3wg-and-levels-of-assurance.html' title='Kantara P3WG and Levels of Assurance'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-8654327185726295987</id><published>2009-08-17T12:54:00.004+01:00</published><updated>2009-08-17T13:32:47.250+01:00</updated><title type='text'>Proving that ID Cards can't be cracked</title><content type='html'>Thanks to &lt;a href="http://twitter.com/cheshire_puss"&gt;@cheshire_puss&lt;/a&gt; for the pointer to&lt;a href="http://news.zdnet.co.uk/security/0,1000000189,39716619,00.htm"&gt; this ZDNet article&lt;/a&gt; about Home Office plans to "engage with the industry to show that we have a 'gold standard' card which cannot be changed, modified or cloned".&lt;br /&gt;&lt;br /&gt;On one level, I'm delighted to have an opportunity, at last, to use the word "epistemological" in a blog post (who wouldn't be...?). Because, on the face of it, the Home Office plans look like a doomed attempt at that epistemological impossibility, the proof of a negative proposition. Industry experts could help the Home Office show an ID card being cracked, could show that it's possible but difficult, or could show a card successfully resisting a finite number of attempts to crack it... but they can't demonstrate that the card cannot (ever) be changed, modified or cloned.&lt;br /&gt;&lt;br /&gt;On another level, I'm puzzled as to what's in it for a couple of the stakeholders, should these experiments go ahead. It seems to me that the industry experts are being invited to endorse the security of something which they will then neither implement nor rely on. In other words, the success or failure of the ID Cards they have certified as "gold standard"  will depend on factors entirely outside their control.&lt;br /&gt;&lt;br /&gt;If they are to bear no liability for this (and let's face it, why should they), then what is gained by having them 'initial' the tests? 
If they are to be expected to bear some liability for the eventual outcomes of ID Card issue and use, I look forward to seeing what kind of industry experts step forward. Brave fellows, all.&lt;br /&gt;&lt;br /&gt;And what's in it for the citizen-stakeholder? Assuming that the tests fail to prove the negative proposition, will citizens trust the technology more, or will they simply question whatever liability model the cards are rolled out under?&lt;br /&gt;&lt;br /&gt;Lastly, I'm also bemused by the Home Office's reported explanation of why it doesn't want to see whether or not Adam Laurie's claimed attack is genuine: they do not wish to be "overwhelmed by individuals wishing to demonstrate ID card cracks." Do they think the cards are so insecure that every Trent, Bob and Alice is queuing up to have a go? Or that there are enough nutters out there to mount some kind of Denial of Service attack with a series of trivial attempts? ("Hullo children - and today on Blue Peter, we'll be showing you how to make your own Home Office ID Card reader, using just this egg carton, some sticky-backed plastic and a roll of tinfoil").&lt;br /&gt;&lt;br /&gt;Seriously, though - why do the Home Office say they are looking for a suitable way to engage with industry to demonstrate that ID cards are secure? 
I thought &lt;a href="http://www.cesg.gov.uk/products_services/iacs/cc_and_itsec/index.shtml"&gt;CESG&lt;/a&gt; had a whole programme to do just that, and that the "E" in CLEF stood for "Evaluation"...&lt;br /&gt;&lt;br /&gt;But perhaps I'm very old-fashioned.</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/8654327185726295987/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/08/proving-that-id-cards-cant-be-cracked.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/8654327185726295987'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/8654327185726295987'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/08/proving-that-id-cards-cant-be-cracked.html' title='Proving that ID Cards can&apos;t be cracked'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-3911973526012696762</id><published>2009-08-12T12:26:00.002+01:00</published><updated>2009-08-12T12:35:05.927+01:00</updated><title type='text'>"... 
down to the ball game"</title><content type='html'>A belated word of thanks to Rich Goodwin of PinnaclePoint technologies, who had the brilliant idea of rounding off Burton Catalyst '09 with an outing to the Friday night baseball game between the San Diego Padres and the Milwaukee Brewers. And a fabulous evening it was, too. The home crowd were happy, because their team recovered from a dismal few innings to take the match 11-7, and I was happy because it's the first live baseball game I've been to, and I had Rich on hand to explain the finer points.&lt;br /&gt;&lt;br /&gt;About halfway through the game, a foul ball went into the front row of the stands directly between us and third base, and into the left hand of a spectator... who was on his cellphone at the time. Cool as a cucumber. However, I think even he would have to acknowledge the superior coolness of an Arizona Diamondbacks fan who, the previous evening, managed &lt;a href="http://www.thefightins.com/meechone/one-of-the-most-impressive-fan-catches-of-all-time/"&gt;this one&lt;/a&gt;... In the left hand, the baseball; in the right hand, the offspring and the giant soda. 
Nice.</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/3911973526012696762/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/08/down-to-ball-game.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3911973526012696762'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3911973526012696762'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/08/down-to-ball-game.html' title='&quot;... down to the ball game&quot;'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-4301996802862705187</id><published>2009-08-07T14:43:00.003+01:00</published><updated>2009-08-07T16:38:22.889+01:00</updated><title type='text'>Home Office riposte on ID Card hack</title><content type='html'>Those of you with any interest in cricket will know that today is the first day of the 4th Test Match between Australia and England for the Ashes. With the series standing at 1-0 to England (2 matches having ended in a draw), the 4th Test (out of 5) could be the clincher. Not that I'm a cricket buff in any way - but it's a good excuse to get a couple of those bewildering sports analogies into the blog post. 
(See bottom of post for approximate baseball translations...)&lt;br /&gt;&lt;br /&gt;The Home Office appeared to have been bowled a bit of a googly [1] yesterday, when it was reported that Adam Laurie had not only hacked the access controls on an ID Card chip, but had successfully copied the data onto another chip, modified an existing field and added new data in another. However, &lt;a href="http://www.kable.co.uk/idcards-hack-homeoffice-response-07aug09"&gt;this piece&lt;/a&gt; on the Kable site reports that the Home Office played a straight bat [2], denying outright that there was any evidence of a successful or viable attack.&lt;br /&gt;&lt;br /&gt;According to the spokesperson:&lt;br /&gt;&lt;blockquote style="font-style: italic;"&gt;"This story is rubbish. We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened," said a spokesperson. &lt;p&gt;"The identity card includes a number of design and security features that are extremely difficult to replicate. Furthermore, the card readers we will deploy will undertake chip authentication checks that the card produced will not pass. We remain confident that the identity card is one of the most secure of its kind, fully meeting rigorous international standards."&lt;/p&gt;&lt;/blockquote&gt;What's not quite clear is whether the phrase "personal data on the chip" has again been carefully chosen to allow for the possibility that personal data, once off the chip, could be modified successfully.&lt;br /&gt;&lt;br /&gt;As for the comments about authentication checks between the card, the chip and the reader: I remember studying a similar design exercise when I was working with the IBM 4753 device family in the early '90s. The 4753 was a smart card reader with an encrypting PIN pad; it included the option to connect to a 4755 cryptographic adapter (PC card), and also to have a biometric pen attached to it to produce a 'digitised signature'. 
The pen incorporated three sensors (one for pressure, and one each for the two dimensions of movement across the page), which it used to generate a digital 'map' of your signature and thence a cryptographic hash of the resulting data. The ratio of false accepts/rejects to correct accepts/rejects was pretty impressive, and seemed consistent whether you 'enrolled' with your signature or with some other pass-phrase. Unfortunately it was all a bit pricey.&lt;br /&gt;&lt;br /&gt;The other feature of the system was that each of the devices in a setup (the card reader, the crypto adapter and the smart card) was able to establish a pairwise, DES-encrypted session with each of the others.&lt;br /&gt;&lt;br /&gt;This meant that the session keys had to form part of a standard DES key hierarchy (session/data keys, key-exchange keys, and master keys). The role of the master key in this hierarchy is to encrypt/decrypt the key-exchange keys. Good practice says that your master key should be unique to each hardware device, and should never leave a protective hardware key-storage module, or KSM.  (Bear with me... this is going somewhere relevant...)&lt;br /&gt;&lt;br /&gt;In the PC adapter and the card reader, that KSM was about the size of a pack of cards, had a long-life battery back-up and several hardware protective mechanisms to prevent physical attempts to extract the keys. My favourite was the low-temperature sensor; it had been observed that, if you cool a memory chip sufficiently and then slice away at it with a microtome (thing used for preparing stuff you want to put under an electron microscope... makes very thin slices...), you could reveal the physical record of ones and zeroes and, in principle, recover the keys (a bit like reading the pattern of pits on the surface of a CD through a microscope). 
The low temperature sensor was there so that, if the KSM thought someone might be trying this, it would wipe the keys from memory.&lt;br /&gt;&lt;br /&gt;The point is that in the corresponding smart card format, the size constraints meant that it was impractical to apply several of these physical security measures - such as the temperature sensors or the battery backup. Lack of the latter meant that instead of being stored in volatile RAM, the smart card keys were written to EEPROM so that they could persist in the card.&lt;br /&gt;&lt;br /&gt;The adapter/reader KSMs also had a Faraday shield to prevent attempts to 'eavesdrop' on the module while it was at work. Obviously, that's not very practical in the smart card implementation, though, if you want to use contactless communication between the card and a reader.&lt;br /&gt;&lt;br /&gt;The bottom line is that, at least back then, the security of the key-store smart card depended to a great extent on the fact that it was very small, and was physically sandwiched between other parts of the chip. It was still more vulnerable to physical attack than its larger siblings, and such attacks were demonstrated by Ross Anderson and his students at the Cambridge University Computer Laboratory. 
(Incidentally, these physical attacks - and much more - are described in Prof Anderson's 600-page book on Security Engineering, &lt;a href="http://www.scribd.com/doc/2943945/Security-Engineering-by-Ross-Anderson"&gt;freely available online here&lt;/a&gt;, which is a belter of a read if you're at all interested in this sort of thing).&lt;br /&gt;&lt;br /&gt;The point is that whatever authentication protocols the smart card and reader undertake, the security of that communication is very likely to depend, ultimately, on the physical security of the smart card - and that imposes design constraints which can be extremely hard to overcome, especially if you want a card which is affordable at population scales of deployment.&lt;br /&gt;&lt;br /&gt;Adam Laurie's current attack may or may not be fatal in principle, and may or may not be viable in practice. It's impossible to tell, from the level of information in the public domain - but by the same token, it is also impossible to conclude, from that information, whether or not these ID card chips genuinely increase the security and integrity of the bearer's data.&lt;br /&gt;&lt;br /&gt;All in all, a very sticky wicket [3].&lt;br /&gt;&lt;br /&gt;[1] &lt;span style="font-style: italic;"&gt;googly&lt;/span&gt; : a ball which appears to be heading in one direction, but instead breaks the other way. Rough translation - a pitch which starts out looking like a Sinker, but turns into a Cutter (remember that in cricket the ball can hit the ground before reaching the batsman... which gives an opportunity for an abrupt change of direction).&lt;br /&gt;&lt;br /&gt;[2] &lt;span style="font-style: italic;"&gt;play a straight bat&lt;span style="font-style: italic;"&gt; &lt;/span&gt;&lt;/span&gt;: to maintain a resolute defence, often by playing a 'blocking shot' - though offensive strokes can also be played with a straight bat. 
'Keeping a straight bat' is a general principle which relates to the wisdom of keeping your bat well aligned with the (vertical) stumps it is used to defend. No direct equivalent in baseball, because in cricket the batsman has the option of hitting the ball and not running... but technically, the closest equivalent might be a bunt.&lt;br /&gt;&lt;br /&gt;[3] &lt;span style="font-style: italic;"&gt;sticky wicket&lt;/span&gt; : an unpredictable or difficult playing surface - hence, unpredictable or difficult circumstances. Again, no direct equivalent, because it refers to the area the ball bounces off before reaching the batsman.&lt;br /&gt;&lt;br /&gt;PS - at the time of writing, England are all out for a paltry 102 runs, while Australia have scored 79 for the loss of just one wicket. Not looking good for England.</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/4301996802862705187/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/08/home-office-riposte-on-id-card-hack.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4301996802862705187'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/4301996802862705187'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/08/home-office-riposte-on-id-card-hack.html' title='Home Office riposte on ID Card hack'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-2213585514104937515</id><published>2009-08-06T12:04:00.004+01:00</published><updated>2009-08-06T14:11:52.139+01:00</updated><title type='text'>The relentless march of progress</title><content type='html'>&lt;ul&gt;&lt;li&gt;&lt;a href="http://news.bbc.co.uk/1/hi/uk/5408534.stm"&gt;March 2006&lt;/a&gt; - UK introduces RFID-enabled, ICAO-compliant 'e-passports';&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.cio.co.uk/news/910/uk-rfid-passport-chip-cracked"&gt;March 2007&lt;/a&gt; - Adam Laurie demonstrates ability to unlock e-passport chip data for 'read' access;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece"&gt;August 2008&lt;/a&gt; - Jeroen van Beek demonstrates ability to clone e-passport chip and implant bogus images;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.dailymail.co.uk/news/article-1204641/New-ID-cards-supposed-unforgeable--took-expert-12-minutes-clone-programme-false-data.html"&gt;August 2009&lt;/a&gt; - Same techniques applied to clone UK ID card and modify its data.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;Technological progress being what it is, we can already see - over the 3 years since their introduction - the erosion of some of the security features of the RFID implementation: for instance, in response to the August 2008 attack, the Home Office responded that&lt;br /&gt;&lt;blockquote style="font-style: italic;"&gt;"it had yet to see evidence of someone  being able to manipulate data in an e-passport. A spokesman said: “No one  has yet been able to demonstrate that they are able to modify, change or  alter data within the chip. 
If any data were to be changed, modified or  altered it would be immediately obvious to the electronic reader.”&lt;br /&gt;&lt;/blockquote&gt;Note the careful phrasing there: "data &lt;span style="font-style: italic;"&gt;in&lt;/span&gt; an e-passport". What the attacks have demonstrated is that you can read the information off a chip, write it to another chip, and modify that version in such a way that it fools the standard  UN/ICAO "Golden Reader" software. These two pages give more details and are a useful counter-balance to the "e-passports cracked, nation doomed" headlines:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.os3.nl/2008-2009/epassport_eng"&gt;Q&amp;amp;A&lt;/a&gt; about Jeroen van Beek's hack, from 2008;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.theregister.co.uk/2006/08/04/cloning_epassports/"&gt;Register article&lt;/a&gt; on "how to clone an e-passport", from Aug 4th 2006 (yes, 3 years ago last Tuesday!)&lt;br /&gt;  &lt;/li&gt;&lt;/ul&gt; So, should we be surprised at this sequence of hacks? In one sense, no: essentially, all it illustrates is one of a set of basic principles about credentials. 
The diagram below shows how these attacks fit into that set of principles: in this instance, the 'weak link' comes when an authenticating party relies exclusively on the RFID chip to establish the connection between the credential and the person presenting it.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ZAC5dVE19pQ/SnrACpwmu7I/AAAAAAAAABc/ZTjLxb9auPI/s1600-h/credential-lifecycle.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 300px;" src="http://1.bp.blogspot.com/_ZAC5dVE19pQ/SnrACpwmu7I/AAAAAAAAABc/ZTjLxb9auPI/s400/credential-lifecycle.jpg" alt="" id="BLOGGER_PHOTO_ID_5366813057767357362" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;This diagram is just the latest embodiment of something I've been using since about 2005 to illustrate what I call the "chain of trust". That is: the purpose of a credential is to provide some level of proof that the person presenting it now 'is identical with' the person to whom it was issued. This is a narrow but very useful definition of the term 'identity'. What level of proof the credential can provide depends on the strength of several factors over the lifetime of the credential (and, indeed, its bearer).&lt;br /&gt;&lt;br /&gt;In the current sequence of hacks, what is being tested is the integrity of the credential as a whole (can bogus data be successfully encapsulated in a credential which appears genuine?), and the robustness of the authentication step (does it rely solely on the credential, or does it also involve comparison with an 'authoritative' repository?).&lt;br /&gt;&lt;br /&gt;The Home Office, IPS and ICAO have all pointed out that the attacks fail to overcome some of the safeguards built into the system as a whole. 
For instance, ICAO note that the passport hack would be revealed by a check against their PKD database; the UK authorities point out that a cloned ID card with the user's details modified will fail a check against the National Identity Register (assuming that that repository still contains the details of the user to whom the card was originally issued). Those defences are all true - but they do not prove that the implementation of these RFID chips is secure as a whole. They show that it is secure &lt;span style="font-style: italic;"&gt;in certain use cases&lt;/span&gt; - for instance, when the card is not used as a stand-alone authentication mechanism, but is used in conjunction with online access to other components of the system (such as the PKD or the National Identity Register) - and that checks against those components are, in turn, secure. They also show that in some entirely realistic use-cases - for instance, where an online check against the NIR or deployment of full-function card readers would be prohibitively expensive - the level of proof the credentials can deliver is substantially reduced.&lt;br /&gt;&lt;br /&gt;Again, the answer to the question 'should this surprise us?' is probably 'no'. On the other hand, let's not forget that successive proponents of the ID card scheme have given a hostage to fortune in the form of the phrase "the gold standard of identity". Some of them have even referred to commercial organisations "queueing up to rely on it as proof of identity".  
It is one thing to proclaim this as a political aspiration; it is, as the hacks have demonstrated since the chips' introduction, quite another to translate that into a comprehensive implementation which delivers the same 'gold standard' to all relying parties.&lt;br /&gt;&lt;blockquote&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-2213585514104937515?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/2213585514104937515/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/08/relentless-march-of-progress.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2213585514104937515'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/2213585514104937515'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/08/relentless-march-of-progress.html' title='The relentless march of progress'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_ZAC5dVE19pQ/SnrACpwmu7I/AAAAAAAAABc/ZTjLxb9auPI/s72-c/credential-lifecycle.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-3476671359948721426</id><published>2009-08-04T14:03:00.004+01:00</published><updated>2009-08-04T15:17:23.932+01:00</updated><title type='text'>Can the 
National Identity Scheme be operated safely?</title><content type='html'>Several people I've spoken to recently have remarked that real-time social media like Twitter seem to reduce the frequency with which they blog... and I suspect it's the same for me. It's partly because Twitter soaks up time, and partly because it also soaks up some of those spur-of-the-moment ideas and comments which otherwise might have developed into fully-fledged postings. However, looked at the right way, I guess that might also signal a flight to quality rather than quantity of blog posts. Here's hoping...&lt;br /&gt;&lt;br /&gt;But I digress - or whatever a digression is called when it comes at the beginning, rather than part way through.&lt;br /&gt;&lt;br /&gt;I've just got back from last week's Burton Catalyst conference in San Diego - an excellent event, by the way, and congratulations to the Burton Group analysts who did such a good job of adding value, both through their own subject-matter expertise and by making introductions and connections so constructively between attendees. Over lunch, I got into a discussion with one of the analysts about the UK National Identity Scheme (NIS), whether or not it was a good idea, and whether or not there are reliable grounds for opposing it. 
As ever, discussing UK policy while abroad gave a great opportunity to look at it from a different perspective.&lt;br /&gt;&lt;br /&gt;The view he expressed was, essentially, that there isn't a good reason to oppose ID Cards on the basis of their use for e-government service delivery - the benefit of reliable authentication for joined-up government is worth having; however, there's a risk involved if you suspect that the government lacks the competence to run such a scheme securely, and that risk might outweigh the potential benefit.&lt;br /&gt;&lt;br /&gt;There were two other points which we noted and then moved on:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;first, that there are those who feel the National Identity Scheme is currently unaffordable;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;second, that cancelling the 'small, visible, individual plastic card' component of the system does nothing to mitigate the risk of operating the 'large, invisible, mass-scale repositories' component of the system.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;So, what of the question of competence? Well, the &lt;a href="http://www.computerweekly.com/Articles/2009/08/04/237162/nine-sacked-over-national-identity-scheme-breaches.htm"&gt;picture revealed by ComputerWeekly&lt;/a&gt;'s FoI requests is not entirely reassuring. They list a number of breaches involving inappropriate insider access to records in the CIS (Customer Information System) database, one of the three major repositories in the Scheme. On the one hand, some breaches are indeed being discovered and those responsible are being disciplined (including dismissal). 
A DWP spokesman is quoted as saying that  "the small number of incidents shows that the CIS security system is working".&lt;br /&gt;&lt;br /&gt;On the other hand, the article questions whether all breaches are actually being noticed (and/or reported), and suggests that many were only discovered after sample checks, rather than through alerts being triggered.&lt;br /&gt;&lt;br /&gt;There's also the issue of how many people have, or will have, access to the data held in the NIS. Currently it stands at about 200,000 civil servants, across 480 local government bodies and a number of central government departments. That figure will increase as data-sharing between the CIS and other departments such as the DVLA (Driver and Vehicle Licensing Agency) is put in place. Interestingly, a case study on the DWP's own website gives this description of the  DVLA's 'purpose of use' for access to the CIS:&lt;br /&gt;&lt;blockquote style="font-style: italic;"&gt;"to confirm receipt of higher rate mobility component of Disability Living Allowance for entitlement to exemption of vehicle licensing duty"&lt;/blockquote&gt;That's really quite specific. Indeed, it might lead one to wonder whether that purpose makes it proportionate to expose the CIS' 92,000,000 records to the DVLA user population. It's not easy to find out the size of that population, but according to the DVLA's annual report for 2007-2008 there were about 6,500 people on their payroll (this does not necessarily include those employed as part of 'contracted-out services', a separate item in the accounts).&lt;br /&gt;&lt;br /&gt;The stated purpose also makes it legitimate to wonder what safeguards are in place to ensure that the data are not accessed for other purposes. The DVLA itself does not have an especially happy history where data sharing is concerned. 
After it reported £6.3m of income from selling motorists' information to third parties, the government drafted new rules on acceptable use and sharing.&lt;br /&gt;&lt;br /&gt;Returning, then, to the question of competence to run the National Identity Scheme securely: the DWP says it's doing a good job of keeping the CIS secure, despite a small number of identified insider breaches; but the CIS is only one of three major repositories in the Scheme, each owned by a different department. All three of them need protecting if the whole is to be meaningfully secure. Then there's the issue of securing access by 'user' departments such as the DVLA: the difficulty of doing that grows with each department added, and the growth is almost certainly exponential rather than linear.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-3476671359948721426?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/3476671359948721426/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/08/can-national-identity-scheme-be.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3476671359948721426'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3476671359948721426'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/08/can-national-identity-scheme-be.html' title='Can the National Identity Scheme be operated safely?'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-3453425465825262743</id><published>2009-07-27T10:49:00.003+01:00</published><updated>2009-07-27T13:56:43.794+01:00</updated><title type='text'>A pointer to "Tech And Law" blog</title><content type='html'>Some excellent posts on the Tech and Law blog, which deserves to be in your feed-reader (and not just because I get a mention ;^).&lt;br /&gt;&lt;br /&gt;Notably good pieces on:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;the sensible and other uses of RFID in credentials;&lt;/li&gt;&lt;li&gt;the apparent poor maturity of UK ID Card plans relative to those of other EU member states;&lt;/li&gt;&lt;li&gt;plans for US Government ID schemes to cater for anonymity and pseudonymity;&lt;/li&gt;&lt;li&gt;Conservative plans to get rid of ID databases, not just ID cards...&lt;/li&gt;&lt;/ul&gt;There's also a post (21st July) on Daniel Solove's recent comments about privacy, gossip and the indelible Web. This is a theme which I think is going to filter into the collective consciousness - and the sooner the better, I think. It's one which I have summed up recently as follows:&lt;br /&gt;&lt;br /&gt;There's no such thing as "social networking". There's "social interaction" and there's "networking". If you assume that both operate by the same rules (regardless of how tempting appearances may make that assumption) you're fooling yourself. Admittedly, that's just what a lot of us are doing these days - but we don't yet know what the implications of that mass consensual delusion are.&lt;br /&gt;&lt;br /&gt;Anyway, head over to &lt;a href="http://blog.tech-and-law.com/"&gt;Tech &amp;amp; Law's new URL&lt;/a&gt; and have a read. 
As Chaucer put it:&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;/span&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;"Ye get namore of me&lt;/span&gt;&lt;em style="font-style: italic;"&gt;&lt;/em&gt;&lt;span style="font-style: italic;"&gt;, but ye wole rede  /  Th'origynal that telleth al the cas[e]".&lt;/span&gt;&lt;/blockquote&gt;&lt;span style="font-style: italic;"&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-3453425465825262743?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/3453425465825262743/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/07/pointer-to-tech-and-law-blog.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3453425465825262743'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3453425465825262743'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/07/pointer-to-tech-and-law-blog.html' title='A pointer to &quot;Tech And Law&quot; blog'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-746516272150220719</id><published>2009-07-25T21:11:00.002+01:00</published><updated>2009-07-25T21:12:31.498+01:00</updated><title type='text'>What should appear on an ID card?</title><content type='html'>Can we really have got this far 
without a completely clear idea of what human-readable data should appear on a UK national ID card?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://news.bbc.co.uk/1/hi/uk_politics/8168165.stm"&gt;It would appear so&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-746516272150220719?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/746516272150220719/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/07/what-should-appear-on-id-card.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/746516272150220719'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/746516272150220719'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/07/what-should-appear-on-id-card.html' title='What should appear on an ID card?'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-3509605898718675061</id><published>2009-07-24T22:06:00.003+01:00</published><updated>2009-07-24T22:20:12.390+01:00</updated><title type='text'>Marketing expertise...</title><content type='html'>Have been thinking, recently, about how to improve the visibility and image of Future Identity Ltd.. After considerable thought, have concluded that the PR Agency to engage is whoever it was that came up with the term "Athlete's Foot". 
Think about it...&lt;br /&gt;&lt;blockquote&gt;"Hey, how would you like to have a high-performance, athlete's foot instead of those merely normal feet you have now?"&lt;br /&gt;&lt;br /&gt;"Wow... athlete's feet, those sound much better than normal feet... or 'foot fungus', come to that."&lt;br /&gt;&lt;/blockquote&gt;See what I mean? By contrast, think of the humble verruca or plantar wart. Clearly didn't engage the same high-calibre team. Otherwise it would be called something like "amphibious foot"...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-3509605898718675061?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/3509605898718675061/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/07/marketing-expertise.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3509605898718675061'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3509605898718675061'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/07/marketing-expertise.html' title='Marketing expertise...'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-3976193484101618234</id><published>2009-07-23T13:55:00.002+01:00</published><updated>2009-07-23T14:10:28.839+01:00</updated><title type='text'>UK e-Borders faces practical 
challenges</title><content type='html'>There's a good &lt;a href="http://www.computing.co.uk/computing/analysis/2246452/borders-moves-ahead-carriers-4761776"&gt;piece in Computing today&lt;/a&gt; on the UK's e-Borders programme - the project to extend and digitise passport checks on travellers heading for the UK. It rightly raises the prospect of challenges to the system over issues like cost, and compliance with EU laws on data-sharing and freedom of movement.&lt;br /&gt;&lt;br /&gt;However, there are some foreseeable practical issues as well, and the commercial carriers who will be responsible for much of the 'front-office' implementation are already voicing their concerns. The programme director, Julie Gillis, is quoted as saying that:&lt;br /&gt;&lt;br /&gt;&lt;blockquote style="font-style: italic;"&gt;“There is no system yet in place for maritime and that’s why they’re not going live until 2010,” Of those implementers who have gone live, she says “We’ve had no one report to us yet they have suffered problems with queues.”&lt;/blockquote&gt;Facial biometric checking is already included in the system's design, and from 2011 fingerprints are to be added - and the functional requirements mean that the systems to carry out these checks have to be put in place by the carriers at the point of embarkation.&lt;br /&gt;&lt;br /&gt;That must be one reason why there's no system in place yet for maritime travellers: the practicalities of checking either facial or fingerprint biometrics for a car-full of passengers - let alone a coach-load - must inevitably mean radical and major changes to the way in which ferry travellers are processed.&lt;br /&gt;&lt;br /&gt;With all respect to Ms Gillis, I would say the chance of all maritime carriers going live with such a process in 2010 &lt;span style="font-style: italic;"&gt;and reporting no problems with queueing time&lt;/span&gt; is zero. 
If we assume that there is the political will to force through change on the scale (and at the cost) required to meet those objectives, there would still be serious questions to answer about the proportionality of what is being proposed.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-3976193484101618234?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/3976193484101618234/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/07/uk-e-borders-faces-practical-challenges.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3976193484101618234'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/3976193484101618234'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/07/uk-e-borders-faces-practical-challenges.html' title='UK e-Borders faces practical challenges'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-5735733017397192574</id><published>2009-07-20T15:06:00.006+01:00</published><updated>2009-07-23T13:55:08.797+01:00</updated><title type='text'>UK DNA policy - four uneasy pieces</title><content type='html'>Some thoughtful challenges to the government's policy plans on DNA retention have appeared recently. 
The current policy is under review because of a European Court of Human Rights ruling that the retention of DNA from those who are arrested but not subsequently charged breaches EU law.&lt;br /&gt;&lt;br /&gt;- &lt;a href="http://www.guardian.co.uk/politics/2009/jul/19/dna-database-crime-privacy-discrimination"&gt;Article in the Guardian&lt;/a&gt;, arguing that the current policy proposals are based on flawed evidence and interpretation;&lt;br /&gt;&lt;br /&gt;- &lt;a href="http://www.newlawjournal.co.uk/index.php/latest-news/keeping-the-dna-link"&gt;Paper&lt;/a&gt; by two professors from Lancaster University, cited in the Guardian article;&lt;br /&gt;&lt;br /&gt;- Blog post on &lt;a href="http://www.badscience.net/2009/07/is-this-a-joke/"&gt;Dr Ben Goldacre's "Bad Science" blog&lt;/a&gt; with some trenchant criticisms of the Home Office research into the statistics of criminal activity;&lt;br /&gt;&lt;br /&gt;And here's the &lt;a href="http://www.homeoffice.gov.uk/documents/cons-2009-dna-database/"&gt;Home Office consultation paper&lt;/a&gt; referred to by Dr Goldacre.&lt;br /&gt;&lt;br /&gt;Here are a couple of statements I found in these sources, which indicate some of the difficulties of formulating policy statements on the basis of statistical investigation:&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;"innocent people who have been arrested are as likely to commit crimes in the future as guilty people"&lt;/span&gt; - Assertion from the Home Office paper&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;"half of all crimes are committed by something like 6% of persistent offenders"&lt;/span&gt; - comment by Prof. Keith Soothill (University of Lancaster)&lt;/blockquote&gt;I find it hard to see how both of those statements can be true... 
but then, that's probably why statistics and I have never really got on.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-5735733017397192574?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/5735733017397192574/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/07/uk-dna-policy-four-easy-pieces.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/5735733017397192574'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/5735733017397192574'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/07/uk-dna-policy-four-easy-pieces.html' title='UK DNA policy - four uneasy pieces'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-6653578755002227464</id><published>2009-07-18T11:30:00.003+01:00</published><updated>2009-07-18T11:43:55.126+01:00</updated><title type='text'>Is 118800 a red herring?</title><content type='html'>You know what? I'm actually starting to feel twinges of sympathy for the folks at Connectivity. 
There are two pieces in the Guardian devoted to the suspension of their mobile directory enquiries services, &lt;a href="http://www.guardian.co.uk/technology/2009/jul/18/mobile-phone-directory-number-privacy-118800-angry"&gt;one from yesterday&lt;/a&gt; and &lt;a href="http://www.guardian.co.uk/commentisfree/libertycentral/2009/jul/17/privacy-mobile-phone-directory"&gt;one from today&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Now, I'm not trying to argue that basing the service on an "opt out" principle was a good idea - it wasn't. But at least Connectivity set it up in such a way that you would first find out that someone had looked you up, then have the opportunity to decide whether or not to take the call, and then have the option of asking to be removed from the list. All this would happen without the requesting party being told your number. So in a way, there was at least a certain amount of privacy-friendliness built into the &lt;span style="font-style: italic;"&gt;protocol&lt;/span&gt;. Whether that made it a good idea for Connectivity to be sitting on a database of numbers which might get shared with other service providers is another question entirely.&lt;br /&gt;&lt;br /&gt;However, any slight twinges of sympathy at Connectivity's plight are (and should be) rapidly displaced by a concern that all this high-profile coverage is distracting us from a more significant issue: namely, the means by which Connectivity were able to populate their directory in the first place. As I've suggested above, the way they set up their enquiry protocol shows at least some concern for the data subject's privacy. 
The same cannot be said for those data brokers who handed over their subscriber lists to Connectivity in the first place.&lt;br /&gt;&lt;br /&gt;It's just that, as they are not in a part of the food chain which is normally visible to the data subject, they don't come under the same kind of scrutiny as the company which delivers a service direct to the consumer.&lt;br /&gt;&lt;br /&gt;For all the focus on Connectivity, we should not pass up on this opportunity to shine the spotlight on the behaviour and regulation of the intermediaries who made Connectivity's business model possible.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4450154254120336229-6653578755002227464?l=futureidentity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://futureidentity.blogspot.com/feeds/6653578755002227464/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://futureidentity.blogspot.com/2009/07/is-118800-red-herring.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/6653578755002227464'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4450154254120336229/posts/default/6653578755002227464'/><link rel='alternate' type='text/html' href='http://futureidentity.blogspot.com/2009/07/is-118800-red-herring.html' title='Is 118800 a red herring?'/><author><name>Robin Wilton</name><uri>http://www.blogger.com/profile/04346208043850215328</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4450154254120336229.post-5402736660550153270</id><published>2009-07-17T14:22:00.004+01:00</published><updated>2009-07-23T14:45:26.740+01:00</updated><title type='text'>Detica MD describes UK privacy debate as "immature"</title><content type='html'>The MD of UK defence contractor Detica, Martin Sutherland, is quoted in &lt;a href="http://www.theregister.co.uk/2009/07/17/detica_sutherland/"&gt;this Register article&lt;/a&gt; as saying that the UK privacy debate is 'immature'. (Thanks, by the way, to &lt;a href="http://twitter.com/privacyint"&gt;@privacyint&lt;/a&gt; for the p
