Robin Wilton's esoterica

Well, without any great fuss or fanfare, I've had a couple of 'firsts' in the last few days. Last Thursday I met Kim Cameron for the first time, along with Caspar Bowden and Jerry Fishenden, and we had a very engaging chat about identity, liberty (with and without a capital L ;^), privacy and related matters. Many thanks to Jerry, Microsoft's UK National Technology Officer, for hosting that one. And yesterday I had my first visit to Microsoft's UK campus at Thames Valley Park. In the interests of 'breaking them in gently', I felt I had to wear my "Sun Java Web Services" shirt. Well, I think they are going to need to get used to seeing a Sun logo onsite a lot more than it would have been in the past! And no, the shirt did not spontaneously ignite as I walked through the badge-locked doors... And on the 'flammability' theme, I have to report that our hosts didn't have horns, tails or little pointy forks. In fact, we had a very positive and relaxed meeting and made huge progress. Thanks this time to Gary Kelly for hosting us and making us feel extremely welcome. I genuinely look forward to working with you and your colleagues over the coming months... I probably should have handed this in at reception on the way out, but under the circumstances it seemed a good souvenir!

My colleague Chris Gerhard has raised concerns about whether the UK ID Card Bill requires one to carry the card. Charles Clarke seemed adamant this morning that it actually rules that out - so I thought I had better have a look. Section 18 of the bill actually prohibits anyone from requiring one to produce the card as a means of identifying oneself. Seems pretty clear-cut... except that, as usual, there is then a series of internal references to the exceptions to this rule, documented in other parts of the bill. I think these go as follows: Section 18 says that its own Subsection 2 sets out the exceptions. Subsection 2 says you can be obliged to identify yourself by producing your card if... it's for a reason set out in Section 15, OR you are offered a reasonable alternative way of identifying yourself (!?), OR if you are "the kind of person who is subject to compulsory registration". So let's follow the trail. Section 15 says that you can be obliged to identify yourself by producing your card IF the person asking you to do so is asking because they are then going to provide you with some (public) service. In other words, service provision can be made conditional on identifying yourself. There will be services you cannot have if you choose to remain anonymous. That's interesting, because I believe you cannot normally be required to forfeit a constitutional right for contractual purposes... (but I'd have to ask a lawyer). So clearly the government believes we do not have a constitutional right to anonymity. I think this provision fails to recognise the clear difference between "asserting my identity" and "asserting my citizenship" - whereas I think it is quite possible to assert my citizenship without having to reveal my identity. The European Commission's policy is much more citizen (and privacy) friendly in this regard, as are a substantial number of other European countries. But back to the trail: it seems very odd to say "you may be obliged to identfy yourself by producing your card IF you are offered an alternative and reasonable way of identifying yourself", and yet that's exactly what Section 18(2)(b) seems to say. It's hard to read it any other way. Finally, the Home Secretary can define "a description of individuals" who can be obliged to register for an ID card... and anyone who falls into such a category can then be required to produce their card. Sections 6 and 7 of the Bill describe what he has to go through in terms of parliamentary oversight in order to define such a category. Clear? Phew... Technorati Tag:identity

UK Home Secretary Charles Clarke, using the BBC Radio 4 "Today" programme to try to defend his National ID Card proposals, today launched an extraordinary personal attack on Simon Davies, one of the authors of the LSE report I cited yesterday. He described Davies as "partisan", the report as "technically incompetent" and its cost estimates as "fabricated". Whereas the ID Card Bill itself is, as we know, entirely non-partisan, technically flawless and based on a transparent and comprehensive cost analysis. [hollow laugh]

Of course, in the spin-heavy world of politics, resorting to such personal attacks usually means the rational argument has been lost. So let's look at specifics. The example Mr Clarke used when disputing the LSE report's cost estimates was that of the expected lifecycle of the ID Card.

The report notes that current UK passports expire every 10 years, and therefore that if an ID card has to be renewed every 5 years, the cost of issuing can be expected to roughly double. The relevance of linking ID cards and passports is that the Government proposals have had to combine the two in order to reduce the cost of ID Cards to anything remotely acceptable. According to Mr Clarke, the cost of issuing an ID Card if done at the same time as registration for a biometric passport will be £20-£30. The cost of the passport itself is about £65. Although asked, he would not give a figure for the cost of issuing an ID Card without a passport.

So is a 5-year lifespan a realistic estimate? The report issued by Justice and law firm Clifford Chance in December 2004 is a useful course of comparative data on this topic. Their research into ID Card schemes in other countries found the following:

• Germany: 5 year lifespan from age 16 to 26 (i.e. 3 cards in the first 10 years); thereafter, 10 years.

• Hungary: no biometrics... card only costs €6

• Spain: 5 year lifespan from age 14 to 30 (i.e. 5 cards in the first 16 years); thereafter, 10 years

• Thailand: 6 year lifespan

• Finland: 5 year lifespan, card optional, no biometrics.

A working estimate of 5 years doesn't look out of line to me. Then there's the technological factor. The Justice report also notes that the performance of biometric systems for facial recognition "degrades at around 5% per year". So after 5 years you could expect a facial recognition system to have a one in four chance of returning an incorrect authentication response (assuming it ever achieved 100% in the first place, which is currently impossible). The House of Commons' own research report into ID Cards is similarly pessimistic about the ability of facial biometrics to perform on a large scale.

But what of biometrics other than facial recognition (I hear you mutter...)? The Justice report points out that Iris recognition performs best, but unfortunately is 'owned' by a single patent-holder, and is therefore extremely costly. Fingerprint recognition appears to be, if anything, worse than facial: it is easily spoofed with "gummy fingers" made from gelatine, and there is a high incidence of inconsistency if different readers are used for registration and verification. The remedy for this being: premature re-enrolment (with all the cost and inconvenience that implies).

I'm sorry Mr Clarke, but on that basis, a personal attack on Mr Davies does more to undermine your ID Card Bill than almost anything... short of actually reading the Bill itself. Technorati Tag:identity

Tomorrow (June 28th 2005), the UK ID Card Bill will go before parliament. Today, the London School of Economics (LSE) publicly launched its report on the ID Card proposals. Here's a link to their summary web-page . I have copied several quotations from the 'overview' version of the report, below. One of the most telling comments in the report is perhaps also one of the more oblique: "There is a surprising degree of agreement between the findings of this report and the conclusions of the Home Affairs Committee on the draft Identity Cards Bill. This report agrees in whole or part with 79 of the 85 relevant recommendations in the HAC report (these are set out in detail in Appendix 1). This concurrence is a crucial test of the strength and validity of both reports." Now, if you look at the HAC report, it is in favour, in principle, of an ID Card scheme, but makes dozens of recommendations as to how the draft Bill should be amended. 63, to be precise. I know that, because those nice people at Privacy International counted them for me... ;^) You can find PI's analysis here. It may depress you, because they note that of the 63 recommendations, two were adopted and three partially adopted - in other words, 92% were ignored. In case you suspect that's because the HAC's report was simply unrepresentative, PI's analysis also notes the following: "Prior to the general election the Joint Committee on Human Rights, the Constitution Committee, the Home Affairs Committee and the London School of Economics each published authoritative reports that analysed the original Bill. In total, these reports contained 105 concerns and recommendations that were critical of the original Bill. The government has adopted or partially reflected 9 of those 105 recommendations in the wording of the new Bill." So what kind of things does the LSE report say? Here are some quotations, which I will admit are selective; but I challenge you to read the report and conclude that they are un-representative: "The report's conclusions are first, that, the scheme will involve considerable expenditure. Second, the proposals will alter the nature of British society. The proposals involve important choices that necessitate a wide ranging national dialogue. The LSE's report is an important contribution to that dialogue. The report also outlines a possible alternative system that promises to be flexible, less expensive and as friendly to civil liberties and privacy as any card system can be in the modern age. It also creates a consumer based platform for the development of egovernment and e-commerce services." Howard Davies, Director, LSE (Howard Davies ought to know something about the enforcement of complex policies - he was the first head of the Financial Services Authority, a body set up to unify regulation and enforcement across the whole UK financial services industry). "I have expressed my unease that the current proposal to establish a national identification system is founded on an extensive central register of personal information controlled by government and is disproportionate to the stated objectives behind the introduction of ID cards. I am pleased that [the LSE] report has been able to identify a blueprint for a national identity system that does not involve the creation of an extensive central register and government held data trail of each time a card is used. The report makes clear that a system which minimises the amount of personal information generated and held by the government on card holders can be established without sacrificing the essential attributes of security, reliability and trust in the system." Richard Thomas, Information Commissioner (Richard Thomas ought to know something about the implications of the ID Card Bill - he's currently the head of the body responsible for monitoring the Data Protection and Freedom of Information Acts in operation.) From the summary report itself: "The risk of failure in the current proposals is therefore magnified to the point where the scheme should be regarded as a potential danger to the public interest and to the legal rights of individuals." And are ID Cards the answer to the problem? (Bearing in mind that the Information Commissioner considers it to be disproportionate). "The Report does not challenge or debate the principles that underpin the proposals. The goals of combating terrorism, reducing crime and illegal working, reducing fraud and strengthening national security are accepted a priori as legitimate responsibilities of government. The report does, however, challenge assumptions that an identity card system is an appropriate, safe and cost-effective way to achieve those goals." Well, that depends what you mean by 'problem'... "There is no evidence to support the use of identity fraud as a justification for the current identity card model." "Benefit fraud through false identity is relatively rare and we believe the cost of introducing an identity card in the benefits environment would far outweigh any savings that could be made." ... and what you mean by 'answer': "From a security perspective, the approach to identity verification outlined in the Identity Cards Bill is substantially, perhaps fatally flawed. In consequence, the National Identity Register may itself pose a far larger risk to the safety and security of UK citizens than any of the problems that it is intended to address." That aside - is it legal? The LSE report summary cites 9 instances where the Bill may contravene or infringe on existing legal rights, including the following: "EU Directive 68/360 governing the rights and conditions of entry and residence for workers may make it unlawful for the government to require non-UK EU citizens to obtain a UK identity card as a condition of residence." The report also notes that: "The Government has consistently asserted that that biometrics proposals, both in the new UK passport format and in the identity cards legislation, is a harmonising measure required by international obligations, and is thus no different to the plans and intentions of the UK s international partners. There is no evidence to support this assertion. We find that the Government is unnecessarily binding the identity card scheme to internationally recognised requirements on passport documents. By doing so, the Government has failed to correctly interpret international standards, generating unnecessary costs, using untested technologies and going well beyond the measures adopted in any other country that seeks to meet international obligations. Even in countries with identity cards, numerous safeguards prevent the development of a system similar to the one proposed here." Most of the headlines on this today have been about the projected costs, but as I've mentioned those in a previous post, I won't re-iterate the argument. All in all, it is hard to find any way of interpreting this as a well-thought out piece of legislation deserving of the support and trust of an adequately informed public. Technorati Tag:identity

Last week I had the chance to be on a speaker panel at the Delivering Effective Innovation event hosted by Osney Media. First one of their events I have taken part in, and I found it very interesting. Unlike the standard conference format, Osney set theirs up on a 'round-table' basis, so in between each presentation the tables 'convene' to discuss some aspect of what they have just heard, and then feed back to the room as a whole, with thoughts, comments or further questions. As a panellist, I found this gave the whole thing a great dynamic: it's a real ice-breaker, and there's very little of the "us and them" feeling which the standard auditorium presentation set-up often creates. Many thanks to Osney, and of course to all the other participants, who could not fairly be called an 'audience'! It was also good to have to devote some thought to the "Innovation" theme, rather than my more usual "Identity" gig. I thought about some of the innovators at Sun: John Gage (who encapsulated Sun's strategy, "The Network Is The Computer"); Whit Diffie (co-inventor of public key cryptography, and one of the first Sun speakers I ever shared a stage with); Bill Joy (inventor of Java); not forgetting Scott McNealy and Jonathan Schwartz, who consistently push us to innovate in the way Sun does business. I don't want to get mushy here, but it occurred to me that, of the places I have worked, Sun is probably the closest to what I would call a "Commercial Technocracy". It's a company where a genuine value is placed on techies, and they have the opportunity to contribute to the company at the highest level. You really can have an MBA and a ponytail. Which is a bit worrying, as I have neither... Technorati Tag:innovation

Usually I just add a one-liner to my "Bookworm" list in the right-hand sidebar with whatever I'm reading at the moment, but yesterday I found a book which is worth a post, given its topic. The book is "Spying with Maps" by Mark Monmonier, published by the University of Chicago Press. Prof. Monmonier applies a great deal of subject-matter expertise to the topic of maps, geographic information systems (GIS) and geospatial technology, and explains how it works, how it has evolved, and how it can be applied in areas as diverse as law enforcement, agriculture, traffic management and of course intelligence. He then adds the social dimension and looks at issues of privacy, consent and instrusion, ending with a postscript on the question of whether locational privacy is (or should now be recognised as) a basic right. It's only 200 pages, interesting and nicely written (though the proof-readers missed a few things) - and even in the first couple of chapters, full of those moments when you look up from the page and mutter "Good Lord! Can they do that?" or "Hmmm... so that's how it works...". I think he gets the balance just right between geeky (well, it is a potentially techie subject...!) and readable. Here's a link to it on amazon.co.uk And on amazon.com The Disclaimer: I have no commercial/financial/other stake in amazon, University of Chicago Press or Prof. Monmonier's royalties. My only purpose in recommending this book is to alert you to a published work which I found interesting.

Here's a link to the FIA's response to the charges levelled at it in the row over the Indianapolis Grand Prix fiasco. To be fair, Mosley has a point with some of what he says. If there is a tried and tested process for approving the layout of each circuit, then there's a liability associated with applying changes to a circuit at short notice. That said, some of the commentators at the Brickyard on the day were saying that the circuit itself had procedures for installing temporary chicanes, so I don't think we're getting the full picture on that one. I still find it hard to believe that the FIA, with all its protestations about safety and liability, was seriously suggesting that 6 cars should go through the banked corner with the tap full on, while the other 14 went through it at some lower, but unspecified speed. Entering a chicane at the same point on the track each lap just has to be safer than going into a corner wondering which of the other 60% of runners you're suddenly going to be closing on at upwards of 80mph. Or the other alternative was that they should by-pass that corner by taking to the pit lane on every lap instead... thus generating a sustained traffic through an area which isn't designed for it. Clusters of pedestrians, other cars actually on pit-stops, not drive-throughs. If anything, even more likely to cause an accident. Lunacy. However, none of the FIA's remarks address the key point of governance. For all their regulations and procedures, they were unable to cope with the failure of a business-critical component. And in an industry of their size and value, that's an unacceptable failure both of management and of accountability. But enough of this. I will simply say the one thing guaranteed to inflame anyone with a serious view on the topic: It's only a game. ;^)

I thought I would have cooled off about this by now, but I have today had a chance to read the correspondence which passed between, on the one hand, Michelin and the racing team bosses, and on the other, the FIA (Formula One's governing body). The Michelin letter explained that there was a safety problem with the tyres it had supplied, acknowledged that was their problem, and on safety grounds said they could not let teams race using their tyres at full speed on the Indy circuit's unique banked section. They recommended reducing the cars' speed over that section of the circuit - in their subsequent letter they clarified that this should be through a change to the configuration of the circuit (i.e. the safety chicane which was under discussion). Michelin-FIA correspondence The FIA's response was uncompromising. They pointed to the rule book. Track layout can't be changed. Cars could race with tyres other than those which they qualified on, but that would be a rule breach for consideration by the stewards and a heavy penalty. These arguments have some weight, in that F1 is, and needs to be, a heavily-regulated sport. However, they fail to address two major factors:

• - The sport's huge community of paying stakeholders: the fans, who were utterly let down;
• - The state of the FIA's contingency planning, as a multi million dollar enterprise.

The FIA sets the rules; it has a massive rule-book which sets out all the race procedures, and is frequently used to penalise drivers and teams for infractions which can be technical, procedural, safety-related etc... but they always find something in there they can cite. But not, apparently, in case of the failure of a major critical point: one of the two tyre suppliers to the whole enterprise. If the FIA were your business, and you couldn't run it without two of your key vendors, would you have a fallback? And if you had no fallback and the worst happened, would you expect to take the blame? Last, let's look at the safety aspect: as most people have acknowledged, Michelin, having identified the problem (and seen two of their tyres fail at speed on the circuit during practice), did the only thing they could: recommend that the tyres should only be used if speed is reduced on the key part of the circuit. The teams, given that advice (and having seen tyres fail after very little track time), did the only thing they could: tell the drivers not to race. Here's what the FIA suggested by way of mitigation, in their letter (I am quoting a part of the letter, but this part is reproduced in full): "... No doubt you will inform your teams what is the maximum safe speed for their cars in Turn 13. We will remind them of the need to follow your advice for safety reasons. We will also ask them to ensure their cars do not obstruct other competitors. Some of the teams have raised with us the possibility of running a tyre which was not used in qualifying. We have told them this would be a breach of the rules to be considered by the stewards. We believe the penalty would not be exclusion but would have to be heavy enough to ensure that no team was tempted to use qualifying [sic] tyres in the future. Another possibility would be for the relevant teams repeatedly to change the affected tyre during the race (we understand you have told your teams the left rear is safe for a maximum of ten laps at full speed) ..." So their response is to have some cars driving through the (unmodified) banked corner at some speed specified by the tyre manufacturer, while the other cars come through it flat out. Or to play Russian roulette with each set of tyres, coming in "just before they let go" for a safety-related tyre change. And these recommendations are signed by Charlie Whiting, the Race Director, responsible for the safety of those concerned. I find that hard to believe. I'm afraid I stick by yesterday's judgement - this was a shameful farce, and the fans and competitors deserve better. For a more measured but equally angry comment, see Bill's blahg, here.

I was hoping to settle down with a malt-based beverage and enjoy the US F1 Grand Prix at the Brickyard today, but that ain't happening. Thanks to a foul-up by the major tyre supplier, Michelin, and the intransigence of those who declined to allow an extra "safety" chicane to be added to the track, 70% of the cars have withdrawn from the race, leaving two Ferraris a free run at the podium. Realistically, they cannot be seriously challenged by the Jordan and Minardi teams who are the only other runners left. Well, I know there are many Formula 1 fans in the US these days, and all I can say is, I am embarrassed, ashamed and dismayed at the way the sport has treated them all at Indianapolis today. My "blogpal" Bill Walker is a keen supporter, I know, but today's fiasco must surely dent even his enthusiasm. Personally, I am not interested in watching a 6-car "formality" race, so I thought I would vent some spleen into the blogosphere instead. What a farce. Do I want to watch the rest of the season? Frankly, no. I am no longer interested in the result of the championship after this debacle, though I have to admit, the prospect of a new circuit in Turkey might lure me back out of curiosity.

The Gilbert and Sullivan "Model of a Modern Major-General" song has been recycled more than once, often memorably (Tom Lehrer's "Song of the Elements" being a great example). In that fine tradition, here's one I was alerted to today which looses several accurate barbs at the current UK ID card plans. Enjoy... UK ID Cards - What the Singing Dog Thinks Technorati Tag:identity

I was on a panel yesterday at this very informative conference, and one of the questions from the audience was "does the panel think that the City of London is a good or a bad place to practice money-laundering?". The response was that it's both... it's bad, in that it is quite highly-regulated. It's good in that it has a huge throughput of transactions into which to insert those of a more dubious nature. And because it has a reputation for probity and integrity, if you do manage to subvert the system, your dubious transactions could appear all the more trustworthy for that. Naturally it occurred to me that the same principles can be applied to identity (and happily, I got a chance to say so... ;^) : a single, highly trusted credential (say, for instance, a national ID card) becomes a very attractive target for fraudsters, because it's all the more exploitable if they ever manage to subvert it. It could well be that the ability to federate multiple credentials becomes one of the more powerful tools against the subversion of individual credentials. I was entertained and privileged to share the panel with (among others) Kenneth Rijock, whose name is well worth a Google. His perspective was that relying parties should be prepared to insist on as many credentials as they feel are necessary to mitigate their risk, to check back with the issuer of those credentials, and (interestingly) be prepared to reject credentials which are known to be susceptible to easy subversion, even if the one in question looks good.

Great announcement this week for Liberty, as eight companies get their products successfully through the Liberty interoperability test and certification process. The companies in question are Axalto, Entr'ouvert, Epok, Nokia, Novell, Sun Microsystems, Symlabs and Trustgenix, many of whom have already had Liberty-compliant products on the market for some time. The next interoperability event will take place in July 2005, and will reflect the convergence of the Liberty ID-FF (Identity Federation Framework) specification with SAML 2.0. For further details of this week's announcement, see this article at Yahoo. For a list of all the products which have been through Liberty conformance testing, see this table on the Liberty site.

I think this is potentially ground-breaking. I'm not normally one for hyperbole... in fact I have to look it up each time I encounter it. But this idea, put forward by Lance Piper, is very interesting. I have noted before that there is a disconnect between the way in which current online systems try to embody 'trust', and the way that concept tends to operate in the 'real' world. I think Lance's idea is a genuinely visionary step towards the way it might work. Identity >

In my May 25th post, I promised to revisit the question of why I think the current fad of referring to a UK National ID Card as "a defence against ID theft" is misleading. Recent reports, including this article in the Guardian, have picked up on the following quotation: A recent poll showed that half of people questioned believed ID cards were the best weapon in combating identity theft, which is estimated to cost Britain £1.3bn a year. That's an interesting reflection of public perception, but not a convincing argument for a national ID card. Three forms of ID Theft I have had categorised for me recently, by an authority on the subject, are:

• - Mass data compromise
• - Credit card fraud
• - 'Classic' Identity Theft

The last of these is the case where an attacker gathers enough information about their victim to be able to transact instead of them. Those are the headline cases of "Man has credit refused, discovers he has £48,000 of (someone else's debt". Credit card fraud might be cases of individual theft of cards and PINs, or it might result from mass data compromise. Mass data compromise is the other typical 'headline' ID theft - where an organisation loses hundreds of sets of customer data, including payment details, and these are fraudulently exploited. That data compromise might be electronic or physical... you have probably seen "Theft of laptop exposes thousands of customer accounts" stories. These are indeed the kinds of ID Theft the public express concerns about. But preventing them does not require a National ID card. It might be a good argument for including biometrics in bank-issued cards, but to date the UK banks, at least, seem to be of the view that Chip and PIN is the appropriate response. What it comes down to is this: saying that "ID Cards are good for citizens because they will guard against ID Theft" responds to a popularly-perceived threat: but if the specific kind of ID Theft in question is actually benefit fraud, then the bottom line is that the resulting payback to any given citizen is extremely remote. In fact, on some calculations I would have to pay far more for the compulsory card than I could ever hope to see in the form of a 'prevented benefit fraud' tax rebate. Then there's the question of whether ID Cards would save more in benefit fraud than they would cost to operate. But as long as the Home Office refuses (on grounds of commercial confidentiality) to say what the system will cost, we won't know, will we?

It's hard to avoid media reports of the French "Non" last weekend in their referendum on adoption of the draft EU constitution. Here in the UK, our government has yet to confirm whether we will be allowed to vote in a similar referendum. Normally, I am all for the referendum as a tangible way of increasing direct democratic participation, but this example does seem to reveal some real problems. For instance, what does the French "No" vote mean? How should their government react so as to deal with the disagreement it expresses? If anything seems clear, it is that there is no one answer to this - which in turn indicates one of the problems with a referendum. It has to ask a 'closed' question. The only possible answers are Yes or No. There is no "Why?" (to paraphrase a Jedi koan). Thus, there are those who voted "No" in France because they felt the Consititution goes too far in exposing the French economy to the vicissitudes of an "Anglo-Saxon market-driven" model. There are others who voted "No" because they felt it did not go far enough to further the social (and Socialist) ideals of the Union's original founders. It's hard to find a remedy which will satisfy both those camps. Then there are those who voted "No" because they wanted to express a personal dislike for President Chirac, Prime Minister Raffarin or both. Again, it's going to be hard to express that political choice in a French policy on Europe. So what would a 'Yes' or a 'No' mean in the UK (if we were allowed to choose?). I think I can accurately predict that it will be no easier to tell than in the French case. I could vote 'Yes' on pro-European principle, but I don't want that to be interpreted as a blanket endorsement of the UK's current policy on Europe; I could vote 'No' as a protest, but I would not want that to be interpreted as a rejection of collaboration with our European partners in all their valuable diversity. I know... I'll vote for the inclusion of a "Comments" field.