Robin Wilton's esoterica

       
 

No, No, No-ooooo!!!


Thanks to Toby Stevens over on his HighWest blog, for pointing me to this Information Age article in which Katherine Courtney (Director of the Home Office's ID Card programme) sets out some of her thoughts on how the scheme will operate.

I hope this isn't indicative, but in my opinion, one of the examples she gave suggests a flawed conception of what the NIR ought to deliver on the citizen's behalf. Here's what she said; spot the deliberate mistake:

 “Not all businesses require six pieces of identification information from their customers,” said Courtney. “Instead, they can make a risk-based decision. If you are hiring an airline pilot, for example, you would want to check that the person standing in front of you is the person they claim to be, and that they have the credentials to fly the plane. But if you are checking proof of age for someone buying alcohol, you just need to be able to look at the picture and the date of birth.”

That really ought not to be the paradigm. If you are using a national identity scheme which consists of credentials and a centralised database, then you should not require access to someone's date of birth in order to establish their entitlement to buy alcohol.

You require access to a trusted assertion that the person is over the legal age for buying alcohol. Anything beyond that is an unnecessary violation of the person's privacy. Provided my date of birth was more than 18 years ago, it's none of the publican's business which date it was.

If I can grab the opportunity for a bit of name-dropping: this is exactly the example which Dr. Richard Walton gave me on Tuesday evening. Dr. Walton is an Honorary Professor at Royal Holloway College (University of London), and former director of the government's Communications-Electronics Security Group (CESG); not only does he know whereof he speaks, but he speaks of it with charm and eloquence.

The point is, we keep being told that protection of the citizen's personal data is a key design point for this system, so it worries me that the programme manager should choose an example in which that privacy is unnecessarily eroded.
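The pub example above, as an added sketch that is not from the Home Office or any real NIR design: the register holds the date of birth and releases only a signed, short-lived "over 18" answer bound to the verifier's nonce. The key, card numbers, dates and function names are all constructed for illustration, and HMAC stands in for the asymmetric signature a real scheme would need.

```python
import base64
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key. A real scheme would sign with the register's private
# key so that verifiers cannot mint assertions; HMAC keeps this stdlib-only.
REGISTER_KEY = b"constructed-demo-key"

# Constructed register entries: the only place a date of birth is held.
REGISTER = {
    "card-0001": date(1970, 5, 17),
    "card-0002": date(1990, 6, 1),
    "card-0003": date(1988, 4, 27),  # turns 18 on TODAY
    "card-0004": date(1988, 4, 28),  # turns 18 the day after TODAY
}
TODAY = date(2006, 4, 27)  # constructed "current date" so results are fixed


def years_old(dob, today):
    """Whole years elapsed since dob, as of today."""
    before_birthday = (today.month, today.day) < (dob.month, dob.day)
    return today.year - dob.year - before_birthday


def sign(payload):
    return hmac.new(REGISTER_KEY, payload, hashlib.sha256).digest()


def issue_age_assertion(card_id, min_age, nonce, now, ttl=60, today=TODAY):
    """Register side: answer one yes/no question; the date of birth stays put."""
    claim = {
        "claim": "age_over_%d" % min_age,
        "value": years_old(REGISTER[card_id], today) >= min_age,
        "nonce": nonce,      # chosen by the verifier, so old answers cannot be replayed
        "exp": now + ttl,    # short lifetime, in seconds
    }
    payload = json.dumps(claim, sort_keys=True).encode()
    parts = (payload, sign(payload))
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in parts)


def claims_in(token):
    """Everything the verifier can read from the assertion."""
    return json.loads(base64.urlsafe_b64decode(token.split(".")[0]))


def verify_age_assertion(token, min_age, nonce, now):
    """Verifier side (the publican): True only for a fresh, genuine 'yes'."""
    try:
        payload, tag = (base64.urlsafe_b64decode(p) for p in token.split("."))
    except ValueError:  # wrong number of parts or bad base64
        return False
    if not hmac.compare_digest(tag, sign(payload)):
        return False
    claim = json.loads(payload)
    return (claim["claim"] == "age_over_%d" % min_age
            and claim["value"] is True
            and claim["nonce"] == nonce
            and now <= claim["exp"])


if __name__ == "__main__":
    token = issue_age_assertion("card-0001", 18, "till-7-n1", now=1000)
    print(claims_in(token))
    print(verify_age_assertion(token, 18, "till-7-n1", now=1010))
```
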

See, they do understand irony... ;^)


I had the car radio on for about 30 seconds yesterday evening and caught the following quote off Radio 4 (just before 8pm, but apologies for the lack of any further attribution):

[American Voice]: "The whole reason America fought for independence was that we didn't want to be ruled by an idiot called George who only got the job because he was the son of the previous idiot called George" 

Prisoner release... more details emerge


Yesterday, on the topic of the failure to deport convicted foreign nationals, I balanced the criticisms of Charles Clarke's departments with the comment that the majority of the releases had happened under his predecessors. However, the more recent details to come to light suggest that Mr Clarke is perhaps not as squeaky clean as he might have liked to suggest.

The strong impression he sought to give on Newsnight on Tuesday evening was that this was an inherited problem, and that once he was alerted to it he started the process of clearing up the mess. Indeed, when opposition politicians called for his resignation, his response was (and still is, incidentally) that it was far better that he be allowed to stay on and sort it all out.

It all sounds great. But here are some of the factors which he did not make clear during the Newsnight interview, and which have since found their way into the public domain:

- Of the 1,023 offenders (and I'm now going to qualify this as 'those known to have been involved in the mix-up'), 288 were released after Mr Clarke knew about the problem in July 2005. Not the majority, by any means, but if you consider the picture across Mr Clarke and his two predecessors, that means that on average they (Blunkett and Straw) were responsible for 360-odd releases each. In other words, in percentage terms, Mr Clarke's record at roughly 28% of the total is not much better than theirs at 36%...

- It also turns out that the problem should not have come as a surprise to either Mr Clarke or Mr Blunkett: the chief inspector of prisons between 1995 and 2001 reported to the latter that the number of foreign nationals in UK prisons was increasing, and his report specifically recommended that in such cases, the extradition process should be started while the inmate was still in prison, and should not be postponed until the point at which they had to be handed over to another agency.

Mr Clarke is still saying he wants to stick with it and fix the problem, but there are two issues with that:

First, his critics are no longer inclined to view him as the blameless inheritor of someone else's foul-up;

Second, with local elections imminent across much of the country, Tony Blair probably doesn't want his party to suffer a twin credibility blow on immigration and law and order... not to mention the ongoing discontent over health service reforms, education reforms, public sector pensions, private sector pensions, the Legislative and Regulatory Reform Bill, cash for peerages, Mr Prescott's extramarital affair... am I missing any?

 

Mr Blair must be wondering if he's slipped into some parallel universe in which the English speak Polish. They say a week is a long time in politics: in Polish, the word 'wiek' means a century.



"WADL I do...?"


... as someone sang on the soundtrack of The Great Gatsby.

There's only one mildly depressing thing about working in the team I currently inhabit in Sun, and that is that fairly regularly, one of the other team members will come up with something which illustrates the depth of the technical gulf between me and them...

On the other hand, maybe I should just flip that around and see it as an honour that they are prepared to put up with a glib salesy type like me ;^)

I blogged back in December about Gerry Beuchelt's Java-RMI-controlled model railway, for instance. In the same post I hinted at Marc Hadley's work on WADL (Web Application Description Language). I think by now most of us have, in one form or another, come across interactive applications built on 'lowest common denominator' technical components - think of Google mapping 'mash-ups', RESTful web services and the like. There's no doubt that this evolution of the software development environment is a fertile and extremely fast-growing phenomenon.

Like any such 'young' technologies, though, youth and exuberance can often outstrip other practical considerations (like "how am I going to make this interoperable", or "what should I do to expose external interfaces in a consistent way?"). Questions like that are going to characterise a lot of web services development and adoption... 

Cue Marc's most recent contribution on WADL, which has just been published as a Sun Labs technical report.

Here's an excerpt from the summary:

"This TR describes a new XML-based language that can be used to describe Web site APIs in a concise and machine process-able format. Use of this language promotes more precise description of Web site APIs and (with the availability of suitable tools) frees site owners from the effort of developing programming language APIs for their sites." 

You can find the full report here. Enjoy...

 

 
 
 
 

Clarke in the headlights


If ever a fire got a fresh shot of petrol, it must have been this one. Yesterday morning's papers were already continuing the row between Home Secretary Charles Clarke and the 'liberal media'; the Independent had progressed to the 'rebuttal of the rebuttal', revisiting Clarke's answers to some of Simon Carr's criticisms I referred to in Monday's blog. Then news broke that over the last 6 years or so, more than 1,000 foreign nationals imprisoned in the UK for serious offences (such as murder, rape, paedophilia, drug smuggling and assault) had been released at the end of their sentence and, rather than being deported, had simply been allowed to vanish into the population.

Apparently the primary cause was a failure of communication between two of Mr Clarke's departments: the prison service and the immigration service. Home Office rules apparently state that people from outside the European Economic Area ("the EU plus a few...") should be considered for deportation if they are sentenced to more than a year in prison.

To be fair to Mr Clarke, the majority of the releases happened under the stewardship of his predecessors, Jack Straw (now Foreign Secretary) and David Blunkett (I'm sorry, I've lost track of whether he's in the Cabinet this week or not). To be fair to the rest of us: when interviewed by the dependably sardonic Jeremy Paxman on Newsnight yesterday, Mr Clarke was unable to give any reassuring details about whether released individuals had re-offended, or the whereabouts of all but a hundred or so of them. Here's how the Independent summarised the numbers:

"The crisis began when Mr Clarke disclosed that 1,023 foreign national prisoners had been released in the past seven years without any consideration of whether they should be deported. They included three murderers, nine rapists, five paedophiles, 34 other sex attackers and 93 robbers, as well as 41 burglars, 20 drug smugglers and 54 convicted of assault.

The vast majority were serving sentences of at least 12 months, and in 160 cases the courts had recommended deportation.

The releases occurred between February 1999 and last month, covering time in which Jack Straw, David Blunkett and Mr Clarke have been Home Secretary.

Mr Clarke acknowledged that only 107 of the former prisoners had been located and questioned, with 20 of them being deported. Officials were unable to say how many of the offenders were serving life sentences or whether any had reoffended after their release."

Mr Clarke also said that all those released 'were being monitored under the normal arrangements for prisoners following their release'. But as the 'normal arrangements' for these particular prisoners were supposed to be that they should have been considered for deportation and more sort of weren't, I find it hard to see what that statement is worth.

For broader comment on the relationship between Clarke, Blair, the media and civil liberties, I can recommend this leader in the Guardian, and this comment piece by Simon Jenkins in the same paper. 

All in all, it has not been a comfortable week for the government:

- Health Secretary Patricia Hewitt was greeted alternately with boos and stony silence as she told health workers the NHS was having 'its best year ever' (despite record investment, record budget overspends, and a rash of job losses and hospital closures); 

- the election expenses of all the major parties were flushed onto the front pages, and make depressing reading. Most of the money goes on consultancy fees for pollsters and spin doctors, a fair chunk goes on personal transport of various kinds, and much of the rest seems to be spent on clothes and make-up. And that's just the men.

- Deputy Prime Minister John Prescott hit the headlines today for admitting that he had an affair with his diary secretary. I'm sorry, but that's definitely in the 'dog bites man' category. The 'man bites dog' story would have been 'apparently normal woman admits to having affair with Deputy Prime Minister'. 

And it's only Wednesday. 

 


Hail to the Chief... Exec


There's been plenty of coverage of the McNealy-Schwartz handover, so I don't want to add to it unduly. It raises a smile, though, when I see comments like "Scott isn't stepping down, he's just stepping out of the limelight". Uh hmh. I think it's a little early to be writing Scott's PR epitaph; unless it's a really good soundbite.

I know a straw poll of press articles about Scott tends to throw up words like 'brash', 'opinionated' or in the case of yesterday's Forbes piece 'easy to dislike' --- but few deny his vision, commitment and drive.

The equivalent scan for Jonathan tends to return words like 'intelligent', 'astute', 'articulate', and certainly on the occasions when I've heard Jonathan speak, he's been all of those. That trademark ponytail is attached to a very keen commercial brain. I'm also totally confident of his commitment and drive. The first time I met Jonathan was at an internal training event, where over a hundred technical pre-sales people were being trained as 'Network Identity Champions'. Given that this was back in 2002, that was a sizeable and, arguably, visionary investment for Sun to be making. Jonathan heard about the event at short notice, and although he was at home with a high fever, came in to speak to us about the importance of what we were engaged in. I was impressed by that.

I was even more impressed that he was able to motivate us with a clear and cogent case as to why network identity was such a key strategic opportunity for Sun --- especially as, at the time, his head must have been feeling like a wasp's nest in an oven.

Oh, and as you can see, he's long since attained the first badge of Sun seniority: being recognised when referred to by just his first name.

One other thing really impresses me about Jonathan: his ability to engage with a huge range of audiences, from deep techies to global corporate execs and, from his recent blogs, heads of state.

I think we're in good hands.
 
 
 
 

Punch-up in progress...


There seems to be a rather polite brawl going on between the Home Secretary and The Independent newspaper. Apparently it started with this article by Simon Carr, in which he cast an eye back over some of the legislative measures which have had an actual or perceived impact on civil liberties during this government's period in office.

The baton then passed with all the smooth precision of a Bentley gear-change to Tim Worstall in the Times, who had a go at the Home Secretary's recent decision to revoke the scheme for compensating those who are found to have been wrongfully imprisoned on a first appeal.

Mr Clarke published a list of comments on Simon Carr's original points, via the Home Office website, and today the Independent replies with both a front page spread and a leader article.

There were two points which stood out for me, one because of what I blogged about yesterday, the other because it was such a corker.

The first was this quote from Mr Clarke's riposte, on the subject of the NIR:

"The National Identity Scheme is being introduced to safeguard people’s identities, not track their lifestyle or activities.  The information that can be held on the National Identity Register is strictly limited to that listed within Schedule 1 of the Identity Cards Act 2006 which is roughly the same as that needed to be issued with a passport.

The National Identity Register covers only basic personal identity information and will not contain any of the following:

  • details of withdrawals of cash from bank accounts,
  • applications for mortgages
  • insurance applications
  • details of any financial or tax records
  • details of drugs prescribed to individuals
  • any other form of health or medical records
  • details of whom an individual has voted for." 

As we saw yesterday, there are indeed plans for citizens to be able to lodge a form of medical or health record in the NIR, namely their blood type, allergies and organ donation preferences. And as far as I am aware, none of those data items is included in a passport application.

Mr Clarke is also being disingenuous about the question of 'tracking someone's lifestyle or activities': while the NIR may not contain all the details of what a citizen does online, it has the clearly-stated purpose of maintaining an audit trail of all those entities who submit verification requests against a citizen's NIR entry. That in itself will amount to a great deal of information about what a citizen is doing, where and when.

The second point which jumped out at me like a badger intent on roadside immolation was this (I cite it in full, including the quotation of Simon Carr's original assertion):

"10. “The presumption of innocence is no longer a fixed legal principal [sic - see comments]”.

This is complete nonsense. In this country you are innocent of an offence until proven guilty.

Of course there is also a need to try and prevent criminal acts occurring in the first place ranging from vandalism to terrorism and including extreme violence perpetrated by people with previous convictions. This is a complex area but is the reason for ASBOs, for laws giving the Courts the right to control dangerous criminals for life in certain circumstances and for aspects of counter-terrorism legislation.  All these measures are fully compatible with Article 6 of the ECHR, the right to a fair trial."

 

What Mr Clarke doesn't spell out is the logical conclusion of this line of reasoning: that the powers he has introduced provide for people to be imprisoned without having been proven guilty. In other words, for people to be imprisoned while still benefiting from the presumption of innocence. As we have seen in practice:

  • the government detained terror suspects indefinitely in Belmarsh Prison until that practice was ruled illegal;
  • it turned to the mechanism of Control Orders to impose effective house arrest on suspects without charge and trial: the High Court has ruled that practice "conspicuously unfair";
  • until forced to compromise by sustained parliamentary opposition, it proposed measures to increase the period for which terror suspects could be held without charge from 14 to 90 days. The compromise period of 28 days is, I believe, longer than in any other western democracy.

That would rile any civil libertarian under the best of circumstances, but coupled with the plan to save £5m by cutting back on compensation for wrongful imprisonment (remember that line about "complete nonsense"?), it takes some beating. As Tim Worstall rather acidly points out: wrongful imprisonment can ruin your life, while £5m a year would not quite cover the subsidy of food in the Houses of Parliament.



One of those 21st-century moments


Provided you read this within a few hours of posting, Takashi will still be up in the air...

OK, that's a slightly weird sentence, but it's a slightly weird scenario.

Takashi Shitamichi, one of my Sun colleagues and a fellow Liberty Alliance participant, is on his way from Japan to the plenary sessions. Being Takashi, he isn't frittering away the flight time sleeping. Oh no.

He's got online and is emailing, Skyping and blogging - including this post just to prove it ;^)

Just one of those times when all of a sudden you sit back and think... yikes, it's that 'technology' stuff again. And I remember when it was hard to configure the dial-up client on a PC...

 

 
 
 
 

Funny money in motion


Here's another slightly bizarre piece of ID Card Bill fall-out, as reported in the Guardian last week.

Apparently, a project to create a centralised government repository containing every citizen's "name, address, date of birth, sex and a personal identifying number which could be shared across the public sector" has been withdrawn, on the basis that its functionality should now be delivered by the National Identity Register. Given that it looks like a precise subset of what the NIR is supposed to do, that looks pretty sensible.

What look odd are the cost implications: apparently the original scheme was expected to cost £400m; now that it is to be 'folded into' the NIR, the cost of the latter is expected to rise by £200m. What I wonder is... why would it increase the cost of the ID card scheme at all?

I can propose a couple of guesses, for which I have absolutely no evidence:

--- First, it may be that someone stuck a finger in the air and halved the number first thought of;

--- Second, it may be that someone is keen to bulk up the cost forecasts for the NIR, especially if the increase can be laid at the door of another department.

What concerns me is this: if it adds a couple of hundred million to the ID Cards project every time a department decides not to have a national-scale identity repository, that's going to add up quite quickly. Also, the £200m transferred cost, by definition, will not include the cost to the ONS of integrating its own systems with the NIR.

Of course, if that should happen to end up being, say, about another £200m then the whole process will have been a "zero sum game".

Citizen healthcare details to go onto UK NIR


This is an interesting and, in my personal opinion, worrying development.

The government seems to be backtracking on previous statements about what kinds of data are to be held on the centralised national database which is tightly coupled with their ID Card plans.

At the House of Lords ID Cards briefing last November, Home Office Minister Andy Burnham acknowledged that the most rational design for a national system was for the NIR to contain identifiers only, and for those identifiers to be the means of accessing specific details about the citizen held by the service-providing organisation.

For instance: driver and vehicle details should be held by the Driver and Vehicle Licensing Agency; tax details should be held by Her Majesty's Revenue and Customs... and healthcare details should be held by the healthcare provider.

Now it appears that detailed information about the citizen is indeed to be held on the register, specifically: blood group, allergies and organ donation preferences. The Times article says that there is to be no element of compulsion in whether citizens should register this data or not. Anyone who followed the ID Card debate itself will be wondering what meaning of 'compulsion' the government is using this time around.

What's more, with all due respect to Mr Burnham, whether or not it is compulsory for citizens to add this data to the NIR is not really the point. As soon as it is made an option for them to do so, the design of the system must be amended to ensure that any such registration of medical data is adequately secured and managed.

Professionally speaking, I have had a little exposure to discussions about the storage and exchange of healthcare details, and every impression I have suggests that it is one of the knottier areas of identity management.

There is a lot of focus on gaining very fast access to certain details "in an emergency". That can seem like a rational reason for over-riding some of the normal privacy and access control measures one might expect for such sensitive data, but also raises serious concerns about what to do with the data trail created by such access and the resulting treatment.

There's also the question of who counts as an 'emergency healthcare professional': for instance, in some countries first-response staff such as ambulance crews are classified as healthcare providers; in others they are classified as transport staff.

These are not insurmountable issues, even in a cross-border architecture, but neither are they straightforward questions to resolve on a national scale. In my view, adding healthcare data to the register increases the complexity of the design, creates copies of data in places other than the service-provision organisation, and introduces requirements which are better addressed by federation than by centralisation.

I think it should also concern citizens that Charles Clarke's initial 'bullishness' following the passage of the Bill is metamorphosing into what looks like a somewhat rash approach to the system's functional design.
 
 
 
 

New email phishing variant


I got an interesting new variant on the phishing email today. As usual, it purported to be from a financial services provider, inviting me to follow a link "in order to confirm my account details", this time for a "scheduled software upgrade" by the technical services department.

A couple of twists on the standard approach:

First, the email subject appeared to be an advertisement for "Identity Theft Solutions from" the bank in question.

Second, rather than a logo, some text and a bogus URL, the body of the email was just one big .gif file of a logo, some text and a bogus URL... so clicking anywhere on the email would take you to the link in question.

Some things hadn't changed, though: the URL was only superficially plausible. One to watch out for, though.

"I see bad people"
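A mail-filter check for the second twist, added here as an example rather than anything from the original post: it flags an HTML body whose only content is an image wrapped in a link, and reports whether the link host belongs to the sender's domain. The two messages, the `.example`/`.invalid` names, the 40-character threshold and the function names are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the whole body is one linked image, as in the post.
PHISH_SAMPLE = """\
From: "Example Bank" <service@examplebank.example>
Subject: Identity Theft Solutions from Example Bank
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://examplebank.example.login.invalid/confirm">
<img src="cid:notice.gif" alt=""></a></body></html>
"""

# Constructed sample: ordinary mail with real text and a linked logo.
BENIGN_SAMPLE = """\
From: "Example Bank" <service@examplebank.example>
Subject: Your April statement
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your April statement is ready. Sign in through the address
you normally use to view it.</p>
<a href="https://examplebank.example/"><img src="logo.gif" alt="logo"></a>
</body></html>
"""


class BodyShape(HTMLParser):
    """Counts visible text, images, and images that sit inside <a href>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.href = None      # href of the <a> we are currently inside
        self.hidden = 0       # depth inside <style>/<script>
        self.images = 0
        self.linked = []      # href for every image found inside a link
        self.text_chars = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("style", "script"):
            self.hidden += 1
        elif tag == "a":
            self.href = attrs.get("href")
        elif tag == "img":
            self.images += 1
            if self.href:
                self.linked.append(self.href)

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self.hidden:
            self.hidden -= 1
        elif tag == "a":
            self.href = None

    def handle_data(self, data):
        if not self.hidden:
            self.text_chars += len(data.strip())


def assess_email(raw, max_text_chars=40):
    """Return the image-only-link verdict plus the hosts the images link to."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    image_only, hosts = False, set()
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        shape = BodyShape()
        shape.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
        shape.close()
        hosts.update((urlsplit(h).hostname or "") for h in shape.linked)
        # Every image is clickable and there is next to no machine-readable text.
        if (shape.linked and len(shape.linked) == shape.images
                and shape.text_chars <= max_text_chars):
            image_only = True
    matches = bool(sender) and bool(hosts) and all(
        h == sender or h.endswith("." + sender) for h in hosts)
    return {"image_only_link": image_only,
            "link_hosts": sorted(hosts),
            "host_matches_sender": matches}


if __name__ == "__main__":
    print(assess_email(PHISH_SAMPLE))
    print(assess_email(BENIGN_SAMPLE))
```

Because the visible wording lives in the pixels of the image, keyword filters have nothing to match, which is why the check looks at the shape of the body instead.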
 
 
 
 

The statistics


It has been pointed out to me that I left you rather in suspense at the end of Day One: at that point Anna and Lorna were 4 minutes behind the leading all-girl crew. You know that they finished, but I suppose I should fill in the details for you.

On Day 2 they and the other girls, who came from Kelly College, were making very similar speed --- the latter crew helped by some seriously quick portaging (where you carry the canoe round locks and weirs). You can see the Kelly crew in action here. However, towards the end of the canal, which joins the Thames at Reading, Anna and Lorna overtook the other girls and started to draw out a lead. Over the next 27 miles (roughly between Aldermaston and Reading) the gap increased to just over 40 minutes at the end of Day 2.

On Day 3, from Marlow to Teddington, Anna and Lorna had a really good day, averaging just under 5 1/2 miles an hour and extending their lead to a shade over 2 hours. By the finish line at Westminster, they led the junior all-girls class by a convincing 2 hours, 29 minutes 45 seconds.

Their times over the three days were:

Day 1: 34.5 miles: 7:09:43
Day 2: 35.5 miles: 7:34:30
Day 3: 37.5 miles: 6:53:04
Day 4: 17.11 miles: 2:07:46

Their finishing time was 23:45:03... comfortably under 24 hours for the full course, which was a great target to beat.

Now, as we all know, you can make statistics say almost anything you want to, and I don't know what lies behind this set of results, but here's something which made me smile when I saw it:

Junior Doubles
123  Wilton, Anna : Female : Dauntsey's School : 23:45:03
     Ritchie, Lorna : Female : Dauntsey's School : Place: 31

Senior Doubles
393  Ethell, Dave : Male : Royal Marines : 23:42:23
     Tarnowski, Tom : Male : Royal Marines : Place: 30

Look out, guys... the 100-pound girls are right behind you...

Oh, and in case you were thinking the distance, the competition and the elements are all the crews have to deal with, take a look at this.

Why they call it "DW"


Well, they did it! The photo below shows Anna and Lorna arriving at Westminster yesterday, still in good form and paddling strongly. As you can see from the moderately accurate timepiece in the background, they arrived at 08:20, after a good final 17-mile stretch from upstream of Richmond.

That last stretch is on the tidal part of the Thames, so the start has to be timed to coincide with high tide. That meant we were all up at 4pm for the crews to be ready to start. At 06:12 they were off (photo to follow...); 2 hours and 8 minutes later our two passed under Westminster Bridge, so they did this piece at about 8 1/2 miles an hour. Even given the help they get from the outgoing tide, that's not a bad speed.

When you consider that by the end of Day 3 they have already paddled 107 miles, camping overnight for three nights and preparing their own supper and breakfast, I find it mind-boggling. For us as a support crew, it was a long weekend, logistically challenging and sometimes stressful, but we could not help but be exhilarated by the scale of their achievement. In a word, I'm so glad she put us through it!

[Photo: DW finish]
 
 
 
 

DW2006 - Day One update


Girls completed Day One in a respectable time of just over 7 hours. They were tired but in good spirits after a long day, the first half of which was in fairly persistent and sometimes heavy rain. They finished second of the Junior Ladies' class, about 5 minutes behind the leaders and over an hour ahead of the third-place crew... so guess who they have in their sights today... Day One is probably the toughest paddle: over 35 miles, all on the canal, and with the infamous 200-yard tunnel, followed by a brutal portage over the best part of a mile, so they are glad never to have to do that again! Day Two starts on canal, then joins the Thames at Reading, so from that point on at least they will have the current with them. Pictures will have to follow later...
 
 
 
 

Sponsorship offers still welcomed...!


Well, Good Friday is approaching, and with it the Devizes to Westminster canoe race (see the logo in the sidebar for details...). Anna and her crewmate are in good spirits, and all the crews spent this morning checking their kayaks to make sure nothing's going to fall off. They are apprehensive, I guess, and who wouldn't be --- they are about to canoe more than a marathon distance every day for three days (34; 35; 38), and then 17 miles on the Thames tideway at dawn. It's a pretty awesome prospect.

If you want to check their progress, you can do so via the "DW" website, here. It will have daily results charts, and there's a query function so you can track individual crews. You will need to search on Anna's race number, which is "123".

As before, anyone inclined to offer sponsorship would be heartily welcomed: all proceeds will go to the charity "Facing Africa", so not only will you be supporting a good cause, but the crews are really spurred on by the support too. I'll try and find time to post some photos, but it's going to be a busy weekend, so bear with me...

Another "9/11" milestone


Last November, on what coincidentally would be 9/11 in English notation, the government finally overcame parliamentary opposition to new anti-terrorism laws which make it an offence to 'glorify' terrorism, distribute 'terrorist publications', train or be trained in terrorism, and so on. Those laws have now come into effect.

Concerns over the laws at the time included prolonged opposition to a proposal for 90-day detention without charge --- a time limit which was subsequently reduced to 28 days (double the 14-day limit which had been in force until then). There remain concerns about interpretation of the concept of 'glorification'... a term felt to be too nebulous to underpin such a far-reaching law. There's also the reliance on how supposedly terrorist exhortations are to be interpreted; the bill places reliance on how the audience could be expected to interpret what is said, not necessarily the intent of the speaker, which seems to offer wide scope for ambiguity.

Interestingly, in the light of this and the judicial rulings I commented on in yesterday's post, I also spotted this article today: the Regulatory Reform Bill is to be scaled back amid concerns that it gives Ministers too much power to alter legislation, effectively bypassing the parliamentary process.
 
 
 
 

Two UK laws fail on Human Rights criteria


Looking back over the last year's headlines, this government seems to have had a penchant for record-breaking in parliamentary debate. Control orders (punitive measures without judicial review), Prevention of Terrorism Act (proposals for 90-day detention without charge...), the ID Cards Bill (five rejections by the House of Lords), have all in their various ways exceeded the norms of parliamentary process. Marathon sittings in the Commons, record opposition by the Lords, compromises on parliamentary review and so on. Regrettably I think they see that as a good thing. We have just reached the anniversary of the 'Control orders' legislation; the compromise in that case was that the Prime Minister agreed that the law would be reviewed one year on (and by MPs, rather than by a single Queen's Counsel). Well, I don't know what MPs have concluded, but a high court judge has just ruled against the Home Office in the first of a dozen control order cases. Mr Justice Sullivan described it as "conspicuously unfair" that the control order was not independently reviewed, and said that the defendant was denied a fair hearing. The judge further commented that the effect of this Act was that defendants' rights were determined "by executive decision-making, untrammelled by any prospective of effective judicial supervision". In other words, that the Home Secretary is executing the law directly and without recourse to the courts. It's not clear to me whether the other 11 or so control orders will be similarly reviewed, but the judge's ruling is that the Act is incompatible with the applicable Human Rights laws. The government has stated its intention to appeal against that ruling, but if it is upheld, the laws must either be amended or the Act returned to Parliament. A similar fate has befallen new regulations intended to prevent alleged 'sham' marriages. 
"People born outside the EU and some bordering European nations who have only six months' permission to be in the UK must seek special permission from the Home Office to marry, irrespective of the status of their partner. The application costs £135 and only 76 specially selected register offices can deal with the proposed marriage. If the home secretary refuse[s] permission to marry, there is no right of appeal, other than to apply to the High Court. The only exemption is for people who marry in the Church of England."

Another High Court judge, Mr Justice Silber, ruled this week that those measures were unreasonable, incompatible with the applicable human rights laws, and discriminated against some people on religious grounds. That declaration again means that the rules must be amended or the act returned to parliament.

Amnesty International has commented frequently that the recent Anti-terror laws in particular have undermined the extent to which the UK system respects human rights. What I find strange is the obduracy of the government in the face of such High Court rulings. In the 'sham marriages' case, the Home Office has at least said it will partially suspend the rules pending an internal review. In the case of the control orders, however, their stated position is this: "The Home Office said it did not accept the judge's ruling [...] A spokesman said the act 'contains rigorous safeguards to protect the rights of the individual, including judicial oversight and reporting and reviewing requirements'. He said the ruling would not force the government to revoke any current control orders, nor would it be prevented from issuing any further orders." I'm forced to wonder what a High Court judge would have to say to prompt any actual change...

Wanted: Vulcan Jurors


As jurors in the sentencing trial of Zacarias Moussaoui continue to hear avowedly emotive evidence from the 9/11 attacks, we ought to bear in mind the admonition they heard a month ago from the Judge, Leonie Brinkema: “In making this very difficult decision about punishment, you must be guided by reason and your sense of justice and not by bias, prejudice or sympathy for or against the defendant or the victims”. The prosecution plans, as part of its argument, to read out (one by one, each one accompanied by a photograph) the names of 2,972 people killed in the attack. I am still not sure it is humanly possible to comply with the Judge's instruction, and I wonder what happens if it somehow becomes obvious that a juror has failed to do so.

Blogging - the virgin snow bullet?


I've heard about mixing your metaphors, but this one really takes a biscuit off the old block: blogging is described first as a bullet corporations may have to bite, if the reality is not quite as their marketing and PR people would have one believe; then, at the end, it's 'virgin snow'... uncharted territory where everyone is learning the 'rules' as they go along. The article looks specifically at two areas of blogging, both of which illustrate aspects of the Participation Age: corporates who suffer blogger-induced consumer backlashes, and corporates who are getting savvy about 'recruiting' bloggers to evangelise on their behalf. It says less about the effect corporate bloggers can have on their own organisations. What I think is interesting in the latter case is this: I know of people who successfully use 'normal' corporate methods to become recognised outward-facing evangelists. Simon Phipps (sunmink) is a great example, and has been since former days at IBM, in the years before blogging (remember them?). However, Simon's exceptional in more ways than that, and there are many more people with stuff to say who, in the normal course of events, would never find an outward-facing 'route to market' for their views. The great thing about blogging is that it makes it possible for those people to reach the global audience to whom their content is relevant. That subverts the traditional view of the grip corporates like to exert (or think they exert) on public perceptions of their activity, but subversion is not necessarily a bad thing. An uncrafted but honest portrayal of corporate activities is good PR... provided the activities themselves are good. It's good news for blog consumers. Consume all the virgin snow you want: it's yellow snow you should avoid.
 
 
 
 

As promised: 'The Qatar Memoir'


I have finally got around to splicing and uploading the whole set of my father's Qatar reminiscences. It has been great to see what a positive response this series got, and it seems to have been of particular interest (not surprisingly) to a lot of people currently living and working in the Gulf.

Here's a link to the pdf file, and I will also put it in my "Bookworm" list so that it can be found without having to search the blog. (The "Bookworm" list is on the front page of my blog, in the right-hand column).
 
 
 
 

Sun/Lucent announcement; good time for a recap


I'm by no means the first person to comment on this week's announcement from Sun and Lucent, but just wanted to add 2 penn'orth from my perspective. 

In fact, as I happened to be away from email most of Tuesday and Wednesday, the first I heard about this was when a customer asked me about it yesterday [blush]. Still, that's life in the Participation Age for you  ;^).

The reason I wanted to comment was because the Sun/Lucent announcement reflected so closely what the customer had been hoping to talk to us about anyway: how to put together a coherent and realistic enterprise identity strategy, given the foreseeable set of internal and external drivers.

In that case, the internal drivers included the usual cost-reduction/RoI imperatives, the combining of large organisational units, and the desire to deliver compelling customer-facing services across a full range of delivery channels. (The Sun/Lucent piece mentions wireline and wireless, web, mobile, IPTV and IMS, for example).

Among the external drivers, this customer needed to make sense of the very diverse technology landscape which is evident in identity management; how should they factor in things like SXIP, YADIS, Infocard, Higgins and the like? What about the relative roles of identity management, prevention of ID theft/ID fraud, and building systems which deliver privacy protection as a discernible consumer benefit?

The first challenge is that this is a complex area. No-one owns all the pieces of this jigsaw, so it's up to us vendors to play nicely. In that context, collaborative work like the Sun/Lucent example is absolutely critical.

The second challenge is to reduce that complexity to a set of simply-expressed goals, messages and criteria, so that board-level decisions can be both informed and accurate.

What I find interesting in that respect is this: eighteen months ago, the equivalent discussions positioned federated identity as a future, but achievable enterprise goal. Now federated identity is a reality, and the 'future but achievable' goals tend to centre around identity theft prevention and privacy.

Eighteen months ago, most of the discussions were about server-side management of identity (whether for provisioning, policy definition or enforcement), and the 'future but achievable' horizon was populated with increasingly diverse and numerous 'edge' devices. These days, the original set of assumptions still holds good, but the focus on 'edge' devices has morphed into the discussion of 'user centric' identity. But then, you know what I think about that phrase.

From my (admittedly bigoted) identity-centric perspective, several things have not changed:

1. there is a steady progression from management of computer accounts, to management of users, to management of identities (and things have identities too);

2. the three-layer model of identity data (credentials, entitlements and assertions) has remained both useful and valid;

3. the 'security cycle' has also proved itself to be a reliable and durable model: that's the one which describes an ongoing sequence of Risk, Policy, Implementation, Administration, Audit and back to Risk again. It's not mine, by the way; I 'adopted' it from an ISO standard (ISO 7498-2). It's still good, though.


So looking back, what has changed? I think there's been a huge leap in the sophistication of the identity management debate. Concepts like federation and user-centricity, which simply didn't mean anything five years ago, are now common currency (even if they don't always mean the same thing to everyone ;^). And from a technology perspective, there's no doubt that provisioning, account management and policy enforcement benefit from improved support by technical tools. It's also true that, sometimes, the effect of improvements in technology is to allow us to try and address new kinds of problem.

We also continue to discover that 'the successful implementation of technology depends on many non-technical factors'. If I had a bigger chest, I'd be tempted to have that printed on a T-shirt.


 
 
 
 

The Parable of the Elephant and its Reprise


A few weeks ago Tanya Candia interviewed me for a piece on ID Theft, and quoted me using the 'blind men and the elephant' simile. I should have known that Paul Madsen would not only 'see' my elephant but then substantially raise the stakes, with this gem of a parody. Nice one, Paul.

A "Privacy" thought-experiment


The UK has a (probably justified) reputation for being the most CCTV-surveilled society on the planet. My suspicion is that many of the privacy-related practicalities of this have not been thoroughly considered. For instance, I believe I have a legal right to request the operators of a CCTV scheme to provide me with a copy of any identifying data they hold concerning me - and presumably that would have to include CCTV images of my face. On the other hand, they also have a duty to safeguard the personally identifiable information of others, and that presumably includes those people's facial images too. It could be a knotty area both legally and practically. For instance, if I ask for a copy of any images of myself, will they send me only those images, or just a copy of the tape for that whole time-period? Will they scan the tape looking for me, or just ask me for a date/time range and send everything for that period? Will they pixillate the faces of any other people caught in frame along with me? So here's the thought experiment: you're walking down the high street, and at the end of the road, perhaps on the side of a panel-van, you see a large flat-screen display, on which I am replaying the video of the CCTV footage which the scheme operators sent me. Then you see yourself on the screen, and it jogs your memory... that was the day you called in sick. Does it still feel like your privacy has been adequately respected by this process?
 
 
 
 

Scanners to be installed at UK stations


I remember when the much-reviled 'sus' laws were abolished in 1981, in the wake of the Brixton riots. I remember when 'stop and search' was introduced shortly afterwards, to the disgust of many who had campaigned against the way in which 'sus' had become a by-word for injustice. The problem was less with the laws, and more with the way in which they were enforced. I have to wonder whether the latest "stop and search" enforcement powers are a step in the same direction. I agree: fewer knives make for safer trains --- but this is routine and indiscriminate searching of everyone who wants to use public transport, and I question whether that's proportionate. There's another point, too. It's hard to shake off the feeling that this is being brought in under the umbrella of a general climate of 'war against terror'. After the 7/7 London bombings, there was a much-publicised wave of community resilience, and a feeling reminiscent of William Henley's 'Invicta'*. That is not exactly the tone of this piece of enforcement, is it?
*"In the fell clutch of circumstance, I have not winced nor cried aloud: Under the bludgeonings of chance My head is bloody, but unbowed."

Fingerprints reveal more than identity


Fingerprints must be one of the oldest biometrics in use; forensic research is increasing the range of information which a fingerprint will reveal. Your age, the substances you ingest... all affect the traces your fingers leave behind. Apparently one of the key tools in this work is a 'Scanning Kelvin Probe', which is used to measure not the traces of the prints themselves, but the minute electro-chemical changes these produce in the objects touched. I guess the question then is what can be used to link the electro-chemical change to a specific individual.
Such views as I express in this blog are based on my own opinions, experience and judgements. They do not necessarily represent the policy or views of my employer. It is not my intention to offend readers in any way. If you find anything on this blog offensive, please contact me in the first instance.
Robin Wilton
© racingsnake