Robin Wilton's esoterica

... and nobody came?

Somewhat to my embarrassment, I note (belatedly) that October 16-20th was National Identity Fraud Prevention Week in the UK.

That said, it doesn't appear to have exactly captivated the mainstream media's attention - apart from a win-a-shredder competition in the Guardian Online and a piece on Tiscali's site (both in the 'Money' section), it mostly cropped up on a number of regional and metropolitan police websites. And I don't know about you, but those aren't usually my first choice when browsing the web ;^)

However, it does seem to have been a rallying-point around which a number of interested parties have published information about ID theft, ID fraud and various approaches to hindering it, so here's a brief bibliography of some of those:

- Comment and raw data from CIFAS ('The UK's Fraud Prevention Service'), relayed by PublicTechnology.net, including the CIFAS Protective Registration Service. (I did go and look at the online page for this, but interestingly registration seems to require that you send them a lot of personal details including the names of everyone else in your household... and there's no privacy policy statement on their website..........).

- ID Fraud Prevention Week page - including advice and a number of links to related sites.

- APACS Press Release: "Chip and PIN reduces UK card fraud losses".

- Earlier article in the Guardian (2004): "Preparations for Chip and PIN create boom in 'non-receipt' credit card fraud". (Non-receipt fraud is where your card gets intercepted somewhere between the bank and your doormat). According to APACS' figures, it looks as though that 'mini-boom' amounted to about £28m of fraud. Their March 2006 figures for non-receipt fraud were as follows:

2003: £45m
2004: £73m
2005: £40m


The various links and resources offer a range of advice about how to protect your identity data from being stolen or abused... but there are still some holes.

For instance, we are advised to shred identity-related paperwork at home; but what about personal data on PC disks and the like? Who has their home address stored in the GPS unit in the car, under "Home"?

We're advised to check bank statements for transactions we didn't initiate; but wouldn't it be nice if more banks offered a weekly SMS mini-statement, or even better, an SMS alert for any transaction exceeding a given limit?

We're warned to look out for 'mail that doesn't arrive'.  Hmm.

We're advised to avoid using things like 'Mother's Maiden Name' as a password for online sites; but wouldn't it be nice if service providers were better at exchanging assertions rather than personal data? For instance - supposing my bank could pass a trustworthy assertion to a merchant to the effect that "This customer can afford to make this purchase"? Then the merchant wouldn't need to have, know or store my credit card number in the first place.

I'm not saying ID Fraud Prevention Week is a bad idea - on the contrary, if it builds awareness and suggests practical risk mitigation measures, I'm all for it. But I also think the service providers could be doing more to reduce the risk they have to manage (which is, after all, a cost which hits their bottom line).

Calling it "ID Fraud Prevention Week" kind of creates the impression that "it's your Identity... if it's stolen, it's your fault". While that's doubtless true in some cases, in others the risk arises out of the data custody practices of those to whom you entrust your identity data. I wonder if we'll get a "National Data Custody Week" any time soon.

I suspect it might be something the UK Information Commissioner would approve of - he is currently investigating a number of organisations whose disposal methods for customers' personal data appear to have involved leaving it in bins outside their branch offices.

This is not original content, I'm afraid, but I've only just picked up a number of emails from Simon Davies, Jerry Fishenden and others. It seems Simon experienced a little difficulty recently when trying to renew his passport in time to attend a UN Internet Governance Forum.

Here's Jerry's blog post on the subject, and here's Ian Brown's.

Conspiracy theorists (and fans of alliteration) will no doubt marvel at the miracles of miniaturisation achieved by UK security services. A remote-controlled killer wasp, no less!

Jerry apologised in advance for the pun potential of this story, but you'll find no such coyness here. I mean, I know Simon is accustomed to stirring up a hornet's nest of controversy, but who would have thought he'd run into such bumbling bureaucracy? Maybe the wohle thing was a honey-trap. I mean, [That'll do... Ed.]

This has been my first visit to Hong Kong, and along with all the usual things you would expect me to notice (the skyscrapers, the neon, the humidity, the fact that over here they don't call them Chinese restaurants, they just call them restaurants... ;^) I've also seen a couple of other things which made me stop and go back for a second look.

One was a poster giving the dates during which holders of Hong Kong Smart Identity Cards should present themselves to have the cards replaced. It's interesting to see that a country has already got to the stage of replacing a national smart-card, and it would be even more interesting to know what lies behind the replacement programme, and what practical issues it is raising. If I can find out, I'll let you know.

The other was a methadone clinic. There's something you don't necessarily see every day... The one in question was part of the Violet Peel Health Centre, which it turns out is named after the wife of a former governor (1930-1935) of Hong Kong. It started me thinking about methadone (about which I know the bare minimum), and about the strange logic of addiction and illegal substances. Apparently some methadone addicts report that although it produces much the same effects, it is harder to 'kick' than heroin - so the principal difference is that they are getting one from a clinic, while they are probably having to fund the other habit through criminal activity.The wikipedia article on methadone doesn't give figures, but says that methadone is cheap to produce (possibly implying that it is cheaper to produce than heroin...). So is the argument for supplying methadone to an addict primarily an ethical one or an economic one... or both? I don't know.

The article also notes that, while treating someone with methadone may stop them from having to support a heroin addiction, it won't necessarily prevent them from having other drug habits which entail criminal activity, and it certainly won't guarantee that they are able to find any kind of productive employment.

As I say, this is a topic about which I know very little, but the more one looks at it the more complex the problem appears. Whatever the benefits or otherwise of operating methadone clinics, at least it's made me think about the issue..

If you haven't visited Pat Patterson's blog recently, it's well worth doing so. I think it's a case-study of the benefits of corporate blogging; he's covering Sun's open source initiatives in the identity management area, and providing a great resource centre for anyone looking to engage with Sun on this.

As you'll also see from recent entries, he's about to take part in a huge Liberty workshop arranged and hosted by the Liberty Japan SIG in Tokyo. They had to cap registrations for that event at around 300, which bears witness to the great work the SIG has done in driving Liberty awareness and adoption in Japan.

More posts soon on what I've been up to at the Liberty plenaries in Hong Kong, where the Business and Marketing, Public Policy and e-Government groups had some extremely productive joint meetings. It bodes well...

Sorry about the picture quality, but aircraft windows don't make very good lenses. This is from the flight back from Milan this week; clouds on the northern Italian plains washing up against the southern foothills of the Alps.

I was in Ispra earlier this week, at a W3C Privacy Policy workshop jointly hosted by the EU's Joint Research Centre (JRC). It was an extremely interesting event - at least for the bits I was able to attend. Much to my regret, I had to leave before the end of the workshop, so I'm hoping that the conversations I was able to start will be resumed as time goes by.

On the way out to Milan through Heathrow I noticed an extremely understated sign, just after all the security checks, pointing to a small office labelled "IRIS". It turned out to be the enrollment office for the immigration iris-recognition scheme under the e-Borders programme. I got their leaflet, which explains what they do with the data they collect and hold, and what elements they will disclose to other entities. It looks relatively sensible, in the sense that:

• It's a single-purpose database
• The 'pay-off' for the passport-holder is simple and clear, in the form of reduced queueing time on the way back into the country*
• It's voluntary, and there's a built-in commitment to remove your data from the system by default, if you don't use the service
• They make an explicit commitment that they will not disclose iris scans or the 'hashed verification code'... though of course other existing passport data is presumably fair game

*If the passport hall on the evening of Friday 6th is any indication, this in itself might be the compelling factor... ;^)

From a privacy perspective I'm not yet sure where I stand on this. On the one hand, the citizen doesn't, ultimately, control the use of their Iris scan data - in fact they don't even hold it. On the other hand, that's a fairly strong argument that, if the said data crops up somewhere unexpected, it can't have been the citizen who disclosed it.

Whether I still have the same views when iris data is more widely used, I sincerely doubt.

Here's looking at you...

A fairly regular recurrence these days... there's an item on the BBC site about 'dumpster diving' in the UK (i.e. the practice of going through - in this case domestic - refuse to find personal information as a step towards identity theft). Here's a link to the piece in question. And here, for the heck of it, is a link to the post I wrote almost exactly a year ago on the same subject. No-one can accuse me of not recycling ;^)

The picture painted by this year's article is one of poor control over 'data at rest'. In other words, we are not taking enough care of our PII (Personally Identifiable Information) when it's in our hands. Quite apart from any 'social engineering' attacks, phishing, pharming and the like, there's a basic risk of your identity data being

• recovered from the rubbish;
• lifted from your bag or wallet;
• stolen in the course of a burglary.

The economics are not exactly difficult: which would you rather lay your hands on, assuming you've resolved to break into someone's house? A £700 TV which you'll have to carry, store and sell, or a carrier-bag full of assorted bits of paper which will enable you to open up lines of credit?

To keep this in perspective - the anecdotal evidence, at least, still suggests that your data (particularly your payment details) are at greater risk when under the control of a third party than when on paper in your house... but that's hardly an excuse to be lax.

The article concludes by observing that the problem of ID theft in the US is exacerbated by over-reliance on the Social Security Number as an identifier, and notes that in some cases, the remedial measures forced on victims of identity theft amount to 'pseudocide'... killing oneself off as what the law might refer to as a 'moral person', leaving the 'natural person' to reconstruct a 21st century identity.

I believe this should set off alarm bells in the mind of anyone who now hears mention of increasing reliance on the UK National Insurance Number (or NINO) as part of the ID card strategy. This, too, is not a new point. Jerry Fishenden made it very eloquently last year on November 9th.

That date (9/11 in English format...) also happened to be the day on which I took part in a House of Lords briefing on identity cards, and Mr Blair suffered his first defeat in the House of Commons - over plans to allow 90-day detention for terror suspects.

Rather disturbing news from the enquiry into the 2005 crash of a Helios 737 in Greece; it seems that because of a combination of human errors (including the maintenance crew and the pilots), the cabin pressure in the plane steadily decreased as the aircraft climbed... resulting in oxygen starvation and blackouts for all those on board.

So much for that friendly assurance that "oxygen masks will drop from the panel above your head".

Presumably the safety announcement will now have to be re-scripted: "In the event of a gradual loss of cabin pressure, oxygen masks may drop from the panel above your head, provided no-one has turned the cabin pressure sensors down to the 'Forget It' setting".

Isn't this the kind of thing which the fail-safe philosophy is supposed to address?

A couple of weeks back, Home Office minister Liam Byrne started semaphoring a possible reduction in the estimated costs of the ID Cards project. The BBC and Independent today both carry articles with a little more detail... but not much.

If you remember, the magic number bandied about back in the days of Charles Clarke's spell as Home Secretary was £584m per year over 10 years, i.e. £5.84bn. You may also remember that the details of how that figure was arrived at remained veiled with burka-like comprehensiveness (there's a thought - why not just have Jack Straw ask them to lift it...?).

So what's the latest figure (qualified by the Home Office as a "likely cost" and an "estimate")?

£5.4bn.

" However," says the Independent's piece  "the report excluded some set-up costs that were included in a previous report published by the Home Office in May last year, which put the annual total at £584 million, or £5.8 billion over a decade." In other words, even without the exclusion of those set-up costs, the difference between last year's estimates and this year's estimates is about £0.4bn, or a shade under 7% of the total budget. In the scheme of things, that's practically a rounding error.

As far as the cost projections are concerned, then, I don't see any significant news here. What about the justification put forward for the scheme? According to the BBC site,

'Mr Byrne said combating illegal immigration was at the centre of the ID card scheme.
"Illegal working will become far more difficult as the National Identity Scheme is rolled out," he said. "Any employer would be able to check a person's unique reference number against registered information about their identity to find out whether someone is eligible to work in the UK."'

I think this raises a number of issues:

1 - I thought that's what a UK National Insurance Number was for;

2 - As I understand it, European law forbids EU member states from requiring the nationals of other member states to hold identity cards other than those of their country of origin. I could be mis-remembering that, but if anyone has chapter and verse, please post a comment...

3 - Mr Byrne is, from a technical perspective, eliding 'assertions of identity' with 'assertions of entitlement', where there is no requirement to do so. Technically speaking (I can't speak for the politics of it...) there is no need for an applicant to be able to present a UK-issued credential in order to assert their entitlement to work in the UK.

Indeed, point (2) illustrates just such a case; a French citizen has, under EU law, the right to live and work in the UK. To establish that right, she or he needs to prove French citizenship, not produce a UK-issued identity card. Again, technically, it is perfectly possible to link a French-issued credential with a UK-registered entitlement to work. It's called federation, and I have been going on about it for some time ;^)

And here's the "Emperor's New Clothes" question... which I'm not too proud to ask: "If what you want to do is identify illegal immigrants and workers, why is it necessary to issue the rest of us with ID Cards?"

If what you're looking for is a needle, you don't have to positively identify each wisp of hay... just the needle.


Bottom line? I'm afraid this looks like a re-hash of headline items which does not, essentially, move us on from where we were 18 months ago. Over that period, we have seen senior civil servants' leaked emails expressing grave concern about the viability of the whole project, and balanced, rational criticism from Jerry Fishenden and others.

It's disappointing to see a minister take the time to comment publicly on the plans, but leave those substantive issues unaddressed.

Just a quick weekend post to pull together a few related blog entries, tied back (loosely) to the silicon.com CIO Forum I blogged about last week. The common theme is UK ID card plans, currently still going through something of a re-evaluation process.

First, here's a well-deserved plug for the excellent "Tomorrow's Fish and Chip Paper" blog (like it needs one from me), and its take on the CIO Forum. Here's silicon.com's Will Sturgeon with his summary of the John Suffolk interview referred to, and which I mentioned briefly a few posts back.

Tomorrow's F&C Paper also notes that Jerry Fishenden, Microsoft's NTO for the UK, continues to blog constructively, thoughtfully and fearlessly on this topic. Here's a dose of common sense from Jerry. It would be a big mistake to ignore the advice of someone with his nous and experience.

It's a very '2006' thing, but there seems to be an identity element to so many news stories these days. A quick skim of the BBC site today turns up a couple of examples.

A story about more sophisticated DNA testing for police forensics makes the front page.

The 'spy in your dustbin' story has re-surfaced too, with news that a number of councils are considering charging by weight for refuse removal. If you remember, I commented on this one back in August.

Interestingly, although the potential costs to the householder are starting to become clearer, the serious issue of 'perverse incentives' still does not appear to have been considered. Paul Bettison, chairman of the Local Govt Association's Environment Board, reckons that residents who want to insist on keeping a weekly (as opposed to fortnightly) collection of 'landfill' waste could have to pay an extra £100 a year in council tax. The numbers are interesting. That figure implies that £2 a week is enough to pay for the collection and disposal of each household's weekly landfill waste... which I find somewhat hard to believe.

So the implication is this:

- some residents will see this as a pretty good deal and pay a surcharge to go on producing non-recyclable waste at the same rate as before; a surcharge which I think is unlikely to cover the cost of collection and landfill.

- some residents will continue to produce more waste than the fortnightly collections will take away, but will then drive to the tip to get rid of the surplus. Their non-recyclable waste will still have to go into landfill, but the 'only' cost to the householder will be the petrol for the round trip to the tip. Net effect: no compelling incentive to reduce waste, and an increase in carbon emissions, relative to having a single diesel truck do the collection rounds.

- some residents will actually try and cut their waste output... though as far as I can see, this will be out of pure altruism and despite the external 'incentives' (of which there are, as far as I can see, very few).

I can't help feeling there must be a better way, as Pat's comments on my previous post indicate.