Robin Wilton's esoterica

       
 

The Frontier Paradox


This article from the BBC today neatly illustrates one of the paradoxes of modern life. What is a frontier? We are usually given the impression that it is something inviolate (hence the bullish assertion about "tougher border controls") - yet actually the value of a frontier lies in "manageable porosity".

In other words, the trick is not to make it hermetic, it is to succeed in managing who you let in and out.

Today's article highlights a case in point: the UK's closest partners are its EU neighbours... but as I have noted in the past, EU law prohibits national governments from requiring the citizens of other EU states to carry an 'immigrant' identity credential. Therefore, any use of compulsory identity cards for UK immigration control can only be applied to non-EU citizens.

The classic 'counter-example' case is, of course, the one which contributed crucially to the downfall of former Home Secretary Charles Clarke; the thousand or so convicted foreign prisoners who were not deported from the UK on completion of their sentences. There was a failure of case-management for individuals who were actually incarcerated; the idea that that problem could be fixed by issuing 'immigrant identity cards' looks unduly optimistic.

It seems to me that the question is not so much one of what credentials someone may be able to present, but the intelligence and effectiveness with which the authorities are able to act on the available data.

 
 
 
 

A gallon in a pint pot...


I'm in the States at the moment, for multiple meetings - each of which is quite capable of spinning off a 'full-time' programme of work. For example:

- Monday: an internal workshop on global government strategy. Talk about 'looking at the big picture'; the workshop facilitators were encouraging us to think 20 years out, and to look at issues as diverse as demographics/longevity, 'energy independence', climate change and so on.

- Tuesday-Thursday: Liberty Alliance plenary meetings, working in the Public Policy group as it considers topics like Privacy Policy Expression Languages (PPELs), contractual frameworks for Circles of Trust, and liability issues in public/private sector collaboration.

- Thursday-Friday: catching up with the rest of the team in the latest of our occasional face-to-face meetings. That's always a challenge, because the expertise in the group is both varied and deep. I'll have to get my head around topics as diverse as Microsoft interop, XML directions, AJAX and RESTful service development, WADL, and lots more.

The combination of information overload and residual jet-lag rather puts me in mind of Keanu Reeves' data-storage difficulties in the William Gibson story "Johnny Mnemonic"... I think I need an upgrade ;^)

 
 
 
 

Is an SSN/NINO a good primary identifier? (revisited)


Those who think it is a good idea to increase the use of the UK National Insurance Number (NINO) as a trusted identifier might want to take note of one of the probable outcomes. Since the middle of last year, the FBI website has been warning of a scam which has already been sighted in 11 US states.

A caller tells prospective victims that they are the subject of an arrest warrant for failing to attend for jury service. The caller then pumps the victim for date of birth and Social Security Number (SSN) "for verification purposes". The con relies on the initial accusation rattling the prospect enough that they want to disclose the data and 'set the record straight'.

Whatever the mechanism for getting hold of it, the valuable part of this is the SSN... and that's because it is over-relied on as a secure identifier.

 
 
 
 

A new identity term...


Eve Maler and Dave Kearns have been commenting recently on some of the apparently age-related differences in the way people treat online accounts (how many to have, how frequently to change them or open new ones, what kind of 'handle' or name to choose, and so on).

With that in mind, I would like to propose a new term:

 

persistonym (n): a relatively persistent identifier which may have little or no inherent 'strength' in terms of identifying its owner, but is nevertheless useful to an extent proportional to the duration of its use, and to the reputational information which may arise as a result.

Examples: blog 'handles', eBay trading accounts, online gaming personas.

Here are some observations about persistonyms to give you an idea of what I have in mind:

- If you find a "racingsnake" online, it's not necessarily me, but it might well be.

- I have no idea 'who' "Scott Burgess" is in Real Life(TM), though I know him as 'the author of The Daily Ablution' (a mothballed blog).

- There are online gaming characters with whom I have built up a level of 'trading' trust (albeit virtually). In some cases that has involved, to all intents, an exchange of consideration which is almost contractual ("Collect 200 cow-hides for me and I'll pay you 10GP per hide... on delivery"). Regardless of any trading transaction protocol enforced by the MMORPG, there has to be a level of trust if I am to invest the time it takes to amass all those cow-hides.

- I am conscious of the limitations of eBay reputations, but still tend to believe their value is greater than zero.

- I trust the Amazon CD reviews of some specific reviewers, who I recognise by their 'handles'.

A user can have multiple persistonyms. I have at least three.

A persistonym may actually be as non-volatile as a real identity... it just happens not to be the real identity.

There's a continuum from anonymity and 'single-use' personas, through persistonyms of varying duration, to 'real' identities.

Much of what Eve and Dave were writing about concerns the fact that young people these days are entirely comfortable with running multiple online personas and changing them frequently - "forgot the password, didn't like the 'handle' any more, wanted another account so as to be able to 'trade' with it, wanted to avoid someone online, wanted to change my image" (or indeed gender...), and so on.

I'd be inclined not to class as persistonyms those cases where the owner's intention (in creating a new identifier) is to break the link of continued association between their past and future actions.

 
 
 
 

SpyBlog and the MI5 Alerts service


Those who keep an eye on the comments posted to this blog will have noticed that some of the better-informed ones come from the people at SpyBlog ("Watching Them, Watching Us"). They generally demonstrate a good grasp both of the technology of privacy and the legal details of privacy protection.

They have generated a good deal of media comment, therefore, by probing into the details of the "Threat Alerts by e-Mail" service recently launched by the domestic security service, MI5.

I'm not going to re-hash the details, because it looks as though most of the stable doors have now been at least shut (if not locked), and it's possible that the horse is still in there somewhere - though there is rather a whiff of horse-apples... If you want the details, have a look on the SpyBlog site here, and The Register here.

I'm not going to carp on about the timeline and the remedial details, but what's worrying is this:

- This was not a sudden deadline externally imposed on MI5; they (or someone) decided that an email 'terror status alert' service would be a nifty thing to offer the public.

- There's the obvious point that one would have expected the security services, if anyone, to be alive to the possibilities of encrypting sensitive data before transmitting it.

- Then there's the question of whether it is appropriate for a UK Government department to roll out a system which ships UK citizens' personal details overseas. Here's what the Data Protection Act 1998 says about that, according to the Dept for Constitutional Affairs' website:

"The Act prohibits the transfer of personal information from the UK to other countries unless those countries can ensure a similar level of data protection. However, you can consent to your personal information being transferred anywhere in the world. Organisations can also set up contracts with overseas organisations receiving personal information which impose higher standards of protection than there might be under the national law of the receiving country.

Organisations in the UK which have personal information processed overseas on their behalf remain responsible for the security of that information. The UK company is required to ensure that the overseas processing company complies with the UK Data Protection Act."

On the face of it, starting out with a system which transmits the data unencrypted to the States doesn't look much like 'remaining responsible' for its security; whether or not there was a contractual agreement in place to ensure that the hosting company complied with the UK DPA I cannot tell - but in the absence of one, US laws on the protection of personal data do not, by default, equal or exceed those of the UK. Nor is it clear, now, whether registrants were invited to consent to their personal information being transferred overseas... but the tenor of the media coverage is such that I would bet that they were not.

No, the real issue is that the legal and technical aspects of securing registrants' personal data appear to have played no part in the 'go live' plan - for whatever underlying reason. As I say - this was a project which the department in question opted to undertake; contrast that, for instance, with all the e-government implementations which were pushed through with an enforced deadline of 'the end of 2005', but with exactly the same constraints on the privacy and security of citizens' personal data.

The MI5 'security alerts' implementation was surely an opportunity to showcase best practice...

 
 
 
 

A fistful of platitudes...


Try as I might, I can't make this post come out as anything other than a string of homilies, one after another... but as I'm convinced the basic argument is a good one, I think I'm just going to have to go for it anyway.

You may have seen the row currently embroiling the UK Home Office, concerning a failure of the process whereby criminal details about UK citizens who have committed offences abroad are passed back to the UK and then acted on accordingly (for instance, making sure that people whose offences were violent and/or sexual are added to the register of offenders who should not be allowed to work with children). Some 27,000 cases just piled up somewhere at the Home Office, while the people concerned went unsupervised and unregistered, some of them committing further offences, assuming new identities and/or leaving the country again.

It's creating a problem for the Home Secretary, because although he knew he was inheriting a dysfunctional department, he appeared to promise that the remedial actions he had initiated on taking over the job had fixed the major issues. It's also now resulted in the suspension of a senior civil servant, according to this article today. But while those are clearly significant aspects of the story, they aren't the ones which my "identity goggles" zoomed in on. Rather, it was these paragraphs which caught my eye:

"He has also instigated a root-and-branch review of Britain's criminal databases.

His spokesman said Mr Reid was writing to Cabinet colleagues to get agreement for a review of British databases which received information about criminality, and how information was recorded on them.

BBC correspondent Robin Brant said the Home Secretary was seeking a full review of how information on criminal databases in the UK is recorded and shared.

This includes systems such as the police national computer, the Criminal Records Bureau and lists of football hooligans, as well as the way information is shared and exchanged between the UK, the rest of the EU and other countries.

He also wants to review how to respond to the information when it is received.

...

Meanwhile, minister Joan Ryan is to meet EU counterparts in Dresden to discuss improving systems for sharing information.

She is expected to ask for biometric information, such as fingerprints, to become part of the data on criminals passed between EU governments."

Then recall the announcement back in December that the Government intends to scrap the plan for a centralised National Identity Register in favour of a more 'federated' approach, in which three existing departmental systems will be used to store different aspects of each citizen's identity data. Under the new scheme, biographical data will be stored on the Department for Work and Pensions (DWP), biometrics will be stored on systems 'currently used for asylum seekers', and the rest will go onto the existing Identity and Passport Service (IPS) system.

Now part of this is, I think, good news. Sir David Varney, who was recently asked to produce a report on identity and data-sharing between the DWP, HM Revenue and Customs and local authorities, did not appear to include in his discussion departments who already have detailed experience of national-scale issuing of credentials (such as the IPS and the Driver and Vehicle Licensing Agency - the DVLA). That worried me at the time, so I'm glad to see that the IPS are at least involved in the NIR plans, as one would expect.

However, I think there's also a lot in this (and the paragraphs I've quoted above) which should seriously concern us. Unfortunately, this is where the whole thing rather breaks down into platitudes - so with apologies to all grannies who are already accomplished in the art of egg-sucking, here we go:

- in any IT project, getting the technology right is no use if you ignore the process (or get it wrong);

- it seems likely that there are still processes in the Home Office which fall far short of being 'fit for purpose' (I have to admire John Reid for having used that phrase, but boy I bet he regrets it more with every passing day...);

- as the Iris biometric pilot outcome suggests, some of the technology is not yet ready for mass-scale roll-out - and has apparently been dropped from initial NIR plans as a result (other technology sub-systems have yet to be tested to the extent the iris biometrics have been); 

- the system and process which have come to light in the various Home Office incidents have all been on a far smaller scale than what will be required for the NIR, because they have been systems to manage offenders, asylum seekers and the like, rather than the entire population; 

- if you combine (or for that matter, federate) several systems in which the process, the technology or both are sub-standard, then the outcome is highly unlikely to be better than the sum of the parts. In fact, I think it's guaranteed to be worse.

 

In that context, two things strike me as both optimistic and premature:

- increasing the extent to which citizens' identity data are exchanged cross-border (whether outwards to Europe or inwards to the UK);

- assuming that a 'fit for purpose' federated system can readily be assembled from the systems and processes currently in operation.

 

Don't get me wrong: after all the bleating I've done about federation rather than centralisation, it would be perverse of me to say the government is wrong to go with a federated approach, and I'm not saying that. I'm just noting that if the existing systems and processes already contain significant flaws (and are on a far smaller scale than the plan calls for), then it is unrealistic to expect those problems to be fixed by federating what is in place and 'ramping it up' to national scale.
 


 

 
 
 
 

Three publications of note...


So much to blog, so little time......

Some people in central government had a busy December, one suspects; several documents have come out in quick succession in the New Year.

 

1 - Transformation Government Annual Report, 2006: John Suffolk (UK Govt CIO) presents the first annual report on what the public sector has been doing since the preceding e-Government strategy was all neatly dealt with and buttoned up by the deadline of 31/12/2005. Mostly.

Incidentally, John was able to launch the report at an excellent all-day conference organised by Kable yesterday. Hats off to William Heath and all the Kable team for a first-rate event, with an exceptional level of participation from public sector representatives.


2 - Strategy Plan for the National ID Card Scheme: Home Office Minister Liam Byrne publishes a 30-pager on the plans for operation, security, delivery and governance of the planned scheme. I'm saddened to see this document perpetuate the implication that 'we have to do this because the ICAO says so', but perhaps a more detailed read will throw up more positive points. If so, I'll post again.

3 - Iris recognition pilot results: remember that iris-recognition pilot I mentioned at Heathrow last Autumn? According to The Register, the results of the project are not very promising, and as a result iris scans will now not be collected from those being registered for the National Identity Register. Part of me is thinking "well, a lot of credible people have been saying for a long time that iris scan technology isn't up to the job yet, for national-scale deployments with high throughput".

But another (much smaller and quieter) part is saying "that's what pilots are for... if you start a pilot and refuse to acknowledge that one possible outcome is that you abandon the technology in question, then don't call it a pilot project: call it Phase 1 of your roll-out. If you don't dare do that, then admit that one possible outcome is that you abandon the technology in question...".

A wise old systems engineer once said to me: "any project which involves no appreciable degree of risk is unlikely to deliver any appreciable benefit". Interestingly, he was an employee of what was, at the time, possibly the most risk-averse organisation you could hope to find outside the public sector.

I know that inside the public sector, there is often a view that it is inappropriate to put at risk the funds which public bodies spend on the citizen's behalf - but this is to ignore the alternative downside: that money spent on risk-free projects may deliver only benefit-free outcomes.

Two quickies...


1 - Just before Christmas, I got tagged by Gerry Beuchelt in the '5 Things' meme; I tagged James Governor, and he tagged Jonathan Schwartz. Not only has Jonathan played along, but he's gone and tagged Greg Papadopoulos, our CTO. Interesting piece of netiquette... what do you do if your boss sends you a chain letter? ;^)

2 - DNA and the things one might be able to do with it are seldom far from the headlines these days, and the phrase "DNA fingerprinting" is often bandied about. But think about it: if you wanted to uniquely identify one of a number of identical siblings, DNA wouldn't work. Iris scans would probably be more reliable, given the necessary time and effort... but see my next post.

It has been five years now.


This article in yesterday's Guardian gives a summary of what Guantanamo Bay is, and why its legal status (and that of its inmates) should cause serious concern.

As each anniversary of this shameful institution rolls around, with no change to its status or operation, I wonder what purpose it is supposed to serve. Richard Veryard would presumably respond: "POSIWID"... 'Purpose Of System Is What It Does'. That's a depressing thought in itself.

Rather than rehash the details again this year, here is a link to the Wikipedia article about Guantanamo Bay.

Both the Guardian piece and this article in the New York Times note that after the US Supreme Court ruled that the detainees' status does entitle them to the protection of the Geneva Conventions, the Bush administration amended the law (Military Commissions Act 2006) to remove detainees' right to challenge their detention through the civil courts, thus ensuring that the Supreme Court decision could have no practical effect.

Finally, here is a link to the Amnesty International page which gives details of practical steps you can take if you wish to express your disapproval of Guantanamo Bay.

 
 
 
 

More biometrics, more data-sharing: less control


This Sunday's Observer reported that US immigration controls plan to start capturing all ten fingerprint biometrics of visitors (as opposed to the current two). Relevant facts appear to be:

- this reflects a change in the 'purpose of collection', from authentication to forensic and deterrent (see Secretary Chertoff's comments at the end of the article);

- the data is to be shared with the FBI (interoperability with their fingerprint database is cited in support of the change);

- further, cross-border exchange of the data is expected.

I find this worrying for a number of reasons:

- the forging/planting of fingerprint biometrics has received enough plausible publicity recently to suggest that there is a significant risk in having all your prints disclosed to numerous third parties. Once the data is out there, that risk will be ongoing and will increase with time;

- it is a mistake to think that the biometrics of innocent travellers cannot be obtained by a motivated criminal;

- current experience of identity theft clearly indicates that the route of preference for such criminals will be to obtain biometrics in bulk from a third party database;

- one can therefore expect the number of 'false positives' to increase, undermining the utility of the mechanism and the civil liberties of those wrongly identified. It's not clear what mitigations are planned regarding this risk.

- the arrangement appears to be unilateral. At some stage it will become clear that possession of a US passport can coincide with terrorist intentions. In the meantime, this would seem to me to increase the incentive for those ill-disposed towards the USA to get hold of a US passport.

 
 
 
 

10 films


I wanted to try and put together a list of "10 favourite films", but it was too hard. I ended up feeling like whoever it was who apologised for writing a long letter, on the grounds that he 'didn't have time to write a shorter one'.

So in the interests of time, here's a provisional list of 10 entertaining thrillers. I've got the makings of a list of comedies, but that will have to wait for a bit.

- Bladerunner (Ridley Scott, 1982)
- Dirty Harry (Don Siegel, 1971)
- Fargo (Joel & Ethan Coen, 1996)
- Hammett (Wim Wenders, 1982)
- Jackie Brown (Quentin Tarantino, 1998)
- La Balance (Bob Swaim, 1983)
- Leon (Luc Besson, 2000)
- Southern Comfort (Walter Hill, 1981)
- The Conversation (Francis Coppola, 1974)
- The Third Man (Carol Reed, 1949)

I noticed a few things as I looked back over the list:

- generally, those films contain little or no 'superfluous' footage. Usually what's in there is in there for a reason, and does what it's there for;

- several of them have music which is great in its own right, and just happens also to be well used as soundtrack material;

- there's a bit of an 80s bias, but that happens to be when I spent most time at the flicks...

Healthcare and the PM's New Year's Message


I see that the Prime Minister made the following remark as part of his New Year's message:

"It is a measure of how much has changed that no party which wants to be in government now questions the existence of the National Health Service funded by us all and free at the point of use ... "

This comes only a couple of days after his party chairwoman, Hazel Blears, was accused of hypocrisy because she took part in a protest at the closure of a maternity unit in her constituency (while, of course, being a member of the cabinet whose policies are making such closures more likely).

There's a promising thread there about 'collective responsibility' in cabinet decision-making... I mean, presumably the cabinet reached its decision based on some compelling argument which Ms Blears could use to try and convince her constituents of its wisdom. Or maybe they failed to convince her, but when it came to the vote she simply found herself in the minority.

For the time being, though, I just want to make the following observation. Through the letterbox today I got a leaflet from an insurance company, advertising their private healthcare scheme. I live in an area increasingly affected by hospital closures, without any sign that the proposed replacement services are close to coming into existence, let alone that they could deliver equivalent levels of treatment and convenience. What plans have been published suggest that for most people, the 'point of use' will become more distant and less comprehensive.

As a result, the insurers are able to make a compelling advertisement out of the simplest concept; their leaflet simply reads "Go local at the BMI clinic". Whatever claims Mr Blair is inclined to make, private healthcare has, over the last twenty years, generally been a luxury in this area (albeit sometimes an attractive one); I suspect that it will become an increasingly necessary alternative to such provision as is available 'locally' through the NHS.

The prudent course of action would appear to be not only to subscribe to a healthcare insurance scheme, but to become a shareholder in the insurance companies which underwrite them. Even with Mr Blair using his speech to urge his party to 'stay New Labour', that's a pretty bizarre behaviour for Labour policies to be encouraging.

More on anonymity and behaviour


Richard Veryard and Dave Walker kindly commented on my previous post, so I'm happy to trackback to them and add a few more observations on anonymity.

I was looking at 'panopticality' again the other day (you may remember a brief mention of panopticality in this 2005 blog post), because I saw an interesting example of it on the telly.

The examples I had already found were those of some military barracks and prisons, both designed so as to use panoptical observation of the inmates as a way of modifying their behaviour. The reasoning was that, if prisoners/soldiers knew that all their actions were visible in principle, and did not know whether or not they were being watched at any given time, they would behave more manageably whether or not anyone was actually watching. Clearly, this made it possible for a large-ish population to be policed by a much smaller number of watchers. The principles were set out by, among others, Jeremy Bentham, who apparently used architectural designs drawn up by his brother Samuel for a military academy in Paris.

However, I think I was wrong to describe Strangeways Prison in Manchester as an example of a panoptical building. It seems that that 'tower and spokes' design actually reflects the Victorian "separate system", in which inmates were generally confined to their cells for most of the day - essentially in solitary confinement. It, too, allowed a substantial prison population to be controlled by a comparatively small number of warders, but the basis of the behavioural control was different.

Fortunately, I think I now have a new example, from a documentary about the Topkapı palace in Istanbul. It seems that the Divan Salonu (Imperial Council Chamber) had a grille through which the Sultan could (if he wished) keep an eye and an ear on the proceedings of his ministers. Crucially, they never knew whether or not he was at the grille... so when he subsequently quizzed them about their discussions, the only safe course of action was to stick strictly to the truth.

 
 
 
 

Lost your car keys?


Yesterday I had to collect one of the offspring from a friend's house in the aftermath of New Year's Eve. I hadn't been there before, but armed with a postcode and streetmap.co.uk I got some directions, headed off, and found it with no problem.

Which is why I was surprised to read the following advice on a Home Office leaflet I got through the letterbox this morning. The leaflet is about reducing vehicle crime, and is marked with a nice "Let's Keep Crime Down" logo. Among the other tips (use approved car parks, don't leave belongings on display in the car, keep your keys safe, and so on) it says:

"Arrange to have your vehicle registration number etched onto all glass surfaces including the headlamps. Alternatives are to use the last 7 digits of the Vehicle Identification Number (VIN), or your postcode."

Super. So that way, if someone does manage to steal your car (and even worse, your keys), they can pretty accurately pinpoint your house... and know that they'll have free run of the place while you walk home.

Incidentally, for similar reasons, I would not recommend storing "Home" in your satellite navigation device. At least call it something else if you do...

 
 
 
 

Predictions for 2007


Interesting article here on the BBC site, with three pundits' predictions for 2007. The main themes seem to be:

  • User-centricity and social networks
  • Growth in web services
  • Another explosion in 'edge' devices

Obviously, from an identity perspective, web services and 'edge' devices are themes which Sun and Liberty have embraced for several years... but what about social networking? Well, one thing we discovered fairly promptly was that social networking paradigms don't 'break' any of the principles of federated identity, even if different networking models call for variants of the protocols between Identity Providers, Service Providers and the individual. Where a difference does seem to emerge is in the nature of the trust relationships which underpin social networks (by contrast with those which underpin other kinds of online service provision).

My prediction for 2007 - and I apologise for the fact that I think it's a pretty low-risk one - is that as the principles and technology of federated identity sediment further into systems and awareness, the discussion will centre increasingly around notions of trust, privacy and the like. It's a low-risk prediction because it's already started...

New Year, Old Concern


Some things don't change with the turn of the year. You might remember from posts back in September 2005 and May 2006 that the air passenger data access scheme unilaterally introduced by the US was ruled unlawful by the EU Data Protection Commissioner.

In October 2006, therefore, they had to come up with a replacement. Today's BBC article here suggests that it has not materially reduced the extent to which passengers' privacy is compromised. I was hoping to link to the Privacy International website so you could get an informed opinion, but their site appears to be having some problems. I'm sure that has no connection with the critical analysis Simon Davies offered for the BBC article.

Obscure semantic underwear


It may be a little late for this (or about 360 days too early), but... if you're wondering what to buy the pedant who has everything, may I suggest the BTQ thong? One of the more obscure pieces of underwear I think I've ever seen, this garment is tastefully printed with a "btq" logo, the letters standing for "Beg The Question".

They are merchandise from a rather good website which explains that the phrase "to beg the question" does not mean "to raise the question", despite frequent abuse for that purpose.

Happy New Year.

 
 
 
 
 
« January 2007 »

Such views as I express in this blog are based on my own opinions, experience and judgements. They do not necessarily represent the policy or views of my employer. It is not my intention to offend readers in any way. If you find anything on this blog offensive, please contact me in the first instance.
Robin Wilton
 
© racingsnake