Robin Wilton's esoterica

Proposals are once again being considered to increase the UK's already-egregious limit on detention without charge, using the Backgammon method. This little-known technique simply involves doubling whenever you think you can get away with it... from 7 to 14, from 14 to 28, and now potentially from 28 to 56.

A comparative analysis of other countries' policies, carried out by the Foreign Office in 2005 at Jack Straw's request, revealed little beyond the extent to which the UK's 28-day limit already outstripped that of any of the democracies examined.  Nothing has changed since, in that regard. We could always adopt the approach of Myanmar and simply "not call it detention".

Of the six people who have so far been held for the maximum, three have then been released without charge. I wonder what the effect is on someone's employment prospects, mortgage/credit status and social life of having been held without charge for a month. The presumption of innocence must lead us to conclude that they have been significantly punished 'on suspicion'. I admit, hindsight is always pellucid, but one has to wonder what kind of restitution can or should be made in cases like that.

In other news: IATA has criticised the current security screening policy at UK airports, under which passengers must take only one item into the security check area. (And it must not contain any liquids or gels in quantities greater than 100ml, and those must be in a single separate re-sealable clear plastic bag, which must be taken out of the hand luggage for scanning, and so on).

In one sense this requirement is farcical. If I have a bomb in one piece of hand-luggage, it will still be there if I cram all my other carry-on items into the same bag. In another sense, it is simply frustratingly, unnecessarily bureaucratic. I have seen people reduced to tears because they have been told that they must either jam things like handbags, carrier bags and so on into an already full piece of hand-luggage or simply leave their possessions behind. Not that long ago, the carry-on allowance included the proper accoutrements of any lady (one item plus handbag or vanity case, parasol etc.) or gentleman (one item plus binoculars, umbrella or walking stick, briefcase, etc.). Those days, alas, seem as long gone as button-hooks and spats.

Bear in mind that all this happens after the passenger has already checked in and contributed their hold baggage to the luggage mountain. The baggage-retrieval system they've got at Heathrow* has already gone into crisis twice this year: this was the situation in January, and this is the picture six months later.

*Which so worried Monty Python's Terry Jones that he wrote a song about it...

Amidst all the scandals in the Tour de France (two teams, and three riders, pull out after drug tests) the most revealing news may have escaped your attention. The Predictor team, sponsored by a product which accurately measures hormone levels, has successfully completed the Tour without having any riders disqualified for drug abuse. I Predict that other teams may be queueing up for their sponsorship. I don't know why - I just feel it in my hormones.

Several other teams repeatedly denied allegations that your chances of pregnancy are increased by pumping away frantically on a bike saddle for three weeks.

As you may have seen/heard/experienced, there's been some flooding
in the UK over the last few days. We were unfortunate enough to get
caught up in some of it - with the exception of The Boy, who has,
somewhat ironically, escaped the effects of the rain by taking a
post-exam trip... to Ireland.

The rest of us were coming back from Warwick, trying to find a passable route and getting nudged further and further off-course as we ran into one flooded road after
another. Generally, there seemed to be three types of obstacle:

1 - flood-water with an obvious beginning and end - negotiable with care; 

2 - flood-water with dead cars in it - somewhat more off-putting;

3 - flood-water  with no visible 'far bank' (e.g. a 12-foot
wide stream of water following a lane round the corner). I don't know
whether this one was negotiable, as I didn't fancy finding out the hard
way. I certainly didn't see anything coming through it in the opposite
direction, though.

After successfully negotiating a dozen or so Type 1 obstacles, I noticed an engine warning light for low oil pressure, and that was it, basically. We pulled over and parked, and spent the next 50 hours waiting for a break-down truck. Finally got the
car home at about midnight last night. Well, I say "home". Actually a
local garage discovered this morning that they had had a night visit
from the Dead Saab Fairy.

It all sounds pretty grim, but on the plus side:

- The trip to Warwick was for Mrs W to receive her Master's Degree in
Public Administration; not only a great achievement in itself, but also
(if the omens are correct), the prelude to a PhD. 

- When we did get stuck, we found ourselves in a place full of friendly and helpful people: village life as it ought to be;

- We were put up by a wonderful B&B host who really went 'above & beyond': thank you, Stan!

- The local pub was superb: thank you Mike!

- We even had supper one evening in the hotel made famous by The Pudding Club.

So, although I don't usually do commercial endorsements, here are three:

- First and foremost,  Old Barn House B&B:  Stan, you're a star. Really sorry about that 1:30am phone-call from the AA to tell us they had no idea when they might be able to send someone!;

 - The King's Arms, Mickleton: very good food and service, and a friendly crowd behind and in front of the bar;

- Three Ways House Hotel: more puddings than you can shake a fork at. Post-prandial stroll definitely recommended.

Oh, and when we got home we found that the tarpaulin over the hole in the roof had been leaking, and the resulting wetness had blown one ring-main circuit. On the plus side, it had tripped the appropriate fuse rather than setting fire to the house. Mind you, that would have taken some doing in this weather.

You may be starting to wonder if we're safe to be around. If you ask nicely, I'll tell you when and where we're going on holiday, and you can make your plans so as to be elsewhere...  

Thanks to an invitation from Simon Davies at the LSE, I was at an event yesterday where Jack Straw (recently-appointed Lord Chancellor and Secretary of State for Justice) was to address us on the government's plans for constitutional reform.

There was a king-size helping of irony in the fact that he was in fact unable to come to the meeting, because he had to be in Parliament to deal with the fact that the Corporate Manslaughter Bill had just been rejected for a fifth time by the House of Lords. Apparently the remaining bone of contention between the two houses is that the Lords think that Corporate Manslaughter legislation ought to include deaths in police or prison custody, whereas the government does not. With its current overwhelming majority in the Commons, the government must be wondering whether the solution to this 'ping pong' of bills between the houses is not simply to reform the constitution so as to curtail the upper house's power even further. (As it is, the Lords can only delay a government Bill, not veto it).

What it reveals, though, is that Representative Democracy is a game. It's not the same game as dicatorship or a plebiscite, but it has rules and processes. The players of the game know more than anyone else about how to use (or bend) the system to get the results they want. One has only to look at the chicanery around David Maclean's Private Member's Bill to see that, or the extent to which government policy relies on getting primary legislation through in vaguely-worded terms, so that the policy detail is put in place later through secondary legislation.

The key difference between primary and secondary legislation is that secondary legislation does not go through the parliamentary process of debate and voting. Basically, once the primary legislation is in place, the ability of parliament to influence the practicalities is effectively at an end. Primary legislation is often referred to as 'enabling' legislation... presumably because it enables the government to do pretty much whatever it wants, within the scope of the primary Act.

So my question about constitutional reform is this: will it actually change the rules of the game in such a way that the electorate gets the benefit of the spirit of representative democracy, rather than the letter of it? Or will it, as one is tempted to suspect, simply give the Whitehall village a new game to play and a different rule-book to exploit?

The rather oxymoronic House of Commons Local Government Committee has reported that it doesn't think fortnightly rubbish collection is suitable in all cases, or that it necessarily improves recycling rates. Neither does it think proposals to link rubbish volumes to some form of financial incentive are likely to work.

The Dept for the Environment expressed disappointment that the Committee didn't appreciate its efforts to find "new and innovative" [sic] ways to encourage 'sustainable waste behaviour' - as opposed, presumably, to 'old and innovative' or 'new and unoriginal' ways...

Let's just run through the logic one more time from a householder's perspective in this district:

- the current regime allows for one grey bin every fortnight, and one green bin plus small crate every fortnight;

- the grey bin is for non-recyclable, non-compostable waste... plus cardboard (which used to be compostable but now is not) and plastics (which you might think, as a non-biodegradable fossil fuel product, ought to be high on the list for recycling if at all possible);

- the green bin is for compostable waste (another oxymoron for anyone with a garden and a compost heap). Ours is consequently always empty;

- the small crate (about 2' x 1' x 18", or 60cm x 30cm x 45cm if you prefer) is for 2 weeks' worth of bottles, jars, cans and paper.

So, the rubbish you can have collected from your home as part of the service funded by your council tax payment bears little or no relation to the rubbish actually produced. If that leaves you with piles of surplus cardboard, bottles, jars, cans and paper you have a couple of options:

1 - Use the town-centre recycling bins. These have been full to overflowing since the introduction of fortnightly collections... which you would have thought might be a clue to something. They must be a source of constant joy to the residents nearby.

2 - Drive your rubbish to a household waste recycling site - from here, roughly 10 miles round trip, open during normal office hours (9am-5pm) except on Weds and Thurs evenings, when it's open until 7pm. Except in the winter, when it shuts at 4pm every day.

Part of me just can't shake off the suspicion that this is all some arcane inter-Council bureacratic competition to see who can get the most convoluted and counter-productive scheme into operation without actually provoking a 'Rubbish Riot'. Our lot may be scoring pretty low for style and artistic impression, but you've got to give it to them for technical merit...

I've had a number of meetings and conversations recently, with the Crosby Review team, the new Department for Business, Enterprise and Regulatory Reform, the European Commission's Information Society, the OECD's Computer and Communications Policy Unit, the CBI's Information Security Working Group, and so on...

There's a theme which is strong and consistent in all these discussions. The logic goes something like this:

- For people to manage their identity and privacy in a context of informed consent, they need the ability to disclose only those attributes necessary to the task and relationship in hand;

- Disclosures of this kind are usually intentional and consensual... as far as the first 'step' is concerned (that is, you disclose willingly to the first counterparty);

- In that first step, you may have the option of expressing your preferences as to how your data is treated, whether technically (by means of something like a Privacy Preference Expression Language) or non-technically, through a privacy policy agreement with the counterparty;

- The tricky problem is - once you have made that initial disclosure - whether it's possible to continue to express and enforce your privacy preferences.

This is what's often referred to as 'sticky' policy - that is, it 'sticks' to your data even after that data has passed beyond any controls associated with the initial disclosure.

I've seen some proposals for technical solutions to this problem, but they tend to be complex, and they suffer from the drawback that ultimately, your 'digital disclosure' can always end up as 'analogue data'... at which point, it's very hard for a technical control to persist.

I've seen some proposals for non-technical solutions too, but the drawback there tends to be how you 'watermark' your data so as to ensure that a non-technical policy can be reliably applied to it.

To me, this is one of the interesting areas in which identity management needs to evolve over the coming months. The solutions are unlikely to be either 100% technical or 100% non-technical; neither are they likely to be 100% new - so some or all of the necessary pieces already exist. The question is, which pieces are they, and what are the missing ones?

In many European countries, the idea that "e-" is something you 'do' to 'normal' government has largely been replaced with a view that you can't, to coin a phrase, take the 'e' out of government. Huge challenges still remain, though.

For instance, there's the tendency towards a huge semantic gulf between policy-makers' language and implementers' language. As an example of the former, take the European Commission's desire to use e-government "to reduce the administrative burden by 25%". It's great at face value: who would object to the idea of reducing the administrative burden... I certainly don't want it increased. And 25% may not be huge, but it's better than no quantifiable target at all, surely?

The gap the implementer has to bridge is how you answer practical questions like "which administrative burden, on whom, and how should it be reduced...?".

One of the other statistics I have heard recently (expressed at the policy-maker level) is that "35% of European citizens don't use e-government services at all". What was not clear was which 35% and why.

One factor might be the sheer scale of the activity involved in a lot of e-government initiatives, as this article about a recent National Audit Office report starts to indicate. Apparently the average UK government website contains around 17,000 pages. Or it could be a matter of how close the e-government service is to home; local authority sites account for some 180m visitors a year. Or it could be a matter of whether the people in question actually has internet access: 40% of UK citizens don't have internet access.

Or it could simply be that some people are happier the less interaction they have with the public sector. The problem is when that is combined with a dependence on public sector services, and a lack of internet access. If that's the citizen profile, one could spend a lot of time reducing the complexity of existing websites to little effect...

"Where [public authorities] receive requests for the disclosure of correspondence that involves Members of Parliament, first, in every case the Member of Parliament must be consulted and, secondly, it is probable that in almost every case such correspondence is covered either by the exemptions, which are absolute in respect of confidentiality, or by data protection or by many of the other qualified exemptions within the Freedom of Information Act 2000. ...

I underline that Members of Parliament, for very good reasons, are not public authorities and therefore are not subject to freedom of information legislation. That was agreed without argument eight years ago."

--- Jack Straw, House of Commons, 14 June 2007

At the time of that statement, Mr Straw was the Leader of the House, and therefore responsible for managing the order of business in the Commons. If his view on the exemption of MPs' correspondence from FoI was so clear-cut, it is rather odd that he repeatedly went to such extraordinary lengths to schedule time for an opposition MP's PMB in a busy parliamentary schedule.

By my calculation, any potential sponsor in the Lords would have to give notice by Tuesday of next week if they indended to try and revive this PMB in this parliamentary session, and that would leave only two days for it to be presented... though the CFoI website notes that the Bill could ultimately be brought back yet again in the October session.

This incredible defiance of death was made possible because no MP raised a single dissenting voice when that would have sufficed to kill the Bill off in its early stages.

MPs have approved the continuation of 28-day detention without charge, as provided for by the Terrorism Act 2006. The requirement to take this review decision was added to the original Bill as an amendment, to answer some of the concerns raised at the time.

I really wish I could tell you what the future of this bill holds:

- will there come a point where that 28-day limit can be rolled back?

- will it only ratchet upwards. towards the 3 months originally aimed for by the legislators? (To date, the Home Office reports that 6 people have been held for the maximum 28 days. Three of them were released without being charged.)

- will there be a further review point in twelve months time?

That last question sounds as though it ought to be pretty easy to answer: just go back to the Bill and look at that amendment.

Well, I tried that and I'm none the wiser. You're welcome to have a go - let me know if you can figure it out. Here's the passage in question:

(1) The Secretary of State must appoint a person to review the operation of the provisions of the Terrorism Act 2000 and of Part 1 of this Act.

(2) That person may, from time to time, carry out a review of those provisions and, where he does so, must send a report on the outcome of his review to the Secretary of State as soon as reasonably practicable after completing the review.

(3) That person must carry out and report on his first review under this section before the end of the period of 12 months after the laying before Parliament of the last report to be so laid under section 126 of the Terrorism Act 2000 before the commencement of this section.

(4) That person must carry out and report on a review under this section at least once in every twelve month period ending with an anniversary of the end of the twelve month period mentioned in subsection (3).

Clear?

And no, I don't mean Park Lane and Mayfair with a hotel on each (Park Place and Boardwalk if you adhere to the Atlantic City sect...).

I'm referring to a very interesting point raised by Caspar Bowden at yesterday's workshop. His question to one of the IPS (Identity and Passport Service) representatives was, roughly, this: "Why do you insist on capturing all 10 fingerprint biometrics at enrolment - particularly when only two of them are actually stored on the ID card. Shouldn't there be provision for users to have at least some of their biometrics for their own exclusive use?"

There are a couple of very interesting principles there.

First, 'who owns my biometrics'? (And on that basis, who has the right to compel me to disclose which of them and why?)

Second, aside from the question of ownership, is it reasonable for the government to insist in capturing all the practically-usable biometric identifiers for each individual (fingerprint, palm, iris, face and so on)?

As things stand now, the assumption seems to be that the government may insist on capturing and storing any and all biometric indicators as it sees fit. I think that if it is unchallenged now, that is an assmuption which we may well live to regret within the next 5-10 years.

The implication is this: every biometric means you have of proving your identity is also shared by the government. In automated authentication systems, that means there is always the theortical possibility that your biometric identifier may be electronically introduced into an authentication process whether or not you are present. Not necessarily maliciously, and not necessarily by the government; but conceivably by someone who has obtained the electronic representation of your biometric identifier from a government-operated system.

Isn't it very odd to envisage a world in which there is no biometric over which I alone exercise sovereignty?

Hmm. That last post was actually supposed to be about something completely different, but the 'preamble' just grew and grew until it was pretty much a post in its own right. So here's what I was going to ask you about in the first place: fingerprint biometrics.

Whatever the scepticism about iris, palm, ear and/or DNA-based biometric systems, fingerprint biometrics feeature prominently in the ID Cards programme, which calls for all 10 of an applicant's fingerprints to be captured at enrolment.

One of yesterday's participants was Andy Smith, Chief Security Architect for the ID Cards programme. When asked, he confirmed that the ID card will hold encrypted images of two of the holder's fingerprints. They will be actual pictorial images, he said, not templates (i.e. abstract representations derived from the pictorial image). Let me say right at the outset that I do not know much about the details of fingerprint biometrics, so this is a genuine request for information, and certainly not intended as an implied criticism of any sort. (For instance. I don't know whether the encryption in question is symmetric or public key, and that makes a difference to some of the risk profile).

It seems to me, first, that there is an inherent risk in encrypting the fingerprint images themselves and storing them on the card for its lifetime. The security of that encryption must be measured on the assumption that the encrypted data could be copied off the card and then subjected to an exahustive attack at the attacker's leisure. The initial, relatively crude "jelly finger" attacks on fingerprint biometric systems have been countered, but who knows what tricks and technology the attackers will apply to the problem next, to spoof metrics such as pulse and body heat. Also, once cracked, possession of the keys in question might enable an attacker to replace the original images with apparently validly-encrypted images of their own choosing.

Second, depending on whether symmetric or public key encryption is in use, there are issues with distributing the keys in question to all those parties who need to be able to verify the fingerprints. If symmetric, there's a riks that a malicious recipient could generate spurious validly-encrypted images. If PKI-based, that risk is lower, but there's an implied key-mamagement burden in the distribution and management of certified public keys from each issuing authority.

For all I know, the IPS, Foreign OFfice, Consular Services and so on may have long since cracked the problem of key management in distributed cross-border systems - but these days things probably need to move a little faster and more frequently than a Queen's Messenger on a commercial airliner.

Third, I asked why store the fingerprint images themselves, rather than capturing the biometric, hashing it or a template, and then signing that and writing it to the card. The answer (and here's where I'd be grateful for your comments) was that cryptographic hashes are too sensitive to bit-level discrepancies between the image capture at enrolment and the subsequent image capture at verification time.

My problem with that assertion is that if it is really true, I can't see how non-human fingerprint matching could ever work in the first place.

Any ideas?

I went to a very interesting event yesterday; a workshop hosted by the DTI Department for Business, Enterprise and Regulatory Reform, and jointly run by the hugely capable team from Kable.

Among other things, it reinforced the fact that there is a healthy, well-informed and experienced UK community of interest around identity and privacy; at the risk of offending someone (whether by inclusion or omission!), my list of the 'usual suspects' would include Dave Birch, Caspar Bowden, Stephen Crane, Conn Crawford, John Harrison, William Heath, Mark Lizar, John Madelin, Luke Razzell and Toby Stevens.

There was also a lot of participation from the academic community, which I found very encouraging; Royal Holloway was represented by Fred Piper, and I also met people from UCL and the Universities of Reading, Edinburgh, Hertfordshire, Newcastle and elsewhere (apologies if I have left you off the list!).

The purpose of the workshop was to help the DBERR's Technical Strategy Board (TSB) air its plans for the Network Security Innovation Platform's programme of work - and as such it represented an extremely welcome opportunity for open and constructive dialogue between stakeholders such as the TSB itself, the Identity and Passport Service, the Information Commissioner's Office, and the academic and vendor communities. Specifically, we were looking at the issues of Privacy and Consent in Identity Management Infrastructures, which is a topic close to my heart.

We also had a series of breakout sessions to consider a list of 17 challenges (only 17, I hear you cry... what lightweights!). I'll cut &N paste them here (so apologies if the formatting is crummy - I'll try and tidy it up if so). Answers, naturally, on a postcard, please...

Challenge 1 - Do the public care about Privacy? How do they define Privacy and Identity Information and measure the value or loss? Are people too trusting, ill informed or just complacent?
Challenge 2 - Can technology help to replicate the risk based decision making seen between two parties in a face to face scenario, in remote online scenarios and what privacy enhancing technologies are available ‘before the fact’ versus ‘after the fact’?
Challenge 3 - Can technology and process really reduce harm (and risk) to an acceptable level and what inconvenience would individuals be prepared to bear to re-gain control and trust?
Challenge 4 - What human interface options could assist the individual to understand the difference between being informed versus participative consent?
Challenge 5 - What consent and technology models exist to allow an individual to consent and understand how his data is collected, stored and disseminated?
Challenge 6 - How can technology aid an individual to revoke his consent such that he has confidence and assurance that no further use or dissemination can occur?
Challenge 7 - If the advance of technology has been a catalyst for the privacy debate, which technologies when combined can answer the range of privacy concerns? (Privacy of what, from whom and at what cost)
Challenge 8 - What harms (risks) exist to an individual’s privacy in the differing identity management approaches and what technology options might mitigate such harms?
Challenge 9 - How can privacy enhancing technologies applied to one identity management architecture be inter-operable with another? (i.e. Centralised non shared translated to Federated)
Challenge 10 - What technologies are privacy protecting, and what ones can detect and respond to breaches in policy including alerting the individual to a breach?
Challenge 11 - If the individual has corroborating evidence of their identity or entitlement how can technology support exposure of only that information specifically required to complete the transaction?
Challenge 12 - If trust and consent models are technically possible, what is the market failure in developing commercial applications, or are there other influencing criteria? (What are the barriers to practical implementation?)
Challenge 13 - What are the limits of technology in privacy and consent schemes being discussed? Beyond those limitations what else would be required to bring realisable solutions? (Can you design technologies which are non discriminatory?)
Challenge 14 - How can technical functionality be supported by legislation to meet the range of privacy needs now and in the next 5 years?
Challenge 15 - Can we and how do we come together to provide more technology enabled services which people want to use because they feel their privacy and consent is foremost?
Challenge 16 - What extra measures/role  for the Information Commissioner Office and what required governance would engender and build trust by the public in any scheme and why?
Challenge 17 - How can privacy policies be both realised and inter-operable across the range of Identity Management approaches and national boundaries?

I blogged last year about the introduction of an immigration 'fast lane' at Heathrow airport, based on iris pattern recognition. I noted at the time that scalability and throughput of the system would be a key factor, and have had a few opportunities since then to observe it in practice.

I wish I could show you some photos or a movie clip of what was happening on Friday night, for instance, but as cameras are forbidden in the immigration area I'll have to stick with words. Frankly, the 'customer experience' sucked. Here were some of the factors in play:

- there were queues at both the IRIS channel and the 'human being' channel;

- there was one IRIS machine (Heathrow Terminal 4) and 4 immigration officers;

- the queue for the IRIS machine was about 10-12 people; 

- it's hard to judge, but I would estimate that the queue for the 'human being' channel was about 150.

Despite appearances, the 'human being' channel was, hands down, the one to join. Here are some of the problems with the system:

1 - the basic fact is that on average, the immmigration officers always work much faster than the IRIS machine (and there are more of them at every terminal);

2 - the IRIS machine was 'rejecting' about one in 4 people - as far as I could tell, usually because of 'user error'. The machine works by asking you to look into one of three cameras mounted in a vertical row, but the ergonomics are not good, and it's easy to get confused about which camera you're supposed to be looking at;

3 - rejection follows multiple attempts and therefore takes even longer than a successful verification;

4 - if you're rejected, there is no 'error handling' option... you just have to come out, cross over to the 'human being' channel and join the back of the queue. NB - from memory, I don't think that is the case at Terminal 1, where I think there's a 'fallback' immigration officer by the IRIS channel to mop up the rejects; can't remember about Terminal 2.

5 - The immigration officers' supervisor did emerge from her glass box at one stage, but was extremely unhelpful when asked if the 'rejects' could be handled by a human being and thereby speed up the whole process. Her response was simply "you have the choice of which queue to join in the first place". By the time the complainant in question had finally made it through the gate, the supervisor had retreated to her lair once again.

So whatever the merits or otherwise of the technology, this is currently a system which is set up to fail simply because of the way it is being operated. The throughput is worse than the non-technical alternative, there's no provision for scalability, and there's no failover.

B-, could do better.