Robin Wilton's esoterica

The Queen has launched her own channel to publish the Christmas Broadcast (among other things). I suppose she could call it "OneTube". Most thoughtful; it saves having to plan the Christmas stupor for either 'before' or 'after'.

Best wishes to one and all.
 

'On the frozen lake' - Norway, 31/12/2003

Well... what to pick from today's crop of news headlines...?

The media show interest in Tony Blair's conversion to the Catholic faith... leading the uncharitable part of me to wonder whether that's because its doctrine of confession offers his conscience an anti-inflammatory pre-med in this world, thus neatly kicking into touch the twin questions of answering to his maker and his fellow man.

Or perhaps the 'big target'... the news that nine NHS trusts report data breaches involving the loss of an unspecified number of patient healthcare records...

No, on balance I think it has to be a follow-up visit to that long-running saga, the Al-Yamamah arms deal, and the persistent hint of political expediancy which continues to hang around it. To refresh your memory briefly: the Serious Fraud Office was carrying out an investigation into allegations of corruption in a 1980s armaments deal between BAe and the Saudi government. Potentially at stake was a current bid to sell nearly £4.5bn worth of Typhoon fighter jets to the Kingdom.

The SFO were instructed to halt their investigation, but accusations that Downing Street had called off the dogs because of the jeopardised fighter deal were met with denial. It was a 'matter of national security': bluntly, p***ing the Saudis off could weaken Britain's alliance with them in the "War on Terror", so the Saudis must be kept onside, and if that meant no more rooting around in the details of a 20-year-old business deal, so be it.

Except that a recent legal challenge has resulted in the revelation that Tony Blair wrote to his Attorney General, Lord Goldsmith, a few days before that decision to call off the SFO, expressing serious concern about 'critical difficulties' which might affect ongoing business negotiations over the fighter deal.

This Catholicism jag might be off to a sticky start... 

"Bless me, Father, for I have sinned..."

"Go on, my son..."

"How long have you got...?"

I blogged back in February about the technique of "Low Copy Number" (LCN) DNA testing, and the extent to which a seemingly conclusive 'Yes or No' result can hide a bewildering array of procedural and interpretive variables. The topic has hit the headlines again today, as the police have said that they will halt all use of the LCN technique. The Crown Prosecution Service and the Northern Ireland Chief Constable have announced a review of all cases which relied on the technique, which has been 'routinely used' since 1999.

The announcements come in the wake of a not guilty verdict for Sean Hoey, cleared of 56 charges relating to the Omagh bombing of 1998. Whatever the merits or otherwise of the testing method, the judge was also highly critical of police procedure concerning the forensic evidence. He described findings of "deliberate and calculated deception".

It's as good an illustration as any of the way in which law (in this case criminal law), technology (the techniques of LCN) and governance (the way in which the evidence was handled) are inextricably related. In this instance, the alleged identification of Sean Hoey as the maker of a bomb detonator was crucial to the prosecution's case. Eight years elapsed between the bombing and the start of the court case, and the case itself has run for over 14 months. Extensive police and forensic resources were devoted to trying to prove a link between recovered DNA and Mr Hoey.

As biometric authentication techniques start to become more and more widespread, the same elements - law, technology and governance - will surface and re-surface. In most cases, a failed or flawed authentication may be a mere inconvenience. In others, they will be in some way comparable to the Hoey case - an overturned verdict, a decade on from a bombing in which 28 people died.

In some cases they will be more serious. The time to review the way in which technology, policy and law interact is now - before, rather than after such a case arises.

I've blogged a few times about the distributed, cross-border nature of technology-mediated criminal activity. If there's such a thing as joyless gratification, it is perhaps to be found in this BBC news story, which tends to confirm that analysis.

"For Sharon Lemon, head of e-crime at Soca, the way Shadowcrew worked - remotely, without ever needing to meet - is typical of how the new e-crime networks operate compared to the old-style "top down" organised crime groups.

"People have been used for specific skills, rather than the usual pyramid structure," she says. "With one person providing the documents, another would buy credit card details, another would create identities while another would provide the drop address.

But it is the international scale of the such borderless networks that serves as the biggest challenge for authorities. For Soca, this makes liaison between countries - mostly resource-rich nations where most e-crime is carried out - essential."

One thing I would quibble with is that I think there's a risk in focussing exclusively on 'resource-rich' nations. It's far more likely that these ad-hoc criminal networks will extend across a variety of countries, depending on the skills they need to tap into. The effect of the resulting fraud might be felt in a 'resource-rich' nation, but previous "enabling" links in the chain might well reside elsewhere.

the example I heard was of a credit card "double swipe" in North America, from which the data was consolidated in the Far East; it was transferred to fake credit cards in South Asia, those were shipped to Southern Europe and used to buy high-value consumer goods for shipment to Central Europe.

I honestly can't decide which is the dumber part: the fact that the BBC news site has picked up on Sony's inclusion (at #63) in the Fortune "101 Dumbest Moments in Business" list, the fact that Sony's gaffe qualified them for it, or the basis of the original row, which was that Manchester Cathedral objected to the use of their building as the 'set' for a 'shoot 'em up' video game.

The Dean of the Cathedral responded to Sony's apology with a stern reminder that the church was "against violence and especially the gun violence seen in this portrayal of the cathedral". Well, I hope that clears up any uncertainty on that point, for anyone who feels the church's position on violence is a bit ambivalent.

So what's next...?

Presumably TS Eliot's "Murder in the Cathedral" will have to be banned until it can be re-written in a secular setting.

The airbrushes will be deployed to obliterate the 2002 Church of the Nativity seige from the historical record.

The 1997 flick "The Peacemaker" will have to be edited because it suggests that terrorists may leave nuclear weapons inside a chapel.

That ugly little incident with Samson and the temple of Dagon didn't happen either. Or was that one OK because it was a heathen temple and therefore doesn't really count as a religious site?

I can't find a transcript of the Prime Minister's Press Conference speech from this morning, though if you want to sit through over an hour of it in online video format, there are a couple of links here. As a result, I can't put any context around his reported view that 'recent scandals to have hit the government, such as data loss and proxy donations, will be "quickly forgotten"'.

If that is really his view, it suggests that the issues I described in my previous post are at least as serious as I suggested, and possibly more so. One of the points I was trying to make was that, although it is all too easy to remain unaware of an identity breach (or, as Gordon Brown hopes, forget that it happened at all), that doesn't mean the risk of subsequent harm has gone away.

If we revisit the analogy between PII and fissile material, one way to look at this might be in terms of half-life... For some "isotopes" of PII, the risk of fraud can be mitigated over time, even if you're unaware of the compromise. For instance, if you get issued with a new credit card, the risk associated with any compromise of the previous card number drops off sharply. For others (such as your biometrics, National Insurance number or other details which can't be re-issued) the risk arising from an inappropriate disclosure might persist longer than you.

Maybe Mr Brown was hoping to plant subconscious seeds of forgetfulness in our brains while they are rendered mushy by end-of-year fatigue and the pre-Christmas frenzy... there to stratify through the mid-winter.

However much he might wish it from a PR perspective, Gordon's fond hope seems to me a rather rash counsel of carelessness. If, as a result, the data custodians don't learn from these breaches, and the data subjects forget to look for the signs of fraud, the future of our digital privacy is bleak indeed.

"Our Gord, Heaven cannot hold him, nor Earth sustain..."

[Apologies - this should have gone up on the blog yesterday, but thanks to a combination of technical reasons and user error didn't quite make it...]

This started out as a reply to William Heath's comment on my previous post, but it grew to the extent that it only made sense as a post in its own right. William was wondering whether the current rash of data breach admissions signals an endemic problem in the UK.

Well, looking across at the US, it seems to me that as more states enact Breach Notification legislation, the initial reaction of data subjects tends to be one of shock, as they are presented with evidence of the unexpected ubiquity and frequency of data breaches. Then, as everyone you speak to has either had their own notification letter or knows someone else who has, a certain anaesthesia sets in.

In large part, this is attributable to some characteristics of identity theft which distinguish it from the theft of physical objects. If someone steals your car, the absence of the car (and the resulting inconvenience) is immediately apparent. If someone inappropriately discloses your identity data, there may be no sign that it has happened. It can be similarly difficult to associate any subsequent identity-related fraud with a specific data breach. Indeed, thinking of the recent HMRC breach, several commenters have recently noted that a competent identity thief would be likely to sit on the data until it is cool enough to risk exploiting it.

The looseness of that link between cause and effect can make for some strange decision-making; as long as it is 'better' for a civil servant to disclose massive amounts of PII than to spend £5,000 on a database query, we can only realistically expect further breaches. There is, incidentally, a whole essay to be written on that equation - another time, perhaps.

This aspect seems to have escape the Chancellor, Alistair Darling, who continues to make reassuring noises to the effect that 'there is no evidence that the data has fallen into the wrong hands'.

In fact, if one looks at the tone of the public statements made about the data breaches, there's a fairly consistent theme of trying to beat that empirical axiom that you can't prove a negative. There's 'no indication of criminal intent'; the disks 'weren't necessarily stolen - they just weren't found where they were expected to be'; it was probably 'a simple case of data room maladministration'... a 'dreadful accident that shouldn't have happpened'... 'just one of those things'. The minister in charge at the time the initial Driving Standards Agency (DSA) loss assumed that 'the subcontractors would get back to his successor with the results of their investigation' - but after being reshuffled, didn't take any positive steps to check that that was the case. According to the Iowa City police spokesman it was "probably unlikely" that the missing disk would be found "but one never knows". Indeed.

Our CPO, Michelle Dennedy, has a short but indispensable rule of thumb: PII is toxic.

Let's use that as the basis for a short logical argument:

P1: A great deal of today's consumer activity and e-government activity is predicated on the exchange (sometimes in mass quantities);

P2: There is currently often no provable link between a given fraud and a specific prior disclosure;

P3: A single data breach can irrevocably nullify any number of other instances of good data custody;

P4: Taken together, P1-P3 can undermine economic activity on a national scale.

C1: The cost-risk analysis for the handling of PII is ripe for a radical review;

C2: It looks increasingly appropriate to treat PII as a 'controlled substance' - much like a Class A drug, fissile material, or the kinds of materiel covered by arms limitation agreements during the Cold War... storage, transfer and destruction would be events subject to positive verification, their release (disclosure) controlled, and limited by design rather than only discretion.

That looks substantially different from today's common practice, culturally, technically and procedurally. It also seems to imply a degree of improvement which will require more than the default 'evolutionary' rate of change.

Now, a mini-rant about something which is increasingly irritating me. It is simply impossible to draw sensible conclusions from the public statements made so far about the protection applied (or not) to the various sets of comromised data. It's also impossible to tell whether those statements reflect a basic ignorance about the technical principles involved or a determination not to reveal the facts (which would have its own involuted irony).

For instance, in the HMRC case, we were told that the data was 'password-protected but not encrypted'. Dave Walker has explained, with his usual thoroughness, why that statement is nonsensical. Dave also links to the evidence submitted to the House of Commons Treasury Select committee lookiong into the breach. This includes the assertion that the inter-departmental transfer of files like this is secured by passwords which are 20-30 characters in length. The Committee will have been left with the impression that the system uses passwords substantially longer than any average user would choose. Anecdotally, though, that is far from the whole story. It was not made clear, for instance, whether the passwords are unique to each data transfer, or chosen from a shared list... and if the latter, whether that list is unique to each pair of sharing departments, or widely shared among public sector bodies. Any of those factors could reduce the effective security of the transfers far below that the Committee might assume to be in place.

In the DSA case, Transport Secretary Ruth Kelly is reported as saying that the lost data was 'formatted specifically to meet the security requirements of the private contractor' and would not be "readily accessible of usable by third parties". With all the respect that statement merits - I haven't smelled so much fudge since I went on the Willy Wonka ride at Alton Towers.

- First, why is it being left to the sub-contractor to specify the security applied to the data, rather than the requirements being determined by the original data controller, which remains legally responsible for ensuring that the data are adequately protected once shipped off-shore?

- Second, what kind of 'specific formatting' renders data 'not readily accessible or usable'? If it's encrypted, say so. If it's not encrypted, its security will not be materially affected by saying so at this stage. Weasel-worded obfuscation does nothing but damage the credibility of the speaker.

Stop Press:

I had hoped to finish writing this post before news broke of another public sector data breach, but alas, it was not to be. Today's story about an HMRC data breach concerns the loss of the personal details of 6,500 customers of a pension provider after the data cartridge in question had been received and signed for at the tax office.

An HMRC spokesman said: "It is very unlikely that any unauthorised person would be able to access the customer information due to the nature of the medium on which the data is held", neatly glossing over the notion that the cartridge dropped out of any system of control in a building which contains exactly the device/s which are capable of reading it, and some number of people with legitimate access to those machines.

I'd be willing to bet that neither that spokesman nor Ms Kelly have read Bruce Schneier's paper on "security through obscurity", but it would be an admirable investment of a few minutes of their time.

Obviously, any public sector data breach is tending to go straight to the headlines at the moment, so the news that 3 million driving theory test applicants have had their personal details compromised has been widely reported today.

The primary failure again appears to have been one of governance (the physical loss of a disk drive from an out-sourcing company in the States), rather than technology - though the implication is that the data was not digitally protected.

The Data Protection Act 1998 prohibits the transfer of data outside the European Economic Area unless adequate safeguards have been put in place to ensure that there is no drop in the level of protection as a result. The safeguard might be, for example, a 'binding corporate rule', a 'safe harbour' provision, or an implementation of the model contract drafted by the European Commission... but there has to be one, and presumably the recipient of the data must be aware of and understand what it is.

It's alarming, therefore, to hear in today's radio news reports that the discovery of the data breach was not immediately reported to the Driving Standards Agency because staff at the sub-contractor "didn't think any law had been broken"... Under those circumstances, neither the sub-contractor nor the Agency seems to have discharged its duty of care to the data subjects.

Here's where I was today - for part of the day, at least - and it was time well spent. A video of the event should go up on YouTube in due course, so I'll keep an eye out and post a link when I see it. The press was also well represented... I noted eWeek, Business Week, the San Jose Mercury and San Francisco Chronicle... so hopefully there will be some good coverage to watch out for.

What I found most heartening was that across both the panel and the audience, the level of awareness and lucidity about privacy was consistently high. Chatting with participants over lunch, any given conversation could very rapidly get down to the niceties of 'user consent and control', the relevance of 'contextual integrity' to privacy protection, or protection 'beyond first disclosure'.

Although it can still (a year on) often feel as though privacy is 'the new green', it's clear that it is also a discipline of increasing maturity, represented by a community of increasing depth. And a fascinating bunch they are, too.

Which of the following is the odd one out?

- Reginald Iolanthe Perrin

- Oleg Zhukovsky

- John Darwin

- Mexican cichlid fish

It's Oleg Zhukovsky. All the others have faked their own death by drowning (the Yucatan cichlid fish, Parachromis friedrichsthalii, feigns death and then attacks smaller fish which come to scavenge on it).

The unfortunate Mr Zhukovsky, banker to Russia's lumber industry, was found dead in his dacha swimming pool, his arms and legs bound. Police are, apparently, treating his death as 'suspicious' despite finding a suicide note nearby. All I can say is - if he had the determination to write his goodbye letter, tie his own hands and feet and then hop along to the pool like a competitor in some diabolical sack race - he must have really wanted to end it all.

I was at the Enterprise Privacy Group's (EPG) "Postcards from the Future" workshop yesterday, and as you might imagine, a lot of our discussion was driven by the highly topical matter of the HMRC data breach. This time last week, I blogged about some of the foreseeable long-term liability issues which might arise if the missing disks are either discovered to have fallen into malicious hands, or simply never turn up again. I also mentioned the readiness with which the Chancellor assured us that the banks would pick up the tab for any resulting identity fraud.

Yesterday, in the course of an extremely constructive workshop, one of the participants made the following very interesting observation: Section 13 of the Data Protection Act 1998 runs as follows (the italics are mine):

13 Compensation for failure to comply with certain requirements

(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if -
(a) the individual also suffers damage by reason of the contravention, or
(b) the contravention relates to the processing of personal data for the special purposes.

(3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned."

Of course, in the absence of some kind of forensic meta-data this still appears to leave the onus on the data subject (in however many years' time) to establish the connection between this data breach and any damage suffered, but the prospect of that potential liability cannot be a comforting one for the data controllers in question.

Do you remember 9/11? Not the 9/11, that is, but 9th November 2005. That was the day Tony Blair first lost a vote in the House of Commons - and it was on his proposals for 90-day detention without charge of terrorist suspects. For those who like the numbers, the vote was 322 against, 291 for, 49 Labour rebels.

Here are some other numbers: 1, 2, 2, 2, 2, 3, 3, 4, 5, 5, 6, 7, 7.5, 12, 42.

42?? How did that get in there? I know 42 is a number of enormous significance, but it does rather stick out in that company. And yet, that's the profile of the UK's proposed limit on detention without charge, compared to 14 other countries' current limits. (The 12 is Australia, the 7.5 is Turkey... at the other end of the scale, the 1 is Canada and the 2s are the South Africa, Germany, New Zealand and the US). The numbers come from a study published in November by the National Council for Civil Liberties. You can find the report and other information here.

And here are yet more numbers: 28, 42, 58, 72.

These are the numbers you get depending on how you interpret the government's various statements on how long it needs. It got 28 days originally, but under the government's own Civil Contingencies legislation, another 30 days could be added to that (giving 58). That could only happen under extreme circumstances (i.e. if a state of emergency is declared...) but then, that's exactly the kind of exceptional circumstances ministers say they are trying to cater for by pushing for an extension of the current limit.

42 is the limit announced yesterday in the Home Secretary's proposals. This time, the extra 30 days which bring us up to 72 would come from her plan to propose that any 42-day detention "must be approved by Parliament within 30 days". Shadow Home Secretary David Davis made the point yesterday that this raises the extraordinary prospect of Parliament holding a debate to discuss the details of a case involving terrorist suspects who have been detained by the police but not yet charged; what on earth the effect of this would be on any subsequent legal proceedings was something the Home Secretary didn't explain yesterday.

Confused? I'm not surprised. It's possible you'll find enlightenment in Nick Robinson's post on the subject... but then again, he's only a journalist, not a miracle-worker. He does make the interesting point that there may be no objective rationale for settling on "42", beyond the notion that it's the highest Jacqui Smith could get away with without provoking a fatal rebellion of Labour MPs. That could make for some interesting human rights test-cases to explore the proportionality of the detention period.

A couple of interesting twists to the 'concealed donations' story over the last 24 hours:

- this morning on Radio 4 there was a report of allegations that not only did multiple Labour Party staff members know about the donations, but that they conspired in order to come up with the mechanism through which those payments could be made without revealing Mr Abrahams' identity... i.e. that he should give cheques to people in his immediate business circle, such as his solicitor and his secretary. Blimey. If that's the most devious plan they can come up with through "conspiracy", the smart money must surely be gravitating towards "cock-up".

- yesterday, it emerged that Mr Abrahams is unlikely to get his money back, despite Gordon Brown's initial statement on Nov 27th that the cash would be repaid. Apparently there's a 30-day limit, and once that has elapsed donations are not repaid to the donor, but must go instead into the Treasury's "Consolidated Fund". Which is nice for them.

At any rate, it seems pretty clear that the Labour Party shouldn't get the money; and until it's clear whether there's a link between the donations and any alleged form of political advantage - such as the granting of planning consent for his construction projects - neither should Mr Abrahams. That said, it would be nice if there was some transparency over where it ends up going from the Consolidated Fund. It seems there are only four legally permissible recipients of payments from the Fund: the government Paymaster General, the Commissioners of the National Debt, the Chief Cashier of the Bank of England, and the Commissioners of HM Revenue and Customs (the HMRC...).

I wonder if the latter would believe it if they were told their cheque was in the post.

Intriguing headlines on the BBC site today, concerning the story of a man who disappeared (leaving only a washed-up empty canoe), was eventually considered by the coroner to be 'probably dead', and has now re-appeared at a police station claiming to have no recollection of the last seven years. The police have since announced that they had, over the last couple of months, re-opened investigations into the disappearance.

OK, so maybe this is more "identity suicide" than "identity theft"... but I bet he'll have a hard time opening a bank account in the short term.

(With apologies to JB "Beachcomber" Morton)

Disclose : (n) To reveal, publish or make widely available. (A portmanteau word formed from the words "disc" and "lose")

Another fundamental legal change is apparently being considered in the UK;

The proposal is in a report commissioned by the former Justice Secretary, Lord Falconer. Written by Lord Carter, the report will apparently recommend that prison sentences be imposed only if jail cells are available. Unfortunately, the wikipedia entry for Lord Carter is so brief as to be almost non-existent... but I'm willing to bet he has not been a great student of game theory. I mean, if that policy is put in place, isn't the 'rational' criminal strategy for as many people to commit crimes as possible?

All the prison places would then soon be occupied*, whereupon the risk of being jailed if caught would approach zero.

*In fact, in October of this year they already were... 

...well, Ginger Alert, strictly speaking ;^)

Paul Walker has started a blog here on b.s.c.. If you're already a fan of Superpat's blog, you'll definitely want to keep an eye on Paul's. You know those Special Forces blokes who you can shove out of a plane (preferably with a parachute) anywhere, and they'll just land, get on with it, and turn up a few days later looking fit and well fed? Well Paul's sort of like that, but for Identity Management...
 

Oops. I didn't get around to posting a Friday Travel Story yesterday, so here's a short one from the Age of Rail.

Back when I was a kid, and my father was working in Belgrade, my younger sister was looked after by a nanny. This was just about 1970, and the nanny was, I would guess, in her early 20s.
(Though obviously at that age I thought anyone over about 17 was so
ancient that their precise age was pretty irrelevant...).

When the time came for us to leave Yugoslavia, the nanny said she would take the opportunity to travel back to England over-land... It wasn't quite the Orient Express, but certainly the train from Belgrade ran up through Zagreb and Trieste to Venice and thence Paris, so it was a good trip to do.

The tickets were arranged, and on the day in question we all went down to Belgrade station to see her off. In those days, Belgrade station was somewhere you could still see the occasional Thomas-style steam-engine, though they were all black, rather than bright blue. With us, we had a 'fixer'; a Yugoslav employee of the embassy who would do things like help negotiate any bureaucratic mysteries, ensure that the right officials had stamped the right slips of paper, and so on.

The nanny duly boarded and found her allotted berth - though thinking back, I have no idea whether this was in a couchette or a sleeper... A few moments later her worried face appeared at the window and she beckoned us over.

"I think there's a bit of a problem with my reservation..." she said, in a state of some agitation; "There's a man in my compartment!".

The fixer was swiftly despatched to see what he could do to sort out this potential threat to tender English virtue. In due course his face too appeared at the window, beaming Slavically from ear to ear.

"Nema problema! ['There's no problem']", he exclaimed reassuringly... "Zis man iss a friend of mine!"

A National Identity Register containing biometric authentication data is, as we all know, the solution to many things, including the terrorist threat, benefit fraud, and the risk of identity fraud arising from massive government data breaches. We know this because at various times, various ministers have told us so.

In a week where the dominant news story has been that of covert donations to the Labour Party (displacing the HMRC data breach and the Northern Rock collapse from the headlines), it's a little strange that no minister has leapt to assure us that the best way to ensure transparency in the party funding process is... to insist on biometric authentication of all donors.

Except, of course, that it wouldn't make any difference. Let's just work through an example to illustrate the problem.

In the current funding scandal, what is alleged to have happened is that one donor (let's call him "A") wanted to give money to the party of Mr "B", but wanted to do so through a third person - Mrs "D". If we had a system where "D" could only make a donation if she biometrically authenticated first, we would 'know' that only "D" could have made that donation. We would have no idea - from that alone - that "A" was standing behind her shoving cash into her handbag by the fistful.

If we were able to audit the bank account/s of any donor, we might wonder why "D"'s normal salary had been augmented by a payment from "A" which happened to match the amount which "D" subsequently gave to "B"... but of course if we had access to that audit trail, then we would be able to infer that something fishy was going on without any need for the biometric authentication.

"Ah ha..." I hear you say... "but someone who really wanted to hide his identity wouldn't be that daft. He'd make sure that either he or "D" has opened a bank account in a different name to hide the connection - and if the banks were all able to check a biometric register, that would be impossible to conceal."

Unless "D" just paid "A" in cash. Or through a holding company. Or by the 'gift' of some form of realisable asset, like a Fabergé egg or a baroque sideboard.

The point is, biometrics on their own just can't prevent a concerted attempt to make a dodgy payment - you need probing and robust audit processes and access to a lot of data which you can search for correlations... and if you can do that to the required degree, the biometric authentication starts to become less and less relevant.

I keep looking back to Lance Piper's work of a couple of years ago, and concluding that it really was visionary in many respects - not least, because it recognises a fundamental shift in the way identity is conceived. Over the last few centuries, we have moved from a purely social concept of personal identity, to a concept of personal identity mediated through credentials issued by a trusted third party (principally, the state), and now to a concept of personal identity where those mediating credentials compete for importance with the broad spectrum of data available about an individual in the public domain.

That introduces two problems. The first that it requires better interpretation, audit and governance of many disparate pieces of data, instead of the comfortable preceding model of total reliance on a "high-trust" credential. The second, as we have found out in the last ten days, is that in the absence of that capability, the old systems are likely to have a real problem dealing with the mass compromise of those "high-trust" credentials.

I fully appreciate, that's a difficult basis on which to build public policy - but I don't think ignoring it as a factor is the answer either.