It seems Gordon Brown went AWOL briefly when it was time to sit down for dinner with the Queen and President Sarkozy.
Her Majesty was apparently heard to remark that "the prime minister got lost".
No.10 Downing Street responded that Gordon Brown "does what he's told on these state occasions".
The inference seems inescapable.. did the Queen really tell him to get lost?
"I think indeed there is no nation under heaven, in which so much has already been said upon [the] subject [of Toleration] as ours. But yet certainly there is no people that stand in more need of having something further both said and done amongst them, in this point, than we do.
Our government has not only been partial in matters of religion, but those also who have suffered under that partiality, and have therefore endeavoured by their writings to vindicate their own rights and liberties, have for the most part done it upon narrow principles, suited only to the interests of their own sects.
This narrowness of spirit on all sides has undoubtedly been the principal occasion of our miseries and confusions. But whatever have been the occasions, it is now high time to seek for a thorough cure. We have need of more generous remedies than what have yet been made use of in our distemper. It is neither declarations of indulgence, nor acts of comprehension*, such as have yet been practised or projected amongst us, that can do the work. The first will but palliate, the second increase our evil."
John Locke - A Letter Concerning Toleration (1689)
Interestingly, "comprehension" here is used in the sense of 'comprehend or comprise' - "to include or embrace", rather than the more usual modern sense of "to understand".
Locke goes on to argue - albeit in a partisan way - for a nation-state in which multiple religious sects are tolerated, but in which there is a clear separation between civil powers and religious practice. He argues for broad rights on behalf of Protestants, while seeking to restrict them for athiests, Catholics and 'Mahometans'. It all casts an interesting side-light on the arguments advanced more recently by the Archbishop of Canterbury.
At least, not if you were one of the unlucky ones affected by "teething" problems at Heathrow's new Terminal 5.
I haven't used T5 yet, but from the press reports the keywords appear to range from "glitch" (BBC) to "farce" (FT). I know it's a huge undertaking, had to be achieved without disrupting the normal operation of the rest of the airport, and so on, while moving huge quantities of materiel and large numbers of staff from one end of the airport to the other, so it's possible that these were indeed just a few initial problems with the use of a new large-scale and complex system.
Nevertheless, it does seem that some of the problems are ones of,shall we say, 'questionable competence' rather than complexity. For instance, one wheelchair-bound passenger arrived on an inbound flight and then found he couldn't get into the air-side part of the terminal because there was a step. The Disability and Discrimination Act legislated on this back in 1995 - and its provisions became mandatory in 2004.
Then there's the question of whether passengers should be fingerprinted in order to get into the departure lounge. The airport operator, BAA, is reported as saying this (you may need to register to view the full article):
"Fingerprinting of passengers postponed
The introduction of fingerprinting for some passengers at Heathrow’s Terminal 5 was postponed on Wednesday, just hours before the opening of the building for commercial operations.
The data protection watchdog said at the weekend it had launched an investigation into the plans to fingerprint domestic passengers and international passengers transferring on to domestic flights at T5.
BAA, Heathrow’s operator, said on Wednesday that following meetings with the Information Commissioner’s Office and the Border and Immigration Agency, the introduction of fingerprinting would be delayed temporarily.
It added that Terminal 5 security would be opened on Thursday using a photographic identification process, which was similar to one used for several years at Gatwick. “We will be working closely with the information commissioner and the Home Office over the next few weeks to agree the best approach going forward.”
It wants to carry out fingerprinting to ensure its common departures lounge did not breach border controls."
Several things need to be called out, here.
Now, I've heard the same logic applied at Gatwick, Manchester and Bristol airports, where they photograph you at outbound passport control. There, though, I was told that it was to ensure that domestic passengers couldn't borrow the boarding cards of international passengers and use them to take advantage of the tax breaks on discounted booze and ciggies... as the two categories of passenger are not segregated in the departure lounge.
1 - If the purpose of fingerprinting (or photographing) is to stop unauthorised access to tax-free shopping, then say so. It's illegal to say you're capturing personal data for border control purposes and then use it to stop people buying discounted perfume.
2 - Solve the problem by means which do not require the unnecessary disclosure of personal data: if the real issue is about tax-free shopping, then require people to show that the name on their boarding pass matches the name on their identity document. Capturing their biometrics is entirely unnecessary for the purpose, and that violates the Third Data Protection Principle - that the data collected should not be excessive in relation to the prupose for which it is collected.
3 - As Richard Veryard pertinently wonders... is capturing a facial biometric any less privacy-intrusive than taking your fingerprints? Arguably, it is more privacy-hostile, as it can be done passively with little or no user awareness, whereas fingerprinting at least requires a rudimentary 'disclosure protocol' between the official and the traveller.
4- Design the airport better... for goodness' sake - this is not the first airport terminal which has ever been built. Other European airports have to cope with the distinction between EU and non-EU travellers, and many of them have had to do so without the advantage of having been built from scratch. Some have retro-fitted physical barriers to make that distinction enforceable (for instance, Madrid and Venice) because they were built before the Schengen principles were brought into force.
As seems all too often to be the case, though, the default policy is based on undervaluing the citizen's personal data and assuming that capturing it harms no-one. At least, no-one of any consequence.
Aircraft, currently still a welcome refuge, may soon be as full as everywhere else of those people whose mobile phone manner seems to render the phone itself unnecessary.
Long before Dom Joly hit on it as satirical fodder, I remember hearing a passenger who had just taken the one-hour flight from Heathrow to Glasgow; no sooner was he in the glass walkway between the aircraft and the terminal than he just had to phone someone to tell them the earth-shattering news that.... "The breakfast on the flight was really quite good. Omelette and bacon, with sausages and hash browns."
Wayne Horkan has helpfully pointed out that my blog is rendering OK in Firefox and Safari, but not so well in Opera. Sorry about that: the problem is almost certainly buried somewhere in the style-sheets, and if I can find it, I'll fix it.
I wonder, sometimes, I really do. The BBC news site today carries a report that "many hospitals across England had to turn away women in labour last year because they were full". Of course they were full, you ninny... they had babies in their tummies.
In other news: the NHS has come under heavy criticism, after government figures show that its policy of contracting its courier services out to DHL has resulted in 25 million babies being delivered to the wrong mother.
In his comment on my previous post, "ed" hints at a very relevant issue. I was talking about plans for law enforcement access to Oyster and other travel-card databases. It's worth just unpicking some of the implications of that a little further.
The stated aim is to aid pre-emptive counter-terrorism by making it possible to mine the whole travel data trail for suspicious patterns of activity. However, as it is still possible to travel on urban public transport without leaving an identifiable Oyster audit trail - for instance, by buying a ticket - there is no guarantee that all potential terrorists will choose the option of using an auditable contactless card. So there's a serious flaw in the assumptions about how effective the mitigation can be.
Second, one has to assume that, in order to do the data mining, the security services will either have to be given access to the database, or a copy of it (or both). In terms of system design, that means that either an additional 'hole' has to be opened up in whatever secure perimeter currently protects the database, or that the data will be duplicated... potentially doubling the 'threat surface' which it exposes. Each of those represents a potential weakness to be exploited by an attacker.
Third, the original Observer article makes the point that this whole risk mitigation strategy is based on the assumption that attacks on physical targets (such as the Underground) are likely to be accompanied by cyber-attacks as a 'force multiplier'.
One set of implications is clear. If an attacker is able to get access to the same audit trail of identifiable journey details, several 'force multiplier' attacks become possible. For instance, how many of the decision-making civil servants, COBRA personnel, first responder staff and civil contingency teams depend on public transport to get to where they need to be in the event of a large-scale emergency? The same data as is being exposed and mined for security purposes could be used to identify and track those staff. Potentially, this could compromise their ability to respond precisely when they are needed most.
They must be working overtime down at the Ministry of Perverse Consequences.
There's a contactless payment card scheme for public transport in London (the Oyster card); it's one of a number of ways in which you can pay for journeys on the tube, buses and various other forms of public transport in the capital. (You can still buy individual tickets with cash or credit cards, or have an underground fare payment added onto a rail ticket bought for a journey into London, for instance).
A couple of years ago, The Register commented on the privacy implications of granting individuals access to the audit log of their journeys, and noted the risk of other indivduals gaining access for uncharitable purposes. Last year in Tokyo (where there are several contactless payment card schemes for public transport, including Suica, Pasmo and others) I noticed that one could buy Faraday shields to prevent hackers leaching the e-cash off your contactless card.
Nevertheless, regardless of the potential for 'peer-to-peer' attacks arising out of such schemes, there's no denying that many people feel their convenience outweighs the risk.
I wonder, though, whether they will have second thoughts if this report is accurate; acccording to the last Sunday's Observer newspaper, the security services are to seek mass access to the Oyster scheme's repository of travel records. This would extend beyond their current power to inspect the records of specific individuals already under investigation, and create the opportunity for profiling, pattern-matching and behavioural prediction across the entire database (apparently amounting to some 17 million users).
To put this in context, we should remember that the principle recommendation of Sr James Crosby's report into the National Identity Register was as follows: its primary purpose should be to enable citizens to assert their identity "with ease and confidence". This is dramatically at odds with the scheme's multiple purposes as set out in the primary legislation and public statements of policy.
If Sir James' recommendation were followed, function creep on the scale being contemplated for Oyster records would be far more obvious than it might be if the scheme proceeded on the basis of the original welter of proposed justifications (fraud reduction, counter-terrorism, benefit access, border security, etc. etc.).
In 1939, UK Identity Cards were introduced for the three specific purposes of conscription, rationing and security enforcement. By the time they were abolished in 1952, some 39 public sector agencies were making use of citizens' identity records. Lord Chief Justice Goddard's summary in the case of Wilcock v. Muckle is frequently cited in this context, including in this concise paper by Dr. Jon Agar at Cambridge University.
"It is obvious that the police now, as a matter of routine, demand
the production of national registration identity cards whenever they
stop or interrogate a motorist for whatever cause. Of course, if they
are looking for a stolen car or have reason to believe that a
particular motorist is engaged in committing a crime, that is one
thing, but to demand a national registration identity card from all and
sundry ... , for instance, from a lady who may leave her car outside a
shop longer than she should, or some trivial matter of that sort,...is
wholly unreasonable.
This Act was passed for security purposes, and not for the purposes for
which, apparently, it is now sought to be used. To use Acts of
Parliament, passed for particular purposes during war, in times when
the war is past, except that technically a state of war exists, tends
to turn law-abiding subjects into lawbreakers, which is a most
undesirable state of affairs."
It seems quite legitimate, then to examine very critically proposals to take a scheme which was introduced to make urban transport payments quicker and more convenient, and turn its audit records to predictive law-enforcement on a mass scale.
You've probably at least heard of the 16th-17th century philosopher Thomas Hobbes, whether or not you've read any of his works. Unless you have studied political theory, you may be less likely to have come across one of his junior contemporaries, the German jurist and philosopher Samuel von Pufendorf. Both were concerned to discuss and formulate ways of establishing a better relationship between the citizen and the state; the time was ripe for such thinking, in the wake of the Civil War in England and the Thirty Years War across most of Europe.
Both were mentioned in a fascinating discussion recently, in which a small part of Hobbes' and von Pufendorf's views were characterised very roughly as follows: in any (liberal) society in which there is a diversity of views, one has to accept that either
- no-one has the right to claim the absolute authority of their viewpoint; (von Pufendorf - 'the state is no more than the sum of the individual wills which constitute it') - or
- someone (in Hobbes' scheme, the 'Leviathan') must be granted the right to assert absolute authority, if one is to avoid a state of permanent civil conflict.
Then, of course, there's the question of how the Leviathan acquires what would these days be called the 'mandate' to exert authority over everyone else. Is it through some kind of more or less benevolent tyranny, or is it with the consensual compromise of the conflicting parties - who come to accept that 'agreement on a common ruler' offers better outcomes than peer-to-peer conflict?
As usual, the parallels between this and schemes for the management of citizens' identity leapt to my one-track mind. Here's the analogy, which I accept simplifies almost to the point of caricature:
| ID architecture | Characteristics |
| <<>>"User Centric" approach> | No 'over-arching' source of definitive identity; diverse ecosystem of peer-to-peer schemes which have to 'fight it out' as to whose identifiers and attributes are more 'meaningful', reliable, useful or otherwise pre-eminent. (von Pufendorf) |
| Federated approach (Liberty style) | Stakeholders reach mutual agreement to establish a source of authoritative identifiers (IDP) and a 'social contract' between IDPs, data subjects and relying parties. (Hobbes) |
| Compulsory (national) identity scheme | The state assumes the role of authoritative source of identifier information, and unilaterally sets the 'contractual' rules which apply to data subjects (citizens) and the exchange of identifiers and attributes. (Macchiavelli?) |
Important Update, 19/3/2008: I have amended the route directions to reflect advice just received from the race organisers concerning access to Bray Lock. Please ensure you are using a copy of the directions which reflects this advice. Otherwise you could be putting your crew at risk of disqualification.
Access to Bray Lock is strictly on foot only. There is no vehicle access. The last point at which you may be able to find limited parking is in Old Marsh Lane. Under no circumstances should you turn into, or park in, the private lane which runs from Old Marsh Lane to the lock itself.
Under no circumstances should you obstruct Old Marsh Lane, or access to the houses, campsite or the lock itself. If you do so and your vehicle details are reported to the race organisers, you may find your crew is disqualified.
You may conclude that it is less hassle to simply omit Bray Lock and support at Boulter's Weir and Dorney boathouses instead.
You can download an amended .pdf file of the driving directions for the Devizes to Westminster race (4-day event) here.
This story on the BBC site today embarrasses me into admitting that I missed an obvious point earlier this month when the Home Secretary combined the release of her own ID Cards strategy with the publication of the somewhat less... optimistic? Crosby Report.
Apparently airside workers are not entirely convinced that they are the ideal guinea-pigs for compulsory ID cards. According to the airport workers' union boss: "We are not opposed to improved security, but we see no measure in the identity cards that will improve security."
Well, as a pilot project I guess it has a certain merit; overcoming their antipathy might be good practice.
It appears that at some stage in the lifecycle of MoD credentials, rather a lot of them have been going missing. According to this Computerworld article, nearly military ID cards 4,500 went missing in 2006 and nearly 7,000 in 2007 - out of a population of 200,000 service personnel. That's an average of 2.75% of MoD credentials over the two years.
Extrapolated to National Identity Scheme scales, that would represent 1.1 million lost/stolen ID cards a year. Even if one assumes - for the sake of argument - that not a single one of those losses results in identity-related fraud, the ongoing costs of replacing over a million cards a year, over and above those which need to be re-issued through 'natural causes', must be a significant extra burden on the planned scheme.
Of course, one difference between the ID Card Scheme and the MoD credentials is that one assumes that MoD ID cards tend to live a life which is rather more... well, 'regimented'. They are allocated to a closed and unified community which is relatively highly disciplined, and trained in matters relating to the security of their persons and assets. At least, given the weapons and munitions they routinely use, one would hope so.
On the one hand, that alone might make MoD credentials a more than usually attractive target. On the other hand, balanced against the relative indiscipline of the national population at large, I would say that 2.75% of credentials lost, stolen or otherwise compromised is probably a very optimistic forecast.
Now that I've had a chance to see the National ID Card Delivery Plan 2008, as announced today by the Home Secretary, here are some initial reactions.
What's better:
- There's a recognition that in the vast majority of cases, an ID Card would offer no sigificant benefit to the citizen over what a passport can already provide;What's still not so good:
- The report could do more to clear up the confused picture the public has been given to date, of the National Identity Scheme as a whole, the National Identity Register and its components, the different credentials involved, and the relationship between the NIS 'delivery partners' and the expected 'consumers' of NIS services;The Plan reflects a complex scheme with many actors, including:
- the Identity and Passport Service
- the Department for Work and Pensions
- the Border and Immigration Agency
- UKVisas
- the Foreign and Commonwealth Office
- the (proposed) NIS Commissioner
- The citizen
- The 'consumers' of NIS services:And any or all of these may be non-UK entities.
The resulting web of departmental charters, policies and processes, public- and private-sector organisations, the divergence between citizens' and law enforcement interests, and the applicable legal and regulatory regimes can not be reduced to a simple, compelling implementation plan, however seductive that idea may appear to the policymaker. Nor do I think, in terms of governance, that it is sufficient to point to the Data Protection Act 1998 and assume that it provides the safeguards required to ensure that the Identity Cards Bill is put correctly into operation.
As the decade since the DPA's introduction has unfolded, our understanding of digital identity has evolved and - I would hope - matured.
We can now see, for instance, how much a successful identity register would have to rely on the abilitty to make highly-selective disclosures of identity attributes; we can appreciate the importance of finding ways to make some kinds of data 'evaporate' after use; of finding far more sophisticated ways of using meta-data to control the way in which personally identifiable information is stored, exchanged and processed; of finding better ways to protect data privacy 'beyond first disclosure', in a highly distributed and globally networked environment.
The DPA has nothing to say on any of those topics.
Of course, the announcement of a period of public consultation is welcome, and I sincerely hope it reflects a desire to listen carefully and change the Scheme where it needs to be changed. That said, it's now five years (and 3 Home Secretaries) since David Blunkett announced the plans for a national ID Card, and two years since the enabling legislation was enacted. How did we get this far down the line without it?
Unsurprisingly, Home Secretary Jacqui Smith bagged the 08:10 'main political interview' slot this morning on Radio 4, for a trailer of her statement on ID Cards later today - though it must have been an editorial toss-up between that, and covering yesterday's rejection of calls for a referendum on the EU Constitution Lisbon Treaty.
Ms Smith acknowledged a couple of the major changes in the Government's thinking on ID Cards, but was less clear about some of the ways in which it has remained the same. For instance she referred to the decision, sneaked out in the 'dead season' just before Christmas 2006, to base the National Identity Register (NIR) on a federation of three existing departmental databases, rather than on a single monolithic repository.
She also hinted at some of the difficulties the Government has faced - particularly under Tony Blair - over its inability to come up with a consistent and compelling justification for the NIR... is it to protect against benefit fraud and illegal working (remember the Entitlements Card?), is it a counter-terrorism and immigration measure, or is it the cornerstone of joined-up e-government... all for the comfort and convenience of you, the decent, hard-working taxpayer and law-abiding citizen?
She outlined plans for compulsory ID Cards to go first to foreign nationals from outside the EU, then to those UK citizens who work in sensitive places such as the 'airside' areas of airports, and then to be offered to students on a voluntary basis. This at least suggests a willingness to adopt a more 'segmented' approach to ID Card deployment, based on a more flexible range of perceived and potential benefits (some relating to public safety, and some to personal convenience).
She used the terms 'ID Cards', National Identity Scheme and 'NIR' more or less interchangeably in the course of the interview - which I find extremely unhelpful. It serves no-one else's interests to continue to blur the picture of how the National Identity Scheme, the National Identity Register, the Identity Card itself and the biometric passport are inter-related.
But the lack of clarity really sufraced under questioning from James Naughtie about whether the NIR would simply be a honeypot for hackers, or a massive data breach waiting to happen. She reverted to a defence of "this database" (as opposed to "these databases"), making it unclear which repository she was referring to, and assured Mr Naughtie that the scheme would not require 'large amounts of data to be kept on one database'; she described the required data as a 'relatively thin amount of information', 'roughly the same as the amount kept on the passport database'.
With respect, this simply fudges the issue. I take the point that federating multiple databases potentially reduces the amount of personal data which needs to be held in each about any given individual, but first, a 'small' amount of data about each of 70 million people (and rising) is still a large amount of data.
Second, the enabling legislation for the NIR, introduced back in 2005, defines a substantial swathe of information which may be recorded in the Register - there's a list here of what is included. It's quite obvious that it includes more than is currently stored in the UK passport database (for instance, it can include the index numbers of any other credential issued to the individual). Then there's all the metadata regarding the audit trail of requests for access, changes to the data, a separate identifier/password pair which the citizen will use when making an access request, details of "a method of generating such a password or code", and a set of questions and answers to be used as an alternative means of verifying the individual. Presumably those will be of the nature of 'password recovery' questions - that is, something sufficiently personal for the applicant to be able to remember indefinitely. I don't have any such information in place relating to my record/s in the passport database. Dave Walker has written very persuasively about the notion that the greatest threat to the security of large-scale databases arises out of poor management of precisely this kind of meta-data.
The NIR will include the citizen's principal address, and the address of any other place where they have a place of residence, whether inside the UK or not. By contrast, the Passport service said in 2005 that "we do not ask passport
applicants to keep their address given at the time of the application up
to date throughout the 10 year life of the passport."
Then we got to the interesting bit. Ms Smith said that access to the database of biometric data would be available only to a very small number of highly security-cleared individuals, and that the database would not be susceptible to hacking because 'it will not be online'.
That implies some very basic principles of system design and functionality. For instance, it means that all validation of biometrics will be done by matching the holder's biometric against the card itself, not against the centralised database. I believe there is already a European country in which that approach has been taken to its logical conclusion: the citizen's biometrics are stored only on their card, and no cental record is kept. It also creates a small community of people who could become the targets of coercive attacks, or could themselves instigate an insider attack for wathever reason. I agree that it's probably better that that community should be a small one than a large one, but I entirely disagree that taking a database offline guarantees that it can't be hacked.
I also wonder whether it will indeed be 'offline'; that again implies some quite fundamental design and implementation principles: the architecture of a federated database system is materially affected if one of the databases you expect to federate is not networked with the others.
Maybe Ms Smith didn't really mean 'offline', but meant that the biometrics database would only be network connected to the other NIR repositories, and would not itself be directly connected to other networks. The other repositories, though, presumably do have network connections, and therefore represent potential routes into the biometrics database from the outside world. Saying that a database 'is not online' is not the same as saying that it 'is connected to the network but only via other databases which are online'.
As long as even comparatively benign questioning such as Mr Naughtie's is sufficient to reveal, within a few minutes, these kinds of lack of clarity, I will continue to worry about the prospects for a national identity system being implemented in a way which does not simply increase the risk to the citizen.
POSIWID
![[RSS Newsfeed]](/themes/sotto/images/valid-rss.png)
![[This is a Roller site]](/themes/sotto/images/roller-logo.gif){kind=logo}