Robin Wilton's esoterica


Congratulations


Computerweekly.com have announced the winners of their "Best IT Blog" awards for 2008, and in the 'Law and Governance' category, the honours went to:


- The IPKat team, for their blog on IP, IT and privacy/confidentiality issues; a worthy winner; IPKat comments on a wide range of aspects of patent law, copyright, and so on... guaranteed to be a lively topic for years to come, in this world of global asset mega-brands and the information economy.


- McKenna Long and Aldridge, for their blog on RFID law - runners-up. This blog has a weekly newswire, supplemented by occasional specific blog posts.


Many congratulations to both teams for their well-earned recognition!





mashup.gov... UK crime maps by end of 2008


Last month the Home Office announced that 'crime maps' would be published for the whole of the UK by the end of this year. The announcement seems to have prompted the full range of reactions, from 'so what?' to 'it won't work' to 'flog them flog them all!'. Actually, not quite the last one... though I have seen a suggestion that it's offenders' home addresses which ought to be mapped.


Many of you will probably remember chicagocrime.org, one of the first things to be labelled as a "mashup". It cross-referenced Chicago PD crime reports with a map and a number of indices like location, crime type and so on. Now, I don't know what effect this has had on crime in Chicago, and I've only ever visited that city once (I thoroughly enjoyed the visit, by the way). What I can say is this: if I were of evil intent, and on my next visit wanted to plumb the various available depths of depravity, the current incarnation of the crime map mashup, at http://chicago.everyblock.com/crime/, would give me a pretty good indication of where I would be most likely to find drugs, firearms or prostitutes. At a charitable reading, you could argue that it would tell me where I'd be most likely to get arrested for having anything to do with any of them, but that's another matter...


A BBC piece on the UK plans leads with the question: "will [crime maps] help cut crime, or could they have unforeseen consequences?". I'm not sure about the former, but I think I can guarantee the latter.


After all, who would reason that the introduction of cable TV would lead to an increase in burglaries? There doesn't seem to be much of a connection - but when you think about it, your cable viewing behaviour is logged, and it reveals vastly more about you than your faithful old CRT and aerial ever did. Anyone with access to your cable logs will know if you suddenly stop watching TV in the summer, despite the Olympics, and will probably draw the conclusion that you're away from home. On that basis, who would have foreseen the potential of TiVo as a burglary preventer, rather than a burglary target? (Usual disclaimer, I have no connection with TiVo, commercial or otherwise).



Home Secretary blames PA Consulting for data breach


Ouch. Well, if I had wanted an example of the flexible and sometimes porous boundary between policy and technology in the protection of sensitive data, I couldn't have expected one much better than this, as reported on the BBC site today. According to the news item, a memory stick has gone missing after being loaded with personal data in the course of work undertaken by PA Consulting: "The memory stick contained un-encrypted details about 10,000 prolific offenders as well as names, dates of births and some release date of all 84,000 prisoners in England and Wales - and 33,000 records from the police national computer."


The Home Secretary, Jacqui Smith, is reported as saying that this was data which had been 'held in a secure form' by the government, but downloaded by the contractor despite contrary provisions in the contract under which they were working. The point, surely, is that whatever technical security measures had been applied to the data, the contractors were able to access it (legitimately, one assumes, in the course of their contract work), but that when it came to preventing the resulting information from being copied onto removable media (in this case, a memory stick) the only protection in place was contractual. The Home Secretary appears to have had no reservations about placing the blame squarely on the contractor for an alleged breach of contract. Under the circumstances, I expect a number of people at PA are wondering whether the Home Office had taken all reasonable steps to secure the data technically, as opposed to relying so heavily on the contractual provisions she refers to.


One person ought to be happy, though - Michelle Dennedy, our CPO, will surely enjoy seeing one of her trademark phrases recycled* by the Deputy Commissioner at the UK's Information Commissioner's Office. David Smith is reported as saying that 'the latest loss showed that personal information could be a "toxic liability" if not handled properly'.


*In fact, on investigation, I notice that the metaphor has also been appropriated by Cory Doctorow and, indirectly, Hal Stern.

The holiday Batman movie...


Went to see "Dark Knight" today... well, I have to do something while waiting for Quantum of Solace to come out. I thought Dark Knight was pretty good. Given the increasingly complex canon of existing stories it somehow needs to fit into, it does a fair job of working in the Harvey Dent theme. Heath Ledger's performance as the Joker is very good. I know a lot of people are already assuming that it will win him a posthumous Oscar - but I can't help feeling that a certain amount of that is based on sentimentality because of his untimely death.


Compared to, say, previous Bat-villain performances by Jim Carrey (as the Riddler) or Tommy Lee Jones (taking his turn as Harvey "Two-face" Dent), Ledger's is perhaps more edgy and less camp, but then so is the current Christian Bale franchise. The Joker does get the quote of the film, though, for my money:


"Do I really look like a guy with a plan?"


Any more, and I'd have to put in a "spoiler" warning. But it's a good flick, and at a macro level, the plot keeps on building and building...


DNA database: risk, statute and process


A couple of weeks ago I blogged about the Human Genetics Commission's report into the UK's National DNA Database (NDNAD), and its criticism of the lack of clarity surrounding the collection, use and retention of DNA.

Last week the BBC published this article, which included Home Office figures for the number of people between 10 and 18 years of age who have not been charged or cautioned (let alone convicted), but whose DNA profiles are still on the national database.

Quite apart from the figures themselves - according to which nearly 40,000 people under 18 are on the database despite being innocent - two things struck me as worrying in the article, both by implication.

Dominic Grieve, the Conservatives' shadow home secretary, was quoted as saying that it was time there was a Parliamentary debate on the issue, and the DNA database should be put on a statutory basis. In other words, the current use of the database is not directed by any formal law. Given that its principal use appears to be in the detection and prosecution of crime, that seems extraordinary. It certainly would not be considered an acceptable state, for instance, where evidence gathered from police interviews was concerned.

Second, a Home Office spokeswoman was quoted as saying that "there is no personal cost or material disadvantage to the individual simply by being on [the database]".

To my mind, that reflects a naive and outdated view of personal data and the risks associated with it. Either it implies that there's no risk to the individual provided the personal data remains secure and is adequately managed, or it implies that there's no risk to the individual even if the data is subject to inadvertent and/or inappropriate disclosure. I don't think either of those two assumptions can be taken as read.


One-factor trust, multi-factor problem


You may have seen the recent announcements about DNS cache poisoning, and the potential effect of this on the security of all kinds of internet-based applications. One area in which it can have a particularly significant impact is OpenID, because OpenID (largely for reasons of simplicity and ease of setup, originally) was designed to avoid the need for any prior exchange of security information between Relying Parties (RPs) and OpenID Providers (OPs). That kind of prior exchange was seen by some as one of the obstacles to the rapid adoption of alternative distributed authentication schemes, like Liberty's Identity Federation Framework (ID-FF), or the SAML protocols that it is based on.

OpenID doesn't use such prior exchanges between OPs and RPs, but relies instead on the integrity of the underlying DNS system to ensure that the 'correct' OP is connected to the 'correct' RP. If the DNS infrastructure is compromised by something like a cache poisoning attack, it becomes impossible for OPs and RPs to tell 'real' communicating partners from bogus ones - and any resulting authentication is correspondingly undermined.

You may be wondering what this has to do with a strong Liberty proponent like Sun... (apart from the obvious "told you so" opportunity, which I am not going to stoop to...). Well, last year the CTO group I work in set up an experimental OP server so that we and our colleagues could try it out, and see how it fits into the broader identity eco-system technically, commercially and from a user perspective.

This DNS news, plus a couple of other factors which I'll come to later, was therefore of direct and immediate relevance to us.

Let me clarify at this point that the OP server was set up explicitly as an R&D 'play-pen': it is not connected to Sun's enterprise authentication systems, and it cannot be used to access any Sun applications, sites or resources. Sun employees' ability to authenticate securely to Sun systems is entirely unaffected by it. We also made it clear to anyone registering that this is for personal use only in accessing non-business-related third party sites. (We've added a few other points to that advice recently - more on that in due course).

Another factor was that we got a polite heads-up from Ben Laurie of Google's Security Group, and Richard Clayton of the Computer Laboratory, Cambridge University. They had noticed that the certificate used by our OP originated in a flawed software crypto module in one of the systems we used during the development work for this project. To be fair to the developers of that module (it was part of a Debian/Ubuntu distribution), the bug in their key-generation routines had been spotted and a patch created in May this year. Unfortunately, by that time, we had already used it to generate what turned out to be a weak public key pair.

Ben and Richard have published a security advisory, which you can find here, succinctly setting out how the confluence of the DNS vulnerability and the certificate bug have a potentially devastating effect on OpenID's security model.

In R&D terms, the whole exercise has been very interesting (even before these recent excitements...). For instance, at the outset, we were able to use the project as a vehicle for a number of other actions:

- We worked with an external OpenSSO committer on an open-source OpenID extension for OpenSSO, which we thought might come in handy for others to experiment with.


- We became the first company to offer a non-assertion covenant on the OpenID spec, and we think that turned out to be influential.


- We raised the question about whether offering "implicit" attributes (like "This OpenID holder is a Sun employee") might be of value or use.


- We performed a formal security review which we feel usefully supplemented the many OpenID security critiques out there even at that stage last year.


So, what are we going to do now, in the light of developments like the 'DNS cache poisoning' and 'weak key pair' vulnerabilities?

Well, I suppose the first thing to note is - in response to Ben and Richard's alert, we took our OP offline, revoked the weak certificate and generated a strong replacement. However, as Ben pointed out, that doesn't fix things... As long as someone else is in a position to route users to bogus OPs, where they might be fooled by the revoked, weak certificate, the problem persists. A better solution to that part of the problem might centre around the more effective use of existing security mechanisms - such as Certificate Revocation Lists (CRLs) - by both clients and RPs. I suspect Ben will be writing about those aspects in more depth soon, so keep an eye on his blog, here.
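As an added illustration of the CRL point (this is example code, not anything from the post or from Sun's OP): a relying-party check in Go that builds a throwaway CA, issues a "weak" OP certificate and its replacement, publishes a CRL revoking the weak one, and refuses the revoked certificate even though it still chains cleanly to the CA. The CA name, the host name op.example.test, the serial numbers and the fixed SubjectKeyId are constructed placeholders, and the block assumes Go 1.19 or later for crypto/x509's CRL parsing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the constructed setup short: a failure there is a bug, not a verdict.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a fresh P-256 key and signs tmpl; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// template builds a CA or an OP (server) certificate; cn is a constructed placeholder.
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.SubjectKeyId = true, true, []byte{1, 2, 3, 4}
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// CheckOPCert is the RP side: chain validation alone still accepts a revoked key, so the CA's CRL is checked too.
func CheckOPCert(cert, ca *x509.Certificate, crlDER []byte, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca) // an unsigned or mis-signed CRL proves nothing
	}
	if err != nil {
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %v is on the CA's revocation list", cert.SerialNumber)
		}
	}
	return nil
}

// RunScenario: CA, a "weak" OP cert (serial 1000), its replacement (1001) and a
// CRL revoking 1000; returns the RP verdict on each (nil means accepted).
func RunScenario() (weakErr, replacementErr error) {
	ca, caKey := issue(template(1, "Lab CA", true), nil, nil)
	weak, _ := issue(template(1000, "op.example.test", false), ca, caKey)
	good, _ := issue(template(1001, "op.example.test", false), ca, caKey)
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: weak.SerialNumber, RevocationTime: time.Now()}},
	}, ca, caKey))
	return CheckOPCert(weak, ca, crlDER, "op.example.test"), CheckOPCert(good, ca, crlDER, "op.example.test")
}
```

Calling RunScenario() returns a non-nil error for the revoked certificate and nil for its replacement; the same CheckOPCert would run on whatever certificate a client is actually shown, whether DNS led it to the right server or not.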

The next point is that taking our own OP off the network doesn't really fix anything, either. So we're going to leave our OP where it is, and Sun employees will continue to be able to register and use it. We are going to increase the guidance we give those employees, about steps they can take to minimise the risk of phishing. Again, that will be a valuable R&D exercise in seeing whether a relatively tech-savvy user community can be educated to change its browsing habits for the better - not a bad pay-off if it works.

We're also thinking about some constructive proposals about ways to improve the security infrastructure in general; after all, masquerade attacks are nothing new, particularly in the world of public key cryptography, and there are several mechanisms already out there which could be brought into play.

So our approach will be to address those parts of the problem we can fix (or at least mitigate) on our own, and where that isn't possible, continue contributing to the identity community based on what we learn.

Thanks, again, to Ben and Richard for handling the "advisory" process in such a co-operative and professional way.


Guantanamo: verdict and sentence, but no closure


In some respects, the first, long-awaited trial of a Guantanamo prisoner looks normal: it came up with verdicts - not guilty on charges of conspiracy to murder; guilty on the vaguer charge of providing support for terrorism. And it came up with a sentence: 66 months, with remission for time served.


In other respects, it did not look so normal. Both the verdict and the sentence were decided by the jury - the sentence was not separately decided by a judge. And then there's the question of what happens after the prisoner has served the remaining five months of his sentence. According to today's BBC story,


'On time served Hamdan could be released in five months but the Pentagon has said he will still be retained as an "enemy combatant".'


The prosecution had apparently pressed for a sentence of not less than 30 years' imprisonment. The actual sentence is less than that to a degree which leaves it open to interpretation as a deliberate rebuff to the Bush administration. However, that gesture by the jury may end up looking hollow if Salim Hamdan completes his sentence and is still not released.


US Cyber-crime Bill decouples 'theft' and 'harm'


There are a number of interesting provisions in the Specter-Leahy Bill on Cyber-crime just approved by the US Senate (including, for instance, the ability to prosecute a business used as a cover by identity thieves, as opposed to only the individual identity thieves themselves), but the one which caught my eye was this: it will be a felony to use spyware or keystroke loggers 'to damage 10 or more computers, regardless of the aggregate amount of damage'.


Part of me wonders whether there's a potential legal challenge there around the notion of 'damage' - but I'm also interested to see the felony arise out of the number of computers affected, rather than any resulting harm. In the UK, the Information Commissioner's Office has recently been suggesting a move in the other direction - away from prosecuting for a 'breach in principle' and towards prosecuting on the basis of 'actual harm'. 


As we've seen with the Californian Breach Notification law, a well-intentioned piece of legislation can, in the longer term, produce unexpected consequences even if the short-term results are positive. It will be interesting to see whether these different US and UK strategies produce widely divergent outcomes.


My thanks, incidentally, to Shin Adachi for the initial pointer to the eWeek article.

Peers confirm first impressions of Counter-Terrorism Bill



Picking up news stories - particularly political stories - off the internet and radio, it's sometimes easy to get 'suckered in' by a good headline-writer. I have to keep reminding myself that the news editors want to make compelling coverage, and sometimes that zeal manifests itself in the form of a story which appears to involve, say, a direct conflict between one interest group and another. Occasionally it all goes a bit wrong, and any listener to Radio 4's 'Today' programme will probably have heard something like this from time to time:


Interviewer: "With us in the studio is Professor Gleedle of the University of Farge. Professor Gleedle, these results are a damning indictment of government policy, wouldn't you say?"


Gleedle: "Indeed I would, Ephemera; the figures are shocking, and reflect very poorly on both policy in this area and its execution."


Interviewer: "And joining us from our Bletherton studio, Jean McBrotherson of the think-tank Cumulus. Ms McBrotherson, how do you respond to that criticism?"


Ms McB: "Well, I think Professor Gleedle has a point. We've conducted a number of independent surveys, and all of them show that the public is simply not getting what it expected or wanted from this initiative. Frankly, it's a farcical waste of public money."


Interviewer: " ... "


Co-presenter: "And now, Gary with the sport..."


This makes it all the more reassuring when the initial interpretation of a news story is borne out by subsequent events. For instance, back in December of last year, the impression I got about the government's plans for 42-day detention without charge was that, among other things, the calculation of how long someone might actually spend locked up - and under which legal provisions, and with what judicial or parliamentary oversight - just seemed to be a confused mess. Nor did it seem realistic to assume that Parliament could debate a request for extended detention without seriously compromising any subsequent trial.


The Counter-Terrorism Bill (CTB) passed its first vote in the Commons by 9 votes notwithstanding, and duly went to the Lords for their consideration. The Constitution Committee has published a report here, the first 16 pages of which very clearly set out a number of concerns about the Bill. (This is, incidentally, a quite separate exercise from the concerns expressed by the Joint Committee on Human Rights [JCHR]).


Among other things, the Constitution Committee's report sketches out the complex existing legal picture into which the CTB must coherently fit. They note a number of pieces of legislation which have already defined powers in this area:


- Terrorism Act 2000


- Anti-Terrorism, Crime and Security Act 2001


- Prevention of Terrorism Act 2005 (Remember that? That's the one which introduced Control Orders. They're still around.)


- Terrorism Act 2006


In passing (noting that the JCHR has already commented on the human rights and civil liberties implications of the Bill) they remind us that the European Convention on Human Rights sets out the principle that anyone arrested must be informed "promptly" of the charges against them, and comment that it is questionable whether even the existing period of 28 days would constitute a 'prompt' notification.


They then turn to the question of whether parliament can offer effective oversight of a process for extending the period of detention in response to a specific case or incident, and conclude that the government's proposals have not been "properly thought through". There are 'significant difficulties', they say, with the presumed need to at least inform Parliament of the "outline of the plot" and the "what, why and when" of it. They note that "Parliament will ... almost certainly need to operate without fully knowing the factual background".


They go on to describe the proposal as "ill-advised", and one which "risks undermining the right to a fair trial".


In other words, as well as the complex legal context set out earlier, the Committee's view is that the process itself is bound to give rise to one legal challenge after another, potentially calling into question the very basis of our legal system. Taking the broad view, it's hard to see how that works to the benefit of the general public, the law-enforcers, or of anyone innocent who is unfortunate enough to get caught up in these measures.


The initial impression - that this Bill sets out measures which are confused and unworkable - now seems pretty accurate.


We aren't in a relationship...


Among the various chunks of SPAM in my inbox today was an invitation to get a free copy of my credit report from Experian. I know this has been a legal right for a while in the States, but over here it usually costs money, so I went to have a closer look. Of course, the bait turned out to conceal a hook.

Before I can see the report, I first have to supply various bits of personal information (OK, they have to do something to ensure that only the real data subject sees the report...), and the usual other bits of metadata (username, password, mother's maiden name, memorable word, memorable word hint, etc. etc. etc...). Then I have to enter my payment card details.

Huh?

It turns out that what I'm being invited to sign up for is a 30-day free trial of their CreditExpert service... after which it will cost me £6.99 a month (£83.88 a year). It was not clear whether the billing would simply start by default, or whether I would have to take some further step in 30 days' time to start paying. On that basis, I was not prepared to go any further.

A little more investigation revealed that for a one-off payment of £11.95, Experian's largest UK rival, Equifax, will send me a single report.

Irritatingly, both companies seem to think that, just because I want to see my own credit report, I also want a 'customer relationship' with them. I don't. I want a transaction, and that's not the same thing.

[Disclaimer: I have no professional or commercial stake in either Experian or Equifax... though their urlicon indicates that Equifax's website runs on Sun.]

Thinking about webmail passwords


I saw this in a recent newsletter from fastmail.fm, and went for a further look. It's good to see that, among the welter of webmail providers all eager to sell you convenience and free disk space, there is at least one which is thinking seriously about ways to mitigate risk for an increasingly mobile user population.


The options aren't necessarily new; for instance, one is to get a list of random numbers to use as one-time passwords (OTPs). Users of German online banking systems will have been familiar with this in the form of TANs, or Transaction Authentication Numbers, for years. In some TAN implementations a PIN is also required; in the fastmail implementation they have added a "base password" to protect against the risk of losing your list of numbers.


Clearly, there are those who will not find it convenient to carry a piece of paper around with them just in case they want to check their webmail (paper... it's just so...biological...); for them, there's the option of an out-of-band OTP sent to your phone as an SMS.


The fastmail folks have also come up with some other sensible options; for instance, if you have authenticated using a one-time password, the default session length comes down to one hour - after that you have to re-authenticate (normally their default is to log off inactive sessions after a couple of hours). There's also the option to specify that, if you've authenticated using a one-time password, a number of housekeeping and administrative functions can be made inaccessible.
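As an added sketch of the scheme described above (example code, not fastmail's own implementation), written in Go: a TAN list guarded by a separate base password, with each number consumed only on a successful login, and sessions whose lifetime and access to administrative functions depend on how the user authenticated. The one-hour OTP session and the "couple of hours" (taken here as two) follow the post; the action names in adminActions, the six-digit TAN format and the HMAC-based storage are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"math/big"
	"time"
)

// Session: an OTP login is shorter lived and kept away from administrative functions.
type Session struct {
	User      string
	OneTime   bool
	ExpiresAt time.Time
}

// TanAccount: account password, the separate "base password" guarding the TAN list, and the list.
// Secrets are stored as salted HMAC-SHA256 digests (a real service would use bcrypt/Argon2).
type TanAccount struct {
	User                 string
	TANs                 []string // the printed list handed to the user
	salt, pwMAC, baseMAC []byte
	unused               map[string]bool // digest of each TAN not yet consumed
}

func (a *TanAccount) digest(s string) []byte {
	m := hmac.New(sha256.New, a.salt)
	m.Write([]byte(s))
	return m.Sum(nil)
}

// NewTanAccount issues n distinct six-digit TANs, as a printed TAN list would.
func NewTanAccount(user, password, base string, n int) (*TanAccount, error) {
	a := &TanAccount{User: user, salt: make([]byte, 16), unused: map[string]bool{}}
	if _, err := rand.Read(a.salt); err != nil {
		return nil, err
	}
	a.pwMAC, a.baseMAC = a.digest(password), a.digest(base)
	for len(a.TANs) < n {
		v, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
		if err != nil {
			return nil, err
		}
		tan := fmt.Sprintf("%06d", v.Int64())
		if key := string(a.digest(tan)); !a.unused[key] {
			a.unused[key], a.TANs = true, append(a.TANs, tan)
		}
	}
	return a, nil
}

// Login: tan == "" is the ordinary password login; otherwise base password plus one unused
// number, consumed only on success (a wrong base password does not burn it; reuse is refused).
func (a *TanAccount) Login(secret, tan string, now time.Time) (*Session, bool) {
	if tan == "" {
		if subtle.ConstantTimeCompare(a.pwMAC, a.digest(secret)) != 1 {
			return nil, false
		}
		return &Session{User: a.User, ExpiresAt: now.Add(2 * time.Hour)}, true
	}
	key := string(a.digest(tan))
	if subtle.ConstantTimeCompare(a.baseMAC, a.digest(secret)) != 1 || !a.unused[key] {
		return nil, false
	}
	delete(a.unused, key)
	return &Session{User: a.User, OneTime: true, ExpiresAt: now.Add(time.Hour)}, true
}

func (a *TanAccount) Remaining() int { return len(a.unused) }

// adminActions is an assumed stand-in for the housekeeping functions an OTP session cannot reach.
var adminActions = map[string]bool{"change_password": true, "edit_forwarding": true}

func (s *Session) MayUse(action string, now time.Time) bool {
	return now.Before(s.ExpiresAt) && !(s.OneTime && adminActions[action])
}
```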


All in all, in these days where convenience is supposed to be the be-all and end-all, I find it reassuring to see that some service providers are prepared to credit users with a little more concern for security.


Disclaimer: I have no commercial or professional stake in fastmail, though I am a user.


Further steps towards transatlantic data-sharing


The latest newsletter from Privacy Laws and Business (PL&B) contained a news clip about US/EU negotiations over the exchange of personal data for law enforcement purposes. It prompted me to look for other reports elsewhere online, and these two articles on the IHT website seem as good as any (1, 2).


While I agree that law enforcement access is a valid use-case, a couple of things about this naturally raise concern. First, there's the obvious problem that this explicitly seems to override EU national data protection laws - and presumably would lead to cases where the US-EU agreement allows data disclosures which would be illegal between (and indeed within) EU member states. Second, the agreement appears (from this coverage, at least) entirely asymmetric.


In that sense, it would be joining other existing provisions such as the long-standing exchange of Air Passenger Data, or the bizarre extradition treaty in place between the US and UK. And if one were looking for shining examples of good practice, those would not really be candidates.

Is Schumacher losing it?


Last week there were reports that Michael Schumacher had 'totalled' a Ferrari Scuderia F430 prototype during testing on the Nurburgring's old 'Nordschleife' circuit. The gossip-mags like Bild were all over the story in their inimitable style. Ferrari's spokesman Luca Colajanni 'denied rumours' that Schumi himself had been at the wheel, rather than test-driver Raffaele de Simone; soon after that, Schumacher's own spokeswoman, Sabine Kehm "denied rumours" that Schumacher's 9-year-old son Mick had been in the car at the time.

A less disputed story is that last Sunday in Kent, the former F1 champion had a vehicular altercation with the security barrier at a car dealership, knocking said car dealer onto a nearby car bonnet. Apparently Mr Kingham's first instinct was to phone his business partner:

"You'll never guess who I've been run over by..."

« August 2008 »

Such views as I express in this blog are based on my own opinions, experience and judgements. They do not necessarily represent the policy or views of my employer. It is not my intention to offend readers in any way. If you find anything on this blog offensive, please contact me in the first instance.
Robin Wilton