Robin Wilton's esoterica

Back in June of last year, I mentioned that I had found a souvenir in Washington DC... a keychain with a countdown timer to George W Bush's departure from office.

Tragedy of tragedies, I checked it today only to find its little LCD completely blank. It seems it had run out even before George. Strange, I thought... I had expected something American to have more staying power. On inspection, though, I found that its manufacture had been outsourced to China.

I'd better stop there... I don't think this post can cope with any more allegorical layers. 

It seems that what goes in Pakistan doesn't necessarily apply in Syria, according to today's report of a US raid which is said to have killed Abu Ghadiyah, described as "a former lieutenant of Abu Musab al Zarqawi". According to a US intelligence spokesman, "Sunday's attack took place during the afternoon rest period, with a troop assault preferred over a missile strike to reduce civilian casualties".

Presumably the Pakistanis will infer that, in their own case, the risk of civilian casualties is not a factor...

There's a BBC news article today describing plans to introduce mobile, on-the-spot checks of fingerprint biometrics using a hand-held police reader (linked to a national database of 7.5 million biometric records).

Towards the end of the article, there's a helpful graphic describing just how fingerprint recognition works... the fingerprint is analysed for "minutiae"... characteristic features such as the point at which two whorls intersect, or the peak of a particular curve. That data is turned into a set of co-ordinate plots which can be compared against stored values. It all sounds very plausible and relatively straightforward, and the National Policing Improvement Agency describes existing trials as a "stunning success".

Strangely, it's also at odds with what I have repeatedly been told about the way in which the National Identity Scheme will store fingerprint biometrics. I have asked, in the past, why it's necessary for ID cards to hold a facsimile image of the holder's fingerprints (in other words, one which could if necessary be examined by a human and compared with a scan on the spot). I suggested that holding facsimile images on the card is unnecessary and introduces risk.

I have suggested that it's unnecessary because a digest of the data, or a record of the co-ordinate plots of the minutiae, ought to be just as reliable; it introduces risk because it creates the possibility that an attacker could read the facsimile off the card and forge (any or all of) the holder's fingerprints, thus potentially creating a false suggestion the holder had been present.

The answer I have had is that the cards must store a facsimile, not a digest or derived record, because the process of converting a scanned image into a digest is too likely to introduce differences from one scan to the next.

Frankly, I don't know whether this, or the NPIA's endorsement of their trialled technology is the truth - but it seems to me that they cannot both be.

In early September, it was reported that US Special Forces had mounted a ground attack from Afghanistan across the border into and into Pakistan. According to the reports, a couple of dozen people were killed in the attack, some of them civilians. Pakistan's political reaction was apparently touch enough to convince the White House not to launch further ground attacks.

However, according to this article in the New York Times, the policy has been replaced with one based on the increased use of Unmanned Aerial Vehicles (UAVs, or 'drones'). Apparently 5 such strikes were launched in the first 28 weeks of 2008, but in the eleven or so weeks since then, there have been 18 UAV strikes. The same article describes the unpredictable results of some of these missions, including civilian casualties and missed targets, and notes that UAV strikes can never achieve the other goal of capturing Al Qaeda members and interrogating them for information about their leaders.

You may remember some of the earlier reports of UAV use, such as this incident in 2002 in Yemen, in which 6 suspected al Qaeda operatives were summarily executed in a rocket attack on their vehicle. For more technical and political context, see this page on the GlobalSecurity.org website.

What caught my eye in the current story, though, was the reported reaction of Pakistani officials, who have apparently described these attacks as a "less objectionable violation of Pakistani sovereignty" than ground assault. Talk about 'shades of grey'...

In response to Carolyn's comment on the "Future of Identity and Privacy" post, I thought it might be useful to give a little more information about the "Ladder" model I've been using as part of the Privacy Summits. Originally this came out of a discussion with my friend and colleague Peter Lord, of Oracle. The diagram we used to summarise our discussions looked like this:

What we had been trying to do was engage in a productive discussion about the 'high-level' concepts at the top of the 'ladder', with participants from a very wide range of backgrounds, including technical and non-technical ones. What we observed was that it was very easy to set off with the assumption that some technology or other was the right starting point... for example, perhaps smart cards, or cryptography, or whatever. What we then found was that each technology brought along with it a set of concepts and functional capabilities which invariably imposed constraints on the subsequent discussion. Quite unintentionally, in most cases, the mere fact that you start off by saying, for instance, "oh, this is the kind of problem which cryptography can solve" in itself limits the rest of the conversation.

In other words, thinking about it graphically, the result is a 'stovepipe' discussion which progresses up the ladder but never widens. As a result, you may find you address one of the high-order topics, but exclude the others.

As usual, the first step towards fixing this problem was to become aware of what the problem was.

The second step was to acknowledge that, while any given techno-centric approach was unlikely to answer the whole range of 'high level' questions, it was equally likely to have a valid place as part of the solution. That being so, we needed to find a way of taking each participant's input, assuming that it had a valid place somewhere in the discussion, and factoring it in at the appropriate time and place.

This second diagram illustrates some of the different kinds of contribution one might get in the course of a discussion; the trick was to be able to find the right place to note each contribution, so that it could be revisited at the appropriate point.

I think it's fair to say that each successive summit has not only taught us more about the multi-stakeholder approach, it has also validated that approach and confirmed that the models we have developed are a robust foundation on which to build. I hope that in publishing them in the London/Basel summit report, we have contributed something which the identity and privacy communities will find valuable and useful over the coming months.

An article on the BBC site yesterday concerned the British Humanist Association's plans to run a poster campaign on London buses: the posters would read "There's probably no God. Now stop worrying and enjoy your life". The BHA apparently feels that the generally unchallenged presence of religiously-motivated public statements needs some kind of counterbalance. The same article quotes the response from a spokesman for Christian Voice - described as a 'pressure group' - whose reaction is a rather strange one... 'axe the buses, they - and atheism - are a danger to the public'.

On the face of it, that sounded like such a dog-in-the-cradle attitude that I had to go and check Christian Voice's website to see if the BBC had been mischievously quoting him out of context to make him look like an idiot. I found that he had, indeed, been incorrectly quoted, but not necessarily in the way you might expect, and not by the BBC. Christian Voice's webpage on the story includes a most unfortunate typo:

Genital misprints aside, what of the facts? After all, there are indeed people who have been unfortunate enough to lose their lives in collisions with bendy-buses, so is it the sort of thing of which one ought to be making light? Well, on one aspect, at least, the Christian Voice piece is at odds with the BBC article. According to the latter, the Humanists have indeed volunteered to fund the campaign, and to the tune of 5 times what Prof. Dawkins was prepared to contribute personally.

As for the buses themselves - the statistics are inconclusive. This Channel 4 News page seems to have a fairly comprehensive analysis, and it concludes that while bendy-buses have undoubtedly been involved in fatal accidents, they themselves do not appear to be significantly more dangerous (per mile of usage) than other buses. On a scale of 0 to 5, with 0 meaning cast-iron true and 5 meaning utter bunkum, the bendy-bus fatality allegation comes out at 2.5. Presumably Prof. Dawkins will argue that that's 2.5 points more substantiated than God...

A few times over the last year or so, you will have seen me refer to a series of Privacy Summit meetings which I've been helping to organise and run through the Liberty Alliance. So far, we've held summits in Berlin, Brussels, Washington DC, London, Basel, Yokohama, Tokyo and Stockholm, and we're currently planning the first 'return visit' - to Washington - and 'full circle' to Berlin.

Although we have deliberately tried to run summits in a variety of cultures and legislative contexts, the rationale has been consistent: that the identity and privacy issues which face us today are complex, multi-stakeholder problems to which no single stakeholder group has the answer. Our aim has been to create a peer-to-peer forum in which those diverse groups can be represented, and to find a way of factoring their input into a coherent picture of what digital identity and privacy are.

So, I'm delighted to be able to announce that the output report from the London and Basel summits is available online, and can be found here, on the Liberty Alliance website. You'll find the Berlin and Brussels reports on the same page, and of course you're welcome to browse those for completeness, but what I tried to achieve with the London/Basel document was to collect and present all the major lessons from the meetings up to that point, so that they are all in one relatively short document (the paper is 20 pages long, but the essence of it takes up just 11 pages).

What you will find in there is a small set of simple models for understanding what digital identity is, how it relates to identity data, and how that in turn relates to privacy. You will also find another set of conceptual models which explains why it can be difficult for a diverse set of stakeholders to have a sensible, coherent and productive discussion about the important topics - topics like trust, ownership of personal data, privacy policy and so on - and describes how we used the summit programme to find ways of overcoming that difficulty.

The further we go towards a world where distributed, digital representations of all our personal data are more and more prevalent, and where almost every aspect of public policy has some bearing on personal privacy and 'digital self-determination', the more certain I become that the concepts we set out in the Privacy Summit reports are vital ones. If policymakers, technologists, lawyers, academics, technologists, privacy advocates and citizens can sensibly discuss these questions and understand each other as they do so, then there's hope that tomorrow's identity and privacy solutions will strike the right balance between technology and policy, and between individual rights and 'functional convenience'. If, however, we cannot have that mutually understood conversation and strike that delicate balance, then I think it will always be to the detriment of one or more stakeholder groups - and I don't think that is in anyone's interest.

Please feel free to download, distribute and discuss the reports, and if you have any comments, questions, suggestions or protests, do get in touch...

I don't like telesales 'cold calls'. I dislike them when there's a human being on the other end, I dislike them even more when they are 'robocalls' (where a human being only gets put on at the other end if I pick up), and I'll turn the antipathy up another few notches if it's a 'silent robocall'... the kind Barclays have just been fined for, where the robocall gets put through, but all the telesellers are busy, so no-one actually bothers to call the punter. It's the telephonic equivalent of ringing the doorbell and running away.

Now, bad as telesales calls are, I can imagine worse kinds. For instance, imagine getting cold-called, but by a political campaign firm; then imagine that you get a political campaign cold-call consisting entirely of negative spin about 'the other guy', rather than positive stuff about the campaigner in question. That's just bound to make a great, convincing impression, isn't it? I mean, if someone did that to me, I'm sure I'd switch my vote to the cold-calling critic without a moment's hesitation.

No?

I didn't think so.

The Home Secretary's announcement of plans to increase the capacity for interception and retention of all forms of electronic communication records has - as one might expect - prompted a wave of articles in which the words "massive database" and "Orwellian" are de rigueur.

Whether or not I end up resorting to those terms, there are at least two things about the announcement which concern me. Both are reported in the BBC article linked to above.

The first is alluded to by Lord Carlile (a QC, Liberal Democrat peer and also the government's independent adviser on terrorist legislation), when he says that ""The raw idea of simply handing over all this information to any government, however benign, and sticking it in an electronic warehouse is an awful idea if there are not very strict controls about it." [my italics]

I suspect that what he meant was that it is an awful idea in the "all your eggs in one basket" sense, and that by "strict controls" he meant defences to keep unauthorised users out. However, experience suggests that the greater risk actually arises out of authorised access requests - and that these are much harder to control effectively. I have had more than one conversation with data controllers in large organisations which went something like this:

"Oh, yes... we've had Section 29 requests from the police. Sometimes I just can't believe what they think they can ask for. I've made myself quite unpopular a few times by refusing an inappropriate request and telling them to go away and come back when they can do it properly. Thank goodness the request came to me, and didn't just land on the desk of someone who hadn't had any DPA training - I mean, a junior member of staff probably wouldn't have the nerve to say "no" to the police, and we could have ended up breaking the law".

Section 29 is the part of the Data Protection Act (DPA) which allows a data controller to disclose a third party's data for law enforcement purposes... but it is not a blanket exemption from applying the Act: for instance, it does not give the data controller permission to disclose data in response to a 'fishing' request (that is, a non-specific request such as 'tell me the details of all your employees who live in Middletown').

The same data controllers often then go on to say things like this:

"In the end, I had to go to the police and say 'look, if your people don't use Section 29 properly it just wastes our time and theirs; let's get some proper processes sorted out, so that you've got some trained, nominated people in place who can contact trained, nominated people in our organisation, and then we'll know it's being done right. We may still have to say no occasionally, but you'll know that you're getting a considered response, and we'll know we're only getting qualified, legitimate requests for access'. These days it all works pretty well... but it takes a lot of ongoing effort and training to make sure our people are kept up to speed - and the volume of requests certainly isn't going down."

The picture which emerges is one where technology (authentication, authorisation, access control, etc.) plays an important but only partial role. The larger, more difficult and more expensive part is creating a substainable culture of awareness, expertise and good practice. In the absence of that, you can throw all the technology you like at the problem and still fail to meet the real objective.

The Home Secretary says she wants to legislate, but only after a period of consultation. The important question is: if that's the message, will she want to hear it?

The second aspect which concerns me is one of the examples she cites to justify this increase in surveillance capability. She says

"If [the way in which we intercept communications and collect communications data] does not [change,] we will lose this vital capability that we currently have and that, to a certain extent, we all take for granted. The capability that enabled us to convict Ian Huntley for the Soham murders..."...

I read that a couple of times and then went searching for anything which explained how communications interception contributed to Ian Huntley's arrest. After all, what that case is perhaps most notorious for is the failure of different law enforcement agencies to make effective use of information which they already had; the Bichard Inquiry was abundantly clear on that principle. Eventually I found mention (on the ever-incisive Spy Blog, here) of three relevant factors:

• Ian Huntley's girlfriend, Maxine Carr, said she was with Huntley in Soham on the evening when his two victims went missing. According to the phone records, her phone was used in Grimsby at the time, thus undermining the credibility of her statement and - by implication - his alibi.
  
• Phone records were also used to trace the last known mobile phone mast with a connection to the handset of one of the two murdered girls, Jessica Chapman; however, as the Spy Blog post indicates, there appears to be at least five miles-worth of room for doubt about the accuracy of that information as an indicator of exactly where the phone itself was at that time.
• This data was retrieved and used within two weeks of the crime - which raises the question of whether it is proportionate to legislate for such data to be retained for two years.

The Home Secretary did not mention any of the many other reported factors leading to Huntley's arrest - such as the physical forensic evidence, or the police's increasing suspicion about his demeanour as the investigation proceeded. It's a bit like using HMS Titanic as the rationale for a new kind of non-slip deckchair. Somewhat perverse.

Hmm. Bank Board Members must be quaking in their Lobbs. Gordon Brown has said he is "angry" about irresponsible risk-taking and excessive bonuses among those who run our financial institutions. We have been led to expect that any bailout of failing banks, using tax-payers' money, will have strings attached. So what might the small print look like?

Here's an example, from the Investor and Media Relations page of LloydsTSB, one of three banks which has been 'told it must have additional capital if it is to access government-backed sources of liquidity':

Remuneration of Board Directors

o Although they will be entitled to take cash as an alternative, Lloyds TSB
will ask executive directors to receive their 2008 bonus entitlement in
Lloyds TSB shares. These will be subject to a restriction on sale until
December 2009.

o Going forward, for the merged group, in addition to complying with the
ABI industry best practice code, remuneration will reflect long term value
creation and take account of risk. Reward for Board Members will take
into account internal relative compensation packages and perceived
fairness in the current economic climate.

o No rewards for failure: where a Board Member loses the confidence of
the Board, they should be able to be dismissed at a cost that is
reasonable and perceived as fair.

o Commitment to FSA Code on Risk Based Remuneration

Thank goodness Gordon is only 'angry'. If he'd been really furious, we might have seen something punitive.

I heard on the lunchtime news today that Gordon Brown is to press for a complete overhaul of the governance system for the global banking system. One question this raises, given the current state of our own domestic banking system, is whether anyone will rush to take the advice of someone who, as Chancellor, presided over its governance for the last decade. Presumably Mr Brown will be recommending that, if and when crises arise, governments and regulators should act in concert, not in conflict.

Unfortunately,  there again, his advice may not be entirely welcome: there has also been quite a bit of media coverage recently of Mr Brown's reaction to the Icelandic banking crisis... a web search on the following will point you towards further reading: "Anti-terrorism, Crime and Security Act 2001, Iceland".

You may be wondering what the Anti-terrorism, Crime and Security Act has to do with Icelandic banks... and so does much of the coverage. According to this article on the BBC site, the Act allows for foreign assets held in the UK to be frozen

'if the Treasury "reasonably believe" that "action to the detriment of the United Kingdom's economy (or part of it) has been or is likely to be taken by a person or persons, or action constituting a threat to the life or property of one or more nationals of the United Kingdom..."'  [here's a link to the relevant section of the Act]

The Icelanders are, needless to say, both bewildered and insulted that the step has not only been taken, but taken in a spirit of some acrimony and aggression, and under legal provisions which equate them to terrorists. Bear in mind that the ATCSA was passed a scant 3 months after the September 2001 attacks on the World Trade Center.

It's a salutory lesson illustrating the principle that, once a power is on the statue books, its use is governed by current expediency, and not by whatever motivation put it there in the first place.

That, in turn, is a sobering thought as the government sets out its plans for collection, on a massive scale, of internet, landline, mobile phone and email traffic data.

In a vote yesterday, peers rejected the government's proposals for 42-day detention without charge, by a majority of some 191 votes. There are currently 732 members of the House of Lords, the bulk split between Conservative (201), Labour (213) and Cross-bench (203) groups. The actual voting numbers were 309 against to 118 in favour.

So what happens next? Well, in principle the Lords can only delay the passage of a bill, not prevent it: if the House of Commons wants to do so, it can force a bill through even if that bill has been repeatedly voted down by the Lords. However, in practice, repeated rejection by the Lords usually leads to the bill being altered to make it more acceptable - or to the proposal being withdrawn altogether. That's what has happened in this case. The government has removed the 42-day proposal from the Counter-Terrorism Bill and re-drafted it as a separate one-pager, to be shelved in the Home Secretary's office and brought out again in case of an emergency.

Some of you may be wondering why they didn't just do that in the first place. After all, the proposal's past wouldn't lead one to expect anything other than a very rough ride. One earlier vote, on 9/11/2005, on a 90-day detention period was the occasion of Mr Blair's first defeat in the House of Commons, and most recently, the current bill only passed through the Commons by 9 votes. In that vote, 36 Labour MPs rebelled against their own whips, forcing the government to rely on the votes of 9 Democratic Unionist Party MPs. Both the Government and the DUP strenuously denied that any kind of a deal had been done to 'buy' their votes. For those of a more sceptical turn of mind, this Guardian article suggests some of the areas in which the interests of the DUP could have offered some leverage to anyone inclined to use it.

Even as late as last week, Gordon Brown was sticking to a hard line on the bill, maintaining that 'it was the right thing do to' in the face of advice from his own ministers, who were apparently warning that an attempt to force the bill through against the wish of the Lords would be "politically suicidal". As today's BBC article points out, among those advising against the bill were Lord Irving, Lord Falconer and Lord Goldsmith, the first two of whom have served as Lord Chancellor and the third as Attorney General - and presumably all three of them must have had a pretty clear idea of the prevailing sentiment among their... peers (no pun intended).

What of that shelved one-pager, then? The Home Secretary lambasted opponents of the original bill in the wake of its defeat, accusing them of ignoring the terrorist threat to public safety, and preferring to 'cross their fingers and hope for the best'. So if her dire warnings were to be justified, what would be the government's swiftest route to action? To exercise powers which are already on the statue books, or hold off on detaining anyone until the shelved bill can be dusted off and rushed through parliament.

In the face of that kind of logic, Nick Clegg, leader of the Liberal Democrats, described the failed proposal in these terms: "The push for 42 days' detention was more about ministers posturing and looking tough than it ever was about fighting terrorism."

He might think that. I, of course, couldn't possibly comment.

There's an old joke about being cautious when you see a light at the end of the tunnel... it could be an oncoming train. (There's another one which warns that it could be New Jersey, but that's not very charitable). I suppose it depends how optimistic you want to feel...

Apparently up to 1.7m people who have expressed some level of interest in joining the UK armed services have had their personal details go missing on a hard drive which had been on an EDS site, under a contract they have with the Ministry of Defence. According to the Armed Forces Minister, Bob Ainsworth, the data could include include details such as "next of kin details, passport and National Insurance numbers, drivers' licence and bank details and National Health Service number", for those individuals who got to the stage of completing an application form.(Incidentally, it's not clear at this stage whether these are the same people affected by this January's loss of a Royal Navy laptop containing details of 600,000 applicants to the Navy, Marines or RAF...).

Either way, age demographics being what they are, many of those applicants can probably console themselves with the thought that their details have already been compromised as a result of last year's HMRC data breach. If you recall, that exposed information relating to families drawing Child Benefit - an entitlement which ends when the child turns 16 (or 18 if they are in full-time education). Realistically, then, many young people of an age to be considering a career in the forces will have been in the age-group affected by the HMRC loss. Light, or oncoming train?

If there's any further scrap of consolation to offer this unlucky generation, it is that, although their banking details may have been compromised, those details are probably worth a lot less now than they were a few months ago. Light, or...?

As you have probably noticed, the proportion of public-sector related material on this blog has been creeping up somewhat, relative to the rest. That reflects the increasing amount of work I find myself doing in the areas of privacy and public policy.

With that in mind, it makes sense to add Bill Vass to my blogroll. Bill is the COO of Sun's Federal business unit, so he knows a lot of interesting stuff and talks to a lot of interesting people.

Another link between Bill and me is that Wayne Horkan has recently helped both of us 'clean up' the layout of our blogs. Those of you visiting esoterica should notice that it looks crisper now, and is more consistent across different browsers.

Thank you, Wayne!

Maple and shad-bush,

The garden's autumn colours

Recall Shakotan.

In the wake of the HMRC breach, you may remember that I described the questionable equation according to which the 'cost' of disclosing 25m unsecured records is more acceptable than the £5,000 it would apparently have cost to extract from those 25m the few hundred records which were all the Audit Commission actually wanted.

This reflects a couple of general truths about the current state of technology:

1 - in the absence of pressure to the contrary, it is now easier to store data than to destroy it (especially selectively); it is easier to share data than to compartmentalise it; it is easier to aggregate data than to segregate it; it is easier to visualise data than to conceal it.

2 - that 'pressure to the contrary' is in most cases non-technical. It's the governance we apply to data, the processes which control our use of data, the culture which determines whether we see data as an asset or a liability.

Bearing that in mind, you can revisit point 1 and substitute the word "cheaper" for the word "easier".

Yesterday the UK government announced its plan to allocate around £500bn to try to restore confidence in the global financial system; £50bn for share purchases in failing financial institutions, £250bn of guarantee funding for bank debt, £200bn in short-term loan provision by the Bank of England. This is in addition to £119bn already pumped into Northern Rock, and £14bn into Bradford and Bingley.

For comparison, as the chart in this BBC article illustrates, total annual public spending in the UK is $618bn, of which healthcare spending accounts for £111bn and education for £82bn.

One implication seems clear to me. The financial rescue plan cannot but create a massive deficit in the public account. Whatever the government's plans were for public spending over the coming years, the reality must surely be that public spending is in for a tight time. In that context, the pressure to reduce spending on information governance measures will be extreme, and the tendency will swing in favour of what is technologically easier and cheaper: aggregation, communication and retention of data - usually without the expensive luxury of being selective.

That, in turn, puts pressure on the technology community to redress the balance. We must do more to make the technology reduce the cost and effort of effective governance - and that is likely introduce new challenges of perspective, and of design philosophy.

That was the jab Gordon Brown aimed at David Cameron in the run-up to the Conservative Party conference. Cameron, of course, is far too well-mannered to respond by observing that 9 years in waiting did not seem to have prepared Gordon Brown terribly well for the top job. After all, here we are in the midst of an economic crisis, with families feeling the financial pinch, and high-street banks failing around us because of the dubious status of their mortgage loans.

I have to wonder, then, at the thought process which must have preceded Gordon Brown's decision to re-instate Peter Mandelson as a Cabinet Minister; Mandelson, you may recall, had to resign from the Blair cabinet 10 years ago because of the dubious status of his own mortgage loan (an undeclared £373,000 from the then Paymaster General, Geoffrey Robinson). He then had to resign a second time, in 2001, following allegations that he had improperly intervened in the passport application process for a wealthy donor to the Millennium Dome project Mandelson was running at the time.

The BBC's Radio Five Live today had an interview with Chris Patton (Lord Patton of Barnes), the former Conservative Cabinet Minister and last Governor of Hong Kong. At one point Patton remarked that Mr Mandelson might be "just the man to convince UK businesses that they need more regulation".

This being radio, it was quite impossible to see whether his tongue was in his cheek or not.