Robin Wilton's esoterica

Just been watching the first of a series of BBC adaptations of Henning Mankell's Kurt Wallander series. As you may be able to guess from the "Bookworm" sidebar on my blog, I'm a fan of the books... so I'm afraid I'm going to come up with a classic reaction to the TV adaptation. You see, one of the problems with a writer like Mankell is that his sense of place is acute, and it comes across in every detail of the books. 

Wallander doesn't live in a detached house with posh furniture and wood-panelled walls; he lives in a town-centre apartment block, where he has to use the basement laundry on a rota with the other residents. The person who turns out to be the murderer lives on the fifth floor of a squalid block, not in an elegant detached country house. Wallander's police headquarters is functional and slightly depressing; it doesn't have abstract interior murals and montages of historic cameo photo portraits. Wallander's father doesn't live on the coast, and he's never described as doing anything as un-introspective as standing on the jetty gazing out to sea.

The Beeb deserves marks for making the series in Skåne, in southern Sweden, to be sure, but all the Swedes I've spoken to about Skåne describe it with a certain sense of alienation. The other Swedes, they say, regard Skåne's inhabitants with a certain suspicion... they don't quite belong; they live rather a long way south; their TV aerials don't point inwards towards Sweden, but outwards towards Denmark...

And that's the essence of the problem with the Wallander adaptation: it's had a Swedish make-over. This isn't Skåne as Mankell describes it, it's the Sweden of designer furniture, polished wooden floors and crisp, tasteful interiors. What Mankell depicts is a Sweden bewildered by changing social mores, cheap tastelessness and the impact of immigration and liberal social policy. The adaptation may yet make for good telly, but as so often happens, it is not going to match up to what the author has put into the minds of his readers.

The late Douglas Adams said that the reason he wrote for radio rather than film or TV was that on radio, the visual effects were better.

This is a very simple post to link to Sid Arora's MSc thesis (done on Royal Holloway University of London's distance learning course): "Review and Analysis of Current and Future European e-ID Schemes". For those who don't want to tackle the full 73 pages, there is also a 16-page summary here.

I met Sid earlier this year at the Porvoo Group's 13th meeting, and it was obvious from the outset that he is intelligent, well-informed and articulate. This piece of work only reinforces that impression; Sid sets out the theoretical principles of e-identity, looks at how these have been put into practice across a range of European national schemes, and relates this to the human and political factors which play such an important part. 

A busy week this week, with a Directors' Round-Table discussion at EURIM (a working group which brings together policymakers, industrialists and stakeholders from think-tanks and the not-for-profit sector), and then a launch event for the Information Commissioner's Office to publish the latest report from the Enterprise Privacy Group (EPG) - on "Privacy By Design".

While the two events were very different, they both reinforce a few key points about the identity and privacy world of today.

The EURIM round table was fascinating, as it always is to get a glimpse of the inner workings of our parliamentary system (which, incidentally, is in a state of some upheaval today... but more of that another time...). Among other things, there is this perennial question: when you invite MPs (and peers) to a meeting while parliament is in session, what are the chances that any of them will be able to turn up, and/or stay for any useful length of time? The chances are that they will either simply not attend, because there's something more important going on in the House (on Monday it was the Chancellor's Pre-Budget Report, so a highly-charged and contentious session), or that they will have to rush out of the room at short notice when the Division Bell signals that it is time to vote.

Most parliamentarians are, unfortunately, notoriously technophobic, and indifferent to anything related to the information society and knowledge economy. There are a number of exceptions, and in the interest of impartial representation I can cite  Alun Michael MP (Lab/Co-op), Philip Dunne (Con) and Merlin, Lord Erroll (Cross-bench) as all demonstrating a greater-than-average commitment to these topics.

On the other hand, the EURIM round-table was somewhat frustrating, in this sense: there was, to be sure, a wide range of input, from policymakers, technologists, civil society and so on. There was, as one might expect, a commendable wish to address the high-order topics such as identity, privacy, the 'ownership' of personal data, and so on.

However - and it gives me no pleasure to say this, I assure you - there was a depressing sense of déjà entendu about the whole thing. We trotted steadily round the same topics, jumping (or hitting) the same obstacles as have been encountered at countless similar meetings over the past year or so. And it need not be like this. For instance, the model I described in an earlier post (The Future of Identity and Privacy - 2) charts exactly what we went through on Monday, how it can be avoided, and how to pass beyond it to a productive discussion of the high-level issues. As it was, I'm afraid we got, once again, a series of statements of stakeholder perspectives and no real progress. 10/10 for effort, though, and likewise, full marks to EURIM for diligently keeping this in the attention of at least some of our elected representatives.

Then, on Wednesday, it was up to Salford for the launch of EPG's "Privacy By Design" report - commissioned by the Information Commissioner's Office and produced in record time after sterling work by Toby Stevens, co-founder of EPG. He was rightly praised by the Commissioner for that, and for the report itself, which is a very readable and practical document. It, and other related reports, can be downloaded from the ICO site here, or the EPG site here.

Arguably, the UK ICO has for too long been under-funded and 'under-empowered' (if that's a word...), frequently criticised for lacking the legislative teeth to do an effective job. On that score, at least, the Commissioner was able to announce that the Ministry of Justice is announcing greater powers for the ICO, including the ability to 'spot check' public sector bodies without their consent, if that is felt to be appropriate. Where the problem at hand is so much a 'cultural' one - such as good practice in data privacy - it's often hard to know where to start to bring about meaningful change. I tend to think that that ability to perform consentless audits is a good place to begin.

There are those who have argued that it's invidious for public sector bodies to be singled out this way, and that commercial organisations should be subject to the same regime. There, I tend to disagree. As of next year, the ICO will be able to punish commercial sector organisations by fining them. Applying the same sanction to public sector bodies is likely to be neither rational nor effective: at best, it shuffles money from one part of the public purse to another; at worst, it will further stretch the (fixed) budget of the body in question, and reduce still further their ability to resource effective compliance. On the other hand, the possibility of a 'spot check' may do much to encourage good practice - which is, after all, the desired outcome.

(Rearrange as appropriate.)

Lord Mandelson has decided that banks' behaviour in the wake of the credit collapse merits legislative micro-management. 

Elsewhere in today's news, Gordon Brown 'refuses to deny rumours' that he the Chancellor will cut VAT in tomorrow's pre-budget report, as part of a rescue package for the economy. With his usual flair for indirection, he's gone for a European Union tax rather than any of the ones he has introduced over the last decade. Well  - I suppose it makes a change from picking on the Icelanders.

In the wake of convictions for the death of "Baby P", a court order was put in place to ban the publication of the identities of those involved. Unfortunately that didn't prove an effective deterrent to a number of social network subscribers, according to this BBC news story.

The appalling nature of "Baby P's" fatal treatment mean it is hard to detect any signs of public sympathy for the perpetrators. There are three areas in which this can get into questionable ground, of course:

- if someone decides to take the law into their own hands as a result;

- if the lust for revenge extends to those not facing charges (such as the council and social workers involved with the case);

- if someone gets the identities wrong.

Whether or not the current disclosures end up having unwanted consequences, they do illustrate some of the problems modern social networking can produce when it comes into conflict with traditional notions of law and law enforcement.

The House of Lords has voted in favour of an amendment to the Counter Terrorism Bill, requiring a shift in the policy of data retention. Currently the law is, in the words of its critics, "severely loaded against innocent people being able to ensure that their most sensitive personal details are not kept indefinitely following their exclusion" [from an enquiry].

Baroness Hanham, the sponsor of the amendment, said:

"The guidelines are deeply worrying and make clear just how high a barrier the Government have imposed on DNA and fingerprint information ever being destroyed. The initial response to a request for destruction is an automatic refusal."

The Lords are not the only ones to have recommended that the Government change its current policy of indefinite retention. The Government-appointed Ethics Committee of the National DNA Database (NDNAD) recommended earlier this year that the DNA samples of innocent people should be deleted on conclusion of an investigation, and that their DNA profiles should not be added to the database.

The citizen's enquiry run by the Human Genetics Commission (another Government initative) also recommended, in July this year, that the samples and records of innocent people should not be retained, as you may remember from these blog posts. You might also remember the speech Gordon Brown made to the IPPR back in June, putting a precise figure on how many cases the NDNAD has solved... despite the NDNAD's operators saying that "it is not possible to provide figures for the number of convictions produced by DNA".

All in all, the present policy on DNA retention does not, it must be said, smack of a Government acting on the views of those it has appointed to look into this. In a week when the Home Secretary has published the results of her public consultation into the National Identity Scheme, that is not an encouraging picture... but more of that later.

Carl Hiaasen's books (set in Florida) were once memorably described as "doing more damage to the State's reputation than anything short of an actual visit". Well, it's time for me to find out. I will be at the Gartner IAM conference next week, and they have very kindly invited me to run  a couple of workshops on the Sunday afternoon just before the event.

One will recap the Liberty Alliance Contractual Frameworks, and the other will be a Privacy round-table... the 9th in the programme.

If you're there, you'd be most welcome to attend either or both of those sessions (registration via the link on this page).

And if you're at the IAM conference, do stop by the Sun booth... I'm reliably told they'll be running a raffle, and also that beer and pizza could well be involved at some stage.

I had been wondering what to write for the 1,000th post on this blog (!), but serendipity stepped in with a public sector data breach headline. This time it's Atos Origin who are in the spotlight, after a USB stick was found in a pub car park, and turned out to contain data and software relating to the Government Gateway server. You may remember the Gateway from this post back in September 2006, when it won a Liberty Alliance IDDY award for its implementation of interoperable authentication.

As far as the current breach report is concerned  - I don't have any more details than what appears in the public record, but according to the Daily Mail (to whom the USB stick was handed after it was found), it contained

"confidential passwords, security software and the technical blueprint to the system known as the 'source code'."

 That in itself raises a number of questions...

- for all the bickering about how the Government 'can't be trusted to keep our details secret', why is it that someone's first instinct, on finding a USB stick in a car park, would be to hand it to a national newspaper, rather than, say, the police?

- in 2008, are we really still at the level of IT literacy where 'source code' needs to be in inverted commas, and the best analogy the journalist can come up with is to say that it's a 'technical blueprint to the system'? For goodness' sake: a blueprint is a technical drawing from which a physical object can be constructed. By extension, it's a design document from which source code could be developed. Is that distinction too hard to grasp? (Please, don't feel you have to respond by reference to the Daily Mail's target readership... ;^)

If I've interpreted the Mail's story correctly, the USB stick also contained a high-level description of the Gateway's architecture, some individuals' tax/NI details and some user IDs and passwords. A DWP representative said the passwords were 'hidden using an industry standard technique', but seemed to stop short of using the word 'encrypted'.

And if I've interpreted the BBC's article correctly, the DWP said that the user details and passwords on the stick were dummy accounts used to test a previous version of the Gateway.

On the basis of the information available - tempered by the knowledge that it may have been imperfectly understood, and/or dumbed down for public consumption - it's very hard to do any kind of risk assessment. That said, the implications seem to be more of a concern for Atos Origin and their management of internal procedures than for the average citizen/Gateway user.

At present the DWP (who took ownership of the Government Gateway project from the Cabinet Office) haven't issued a press release on this topic, but if they do, I'll link to it here.

I think I have finally worked out what, at some subliminal level, has been nagging at me about the Obama and McCain campaigns. At the superficial level, what's been visible from the UK, at least, is that the McCain team have been far readier to revert to negative messaging about their opponent. That comes across particularly starkly in the UK because it's a comparatively rare tactic over here.

That wasn't it, though. It was more what the candidates' statements said about their motivation for seeking the top job. Now, I admit, this is an entirely subjective conclusion, reached a long way from the action by someone with a very sketchy view of what's going on, but when you look at Obama's statements they are often something like this one, from a Wall Street Journal OpEd:

"Tomorrow, I ask you to write our nation's next great chapter... If you give me your vote, we won't just win this election - together, we will change this country and change the world."

It almost smacks of Kennedy's iconic "Ask not...".

McCain, on the other hand, was quoted in these terms from a Sunday evening speech in New Hampshire:

"So again I come to the people of New Hampshire, Republicans, independents, Democrats, Libertarians, vegetarians, all of them. I am asking you again to let me go on one more mission."

It's almost as if he wants that last mission in order to tick some personal goal of his own list, rather than to do something, for their benefit, on behalf of the voters.

Still, at least he's recycling. He used the same "one last mission" appeal back in 2000. It won him New Hampshire then, but that wasn't enough to take him all the way.