Tuesday, November 27, 2007

Coming next… an even bigger database

"The parents whose information has been lost may not be happy to hear that their medical history, benefits statements, education details, criminal record, tax information and driving licence facts could all potentially be accessed through a central computer." —Rachel Sylvester

Monday, November 26, 2007

Biometrics are not a panacea for data loss

Along with several colleagues I have been worried by the government's emphasis over the last week on biometrics as a "solution" to data breaches such as those from HM Revenue & Customs. We wrote this morning to Parliament's Joint Committee on Human Rights to point out these problems as follows (now picked up by the Daily Mail, Computing, the Register, New Statesman and the IEEE):


Mr Andrew Dismore MP
Chair, Joint Committee on Human Rights
Committee Office
House of Commons
7 Millbank
London SW1P 3JA

cc: Committee members; David Smith, Deputy Information Commissioner

26 November 2007

Dear Mr Dismore,

The government, in response to the recent HMRC Child Benefit data breach, has asserted that personal information on the proposed National Identity Register (NIR) will be 'biometrically secured':

"The key thing about identity cards is, of course, that information is protected by personal biometric information. The problem at present is that, because we do not have that protection, information is much more vulnerable than it should be." - The Chancellor, Hansard Column 1106, 20/11/07

"What we must ensure is that identity fraud is avoided, and the way to avoid identity fraud is to say that for passport information we will have the biometric support that is necessary, so that people can feel confident that their identity is protected." - The Prime Minister, Hansard Column 1181, 21/11/07


These assertions are based on a fairy-tale view of the capabilities of the technology, and in addition, only deal with one aspect of the problems that this type of data breach causes.

Ministers assert that people's information will be 'protected' because it will be much harder for someone to pass themselves off as another individual if a biometric check is made. This presupposes that:

(a) the entire population can be successfully biometrically enrolled onto the National Identity Register, and successfully matched on every occasion thereafter - which is highly unlikely, given the performance of biometrics across mass populations generally and especially their poor performance in the only, relatively small-scale, trial to date (UKPS enrolment trial, 2004). Groups found to have particular problems with biometric checks include the elderly, the disabled and some ethnic groups such as Asian women;

(b) biometrics are 'unforgeable' - which is demonstrably untrue. Biometric systems have been compromised by 'spoofing' and other means on numerous occasions and, as the technology develops, techniques for subverting the systems evolve too;

(c) every ID check will be authenticated by a live biometric check against the biometric stored on the NIR or at the very least against the biometric stored on the chip on the ID card which is itself verified against the NIR. [N.B. This would represent a huge leap in the cost of the scheme which at present proposes only to check biometrics for 'high value' transactions. The network of secure biometric readers alone (each far more complex and expensive than, e.g. a Chip & PIN card reader) would add billions to the cost of rollout and maintenance.]

Even if, in this fairy-tale land, it came to pass that (a) (b) and (c) were true after all (which we consider most unlikely), the proposed roll-out of the National Identity Scheme would mean that this level of 'protection' would not - on the Home Office's own highly optimistic projections - be extended to the entire population before the end of the next decade (i.e. 2020) at the earliest.

Furthermore, biometric checks at the time of usage do not of themselves make any difference whatsoever to the possibility of the type of disaster that has just occurred at HMRC. This type of data leakage, which occurs regularly across Government, will continue to occur until there is a radical change in the culture of both system designers and system users. The safety, security and privacy of personal data have to become the primary requirement in the design, implementation, operation and auditing of systems of this kind.

The inclusion of biometric data in one's NIR record would make such a record even more valuable to fraudsters and thieves as it would - if leaked or stolen - provide the 'key' to all uses of that individual's biometrics (e.g. accessing personal or business information on a laptop, biometric access to bank accounts, etc.) for the rest of his or her life. Once lost, it would be impossible to issue a person with new fingerprints. One cannot change one's fingers as one can a bank account.

However, this concentration on citizens 'verifying' their identity when making transactions is only one issue amongst many when considering the leakage of personal data. Large-scale losses of personal data can have consequences well beyond an increase in identity fraud. For example, they could be potentially fatal to individuals such as the directors of Huntingdon Life Sciences, victims of domestic violence or former Northern Ireland ministers.

It is therefore our strongest recommendation that further development of a National Identity Register or National Identity Scheme (including biometric visas and ePassports) should be suspended until such time that research and development work has established beyond reasonable doubt that these are capable of operating securely, effectively and economically on the scale envisaged.

Government systems have so far paid little attention to privacy. Last week's events have very significant implications indeed for future government information systems development.

We would be pleased to clarify any of these points or provide further information if useful to the Committee.

Yours sincerely,

Professor Ross Anderson
Dr Richard Clayton
University of Cambridge Computer Laboratory

Dr Ian Brown
Oxford Internet Institute, University of Oxford

Dr Brian Gladman
Ministry of Defence and NATO (retired)

Professor Angela Sasse
University College London Department of Computer Science

Martyn Thomas CBE FREng

Sunday, November 25, 2007

We have all the details we need

"It was Junior Civil Servant X, after all, who reportedly downloaded the data of 25 million people onto two unencrypted discs and dispatched it by internal mail to the National Audit Office. Witless, yes: but such data had been sent that way before. For the Government to blame a low-level employee for this fiasco is a bit like allowing a teenage work experience girl access to the nuclear button, and then bleating that she had 'clearly not followed strict rules' when she reached for her skinny latte and accidentally wiped out Tajikistan." —Jenny McCartney

A mass movement against state snoopers

"Each of us should understand that personal information is exactly that — personal — and that the government has only limited rights to demand and retain it. The scale of its operations and the innate weakness of the systems is a very grave concern to us all." —Henry Porter

Saturday, November 24, 2007

The revenge of Googlezon

The media's gaze has rightly widened from the government's data debacle to the floods of personal data being gathered by search engines, e-commerce sites and especially social networking utilities. The Information Commissioner's Office has issued a warning to young people about the potential damage such sites can do to their academic and employment prospects.

I spoke about this last night to Newsnight.

Crisis of identity

"The government has claimed that the cards would combat identity fraud. But the opportunity handed to fraudsters with the loss of the Revenue discs demolishes that argument. Few will trust Whitehall to manage such sensitive data again. There are grave problems with introducing even a well-managed ID card system. Instead, we are being asked to accept one that will drain taxpayers’ money and yet leave no-one sleeping better at night. Mr Brown has displayed relish in tearing up some of his predecessor’s pet schemes. He should now add ID cards to the scrapheap." —The Financial Times

We pay no attention to the man behind the curtain

"Already the pall of platitudes is being spread over both cockups. Identical platitudes, in fact. There will be a 'root and branch' review of management systems within HMRC. There will be a 'root and branch' review of the arrangements around the England team. And yet it doesn't feel awfully like that at present. Vitriol is being poured over the England goalkeeper Scott Carson, just as it will be over the still anonymous junior manager who popped the child benefit database in the post. Obviously, both of them had shockers. But it feels neither root nor branch to be laying the blame on a 22-year-old and a 23-year-old respectively. Then again, deeper chaos is much more frightening to contemplate, let alone deal with." —Marina Hyde

Request and response for child benefit data was incompetent

It is clear from correspondence between the National Audit Office and Her Majesty's Revenue & Customs over the lost files fiasco that this data should never have been requested, nor supplied.

NAO wanted to choose a random sample of child benefit recipients to audit. Understandably, it did not want HMRC to select that sample "randomly". However, HMRC could have used an extremely simple bit-commitment protocol to give NAO a way to choose recipients themselves without revealing any of the data related to those not chosen:

  1. For each recipient, HMRC should have calculated a cryptographic hash of all of the recipient's data and then given NAO a set of index numbers and this hash data.

  2. NAO could then select a sample of these records to audit. They would inform HMRC of the index values of the records in that sample.

  3. HMRC would finally supply only those records. NAO could verify the records had not been changed by comparing their hashes to those in the original data received from HMRC.


This is not cryptographic rocket science. Any competent computer science graduate could have designed this scheme and implemented it in about an hour using an open source cryptographic library like OpenSSL.
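The three-step scheme above, worked through end to end as an added Python example (not the post's or HMRC's code; the post mentions OpenSSL, here the standard library's hashlib is used). The recipient records are constructed and fictional, and one detail is added to the post's sketch: a random per-record nonce, revealed along with the record, which a hash commitment needs so that low-entropy records cannot be recovered by guessing against the hash list.

```python
import hashlib
import hmac
import json
import os
import random

# Constructed, fictional sample records (not real child benefit data).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "postcode": "AB1 2CD", "children": 2, "weekly_gbp": 31.30},
    {"name": "Bob Example", "postcode": "EF3 4GH", "children": 1, "weekly_gbp": 18.80},
    {"name": "Carol Example", "postcode": "IJ5 6KL", "children": 3, "weekly_gbp": 43.80},
    {"name": "Dan Example", "postcode": "MN7 8OP", "children": 1, "weekly_gbp": 18.80},
    {"name": "Eve Example", "postcode": "QR9 0ST", "children": 2, "weekly_gbp": 31.30},
]


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so both parties hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def commit(record: dict, nonce: bytes) -> str:
    """SHA-256 commitment over a random nonce plus the record.

    The nonce (added here, not in the post's sketch) stops anyone holding the
    hash list from confirming a guessed record by brute force, and hides which
    recipients happen to have identical data.
    """
    return hashlib.sha256(nonce + canonical(record)).hexdigest()


class HMRC:
    """Data holder: publishes commitments, later reveals only what is chosen."""

    def __init__(self, records):
        self.records = dict(enumerate(records, start=1))
        self.nonces = {i: os.urandom(16) for i in self.records}

    def step1_commitments(self) -> dict:
        # Step 1: index numbers and hashes only; no personal data leaves HMRC.
        return {i: commit(r, self.nonces[i]) for i, r in self.records.items()}

    def step3_reveal(self, chosen) -> dict:
        # Step 3: supply the chosen records together with their nonces.
        return {i: (self.records[i], self.nonces[i]) for i in chosen}


class NAO:
    """Auditor: picks the sample itself and checks the reveal against step 1."""

    def __init__(self, commitments: dict):
        self.commitments = dict(commitments)

    def step2_choose(self, k: int, rng=None) -> list:
        # Step 2: NAO, not HMRC, selects the sample from the committed indices.
        rng = rng or random.SystemRandom()
        return sorted(rng.sample(sorted(self.commitments), k))

    def verify(self, chosen, revealed: dict) -> list:
        """Return indices that are missing, unrequested, or fail their commitment."""
        problems = [i for i in chosen if i not in revealed]
        for i, (record, nonce) in revealed.items():
            if i not in chosen:
                problems.append(i)  # HMRC sent more data than was requested
            elif not hmac.compare_digest(commit(record, nonce), self.commitments[i]):
                problems.append(i)  # record changed since it was committed to
        return sorted(set(problems))


def run_audit(records, k, rng=None, tamper=None):
    """Run steps 1-3 end to end; `tamper` optionally alters one revealed record."""
    hmrc = HMRC(records)
    nao = NAO(hmrc.step1_commitments())
    chosen = nao.step2_choose(k, rng)
    revealed = hmrc.step3_reveal(chosen)
    if tamper is not None:
        idx = chosen[0]
        record, nonce = revealed[idx]
        revealed[idx] = ({**record, **tamper}, nonce)
    return chosen, nao.verify(chosen, revealed)


if __name__ == "__main__":
    chosen, problems = run_audit(SAMPLE_RECORDS, 2)
    print("chosen", chosen, "problems", problems)
    chosen, problems = run_audit(SAMPLE_RECORDS, 2, tamper={"children": 9})
    print("tampered record detected at", problems)
```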

Ben Laurie notes that the redacted correspondence itself demonstrates a lack of basic security awareness. I hope those carrying out the security review of the ContactPoint database are better informed.

I never lose things. Bet I'd find those discs

"The notion that a 23-year-old bloke, having whipped up a zip file detailing every child in the nation, puts down his Ginsters scotch egg slice for a moment, calls the courier company, but can't be arsed to fill in the additional labels to send the parcel as registered mail, is as comic as it is tragic. Certainly the jolly Indian lady in my local post office thought so on Wednesday: 'Ha ha ha, dear, yes better post special delivery: else you'll have to send the police looking for it!'" —Janice Turner

Friday, November 23, 2007

The Lovely Mistresses of George W. Bush

"The Lovely Mistresses of George W. Bush is a classically styled, 13 month pin-up calendar ending on January 20th, 2009, the final day of George W. Bush's presidency. Packed with jaw dropping all-original images by Burke Heffner, The Lovely Mistresses features some of America's hottest burlesque stars and pin-up girls.

"Every stunning girl is a hilarious reveal of the corporations, special interest groups and billionaires who have influenced George the most. Each pin-up includes her vital statistics, important dates and a farewell love letter to the president." (via Boing Boing)

Thursday, November 22, 2007

WIPO vs 1984

"The conclusion you presented to your African brothers, whose support you want for your re-election is a disgraceful fools market. An insult to their intelligence and to their integrity. It betrays your contempt for your interlocutors as well. Do you take your staff, your member states, your NGOs and the press for imbeciles?" —WIPO staff open letter to director Kamil Idris

See my own thoughts on the World Intellectual Property Organisation.

Labour's new lottery: You could be ripped off

"What is so appalling about the present episode is the casualness, the condescending indifference on the part of the state towards the privacy of British people.

"This is how they treat vital personal information — allowing a junior official to burn it on to several discs, and then losing it in the mail.

"How dare these people continue to make the case for ID cards? How dare they claim that they can be trusted with any more of our data?

"The argument is lost, and before the Government wastes £10 billion of our money, it should run up the white flag and withdraw the Bill." —Boris Johnson MP

Steve Bell on the data debacle

Wednesday, November 21, 2007

Why was HMRC sending sensitive data through the post?

According to Computer Weekly editor Tony Collins: to avoid security controls on online transfers.

Second-class and lost in the post

"It is shocking, it is risible, it is hilarious. Someone gave a disc containing confidential data about 25 million people to a bloke on a bike? And he lost it? Of course, a case of mass identity or financial fraud would never happen in this way. It is too chaotic. Fraud will happen through a far more organised infiltration of the official systems; but what yesterday's revelation does is underscore the insecurity of those systems. And allows us to giggle at the po-faced pretence of those in authority that they are any better at protecting us than we are ourselves." —Alice Miles

Tuesday, November 20, 2007

Discs with 15m bank details lost by Revenue

What happens when you put sensitive data about tens of millions of individuals into centralised government databases with atrocious security controls? Go on, take a wild guess.

Thank goodness the government isn't making a similar mistake with highly sensitive information about all of the UK's children. Or everyone's medical records. Or indeed, everyone's entire identity.

More from Ross Anderson.

UPDATE: The government has now admitted that 25 million individuals' data was lost. I spoke tonight about this on Newsnight.

UPDATE 2: Also spoke to Five Live, BBC Radio Wiltshire and Fox FM on this.

Monday, November 19, 2007

Happy ORG day!

One of the most exciting political organisations in the UK right now is the small but perfectly-formed Open Rights Group. It was founded two years ago based on a Pledgebank.com promise from 1,000 people to donate £5 per month to a UK digital rights organisation. Ever since, ORG has been exploiting new Internet technologies to massive political effect. Old-skool tech like public meetings, parliamentary lobbying and mailing lists has combined with ORG blogs, wikis, twittering and assorted other 2.0 technologies to:

  • Convince the Gowers review of intellectual property that Cliff Richard was not the leading copyright thinker that he claimed.

  • Expose the shocking electoral problems caused by e-voting and e-counting equipment in May 2007's ballots.

  • Persuade the All-Party Parliamentary Internet Group that Digital Rights Management is not manna from heaven for the creative industries.

I'm extremely proud to have helped found and run ORG. So, why aren't you a member yet? Join now!

PS Danny O'Brien has a nice potted history.

Britain is a US client state and should not forget it

"In his speech on Tuesday the prime minister himself said ingratiatingly: 'I am a lifelong admirer of America. I have no truck with anti-Americanism in Britain or elsewhere in Europe and I believe that our ties with America founded on values we share constitute our most important bilateral relationship.'

"Those are interesting and thought-provoking words. Is it 'anti-American' to regret that we were dragged into the Iraq adventure purely to demonstrate Blair's — and Brown's — fealty to our most important bilateral partner, or even to wonder occasionally whether the last few years may not have raised questions about the fitness of the US for its role as hegemonic superpower? Does the prime minister have in mind the 'shared values' of Guantánamo Bay and Abu Ghraib? Of 'extraordinary rendition' and 'enhanced interrogation'?" —Geoffrey Wheatcroft

Sunday, November 18, 2007

It’s one small step from Brown’s paranoid state into a police one

"Given the fallibility of government computers — the new e-border one is to cost an astronomical £650m — getting into, out of and about Britain will change from inconvenient to sheer hell. If a Brazilian, de Menezes, can be shot for looking Arabic and a normal Briton in a diabetic fit be Tasered and manacled for 'looking Egyptian', the mind boggles at the accidents waiting to happen." —Simon Jenkins

We're trapped in a prison and the walls are rising higher

"How have we allowed this rolling putsch against our freedom? Where are the principled voices from left and right, the outrage of playwrights and novelists, the sit-ins, the marches, the swelling public anger? We have become a nation that tolerates a diabetic patient collapsed in a coma being tasered by police, the jailing of a silly young woman for writing her jihadist fantasies in verse and an illegal killing by police that was prosecuted under health and safety laws." —Henry Porter

Saturday, November 17, 2007

Fortress Britain, a grotesque thought

"If, as Gordon Brown says, 'terrorism can hit us anywhere', then what is the point? Where is the benefit in a mentality at once paranoid and supplicant? If a former iron chancellor is hoping to turn into an armour-plated premier, to create a vision of imminent threat that he alone can protect us from, he is failing. These new measures don't make him rock-like and brave but weak, flappy and overreactive. The term 'helicopter parent' is used to describe the obsessively risk averse, who hover over their children, terrified they will bump heads, scratch legs, wander an inch out of sight. We don't need a helicopter PM.

"But if this is just about creating a fearful hunger for authoritarianism to justify the extension of the 28-day detention limit, in turn so Labour can appear tougher on terrorism than the Tories, if Britain is to be made a citadel in the name of party politicking, it is an unspeakable shame." —Janice Turner

Publisher's plan could spell the end of hardback

It seems that book publishers are losing their power to price discriminate using versioning in the same way that iTunes has almost fatally damaged the ability of the recording industry to bundle songs using albums. Picador has announced that it will from next year launch 80% of new books in paperback. Publisher Andrew Kidd told The Guardian: "Over the last few years publishers have witnessed sales of literary fiction in hardback reaching new lows. All of us find that depressing, and there are, frankly, no reasons to think the situation might soon reverse itself."

In better news for creative types, the booming live music scene is leading to the opening of a whole series of new venues. This is being driven both by new acts like the Arctic Monkeys, and reunion tours by groups such as the Police (who last year grossed more than £83.8m from 53 shows seen by more than 1.5 million people). Mintel estimated the 2006 value of the UK's live music industry at £743m.

Recording companies are going to have to move extremely quickly if they are to avoid total disintermediation.

If you've got talent, hide it quick

"Of all the briefings against Lord Malloch-Brown in recent weeks, perhaps the most wearying was some anonymous source's diagnosis that he was 'struggling to make the transition'. Can you bear the faux sympathy? What truly grates is the implication that transferring to contemporary British politics is somehow a giant step up, as though deputy-presiding over the United Nations — or being last off your sinking ship in the heat of war and winning a DSC — are merely the nursery slopes compared with having to sit through a lot of tedious Westminster meetings while allies of the foreign secretary brief babyishly against you." —Marina Hyde

Thursday, November 15, 2007

UK wants Net companies to fight terror

Prime Minister Gordon Brown has set out his new national security plans, including the following:

One central issue is how to balance extremist views supporting terrorism which appear on the internet and media. The Home Secretary is inviting the largest global technology and internet companies to work together to ensure that our best technical expertise is galvanised to counter online incitement to hatred.

As I told Associated Press, this is more rhetoric than a realistic strategy.

Saturday, November 10, 2007

Perugia police find wealth of digital evidence

The investigation into the shocking murder of English student Meredith Kercher has uncovered a wealth of mobile and Internet-related evidence.

The main suspect, Raffaele Sollecito, blogged on 13 October 2007 that he wanted to try "extreme experiences". With his girlfriend Amanda Knox he was tracked on the evening of the murder to a meeting with the third suspect Diya Lumumba; they returned to Kercher and Knox's flat, where they switched off their mobile phones. Lumumba's later claim that he was running his bar at the time was shown to be highly unlikely, based on the timestamped receipts in the bar till.

The following lunchtime the Postal Police of Perugia visited Knox's flat because another flatmate's mobile phone (in recent use by Kercher) had been found in a neighbour's garden. They disturbed Sollecito and Knox, whose claim that they were waiting for the Carabinieri was later shown to be false based on the timing of their call to the police.

Police searched Facebook for information related to Kercher, in particular to identify friends they could interview. Sollecito and Knox also had a wealth of personal information on MySpace, Facebook and YouTube.

Of course, as Cardinal Richelieu observed: "If you give me six lines written by the most honest man, I will find something in them to hang him." It will be interesting to see if all of the publicity around this case causes any shift away from the self-publicising culture of social networking sites.

If you are interested in finding out more, last year I wrote a research note on the powers that the UK police and other government agencies have to access such personal information. In September I gave a joint conference presentation on Facebook's privacy controls. I also just did an interview for Sky News.

The fame generation needs to learn the value of privacy

"Gradually, older generations are having to adjust to the notion that not only do younger people not really care about privacy; they often don't even comprehend the idea of it. Watch the audition rounds of any television talent show, and it seems as if an entire generation now believes fame to be a basic human right. Maybe one of the other rights had to give. Maybe it was privacy. At this rate, they'll be employing acting coaches to make their CCTV outings stand out from the crowd.

"But the view that this is a cultural shift with which we must all make our peace is wrong. Naive and cavalier is a dangerous combination, and a disdain for their own privacy will leave young people immensely exposed." —Marina Hyde

Friday, November 09, 2007

We can best stop terror by civil, not military, means

"The focus on the civil paths to peace does not ignore, in any way, the basic fact that terrorism and homicide, no matter how generated, are criminal activities that call for effective security measures. No serious analysis of group violence can fail to begin with that basic understanding. But the analysis cannot end there, since many social, economic and political initiatives can be undertaken to confront and defeat the appeal on which the fomenters of violence and terrorism draw to recruit active foot soldiers and passive sympathisers." —Amartya Sen

Thursday, November 08, 2007

Modern killers turn to video to get message out

The murder of seven Finnish students and their head teacher yesterday by a lone gunman is a tragedy. The gunman's YouTube video predicting the event has caught the media's attention, but is I think largely irrelevant. As I told Reuters:

"New technologies like the Internet get used by a very wide range of people unfortunately including in events like this. Previously many people who committed very serious crimes would get publicity through newspapers. This is how the mass media works in the 20th and 21st century."

The Guardian has a good background piece.

UPDATE: Also did interviews on this for Radio 4's PM and BBC Radio Oxford.

Tuesday, November 06, 2007

This morning I met the Queen

Well, she waved as she swept by in her carriage to open this session of Parliament :) Unfortunately she also forced me to cycle miles out of my way to get to a meeting at Scotland Yard. Her procession of mounted guards was something to behold; as was the fleet of ambassadors, admirals and peers that glided by afterwards in their Jaguars, Mercedes and BMWs. If you are a fan of British pageantry this is an occasion you really shouldn't miss.

Wits of the week in Guardian letters

"Your front-page headline (Guilty, but Blair refuses to go, November 2) gave me profound sense of deja vu." —David Greig

"I see a leading public figure, Charles Prince, has been forced to go (Report, November 5). A typo short of an abdication." —Keith Flett

Monday, November 05, 2007

So, Mr Cameron, what would you do with our liberties?

"Quoting Locke, de Tocqueville and Mill doesn't mean you have an instinctive feel for liberty. Indeed, Brown's whole belief in the wisdom of big government leads me to believe that he has no feel for liberty at all. And given his seeming lack of concern about extending detention without charge even beyond 28 days, presumably 'the next chapter in British liberty' he so badly wants to write is: 'The End'." —David Cameron MP

Sunday, November 04, 2007

Blair will resign. The only real question is when

"Let us recall exactly what happened to Jean Charles de Menezes on his way to work that morning. Armed agents of the state drilled seven dum-dum bullets into his brain. When police officers kill innocent people someone must be held to account. That principle is what distinguishes a free society from a police state. Sir Ian may not be personally culpable, but he is ethically responsible for his organisation. The moral buck stops with him." —Andrew Rawnsley

Friday, November 02, 2007

Co-designing the future

Last week I spent a happy 30 minutes browsing around the Designs of the Time 2007 festival in Newcastle. Lots of fascinating projects including a climate change "weather forecast", OurNewSchool, Urban Farming and accessible sexual health services.

What all of these projects had in common was the involvement from start to finish of the users of their services. You might think this is the obvious way to design new systems, but if so you clearly haven't spent much time in the IT world — particularly in the design of large public sector information systems. The more usual approach is that a system is hacked together to a constantly-changing specification from consultants and officials who may have never used the service in question (e.g. collecting child benefit or jobseekers' allowance), and fine-tuned by programmers who are similarly disconnected from their users.

Interaction design is a key new field between design and computer science. John Thackara and his Dott team have done a sterling job of putting it into practice, both here and in the Juice workshop I attended earlier this year in Delhi. I hope that visitors from the North East and local and central government were enthused and will build co-design into their future projects — as we are doing in Fair Tracing, e-Curator, and hopefully a forthcoming ID management project.

Blogzilla is 2!

This week Blogzilla has burst through into the terrible twos. He is enjoying his new home in Oxford while still taking full advantage of life in Bloomsbury.

Favourite subjects of discussion over the last year:


As always, your comments and suggestions are welcome!

The calamity of Iraq has not even won us cheap oil

"Although 'the judgment of history' has a sonorous ring, it doesn't necessarily require the long gestation that phrase might imply: sometimes there's no need for the owl of Minerva to hang around waiting for the sun to go down. When one eminent historian, Sean Wilentz of Princeton, pronounces bluntly that George Bush the Younger is 'the worst president in American history', and another, Tony Judt of New York University, calls the Iraq war 'the worst foreign policy error in American history', not many of us will argue with them." —Geoffrey Wheatcroft

Thursday, November 01, 2007

CCTV is no silver bullet

"If CCTV was an expensive medical treatment, the government would have demanded compelling evidence before farming it out to private companies, which rake in serious cash from its manufacture. But instead MPs clamour for more, egged on by their constituents, because CCTV has been almost unresistingly accepted as an elixir for the low-level criminality and public disorder that most concerns the public, despite the fact that the limited research available does not bear this out." —Libby Brooks

Bloodspell and the Rise of the Machinima

Machinima, movies rendered using a real-time video console graphics engine, is one of the most interesting new composite art forms of the last decade.

I'm delighted that London Metropolitan Business School and the Open Rights Group have organised a free screening of Bloodspell: a feature-length, Creative Commons-licensed machinima film, written and directed by pioneer Hugh Hancock. I'll be one of the panellists at the screening Q&A session afterwards along with Hugh and colleagues Lilian Edwards, Andres Guadamuz and Holly Ayllet. Hope to see you there!

NPfIT went ahead after PM had 10-minute briefing

A new low in news on the National Health Service's National Programme for IT, reported by the ever-vigilant Tony Collins:

"Some in the IT industry may be surprised that the government made a provisional decision to invest billions of pounds in a technology-based programme on an apparently whimsical basis… If news leaked out that a fledging democracy had launched a technology project of enormous cost, size and importance on the basis of the informal style of decision-making that is parodied by the 10-minute presentation to the Prime Minister, its ruling party would, perhaps, be deeply embarrassed. Not the British government."