Sunday, December 30, 2007

Beware the state’s ID card sharks

"As chancellor, Brown relentlessly pursued his forlorn vision of a 'joined-up identity management regime' across public services. As prime minister, he continues this vain search, like an obsessed alchemist, for a giant database that his closest advisers ominously refer to as a 'single source of truth'.

"This fixation has not revolutionised public services. It has led to disaster. Brown’s approach combines three flaws: the ruthless pursuit of 'identity management'; a naive faith in computerised solutions; and sheer recklessness in managing the integrity of systems to which he is devoted. This has delivered a massively overcentralised government and a surveillance society." —David Davis MP, shadow Home Secretary

Wednesday, December 19, 2007

This spate of crises speaks of a bloated, broken Whitehall

"Brown's famous ´delivery tool´, e-government, is imploding in a welter of costs. A 2005 survey in the Guardian rated Britain bottom of seven western governments in using computers - everything from procurement to ´scrap rates´ and negotiating weakness. Whitehall's response was to double spending on consultants by the Office of Government Commerce. Government computers are like Hal in the film 2001, with inbuilt self-aggrandisement and self-defence.

"With costs on the ID card and NHS computer projects accelerating beyond the power of audit, there is no sign of improvement. In areas such as child support, doctor recruitment, defence coordination, illegal immigration and farm subsidies, not millions but billions of pounds are being wasted. Next year the senseless ContactPoint computer of all child records will go online, costing £40m a year just to operate. It is a racing certainty that this project will collapse from over-complexity and insecurity." —Simon Jenkins

Monday, December 17, 2007

¡Nos vemos en un mes!

Blogzilla is off to stomp around South America for a month. Hopefully will be able to send some despatches from Brazil, Argentina, Paraguay, Uruguay and Peru — but normal service will resume mid-January. ¡Hasta la vista, boludos!

Privacy as a key system requirement for building trust

Given the data debacle of the last month in the UK — today's episode: Norwich Union fined £1.26m for losing customer data — the engineering of privacy-protective systems is now a lot higher up the policy agenda.

How does one design and build such wondrous systems? Dear reader, I would suggest you start with my slides from last week's Public Services Summit in Stockholm where I described exactly that:

Eindhoven Institute for the Protection of Systems and Information

I am very proud indeed to have been invited to speak alongside Bruce Schneier, Whit Diffie and Andrew Odlyzko at the launch of the Eindhoven Institute for the Protection of Systems and Information. Schneier is the world's leading security guru and author of Applied Cryptography, one of my most favourite geek-out books. Diffie invented public-key cryptography, the foundation of Internet security, and has since authored classics such as Privacy on the Line. Odlyzko is one of the world's top information economists and mathematicians. It should be a fun event!

Sunday, December 16, 2007

Henry Porter's constitutional preamble

These truths Henry Porter (and I) hold self-evident…

"That government exists to serve and respect the people and can only do so by trusting the people; that every individual has the right to privacy and that personal information is exactly that — personal; that every individual has a right to justice — access to proper representation, to know the evidence against them, and be punished only if a normal court of law has decided the law has been broken; that every individual has the right to communicate, move about, assemble and express him or herself without the state obstructing, interfering with or monitoring those activities; that government and the state are not the same thing; that good government is only possible when these liberties are respected and government is fully accountable to the people."

Saturday, December 15, 2007

The Insatiable Appetite for Intellectual Property Rights

“We should be trying to hone the system so that the greatest rewards and encouragement go to those industries which need and deserve them most. Where IP rights perform their function of advancing the sciences or arts, they should be encouraged to do so. Where or to the extent that they do not, they have no justification and the normal discipline of competition should prevail. The gluttony which has resulted in the growth of completely unnecessary or excessively long IP rights undermines the system itself.” —Professor Sir Hugh Laddie QC

World Service on cybercrime

The World Service broadcast a 20-minute debate this lunchtime on cybercrime featuring yours truly along with cyber forensics expert Gary Warner from the University of Alabama and penetration tester Jason Moon. You can listen online, at least for now.

Who is the Justice Secretary kidding?

"In Wednesday's Guardian we had a superlative example of repackaged narrative. With jaw-dropping chutzpah, Jack Straw tells us that not only is it a complete fantasy that Labour reduced liberty — in fact Labour advanced its cause. Well, as my old mother would have said, tell that to the marines.

"This piece of effrontery did not come as a total surprise, as only a couple of weeks ago I was invited to debate the government's record on civil liberties and heard the same load of horse manure fall from the mouth of the former Lord Chancellor, Charles Falconer. It is the new line. 'We gave you human rights so we have actually added to your civil liberties.' He who fashioned it? I can hazard a guess but, dear reader, do not be misled. What it tells us is that spin is alive and well and sadly living in the hearts of some of those we thought had been translated to the new administration unencumbered by the pall of the old." —Baroness Kennedy QC

Friday, December 14, 2007

Is God in the machine?

Recording a Radio 4 spot
This week Radio 4's science show Leading Edge kindly asked me to record a short opinion piece. It was broadcast on last night's programme. You can listen to the audio, and read below my cheery Christmas message.

We are living in the middle of an information revolution. In 1965 Intel founder Gordon Moore first noted the doubling of the number of transistors per integrated circuit roughly every 24 months [1]. Raw computer power has since increased a million-fold. Hard disk capacity and Internet bandwidth are increasing at an even faster pace. Disk information density is doubling annually [2]. We can now fit 160 wavelengths down one fibre cable, with photonic integrated circuits capable of carrying 1.6 terabits per second [3] — the equivalent of over 10,000 television channels.

Surely the UK government must be correct to think this explosion in computing capability can solve some of society's most pressing problems? National databases of 60m citizens' health records, biometrics and children's details are now possible. You could be data matched against the profiles of alcoholics, suicide bombers and delinquent dads before breakfast. Even the estimated £70bn budgeted by the governments of Tony Blair and Gordon Brown on major IT projects and consultancy [4] would seem small change if their promises of a substantially healthier and safer society were fulfilled.

Unfortunately our capacity to design, build and securely operate information systems has not progressed quite so rapidly. In the last decade alone we have seen severe IT problems at the Child Support Agency, Passport Office, Criminal Records Bureau, HM Revenue & Customs, National Air Traffic Services and the Department for Work and Pensions [5]. Revenue & Customs have recently demonstrated the problems of systems that allow 25m child benefit records to be downloaded by junior officials — and who knows how many criminal gangs had already trodden this path before two discs were so unfortunately lost in the post.

The Information Commissioner told Parliament last week he had recently seen a whole stream of top businessmen and civil servants who revealed on a "confessional basis" that many more spectacular data breaches remain to be discovered [6].

We have heard from the prime minister that biometric security based on fingerprints and iris scans would reduce the problems caused by criminal plundering of personal data. This claim is not based on a realistic understanding of the technology [7]. We have recently seen fingerprint scanners fooled by prints reconstructed using gummi bear sweets. Trials have found problems in recording biometrics from several groups such as Asian women and manual workers. And once your biometrics are compromised, you have no way to change your fingers or irises.

In building widely accessible databases describing tens of millions of citizens, it seems that our government is trying to run at the speed of Moore's law rather than walk at the much slower pace of our developing understanding of secure and privacy-protective systems. Rather than risk a continuing stream of Revenue & Customs-scale breaches, the government might be wiser to listen to the computer scientists [8] who recommend a slower and more considered path towards information nirvana.

[1] Gordon E. Moore. Cramming more components onto integrated circuits. Electronics Magazine 38(8), 19/4/1965

[2] E. Grochowski and R. D. Halem. Technological impact of magnetic hard disk drives on storage systems. IBM Systems Journal 42(2), 21/4/2003

[3] Fred A. Kish et al. Ultra High Capacity WDM Photonic Integrated Circuits. Optical Fiber Communication and the National Fiber Optic Engineers Conference 2007

[4] David Craig and Richard Brooks. Plundering the Public Sector. London: Constable, 10/4/2006

[5] Parliamentary Office of Science and Technology. Government IT projects, July 2003

[6] Patrick Wintour. Information chief calls for review of ID card plans. The Guardian, 5/12/2007

[7] Ross Anderson, Richard Clayton, Ian Brown, Brian Gladman, Angela Sasse and Martyn Thomas. Biometrics are not a panacea for data loss. Letter to the Joint Committee on Human Rights, 26/11/2007

[8] Brian Randell. A computer scientist's reactions to NPfIT. Journal of Information Technology (2007) 22, 222–234

Thursday, December 13, 2007

Freedom of speech

"Though liberty is indivisible, regimes of liberties have a structure. The keystone of the arch is free speech. Without free speech one cannot claim other liberties, or defend them when they are attacked. Without free speech one cannot have a democratic process which requires the statement and testing of policy proposals and party platforms. Without free speech one cannot have a due process at law in which one can defend oneself, accuse, collect and examine evidence, make a case or refute one. Without free speech there cannot be genuine education and research, enquiry, debate, exchange of information, challenges to falsehood, questioning of governments, proposal and examination of opinion. Without free speech there cannot be a free press, which although it always abuses its freedoms in the hunt for profit, is necessary with all its warts, as one of the two essential estates of a free society (the other being an independent judiciary). Without free speech there cannot be a flourishing literature and theatre. Without free speech there are limits to innovation and experiment in any walk of life. In short and in sum, without free speech there is no freedom worth the name in other respects where freedom matters." —A.C. Grayling

Monday, December 10, 2007

The Picture Of Conformity

After the hell of being herded for 25 minutes through Heathrow Terminal 1 security on Sunday, this Washington Post article (via ORG) on "anticipatory conformity" struck a real chord. It includes this comment from Paul Saffo:

"As the memory of a world without surveillance disappears, society will just create a new normal, and then you'll see worse horrors. Our whole lives will become like the TSA checkpoint. You walk in there, you don't look mad, don't look upset, don't look distracted. Do nothing to stand out."

Sunday, December 09, 2007

Pepsi to give away 1 billion DRM-free downloads

Interesting news from Pepsi via Rhys Blakely in The Times:

"Pepsi is preparing a year-long marketing campaign in the United States in which up to a billion digital music tracks will be given away. Based on the prices charged by Apple, the largest online music retailer, the offer could be worth up to $1 billion (£490 million).

"Crucially, the drinks group is believed to be teaming up with, the online retailer vying with Apple’s iTunes music store, to distribute the giveaway tracks… It is also thought that the music will be distributed free of the digital rights management (DRM) technology that limits where legitimately downloaded tracks can be played."

This is another nail in the coffin of the artificial scarcity business model for digital music — or, as Cory Doctorow puts it, the "urinary tract infection" experience.

Wednesday, December 05, 2007

Data fiasco keeps getting worse

The lost disc disaster keeps getting worse for the government. This morning the Metropolitan Police have announced that they have finished their primary search with no results, and are therefore offering a £20,000 reward for the discs. Of course, even if they show up, it is highly likely that they have already been duplicated and plundered.

Much more seriously, it appears that the discs contain the names and addresses of up to 350 people who have changed their identities after giving evidence against serious criminals. If one of them is murdered, will we see someone more senior than the chairman of HMRC take responsibility?

The Information Commissioner was rightly on the warpath yesterday. In evidence to the House of Commons Justice Select Committee he said:

"Any massive collection of information like the identity card carries risk … We still have some uncertainties about what the primary purpose of the identity card is … Is it to improve policing, to fight terrorism, to improve public services, to avoid identity theft? I think there is a lot of thinking still to be done on its primary purpose."

Wouldn't it be a good idea for the government to decide what they want their ID database to achieve before they spend £20bn on the scheme?

Tuesday, December 04, 2007

Eunuchs, death threats and copyright

Last week the Social Market Foundation held an event on Intellectual Property Rights and Consumer Rights, sponsored by the Alliance Against IP Theft and with a keynote speech from the Minister for Intellectual Property, Lord Triesman. Muggins here was the token "consumer" speaker in a room packed full with right holder lobbyists and lawyers.

The highbrow tone of the debate did not disappoint. From the floor one IP lawyer asked Lord Triesman whether bands like Radiohead should be banned from trying out new business models. In his presentation, Eighties popstar Fergal Sharkey variously called me a eunuch, ultra-liberal cyberprof and über-capitalist free marketeer. I assume that means I had taken a reasonably balanced position! Still, better than the death threat I got from Nineties crooners Right Said Fred at a similar event organised by JP Morgan in 2001.

If like me you're more interested in copyright policy discussion than ad hominen attacks, you can read through my slides and also Michael Holloway's report on the meeting. Meanwhile, Lord Triesman has more pressing concerns.

Schneier: Security in Ten Years

"Throughout history and into the future, the one constant is human nature. There hasn't been a new crime invented in millennia. Fraud, theft, impersonation and counterfeiting are perennial problems that have been around since the beginning of society. During the last 10 years, these crimes have migrated into cyberspace, and over the next 10, they will migrate into whatever computing, communications and commerce platforms we're using." —Bruce Schneier

Sunday, December 02, 2007

Ready, steady, scrap

"Gordon Brown should announce forthwith that he is putting his three wildest white elephants out to grass: identity cards, the National Health Service computer and the plan to locate the 2012 Olympics in Stratford. All have budgets out of control. Such is this centralist squandermongering that Brown could take 2p off income tax for a decade or give every school, hospital and library in Britain a Christmas bonus of £1m." —Simon Jenkins

Saturday, December 01, 2007

Data protection won't help once all the data is gone

"Data-protection legislation won't help when the data is gone. Biometrics won't help, because it can only secure individual transactions. The Home Office doesn't ask for your fingerprint in order to give your details to someone it thinks is from Revenue & Customs.

"Simply put, the [ID] system will create crime. It will be unworkable. And it will destroy the trust between citizen and state that has existed in this complex, ancient nation — a model of democracy, common sense and decency — for 800 years. The technology has simply not been invented that could keep an entire database state properly secure and give the government the control it aims for." —Christina Zaba

EC High Level Review of the future of networks and the Internet

European Commission Charlemagne buildingI spoke on Wednesday at a closed European Commission meeting reviewing progress on the EU's i2010 agenda. There were several other excellent speakers and a fascinating discussion with the Commission staff and 30 European Economic Area member states' representatives present. If you are interested you can see my short introductory presentation: Openness and innovation in the information society.

Lords Constitution Committee publishes privacy inquiry evidence

The House of Lords Constitution Committee is conducting an inquiry into surveillance and data collection. They have now published evidence submitted to the inquiry, including the response I co-authored in June with colleagues from the Foundation for Information Policy Research. I recommend reading the entire submission, but here is a brief taste:

13. At the level of philosophy, human rights are most commonly founded on the principle of human dignity. Pervasive surveillance will undermine personal dignity, and ultimately support for human rights.

14. There are other theories. A communitarian view is that many public goods depend on social capital — the networks of mutual obligation, reciprocity and trust that exist in society. Diminished social capital increases crime; damages child development; and particularly harms the poor, who have less human or financial capital as a backstop. Social capital is generally built by local action and diminished by central action: involving parents in running a school is vastly preferable to using a government computer as their surrogate.

15. A third view is that privacy is an internalised version of territoriality and serves to order society. This comes from the substantial research literature on the economics of privacy, in which central problems are why privacy remains more of a luxury good than a fundamental right, and why people do not complain more about privacy erosion. We tend to the view that they are starting to, as awareness spreads from the policy and technical elite to the masses.

States flex muscles in cyberspace

On Thursday McAfee published their Virtual Criminology Report 2007, commissioned from myself, Prof Lilian Edwards and Prof Eugene Spafford. Our main finding was that this is the year that states have really started flexing their cybermuscles, with incursions into sensitive government networks by China reported by the UK, US and Germany over the summer and three weeks of attacks on Estonia during May.

While China has rejected our report, MI5 Director-General Jonathan Evans wrote on Wednesday to the CEOs of 300 UK companies warning them of Chinese surveillance. I just spoke to the World Service and Radio 4 about this.

Of course, countries such as the US and UK conduct similar electronic espionage. As the former CIA director James Woolsey said in 2000:

"[A]pproximately 95 percent of U.S. intelligence collection with respect to economic matters, which itself is only one of a reasonable number of U.S. intelligence targets — but with respect to economic matters, 95 percent of our intelligence collection is from open sources. Five percent is essentially secrets that we steal. We steal secrets with espionage, with communications, with reconnaissance satellites."

Dr Brian Gladman has compared the online intelligence battles of the major states and their proxies as the 21st century equivalent of state-sponsored piracy:
"Nations gave up their sponsorship of piracy then when they came to realise that they each gained more from a safe global trading environment than they did in encouraging pirates to plunder the trade routes of other nations. We are now in an analogous situation in cyberspace with some nations claiming to support the global information society — a development which requires respect for the information assets of others — whilst secretly pursuing economic intelligence collection in what amounts to a direct modern analogue of the State sponsored piracy of past ages.

"The global information society (and the associated global electronic trading environment) cannot truly flourish while nations sponsor (or are perceived by others to sponsor) information piracy in cyberspace."

The international law of the sea took centuries to develop. Will we see an online equivalent in our lifetimes?