" /> net.wars: August 2010 Archives

« July 2010 | Main | September 2010 »

August 27, 2010

Trust the data, not the database

"We're advising people to opt out," said the GP, speaking of the Summary Care Records that are beginning to be uploaded to what is supposed to be eventually a nationwide database used by the NHS. Her reasoning goes this way. If you don't upload your data now you can always upload it later. If you do upload it now - or sit passively by while the National Health Service gets going on your particular area - and live to regret it you won't be able to get the data back out again.

You can find the form here, along with a veiled hint that you'll be missing out on something if you do opt out - like all those great offers of products and services companies always tell you you'll get if you sign up for their advertising, The Big Opt-Out Web site has other ideas.

The newish UK government's abrupt dismissal of the darling databases of last year has not dented the NHS's slightly confusing plans to put summary care records on a national system that will move control over patient data from your GP, who you probably trust to some degree, to...well, there's the big question.

In briefings for Parliamentarians conducted by the Open Rights Group in 2009, Emma Byrne, a researcher at University College, London who has studied various aspects of healthcare technology policy, commented that the SCR was not designed with any particular use case in mind. Basic questions that an ordinary person asks before every technology purchase - who needs it? for what? under what circumstances? to solve what problem? - do not have clear answers.

"Any clinician understands the benefits of being able to search a database rather than piles of paper records, but we have to do it in the right way," Fleur Fisher, the former head of ethics, science, and information for the British Medical Association said at those same briefings. Columbia University researcher Steve Bellovin, among others, has been trying to figure out what that right way might look like.

As comforting as it sounds to say that the emergency care team looking after you will be able to look up your SCR and find out that, for example, you are allergic to penicillin and peanuts, in practice that's not how stuff happens - and isn't even how stuff *should* happen. Emergency care staff look at the patient. If you're in a coma, you want the staff to run the complete set of tests, not look up in a database, see you're a diabetic and assume it's a blood sugar problem. In an emergency, you want people to do what the data tells them, not what the database tells them.

Databases have errors, we know this. (Just last week, a database helpfully moved the town I live in from Surrey to Middlesex, for reasons best known to itself. To fix it, I must write them a letter and provide documentation.) Typing and cross-matching blood drawn by you from the patient in front of you is much more likely to have you transfusing the right type of blood into the right patient.

But if the SCR isn't likely to be so much used by the emergency staff we're all told would? might? find it helpful, it still opens up much broader possibilities of abuse. It's this part of the system that the GP above was complaining about: you cannot tell who will have access or under what circumstances.

GPs do, in a sense, have a horse in this race, in that if patient data moves out of their control they have lost an important element of their function as gatekeepers. But given everything we know about how and why large government IT projects fail, surely the best approach is small, local projects that can be scaled up once they're shown to be functional and valuable. And GPs are the people at the front lines who will be the first to feel the effects of a loss of patient trust.

A similar concern has kept me from joining at study whose goals I support, intended to determine if there is a link between mobile phone use and brain cancer. The study is conducted by an ultra-respectable London university; they got my name and address from my mobile network operator. But their letter notes that participation means giving them unlimited access to my medical records for the next 25 years. I'm 56, about the age of the earliest databases, and I don't know who I'll be in 25 years. Technology is changing faster than I am. What does this decision mean?

There's no telling. Had they said I was giving them permission for five years and then would be asked to renew, I'd feel differently about it. Similarly, I'd be more likely to agree had they said that under certain conditions (being diagnosed with cancer, dying, developing brain disease) my GP would seek permission to release my records to them. But I don't like writing people blank checks, especially with so many unknowns over such a long period of time. The SCR is a blank check.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series

August 20, 2010

Naming conventions

Eric Schmidt, the CEO of Google, is not a stupid person, although sometimes he plays one for media consumption. At least, that's how it seemed this week, when the Wall Street Journal reported that he had predicted, apparently in all seriousness, that the accumulation of data online may result in the general right for young people to change their names on reaching adulthood in order to escape the embarrassments of their earlier lives.

As Danah Boyd commented in response, it is to laugh.

For one thing, every trend in national and international law is going toward greater, permanent trackability. I know the UK is dumping the ID card and many US states are stalling on Real ID, but try opening a new bank account in the US or Europe, especially if you're a newly arrived foreigner. It's true that it's not so long ago - 20 years, perhaps - that people, especially in California, did change their names at the drop of an acid tablet. I'm fairly sure, for example, that the woman I once knew as Dancingtree Moonwater was not named that by her parents. But those days are gone with the anti-money laundering regulations, the anti-terrorist laws, and airport security.

For one thing, when is he imagining the adulthood moment to take place? When they're 17 and applying to college and need to cite their past records of good works, community involvement, and academic excellence? When they're 21 and graduating from college and applying for jobs and need to cite their past records of academic excellence, good works, and community involvement? I don't know about you, but I suspect that an admissions officer/prospective employer would be deeply suspicious of a kid coming of age today who had, apparently, no online history at all. Even if that child is a Mormon.

For another, changing your name doesn't change your identity (even if the change is because you got married). Investigators who track down people who've dropped out of their lives and fled to distant parts to start new ones often do so by, among other things, following their hobbies. You can leave your spouse, abandon your children, change jobs, and move to a distant location - but it isn't so easy to shake a passion for fly-fishing or 1957 Chevys. The right to reinvent yourself, as Action on Rights for Children's Terri Dowty pointed out during the campaign against the child-tracking database ContactPoint, is an important one. But that means letting minor infractions and youthful indiscretions fade into the mists of time, not to be pulled out and laughed until, say, 30 years hence, rather than being recorded in a database that thinks it "knows" you.

I think Schmidt knows all this perfectly well. And I think if such an infrastructure - turn 16, create a new identity - were ever to be implemented the first and most significant beneficiary would be...Google. I would expect most people's search engine use to provide as individual a fingerprint as, well, fingerprints. (This is probably less true for journalists, who research something different every week and therefore display the database equivalent of multiple personality disorder.)

Clearly if the solution to young people posting silly stuff online where posterity can bite them on the ass is a change of name the only way to do it is to assign kids online-only personas at birth that can be retired when they reach an age of reason. But in such a scenario, some kids would wind up wanting to adopt their online personas as their real ones because their online reputation has become too important in their lives. In the knowledge economy, as plenty of others have pointed out, reputation is everything.

This is, of course, not a new problem. As usual. When, in 1995, DejaNews (bought by Google some years back to form the basis of the Google Groups archive) was created, it turned what had been ephemeral Usenet postings into a permanent archive. If you think people post stupid stuff on Facebook now, when they know their friends and families are watching, you should have seen the dumb stuff they posted on Usenet when they thought they were in the online equivalent of Benidorm, where no one knew them and there were no consequences. Many of those Usenet posters were students. But I also recall the newly appointed CEO of a public company who went around the WELL deleting all his old messages. Didn't mean there weren't copies...or memories.

There is a genuine issue here, though, and one that a very smart friend with a 12-year-old daughter worries about regularly: how do you, as a parent, guide your child safely through the complexities of the online world and ensure that your child has the best possible options for her future while still allowing her to function socially with her peers? Keeping her offline is not an answer. Neither are facile statements from self-interested CEOs who, insulated by great wealth and technological leadership, prefer to pretend to themselves that these issues have already been decided in their favor.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

August 13, 2010

Pirate flags

Wednesday's Future Human - The Piracy Panacea event missed out on a few topics, among them network neutrality, an issue I think underlies many net.wars debates: content control, privacy, security. The Google-Verizon proposals sparked much online discussion this week. I can only reiterate my belief that net neutrality should be seen as an anti-trust issue. A basic principle of anti-trust law (Standard Oil, the movie studios) is that content owners should not be allowed to own the means of distribution, and I think this readily applies to cable companies that own TV stations and telephone companies that are carriers for other people's voice services.

But the Future Human event was extraordinary enough without that. Imagine: more than 150 people squished into a hot, noisy pub, all passionately interested in...copyright! It's only a few years ago that entire intellectual property law school classes would fit inside a broom cupboard. The event's key question: does today's "piracy" point the way to future innovation?

The basis of that notion seemed to be that historically pirates have forced large imperial powers to change and weren't just criminals. The event's light-speed introduction whizzed through functionally democratic pirate communities and pirate radio, and a potted history of authorship from Shakespeare and Newton to Lady Gaga. There followed mock trials of a series of escalating copyright infringements in which it became clear that the audience was polarized and more or less evenly divided.

There followed our panel: me, theoretically representing the Open Rights Group; Graham Linehan, creator of Father Ted and The IT Crowd; Jamie King, writer and director of Steal This Film; and economist Thierry Rayna. Challenged, of course, by arguers from the audience, one of whom declined to give her affiliation on the grounds that she'd get lynched (I doubt this). Partway through the panel someone complained on Twitter that we weren't answering the question the event had promised to tackle: how can the creative industries build on file-sharing and social networks to create the business models of the future?

It seems worth trying to answer that now.

First, though, I think it's important to point out that I don't think there's much that's innovative about downloading a TV show or MP3. The people engaged in downloading unauthorized copies of mainstream video/audio, I think, are not doing anything particularly brave. The people on the front lines are the ones running search engines and services. These people are indeed innovators, and some of them are doing it at substantial personal risk. And they cannot, in general, get legal licenses from rights holders, a situation that could be easily changed by the rights holders. Napster, which kicked the copyright wars into high gear and made digital downloads a mainstream distribution method, is now ten years ago. Yet rights holders are still trying to implement artificial scarcity (to replace real scarcity) and artificial geography (to replace real geography). The death of distance, as Economist writer Frances Cairncross called it in 1997, changes everything, and trying to pretend it doesn't is absurd. The download market has been created by everyone *but* the record companies, who should have benefited most.

Social networks - including the much-demonized P2P networks - provide the greatest mechanism for word of mouth in the history of human culture. And, as we all know, word of mouth is the most successful marketing available, at least for entertainment.

It also seems obvious that P2P and social networks are a way for companies to gauge the audience better before investing huge sums. It was obvious from day one, for example, that despite early low official ratings and mixed reviews, Gossip Girl was a hit. Why? Because tens of thousands of people were downloading it the instant it came online after broadcast. Shouldn't production company accountants be all over this? Use these things as a testbed instead of having the fall pilots guessed on by a handful of the geniuses who commissioned Cavemen and the US version of Coupling and cancelled Better Off Ted. They could have a lot clearer picture of what kind of audience a show might find and how quickly.

Trying to kill P2P and other technologies just makes them respawn like the Hydra. The death of Napster (central server) begat Gnutella and eDonkey (central indexes), lawsuits against whose software developers begat the even more decentralized BitTorrent. When millions and tens of millions of people are flocking to a new technology rights holders should be there, too.

The real threat is always going to be artists taking their business into their own hands. For every Lady Gaga there are thousands of artists who, given some basic help can turn their work into the kind of living wage that allows them to pursue their art full-time and professionally. I would think there is a real business in providing these artists with services - folksingers, who've never had this kind of help, have produced their own recordings for decades, and having done it myself I can tell you it's not easy. This was the impulse behind the foundation of CDBaby, and now of Jamie King's VoDo. In the long run, things like this are the real game-changers.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

August 6, 2010

Bride of Clipper

"It's the Clipper chip," said Ross Anderson, or more or less, "risen out of its grave trailing clanking chains and covered in slime." Anderson was talking about the National Strategy for Trusted Identities in Cyberspace, a plan hatched in the US and announced by cybersecurity czar Howard Schmidt in June.

The Clipper chip was the net.war in progress when I went to my first Computers, Freedom, and Privacy conference, the 1994 edition, held in Chicago. The idea behind Clipper was kind of cute: the government, in the form of the NSA, had devised a cryptographic chip that could be installed in any telecommunications device to encrypt and decrypt any communications it transmitted or received. The catch: the government would retain a master key to allow it to decrypt anything it wanted whenever it felt the need. Privacy advocates and civil libertarians and security experts joined to fight a battle royal against its adoption as a government standard. We'll never know how that would have come out because while passions were still rising a funny thing happened: cryptographer Matt Blaze discovered he could bypass the government's back door (PDF) and use the thing to send really encrypted communications. End of Clipper chip.

At least, as such.

The most important element of the Clipper chip, however - key escrow - stayed with us a while longer. It means what it sounds like: depositing a copy of your cryptographic key, which is supposed to be kept secret, with an authority. During the 1990s run of fights over key escrow (the US and UK governments wanted it; technical experts, civil libertarians, and privacy advocates all thought it was a terrible idea) such authorities were referred to as "trusted third parties" (TTPs). At one event Privacy International organised to discuss the subject, government representatives made it clear their idea of TTPs were banks. They seemed astonished to discover that in fact people don't trust their banks that much. By the time the UK's Regulation of Investigatory Powers Act was passed in 2000, key escrow had been eliminated.

But it is this very element - TTPs and key escrow - that is clanking along to drip slime on the NSTIC. The proposals are, of course, still quite vague, as the Electronic Frontier Foundation has pointed out. But the proposals do talk of "trusted digital identities" and "identity providers" who may be from the public or private sectors. They talk less, as the Center for Democracy and Technology has pointed out, about the kind of careful user-centric, role-specific, transactional authentication that experts like Jan Camenisch and Stefan Brands have long advocated. (Since I did that 2007 interview with him, Brands' company, Credentica, has been bought by Microsoft and transformed into its new authentication technology, U-Prove.) Have an identity ecosystem, by all means, but the key to winning public trust - the most essential element of any such system - will be ensuring that identity providers are not devised as Medium-sized Brothers-by-proxy.

Blaze said at the time that the Feds were pretty grown-up about the whole thing. Still, I suppose it was predictable that it would reappear. Shortly after the 9/11 attacks Jack Straw, then foreign minister, called those of us who opposed key escrow in the 1990s "very naïve". The rage over that kicked off the first net.wars column.

The fact remains that if you're a government and you want access to people's communications and those people encrypt those communications there are only two approaches available to you. One: ban the technology. Two: install systems that let you intercept and decode the communications at will. Both approaches are suddenly vigorously on display with respect to Blackberry devices, which offer the most secure mobile email communications we have (which is why businesses and governments love them so much for their own use).

India wants to take the second approach, but will settle for the first if Research in Motion doesn't install a server in India, where it can be "safely" monitored. The UAE, as everyone heard this week, wants to ban it starting on October 11. (I was on Newsnight Tuesday to talk about this with Kirsty Wark and Alan West.)

No one, not CDT, PI, or EFF, not even me, disputes that there are cases where intercepting and reading communications - wiretapping - is necessary in the interest of protecting innocent lives. But what key escrow and its latter variants enables, as Susan Landau, a security researcher and co-author of Privacy on the Line: The Politics of Wiretapping and Encryption, has noted, is covert wiretapping. Or, choose your own favorite adjective: covert, warrantless, secret, unauthorized, illegal... It would be wonderful to be able to think that all law enforcement heroes are noble, honorable, and incapable of abusing the power we give them. But history says otherwise: where there is no oversight, abuse follows. Judicial oversight of wiretapping requests is our bulwark against mass surveillance.

CDT, EFF, and others are collecting ideas for improving NSTIC, starting with extending the period for public comments, which was distressingly short (are we seeing a pattern develop here?). Go throw some words at the problem.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.