net.wars

The 17 judges of the European Court of Human Rights ruled unanimously yesterday that the UK's DNA database, which contains more than 3 million DNA samples, violates Article 8 of the European Convention on Human Rights. The key factor: retaining, indefinitely, the DNA samples of people who have committed no crime.

It's not a complete win for objectors to the database, since the ruling doesn't say the database shouldn't exist, merely that DNA samples should be removed once their owners have been acquitted in court or the charges have been dropped. England, the court said, should copy Scotland, which operates such a policy.

The UK comes in for particular censure, in the form of the note that "any State claiming a pioneer role in the development of new technologies bears special responsibility for striking the right balance..." In other words, before you decide to be the first on your block to use a new technology and show the rest of the world how it's done, you should think about the consequences.

Because it's true: this is the kind of technology that makes surveillance and control-happy governments the envy of other governments. For example: lacking clues to lead them to a serial killer, the Los Angeles Police Department wants to copy Britain and use California's DNA database to search for genetic profiles similar enough to belong to a close relative .The French DNA database, FNAEG, was proposed in 1996, created in 1998 for sex offenders, implemented in 2001, and broadened to other criminal offenses after 9/11 and again in 2003: a perfect example of function creep. But the French DNA database is a fiftieth the size of the UK's, and Austria's, the next on the list, is even smaller.

There are some wonderful statistics about the UK database. DNA samples from more than 4 million people are included on it. Probably 850,000 of them are innocent of any crime. Some 40,000 are children between the ages of 10 and 17. The government (according to the Telegraph) has spent £182 million on it between April 1995 and March 2004. And there have been suggestions that it's too small. When privacy and human rights campaigners pointed out that people of color are disproportionately represented in the database, one of England's most experienced appeals court judges, Lord Justice Sedley, argued that every UK resident and visitor should be included on it. Yes, that's definitely the way to bring the tourists in: demand a DNA sample. Just look how they're flocking to the US to give fingerprints, and how many more flooded in when they upped the number to ten earlier this year. (And how little we're getting for it: in the first two years of the program, fingerprinting 44 million visitors netted 1,000 people with criminal or immigration violations.)

At last week's A Fine Balance conference on privacy-enhancing technologies, there was a lot of discussion of the key technique of data minimization. That is the principle that you should not collect or share more data than is actually needed to do the job. Someone checking whether you have the right to drive, for example, doesn't need to know who you are or where you live; someone checking you have the right to borrow books from the local library needs to know where you live and who you are but not your age or your health records; someone checking you're the right age to enter a bar doesn't need to care if your driver's license has expired.

This is an idea that's been around a long time - I think I heard my first presentation on it in about 1994 - but whose progress towards a usable product has been agonizingly slow. IBM's PRIME project, which Jan Camenisch presented, and Microsoft's purchase of Credentica (which wasn't shown at the conference) suggest that the mainstream technology products may finally be getting there. If only we can convince politicians that these principles are a necessary adjunct to storing all the data they're collecting.

What makes the DNA database more than just a high-tech fingerprint database is that over time the DNA stored in it will become increasingly revealing of intimate secrets. As Ray Kurzweil kept saying at the Singularity Summit, Moore's Law is hitting DNA sequencing right now; the cost is accordingly plummeting by factors of ten. When the database was set up, it was fair to characterize DNA as a high-tech version of fingerprints or iris scans. Five - or 15, or 25, we can't be sure - years from now, we will have learned far more about interpreting genetic sequences. The coded, unreadable messages we're storing now will be cleartext one day, and anyone allowed to consult the database will be privy to far more intimate information about our bodies, ourselves than we think we're giving them now.

Unfortunately, the people in charge of these things typically think it's not going to affect them. If the "little people" have no privacy, well, so what? It's only when the powers they've granted are turned on them that they begin to get it. If a conservative is a liberal who's been mugged, and a liberal is a conservative whose daughter has needed an abortion, and a civil liberties advocate is a politician who's been arrested...maybe we need to arrest more of them.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 5:02 PM | Permalink | Comments (0) | TrackBacks (0)

"I call it tracking," said a young woman. She had healthy classic-length hair, a startling sheaf of varyingly painful medical problems, and an eager, frequent smile. She spends some minutes every day noting down as many as 40 different bits of information about herself: temperature, hormone levels, moods, the state of the various medical problems, the foods she eats, the amount and quality of sleep she gets. Every so often, she studies the data looking for unsuspected patterns that might help her defeat a problem. By this means, she says she's greatly reduced the frequency of two of them and was working on a third. Her doctors aren't terribly interested, but the data helps her decide which of their recommendations are worth following.

And she runs little experiments on herself. Change a bunch of variables, track for a month, review the results. If something's changed, go back and look at each variable individually to find the one that's making the difference. And so on.

Of course, everyone with the kind of medical problem - diabetes, infertility, allergies, cramps, migraines, fatigue - that medicine can't really solve - has done something like this for generations. Diabetics in particularly have long had to track and control their blood sugar levels. What's different is the intensity - and the computers. She currently tracks everything in an Excel spreadsheet, but what she's longing for is good tools to help her with data analysis.

From what Gary Wolf, the organizer of this group, Quantified Self, says - about 30 people are here for its second meeting, after hours at Palo Alto's Institute for the Future to swap notes and techniques on personal tracking - getting out of the Excel spreadsheet is a key stage in every tracker's life. Each stage of improvement thereafter gets much harder.

Is this a trend? Co-founder Kevin Kelley thinks so, and so does the Washington Post, which covered this group's first meeting. You may not think you will ever reach the stage of obsession that would lead you to go to a meeting about it, but in fact, if the interviews I did with new-style health companies in the past year is any guide, we're going to be seeing a lot of this in the health side of things. Home blood pressure monitors, glucose tests, cholesterol tests, hormone tests - these days you can buy these things in Wal-Mart.

The key question is clearly going to be: who owns your health data? Most of the medical devices in development assume that your doctor or medical supplier will be the one doing the monitoring; the dozens of Web sites highlighted in that Washington Post article hope there's a business in helping people self-track everything from menstrual cycles to time management. But the group in Palo Alto are more interested in self-help: in finding and creating tools everyone can use, and in interoperability. One meeting member shows off a set of consumer-oriented prototypes - bathroom scale, pedometer, blood pressure monitor, that send their data to software on your computer to display and, prospectively, to a subscription Web site. But if you're going to look at those things together - charting the impact of how much you walk on your weight and blood pressure - wouldn't you also want to be able to put in the foods you eat? There could hardly be an area where open data formats will be more important.

All of that makes sense. I was less clear on the usefulness of an idea another meeting member has - he's doing a start-up to create it - a tiny, lightweight recording camera that can clip to the outside of a pocket. Of course, this kind of thing already has a grand, old man in the form of Steve Mann, who has been recording his life with an increasingly small sheaf of devices for a couple of decades now. He was tired, this guy said, of cameras that are too difficult to use and too big and heavy; they get left at home and rarely used. This camera they're working on will have a wide-angle lens ("I don't know why no one's done this") and take two to five pictures a second. "That would be so great," breathes the guy sitting next to me.

Instantly, I flash on the memory of Steve Mann dogging me with flash photography at Computers, Freedom, and Privacy 2005. What happens when the police subpoenas your camera? How long before insurance companies and marketing companies offer discounts as inducements to people to wear cameras and send them the footage unedited so they can study behavior they currently can't reach?

And then he said, "The 10,000 greatest minutes of your life that your grandchildren have to see," and all you can think is, those poor kids.

There is a certain inevitable logic to all this. If retailers, manufacturers, marketers, governments, and security services are all convinced they can learn from data mining us why shouldn't we be able to gain insights by doing it ourselves?

At the moment, this all seems to be for personal use. But consider the benefits of merging it with Web 2.0 and social networks. At last you'll be able to answer the age-old question: why do we have sex less often than the Joneses?

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 4:36 PM | Permalink | Comments (0) | TrackBacks (0)

The basic complaints we've been making for years about law enforcement's and government's desire to collect masses of data have primarily focused on the obvious set of civil liberties issues: the chilling effect of surveillance, the right of individuals to private lives, the risk of abuse of power by those in charge of all that data. On top of that we've worried about the security risks inherent in creating such large targets from which data will, inevitably, leak sometimes.

This week, along came the National Research Council to offer a new trouble with dataveillance: it doesn't actually work to prevent terrorism. Even if it did work, the tradeoff of the loss of personal liberties against the security allegedly offered by policies that involve tracking everything everyone does from cradle to grave was hard to justify. But if it doesn't work - if all surveillance all the time won't make us actually safer - then the discussion really ought to be over.

The NAS report, Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Assessment, makes its conclusions clear: "Modern data collection and analysis techniques have had remarkable success in solving information-related problems in the commercial sector... But such highly automated tools and techniques cannot be easily applied to the much more difficult problem of detecting and preempting a terrorist attack, and success in doing so may not be possible at all."

Actually, the many of us who have had our cards stopped for no better reason than that the issuing bank didn't like the color of the Web site we were buying from, might question how successful these tools have been in the commercial sector. At the very least, it has become obvious to everyone how much trouble is being caused by false positives. If a similar approach is taken to all parts of everyone's lives instead of just their financial transactions, think how much more difficult it's going to be to get through life without being arrested several times a year.

The report again: "Even in well-managed programs such tools are likely to return significant rates of false positives, especially if the tools are highly automated." Given the masses of data we're talking about - the UK wants to store all of the nation's communications data for years in a giant shed, and a similar effort in the US would have to be many times as big - the tools will have to be highly automated. And - the report yet again - the difficulty of detecting terrorist activity "through their communications, transactions, and behaviors is hugely complicated by the ubiquity and enormoity of electronic databases maintained by both government agencies and private-sector corporations." The bigger the haystack, the harder it is to find the needle.

In a recent interview, David Porter, CEO of Detica, who has spent his entire career thinking about fraud prevention, said much the same thing. Porter's proposed solution - the basis of the systems Detica sells -is to vastly shrink the amount of data to be analyzed by throwing out everything we know is not fraud (or, as his colleague, Tom Black, said at the Homeland and Border Security conference in July, terrorist activity). To catch your hare, first shrink your haystack.

This report, as the title suggests, focuses particularly on balancing personal privacy against the needs of anti-terrorist efforts. (Although, any terrorist watching the financial markets the last couple of weeks would be justified in feeling his life's work had been wasted, since we can do all the damage that's needed without his help.) The threat from terrorists is real, the authors say - but so is the threat to privacy. Personal information in databases cannot be fully anonymized; the loss of privacy is real damage; and data varies substantially in quality. "Data derived by linking high-quality data with data of lesser quality will tend to be low-quality data." If you throw a load of silly string into your haystack, you wind up with a big mess that's pretty much useless to everyone and will be a pain in the neck to clean up.

As a result, the report recommends requiring systematic and periodic evaluation of every information-based government program against core values and proposes a framework for carrying that out. There should be "robust, independent oversight". Research and development of such programs should be carried out with synthetic data, not real data "anonymized"; real data should only be used once a program meets the proposed criteria for deployment and even then only phased in at a small number of sites and tested thoroughly. Congress should review privacy laws and consider how best to protect privacy in the context of such programs.

These things seem so obvious; but to get to this the point it's taken three years of rigorous documentation and study by a 21-person committee of unimpeachable senior scientists and review by members of a host of top universities, telephone companies, and top technology companies. We have to think the report's sponsors, who include the the National Science Foundation, and the Department of Homeland Security, will take the results seriously. Writing for Cnet, Declan McCullagh notes that the similar 1996 NRC CRISIS report on encryption was followed by decontrol of the export and use of strong cryptography two years later. We can but hope.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 4:47 PM | Permalink | Comments (0) | TrackBacks (0)

A certain amount of government and practical policy is being made these days based on the idea that you can take large amounts of data and anonymize it so researchers and others can analyze it without invading anyone's privacy. Of particular sensitivity is the idea of giving medical researchers access to such anonymized data in the interests of helping along the search for cures and better treatments. It's hard to argue with that as a goal - just like it's hard to argue with the goal of controlling an epidemic - but both those public health interests collide with the principle of medical confidentiality.

The work of Latanya Sweeney was I think the first hint that anonymizing data might not be so straightforward; I've written before about her work. This week, at the Privacy Enhancing Technologies Symposium in Leuven, Belgium (which I regrettably missed) researchers Arvind Narayanan and Vitaly Shmatikov from the University of Texas at Austin won an award sponsored by Microsoft for taking reidentifying supposedly anonymized data a step further.

The pair took a database released by the online DVD rental company Netflix last year as part of the $1 million Netflix Prize, a project to improve upon the accuracy of the system's predictions. You know the kind of thing, since it's built into everything from Amazon to Tivos - you give the system an idea of your likes and dislikes by rating the movies you've rented and the system makes recommendations for movies you'll like based on those expressed preferences. To enable researchers to work on the problem of improving these recommendations, Netflix released a dataset containing more than 100 million movie ratings contributed by nearly 500,000 subscribers between December 1999 and December 2005 with, as the service stated in its FAQ, all customer identifying information removed.

Maybe in a world where researchers only had one source of information that would be a valid claim. But just as Sweeney showed in 1997 that it takes very little in the way of public records to re-identify a load of medical data supplied to researchers in the state of Massachusetts, Narayananan and Shamtikov's work reminds us that we don't live in a world like that. For one thing, people tend disproportionately to rate their unusual, quirky favorites. Rating movies takes time; why spend it on giving The Lord of the Rings another bump when what people really need is to know about the wonders of King of Hearts, All That Jazz, and The Tall Blond Man with One Black Shoe? The consequence is that the Netflix dataset is what they call "sparse" - that is, there few subscribers have very similar records.

So: how much does someone need to know about you to identify a particular user from the database? It turns out, not much. The is the public ratings and dates at the Internet Movies Database, which include dates and real names. Narayanan and Shmatikov concluded that 99 percent of records could be uniquely identified from only eight matching ratings (of which two could be wrong); for 68 percent of the records you only need two (and reidentifying the rest becomes easier). And of course, if you know a little bit about the particular person whose record you want to identify things get a lot easier - the three movies I've just listed would probably identify me and a few of my friends.

Even if you don't care if your tastes in movies are private - and both US law and the American Library Association's take on library loan records would protect you more than you yourself would - there are couple of notable things here. First of all, the compromise last week whereby Google agreed to hand Viacom anonymized data on YouTube users isn't as good a deal for users as they might think. A really dedicated searcher might well think it worth the effort to come up with a way to re-identify the data - and so far rightsholders have shown themselves to be very dedicated indeed.

Second of all, the Thomas-Walport review on data-sharing actually recommends requiring NHS patients to agree to sharing data with medical researchers. There is a blithe assumption running through all the government policies in this area that data can be anonymized, and that as long as they say our privacy is protected it will be. It's a perfect example of what someone this week called "policy-based evidence-making".

Third of all, most such policy in this area assumes it's the past that matters. What may be of greater significance, as Narayanan and Shmatikov point out, is the future: forward privacy. Once a virtual identity has been linked to a real-world identity, that linkage is permanent. Yes, you can create a new virtual identity, but any slip that links it to either your previous virtual or your real-world identity blows your cover.

The point is not that we should all rush to hide our movie ratings. The point is that we make optimistic assumptions every day that the information we post and create has little value and won't come back to bite us on the ass. We do not know what connections will be possible in the future.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 3:40 PM | Permalink | Comments (0) | TrackBacks (0)

It must be hard to be the Direct Marketing Association. All individuals in the DMA must know that they themselves hate getting marketing calls during dinner, weeding the real post out from the junk mail, and constantly having to unsubscribe from email lists that they're only on because they had the misfortune to buy something from the sender. Collectively, the DMA remains firmly convinced that people want advertising really, it just has to be targeted right (at which point people no longer call it advertising). It must be very hard for everyone involved to maintain this level of cognitive dissonance.

And it leads them to do things as an organization that probably each individual would oppose if they were working for someone else. Today the DMA is opposing the withdrawal of the edited electoral register, a recommendation appearing in the Data-Sharing Review, published by the Ministry of Justice and written by Information Commissioner Richard Thomas and Dr Mark Walport. There's a lot of interesting stuff to digest; the electoral register issue is one of the simpler bits.

To recap: historically the UK, like the US, treated the electoral rolls as public information. In the UK every household gets sent a canvassing form once a year that comes with a stern warning that you are legally required to register.

Starting in the 1830s, the British electoral rolls have been available for public inspection and sale; what a godsend for direct marketers as their industry grew up. As of 2001, electoral registration officers are required to sell a copy of the register at a specified price to anyone who wants it under Regulation 48 of the Representation of the People (England and Wales) Regulations. Almost immediately there were objections on privacy grounds, most notably a complaint by Pontefract-based Brian Robertson, a retired accountant, against Wakefield City Council because there was no provision for him to prevent the sale of his information for commercial use. He refused to register, took them to court - and won.

The regulations were promptly amended to require councils to maintain two registers: the full public register and an edited version that could be sold to commercial organizations and others and to which voters would be added automatically - but with the right to opt out. The first edited registers appeared in 2002.

And there was a lot of confusion. The canvassing forms that first year didn't make it very clear what the edited register was, and it was easy to make the mistake of thinking that if you opted out you would not be able to vote. Subsequent years saw amended forms that made it more clear just what you were opting out of. And the results really shouldn't surprise anyone: in the latest rolls 40 percent of voters opted out, double the percentage in the first years. Given that, it's not entirely clear why the government needs to withdraw the register. If they just wait a few more years everyone of any value to marketers will have opted out, and the edited rolls will become useful again as a list of all the people who aren't worth marketing to. Anyone left presumably either didn't understand the form, so lonely they enjoy the attention, or so mentally afflicted that someone else filled out the form for them.

The full register is available - at least in theory - only to a select group of people and organizations: political parties for electoral purposes, credit reference agencies to check names and addresses when people apply for credit, and law enforcement. The main purchasers of the edited register, the Thomas-Walport report notes, are direct marketing companies and companies compiling directories.

Thomas and Walport disapprove of its existence on these grounds: "It sends a particularly poor message to the public that personal information collected for something as vital as participation in the democratic process can be sold to 'anyone for any purpose'."

A key data protection principle is that a chance of use in personal information requires the consent of the individual. If ever there were a more significant change of use than selling information collected to enable people to vote to third party companies for general marketing purposes, I don't know what it would be.

The DMA's objection to its withdrawal is that its members won't be able to clean their lists and keep them accurate and up-to-date. And it happily sees the direct mail envelope as more than half full: "Some householders have opted out, but around 60 petrcent have chosen to remain on the edited register." They don't believe the forms are all confusing. And the DMA plays the environmental card: targeting reduces the amount of waste paper the industry produces.

One issue neither group tackles is whether the register represents a significant source of income for councils. How much are we willing to pay for privacy. This warrants more research; a quick glance turns up figures from Bath and North East Somerset Counil. In 2005-2006, the council netted £1,553 and £380.50 for the sales of the full and edited registers respectively; in 2006-2007 those figures were £1558.50 and £681. If that's indicative of national trends, we can afford it, especially given the savings on administering the opt-out process.

"The edited register does serve a purpose," the DMA concludes, "and so should not be abolished." A purpose, yes. Just not our purpose.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 1:56 PM | Permalink | Comments (0) | TrackBacks (0)

This week we got the detail on what went wrong at Her Majesty's Revenue and Customs that led to the loss of those two CDs full of the personal details of 25 million British households last year with the release of the Poynter Review (PDF). We also got a hint of how and whether the future might be different with the publication yesterday of Data Handling: Proecures in Government (PDF), written by Sir Gus O'Donnell and commissioned by the Prime Minister after the HMRC loss. The most obvious message of both reports: government needs to secure data better.

The nicest thing the Poynter review said was that HMRC has already made changes in response to its criticisms. Otherwise, it was pretty much a surgical demonstration of "institutional deficiencies".

The chief points:

- Security was not HMRC's top priority.

- HMRC in fact had the technical ability to send only the selection of data that NAO actually needed, but the staff involved didn't know it.

- There was no designated single point of contact between HMRC and NAO.

- HMRC used insecure methods for data storage and transfer.

- The decision to send the CDs to the NAO was taken by junior staff without consulting senior managers - which under HMRC's own rules they should have done.

- The reason HMRC's junior staff did not consult managers was that they believed (wrongly) that NAO had absolute authority to access any and all information HMRC had.

- The HMRC staffer who dispatched the discs incorrectly believed the TNT Post service was secure and traceable, as required by HMRC policy. A different TNT service that met those requirements was in fact available.

- HMRC policies regarding information security and the release of data were not communicated sufficiently through the organization and were not sufficiently detailed.

- HMRC failed on accountability, governance, information security...you name it.

The real problem, though, isn't any single one of these things. If junior staff had consulted senior staff, it might not have mattered that they didn't know what the policies were. If HMRC used proper information security and secure methods for data storage (that is, encryption rather than simple password protection), they wouldn't have had access to send the discs. If they'd understood TNT's services correctly, the discs wouldn't have gotten lost - or at least been traceable if they had.

The real problem was the interlocking effect of all these factors. That, as Nassim Nicholas Taleb might say, was the black swan.

For those who haven't read Taleb's The Black Swan: The Impact of the Highly Improbable, the black swan stands for the event that is completely unpredictable - because, like black swans until one was spotted in Australia, no such thing has ever been seen - until it happens. Of course, data loss is pretty much a white swan; we've seen lots of data breaches. The black swan, really, is the perfectly secure system that is still sufficiently open for the people who need to use it.

That challenge is what O'Donnell's report on data handling is about and, as he notes, it's going to get harder rather than easier. He recommends a complete rearrangement of how departments manage information as well as improving the systems within individual departments. He also recommends greater openness about how the government secures data.

"No organisation can guarantee it will never lose data," he writes, "and the Government is no exception." O'Donnell goes on to consider how data should be protected and managed, not whether it should be collected or shared in the first place. That job is being left for yet another report in progress, due soon.

It's good to read that some good is coming out of the HMRC data loss: all departments are, according to the O'Donnell report, reviewing their data practices and beginning the process of cultural change. That can only be a good thing.

But the underlying problem is outside the scope of these reports, and it's this government's fondness for creating giant databases: the National Identity Register, ContactPoint, the DNA database, and so on. If the government really accepted the principle that it is impossible to guarantee complete data security, what would they do? Logically, they ought to start by cancelling the data behemoths on the understanding that it's a bad idea to base public policy on the idea that you can will a black swan into existence.

It would make more sense to create a design for government use of data that assumes there will be data breaches and attempts to limit the adverse consequences for the individuals whose data is lost. If my privacy is compromised alongside 50 million other people's and I am the victim of identity theft does it help me that the government department that lost the data knows which staff member to blame?

As Agatha Christie said long ago in one of her 80-plus books, "I know to err is human, but human error is nothing compared to what a computer can do if it tries." The man-machine combination is even worse. We should stop trying to breed black swans and instead devise systems that don't create so many white ones.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 4:07 PM | Permalink | Comments (0) | TrackBacks (0)

It's easy to found an organization; it's hard to keep one alive even for as long as ten years. This week, the Foundation for Information Policy Research celebrated its tenth birthday. Ten years is a long time in Internet terms, and even longer when you're trying to get government to pay attention to expertise in a subject as difficult as technology policy.

My notes from the launch contain this quote from FIPR's first director, Caspar Bowden, which shows you just how difficult FIPR's role was going to be: "An educational charity has a responsibility to speak the truth, whether it's pleasant or unpleasant." FIPR was intended to avoid the narrow product focus of corporate laboratory research and retain the traditional freedoms of an academic lab.

My notes also show the following list of topics FIPR intended to research: the regulation of electronic commerce; consumer protection; data protection and privacy; copyright; law enforcement; evidence and archiving; electronic interaction between government, businesses, and individuals; the risks of computer and communications systems; and the extent to which information technologies discriminate against the less advantaged in society. Its first concern was intended to be researching the underpinnings of electronic commerce, including the then recent directive launched for public consultation by the European Commission.

In fact, the biggest issue of FIPR's early years was the crypto wars leading up to and culminating in the passage of the Regulation of Investigatory Powers Act (2000). It's safe to say that RIPA would have been a lot worse without the time and energy Bowden spent listening to Parliamentary debates, decoding consultation papers, and explaining what it all meant to journalists, politicians, civil servants, and anyone else who would listen.

Not that RIPA is a fountain of democratic behavior even as things are. In the last couple of weeks we've seen the perfect example of the kind of creeping functionalism that FIPR and Privacy International warned about at the time: the Poole council using the access rules in RIPA to spy on families to determine whether or not they really lived in the right catchment area for the schools their children attend.

That use of the RIPA rules, Bowden said at at FIPR's half-day anniversary conference last Wednesday, sets a precedent for accessing traffic data for much lower level purposes than the government originally claimed it was collecting the data for. He went on to call the recent suggestion that the government may be considering a giant database, updated in real time, of the nation's communications data "a truly Orwellian nightmare of data mining, all in one place."

Ross Anderson, FIPR's founding and current chair and a well-known security engineer at Cambridge, noted that the same risks adhere to the NHS database. A clinic that owns its own data will tell police asking for the names of all its patients under 16 to go away. "If," said Anderson, "it had all been in the NHS database and they'd gone in to see the manager of BT, would he have been told to go and jump in the river? The mistake engineers make too much is to think only technology matters."

That point was part of a larger one that Anderson made: that hopes that the giant databases under construction will collapse under their own weight are forlorn. Think of developing Hulk-Hogan databases and the algorithms for mining them as an arms race, just like spam and anti-spam. The same principle that holds that today's cryptography, no matter how strong, will eventually be routinely crackable means that today's overload of data will eventually, long after we can remember anything we actually said or did ourselves, be manageable.

The most interesting question is: what of the next ten years? Nigel Hickson, now with the Department of Business, Enterprise, and Regulatory Reform, gave some hints. On the European and international agenda, he listed the returning dominance of the large telephone companies on the excuse that they need to invest in fiber. We will be hearing about quality of service and network neutrality. Watch Brussels on spectrum rights. Watch for large debates on the liability of ISPs. Digital signatures, another battle of the late 1990s, are also back on the agenda, with draft EU proposals to mandate them for the public sector and other services. RFID, the "Internet for things" and the ubiquitous Internet will spark a new round of privacy arguments.

Most fundamentally, said Anderson, we need to think about what it means to live in a world that is ever more connected through evolving socio-technological systems. Government can help when markets fail; though governments themselves seem to fail most notoriously with large projects.

FIPR started by getting engineers, later engineers and economists, to talk through problems. "The next growth point may be engineers and psychologists," he said. "We have to progressively involve more and more people from more and more backgrounds and discussions."

Probably few people feel that their single vote in any given election really makes a difference. Groups like FIPR, PI, No2ID, and ARCH remind us that even a small number of people can have a significant effect. Happy birthday.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 2:48 PM | Permalink | Comments (0) | TrackBacks (0)

Early this week the news broke that the Home Office wants to create a giant database in which will be stored details of all communications sent in Britain. In other words, instead of data retention, in which ISPs, telephone companies, and other service providers would hang onto communications data for a year or seven in case the Home Office wanted it, everything would stream to a Home Office data center in real time. We'll call it data swallowing.

Those with long memories - who seem few and far between in the national media covering this sort of subject - will remember that in about 1999 or 2000 there was a similar rumor. In the resulting outraged media coverage it was more or less thoroughly denied and nothing had been heard of it since, though privacy advocates continued to suspect that somewhere in the back of a drawer the scheme lurked, dormant, like one of those just-add-water Martians you find in the old Bugs Bunny cartoons. And now here it is again in another leak that the suspicious veteran watcher of Yes, Minister might think was an attempt to test public opinion. The fact that it's been mooted before makes it seem so much more likely that they're actually serious.

This proposal is not only expensive, complicated, slow, and controversial/courageous (Yes, Minister's Fab Four deterrents), but risk-laden, badly conceived, disproportionate, and foolish. Such a database will not catch terrorists, because given the volume of data involved trying to use it to spot any one would-be evil-doer will be the rough equivalent of searching for an iron filing in a haystack the size of a planet. It will, however, make it possible for anyone trawling the database to make any given individual's life thoroughly miserable. That's so disproportionate it's a divide-by-zero error.

The risks ought to be obvious: this is a government that can't keep track of the personal details of 25 million households, which fit on a couple of CDs. Devise all the rules and processes you want, the bigger the database the harder it will be to secure. Besides personal information, the giant communications database would include businesses' communication information, much of likely to be commercially sensitive. It's pretty good going to come up with a proposal that equally offends civil liberties activists and businesses.

In a short summary of the proposed legislation, we find this justification: "Unless the legislation is updated to reflect these changes, the ability of public authorities to carry out their crime prevention and public safety duties and to counter these threats will be undermined."

Sound familiar? It should. It's the exact same justification we heard in the late 1990s for requiring key escrow as part of the nascent Regulation of Investigatory Powers Act. The idea there was that if the use of strong cryptography to protect communications became widespread law enforcement and security services would be unable to read the content of the messages and phone calls they intercepted. This argument was fiercely rejected at the time, and key escrow was eventually dropped in favor of requiring the subjects of investigation to hand over their keys under specified circumstances.

There is much, much less logic to claiming that police can't do their jobs without real-time copies of all communications. Here we have real analogies: postal mail, which has been with us since 1660. Do we require copies of all letters that pass through the post office to be deposited with the security services? Do we require the Royal Mail's automated sorting equipment to log all address data?

Sanity has never intervened in this government's plans to create more and more tools for surveillance. Take CCTV. Recent studies show that despite the millions of pounds spent on deploying thousands of cameras all over the UK, they don't cut crime, and, more important, the images help solve crime in only 3 percent of cases. But you know the response to this news will not be to remove the cameras or stop adding to their number. No, the thinking will be like the scheme I once heard for selling harmless but ineffective alternative medical treatments, in which the answer to all outcomes is more treatment. (Patient gets better - treatment did it. Patient stays the same - treatment has halted the downward course of the disease. Patient gets worse - treatment came too late.)

This week at Computers, Freedom, and Privacy, I heard about the Electronic Privacy Information Center's work on fusion centers, relatively new US government efforts to mine many commercial and public sources of data. EPIC is trying to establish the role of federal agencies in funding and controlling these centers, but it's hard going.

What do these governments imagine they're going to be able to do with all this data? Is the fantasy that agents will be able to sit in a control room somewhere and survey it all on some kind of giant map on which criminals will pop up in red, ready to be caught? They had data before 9/11 and failed to collate and interpret it.

Iron filing; haystack; lack of a really good magnet.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 2:11 PM | Permalink | Comments (0) | TrackBacks (0)

There was a wonderful cartoon that cycled frequently around computer science departments in the pre-Internet 1970s - I still have my paper copy - that graphically illustrated the process by which IT systems get specified, designed, and built, and showed precisely why and how far they failed the user's inner image of what it was going to be. There is a scan here. The senior analyst wanted to make sure no one could possibly get hurt; the sponsor wanted a pretty design; the programmers, confused by contradictory input, wrote something that didn't work; and the installation was hideously broken.

Translate this into the UK's national ID card. Consumers, Sir James Crosby wrote in March (PDF)want identity assurance. That is, they - or rather, we - want to know that we're dealing with our real bank rather than a fraud. We want to know that the thief rooting through our garbage can't use any details he finds on discarded utility bills to impersonate us, change our address with our bank, clean out our accounts, and take out 23 new credit cards in our name before embarking on a wild spending spree leaving us to foot the bill. And we want to know that if all that ghastliness happens to us we will have an accessible and manageable way to fix it.

We want to swing lazily on the old tire and enjoy the view.

We are the users with the seemingly simple but in reality unobtainable fantasy.

The government, however - the project sponsor - wants the three-tiered design that barely works because of all the additional elements in the design but looks incredibly impressive. ("Be the envy of other major governments," I feel sure the project brochure says.) In the government's view, they are the users and we are the database objects.

Crosby nails this gap when he draws the distinction between ID assurance and ID management:

The expression 'ID management' suggests data sharing and database consolidation, concepts which principally serve the interests of the owner of the database, for example, the Government or the banks. Whereas we think of "ID assurance" as a consumer-led concept, a process that meets an important consumer need without necessarily providing any spin-off benefits to the owner of any database.

This distinction is fundamental. An ID system built primarily to deliver high levels of assurance for consumers and to command their trust has little in common with one inspired mainly by the ambitions of its owner. In the case of the former, consumers will extend use both across the population and in terms of applications such as travel and banking. While almost inevitably the opposite is true for systems principally designed to save costs and to transfer or share data.

As writer and software engineer Ellen Ullman wrote in her book Close to the Machine, databases infect their owners, who may start with good intentions but are ineluctibly drawn to surveillance.

So far, the government pushing the ID card seems to believe that it can impose anything it likes and if it means the tree collapses with the user on the swing, well, that's something that can be ironed out later. Crosby, however, points out that for the scheme to achieve any of the government's national security goals it must get mass take-up. "Thus," he writes, "even the achievement of security objectives relies on consumers' active participation."

This week, a similarly damning assessment of the scheme was released by the Independent Scheme Assurance Panel (PDF) (you may find it easier to read this clean translation - scroll down to policywatcher's May 8 posting). The gist: the government is completely incompetent at handling data, and creating massive databases will, as a result, destroy public trust in it and all its systems.

Of course, the government is in a position to compel registration, as it's begun doing with groups who can't argue back, like foreigners, and proposes doing for employees in "sensitive roles or locations, such as airports". But one of the key indicators of how little its scheme has to do with the actual needs and desires of the public is the list of questions it's asking in the current consultation on ID cards, which focus almost entirely on how to get people to love, or at least apply for, the card. To be sure, the consultation document pays lip service to accepting comments on any ID card-related topic, but the consultation is specifically about the "delivery scheme".

This is the kind of consultation where we're really damned if we do and damned if we don't. Submit comments on, for example, how best to "encourage" young people to sign up ("Views are invited particularly from young people on the best way of rolling out identity cards to them") without saying how little you like the government asking how best to market its unloved policy to vulnerable groups and when the responses are eventually released the government can say there are now no objectors to the scheme. Submit comments to the effect that the whole National Identity scheme is poorly conceived and inappropriate, and anything else you say is likely to be ignored on the grounds that they've heard all that and it's irrelevant to the present consultation. Comments are due by June 30.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 1:06 PM | Permalink | Comments (0) | TrackBacks (0)

Most net.wars are not new. Today's debates about free speech and censorship, copyright and control, nationality and disappearing borders were all presaged by the same discussions in the 1980s even as the Internet protocols were being invented. The rare exception: online gambling. Certainly, there were debates about whether states should regulate gambling, but a quick Usenet search does not seem to throw up any discussions about the impact the Internet was going to have on this particular pastime. Just sex, drugs, and rock 'n' roll.

The story started in March, when the French Tennis Federation (FFT - Fédération Française de Tennis) filed suit in Belgium against Betfair, Bwin, and Ladbrokes to prevent them from accepting bets on matches played at the upcoming French Open tennis championships, which start on May 25. The FFT's arguments are rather peculiar: that online betting stains the French Open's reputation; that only the FFT has the right to exploit the French Open; that the online betting companies are parasites using the French Open to make money; and that online betting corrupts the sport. Bwin countersued for slander.

On Tuesday of this week, the Liège court ruled comprehensively against the FFT and awarded the betting companies costs.

The FFT will still, of course, control the things it can: fans will be banned from using laptops and mobile phones in the stands. The convergence of wireless telephony, smart phones, and online sites means that in the second or two between the end of a point and the electronic scoreboard updating, there's a tiny window in which people could bet on a sure thing. Why this slightly improbable scenario concerns the FFT isn't clear; that's a problem for the betting companies. What should concern the FFT is ensuring a lack of corruption within the sport. That means the players and their entourages.

The latter issue has been a touchy subject in the tennis world ever since last August, when Russian player Nikolay Davydenko, currently fourth in the world rankings, retired in the third and final set of a match in Poland against 87th ranked Marin Vassallo Arguello, citing a foot injury. Davydenko was accused of match-fixing; the investigation still drags on. In the resulting publicity, several other players admitted being approached to fix matches. As part of subsequent rule-tightening by the Association of Tennis Professionals, the governing body of men's professional tennis, three Italian players were suspended briefly late last year for betting on other players' matches.

Probably the most surprising thing is that tennis, along with soccer and horse racing, is actually among the most popular sports for betting. A minority sport like tennis? Yet according to USA Today, the 2007 Paris Masters event saw $750 million to $1.5 billion in bets. I can only assume that the inverted pyramid of matches every week involving individual players fits well with what bettors like to do.

Fixing matches seems even more unlikely. The best payouts come from correctly picking upsets, the bigger the better. But top players are highly unlikely to throw matches to order. Most of them play a relatively modest number of events (Davydenko is admittedly the exception) and need all the match wins and points from those events to sustain their rankings. Plus, they're just too damn rich.

In 2007, Roger Federer, the ultra-dominant number one player since the end of 2003, earned upwards of $10 million in prize money alone; Davydenko picked up over $2 million (and has already won another $1 million in 2008). All of the top 12 earned over $1 million. Add in endorsements, and even after you subtract agents' fees, tax, and travel costs for self and entourage, you're still looking at wealthy guys. They might tank matches at events where they're being paid appearance fees (which are legal on the men's tour at all but the top 14 events, but proving they've done so is exceptionally difficult. Fixing matches, which could cost them in lost endorsements on top of the tour's own sanctions, surely can't be worth it.

There are several ironies about the FFT's action. First of all (something most of the journalists covering this story don't mention, probably because they don't spend a lot of time watching tennis on TV), Bwin has been an important advertiser sponsoring tennis on Eurosport. It's absolutely typical of the counter-productive and intricately incestuous politics that characterize the tennis world that one part of the sport would sue someone who pays money into another part of the sport.

Second of all, as Betfair and Bwin pointed out, all three of these companies are highly regulated European licensed operations. Ruling them out of action would mean shift online betting to less well regulated offshore companies. They also pointed out the absurdity of the parasites claim: how could they accept bets on an event without using its name? Betfair in particular documented its careful agreements with tennis's many governing bodies.

Third of all, the only reason match-fixing is an issue in the tennis world right now is that Betfair spotted some unusual betting patterns during that Polish Davydenko match, cancelled all the bets, and went public with the news. Without that, Davydenko would have avoided the fight over his family's phone records. Come to think of it, making the issue public probably explains the FFT's behavior: it's revenge.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 12:10 PM | Permalink | Comments (0) | TrackBacks (0)

Some years back when I was writing about the data protection directive, Simon Davies, director of Privacy International, predicted a trade war between the US and Europe over privacy laws. It didn't happen, or at least it hasn't happened yet.

The key element to this prediction was the rule in the EU's data protection laws that prohibited sending data on for processing to countries whose legal regimes aren't as protective as those of the EU. Of course, since then we've seen the EU sell out on supplying airline passenger data to the US. Even so, this week the Article 29 Data Protection Working Party made recommendations about how search engines save and process personal data that could drive another wedge between the US and Europe.

The Article 29 group is one of those arcane EU phenomena that you probably don't know much about unless you're a privacy advocate or paid to find out. The short version: it's a sort of think tank of data protection commissioners from all over Europe. The UK's Information Commissioner, Richard Thomas, is a member, as are his equivalents in countries from France to Lithuania.

The Working Party (as it calls itself) advises and recommends policies based on the data protection principles enshrined in the EU Data Protection Directive. It cannot make law, but both its advice to the European Commission and the Commission's action (or lack thereof) are publicly reported. It's arguable that in a country like the UK, where the Information Commissioner operates with few legal teeth to bite with, the existence of such a group may help strengthen the Commissioner's hand.

(Few legal teeth, at least in respect of government activities: the Information Commissioner has issued an opinion about Phorm indicating that the service must be opt-in only. As Phorm and the ISPs involved are private companies, if they persisted with a service that contravened data protection law, the Information Commissioner could issue legal sanctions. But while the Information Commissioner can, for example, rule that for an ISP to retain users' traffic data for seven years is disproportionate, if the government passes a law saying the ISP must do so then within the UK's legal system the Information Commissioner can do nothing about it. Similarly, the Information Commissioner can say, as he has, that he is "concerned" about the extent of the information the government proposes to collect and keep on every British resident, but he can't actually stop the system from being built.)

The group's key recommendation: search engines should not keep personally identifiable search histories for longer than six months, and it specifically includes search engines whose headquarters are based outside the EU. The group does not say which search engines it studied, but it was reported to be studying Google as long ago as last May. The report doesn't look at requirements to keep traffic data under the Data Retention Directive, as it does not apply to search engines.

Google's shortening the life of its cookies and anonymizing its search history logs after 18 months turns out to have a significance I didn't appreciate when, at the time, I dismissed it as insultingly trivial (which it was): it showed the Article 29 working group that the company doesn't really need to keep all that data for so long. In

One of the key items the Article 29 group had to decide in writing its report on data protection issues related to search engines (PDF) is this: are IP addresses personal information? It sounds like one of those bits of medieval sophistry, like asking how many angels can dance on the head of a pin. In the dial-up days, it might not have mattered, at least in Britain, where local phone charges forced limited usage, so users were assigned a different IP address every time they logged in. But in the world of broadband, where even the supposedly dynamic IP addresses issued by cable suppliers may remain with a single subscriber for years on end. Being able to track your IP address's activities is increasingly like being able to track your library card, your credit card, and your mobile phone all at the same time. Fortunately, the average ISP doesn't have the time to be that interested in most of its users.

The fact is that any single piece of information that identifies your activities over a long period and can be mapped to your real-life identity has to be considered personal information or the data protection laws make no sense. The libertarian view, of course, would be that there are other search engines. You do not actually have to use Google, Gmail, or even YouTube. But if all search engines adopted Google's habits the choice would be more apparent than real. Time was when the US was the world's policeman. With respect to data, it seems that the EU has taken on this role. It will be interesting to see whether this decision has any impact on Google's business model and practices. If it does, that trade war could finally be upon us. If not, then Google was building up a vast data store just because we can.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 3:03 PM | Permalink | Comments (0) | TrackBacks (0)

Las Vegas shouldn't exist. Who drops a sprawling display of electric lights with huge fountains and luxury hotels that into the best desert scenery on the planet during an energy crisis? Indoors, it's Britain in mid-winter; outdoors you're standing in a giant exhaust fan. The out-of-proportion scale means that everything is four times as far away as you think, including the jackpot you're not going to win at one of its casinos. It's a great place to visit if you enjoy wallowing in self-righteous disapproval.

This all makes it the stuff of song, story, and legend and explains why Jeff Jonas's presentation at etech was packed.

The way Jonas tells it in his blog and at his presentation, he got into the gaming industry by driving through Las Vegas in 1989 idly wondering what was going on behind the scenes at the casinos. A year later he got the tiny beginnings of an answer when he picked up a used couch he'd found in the newspaper classified ads (boy, that dates it, doesn't it?) and found that its former owner played blackjack "for a living". Jonas began consulting to the gaming industry in 1991, helping to open Treasure Island, Bellagio, and Wynn.

"Possibly half the casinos in the world use technology we created," he said at etech.

Gaming revenues are now less than half of total revenues, he said, and despite the apparent financial win they might represent problem gamblers are in fact bad for business. The goal is for people to have fun. And because of that, he said, a place like the Bellagio is "optimized for consumer experience over interference. They don't want to spend money on surveillance."

Jonas began with a slide listing some common ideas about how Las Vegas works, culled from movies like Ocean's 11 and the TV show Las Vegas. Does the Bellagio have a vault? (No.) Do casinos perform background checks on guests based on public records? (No.) Is there a gaming industry watch list you can put yourself on but not take yourself off? (Yes, for people who know they have a gambling addiction.) Do casinos deliberately hire ex-felons? (Yes, to rehabilitate them.) Do they really send private jets for high rollers? (Cue story.)

There was, he said, a casino high roller who had won some $18 million. A win like that is going to show up in a casino's quarterly earnings. So, yes, they sent a private jet to his town and parked a limo in front of his house for the weekend. If you've got the bug, we're here for you, that kind of thing. He took the bait, and lost $22 million.

Do they help you create cover stories? (Yes.) "What happens in Vegas stays in Vegas" is an important part of ensuring that people can have fun that does not come back to bite them when they go home. The casinos' problem is with identity, not disguises, because they are required by anti-money laundering rules to report it any time someone crosses the $10,000 threshold for cash transactions. So if you play at several different tables, then go upstairs and change disguises, and come back and play some more, they have to be able to track you through all that. ID, therefore, is extremely important. Disguises are welcome; fake ID is not.

Do they use facial recognition to monitor the doors to spot cheaters on arrival? (Well...)

Of course technology-that-is-indistinguishable-from-magic-because-it-actually-is-magic appears on every crime-solving TV show these days. You know, the stuff where Our Heroes start with a fuzzy CCTV image and they punch in on a tiny piece of it and blow it up. And then someone says, "Can you enhance that?" and someone else says, "Oh, yes, we have new software," and a second later a line goes down the picture filling in detail. And a second after that you can read the brand on the face of a wrist watch (Numb3rs or the manufacturer's coding on a couple of pills (Las Vegas. Or they have a perfect matching system that can take a partial fingerprint lifted off a strand of hair or something and bang! the database can find not only the person's identity but their current home address and phone number (Bones). And who can ever forget the first episode of 24, when Jack Bauer, alarmed at the disappearance of his daughter, tosses his phone number to an underling and barks, "Find me all the Internet passwords associated with this phone number."

And yet...a surprising number of what ought to be the technically best-educated audience on the planet thought facial recognition was in operation to catch cheaters. Folks, it doesn't work in airports, either.

Which is the most interesting thing Jonas said: he now works for IBM (which bought his company) on privacy and civil liberties issues, including work on software to help the US government spot terrorists without invading privacy. It's an interesting concept, partly because security at airports and other locations is now so invasive. But also because if Las Vegas can find a way to deploy surveillance such that only the egregious problems are caught and everyone else just has a good time...why can't governments?

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 3:17 PM | Permalink | Comments (0) | TrackBacks (0)

Apparently the US Congress is now being scripted by Jon Stewart of the Daily Show. In a twist of perfect irony, the House of Representatives has decided to hold its first closed session in 25 years to debate - surveillance.

But it's obvious why they want closed doors: they want to talk about the AT&T case. To recap: AT&T is being sued for its complicity in the Bush administration's warrantless surveillance of US citizens after its technician Mark Klein blew the whistle by taking documents to the Electronic Frontier Foundation (which a couple of weeks ago gave him a Pioneer Award for his trouble).

Bush has, of course, resisted any effort to peer into the innards of his surveillance program by claiming it's all a state secret, and that's part of the point of this Congressional move: the Democrats have fielded a bill that would give the whole program some more oversight and, significantly, reject the idea of giving telecommunications companies - that is, AT&T - immunity from prosecution for breaking the law by participating in warrantless wiretapping. 'Snot fair that they should deprive us of the fun of watching the horse-trading. It can't, surely, be that they think we'll be upset by watching them slag each other off. In an election year?

But it's been a week for irony, as Wikipedia founder Jimmy Wales has had his sex life exposed when he dumped his girlfriendand been accused of - let's call it sloppiness - in his expense accounts. Worse, he stands accused of trading favorable page edits for cash. There's always been a strong element of Schadenpedia around, but the edit-for-cash thing really goes to the heart of what Wikipedia is supposed to be about.

I suspect that nonetheless Wikipedia will survive it: if the foundation has the sense it seems to have, it will display zero tolerance. But the incident has raised valid questions about how Wikipedia can possibly sustain itself financially going forward. The site is big and has enviable masses of traffic; but it sells no advertising, choosing instead to live on hand-outs and the work of volunteers. The idea, I suppose, is that accepting advertising might taint the site's neutral viewpoint, but donations can do the same thing if they're not properly walled off: just ask the US Congress. It seems to me that an automated advertising system they did not control would be, if anything, safer. And then maybe they could pay some of those volunteers, even though it would be a pity to lose some of the site's best entertainment.

With respect to advertising, it's worth noting that Phorm, which we is under increasing pressure. Earlier this week, we had an opportunity to talk to Kent Ertegrul, CEO of Phorm, who continues to maintain that Phorm's system, because it does not store data, is more protective of privacy than today's cookie-driven Web. This may in fact be true.

Less certain is Ertegrul's belief that the system does not contravene the Regulation of Investigatory Powers Act, which lays down rules about interception. Ertegrul has some support from a informal letter from the Home Office whose reasoning seems to be that if users have consented and have been told how they can opt out, it's legal. Well, we'll see; there's a lot of debate going on about this claim and it will be interesting to hear the Information Commissioner's view. If the Home Office's interpretation is correct, it could open a lot of scope for abusive behavior that could be imposed upon users simply by adding it to the terms of service to which they theoretically consent when they sign up, and a UK equivalent of AT&T wanting to assist the government with wholesale warrantless wiretapping would have only to add it to the terms of service.

The real problem is that no one really knows how Phorm's system works. Phorm doesn't retain your IP address, but the ad servers surely have to know it when they're sending you ads. If you opt out but can still opt back in (as Ertegrul said you can), doesn't that mean you still have a cookie on your system and that your data is still passed to Phorm's system, which discards it instead of sending you ads? If that's the case, doesn't that mean you can not opt out of having your data shared? If that isn't how it works, then how does it work? I thought I understood it after talking to Ertegrul, I really did - and then someone asked me to explain how Phorm's cookie's usefulness persisted between sessions, and I wasn't sure any more. I think the Open Rights Group: Phorm should publish details of how its system works for experts to scrutinize. Until Phorm does that the misinformation Ertegrul is so upset about will continue. (More disclosure: I am on ORG's Advisory Council.

But maybe the Home Office is on to something. Bush could solve his whole problem by getting everyone to give consent to being surveilled at the moment they take US citizenship. Surely a newborn baby's footprint is sufficient agreement?

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 4:12 AM | Permalink | Comments (0) | TrackBacks (0)

There is a certain kind of mentality that is actually proud of not understanding computers, as if there were something honorable about saying grandly, "Oh, I leave all that to my children."

Outside of computing, only television gets so many people boasting of their ignorance. Do we boast how few books we read? Do we trumpet our ignorance of other practical skills, like balancing a cheque book, cooking, or choosing wine? When someone suggests we get dressed in the morning do we say proudly, "I don't know how"?

There is so much insanity coming out of the British government on the Internet/computing front at the moment that the only possible conclusion is that the government is made up entirely of people who are engaged in a sort of reverse pissing contest with each other: I can compute less than you can, and see? here's a really dumb proposal to prove it.

How else can we explain yesterday's news that the government is determined to proceed with Contactpoint even though the report it commissioned and paid for from Deloitte warns that the risk of storing the personal details of every British child under 16 can only be managed, not eliminated? Lately, it seems that there's news of a major data breach every week. But the present government is like a batch of 20-year-olds who think that mortality can't happen to them.

Or today's news that the Department of Culture, Media, and Sport has launched its proposals for "Creative Britain", and among them is a very clear diktat to ISPs: deal with file-sharing voluntarily or we'll make you do it. By April 2009. This bit of extortion nestles in the middle of a bunch of other stuff about educating schoolchildren about the value of intellectual property. Dare we say: if there were one thing you could possibly do to ensure that kids sneer at IP, it would be to teach them about it in school.

The proposals are vague in the extreme about what kind of regulation the DCMS would accept as sufficient. Despite the leaks of last week, culture secretary Andy Burnham has told the Financial Times that the "three strikes" idea was never in the paper. As outlined by Open Rights Group executive director Becky Hogge in New Statesman, "three strikes" would mean that all Internet users would be tracked by IP address and warned by letter if they are caught uploading copyrighted content. After three letters, they would be disconnected. As Hogge says (disclosure: I am on the ORG advisory board), the punishment will fall equally on innocent bystanders who happen to share the same house. Worse, it turns ISPs into a squad of private police for a historically rapacious industry.

Charles Arthur, writing in yesterday's Guardian, presented the British Phonographic Institute's case about why the three strikes idea isn't necessarily completely awful: it's better than being sued. (These are our choices?) ISPs, of course, hate the idea: this is an industry with nanoscale margins. Who bears the liability if someone is disconnected and starts to complain? What if they sue?

We'll say it again: if the entertainment industries really want to stop file-sharing, they need to negotiate changed business models and create a legitimate market. Many people would be willing to pay a reasonable price to download TV shows and music if they could get in return reliable, fast, advertising-free, DRM-free downloads at or soon after the time of the initial release. The longer the present situation continues the more entrenched the habit of unauthorized file-sharing will become and the harder it will be to divert people to the legitimate market that eventually must be established.

But the key damning bit in Arthur's article (disclosure: he is my editor at the paper) is the BPI's admission that they cannot actually say that ending file-sharing would make sales grow. The best the BPI spokesman could come up with is, "It would send out the message that copyright is to be respected, that creative industries are to be respected and paid for."

Actually, what would really do that is a more balanced copyright law. Right now, the law is so far from what most people expect it to be - or rationally think it should be - that it is breeding contempt for itself. And it is about to get worse: term extension is back on the agenda. The 2006 Gowers Review recommended against it, but on February 14, Irish EU Commissioner Charlie McCreevy (previously: champion of software patents) has announced his intention to propose extending performers' copyright in sound recordings from the current 50-year term to 95 years. The plan seems to go something like this: whisk it past the Commission in the next two months. Then the French presidency starts and whee! new law! The UK can then say its hands are tied.

That change makes no difference to British ISPs, however, who are now under the gun to come up with some scheme to keep the government from clomping all over them. Or to the kids who are going to be tracked from cradle to alcopop by unique identity number. Maybe the first target of the government computing literacy programs should be...the government.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 1:34 PM | Permalink | Comments (0) | TrackBacks (1)

If a data point falls in the forest and there's no database to pick it up, is it still private?

There is a general view that people do not care about privacy, particularly younger people. They blog the names of all their favorite bands and best friends, post their drunken photographs on Facebook, and tell all of MySpace who they slept with last night. No one, the argument goes – actually 22 percent – reads the privacy policies Web sites pay their lawyers to draw up so unreadably.

And yet the perception is wrong. People do, clearly, care about privacy – when the issues are made visible to them. Unfortunately, the privacy-invasiveness of a service, policy, or Web site usually only becomes visible after the horse has escaped and is comfortably grazing in the field of three-leaf clover.

A lot of this is, as Charles Arthur blogged recently in relation to the loss of the HMRC discs holding the Child Benefit database, an education issue: if we taught kids important principles of computer science, like security, privacy, and the value of data, instead of boring things like how to format an Excel spreadsheet, some of the most casual data violations wouldn't happen.

A lot of recent privacy failures seem to have happened in just this same unconscious way. Google's various privacy invasions, for example, seem to be a peculiarly geeky failure to connect with the general public's view of things. You can just imagine the techies at the Googleplex saying, "Oh, cool! Look, you can see right into the windows of those houses!" and utterly failing at simple empathy.

The continuing Facebook privacy meltdown seems to include the worst aspects of both the HMRC incident and Google's blind spot. If you haven't been following it, the story in brief is that Facebook created a new advertising program it calls Beacon, which collects tracking data from a variety of partner sites such as Blockbuster.com. Beacon then uses the data to display your latest purchases so your friends can see them.

The blind spot is, of course, the utter surprise with which the company greeted the discovery that people have all sorts of reasons why they don't want their purchase history displayed to their friends. They might be gifts for said friends. The friends, as so often on Facebook and the other social networks, may not be really friends but acquaintances chosen to make you look well-connected, or relatives you assiduously avoid in real life. And even your closest real friends may prefer not to know too much about the porn DVDs you rent. American librarians are militant about protecting the reading lists of library patrons; but Facebook would gleefully expose the books you buy. Are you kidding me? Facebook CEO Mark Zuckerberg can apologize all he wants, but his apparent surprise at the size of the fuss suggests that he's as inexperienced at shopping as those women in front of you in the grocery checkout who seem not to know they'll need to pay until after everything's been bagged up.

What Facebook shares with HMRC, though, is the underlying principle that it's cheaper to send the full set of data and let the recipients delete what they don't want than to be selective. And so, as the story has developed, it turns out that all sorts of data is being sent to Facebook, some of it even relating to non-users. They just delete what they don't want, so they say.

Facebook was briefly defensive, then allowed users to opt out, and then finally allowed users to delete the thing entirely. But the whole thing highlights one of the very real problems with social network sites that net.wars first wrote about in connection with (the now more responsibly designed) Plaxo: they grow by getting people to invade their own and their friends' privacy. The Australian computer scientist and privacy advocate Roger Clarke, whose paper Very Black "Little Black Boooks" is the seminal work in this area, predicted in 2003 that the social networks' business models would force them to become extremely invasive. And so it has proved.

How do we make privacy a choice? We know people care about privacy when they can see its loss: the reactions to the Facebook and HMRC incidents have made this plain. We know theyRecent research by Lorrie Cranor at Carnegie-Mellon (PDF) suggests, for example, that people's purchasing habits will change if you give them an easy-to-understand graphical representation of how well an ecommerce site's practices match their privacy preferences.

But visibility to users, helpful though it would be, is not the root of the problem. What privacy advocates need going forward is a way to persuade companies and governments to make privacy choices easy and visible when their mindset is to collect and keep all data, all the time? These organisations do not perceive giving users control over their privacy as being in their own best interests. Maybe plummeting stock prices and forced resignations, however brief, will get through to them. But to keep their attention focused on building better systems that put the user in control, we need to make the consequences of getting it wrong constantly visible and easily interpretable to the data hogs themselves.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 3:51 PM | Permalink | TrackBacks (0)

There are many ways for a computer system to fail. This week's disclosure that Her Majesty's Revenue and Customs has played lost-in-the-post with two CDs holding the nation's Child Benefit data is one of the stranger ones. The Child Benefit database includes names, addresses, identifying numbers, and often bank details, on all the UK's 25 million families with a child under 16. The National Audit Office requested a subset for its routine audit; the HMRC sent the entire database off by TNT post.

There are so many things wrong with this picture that it would take a village of late-night talk show hosts to make fun of them all. But the bottom line is this: when the system was developed no one included privacy or security in the specification or thought about the fundamental change in the nature of information when paper-based records are transmogrified into electronic data. The access limitations inherent in physical storage media must be painstakingly recreated in computer systems or they do not exist. The problem with security is it tends to be inconvenient.

With paper records, the more data you provide the more expensive and time-consuming it is. With computer records, the more data you provide the cheaper and quicker it is. The NAO's file of email relating to the incident (PDF) makes this clear. What the NAO wanted (so it could check that the right people got the right benefit payments): national insurance numbers, names, and benefit numbers. What it got: everything. If the discs hadn't gotten lost, we would never have known.

Ironically enough, this week in London also saw at least three conferences on various aspects of managing digital identity: Digital Identity Forum, A Fine Balance, and Identity Matters. All these events featured the kinds of experts the UK government has been ignoring in its mad rush to create and collect more and more data. The workshop on road pricing and transport systems at the second of them, however, was particularly instructive. Led by science advisor Brian Collins, the most notable thing about this workshop is that the 15 or 20 participants couldn't agree on a single aspect of such a system.

Would it run on GPS or GSM/GPRS? Who or what is charged, the car or the driver? Do all roads cost the same or do we use differential pricing to push traffic onto less crowded routes? Most important, is the goal to raise revenue, reduce congestion, protect the environment, or rebalance the cost of motoring so the people who drive the most pay the most? The more purposes the system is intended to serve, the more complicated and expensive it will become, and the less likely it is to answer any of those goals successfully. This point has of course also been made about the National ID card by the same sort of people who have warned about the security issues inherent in large databases such as the Child Benefit database. But it's clearer when you start talking about something as limited as road charging.

For example: if you want to tag the car you would probably choose a dashboard-top box that uses GPS data to track the car's location. It will have to store and communicate location data to some kind of central server, which will use it to create a bill. The data will have to be stored for at least a few billing cycles in case of disputes. Security services and insurers alike would love to have copies. On the other hand, if you want to tag the driver it might be simpler just to tie the whole thing to a mobile phone. The phone networks are already set up to do hand-off between nodes, and tracking the driver might also let you charge passengers, or might let you give full cars a discount.

The problem is that the discussion is coming from the wrong angle. We should not be saying, "Here is a clever technological idea. Oh, look, it makes data! What shall we do with it?" We should be defining the problem and considering alternative solutions. The people who drive most already pay most via the fuel pump. If we want people to drive less, maybe we should improve public transport instead. If we're trying to reduce congestion, getting employers to be more flexible about working hours and telecommuting would be cheaper, provide greater returns, and, crucially for this discussion, not create a large database system that can be used to track the population's movements.

(Besides, said one of the workshop's participants: "We live with the congestion and are hugely productive. So why tamper with it?")

It is characteristic of our age that the favored solution is the one that creates the most data and the biggest privacy risk. No one in the cluster of organisations opposing the ID card - No2ID, Privacy International, Foundation for Information Policy Research, or Open Rights Group - wanted an incident like this week's to happen. But it is exactly what they have been warning about: large data stores carry large risks that are poorly understood, and it is not enough for politicians to wave their hands and say we can trust them. Information may want to be free, but data want to leak.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 1:20 PM | Permalink | Comments (0) | TrackBacks (0)

A few months ago, a neighbour phoned me and asked if I'd be willing to position a camera on my windowsill. I live at the end of a small dead-end street (or cul-de-sac), that ends in a wall about shoulder height. The railway runs along the far side of the wall, and parallel to it and further away is a long street with a row of houses facing the railway. The owners of those houses get upset because graffiti keeps appearing alongside the railway where they can see it and covers flat surfaces such as the side wall of my house. The theory is that kids jump over the wall at the end of my street, just below my office window, either to access the railway and spray paint or to escape after having done so. Therefore, the camera: point it at the wall and watch to see what happens.

The often-quoted number of times the average Londoner is caught on camera per day is scary: 200. (And that was a few years ago; it's probably gone up.) My street is actually one of those few that doesn't have cameras on it. I don't really care about the graffiti; I do, however, prefer to be on good terms with neighbours, even if they're all the way across the tracks. I also do see that it makes sense at least to try to establish whether the wall downstairs is being used as a hurdle in the getaway process. What is the right, privacy-conscious response to make?

I was reminded of this a few days ago when I was handed a copy of Privacy in Camera Networks: A Technical Perspective, a paper published at the end of July. (We at net.wars are nothing if not up-to-date.)

Given the amount of money being spent on CCTV systems, it's absurd how little research there is covering their efficacy, their social impact, or the privacy issues they raise. In this paper, the quartet of authors – Marci Lenore Meingast (UC Berkeley), Sameer Pai (Cornell), Stephen Wicker (Cornell), and Shankar Sastry (UC Berkeley) – are primarily concerned with privacy. They ask a question every democratic government deploying these things should have asked in the first place: how can the camera networks be designed to preserve privacy? For the purposes of preventing crime or terrorism, you don't need to know the identity of the person in the picture. All you want to know is whether that person is pulling out a gun or planting a bomb. For solving crimes after the fact, of course, you want to be able to identify people – but most people would vastly prefer that crimes were prevented, not solved.

The paper cites model legislation (PDF) drawn up by the Constitution Project. Reading it is depressing: so many of the principles in it are such logical, even obvious, derivatives of the principles that democratic governments are supposed to espouse. And yet I can't remember any public discussion of the idea that, for example, all CCTV systems should be accompanied by identification of and contact information for the owner. "These premises are protected by CCTV" signs are everywhere; but they are all anonymous.

Even more depressing is the suggestion that the proposals for all public video surveillance systems should specify what legitimate law enforcement purpose they are intended to achieve and provide a privacy impact assessment. I can't ever remember seeing any of those either. In my own local area, installing CCTV is something politicians boast about when they're seeking (re)election. Look! More cameras! The assumption is that more cameras equals more safety, but evidence to support this presumption is never provided and no one, neither opposing politicians nor local journalists, ever mounts a challenge. I guess we're supposed to think that they care about us because they're spending the money.
The main intention of Meingast, Pai, et al, however, is to look at the technical ways such networks can be built to preserve privacy. They suggest, for example, collecting public input via the Internet (using codes to identify the respondents on whom the cameras will have the greatest impact). They propose an auditing system whereby these systems and their usage is reviewed. As the video streams become digital, they suggest using layers of abstraction of the resulting data to limit what can be identified in a given image. "Information not pertinent to the task in hand," they write hopefully, "can be abstracted out leaving only the necessary information in the image." They go on into more detail about this, along with a lengthy discussion of facial recognition.

The most depressing thing of all: none of this will ever happen, and for two reasons. First, no government seems to have the slightest qualm of conscience about installing surveillance systems. Second, the mass populace don't seem to care enough to demand these sorts of protections. If these protections are to be put in place at all, it must be done by technologists. They must design these systems so that it's easier to use them in privacy-protecting ways than to use them in privacy-invasive ways. What are the odds?

As for the camera on my windowsill, I told my neighbour after some thought that they could have it there for a maximum of a couple of weeks to establish whether the end of my street was actually being used as an escape route. She said something about getting back to me when something or other happened. Never heard any more about it. As far as I am aware, my street is still unsurveilled.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 5:11 PM | Permalink | Comments (0) | TrackBacks (0)

It was Edward Hasbrouck who drew my attention to a bit of rulemaking being proposed by the Transportation Security Agency. Under current rules, if you want to travel on a plane out of, around, into, or over the US you buy a ticket and show up at the airport, where the airline compares your name and other corroborative details to the no-fly list the TSA maintains. Assuming you're allowed onto the flight, unbeknownst to you, all this information has to be sent to the TSA within 15 minutes of takeoff (before, if it's a US flight, after if it's an international flight heading for the US).

Under the new rules, the information will have to arrive at the TSA 72 hours before the flight takes off – after all, most people have finalised their travel plans by that time, and only 7 to 10 percent of itineraries change after that – and the TSA has to send back an OK to the airline before you can be issued a boarding pass.

There's a whole lot more detail in the Notice of Proposed Rulemaking, but that's the gist. (They'll be accepting comments until October 22, if you would like to say anything about these proposals before they're finalised.)

There are lots of negative things to say about these proposals – the logistical difficulties for the travel industry, the inadequacy of the mathematical model behind this (which at the public hearing the ACLU's Barry Steinhardt compared to trying to find a needle in a haystack by pouring more hay on the stack), and the privacy invasiveness inherent in having the airlines collect the many pieces of data the government wants and, not unnaturally, retaining copies while forwarding it on to the TSA. But let's concentrate on one: the profound alteration such a scheme will make to American society at large. The default answer to the question of whether you had the right to travel anywhere, certainly within the confines of the US, has always been "Yes". These rules will change it to "No".

(The right to travel overseas has, at times, been more fraught. The folk scene, for example, can cite several examples of musicians who were denied passports by the US State Department in the 1950s and early 1960s because of their left-wing political beliefs. It's not really clear to me why the US wanted to keep people whose views it disapproved of within its borders but some rather hasty marriages took place in order to solve some of these immigration problems, though everyone's friends again now and it's fresh passports all round.)

Hasbrouck, Steinhardt, and EFF founder John Gilmore, who sued the government over the right to travel anonymously within the US, have all argued that the key issue here is the right to assemble guaranteed in the First Amendment. If you can't travel, you can't assemble. And if you have to ask permission to travel, your right of assembly is subject to disruption at any time. The secrecy with which the TSA surrounds its decision-making doesn't help.

Nor does the amount of personal data the TSA is collecting from airline passenger name records. The Identity Project's recent report on the subject highlights that these records may include considerable detail: what books the passenger is carrying, what answer you give when asked where you've been or are going, names and phone numbers given as emergency contacts, and so on. Despite the data protection laws, it isn't always easy to find out what information is being stored; when I made such a request of US Airways last year, the company refused to show me my PNR from a recent flight and gave as the reason: "Security." Civilisation as we know it is at risk if I find out what they think they know about me? We really are in trouble.

In Britain, the chief objections to the ID card and, more important, the underlying database, have of course been legion, but they have generally focused on the logistical problems of implementing it (huge cost, complex IT project, bound to fail) and its general privacy-invasiveness. But another thing the ID card – especially the high-tech, biometric, all-singing, all-dancing kind – will do is create a framework that could support a permission-based society in which the ID card's interaction with systems is what determines what you're allowed to do, where you're allowed to go, and what purchases you're allowed to make. There was a novel that depicted a society like this: Ira Levin's This Perfect Day, in which these functions were all controlled by scanner bracelets and scanners everywhere that lit up green to allow or red to deny permission. The inhabitants of that society were kept drugged, so they wouldn't protest the ubiquitous controls. We seem to be accepting the beginnings of this kind of life stone, cold sober.

American children play a schoolyard game called "Mother, May I?" It's one of those games suitable for any number of kids, and it involves a ritual of asking permission before executing a command. It's a fine game, but surely it isn't how we want to live.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 1:08 PM | Permalink | Comments (0) | TrackBacks (0)

The actor David Hyde Pierce is widely reported to have once responded to a TV interviewer inquiring as to whether he was gay, "My life is an open book, but that doesn't mean I'm going to read it to you." (Or something very like that.)

This seems to me a both witty and intelligent response to the seemingly ever-present mantra these days, "If you have nothing to hide, you have nothing to fear," invoked every time someone wants to institute some new, egregious privacy-invasive surveillance practice. And there are a lot of these.

Last week, a British judge came up with a brilliant scheme for eliminating the racial bias of the 3 million-entry DNA database: collect samples from everyone, even visitors. I may have nothing to fear from this – after all, DNA testing has, in the US, been used to exonerate the innocent on Death Row - but it invokes in me what British politicos sometimes call the "yuck factor". Normally, this is reserved for such science-related ethical dilemmas as human cloning, but for me at least it applies much more strongly here. I loved the movie Gattaca, but I don't want to live there.

In fact, there are considerable risks in DNA-printing the entire population (aside from killing tourism). For one thing, we do not know how we will be able to use or interpret DNA in the future as sequencing plummets in price (as it's expected to do). Say, the UK had considered compiling a nationwide fingerprints database back in 1970 (there would have been riots, but leaving that aside). No one would have foreseen then the widespread availability of cheap fingerprint scanners and online communications that could turn that database into a central authority.

We can surmise that the DNA database will contain sufficient information to allow anyone who can gain access to it to impersonate anyone at any time. Conversely, as we get better and better at understanding what individual genes mean and sequencing drops precipitously in price, the DNA database will grant those who have access to it unprecedented amounts of information about each person's biological or medical prospects and those of their immediate relatives. While there are many diseases that do not have markers in our genes, there are plenty more that do. Does anyone really want the government to be the first to know that they carry the gene for cystic fibrosis or breast cancer?

I don't believe for a second that it was a serious proposal. This is the kind of thing someone says and then everyone holds their breath to gauge the reaction. Has the country been softened up enough to accept such a thing yet? But the fact that someone could say it at all shows how far we have moved away from the presumption of innocence on which both the UK and the US governments were founded.

Witty answers on talk shows aren't, however, quite enough to make a case to a government that what it wants to do is a bad idea. Daniel Solove, author of The Digital Person and a law professor at

In it, he compares privacy to environmental damage: not the single horror story implied by "nothing to hide, nothing to fear", but the result of the accumulating damage caused by a series of "small acts by different actors". The broader structural damage that happens in breaches of confidentiality (such as companies violating their own privacy policies by selling data to third parties) is a loss of trust.

I am not a supporter of open gun ownership, but the US Second Amendment has some merit in principle: the basic idea is to balance the power of the individual against the State. The EU's data protection laws do – or would, if the EU doesn't ignore them as it has in the case of passenger data – a reasonable job of balancing the power of the individual against commercial companies. But the data protection laws can be upended, it seems, whenever a national government wants to do so. All it has to do is pass a law making it legal or mandatory to supply the data it wants to collect, transfer, share, or sell. But the fact that such policies are possible doesn't make them a good idea, even with the best intentions of improving security or personal safety.

The San Francisco computer security expert Russell Brand once asked me, in the casual way he poses philosophical questions, "If you knew they would never be used against you, would you still have secrets?" After some thought, I came up with this: yes. Because one of the ways you show someone that they are important to you and you trust them is that you disclose to them things you don't normally tell other people. It is, in fact, one of the ways we show we love them. We don't tell governments secrets because we want to be intimate with them; we do it because we're required to do so by law. The more one-sided laws make the balance of power, the less we're going to trust our government. Is that really what they want?

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 2:18 PM | Permalink | Comments (0) | TrackBacks (0)

Time and again the Net has proved that anything large corporations can do to us – we can do to ourselves much more effectively and willingly. Churn, for example, used to be something people fired stockbrokers for; it is the practice of buying and selling stocks much more frequently than is rational in order to profit from the brokerage fees. But during the dot-com day-trading boom, as I remember brokers saying at the time, people churned their own accounts far more than any broker would ever have dared to do (and, we add, probably losing themselves far more money).

The same is happening now with privacy. If, say, Tesco posted the real names of its club card members on a Web site complete with little jokes about the foods they buy and the times of day they like deliveries, there would be considerable outrage. (And rightly so.) When a government allows the kinds of leaks detailed here on the Blindside site (to which I contribute) we are significantly unimpressed. On the other hand, over and over on the Net we see people invading their own privacy to a degree that probably no corporation or government would dare. We post about our friends, our habits, our flight times, the shinies we just bought, the books and newspapers we read, the TV programs we watch (and, in some cases, download), our religious feelings or lack thereof, and the organisations we join and promote. We do this for the same reason people feel safer driving in their own cars than they do flying on someone else's airplane: we think we're in control.

Which all leads to a 2003 European court decision that was noted this week by Oxford Internet Institute law professor Jonathan Zittrain (who had it from Karen McCullagh) about Mrs Bodil Lindqvist, a Swedish church catechist who apparently chatted rather liberally about some of her fellow church committee members on a Web site they didn't know she'd created. Among other information, she included names, the fact that a colleague was on partial medical leave because her foot was injured, phone numbers, and so on.

Your attitude about this sort of thing depends partly on your personality, your culture, and your own online habits. So many of my friends blog what seems to be their whole lives in copious detail that it never occurred to me I was doing anything privacy-invasive when I visited a foreign country and blogged the name of the friend of a friend I met there and an account of a day we spent together. The blogee, however, was unhappy and asked me to remove the name and other identifying details. I was surprised, but complied. Referring to someone's injured foot seems kind of harmless, too. On the other hand, I would never, however, put someone's telephone number online without their consent, even though my own phone number is on my Web site. Yet that prejudice seems irrational if you instead call the information about the injured foot "personal medical data" but see the phone number as something anyone could find in the phone book.

Fortunately, I don't live in Sweden. Mrs Lindqvist also took down her pages when she found out the people she had mentioned were upset. But nonetheless she was prosecuted for several violations of the data protection laws – processing personal data without giving prior written notice to the data protection authorities, processed sensitive personal data (the medical information about the foot) without consent, and transferred personal data to a third country. The European Court of Justice, where the case eventually ended up, concluded the third of these did not apply – simply posting something on a Web page that can be read by someone in another country isn't enough for that. But the ECJ agreed she was guilty of the first two of these offenses – as are, by now, probably hundreds of thousands, if not millions, of other Europeans.

This judgement was rendered (and ignored) before Facebook and MySpace became phenomena, and before blogging became quite such a widespread pastime. It acknowledges the competing claims of laws guaranteeing freedom of expression, but still comes down against Mrs Lindvist – who, frankly, seems like pretty small beer compared to this week's announcement that Facebook is to open its member listings to Google's search engine.

The problem with the Facebook decision is that one of the things that really does govern the Net while the law is still making up its mind is community standards. Based on Facebook's assurances that the system was closed to members only, people posted material about themselves and their friends that they thought would stay private. The decision to open the service makes them more like celebrities at Addictions Anonymous meetings. They are about to discover this in the same way that a generation of Usenet posters did when the archives of what they thought were ephemera were assembled and opened to the public by Deja News (now Google Groups). What they will also discover is that although they can delete their own accounts or mark them private, like Mrs Lindqvist's church colleagues, they have no control over what others have said about them in public when they weren't looking.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 3:29 PM | Permalink | Comments (0) | TrackBacks (0)

Virtual worlds have been with us for a long time. Depending who you listen to, they began in 1979, or 1982, or it may have been the shadows on the walls of Plato's cave. We'll go with the University of Essex MUD, on the grounds that its co-writer Richard Bartle can trace its direct influence on today's worlds.

At State of Play this week, it was clear that just as the issues surrounding the Internet in general have changed very little since about 1988, neither have the issues surrounding virtual worlds.

True, the stakes are higher now and, as Professor Yee Fen Lim noted, when real money starts to be involved people become protective.

Level 70 warrior accounts on World of Warcraft go for as little as $10 (though your level number cannot disguise your complete newbieness), but the unique magic sword you won in a quest may go for much more. The best-known pending case is Bragg versus Second Life over virtual property the world's owners confiscated when they realized that Bragg was taking advantage of a loophole in their system to buy "land" at exceptionally cheap prices. Lim had an interesting take on the Bragg case: as a legal concept, she argued, property is right of control, even though Linden Labs itself defines its virtual property as rental of a processor. As computer science that's fine, but it's not law. Otherwise, she said, "Property is mere illusion."

Ultimately, the issues all come down to this: who owns the user experience? In subscription gaming worlds, the owners tend to keep very tight control of everything – they claim ownership in all intellectual property in the world, limit users' ability to create their own content, and block the sale of cheats as much as possible. In a free-form world like Second Life which may host games but is itself a platform rather than a game, users are much freer to do what they want but the EULAs or Terms of Service may be just as unfair.

Ultimately, no matter what the agreement says, today's privately owned virtual worlds all function under the same reality: the game gods can pull the plug at any time. They own and control the servers. Possession is nine-tenths of the law, and all that. Until someone implements open source world software on a P2P platform, this will always be the way. Linden Labs says, for what it's worth, that its long-term intention is to open-source its platform so that anyone may set up a world. This, too, has been done before, with The Palace.

One consequence of this is that there is no such thing as virtual privacy, a topic that everyone is aware of but no one's talking about. The piecemeal nature of the Net means that your friend's IRC channel doesn't know anything about your Web use, and Amazon.com doesn't track what you do on eBay. But virtual worlds log everything. If you buy a new shirt at a shop and then fly to a distant island to have sex with it, all that is logged. (Just try to ensure the shirt doesn't look like a child's shirt and you don't get into litigation over who owns the island…)

There are, as scholars say, legitimate reasons. Logging everything that happens is important in helping game developers pinpoint the source of crashes and eliminate bugs. Logs help settle disputes over who did what to whose magic sword. And in a court case, they may be important evidence (although how you can ensure that the logs haven't been adjusted to suit the virtual world provider, who is usually one of the parties to the litigation, I don't know).

As long as you think of virtual worlds as games, maybe this isn't that big a problem. After all, no one is forced to spend half their waking hours killing enough monsters in World of Warcraft to join a guild for a six-hour quest.

But something like Second Life aspires to be a lot more than that. The world is adding voice communication, which will be interesting: if you have to use your real voice, the relative anonymity conferred by the synthetic world are gone. Quite apart from bandwidth demands (lag is the bane of every SLer's existence), exploring what virtual life is like in the opposite gender isn't going to work. They're going to need voice synthesizers.

Much of the law in this area is coming out of Asia, where massively multi-player online games took off so early with such ferocity that, according to Judge Unggi Yoon, in a recent case a member of a losing team in one such game ran to the café where the winning team was playing and physically battered one of its members. Yoon, who explained some of the new laws, is an experienced online gamer, all the way back to playing Ultima Online in middle school. In his country, a law has recently come into force taxing virtual world transactions (it works like a VAT threshold – under $100 a month you don't owe anything). For Westerners, who are used to the idea that we make laws and export them rather than the other way around, this is quite a reality shift.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 2:27 PM | Permalink | Comments (0) | TrackBacks (0)

This has been the week for reminders that the border between real life and cyberspace is a permeable blood-brain barrier.

On Wednesday, Linden Labs announced that it was banning gambling in Second Life. The resentment expressed by some of SL residents is understandable but naive. We're not at the beginning of the online world any more; Second Life is going through the same reformation to take account of national laws as Usenet and the Web did before it.

Second, this week MySpace deleted the profiles of 29,000 American users identified as sex offenders. That sounds like a lot, but it's a tiny percentage of MySpace's 180 million profiles. None of them, be it noted, are Canadian.

There's no question that gambling in Second Life spills over into the real world. Linden dollars, the currency used in-world, have active exchange rates, like any other currency, currently running about L$270 to the US dollar. (When I was writing about a virtual technology show, one of my interviewees was horrified that my avatar didn't have any distinctive clothing; she was and is dressed in the free outfit you are issued when you join. He insisted on giving me L$1,000 to take her shopping. I solemnly reported the incident to my commissioning editor, who felt this wasn't sufficiently corrupt to worry about: US$3.75! In-world, however, that could buy her several cars.) Therefore: the fact that the wagering takes place online in a simulated casino with pretty animated decorations changes nothing. There is no meaningful difference between craps on an island in Second Life and poker on an official Web-based betting site. If both sites offer betting on real-life sporting events, there's even less difference.

But the Web site will, these days, have gone through considerable time and money to set up its business. Gaming, even outside the US, is quite difficult to get into: licenses are hard to get, and without one banks won't touch you. Compared to that, the $3,800 and 12 to 14 hours a day Brighton's Anthony Smith told Information Week he'd invested in building his SL Casino World is risibly small. You have to conclude that there are only two possibilities. Either Smith knew nothing about the gaming business - if he did, he know that the US has repeatedly cracked down on online gambling over the last ten years and that ultimately US companies will be forced to decide to live within US law. He'd also have known how hard and how expensive it is to set up an online gambling operation even in Europe. Or, he did know all those things and thought he'd found a loophole he could exploit to avoid all the red tape and regulation and build a gaming business on the cheap.

I have no personal interest in gaming; risking real money on the chance draw of a card or throw of dice seems to me a ridiculous waste of the time it took to earn it. But any time you have a service that involves real money, whether that service is selling an experience (gaming), a service, or a retail product, when the money you handle reaches a certain amount governments are going to be interested. Not only that, but people want them involved; people want protection from rip-off artists.

The MySpace decision, however, is completely different. Child abuse is, rightly, illegal everywhere. Child pornography is, more controversially, illegal just about everywhere. But I am not aware of any laws that ban sex offenders from using Web sites, even if those Web sites are social networks. Of course, in the moral panic following the MySpace announcement, someone is proposing such a law. The MySpace announcement sounds more like corporate fear (since the site is now owned by News International) than rational response. There is a legitimate subject for public and legislative debate here: how much do we want to cut convicted sex offenders out of normal social interaction? And a question for scientists: will greater isolation and alienation be effective strategies to keep them from reoffending? And, I suppose, a question for database experts: how likely is it that those 29,000 profiles all belonged to correctly identified, previously convicted sex offenders? But those questions have not been discussed. Still, this problem, at least in regards to MySpace, may solve itself: if parents become better able to track their kids' MySpace activities, all but the youngest kids will surely abandon it in favour of sites that afford them greater latitude and privacy.

A dozen years ago, John Perry Barlow (in)famously argued that national governments had no place in cyberspace. It was the most hyperbolic demonstration of what I call the "Benidorm syndrome": every summer thousands of holidaymakers descend on Benidorm, in Spain, and behave in outrageous and sometimes lawless ways that they would never dare indulge in at home in the belief that since they are far away from their normal lives there are no consequences. (Rinse and repeat for many other tourist locations worldwide, I'm sure.) It seems to me only logical that existing laws apply to behaviour in cyberspace. What we have to guard against is deforming cyberspace to conform to laws that don't exist.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 2:01 PM | Permalink | Comments (0) | TrackBacks (0)

Google announced this week that in order to improve user privacy it would cut the length of time its cookies stay on our systems to two years. The clock will start ticking again every time you use Google or a site using a Google application. The company also plans to anonymize its user logs after 18 months.

The company has been under attack lately for its privacy policies. First, a few weeks ago, Privacy International published its report on the privacy practices of key Internet companies, A Race to the Bottom, and Google came last. Not, you understand, that many companies did all that much better.

Privacy International didn't think any company was "privacy-friendly and privacy-enhancing", but it classed several as "generally privacy-aware but in need of improvement". These were: eBay, LiveJournal, the BBC, Wikipedia, and Last.fm. The report excluded travel sites and financial services, on the grounds that these are subject to regulations beyond their control..

You may notice that these sites aren't exactly comparable with Google, to say nothing of other companies included in the survey, such as AOL, Friendster, Microsoft, and Skype. This seems to me a real problem. The BBC, which does not rely on advertising or commercial sales, needs to operate no registration system, and outside its ecommerce sales has no reason to track anybody beyond generating usage statistics to show the patterns of how content is accessed on its site. Skype, on the other hand, can hardly offer a service without retaining user information, call records, and financial data. Practices that Skype must engage in to operate would be shockingly privacy-invasive if adopted by the BBC. More difficult to assess is user privacy on the social networking sites; on a site like Friendster or LiveJournal by publishing the details of their lives and thoughts users may invade their own privacy far more comprehensively than the site itself can.

The sites are also not comparable in terms of how necessary they are. Hardly anyone really needs AOL. Keeping a blog on LiveJournal is optional; my life proceeds quite happily without Friendster or Facebook. But it's almost impossible these days to look anything up without at least considering looking on Wikipedia, and while there are many VoIP services, peer pressure makes a lot of people sign up for Skype. Therefore, while it's reasonable to compare the companies' corporate behavior, the impact of that behavior is not comparable, nor is the amount of effort and money respecting privacy costs the company. It's a lot harder for Google to respect privacy and maintain its revenue stream than it is for the BBC.

It's also ironic that eBay should have scored so well. Police forces all over Britain agree that online auction fraud is one of the biggest sources of complaints they have. Google's ability to track everyone's search history, reading habits, and general interests may be, long-term, the worse privacy invasion. But to most people it's worse to be ripped off, and while eBay says it takes fraud seriously, the site is still awash in counterfeit DVDs, and does nothing to warn people with transactions in progress when a user's account is suspended for fraud. Which is worse? Being marketed at and tracked or being ripped off? Given that so many people are happy to hand over their privacy in return for some money off groceries (loyalty cards) or a truly modest amount of better treatment from their airline, I'd guess most people would think the latter.

But even given all that Google's announcement this week is so trivial that it's insulting. For one thing, as Google Watch points out, Google assigns your computer a unique ID that persists through rain, snow, IP address change and cookie rewrite. For another, you have no idea when you click on a URL whether a Web site you're about to visit uses a Google service. The point of privacy practices is to give users control; this does anything but that. Why not instead widen the user-configurable preferences to include whether or not to accept cookies and for how long? How hard can that be for all those Google geniuses?

The Article 29 working group pointed out also that the bigger problem is Google's storing search histories and IP addresses. As Privacy International noted, most companies regard individual IP addresses as essentially anonymous, impersonal data – absurd in this time of broadband, when people have the same addresses for years on end. My IP address identifies my computer system more tightly than a library card.

To a large extent, Privacy International blames advertising. As long as content and services are going to be paid for by advertising, sites must track user statistics and supply the data that keeps advertisers happy. There's some justice to that.

But the real problem is the users: who is going to stop using Google because of its privacy policies? You might decide to avoid Gmail, or to delete patiently, one by one, the Usenet postings you crazily typed one night while drunk in 1982, but if you want search, or advertising on your own site… Google is successful as a business because it's made itself indispensable.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 1:09 PM | Permalink | Comments (0) | TrackBacks (0)

Some months back I blogged a breakdown of the various fees that are added on to each airline ticket and tagged it "What we're paying." A commenter took issue: society at large, he wrote, was paying a good deal more than that for my evil flying habits, and I shouldn't be going to Miami anyway. He had a point. What's offending one niece by missing her wedding? I have more.

The intemperateness of the conversation is the kind of thing smokers used to get from those who've already quit.
Just how acrimonious the whole thing is getting was brought home to me this week when Ian Angell surfaced to claim that it is not really possible to be a privacy advocate and an environmentalist at the same time. Of course, Angell was in part just trying to make trouble and get people arguing. But he says he has a serious point.

"The green issues are providing a moral justification for the invasion of privacy," he says, "and the green lobby must take it on board as part of what they're doing. And the fact that they're not taking it on board makes them guilty."

I wouldn't go that far – I do not think you can blame people for unintended consequences. But there are a number of proposals floating around in the UK that could provide yet more infrastructure for endemic surveillance, even if the intention at the moment is to protect the environment.

For example: the idea of the personal carbon allowance, first mooted in 2005 with the notion that it could be linked to the ID card. Last July, environment minister, David Miliband, proposed issuing swipe cards to all consumers, which you'd have to produce whenever you bought anything like petrol or heating – or plane tickets. That at least would give me ammunition against my blog commenter, because other than flying my carbon footprint is modest. In fact, we could have whole forums of moral superiors boasting about how few carbon points they used, like we now have people who boast about how early they get up in the morning. And we could have billboards naming and shaming those who – oh, the horror – had to buy extra carbon points, like they do for TV license delinquents.

Or take the latest idea in waste management, the spy bin fitted with a microchip sensor that communicates with the garbage truck to tell your local council how much you've contributed to the landfill. Given the apparent eagerness of manufacturers to enhance their packaging with RFID chips, this could get really interesting over time.

This is also a country where the congestion charge – a scheme intended to reduce the amount of traffic in central London – is enforced by cameras that record the license plates of every vehicle as it crosses the border. Other countries have had road tolls for decades, but London's mayor, formerly known as "Red Ken" Livingstone because of his extreme left-wing leanings, chose the most privacy-invasive way to do it. Proposals for nationwide road charging follow the same pattern, although the claim is that there will be safeguards against using the installed satellite tracking boxes to actually track motorists. Why on earth is this huge infrastructure remotely necessary? We already have per-mile road use charging. It's called buying fuel.

Privacy International's executive director, Simon Davies, points out that none of these proposals – nor those to expand the use of CCTV (talking cameras!) – are supported by research to show how the environment will benefit.

Of course, if there's one rule about environmentalism it is, as Angell says, "The best tax is the tax the other guy pays." Personally, I'd ban airconditioning; it doesn't get that hot in the UK anyway, and a load of ceiling fans and exhaust fans would take care of all but the most extreme cases of medical need. It certainly does seem ironic that just at the moment when everyone's getting exercised about saving energy and global warming – they're all putting in airconditioning so cold you have to carry a sweater with you if you go anywhere in the "summer".

So, similarly, when Angell says there are "straightforward, immediate answers" he's perfectly right. The problem is they'll all enrage some large group of businesses. "You could reduce garbage by 80 percent by banning packaging in shops. We are squabbling about tiny little changes when quite substantial changes are just not on the cards."
And then, he adds, "They jump on airline travel because you can bump up the taxes and it's morally justified."

I am convinced, however, that it's possible to be a privacy advocate and an environmentalist simultaneously. This is a type of issue that has come up before, most notably in connection with epidemiology. If you make AIDS a notifiable disease you make it easier to track the patterns of infection and alert those most at risk; but doing so invades patient privacy. But in the end, although Angell's primary goal was to stir up trouble, he's right to say that environmentalists need to ensure that their well-meaning desire to save the planet is not hijacked. Or, he says, "they will be blamed for the taxation and the intrusion."

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 1:58 PM | Permalink | Comments (0) | TrackBacks (0)

A friend went to India recently and got sick. Unsurprising, you might think, except that the reason she got sick was that her doctor in Pennsylvania didn't know that the anti-malaria medication he prescribed would interact badly with the anti-acid reflux drug he had also prescribed. The Indian doctor (who, ironically, had trained in Pennsylvania) knew all about it. Geography.

Preventing this kind of situation, at least on a national level, is part of the theory behind the NHS data spine; for Americans, it's a giant database onto which patient information from all parts of Britain's National Health Service is going to be put. It's also presumably part of the reason that pharmacists think they should be allowed to edit and add to patient records; American pharmacies have for years marketed the notion that if you fill all your prescriptions at the same place they'll be able to tell you if you're prescribed something stupid.

Personally, I can see a lot of merit in this idea. Also in the idea that medical personnel would have access to my records, that my allergies would be known to all and sundry (it would be a help, in a medical crisis, if someone didn't try to revive me by feeding me peanut butter).

The problem is that this is a fantasy. It seems appealing to me, I suppose, only because a) I have hardly any medical records – all my doctors either died, refused to give me my records, or destroyed them after they hadn't heard from me for too long – and b) I can't imagine anything bad happening to me if any of my medical history were disclosed. This is not true for most people, and it ignores the most important thing we know about all databases: they contain errors. This is how the campaign to opt out of the database was born: its organiser, Helen Wilkinson, discovered that her medical records had erroneously labeled her an alcoholic. (Not that there's anything wrong with that.) Getting that corrected took years and questions in Parliament.

The problem with all these systems is that they seek to replace knowledge with information. Your GP may know you; the database merely holds information about you and can make no intelligent judgments about what's relevant to a particular situation or distinguish true from false.

Last year, the World Privacy Forum released a report on medical identity theft. Identity fraud, they concluded, happens at all levels in the US medical system. Medical personnel or clinics seeking to pad their income may add treatments they have never delivered to patient records and present them to insurers for payment. Thieves may use doctors' information to forge prescriptions. Patients without insurance or who do not want particular types of treatment to appear on their own records may steal another's identity. In the US, where most treatment is funded by private medical insurance, the consequences can be far-reaching for the victims of such fraud: their credit ratings, employment prospects, and ability to get medical insurance can all be hit hard. A lot of the complaints, therefore, about the Health Insurance Portability and Accountability Act are that it opens medical records to far too many people and, like the NHS Data Spine, does not provide a way for individuals to correct their own records.

In the UK, things are a bit different. Here, GPs are gatekeepers to all care. According to Fleur Fisher, a consultant on ethics and health care practice, and probably the leading expert on medical privacy in the UK, there have, however, been serious frauds in dentistry in the UK, where dentists may claim for big treatments they haven't actually performed.

The problem in the UK, she says, "is not that people will assume your medical identity so they can get treatment. It's much more that it will open people's health records."

A key part of the NHS plan seems to be to provide data to researchers to help determine public policy. Again, in a lot of ways this makes sense; but there is an old and recurring conflict between the desire for privacy of patients with, say, AIDS, and the legitimate interest of society at large to halt the disease's spread. One thing you should not rely on is that the data will be unidentifiable, even if the NHS confirms that it will be "anonymized". Years ago, Latanya Sweeney showed just how unreliable this is by analyzing supposedly anonymized data from the health system in the state of Massachusetts by matching it against publicly available motor vehicle rolls. With only a few database fields she was able to identify almost all of the individuals in the medical data.

Opting out has turned out not to be so simple, despite the fact that according to Ross Anderson, who has been working on medical privacy for well over a decade, most GPs are unhappy about the forced uploading of patient data to a centralised database. That being the case, as Phil Booth notes in the No2ID forum on the topic, if you want to opt out treat your GP as your ally unless he proves otherwise.

Meantime, if you really want emergency personnel to know the important stuff about you, wear an alert bracelet or some other identifier.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 2:20 PM | Permalink | Comments (0) | TrackBacks (0)

A person can dream, right?

- Scrap the UK ID card. Last week's near-buried Strategic Action Plan for the National Identity Scheme (PDF) included two big surprises. First, that the idea of a new, clean, all-in-one National Identity Register is being scrapped in favor of using systems already in use in government departments; second, that foreign residents in the UK will be tapped for their biometrics as early as 2008. The other thing that's new: the bald, uncompromising statement that it is government policy to make the cards compulsory.

No2ID has pointed out the problems with the proposal to repurpose existing systems, chiefly that they were not built to do the security the legislation promised. The notion is still that everyone will be re-enrolled with a clean, new database record (at one of 69 offices around the country), but we still have no details of what information will be required from each person or how the background checks will be carried out. And yet, this is really the key to the whole plan: the project to conduct background checks on all 60 million people in the UK and record the results. I still prefer my idea from 2005: have the ID card if you want, but lose the database.

The Strategic Action Plan includes the list of purposes of the card; we're told it will prevent illegal immigration and identity fraud, become a key "defence against crime and terrorism", "enhance checks as part of safeguarding the vulnerable", and "improve customer service".

Recall that none of these things was the stated purpose of bringing in an identity card when all this started, back in 2002. Back then, first it was to combat terrorism, then it was an "entitlement card" and the claim was that it would cut benefit fraud. I know only a tiny mind criticizes when plans are adapted to changing circumstances, but don't you usually expect the purpose of the plans to be at least somewhat consistent? (Though this changing intent is characteristic of the history of ID card proposals going back to the World Wars. People in government want identity cards, and try to sell them with the hot-button issue of the day, whatever it is.

As far as customer service goes, William Heath has published some wonderful notes on the problem of trust in egovernment that are pertinent here. In brief: trust is in people, not databases, and users trust only systems they help create. But when did we become customers of government, anyway? Customers have a choice of supplier; we do not.

- Get some real usability into computing. In the last two days, I've had distressed communications from several people whose computers are, despite their reasonable and best efforts, virus-infected or simply non-functional. My favourite recent story, though, was the US Airways telesales guy who claimed that it was impossible to email me a ticket confirmation because according to the information in front of him it had already been sent automatically and bounced back, and they didn't keep a copy. I have to assume their software comes with a sign that says, "Do not press this button again."

Jakob Nielson published a fun piece this week, a list of top ten movie usability bloopers. Throughout movies, computers only crash when they're supposed to, there is no spam, on-screen messages are always easily readable by the camera, and time travellers have no trouble puzzling out long-dead computer systems. But of course the real reason computers are usable in movies isn't some marketing plot by the computer industry but the same reason William Goldman gave for the weird phenomenon that movie characters can always find parking spaces in front of their destination: it moves the plot along. Though if you want to see the ultimate in hilarious consumer struggles with technology, go back to the 1948 version of Unfaithfully Yours (out on DVD!) starring Rex Harrison as a conductor convinced his wife is having an affair. In one of the funniest scenes in cinema, ever, he tries to follow printed user instructions to record a message on an early gramophone.

- Lose the DRM. As Charlie Demerjian writes, the high-def wars are over: piracy wins. The more hostile the entertainment industries make their products to ordinary use, the greater the motivation to crack the protective locks and mass-distribute the results. It's been reasonably argued that Prohibition in the US paved the way for organized crime to take root because people saw bootleggers as performing a useful public service. Is that the future anyone wants for the Internet?

Losing the DRM might also help with the second item on this list, usability. If Peter Gutmann is to be believed, Vista will take a nosedive downwards in that direction because of embedded copy protection requirements.

- Converge my phones. Please. Preferably so people all use just the one phone number, but all routing is least-cost to both them and me.

- One battery format to rule them all. Wouldn't life be so much easier if there were just one battery size and specification, and to make a bigger battery you'd just snap a bunch of them together?

Happy New Year!

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 3:19 PM | Permalink | Comments (0) | TrackBacks (0)

One of the clear trends of the last five years has been increasing international surveillance, especially by or on behalf of the US. Foreign visitors to the US now are welcomed with demands for fingerprints and other biometrics; airlines flying to the US are required to hand over passenger data even before the plane pushes back; and, behind the scenes, the cooperative that handles interbank transfers within Europe has been sending the US Treasury department banking records that the average European citizen almost certainly assumes are confidential.

This week, the Article 29 group – a panel of European Commissioners for Freedom, Security, and Justice – ruled that the interbank money transfer service SWIFT (Society for Worldwide Interbank Financial Telecommunication) has failed to respect the provisions of the EU Data Protection directive by transferring personal financial data to the US in a manner the press release describes as "hidden, systematic, massive, and long-term."

It doesn't sound like much when you say that a few people brought a complaint about an obscure organization to an equally obscure branch of the EU government and won. It sounds like a lot more when you say that a few people brought a complaint that, upheld, means that the European financial world will have to change their behavior.

The transfers are part of anti-terrorist programs put in place after the September 11, 2001 attacks to allow American intelligence agency analysts to spot funds being sent to finance terrorists. The problem is that, under EU law, the Data Protection Directive forbids the transfer of personal data to countries that do not have the same level of protection in place; the US is most certainly in that category. Simon Davies, executive director of Privacy International, says the goal in making the complaint that led to the Article 29 group's decision was not to stop all data transfers. "The data should be transferred when there's some level of evidence," he says. What PI objected to was the lack of oversight from anyone outside the cooperative, which is owned by the many private companies – banks, brokers, investment managers, and corporations.

"Now that we know SWIFT was acting illegally," says Davies, "the aim is to bring SWIFT and the banks to account, first by establishing a meaningful oversight mechanicsm, and second by bringing some transparency to the whole arrangement." Part of Privacy International's involvement was, together with the American Civil Liberties Union, to prepare a report on the involvement of consulting firm Booz Allen Hamilton, which is SWIFT's supposedly independent auditor but which, according to the report, has been deeply involved with American surveillance programs for the last ten years. Booz Allen told the New York Times that it rejected PI's charges.

PI's next step, Davies says, will be to contact the banks to ask what they intend to do or have done to comply with the decision. Under the law, they have 30 days to reply. "At the end of the 30 days, unless they provide evidence that they have complied, we then follow up with a second round of complaints to all commissioners worldwide." The US, of course, has no data protection commissioner – and even if it did, the transfers are legal there – so the list Davies is talking about is all the EU countries, Canada, Hong Kong, Australia, New Zealand, and a smattering of others.

"What they do depends on their powers in each country," says Davies, noting that "the UK is particularly weak." Unlimited fines can be imposed, should the commissioners so choose. "If SWIFT doesn't make an adult decision to deal with the situation, then it's up to member banks to use their voting rights within SWIFT to force change."

Meanwhile, he says, "SWIFT is also stuck. They have to comply with subpoenas issued by US authorities." Otherwise, SWIFT would be incurring criminal liability.

Davies' belief is that what's needed is either a truly independent oversight body or perhaps a former judge, to review proposed data transfers and ensure they comply with the law.

That, of course, is not what the US wants; Jane Hovarth, chief privacy and civil liberties officer for the US Department of Justice, told the recent international conference of data protection officers that the US does, too, have privacy laws, and that everyone should get together and agree on some kind of global data law. Under EU law, however, the US would have to raise its privacy protections to EU standards before sending data there would be legal.

This seems unlikely, but you never know. A couple of years ago, when the EU had the choice of honoring data protection law or sending the US government all the airline passenger data it wanted – the EU caved and sent the passenger data. Still, in this era when people seem willing to justify almost any amount of privacy invasion with the words "anti-terrorism", it was heartening to read the Working Party's final comment on the whole thing:

"The Working Party recalls that any measures taken in the fight against crime and terrorism should not and must not reduce standards of protection of fundamental rights which characterise democratic societies."

It's up to us to make them stick to that.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 2:25 PM | Permalink | Comments (0) | TrackBacks (0)

One of the things about being an expatriate is this: whenever there’s a problem you always think that changing countries might be the solution. So one of the games we like to play is where-can-we-go. Global warming means the Gulfstream will stop or change direction and Britain will freeze? Where can we go? Britain is awash in CCTV cameras and wants to bring in a national identity card. Where can we go?

My usual answer is New Zealand, based on no knowledge whatsoever: it just seems so far from here that anything that’s a problem here surely can’t be one there, too. And I know so little about the country that it’s easy to fantasize being left alone to roam the hills among the sheep. Yes, I know: it can’t really be like that, and I’d hate it if it were.

But apparently when it comes to privacy the answers are Germany or Canada. In a pinch, Belgium, Austria, Greece, Hungary, or Argentina. At least, that’s the situation according to Privacy International’s new human rights survey New Zealand’s score is a good bit lower, although you could improve it by avoiding employment; workplace monitoring was the one area in which it scored really badly. Of course, the raw numbers never really tell you the quality of life in those countries; and most people don’t want to play where-can-we-go. Most people, being sensible, want the place they do live, and where they have their cultural and social ties, to be better.

The problem with talking about privacy is that it's so abstract. It’s arguable, for example, that the biggest worry in many people’s lives in the US is not privacy but how to pay for health care. A friend, for example, recently had occasion to go to the emergency room for a few tests; she estimated the bill at $2,000 and her share of it at $500.

In that sense, the Information Commissioner’s new survey, A Surveillance Society, launched alongside the annual data protection conference, is more alarming, in part because it investigates the consequences of constant surveillance and the impact it has on the realities of daily life. What can be done and is being done is to create a class system of great rigidity: surveillance, it says, brings social sorting to define target markets and risky populations. The airline that knows how much you travel decides accordingly how to treat you; the health service decides how to treat you based on its assessment of your worthiness for treatment. Welfare becomes an exercise in deterring fraud rather than assuring safety. It is, the IC’s survey says, risk management rather than the original promise of universal health care. That it’s not a conspiracy, as the IC survey repeats several times, makes it almost more alarming: there is no one specific enemy to fight.

This should not be surprising to anyone who read, some years back, the software engineer Ellen Ullman’s wonderful essay collection, Close to the Machine. Everything the IC is talking about was laid out there in detail, including the exact process by which it happens. Her story concerned a database created to help ensure that people with AIDS got all the help that was available to them. Slowly, the system morphed; in her words, it “infected” its users. The fuzzy, human logic by which one person might get an extra blanket was replaced by inexorable computer rules. Then it became hostile, trying to ensure that no one got more than they were entitled to – the precise stage Britain is at right now with respect to welfare.

In another case, the fact of a system’s existence led a boss to wonder whether he could monitor his sole employee to find out what she did all day. The employee had worked for him for decades and had picked up his children from school. This is, I suppose, where we are with National Identity cards. We *can* find out what everyone does all day, so why shouldn’t we?

Of course, Britain is famous for its class system and the anti-democratic nature of it. But if there was one thing you could say for the old ways, the class differences were clearly visible on the outside. Accent and habits of speech, as George Bernard Shaw observed more than a century ago in Pygmalion, determined how you were treated, and you knew what to expect. Social sorting via surveillance is more democratic in the sense that you don’t have to have a title or the right accent to be a big spender the airlines will treat like gold dust/ But the rules are hidden and insidious; rather than open and well-understood.

So: where can we go (PDF)? A lot of people like the sound of Ireland – they speak English, it’s close, and it’s pretty. But it ranks only a tier above the UK and will always been under pressure to adopt British standards because of the common travel area. Some people like Sweden, for its longstanding commitment to social welfare. It, too, ranks low on the privacy scale. It will have to be Canada. But it’s cold, I hear you cry. Nah. Global warming. Those igloos will be melting any day now. Off to Winnipeg (DOC)!

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her , or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 2:46 PM | Permalink | Comments (0) | TrackBacks (0)

Illinois is a fine state. It is the Land of Lincoln. It is the birth place of such well-known Americans as Oprah Winfrey, Roger Ebert, and Ronald Reagan. It has a baseball team so famous that even I know it's called the Chicago Cubs. John Dewey (as in the Dewey decimal system for cataloguing library books) came from Illinois. So did the famous pro-evolution lawyer Clarence Darrow, Mormon church founder Joseph Smith, the nuclear physicist Enrico Fermi, semiconductor inventor William Shockley, and Frank Lloyd Wright.

I say all this because I don't want anyone to think I don't like or respect Illinois or the intelligence and honor of its judges, including those of Charles Kocoras, who who awarded $11.7 million in damages to e360Insight, a company branded a spammer by the Spamhaus Project.

The story has been percolating for a while now, but is reasonably simple. e360Insight says it's not a bad spammer guy but a good opt-in marketing guy; Spamhaus first said the Illinois court didn't have jurisdiction over a British company with no offices, staff, or operations in the US, then decided to appeal against the court's $11.7 million judgement. e360Insight filed a motion asking the court to haveICANN and/or Spamhaus's domain registrar, the Canadian company Tucows, remove Spamhaus's domain from the Net. The judge refused to grant this request, partly because doing so would cut off Spamhaus's lawful activities, not just those in contravention of the order he issued against Spamhaus. And a good time is being had by all the lawyers.

The case raises so many problems you almost don't know where to start. For one thing, there's the arms race that is spam and anti-spam. This lawsuit escalates it, in that if you can't get rid of an anti-spammer through DDoS attacks, well, hey, bankrupt them through lawsuits.

Spam, as we know, is a terrible, intractable problem that has broken email, and is trying to break blogs, instant messaging, online chat, and, soon, VOIP. (The net.wars blog, this week, has had hundreds of spam comments, all appearing to come from various Gmail addresses, all landing in my inbox, breaking both blogs and email in one easy, low-cost plan. The breakage takes two forms. One is the spam itself – up to 90 percent of all email. But the second is the steps people take to stop it. No one can use email with any certainty now.

Some have argued that real-time blacklists are censorship. I don't think it's fair to invoke the specter of Joseph McCarthy. For one thing, using these blacklists is voluntary. No one is forced to subscribe, not even free Webmail users. That single fact ought to be the biggest protection against abuse. For another thing, spam email in the volumes it's now going out is effectively censorship in itself: it fills email boxes, often obscuring and sometimes blocking entirely wanted email. The fact that most of it either is a scam or advertises something illegal is irrelevant; what defines spam, I have long argued, is the behavior that produces it. I have also argued that the most effective way to put spammers out of business is to lean on the credit card companies to pull their authorisations.

Mail servers are private property; no one has the automatic right to expect mine to receive unwanted email just as I am not obliged to speak to a telemarketer who phones during dinner.

That does not mean all spambusters are perfect. Spamhaus provides a valuable public service. But not all anti-spammers are sane; in 2004 journalist Brian McWilliams made a reasonable case in his book Spam Kings that some anti-spammers can be as obsessive as the spammers they chase.

The question that's dominated a lot of the Spamhaus coverage is whether an Illinois court has jurisdiction over a UK-based company with no offices or staff in the US. In the increasingly connected world we live in, there are going to be a lot of these jurisdictional questions. The first one I remember – the 1996 case United States vs. Thomas – came down in favor of the notion that Tennessee could impose its community decency standards on a bulletin board system in California. It may be regrettable – but consumers are eager enough for their courts to have jurisdiction in case of fraud. Spamhaus is arguably as much in business in the US as any foreign organisation whose products are bought or used in the US. Ultimately, "Come here and say that" just isn't much of a legal case.

The really tricky and disturbing question is: how should blacklists operate in future? Publicly listing the spammers whose mail is being blocked is an important – even vital – way of keeping blacklists honest. If you know what's being blocked and can take steps to correct it, it's not censorship. But publishing those lists makes legal action against spam blockers of all types – blacklists, filtering software, you name it – easier.

Spammers themselves, however, should not rejoice if Spamhaus goes down. Spam has broken email, that's not news. But if Spamhaus goes and we actually receive all the spam it's been weeding out for us – the flood will be so great that spam will finally break spam itself.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 1:25 PM | Permalink | Comments (0) | TrackBacks (0)

Elections have always had two parts: the election itself, and the dickering beforehand (and occasionally afterwards) over who gets to vote. The latest move in that direction: at the end of September the House of Representatives passed the Federal Election Integrity Act of 2006 (H.R. 4844), which from 2010 will prohibit election officials from giving anyone a ballot who can't present a government-issued photo ID whose issuing requirements included proof of US citizenship. (This lets out driver's licenses, which everyone has, though I guess it would allow passports, which relatively few have.)
These days, there is a third element: specifying the technology that will tabulate the votes. Democracy depends on the voters' being able to believe that what determines the election is the voters' choices rather than the latter two.

The last of these has been written about a great deal in technology circles over the last decade. Few security experts are satisfied with the idea that we should trust computers to do "black box voting" where they count up and just let us know the results. Even fewer security experts are happy with the idea that so many politicians around the world want to embrace: Internet (and mobile phone) voting.

The run-up to this year's mid-term US elections has seen many reports of glitches. My favorite recent report comes from a test in Maryland, where it turned out that the machines under test did not communicate with each other properly when the touch screens were in use. If they don't communicate correctly, voters might be able to vote more than once. Attaching mice to the machines solves the problem – but the incident is exactly the kind of wacky glitch that's familiar from everyday computing life and that can take absurd amounts of time to resolve. Why does anyone think that this is a sensible way to vote? (Internet voting has all the same risks of machine glitches, and then a whole lot more.)

The 2000 US Presidential election isn’t as famous for the removal from the electoral rolls in Florida of few hundred thousand voters as it is for hanging chad – but read or watch on the subject. Of course, wrangling over who gets to vote didn't start then. Gerrymandering districts, fighting over giving the right to vote to women, slaves, felons, expatriates…

This is in fact the sort of point that opponents are making.

There are plenty of other logistical problems, of course, such as: what about absentee voters? I registered in Ithaca, New York, in 1972. A few months before federal primaries, the Board of Elections there mails me a registration form; returning it gets me absentee ballots for the Democratic primaries and the elections themselves. I've never known whether my vote is truly anonymous; nor whether it's actually counted. I take those things on trust, just as, I suppose, the Board of Elections trusts that the person sending back these papers is not some stray British person who's does my signature really well. To insert voter ID into that process would presumably require turning expatriate voters over to, say, the US Embassies, who are familiar with authentication and checking identity documents.

Given that most countries have few such outposts, the barriers to absentee voting would be substantially raised for many expatriates. Granted, we're a small portion of the problem. But there's a direct clash between the trend to embrace remote voting - the entire state of Oregon votes by mail – and the desire to authenticate everyone.
We can fix most of the voting technology problems by requiring voter-verifiable, auditable, paper trails, as Rebecca Mercuri began pushing for all those years ago (and most computer scientists now agree with), and there seem to be substantial moves in that direction as state electors test the electronic equipment and scientists find more and more serious potential problems. Twenty-seven states now have laws requiring paper trails. But how we control who votes is the much more difficult and less talked-about frontier.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 12:54 PM | Permalink | Comments (0) | TrackBacks (0)

If there is one thing we always said about the ID card it's that it was going to be tough to implement. About ten days ago, the Sunday Times revealed how tough: manufacturers are oddly un-eager to bid to make something that a) the Great British Public is likely to hate, and b) they're not sure they can manufacture anyway. That suggests (even more strongly than before) that in planning the ID card the government operated like an American company filing a dodgy patent: if we specify it, they will come.

I sympathize with IBM and the other companies, I really do. Anyone else remember 1996, when nearly all the early stories coming out of the Atlanta Olympics blamed IBM' prominently for every logistical snafu? Some really weren't IBM's fault (such as the traffic jams). Given the many failures of UK government IT systems, being associated with the most public, widespread, visible system of all could be real stock market poison.

But there's a secondary aspect to the ID card that I, at least, never considered before. It's akin to the effect often seen in the US when an amendment to the Constitution is proposed. Even if it doesn't get ratified in enough states – as, for example, the Equal Rights Amendment did not – the process of considering it often inspires a wave of related legislation. The fact that ID cards, biometric identifiers, and databases are being planned and thought about at such a high level seems to be giving everyone the idea that identity is the hammer for every nail.

Take, for example, the announcement a couple of days ago of NetIDme, a virtual ID card intended to help kids identify each other online and protect them from the pedophiles our society apparently now believes are lurking behind every electron.

There are a lot of problems with this idea, worthy though the intentions behind it undoubtedly are. For one thing, placing all your trust in an ID scheme like this is a risk in itself. To get one of these IDs, you fill out a form online and then a second one that's sent to your home address and must be counter-signed by a professional person (how like a British passport) and a parent if you're under 18. It sounds to me as though this system would be relatively easy to spoof, even if you assume that no professional person could possibly be a bad actor (no one has, after all, ever fraudulently signed passports). No matter how valid the ID is when it's issued, in the end it's a computer file protected by a password; it is not physically tied to the holder in any way, any more than your Hotmail ID and password are. For a third thing, "the card removes anonymity," the father who designed the card, Alex Hewitt, told The Times. But anonymity can protect children as well as crooks. And you'd only have to infiltrate the system once to note down a long list of targets for later use.

But the real kicker is in NetIDme's privacy policy, in which the fledgling company makes it absolutely explicit that the database of information it will collect to issue IDs is an asset of a business: it may sell the database, the database will be "one of the transferred assets" if the company itself is sold, and you explicitly consent to the transfer of your data "outside of your country" to wherever NetIDme or its affiliates "maintain facilities". Does this sound like child safety to you?

But NetIDme and other systems – fingerprinting kids for school libraries, iris-scanning them for school cafeterias – have the advantage that they can charge for their authentication services. Customers (individuals, schools) have at least some idea of what they're paying for. This is not true for the UK's ID card, whose costs and benefits are still unclear, even after years of dickering over the legislation. A couple of weeks ago, it became known that as of October 5 British passports will cost £66, a 57 percent increase that No2ID attributes in part to the costs of infrastructure needed for ID cards but not for passports. But if you believe the LSE's estimates, we're not done yet. Most recent government estimates are that an ID card/passport will cost £93, up from £85 at the time of the LSE report. So, a little quick math: the LSE report also guessed that entry into the national register would cost £35 to £40 with a small additional charge for a card, so revising that gives us a current estimate of £38.15 to £43.60 for registration alone. If no one can be found to make the cards but the government tries to forget ahead with the database anyway, it will be an awfully hard sell. "Pay us £40 to give us your data, which we will keep without any very clear idea of what we're going to do with it, and in return maybe someday we'll sell you a biometric card whose benefits we don't know yet." If they can sell that, they may have a future in Alaska selling ice boxes to Eskimos.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 1:54 PM | Permalink | Comments (4) | TrackBacks (0)

It's funny. Half the time we hear that the security of the nation depends on the security of its networks. The other half the time we're being told by governments that if the networks are too secure the security of the nation is at risk.

This schizophrenia was on display this week in a ruling by the US Court of Appeals in the District of Columbia, which ruled in favor of the Federal Communications Commission: yes, the FCC can extend the Communications Assistance for Law Enforcement Act to VoIP providers. Oh, yeah, and other people providing broadband Internet access, like universities.

Simultaneously, a clutch of experts – to wit, Steve Bellovin (Columbia University), Matt Blaze (University of Pennsylvania), Ernest Brickell (Intel), Clinton Brooks (NSA, retired), Vinton Cerf (Google), Whifield Diffie (Sun), Susan Landau (Sun), Jon Peterson (NeuStar), and John Treichler (Applied Signal Technology) – released a paper explaining why requiring voice over IP to accommodate wiretapping is dangerous. Not all of these folks are familiar to me, but the ones who are could hardly be more distinguished, and it seems to me when experts on security, VOIP, Internet protocols, and cryptography all get together to tell you there's a problem, you (as in the FCC) should listen. Together, this week they released Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP (PDF), which carefully documents the problems.

First of all – and they of course aren't the only ones to have noticed this – the Internet is not your father's PSTN. On the public switched telephone network, you have fixed endpoints, you have centralized control, and you have a single, continuously open circuit. The whole point of VoIP is that you take advantage of packet switching to turn voice calls into streams of data that are more or less indistinguishable from all the other streams of data whose packets are flying alongside. Yes, many VoIP services give you phone numbers that sound the same as geographically fixed numbers – but the whole point is that neither caller nor receiver need to wait by the phone. The phone is where your laptop is. Or, possibly, where your secretary's laptop is. Or you're using Skype instead of Vonage because your contact also uses Skype.

Nonetheless, as the report notes, the apparent simplicity of VoIP, its design that makes it look as though it functions the same as old-style telephones, means that people wrongly conclude that anything you can do on the PSTN you should be able to do just as easily with VoIP.

But the real problems lie in security. There's no getting round the fact that when you make a hole in something you've made a hole through which stuff leaks out. And where in the PSTN world you had just a few huge service providers and a single wire you could follow along and place your wiretap wherever was most secure, in the VoIP world you have dozens of small providers, and an unpredictable selection of switching and routing equipment. You can't be sure any wiretap you insert will be physically controlled by the VoIP provider, which may be one of dozens of small operators. Your targets can create new identities at no cost faster than you can say "pre-pay mobile phone". You can't be sure the signals you intercept can be securely transported to Wiretap Central. The smart terminals we use have a better chance of detecting the wiretap – which is both good and bad, in terms of civil liberties. Under US law, you're supposed to tap only the communications pertaining to the court authorization; difficult to do because of the foregoing. And then, there's a hole, as the IETF observed in 2000, which could be exploited by someone else. Whom do you fear more will gain access to your communications: government, crook, hacker, credit reporting agency, boss, child, parent, or spouse? Fun, isn't it?

And then there's the money. American ISPs can look forward to the cost of CALEA with all the enthusiasm that European ISPs had for data retention. Here, the government helpfully provided its own data: a VoIP provider paid $100,000 to a contractor to develop its CALEA solution, plus a monthly fee of $14,000 to $15,000 and, on top of that, $2,000 for each intercept.

Two obvious consequences. First: VoIP will be primarily sold by companies overseas into the US because in general the first reason people buy VoIP is that it's cheap. Second: real-time communications will migrate to things that look a lot less like phone calls. The report mentions massively multi-player online role-playing games and instant messaging. Why shouldn't criminals adopt pink princess avatars and kill a few dragons while they plot?

It seems clear that all of this isn't any way to run a wiretap program, though even the report (two of whose authors, Landau and Diffie, have written a history of wiretapping) allows that governments have a legitimate need to wiretap, within limits. But the last paragraph sounds like a pretty good way to write a science fiction novel. In fact, something like the opening scenes of Vernor Vinge's new Rainbows End.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

Posted by Wendy M. Grossman at 2:09 PM | Permalink | Comments (0) | TrackBacks (0)

“Everyone seems depressed,” someone said a half-day into this year’s Computers, Freedom, and Privacy conference.

It’s true. Databases are everywhere this year. FEMA databases made of records from physicians, pharmacists, insurers. The databases we used to call the electoral rolls. Choicepoint. The National Health infrastructure they want to build. Real ID. RFID tracks and trails – coming soon to a database near you. And so on.

The only really positive moment is when Senator Leahy (Democrat – VT) bounds in to deliver a keynote, saying that the society we are creating is “a different US society than the one we know”. He ringingly denounces the claim that voting for the resolution to pursue Al-Qaida included voting for warrantless wiretapping, and everyone applauds.
Wait. CFP is being bucked up by a senator? Ten years ago, this conference thought it could code its way out of anything. PGP and Internet architecture could beat any lawmaker.

Now, someone says, “The governments are moving in in a big way” and there is a sense that the only hope lies in policy-making and persuasion. Privacy advocates are brainstorming legislative proposals. The Electronic Frontier Foundation is opening an office in DC.

Even the government types are depressed. Stewart Baker, who in 1994 baited this group by claiming that opposition to key escrow was coming only from those who couldn’t go to Woodstock because they had to finish their math homework, is now at the Department of Homeland Security, and tells us that in an emergency we should save ourselves.

Actually, that was one of the few moments of levity. What he did was ask how many libertarians were there in the room who believed that a government governs best that governs least. About ten percent of the crowd raised their hands (another major change from minus ten years, when at least half would have done so). How many actually had provisions of food and water for 72 hours? Most hands dropped. “Who,” Baker asked, “are you expecting to rescue you?” Gotcha.

The science fiction writer Vernor Vinge, who’s been wandering the conference to sample the zeitgeist preparatory to delivering his wrap-up late Friday, summed it up in an advance sample.

“The angle that’s somewhat discouraging,” he says, “is the sense I have in many of these issues that they do reflect an almost implacable advance and on many different fronts on the part of the government in support of the fundamental government idea that total information awareness (no trademark) is absolutely essential to the national interest. I see that as clearly and explicitly recognized by the government as essential to national security, so that in the long run opposing it is at best a matter of slowing its advance down and at worst giving it the appearance of slowing its advance down.”

Vinge was last at CFP in 1996, when he, Bruce Sterling, and Pat Cadigan all participated in a panel called “We Know Where You Will Live”. I remember it as one of the best CFP panels, ever. It was, to be sure, somewhat gloomy. I remember, for example, predictions that a supermarket might know what foods you had been eating from your sales records and, in cahoots with your medical insurer, order you off the potato chips and onto the celery sticks. But being able to imagine this dysfunctional future gave the sense that we would be able to avert it. And without, as one prominent CFPer has done since last year, moving to Canada.

This year, Katherine Albrecht, the leading campaigner against RFID tags and their prospective use to tag and track goods and people, presented her latest findings. Some of her scenarios are far-fetched enough to be truly lame (for example, the idea that someone could sit next to you in a plane and scan your bag so they could steal exactly what they wanted while you were in the lavatory) and others are too clearly chosen to try to manipulate emotional hot buttons (such as the idea that someone passing on the street could point a cellphone reader at a woman and be able to tell what model and color bra she was wearing; I mean, so what?). But the tracking, storing, and eventually sharing of data are all logical consequences of the infrastructure her research shows they are building. I’m not convinced we will go there. But the possibility is no longer outlandish enough for me to feel empowered by considering it any more.

“We haven’t,” a privacy activist now in the corporate sector said to me over dinner, “had one single success. It’s just a long list of failures.”

It is the health care situation that is particularly depressing. The UK has its flaws, but one benefit of nationalized health care is a real reduction in the number of people and organizations who are intensely interested in your medical records. In the US, it seems as though everyone is lining up hoping to get a glimpse of what might be wrong with you.

In one panel we learn that medical identity theft is one of the biggest and fastest growing problems. Now, I wouldn’t mind that so much if they’d take my ailments, too. Such as this growing sensation of being surrounded, spied upon, watched by cameras…

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML)

Posted by Wendy M. Grossman at 12:35 PM | Permalink | Comments (0) | TrackBacks (0)

I spent some of this week talking to parents about the phenomenon of fingerprinting kids in schools for the Guardian. (Surely fingerpainting was more fun.) One of the real frustrations among the people I spoke to was the lack of (helpful) response from the Information Commissioner's Office.

The systems that are being deployed in many school libraries in the UK (with doubtless other countries to follow if they succeed here) are made by Micro Librarian Systems. The fingerprinting side of it is really an add-on; without fingerprint readers, the kids use barcodes. One of the system's selling points seems to be that it doesn't need adult supervision, unlike library cards.

You can see why fingerprints sound appealing as a way to unlock the system: quick, easy, efficient, nothing to lose and/or replace. Slight problem, maybe, that kids' fingers are often dirty, sticky, or damaged, but at least they can't lose them.

What took me aback a bit was discovering that MLS has on its Web site – and quotes to schools – letters from the Information Commissioner's Office and from the Department of Education saying they saw nothing wrong with the system.

It's not my purpose here to rehash whether fingerprinting kids to let them take out library books is appropriate; the parents who were against it had plenty to say in my Guardian piece. But the whole incident has made me think about the role of the Information Commissioner's Office. Whenever I've spoken to anyone there it's seemed clear that ICO's job (PDF) is to explain the law and ensure that organizations obey it. They don't go around looking for things to investigate; they respond to complaints from the public. In this case, they say, they haven't had many. They do advise, as the letter MLS received says, that schools consult parents before instituting fingperprinting "as it may be a sensitive issue".

Indeed, it might. It's a measure of how much both technology and the willingness to be monitored are infiltrating everyone's consciousness that there has been so little public outcry over this. The manufacturers are, of course, very reassuring: the system doesn't store whole fingerprints but an encrypted, very large number mathematically derived from the scanned finger. The image cannot be reconstructed from the number.

But that doesn't actually help because if what unlocks the system is the number it is actually more easily forged than a fingerprint image would be. Now, no one's suggesting that some crook is going to break into a school and steal the computer that holds the kids' fingerprints just so he can take out all the library books. If you were told that your government records were protected by a very large number in encrypted form would you feel reassured that it wasn't an image? I'm not sure you should, because first of all, even encryption that can't be cracked today probably can be tomorrow. Second of all, there are plenty of people out there with good reasons to try to deconstruct how these systems work. And third of all, a number is, well…sometimes it's just a number. In the case of MLS, it's a number generated by a system created by Digital Persona, who supply enterprise biometric solutions to all sorts of other clients. How many of them will accept the same numbers because they use the same algorithms?

In this case, it seems to me that it's not sufficient to say whether the precautions taken to protect the data are adequate. It seems to me the real question is whether the proposed system is proportionate to the problem it's being installed to solve. Is the desire to provide a quick and easy method for kids to check out their own library books sufficient justification for fingerprinting children? This is a question the ICO is not in business to answer.

It's always seemed to me that no amount of data protection really solves anything: data always seems to go where it's not supposed to, whether that's because someone leaves a laptop in a cab or a CD in the back of an airplane seat, or because the database's owner has become infected with what writer Ellen Ullman has called "the fever of the system". The MLS literature states that fingerprints are removed from the system when the child leaves school. But how would a parent check this? And how often do people really throw out data they have. You never know, you might need it someday.

It seems to be an inalienable truth of human nature: if you have two databases you want to link them together; if you have one database you want to keep adding to it and using it for more and more stuff. In the end it's like Mark Twain's old adage, that "Three people can keep a secret if two of them are dead." Databases are not designed to keep secrets; they are designed to help people find things out. If you really want to protect privacy, the only certain option is not to create the database.

In the meantime, it would be nice if the ICO's job description and title went further to ask, "Is this an appropriate use of technology? Is it possible there will be consequences down the line that make this a bad idea?" Now that the government has its way to build the national identity register, these are questions we should all be asking.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. She has an intermittent blog. Readers are welcome to post there, at the official net.wars blog, or to send email, but please turn off HTML.

Posted by Wendy M. Grossman at 3:29 PM | Permalink | Comments (0) | TrackBacks (0)

Ping-pong is so much fun. If you haven't been following the ins and outs of the latest incarnation of the Identity Cards Bill, it's on about its fifth bat between the House of Commons and the House of Lords, with doubtless more to come. In the fourth bat, the Lords had proposed an amendment making the system opt-in until 2012, which would have meant that when you applied for your new passport (or other designated document, such as residence permit or driver's license) you would have the option of also being added to the National Identity Register and an ID card. That, of course, is not what the government wants.

Despite all the lip service paid in the election manifesto to the scheme's being voluntary, the government wants registration to be compulsorily tied to the issuance of documents that most people want to have. In the government's scheme, the ID card will be "voluntary" in the sense that having a passport is "voluntary". Don't want an ID card? Fine. Don't travel, and if you drive, don't lose your old license, change address, or turn 70. (For Americans: old-style British licenses are a fancily printed piece of folded paper that are valid until you're 70; these are gradually being replaced by new-style plastic photo licenses that are valid for ten years, but it's a very long process. Few people in Britain carry them as daily identification, and the only time you need to produce it is within ten days of being stopped for a traffic violation, so there's little incentive to update them.)

The Commons rejected that (PDF). What's supposed to happen next: the House will reject the Lords' amendments again, and the Lords will amend it again.

We even know something about how the Lords will try to amend it: Lord Armstrong of Ilminster has already tabled the amendment to be proposed. The new amendment will offer people the chance to opt out of registering in the national identity database and acquiring an ID card alongside a passport application. It's an interesting idea for a compromise. Most people will not bother to opt out. The ones who do will be the ones who otherwise might decide to forgo travelling in order to avoid registering as long as possible.

If that amendment were to succeed—and it seems likely to garner more support than the last round—there is one significance class of people we know would not opt out of getting ID cards: criminals. Just as you'd probably opt to wear a business suit and tie and get your hair cut respectably short if you were a dope dealer traveling internationally, if you are up to any nefarious schemes you will want the credibility having an ID card will lend you.

Eventually, the most likely outcome is that the Commons will win. There are several reasons for that, none of them really to do with ID cards. The most important is the balance of power between the Commons and the Lords: everyone agrees that the Commons, as the elected body, has supremacy. But the whole mess could easily drag on long enough to block the bill until everyone goes on their summer vacation. If the Commons has to invoke the Parliamentary Act to override the Lords' dissent, we could be into November before the government can even get going on it. The ID card is already behind the govenrment's original schedule. But, hey, what's the hurry?

The ID card is becoming secondary in these debates to the question of how much say the Lords should have and how much the government is railroading its proposals through. The ID card is increasingly controversial; the most recent YouGov/Daily Telegraph survey (PDF) showed only 45 percent in favor of the thing, and support decreases when the estimated cost rises from £6 billion (government) to £18 billion (LSE's upper figure). Are the Lords in fact more representative than the elected Commons?

It's interesting to consider this question in the light of the Power Inquiry, which is considering the question of voter alienation. Two of its conclusions: that there should be a "rebalancing of power away from the executive and unaccountable bodies towards Parliament and local government" and that electoral systems should be more responsive "allowing citizens a much more direct and focused say over political decisions and policies". Exactly the opposite is happening with respect to the ID Cards bill which, given the size of the shift it would cause in British national life and its cost, arguably should be the subject of a referendum.

In this context it's also worth reading testimony given recently to the US Congress by Stephen T. Kent, author of two books on ID card systems about the difficulties of doing what the UK government is proposing (and the US government has in mind with Real ID). Kent reminds us that what we are proposing to build is not an ID card but an ID system, and asks the same questions that even technology vendors have been asking the British government all along: what is the system for? What problem are you trying to solve? Without a clear set of goals, how can the technology fail to fail? In Britain's case, though, getting the ID card bill passed seems to be the problem the ID card is trying to solve.

You can, of course, still promise to refuse.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of linkts to all the earlier columns in this series. Readers are welcome to send email ( but please turn off HTML), or to post comments at the net.wars blog

Posted by Wendy M. Grossman at 12:18 PM | Permalink | TrackBacks (0)