" /> net.wars: October 2013 Archives

« September 2013 | Main | November 2013 »

October 25, 2013

Surveillance by consent

Only 20 years ago the UK had barely a surveillance camera in sight. Wikipedia tells me that the change to today's 2 million-odd was precipitated by a 1994 Home Office report praising the results of a few trials. And off we went. That's not counting private cameras, estimated by the British Security Industry Association estimated that to outnumber public ones 70 to one. Coverage is, of course, uneven.

The good news, such as it is, is that the conversation that should have taken place years ago to assess the effectiveness of the cameras for their stated purpose - cutting crime, improving public safety, combating terrorism - seems to be starting now. This may be simple economics: central government money paid for cameras in the 1990s, but now having to foot the bill themselves is making councils take a harder look. Plus, there is greater recognition of the potential for abuse. In June, as required by the 2012 Protection of Freedoms Act, the UK government published a new code of practice covering surveillance cameras (PDF) and, in September, appointed Andrew Rennison, the forensic science regulator to the post of surveillance camera commissioner.

Rennison was in action on Wednesday leading the first Surveiillance Camera Conference ("sounds like the Photocopier User Group" a Twitter follower quipped). Throughout the day, he called for several things that privacy advocates have long wanted: better evidence regarding the efficacy of the cameras, and greater transparency and accountability. There were even disapproving references to function crrep - that is, councils that have used the cameras to generate revenue by imposing fines on motorists.

The bad news for those who would like to see Britain let go of its camera fetish is that it seems clear they're popular. One quoted survey conducted earlier this year by ICM for Synectics found that 76 percent of people feel safer in public areas knowing that CCTV is in operation, 62 percent would like to see more cameras in their area, and 72 percent would be worried if their council decided to reduce the number of cameras to save money.

I would love to see how that survey was constructed. Would the numbers be the same if every public space didn't have signs and constant public announcements propagandizing that the cameras are there "for your safety and security"? Would they feel the same if they knew that, as the representative from the Local Government Association estimated that it costs £200,000 a year for a medium-sized council to run a surveillance camera system? Or would they think again about the trade-offs and the foregone opportunities for that money?

However it was achieved - catching and prosecuting rioters in the summer of 2011 seems to have done a lot - the groundswell of public opinion in favor seems to be real. Neil Harvey, the operations and control officer in charge of the Nottingham police camera systems, for example, said he gets five or six requests a week for new cameras to be added to his current network of 204. Each camera is capable of nine positions; they are monitored by five operators.

"I don't track people," he objected after a carelessly constructed question. "I watch areas." Fair enough.

A bigger source of unhappiness for many is that the rules only apply to camera systems installed by public bodies, which several argued were more transparent already; the privately owned ones are exempt. Some attendees theorized that trying to regulate privately owned systems would have been politically impossible. At any rate, Rennison commented that the legislation is having an impact: private operators are adopting the code of practice even though it's not legally required of them.

Several other interesting trends emerged. For one thing, several commenters noted that TV shows like 24 and many others (I'll name Bones, Las Vegas, and various editions of CSI as particularly egregious "magic technology" offenders) have left the public with a completely unrealistic idea of what the cameras can do. A camera pinned up on a lamp post can't easily see faces if the person is looking down. Similarly, many cameras are old (grainy pictures, low resolution). Even so, there's general recognition that these systems are improving all the time both in image quality and in portability; the current vogue is for cameras that can be easily redeployed to trouble spots as they emerge. Several, therefore, said they welcomed public visits to their control rooms so they can impart a more realistic understanding of what the technology can do.

Several speakers actually said that cameras shouldn't be installed just because they're popular. The demand for better evidence about how the cameras can best be used seems genuine - particularly in the case of Rennison, whose background in forensic science makes him particularly aware of the issues surrounding error rates.

But here's my favorite story of the day, again from Neil Harvey. It seems that the protection of the cameras is welcomed by a sector of the population that you might not expect: drug dealers. They prefer to conduct deals in sight of the cameras. Apparently they don't like being robbed either.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted irregularly during the week at the net.wars Pinboard - or follow on Twitter.

October 18, 2013

Bad people

The MAGICAL airport of 2020 doesn't exist, and already I feel trapped in it like the nettlesome fly in the printer in the 1985 movie Brazil. The vision, presented by Joe Flynn, the director of border and identity management services for Accenture Ireland at this year's Biometrics Conference, probably won't sound bad to today's frustrated travelers. He explained MAGICAL - mobility, analytics, gamification, intelligence, collaboration, automation, low-touch - but we know the acronym wagged this dog.

MAGICAL goes like this. The data you enter into visa and passport systems, immigration data, flight manifests, advance passenger information, all are merged and matched by various analytics. At the airport, security and immigration are a single "automated space": you move through the scanner into a low-touch, constantly surveilling environment ("massive retail space") that knows who you are and what you're carrying and ensures no one is present who shouldn't be. Your boarding pass may be a biometric.

Later, when you step off the plane, you are assessed against expected arrivals and risk profiles . As you sprint down the people movers elbowing slowpokes out of your way (doesn't everyone do this?), accelerated face-on-the-move recognition systems identify you. You cross an indicator line so you know you've entered another country, but as a known traveler you flow through seamlessly. Only 5 to 10 percent of travelers - the unwashed unknowns - are stopped to go through gates - or be checked by an officer with a mobile device. Intervention is the exception, although you will still have to choose a customs channel.

My question was: what happens when it goes wrong?

"We don't replace the border guards and people," Flynn said reassuringly. Rasa Karbaukaite, a research officer from Frontex, the Polish-based organization that coordinates and develops integrated European border management, noted that "automated" is not "automatic": there will be human supervision at all times.

But I was worrying about the back end. What happens when some database makes a mistake and you get labeled bad news? In Brazil that meant the goon squad invaded your home and carted you off. In a modern-day airport, well...what?

This concern re-emerged when Simon Gordon and Brian Lovell, respectively the founder and research leader of Facewatch, outlined "cloud-based crime reporting", a marriage of social networking with advanced facial recognition systems to help businesses eliminate low-level crime. Say a handbag is stolen in a pub. The staff can upload the relevant still and moving CCTV images in a few minutes along with a simple witness statement. Police can review the footage, immediately send back the reference number needed to claim on insurance, and perhaps identify the suspect from previous crimes.

Speeding up crime reporting and improving detection aren't contentious, nor are, in and of themselves, the technical advances that can perform facial recognition on the grainy, blurred footage from old CCTV cameras. The many proprietary systems behind CCTV cameras pose an expensive challenge to police; Facewatch overcomes this by scraping the screens so that all uploaded images are delivered in a single readable format.

But then Gordon said: "[The system] overcomes privacy issues by sharing within corporate and local groups." It's not illegal for Sainsbury's to share information across all its branches that would effectively blacklist someone. Shopwatch and Pubwatch groups can do the same - and already are. Do we want petty criminals to be systematically banned? For how long? What happens when the inevitable abuse of the system creeps in and small businesses start banning people who don't do anything illegal but annoy other customers or just aren't lucrative enough? Where does due process fit in?

A presentation from Mark Crego, global lead for border and identity management, Accenture Ireland, imagined "Biometrics Bill" - the next-generation "Old Bill" policeman. Here, passively collected multi-modal biometrics and ubiquitous wireless links allow an annoyingly stereotyped old lady who's been mugged to pick her attacker out of a line-up assembled at speed on an iPad from her description (ignoring the many problems with eyewitness testimony) and local video feeds and instantly submit a witness statement. On-the-fly facial recognition allows the perpetrator to be spotted on a bus and picked up, shown the watertight case against him on screen, and be jailed within a couple of hours. Case file integration alerts staff to his drug addiction problems and he gets help to go straight. Call me cynical, but it's all too perfect. Technology does not automatically solve social problems.

The systems may be fantasy, but the technology is not. As Joseph Atick, director of the International Biometrics and Identity Association said, "The challenge is shifting from scalability and algorithm accuracy to responsible management of identity data." Like other systems in this era of "big data", identity systems are beginning to draw on external sources of data to flesh out individual profiles. We must think about how we want these technologies deployed.

"We don't want to let the bad people into our country," said Karbauskaite in explaining Frontex's work on creating automated border controls. Well, fair enough, it's your country, your shop, your neighborhood. But where *are* we going to put them? They have to go somewhere - and unfortunately we've run out of empty continents.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Stories about the border wars between cyberspace and real life are posted throughout the week at the net.wars Pinboard - or follow on Twitter.

October 11, 2013

In name only

Registering domain names sounds like a simple, straightforward job. In fact, until 1998, the entire domain name system - the thing that lets you use the wordlike string pelicancrossing.net (which I preferred to the then-unregistered wendygrossman.com) lead you to my Web site rather than the four to 12-digit numbers the computers actually use behind the scenes - was managed by one person: Jon Postel. Plans had already begun to shift the DNS into a more professional structure when he died. The result is global management by the Internet Corporation for Assigned Names and Numbers, which subsidiarily has a registry for each top-level domain (.net, .com, or a country code like .uk), which in turn has registrars that do the actual work of selling and setting up registrations. Even as ICANN was being set up, many foresaw that it could become a central point of censorship. That's taken longer to happen than was feared, but as Monica Horten highlights in her new book, >a href="http://www.iptegrity.com/">A Copyright Masquerade, seizure of registered domains has become a weapon of copyright enforcement actions.

In the UK, the country code authority is Nominet. Nominet has been asking for comments on whether and how it should deal with "offensive" domain name registrations. These are due November 4.

First question: what's offensive? I happen to find those repeated announcements in train stations and elsewhere that the ubiquitous CCTV cameras are "to enhance safety" offensive propaganda, but my chances of getting them banned are approximately nil.

In the case of domain names, the driver behind this push seems to be John Carr, whose career as a campaigner for online child safety has grown up alongside the Internet since at least the mid 1990s. His targets, therefore, as explicated in Nominet's outline of the situation, seem to be domain names that hint at incest, rape, and pornography. Nominet's documentation gives a short list of sites that have been complained about. A couple weren't registered, a couple were referred to the Internet Watch Foundation. The most significant were the two in which the offensive part of the name was actually at the second level - beyond the scope of Nominet's control. This suggests that as a practical matter avoiding offensive domain name registrations is pretty much impossible: there are too many workarounds.

The more important point is that what matters is the content of a Web site. Only rarely - for example, in cases of bullying - is the name important as a signifier.

Pause for some Internet history to illustrate the pitfalls of judging by name only. Back in the early 1990s,. when the big online party was Usenet, there was a game you could play. It relied on two things. One: that anyone could start a newsgroup in the alt hierarchy. Two: that university users (who were most of the Usenet population before 1994) would see the list of new newsgroups available when they turned on their reader software in the morning. So the game was to make up silly and provocative names. Things ending in "die.die.die" were in vogue for a while; also things ending in ".sucks", And there were some deliberately intended to shock and outrage. Many of those newsgroups remained empty shells, the point of their existence fulfilled by their creation.

Names also played a significant role in a very early - 1991 or so - tabloid attack on the (in 2013, still going) UK's CIX conferencing system. At that time, online participants were considered weird, so some intrepid reporter accordingly joined the service and went on a pornography hunt. He found the "adult" conference, discovered its list of files that people had uploaded. When he saw one labeled "Japanese schoolgirls????" he assumed the worst and didn't check. I'm told the "schoolgirl" bit was ludicrous.

The resulting sensationalist article led to some unpleasantness. The conference moderator, a prominent technology journalist, had stones thrown at his house, breaking a window and frightening his children. The actual contents of the adult conference got lost in a disk crash.

I'm going to bet that given that child abuse images are illegal in almost all countries, no one is going to advertise them by registering a domain name that invites police scrutiny. What's more likely is that an outrageous domain name will be used to attract custom for extreme - but legal - material, just as the MPAA's X rating generated ads for "XXX-rated" films.

But even that is giving the domain name system too much importance. Carr's complaint is so last-century, when people found things by typing in domain names, often having to guess. Today the circumstances under which people guess domain names are relatively few. Of the 200 signals that determine a site's Google ranking, hardly any use the domain name itself, and only a few more use data about the domain name. On mobile phones domain names are even less important; apps are obviously where the action is.

In sum: there's clearly a need for dispute resolution when two people or organizations claim rights to the same domain name. There's clearly a need to remove criminal sites that fleece people or engage in other illegal activities (including bullying or libeling someone). But patrolling for "offensive" domain names just isn't a sensible priority.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

October 4, 2013

Bread and circuses

I was intrigued to read this week that sometime pre-1989 a Soviet official asked the British economist Paul Seabright this question: Who is in charge of London's bread supply?. The official was, I found elsewhere, eager to understand how to create a market economy.

Granted, bread isn't quite the staple it once was - blame the low-carb folks - but what a question! It's immediately comprehensible why someone who is used to a centrally planned economy would be shocked and terrified by the notion that a Commissioner of Bread is not needed to ensure that sufficient nutrition, like rain, falls adequately into people's lives. Especially if that person is in charge of a large, populous country with a history of inadequate supplies. And yet, amazingly, most of us take it for granted: bread happens. On the rare occasion when it doesn't, we eat something else.

Those who study the development of the Internet will find it easy to draw analogies. The centrally planned economy is like the legacy telephone networks; the Internet's cooperative design supplies bread - or at least bits - to all sorts of unexpected people on an ad hoc basis without anyone's needing to plan the number of bits or their delivery time. The pioneers who built the Internet's basic framework foresaw, at least in a small way, that there would be battles over copyright, privacy, censorship, and control, though they may not have fully understood the effects of scale. As noted in at a historical event in early July, they had to be ingenious about bypassing the various rules that might have stopped their efforts.

Many of the net.wars covered here are about exactly this collision between those who want to impose central planning and those who want the Internet to stay open as infrastructure and facilitator. So much goes into the taken-for-granted infrastructure that supports that ad hoc delivery: transport networks, communications, expertise, payments, and, somewhere far from the bread on my table, farmers. The Internet has benefited similarly. As Paulina Borsook pointed out in 1996 in Cyberselfish, modern Silicon Valley denizens are "the inheritors of the greatest government subsidy of technology and expansion in technical education the planet has ever seen; and like the ungrateful adolescent offspring of immigrants who have made it in the new country, they take for granted the richness of the environment in which they have flourished, and resent the hell out of the constraints that bind them. And, like privileged, spoiled teenagers everywhere, they haven't a clue what their existence would be like without the bounty showered on them."

Fade in on this week's US government shutdown, in which a small Republican faction are holding the entire country to ransom. Some of the comments about this are staggering: the libertarian who thinks people shouldn't be forced to buy health insurance if they "choose" not to, and the numbers who seem to think the shutdown is a good thing because there's too much government and this will show people we need it a whole lot less than we think. Or maybe that the federal government has its fingers in all sorts of pies it should divest and this will get the public pushing for them to do just that. I'm not quite sure. What I am sure about is that the damage will be profound, long-lasting, and destructive, beginning with international fiscal trust and probably ending with the US's having choked off some of its best science. And we can't solve it by making government more like the Internet, and routing around the damage. (Note that while the Internet at large survives unaffected, most government Web sites have shut down for the duration.)

Many of my British friends are baffled as to why nationalized health insurance is such a contentious issue in the US. One answer is that it's about class: if health insurance is a perk of a "good job", having it provided proves you're a high achiever. A second, however, is that big employers know that losing access to health benefits is such a potent threat that it keeps employees in line. In other words, health insurance tied to employment has turned the American middle class into peasants. It is horrifyingly feudal - and some business interests are quite happy with that.

"The thing is," someone English said to me this week, "our government evolved. Yours was actually *designed* to work like this." That's not really quite true: no one intended to design severe dysfunction.

Government-defining constitutions read like responses to past threats; they are reactive, like security plans. The threat model when the US constitution was written was a powerful, persecuting king, not disgruntled politicians who put ideology ahead of national interest. Further, the Founding Fathers were no better than the rest of us at imagining threats that didn't yet exist - such as giant multinational corporations with government-sized resources. If the threat model had included the idea that 40 politicians could become a central point of failure the design might have included a feedback mechanism by which they could be, in the immortal words of the 1982 movie Tootsie, zapped in the badoobies.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Stories about the border wars between cyberspace and real life are posted throughout the week at the net.wars Pinboard - or follow on Twitter.