The Home Office has refused to meet with Adam Laurie, the researcher who demonstrated an attack on the Foreign National ID Card last week.
“…the Home Office again refused to see the demonstration, according to investigative journalist Steve Boggan, who has been trying to broker a meeting between Laurie and the government department.
The Home Office said it had declined on the grounds that it did not want to be overwhelmed by individuals wishing to demonstrate ID card cracks.”
[Thanks to FIPR for this one]
The Information Commissioner’s Office has commissioned a study into the business case for privacy. Building on the Privacy by Design report, this project seeks to research and develop an easily understandable and compelling business case that will help organisations to justify and implement privacy protection within their business processes and systems. This is a very important piece of work – for the majority of organisations, the challenge is understanding why they should provide protection of personal information when there are so many competing calls on their budgets. If we can provide a simple, meaningful business case, then we can correctly prioritise privacy needs against others.
The project team, led by Dr John Leach and Colin Watson, is now soliciting input, and their discussion document can be found here.
The BBC reports that Palm’s long-awaited next-generation handset, the Pre, has been returning system and location data to Palm without users being aware or giving consent. Developer Joey Hess noticed some odd traffic going out from the handset and investigated further, only to find that the device was returning daily details of its location, installed applications, usage and crashes.
Palm have responded by saying that they take privacy seriously, and that this service is mentioned in the small print of their Ts & Cs, but it does appear to be unnecessarily invasive. If the iPhone is anything to go by, installed apps can reveal a lot about the users’ interests, sexuality, religion, finances and other potentially sensitive information. Couple those with a home location, and you’ve got a good personal profile.
Palm don’t appear to have addressed the issue at the time of writing, but they have a couple of months to do so before the UK launch of the handset.
Last week the Daily Mail published a feature piece in which it claimed that security expert Adam Laurie had managed to hack an ID Card in 12 minutes. The Home Office rubbished the article and claims that no hack has taken place. Which version of events should we believe?
I was very disturbed to read the Guardian’s claim that the police have been instructed by the Home Office to ignore the European Court’s ruling that the UK DNA Database breaches human rights law, and instead continue to add information on arrestees to the database:
Senior police officers have also been “strongly advised” that it is “vitally important” that they resist individual requests based on the Strasbourg ruling to remove DNA profiles from the national database in cases such as wrongful arrest, mistaken identity, or where no crime has been committed.
Approximately 10% of the UK population is already recorded in the DNA Database, and that number continues to rise rapidly. I’ve talked in the past about why this disturbs me – it’s not the DNA data itself, but the ability to track familial links, coupled with the inevitable failure of the forensic process for using that data, that will lead to injustice. This latest development is even more worrying, since allegedly senior police officers are obeying Home Office officials rather than the rule of law. If a member of the armed forces is issued an order which they believe to be unlawful, it is their duty to disregard the order and escalate their grievance up the chain of command. Does that not apply to the police in the UK? Or are they now above the law?
[Apologies for going all Daily Express letters page on you all, it’s one of those weeks…]
Apologies for the lack of blogging over the past few weeks, I’ve been taking a break that included cycling to Paris and living in the woods for 10 days. In reviewing the mountain of news items that were waiting in my inbox when I returned, I noticed four examples of incidents that blow away the old lie “if you have nothing to hide, you have nothing to fear”.
Please forgive the off-topic post. Next week I will set out on the 400-mile ride from Hampshire up to London, then back to Paris via Portsmouth/St Malo. I’m part of a team cycling in aid of Action Medical Research, a charity that researches a range of conditions including premature birth. Over the past two years Team Star Inn have raised over £41,000 for Action Medical Research plus nearly £10,000 for other charities. This year our team of eleven riders – all of whom will pay their own personal costs so your sponsorship will go directly to the “Touching tiny lives campaign” – will see us pass the £50,000 mark.
We’ve had an incredibly generous offer that any sponsorship we receive over the next five days will be matched one for one. That means if you can sponsor us for £5 then we will receive an additional £5, plus the gift aid tax return, making your £5 worth £12 to charity. Please help us on our way by sponsoring the team here.
Thank you for your support.
Centre-right think tank the Centre for Policy Studies has published a new paper that sets out a vision for IT policy under a Conservative government. Written by technologist and Conservative councillor Liam Maxwell, the central theme of “It’s Ours – Why we, not the government, must own our data” is a transition away from the current policy of large, centralised databases towards more empowered individuals who retain control of information in smaller, user-centric applications.
The paper isn’t just about ID cards or data ownership, but explores issues of procurement with an argument for greater use of open source software and better opportunities for SMEs to contribute to government IT. Arguing that the continued reliance on a small number of major suppliers fails to create a constructive competitive tension, the report calls for major projects to be broken down into chunks no bigger than £100m in a single procurement.
In an interview with Government Computing, Maxwell also reflects on the central theme of data ownership. “It’s my choice, it’s my data. The government thinks it owns the data. It’s like Amazon coming to me and saying ‘I own your data’, but they don’t, I allow them to access my data to send me the stuff when I buy it. That ownership of data will be the key change in the structure of public services in the future, we hope.”
Conservative thinking on IT doesn’t appear to be fully joined-up yet; for example, there’s still confusion about what our ICAO commitments on passports really are, and no coherent policy on ID beyond ‘no ID cards’ – but this is a valuable step towards a formal IT strategy for the Tories.
Robin points out that the 118800 mobile phone directory service has been suspended. Operators Connectivity claim that the suspension is to allow revisions to the beta version of the service, but speculation has it that the volume of ex-directory opt-out requests has buried them and the website was unable to cope with the traffic.
I had some contact with Connectivity* in the early days of the business, and concluded that whilst their approach – requiring opt-out but not actually revealing phone numbers – probably doesn’t breach the Data Protection Act, clearly there would be folk who would be unhappy with it. However it seemed unlikely that there would be such an extreme reaction to the 118800 service. The viral campaign against Connectivity has been a success – I’ve received emails from all sorts of folk, and seen the message in a host of completely unrelated discussion fora. 118800 crosses an invisible line of acceptability from a privacy perspective, and in light of the fight over Phorm which has seen all its partners withdraw from the UK trials, the future might not be too rosy for Connectivity either.
* Purely on an informal basis – I’ve no commercial relationship with Connectivity
Datonomy reports on the new fee levels being set by the ICO for Data Protection notification. Small organisations won’t see any hike from the existing £35 annual fee (free in certain cases), but for “tier 2” data controllers (250+ staff or an annual turnover of £25.9 million or more) the fee will rise to £500. The change was recommended in the review conducted by Richard Thomas and Dr Mark Walport last year, and is detailed in the new Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 which were laid before Parliament last week.