Please excuse the off-topic posting, but it’s time for the annual charity event. Those of you whom I’ve pestered for sponsorship before will know that for the past three years I’ve cycled from my home to London and then on to Paris (400 miles) in aid of Action Medical Research. This year I’ve decided to up the ante a little, and have entered the Deloitte Ride Across Britain.
On 12th June 2010 I will join 500 other riders as we depart from John O’Groats to cycle the 1,000 miles to Land’s End over 9 days. Our route, which takes us down the west coast of Scotland, through the Lake District, over the Bristol Channel, and across Dartmoor, will climb further than the height of Everest. We’ll be cycling around 110 miles a day, and camping at night.
I’m covering all my own costs, and a donation to the Paralympics, but I’d like to raise £1,000 for Help for Heroes. I think we’re all aware of the stunning work this charity does for our forces, and it’s a chance for me to repay a debt from my past. If you can sponsor me even for just a few pounds I would be extremely grateful. Every penny you donate will go directly to this worthwhile cause. I’ll be wearing a satellite tracking device and blogging as I go, so there will be plenty of opportunities for you to mock me as I go.
You can sponsor me through Just Giving. Thank you for your support.
As the country goes to the polls, the three main parties have committed to specific policies on Privacy, Data Protection and Security. In particular, the Conservatives have promised radical reform in these areas. What changes are we likely to see once the new government is elected?
I will be presenting a free online seminar on the topic of “Privacy, Data Protection and Security – Post UK Election” at 1100hrs BST on 13th April 2010. You can tune in for free, and pre-register for the event here.
[Declaration: There is no fee for this event, and I am not being paid as a speaker]
Google is reported to be recruiting bond traders. So what? They’re a big company, they doubtless have a corporate treasury function (although being Google they’ve probably come up with a much more interesting name for it), they probably need to run their own funds purely to manage the enormous heaps of real and theoretical cash sloshing around the place.
The thing is, these traders will have a secret weapon: the results of your web searches. They can look at search trends to understand what others are looking for, and use this as business intelligence to guide their portfolio. If users in Washington DC start searching for information about breakdowns in relations with China, or City of London users are querying rises in VAT, then the Google team have exclusive information to steer their trading strategy.
This is all legal and above board, but it demonstrates the power that companies such as Google can accrue even without using personal data.
A very unpleasant little amendment to the Licensing Act (2003) is in front of Ministers for approval as a Statutory Instrument (SI). If you’re not familiar with the process, an SI is delegated legislation made under the powers of a parent Act, and it is very rare for an SI to be amended or changed – it is generally either approved or rejected when presented to Parliament.
The SI in question is there to address binge drinking by restricting licensees’ abilities to offer discounted booze and encourage heavy drinking. Part 4 (2) of this particular SI refers to a licensee’s policy, and reads as follows:
(2) The policy must require individuals who appear to the responsible person to be under 18 years of age (or such older age as may be specified in the policy) to produce on request, before being served alcohol, identification bearing their photograph, date of birth and a holographic mark.
I’d like to think that this is simply a bit of shoddy text drafted by a junior civil servant who hasn’t thought it through properly, but that seems unlikely. The only acceptable proof of age in a licensed premises will be either a passport, a driving licence or an ID Card. Licensees will no longer be able to use common sense, or to accept other forms of ID even where they are credible beyond doubt. Young drinkers won’t dare go out without one of those forms of ID on them, and that will inevitably lead to a rise in the number of lost passports – something that Identity Minister Meg Hillier has been banging on about as almost the sole justification for the National ID Service for a long time now. It seems probable that this move is an attempt by a government that has almost no understanding of ID technology, and an active interest in undermining privacy, to force yet another justification for ID Cards through without proper scrutiny.
What this will do is create a fresh market for false ID cards. A card with a photo, hologram and date of birth is still relatively trivial to put together, and is the average member of bar staff really going to challenge someone who is in possession of what looks like it is probably a legitimate card? I doubt it. Just over a year ago I warned the BBC of the dangers of ‘flash and dash’ fraud that will arise from the misuse of ID Cards, and this is the first stage in making that situation come to pass.
For a long time those who have given more than the briefest of thought to the challenge of proof of age have understood the potential of ID technologies to be used in a zero disclosure way: to respond to a challenge without providing any information about the data subject. The relying party asks the system ‘is the individual 18 years of age or over?’ The system responds ‘yes’ or ‘no’. No other information is released. Innovative organisations such as Touch2ID have put the concept into practice, and offer contactless proof of age cards that simply contain a biometric hash of the bearer’s fingerprint. The licensee’s reader asks the card ‘is the bearer 18 years of age or over’? The bearer puts their finger on the reader, the biometric is compared with the hash on the card, and a positive or negative response is given. The card doesn’t need a photo, or a date of birth, so the individual retains their privacy. The card is issued for free. If the card is lost then it’s useless to anyone else, can’t be used for identity fraud, and can be replaced for £2.50.
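As an added illustration of the yes/no check described above (not from the original post, and not Touch2ID's actual design), the example below models a card that holds only an issuer-attested over-18 flag and a salted digest of the bearer's biometric template. Assumptions: all names are hypothetical, HMAC stands in for the issuer's signature, and templates are constructed byte strings that match exactly, whereas real fingerprint matching is approximate.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace

# Constructed issuer key. HMAC stands in for an issuer signature; a deployed
# scheme would sign asymmetrically so readers hold only a verification key.
ISSUER_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class Card:
    over_18: bool            # predicate the issuer checked at enrolment
    salt: bytes              # per-card salt so two cards never share a digest
    template_digest: bytes   # salted digest of the bearer's template
    tag: bytes               # issuer integrity tag over the three fields


def digest_template(salt: bytes, template: bytes) -> bytes:
    return hashlib.sha256(salt + template).digest()


def issuer_tag(over_18: bool, salt: bytes, digest: bytes) -> bytes:
    # Fixed-length fields (1 + 16 + 32 bytes), so concatenation is unambiguous.
    msg = bytes([over_18]) + salt + digest
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()


def issue_card(over_18: bool, template: bytes) -> Card:
    """Issuer side: sees proof of age once, stores only the yes/no predicate."""
    salt = secrets.token_bytes(16)
    digest = digest_template(salt, template)
    return Card(over_18, salt, digest, issuer_tag(over_18, salt, digest))


def is_over_18(card: Card, live_template: bytes) -> bool:
    """Reader side: the only value released to the licensee is this boolean."""
    expected = issuer_tag(card.over_18, card.salt, card.template_digest)
    if not hmac.compare_digest(expected, card.tag):
        return False  # altered or forged card
    live = digest_template(card.salt, live_template)
    if not hmac.compare_digest(live, card.template_digest):
        return False  # presented by someone other than the enrolled bearer
    return card.over_18


def demo() -> dict:
    adult, minor = b"constructed-template-A", b"constructed-template-B"
    adult_card, minor_card = issue_card(True, adult), issue_card(False, minor)
    return {
        "bearer": is_over_18(adult_card, adult),
        "found_card": is_over_18(adult_card, minor),
        "minor": is_over_18(minor_card, minor),
        "edited_flag": is_over_18(replace(minor_card, over_18=True), minor),
    }
```

The card carries no photograph, name or date of birth, so a lost card or an intercepted read yields nothing usable for identity fraud, and flipping the stored flag invalidates the issuer's tag.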
This ridiculous SI, which is another back-door attempt to undermine civil liberties and bolster the National ID Service, will pass on 6 April unless it is sent back by Parliament. You need to write to your MP to make them aware of what’s hidden in the small print, and demand that the SI is redrafted before it’s accepted.
[Hat-tip to Edgar for bringing this one to my attention]
[Declaration: I have no commercial or personal interest in Touch2ID]
The financial year end is nearly upon us. In a couple of weeks’ time, government departments are expected to draw a line under many of their existing procurement contracts and move to a new budget year. As always, there’s a flurry of small, last-minute procurements as they spot a few thousand pounds here and there that have to be used up otherwise they’ll be lost from next year’s allowance.
In a normal year, this would be followed by the release of the purse-strings on larger pieces of work that have been awaiting the new budget, but this year we will be in the grip of an election, and some of these will inevitably be delayed; others will (allegedly) be rushed through to ensure that the current government gets its spending plans under way before May. After that, it’s anyone’s guess what might happen: all that we know for sure is that there will be a lot less money in 2010 than there was in 2009.
The principle of annuality in public sector budgets is a perverse one. Whilst it obviously makes sense to take a snapshot of expenditure, and to ensure that out-of-control projects don’t have access to more funds than have been allocated for a given period, it also makes it impossible for public authorities to ‘save up’ for major new procurements, since any success at saving money is rewarded by having the savings taken away, not just now, but in future years’ budgets as well. The taxpayer is hit with shocking and unexpected bills for systems that could have been foreseen, and budgeted for, many years in advance.
I grew up in the home computing revolution. When I was 13, I managed to persuade my father to part with the price of a home computer, which at the time cost about twice the price of a good racing bike. I wanted a BBC Micro, he wanted to pay for a ZX Spectrum, we compromised on a Dragon 32. That came as a shock to his wallet. At 18, I needed to upgrade to a new machine, and once again without warning put in for the price of a PC; he recovered from the shock, the haggling began and I ended up with an Atari 1040ST. On each occasion I felt aggrieved that he was unhappy with me requesting an out-of-the-blue purchase that cost the equivalent of a few years’ pocket money. He was unhappy that his son kept pitching up demanding new equipment, and then the price kept rising to cover peripherals and software. That’s not a particularly good way to budget for your domestic IT needs, and I recognise how fortunate I was that there was enough money to still be able to get a new computer.
The thing is, that’s how we run much of our public-sector procurement, and authorities are only just waking up to the fact that the money’s gone. The recession has scuppered these budgets, and we’ll be paying for it for many years to come. Public authorities can no longer expect to present a business case for a major IT procurement and get it approved. It’s time that they’re given a mechanism that allows them to save for their needs, and that their accounting procedures are updated to force them to do so. If a system is anticipated to have a 10-year lifespan, then that’s a 10-year period to save up for its replacement. Teenagers around the country are discovering that there’s no longer enough money in the household budget to pay for random IT purchases, and public authorities will have to do the same. The Conservatives have discussed the principle of scrapping annuality in certain areas of public budgets, and that has to be a good thing if those authorities are to be held accountable for responsible and prudent spend on IT.
In the meantime, I’m swamped with finishing Privacy Impact Assessments for two central government agencies and chasing around for the next round of spend that will hopefully be released in the coming weeks. I’ll be blogging more frequently once this silly season – which for the sake of the UK economy I hope is the last one – is over…
The US Federal Trade Commission has just found so-called privacy and security certification service ControlScan guilty of failing to monitor the practices of its certified sites. In their settlement agreement, they state that “founder and former Chief Executive Officer has entered into a separate settlement that requires him to give up $102,000 in ill-gotten gains.”
ControlScan offered a variety of privacy and security seals for display on Web sites. Consumers could click on the seals to discover exactly what assurances each seal conveyed. For example, the company’s Business Background Reviewed, Registered Member, and Privacy Protected seals conveyed that ControlScan had verified a Web site’s information-security practices. However, the FTC alleges that ControlScan provided these seals to Web sites with “little or no verification” of their security protections. Similarly, the FTC alleges that the company provided its Privacy Protected and Privacy Reviewed seals to Web sites with “little or no verification” of their privacy protections.
The FTC also charged that although ControlScan’s seals displayed a current date stamp, the company did not review any of the seal sites on a daily basis. In some instances, Web sites were reviewed only weekly, and in other instances, ControlScan did no ongoing review of a company’s fitness to continue displaying seals. The FTC charged that the defendants’ deceptive acts violated federal law.
Stern words indeed, and the sort of thing one would expect to hear from a heavily empowered regulator (the UK Information Commissioner simply doesn’t have this sort of clout, particularly since the government gave up on plans to increase penalties before the election). Any company that makes a commercial offer in the US and then doesn’t do what it said can face that level of wrath from the FTC.
As for privacy and security seals: well, I’ve never been much of a fan. There are some excellent programmes out there, but for a seal to be meaningful it has, to my mind, to be backed by an independent ombudsman who can award meaningful damages when an organisation in possession of a seal fails to protect data. Even then, for victims it is almost impossible to prove the source of a data breach unless it’s very specific indeed; in most cases, the accused organisation could wriggle out of liability by claiming that the individual must have lost the data elsewhere, or had inadequate protection on their own machine.
In their policy document Reversing the rise of the surveillance state, the Conservatives state that they will task the Information Commissioner to carry out a consultation with the private sector, with a view to establishing guidance on data security, including examining the viability of introducing an industry-wide kite mark system of best practice. Unfortunately I doubt that will result in anything meaningful if such a kitemark is created, and there are better places on which to focus resources: rigorously-applied security and privacy standards for public sector; a properly-funded police that can investigate e-crime; an empowered ICO that deals sternly with public authorities and private companies alike; and above all a fresh way to properly value personal information so that it is protected in accordance with the expectations of the data subject, not the convenience of the data controller. Tomorrow the ICO will publish its report on valuing personal information – with a bit of luck, that will be the first step towards a revitalised approach to information security.
The RSA Conference Europe is now accepting calls for papers for the conference on 12-14 October in London. I’ve always found the event to be a great mix of security, identity and privacy content, and an excellent networking opportunity. If you’re interested in a free VIP ticket, then now’s the time to get your paper in – speaker submissions close on 9th April 2010.
[Declaration of interests: I’m a panel judge for the conference, which is an unpaid role]
An Italian court has flown in the face of the convention by convicting four Google executives – including Peter Fleischer, Google’s Global Privacy Counsel – over a YouTube video that showed the bullying of a vulnerable boy.
In 2006 a video was posted by a user showing the autistic boy being assaulted by classmates. Google received two complaints from Italian authorities, within 24 hours had removed the content from the site, and thereafter assisted an investigation to try to identify the culprits. This action complied with both the law and convention over ISP responsibilities for user-generated content. However, Italian authorities were not satisfied, and when Fleischer visited Italy to address a conference, he found himself bundled in front of a prosecutor and charged with a breach of Italian penal code. Fleischer and three colleagues have now been convicted and given six-month suspended sentences, which they intend to appeal.
The case has disturbing implications for ISPs, since if they are to be held liable for all user-generated content, then they will effectively be driven out of Italy because of the impossibility of managing that content. Whilst the original incident is clearly distressing and all such user-generated postings must be investigated as soon as they are posted, it’s clearly not reasonable to expect an ISP to review all user-generated content on its sites. For once Google is likely to find support from liberties groups, and I very much hope that this daft ruling is overturned on appeal.
The Ministry of Justice has once again dropped plans to increase penalties against those who recklessly or deliberately misuse personal information. As part of its response to the Data Sharing Review, the Ministry of Justice proposed enhanced powers for the Information Commissioner’s Office and new penalties for abuse of personal data. These were largely welcomed by all parties (with most debate around whether the penalties needed to go even further), and a public consultation was held last year to explore views on the subject.
However, last week Justice officials revealed to a CBI meeting that they do not intend to put legislation in front of Parliament before the election, citing insufficient time to do so. This seems odd, seeing as there is plenty of other legislation still going through (such as electoral reform), and it is important that the next government sends a strong message of commitment to building trust by pushing through penalties at the earliest opportunity.
As for the real reason for backing down on legislation? Well, a lot of articles refer to the likes of ‘data thieves’ and ‘hackers’ who abuse personal data. But they’re not the real problem here – the issue is the public authorities and private companies that simply cannot be bothered to set in place proper security and acceptable usage controls, and allow staff to run riot with personal data without any form of governance or oversight. And why would the government want to bring in tough new legislation just before an election when many of the greatest data culprits likely to attract the wrath of the ICO are its own officials? As Data Sharing Czar Sir Bonar Neville-Kingdom points out – “We can’t jail data offenders. Through no fault of their own, some of the ‘offenders’ might be perfectly innocent Civil Servants!”