Newly-appointed Identity Commissioner Sir Joseph Pilling has addressed the Home Affairs Committee in his first public appearance since taking up the post. What he had to say was interesting, and I doubt that the Identity & Passport Service are particularly happy about it all. In answering questions from the Committee, Sir Joseph announced:
- that the National Identity Register contains 538 records (of which one is a foreign national);
- that he is paid £44,000 for six months in his role, with a staff of four and an annual budget of £560,000;
- and most significantly, that he did not apply for the post (which he expects to hold for 18 months) but was telephoned at home and offered it without interview.
So we have an Identity Commissioner who is known to be a career civil servant with a long track record of loyalty to the Home Office, and who reports directly to the Home Secretary rather than Parliament. It’s been widely noted that an arrangement such as that leaves us with little hope of independence in his office; now he tells us himself that the job was a fix, and that he was not appointed through the normal – and in my opinion proper – channels.
The Conservatives have stated their intention to abandon the National Identity Scheme, and in light of this information there seems to be a compelling case that they should also disband the office of the Identity Commissioner. If the government were serious about restoring public confidence in this and other major ICT schemes, then emasculating the powers of the Commissioner’s Office and filling the role with a pre-selected candidate is no way to do it.
[Note: Any criticism here is of the role and how it was filled, not of Sir Joseph himself, whom I have not met]
I attended a very good session at the RSA Conference Europe in London this afternoon, entitled “Privacy Concerns with Adopting DLP Technology”. The panel, which comprised RSA’s Katie Curtin-Mestre, FFW’s Stewart Room, and SAS’ Yngve Sunnanbo, considered the privacy implications from intelligent monitoring of the organisation’s boundary traffic.
Data Loss Protection (DLP) takes content scanning to the next level by inspecting traffic at a number of levels (including the much-loathed DPI) to identify security risks that might be missed by a regular scanner. Systems may, for example, look for email content that leaves the organisation at 5pm, and returns in a modified form at 7am, which might indicate an employee emailing work home rather than using a more secure method of transfer, then emailing it back when it’s complete. Clearly this is the sort of insecure behaviour that organisations need to stop, and DLP is a valuable tool to protect security, and hence privacy, of information.
However, like all tools, you can cut yourself with it if you use it incorrectly: DLP will automatically gather large amounts of personal and sensitive personal information, and there is a risk that organisations using it may inadvertently infringe the privacy of employees or third parties during investigations. Furthermore, the DLP log will itself be very sensitive, and must be protected appropriately.
I was particularly interested in Stewart’s advice in the Q&A, in which he reiterated the importance of intention and action for data protection compliance: say what you’re going to do, then do it. Stewart is the author of Butterworth’s Data Security Law/Practice, so he knows what he’s talking about here.* He also pointed out the importance of transparency in managing the DLP logs: that the log data will, in most cases, be considered personally identifiable, and therefore subject to the Data Protection Act, including the right of access by the Data Subject. In other words, the employee or data subject concerned can demand access to the information held in the log about them. Furthermore, under FoI rules, public bodies operating a DLP system should be prepared to have to provide statistical data about the system’s logs, which might have the unintended consequence of revealing the extent of security problems encountered within the organisation.
This of course isn’t a good reason not to implement DLP, but it’s good advice for any organisation that’s installing a system without having properly considered the consequences.
* Declaration of interest: I’ve no commercial link with Stewart.
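The round-trip heuristic described in this post (content that leaves at 5pm and returns in a modified form at 7am) can be sketched as follows. This is an added example, not code from the panel or from any DLP product; the record fields, thresholds and sample messages are constructed assumptions.

```python
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Constructed sample of mail-gateway records (not real data).
EVENTS = [
    {"ts": datetime(2009, 10, 20, 17, 2), "dir": "out",
     "employee": "alice@corp.example", "external": "alice.home@mail.example",
     "body": "Q3 forecast draft: revenue 1.2m, costs 0.9m, headcount 14. "
             "TODO finish summary."},
    {"ts": datetime(2009, 10, 20, 17, 30), "dir": "out",
     "employee": "bob@corp.example", "external": "carol@partner.example",
     "body": "Lunch on Friday?"},
    {"ts": datetime(2009, 10, 21, 7, 5), "dir": "in",
     "employee": "alice@corp.example", "external": "alice.home@mail.example",
     "body": "Q3 forecast draft: revenue 1.2m, costs 0.9m, headcount 14. "
             "Summary: margin holds at 25%."},
    {"ts": datetime(2009, 10, 21, 9, 0), "dir": "in",
     "employee": "bob@corp.example", "external": "carol@partner.example",
     "body": "Yes, see you at noon."},
]


def find_round_trips(events, max_gap=timedelta(hours=20), min_ratio=0.5):
    """Pair outbound content with a later inbound copy that is similar
    but not identical, between the same employee and external address."""
    ordered = sorted(events, key=lambda e: e["ts"])
    hits = []
    for i, out in enumerate(ordered):
        if out["dir"] != "out":
            continue
        for back in ordered[i + 1:]:
            if back["ts"] - out["ts"] > max_gap:
                break  # records are time-ordered, so later ones are too late
            if (back["dir"] != "in"
                    or back["employee"] != out["employee"]
                    or back["external"] != out["external"]):
                continue
            ratio = SequenceMatcher(None, out["body"], back["body"]).ratio()
            # "Modified form": mostly the same text, but not a plain echo.
            if min_ratio <= ratio < 1.0:
                # Record metadata only, not message bodies: the post notes
                # that the DLP log is itself sensitive personal data.
                hits.append((out["employee"], out["external"],
                             out["ts"], back["ts"], round(ratio, 2)))
    return hits


if __name__ == "__main__":
    for hit in find_round_trips(EVENTS):
        print(hit)
```

Each hit still names an employee, so it remains personal data in the sense the post describes and falls under the same access and protection obligations as the rest of the DLP log.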
The Evening Standard reports that PC World was asked to withdraw a £750 printer after the Met police “revealed it could produce replicas of the proposed new ID card and EU driving licenses.” It’s certainly good to see that the police are stamping down on organised criminals and have closed this particular avenue for identity-related fraud – otherwise, we’d all be vulnerable to crime arising from the absence of a proper authentication infrastructure.
This is one of my greatest concerns about the current state of authentication in the UK – we currently rely on passports, driving licenses and utility bills, all of which can be easily forged. Without any proper way to verify the authenticity of those documents, and to bind them to the holder, we have to take a risk judgement on whether they are legitimate or not. The government has pitched biometric ID cards and photo driving licenses as a ‘gold standard’ for ID that will be infallible, but seems to have forgotten that the system is only as good as the verification mechanism, and in the absence of pervasive biometric readers, these cards might just as well be the printed plastic blanks that will be spewing from the £750 printers that used to be on sale at PC World. At least it was harder to forge a passport (you can’t buy blank ones at the local stationers).
Returning from Spain yesterday, I thought I’d jump the queue by using the IRIS biometric entry system. It’s been a while since I’ve used it, since on recent returns to the UK, the gateway has been:
- occupied by an American shouting at the screen wondering why she can’t get through the gate;
- backed up with a longer queue than the regular immigration channel, or;
However, yesterday IRIS seemed to be the preferred route, so in I stepped, gazed confidently into the robot, which in turn buzzed, spewed out a slip of paper and refused to let me in.
The slip explained that whilst it had recognised my iris pattern, my permission to use the system has expired. Why? My passport’s good for several years yet. It knows who I am. It must be confident I can’t be an imposter. It hasn’t deleted my personal information. So why can’t I get through? And what am I supposed to do about it – do I have to re-enrol? This isn’t exactly a shining example of joined-up systems design…
The Identity and Passport Service has just launched a Public Panel and Experts Group. In their words:
The Public Panels will provide an opportunity for IPS to have a conversation with the public and listen to the concerns and views of people in relation to identity cards.
The Experts Group will provide an independent perspective to inform the development of the NIS.
Independent experts will:
- Provide clarity where there may be ambiguity and will help the Public Panel understand the detail
- Challenge the thought process through the review and analysis of policies and process
- Provide alternative solutions through reasoned opinions
- Provide a credible and independent view that will serve to enhance and strengthen our direction
- Provide an opportunity for experts across disciplines to share knowledge and further their understanding
These groups are the product of the Identity Rights team, which have been notable for their engagement with stakeholders at times when the rest of IPS have been very quiet. Anyone is eligible to apply for either group, and applications will open on 23rd September.
[Declaration of Interests: The Enterprise Privacy Group was commissioned by IPS in 2008 to assist with stakeholder engagement, a contract which closed earlier this year]
The Conservatives have unveiled their plans for reversing the rise of the surveillance state. Seeking to pull the surveillance infrastructure out of government, their views are commendable, but it will be difficult to pick out the undesirable straws from the necessary ones – in the manner of Kerplunk – without bringing the infrastructure down around us. What are they calling for, and what are the consequences?
The Conservatives will this morning describe their plans to reverse the rise of the surveillance state, espousing three principles: that individuals, not the state, own personal information; that when government holds personal information, it is on trust; and that government must be accountable to its citizens.
These principles give rise to a number of policies that include:
- scrapping the National Identity Register and ContactPoint databases;
- resolving the ongoing illegality over government use of the DNA Database;
- restricting local government access to personal communications data;
- establishing a Bill of Rights to protect privacy from the surveillance state.
I’ll be providing a full analysis of the policy statement shortly.
DNA fingerprinting is 25 years old today. Speaking to the BBC, Professor Sir Alec Jeffreys, who pioneered the technique, called for the scrapping of innocent people’s entries on the National DNA Database:
Innocent people do not belong on that database – branding them as future criminals is not proportionate response in the fight against crime.
Once in a while, a spam hits your inbox that raises a smile – which this one did. I’ve always rather liked Radisson hotels, but was particularly impressed with the list of jobs available in this one. I’m considering a job as a busier, yoga doctor, soup chef (that’s wonderful), but might miss out the one listed between Security Officers and Concierge…
22 POTMAN SQUARE,UB3 5AN United Kingdom
THE MANAGEMENT AND STAFF OF RADISSON HOTEL LONDON WISHES TO INFORM YOU ON JOB VACANCIES AT THE HOTEL FROM 15-08-2009 READ CAREFULLY FOR BETTER UNDERSTANDING. THE HOTELS NEED MEN AND WOMEN WHO CAN WORK AND LIVE IN OUR HOTEL HERE IN UK.
Employment decisions are made solely on the basis of qualifications to perform the work for which you are applying. Qualifications include education, training, work experience and other factors which are relevant in determining job performance. Credentials and experience will be verified through schools, former associates and licensing/certification agencies, if applicable. Heathrow hotel decision to hire and promote are made without regard to race, religion, colour sex, nationality, origin, age, disability, or any other classification as proscribed by federal, state or local law.
Would you like to be a part of the Radisson Hotels team? Experienced managerial candidates, as well as entry-level applicants, are invited to apply for positions in rooms operations, food and beverage, sales and marketing, finance, human resources, culinary arts, Director Of Catering and Conference Services, Guest Services Manager, Restaurant Manager, Engineers, Guest Ambassador, Guest Services Driver, Operator, Room Service Server, Director of Food & Beverages, Doormen, Housekeepers, Security Officers, Real sex workers, Concierge, Assistant Controller, Restaurant Manager, Banquet Cook, Banquet Steward, Cold Station Attendant, Convention Service Floor Supervisor, Bell Person, Clerk Attendant, Loss Prevention, Storeroom Manager, Various Restaurant Positions, Various Spa Positions, Potman Express Meeting Sales Manager, Director of Rooms, Bartender/Pool Attendant, Assistant Executive Steward, Yoga doctors ,Director of Purchasing, Soup Chef, Director Of Banquets, , Group reservation Coordinator, Leader in Development in F&B, Utility Steward, Front Desk Agent, Night Manager, Night Auditor, Leader In Development Rooms Division, Housekeeping Supervisor/Dispatcher, Busier, Valet – Parking Attendant, Steward Supervisor
Salary very attractive, excluding family allowance, road allowance,medical allowance, housing allowance transport allowance,miscellaneous allowance etc
Section B Professionals Medical/engineering fields. We implore the services of Doctors/Nurses in Fair Mont outfits also the services of engineers in our engineering department, electrical,mechanical, xerographic technicians, and computer. If you interested, send your CV/Resume Via this mail:email@example.com Hotel Management offer every selected candidate free Air Ticket, free accommodation, and feeding. Candidates will only responsible for his/her Visa charges in his/her respective Country.
In the excellent Datonomy blog, Roger provides an interesting overview of the definition of ‘Identity’. Arguing that it is about the autonomy of the data subject to control their personal data, he points out that inadequacies in the EU Directive and its local implementation allow many data controllers to ride roughshod over subjects’ wishes when it comes to the handling of sensitive personal data.
‘Identity’ has become one of the most misused and misunderstood concepts in modern government and modern technology. Several years ago we seemed to collectively forget the word’s connections with totalitarian regimes throughout history, and the use of identity systems to police the population in times of crisis – or maybe we felt that we had a new and enduring crisis on our hands – and instead decided that ‘identity’ is aspirational, desirable and achievable. The word has entered common parlance in Whitehall and Westminster, forms part of the functional specification for who-knows-how-many systems, processes and initiatives, has spawned a new marketing approach for companies selling access control systems, and is fast becoming ‘part of the way we do things round here’.
This has to stop. We’re sleepwalking towards the precipice (insert scary metaphor of your choice here) simply because we’ve decided that the ‘I’ word – Identity – is what we aspire to. I don’t object to proving my identity, or owning identification credentials, it’s just that we so rarely ever need to identify ourselves. When does identity become an issue? Solely in establishing a trust relationship between two parties where there is a claim to entitlement and an imbalance of risk: for example, when claiming entitlement to enter the country, and there is so much for the individual to gain that they may make false claims about their identity or submit false credentials; or when opening a bank account or credit card that will allow them to borrow money. In such circumstances where the individual’s assertions about their identity might reasonably be expected to be fraudulent, it is proportionate to use other means to prove who they are – to identify them.
Once that initial identification has taken place, there is no further need for identity. Credentials are issued – a credit card, a digital certificate, a library card etc. – and thereafter the individual simply has to authenticate themselves as the legitimate bearer of the credential in order to obtain their entitlement. Identity processes only kick in again where there are grounds to doubt the legitimacy of the credential or the bearer. Of course there are other circumstances where the need to identify an individual is justifiable, normally in law enforcement and border control if a person can provide no credentials or refuses to disclose any details about themselves. I’m assuming that situation doesn’t arise for most of us on a day-to-day basis.
So why does the word identity get me so riled? Our problem is that policymakers lack the technological vocabulary to accurately describe what is required of a system or process. Under pressure to deliver, they demand a new system or process to identify benefits claimants, to identify underage drinkers, to identify passing cars, when in fact what they want is to check an existing credential, to confirm an attribute, or to bill an individual. Through these poor specifications we are unwittingly building a disproportionate and dystopian database state that in the short term strips autonomy from data subjects, but in the longer term will undermine the state itself: when the identity infrastructure becomes pervasive, errors and failures will become so punitive on the data subjects concerned that life will be unbearable for them.
Take the tragic example of Skhumbuzo Mhlongo, a 22-year old South African who was refused an ID Card because of a bureaucratic error that resulted in officials believing he was not a South African national. Unable to work or claim any form of entitlement, and effectively denied any sort of ‘official’ existence, he ultimately took his life. It would take very few such tragedies to collapse confidence in an identity infrastructure and turn individuals against the State.
My proposal is that we ban the use of the ‘I’ word in any situation where ‘authentication,’ ‘verification,’ ‘binding,’ or similar terms would more accurately describe what needs to be achieved without creating a panopticon to achieve the outcome. In fact, if anyone feels like setting up a website to monitor inappropriate uses of the ‘I’ word by government ministers, that might help to raise awareness – much in the same vein as Private Eye’s monitoring of the word ‘solutions’ (perhaps we could name it after their Colemanballs column – ‘Blunkettballs?’). It is our duty to stamp out inappropriate use of the ‘I’ word, to educate policymakers in a more balanced and descriptive language, and to ‘I’ and publicly ridicule those who believe that ‘I’ is a proportionate and necessary goal for the greater public good.
(Here ends a somewhat grumpy ‘back to school’ rant. Normal slightly irritable service will be resumed tomorrow)