When IT Meets Politics


February 19, 2014  10:17 AM

The fight against Surveillance Society claims its first victory – against NHS not NSA

Philip Virgo Profile: Philip Virgo
anonymous, Big Data, Cyber, Edward Snowden, NSA, privacy, Security, Surveillance

The postponement of the ill-conceived NHS central database is the first great win for common sense over Big Data, but we need more clarity as to what is at stake and who is on which side in the battle between Big Brother and Anonymous.  We also need to consider whose side, if any, we are on. I personally regard GCHQ as much less of a threat to my personal safety, let alone privacy and civil liberties, than the members of the Global Government Surveillance Reform Group, and I believe we need the current legal governance for both to be seen to be enforced, particularly the minimum information requirements specified in the e-Commerce directive for those trading on-line and the RIPA regulations on the lawful interception of business communications, before calling for more.

Enforcing the minimum information requirements, (including to ensure that those claiming to be based in Europe really are, e.g. the reform of .uk), will do more to enhance consumer confidence in the on-line world and business confidence in Europe as a location of choice for e-commerce operations, than any of the Data Protection, Identity or other directives and Regulations currently under discussion.

In parallel we also need GCHQ to be more public about its governance processes, particularly those that protect against political interference. These mark it out from similar operations in other nations (including the USA). Until that happens, GCHQ (and the rest of UK surveillance activities in support of law enforcement) are unfairly tarred by a series of brushes, from the dodgy dossier at the top, through to local authority staff using data access to help police family honour or school admissions policies.

I had hoped to lose the debate at the Real Time Club last night but I won (23 to 14 with 17 abstentions), after putting the symbiotic relationship between surveillance and ICT into perspective and kicking as many cyber-myths as practical, given my ten minutes and some very perceptive and well-informed questioning and probing as the evening wore on. The meeting was under the Club’s variation of the Chatham House Rule so I will not repeat any of what was said during the discussion, but I will refine the comments I blogged when I rehearsed the arguments I was planning to make in order to open that discussion …


February 14, 2014  6:25 PM

The thefts from Tesco customers help illustrate the uselessness of Data Breach Notification

Philip Virgo Profile: Philip Virgo
customer, data breach notification, Data protection, directive, European Union, NSA, PICTFOR, regulation, Security, Tesco

According to press cover the recent theft of vouchers from 2000 Tesco on-line customers was based on the collation of data already available over the darker parts of the Internet. So what should Tesco have notified, to whom, under the EU Data Protection Directive and Regulation currently under discussion, since it had no “breach” of its own to notify?

Over half of all on-line transactions are now via mobiles, increasingly “infected” with apps (many from bucket shops in Florida) which not only capture what you key in but also use the camera to view your banking transactions. Their “surveillance” is a greater threat to most of us than anything the NSA might, or might not, do, including via Angry Birds (and the NSA’s most cost-effective use of taxpayers funds).

Once again, who should notify what, and to whom?

The EU is pressing ahead with a new Data Protection Directive and “Regulation“, both fine-tuning approaches designed for the age of mainframes – as relevant to the privacy of the users of today as using the 1896 Infantry Manual (instead of the 1911 Manual) was for Kitchener’s New Army of 1916. In parallel it has an equally well-intentioned, but also equally flawed, Directive concerned with Network and Information Security and an Electronic Identity Regulation supported only by those seeking to promote services which no-one will trust with their own money.

I was dismayed at the lack of response at the PICTFOR meeting on 4th February when Bill Cash MP, chairman of the European Scrutiny Committee of the House of Commons, delivered a robust call for industry to help with inputs to improve the legislation coming out of Brussels. Yesterday at the UK Internet Governance Forum a very good point was made on the need to subject the US-based filtering operations (on which those implementing UK Child Protection Policy place such dependence) to local scrutiny. Meanwhile the EU is pressing ahead with policies which, by driving major operations off-shore, will decrease rather than increase such scrutiny, leaving only the supervision of the Irish Data Protection Commissioner for those running their EU operations via Dublin instead of Luxembourg.

I am delighted to note that the Digital Policy Alliance now has increasingly strong groups bringing together some of the major players (professional bodies, trade associations and those with large numbers of customers across Europe who will be made less competitive with the rest of the world), helping UK officials and Ministers and also MEPs, with informed scrutiny in all three areas, including in the context of attempts to make a reality of the Digital Single Market. My successor has succeeded where I failed, in getting major players to work together across sector boundaries.

In just under a fortnight, the DPA plans to bring together players for the launch of a new group to look at how the Network and Information Security Directive can be focussed on that which could and should be done at EU level, without distracting effort into tick-box activities which are irrelevant to improving practical co-operation. This first scoping meeting will almost certainly be for members and guests. Those who are serious about working together to ensure effective political action to improve the safety of themselves and their customers, as opposed to bleating afterwards about another layer of irrelevant overhead, should therefore get their membership applications in now. The subscription charges have not increased in over a decade. They are now much better value than when I was Secretary General and it was called EURIM (European Informatics Market) and failed to live up to its name because … But that is another story and we need to look forward, not back … before it is too late.

For those who want a more public debate, there are still some places at the Real Time Club dinner debate next week. I have just taken a sneak look at who has booked so far. We are in for a lively evening.



February 12, 2014  10:22 PM

How do we make the Internet a Safer Place?

Philip Virgo Profile: Philip Virgo
DPA, Google, Safer Internet Day

Yesterday I blogged on the irony of releasing “The Intercept” between the 70th Birthday of Colossus and Safer Internet Day. Today I am delighted to be able to blog on the release of the summary and transcript of the round table organised by the Digital Policy Alliance during the run up to Safer Internet Day. The round table was chaired by Diana Johnson MP (Shadow Minister for Home Affairs) and was unusual in that it may have produced immediate results: two members of the audience had to leave early to introduce an amendment to the Children and Families Bill with cross party support, using some of the material presented.

I reproduce the summary report below, but I do recommend you click through to the full transcript and ponder the detailed comments by Chris Ratcliffe (Portland TV) on the current state of play with regard to age verification, by Peter Davies (outgoing head of CEOP) on some of the legal loopholes that need to be closed, and by Sally Leivesley (Newrisk) on the need to take action on the videos promoting suicide bomber as a career of choice for a devout Muslim girl.

The discussion on over- and under-blocking was most informative but there was unanimity on the need for a follow up event to discuss other ways forward. The DPA is now working on this. Those who are serious about helping balance Internet safety and freedom should join and help with the planning – not just the subsequent debate.

=================================

Summary of

DISCUSSION MEETING: RECENT DEVELOPMENTS IN CHILD INTERNET SAFETY

The Issue: 

Children are increasingly subject to unsuitable material on the open web ranging from pornography, through suicide forums and terrorist grooming sites to bullying and blackmail over social networks.

They are active targets for paedophiles operating anywhere in the world. Material can be legal in other parts of the world but not the UK. The exchange of illegal material, including child abuse images, is increasingly across closed and peer-to-peer networks. Children often use these to download pirated films/music and thus become familiar with the dark side of the Internet.

There has been an explosion in the scale of web traffic and a proliferation of sites hosting child-inappropriate material. There are currently 220 million hits a month in the UK alone on the main soft and hard pornography web sites. Children are accessing the Internet at an increasingly younger age – with a high proportion (37%) of 3-4 year olds regularly going online.

Tackling the Issue:

Following a Prime Ministerial initiative in July and November 2013, government called upon Internet Service Providers, social media companies, and Wi-Fi operators to make access to unsuitable sites via the open web harder. It has also stimulated proactive initiatives to tackle illegal content and perpetrators on the closed web and peer-to-peer sites.

As a result this year 20m homes will have internet filtering applied as default by the four leading Internet Service Providers, 90% of all public Wi-Fi networks will have family friendly filters introduced and since November, Google has blocked over 100,000 child sexual abuse related search terms. The UK is the first country to adopt such widespread measures so in some ways this is a massive social experiment.

Practical Implications:

The discussion looked at the practical implications and overall effectiveness of filtering and blocking initiatives. Filtering was criticised for being over effective – blocking legitimate and useful content such as LGBT (Lesbian, Gay, Bi-Sexual and Transvestite) community resources, sexual health and education pages, or restricting access to legitimate commercial sites and services. Filtering was also criticised for being under-effective because its restrictions are often easily circumvented by computer literate children. Furthermore, given that filtering does not prevent online bullying, self harm or suicide, terms such as “one click to safety” are misleading, giving parents a false sense of security.

There is a need for education to ensure widespread parental understanding of the dangers and the signs to look for. However there are no universally agreed benchmarks or criteria as to who decides what is and what is not suitable. Views on what constitutes appropriate/inappropriate content for children of different ages can vary substantially from household to household.

Effective age verification was identified as a key factor in restricting access by children to unsuitable sites. The gambling and the licensed pornography broadcast industries employ robust age verification systems. There was a call to adopt these methods more widely. On the other hand these are regarded by other industry sectors as too expensive and complicated to implement.

One third of unsuitable child imagery is created by children themselves and predators who exploit such images for extortion are not subject to the laws of blackmail because of the limitations of the 1968 Theft Act Section 21. Other instances of narrow legal definitions preventing action against abuse were cited.

Next Steps:

The Digital Policy Alliance will follow up on these issues in further meetings.

=================================

P.S. I should add that I did some checking after the event and discovered that those who claim that age verification is too expensive and complex for widespread use are usually unaware of how cheap and comprehensive it now is. I was surprised to discover that some services charge under £1 (after high volume discounts) to do a more thorough check on first time visitors than most banks do on new customers.

The “real” reasons for not doing so appear to be:

1) Fear that checking will remove the “innocent carrier” defence (under the e-Commerce Directive and other legislation).

but perhaps more significantly

2) It destroys the “drive-by click per view” advertising revenues on which “free” porn (and many other) services now depend – because the checking routines strip away anonymity.


February 11, 2014  7:57 PM

The irony of exposing state surveillance between 70th birthday of Colossus and Safer Internet Day

Philip Virgo Profile: Philip Virgo
Bletchley, Colossus, Edward Snowden, Facebook, Google, guardian, Microsoft, national museum of computing

The commentators responding to the Guardian press cover for the launch of Glenn Greenwald‘s anti NSA website, The Intercept appear to lack a sense of history, let alone of irony.

I have blogged many times before on the symbiotic relationship between computing and surveillance and between Bletchley and Fort Meade, and very recently on the women, younger in years than Snowden but considerably more mature, who “won the war” (or at least shortened it by many years and millions of dead).

It is nice, therefore, to be able to link to the photos taken at the 70th Anniversary of the first time a “computer” broke a cipher, showing some of those who kept silent for half a century. It is also nice to link to a reconstruction of the process, from intercept to decrypt. Both remind us that computing and surveillance are more efficiently, securely and discreetly run by women. They tend to focus on the job instead of playing macho games or demanding attention.

The even bigger irony is that “The Intercept” should be launched on the eve of Safer Internet Day, when most of the world is more concerned about the predators and perverts watching us and our children than about what the Security Services might be doing.

I suspect that, were a survey to be done today, more of the population (not just parents and grandparents) would say that the security services were not doing enough surveillance, but were spending far too much, watching the wrong people, very inefficiently. Instead they should be working hand in glove with Telcos, ISPs and players like Facebook, Google and Microsoft to protect us all, not just those in power.

Personally I am more concerned to be able to control what my fridge tells the food police and to avoid reprisals from my ISP or Search Engine when I put my mobile smart phone in a booster bag (a mesh bag that acts as a miniature Faraday cage) to avoid all their location-dependent adverts.

P.S. Jim Prideaux has just (Thursday 13th) sent me the following: “your phone might not survive very well in a booster bag. Better to turn off if you don’t want location tracked.

Indeed just knocking it on inside a bag could be bad news because it will try harder and harder to get a signal. Perhaps modern phones are cleverer, but it was a concern when we had to use such bags.” Does anyone supply a mobile phone booster “case” which will protect against accidentally switching it on and draining the battery?



February 10, 2014  7:54 AM

Ed Miliband adopts the first plank of my NRDP Manifesto

Philip Virgo Profile: Philip Virgo
Barack Obama, Biometrics, Data protection, DNS, europeanunion, guardian, Milliband, obama, personal information, privacy

According to the Guardian, the first plank in Ed Miliband’s speech at their Hugo Young lecture this evening will be “People should own data about themselves, We should change the assumption that information on people’s interaction with the state is owned by the state. Instead there should be an assumption that such data is owned by and accessible to the parents, patients and those who use the public services who it is about”.

I concluded my recent blog entry on the EU welcome for President Obama’s latest Presidential Directive and the European Manifesto of the “National Restore Democracy Party” with:

“That we each own our personal information (from DNS and Biometrics to transaction profiles) and all who presume to collect, copy, collate or use that information owe us a duty of care.”

I look forward to the adoption of this principle by all political parties and, more importantly, the implementation of policies based on it – covering the private as well as public sectors.

I also look forward to seeing squadrons of pigs flying past my window in close formation – but first steps first.


February 9, 2014  7:26 AM

Is “know your customer” the on-line fraudsters’ greatest ally?

Philip Virgo Profile: Philip Virgo
Barclays, crime, Data protection, Fraud, kyc, liquidator, Money laundering

The press cover for the use by fraudsters of files from a defunct Barclays subsidiary serves to highlight the counter-productive nature of the “know your customer” regulations which require banks, brokers and “financial advisors” to collect and keep information for supposed consumer protection and anti-money-laundering reasons. The churn rate among brokers and “financial advisors” and the lack of responsibility of liquidators to safeguard (or at least delete) the files on computers they may be selling, as opposed to getting the best price for the creditors, illustrates some of the consequences.

The Daily Mail article also reminded me of a conversation after an “awareness” event. I was asked to consider a similar exercise for silver surfers by an organisation whose high value clients were being targeted by fraudsters who had all the information necessary for successful impersonations. They did not know if the problem was shared or peculiar to them. It was too commercially sensitive to talk with their competitors and they could find no leak or breach. Was it someone in their supply chain? Was it a common problem: e.g. a fake “Cruises’Rus” website to harvest the details and preferences of high value silver surfers? They did not subsequently offer to help with funding, so I filed the conversation away.

Yesterday I was drafting a possible call for reform of the EU approach to Data Protection, Electronic Identities and Information Security. One of the high level recommendations was:

“Regulation should focus less on what is stored, (given the many requirements of consumer protection regulators and others to retain that which is not required for business purposes) and more on who has access, under what conditions and how that right of access is checked and exercised.”

We should never forget that what is retained for regulatory, not business, reasons is a potential honey pot for fraudsters.



February 6, 2014  10:59 AM

Men fight over Bletchley Park: where women won the war.

Philip Virgo Profile: Philip Virgo
BBC, Bletchley, Colossus, FIPR, national museum of computing, Testery, Tunny

[Photos: codebreakers-_2812302c.jpg, bletchley_2328727b.jpg]

I have been dismayed, but not surprised by the unseemly spat between the Bletchley Park Trust and The National Museum of Computing. Common sense tends to fly out of the window once men, money, the Lottery Fund and the Charity Commission get involved. Bletchley should be about using the symbiotic relationship between computing, communications, cryptography and surveillance to inform and inspire future generations, whether they have been drawn in via the theme park or an educational visit to the museum.

We should also remind the world that Bletchley was an almost all female operation: around 9,000 women, who did most of the deciphering and translation once a couple of hundred cryptographers (not all men) had broken the codes, plus 3,000 men, guarding the site and building and maintaining the equipment (although much of the latter was also done by women).

The photos above are from a couple of excellent articles in the Daily Telegraph. One very recent contains an illegal (probably still in breach of the Official Secrets Act) photograph of “C” Watch for the Colossi (around a dozen operational at the time) in 1945. The other picture, timed for the TV series, was said to be of “Typists” and appears to be of part of the Testery, where the ATS girls deciphered German teleprinter traffic and checked for sense, guided by equally young, or even younger, cryptographers (Roy Jenkins was only 25 at the end of the War and Donald Michie was only 22).
 
Meanwhile I am indebted to Brian Randell for kindly allowing me to reproduce the guide to the current dispute which was sent out as an FIPR alert last week-end. At the end I give my own facile opinion as to the obvious resolution. But how to get there, given the personalities involved and current UK Charity Law (for which the last Government and its appointees bear a terrible responsibility), is less than obvious.

First the text of the FIPR alert summarising the state of play:

“I’ve had several requests for detailed page links related to the very unfortunate dispute at Bletchley Park, a subject which has given rise to a large amount of traffic on the Web and in social media since the BBC News broadcasts of 24 Jan. Here, for those wishing to gain a better understanding of this dispute, is my attempt to identify and provide links to the most significant web pages that have been produced as a result of the BBC News broadcasts, as of 1 Feb 2014. (In many cases the pages I’ve identified have already had an extensive set of comments added to them.)

I have no plans to take on a role of unofficial chronicler of this dispute, which I fear is going to run and run, unless the senior staff at the Bletchley Park Trust can be persuaded to reverse some of their recent policy decisions promptly, but would nevertheless appreciate being informed of any other/further really significant web pages related to the dispute.

Meanwhile I note a very significant spike in the rate of contributions to The National Museum of Computing, so have included a link to their donations page.

Cheers

Brian Randell

——

THE BBC NEWS ITEMS OF 24 JAN 2014

BBC TV News – a 2.4 min video clip
 
BBC Radio 4 – a 5 min audio clip

OFFICIAL STATEMENTS FROM THE BLETCHLEY PARK TRUST

Progress in Perspective

Crossed Wires at Bletchley Park
 
OFFICIAL STATEMENTS FROM THE NATIONAL MUSEUM OF COMPUTING

Deciphering dissent at Bletchley Park

The bigger picture: fragmenting a heritage site

THE BEST (IN MY OPINION) INDEPENDENT ACCOUNTS OF THE DISPUTE

Disharmony at Bletchley Park

UK National Computer Museum Off-Limits At Bletchley Park

ACCOUNTS BY (ANONYMOUS) VOLUNTEERS

The history behind the Bletchley Park dispute:

Bletchley Park plan to “cull old and infirm”

THE NATIONAL MUSEUM OF COMPUTING

Donations Page”

[P.S. The Virgo solution

Objective – to more than double paying visitors and untied (i.e. not linked to specific projects) donations to both: operating in a symbiotic relationship which exploits rather than fudges the differences.

1) Joint ticketing with the standard price covering both, albeit with options: to book only for Trust (plus Colossus/Tunny) or to book only for the Museum (plus Colossus/Tunny). Note that I view Colossus and Tunny as common to both and the aim is to get day visitors to book for both even if school parties (more severe cost and time pressures) do only one or the other, depending on age and educational objectives.

2) Make a feature of the gate and perhaps add a few more. Station X was a secure facility with guards, barriers and pass inspections between many of the buildings. The fence should be World War 2 barbed wire (as should the gate). The gate should be manned by uniformed sentries who inspect passes (alias tickets) and pose for photographs.

3) Trust to waive rental to Museum and/or provide management and marketing support with the aim of attracting museum visitors (including school parties) to also visit the Trust and to generate additional revenues from joint shop and catering facilities.

I should perhaps add that I have been over HMS Ocelot (in Chatham Dockyard) nearly as many times as I have been to Bletchley. Each time was different. Once our guide was one of the Chatham Dockyard staff who built her, went on her sea trials and later maintained her. He explained how and why she was different to the rest of her class. Once our guide had served on one of her sister ships. He described sitting on the bottom of a Russian harbour. They had different reasons for being grateful they had never had to use the escape hatch for real. I hope their various accounts have been taped so that, when they are no longer available, more professional guides can give future generations a similar experience.

I very much hope that Bletchley is also planning this. Anything less would be a betrayal of the past. I can, however, also appreciate the pressures to sanitise history – particularly with regard to the very special relationship between the operations based at Bletchley Park and those now based at “Fort Meade”. It may be helpful to refer to one of the blog entries I did on this before the Snowden affair.

P.S. Added 12th February: I have just been given links to the photos at the 70th Anniversary of the first run of Colossus breaking the Lorenz code and the video of the reconstruction. I have not checked to see if any of those in the photos taken last week were in those at the head of this article.


February 3, 2014  12:45 PM

Is investment in UK/EU Broadband (fixed and mobile) falling – and, if so, why?

Philip Virgo Profile: Philip Virgo
BT Retail, btgroup, Capex, Communications, Crapband, decline, investment, McAfee, Ofcom, Openreach, regulation, Sky, Surveillance, Vodafone

At a recent event on European Communications policy, held under the Chatham House rule, the audience was told that revenues and investment across the European telecoms markets, both fixed and mobile, are now stagnant or falling. This was blamed on incoherent over-regulation which is about to be exacerbated, not alleviated, by the Telecoms, Data Protection and Security packages currently being discussed. The overall effect is to weaken investor confidence in the telecoms markets at the same time as giving competitive advantage to those syphoning intra-EU on-line business across the Atlantic. The collective message was about the need for a much sharper approach to regulatory reform.

Prices were said to have fallen faster than volumes were rising, although I note prices are now rising again, sometimes very sharply, e.g. 50 – 200% for BT Fibre to the premises. Price comparisons with the US, where spend per customer is said to be double that in the UK/EU, were said to be seriously misleading because usage per customer was also double ours for data and six times more for voice. I was surprised at the “authority” with which such figures were quoted until I looked at Ofcom’s recent Consumer Experience report. This shows how UK consumer spend on fixed and mobile communications services peaked in 2006 and has yet to recover, albeit it has been rising as services extend to cover more of those parts of the UK previously on crapband: bandwidth that is not fit for purpose – whether the purpose is doing homework, a DEFRA return or watching football.

I also looked at BT’s reported Financial Results as opposed to its press releases.

During the year to March 31st 2013 the capital spend by Openreach in fibre roll-out was said to have accelerated by 5% (to £1,144 million), despite one of the wettest years on record and the consequent demand on engineering resources. However, by Quarter 3 of the current year it was down, by £38 million (13%) over the previous 3rd Quarter. The reason given in the accounts is “reflecting £42 million of grant income relating to our investment in the regional broadband programme”. This appears to mean that BT’s own investment is going down, not up, in response to the contributions from BDUK.

The overall trend in BT capital spend over recent years, despite the surge in investment to handle the Olympics, is down. Overall capex was £2.6 billion in the year to March 2011, £2.6 billion in the year to March 2012, and £2.4 billion in the year to March 2013. It is currently running just below the level of last year, with investment falling in Openreach (local utility infrastructure) and rising in Global (overseas) and Wholesale (bulk connections). Capital investment into BT Retail, despite the need to handle the demand hopefully being generated by the foray into Sport, appears to be the same.

BT has indeed said to investors that its current strategy is to focus on using the entry into Sport to build up consumer demand to make better use of its past investments. BT Retail is having its best year for some time, attributed to the growth of its Sports TV services. However, the increase in revenue in BT Retail is less than the drops in revenue from BT Wholesale and Openreach. It also appears to be less than the increase claimed by Sky during a similar period. Might BT not have done better for shareholders by selling utility infrastructure to Sky and its competitors? Or is the investment really just a large scale negotiating ploy to bring about a series of cross licensing deals for content?

Such analyses and speculations help put BT’s infrastructure investment into perspective.

This appears to be running at about £1.15 billion a year – approximately the same as Vodafone’s annual spend on upgrading its networks to meet its past obligations, prepare for 4G and renovate the networks it acquired from Cable & Wireless. When I last blogged on the scale of UK communications infrastructure investment figures I thought that BT’s broadband investment was running at “£billions a year”. It seems it is actually “£billions over the life of a programme”: no more than that of its largest intra-UK competitor and barely a quarter of the industry total.

Meanwhile we have the Broadband Stakeholder Group saying it cannot understand why anyone needs more than the current average UK speed, while consumers across much of the country complain that “when the football comes on, everything else goes off”.

I have been taking a look at why so many experience poor quality of service despite the nominal speeds claimed by their suppliers. The reasons are many and varied: from problems with old PCs or wiring to response times from the servers they visit. Perhaps the most common problem, however, is the incomprehensible and patronising answer they get when they ask the question: if they can get any answer at all.

Looking at why my own system regularly slows and hangs, I have come to suspect that it is usually waiting: while Firefox, McAfee and others fight their various filtering battles with each other and with the surveillance bloatware attached to the newspaper and other sites that I visit in order to collect material for posts like this.

Hence my growing view that we need a revision of RIPA designed to better enable us all to choose to block surveillance other than by law enforcement or our own choice of ISP. I expect to hear squawks from all sorts of Angry Birds and their allies but this is a debate that needs to be had. I therefore plan to make this point at the forthcoming Real Time Club Debate on which I recently blogged.

In the meantime I would be interested to see who has done what research into why it is that customer experience appears to be becoming increasingly adrift from expectations.

I would also like to know why it is that the UK and EU are so unattractive for infrastructure investment on the part of those who are supposedly sitting on $hundreds of billions of cash reserves made from those going on-line. Is it that the incumbents, regulators and politicians are standing in the way? Or are there other reasons?


February 1, 2014  9:38 AM

Everyone is recording what we do over the Internet: why should the NSA and GCHQ be different?

Philip Virgo Profile: Philip Virgo
Cabinet office, cyberbullying, Data protection, Edward Snowden, GCHQ, Google, IBM, ICANN, ISOC, Nominet

On February 18th I am due to propose the motion “Nobody is telling the truth about cyber security – not even when they think they know what the truth is” at a Real Time Club dinner debate.

I do not plan to accuse anyone of lying, merely of a mix of ignorance, myopia, tunnel vision and “economy with the truth”. I expect to begin by describing the symbiotic relationship between communications surveillance and computing that the Bletchley Park trustees appear concerned to erase from their sanitised version of history. That relationship still lies at the heart of the modern on-line world, as with big data technologies and tools, whose roots lie with the need to digest sigint from the enormous volumes of data passing over the cables serving the main Internet peering points.

Just as “everyone” uses computers today, so “everyone” is recording what you do on line: including to help:

– telcos and mobile operators to charge for and fine tune their services,
– advertisers to better target those they wish to sell to,
– lawyers to police their clients’ intellectual property,
– market and consumer protection regulators, in case they ever decide to do their jobs,
– organised crime with victim selection,
– transaction services to distinguish between known customers and impersonators.

All Edward Snowden has told us is that our national security services are also trying, under semi-democratic control, to use subsets of the same technologies to identify the current and potential enemies of our Governments.

The over-reactions to that “revelation”, like the similar over-reactions to attempts to protect children from on-line bullying and abuse, tell us that the Internet has lost its innocence.

Whatever we do on-line is not only recorded (to enable the packet-switched, store-and-forward, Internet to work at all), but stored (often well beyond the time needed for resilience), analysed (not just to improve performance) and the results are made available (legitimately or otherwise), to a growing variety of “researchers”, lawyers, spooks and organised crime groups.

“They” not only know you are a dog, but which breed and what trees you pee against.

I plan to question the relevance of the EU obsession with Data Protection principles drafted for the age of mainframes, because today our most personal data (including our on-line habits) is being routinely collated, stored and analysed around the world by persons outside the reach of any UK or EU regulator.

I will question the relevance of the obsession of the Cabinet Office and European Commission with Digital Identities and Trust Services, because those running banking and payment services can no longer afford the risk that their certificate providers have been “quietly compromised” (and not just by the NSA). Instead they increasingly use real time transaction profiling to back up their in-house routines.

Meanwhile those who are serious about protecting their organisations and their customers are joining a variety of “intelligence led security” partnerships to not only identify those attacking them but support “asset recovery” exercises to get redress and deter future attacks.

In short: almost everyone is running surveillance operations, whether to identify terrorists, victims or potential customers or those in need of health and welfare services or to attack, exploit, serve or protect existing customers and their families.

But the on-line world has also gone both mobile and ubiquitous. The first fridge has been caught taking part in a botnet attack. To quote the Choco Leibnitz adverts before “Person of Interest” – Who is watching yours?

– The food police for breaching the latest NHS obesity “guidelines”?

– Google or Amazon looking to target advertising?

– Organised crime looking for an exploitable change in your life style?

I look forward to a debate as hard-hitting and informative as when the Real Time Club debated whether Google was a greater threat to personal freedom and civil liberties than GCHQ. That debate was introduced by a former Director of CESG and a senior Google executive.  I do not think that my opponent (one of his current roles is a reporter with the Register) and myself can match their expertise: but, between us, we have half a century of experience with throwing rocks into stinky pools.

P.S. You can book on-line via the Club’s website (the untruth in the booking form concerns my directorships: I have only two and neither affects my impartiality, i.e. my ability to throw stones in any direction without breaking my own windows).

Those looking to actively help in clearing up the current mess of misinformation and apparently contradictory mindsets, objectives and values leading to schizophrenic public policy should also put the following in their diaries:

– Internet Safety Day
– the next meeting of the UK Internet Governance Forum
– the Internet Engineering Task Force (IETF) meeting on 2-7 March in London
– and the ICANN meeting in London from 22 to 26 June.

ISOC England will be taking the opportunity to be involved in both the IETF and ICANN events, including co-chairing the “ISOC in ICANN” meeting on the eve of the ICANN meeting, and the Chair of ISOC England has just sent out an e-mail asking the three thousand or so individuals on their mailing list to get involved, including by channelling inputs on the issues under discussion.

I was persuaded to join ISOC back in 1995, by the then head of IBM’s Internet Strategy. IBM was about to use the Internet Protocols to run the systems for the Atlanta Olympics. He told me that sooner or later the Internet Society would have to develop into the governance structure that would be needed as the Internet matured – because Governments could not be trusted, even if they could agree.

I am still waiting – but the juxtaposition of meetings in London does give the opportunity to “make a difference”.

If you are serious about making the Internet a safer place, rather than run the risk that politicians will do it for you (or rather to you), then you should join ISOC, Nominet and/or ICANN and make your voice heard on the inside.

Alternatively join the political party of your choice and get them to take action – as chairman of the Conservative Technology Forum I have already asked my opponent on the 18th February to lead a group looking at the issues. I also know that the Council of the Digital Policy Alliance is looking at an exercise in co-operation with the European Internet Foundation to help politicians make sense of the current rash of Internet governance initiatives (another one was launched at Davos).


January 20, 2014  12:17 PM

European Commission welcomes US Presidential Remarks and Directive

Philip Virgo Profile: Philip Virgo
bigdata, Cyber security, Data protection, Edward Snowden, European Commission, European Union, NSA, obama, Surveillance

Do read the statement by a European Commission spokeswoman on President Obama’s remarks on the review of US Intelligence programmes.

In my previous blog, a couple of days ago, I compared those remarks, and the accompanying directive, to the assurances given to the Foundation at the start of Isaac Asimov’s saga on the process of shortening the chaos that followed the disintegration of “the Empire”. I led through to the need for a fundamental political rethink in order to avoid, or at least shorten, the period of chaos that will follow the disintegration of the Internet.

The first response, from a leading figure within ISOC, focused on my comments on the On-line Child Protection debate. It illustrated a lack of understanding that the scale and nature of the demands for action from parents around the world (and not just in the UK) may be even more potent than the Snowden revelations. If these are harnessed by those wishing to preserve the Stasi on-line world, because those who wish to restore personal control …

On a more positive note, I enjoyed watching the Musketeers last night and woke up in the middle of the night having dreamt that I was in charge of drafting the NRDP (National Restore Democracy Party) manifesto for the European elections this year.

This was part of the section on European Internet Governance policy:

“The current European approach to Data Protection, Digital Identity, Cyber Security and Surveillance has been overtaken by events and is now over a decade out of date.

The Internet has lost its innocence. Thanks to Edward Snowden we all know that whatever we do on-line is not only recorded (to enable the packet-switched, store-and-forward, Internet to work), but stored (often well beyond the time needed for resilience), analysed (not just to improve performance) and the results made available (legitimately or otherwise), to a growing variety of “researchers”, lawyers, spooks and hackers.

The Data Protection principles, drafted for the age of mainframes, have yet to be properly applied for the Internet age, when our most personal data (including our on-line habits) is routinely collated, stored and analysed around the world by persons outside the reach of any EU regulator.

The Digital Identity principles are irrelevant in an age where confidence in accreditation services (e.g. Diginotar) has collapsed and those running reputable banking and payment processing operations use transaction profiling, not third party trust providers, to back up their own authorisation routines.
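The transaction profiling mentioned here (and earlier, in the February 1 post, as the banks’ fallback when certificate providers can no longer be trusted) is easy to illustrate. The following is an added example, not code from this blog or from any bank: a toy real-time profiler that builds a behavioural baseline from a customer’s past transactions and scores a new one against it, so that a valid-looking credential presented from an unusual country, device or hour still triggers a step-up check or a decline. The customer, amounts, thresholds and the transaction history are all constructed for illustration.

```python
"""Toy real-time transaction profiling (added example, constructed data).

A customer's own history is the trust anchor: a new transaction is scored on
how far it departs from that baseline, independent of any third-party
credential presented with it.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    customer: str
    amount: float   # GBP
    hour: int       # 0-23, customer's local time
    country: str    # ISO 3166 alpha-2 code of the originating network
    device: str     # opaque device fingerprint id


# Constructed history for one hypothetical customer: modest UK daytime
# purchases from two known devices. Not real data.
HISTORY = [
    Txn("alice", 23.50, 9, "GB", "dev-a1"),
    Txn("alice", 41.00, 12, "GB", "dev-a1"),
    Txn("alice", 18.99, 18, "GB", "dev-a1"),
    Txn("alice", 35.25, 13, "GB", "dev-a1"),
    Txn("alice", 52.10, 10, "GB", "dev-a2"),
    Txn("alice", 27.80, 17, "GB", "dev-a1"),
]

# Assumed (constructed) policy thresholds on the cumulative risk score.
STEP_UP_AT = 2.0   # ask for an out-of-band confirmation
DECLINE_AT = 5.0   # refuse and raise an alert


def build_profile(history):
    """Summarise past behaviour: amount distribution plus the sets of
    hours, countries and devices the customer has used before."""
    amounts = [t.amount for t in history]
    return {
        "mean_amount": mean(amounts),
        "sd_amount": pstdev(amounts) or 1.0,   # guard against a flat history
        "hours": {t.hour for t in history},
        "countries": {t.country for t in history},
        "devices": {t.device for t in history},
    }


def hour_distance(a, b):
    """Circular distance between two hours of the day (0-23)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score(txn, profile):
    """Return (risk_score, reasons); higher means more anomalous."""
    s, reasons = 0.0, []
    z = (txn.amount - profile["mean_amount"]) / profile["sd_amount"]
    if z > 3:
        s += 2.0
        reasons.append(f"amount {z:.1f} sd above the customer's mean")
    elif z > 2:
        s += 1.0
        reasons.append(f"amount {z:.1f} sd above the customer's mean")
    if txn.country not in profile["countries"]:
        s += 2.0
        reasons.append(f"unseen country {txn.country}")
    if txn.device not in profile["devices"]:
        s += 1.0
        reasons.append(f"unseen device {txn.device}")
    if min(hour_distance(txn.hour, h) for h in profile["hours"]) > 3:
        s += 1.0
        reasons.append(f"hour {txn.hour} far from usual activity")
    return s, reasons


def assess(txn, history=HISTORY):
    """Decide allow / step_up / decline for one transaction."""
    s, reasons = score(txn, build_profile(history))
    if s >= DECLINE_AT:
        return "decline", s, reasons
    if s >= STEP_UP_AT:
        return "step_up", s, reasons
    return "allow", s, reasons


if __name__ == "__main__":
    for t in (Txn("alice", 30.00, 11, "GB", "dev-a1"),      # routine
              Txn("alice", 95.00, 12, "GB", "dev-a1"),      # large but familiar
              Txn("alice", 480.00, 3, "RO", "dev-zz")):     # everything unusual
        print(assess(t))
```

The point of the design is that no single signal is decisive: a new device alone (a replaced phone) scores 1 and is allowed, a large amount from a familiar context earns a step-up rather than a refusal, and only the combination of unusual amount, location, device and time reaches the decline threshold. A real deployment would learn the thresholds from labelled fraud data and log every decision with its reasons for later review.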

Conventional approaches to cyber security no longer protect against serious attacks. Those who wish to protect their organisations and their customers are therefore joining a variety of “intelligence led security” partnerships to not only identify those attacking them but also use aggressive “asset recovery” techniques against the predators and those in their supply chains to get redress and deter future attacks.

In consequence almost everyone is running surveillance operations, whether to identify terrorists, victims or potential customers or those in need of health and welfare services or to attack, exploit, serve or protect them.

Most of the data needed to digitally impersonate most of us is now out “in the wild”. The “Big Data analytics” technologies, whose use by the NSA has been revealed to the world by Edward Snowden, are routinely used by criminals to identify victims and by financial services organisations to identify attacks on them and their customers, as well as by Internet Service providers to “improve” their services and National Security Agencies to identify terrorists or subversives.

Meanwhile the world has gone mobile. Even on Christmas Day nearly half of all UK traffic was over mobiles. More than half of us now use pay as you go. Moreover the traffic figures are understated, because most of us piggyback our smart phones onto wifi wherever possible to get better speed and keep the charges down.

Things are also about to get much more complicated.

The Corporation of the City of London ordered the immediate removal of surveillance chips (measuring local footfall) as soon as it discovered they had been included, without its knowledge, in smart rubbish bins being piloted in the City.

The first fridge has already been caught taking part in a botnet attack. Who will be monitoring your kitchen appliances?

– The food police for breaching the latest NHS obesity “guidelines”?

– Google or Amazon looking to target advertising?

– Organised crime looking for exploitable changes in life style?

Most of what we are commonly told about the Internet is not true. “They” not only know you are a dog, but which breed and what trees you pee against. Conversely, however, hardly anyone, except those harvesting your profile in order to obtain electronic credentials for sale to fraudsters, is genuinely interested in you as an individual.

We need to bring regulatory policies designed for late 20th Century on-line systems and threats, when on-line was an exception, into the 21st Century, when it is an integral part of the mainstream world, with our lives increasingly dependent on the secure and resilient functioning of a multitude of on-line support systems, which are dependent, in turn, on secure and resilient energy supplies.

So far the issues have been raised in the context of Government surveillance but US-centric players, such as the members of The Reform Government Surveillance Group (Facebook, Google, Twitter etc.), while European players, such as Vodafone, have taken a more international approach.

Whether Europe steps up to the plate with a coherent forward looking approach, in place of the current mish-mash of irrelevant, tick box, regulatory overheads, will determine not only its future as a location for on-line business, but also whether the Internet as a whole survives as a globally integrated service or is fragmented along regional or national lines.

NRDP policy is that we should halt all current initiatives which do not have a compelling business case, showing how the benefits outweigh any possible economic or social harm, pending a review of the basic Commission approach to the regulation of the on-line world and the governance of the Internet.

We believe that the review should have the following objectives in mind:

– That we each own our personal information (from DNA and Biometrics to transaction profiles) and all who presume to collect, copy, collate or use that information owe us a duty of care.

– That …”

And then I woke up.

Suggestions as to what I should have dreamt would be most welcome.
