OGC releases Gateway Reviews of ID Card project

On one of my bookshelves, there’s a copy of Peter Wright’s memoir, Spycatcher. Published in 1987, the book spurred the then government into frenzied attempts to ban it. Those attempts were fatally undermined by the government’s inability to prevent publication elsewhere – and eventually in 1988 the Law Lords ruled that the book no longer contained anything which could be classified as a secret. I got my copy during a visit to the States in 1987, early enough that I probably broke the law by bringing it back to the UK – though apparently had I declared my contraband on re-entry, customs officers would have been under no instruction to confiscate it.

Oh, how wicked I felt. That sense of mischief faded fairly rapidly as I read the book, though, and the sheer banality of much of its contents became apparent. Don’t get me wrong, it was interesting enough… but to anyone brought up on espionage fiction later than the Joseph Conrad or Erskine Childers vintage, it was all pretty tame stuff. Even real life, in the form of the unfortunate Georgi Markov (assassinated with a poisoned umbrella in London, ten years earlier), outstripped most of Peter Wright’s revelations about MI5’s domestic counter-espionage operations. And did its publication shake our national security apparatus to its very foundations, impairing its very ability to protect us from the foreign menace? Not noticeably, no.

Wind forward two decades, and after a lengthy legal struggle, the Office for Government Commerce (OGC) has finally acceded to a request originally made in early 2005 for the “Gateway Reviews” of the ID Cards project to be made public. The wrangling over whether or not the reviews could be published went to the Information Commissioner, thence to the Information Tribunal, and ultimately to the High Court – and according to SpyBlog cost the OGC at least £120,000 in legal fees, not to mention the administrative time and effort.

Naturally I fell on the released documents in a state of high excitement, eager to see what damning findings they contained. To put it briefly, there is no smoking gun. The Gateway reviews do not contain the secret details of the ID Scheme’s fatal flaw, or evidence of diabolical intent on the part of the Scheme’s proponents. That’s not to say they include no basis for criticism: see SpyBlog’s succinct analysis here for a clear indication of some of the shortcomings revealed.

The reports do contain clear evidence that the fundamental objectives of the scheme evolved substantially between the two reviews (notably, from “Entitlement” to “Identity” cards) – but then, that much has been blatantly obvious despite, or perhaps because of, the whirl of departing and arriving Home Secretaries over the years.

One can also see the review team’s concerns about the complexity of the project in organisational and technical terms, and gauge whether subsequent moves have mitigated those risks.

Finally, the first review in particular also includes revealing comments about who the scheme’s principal beneficiaries are expected to be, and what level of user consent is assumed. There is no mention of the sharing of citizen data – something which is now surely an unavoidably large feature of the landscape.

None of these revelations, though, is fundamentally surprising – though it would be newsworthy if subsequent releases showed that the reports had been ignored as the policy and its implementation were taken forward.

In the Spycatcher case, arguably, far worse than anything which resulted from publication was the damage done to the Government’s credibility by its frantic attempts at a ban. Its pursuit of the matter through the courts made it, and the law, look increasingly asinine.

In the Gateway Review case, the OGC has been at pains to state that its decision to abide by the High Court’s decision does not set a precedent.


cnet review of a week trying IE8

I’ve just been reading Steven Shankland’s review of his week using Internet Explorer 8 as his default browser. I haven’t tried it yet, so I am in no position to offer an opinion of my own. That said, there are a couple of things which stood out when I read the review.

“The sluggishness problem got worse as my Lenovo dual-core laptop’s 3GB memory was taxed by running the 10 or 12 programs I need to do my job. Most days, I shut down my Windows XP work machine once a day without thinking much about it. But during IE 8 week, I found myself craving a fresh start by mid-afternoon. IE 8 didn’t bear the load as gracefully as rivals, especially as the tabs piled up.”

A dual-core machine with 3GB of memory…? Shut it down once a day…? Mid-afternoon re-start…? Whatever the relationship may be between running 10 or 12 programs and IE, and sluggish performance, I suspect that a lot of Linux users will be raising a quizzical eyebrow at that paragraph. For example, I run Ubuntu on a 2.6GHz Pentium 4 with 1GB of memory. Before Ubuntu, the same machine ran Java Desktop System. I frequently use the ‘multiple desktop’ feature so that I can have email on one desktop, browser on another, OpenOffice on a third, and so on – though I freely admit I rarely have more than half a dozen applications active at any one time.

However, performance is not an issue, and I have long since forgotten what it’s like to have to reboot a machine part way through the day just to get it to run faster again.

Quite possibly what the cnet review uncovers is a set of parameters for which IE8 was not designed or optimised… but all the front-end gloss in the world is not much use if it’s too slow, or if you have to structure your working day around the need to jump-start it from time to time. I had a 1974 Mini like that once (except without the front-end gloss).

MPs expenses – another useful lesson

Whatever my feelings about some MPs and their expense claims, I have to be grateful to them for providing, today, yet another good case study on personal data. Yesterday, I remarked in passing that ‘there are many other ways in which that information can reach the public domain’.

Today’s news story reveals one of the more powerful – the pull of money: apparently £300,000 will get you a leaked copy of all their receipts.

Back in November 2007, in the wake of the HMRC data breach, I referred to the bon mot which Willie Sutton apparently never uttered – that he robbed banks because “that’s where the money is”. Whether he did or did not, the principle holds good: the theft of personal data is attractive because there’s money in it.

Home Secretary "shocked" by digital footprint

I don’t really care whether the Home Secretary claims her ISP costs without remembering to cross out the “personal use” items – though as someone who has occasionally had to distinguish between personal and business elements on a single phone bill, I am at a loss to see what is so hard about doing so.

I care even less who watches which films in the Smith/Timney household – and if those give rise to frank exchanges between the couple, that’s entirely a matter for them.

However, I wonder if this has had any effect on the Home Secretary’s awareness of her digital footprint. Our online activities, whether by mobile phone, landline, broadband, cable or satellite, all leave a track, whether we intend them to or not – as Mr Timney has discovered. Admittedly, that doesn’t necessarily result in Daily Express coverage for every one of us, but the information is there nonetheless, and there are many other ways in which it can make its way into the public domain.

I doubt, though, whether this will materially affect current plans for the mass interception of communications data and the rumoured monitoring of social networking sites.

“[T]he EU Data Retention Directive, under which ISPs must store communications data for 12 months, does not go far enough” – Home Office security minister Vernon Coaker (March 16th 2009).

Will the real Ceadúnas Tiomána please step forward?

Thanks to Richard Veryard for spotting this and Twittering about it…

Apparently the Gardai noticed that a disproportionate number of motoring offences were being committed by a Mr Prawo Jazdy. On investigation, this turns out to be the Polish for “driving licence”.

It reminded me of my father’s stories of English army officers trying to map the interior of southern Arabia with the help of native guides. The officers typically didn’t speak much Arabic (beyond useful map-maker’s phrases like “what’s this called?”), and the guides, soon growing bored, started to give frivolous and sometimes coarse answers. As you might well do, given the priceless opportunity to put one over on the colonial intruder.

The mischief was often only discovered when users of the resulting maps, more versed in the Arabic language, found they were navigating via features such as “My *rsehole”, “What do you think?” and “Mt. Your Finger”. I don’t know how the guides could have kept a straight face.

Se non è vero, è ben trovato

PrimeLife meeting in Frankfurt

Well, as the Twitter channel wasn’t working for me at the time, here’s a quick update about the PrimeLife workshop I have just attended in Frankfurt. PrimeLife is an EU part-funded project which follows on from the PRIME (PRivacy and Identity Management in Europe) project. It seeks, among other things, to turn some of PRIME’s principles into practical privacy-protection over (and beyond) the life of the citizen/data subject. I am fortunate enough to have been invited to be on its Advisory Group – hence the trip to Frankfurt.

It’s a little unfair to pick specific sessions from what was a very productive and thought-provoking workshop, but I’m going to do so anyway… life isn’t always fair, after all. The two discussions which I found particularly interesting were on ‘identity and privacy in social networking’ and ‘managing personal information throughout life’.

I won’t try to reproduce either of them here, but for instance, the social networking session raised intriguing questions about implicit and explicit disclosure, and the risk assessments users make on the basis of perceived risk. As you might expect, those risk assessments are often likely to be fundamentally flawed.

Here are a couple of examples which I found particularly striking:

– “I’ve uploaded some photos from last weekend’s party – but it’s OK; I haven’t labelled who’s in them, so the only people who will recognise you are the people who know you anyway”. Except that facial recognition software can render that assumption invalid. You might argue that the face-matching capability is not in the hands of every individual… but I’d counter that that’s only a matter of time (grid/cloud computing and Moore’s Law being what they are), and the photos will still be there when it is. In the meantime, there are plenty of organisations with the capability and the motivation to crawl the web matching faces to individuals and individuals to market segmentation profiles.

– “I have a MySpace account I use for social stuff, and a FaceBook account I use for family stuff. But I want to keep them separate, so one of them is pseudonymous.” Apparently not only facial recognition, but also ‘background recognition’ algorithms are good enough now to start making matches on that basis, and that kind of capability can nullify a lot of other steps you might have taken to try and enforce separation between personas. Even if you’re not in the photo, there could well be enough data there (background, time/date) to make it linkable.

Worried? Then you probably shouldn’t read this.

The discussion about life-long management of personal data of course raised the issue of what to do when the data subject is not capable of managing either their personal data or their privacy on their own behalf – for instance, through illness, incapacity or, in extreme cases, death. The latter is not a trivial case, and there was much debate about whether systems should be designed with a ‘recovery mode’ in mind. Not, I hasten to clarify, for reanimating the deceased… but to make it possible for executors and/or trustees to get appropriately controlled access to someone’s ‘digital legacy’. After all, the more we live our lives online, the more of our information and assets are likely to be found there (rather than in a dusty box of papers in the attic).

Fascinating stuff, and looking at the PrimeLife participants, I think their investigations and conclusions are going to be well worth keeping an eye on over the next two years.

Figures, statistics and cost-of-cancellation

‘Home Secretary says undoing ID Cards project will cost £40m’…

I know I’m by no means the first person to have commented on this story, but for the heck of it, here’s my 2-penn’orth.

Not unexpectedly, the opposition has taken the opportunity to re-cast one of their objections to the National ID Cards scheme (NIS) as a “how can the Government commit us to £40m of wasted public money at a time when the public finances are already in such dire shape?” question.

In some respects I think the criticism is unfair; for instance, it was not Jacqui Smith who (as one might infer from the Computing article I linked to) wrote cancellation clauses into the contracts with NIS suppliers. That happened long before she arrived at the Home Office, and even longer before the effects of the economic downturn really started to bite. If the shadow Home Secretary, Chris Grayling, has only just noticed the cancellation clauses, he must have been asleep for some time.

In other respects, however, the story uncovers all the same confusions and confabulations which have made it so hard to take policy statements on the NIS seriously.

For instance, here’s one line of reasoning put forward by the Home Secretary (at least, according to the Computing article):

– Cancelling the ID cards scheme will cost some £40m in cancellation fees;
– Cancelling the ID cards scheme will therefore ‘not free up a large fund of money to spend on other priorities’;
– Cancelling the ID cards scheme is therefore not worth considering on grounds of cost.

As Richard Veryard has observed, if spending £40m removes the commitment to spend £4bn, that looks like a pretty good net outcome.

The riposte to this appears to be “Ah, but the ID cards scheme won’t cost £4bn anyway… the cards actually only account for £1.19bn of the budget, with a further £550,000,000 to £750,000,000 for storage of biometrics”.

At the risk of being accused of shooting fish in a barrel… writing off £40m to save £1.19bn, £1.74bn or £1.94bn still doesn’t look too fiscally imprudent to me. The broader point, though, is this: yet again, the overall NIS policy is being justified on the basis of confusing (whether deliberately or otherwise) the authentication functions, the biometric elements, the databases which enable those other parts to work, and the little piece of plastic which you may or may not end up carrying in your wallet. Or, according to various ministerial statements, your shoe*.

The point is that as long as policy statements perpetuate this confusion, most citizens will tend to assess the risk/benefit of the NIS on the basis of the physical part of it which is tangible to them; the “terrifying, small… plastic card”. That is not an adequate basis for informed consent.

* This rather gnomic comment relates to public statements like this, which I and others have heard made at ministerial level (this is not verbatim, but is accurate in essence): “Every weekend, the Passport Service receives hundreds of passports which have been sent in from nightclubs where they have been left behind/dropped by young ladies who needed something to prove their age, but had nowhere to keep something the size of a passport. What those young ladies need is a proof-of-age credential which is credit-card sized and can therefore be slipped conveniently into their shoe.”

Problem solved. I don’t know why I have been being so selfish. Of course my biometrics can be recorded in perpetuity… as long as it means that all female clubbers who are of legal age but don’t look it can have a credential which fits into whatever footwear Young People wear nowadays when they frequent the discotheque. Proportionality, my iris.