A pointer to "Tech And Law" blog

Some excellent posts on the Tech and Law blog, which deserves to be in your feed-reader (and not just because I get a mention ;^).

Notably good pieces on:

  • the sensible and other uses of RFID in credentials;
  • the apparent poor maturity of UK ID Card plans relative to those of other EU member states;
  • plans for US Government ID schemes to cater for anonymity and pseudonymity;
  • Conservative plans to get rid of ID databases, not just ID cards…

There’s also a post (21st July) on Daniel Solove’s recent comments about privacy, gossip and the indelible Web. This is a theme which I think is going to filter into the collective consciousness – and the sooner the better, I think. It’s one which I have summed up recently as follows:

There’s no such thing as “social networking”. There’s “social interaction” and there’s “networking”. If you assume that both operate by the same rules (regardless of how tempting appearances may make that assumption) you’re fooling yourself. Admittedly, that’s just what a lot of us are doing these days – but we don’t yet know what the implications of that mass consensual delusion are.

Anyway, head over to Tech & Law’s new URL and have a read. As Chaucer put it:

“Ye get namore of me, but ye wole rede / Th’origynal that telleth al the cas[e]”.

Marketing expertise…

Have been thinking, recently, about how to improve the visibility and image of Future Identity Ltd.. After considerable thought, have concluded that the PR Agency to engage is whoever it was that came up with the term “Athlete’s Foot”. Think about it…

“Hey, how would you like to have a high-performance, athlete’s foot instead of those merely normal feet you have now?”

“Wow… athlete’s feet, those sound much better than normal feet… or ‘foot fungus’, come to that.”

See what I mean? By contrast, think of the humble verruca or plantar wart. Clearly didn’t engage the same high-calibre team. Otherwise it would be called something like “amphibious foot”…

UK e-Borders faces practical challenges

There’s a good piece in Computing today on the UK’s e-Borders programme – the project to extend and digitise passport checks on travellers heading for the UK. It rightly raises the prospect of challenges to the system over issues like cost, and compliance with EU laws on data-sharing and freedom of movement.

However, there are some foreseeable practical issues as well, and the commercial carriers who will be responsible for much of the ‘front-office’ implementation are already voicing their concerns. The programme director, Julie Gillis, is quoted as saying that:

“There is no system yet in place for maritime and that’s why they’re not going live until 2010,” Of those implementers who have gone live, she says “We’ve had no one report to us yet they have suffered problems with queues.”

Facial biometric checking is already included in the system’s design, and from 2011 fingerprints are to be added – and the functional requirements mean that the systems to carry out these checks have to be put in place by the carriers at the point of embarkation.

That must be one reason why there’s no system in place yet for maritime travellers: the practicalities of checking either facial or fingerprint biometrics for a car-full of passengers – let alone a coach-load – must inevitably mean radical and major changes to the way in which ferry travellers are processed.

With all respect to Ms Gillis, I would say the chance of all maritime carriers going live with such a process in 2010 and reporting no problems with queueing time is zero. If we assume that there is the political will to force through change on the scale (and at the cost) required to meet those objectives, there would still be serious questions to answer about the proportionality of what is being proposed.

UK DNA policy – four uneasy pieces

Some thoughtful challenges to the government’s policy plans on DNA retention have appeared recently. The current policy is under review because of a European Court of Human Rights ruling that the retention of DNA from those who are arrested but not subequently charged breaches EU law.

Article in the Guardian, arguing that the current policy proposals are based on flawed evidence and interpretation;

Paper by two professors from Lancaster University, cited in the Guardian article;

– Blog post on Dr Ben Goldacre’s “Bad Science” blog with some trenchant criticisms of the Home Office research into the statistics of criminal activity;

And here’s the Home Office consultation paper referred to by Dr Goldacre.

Here are a couple of statements I found in these sources, which indicate some of the difficulties of formulating policy statements on the basis of statistical investigation:

“innocent people who have been arrested are as likely to commit crimes in the future as guilty people” – Assertion from the Home Office paper

“half of all crimes are committed by something like 6% of persistent offenders” – comment by Prof. Keith Soothill (University of Lancaster)

I find it hard to see how both of those statements can be true… but then, that’s probably why statistics and I have never really got on.

Is 118800 a red herring?

You know what? I’m actually starting to feel twinges of sympathy for the folks at Connectivity. There are two pieces in the Guardian devoted to the suspension of their mobile directory enquiries services, one from yesterday and one from today.

Now, I’m not trying to argue that basing the service on an “opt out” principle was a good idea – it wasn’t. But at least Connectivity set it up in such a way that you would first find out that someone had looked you up, then have the opportunity to decide whether or not to take the call, and then have the option of asking to be removed from the list. All this would happen without the requesting party being told your number. So in a way, there was at least a certain amount of privacy-friendliness built into the protocol. Whether that made it a good idea for Connectivity to be sitting on a database of numbers which might get shared with other service providers is another question entirely.

However, any slight twinges of sympathy at Connectivity’s plight are (and should be) rapidly displaced by a concern that all this high-profile coverage is distracting us from a more significant issue: namely, the means by which Connectivity were able to populate their directory in the first place. As I’ve suggested above, the way they set up their enquiry protocol show at least some concern for the data subject’s privacy. The same cannot be said for those data brokers who handed over their subscriber lists to Connectivity in the first place.

It’s just that, as they are not in a part of the food chain which is normally visible to the data subject, they don’t come under the same kind of scrutiny as the company which delivers a service direct to the consumer.

For all the focus on Connectivity, we should not pass up on this opportunity to shine the spotlight on the behaviour and regulation of the intermediaries who made Connectivity’s business model possible.

Detica MD describes UK privacy debate as "immature"

The MD of UK defence contractor Detica, Martin Sutherland, is quoted in this Register article as saying that the UK privacy debate is ‘immature’. (Thanks, by the way, to @privacyint for the pointer to the article).

The argument – at least, as it comes across in the article – is roughly this: the pace of technological advance means that huge amounts of data can and will be collected about you… so there’s no point bleating on about data collection: the debate needs to move on to more productive topics, such as controlling what’s done with the stored data.

With respect, I think Mr Sutherland’s got it the wrong way round. If the current state of affairs is that lots of data about lots of people is collected by default but not well managed thereafter, then fair enough, one step towards maturity would be where lots of data about lots of people is collected by default but is well managed thereafter… but a more mature approach still would be to pre-empt the indiscriminate collection of lots of data by default in the first place.

I agree with him from a technology perspective, but not from a privacy one.

From a commercial perspective, of course, I can see where he’s coming from. The article goes on to explain how Detica’s data mining and pattern detection products improve the accuracy with which data can be processed and interpreted, and fair play to them – I’ve seen some of the examples, and it’s impressive stuff. But it’s only tangentially to do with the UK privacy debate.

What about the policy perspective? Well, this is where I think the article is potentially quite damaging. I have no doubt that Detica’s “confidential accounts” use these tools diligently and with great care as to data security, access control and so on. After all, that’s what the intelligence services are supposed to be good at. But what about those other organisations who, through departmental dysfunction, crippling bureaucracy, inadequate governance, insufficient resources, poor training or even indifference, do not or cannot do as good a job of managing the data they collect?

For these organisations (and, more important, the citizens and consumers they interact with), the message that ‘data collection is going to happen anyway, so take that as read and focus your efforts on data management and access control’ is not one which moves the privacy debate any closer to maturity.

It’s unfortunate, then, that that message appears to be coming from the head of a contractor in whom policy-makers and government departments (albeit rightly) place so much faith.