This one’s for the Prof…

In my previous post I mentioned the very engaging lecture I attended last week, by Prof David Lyon – who spoke about “Identity as Surveillance – Security, Surveillance and Citizenship”.

I do hope he has seen this article from the BBC, on the opening day of the Labour Party Conference: “Lord Mandelson denied entry to conference“, because I’m sure it would give him a good laugh.

Apparently, the Noble Lord, First Secretary of State, Secretary of State for Business, Innovation and Skills, President of the Board of Trade and Lord President of the Council could not, initially, get into the conference because there was a problem with his pass. Maybe they couldn’t fit his title onto it. The press were naturally quick to savour the irony that the man perhaps most identified with New Labour should be unable to identify himself to the satisfaction of the party’s gatekeepers.

What this has to do with Prof Lyon’s talk is this: one of his themes was the way in which identity systems (particularly national ones) permit, enable and encourage judgements to be made about individuals on the basis of “actuarial criteria”, even if other methods would be more reliable (and more respectful of personal privacy).

An example Prof Lyon gave was this: research work by John Taylor and Miriam Lips (full text of paper available online here) investigated the use of online identity data by the DVLA when someone applies online for a driving licence. The researchers noted that the DVLA submits the applicant’s details to the credit reference company Experian, which attempts to corroborate the applicant’s identity assertions by matching them against databases of Credit Applications and Addresses. Experian then applies a weighting which assigns a ‘trust score’ to the applicant’s assertions, based on the apparent quality of the applicant’s digital footprint (as revealed by the database enquiries). These actuarial measurements are then used by the DVLA to govern the subsequent processing of the application transaction.

Prof Lyon’s point was that this ‘trust score’ mechanism goes beyond a simple assessment of whether or not the applicant’s address can be corroborated. The score is enhanced more, for instance, if the applicant’s records indicate that they have had a lot of interactions with clearing banks, than if the indication is that the applicant has had a lot of interactions with mail-order companies.

The implication of this is that subsequent processing of the DVLA application is determined not just by past records, but by inferences based on supposed future behaviours of the applicant – whether or not those inferences are in fact accurate.

Basically, this is what starts to happen, the more you architect systems on the basis of actuarial criteria in support of the categorisation of individuals, and the more you remove notions of human judgement and discretion from the process. Admittedly, that’s not always a bad thing – after all, humans are fallible too. But if you design humans into the process rather than out of it, you get fewer embarassing incidents such as the sight of Labour’s “eminence grise” being locked out of his own conference…

Advertisements

Hostages to fortune

It’s time for that seasonal blog post in which I apologise for the low post-rate, mumble about the holiday season etc. and promise to post more frequently over the coming weeks…

So I thought I would leave some hostages to fortune, in the form of one-liners about what has been keeping me from more frequent posting over the past few weeks. That way I will have to re-visit some of these topics soon and give you some more details. Oh, and it hasn’t just been holiday absence… nice though that was.

Looking at the diary, this current and seemingly constant stream of activity stretches back to the Burton Catalyst conference in San Diego at the end of July; I gave a talk there about concepts of identity and privacy, and it seemed to go down well. One participant was even so kind as to say that it was “the most intellectually stimulating presentation” he’d seen at the conference, which was a fabulous piece of feedback.

Since then, what else has kept me busy:

– two pieces of chargeable work for new consulting clients – one commercial, one academic, which is really good news for Future Identity as a business;

– the Kantara plenary meetings in Las Vegas, including the first face-to-face sessions of the Privacy and Public Policy Work Group, which I am currently chairing through its infancy;

– another presentation, this time at the Society for Computers and Law’s Policy Forum in London. If there’s one thing scarier than public speaking, it’s public speaking to a room full of lawyers…

I’ve also attended two events at which I have, for once, been in the audience rather than on the other side of the podium:

– the Information Security Specialists’ Group of the British Computer Society held a privacy workshop day, including an excellent presentation on Privacy Impact Assessments, given by Toby Stevens of the Enterprise Privacy Group;

– I heard a fascinating lecture at the LSE by Professor David Lyon on “National Identity Schemes as Surveillance: surveillance, security and citizenship”, which was a perfect blend of reinforcement of some of my existing assumptions, challenges to other existing assumptions, and new thinking in several areas. I will do my best to transfer my written notes to a future blog post, because it really was a great talk. Prof Lyon also has a book out on the same topic, which I would heartily recommend on the basis of the lecture.

Oh, and I have a couple of publication deadlines at the moment (count this blog post as a frantic last-ditch piece of displacement activity before I get down to work again…), one for a white paper, and one for a book chapter. Oh, the joys of ‘vanity’ publishing…

So yes, the holiday in the wilds of Turkey was fantastic, warm, scenic, relaxing… and the beneficial effects survived about 30 seconds of contact with the horror that is Gatwick Airport.

Airport security nonsense

Those of you following my Twitter feed may have spotted my micro-rant last Monday about the confiscation of a potential weapon from my hand-luggage at Gatwick Airport. I thought I should follow up with a little more detail. OK – no cheating now: we’re going to see if you can identify the object in question from a number of characteristics which I will describe.

  1. It had already passed successfully through the compulsory hand luggage scan at the main security checkpoint;
  2. It was in the external mesh side-pocket of my laptop bag;
  3. It has travelled by air many times in the same place;
  4. It was confiscated in a further, random screening at the boarding gate;
  5. It is hollow, with a mass of almost exactly 2oz (approx. 56 grams), and a diameter of about 2 1/2 inches (approx. 6.5 cms);
  6. According to the security staff, it is not a risk at ground level, but in the reduced air pressure of an aeroplane cabin, becomes hard and potentially dangerous (!).

OK, I’ll put you out of your misery – the lethal object in question is… a tennis ball.

And why do I carry a tennis ball in my hand luggage? Well, it’s not because I’m a deranged fundamentalist hell-bent on taking over the aircraft; it’s on the advice of my physiotherapist, who recommends I use it to apply targeted pressure to specific areas of my back – especially during or after long-haul flights. On the other hand, you can take on board items such as the following:

  • lap-top power supply adapter and cable (solid 14 oz./380g weight on a handy lead);
  • lap-top security cable (6ft steel cable with a metal lock on the end);
  • bottle of duty-free vodka (1 kg weight with a neck for a handle – also contains lots of sharp glassy bits and flammable stuff);
  • 4oz can of foie gras… hard and solid, with sharp edges when opened;
  • and so on and so on…

I’m going to stop at that, because mulling over the absurdities of this can quickly drive you round the twist. And to the security guys – I know you’re only doing your job, but thanks for the back-ache. To whoever does the risk assessment: get real.

Back at my desk…

… for a few hours, at least.

Apologies for the lack of posts in the last few weeks: I’ve been travelling a lot (and haven’t finished yet); just returned from two weeks of very relaxed holidaying in the wilds of the Turkish coast, and tomorrow I’m off again – this time for work. Going for Total System Shock, in the space of about 48 hours I’ll go from GMT+2 to GMT-8; holiday to work; and rural solitude to… the Vegas Strip.

Next week sees the Digital ID World (DIDW) conference there, and running in parallel with it, the first plenary sessions of the Kantara Initiative. I’ll be chairing the Public Policy Work Group there, and I’m hoping we’ll have great participation from Kantara and DIDW folks alike. The conference will also be the setting for this year’s Identity Deployment of the Year (IDDY) awards, now in their fourth year, and re-designed to take in a wider scope of entries.

I’m unashamedly going to go for the Nevada metaphor here: the privacy landscape (and the policies which shape it) continues to be red-hot, so come and join us as we explore and document it…