Lord Meddlesome?

Somewhat to my surprise, “three strikes and out” turns out not to be Lord Mandelson’s latest contribution to the postal dispute.

Considering all the state roles which encumber Lord Mandelson, Baron of Foy in the County of Herefordshire and of Hartlepool in the County of Durham (at the last count: First Secretary of State; Secretary of State for Business, Innovation and Skills; President of the Board of Trade; Lord President of the Council), I suppose he can hardly be blamed for taking his “disconnection of downloaders” policy out of the oven while it was still only half baked.

Still, it does seem unusually hapless, for reasons including those set out in Lilian Edwards’ excellent post here.

As Lilian suggests, the proposed law seems to place an enforcement burden on a householder, to compensate for ISPs’ inability to narrow down exactly who might be responsible for a given download.

It looks to me as though the proposals will need to include the creation of a new offence, viz. “Failure of the subscriber to control the behaviour of any individual who gains access to the subscriber’s domestic internet connection”. That should give rise to some fascinating case law.

Then there are the other, slightly more esoteric technical options – such as infecting a home PC with malware capable of downloading material and then forwarding it to the attacker’s destination of choice via a peer-to-peer connection; or an insider attack at the ISP – associating illegal download activity with the domestic account of someone who had nothing to do with it…

These may be less probable attacks, but they are certainly feasible – and the higher the stakes, the greater the incentive for an attacker to consider ways of landing some unsuspecting, legitimate subscriber with the disconnection notice. After all, what tools does the average householder have at their disposal with which to disprove such an accusation from the ISP? Again, I look forward to the first court cases on those ones.

I appreciate, of course, that this is ‘just’ another of those classic instances where there’s a fundamental fracture between the policy-makers’ understanding and what is realistically feasible in terms of the technology. That said – if Lord Mandelson claims the mandate to set out a strategy for a Digital Britain, I think we’re entitled to expect that the strategy should be well-founded on a robust understanding of the technology involved.

Nominated for ComputerWeekly blog awards 2009…

Very happy 8^)

I got shortlisted last year, which was fantastic (but of course there was the factor that I could trade off Sun’s reputation as well as anything I wrote…). Since I set up Future Identity, this blog has only been going for under a year, so I am all the more delighted to be nominated this year on my own account.

This year I’m in the IT Consultant and Analyst category. Typing that and reading it back still has a slight aura of unreality about it… but in a good way.

Fingers crossed to make it onto the shortlist… but whatever happens, I’m already chuffed.

One other thought…

The BBC (and David Dimbleby) have also been criticised for putting on what some people saw as little more than an exercise in “bear-baiting”.

It reminded me of a quotation cited by the luckless tutor who had to prepare me for an Ethics paper years ago:

“The puritan hated bear-baiting, not because it gave pain to the bear, but because it gave pleasure to the spectators.” (Thomas Macaulay)

OK… the BNP on Question Time thing…

I’d been wondering whether to say anything about this, but on balance I think there are a couple of points worth drawing out.

As some of my Twitter Fellows* have been remarking, it’s all too easy to be seduced into thinking that, just because all the opinions you might happen to see might happen to coincide with yours (and why not, since that’s probably why you follow each other in the first place), that must reflect the broader view. As it is, there also appears to be plenty of evidence, via online comment channels, that quite a number of people either agreed with Griffin’s views anyway, or disagreed with them but felt he was not given a fair ride.

It’s also interesting that someone, somewhere, sees a villain in every single player in this little drama. Here are some of the criticisms I’ve seen so far:

  • the BBC should not have given the BNP such a publicity platform in the first place;
  • Dimbleby should have been more even-handed and protected Griffin from some of the gang-ups (and not weighed in with a couple of deft jabs of his own, to boot…);
  • Jack Straw’s got no business criticising anyone else’s immigration policy, because Labour have made such a hash of their own one;
  • The rest of the panel (with the possible exception of Bonnie Greer) are hypocrites for papering over their own differences to gang up on Griffin;
  • The audience were un-representatively hostile (which is either their fault, or the BBC’s, or both…);
  • The protesters outside were interfering with free speech, or Griffin’s opportunity to be held accountable, or both…
  • … and so on.

If I have a criticism of the BBC it is that, having decided to go ahead with the programme, they then did as shameless a job of padding and puffing it as any X-Factor final. Driving back from the airport last night, every news bulletin trailed the broadcast, and such a slab of “The World Tonight” was dedicated to it that, by the time it actually aired I felt that I’d heard most of the material already.

I suspect the bottom line is this: I have yet to see anything, anywhere, from anyone to say that the programme changed their mind with respect to Mr Griffin’s views – either in one direction or the other. Even in our televisually-mediated society, then, you can put a racist, revisionist bigot on air for an hour and still not convince his sympathisers that he’s beyond the pale.

On that basis, it has to go down as a failure.

*Fellow (n): someone who is either a ‘follower’ or ‘followee’ of yours on Twitter… (if someone else hasn’t already coined it, you saw it here first, folks ;^)

Identity versus attributes

I’ve had several conversations recently, including one at the TERENA/EMC2 (higher education federation) workshop in Rome yesterday, which suggest that we are gradually overcoming some of the adoption barriers to attribute-based authorisation.

That might sound a bit dry and esoteric, but actually it’s a Good Thing, and intuitively simple. To try and put it in a nutshell: for an awful lot of service access decisions, it’s not actually important to know who the service requester is – it’s usually just important to know some particular thing about them. Here are a couple of examples:

  • If someone wants to buy a drink in a bar, it’s not important who they are, what’s important is whether they are of legal age;
  • If someone needs a blood transfusion, it’s more important to know their blood type than their identity…

In the past, of course, unique identifiers have been used as a way to index that attribute data. You tell me who you are, and I’ll look up the record which associates that identity with all the attribute data I hold about you. Then I’ll make an entitlement/access control decision based on that information.

For understandable reasons, that approach tends to lead to a very disclosure-heavy design. If the first thing I have to provide you with is the index to all the data you hold about me, every request for a service implicitly unlocks everything about me, rather than only that information relevant to this request. In simple and/or hierarchical relationships, and when communication between multiple parties is difficult or impossible, this is a rational (and sometimes perhaps the only) way to do things.

However, the internet undermines some of those assumptions: online service provision relationships are often neither simple nor hierarchical; multi-party communication and transactions are the norm.

The problem is, we’ve ended up by default with the worst of both worlds. We have all the disclosure-heaviness of the previous model, plus the promiscuous communication of the web. And that’s why I think the increasing awareness of attribute-level assertion is so important. It offers far better ways of having multi-party transactions take place with selective disclosure of the user’s data.
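To make the contrast concrete, here is an added sketch (not code from any federation product) of the bar example: an identity-indexed lookup beside a signed assertion that carries a single attribute. The record, the key, the `bar.example` audience and all function names are constructed for illustration, and the HMAC stands in for the public-key signature a real federation would use.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed sample data: one record held by a hypothetical attribute provider.
RECORDS = {"alice": {"name": "Alice Example", "dob": "1990-04-01",
                     "address": "1 Sample Street", "blood_type": "O+"}}
KEY = b"constructed-demo-key"  # shared by provider and relying party (assumption)

def identity_lookup(user_id):
    """Identity-indexed model: the identifier unlocks the whole record."""
    return dict(RECORDS[user_id])

def _age(dob, today):
    d = date.fromisoformat(dob)
    return today.year - d.year - ((today.month, today.day) < (d.month, d.day))

# Each predicate derives exactly one fact from the record.
PREDICATES = {
    "over_18": lambda rec, today: _age(rec["dob"], today) >= 18,
    "blood_type": lambda rec, today: rec["blood_type"],
}

def issue_assertion(user_id, attr, audience, today):
    """Provider: sign one attribute for one audience, with no identifier in it."""
    claim = {"attr": attr, "value": PREDICATES[attr](RECORDS[user_id], today),
             "aud": audience, "issued": today.isoformat()}
    body = json.dumps(claim, sort_keys=True).encode()
    return body, hmac.new(KEY, body, hashlib.sha256).hexdigest()

def verify_assertion(body, tag, audience, wanted, today):
    """Relying party: return the attribute value, or None if any check fails."""
    expected = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # altered or forged
    claim = json.loads(body)
    if claim["aud"] != audience or claim["attr"] != wanted:
        return None  # issued to someone else, or for a different question
    if claim["issued"] != today.isoformat():
        return None  # stale: this sketch accepts same-day assertions only
    return claim["value"]

if __name__ == "__main__":
    today = date(2009, 10, 24)  # constructed date
    print("identity model discloses:", sorted(identity_lookup("alice")))
    body, tag = issue_assertion("alice", "over_18", "bar.example", today)
    print("attribute model discloses:", body.decode())
    print("bar decides:", verify_assertion(body, tag, "bar.example", "over_18", today))
```

The bar learns one boolean and nothing else; the date of birth never leaves the provider, and the audience and date checks stop the same assertion being replayed elsewhere or later.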

That’s not to say that attribute-level assertions are the panacea. There are still knotty problems to resolve, even if we adopt that approach; for instance:

  • managing user consent and control;
  • making selective disclosure appropriate to each given context;
  • defining and enforcing ‘sticky policy’, to protect users’ preferences even after the data has been disclosed;
  • catering for transactions which involve multiple different levels of assurance;
  • defining appropriate metaphors to represent all this to the user…
  • … and so on.

But the signs are positive. Awareness that attribute-level assertions are a key component is a vital first step, and it is heartening to see that awareness rising and becoming increasingly widespread.

Retention versus rehabilitation

There’s news today about five UK police forces who appealed against a ruling that they should delete information about criminal offences from their databases. According to the appeal court judges:

“If the police say rationally and reasonably that convictions, however old or minor, have a value in the work that they do, that should, in effect, be the end of the matter”

With all due respect to their Lordships, I don’t think it should.

They found that if the data retained could be of use to the police, no matter how old or minor the offences in question, then retention was permissible.

Let’s look at the question of ‘minor offences’ first. In one instance cited in court, the police still held a record of the theft, in 1984, of a 99p packet of meat – for which the offender was fined £15. Under those circumstances, keeping a record of the offence 25 years later is surely just disproportionate.

But what of the age of the offence? This is the aspect I find most confusing, and in conflict even with the police’s own FAQ database. Here’s what that says about spent convictions. It clearly states that the purpose of the 1974 Rehabilitation of Offenders Act is to ensure that former offenders’ lives are not permanently blighted by their past actions if they are subsequently law-abiding. It also notes that there are circumstances when a conviction may never become spent (if it has resulted in more than 2 1/2 years in prison), and that for some kinds of work (such as work with children or vulnerable adults) you may have to disclose past convictions even if they are spent. Those conditions aside, though, the website is unequivocal:

“a person who has spent convictions does not have to disclose the conviction to prospective employers”

And there’s a page which says that, if you have been given a caution, that caution is considered to be spent immediately:

“This means that if you are asked on an application form if you have a caution you can reply ‘no’.”

There’s even a page on the Police FAQ which explains what you can do to request that information about spent offences be removed from the record.

The Police FAQ also links to this Liberty table, which sets out the time-table according to which different offences are regarded as spent. In the case of the person fined £15 for taking the packet of meat, that would have been 5 years, halved to 2 1/2 years because the person was under 18 at the time of the offence. And yet, information about the offence is still on the record, 23 years after it was legally non-existent.

Let me just repeat their Lordships’ ruling:

“If the police say rationally and reasonably that convictions, however old or minor, have a value in the work that they do, that should, in effect, be the end of the matter”

Dickens had Mr Bumble assert that “the law is an ass”. In this case, though, the law appears to be quite sensible and clear. The same can’t be said for the way in which it has been interpreted.

Ethics and warmth

I just found this quotation from David Hume:

“it is only from the selfishness and confined generosity of men, along with the scanty provision nature has made for his wants, that justice derives its origin.”

Scanty provision, eh? Is this why so many ethicists come from the barren northern climes*, and rather fewer from Hawaii and other places where nature’s provision is less scanty?

*Descartes, for instance, used to withdraw to the interior of a large oven to work in warmth; Diogenes (who came from balmier latitudes, but lived in a barrel) was once asked by Alexander the Great whether the latter could do anything for him – “Yes”, said the philosopher… “get out of my sunlight”.