Compounding errors and debit interest

Well – good news on the home finances front; now that my offspring’s student loan cheque for this year has come through, I’ve been able to pinch it and pay off a chunk of my credit card debt. After all, she’s got a whole working life ahead, during which to pay off the debt, so why not? Plus, it’s not really her money to start with, so she probably won’t miss it much.

Actually, I made that up. Would I pull such a scurrilous trick? Well, that might depend whose example I was following.

I saw on the news yesterday that Gordon Brown has joined with Nicolas Sarkozy to propose a $10bn fund to help developing nations mitigate the impact of climate change measures. Laudable as that goal may be, the proposal does smack of what Mr Brown said as Chancellor ten years ago about writing off third world debt…

At the time, he derived huge political capital from the move, and yet by 2004 the tangible results hardly reflected the rhetoric:

“Zambia, which receives the maximum relief available under the scheme, still paid out £313m in 2003 – three times its combined education and health budgets of around £100m” – Third Sector website, 24/3/2004

As I say, the goals are laudable, but Mr Brown’s pronouncements on the world stage must surely ring hollow to an electorate which has seen him make so many generous gestures… with other people’s money. We’ve had his notorious and irreparable raid on the pension investments of millions of taxpayers, and of course more recently his massive programme of bail-outs and stakeholdings in UK banks, funded by the public purse. Whatever the policy imperatives, these moves have ensured that our children will shoulder a burden of debt throughout their economically active lives, and will finish with even worse pension prospects than the current generation.

Even this current proposal (to offset poorer countries’ climate change measures) has attracted criticism; according to the Ekklesia site here, the way the deal is structured may simply aggravate developing countries’ debt problems – while still allowing the funds to be used, for instance, to build coal-fired power stations. That sounds a lot like a lose-lose to me.

ComputerWeekly IT blog awards…

So, no cigar this year in the ComputerWeekly IT blog awards, but it was an honour to be shortlisted for a second year running, especially as this year it was for the relatively infant blog of Future Identity. Thanks so much to all those who voted for it.

Many congratulations, then, to Alim Ozcan, whose blog on ITP Report won the IT Consultant/Analyst category, and Graham Cluley of Sophos, who won the IT Security category and the “Best of the Best” award.

UK DNA policy (still) fails proportionality test

It is now a year since the European Court of Human Rights’ (ECHR) ruling on UK vs. S and Marper. The court’s ruling in that case was clear: the UK government’s policy of systematic and indiscriminate retention of DNA samples, DNA profiles and fingerprints of those acquitted of any offence is disproportionate. The government had, it says,

“overstepped any acceptable margin of appreciation in this regard”.

Grudgingly and slowly, the government is considering amending its policy – but only to the extent of conceding on indefinite retention. [Editorial update: as of December 9th, the Council of Europe expressed its concern that the new proposals probably still fail the proportionality tests required by the ECHR. They are keeping the dossier open, and will review the UK position again in March 2010].

Under the Home Secretary’s current proposals, the data and samples of the innocent are now only to be held for 6 years (there’s an excellent summary paper here, on the House of Commons Library website). The ruling in full is accessible online here. It’s well worth a read; almost every paragraph contains something to back up the view that the policy on DNA retention is intrusive and obnoxious. For instance, how about this section on the Police and Criminal Justice Act 2001 (my emphasis):

27. As to the retention of such fingerprints and samples (and the records thereof), section 64 (1A) of the PACE was substituted by Section 82 of the Criminal Justice and Police Act 2001. It provides as follows:

“Where – (a) fingerprints or samples are taken from a person in connection with the investigation of an offence, and (b) subsection (3) below does not require them to be destroyed, the fingerprints or samples may be retained after they have fulfilled the purposes for which they were taken but shall not be used by any person except for purposes related to the prevention or detection of crime, the investigation of an offence, or the conduct of a prosecution. …

(3) If – (a) fingerprints or samples are taken from a person in connection with the investigation of an offence; and (b) that person is not suspected of having committed the offence, they must except as provided in the following provisions of this Section be destroyed as soon as they have fulfilled the purpose for which they were taken.

(3AA) Samples and fingerprints are not required to be destroyed under subsection (3) above if (a) they were taken for the purposes of the investigation of an offence of which a person has been convicted; and (b) a sample or, as the case may be, fingerprint was also taken from the convicted person for the purposes of that investigation.”

Even the ECHR judges somewhat understate the case against retention – for instance, in this paragraph:

“78. It is common ground that fingerprints do not contain as much information as either cellular samples or DNA profiles.”

Unfortunately, that is not accurate. The fingerprints themselves (as opposed to any scanned or photographic record of them) consist of natural oils and skin cells – which of course contain the subject’s DNA. There is plenty of published material on the practicalities of small-sample DNA analysis, and the technique has been used by UK law enforcement agencies. In other words, fingerprints not only contain the same information as cellular samples, they contain cellular samples in a very individual layout – the fingerprint itself.

But I digress…

What I really wanted to do was point to three excellent blog posts on the “justification” for DNA collection and retention in the UK system.

The first is this one from Privacy law specialists Amberhawk – correlating the government’s own re-offending statistics with their assertions about the benefits of 6-year retention.

The Tech and Law blog has further analysis of the Amberhawk piece, here, including a link to a trenchant letter questioning both the practicality and the proportionality of the current policy.

And finally, Toby Stevens adds his excellent analysis here, setting out (among other things) four fundamental flaws with the current approach. In passing, he notes that the UK’s national DNA database is (perhaps thankfully) unique; no other country has one like it, or uses DNA in the same way.

Which brings us back to the ECHR’s judgement in UK vs S and Marper. Sections 47 and 48 of that judgement bear repeating in full (my emphasis):

“47. The United Kingdom is the only member State expressly to permit the systematic and indefinite retention of DNA profiles and cellular samples of persons who have been acquitted or in respect of whom criminal proceedings have been discontinued. Five States (Belgium, Hungary, Ireland, Italy and Sweden) require such information to be destroyed ex officio upon acquittal or the discontinuance of the criminal proceedings. Ten other States apply the same general rule with certain very limited exceptions: Germany, Luxembourg and the Netherlands allow such information to be retained where suspicions remain about the person or if further investigations are needed in a separate case; Austria permits its retention where there is a risk that the suspect will commit a dangerous offence and Poland does likewise in relation to certain serious crimes; Norway and Spain allow the retention of profiles if the defendant is acquitted for lack of criminal accountability; Finland and Denmark allow retention for 1 and 10 years respectively in the event of an acquittal and Switzerland for 1 year when proceedings have been discontinued. In France DNA profiles can be retained for 25 years after an acquittal or discharge; during this period the public prosecutor may order their earlier deletion, either on his or her own motion or upon request, if their retention has ceased to be required for the purposes of identification in connection with a criminal investigation. Estonia and Latvia also appear to allow the retention of DNA profiles of suspects for certain periods after acquittal.

48. The retention of DNA profiles of convicted persons is allowed, as a general rule, for limited periods of time after the conviction or after the convicted person’s death. The United Kingdom thus also appears to be the only member State expressly to allow the systematic and indefinite retention of both profiles and samples of convicted persons.”

Three-way translation

In my previous post on cookies and privacy in the new EU Directive, I mentioned, in passing, the question of user consent. I think it’s time to return to that for a closer look. First, a couple of references to set context:

  • Ralf Bendrath’s comment, here, on the recently-adopted Stockholm Programme. This, he notes, includes an amendment in which the European Parliament

“… stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to fundamental rights obligations. The balance between security and freedom is to be seen in that perspective”.

This is a clear indication of the way the Parliament thinks that balance ought to tilt.

  • This analysis from Pinsent Masons’ Out-Law blog, in which they compare the text of the new cookie law with the interpretation of the same by some online advertising bodies. The advertisers point to a clause in the preamble of the telecom package, which says:

“Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC [the Data Protection Directive], the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.”

According to the advertisers, this lets them off the hook – because a user’s consent can be inferred from the fact that their browser is set to allow cookies or block them.

However, there are several rather fatal flaws in that argument. A couple are pointed out by Struan Robertson (whose previous analysis I quoted in my other post):

“Most browsers don’t default to blocking all cookies and most people don’t change their browser settings, so it’s hard to say that effective consent is conveyed by browser settings,” said Robertson. “Also, browsers can’t tell you the purpose of a cookie.”

On a strict interpretation, the point about “purpose” ought to be fatal in itself: it would generally mean that relying on the browser setting to imply consent would fail the test of compliance with the Data Protection Directive (purpose of collection == purpose of use); if the user has no indication of purpose of collection, how can they meaningfully consent (and how can inappropriate use be detected)?

Next – given the number of people who pay little or no attention to the default cookie settings of their browsers (assuming they are even aware of them in every browser or internet terminal they use), it would be tough for a website owner to prove that the setting in effect on a given visit was chosen by the user, as opposed to merely being a default setting. What’s more, the new law repeatedly mentions the need for the user to be clearly informed before access is effected to their device – so this law isn’t just calling for implied consent, it’s calling for informed and explicit consent. (Note the clear qualification in the preamble: “Where it is technically possible and effective…”).

Now, it’s fair to argue that explicit consent is an unreasonable expectation unless and until there is a general change in people’s awareness of cookies… and advertisers will doubtless maintain that it’s not their fault we like to ignore or dispense with cookie warnings in the interests of convenience. But that argument can also reasonably be countered by saying that poor consent-seeking practice up to now can hardly be used to excuse it in future.

Finally, the Pinsent Masons article makes one other extremely valuable contribution to the debate, in quoting Commissioner Reding’s clarificatory comments on the question. I use the word clarificatory in its loosest possible sense.

According to the Commissioner, there are two kinds of cookie: “technical cookies”, without which the internet would cease to function (and which, therefore, we are presumably to allow without question), and “spy cookies”, which are the ones this law is clearly intended to regulate.

This reminds me of that Not The Nine O’Clock News sketch in which a disgruntled aide induces his president to include phrases like “cupcakes” and “big, floppy, dangly bits” in a public address.

Quite apart from the glaring absurdity of browser manufacturers now having to enhance their products to include a Privacy Settings option which allows users to turn “spy cookies” off while leaving “technical cookies” in place, there’s also the minor (though not entirely unexpected) problem that the law itself does not, of course, make any mention of these mythical creatures.

We all understand the difficulties which can arise when a legislator tries to express technical concepts in terms which are meant to be accessible either to other legislators or to the general public – but the perfectly-coiffured Commissioner has been in post now for almost exactly five years. Surely that – and her professional career as a journalist – must have taught her the danger of such ill-conceived dumbing-down?

Revenue Protection Support Staff

This blog post is named for the people First Great Western employ to make sure no-one travels on their trains without paying.

Although I live only 20 minutes’ walk from the nearest station, and used to use FGW to commute 2-3 times a week from there to Paddington, I no longer do so – preferring to drive 50 miles and take a (South-West) train to Waterloo instead. It takes the same time, door to door, and saves me £50 compared to the cost of a standard return ticket with FGW. And yes, I am including the cost of the petrol for the 100-mile round trip drive. It’s insane.

To get to last week’s e-Government conference, I took the train from Copenhagen airport across to Malmo. Unfortunately I cocked up the ticket-buying process in most respects: what I thought was an “open” return turned out to be only a 24-hour one, and in any case I didn’t realise, in my rush to board the train, that I was supposed to validate the ticket in a machine on the platform.

To make matters worse, I didn’t discover any of this until the return rail journey, when a ticket inspector was doing his rounds of the carriage. As the various errors emerged, my heart sank. Having seen other people go through the equivalent process at the hands of FGW’s Revenue Protection Support Staff, my immediate reaction was “this is going to be expensive”. However, he assured me there was no need to worry, explained about the ticket validation and return period, endorsed my ticket with a date/time of outward journey, wished me a pleasant journey, and that was that.

Oh, and incidentally, that service runs every 20 minutes, all day, every day.

If you travel by FGW, they don’t call it a train – they call it a “service” – or at least, they did when I last used one. I don’t think that word means what they think it means.

Notes from Malmø eGov2009

Earlier today I Twittered from the Ministerial eGovernment Conference in Malmø (#egov2009), expressing the hope that the press release would contain a bit more substance than the keynote announcement of the Ministerial Declaration. I am delighted to say, having got my hands on a copy of the full text, that it does. (PDF of the Declaration available online here.)

First, though, here were the policy priorities announced by Mats Odell, Sweden’s Minister for Local Government and Financial Markets:

  • Use eGovernment services to empower citizens and businesses;
  • Improve mobility in the single market;
  • Improve efficiency and effectiveness in eGovernment.

On that basis, you can probably see why the initial announcement left me somewhat underwhelmed. Was this, I wondered, really the culmination of four years’ policy and implementation work since the Manchester Declaration (which, at the time, I had actually thought was quite good…)?

Second, I have to say there is also still quite a lot in the full text which mostly prompts the reaction: “Oh…. well, weren’t you either doing, or supposed to be doing that anyway?”. For instance, Article 13 promises to involve stakeholders in public policy processes. Well, good.

Incidentally, while we’re on page 3 of the document, Article 12 will raise more than a few hollow laughs:

“We will explore how we can make our administrative processes more transparent. Transparency promotes accountability and trust in government”.

Not 10 days ago, the Court of Auditors declined to sign off the accounts of the European Commission for the 15th year in a row. Is it facile to suggest that as a starting point?

That good old standby “reduction of the administrative burden for citizens and business” still gets an airing (Article 17) – and rather disappointingly, “respect for privacy and data protection” gets buried under that heading, whereas I would have thought it deserves to headline in an article of its own.

Article 18 is a bit “meh” as well: policymakers should “consider how organisational processes could be improved”. Laudable, but it doesn’t exactly make me want to run out and have it printed on a t-shirt.

OK, so having got some of the gripes off my chest, what did I pick out as being positive aspects of the Declaration?

Well, actually, the opening Background statement is pretty good. It notes that the economic, social and environmental landscape is grim, and that despite (or perhaps even because of) that, citizens’ expectations for open, flexible and collaborative government are high.

It goes on to acknowledge that eGovernment extends beyond national boundaries, and across the divide between the public and commercial sectors.

It also suggests – which I think is fair – that some of the progress to date in e-government, and in collaboration between different member states, has happened because of the political will expressed through the precursors of this year’s Declaration.

Other positive signs:

  • The tone of the Declaration is one which acknowledges that the eGovernment services of the future will be co-produced by citizens and third parties. That might not be going far enough, of course: there’s already evidence that citizens and third parties are creating public services without the direction or collaboration of government – so the latter might find that it needs to re-calibrate its notion of “open and collaborative” quite radically.
  • There’s an explicit call, in Article 19, for public administrations to exploit IT in their efforts to reduce carbon footprint.
  • Article 21 is explicit about the benefits of using open specifications – not least, to stimulate effective and open competition in the market. If the political will persists to enforce that effectively over time, the potential benefits are huge.

There’s more (if you count the nested lists, there are about 40 paragraphs in total), and in essence the full text does a lot more than the keynote suggested. I compared it rather unfavourably with the Manchester Declaration earlier; in retrospect that’s probably not giving a fair picture.

The current Declaration treats some of the key Manchester themes almost as “solved problems”: for instance, “trustworthy electronic identifiers” for citizens pops up only in Article 26 (d) – in the final recommendations – with a note that “activity should be intensified” and “gaps closed in cross-border interoperability and mutual recognition”.

The way I see it is this: there are definitely eGovernment problems to solve today, which only present themselves because of the increased sophistication of some current implementations (and those implementations, of course, are based on previous progress). In other words, solving one set of problems usually just raises you within reach of the next set. To extend that analogy a little: previous work has built a ladder which means we can reach out towards the next set of goals. My worry is that some of the rungs below us (and, if we’re unlucky, bits of the ladder itself) are either missing or not very well put together.

However, we are where we are – and the heartening thing about this year’s exhibition area was the sophistication and practicality of many of the systems being shown. To me, they suggest that there is good practice out there in abundance, if the rest of us are only prepared to look and learn.

A live stream of the awards announcement is running in another tab even as I type, so there is just time to list the winners (hot off the feed):

EU OPA – the European Order for Payments Application

Genvej – Gentofte Kommune’s citizen services project

MEPA – Italian eMarketplace for Public Administration

AFN/MB – Portuguese project to issue hunting licenses via the Multibanco ATM network.

And a “public vote” prize goes to the Turkish Ministry of Justice project on SMS messaging for legal cases which are in progress.

EU to legislate on cookies

UK readers will probably remember one of those legal wrangles which make for such easy satire – the protracted argument over whether a Jaffa Cake is a cake or a biscuit (for VAT purposes, of course…)

It looks as though the European Commission is heading towards a similar argument about cookies – though there may not be much discussion, as the Directive in question has apparently already been approved and merely awaits a few signatures and a rubber stamp or two.

This is about amendments to 2002/58/EC, the Directive on Privacy and Electronic Communications. There are amendments to several areas of the original Directive, but the one which is currently exercising an articulate group of higher-education identity federation experts is nicely summarised here, by Struan Robertson of law firm Pinsent Masons. I recommend a read of his blog post; it isn’t often you see a lawyer describe proposed legislation as “breathtakingly stupid”… but I should also point out that he makes that comment off his own bat, so to speak, and not on behalf of his employers.

The amendments in question are apparently intended to regulate the storing and use of cookies on end users’ devices. I say “apparently”, because the further one gets into the practicalities of it, the less clear it is how the legislation could be put into any meaningful practice.

I’ve no doubt the intent of the amendments is both clear and laudable: to improve privacy outcomes for (EU) citizens going about their online life. In practice, though, there are pitfalls which the legislation seems doomed to encounter – several of them probably fatal.

The way the amendment is phrased (it’s a replacement of Article 5.3, for those who like to read that kind of thing – see Struan’s post, or read p.77 of the document here if you prefer the unexpurgated version) makes it fairly clear to me that what they are trying to regulate is access to the end user’s machine. In other words, if you want to put something on my PC, or read something you put there earlier, you will need to be able to show that I gave my consent. As I say, laudable and straightforward. Until you start to go through the permutations:

  • What if I’m using my PC outside the EU?
  • What if I’m inside the EU, but accessing a cookie-setting site which is outside the EU?
  • What about non-EU citizens, in the EU, accessing EU sites?
  • Or non-EU citizens accessing EU sites from elsewhere?
  • Or non-EU citizens accessing non-EU sites via a mobile device, roaming through an EU telco?
  • … and so on and so on…

There are many other aspects one could dive into similarly – such as “what counts as consent?”, or “how on earth will users cope with all those pop-ups” – but we haven’t got all week.

Before long, a yawning gap opens up between what the legislation is capable of saying, and what it would take to describe something implementable. Depressingly, this really should not have come as a surprise either to the legislators or their drafters. After all, this is merely the next evolution of some quite long-standing network-mediated problems:

  • the advent of satellite broadcasting introduced us to the problems of whether such services were to be regulated at the “up-link”, the “down-link”, or some combination of both;
  • internet e-commerce has given us plenty of opportunities to work out how you establish distance contracts, between parties under different regulatory regimes.

On that basis, there seems to me to be no excuse for this current legislative initiative to be so woefully half-baked.

All of which brings us back, in a way, to the humble Jaffa Cake; and why not? For those who didn’t follow the saga, this went as far as a court case between leading manufacturer McVitie and Her Majesty’s Customs and Excise, as they were at the time. The conclusion was that legally, they are cakes. The court found that a cake is something which starts off soft and goes hard when it gets stale… whereas a biscuit, they found, starts off hard and goes soft as it gets stale. The majesty of the law leaves me awe-struck sometimes, it really does.