Can you have federation without trust?

Back in olden days, when I worked for IBM, its sales & marketing people weren’t allowed to use the word “risk”… because it might be taken (by customers) to imply that there was any form of risk associated with the corporation’s products (this is long enough ago that it hadn’t really cottoned on to ‘services’ yet…). And so the word was carefully expunged from the corporate lexicon (as evidence, I cite Mike Cowlishaw’s seminal IBM Jargon Dictionary… look up “exposure” in the pdf file here).

This made things quite tricky for the poor souls who had to write a Project Risk Checklist for IBM’s project managers… without using the word “risk” anywhere. So, “Project Assessment Checklist” it was, then…

That said, when we in the field were given our first training session by a proper project manager, he was blunt about it to the point of political incorrectness. “A project which involves no business risk”, he intoned, “is unlikely to deliver any significant business benefit”.

Which is a fair enough comment, and worth making (if your vocabulary permits you to do so, that is…).

I thought of this as I read a Tweeted Q&A from the Burton Catalyst conference currently under way in Prague. Bob Blakey asks Tony Nadalin “Can federation exist on the internet without trust frameworks?”.

My initial thought is that not all kinds of trust are equivalent; for instance, when I conduct banking transactions online from my laptop, I place different kinds of trust in the bank and in the telecommunications infrastructure. I hold them responsible, respectively, for different aspects of the transaction’s success, and I would expect different forms of recourse if something went wrong.

So, if I intend my organisation and your organisation to conduct high-value business over the internet, but choose to do so with no kind of trust framework in place, I’m probably taking quite a risk. In some forms of business, I might be happy to do that. I might even be insured or re-insured against some kinds of failure. My safeguards against “transactional” risk for that high-value business are not necessarily the same as my safeguards against, say, the network suddenly dropping out of service.

On the other hand, some networks are not meant for ‘high value business’. What are referred to as ‘social networks’ (and I still don’t like that phrase) get their value from the network effect, rather than from the exchange of financial value – again, that doesn’t mean there’s no need for trust – but the risks and appropriate mitigations involved are different.

I’m not going to go for the CEM Joad response (“Well, I suppose it all depends on what you mean by ‘federation’ and what you mean by ‘trust frameworks’”), but it did occur to me that a federation, constructed over the internet, which has absolutely no element of trust is unlikely to deliver significant benefit.

There’s another interesting question, of course: can you have a federation which successfully meets the goals of all its stakeholders even if they don’t trust each other? (Strategic arms reduction, for instance). But that’s another discussion…

Google wi-fi-gate rumbles on

Yesterday’s Tech Daily Dose announced (rather optimistically, I feel) that Google had ‘cleared the air over wi-fi-gate’. The rest of the article went on to sum up Google’s position as “we haven’t broken US law”. A spokeswoman is quoted as saying “it’s legal to receive information from networks configured to be open to the public”.

I am not in a position to comment on US law in that regard, but I have looked at the potentially applicable UK legislation.

I turned first to the Computer Misuse Act 1990, Section 1 – Unauthorised Access to Computer Material:

(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

(2) The intent a person has to have to commit an offence under this section need not be directed at—

(a) any particular program or data;

(b) a program or data of any particular kind; or

(c) a program or data held in any particular computer.

(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

At first glance, 1(a) appears to offer an “out”, in that it refers to data held in a computer, not data wirelessly broadcast by it. However, paragraph 2(c) specifies that it is not necessary for data held in any particular computer to have been targeted in order for an offence to have been committed. Potentially, that opens the way for a charge that the SSID which I set in my wireless router (a computer which I own), although not specifically targeted by Google’s StreetView sniffer, would nonetheless be accessed by that device, as the router went about its intended function.

The intended function of the router is a factor, in the sense that I set it up (including broadcast of the SSID) for a specific purpose: namely, to enable members of my household to distinguish between my wi-fi network and neighbouring ones.

Paragraph 1(b) must be held to apply in any case. There is no way, simply through the SSID broadcast mechanism or the wireless router configuration, to notify third parties of my intent, or for third parties to be granted authorisation to access my wireless network: therefore I would argue that they must presume they have not been authorised to do so (and Article 8 of the European Convention on Human Rights would seem to back up that assumption).

However, arguably by its narrow definition of “computer”, and its failure explicitly to define “computer systems” and “systems composed of computers and network connections”, the Computer Misuse Act might be too tightly scoped to include wireless links.

So next I looked at the Regulation of Investigatory Powers Act 2000 (RIPA). This is explicitly aimed at ‘data in motion’ as opposed to ‘data in computers’. While its primary purpose was to provide a legislative basis for the authorities to intercept citizens’ communications traffic, it also contains provision to protect “our” communications too.

Thus, Part 1, Chapter 1, Section 2 “Meaning and location of interception etc.” says:

(1) In this Act: […]

  • “private telecommunication system” means any telecommunication system which, without itself being a public telecommunication system, is a system in relation to which the following conditions are satisfied—

    (a) it is attached, directly or indirectly and whether or not for the purposes of the communication in question, to a public telecommunication system; and

    (b) there is apparatus comprised in the system which is both located in the United Kingdom and used (with or without other apparatus) for making the attachment to the public telecommunication system;

Sub-sections (2) and (3) continue as follows:

(2) For the purposes of this Act, but subject to the following provisions of this section, a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he—

(a) so modifies or interferes with the system, or its operation,

(b) so monitors transmissions made by means of the system, or

(c) so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system,

as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication.

(3) References in this Act to the interception of a communication do not include references to the interception of any communication broadcast for general reception.

Which seems clear to me. Even my SSID (let alone the traffic I exchange between my workstation and the wireless router) is not broadcast for general reception. It is broadcast for reception within a strictly limited geographical area, and by a strictly limited set of devices.

Some may argue that I have the option of not broadcasting the SSID of my domestic network. The practical problem with that is that, if a neighbour adopts the same policy, there is a risk that users will try (in vain) to connect to the wrong network. That is inconvenient and time-consuming – and, of course, in the event that they thus inadvertently connect to the wrong wireless router, could even result in them breaking the law. There’s irony for you.

Again, as long as the mechanisms for that broadcast do not enable me to specify more precisely the intended use of the system, or to grant explicit authorisation to third parties to gain access to it, any third party must proceed on the assumption that their access is unauthorised.

In the absence of such mechanisms, it is hard to see what else a householder can do to make their intended purpose clear – so here’s an alternative attempt:

I hereby give notice that the purpose for which I set a public SSID on my domestic wi-fi network is so that members of my household can distinguish it from visible neighbouring access points. I do not intend that SSID to be available to third parties beyond the transmission range of my wi-fi-router. In the absence of a mechanism for third parties to seek authorisation to access my domestic wi-fi network or the data carried over it, any such access should be assumed to be unauthorised.