Yesterday saw an announcement by the Financial Services Authority that the UK arm of Zurich Insurance Plc has agreed a record-breaking fine of £2.4m as a result of losing 46,000 customer records. The records, which comprised personal details, 'identity details,' and in some cases bank account and credit card information, details about insured assets and security arrangements, were on an unencrypted back-up tape which was lost in transit during routine transfer to Zurich Insurance Company South Africa Ltd. The SA subsidiary was handling processing on behalf of the UK arm, but there were apparently no proper reporting lines between the two, and the loss was not reported to the UK for over a year after it occurred. There is no suggestion that the lost data has been misused.

In its statement, the FSA said:

"Zurich UK let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later.

"Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made."

There are a few important implications arising from the FSA's action. A key issue is the valuation of data assets: by settling at an early stage of the investigation, Zurich got the fine reduced from £3.25m to £2.4m. On the undiscounted figure that works out at roughly £70 per missing record (the settlement figure equates to just over £50). That is substantially higher than the implied per-record value in many similar fines in the past, but arguably far less than the damage that could have been done to each customer had the data been misused. Of course the fine is not actually calculated in this way; it was levied because the organisation "failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement."

There is also the (hopefully obvious) point that whilst an organisation can outsource responsibility for day-to-day data management, it cannot outsource accountability: the Data Protection Act makes clear that the Data Controller remains accountable for the handling of data by a Data Processor acting on its behalf. Yet many organisations fail to recognise this, particularly when passing data between parts of the same group; in many cases they fail to realise that a data sharing process is even occurring.

The scale of the fine is also clearly intended to set an example to other regulated financial organisations to put their security arrangements in order. Nationwide, HSBC and Marks & Spencer have all received substantial FSA fines, in each case for systemic security failures, and the FSA's statement explicitly invites the rest of the sector to learn from Zurich's mistakes. Zurich's shareholders can justifiably feel aggrieved at the scale of the fine compared with those applied elsewhere in the sector or across other sectors.

That brings us on to the question of who is responsible for enforcing Data Protection regulation. The Information Commissioner's Office does not have the reputation for enforcement that many of its European counterparts have: the Schleswig-Holstein Commissioner in Germany, for example, has a fearsome reputation and is unafraid to take on the likes of the federal government, Google or SWIFT. By comparison, the UK Commissioner rarely attempts enforcement action against large firms or public authorities, and even then normally settles for an Enforcement Notice rather than a financial penalty. The FSA, on the other hand, is clearly happy to hit companies hard for data protection breaches. Whilst I support that approach - poor data protection practices invariably arise from poor information security regimes coupled with a cultural disregard for personal data - I'm somewhat concerned that heavy penalties will deter firms from voluntarily notifying individuals or authorities about breaches when they occur, for fear of being penalised. In this particular case Zurich voluntarily notified its customers of the loss, but I'm guessing that other financial firms in the same position might think twice in light of this penalty (government authorities and any unregulated body can of course carry on with relative impunity, not being subject to the FSA's regime).

So what does all this mean? Whilst I fully support meaningful penalties for organisations that systemically fail to protect personal data, I'm concerned that the creation of scapegoats will simply serve to deter organisations - and financial organisations in particular - from voluntarily reporting incidents when they occur. We need to level the playing field such that fines are proportionate to the offence and the organisation's ability to pay, regardless of size or sector. We need to consolidate to a single regulator for a single issue, rather than sector-specific regulators determining their own scale of penalties. And we need the Information Commissioner to recognise that after 20 years of promotion and awareness, it's time to focus his resources on effective enforcement. Only then will all organisations, and public authorities in particular, start to treat personal data with the respect it deserves, and stop trying to duck accountability for protecting it properly.

Global village idiots


The open season on Facebook (1 Jan - 31 Dec, no sniping on Sundays or religious holidays) continues with the sort of vigour that the media normally reserves for footballers' wives and anyone who's ever been in a talent show. Facebook brought some of this upon themselves with their repeated, poorly-publicised and complicated revisions to their privacy policies. But yesterday's 'headline' was that a researcher has used a script to scrape all the publicly visible text from the social networking site and compiled it into a single file.

The only data in the file (which, as someone who doesn't frequent the torrents, I don't have a copy of) is apparently the publicly visible information on Facebook - anything which was set to 'private' was not accessible. The file is only a few GB in size, which suggests it's just text (please correct me if I'm wrong), so the richness of the pictures isn't in there.

If the facts have been reported correctly then from a legal perspective nothing much has happened here. Someone has taken a large volume of information that was already public and searchable and put it into a file where it is still public and searchable. Data Subjects gave their consent to publication at the time they originally posted it. Of course there's likely to be material in there that is subject to intellectual property rights, but it wasn't our researcher who put it onto Facebook in the first place. I imagine that a skilled grep-er could find information in there that isn't easily spotted using Facebook's own search tools, and that some interesting patterns might emerge, but I'd also imagine that much of the context and interconnectivity of the information was lost in the download process, so it's swings and roundabouts for the value of the offline data.

And yet... and yet... the media still throw up their hands in horror and cry that the death of privacy is upon us. That may be so, but it's not because someone's downloaded Facebook. Our problem is that in modern society we seem to think of privacy as being a form of urban anonymity* - less 'the right to be left alone,' and more 'the right to do whatever the hell we please because nobody's going to know who we are when we do it'.

This is not privacy, but an uncontrolled and irresponsible form of pseudonymity, where we assume that people don't know our other personae: the 'me' on Facebook isn't the 'me' at work or the 'me' that visits my parents or the 'me' that goes down the pub. These are all legitimate personae that we choose to portray, but we keep them from others because they simply don't mix. Our fear stems from the threat of those personae ever getting together in public with a few drinks and telling the world who we really are. Once that happens, it's all over for privacy under the urban anonymity model - there's no way to separate those personae once their interconnectedness has been made public (particularly if your boss - or worse still, your mother - finds out what you did down the pub).

[Image: still from George Romero's Night of the Living Dead]

It's never pretty when your various personae get together

So perhaps it's time we look to a pre-industrial past for fresh concepts that will help us to understand privacy in the age of social networking, and to respond to non-incidents such as this in a more meaningful way.

Our current model is one of urban anonymity, but is that a reasonable model for the Internet? Surely we actually engage in communities? The Internet may provide an enormous anonymous backdrop, but most of what we do within it is community-driven, with those communities bounded by interests, professions, territories, applications, providers etc.

In a small community, there is no anonymity: everything you do in a public place is public knowledge. Your childhood sweethearts, exam successes and failures, your drunken teenage nights, health problems, run-ins with the police, financial problems - anything that happens in public becomes common knowledge, and you are completely identifiable by your peers when it happens. Yet village communities rarely seem to schism, ostracise or generally form lynch mobs (except when it's part of the local tradition, of course). Because everyone's life is a matter of public record, and sooner or later everyone says or does something in public they'd sooner forget, that quality of forgetting becomes embedded in the community: even if we can't forgive, we choose to forget because we hope others will do the same for us. Otherwise we'd never venture out of our houses for fear of twitching net curtains.

So is this a valid model for considering how we use the Internet? I think so. We don't go searching for embarrassing things done online by complete strangers (well, I don't anyway) unless they are truly staggeringly stupid/naked/funny, but we are interested when even a minor incident involves someone we know, or who exists within one of our online communities. Those are the people who seek forgetfulness, and from whom we may require that forgetfulness to be reciprocated. The Internet itself won't forget anything, so there's no point in trying to erase the evidence.

As adults we fret that the re-appearance of a photo of teenage high spirits (i.e. that one wearing nothing but a pair of pants on your head and a winning smile) may come back to haunt us, but younger generations will have learned to see the Internet for what it is: a global network of interconnected communities, rather than a homogenous mass of users. Maybe they'll be better at forgetting than we - or computers - will ever be. And maybe they'll come up with a more grown-up model for online privacy than we currently use.

* - Thank you Robin for so ably explaining this idea to me last year...

When business trumps privacy


The BBC reports that the financial failure of the gay teen magazine XY, and its associated website, has given rise to a painful privacy conundrum: what happens to the database of registered site users?

When a company fails, it is normal practice for the administrator to seek the greatest possible asset value on behalf of the creditors. In some cases this means running the company on their behalf, but most of the time the administrator will sell off assets, or offer them up to creditors in lieu of debts. Ten years ago, the administrator would have been selling off the IT assets based upon their hardware value, but as businesses become increasingly aware of the (often intangible) value of data assets, these are being put up for sale as well.

That all seems reasonable, but we run into a fundamental conflict where the data assets contain personal information. A sale of the asset causes two principal problems from a data protection perspective: the change of Data Controller, and the potential change of purpose of the personal information. The database has very little commercial value to the buyer unless the vendor can obtain consent from data subjects to both of these changes, and using it without that consent would be a breach of the Data Protection Act (1998). In practice the new consent is so complex to obtain that this situation rarely arises in Europe, where the European Data Protection Directive provides parity of protection across member states.

But the US has no equivalent Federal legislation. Contrary to popular belief, US citizens have no explicit constitutional right to privacy (although the courts have inferred elements of one from various constitutional amendments), and instead achieve privacy through a powerful Federal Trade Commission, individual State legislation, and the ever-present threat of class action lawsuits against any company that infringes its own privacy policies.

And hence we have the situation arising with XY.com. The database, containing personal information about many tens of thousands of young gay men, many of whom will not yet have decided upon their own sexuality, or told family and friends about that sexuality, is now up for grabs. The creditors are keen to obtain the maximum value for the database, and this might include selling it for commercial purposes at odds with the original intentions. In the US, this may be legal, but the situation becomes increasingly complicated when we take into account that because of the global nature of the Internet, it is inevitable that EU citizens will be in that database. Does the Data Protection Directive apply? Can they demand protection of their personal data? As Privacy International's Simon Davies points out,

"The selling off of private information, gathered under the supposition of privacy, is bad enough ... Even worse if you're forced into it. And positively untenable when the information is connected to kids who are dealing with a dawning sexual reality that in some instances is even more fraught than what straight kids go through. ... I would argue that this is a case where the Information Commissioner should write directly to the US and ensure action is taken."

That point about intervention by the Information Commissioner's Office is an important one, and I agree that the Commissioner should get involved. But will the US listen? Probably not. More likely, the lawyers will weigh up the threat of a meaningful lawsuit being brought by young gay men in the EU, who may well have to disclose their details in order to take action (many will not wish to do so), and decide that the risk is acceptable. The situation is about as far from ideal as it could be, and underlines the pressing need for reform of the legal arrangements for transfer of personal data about EU citizens to the US in light of the general failure of the Safe Harbour agreement and companies' poor implementations of Binding Corporate Rules.

This is also a classic case of how matters of gender and sexuality are often the lightning rods for privacy policy development. Young people growing up uncertain of their sexuality or gender often spend many years keeping their feelings and experiences away from some or all of the people in their lives, and may live 'split' lives whereby family, friends and employers have very different views of their personae. One of the most important implications of the fundamental right to privacy is the right to keep these aspects of our lives separate, and that right is critical where the wedge of prejudice might force a person away from the support of people they need most. Last week former Minister for ID Cards Meg Hillier MP demonstrated her appalling lack of understanding of this sensitivity by proposing the forcible outing of the UK's transgender population.*

The Information Commissioner launches his annual report today, and I hope that as his office publicly reviews the past year and speaks of the challenges of the year ahead, that the protection of those individuals threatened with a loss of privacy by the potential sale of XY.com's database is one of the topics on his agenda.

* - This was almost certainly because of a lack of understanding of ID issues rather than a lack of compassion for the transgender community, and I'm not for a moment suggesting any prejudice on her part.

In a world where it's quite possible for minors to be arrested for taking pictures of parades on Armed Forces Day, parents go crying to the press when their children are accidentally photographed playing naked in a public place, and sooner or later we'll all get nicked for looking at a policeman in a funny way, it's good to see the Information Commissioner's Office providing some timely and useful guidance on the acceptability of taking pictures at your child's school sports day.

For the avoidance of doubt: if you are taking photos for your personal use (as opposed to commercial/official photos) then the Data Protection Act does not apply. If a jobsworth tells you that you cannot do so because of the DP Act, then they are wrong. Carry a copy of the guidance note and stick it under the nose of anyone who says otherwise. It would be a great shame if all our schoolday memories looked like this...

[Image: sports day photo]

The 100 yard dashing around like a headless chicken race...

Do you remember the UK ID Cards scheme? You know, the government's promised 'gold standard' of identity? The unforgeable, unbeatable, genius of authentication that was promised to do anything you want (so long as all you wanted to do was submit to an identity check by a public official)? The one that eventually cost us £450,000 per card? Ah, now you remember it.

Back in the heady days of 2005, a number of us warned that the idea of a 'gold standard' of identity was preposterous, and that the UK abandoned the gold standard in its monetary policy for a number of reasons, one of the most important being that underpinning your entire economy on a single asset is a ridiculous and unnecessary risk. Would you want to discover that the UK economy has collapsed because investors have intentionally pulled the rug out from under the gold market (as opposed to just good old-fashioned fiscal mismanagement)? No. Would you want to discover that the country's entire system of authentication and verification has to be abandoned because some idiot left a copy of the database on a memory stick in a pub car park? No. But we came very close to building that ID system, and in Puerto Rico they've just discovered what happens when your primary credential is no longer trustworthy.

Apparently in Puerto Rico, a birth certificate is the de facto ID document. It's been normal practice for many years for public authorities and private organisations to take a copy of that simple, forgeable piece of paper when they transact with individuals, and to keep it on record for indefinite periods. Unfortunately, the Puerto Rican birth certificate is an immensely valuable document, since it can also be the gateway to US citizenship, and that makes it an attractively nickable credential that can be sold across Latin America.

Organised criminals soon cottoned on to this, and started raiding organisations - in particular schools - to steal copies of certificates and sell them on. US authorities are quoted as saying that up to 40% of fraudulent applications for US passports use Puerto Rican birth certificates, and 12,000 individuals are known to be victims of this type of credential fraud. The Puerto Rican birth certificate has been rendered untrustworthy, and has had to be abandoned as their 'gold standard' of ID.

In response, and under pressure from the US, the Puerto Rican government has demanded that over 5 million individuals re-register for a new birth certificate that will be printed on a different document standard, and will not be collected by other organisations for ID purposes. It seems a little odd that they've replaced a stealable, replicable, forgeable, fundamentally weak credential with another stealable, replicable, forgeable, fundamentally weak credential, when they could have used electronic credentials to leapfrog underdeveloped nations such as the UK by creating a really useful ID infrastructure, but then I doubt they'll be paying £450,000 per certificate either.

The sooner we get away from the outmoded idea that the only way to prove our entitlements is a bit of paper - or a smartcard - issued by the State, and start adopting global, interoperable standards for open identity rights, the better. The Coalition government saved us from a move back to the gold standard in ID, and the ultimately inevitable collapse of a fundamentally flawed ID infrastructure. Sadly, they've yet to propose alternatives, and we're floating around in an identity vacuum that needs leadership, standards and purpose. Where's the government's ID Tsar? Where's our commitment to an Open ID initiative such as that created by Obama? I know it will be many years before it happens, but I can dream, can't I?

In the meantime, I'm off to San Juan to register for a birth certificate under my Latin alter ego, 'Spanky Fernandez'*. Should be worth a few bob once the ID thieves figure out how to copy them over the next few weeks.

* - I once knew a chap by that name. If you're reading this Spanky, sorry for stealing it.

Backfiring biometrics


I've written on a number of occasions about the fallibility of biometrics as a trusted means to find or identify an individual. Setting aside problems with the mathematics of biometrics and the associated false accept / false reject issues, my biggest concern is the human factor: once the authorities have it in their heads that biometrics never lie, common sense and good judgement go out of the window. This is particularly important where biometric evidence is used in a police investigation, since it becomes practically impossible for defendants to challenge either the accuracy of the original evidence or the procedures used to process it within the investigation. High-profile false convictions become inevitable, and it would only take a few such cases to completely undermine the evidential value of biometrics even in apparently 'open and shut' cases.
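As an added illustration of the base-rate problem that sits behind those false accept / false reject figures (this is example code written for this page, not anything from the original post or from any fingerprint bureau; the 1-in-a-million false accept rate, 2% false reject rate, 50-million-record database and the priors are all hypothetical round numbers):

```python
"""Base-rate arithmetic for biometric matching.

Added illustration (not code from the original post). The false-accept
rate, false-reject rate, database size and priors used below are
hypothetical round numbers chosen to show the effect; they are not the
figures of any real fingerprint system.
"""


def expected_false_matches(far: float, db_size: int) -> float:
    """Innocent records expected to clear the matching threshold when one
    crime-scene mark is compared against every record (a 1:N search)."""
    return far * db_size


def expected_true_matches(p_source_in_db: float, frr: float) -> float:
    """Expected count of correct hits: the true source must be in the
    database and must not be falsely rejected."""
    return p_source_in_db * (1.0 - frr)


def share_of_hits_that_are_true(far: float, db_size: int,
                                p_source_in_db: float, frr: float) -> float:
    """Approximate P(candidate is the true source | candidate was reported),
    taken as the ratio of expected true hits to expected total hits.
    This is the base-rate step that 'fingerprints never lie' skips: the
    prior and the size of the searched population both matter."""
    true_hits = expected_true_matches(p_source_in_db, frr)
    false_hits = expected_false_matches(far, db_size)
    return true_hits / (true_hits + false_hits)


def max_far_for_confidence(confidence: float, db_size: int,
                           p_source_in_db: float, frr: float) -> float:
    """Largest per-comparison FAR at which a hit from a 1:N search is the
    true source with at least `confidence` probability (same
    expected-count approximation as above)."""
    true_hits = expected_true_matches(p_source_in_db, frr)
    return true_hits * (1.0 - confidence) / (confidence * db_size)


if __name__ == "__main__":
    FAR, FRR = 1e-6, 0.02   # hypothetical: 1-in-a-million false accept, 2% false reject
    # 1:1 verification: a card holder claiming to be the enrolled person,
    # with a high prior that the claim is honest.
    print("verification  :", share_of_hits_that_are_true(FAR, 1, 0.999, FRR))
    # 1:N identification: one latent mark against a 50-million-record
    # database, with an even chance the person who left it is enrolled at all.
    N = 50_000_000
    print("false matches :", expected_false_matches(FAR, N))
    print("identification:", share_of_hits_that_are_true(FAR, N, 0.5, FRR))
    print("FAR needed    :", max_far_for_confidence(0.99, N, 0.5, FRR))
```

The point is that the same per-comparison error rate behaves completely differently in the two modes. For a one-to-one check (is this card holder the enrolled person?) a match is all but conclusive. For a cold search of one latent mark against tens of millions of records, a 1-in-a-million false accept rate yields around fifty innocent candidates, so a bare 'match' makes the candidate more likely innocent than not; the system would need a false accept rate nearer one in ten billion before a hit on its own could carry 99% confidence. That is the kind of arithmetic that gets skipped once investigators believe the print cannot lie.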

Perhaps the most important example of this in the UK is that of Shirley McKie, a police officer whose fingerprint was allegedly discovered at the scene of a murder in 1997. Despite the absence of motive or any other evidence, she was prosecuted for perjury for maintaining that she had never been at the scene, and was acquitted. Four supposed experts had asserted that the print had to be hers; in the wake of her trial three accepted redundancy and one was sacked. Mrs McKie, having left the police service, was subsequently awarded £750,000 in compensation, and one of the experts was eventually reinstated having successfully challenged her dismissal at an employment tribunal. HM Chief Inspector of Constabulary demanded an overhaul of procedures, and a public inquiry is now under way.

Aside from the ridiculous waste of public funds in pursuing a patently unsafe conviction, the most disturbing aspect of the case is the way in which police and justice authorities closed ranks to protect their own staff and their unswerving faith in biometric evidence. The Scottish Information Commissioner Kevin Dunion has ordered that 131 previously unreleased documents about the case be provided to Mrs McKie. Whilst only a fraction of the 630 documents yet to be disclosed (and likely to remain secret because of other legal exemptions), this demonstrates just how hard it is for an individual to fight a case once there is a claim of infallible biometric evidence against them.

I very much hope that Mrs McKie is successful in exposing every flaw that led to this ridiculous situation, and that authorities across the UK - not just in Scotland - take heed of the lessons learned and modify their attitudes towards biometric evidence accordingly.

Please excuse the lack of posts recently - I've been preparing for an experiment in locational privacy. On 12th June I will set off from John O'Groats to cycle 1,000 miles to Land's End in aid of Help for Heroes. Every moment that could have been used for blogging has instead been taken up with cycle training. I'll be wearing a satellite tag so that you can follow my progress at http://beest.com. If you can sponsor me then I'd be extremely grateful!

As for privacy, it'll be interesting to see what it's like to have my movements tracked for 10 days. For anyone following Please Rob Me, don't get your hopes up, the house will be full of people whilst I'm away...

The end is the beginning


The Conservatives and Liberal Democrats have published their coalition agreement. This includes the following key lines:

10. Civil liberties

The parties agree to implement a full programme of measures to reverse the substantial erosion of civil liberties under the Labour Government and roll back state intrusion.

This will include:

- A Freedom or Great Repeal Bill.

- The scrapping of the ID card scheme, the National Identity Register, the next generation of biometric passports and the ContactPoint database

So that's it - the battle is over. We've put an end to the daftest databases invented under Labour. But it's far from the end of the work. Whatever happens, the UK needs a trusted population-scale authentication scheme to support online transactions and interaction. It needs to be a scheme that is open, trustworthy, flexible, respectful of privacy and civil liberties, and most importantly, not owned by the government. Over the coming months we will see a host of new identity and authentication mechanisms proposed to support industry, in much the same way as was originally proposed by Sir James Crosby's prescient report. Hopefully this government will have the good sense to actually listen to those who properly understand the issues and technology, and will embrace whatever solutions the people - and not the Home Office - select as their preferred tools.

The First 100 Days?


It's a bright, sunny morning. Finally, we have a new government. I'm excited. I've a strong sense that a Conservative-Liberal coalition could be the best possible election outcome for the UK: a strong economy coupled with a commitment to overturn the inefficiencies and centralisation of 13 years of Labour, but tempered by the humility and introspection that will be forced upon the government by the Liberal Democrat influence. This could work really well if they commit to collaborating. But what should they now do about privacy, identity and consent?

Fortunately, this is one of the areas in which the two parties find common ground, and in fact it may be one of the first policy actions taken by the coalition since they will want to be seen as decisive. The first announcements are likely to be the cancellation of the Identity Cards programme and the ContactPoint database; quick, easy decisions that will save money and tear down one of the pillars of Labour's centralisation policies. Cynics say that the government will shy away from destroying the National Identity Register because of its complex linkages into other systems, and the supposedly watertight contracts that are in place with key vendors. I say watch this space, there's a strategy prepared to deal with those issues.

Next, we will see the government order a detailed review of spending across public service. How many computers does the government own? You don't know? Well, neither does the government. Nor how many systems it operates, contractors it employs, or contracts it has signed. It's time to get a proper view of what's in place. And then it's time to publish that view, and details of all spending thereafter. Greater transparency is a cornerstone of both parties' manifestos, so I can't imagine the two parties disagreeing on that.

Then there will be a commitment to a much greater reform of government IT. We're going to see the end of the current status quo, in which a handful of massive SIs control nearly all government IT spending; instead the market will be opened up by demanding open standards and open source technologies, capping contract values, and publishing the values and details of all contracts. A few naysayers have suggested this would be a bad thing. Rubbish. It will spread public spending across a much broader range of SMEs rather than allowing a few companies to hog it for themselves.

The Digital Economy Act is unfortunately likely to end up on the back burner, at least for a few months. It's an appalling bit of legislation, but the government will want to deal with issues of economy, education and defence before it starts tackling the mess that the major record companies talked us into.

And then we have the longer-term reform of the civil liberties agenda. Both parties are committed to a range of fundamental reforms to protect privacy, reform libel law, protect liberties and ensure a new vein of common sense runs through government. These changes won't happen quickly, but they will protect us all from a repeat of the ridiculous attitudes of recent years.

As I say, it's a bright, sunny morning. Looking out the window, I see it's rather nice out there too.

At some point in the next few hours, we're likely to find out the shape of the next government. I deliberately avoided commenting on my political preferences in the run-up to the election, preferring to remain neutral. However, now that the votes are in, from a privacy, identity and consent perspective I'm hoping hard to see a Con-Lib alliance.

Purely taking these issues into account, the Liberal Democrats have a very attractive manifesto indeed. Whilst similar to the Conservatives in these areas, they have promised to go so far as scrapping biometric passports, which is an area on which the Tories have been mute. The two parties can coalesce around many sensible policies that include scrapping the National Identity Register and Contactpoint, enhancing or replacing current privacy and libel laws, protecting freedom of speech, and putting an end to the past 13 years' relentless and ruthless accumulation of personal information.

Not that ending these projects will be the end of the issues: anyone who thinks that the UK can live without some form of population-scale authentication system - ideally not one provided by the State - is ignoring the realities of the Internet age. I fervently hope that a Con-Lib government would bring common sense coupled with a degree of humility and introspection, qualities that can only help to enhance the government's attitudes towards privacy and consent.

Erasing David


Tonight is the premiere of David Bond's new film 'Erasing David,' which will also be shown on More 4 at 10pm on 4th May. If you have any doubt in your mind about whether we have already sleepwalked into a surveillance state; about whether there is any truth in the phrase 'nothing to hide, nothing to fear'; or the potential for your details to be stolen and misused by criminals; then this is a film you need to see.

Concerned by the implications of the government's loss of Child Benefit data, David set out to remain hidden for a month whilst being tracked by two private investigators. This wasn't about hiding in the woods for four weeks, but remaining part of society without leaving a trail of clues. He had the chance to 'cleanse' his online records as best he could, such as removing information from his Facebook profile, to receive briefings on the psychology of fear and practical ways to remain anonymous, and to plan his hiding strategy. The detectives simply have to meet up with him face to face in order to win the challenge, and are not allowed to break the law in doing so.

The result is a film that is almost comedic at first, as he comes to terms with privacy problems that those of us in the privacy mainstream have fretted about for a long time now, but then starts to become increasingly disturbing as he reacts to the assumption that all his movements, communications and transactions might be monitored. The private eyes don't fit the stereotypical image portrayed in American movies, but whilst they come across as gentle and almost amusing, their (perfectly legal - possibly with the exception of the questions arising from dumpster diving) techniques are highly effective.

What surprised me was how quickly David Bond begins to experience the paranoia arising from being watched. Without giving away the plot, there is one point at which this seems rather extreme (bearing in mind that the worst consequence of his being tracked down would be to be able to go home!), but the wider theme of discomfort and behavioural change is food for thought for those that buy into the 'nothing to hide argument' when trying to justify surveillance regimes. David Bond starts this project with just a vague sense of unease about the concept of a database state. By the end, his radicalisation as a privacy activist is complete.

Tune in to watch Erasing David on More4 on 4th May at 10pm.

Gissa proper National ID Card

One of the biggest flaws in the National ID Scheme's architecture is its failure to support peer-to-peer authentication in any meaningful way. The government has promoted it as a way to interact with government, UK border controls, proof of age scenarios, and... that's about it really. However, this is a classic case of designing a system around the needs of a minority user group: those who lack other trusted credentials, or often come into contact with the authorities. It's an approach that disregards the needs of everyone else.

Like most people with a 'conventional' lifestyle (i.e. someone who is not regularly in contact with police, UKBA or social services) I rarely need to prove who I am. My wallet contains two credit cards and a debit card, a few bits of plastic for club memberships (IoD, British Cycling, Britannia Rescue etc) and that's about it. On a couple of occasions each year I have to dig out my passport from its safe storage in order to a) travel or b) prove who I am for a new financial services product (e.g. moving mortgage provider or changing mobile phone company). Those occasions aren't an inconvenience for me, since I know when they're going to happen, and otherwise my passport lives safely locked away.

In this context, a National ID Card - as envisaged by the government - is a complete waste of money for me. It adds no value over a passport, which I'll still have to own for travel purposes. Furthermore, because the Identity & Passport Service has designed the scheme entirely around government needs, it has been rendered useless for anyone else. Only an organisation with a card reader connected to the National Identity Register can obtain a 'trusted' authentication, and that authentication is a one-way process - there's no mechanism for the card holder to confirm they're really dealing with an authorised official. In fact the card can't even support Chip and PIN functionality, so it's less trustworthy than the average credit card.

And it's the failure to provide mutual authentication that is the most disgraceful aspect of the scheme's architecture. Here's an example. Yesterday I received a knock on the door, and a young Liverpudlian waved a bit of card at me, politely introduced himself as a young offender working in a rehabilitation programme, and asked if I might be interested in buying some household items from him. Now I have no way whatsoever of knowing whether such a scheme is legitimate, or if he's just casing the house for a later break-in; whether the card is real or if he is the authorised holder; and whether I can trust him in this context.


[Image: Bernard Hill as Yosser Hughes]

Now if I had a useful peer-to-peer authentication mechanism, I could have verified the legitimacy of his claims about organisation and employment; checked he was the cardholder; and would happily have purchased something. As it was, I politely sent him packing.

If the government wants an identity scheme that will genuinely engage with marginalised or disadvantaged groups; prove meaningful and valuable across the entire population; and build trust rather than facilitating flash and dash fraud; then it's time to scrap the current approach and start again with something that reflects the needs of everyone, not just the Identity & Passport Service. Build it as a Psychic ID Card that can be applied across a range of scenarios without accumulating personal data or compromising privacy, and encourage individuals to invent innovative applications. But don't lumber us with a scheme that costs billions and fails to serve the needs of those who need it most.

Oh, and if that salesman is reading - come back with proper ID and I'll happily buy something from you.

[And for the under 40s, if the word 'Gissa' means nothing to you then here's Bernard Hill's seminal character who coined the phrase 'Gissa job']

The Technology Strategy Board has allocated up to £8m to invest in highly innovative collaborative research and development projects in the area of trusted services.

The tools, techniques and services developed will accelerate the deployment of secure and trustworthy information systems, within Digital Britain and the wider global economy. The competition will focus on business-led collaborative projects to develop trusted services which rely on technologies and their associated supply chains that will deliver significant improvements over today's service offerings.

Up to one quarter of the funding will be awarded to fast-track projects which last up to 12 months and have a total value of less than £150k. The remainder of the funding will be awarded to collaborative R&D projects lasting 12-36 months and with a total project value exceeding £150k.

For further information about the competition, please refer to the Technology Strategy Board website.

Please excuse the off-topic posting, but it's time for the annual charity event. Those of you whom I've pestered for sponsorship before will know that for the past three years I've cycled from my home to London and then on to Paris (400 miles) in aid of Action Medical Research. This year I've decided to up the ante a little, and have entered the Deloitte Ride Across Britain.

On 12th June 2010 I will join 500 other riders as we depart from John O'Groats to cycle the 1,000 miles to Land's End over 9 days. Our route, which takes us down the west coast of Scotland, through the Lake District, over the Bristol Channel, and across Dartmoor, will climb further than the height of Everest. We'll be cycling around 110 miles a day, and camping at night.

I'm covering all my own costs, and a donation to the Paralympics, but I'd like to raise £1,000 for Help for Heroes. I think we're all aware of the stunning work this charity does for our forces, and it's a chance for me to repay a debt from my past. If you can sponsor me even for just a few pounds I would be extremely grateful. Every penny you donate will go directly to this worthwhile cause. I'll be wearing a satellite tracking device and blogging as I go, so there will be plenty of opportunities for you to mock me as I go.

You can sponsor me through Just Giving. Thank you for your support.

As the country goes to the polls, the three main parties have committed to specific policies on Privacy, Data Protection and Security. In particular, the Conservatives have promised radical reform in these areas. What changes are we likely to see once the new government is elected?

I will be presenting a free online seminar on the topic of "Privacy, Data Protection and Security - Post UK Election" at 1100hrs BST on 13th April 2010. You can tune in for free, and pre-register for the event here.

[Declaration: There is no fee for this event, and I am not being paid as a speaker]

Google hiring bond traders

Google is reported to be recruiting bond traders. So what? They're a big company, they doubtless have a corporate treasury function (although being Google they've probably come up with a much more interesting name for it), they probably need to run their own funds purely to manage the enormous heaps of real and theoretical cash sloshing around the place.

The thing is, these traders will have a secret weapon: the results of your web searches. They can look at search trends to understand what others are looking for, and use this as business intelligence to guide their portfolio. If users in Washington DC start searching for information about breakdowns in relations with China, or City of London users are querying rises in VAT, then the Google team have exclusive information to steer their trading strategy.

This is all legal and above board, but it demonstrates the power that companies such as Google can accrue even without using personal data.

Shome mishtake shurely?

A very unpleasant little amendment to the Licensing Act (2003) is in front of Ministers for approval as a Statutory Instrument (SI). If you're not familiar with the process, an SI is delegated legislation made under the powers of a parent Act, and it is very rare for an SI to be amended or changed - it is generally either approved or rejected when presented to Parliament.

The SI in question is there to address binge drinking by restricting licensees' abilities to offer discounted booze and encourage heavy drinking. Part 4 (2) of this particular SI refers to a licensee's policy, and reads as follows:

(2) The policy must require individuals who appear to the responsible person to be under 18 years of age (or such older age as may be specified in the policy) to produce on request, before being served alcohol, identification bearing their photograph, date of birth and a holographic mark.

I'd like to think that this is simply a bit of shoddy text drafted by a junior civil servant who hasn't thought it through properly, but that seems unlikely. The only acceptable proof of age in a licensed premises will be either a passport, a driving license or an ID Card. Licensees will no longer be able to use common sense, or to accept other forms of ID even where they are credible beyond doubt. Young drinkers won't dare go out without one of those forms of ID on them, and that will inevitably lead to a rise in the number of lost passports - something that Identity Minister Meg Hillier has been banging on about as almost the sole justification for the National ID Service for a long time now. It seems probable that this move is an attempt by a government that has almost no understanding of ID technology, and an active interest in undermining privacy, to force yet another justification for ID Cards through without proper scrutiny.

What this will do is create a fresh market for false ID cards. A card with a photo, hologram and date of birth is still relatively trivial to put together, and is the average member of bar staff really going to challenge someone who is in possession of what looks like it is probably a legitimate card? I doubt it. Just over a year ago I warned the BBC of the dangers of 'flash and dash' fraud that will arise from the misuse of ID Cards, and this is the first stage in making that situation come to pass.

For a long time those who have given more than the briefest of thought to the challenge of proof of age have understood the potential of ID technologies to be used in a zero disclosure way: to respond to a challenge without providing any information about the data subject. The relying party asks the system 'is the individual 18 years of age or over?' The system responds 'yes' or 'no'. No other information is released. Innovative organisations such as Touch2ID have put the concept into practice, and offer contactless proof of age cards that simply contain a biometric hash of the bearer's fingerprint. The licensee's reader asks the card 'is the bearer 18 years of age or over'? The bearer puts their finger on the reader, the biometric is compared with the hash on the card, and a positive or negative response is given. The card doesn't need a photo, or a date of birth, so the individual retains their privacy. The card is issued for free. If the card is lost then it's useless to anyone else, can't be used for identity fraud, and can be replaced for £2.50.
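To make the zero-disclosure exchange concrete, here is an added Python sketch of my own (an illustration, not Touch2ID's design or code) in which the card stores only an 'over 18' flag, a hash of the fingerprint template and an issuer MAC, and the reader learns nothing but yes or no. The shared symmetric issuer key, the exact-match fingerprint model and the template byte strings are constructed simplifications.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

# Constructed issuer key. Assumption: one symmetric key shared between the
# issuer and licensed readers stands in for a real issuer signature scheme.
ISSUER_KEY = bytes.fromhex("3f" * 32)


@dataclass(frozen=True)
class AgeCard:
    """Everything stored on the card. Note what is absent: name, photo, DOB."""
    over_18: bool          # the only attribute the card can attest
    template_hash: bytes   # SHA-256 of the bearer's fingerprint template
    tag: bytes             # issuer MAC binding over_18 to template_hash


def _payload(over_18: bool, template_hash: bytes) -> bytes:
    return b"over18=" + (b"1" if over_18 else b"0") + b"|" + template_hash


def _is_over_18(dob: date, on: date) -> bool:
    birthday_passed = (on.month, on.day) >= (dob.month, dob.day)
    return on.year - dob.year - (0 if birthday_passed else 1) >= 18


def issue_card(dob_iso: str, template: bytes, issued_iso: str,
               key: bytes = ISSUER_KEY) -> AgeCard:
    """Issuer side: the age predicate is evaluated once, at issuance, and only
    the boolean is written to the card; the DOB is discarded. (A card issued
    to a minor would need reissuing once they turn 18.)"""
    over_18 = _is_over_18(date.fromisoformat(dob_iso), date.fromisoformat(issued_iso))
    template_hash = hashlib.sha256(template).digest()
    tag = hmac.new(key, _payload(over_18, template_hash), hashlib.sha256).digest()
    return AgeCard(over_18, template_hash, tag)


def reader_check(card: AgeCard, presented_template: bytes,
                 key: bytes = ISSUER_KEY) -> bool:
    """Licensee's reader: answers only 'is the bearer 18 or over?'.
    Simplification: a fingerprint is a byte string that must match exactly;
    real biometric matching is fuzzy and compares templates, not hashes."""
    expected_tag = hmac.new(key, _payload(card.over_18, card.template_hash),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(card.tag, expected_tag):
        return False   # home-made or altered card: the issuer never vouched for it
    if not hmac.compare_digest(hashlib.sha256(presented_template).digest(),
                               card.template_hash):
        return False   # wrong finger: a lost or borrowed card is useless
    return card.over_18


def demo() -> dict:
    """Constructed scenarios showing what the reader can and cannot learn."""
    adult = issue_card("1985-06-30", b"finger-template-adult", "2010-03-25")
    minor = issue_card("1994-01-15", b"finger-template-minor", "2010-03-25")
    # Forged card: right format, claims over_18, but carries no issuer MAC.
    forged = AgeCard(True, hashlib.sha256(b"finger-template-forger").digest(), b"\x00" * 32)
    return {
        "adult_own_finger": reader_check(adult, b"finger-template-adult"),
        "adult_card_other_finger": reader_check(adult, b"finger-template-minor"),
        "minor_own_finger": reader_check(minor, b"finger-template-minor"),
        "forged_card": reader_check(forged, b"finger-template-forger"),
        "fields_on_card": list(AgeCard.__dataclass_fields__),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```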

This ridiculous SI, which is another back-door attempt to undermine civil liberties and bolster the National ID Service, will pass on 6 April unless it is sent back by Parliament. You need to write to your MP to make them aware of what's hidden in the small print, and demand that the SI is redrafted before it's accepted.

[Hat-tip to Edgar for bringing this one to my attention]

[Declaration: I have no commercial or personal interest in Touch2ID]

The Annuality Agenda

The financial year end is nearly upon us. In a couple of weeks' time, government departments are expected to draw a line under many of their existing procurement contracts and move to a new budget year. As always, there's a flurry of small, last-minute procurements as they spot a few thousand pounds here and there that have to be used up otherwise they'll be lost from next year's allowance.

In a normal year, this would be followed by the release of the purse-strings on larger pieces of work that have been awaiting the new budget, but this year we will be in the grip of an election, and some of these will inevitably be delayed; others will (allegedly) be rushed through to ensure that the current government gets its spending plans under way before May. After that, it's anyone's guess what might happen: all that we know for sure is that there will be a lot less money in 2010 than there was in 2009.

The principle of annuality in public sector budgets is a perverse one. Whilst it obviously makes sense to take a snapshot of expenditure, and to ensure that out-of-control projects don't have access to more funds than have been allocated for a given period, it also makes it impossible for public authorities to 'save up' for major new procurements, since any success at saving money is rewarded by having the savings taken away, not just now, but in future years' budgets as well. The taxpayer is hit with shocking and unexpected bills for systems that could have been foreseen, and budgeted for, many years in advance.

I grew up in the home computing revolution. When I was 13, I managed to persuade my father to part with the price of a home computer, which at the time cost about twice the price of a good racing bike. I wanted a BBC Micro, he wanted to pay for a ZX Spectrum, we compromised on a Dragon 32. That came as a shock to his wallet. At 18, I needed to upgrade to a new machine, and once again without warning put in for the price of a PC; he recovered from the shock, the haggling began and I ended up with an Atari 1040ST. On each occasion I felt aggrieved that he was unhappy with me requesting an out-of-the-blue purchase that cost the equivalent of a few years' pocket money. He was unhappy that his son kept pitching up demanding new equipment, and then the price kept rising to cover peripherals and software. That's not a particularly good way to budget for your domestic IT needs, and I recognise how fortunate I was that there was enough money to still be able to get a new computer.

The thing is, that's how we run much of our public-sector procurement, and authorities are only just waking up to the fact that the money's gone. The recession has scuppered these budgets, and we'll be paying for it for many years to come. Public authorities can no longer expect to present a business case for a major IT procurement and get it approved. It's time that they're given a mechanism that allows them to save for their needs, and that their accounting procedures are updated to force them to do so. If a system is anticipated to have a 10-year lifespan, then that's a 10-year period to save up for its replacement. Teenagers around the country are discovering that there's no longer enough money in the household budget to pay random IT purchases, and public authorities will have to do the same. The Conservatives have discussed the principle of scrapping annuality in certain areas of public budgets, and that has to be a good thing if those authorities are to be held accountable for responsible and prudent spend on IT.

In the meantime, I'm swamped with finishing Privacy Impact Assessments for two central government agencies and chasing around for the next round of spend that will hopefully be released in the coming weeks. I'll be blogging more frequently once this silly season - which for the sake of the UK economy I hope is the last one - is over...

The US Federal Trade Commission has just found so-called privacy and security certification service ControlScan guilty of failing to monitor the practices of its certified sites. In their settlement agreement, they state that "founder and former Chief Executive Officer has entered into a separate settlement that requires him to give up $102,000 in ill-gotten gains."

ControlScan offered a variety of privacy and security seals for display on Web sites. Consumers could click on the seals to discover exactly what assurances each seal conveyed. For example, the company’s Business Background Reviewed, Registered Member, and Privacy Protected seals conveyed that ControlScan had verified a Web site’s information-security practices. However, the FTC alleges that ControlScan provided these seals to Web sites with “little or no verification” of their security protections. Similarly, the FTC alleges that the company provided its Privacy Protected and Privacy Reviewed seals to Web sites with “little or no verification” of their privacy protections.

The FTC also charged that although ControlScan’s seals displayed a current date stamp, the company did not review any of the seal sites on a daily basis. In some instances, Web sites were reviewed only weekly, and in other instances, ControlScan did no ongoing review of a company’s fitness to continue displaying seals. The FTC charged that the defendants’ deceptive acts violated federal law.

Stern words indeed, and the sort of thing one would expect to hear from a heavily empowered regulator (the UK Information Commissioner simply doesn't have this sort of clout, particularly since the government gave up on plans to increase penalties before the election). Any company that makes a commercial offer in the US and then doesn't do what it said can face that level of wrath from the FTC.

As for privacy and security seals: well, I've never been much of a fan. There are some excellent programmes out there, but for a seal to be meaningful it has, to my mind, to be backed by an independent ombudsman who can award meaningful damages when an organisation in possession of a seal fails to protect data. Even then, for victims it is almost impossible to prove the source of a data breach unless it's very specific indeed; in most cases, the accused organisation could wriggle out of liability by claiming that the individual must have lost the data elsewhere, or had inadequate protection on their own machine.

In their policy document Reversing the rise of the surveillance state, the Conservatives state that they will task the Information Commissioner to carry out a consultation with the private sector, with a view to establishing guidance on data security, including examining the viability of introducing an industry-wide kite mark system of best practice. Unfortunately I doubt that will result in anything meaningful if such a kitemark is created, and there are better places on which to focus resources: rigorously-applied security and privacy standards for public sector; a properly-funded police that can investigate e-crime; an empowered ICO that deals sternly with public authorities and private companies alike; and above all a fresh way to properly value personal information so that it is protected in accordance with the expectations of the data subject, not the convenience of the data controller. Tomorrow the ICO will publish its report on valuing personal information - with a bit of luck, that will be the first step towards a revitalised approach to information security.

Disclaimer

The views expressed in this blog are my own, and don’t necessarily reflect those of the Enterprise Privacy Group or its member organisations.
