The Privacy, Identity & Consent Blog

The Information Commissioner has published fresh guidance about acceptable use of CCTV cameras. The most notable part of this is a recommended ban on microphones to record conversations. Why is this such a big deal?

The risks associated with social networking sites are becoming a hot topic, but a recent incident demonstrates a new low for employer attitudes towards staff use of the Internet.

Last year's data loss incidents have sparked a fascinating discussion that compares personally identifiable information with radioactive waste - and who is supposed to pay to clear it up.

BAA is trialling the biometric identification systems that will be used throughout the new Terminal 5, but is this an appropriate solution, and what exactly is the problem?

A little while ago, the Association of Chief Police Officers (ACPO) renewed the debate about building a compulsory DNA database for all UK citizens. The Home Office has rejected this idea, and two individuals are challenging the existing of the UK DNA database at the European Court of Human Rights. What's all the fuss about?

Media attention is shifting away from London Heathrow's new Terminal 5. A backlog of 28,000 bags is being cleared via Milan, and the number of cancelled flights seems to be gradually coming down. But what about the biometric security controls?

Infosecurity starts today, and it will doubtless be the biggest, busiest and boldest conference yet. So why am I feeling rather underwhelmed at the prospect?

At Monday's Enterprise Privacy Group meeting, a debate arose around the value of identity management - and in particular the Identity Metasystem - in the grand scheme of human endeavour. Why do we fret about identity when there are lots of apparently bigger issues out there? But stacked up against climate change, curing cancer and ending world hunger, identity management is a lot more important than you might think.

A senior police officer has stated that the pervasive use of CCTV in the UK has failed to cut crime and is an 'utter fiasco'. with only 3% of London's street robberies being solved using security cameras.

Data Protection guru Chris Pounder has put forward an excellent argument that there is no legal requirement for a security breach notification law in the UK because we already have a requirement for this under the Data Protection Act (1998). I'd also argue that there is no need for such a law because there's simply no point in it. Unless you're a pilot.

A new market is developing in environmentally-friendly low-carbon energy management solutions for businesses. Whilst visiting a public authority recently I witnessed an innovative solution to controlling energy use by their air-conditioning systems. Here's how they've done it...

Today's Dilbert focusses (geddit?) on workplace surveillance.

Online auction house eBay's reputation-driven trust scheme is a much-admired and much-emulated model. Or at least, it was until recently when eBay made a significant change to its operation.

Apologies to all for the lack of posting recently, it's been silly season in preparation for the summer - but finally that's here! Today I depart for a 350-mile cycle ride to London and then on to Paris, in aid of Action Medical Research and Riding for the Disabled. The team has raised well over £30,000 so far, so please sponsor us here - and you can follow our progress here.

Normal service will be resumed next week!

Another day, another data loss, and another struggle for an original headline. However, the RBS / NatWest / Amex loss of 1m sets of personal information isn't as straightforward as it might at first look.

New Forest District Council has been rapped by the Information Commissioner for posting up personal information on its planning website. The problem is not new, and a number of councils have been warned about this in the past. However, having been warned before about this, New Forest's response to the criticism was: "... signatures and other unique information are not now available for public scrutiny".

Out of interest, I went to their planning portal, punched in a postcode and pulled down the documents from a random applications. Guess what? There's the signature, together with all the other personal information. In the very first document I downloaded. So, is the New Forest District Council lying, or do they not understand their own system? Let's hope the enforcement notice is in Monday's post - because I'm off to steal a pony's identity.

(Partial signature reproduced here)

Shadow Schools Secretary Michael Gove has confirmed that the Tories will scrap ContactPoint - aka the Children's Index - if they win the next election. Speaking to the Telegraph, he expressed his concern that ContactPoint, which will contain details of (almost) every child in the UK will be exploited by paedophiles. The project, which involves the likes of PA Consulting (recently rapped for losing a memory stick containing prisoner and repeat offender information), 'can never be secure' according to Gove.

Whilst the paedophile argument is, I suppose, legitimate, it smacks of pandering to the red-tops for a bit of a soundbite. However, the policy itself is sound, and in fact essential for the Conservatives if they are to maintain their continued opposition to the National Identity Scheme.

My fears about ContactPoint stem from the incredible potential for function creep. The government has already said that it will be used to 'track criminals', so it's only a matter of time before its usage extends far beyond the protection of chiildren. After all, councils are at pains to emphasise that it won't record fruit and vegetable consumption - which can only mean that this has been given serious consideration at some point. Good grief.

Furthermore, how can data be kept secure on a system with an expected 300,000 authorised users? Well, it can't. Plain and simple. And that's why the policy is that it won't contain the contact details for children of celebrities and political figures. That's OK then, since the rest of us are so much less important and our details simply aren't worth having.

I understand that the ContactPoint team have been to great pains to ensure that they comply with the Data Protection Act, and I've heard representatives from the Information Commissioner's Office confirm this. But it's a classic example of the Data Protection Act being used as the maximum target for what needs to be achieved, rather than the minimum needs for protecting privacy. This is the DPA as an annoying compliance hurdle rather than something to be embraced and respected. And that needs to change.

The Home Office has floated the idea of forcing anyone who wishes to purchase a mobile phone to provide a passport or equivalent before they can do so, and these details will be logged on a database for the purposes of tracking terrorists and organised criminals.

I suspect that it's not beyond the capabilities of the average criminal mastermind to obtain false papers, or easier still to pay someone else to buy the phone for them. It will certainly make a change from kids asking adults to buy them booze, I now expect to see besuited mafia types lurking outside Phones4U saying "oi mister, get us a Nokia N95 will ya". Furthermore, if the purpose really is national security, then surely Sir James Crosby's recommendations would suggest that the government should want to make it easy to buy phones so that their location and traffic can be monitored (the Communications Data Bill should assist with that one).

Anyway, there are a couple of good business opportunities here. Firstly, to open an import business that sells overseas SIMs into the UK by mail order. Secondly, if the Home Office really means 'phones' and not 'SIMs' then I'm going to start hoarding handsets because prices of second-hand units will skyrocket as people either refuse to identify themselves for a new one, choose not to identify themselves because of nefarious intent, or (much more importantly) cannot identify themselves because of a lack of suitably robust credentials (socially marginalised groups).

It certainly seems inevitable that if this proposal goes through then it will only be a short period before ID Cards are accepted in place of passports, and the next logical step will be ID Cards being the only valid way to obtain a phone. Welcome to the panopticon...

Newsbiscuit is reporting that a book containing the names and telephone numbers of hundreds of thousands of people has been discovered on a doorstep.

[Another classic from Newsbiscuit, which is well worth keeping an eye on!]

The credit crunch is beginning to bite hard - so much so that we're finally starting to refer to it as the recession that it really is. At a time when data loss incidents are still high on the media agenda, is the recession going to have a negative impact on privacy?

So, last week we had the latest in a long line of data loss incidents: a member of Atos Origin's staff left user and password data for the Government Gateway in a pub car park. I look forward to hearing confirmation that both the individual concerned and the individual responsible for management of the project have both been asked to revise their career aspirations. But this was in the same week that the Minister responsible - Work and Pensions Secretary James Purnell MP - had to apologise for leaving confidential documents on a train. Are the two cases really so different, and can future incidents be avoided using the same controls?

Tory MP Grant Shapps has used the Freedom of Information Act to discover that the government lost 53 computers over the last year, and is demanding an inquiry. If this claim is to be believed, then it works out at one computer a week. And I don't believe a word of that.

Portsmouth Council is trialling a new CCTV system that claims to be able to spot anomalous behaviour and alert operators in real time so that they can respond to incidents rather than scanning 152 cameras in the hope that they spot something happening. The BBC article makes some rather spurious references to 'Big Brother' in this context; does it have privacy implications?

We're all aware of the famous New Yorker cartoon - "on the Internet, nobody knows you're a dog". However, that's about to come to an end if the latest application of the Regulation of Investigatory Powers Act (RIPA) comes to pass.

The Information Commissioner has published a draft Code of Practice to address the problem of the poor-quality privacy notices that are all too common online, in printed documentation, or even used by call centres (the 'we may record anything we like' approach). The consultation quite rightly highlights the fact that too many notices are written in legal jargon, are hard to find, fail to clarify key issues about how personal data will be used, and in some cases appear to be deliberately misleading. Upon first read, it looks like a really good document - it covers a lot of ground, uses simple language, and even encourages the use of Privacy Impact Assessments to confirm that data usage is legitimate. Best of all, it provides examples of what good and bad privacy notices look like.

The "Coroners and Justice Bill" has been placed in front of Parliament. Does this sound a little irrelevant to a privacy article? Not if you look in the small print of the Bill...

Google has just launched its 'next big thing' - Latitude, a location tracker that can be used to share your location details with others. Is this a great leap forward, or a threat to privacy?

The Coroners and Justice Bill has had its second reading in the Commons and gone to Committee. Why should we care about a Bill that is, on the face of it, intended to reform the operation of Coroners and provide some revisions on sentencing procedures? The answer is hidden in Clauses 152-154 which, quite simply, exempt public authorities from compliance with the Data Protection Act, and allow them to do whatever they please with personal information. Coroners and Justice represents one of the most fundamental attacks on privacy ever set before Parliament.

I wish there were an emoticon for <slaps forehead with one hand whilst lightbulb goes on over head>. I was pondering Coroners & Justice on the flight home last night, when I realised what the Bill is really all about (although I'm sure I'm not the first). Click through for the answer...

I spoke today at a Social Market Foundation event on biometrics. The keynote was Prof James Wayman, who was exceptionally fluent and interesting on the topic, and I was pleasantly surprised to see him talking openly about the abilities and limitations of biometric technologies.

Biometric technologies are one of those 'lightning rod' topics that quickly polarise people into the 'for' and 'against' camps. It's difficult to say exactly why this is, but much of the problem probably rests in the dystopian science-fiction visions of the likes of Brazil or Minority Report that blur the reality of technology with the possibility of imagination.

The idea that an individual can live in a surveillance society with nothing to fear so long as they have nothing to hide may, on the face of it, appear attractive. For those of us who think of ourselves as 'honest' - we pay our taxes, don't commit murders and are loyal to our partners - why indeed should we fear surveillance?

I'm indebted to William van Zwanenberg, who has provided such a detailed and extensive comment on yesterday's "Nothing to hide, nothing to fear" (NTHNTF) article that is merits a blog entry in its own right. William's piece is below - many thanks indeed!

The Register is reporting that a number of prominent Scots - including Gordon Brown - had their medical records accessed by a doctor without authorisation:

The files were part of the Emergency Care Summary system database, which was established three years ago amid guarantees by the NHS that it was protected using the "highest standards of security."

- The Register, 2nd March 2009

Whilst completely unsurprising that such a breach could happen, it seems a shame that it's happened in Scotland, where the Scottish Government appears to be clued in to the implications of gathering databases full of personal information. It's patently simple to understand that where a big database exists, it doesn't matter how many security controls it has, or how carefully vetted the users are, sooner or later it's going to become porous. I therefore wish to propose a new First Law of the Bleedin' Obvious which states:

"The risk of the loss or misuse of personal information is directly proportional to the product of the number of records in that database and the number of authorised users of that database."

I think that might be a bit complicated for some of the policymakers who have been engaged in designing public authority databases, so the Simplified First Law goes as follows:

"There is a direct link between HAVING a massive database of personal information with thousands of authorised users, and then LOSING that data, and NOT HAVING a massive database of personal information with thousands of authorised users, and NOT LOSING that data."

Clearly some policymakers do understand this law - it's why, for example, ContactPoint will have 'shielding' exemptions to prevent the details of their own children appearing in the database. This is a living example of my proposed Second Law of the Bleedin' Obvious, hereafter referred to as the ContactPoint Paradox:

"The effectiveness of any database information security system is inversely proportional to the product of the number of records in that database and the number of authorised users of that database."

Once again, this needs to be explained as a Simplified Second Law that policymakers can understand:

"Information security controls reduce the risk that data will be lost or misused. No database is completely secure, and anyone who claims otherwise is lying."

We need to build up at least seven of these Laws of the Bleedin' Obvious, which (possibly subject to a more complex and expensive name) could be used to inform policy development in this area. That's laws number one and two proposed. I'd like to hear proposals for the other five please.

I don't normally bother reporting on spam emails, since we all accept them as part of the dot-com world. I assume that they must still work, otherwise the Lads from Lagos wouldn't keep sending them, and I've certainly observed a huge rise in the number of emails received in recent months - perhaps this is a sign of the times in the recession?

Anyway, in a junk mail box full of 419s, this one really stands out for the number of topical references, confused cultural ideas, and above all the fact it's from a knight of the realm (should one assume this knighthood is in the same category as those of Allan Stamford or Conrad Black). I wasn't aware that NatWest had taken over the Bank of England. Oh, and the fact that Sir David is "bugging into my privacy". Enjoy.

Dear Sir/Madam,

I am sincerely Sorry for bugging into your privacy, it's due to a business deal in my bank valued at 21.5Million us dollars, as a foreigner l can present you as the beneficiary to the inheritance since there is no written will by the deceased who Died at the Israeli checkpoint in jerusalem, as the director of system l have been following the records. However l am the only one aware of the funds and investigation so far in my bank due to my investigations.

l am Sir David Murray Ess an Executive director working with Natwest Bank of England. This opportunity will be of mutual benefit to the two of us. I would provide you with all the necessary documents to lay claims and also I would avail you with the modalities we shall follow once I hear from you Because of my position in office, please endeavor to keep to yourself issue concerning this proposal.

If you are interested, kindly get back to me with your full contact informations Upon your response l will give you more details about this transaction, if not interested you can delete this mail.

Regards,

Sir D.M Ess

I'm delighted to announce that Identity and Privacy 2009 will be held in London on 14th and 15th May 2009.

I've just received a cracking advance-fee fraud attempt that's trying to pitch leftover funds from some "sharp practice" in the stadium construction. I can't wait to see the first one claiming to have a load of 2012 Olympics money up for grabs.

THE HEADQUARTER SOUTH AFRICAN 2010 CONTRACT IMPLEMENTING DEPARTMENT   

In a brief introduction, I am Mr. SAMSON MUDAU Secretary Contract bidding and Implementation of Local Organizing Committee of South Africa Football Association (SAFA) for FIFA Word-cup 2010 to be held in South Africa. Our Committee was in charge for the contract bidding for the construction of six new stadiums and renovation of four existing stadiums to meet the World and FIFA specified standards both foreign and local contractors were involved in these projects execution.

In course of exercising our duties, we were in few sharp practices which have fetched us the sum US$8.2M (Eight Million Two Hundred Thousand United States Dollars) which we intend to transfer out of our country now that the works at the sites of the six new stadiums are coming up to completion level. For us to realize the transfer of this deliberate over estimate of contract value and kickback, we received from two foreign firms, we needed a foreign partner, and thus I contacted you.

I wish to assure you that this transaction is risk and hitch free as we are still in service with our government and cannot afford to make any mistake because of our reputation. This above amount can be transferred to your nominated personal or company name which you will send for the purpose of the execution of this mutual benefit transaction.

For more details on how this transaction can be realized. Feel free to contact me on this private email. samson.mudau@googlemail.com Remember like in all conspired deal confidentiality should be our watch word.

Thanks for your anticipated response.

Yours faithfully.

Mr. SAMSON MUDAU.    

The government is once again bigging up the need for the proposed Interception Modernisation Programme (aka the GIMP) by arguing that it's essential to collect and retain all social networking traffic in order to catch paedophiles.

This is one of the most spectacularly disproportionate schemes yet to be waved in front of the British public under the catch-all excuse of "think of the children". There is no doubting that it's essential to protect children online, and that any incident is to be prevented or investigated at any cost. But that does not justify the accumulation of spectacular amounts of data relating to every innocent Internet user, just to find the few that have malicious intent. The proposal is disproportionate from a privacy perspective, and could not possibly be as cost-effective as providing proper resourcing to the police in place of the token funding they currently receive.

I think we need to add a new rule to the Laws of the Bleedin' Obvious: "Any surveillance system that has its construction justified for child protection reasons, whilst not delivering child protection as its sole objective, is not justifiable." The short form of that rule (you may recall we simplify these for certain policy makers so that they can understand them) is "If you need to use kids as an excuse then give up and go home."

Google has launched its Street View service in the UK to inevitable howls of protest about the privacy implications. Is it really such a big deal? And might customisation offer a compromise for all concerned?

I had a big clear-out of my attic over the weekend, and made in-roads into 15 years' worth of junk that had taken over the top of the house. Nothing exciting there (except for a mouse-filled Xmas pudding - how did that end up there?) but it merited a few trips to the district environmental waste recycling facility (or 'dump' for anyone not engaged in creating mindless jargon).

Dumps operate their own special underground economy, and it seems to be the accepted norm that workers there can scavenge and sell the waste, even if it contravenes fire safety or electrical safety rules. I quickly became popular as old laptops (with their hard discs removed), books, bags and bits of furniture were hauled out of the Land Rover. Selling that for a profit is obviously a perk of the job.

What disturbed me though was the worker (whom I know to be legitimate, I've seen him there before) stood over the paper skip going through all the loose paper: not just sorting it, but reading it, opening envelopes, and in one case pocketing something (it looked like a utility or tax bill) that interested him. I wonder if that's a another unofficial perk of the job - stealing identity credentials to order?

The Identity and Passport Service has announced the award of the first two contracts under the National Identity Scheme. CSC has been awarded the £385m contract for Application and Enrolment, whist IBM got the £265m contract to build the National Identity Register. These are the first in a series of components being procured under the framework agreement, which also includes EDS (HP), Fujitsu and Thales.

Professor Sir Alec Jeffreys, the scientist behind the development of DNA testing methods used in modern policing, has attacked the government DNA database.

The controversial deep-packet inspection service offered by Phorm has been making the news again. But despite some of the hostile coverage that Phorm has received, there are possible benefits as well.

Some weeks ago I was interviewed by the BBC, who asked what I thought the greatest security threat to the National Identity Scheme (NIS) would be. The answer was easy: the biggest threat to ID Cards is things that aren't ID Cards.

Whilst there will doubtless be numerous attempts to use the NIS in criminal ways, the simplest will be to create bits of plastic that call themselves ID Cards but aren't - they don't relate to any legitimate record in the National Identity Register and wouldn't stand up to anything more than a visual inspection. But until we have access to pervasive card verification facilities, how will anyone be able to confirm whether a card is legitimate, even if it looks fine? In situations where a relatively low burden of proof is required, such as proof of age for buying alcohol (as opposed to taking out a mortgage, for example), a quick visual inspection will suffice if a card reader isn't readily available. The consequence of this will be 'flash and dash' fraud, and the problem with that type of fraud is that it will undermine public confidence in the NIS, even though the NIS itself hasn't been breached.

The problem is not unique to ID Cards: passports, bankers drafts and banknotes are all subject to this sort of problem. The solution is to roll out the verification infrastructure very quickly indeed, so that the window of opportunity between the first cards being issued, and relying parties having the ability to check them, is as small as possible.

So I was interested to see that a couple have been jailed for manufacturing 'fake ID cards'. These are readily available from the back of magazines and on the Internet, and carry credible (if meaningless) logos and crests, with titles such as 'UK Identity Card' on them. The best ones even have small print on the rear saying 'for novelty use only'. I assume that the reason they were punished was for pitching them to underage drinkers, since I can't see what crime is committed if a card is made up without breaching any copyright, doesn't actually resemble any official document, and is sold for novelty purposes. The crime happens when the holder uses it to misrepresent themselves or their entitlement.

A quick google around the novelty card sites suggests that many have recently closed, which might be because Trading Standards is stamping on them - or maybe they're gearing up to start producing 'real' fake IDs?

Deep Packet Inspection outfit Phorm is busy covering itself with glory today. This morning we had the Freedom of Information revelation that contrary to previous statements, the Home Office not only advised Phorm on the legality of its service, but in fact afforded Phorm the opportunity to edit the Home Office advice before it was released.

Then we saw the launch of www.stopphoulplay.com, a website set up by Phorm to name and smear the 'privacy pirates', who "appear to be determined to harm our company". The purpose of the site seems to be to plant the idea in people's minds that the only reason that privacy campaigners object to Phorm's DPI technologies is because Phorm's competitors are paying them to do so.

Any chance we had of trusting what's been said by either Phorm or the Home Office on the topic of DPI is now completely lost. I would have expected a company working on something so sensitive to have demonstrated much greater transparency in its approach to market - as I've said before, I don't actually have a problem with what Phorm is trying to achieve, I have a problem with how it's going about it.

But Phorm's actions have forced me to climb off the fence and make my new position clear: I object to Phorm's technologies and will be asking them not to profile visitors to my website. I will not use an ISP that participates in the Webwise service, even if there is an opt-out. I will avoid visiting websites that are early adopters of Phorm's technologies. And I will urge my friends to do the same until I see a change in attitude from Phorm's management.

[For the avoidance of doubt, my opinions are my own, and do not necessarily reflect those of either Computer Weekly or the Enterprise Privacy Group and its member organisations].

"Mark Thompson" has commented on the previous short item on 'Phiting Dirty,' and I think his comment merits a blog item in its own right. I've reproduced his text below:

This new 'smear' website Phorm have setup is a complete disgrace. It is an attack on private individuals the likes of which I wouldn't expect from a company trying to convince people to trust them with their internet browsing history.

As the person who created the petition against Phorm on the 10 downing street website I can certainly prove that the section on this website about the petition is completely wrong. They portray the petition as something that was thought up by 'Privacy Pirates' (Whatever that means ?), claim it desecrates the long history in this country of petitions and then claim the petition was completely missleading by infering that Phorm was illegal.

Ok, so to set the record straight, I created the petition myself as a private UK citizen. I have had no contact with any other 'Privacy Pirates' when creating the petition, it was never worded in such a way as to cause anything missleading about Phorm or the Privacy issue. If you read the text of the petition it does NOT state that Phorm is illegal, it petitions the government to investigate Phorm, and IF found to be illegal then ban it's use, as well as asking for a review of privacy laws. I have had very little to do with most of the campaign against Phorm, other than creating the petition and posting a couple of vids on youtube to get the word out. I've never met or spoken to any of the named 'Privacy Pirates' such as Alex Hanff, and the petition was certainly not created as some organised attempt at damaging Phorm.

Sorry to bang on about the petition, but if Phorm have got it so wrong about this one particular section, it leaves me wondering how wrong have they got all the other information on this website?

I hope Phorm see sense, I would like to see nothing more than the website pulled and replaced with a public apology to those people named and insulted on the website, as well as an apology for insinuating that I attempted to desecrate the very principle of petitioning. I was simply exercising my right as a UK citizen to petition my Government on an issue I felt was important (and it turned out over 20,000 other people thought so too). For Phorm to characterise it the way they have with this website, well it is just plain insulting and I think it shows the true nature of the company.

[Disclaimer: I don't know Mark and have not verified his remarks. If Phorm wish to comment then I'll happily publish subject to the same rules applied to all comments here]

The Register notes that the Identity and Passport Service refused to issue a passport to a woman who had changed her name to "Ms Pudsey Bear" (in aid of the BBC's Children in Need charity), despite the fact that her bank and even DVLA had done so. The reason allegedly cited by IPS is "It is deemed to be a frivolous change of name, which would bring IPS into disrepute. It could also pose problems for you at border control in some countries."

Leaving aside the obvious gag here, there's a more serious issue for anyone naming a child or changing their own name. The Identity and Passport Service is governed by the Registrar General, who is responsible for official records of births, deaths, marriages etc. If his department refuses to accept a name then surely he has seniority over all other registrations, and therefore those other departments should also reject the name? This is going to create an anomalous situation where individuals cannot have the name of their choice simply because a government official arbitrarily doesn't like it. That couldn't be allowed to happen either, so the next logical step would have to be a list of approved names.

A New Zealand court threw out a girl's name on the grounds that it was patently ridiculous, and the Chinese government is said to be drawing up a list of approved names. Come to think of it, I know more dogs called Toby than I do people with that name - should I be worried about getting my application rejected next time I try to renew my passport?

The National Programme for IT is steaming ahead within the NHS (if you believe the press releases), but remains controversial as ever. Pilots in two different areas demonstrate the incredible difference between allowing patients to 'opt-out' of the system and 'opt-in'.

Thinker, entrepreneur and social activist William Heath is engaged in a running battle with mobile telco Orange after a contract was fraudulently taken out in his name. Despite his reporting the incident to the police, and a mountain of correspondence with Orange, they have set the debt collectors on him. It's a classic case study of institutions that try to overcome poor risk management by intimidating their customers into accepting liability for fraudulent debt.

William's now set the lawyers on Orange - you can follow his progress here.

It's been the busiest of weeks for privacy, identity and consent:

• MPs' suffering data loss on the most spectacular scale (or at least that's their version of events);
• the Home Office choosing to completely disregard the European Court's ruling on retention of DNA data, and hang on to it anyway;
• the Home Office hiding its interception and modernisation plans by forcing the databases onto telecommunications companies (and hence on to their customers);
• the Home Office admitting that in fact the cost of ID Cards are significantly higher than those of simply modifying the existing passport system, despite years of asserting that wasn't the case;
• the Home Office formally announcing Manchester as a 'Beacon Area' for ID Cards in the face of increasing opposition from pilots' unions;
• and some good news in the form of the publication of Dave Birch's amazing 'Psychic ID' paper.

I'll be writing about all these next week, but this past week's been consumed by preparing for our Identity and Privacy conference. For those of you attending, I look forward to catching up with you there, for everyone else normal blogging service will be resumed shortly.

I've surfaced from last week's Identity and Privacy conference to start work on some lengthier and more detailed posts, but this particular item caught my eye - the Guardian reports on a review of CCTV use in cities and urban areas which, unsurprisingly, concludes that it offers very few benefits. The authors say "while their results lend support for the continued use of CCTV, schemes should be far more narrowly targeted at reducing vehicle crime in car parks."

This is a theme we've discussed before, and one that is becoming increasingly widespread: just last week a senior ACPO representative reiterated his belief that practical applications of CCTV are few and far between. The Home Office is trying to force pubs, clubs, shops and off licenses to install CCTV, despite their experience of what happens when ordinary citizens have the ability to film the police in action, and the fact that this is now technically illegal. And there are still big problems with retention of CCTV images and the difficulty of obtaining subject access to those images.

We need greater honesty about why the government is keen on CCTV: it doesn't prevent crime, but moves it to other areas. CCTV is pretty useful to protect property (for example, when I park at the station I try to ensure my car is within the gaze of a camera). When properly implemented and used, CCTV makes for a great evidence tool, so I've no problem with cameras at bank counters. But when CCTV is used instead of an effective police presence then we run into problems. If the police, or a private organisation, choose to use CCTV in place of a person on the ground, then as well as a Privacy Impact Assessment they should be encouraged to release an economic statement to justify why they have chosen to use cameras instead of eyes. Considering CCTV as an economic, rather than a security, tool would make for a much simpler and easier debate all round.

[Thanks to FIPR for the link]

The British Standards Institute has today published the first version of its BS10012:2009 - Data Protection: Specification for a Personal Information Management System. Is this the panacea that privacy professionals have been seeking?

Data sharing has become one of the toughest technology topics for the public sector. Our strategies are being driven by the need to gather and exchange huge amounts of personal information within and between authorities. But the majority of the most significant data loss incidents of recent times have been linked to a failure to share data properly: either through gathering and processing excessive information, or sharing it through insecure means because legacy systems do not support our current needs. We have to revisit some of our basic assumptions about service delivery if we are to move forward from our current problems.

The Sunday Times reports that new Home Secretary Alan Johnson has ordered a review of the National Identity Service. Claiming inside information that he "is more sympathetic to civil liberties arguments than previous home secretaries," the article suggests that he would scrap the ID Card scheme but continue with the build of biometric passports. Could this be the victory that anti-ID campaigners have been seeking?

The Digital Britain report is out, and I'm glad I didn't hold my breath waiting for it. Ian has summarised the main recommendations, which appear to consist of propping up unsustainable copyright models for the recording industry, and throwing a freebie in the direction of 3G network operators in the form of an indefinite operating license extension. Oh, and a 50p a month poll tax on fixed connections to pay for rural rollout.

I guess we probably shouldn't be surprised at such a spectacularly underwhelming and unimaginative approach; after all, innovation is hardly the flavour of the month in the present government, and there would be little appetite to upset major industrial interests. But the fact that the document completely disregards the need for a trustworthy identity management infrastructure, and whilst it pays lip service to privacy, it ignores the importance of privacy as a core strategy objective, instead favouring the need to track down file sharers and expose individuals' details when major corporations ask for them.

I'm sure there's probably some good stuff there in areas that are of less interest to me, but the fact that Lord Carter's review fails to consider the reasons that people don't want to go online - fear of fraud, loss of privacy, uncertainty about to whom they can turn when things go wrong - shows that once again government policy has abandoned the needs of the user in favour of the needs of the state.

Shadow Home Secretary Chris Grayling appeared briefly on this morning's Today programme to ask the five framework suppliers under the National Identity Service - CSC, EDS, Fujitsu, IBM, Thales - to think carefully before signing any contracts associated with the delivery of the scheme. Restating the Conservatives' manifesto commitment that they will cancel the NIS, he warned them that if they sign the contracts they may find themselves out of pocket when the contracts are revoked.

Unfortunately that's a pretty hollow threat for the suppliers, and there's not a hope that any of them will rethink their delivery plans on the back of it. Aside from the fact that the suppliers will obviously have factored a change of government into their risk models, there are three key reasons why they won't rethink their approach:

1. The Identity & Passport Service has boasted on a number of occasions that the termination clauses in the supplier contracts are so punitive that no government would dare cancel them (sorry, I can't find a reference for this, but IPS representatives have definitely made this assertion);
2. The delivery of ID Cards has become inextricably intertwined with that of biometric passports. Cancelling the ID Cards component would not in fact require a cancellation of the supplier contracts, but instead a simple renegotiation of the scope of work that would most likely only shave a small component off the contract value for the suppliers, and certainly not cause them any major problems;
3. Even if the Conservatives repeal the Identity Cards Act and scale the biometric passport programme back to the bare minimum obligation (which is significantly smaller than the government has repeatedly insisted it is) there will be a gaping void in public service information systems that will have to be filled with some sort of trusted authentication/verification infrastructure. The incumbent suppliers, having been amply compensated already, will have a strong case to argue that whatever new system replaces ID Cards should be procured through the existing framework rather than incurring the cost and delays associated with a fresh framework competition. They also have a wealth of experience in designing these solutions so will be well-placed to bid again.

This highlights one of the policy dilemmas that the Conservatives have created for themselves: it's not enough just to cancel the ID Cards programme, they have to come up with a more constructive alternative that takes into account both our international commitments and the needs of public authorities and industry for a trusted authentication infrastructure.

It'll also be interesting to see whether this reignites the spat between Intellect and the Conservatives, where John Higgins wrote to then shadow Home Secretary David Davis to warn him not to interfere in the IT industry, which was countered by a wonderful open letter from Davis in which he chastised Intellect for its involvement and promised that a Conservative government had learned how to deal with the IT industry.

[Declaration: I have no commercial relationship with any of the ID Cards framework bidders, although HP (who own EDS) are members of the Enterprise Privacy Group]

I'd like to offer my congratulations to the Communications team at the Identity and Passport Service for successfully pulling off one of the most audacious and downright clever pieces of media manipulation I've ever witnessed. If I ever find myself in charge of a large and unpopular public service project, I'm headhunting the lot of you into my team. Here's why.

Yesterday afternoon I was tied up running a small conference when I received an email from a friend telling me that the Home Secretary had scrapped compulsory ID cards. My first reaction was to take that at face value - that the scheme had been binned as a result of the Home Secretary's policy review. Clearly that was the reaction of the media as well - the BBC, the broadsheets and tabloids, even the Metro are running the story that the government has been forced into an embarrassing U-turn*on the National Identity Service, with '£1bn wasted' according to the Metro. The media appear triumphant that the CWIC airside worker trial in Manchester has been switched from compulsory to voluntary, and there will be no compulsion to have an ID Card.

But we're so very wrong, and that's the genius of IPS' communications team.

All that has happened here is that the Home Secretary has reiterated the legislation (Identity Cards Act (2006)) by restating that there will be no compulsion to have an ID card. There never could have been such a compulsion without secondary legislation. Furthermore, work on the National Identity Register continues unabated, and in fact the Home Office is now speeding up the plan for enrolment into that database, which will happen as part of the passport application process. So in one stroke, IPS has managed to persuade the media that the National Identity Service is dead, when in fact enrolment will happen faster than before, and simultaneously distract attention from the delayed CWIC implementation.

The real genius of the move is the headlines that it has created: a seed has been sown in the public's mind that the National Identity Service is no more. If that seed can be made to take root, then ID Cards will cease to be a manifesto battle in the next election. The public won't want to hear debates about something that they believe to have been dropped already. The media will lose interest in an ex-project. And it will continue without the baggage of the public protests (although I'm sure NO2ID will continue their work).

I'm also deeply concerned by a small headline on the BBC feed this morning. In his announcement yesterday, the Home Secretary dropped any sense that ID Cards will be of use in protecting national security or fighting serious and organised crime, instead stating that:

"That is why I have announced today that I intend to see their introduction speeded up. The benefits are not just for individuals but also for communities where a reliable proof of age will be invaluable in the fight against underage drinking and young people trying to buy knives. But at the same time, these cards will benefit young people who, on average, have to prove their age more than twice as often as adults and I want to make that process simple and secure."

Proof of age comes to the forefront of the Scheme's purposes, and with it the fight against knife crime. On the same day, the BBC published the following article:

Trading standards officers have called for a ban on online knife sales after a machete was sold to a 15-year-old for £1.50 over the internet. The potential weapon was delivered in the mail in bubble wrap and cardboard to the teenager who was testing underage sales for trading standards.

To my mind, there's no coincidence here. The government will now shift the focus of ID Cards purposes to meaningless** proof of age arguments, and if it can make it harder for young people to access adult services or goods without proof of age, then they will be coerced into taking an ID Card because life becomes too difficult without one. Expect to see more articles like this, claiming that all teenage social ills could be resolved with a proof of age scheme (which incidentally already exists in a number of successful independent approaches as well as the government's own Proof of Age Standards Scheme (PASS)). We're going to victimise our youth to push this policy through, and that saddens me.

So rumours of the National Identity Service's demise are very much ill-founded - it's alive and well and blossoming. And if I ever have to manage such a difficult project, I'd like IPS' current communications team on my side, since clearly they could sell snow to the Inuit.***

* as a colleague pointed out recently, it's more of a J-turn if something is already going backwards at speed...

** if a young person wants a knife, they can get one from the kitchen drawer. A machete is possibly the least practical edged weapon that anyone could ever choose to carry around with them.

*** to see how this happens, watch the brilliant "Absolute Power" episode on "Identity Crisis"

Apologies for the lack of blogging over the past few weeks, I've been taking a break that included cycling to Paris and living in the woods for 10 days. In reviewing the mountain of news items that were waiting in my inbox when I returned, I noticed four examples of incidents that blow away the old lie "if you have nothing to hide, you have nothing to fear".

I was very disturbed to read the Guardian's claim that the police have been instructed by the Home Office to ignore the European Court's ruling that the UK DNA Database breaches human rights law, and instead continue to add information on arrestees to the database:

Senior police officers have also been "strongly advised" that it is "vitally important" that they resist individual requests based on the Strasbourg ruling to remove DNA profiles from the national database in cases such as wrongful arrest, mistaken identity, or where no crime has been committed.

Approximately 10% of the UK population is already recorded in the DNA Database, and that number continues to rise rapidly. I've talked in the past about why this disturbs me - it's not the DNA data itself, but the ability to track familial links, coupled with the inevitable failure of the forensic process for using that data, that will lead to injustice. This latest development is even more worrying, since allegedly senior police officers are obeying Home Office officials rather than the rule of law. If a member of the armed forces is issued an order which they believe to be unlawful, it is their duty to disregard the order and escalate their grievance up the chain of command. Does that not apply to the police in the UK? Or are they now above the law?

[Apologies for going all Daily Express letters page on you all, it's one of those weeks...]

Last week the Daily Mail published a feature piece in which it claimed that security expert Adam Laurie had managed to hack an ID Card in 12 minutes. The Home Office rubbished the article and claims that no hack has taken place. Which version of events should we believe?

In the excellent Datonomy blog, Roger provides an interesting overview of the definition of 'Identity'. Arguing that it is about the autonomy of the data subject to control their personal data, he points out that inadequacies in the EU Directive and its local implementation allow many data controllers to ride roughshod over subjects' wishes when it comes to the handling of sensitive personal data.

'Identity' has become one of the most misused and misunderstood concepts in modern government and modern technology. Several years ago we seemed to collectively forget the word's connections with totalitarian regimes throughout history, and the use of identity systems to police the population in times of crisis - or maybe we felt that we had a new and enduring crisis on our hands - and instead decided that 'identity' is aspirational, desirable and achievable. The word has entered common parlance in Whitehall and Westminster, forms part of the functional specification for who-knows-how-many systems, processes and initiatives, has spawned a new marketing approach for companies selling access control systems, and is fast becoming 'part of the way we do things round here'.

This has to stop. We're sleepwalking towards the precipice (insert scary metaphor of your choice here) simply because we've decided that the 'I' word - Identity - is what we aspire to. I don't object to proving my identity, or owning identification credentials, it's just that we so rarely ever need to identify ourselves. When does identity become an issue? Solely in establishing a trust relationship between two parties where there is a claim to entitlement and an imbalance of risk: for example, when claiming entitlement to enter the country, and there is so much for the individual to gain that they may make false claims about their identity or submit false credentials; or when opening a bank account or credit card that will allow them to borrow money. In such circumstances where the individual's assertions about their identity might reasonably be expected to be fraudulent, it is proportionate to use other means to prove who they are - to identify them.

Once that initial identification has taken place, there is no further need for identity. Credentials are issued - a credit card, a digital certificate, a library card etc. - and thereafter the individual simply has to authenticate themselves as the legitimate bearer of the credential in order to obtain their entitlement. Identity processes only kick in again where there are grounds to doubt the legitimacy of the credential or the bearer. Of course there are other circumstances where the need to identify an individual is justifiable, normally in law enforcement and border control if a person can provide no credentials or refuses to disclose any details about themselves. I'm assuming that situation doesn't arise for most of us on a day-to-day basis.

So why does the word identity get me so riled? Our problem is that policymakers lack the technological vocabulary to accurately describe what is required of a system or process. Under pressure to deliver, they demand a new system or process to identify benefits claimants, to identify underage drinkers, to identify passing cars, when in fact what they want is to check an existing credential, to confirm an attribute, or to bill an individual. Through these poor specifications we are unwittingly building a disproportionate and dystopian database state that in the short term strips autonomy from data subjects, but in the longer term will undermine the state itself: when the identity infrastructure becomes pervasive, errors and failures will become so punitive on the data subjects concerned that life will be unbearable for them.

Take the tragic example of Skhumbuzo Mhlongo, a 22-year old South African who was refused an ID Card because of a bureaucratic error that resulted in officials believing he was not a South African national. Unable to work or claim any form of entitlement, and effectively denied any sort of 'official' existence, he ultimately took his life. It would take very few such tragedies to collapse confidence in an identity infrastructure and turn individuals against the State.

My proposal is that we ban the use of the 'I' word in any situation where 'authentication,' 'verification,' 'binding,' or similar terms would more accurately describe what needs to be achieved without creating a panopticon to achieve the outcome. In fact, if anyone feels like setting up a website to monitor inappropriate uses of the 'I' word by government ministers, that might help to raise awareness - much in the same vein as Private Eye's monitoring of the word 'solutions' (perhaps we could name it after their Colemanballs column - 'Blunkettballs?'). It is our duty to stamp out inappropriate use of the 'I' word, to educate policymakers in a more balanced and descriptive language, and to 'I' and publicly ridicule those who believe that 'I' is a proportionate and necessary goal for the greater public good.

(Here ends a somewhat grumpy 'back to school' rant. Normal slightly irritable service will be resumed tomorrow)

Once in a while, a spam hits your inbox that raises a smile - which this one did. I've always rather liked Radisson hotels, but was particularly impressed with the list of jobs available in this one. I'm considering a job as a busier, yoga doctor, soup chef (that's wonderful), but might miss out the one listed between Security Officers and Concierge...

Enjoy.

RADISSON HOTEL

   22 POTMAN SQUARE,UB3 5AN United Kingdom

  

HELLO DEAR

THE MANAGEMENT AND STAFF OF RADISSON HOTEL LONDON WISHES TO INFORM YOU ON JOB VACANCIES AT THE HOTEL FROM 15-08-2009 READ CAREFULLY FOR BETTER UNDERSTANDING. THE HOTELS NEED MEN AND WOMEN WHO CAN WORK AND LIVE IN OUR HOTEL HERE IN UK.

Employment decisions are made solely on the basis of qualifications to perform the work for which you are applying. Qualifications include education, training, work experience and other factors which are relevant in determining job performance. Credentials and experience will be verified through schools, former associates and licensing/certification agencies, if applicable. Heathrow hotel decision to hire and promote are made without regard to race, religion, colour sex, nationality, origin, age, disability, or any other classification as proscribed by federal, state or local law.

Would you like to be a part of the Radisson Hotels team? Experienced managerial candidates, as well as entry-level applicants, are invited to apply for positions in rooms operations, food and beverage, sales and marketing, finance, human resources, culinary arts, Director Of Catering and Conference Services, Guest Services Manager, Restaurant Manager, Engineers, Guest Ambassador, Guest Services Driver, Operator, Room Service Server, Director of Food & Beverages, Doormen, Housekeepers, Security Officers, Real sex workers, Concierge, Assistant Controller, Restaurant Manager, Banquet Cook, Banquet Steward, Cold Station Attendant, Convention Service Floor Supervisor, Bell Person, Clerk Attendant, Loss Prevention, Storeroom Manager, Various Restaurant Positions, Various Spa Positions, Potman Express Meeting Sales Manager, Director of Rooms, Bartender/Pool Attendant, Assistant Executive Steward, Yoga doctors ,Director of Purchasing, Soup Chef, Director Of Banquets, , Group reservation Coordinator, Leader in Development in F&B, Utility Steward, Front Desk Agent, Night Manager, Night Auditor, Leader In Development Rooms Division, Housekeeping Supervisor/Dispatcher, Busier, Valet - Parking Attendant, Steward Supervisor

Salary very attractive, excluding family allowance, road allowance,medical allowance, housing allowance transport allowance,miscellaneous allowance etc

Section B Professionals Medical/engineering fields. We implore the services of Doctors/Nurses in Fair Mont outfits also the services of engineers in our engineering department, electrical,mechanical, xerographic technicians, and computer. If you interested, send your CV/Resume Via this mail:radissonhotel_joboffer@hotmail.com Hotel Management offer every selected candidate free Air Ticket, free accommodation, and feeding. Candidates will only responsible for his/her Visa charges in his/her respective Country.

Thanks.

MANAGEMENT

The Conservatives have unveiled their plans for reversing the rise of the surveillance state. Seeking to pull the surveillance infrastructure out of government, their views are commendable, but it will be difficult to pick out the undesirable straws from the necessary ones - in the manner of Kerplunk - without bringing the infrastructure down around us. What are they calling for, and what are the consequences?

Returning from Spain yesterday, I thought I'd jump the queue by using the IRIS biometric entry system. It's been a while since I've used it, since on recent returns to the UK, the gateway has been:

1. broken;
2. occupied by an American shouting at the screen wondering why she can't get through the gate;
3. broken;
4. backed up with a longer queue than the regular immigration channel, or;
5. broken.

However, yesterday IRIS seemed to be the preferred route, so in I stepped, gazed confidently into the robot, which in turn buzzed, spewed out a slip of paper and refused to let me in.

The slip explained that whilst it had recognised my iris pattern, my permission to use the system has expired. Why? My passport's good for several years yet. It knows who I am. It must be confident I can't be an imposter. It hasn't deleted my personal information. So why can't I get through? And what am I supposed to do about it - do I have to re-enrol? This isn't exactly a shining example of joined-up systems design...