Rationalising the slew of semi-incompatible Information and Identity Governance proposals

Tomorrow I am due to help open the first discussion at the ETICA conference in Brussels on bringing together Ethics, Innovation and Politics. I have been piggy-in-the-middle between politicians and techies for over thirty years and believe Ethics entails accepting responsibility for the consequences of our past actions – not evading responsibility because the unexpected has happened or technology has changed.  My first point will therefore be that not only is technology  neutral but that the implications of most of the supposedly emerging technologies were being discussed over twenty years ago, albeit some of the terminology was different.

I was on the IFIP “societal impact” working party in the early 1980s when the late Donald Michie organised a conference on the impact of artificial intelligence and robotics. In the early 1990s I attended a similar event on the impacts of visual processing and convergence. I have been on the disciplinary committee of the British Computer Society for nearly 30 years and used to lecture on what the code of conduct meant in practice: including how to blow the whistle is such a way that it was not rammed down your throat during the cover-up. I do not believe the ethical issues posed by new technologies have changed significantly over the past thirty years.


What has changed is the scale and nature of the damage that irresponsible behaviour can cause.


On-line communications are now mass market, global, multi-lingual and multi-cultural and most advanced societies have become critically dependent on them. Take-out the supply chains of the supermarkets and many western nations would face food riots within days and the threat of regime change within weeks.


The Internet is no longer run by Californian Liberals. The majority of users do not speak English or accept the mindset and values of the crew of the Star Ship Enterprise. They neither know nor care what Europeans think. Their on-line business, like their off-line business, is as likely to be conducted under Chinese, Indian or Islamic law as under Roman or Common law.


We have to recognise and build on their ethical values, as well as ours, if Europe is to be a hub of global business rather than a fragmented, sleepy and decaying backwater, a latter day Cannery Row, trying to protect itself from being swamped by tsunamis of cultural cybercrud that originate elsewhere.


I remember reading the proceedings of a conference on co-operation between China, Malaysia, Indonesia, Vietnam and Singapore on the future of mobile communications. It was conducted in English but the only Europeans present were Finnish – Nokia was one of the sponsors. I was particularly struck by the comment that Westerners, with their shallow barbaric value sets, did not understood co-operation, consensus and respect for the views of others. We were said to confuse rituals for demonstrating cleverness with constructive debate and routines for electing noisy debaters to public office with democracy.


I will argue that ethical political policies need to address the “real” risks


·         Off-shoring to avoid regulatory overheads

·         Over-ambitious/Rogue CEO (RBS/Enron)

·         Mother Nature (Storm/Fire/Flood/Quake)

·         Insiders (Finance/ICT/Marketing/Cleaners) 

·         Digititis (usually during “routine maintenance”)

·         Death by Data Protection


The most important is that of driving industry offshore to avoid spend time and money on complying with tick box regulatory regimes, which get in the way of good customer service. We need to allow and encourage business to transfer effort to addressing people risks and reducing reliance on systems that are liable to catastrophic failure. “Computer says no” is now one of the most common excuses for poor service. Tens of thousands die or suffer from failure to follow adequate practice in the secure and timely sharing of reliable information between agencies responsible for health and welfare because of “data protection”.


The briefing note for the ETICA conference thinks in terms of technology innovation (e.g. the risks posed by mobile, ambient and ubiquitous technology) . I’d prefer to think of the way that ubiquitous technology enables us to reconcile the triangular conflict between customers, merchants and governments as to who owns our personal data and the duties owed to us by those who collect and hold data about us.


Do we have copyright in our identities, including our DNA and other biometrics?


If so, we should be due royalties when it is used?


Most current regulatory regimes serve to protect those handling our data from the consequences of their abuse or failure. They do not add to our protection. They merely take away our rights of legal redress.


Business has to put the conflicting demands of government and regulators into context. Ignoring them runs the risk of being shut down for non-compliance. Taking everything at face leads to becoming uncompetitive and being shut down anyway. We have to distinguish between the demands for information from government, regulators and law enforcement and what they actually need to do their jobs.


Debate over the retention of communications data (phone calls, text messages and e-mails) and content has a surreal quality. Most of it is demanded by agencies who do not know what they may need and could not handle it if they did. The result diverts attention away from that which would actually address malpractice and help identify and remove on-line predators.


Hence the objectives of the EURIM programmes to take a holistic look at Information and Identity Governance so that:

·         our growing reliance on the online world is not inhibited by fear of ecrime and the consequences of failure to ensure adequate cybersecurity:

·         we can preserve and enhance UK/EU competitiveness by making it a natural hub for global law enforcement: civil (including contracts and disputes) as well as criminal

·         we have democratically accountable regimes for partnership (law enforcement and industry) policing and cybsersecurity both nationally and internationally.

·         we have compatible identity, data protection, sharing and surveillance regimes that attract rather than repel globally trusted information operations.


These entail putting ethics into practical context, at the heart of thinking about how to better, and more profitably, serve customers – including helping governments to meet the needs of their taxpayers at a price they are willing to pay.


In that context ethical behaviour should be seen as an integral part of customer service – not an add-on. In that context one might well argue that most of the supposedly new technologies do not require new ethical thinking but a return to old disciplines of security by design, avoiding unnecessary vulnerabilities, in order to prevent the risks of unpredictable and uncontrollable behaviour.


That may well require looking through the other end of the telescope and I will end with the example of Data Protection as a Customer Service:


·         A consent driven cycle of trust and validation (akin to financial services)

·         Publicly accountable 3rd party governance for statutory powers

·         Cost, risk and liability assessment for trust and governance models

·         Clear (and published) rules, responsibilities and liabilities for operational staff

·         Rolling data validation programmes

·         Inter-operability of personal/legal identities 


The core of my argument will be that we need to focus a lot more on the rights and responsibilities of the people, including those who design and operate the systems, and rather less on the technologies. I’d also like to see rather more serious thinking on routines for informed consent, including whether the consent  was indeed freely given or under duress.   


I will end on a political note. Governments are complex machines and do not do what is rational or sensible unless manoeuvred into it by well engineered political campaigning. The European Union is a government of governments. Do we really want to make things happen or preserve problems for future study.


It is not an occasion for a sales and recruitment pitch so I will stop there – but you will recognise my theme – “The silent majority gets what it deserves – ignored.” And the consequences of leaving policy in this area to the usual suspects, a mix of the paranoid and the snake-oil salesmen, could be very expensive in jobs and in customer service