What is the difference between South Tyneside Council and the Iranian Secret Police? South Tyneside uses californian lawyers instead of deep packet inspection to identify their on-line enemies.
It is five years since Goldsmith and Wu wrote “Who Controls the Internet: illusions of a borderless world” and readers will know that I blog regularly on the nature of the Internet as a “Cartel masquerading as Anarchy” and the question of whether we can and should trust industry (“merchants”) more than governments (“warlords”) to handle on-line malpractice. They will also note that my views on some of the key questions are little more consistent than my punctuation and spelling. It believe it more important that you understand the fundamental importance of the questions than listen to my attempts at answers.
Next week the Information Society Alliance (EURIM) is due to announce a major exercise on information and identity governance. This will combine top down studies of the conflicting agendas that need to be discussed “in the same room at the same time” with bottom up exercises to distil practical solutions. Later in the June I am due to introduce a high level workshop (of Whitehall Mandarins and Heads of Industry and Finance) on the differences between government and industry in their approaches to information assurance and security. I expect to get more from them than they do from me – but was honoured to be asked – especially when I heard who had recommended me.
I had not, however, expected the EURIM exercise and the high level workshop to be quite so topical, although I knew they were timely.
The draft prospectus for the EURIM study (see below) does not explicitly address the use of social networking for management and consultation – or its “monitoring” to “remove” dissenters” but one of the prospective members of the leadership team has already asked whether this will be included.
I do not know.
The plan is to leave it to the leadership tem to decide their terms of reference. Those expected to participate need to find solutions that will work globally, not just “domestically”, if their business models are not to be crippled by legislative and regulatory confusion. I would therefore be surprised if that organisation, and its peers, decided to leave the issues off-limits – but whether they can agree what to say and do is another matter. It will not be easy but the benefits are enormous from finding practical win-win solutions, with which all can live, particularly citizens, consumers and customers and not just merchants, warlords, politicians and the chattering classes.
The draft prospectus on which I have been collecting comments is shown below:
Draft for Discussion Only – comments to [email protected] by 9/5/2011
Towards Information and Identity Governance Regimes that are fit for purpose
and attract globally trusted business and transaction hubs to the UK/EU
Why action is needed
Good practice in electronic information assurance is central to a society that is critically dependent on the reliability of on-line systems. We face growing problems from the lack of inherent security in the processes, technologies and infrastructures on which we have come to rely. The costs to legitimate business and defrauded taxpayers mount when information is leaked and abused. Meanwhile customers complain of poor service and those in need of welfare or health care suffer when information is not shared and used in their interests. Problems are compounded when governments and regulators attempt to address symptoms without recognising the increasing needs for business to operate across jurisdictional boundaries.
EURIM recently flagged the political importance of identity assurance . But debate as to what is, or is not essential, desirable or even practical is similarly confused – with proposals that are tangential to the problems they are said to address.
The scale and nature of current leaks of information (including the structure and content of data supporting commonly used identity credentials) from governments, on-line retailers and communications and security service suppliers calls into question many of the assumptions behind current policy proposals across the US, EU and UK. Linking “ID theft” to the incidence of fraud is often used to justify investment in new “joined-up” identity systems without demonstrating that this would be more a cost-effective use of available funds than re-using existing processes or alternative approaches, such as action on the domain name and Internet addressing routines that are used to facilitate most electronic impersonation.
Governments around the world require organisations to comply with their local routines for identifying citizens, residents, customers and/or visitors (whether individuals or businesses). There are a growing number of proposals for identifying those who may work, trade, fight (including provision of security and emergency services), study (including participation in research and academic programmes) or otherwise travel across multiple jurisdictions in the course of the year, month, week or (in the on-line world) day.
We have conflicting requirements on organisations (public as well private sector) to keep information confidential, delete it when no longer required for the original purpose and to retain it, in case a regulatory or law enforcement agency might want it. We also have routines that forbid or mandate the sharing of information according to circumstances that require judgements on which few can agree until after the event, when the consequences of a wrong decision have led to a public enquiry or court case.
Why proposals for action need to be subject to “joined up scrutiny”
The issues are perceived to be important and every government organisation believes it is unique. In consequence they “cannot” re-use solutions found by others and we have multiple fragmented consultations for law enforcement, health, welfare and other applications at both national and EU level. For the same reasons we have multiple and fragmented research proposals, commonly without reference to what is already happening in market places, let alone commercial development centres, around the world.
Business has to manage the conflicting demands of governments and regulators. Ignoring them runs the risk of being fined or shut down for non-compliance, while strict adherence risks failure to compete and going out of business anyway. Meanwhile predators are assisted by failure to distinguish between demands from government, regulators and law enforcement for information that they might need (but commonly lack the resources to process) and requests for targetted assistance in tracking and tracing criminal activities. The reasons are understandable but the consequent overload diverts attention from practical co-operation to deter malpractice or identify those responsible. The EURIM-ippr study “Partnership Policing in the Information Society” covered what was needed and the EURIM Cybersecurity and e-Crime group is now working on pilot projects to demonstrate that even modest co-operation produces rapid payback..
We need action to
· attract and foster reputable, wealth-creating businesses with regulatory regimes that are fit for purpose, i.e. they support and encourage good practice, including with regard to secure inter-operability with trusted partners in other part of the world under different legislative and regulatory regimes
· reduce the risk of driving reputable businesses offshore to avoid spending time and money on tick box regulatory regimes which get in the way of good customer service, without addressing the real risks.
· reduce reliance on systems that are liable to catastrophic failure with all that means for trust and reputational loss
· remember how many die or suffer needlessly because of failure to follow adequate practice in the secure and timely sharing of reliable information between agencies responsible for health and welfare.
· look at how technology can be used to facilitate new approaches to old problems:
- does ubiquitous technology enable us to reconcile the triangular conflict between customers, merchants and governments as to who owns our personal data and the duties owed to us by those who collect and hold data about us?
- current regulatory regimes often take away our rights under the law of tort for those who cause us loss. Might low cost, semi-automated, cross-border disputes resolution processes under civil law provide better “protection”?
- do we have copyright in our identities, including our DNA and other biometrics? If so, we now have the technologies available for the equivalent of the performing rights organisations, collecting royalties on our behalf whenever they are used?
What do we propose?
The EURIM Information and Identity Governance group therefore proposes a major policy study into how to join up relevant UK/EU regulatory structures and government initiatives so as to:
· ensure that our growing reliance on the online world is not inhibited by fear of e-crime and the consequences of failure to ensure adequate cybersecurity;
· preserve and enhance UK/EU competitiveness by making it a natural hub for global law enforcement: civil (including contracts and disputes) as well as criminal;
· ensure democratically accountable regimes for partnership policing (law enforcement and industry) and cybsersecurity, both nationally and internationally;
· ensure compatible identity, data protection, sharing and surveillance regimes that attract rather than repel globally trusted information operations.
The short-term objectives, to give direct benefits to participants and build confidence that the long term objectives are achievable, are to:
· help ensure UK/EU proposals for new regulatory and legislative initiatives, including requirements that government departments might mandate on those outside their silos, are subjected to joined up scrutiny;
· identify case studies of success (including innovative use of processes and technologies across boundaries to cut costs/losses) that make it easier to build on and join up what already works;
· build on the work of the Security by Design Group and ensure security/privacy by design/default is embedded in new public sector systems and procurements;
· drive a pan-industry and interest group initiative to ensure political appreciation of the importance of the issues and the experience available from successful identity and information assurance schemes;
· look at the issues from the perspective of the victims of impersonation, corporate or individual, beginning with what can already be done to organise practical international co-operation to obtain redress within existing legal frameworks
The intention is to build the leadership team for the study around those looking for practical benefits to their own organisations and their customers, not just from reducing the cost of fraud, regulatory overheads and lost tax revenues (because businesses are migrating overseas) but increased profits as more of those with whom they transact are willing to do higher value business on-line.