Friday, 29 April 2011
(The following article by Toby Stevens was originally published by Big Brother Watch in the book "The state of civil liberties in Modern Britain".)

If the government is serious about its policy objectives of slashing administrative costs, bolstering the UK's cyber defences, moving away from proprietary software systems, putting data into the Cloud, and treating personal data with the respect it deserves, then it is time to reassess the role of information assurance and how it is delivered. There is a pressing need to reform the information assurance function so that we have proper security governance, and so that information assurance supports, not hinders, the government’s policy objectives.

Public Sector Data Leaks

With the announcement of a £650m budget for cybersecurity, coupled with the axing of defence infrastructure that until recently would have been considered critical to the protection of Britain's national interests, Prime Minister David Cameron has delivered the unequivocal message that cybersecurity is a cornerstone of the UK's broader defence interests. UK defence companies will be switching their research budgets away from military hardware and into homeland security products, and information security companies around the world will doubtless be examining the UK security market, keen to get their share of the new government spend. All this has to be a good thing for the central and local government authorities who have seen public confidence in their ability to protect information eroded by a seemingly endless string of high-profile data loss incidents.
Ever since Chancellor Alastair Darling informed Parliament that HM Revenue & Customs had misplaced the details of child tax credit claimants, we have been bombarded with reports of files left on trains, memory sticks dropped in the street, emails accidentally sent to the wrong mailing lists, hard disc units lost, laptops stolen from cars; and despite senior managers time and again promising the Information Commissioner that 'lessons have been learned' the incidents keep on happening. Public authorities appear to be incapable of protecting information. What can possibly have gone so badly wrong with information assurance that our authorities are apparently unable to keep anything secret, at a time when the Prime Minister tells us that our cyber security has never been more important to the nation?

The Department of ‘No’

The UK government’s information assurance function is distributed across government through a number of agencies. Perhaps the best known of these is CESG (formerly known as the ‘Communications Electronic Security Group’ of Government Communication Headquarters), the national technical authority for information assurance. Based in Cheltenham, and reporting to the Cabinet Office, CESG is tasked with delivering a range of products and services including threat monitoring, product assessment, advisor training and system testing.

The information assurance function is not exclusive to CESG. The Cabinet Office has a Security Policy Division (COSPD) which produces part of the Security Policy Framework (SPF) that replaced the Manual of Protective Security (the government’s primary standards document for information assurance), and CESG produces the rest of the SPF. The National Cybersecurity Strategy also sits within Cabinet Office, but focuses more on protecting the broader Critical National Infrastructure (CNI) from major disasters, terrorist threats, foreign intelligence services and serious/organised crime, than general systems security.
The MoD uses equivalent standards and administration internally, which refer back to the products and services provided by the government’s other security centres (all of which have a common root in standards that evolved into ISO/IEC27001:2005), but which operate completely separately. Other parts of the security governance function are fragmented across many committees and boards.

Significantly, this substantial infrastructure is focussed mainly upon advisory services rather than actually implementing and managing systems security: that burden falls upon the Senior Information Risk Owner (SIRO) in individual public authorities. This individual, who should ideally be from an information risk background, is the focus for information assurance delivery at a Board level within their authority. In smaller bodies, the role of SIRO is often shared with other duties such as Chief Information Officer. The Cabinet Office has recently established the Office of Cyber Security and Information Assurance (OCSIA), which has yet to have an opportunity to reform the information assurance function, but publicly appears to be more focussed upon the cyber defence agenda than the day-to-day mechanics of running information assurance.

With this advisory capability, one would imagine that the government’s information assurance function would be robust and strong, drawing upon a wealth of shared expertise that is delivered in such a way that security enables and supports service delivery. Unfortunately, all too often the opposite is true.

Cost-Effective Information Assurance? The Department Says ‘No’

Government lacks a focal point for information security: there is no ‘Government Chief Information Security Officer’ or ‘Office for Government Information Assurance’ - in other words, no one individual or organisation accepts accountability for the proper governance of data in the public sector.
The fragmented approach to information assurance has developed over many decades, and the cultural unwillingness for government bodies to accept responsibility for an issue as ‘toxic’ as information assurance has left the subject in the long grass as far as most CIOs are concerned. Even the proliferation of Quangos under the last Labour government did not lead to the creation of a body that might deal with these critical issues, despite some of the highest-profile data loss incidents ever to impact the public sector occurring during their term of office. Instead the various bodies tasked with information assurance focus upon their own jurisdictions and rarely cooperate successfully: the MoD does not discuss its security standards, although they are little different from those in use across the rest of government; CESG and COSPD will only release information to suitably cleared individuals, and rarely reference each other’s work. Each department and agency has to pay to support its own security infrastructure rather than drawing upon the economies of scale that might be achieved by a central security team working for the common good of government. The information assurance environment is far from cost-effective.

Information Risk Management? The Department Says ‘No’

This lack of cooperation doesn’t just mean that key activities are duplicated: it also means that without support from their managers, those tasked with protecting systems are afraid to take risks, for fear of being blamed if an incident occurs. The problem is that information assurance is not about absolute control, and any professional security manager will acknowledge that there is no such thing as 100% risk avoidance. Instead, it is about assessing the information risks faced by the organisation, developing mitigating controls and actions, and ensuring that they are managed properly so that the risk levels are reduced to a point where they are proportionate and acceptable.
This means that incidents will always happen. This may be because security controls are judged to be disproportionately expensive (for example, spending many millions of pounds on security to protect assets worth only some thousands of pounds); because individuals failed to comply with the instructions given to them (for example, downloading unprotected files on to a memory stick to take home, then losing that memory stick); because the system is attacked by a capable and dedicated enemy (for example, an authorised user taking copies of MPs’ expense claims); or because of a ‘zero day’ exploit (for example, a hacker breaking into a system using a weakness that was previously unknown to the security officer). Whatever the cause, security incidents will always occur, and the public sector culture is to look for someone to blame - remember how the HMRC incident was almost immediately blamed upon a ‘junior clerical officer’ before it was revealed that systemic failures were at the root of the problem?

Security officers are rightly fearful of being blamed for incidents, and in the absence of someone who will act as an advocate for them when things go wrong, they are forced to fall back on the only safe path available to them, which is to say ‘no’ when the business wants to do anything which might carry an associated security risk. The likelihood of the current information assurance community being willing to support the government’s cloud computing ambitions seems slim indeed. As a result, most public servants view information assurance as an obstacle, not an asset. Because of poor leadership, excessive bureaucracy, and a culture of unnecessary secrecy, public authorities are unable to obtain cost-effective information security controls. The current infrastructure will neither permit nor support the new commitment to respecting personal data, making government data available, or protecting data that needs to be kept secret.

Secure Systems? The Department Says ‘No’

Ironically, the culture of ‘No’ has not resulted in better security within the public sector. Project managers, afraid of having their plans thrown into disarray by uncooperative security professionals, simply avoid seeking security advice. Enterprising users who need to get their jobs done seek out risky ways to bypass security controls because the security departments won’t allow them to get on with what they have to do. For example, it is common to find use of unauthorised online file sharing services to exchange information because the security department has shut down USB memory sticks and CD drives without providing an alternative. That’s how accidents happen.

The problem has even deeper consequences outside of Westminster and Whitehall. Most important standards, guidelines and publications are protectively marked such that they are only available to individuals with appropriate levels of security clearance working on appropriately secured PCs. But local government bodies, for example, rarely conduct background checks on their staff beyond a basic criminal records check, so individuals tasked with securing local authority systems don’t know how to secure them in line with government requirements because they are not cleared to see those requirements - and aren’t allowed to hold copies because their PCs aren’t sufficiently secure. Without the intervention of costly consultants who have the correct clearances and computers, this paradox can’t be broken.

Those consultants are a very special breed indeed. Only the few hundred members of the CESG Listed Advisor Scheme (CLAS) are officially qualified to provide security advice across government. They hold the necessary clearances, and have access to CESG’s source materials.
What they do is not particularly ‘special’ compared with their private-sector colleagues, and because the pool of available talent is so small, and the barriers to entry are high (CESG only accepts a limited number of candidates once a year, and they need to pay a substantial fee for clearance, acceptance and training), public authorities have to draw from a relatively small - and therefore uncompetitive - pool of consultants for their information assurance advice. CESG has for some years been attempting to move parts of the CLAS environment into the private sector, but this has yet to deliver any significant change in the way that systems are secured.

The outcome of this ‘closed shop’ is that local authorities and arm’s length bodies very often fail to comply with government security standards simply because they don’t know that those standards even exist, and if they do, they can’t gain access to either the standards or cost-effective individuals who are able to assist them. We therefore have a public sector environment in which the prevailing culture and practices conspire against effective information assurance.

Privacy by Design? The Department Says ‘No’

Clearly a public sector that struggles with information assurance will also struggle to respect privacy: if personal data cannot be kept secret, then it cannot be kept private either. But public authorities’ inability to effectively manage personal data runs much deeper than that, since CESG’s formal policies until recently simply didn’t get the idea of privacy. Formal risk assessment processes tried to assign protective markings according to the volumes of personal records rather than the sensitivity of the data: so, 999 personal records might be considered Not Protectively Marked, whilst 1,000 would be marked at the higher level of Restricted. Authorities could circumvent the more onerous controls by simply breaking databases down into smaller files of less than 1,000 individual records.
What’s more, those risk assessment models are designed around an assumption that authorised users are always trustworthy - how else could designs such as the ill-fated Contactpoint, or the NHS Summary Care Record, be allowed to exist where hundreds of thousands of users can access millions of individuals’ sensitive private records? The risk assessment processes treat individuals as low-value assets whose privacy is significantly less valuable than, say, a Minister’s public reputation.

Private companies, and in particular those in the financial sector where the FSA has demonstrated an appetite to impose punitive fines for misuse of personal data, woke up long ago to the need to show greater respect for personal data. The public sector, where senior public servants are rarely held accountable, and the sternest sanction generally applied is a letter from the Information Commissioner’s Office, has not kept up with the change. In their defence, CESG have made some positive revisions to their personal data handling rules in recent years, but much more needs to be done if the government is ever to meet individuals’ expectations of privacy.

Open Source Software? The Department Says ‘No’

The new government’s commitment to open source systems represents perhaps the greatest challenge that the information assurance community has faced in many years. The use of software that has been collectively developed, with publicly available source code, flies in the face of long-established security policies and practices, which have traditionally demanded that source code comes from an approved developer, is scrutinised for vulnerabilities, and is kept out of the public domain. In general, software and hardware vendors are expected to have their products pre-tested for use in government systems (something which is not required in the private sector), and to pay up front for that testing.
CESG has a number of services such as the CESG Claims Tested Mark (CCTM) and CESG Assisted Products Service (CAPS), that are used to test the security of products that are being sold to public sector organisations. When private companies sell to government, they can justify the expense of the testing process, since that will grant them access to a lucrative new market. But the same does not hold true for open source software: in the same way that drugs companies won’t pay for clinical trials on products that they can’t patent, vendors won’t pay for the testing of public domain software when they cannot expect to charge for it at the end of the process. Furthermore, the test processes are notoriously long-winded and complicated, so even vendors of proprietary systems are reluctant to invest in them. Whilst not all products have to be subject to this test approach, failure to demonstrate test approval can count against them during procurement, and as a result public authorities are driven towards a small number of approved, tested, and often outdated technologies.

Once products have been selected, and designs are in place, the complicated process of accreditation begins. Security Officers - or more commonly CLAS consultants - conduct a tightly prescribed risk assessment that is used to determine whether the system requires formal accreditation (a certificate to prove that a system is fit to handle a given level of data, and to interconnect with similarly secure systems), and potentially to prepare a Risk Management Accreditation Document Set (RMADS) that is used to define security controls. Accreditation of open source systems, where there are no vendors to make assertions about security levels, is very difficult indeed using current processes. But accreditation isn’t the end of the problem: like all software, open source software requires patching and upgrading to keep up with technology developments and newly-discovered security vulnerabilities.
Without a vendor to pay for security testing the patches and updates under the current regime, open source software will remain largely inaccessible for government. In the private sector, where there is no obligation to verify the security claims of systems vendors, and organisations can select their own risk assessment approaches, these problems simply don’t exist. Independent testing schemes can be used to provide customers with greater assurance of security capabilities, but in general market forces drive vendors towards delivering secure systems, since a major failure will count against them in procurement processes. Government’s open source goals will remain hampered by information assurance until a new way of dealing with the security of open source software can be developed.

The Department of ‘Yes’: Treating Information Assurance as a Business Enabler

The relative success of private-sector security practices, and the fact that large corporations do not struggle to manage information security in the way that government does, shows that it should be perfectly possible to move to an environment in which information assurance helps, rather than hinders, delivery of public services. In particular, we need to ensure that:
- information is available to all that legitimately require it, is appropriately protected, delivered, and of assured integrity and accuracy, so that information can support the needs of government, industry and individuals;
- public confidence in the ability of public authorities to handle personal information is restored;
- public authorities can adopt open source systems and cloud technologies without security being a disproportionate burden;
- public authorities break away from the negative mentality of information assurance that blocks innovation, and instead move towards a new culture that is able to support, rather than hinder, the delivery of new technology policies.
The significant changes in government IT policy, the shake-up of its delivery driven by the spending review, the government’s commitment to cybersecurity as a cornerstone of the UK’s defence strategy, and the establishment of the Office of Cybersecurity and Information Assurance (OCSIA) within the Cabinet Office collectively drive the need for reform. OCSIA may be the best hope for achieving reform, but will only succeed if there is a collective will in that office to do things differently. Ministers and senior civil servants are too quick to defer to Cheltenham on the assumption they are ‘the experts,’ when evidence suggests they are behind the times and operating in a mainframe mindset in an Internet age. They have become unaccountable arbiters of what does and does not happen, and what can and cannot be used.

There is a clear need for leadership, to remove duplication of responsibilities, to improve availability of security standards and technologies, and to change the way that security is perceived across government. There is also a need for greater participation by local government and the private sector, whilst recognising that some aspects are better suited to remaining under government control. A few simple actions would suffice to create the ‘Department of Yes.’

1. Appoint a pan-government Chief Information Security Officer as a new focal point for information assurance

Just as a large company would be expected to have a Chief Information Security Officer (CISO), the OCSIA should appoint a Government CISO responsible for the proper implementation of information assurance across government. This role must not be one that is in any way combined with the cyber defence agenda (which invariably becomes politicised and distracted from the day to day running of information assurance), but rather a ‘hands on’ leadership position that provides a figurehead for information assurance issues.
Bringing in a CISO from industry, rather than public service, would ensure a break with past practices and a fresh approach to the task in hand.

2. Create a government CISO Council

The Government CISO should chair a new Government CISO Council within the OCSIA. This group, comprising CISOs and/or SIROs from all major parts of government, should act as the focal point for all information assurance issues, and hold responsibility for development and maintenance of security standards, accreditation, product certification and professional development across government. The CISO Council should be engaged in policy development across central and local government to ensure compliance with national and international legal obligations. Where public sector security incidents occur, the CISO Council should be involved in independent investigation and reporting.

3. Consolidate existing duplicate information assurance services

The Government CISO should work with OCSIA across government to amalgamate existing policy and solutions branches, including CESG, COSPD and the relevant parts of MoD, into OCSIA. This by implication will require consolidation of duplicated services and roles. The newly-amalgamated security body should take responsibility for all aspects of establishing standards and procedures for the defence of public sector ICT infrastructure, and should develop and publish security standards for use in government and the private sector. The body should also operate ‘How To’ teams of experts who look for cost-effective solutions to security problems, and constantly improve the advice and controls available to government, drawing upon the best the private sector has to offer.

4. Ease the administrative security regime for lower-value data

The UK government operates a protective marking policy for its data assets to ensure that they are used and secured in accordance with the value of those assets.
Clearly some of that information - particularly when assigned a Top Secret or Secret marking - requires very robust security controls. But the vast majority of data, particularly outside of Whitehall, sits at Restricted or even lower, and the nature of the data is not dissimilar to that which might be held by a private company such as a bank. Yet that information is subject to ‘special’ information assurance controls that are often significantly more onerous and administratively complicated than might be found in the private sector, despite those controls having their roots in the same standards.

If OCSIA were to relax the administrative processes for securing Restricted data, such that authorities may use any commercial services or products so long as they comply with the basic security policy requirements defined in the Security Policy Framework and supporting materials, then the market would be opened up for any commercial product or service vendor to compete in the public sector. Rules will need to remain in place to ensure that data is correctly marked, and not ‘upgraded’ to higher protective marking levels than appropriate. Implemented correctly, this change would not result in chaos or insecurity, but instead allow greater competition to bring down the cost of delivery, and free up local authorities to get on with securing their information without the burden of complying with security frameworks that are intended to deal with data at much higher levels of security. CLAS consultants could shift their focus to systems operating at the higher protective marking levels.

5. Sort out the existing mess of unaccredited Whitehall systems

The imperative for information assurance reform does not apply solely to new systems: there is little value in securing new ICT infrastructure if it has to interface with older systems with unproven levels of security.
The government’s own report into data losses (the Hannigan report) identified approximately 2,300 government systems that have not been subject to any form of assurance certification (known as accreditation) but made no demands that those legacy systems should be secured. Significantly, recent changes to the Security Policy Framework introduced a new marking level of Protect which was, in part, intended to ease the burden of accreditation, but anecdotal evidence suggests that it has the opposite effect, and is instead seen as a new, unfunded administrative burden. This needs to be addressed as a matter of urgency: those systems must either be secured or scrapped.

Equally importantly, senior civil servants still have the power to override the need for accreditation if they so choose: in other words, to disregard security requirements if these are too expensive or likely to take too long. This exemption must also be dropped: if system security is too expensive, then the system itself is too expensive, and other more affordable ways must be found to deliver the same outcomes.

6. Voluntarily accredit open source software where appropriate

If the current approach to accreditation remains in place, then government must take responsibility for accrediting, testing and maintaining the security of open source software. There is no reason why OCSIA, or even a private company, could not provide and maintain its own secure builds of the likes of Linux, OpenOffice or OpenSQL for use in government. Builds and patches would be checked and tested by a central team without the need for a vendor to sponsor the work, thus making the software available across government, and saving costs on software licensing and duplicated testing.

7. Develop the information assurance profession

If the government is to obtain access to the best possible security expertise, then the profession needs major reform.
OCSIA should take responsibility for development of the information assurance profession, working in close partnership with relevant information security professional bodies. This will include:
- defining a career structure for information assurance in the public sector;
- developing information assurance professional development and training syllabuses for delivery by commercial organisations;
- providing examination and certification of government security professionals, with an emphasis on facilitating simple and affordable cross-qualification from the private sector, so as to expand the pool of professionals available to government;
- governing the certification and management of inspectors and accreditors;
- maintaining a pool of expert instructors and project managers to coach and where necessary manage particularly large, innovative or sensitive public-sector projects.
CESG has already taken steps down this route by moving aspects of the professional qualifications across to the Institute of Information Security Professionals (IISP). If it were to go a little further and insist that all government information assurance professionals must become IISP members who maintain Continuing Professional Development (CPD) training, and could be struck off for malpractice, unprofessional conduct or incompetence, then there would be a case to argue for abandoning the overhead of CLAS altogether.

More for Less from the Department of ‘Yes’

In the world of the Department of ‘Yes,’ information assurance will be a service enabler. Public authorities will have the confidence to adopt innovative new technology schemes, knowing that they will be supported in doing so by their information assurance teams. They will look to their information assurance groups for support at the earliest stages in projects, rather than trying to hide from them. They will understand that on the rare occasions that their security advisers say ‘No,’ there is a good reason for them to do so.

If we want an information assurance function that really supports public authorities, and that can deliver more for less, then these changes are cheap and easily done. We simply have to ask OCSIA to reform the information assurance function, give that office the power to do so, and support it when it encounters inevitable resistance from within the security establishment. All it takes is the will to say ‘Yes.’
Wednesday, 26 January 2011
Quite a lot actually, particularly in the world of social media. The popularity of Facebook, Twitter etc is very much driven by their flexibility in extending our real-world lives into the virtual in whatever manner we wish, including allowing us to completely reinvent - or fabricate - ourselves online.

The BBC reports on the rather odd case of Facebook allegedly taking down a user's account because she was 'impersonating' Kate Middleton. She wasn't doing that, she just happens to be called Kate Middleton, and I'm sure there are plenty of other Kates out there who share that surname. It's unusual because in most cases, social media sites leave it to users to sort out name ownership amongst themselves, except where there is a clear criminal intent to defraud or mislead.

Our problem is that the glue that binds online personae to their friends/followers/acolytes is their name: it is the primary identifier for the account, and often the tool against which friends may search for each other. For example, I have three social networking accounts: a Facebook profile which I use mainly for social purposes, a Twitter account that is largely focussed on my professional network, and a second Twitter account in which I take on the persona of an entirely fictional character. Annoyingly, the fictional character has more followers than I do, but that's probably because he's much more interesting than I am, and has some very interesting fictional friends.

We have invented a social media world that reflects the simplest of our identifying conventions from the real world. Just like the real world, we can be pseudonymous. After all, a name is not a fixed attribute, and an individual can have multiple names and change those whenever they wish.
That may be fine for social media applications, but it's not good enough for a broader ID system, except possibly as a selector that allows an individual to point to the attributes that they wish to associate with a particular transaction or relationship. Whilst our chosen identifiers are not unique, and whilst we continue to use contextual, changing identifiers such as names as public identifiers, this problem will continue. Names also provide a simple way for third parties to track us across multiple accounts, or to incorrectly assume that individuals who share a name are one and the same, and that is a key privacy weakness. We need the option to use meaningless but unique identifiers that prevent that tracking but ensure that we can uniquely identify ourselves when we wish to do so. More on that in another article.

In the meantime, I'm pleased to see that the top handful of hits against my name in Google report on my many acting successes, my distillery and US real estate business. Maybe I am as interesting as my fictional persona after all?
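The post asks for identifiers that are meaningless but unique, stable enough for a service to recognise a returning user, yet useless for linking that user across services or for confusing two people who share a name. One common way to build such identifiers is per-service pairwise pseudonyms, derived from a per-user secret with an HMAC. The following is an added illustration, not code from the post or from any of the sites it mentions; the service names, user secrets and "two Kate Middletons" directory are all constructed for the example, and the identity-provider role that holds the secret is an assumption about where such a scheme would sit.

```python
import hashlib
import hmac
import secrets

# Added example (not from the post). Model: an identity provider (assumed) keeps one
# random secret per user and derives a separate, stable pseudonym for each service
# the user deals with. A service sees the same identifier on every visit, two services
# cannot match their identifiers to one another, and two users who share a display
# name still receive distinct identifiers because names play no part in derivation.


def new_user_secret() -> bytes:
    """A fresh 256-bit per-user secret; everything about the user's pseudonyms hinges on it."""
    return secrets.token_bytes(32)


def derive_pseudonym(user_secret: bytes, service_id: str) -> str:
    """Per-service identifier: HMAC-SHA256 over the service name, keyed by the user secret.

    The result carries no name or serial number (meaningless), is fixed for a given
    (user, service) pair (unique and stable), and cannot be recomputed or reversed by
    anyone without the secret, so two services cannot tell they share a user.
    """
    return hmac.new(user_secret, service_id.encode("utf-8"), hashlib.sha256).hexdigest()


def is_stable(user_secret: bytes, service_id: str) -> bool:
    """Same user, same service: the identifier must not change between visits."""
    return derive_pseudonym(user_secret, service_id) == derive_pseudonym(user_secret, service_id)


def is_unlinkable(user_secret: bytes, service_a: str, service_b: str) -> bool:
    """Same user, two services: the identifiers must differ, so they cannot be joined on."""
    return derive_pseudonym(user_secret, service_a) != derive_pseudonym(user_secret, service_b)


def same_name_distinct_ids(service_id: str) -> bool:
    """Two constructed users who both go by 'Kate Middleton' receive different identifiers."""
    directory = {  # display name -> secret; names are not unique, secrets are
        "Kate Middleton (user 1)": new_user_secret(),
        "Kate Middleton (user 2)": new_user_secret(),
    }
    ids = {derive_pseudonym(s, service_id) for s in directory.values()}
    return len(ids) == len(directory)


if __name__ == "__main__":
    alice = new_user_secret()  # constructed user
    for svc in ("social.example", "microblog.example"):  # constructed service names
        print(svc, derive_pseudonym(alice, svc))
```

The design choice worth noting is that the user (or their provider) can always regenerate the identifier for a service they choose to return to, which is the "identify ourselves when we wish to do so" half of the requirement, while a third party holding identifiers from two services has nothing to join on. Rotating the per-user secret would sever all existing relationships at once, so a real deployment would version secrets per service rather than share one across them.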
Private Lives in a Database World

Tuesday, 07 December 2010
(Toby Stevens was kindly invited to respond to a speech delivered by former Information Commissioner Richard Thomas CBE at a dinner at the ICAEW. The following is the text of that response)

In 1890, Samuel Warren and Louis Brandeis famously described privacy as “the right to be let alone.” For over a century since then, society has developed legal, technical and social frameworks that protected a concept of alone-ness, of isolation, of keeping others away from the individual and information about that individual. Our concept of privacy has become one of ‘urban anonymity:’ we believe we have some degree of anonymity when we are in public, since if nobody knows who we are, then our actions cannot have consequences since we can’t be identified. But Richard has described how the emergence of the Internet has stood that idea on its head in the past ten years. The explosion of data, of access to that data, of tools to search, filter, analyse, interrogate, present and disseminate that data, placed in the hands of government, companies and individuals, has stripped away that veneer of anonymity and created a dystopia in which our privacy is fading, not because of our failure to control privacy, but because privacy itself has changed, and the old controls are no longer able to contain or to manage the ways in which we share information with others. Nor has this erosion been gradual: great swathes of our privacy have been cut away by tragic catalyst events such as the killings of Jamie Bulger, Holly Wells and Jessica Chapman, Baby P; the attacks on the World Trade Centre and London’s transport system. Privacy is no longer about keeping our personal information secret, but is instead about controlling how it is used. And unless we can enforce that control, the only possible outcome for our society is total transparency: a world in which nobody has any secrets at all, and individuals have no meaningful control over how those secrets are used.
Nothing is ignored, nothing is forgotten, nothing is forgiven. That is the surveillance society which four years ago Richard warned the government we will sleepwalk into if we continue down this path. There is still hope: during his tenure as Information Commissioner, Richard recognised the critical need not to prevent access to information – something which is now impossible, as Wikileaks have shown the world’s governments – but to render individuals, organisations and governments accountable for how that information is used. This evening he has described how the legal approach to accountability can work. But I would argue that if we continue to rely solely upon regulation to enforce that accountability, then we will never win, since there will always be those corporations – and in particular global ones – who choose to operate above the law, and Richard’s successor has discovered just how difficult it can be to fight the corporate spin machine. True accountability must depend upon mathematics, not who has the best lawyers. As consumers, we must demand that privacy controls are coded into every aspect of our online world, so that we regain control of our information. It is consumers, not corporates and governments, who should dictate what is collected, processed, stored, disseminated, derived and deleted. And this can only happen when we have delivered the technical, as well as the regulatory, demands of Privacy by Design. And that accountability will, ironically, depend upon us delivering a truly effective population-scale identification and authentication system – not the control-freakery daydream that is thankfully now being struck from the statute books, but a proportionate, federated, privacy-enabling infrastructure that will provide the cryptographic roots of true information accountability. Individuals will be able to control how their information is used and by whom, and to easily identify and prove when misuse has occurred.
In fact in a utopia where the cryptographers rule, I’m sorry to say for Richard that there might even be no further need for lawyers, or even an information commissioner. But for now we have to live in reality, and that reality needs the rules and regulators that Richard has described. What I hope we can discuss now are the implications of his ideas for us as individuals, organisations and professionals, and how we can move forward from our imperfect present to a pretty good – if not actually perfect – future for privacy.

Talking balls on Facebook

Wednesday, 01 December 2010

The NHS Choices website is a cornerstone of the government's drive for health service efficiency and to move service delivery online. Users can log on to find out more about NHS services, and to use a symptoms checker to understand what might be wrong with them and (hopefully) seek medical attention where appropriate, or save a doctor's time if their condition turns out to be nothing more than a cold. The site has made an effort to engage with social networking sites, such as integrating the Facebook 'Like' button. And as Mischa Tuffield of Garlik has spotted, this is where we get a big privacy FAIL. Mischa points out that a visit to an NHS Choices conditions page calls on four external service providers:

Host: l.addthiscdn.com
Host: statse.webtrendslive.com
Host: www.facebook.com
Host: www.google-analytics.com

Two of these - Google Analytics and Webtrends - are used to monitor web traffic. In theory the privacy implications are relatively minor, although in certain scenarios it should be possible to identify an individual user subject to access to other information. It's odd that the NHS has chosen to use third-party analytic services rather than implementing their own. This problem has been explored in detail elsewhere, so I won't dwell on it here. However, the Facebook and Addthiscdn links are there to drive the Facebook 'like' service, and this is where our problems begin. If a user visits the page from a browser that they've used to access Facebook before, then Facebook automatically gets to know that they've been to that particular conditions page. That means that if someone is concerned about a particular condition - let's say testicular cancer - then if they've been to Facebook before, then Facebook gets to find out about that interest. Not good.
And it gets worse - let's say that the user feels they've received useful information, and clicks on the 'Like' button (or does so accidentally) - then it shows on their Facebook profile, and that's really not good at all. Imagine being worried you have a serious illness that you don't want to worry your spouse about, and accidentally clicking 'Like' - they get to find out. So does a potential or current employer if they're checking your profile. The consequences could be very significant indeed. I'm really quite shocked that NHS Choices has allowed this to happen, and more importantly that they have clearly failed to apply any form of effective Privacy Impact Assessment to how they deliver health information. If they do wish to connect to Facebook or analytics engines, then they should be making it an explicit 'opt-in' for the user before any information is shared at all. The NHS' privacy policy has completely outsourced the problem to Facebook, so that users are left in the dark about the consequences of this functionality. I'd like to hope that Mischa's research will force the NHS to modify the website, and that at the very least the functionality will be suspended until the privacy issues have been properly investigated.
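As an added example (not code from the original post, NHS Choices or Garlik), here is the check and the fix described above in JavaScript: the first function lists every third-party host a page hands its visitors to before any button is clicked, and the second rewrites third-party embeds into inert placeholders that only load after the visitor explicitly opts in. The page URL, the sample HTML and the placeholder markup are constructed for the example; the four hosts are the ones Mischa listed.

```javascript
// Added example, not code from the original post or from NHS Choices.
// Node 18+ (or any modern browser for activateDeferred); no dependencies.

// Opening tags that fetch a resource: <script>, <iframe>, <img>, <link>.
// Captures the tag name and the src/href value.
const RESOURCE_TAG_RE =
  /<(script|iframe|img|link)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Every distinct host the page references other than its own, sorted.
// This is the question a Privacy Impact Assessment should start from:
// who learns that a visitor opened this page, before anything is clicked?
function thirdPartyHosts(html, pageUrl) {
  const page = new URL(pageUrl);
  const hosts = new Set();
  for (const m of html.matchAll(RESOURCE_TAG_RE)) {
    let ref;
    try { ref = new URL(m[2], page); } catch { continue; } // skip malformed URLs
    if (ref.host !== page.host) hosts.add(ref.host);
  }
  return [...hosts].sort();
}

// Third-party <script src> and <iframe src> tags become inert <div>
// placeholders carrying the original URL in a data attribute, so the
// browser never contacts those hosts until activateDeferred() runs.
// First-party resources are left untouched.
function deferThirdParty(html, pageUrl) {
  const page = new URL(pageUrl);
  const EMBED_RE =
    /<(script|iframe)\b[^>]*?\ssrc\s*=\s*["']([^"']+)["'][^>]*>(?:[\s\S]*?<\/\1\s*>)?/gi;
  return html.replace(EMBED_RE, (tag, name, src) => {
    let ref;
    try { ref = new URL(src, page); } catch { return tag; }
    if (ref.host === page.host) return tag;
    const attrSafe = ref.href.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
    return `<div class="deferred-embed" data-deferred-tag="${name.toLowerCase()}"` +
      ` data-deferred-src="${attrSafe}">` +
      `Content from ${ref.host} loads only if you opt in.</div>`;
  });
}

// Browser side: call once, after the visitor has explicitly opted in.
// Replaces each placeholder with the real <script> or <iframe>.
function activateDeferred(root) {
  const doc = root.ownerDocument || root;
  for (const el of root.querySelectorAll('.deferred-embed')) {
    const node = doc.createElement(el.dataset.deferredTag);
    node.src = el.dataset.deferredSrc;
    el.replaceWith(node);
  }
}

// Constructed sample: a conditions page on a hypothetical first-party host,
// loading the four external hosts the post lists.
const PAGE_URL = 'https://conditions.example.invalid/conditions/testicular-cancer';
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="https://statse.webtrendslive.com/dcs.js"></script>
<script src="https://l.addthiscdn.com/live/t00/250lo.js"></script>
</head><body>
<h1>Testicular cancer</h1>
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fconditions.example.invalid%2Fconditions%2Ftesticular-cancer"></iframe>
<img src="/images/logo.png" alt="logo">
</body></html>`;

console.log('third-party hosts:', thirdPartyHosts(SAMPLE_HTML, PAGE_URL));
console.log('after deferring:',
  thirdPartyHosts(deferThirdParty(SAMPLE_HTML, PAGE_URL), PAGE_URL));
```

Running it against the sample reports the four external hosts, and none once the embeds have been deferred; the visitor's browser then only contacts Facebook after activateDeferred() is called from the opt-in control.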

The future of the Internet - a new dawn or a phantom menace?

Wednesday, 20 October 2010

So, to Lille today to attend IMRG's inaugural EbizEU conference. The theme is e-commerce strategy, with a number of speakers looking to the future of cross-border e-retail. The keynote pitch was delivered by Nils Muller of TrendONE, a 'futurologist' who distinguished himself from others who claim that title by delivering a fast-paced and technically demanding presentation about the future of the Internet, supported by a toy box of gizmos from various development labs to demonstrate the points he was making. Nils walked the audience through his view on the coming iterations of the Internet, including:

- Web 2.0: social media and user generated content
- Web 3.0: immersion and augmented reality
- Web 4.0: internet of things
- Web 5.0: web of thoughts

There were a number of apparent non-sequiturs in the pitch, where the speaker seemed to assume that a magic wand will change the way things are, but overall Nils painted a fascinating vision of the next 10 years. Setting aside the sci-fi vision of a neural lace to deliver Web 5.0, his predictions seemed to be built upon a statement he made very early in the session: that by 2016 we will see the death of privacy. He assumes that we will relinquish control of our personal data and move into a completely transparent environment where we have little ability to establish boundaries over how that data is used. At the core of this is his argument that a number of ambient technologies, and facial recognition in particular, will turn each of us into a physical hyperlink to our own online data. Augmented reality systems will be able to draw down information about an individual simply by recognizing their image (think Google Goggles on steroids - it's pretty much achievable today). Other hyperlink identifiers, whether biometric or token-based (for example, distance-readable contactless cards) will inevitably emerge to support this vision.
Whilst the hyperlink concept is already a reality, I'm rather sceptical about Nils' view of the future of privacy. The idea that we will give up trying to control what's available online about us seems to be a little nihilistic (although it's probably a meme that will appeal to the many marketeers at the event). The defence of privacy in a near future where non-consensual identification is pervasive (think Minority Report) isn't a futile battle. Quite the opposite, in fact. I believe that over the next few years, individuals will increasingly and collectively demand respect for their personal information in ways that are not currently available to them. The single most important change will be a shift of ownership away from organizations and across to the individuals themselves: the individual will become the single trusted source of their own personal data. In this environment, the only trustworthy data is that which has come directly from the data subject. By volunteering information to be held in a network of distributed Personal Data Stores, individuals will be able to grant access to personal information on a 'need to know' basis, and retain rights-managed control over how that data is used. This isn't a 'futurology' vision, but something that is happening now. The government is nurturing a private market for commercial provision of ID services through its G-Digital framework. Innovators such as Mydex are piloting Personal Data Stores for the management of volunteered personal information. Research projects such as EnCoRe and PVnets are developing innovative consent management models. Of course my vision also has a few 'magic wand' moments as well. We need to find a way to promote and then protect this new environment; businesses need to establish viable commercial models for the new data architectures; individuals need to understand what this all means, and providers need to find ways to deliver it whilst hiding the technical complexity under the bonnet.
There are of course those who will argue that my understanding of privacy is outmoded - that we need to forget our middle-class, middle-aged views of how our information is shared, and instead think about how we value that information. I agree with that, and believe that the focus of the privacy debate will most likely shift towards accuracy, timeliness and consent as key metadata qualities that consumers and businesses alike will wish to address. What is important to remember, however, is that the future of the Internet will be driven by the organizations that can most effectively milk its value, and the winners will be those companies that correctly understand and address mainstream needs - after all, would you adopt immersive and ambient technologies which you did not trust? Let's hope that Mydex, EnCoRe and the other enlightened players in this new age can face down the Web 1.0 marketeers and give us the online future we want - and not the one that is being forced upon us at the moment.

You can outsource responsibility, but not accountability

Wednesday, 25 August 2010

Yesterday saw an announcement by the Financial Services Authority that the UK arm of Zurich Insurance Plc has agreed a record-breaking fine of £2.4m as a result of losing 46,000 customer records. The records, which comprised personal details, 'identity details,' and in some cases bank account and credit card information, details about insured assets and security arrangements, were on an unencrypted back-up tape which was lost in transit during routine transfer to Zurich Insurance Company South Africa Ltd. The SA subsidiary was handling processing on behalf of the UK arm, but there were apparently no proper reporting lines between the two, and the loss was not reported to the UK for over a year after it occurred. There is no suggestion that the lost data has been misused. In its statement, the FSA said: "Zurich UK let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later. "Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made." There are a few important implications arising from the FSA's actions. A key issue is the valuation of data assets: by settling at an early stage of investigation, Zurich managed to get the fine down from £3.25m to £2.4m. This means that the FSA has assessed the value of each missing record as being approximately £70. That's a figure that is substantially higher than has been assigned to many similar fines in the past, but is arguably much less than the damage per customer that could have been done if the data were misused. 
Of course the fine is not actually calculated in this way, and is in fact levied because the organisation "failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement." There is the (hopefully obvious) fact that whilst an organisation can outsource responsibility for proper data management, it cannot outsource accountability: the Data Protection Act makes it clear that the Data Controller remains accountable for proper management of data by a Data Processor acting on its behalf. Yet so many organisations fail to recognise this, particularly when they are passing data within the organisation - in many cases they fail to realise that a data sharing process is even occurring. The scale of the fine is also clearly there to set an example to other regulated financial organisations to put their security arrangements in order. Nationwide, HSBC and Marks & Spencer have all fallen foul of substantial fines from the FSA, in each case being found guilty of systemic security failures. The FSA said "Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made." Zurich's shareholders can justifiably feel aggrieved at the scale of the fine compared with those applied elsewhere in the sector or across other sectors. That brings us on to the issue of who is responsible for Data Protection regulation. The Information Commissioner's Office does not have a reputation for enforcement in the way that many of its European counterparts have - for example, the Schleswig-Holstein Commissioner in Germany has a fearsome reputation and is unafraid to take on the likes of the federal government, Google or SWIFT. 
In comparison, the UK Commissioner rarely attempts enforcement actions on large firms or public authorities, and even then they normally settle for an Enforcement Notice rather than a financial penalty. The FSA on the other hand is clearly happy to hit companies hard for data protection breaches. Whilst I support that approach - poor data protection practices invariably arise from poor information security regimes coupled with a cultural disregard for personal data - I'm somewhat concerned that heavy penalties will deter firms from voluntarily notifying individuals or authorities about breaches when they occur, for fear of being penalised. In this particular case, Zurich voluntarily notified its customers of the loss, but I'm guessing that other financial firms in the same position might think twice in light of this penalty (government authorities and any unregulated body can of course carry on with relative impunity, not being subject to the FSA's regime). So what does all this mean? Whilst I fully support meaningful penalties for organisations that systemically fail to protect personal data, I'm concerned that the creation of scapegoats will simply serve to deter organisations - and financial organisations in particular - from voluntarily reporting incidents when they occur. We need to level the playing field such that fines are proportionate to the offence and the organisation's ability to pay, regardless of size or sector. We need to consolidate to a single regulator for a single issue, rather than sector-specific regulators determining their own scale of penalties. And we need the Information Commissioner to recognise that after 20 years of promotion and awareness, it's time to focus his resources on effective enforcement. Only then will all organisations, and public authorities in particular, start to treat personal data with the respect it deserves, and stop trying to duck accountability for protecting it properly.

Thursday, 29 July 2010

The open season on Facebook (1 Jan - 31 Dec, no sniping on Sundays or religious holidays) continues with the sort of vigour that the media normally reserves for footballers' wives and anyone who's ever been in a talent show. Facebook brought some of this upon themselves with their repeated, poorly-publicised and complicated revisions to their privacy policies. But yesterday's 'headline' was that a researcher has used a script to skim all the public domain text from the social networking site and compiled it into a single file. The only data in the file (which as someone who doesn't frequent the torrents, I don't have a copy of) is apparently the public domain information on Facebook - anything which was set to 'private' was not accessible. The file is only a few GB in size, which suggests it's just text (please correct me if I'm wrong), so the richness of the pictures isn't in there. If the facts have been reported correctly then from a legal perspective nothing has happened here. Someone has taken a large volume of searchable public domain information and put it into a file where it is searchable. Data Subjects gave their consent to the publication at the time they originally published it. Of course there's likely to be material in there that is subject to intellectual property rights, but it wasn't our researcher who put it onto Facebook in the first place. I imagine that a skilled grep-er could find information in there that isn't easily spotted using Facebook's own search tools, and that some interesting patterns might emerge, but I'd also imagine that much of the context and interconnectivity of the information was lost in the download process, so it's swings and roundabouts for the value of the offline data. And yet... and yet... the media still throw up their hands in horror and cry that the death of privacy is upon us. That may be so, but it's not because someone's downloaded Facebook. 
Our problem is that in modern society we seem to think of privacy as being a form of urban anonymity* - less 'the right to be left alone,' and more 'the right to do whatever the hell we please because nobody's going to know who we are when we do it'. This is not privacy, but an uncontrolled and irresponsible form of pseudonymity, where we assume that people don't know our other personae: the 'me' on Facebook isn't the 'me' at work or the 'me' that visits my parents or the 'me' that goes down the pub. These are all legitimate personae that we choose to portray, but we keep them from others because they simply don't mix. Our fear stems from the threat of those personae ever getting together in public with a few drinks and telling the world who we really are. Once that happens, it's all over for privacy under the urban anonymity model - there's no way to separate those personae once their interconnectedness has been made public (particularly if your boss - or worse still, your mother - finds out what you did down the pub). So perhaps it's time we look to a pre-industrial past for fresh concepts that will help us to understand privacy in the age of social networking, and to respond to non-incidents such as this in a more meaningful way. Our current model is one of urban anonymity, but is that a reasonable model for the Internet? Surely we actually engage in communities? The Internet may provide an enormous anonymous backdrop, but most of what we do within it is community-driven, with those communities bounded by interests, professions, territories, applications, providers etc. In a small community, there is no anonymity: everything you do in a public place is public knowledge. Your childhood sweethearts, exam successes and failures, your drunken teenage nights, health problems, run-ins with the police, financial problems - anything that happens in public becomes public domain, and you are completely identifiable by your peers when it happens. 
Yet village communities rarely seem to schism, ostracise or generally form lynch mobs (except when it's as part of the local tradition, of course). Because everyone's life is a matter of public record, and sooner or later everyone says or does something in public they'd sooner forget, then that quality of forgetting becomes embedded in the community: even if we can't forgive, we choose to forget because we hope others will do the same for us. Otherwise we'd never venture out of our houses for fear of twitching net curtains. So is this a valid model for considering how we use the Internet? I think so. We don't go searching for embarrassing things online done by complete strangers (well I don't anyway) unless they are truly staggeringly stupid/naked/funny, but we are interested when even a minor incident involves someone we know, or who exists within one of our online communities. Those are people that seek forgetfulness, and from whom we may require that forgetfulness to be reciprocated. The Internet itself won't forget anything, so there's no point in trying to erase the evidence. As adults we fret that the re-appearance of a photo of teenage high spirits (i.e. that one wearing nothing but a pair of pants on your head and a winning smile) may come back to haunt us, but younger generations will have learned to see the Internet for what it is: a global network of interconnected communities, rather than a homogeneous mass of users. Maybe they'll be better at forgetting than we - or computers - will ever be. And maybe they'll come up with a more grown-up model for online privacy than we currently use.

When business trumps privacy

Wednesday, 14 July 2010

The BBC reports that the financial failure of gay teenager magazine XY, and its associated database, has given rise to a painful privacy conundrum: what happens to the database of registered site users? When a company fails, it is normal practice for the administrator to seek the greatest possible asset value on behalf of the creditors. In some cases this means running the company on their behalf, but most of the time the administrator will sell off assets, or offer them up to creditors in lieu of debts. 10 years ago, the administrator would have been selling off the IT assets based upon their hardware value, but as businesses become increasingly aware of the (often intangible) value of data assets, these are being put up for sale as well. That all seems reasonable, but we run into a fundamental conflict where the data assets contain personal information. A sale of the asset causes two principal problems from a data protection perspective: the change of Data Controller, and potential change of purpose of the personal information. The database has very little commercial value to the buyer unless the vendor can obtain consent from data subjects to both of these changes, and would be in breach of the Data Protection Act (1998) unless this was obtained. In practice the new consent is so complex to obtain that this situation rarely arises in Europe, where the European Data Protection Directive provides parity of protection across member states. But the US has no equivalent Federal legislation. Contrary to popular belief, US citizens have no constitutional right to privacy (although this is in part granted by various constitutional amendments), and instead achieve privacy through a powerful Federal Trade Commission, individual State legislation, and the ever-present threat of class action lawsuits against any company that infringes its own privacy policies. And hence we have the situation arising with XY.com. 
The database, containing personal information about many tens of thousands of young gay men, many of whom will not yet have decided upon their own sexuality, or told family and friends about that sexuality, is now up for grabs. The creditors are keen to obtain the maximum value for the database, and this might include selling it for commercial purposes at odds with the original intentions. In the US, this may be legal, but the situation becomes increasingly complicated when we take into account that because of the global nature of the Internet, it is inevitable that EU citizens will be in that database. Does the Data Protection Directive apply? Can they demand protection of their personal data? As Privacy International's Simon Davies points out, "The selling off of private information, gathered under the supposition of privacy, is bad enough ... Even worse if you're forced into it. And positively untenable when the information is connected to kids who are dealing with a dawning sexual reality that in some instances is even more fraught than what straight kids go through. ... I would argue that this is a case where the Information Commissioner should write directly to the US and ensure action is taken." That point about intervention by the Information Commissioner's Office is an important one, and I agree that the Commissioner should get involved. But will the US listen? Probably not. More likely, the lawyers will weigh up the threat of a meaningful lawsuit being brought by young gay men in the EU, who may well have to disclose their details in order to take action (many will not wish to do so), and decide that the risk is acceptable. The situation is about as far from ideal as it could be, and underlines the pressing need for reform of the legal arrangements for transfer of personal data about EU citizens to the US in light of the general failure of the Safe Harbour agreement and companies' poor implementations of Binding Corporate Rules. 
This is also a classic case of how matters of gender and sexuality are often the lightning rods for privacy policy development. Young people growing up uncertain of their sexuality or gender often spend many years keeping their feelings and experiences away from some or all of the people in their lives, and may live 'split' lives whereby family, friends and employers have very different views of their personae. One of the most important implications of the fundamental right to privacy is the right to keep these aspects of our lives separate, and that right is critical where the wedge of prejudice might force a person away from the support of people they need most. Last week former Minister for ID Cards Meg Hillier MP demonstrated her appalling lack of understanding of this sensitivity by proposing the forcible outing of the UK's transgender population.* The Information Commissioner launches his annual report today, and I hope that as his office publicly reviews the past year and speaks of the challenges of the year ahead, that the protection of those individuals threatened with a loss of privacy by the potential sale of XY.com's database is one of the topics on his agenda.

* - This was almost certainly because of a lack of understanding of ID issues rather than a lack of compassion for the transgender community, and I'm not for a moment suggesting any prejudice on her part.

There, but for the grace of Dave and Nick...

Wednesday, 30 June 2010

Do you remember the UK ID Cards scheme? You know, the government's promised 'gold standard' of identity? The unforgeable, unbeatable, genius of authentication that was promised to do anything you want (so long as all you wanted to do was submit to an identity check by a public official)? The one that eventually cost us £450,000 per card? Ah, now you remember it. Back in the heady days of 2005, a number of us warned that the idea of a 'gold standard' of identity was preposterous, and that the UK abandoned the concept of a gold standard in its fiscal policy for a number of reasons, one of the most important of which was the fact that underpinning your entire economy on a single asset is a ridiculous and unnecessary risk. Would you want to discover that the UK economy has collapsed because investors have intentionally pulled the rug out from under the gold market (as opposed to just good old-fashioned fiscal mismanagement)? No. Would you want to discover that the country's entire system of authentication and verification has to be abandoned because some idiot left a copy of the database on a memory stick in a pub car park? No. But we came very close to building that ID system, and in Puerto Rico they've just discovered what happens when your primary credential is no longer trustworthy. Apparently in Puerto Rico, a birth certificate is the de facto ID document. It's been normal practice for many years for public authorities and private organisations to take a copy of that simple, forgeable piece of paper when they transact with individuals, and to keep it on record for indefinite periods. Unfortunately, the Puerto Rican birth certificate is an immensely valuable document, since it can also be the gateway to US citizenship, and that makes it an attractively nickable credential that can be sold across Latin America. Organised criminals soon cottoned on to this, and started raiding organisations - in particular schools - to steal copies of certificates, and selling them on.
US authorities are quoted as saying that up to 40% of fraudulent applications for US passports use Puerto Rican birth certificates, and 12,000 individuals are known to be victims of this type of credential fraud. The Puerto Rican birth certificate has been rendered untrustable, and has had to be abandoned as their 'gold standard' of ID. In response, and under pressure from the US, the Puerto Rican government has demanded that over 5 million individuals re-register for a new birth certificate that will be printed on a different document standard, and will not be collected by other organisations for ID purposes. It seems a little odd that they've replaced a stealable, replicable, forgeable, fundamentally weak credential with another stealable, replicable, forgeable, fundamentally weak credential, when they could have used electronic credentials to leapfrog underdeveloped nations such as the UK by creating a really useful ID infrastructure, but then I doubt they'll be paying £450,000 per certificate either. The sooner that we get away from this outmoded concept that the only way to prove our entitlements is a bit of paper - or a smartcard - issued by the State, and start adopting global, interoperable standards for open identity rights, the better. The Coalition government saved us from a move back to the gold standard in ID, and the ultimate inevitable collapse of a fundamentally flawed ID infrastructure. Sadly, they've yet to propose alternatives, and we're floating around in an identity vacuum that needs leadership, standards and purpose. Where's the government's ID Tsar? Where's our commitment to an Open ID initiative such as that created by Obama? I know it will be many years before it happens, but I can dream, can't I? In the meantime, I'm off to San Juan to register for a birth certificate under my Latin alter ego, 'Spanky Fernandez'*. Should be worth a few bob once the ID thieves figure out how to copy them over the next few weeks.
* - I once knew a chap by that name. If you're reading this Spanky, sorry for stealing it.