Archive for March, 2007

TK Maxx: Cambridge fireworks display up to usual high standard

Posted by William Heath in databases, human error at March 31st, 2007

Ross Anderson and the Cambridge security posse are on characteristically trenchant form with a withering piece on TKMaxx and UK banking regulation. The knee-jerk response would be to call for better access control, but he immediately thinks differently: the UK needs a data breach disclosure law too, he argues. The division of responsibilities between banks and police is also all wrong and getting worse, to the greater disadvantage of the consumer.

UK citizens won’t be able to report bank or card fraud to the police; you’ll have to report it to the bank instead, which may or may not then report it to the police. (The Home Office wants to massage the crime statistics downwards, while the banks want to be able to control and direct such police investigations as take place.)

…the EU Payment Services Directive looks set to level down consumer protection against card fraud in Europe to the lowest common denominator.

Oh, and I think it’s disgraceful that the police’s Dedicated Cheque and Plastic Crime Unit is jointly funded and staffed by the banks.

While you’re at it, see also the FIPR’s response to the e-gov framework for information assurance, which pulls no punches:

There are four things seriously wrong with this Framework: an obsolete model of online threats, a failure to treat harm to government employees on the same basis as harm to other citizens, a failure to draw a clear distinction between identity and authority, and a security policy model that is often inappropriate… This is a document that could have been largely written ten years ago, and is perfused with last century assumptions about online dangers.

People want to retire to a safe distance when Ross starts fizzing because he effectively states, in the clearest possible terms: “Gentlemen, you are about to be blindsided.” That’s never comfortable to hear. He has been known to be wrong, and sometimes rude, but he’s mostly right and his pithy style is always a delight. As time goes by, events seem to prove him to have been ever more profoundly right - he lives to expose the Blindside (not that I’d expect him to post or comment here - he’s the only person so far to have been really rude to me when I told him what we’re trying to do).

The CSIA consultation on the Framework ended 15 March. Sam Smith did a lovely Commentonthis version (where you can link to each paragraph and get an RSS feed of all comments). It’s a great way to do a transparent, outward-looking consultation, instead of focusing internally on the usual suspects, which seems easier but is in fact so much less valuable.

CSIA now says:

Many thanks to those who have responded to our request for feedback on the development of the IA Framework for e–government services. We are in the process of producing a revised version of the document taking into account the comments and will be producing a further version of the document over the coming weeks. Your input is extremely important to us and if you have any queries about the framework please contact us on csia@cabinet-office.x.gsi.gov.uk

So we look forward to a revised version, one which avoids the common and obvious mistake of putting things out to consultation and then appearing to ignore the feedback. That is worse than not consulting at all, and a classic technique of those about to be Blindsided (which sounds as if it should be expressed as a Latin gerundive, like the one for those about to die who salute Caesar).

Sun tries to open up a better security dialogue

Posted by William Heath in Blindside project, Faster/smaller/better..., Humanity nature and activity at March 30th, 2007

Over at Sun, Alec Muffett and others are also trying to open up how we talk about security, in their case starting from an industry security practitioner base. From his blog Dropsafe:

me and some other folk in the Sun security community are trying something a little bit different. Security has always been a problematic topic for a corporation to discuss, except in the narrow sense of products that do some small security thing.

You know what I mean - virus scanning, crypto acceleration, software containment, hardening tools, stuff like that.

We really needed - and now we have - a forum to talk about the “soft stuff”, too. Permissions. Tips. Tricks. Little features which are not sexy enough to make the masthead of a glossy brochure.

The new shared Sun security blog tries to answer the question “how can we talk with the customer whilst using a single voice?”

Blindside: is the info-assurance glass half-full, or half-empty?

Posted by William Heath in Blindside project at March 30th, 2007

We can’t be confident we’ll have the right future solutions in the information age if we don’t make the effort to understand the problems. That means all involved have to have a sound, cross-disciplinary grasp of:

- current, emerging and future trends in computers and networking

- government, commercial sector and public security awareness, maturity of response and appetite for risk

- and the broader landscape of vulnerabilities and requirements for computers, networks, and information-assurance products and services.

Many of us look at these issues, and understand different aspects with different levels of expertise. No-one outdoes the security services, research bodies or specialist suppliers at what they do in their own field, but at the same time none of these experts knows so much that they can’t learn from others. When an expert paediatrician presents statistically misleading evidence, the consequences for the innocent defendant are disastrous.

That’s the purpose of Blindside. The blog is meant to be a safe place to share opinions, news or comment across sectors and disciplines. And the wiki is a repository where we can build a single evolving picture of what’s coming down the track, the opportunities and threats we perceive and how we believe different communities might respond.

It’s driven from an information-assurance perspective because good information assurance can help overcome the problems and make the most of the opportunities of emerging IT. But only if we first recognise the full richness and extent of what’s going on, including what’s coming up on the Blindside.

Sprinklers

Posted by wendyg in Uncategorized at March 29th, 2007

In the hall during the break I met a guy from IBM who works in Austin - he does energy. Sits on the city council, etc, and works on conservation. IBM has a smart house in Austin, which I saw a few years ago (2003) and wrote up for a net.wars (“And there will come soft sprinklers”, if you want to find it). The system gives your house an interface you control from a TV, but the thing that blew me away was that there was a page for your sprinkler system, and a little box to tick that says, “Observe municipal watering regulations”. You tick this box and thereafter your automated sprinkler system can download constraints from the municipal authority, so you *automatically* do not water your lawn at the wrong times during a drought, etc. I thought this was *brilliant* and the most useful thing I’d ever seen proposed for a Smart House to do. This capability is now being rolled out to the entire city of Austin.

*This* is a tiny piece of what egovernment should be. Making it effortless to follow rules that are in the public good - though note you do not have to tick the box.

wg

Graphic equalizers

Posted by wendyg in Uncategorized at March 29th, 2007

Matt Webb (part of a two-man London-based design consultancy called Schulze and Webb) just finished a presentation about Generation C - people who expect control, complexity, and social connections. It’s not an age group but a state of mind - and this entire conference is GenC, as is an increasing percentage of the population and therefore an increasing percentage of the people for whom these egovernment systems are being/going to be designed. Today’s designs tend to be one-way: a washing machine has a single interface. Why can’t we hack it so it only offers the settings we use? Or put a graphic equalizer on the front as the selection mechanism instead of these old dials and knobs? Webb showed off a couple of their design ideas, such as a little robot that plugs into your USB port and falls over if your IM buddy goes offline. Governments tend to want to issue monolithic systems, but they’re going to be awash in users who would like to reshape the system according to their own desires, whether that means scraping data into a more usable form (RSS and XML instead of PDF and DOC) or shoving a graphic equalizer on it (why not have one for your bank and credit accounts?) to make it more fun.

wg

Point Counterpoint

Posted by wendyg in cracking stuff, unexpected consequences at March 28th, 2007

Every technology breeds its opposite. In response to a comment by Katherine Albrecht that she didn’t want anyone reading RFID tags to find out what kind of bra she is wearing, a group is working on RFID Guardian, which allows RFID tags to be selectively jammed.

Two things:

1) Ubiquitous (CA) / Pervasive (IBM) / Ambient (EU) computing creates vast new security risks that are poorly understood and poorly anticipated

2) Any technology created and deployed will - not may - be cracked and countered in unexpected ways.

wg

Yesterday’s magic

Posted by wendyg in Uncategorized at March 28th, 2007

The slogan for this conference is Arthur C. Clarke’s encomium about technology that’s sufficiently advanced being indistinguishable from magic. And this morning’s talk is “The Coming Age of Magic”, which seems to be about the influence of games and their magical leanings on future interface design (the Wii wand, etc) - magic as the metaphor for ubiquitous computing design. On his way to his main point, however, the speaker showed some examples of interface design from General Magic, the cutting edge ten years ago, which foresaw the convergence of handheld computers, networks, and communications. But when it was working, the cutting-edge thought was that interface design needed a metaphor people understood, and the common choice was the desktop. GM extended this, so you could walk away from your cartoon desktop down a hallway past doors labelled “library” into a downtown with a huge building that was the Internet…

We have moved on now from this particular metaphor, and when you see this interface it looks unbelievably lame and clunky. Some of it was fashion (as I believe the magic games metaphor is), and some of it was necessary as training wheels for people unused to the concepts of computing. But how lame will what we design now look in ten years? And how long will we have to go on using it while the next generation rolls their eyes?

Opening up the creative archive

Posted by wendyg in Uncategorized at March 28th, 2007

Rightsholders! Tom Loosemore here, talking about the problems. They couldn’t find a single programme that was entirely cleared with respect to rights. “We thought we’d found one concert.” BBC orchestra, check. BBC hall, check. BBC… nope, the composer was on a freelance contract. Next!

Earlier today, Cory Doctorow talked about DRM: it creates dark pockets of content and encourages people to steal.

More to the point, a significant area where we are being blindsided now is the conflict between the things technology would allow us to do and old business models.

wg

Death threats

Posted by wendyg in AnonymitY, culture, psychology, threats at March 27th, 2007

So the story goes like this: Kathy Sierra, who blogs about interface design, cancelled her appearance at this conference because she was getting death threats posted on her blog (and elsewhere). Her story about it is here.

Public personalities have had to deal with this kind of thing for years - as we all become to some extent public personalities through our visible online interactions, is dealing with this kind of thing something we must all learn to do? (Without in any way blaming the victim, I have to say that in my own experience dealing with online trolls your best strategy is to ignore them; expressing distress feeds them.)

wg

The games of happiness

Posted by wendyg in Uncategorized at March 27th, 2007

Jane McGonigal this morning talked about carrying over games into real life and her belief that the emerging force in technology is happiness. She predicts that by 2012 - an unfortunate date to pick for Londoners, since we all expect to spend much of that year absolutely miserable with traffic, lack of parking, security, surveillance, and hordes of tourists - whether a technology contributes to human happiness will be the key to its eventual success. I can’t think of a government service that’s ever been specified this way (least of all the Olympics).

She listed a number of books that bolster her prediction:

- Dale Gilbert: Stumbling on Happiness (people are really bad at telling what makes us happy)

- The Science of Happiness (Klein)

- Happiness: Lessons from a New Science

- Authentic Happiness (Seligman)

- The Paradox of Choice (the only one I’m familiar with - basic thesis that increasing choice increases confusion)

- The Economist 12/06 “Happiness and How to Measure It”

- BBC The Happiness Formula

- Time cover story Jan 2005.

She lists three key factors of happiness: pleasure; engagement; meaning.

She then went on to describe some of the real-life games she’s spawned. For example: the Ministry of Reshelving. An attempt to apply folksonomy to real-life cataloguing by deploying hundreds of people across the US with downloaded and printed tags to reshelve copies of Orwell’s 1984 into history, politics, military history — and out of fiction. (This may have increased the happiness of the game players, but it will have done nothing for that of the book store staff who had to put the books back, or of anyone trying to find and buy a copy that day.) Random acts of kindness - invade a formerly public space that has been taken over by private interests (an increasing issue in the US) and be kind to targets in your general vicinity. Shake hands! Kiss them! Etc. A puzzle-solving hunt involving answering ringing pay phones, hearing seconds of a War of the Worlds type drama and then reporting on same online.

We live life forwards, but we measure happiness looking backwards. Does, McGonigal asks, our technology pass the deathbed test? She believes that in the coming years we will be building technology around quality of life. In a sense, this is what IdealGovernment/Blindside are attempting to do. But I don’t think happiness is always going to be the right measure. And in fact, the right might argue that if you make people *happy* by giving them welfare, you’ve done them a disservice.

Her slides will be up here on Friday.

wg