TK Maxx: Cambridge fireworks display up to usual high standard

Posted by William Heath in databases, human error at March 31st, 2007

Ross Anderson and the Cambridge security posse are on characteristically trenchant form with a withering piece on TK Maxx and UK banking regulation. The knee-jerk response would be to call for better access control, but he immediately thinks differently. The UK needs a data breach disclosure law too, he argues. He also argues that the division of responsibilities between banks and police is all wrong and getting worse, to the greater disadvantage of the consumer.

UK citizens won’t be able to report bank or card fraud to the police; you’ll have to report it to the bank instead, which may or may not then report it to the police. (The Home Office wants to massage the crime statistics downwards, while the banks want to be able to control and direct such police investigations as take place.)

…the EU Payment Services Directive looks set to level down consumer protection against card fraud in Europe to the lowest common denominator.

Oh, and I think it’s disgraceful that the police’s Dedicated Cheque and Plastic Crime Unit is jointly funded and staffed by the banks.

While you're at it, see also FIPR's response to the e-government framework for information assurance, which pulls no punches:

There are four things seriously wrong with this Framework: an obsolete model of online threats, a failure to treat harm to government employees on the same basis as harm to other citizens, a failure to draw a clear distinction between identity and authority, and a security policy model that is often inappropriate…This is a document that could have been largely written ten years ago, and is perfused with last century assumptions about online dangers.

People want to retire to a safe distance when Ross starts fizzing, because he effectively states, in the clearest possible terms: “Gentlemen, you are about to be blindsided.” That's never comfortable to hear. He has been known to be wrong, and sometimes rude, but he's mostly right and his pithy style is always a delight. As time goes by, events seem to prove him ever more profoundly right; he lives to expose the Blindside (not that I'd expect him to post or comment here - he's the only person so far to have been really rude to me when I told him what we're trying to do).

The CSIA consultation on the Framework ended on 15 March. Sam Smith did a lovely Commentonthis version (where you can link to each paragraph and get an RSS feed of all comments). It's a great way to run a transparent, outward-looking consultation, instead of focusing internally on the usual suspects, which seems easier but is in fact so much less valuable.

CSIA now says:

Many thanks to those who have responded to our request for feedback on the development of the IA Framework for e-government services. We are in the process of producing a revised version of the document taking into account the comments and will be producing a further version of the document over the coming weeks. Your input is extremely important to us and if you have any queries about the framework please contact us on csia@cabinet-office.x.gsi.gov.uk

So we look forward to a revised version, one that avoids the common and obvious mistake of putting things out to consultation and then appearing to ignore the feedback. That is worse than not consulting at all, and a classic technique of those about to be Blindsided (that sounds as if it should be expressed as a Latin gerundive, similar to the one for those about to die who salute Caesar).

Contributors to the Blindside wiki and blog should note their input forms part of a collaborative resource that is Creative Commons (by-sa 2.5) licensed. We hope these resources will be reused and remixed in the public interest. You do not need to seek permission before you re-use our works, although we do require that users attribute Blindside as their source, and license the resulting work under the same terms.