Archive for June, 2007

A Real Threat to Information Security

Posted by Tom Fuller in Blindside project, Data breaches, human error at June 11th, 2007

I recently was at a company that considered its database of consumer contact information its biggest asset. They had big clients who also provided their customer lists for this company to market to. They took information security very seriously–swipe cards, paying hacker teams to try and penetrate their security, etc. Employees were physically prevented from accessing web-based emails, and they disabled the floppy drives and CD-ROM drives on all the PCs. You could not ever hook a laptop to the network.

But the PCs all had USB ports. The company, a forward-looking, publicly listed, hard-driving enterprise, just didn’t pay attention to them.

Can you say memory stick?

Memory is cheap. We all know that now, and we’re happy about it. But now memory is invisible and portable, too.

I won’t even go near the subject of Bluetooth–I’ll need another cup of coffee (or two) for that. Instead, I’ll challenge you, dear readers.

Could you all describe the difficulties you foresee a) in getting enterprise level information from an organisation using kit that costs less than £100 (total) and b) what advice you would give the average organisation (not military, not intelligence, not police) on how to safeguard against low-level, mostly inadvertent data breaches? Think memory stick, SAN, mobile phone, Bluetooth–put your answers in the comments, please.

User Requirements 1: Who is the Client?

Posted by Tom Fuller in Uncategorized at June 8th, 2007

When I have had the time to look around the Intertubes thingy looking for information about identity management, government identification schemes, risk management and related topics, I do not find much information regarding the goals of government.

Can you help me on this, please? Here in the UK, where the issue had multiple triggers (terrorism, illegal immigration, benefits fraud, rebuild of the NHS, need to address U.S. passport protocols), it is particularly difficult to find a list of what they want the end product to do.

If someone can point me to a statement or article that defines the user requirements for a large, centralized database of information about all UK residents, that might be a clue as to what the real goals might be.

But I suspect that might be difficult to lay hands on, in part because I imagine that the various departments are institutionally incapable of communicating this information with each other.

So, as I am still quite an agnostic on this issue, I will try and list what I would want an integrated multi-purpose citizen identification programme to be able to do. I hope then (with your help) to unpack the requirements for analysis of feasibility, cost, risk to client, risk to user.

The first issue is that there would be multiple clients. The Home Office is now two, one dealing with what is loosely termed homeland security issues and another dealing with the criminal justice issue. I think it might be easier to list sub-units who may piggyback requirements onto an original specification.

Client list:

HMRC: Assist in identifying illegal immigrants.
Prison and probation: Assist in monitoring parolees
Criminal justice: Assist in detecting fraud, particularly relating to benefits
Job Centre: As in criminal justice
DWP: Assist in pension administration
MOT: Assist in administration, identify uninsured drivers
DOH: Assist NHS NPfIT in joining up transmission of patient records, reducing medical error

Then there are indirect stakeholders, who don’t have specific citizen information requirements, but would greatly benefit from access to a completed database:
MI5 and MI6
Police departments
Crown Prosecution Service
The other half of HMRC–the part that deals with taxes
SOCA

Who am I leaving out?

When this list has been vetted, we will try and compile a list of user requirements for each.

We will then begin the merry task of seeing if one system is feasible at the level of accuracy needed. I think that only then can we estimate the threat level to civil liberties. Notice I am not saying a word about cost. The price of a system means nothing in and of itself. If we have a clear idea of benefits and potential savings, we can put a price tag into perspective.

But looking at the list, I think one term will be paramount in any bid specification document–the ability to fail gracefully.

Social Networking, Mass Anonymity and Identity

Posted by Tom Fuller in AnonymitY, Blindside project, e-ID at June 6th, 2007

Sorry I’m late to the keyboard–long day. I want to talk about how culture is changing people’s expectations of privacy, anonymity and identity. Hope I’m making sense at this hour.

For 1 billion people on this planet, and 37 million in the U.K., the effects of frequent Internet use are changing our behaviour–and, I think, our expectations.

We now are used to passing financial and personal details online to a vendor we don’t know. We are used to multiple passwords. Those of us who comment on weblogs are getting used to replicating letters and numbers written in wavy script just to get our comments published. Those of us on social networking sites regularly post details of our lives that we would not tell our mothers, let alone our banks.

We behave differently to people who do not connect. And I think, regarding surrendering information, we have collectively shown that we’ll do it–if the following conditions are satisfied:

1. We trust the recipient (Not like them, or know their employees. We essentially trust the brand.)
2. The Brand explains to us why they want the information and how they will use it.
3. They give us an alternative.
4. There is a carrot, and a chance to unsubscribe, opt out, etc.

For those of us in the UK, these conditions are added to the surrender of privacy brought on by the CCTV culture. We’re always on, we know it, internalise it and ignore it. Because CCTV does not do what it says on the tin (stop crime), we think it does nothing. We’re safe in our numbers. The ubiquity of mobile phone and digital cameras adds to this.

The police do not need my DNA to get me–my profile is up on MySpace. People have announced impending crimes and suicides on social networking sites.

The implications of all this are that society will (once again) split into those who have acculturated themselves to the loss of privacy and those who have not. Support for ID management issues may follow that split.

The other factor is Internet schizophrenia. I may not know you’re a dog–or a Lara Croft lookalike in Second Life, a pre-teen on MySpace and a regular commenter under a false name at any number of blogs, news sites and forums. Soon, I may not care–I might have my pseudo identity or identities of my own, each with a private email and Skype number. We all may have different reasons for setting up different identities (I have talked with one young girl who had seven MySpace blogs, one for each boyfriend…), but will anybody be surprised if people start adding enough weight to these identities to make them credible entities in the eyes of society and the law?

If I have a name, a weblog, an email address and a Skype point, how much more do I need to get instruments more commonly recognised as proof of identity? And how much longer before I begin to spoof the identity masters?

Identity Management and Scientometrics

Posted by Tom Fuller in Blindside project, e-ID, people and passwords, security services at June 5th, 2007

If you go to Scirus and search for “identity management” you get a picture of what research and development has been going on in this field. The term returns 81,497 results–but only 321 of those results are academic journal publications containing the phrase in the title, abstract or text, and only 592 of those results are patents. This total is amazingly low, and I don’t know what to make of it. Of the 592 patents, 551 have been filed since 2002. Of the 321 journal publications, 286 were published since 2002. Compared with totals for other sub-sectors, it is clear that we are at the birth of a field–which I confess I did not know. My education continues…

Emerging Technologies, Productivity, and Work Life Balance

Posted by Tom Fuller in Blindside project at June 5th, 2007

About ten years ago, I had the wild idea that the world should change. It should specifically change the calendar, moving to an 8-day week, with a new day called (in English speaking countries) Funday, which would follow Sunday. Most of us could then work 5-day workweeks and have 3-day weekends and we’d have 6 days to play with at the end of the year. Big companies (and government) could benefit by having Blue and Gold teams (like the U.S. submarine fleet) that could work four 10-hour days and they’d be up and running all the time.

I figured, what’s the big deal? We’ve only been using the Gregorian Calendar in the U.K. since 1752, why would this be a bigger deal than going metric? But, as time passed, I realised that calendars are named after big leaders like Caesars and Popes because they were the only ones powerful enough to dictate the change… and we don’t have anyone that powerful anymore, and that’s probably a good thing.

Now, older and wiser, I have changed my views. I now think that emerging technology makes it possible for everyone to negotiate their own individual calendar, one that can be harmonised with the legacy Gregorian Calendar for common reference. We already do this with time zones. Your computer and mobile phone convert to summer and winter times automatically, and remember when Leap Year happens even if you don’t.

As productivity climbs, so do corporate profits (and business taxes). However, companies (and governments) don’t want to share increased revenues with workers. Globalisation and competition mean that many jobs have to be performed during more than an eight hour day. So, how can we strike a balance that allows workers to have a life while meeting employer demands? See above for my answer.

In 1840, the average UK worker put in between 3,105 and 3,588 hours per year, according to Wikipedia. In 1988, that total for manufacturing workers in the UK had dropped to 1,855. Today, the UK worker is estimated to punch in for 1,652 hours.

If it’s the total that counts, negotiate the total and a core group of hours, and let technology do the rest. With emerging social networking tools and established calculators that integrate into our systems, it should be a doddle.

Could someone explain to me why this wouldn’t work?

Research Into Identity Issues

Posted by Tom Fuller in Uncategorized at June 5th, 2007

The scientific database Scirus contains information on literally millions of academic publications and patents. It draws information from a very wide variety of publications.

Searching with the term ‘biometrics’ returns 230,426 results, of which 17,782 are academic journal publications and 8,242 are patent filings. (By way of comparison, a search for ‘stem cells’ returns 152,608 journal articles and 62,220 patent filings.)

Of the 17,782 journal articles about biometrics, 2,291 were published last year (13% of the total). Of the 8,242 patent filings containing the word biometrics, 1,731 were published last year (21% of the total).

Welcome to the world of Scientometrics.

Indeed, 6,252 of the 17,782 journal articles have been published in the past five years (35% of the total) and 6,146 of the 8,242 patent filings as well (75% of the total).

I’ve been using this search methodology on another project for a while, searching for scientific activity on a variety of topics, and I must say that only nanotechnology has shown as high a level of commercial interest as we see here for biometrics. If you would like to compare progress in different sectors, click here.

Journal publications containing the word ‘biometrics’ in the title, abstract or document text have grown at a compound annual growth rate (CAGR) of 10.86% since 1961. It doubles every 6.72 years, quite respectable growth. The timeline exhibits the characteristics found in other sectors, seeming to follow increases in university enrollment and GDP growth in the OECD. Nothing startling.

But if you want to see history in statistics, look at patent growth since 1960. Overall, the CAGR for patents for biometrics is 17.19%–very good. It doubles every 4.37 years. What is most interesting is that growth has slowed down since 1995, from 13% to 8%. Last year, the number of patents actually dropped, effectively ending the surge in patents since 2001. I find this remarkable–it’s not something I’ve seen in other sectors, and might be worth discussing.

I will post the statistics here as soon as I figure out how to add another page or an extended post… but I’d like your comments in the meantime.

Universal Access and Emerging Technology

Posted by Tom Fuller in Blindside project at June 4th, 2007

Somewhere between 5% and 9% of the UK population are registered disabled. Which emerging technologies can help them, and how? We’ve probably all heard Stephen Hawking’s Dalek voice–which he refuses to have updated to something sounding more natural–but is this technology being supported and adopted by government?

For that matter, physical access to physical spaces could be helped by emerging technologies. The GPS locating function of mobile phones means that the blind need never be lost (nobody will ever need to be lost again… think about it)–but where are the talking maps? Heck, museums have them–have had them for years.

The TFT screen and smaller size of computing devices mean that those in wheelchairs can have workspaces configured for them–you can see examples in the British Museum. How come there aren’t minimum requirements (and ramps and lifts) for call centres? Wheelchairs are battery powered and very green–why can’t we give them a tenth the attention we give a Toyota Prius?

Okay, that’s my take on this–what is yours?

The User Point of View

Posted by Tom Fuller in Blindside project at June 4th, 2007

I would like to explore some emerging technologies with you by trying to look at how they will affect citizens.

Have you heard of machinima? It’s a way of using video game development tools to make a movie. You can download and watch an example found here, at the Machinima website. Machinima is becoming so popular they even have machinima film festivals.

If non-programmers can use video game technology to make movies, why can’t non-programmers use the tools to make simulations for professional skills, walk-through lessons for students, jazz up modules for training, etc.? Virtual driving lessons, anyone?

If you were a student or trainee (or military recruit), wouldn’t you find this more engaging?

Second Life is a virtual world where you customize your own avatar, and interact with other virtual people in ways that range from the conventional to the highly idiosyncratic. Again, the possibilities for simulation and training are obvious. But what about the chances for shaping (or reshaping, where appropriate) the self-image of those who need it?

Again, many emerging technologies are grouped around the concept of making the production of certain media (websites, movies, video games, networks) available to those who don’t have large organisational infrastructure at hand. Many of those in government who are charged with delivering services on a tight budget could find these technologies liberating.

Can you give me more examples of technologies, uses, caveats?

Is There More Than One Reason Why This Would Happen?

Posted by Tom Fuller in Data breaches, People and IT, e-ID at June 4th, 2007

I find this disturbing. Both the Times and the Metro (have to cover all angles, right?) report this morning that ‘civil servants at the Treasury have been ordered by the Office of Government Commerce to destroy the ‘gateway reviews’ detailing the cost of the Government’s controversial ID cards scheme and other IT projects.’ (Both articles are in the dead tree version, but I’ll link to the story if I find it online.)

I may be new to this topic, but come on. After defaming the reputation of the LSE publicly and repeatedly for offering cost estimates that were higher than published government reports, they… burn the government reports? After the Information Tribunal ruled that the Treasury must publish the official documents relating to ID cards?

Update: Phil Booth made some cogent comments that I think deserve putting here.

Phil: “Reading the various reports carefully, it seems as if the memo is advising people to destroy hard copies of Gateway reviews after they have read them (sensible advice to avoid accidental leaks, e.g. from stolen briefcases) but not to be saying that they’ll shred all copies of every report in existence. If the latter were the case, then there’d hardly be any point in taking the current appeal re. the ID scheme Gateway reviews to the High Courts.”

…and later, Phil adds: “What’s more worrying is the destruction of the “supporting documentation” - and the fact that, if only two copies are allowed, the reviews can be of very limited further use. For if only a very limited number of civil servants can read it, how can any recommendations be adopted/acted upon?”

I do intend to examine ID management issues on the merits. But this type of behaviour will quickly make the ‘merits’ irrelevant, if it continues.

Can anyone suggest a legitimate reason for this action?

Call for Comment

Hi all, Tom here again. I need your help. I am going to be adding content to the wiki we are running here.

One of the first areas I intend to work on is identity management, and I hope to incorporate much of what is on this weblog. If I make any mistakes, well, that’s what wikis are all about–you can fix them when you see them.

But I like to measure twice and saw once, so before I start I thought I would ask for your assistance in preparing my mindset and removing any cant or prejudice I bring to the task. So I am going to lay out my starting assumptions and ask for your comments before I start.

1. What we are focusing on here is not a technical or financial issue, or at least not primarily. It is political, social and ethical.
1A. I say this because I have not met anyone who would change opposition to large scale ID projects based on cost–if Oracle, Tesco and Dunnhumby offered a solution for free, the concept of UK government ID management would not win any new adherents. Nor have I met anyone who has said they support ID management for £X, but would oppose a scheme at £X+1, or even £2X.
1B. There are large scale databases that securely contain and manipulate similar volumes of data as proposed for UK identity management, and many are fit for purpose. The fact that UK government has had scant success in finding, buying or building such a database in the past is not a compelling argument against ID management–it may be an argument against government procurement practices.
2. Proponents of large scale identity management programmes focus on social benefits, such as the reduction of crime or terrorism. A secondary argument is made regarding internal efficiencies of government operation.
3. Opponents of such programmes focus on the risks posed to individual liberty and civil rights, with secondary arguments about costs and past performance of government IT endeavours.

This is the mindset I am bringing to the project. If I am mischaracterising anything or completely ignoring large parts of the issue, enlightening me before I begin will save me a lot of time and work. Please use the comments section to continue my education.

Thanks

Update: Thanks all, for the cogent comments. All of a sudden I’m glad there’s no football on tonight.