Archive for November, 2007

Sigh…

Here’s the story on the day after…

I have said this before on this blog. There are countries where a national identification card is completely non-controversial. There are possible benefits to society from a well run and properly managed system.

But in my heart of hearts I do not believe that this country’s government (and I do not distinguish between political party here) is capable of building and operating an ID management system at this point in time without disastrous consequences to information assurance.

Two years of Open Rights…

Posted by wendyg in unexpected consequences at November 19th, 2007

The Open Rights Group posted today its annual review, including its first full year’s accounts. (Like a number of people who read here, I’m on its Advisory Board.) ORG wants the link blogged as widely as possible…

Some months back a photographer practically made the sign of the cross when I mentioned ORG in an interview. I think one of the challenges ORG has is to make people understand that it’s not against people making a living from IPR - after all, many of its AB members, its patron (Neil Gaiman), and one of its founders (Cory Doctorow) all make their livings by creating and selling intellectual property. What it’s against is the extension of copyright beyond all reason. Since the primary beneficiaries of that are the same publishers who have been grabbing rights from people like photographers, journalists, et al., it’s hard for me to understand why the “enemy of my enemy is my friend” principle doesn’t apply…

For Blindside, I suppose the relevance is that if you make a sufficient number of sufficiently anti-public access laws for long enough, eventually you will spark enough opposition to create something like ORG, which really seems to me to have grown on Internet time.

wg

Law-Enforcement Networking Needs

Posted by Tom Fuller in Blindside project, Faster/smaller/better..., security services at November 18th, 2007

From Popular Mechanics:

(Let’s count how many network connections we find in the police car of the future).

1. “The E7 would go from 0 to 60 mph in six seconds, with a top speed of 155 mph, and a slew of humble-sounding improvements, like seats that can accommodate radios and other bulky equipment. According to Li, the E7 would start in the “high-20’s,” climbing up to as much as $70,000 with options like license-plate-reading cameras and even WMD sensors.” (Is that two?)

2. “Researchers at the University of New Hampshire have developed a system that lets officers use voice commands to run a license plate, turn on the lights and siren, and even clock a speeding car.”

3. “If the (suspect) car suddenly takes off, the officer can say, “Pursuit,” activating the lights and siren, as well as his own vehicle’s GPS tracking system.”

4. “It gets even more futuristic: A handful of officers are testing Project54 with PDAs, checking a driver’s license on the handheld’s screen and running voice commands through the PDA’s mic. The system has also been installed on six motorcycles, using helmet mics, as well as handlebar-mounted, WiFi-enabled touchscreens, which can be detached and used up to 300 ft. from a bike-mounted Panasonic Toughbook. No specialized gear, no experimental hardware—just a smart application.”

Too futuristic for your tastes? Short-Term Impact: Project54 is currently installed on about 1000 vehicles, most of which are in New Hampshire. But Lenharth insists demand is increasing rapidly. “We aren’t selling anything,” he says. “This is basically an open-source system.” The Texas state police, for example, are looking into outfitting some 2000 vehicles with the voice-command technology. The Coast Guard is currently testing an installation on a boat, using a waterproof tablet, and a Project54-enabled ATV is being tested by the National Guard.

5. We call it ANPR, but in the states it’s ALPR: “The most common configuration is a three-camera system. All of the cameras have a fixed position and focal length, with two facing forward—one scanning the lane to the right of the car, the other scanning the lane to the left—and a side-mounted camera intended for parking lots. Each camera sends a constant stream of infrared and full-color images back to a processor in the trunk, which searches them against current warrant lists, Amber alerts and other records that are updated daily.” PIPS hasn’t provided exact numbers, but despite its relatively high price tag—a three-camera system costs around $25,000—ALPR systems are already in use across the United States, including agencies in California, Arizona, Texas and New Jersey.

6. StarChase GPS Launcher: This system is behind schedule—when we (Popular Mechanics, not Blindside) last covered it, the plan was for a deployment by the end of this year—but Virginia-based StarChase now claims that the Los Angeles Sheriff’s Department is closing in on the final stage of its testing, which could put a deployed GPS launcher on the road early next year.
The purpose of StarChase is to stop high-speed pursuits, by letting officers launch a sticky GPS tracker onto a fleeing vehicle. Everything is riding on the LA test. If StarChase is considered effective in one of the most chase-heavy regions in the country, other agencies are likely to start their own field-tests.

How many network connections did you count?

Pervasive Computing Gets a Look-See in Buckinghamshire and Milton Keynes

Via Kable: “Buckinghamshire and Milton Keynes Fire and Rescue Service is planning to use handheld technology for fire risk inspections. It intends to replace its paper based scheme with electronic forms on handheld devices, which make it possible to transmit the reports immediately to headquarters servers.”

Progress marches on. However, “Information captured is stored on the device until completed and automatically updated to a Fire Safety Management application provided by Consilium, which manages Fire Safety Inspections and produces statutory reports.”

A couple of things I hope they’ve thought of: What happens to the data in the device after the Consilium Fire Safety Management application is automatically updated? Does it stay on the device? Is it transmitted securely? And, of course, what happens if a device is left in a pub?

I don’t (at first glance) see that this information needs MI5 level of security, but the providers of this information do have rights under the Data Protection Act, and as property is money these days, I should hope there is some provision regarding this.

Good News, Bad News

Posted by Tom Fuller in AnonymitY, Blindside project, Humanity nature and activity, fraud at November 16th, 2007

Government should control the use of its resources. But there has been an implicit social contract over the past 15 years–as work has intruded more and more into the lives of workers, management has conceded that some non-work activities done on the clock are permissible. It’s beginning to look as if that social contract should be made explicit…

ISLIP, N.Y. - “GPS tracking devices installed on government-issue vehicles are helping communities around the country reduce waste and abuse, in part by catching employees shopping, working out at the gym or otherwise loafing while on the clock.

The use of GPS has led to firings, stoking complaints from employees and unions that the devices are intrusive, Big Brother technology. But city officials say that monitoring employees’ movements has deterred abuses, saving the taxpayers money in gasoline and lost productivity.

“We can’t have public resources being used on private activities. That’s Management 101,” Phil Nolan, supervisor of the Long Island town of Islip.

Islip saved nearly 14,000 gallons of gas over a three-month period from the previous year after GPS devices were installed. Nolan said that shows that employees know they are being watched and are no longer using Islip’s 614 official vehicles for personal business.”

If a worker is multi-tasking and some of those tasks are work-related and some are not, should the worker be compensated? At one extreme, people are not fussed if a security guard catches up on his reading on the night shift. At the other end of the spectrum, do you really want your shrink to respond to your latest tale of woe by asking for a seven-letter synonym for dance starting with ‘F’? If work is only work, people will work to rule. If you want more from workers, flexibility will be key.

There is a variety of information assurance issues here. Resource allocation for monitoring employees, identity management (you’d better have the right employee identified before approaching him/her about their practices), records management, turning off monitoring when the employee is off duty, etc.

I just hope people stop and think about the implications for just a moment before using the latest technology marvels.

News Summary

Posted by Tom Fuller in Blindside project, Humanity nature and activity, databases at November 15th, 2007

Here’s what I’ve hijacked from Kable’s website–click here if you want to see GC News in all its glory.

* I was going to applaud this until I realised that I don’t know what my rights are under the Data Protection Act–so instead I’ll just sit here feeling jealous of those who are better informed: “Individuals’ awareness of their rights under the Data Protection Act has reached an all time high, according to new research published from the Information Commissioner’s Office (ICO). It said that 90% of individuals know that they have a right to see information that an organisation holds about them compared to 74% three years ago. The nationwide survey, released on 14 November 2007, reveals that 87% of individuals know they have the right to correct inaccurate personal information held about them – a 10% increase from three years ago.”

* “The Home Office has announced that a new UK Border Agency will unite immigration, customs and visa checks, backed by a £1.2bn passenger screening programme. The screening system programme includes a £650m contract, signed on 14 November 2007, with consortia Trusted Borders for a passenger screening IT system, which will work alongside the rollout of fingerprint visas. Raytheon Systems, the prime contractor for Trusted Borders, will work with Accenture, Detica, Serco, QinetiQ, Steria, Capgemini, and Daon. The electronic security system will screen all passengers before they travel to the UK against immigration, customs and police watch lists. International air, rail and sea ports will be covered, with all high risk routes into the UK covered by mid-2009. According to the Home Office, trials of the new system led to more than 1,000 criminals being caught and more than 15,000 “people of concern” being checked out by immigration, customs or the police.”

* “A government led ID management standards policy group will meet for the first time next week. The group, which includes a number of public sector organisations such as the Home Office, CESG – the information assurance arm of GCHQ – and the Central Sponsor for Information Assurance, will meet on 22 November to discuss how to coordinate ID management standards policy and understanding across the public, private and voluntary sectors. A major role of the group will be to establish a baseline for key ID management business standards and act as a change control authority to oversee how organisations implement standards and where they should be aiming.” *Sigh.* Maybe my invite was lost in the post.

* Well, I actually agree with the substance of this (Can I do that?): “The Department of Health has accepted the health committee’s recommendations on electronic health records. In an official response to the Commons health committee’s report on electronic health records in the National Programme for IT (NPfIT), the Department of Health said that in most cases it agreed with the recommendations and was already taking action on several. Among these was that it should set clear timetables for the delivery of patient administration, e-prescribing and shared local record systems. Delays in this area have been one of the major sources of discontent with the progress of NPfIT. Among the other recommendations accepted by the department are that:

it should let patients know as clearly and quickly as possible that explicit consent is required for organisations to share their detailed care records (DCRs);
the summary care record (SCR) should have a standardised front screen;
only patients should have the right to break the “sealed envelope” of confidential records;
there should be an independent evaluation of the planned security system for national applications; and
there should be custodial sentences for unlawful access to patients’ personal information.

In contrast, it has turned down the MPs’ recommendation that the Secondary Use Service, which makes anonymised data available for research, should not have access to data from “sealed envelopes”. “Patient consent to the use of anonymous or effectively pseudonymised data is not required by law, and the use of such data for secondary uses, such as research, is both accepted and actively promoted by the relevant professional and regulatory bodies,” the department said in its response document. It also turned down recommendations that access to the SCR should be through the new health insurance card, and that implementation of shared records should be devolved to primary care trusts.”

* Maybe next time it will work: “The government has dismissed the Electoral Commission’s call to pull back from e-voting. The government has rejected the Commission’s view that no further e-voting pilots should take place until the government has a comprehensive electoral modernisation framework covering the role of e-voting. It has turned down a number of proposals made by the Commission following the pilots that took place during May 2007.”

* I guess I’m not the only skeptic on e-voting: “Digital rights advocacy group ORG issued a statement on 13 November 2007 stating its “deep concern” at the government’s response to an Electoral Commission report on the May 2007 e-voting and e-counting pilots. ORG observers were accredited by the Electoral Commission to monitor the pilots - and observed serious failings in the process. The group said the government has ignored the fundamental failings observed in trials so far. This includes analysis by computer security experts that the technology is not yet sufficiently robust, and that remote voting systems threaten the privacy, allowing third parties to coerce and influence voters.”

* Someone’s stretching the truth here: “The government’s information watchdog has ruled that a visa application website breached the Data Protection Act. An investigation by the Information Commissioner’s Office (ICO) has found that the Foreign and Commonwealth Office (FCO) breached the Data Protection Act with its online visa application website.” Well, yeah, but when you tell us that “The security breach became apparent in May on a website operated in India by FCO contractor VFS. It meant that personal information about people applying for visas to enter the UK was visible to other people visiting the website. The FCO said that it immediately closed down its VFS operated online application websites in India, Nigeria and Russia. The recommendations of a subsequent report into the failures were accepted by the government…” Aren’t you stretching the definition of immediately? As we noted in August, didn’t the person who reported this to you continue to report this to you for a year? Didn’t they have to email you screenshots of other people’s information before you pulled down the website?

* Finally, for those social networking fans among you: “British servicemen and women are being warned off social networking sites like Facebook and MySpace. According to The Register, advice circulated in mid-October warned service staff not to post “your service connections on chatroom and dating sites”. Military bosses are worried that terrorists will use social networking sites to identify and target military personnel. The warning continued: “Be particularly careful if you are on Facebook, MySpace or Friends Reunited.” The document warned that organisations like al-Qaeda will continue to target “soft targets”. The Sunday Telegraph found nearly 900 Royal Marines on Facebook, and 72 members of the Royal Anglian Regiment.” Yeah, but what happens if you Poke a service member?

Cameras, privacy, finance, writers, file-sharing

Posted by wendyg in Uncategorized at November 14th, 2007

Couple of things I’ve been meaning to post.

- A paper (launched last July), Privacy in Camera Networks: a Technical Perspective (PDF), which proposes technical means by which camera networks could be built that preserve privacy. The paper also talks about the Constitution Project’s model legislation in this area. In last week’s net.wars (http://www.newswireless.net/index.cfm/article/3653), I mourn the fact that the kinds of debate the CP thinks should take place about camera networks - stating their purpose, reviewing their effectiveness, accepting citizen input regarding their impact, etc. - do not take place, and also surmise that neither this type of debate nor the technical measures will ever happen because a) it’s harder to implement the technical measures than not to do so; b) governments have no incentive to do these things because c) the public in general has proved too willing to accept the cameras as is.

- I note that the subprime mortgage lending mess continues to spread. Inadequate risk management in the interests of making profits seems an even more likely threat to information assurance than many of the things we have already discussed here. (Merrill Lynch, Bear Stearns, this means YOU.)

- In an interview this week, the managing director of the private banking branch of one of Europe’s oldest banks noted several very interesting statistics. Most British (and European) entrepreneurs 50-65 years old (the majority of their businesses, SMEs, are

What Do You Do With An Old Computer…

Posted by Tom Fuller in Blindside project, Data breaches at November 14th, 2007

From the Beeb: A hard drive containing sensitive information on one of Europe’s largest financial services groups has been purchased on an internet auction site for just a fiver.

Well, this is what happens when you follow links to related stories… Thanks to Chris for pointing out that this story was old enough to print on Gutenberg’s machine…

Chris R Says:
November 14th, 2007 at 1:11 pm
Um, isn’t that story from June 2004?

Chris R Says:
November 14th, 2007 at 3:08 pm
… one of the clues is the fact that the National Hi Tech Crime Unit no longer exists. http://www.nhtcu.org/

Thought Experiment

Posted by Tom Fuller in Blindside project at November 14th, 2007

I’m wondering if it would be useful to look through the other end of the telescope for a bit. What would be the result if we looked at UK government first, their information assurance issues, and then looked at technology? Right now, we’re looking at new technology, then information assurance implications, and then extrapolating effects on UK government. What would change?

The Department of Work and Pensions has a large number of employees, distributed offices, a vast field force, and manages a variety of sensitive interactions with broad swathes of the public. They have had publicised cases of data mishandling, and a recent IT transformation agenda that was broad-ranging and cost quite a bit of money.

Ultra-portable computing with mobile connectivity should spur productivity of their large field force. However, if these ultra-portable devices have large amounts of data on them, security arrangements of devices and information storage will have to be addressed. If these devices will communicate with central data warehouses, the communications will need a good level of security.

The physical security of these devices will need to be an order of magnitude better than what has transpired with laptops and Blackberries–leaving them on car rooftops and in trains just needs to stop happening.

Pensioners will require multiple channels of delivery, with silver surfers given web access to services while those who are content to let the Internet pass them by must be addressed either by cloaked devices, mobile or traditional delivery channels. People who are turning 65 now were in the workforce when modern telecommunications arrived. Those who are 80 were not. It is not sound to think that the needs of both can be addressed by the same systems just because both groups are receiving government benefits.

Is this approach helpful? Comments would be most welcome.

Bullet Points v7

Posted by Tom Fuller in Blindside project, Humanity nature and activity, Malware at November 13th, 2007

* A five-inch portable computer with fold-out keyboard…

* Best line of the day: “MySpace has gotten a bad rep as a bubbling scum of malware,” he added. “It’s where people go to incubate their malware.”

* But hey, folks–it’s not just MySpace: “But who are you trusting? A series of recent attacks has resulted in seemingly respectable news sites serving malware and redirecting users to sites that serve malware. The problem is in the ads on those news sites. The ads are served by advertising networks that weren’t careful enough with their own security. When you trust a Web site you have to trust everyone it’s in bed with.”

* Get these on street corners and in buildings as soon as they are available: “FRANKFURT (Reuters) - Microsoft and the DAISY digital talking books consortium are to work together on a tool for the blind and otherwise print-disabled that translates Microsoft Word documents into a digital audio standard. The two organizations said on Tuesday the collaboration was aimed at producing a free, downloadable plug-in that would translate documents based on Open XML — the default file-saving format in Microsoft Office 2007 — into DAISY XML.”