Home Office documents laying out what is probably late-2007 thinking on ID cards have been leaking to the press. Here (PDF) you will find a complete version of a document analyzing options, with extensive No2ID annotation. Interesting reading for those here, and not just because it’s worth understanding how the government is thinking about ID cards these days. The kind of thinking embodied in this document is, I think, a significant reason why citizens do not trust government.

wg

Via Silicon.com, we saw yesterday that the Council for Science and Technology is recommending six technology areas for government funding. One of those areas is distribution networks for low carbon electricity generation “to provide locally generated electricity using renewable and low carbon technology.”

This will bring with it information issues, but I’m not 100% convinced that these IA issues need to be solved by government. I think it will be more of a regulatory issue. I think the bottleneck issue for this will essentially be metering. Assuming that utilities can build temporary storage for electricity generated during non-peak times, government may, as has been done in Germany, mandate purchase of locally generated power at attractive rates, and cause that part of the general public that can respond to start doing so–perhaps in a wholesale manner. (I assume they’ll specify origin of power to insure the whole concept remains green–but how will they monitor and enforce this?)

But this type of forced transaction may not sit well with power companies, many of which are already, well, a bit sluggish (if not thuggish) in their treatment of residential customers. Who will measure the power that John is selling from his farm to British Gas? John or British Gas? How will it be measured? Who will arbitrate? The transaction may require two meters, one for John and one for the utility. Does the utility get compensated for line loss (typically 10%, but could be more for small transmission volumes)?

I think the regulatory scheme will have to be robust. The information assurance issue is trust in the quality of information transmitted and stored about a financial transaction, where there is a marked imbalance between the parties to the transaction.

Will British Gas and its competitors be compensated for having to build power storage facilities (not very efficient, but it’s part of the territory)?

This scheme will require significant investment. How will it be treated for tax purposes? Will John with a windmill have to register as a business?

Were I government, I would be testing to see how many would take this up. It has the potential to rival (in cost, complexity and amount of regulatory oversight) the set-up of a network of alternative fuel stations nationwide–which might provide greater environmental benefits at the end of the day.

Lots of number crunching to do for this one.

It’s so easy to get caught up in the protection of data (or lack thereof) that it is easy to forget about the other primary goal of information assurance–getting correct information to the right place in good shape, accurately and on time, to preserve the confidence of the public in government’s ability to manage its own affairs.

“THOUSANDS of servicemen and women, including many fighting on the front line, are being underpaid because of failures in a new computerised pay system.”

…”The computer system, known as Joint Personnel Administration (JPA), was introduced in March last year in the Royal Navy and saw a flood of complaints from sailors not being paid their full pay. The RAF was taken on to the system in October last year, followed by the Army in April this year. The £250m system was implemented by EDS, which was widely criticised for its computerisation of the Child Support Agency.

One of the key problems with the system is that it requires senior officers to log in to authorise payments, which means that if they are away on operations, the whole procedure grinds to a halt. “The system is based on the design for a civilian pay system and takes no account of the complexities of the armed forces pay system,” one officer said.”

It’s a good thing that the British are so patient–these people are armed. It’s a very bad thing that we can’t get JPA right–ADP would have taken this on as an outsourcing project for a lot less than £250 million.

This was covered in the London papers, but Popular Mechanics has better pictures and more links–I’m writing of course about Qinetic’s firefighting robots. “When you have money to burn, robots are the best kind of first responders: the disposable kind. Bomb-squad bots are already a common tool for local law enforcement agencies and the military, but remote-controlled firefighters are just now making it into the field. A team of robots built by London-based Qinetiq has recently started responding to a very specific threat: fires involving Acetylene gas.”

“The Roomba’s inventors over at iRobot have also explored this territory, claiming that its upcoming Warrior X700, which is due next year, could be used to fight fires.”

On the military side, “When robot-maker Foster-Miller strapped machine guns onto a trio of bomb-disposal bots and sent them to Iraq and Afghanistan in 2007, the company created the first armed robots to be deployed in a war zone. Still, no robot has ever actually fired a shot in combat. “Weaponized robots represent a new technology that is only in the developmental stages,” says Duane Gotvald, a deputy at the Pentagon’s Robotic Systems Joint Project Office.” Er, I have heard that shots have been fired in anger by robots… maybe not theirs…

From the information assurance point of view, the key quote is this: “One thing that won’t change is who decides to pull the trigger. MAARS doesn’t have a mind of its own: A soldier commands the bot through a video-and-map-enabled remote control.”

This generation of robots could be categorized as ‘longer nozzles’ for firefighting equipment or ‘longer barrels’ for the military. They should pose little or no IA issues. It’s when we start programming them that we need to concern ourselves with information security and assurance–but wouldn’t it be better if we were planning for that now?

The Economist’s Quarterly Technology Review is out today, and there are lots of Blindsidey nuggets to chew over.

They note progress being made in using virtual worlds for training and simulations, have a nice article on how DNA samples can be pickled (well use a briney process) for longer storage, and have two articles that I personally hope will be related in the near future: one about how corrective eye surgery is progressing and another about how head-mounted displays (HMDs) are creating a world of augmented reality.

Location-based services gets an article about Bluetooth enabling mobile dating, and another that makes me wonder if anybody is considering the information assurance issues about clustering volunteer computers to look for alien life and cures for cancer.

Surveillance in the stores gets an article–makes me hope this stays in the stores. But it won’t…

Larry Lessig of the EFF gets a nice write-up. Corrupt politicians (at least in the U.S.) should really start evaluating career alternatives.

But the piece I was waiting for, about Unmanned Aerial Vehicles (UAVs) is a real dud–unless you want the history. The present is much more interesting. Maybe they just ran out of space.

Now I have to wait three more months…

The Promise: “We will start with air cards and an in-building modem, then embedded devices will begin to appear in laptops and ultramobile PCs. But then imagine camcorders that display footage on monitors without wires or send files to social networking sites such as YouTube and MySpace; car navigation systems that get Internet access and rear-seat entertainment; Internet video; public safety surveillance. Think Internet tablets, gaming devices, DVD players. You get the idea.” Certainly Sony and Nintendo must be salivating at the possibility of extending online play to future DS and PSP gaming systems.”

The Potential: “That means a potential end to the minute model, and perhaps an end to the cellphone as we know it, since VoIP could be built into anything with a Web browser, speaker and microphone. Earlier this year, Apple gave us the phone that also was a music player, camera and on down the line. But WiMAX may give us the camera or other connected device that is also a phone. Heady stuff.”

Background: Broadband is still patchy in the U.S., and Sprint is trying to use a variant of WiMax (called Xohm) to remedy this. It’s already gotten one CEO fired for being focussed on WiMax instead of traditional subscribers, but they have 10,000 base stations ready to launch. If it works, it will impact a lot of mobile services, enable location-based services and increase the potential of mobile, pervasive and wearable devices.

The story is from the senior tech editor of Popular Mechanics. You can read it here.

This could be smoke–but if it fails, it will be because something better comes along that does the same thing.

Hey Guv,

Just so you know, from what I’ve read (somebody please help me with the source–one of you must know) if you upgrade to WinZip 9.0 or above it comes with PGP encryption. If you then choose a password with 10 or more characters, you’ll probably be okay in regards to common criminals or the curious who come across your disc or file. Zip your files, communicate the password over the phone, send the disc by a trustworthy courier (or electronically), and this will work in the interim until you sort out something for the longer term. Oh–and don’t send more data than you need to.

Update: Ian Brown Says:
December 6th, 2007 at 9:59 am e
No. WinZip 9.0 contains AES (the recent US govt-approved Advanced Encryption Standard) which is secure *if* a password of adequate strength is used. A 10-character password does not qualify and could be guessed trivially by password cracking software. Key management is much harder than just using an appropriate cipher.

Tom Fuller Says:
December 6th, 2007 at 10:35 am e
Hi Ian,

Thanks for this.

How many characters should the password contain, and what proportion should be non-alphabetic–do you happen to know? I think that a lot of mid-level government staff would be able to use this information.

In related news,

“The Information Commissioner, Richard Thomas, said that a number of public bodies and private companies had contacted him over the fortnight since the HMRC incident was revealed to confess that they too had lost data.”

“Hundreds of people in police witness protection programmes have been put at risk by the loss of millions of child benefit records, The Daily Telegraph can reveal.”

Expect to see a lot more of this: “Now imagine that a company that you knew had just lost the details of 25 million of its customers, including some who are at risk of violence because of something they’d done for you in the past, was setting up a scheme to bring all of your biometric details together – every valuable confidential piece of information that identifies you as you – and was going to charge you £100 to join.

Want to sign up? No, me neither.

The National Identity Register is just that, a Government database to be used as the final authority for confirming identity. It will be shared with other Government agencies and even though it’s specifically prevented from holding some information (tax and medical records, for example), we’ve never had an electronic register of every British person before.”

When it comes to data warehousing, it’s becoming painfully evident that bigger is not always better.

How easy would it be to find this information for UK and continental Europe?

“An estimated 8.3 million Americans over the age of 18 were victims of identity theft in 2005, according to an analysis of a phone survey released Tuesday by the FTC. That represented a decline of about 16 percent from an estimated 9.9 million victims in 2003, when the agency last conducted its survey.”

“Identity theft cost U.S. businesses $55.7 billion in 2006, according to Javelin Strategy & Research. The FTC estimates that in 2006 the cost to consumers was $1.2 billion.

But experts say complaints filed with the FTC offer only a glimpse of the actual damage. “Most people don’t even think about calling the government because they are not going to help them get their money back,” Litan said.

The FTC estimates that 1.8 million Americans discovered some type of fraud committed using their personal information, 3.2 million had their credit card accounts misused and 3.3 million experienced misuse of other financial accounts.

Javelin’s estimates back the FTC’s findings. It said 8.4 million people were victims of identity theft in 2007, down from 8.9 million in 2006 and 9.3 million in 2005.”

Information Assurance almost by definition starts from the top of an organisation and works down. (Well, at least by my definition, which involves a board-level commitment to risk management, smooth flow of information to appropriate resources, and protection of information from those not explicitly authorised to view it).

But can this work in the public sector? Obviously, it currently does not, but is it feasible? I guess what I would like feedback on is if there is an Information Assurance briefing for those who move into senior levels of public service, get elected, change organisations, etc. Is there a Book? (a movie…?) Is there an IA Seminar 101 for those who move into positions of responsibility?

Then moving down, is there appropriate training for mid-level management? Should cover most of the same issues, but in greater depth as they will have to execute the broad strategies developed up above, right? And then, of course, the front lines. What dedicated training do they receive in information security, good data hygiene, etc.?

If it’s all there and up and running, I’d like to know.

Afterthought: On a Toyota assembly line, any production worker can stop the line if s/he suspects something is going wrong. I would wager that similar devolved authority to front line workers in government would stop a lot of these problems, especially if accompanied by appropriate training beforehand.

“A security breach affecting an unknown number of Canadian citizens came to light last week in the Canadian province of Newfoundland and Labrador when a consultant for the Provincial Public Health Laboratory took a laptop containing patient health information home. The consultant was contacted by a person who identified himself as a representative of a computer security company and who claimed that he was able to access to data on the laptop through the consultant’s home Internet connection.”

…”The exposed information includes names, Medical Care Plan numbers, age, sex, physician and test results for infectious diseases, including HIV and hepatitis.”

In a related news story…. “Trust is fundamental to the effective management of security and privacy in the public realm. Surprised? “Results from a ground-breaking pan-European study show that when it comes to security and identity in electronic public services, trust is a critical issue for European eGovernment. Given recent negative press stories about the security risks associated with personal data on social networking sites such as Facebook, and recent events in the UK where the personal details of some 25 million citizens appear to have been lost, this paper comes as a timely reminder about the need to manage trust and security effectively.” …”The cc:eGov study has identified exceptional good practice in Europe, for example in Estonia where an integrated ID card provides access to public and private services. However, the Estonian Government is rigorous and thorough in its protection of citizens’ data, to the extent where sustained cyber attacks on their systems earlier this year did not result in a breach of security. The trust of citizens was therefore reinforced.”