This article, by Wired’s Ryan Singel details the FBI’s wiretapping capabilities with DCSNet, a communications surveillance network built under CALEA that sounds like it might have been advertised with the slogan, “Be the envy of other major governments”. The salient points:

- The FBI has extremely wideranging wiretapping facilities that let it log into a provider’s network; the provider turns on the tap once it receives a court order

- It’s having trouble with Skype, because there’s no central point to tap

- These digital wiretaps are more expensive than the traditional physical kind (by nearly a factor of ten) and processing the data is also considerably more expensive (all of which we taxpayers get to pay for)

- There are significant security holes inside DCSNet itself, many of which were spotted in its predecessor system, Carnivore.

wg

…in this article found on Kable–can you spot it? Reduced queueing for school lunches.

I’m sure there are some common sense reasons for fingerprinting and retina scanning little children. Indeed, the article does eventually mention one–preventing unauthorised access to school premises (don’t fingerprint the criminal, get the innocent and then exclude… a little scary). But really, biometric collection and storage and identity management system and end of lifecycle data protection considerations… for shorter lunch queues?

We’ve been thinking a bit about the future, but I’d like to know how UK information and information security infrastructure would cope if some of the new toys and behaviours migrated here overnight from places where they are currently used in an almost everyday manner.

What would happen here if South Korean style use of broadband showed up overnight? Specifically, increasing use of massive online multi-player games and MyNews? My thinking about MMRPG is that anti-social and asocial behaviour hides well behind an avatar, and for the other, I don’t know what would happen if the populace in the UK decided to become mass amateur journalists with their mobile phone cameras, but the activist portion would probably be considered intrusive by the military and animal researchers, not to mention journalists who actually get paid…

What would happen here if Japanese usage of mobile telephony was instantly adopted here? They have more services available and the Japanese are much more willing to use them, and some of these services have identity management issues attached. For that matter, if Japanese use of domestic robots came here in a magic flash, it would also have implications–would they be licensed as child minders? Could they work in hospitals?

Closer to home, the Scandinavian countries, and Belgium as well, can do all their banking with a mobile. What would happen here if this poppped up all of a sudden?

If German and American use of RFID was instantly adopted, would we cope? Would it integrate well with our camera-based tracking and satellite surveillance? Would the combination of the three tip us over into Orwellian nightmare land?

And if UK activists for issues such as animal rights and the environment adopted the use of social media in the same way that anti-abortionists do in America, or Al Qaeda for that matter, would we be able to adapt?

Can you think of other examples of cutting edge use of technology that would cause issues here in the UK?

Hi all. The third of our three featured areas in our upcoming report to the CSIA regarding nanotechnology. Here are excerpts, and the entire section is here on the wiki.

Are you comfortable with what we are telling government? Yesterday’s presentation on Convergence got exactly 1 comment. Is it that non-controversial? Here we are telling government ‘don’t worry about grey goo or evil artificial intelligence.’ Is that okay with you?

Nanotechnology

The subject is discussed in more detail here: http://www.blindside.org.uk/wiki/Nano-
The Royal Society uses this definition of nanotechnology: “Nanotechnologies are the design, characterization, production and application of structures, devices and systems by controlling shape and size at nanometer scale.”

Longer term, (and it must be emphasized this list is at the conservative end of possible applications), the Institute forecasts use of nanotechnology in the following ways:
• Miniaturised data storage systems with capacities comparable to whole libraries’ stocks
• PCs with the power of today’s computer centres
• Chips that contain movies with more than 1,000 hours of playing time
• Replacements for human tissues and organs
• Cheap hydrogen storage possibilities for a regenerative energy economy
• Lightweight plastic windows with hard transparent protective layers

Detailing possible applications moves very quickly into a realm that seems like science fiction. But other nanotechnology enthusiasts foresee the enabling of quantum computing, artificial intelligence and a complete re-ordering of economies and political systems. Currently in the U.S. there are 450 consumer products using nanotechnology approved by the EPA and 600 nano-based materials licensed for use in manufacturing products. The number of products and services used in industry is not known, but believed to exceed 1,000. Lux Research, a consultancy specializing in nanotechnology, estimates that, worldwide, nanotechnology was incorporated in $30 billion (USD) of manufactured goods in 2005, which more than doubled the amount in the previous year. It estimates that by 2014 the figure will be $2.6 trillion, a more-than-85-fold increase (Lux Research 2006, p. iii).
There are respected scientists, technologists and philosophers that fear nanotechnology, including Bill Joy, a former senior executive at Sun MicroSystems, who wrote the article ‘Why the Future Doesn’t Need Us’ for Wired magazine two years ago.

Key Findings

• The impact on information assurance issues may be dramatic, involving a redefinition of information, cryptography, memory (both human and computer) and system. If a young person wearing a tongue stud can carry in it the contents of the British Library, what physical security measures can prevent data theft? If nanotechnology enables neural networking and computer enhancement of human memory, what are the implications for identity management, or indeed for identity itself?
• Nanotechnology receives a lot of attention in the media, with a search on Google returning 1,846 newspaper articles and magazine stories for one day in June 2007. Because of the potential impact and because of its treatment in books and films, take-up of nanotechnology has the potential to be as controversial as genetically modified organisms, if not more so.
• Nanotechnology is essentially a cross-disciplinary enabler that will impact healthcare, manufacturing, information systems, transportation, computer science and micro-electro- mechanical devices (MEMS) and probably much more. Advances in the use of nanotechnology in one field will often be of immediate relevance to its use in other fields. Progress in nanotechnology is rapid, and is expected to increase. Patent filings have increased 40% annually for over a decade.
• Nanotechnology has the potential to be disruptive as well as beneficial. In addition to substituting current manufacturing and agricultural processes that employ large numbers of people, some speculative thinkers envisage what they call the Singularity, where nanotechnology enables artificial intelligence that can be tasked with self-improvement, which would happen extremely quickly. This will not happen soon, if at all. Should it actually occur, it would have a very high impact on society, and would probably render information assurance useless or redundant. Blindside covers this in a special topic called Rampancy: AI Gone Wrong, found at http://www.blindside.org.uk/wiki/Rampancy:_AI_gone_wrong.

Citizen Centric

Some of the questions citizens will be asking are already being posed by advocacy groups in the UK :
• Is nanotechnology safe?
• Will ‘grey goo’ (self-replicating nano-robots, or ‘nanobots’) destroy the world?
• Will the benefits of nanotechnology be available to all?
• Why isn’t government regulating this more?
• Why is government regulating this at all?

Implications for UK Government

Because nanotechnology is most frequently seen in healthcare and materials coating, the current interest in nanotechnology revolves around toxicity and tolerance.
The Royal Society of Chemistry wrote in 2003 that “The potential health, safety and environmental impacts of nanotechnology are comparable to the impact of the existing chemical, electronics and biotechnology industries and the potential hazards should be judged in the same way. Our understanding is that current legislation should be sufficient to control the risks from nanoparticles, however research into their potential toxicity should be funded, as it may differ from that of larger particles with respect to respiratory and genetic damage. Until we develop ‘self replicating machines’- artificial life, there are no issues of substance not covered by existing regulatory practices. The ethical and social issues raised are also not unique to nanotechnology and are comparable to issues raised by many existing technologies, such as the differential access to costly technology in the developed and developing worlds and issues of privacy and security. “ (Nanotechnology – The issues, The Royal Society of Chemistry, July 2003). We concur with the RSC recommendation and see nothing that has happened since 2003 that requires rethinking of current legislation.
However, it may serve government well to begin planning for the disruptive economic effects of nanotechnology used in manufacturing, agriculture and healthcare. Indeed, there may be political and social ramifications resulting from nanotechnology.
Lastly, regarding the possibility of the creation of self-replicating artificial intelligence, even the most enthusiastic proponents of ‘The Singularity,’ as it is known, do not see it happening before 2045. Government bodies can afford to take a ‘wait and see’ approach for now.

Here’s our preliminary assessment of the main categories of emerging technology issues, along with an impact rating. Each is discussed in more preliminary detail on the Blindside Wiki. We will be reporting to the Cabinet Office in mid-July on those that assessed as having an impact level of 3, and need full expert descriptions by that date.

This is your chance to tell us we’re on the wrong track: to add stuff; to argue that somethings missing, over-rated or under-rated. Don’t miss it!

Category Impact (from 3/high to 1/low)
————————
CCTV 3
Convergence 3
Location-based services 3
Mobile and Pervasive Computing 3
Open Standards 3
Anonymity 3
Data breaches 3
E-Voting 3
Human rights (intersection with emerging technology) 3
Identity management 3
NHS IT 3
Non-bank payment service providers 3
People and IT 3
Mission Critical Legacy Systems 3
Rampancy: AI gone wrong 3
Surveillance society effects 3
Semantic Web 3
Self-reproducing technologies: the “GRINs” 3
- *Geno- 3
- *Robo- 3
- *Info- 3
- *Nano- 3
Social media 3
APIs 2
Bandwidth - massive wireless and cable bandwith to the home 2
Shared Service Management 2
Ultraportable devices 2
Automated number-plate recognition (ANPR) 2
Bad sysadmin procedures 2
Bad procedures - other 2
Changes to daylight saving time in the US 2
Public sector databases on children 2
Keyloggers 2
Phishing 2
Phones as bugs 2
Technologies for Non-Repudiation 2
Underground economy servers 2
Unencrypted email 2
Biometrics - unencrypted 2
Windows Vista and other operating systems 2
Government IT projects 2
DNA terrorism 2
On demand computing (ODC) 2
Grid Computing 2
Quantum Computing 2
plus in the lower impact categories (please use the search box if you want to add to these):
Aeronautical cabin services 1
OpenDocument 1
Service-oriented architecture 1
APIs that change without warning 1
Cybercrime 1
Electronic banking 1
Fraud Websites 1
Search Engine Logs 1
Spam 1
Computing Monoculture 1
DRM and its side-effects 1
Environmental side-effects 1
Exploding Batteries 1
Optical Computing 1
User-generated content 1
Virtualisation 1
Generation C - the knowledge nomads 0

Thank you for any help, comments, suggestions.

The chaotic present and hopeful future of information systems exists in a microcosm about 30 minutes by tube from my flat, and I daily watch a stately procession of airliners descending to Heathrow Airport, a beautiful, if not quite silent, parade. It is at Heathrow airport that the current need for better performance on every topic covered in this blog is demonstrated. It is a non-sterile testing environment and the ultimate pilot project to test the ability of information systems and information assurance to integrate modern technology to meet the needs of a mass public. You may have noticed that I ticked every category we use in assigning this blog post its proper place in our own information hierarchy. It’s not a coincidence.

Let’s walk through the daily issues faced at Heathrow from an information standpoint:

1. About half of all tickets to fly are booked via the Internet, and that information must be completely available to several very different systems immediately and be perfectly accurate.
2. Parking systems must provide availability, administrative and financial information.
3. Public transportation systems must send and receive useful information about current operations and schedule changes, and receive and use similar information from several different airport systems.
4. The logistics of welcoming, feeding, watering and moving 67.7 million people per year (and taking care of 70,000 employees) are an interesting challenge, as is maintaining 48,000 square metres of retail space. Private security, first aid, tourist information, all of these have information issues attached.
5. Oh yes–core business–mustn’t forget–90 airlines, 186 destinations, 469,000 ‘air transport movements’ (er, would that translate to flights in English?) annually. Information requirements include weather at each destination, status of all airports and traffic, passenger information (but more on that below…)
6. On-time status of flights relating to connecting flights.
7. Correlating information from HMRC (well, more the C part than the R) with the Home Office (now with both parts of the newly divorced members of what was once one) and probably discreet communications with agencies using numbers as well as initials.
8. Communicating with the Civil Aviation Authority, National Air Transport System, HM Immigration–of course I’m sure they all use the same electronic forms that grab data smoothly from Heathrow systems… right?
9. Communicating with the media–and having the capability of communicating with international media
10. Having co-ordinated disaster preparedness programmes that are up to date as well as up to snuff.

Probably missed half a dozen supremely vital information systems there… but it’s Sunday morning, so it’s okay. (Did somebody say baggage?)

Lots of things to go wrong there. Amazingly, not much does. (Did somebody say baggage–again?) That’s why when things do go wrong it’s news.

Notice they don’t have an uber-contractor trying to integrate all systems and dictate technology standards and usage. Strange, that. And I’ll bet they often use trainer-net(where some employee puts on trainers and walks information to diverse destinations). But that’s how functional communities develop–and despite grumbling and glitches, Heathrow functions as an information community: People get to destinations, planes don’t fall out of the sky. Successful information communities do seem to develop from the ground up, not the top down.

I guess the point I’m trying to make is that information systems and information assurance issues develop in an ecosystem not a vacuum. Complexity in information management is probably a geometric rather than arithmetic function relating to the number of actors involved. And yet don’t we often see government requirements for information systems that are internally oriented and indeed self-referential? The box must be this big with holes here and here, and those holes must be guarded in this way. I think more than anything else, government’s inability to get value for money from IT investment is based on this issue.

Please feel free to contribute complaints about Heathrow in the comments–I’ve suffered there myself. My praise is directed at a higher level, at finding a community that functions. Your nominations?

The notion of identity is still fundamentally misunderstood, even as emerging technologies change beyond recognition how we manage it, we heard yesterday at the LSE. Yet still there has not yet been any sort of full and proper interdisciplinary or public debate.

Bruce Schneier told the seventh Social Study of ICT workshop we live in a unique interim period where identity checks are increasingly everywhere but for now we still know they’re going on. We still use cash and the cameras are still big enough to see. “Everything creates a transaction record - calls, web browsing, buying, not buying, automated toll collection..These records may have value; there’s a reason they’re kept.”

But identity checks can’t deliver security, he said. “The notion that identification is necessary for security turns out not to be true.” To check someone’s ID is not to check whether they’re a bad guy. Osama bin Laden does not have anID card marked “evildoer”.

A critic had put it to Mr Schneier if he were sitting next to someone acting suspiciously on a plane he’s surely want to know that person’s identity. Not in the least, retorted Mr Schneier: I just need someone to stop him. “Identity does not map to intentionality.” Walls, locks and safes create safety in the real world without checking identity, and the same principles are true in the online world.

Wholesale surveillance is now possible, he said. We don’t just say “follow that car!”. We follow every car, in real time and back through history. Governments like it. It seems to make the police’s job easier. Corporations want to sell services like location-based advertising.

But people don’t make good security tradeoffs. For a small reward they’ll give away a lot of information.

When they’re finally told what’s going on, such s in the UK ID card situation, they say ‘Hey, stop. We didn’t want that’, Mr Schneier said. “But it’s rare they’re told what’s going on.” It’s not a dichotomy of privacy or security, he said. It’s liberty or control.

To think technology will protect us from this is futile, he said. We need laws which anticipate the effects of the emerging technologies. “Learn to look for the cameras now,” he said. “You’ve only got a few years.”

With all the promise data mining holds for counterterrorism Congress is having a good look it, posts Jeff Jonas
.

This session again proved that what data mining means depends on whom you ask. And, as such, this poses a real problem for those trying to have a rational conversation on the subject. And I worry that if lawmakers get this wrong … poor laws will follow.

Like ID management, if we don’t start with clear definitions then we won’t understand what we’re talking about. Because we need to work out
- what is feasible
- what should we realistically expect
- what are the social consequences

Jonas lists several defiinitions from other data-mining submissions, and makes the point we need to settle on one if were going to regulate it.