Archive for the 'AnonymitY' Category


Also see the AnonymitY category on the Blindside Wiki

Somebody cc Those Working on NHS Databases

Posted by Tom Fuller in AnonymitY, Blindside project, Data breaches, e-ID, people and passwords at November 27th, 2007

“A security breach affecting an unknown number of Canadian citizens came to light last week in the Canadian province of Newfoundland and Labrador when a consultant for the Provincial Public Health Laboratory took a laptop containing patient health information home. The consultant was contacted by a person who identified himself as a representative of a computer security company and who claimed that he was able to access data on the laptop through the consultant’s home Internet connection.”

… “The exposed information includes names, Medical Care Plan numbers, age, sex, physician and test results for infectious diseases, including HIV and hepatitis.”

In a related news story… “Trust is fundamental to the effective management of security and privacy in the public realm.” Surprised? “Results from a ground-breaking pan-European study show that when it comes to security and identity in electronic public services, trust is a critical issue for European eGovernment. Given recent negative press stories about the security risks associated with personal data on social networking sites such as Facebook, and recent events in the UK where the personal details of some 25 million citizens appear to have been lost, this paper comes as a timely reminder about the need to manage trust and security effectively.” … “The cc:eGov study has identified exceptional good practice in Europe, for example in Estonia where an integrated ID card provides access to public and private services. However, the Estonian Government is rigorous and thorough in its protection of citizens’ data, to the extent where sustained cyber attacks on their systems earlier this year did not result in a breach of security. The trust of citizens was therefore reinforced.”

Sigh…

Here’s the story on the day after…

I have said this before on this blog. There are countries where a national identification card is completely non-controversial. There are possible benefits to society from a well run and properly managed system.

But in my heart of hearts I do not believe that this country’s government (and I do not distinguish between political party here) is capable of building and operating an ID management system at this point in time without disastrous consequences to information assurance.

Good News, Bad News

Posted by Tom Fuller in AnonymitY, Blindside project, Humanity nature and activity, fraud at November 16th, 2007

Government should control the use of its resources. But there has been an implicit social contract over the past 15 years–as work has intruded more and more into the lives of workers, management has conceded that some non-work activities done on the clock are permissible. It’s beginning to look as if that social contract should be made explicit…

ISLIP, N.Y. - “GPS tracking devices installed on government-issue vehicles are helping communities around the country reduce waste and abuse, in part by catching employees shopping, working out at the gym or otherwise loafing while on the clock.

The use of GPS has led to firings, stoking complaints from employees and unions that the devices are intrusive, Big Brother technology. But city officials say that monitoring employees’ movements has deterred abuses, saving the taxpayers money in gasoline and lost productivity.

“We can’t have public resources being used on private activities. That’s Management 101,” said Phil Nolan, supervisor of the Long Island town of Islip.

Islip saved nearly 14,000 gallons of gas over a three-month period from the previous year after GPS devices were installed. Nolan said that shows that employees know they are being watched and are no longer using Islip’s 614 official vehicles for personal business.”

If a worker is multi-tasking and some of those tasks are work-related and some are not, should the worker be compensated? At one extreme, people are not fussed if a security guard catches up on his reading on the night shift. At the other end of the spectrum, do you really want your shrink to respond to your latest tale of woe by asking for a seven-letter synonym for dance starting with ‘F’? If work is only work, people will work to rule. If you want more from workers, flexibility will be key.

There is a variety of information assurance issues here: resource allocation for monitoring employees, identity management (you’d better have the right employee identified before approaching him/her about their practices), records management, turning off monitoring when the employee is off duty, etc.

I just hope people stop and think about the implications for just a moment before using the latest technology marvels.

Reality Bites

Posted by Tom Fuller in AnonymitY, Blindside project, Humanity nature and activity, Malware, culture at November 12th, 2007

One weapon in the war for information assurance is enforcing legal penalties: “A hacker has pleaded guilty to infecting hundreds of thousands of computers with malware in order to steal money from Paypal accounts. He could spend 60 years in prison and face a US$1.75 million fine.” Of course, given that so much mischief originates in S. Korea and China (although contracted for by Western hooligans), those of us concerned with the safety of the Internet would have to consider financing a) legislation, b) enforcement and possibly c) incarceration costs for this method to actually work.

The term ‘trusted news source’ takes on another meaning: Visitors to IndiaTimes.com, a major English-language Indian news site, risk infecting their computers with a deluge of malware, according to Mary Landesman, senior security researcher at ScanSafe.
“It’s an entire cocktail of downloader Trojans and dropper Trojans,” Landesman said Friday, putting the number of malicious files involved at 434. This includes scripts, binaries, cookies, and images.

Perhaps from the Stasi memorial files: If everybody is spying, is there any privacy to violate? “Think your wife may be cheating on you? Wondering who your boss might be talking to? “Learn the truth. Spy today.”
So reads an ad for “Bluetooth Spy Pro-Edition,” one of nearly 200 mobile phone spyware products currently listed for sale on eBay.
The software, which costs as little as $3.99, can be used to view photographs, messages, and files on the phone, listen into phone conversations, and even make calls from the phone being spied upon.”

Information Security and Healthcare

Posted by Tom Fuller in AnonymitY, Blindside project, Data breaches, people and passwords at November 7th, 2007

Mobile computing and wireless communications firm Motion Computing is collaborating with US computer chip manufacturer Intel to create a new tablet PC specifically for the healthcare sector called the mobile clinical assistant. It is now on the market.

“The Motion C5, the first mobile clinical assistant (MCA) that integrates technology from Intel® Health, combines durable design elements with key data capture technologies to simplify workflows, increase productivity and improve overall quality of care. Designed based on input from thousands of clinicians, the C5 brings reliable, automated patient data management directly to the point of care. Get a handle on patient care with the C5. It’s highly portable. It’s lightweight. And, it’s ready to work for you. A convergence of technologies allows you to do everything you normally do during your shift such as perform clinical documentation, administer medication and take pictures using a single device. With Intel® Centrino® mobile technology and integrated high-speed wireless connectivity, the Motion C5 integrates key functions that clinicians require to be productive during the course of the day.”

Now back in October of last year, when this was being tested, an interview with the company’s senior executives produced these quotes (notice the priority):

The new mobile clinical assistant will run using Motion’s existing tablet PC products and is being designed to advance the effectiveness of nurses, physicians and other clinicians. Toal told EHI that there were many questions about the ergonomics of the project that were being addressed and the product itself will probably not be released until mid-2007.

“The key thing that we are learning from staff about our plans to launch a mobile clinical assistant is not to worry about the IT itself, but to ensure that we concentrate on the care-giving. The tablet needs to be a clinical aid, capable of improving the quality of care and the amount of time spent on delivering that care.

“We have also had to address issues where staff here thought the technology we were using wasn’t mature enough and we have had to implement new technology such as RFID [Radio Frequency Identification Devices] and wireless transmissions in order to keep the product as effective as possible.”

However, Toal feels confident that tablet PCs will become the new norm for mobile medicine in the near future despite fears about durability and safety.

“There will always be barriers, but we are working hard to overcome these. Battery life and security issues are topics which will inevitably be part and parcel of the debate surrounding mobile technology, but I do believe that clinicians will soon be able to carry mini-tablets on them to every patient they see and be capable of producing the best patient care possible.”

Let’s see. Wireless transmission of sensitive information–yeah, we’ll get to that right after we take care of those pesky ergonomic and battery life issues. And preventing hacking and malware to ensure that the information is accurate? Hmm. Let’s put that on the list of things to do after we make sure it doesn’t add to the weight of the tablet device.

Altimeters as Information Assurance Essentials

Posted by Tom Fuller in AnonymitY, Blindside project, Faster/smaller/better..., Humanity nature and activity at November 5th, 2007

When the Economist starts paying attention to a technology, it’s pretty much arrived. Their coverage of ‘flying robots,’ UAVs controlled by either joystick or programme, is more or less a good summary of the same literature we looked at and reported on in previous posts. Essentially, they’re coming soon, they will be an issue for the public, for UK government and for information assurance.

Their ability to hover and their growing numbers will make them a public concern. Control of traffic lanes and changes to privacy regulations will be a concern of UK government, somewhat counterbalanced by their ability to substitute for other, more expensive forms of surveillance.

The common sense approach would be to reserve the 300 metres closest to the Earth for government-only use, with exceptions for parks and racing grounds. Although the primary reason will be to protect public safety, extra benefits will be forestalling private surveillance cameras and enabling early detection of criminal/terrorist activity.

The enabling technology will need to be a clever combination of GPS, RFID and wireless broadcasting, and the UK government should move very fast in defining what needs to be included in a UAV before it can fly. UAVs above a certain weight limit perhaps should file flight plans, but nothing, repeat nothing, should go up in the air without the appropriate equipment that allows tracking.

The UK government should consider auto-destruct buttons that can be operated by the user or overridden and actuated by an ATC–one of these things has already fallen out of the sky over civilian territory. The alternative, the ability to invoke a ‘feather’ landing remotely, could be a significant expense, although this might be addressed by automatic cutoff of a motor and deployment of a parachute.

This should begin very soon. Were I in UK government, I would very quickly announce an X Factor contest with an appropriate prize (£5 million and some licensing agreement) for development of standards and a version of kit that will meet them. The kit might be a tamper-proof black box that is required to be installed in any UAV operating in the UK.

But what UK government needs to do now is to reserve the lowest tranche of airspace over populated areas and put Keep Off signs around those tranches. It will take exactly one criminal/terrorist/fool to put this entire technology into the long grass for a decade. Considering the potential (reductions in fuel use, lower utilization of conventional resources, improvements in shipping logistics, traffic monitoring, etc. [I once delivered a kidney for transplant from an airport to a hospital. I covered 28 miles in 17 minutes. It would have taken 4 by UAV]), getting the governmental and information assurance infrastructure right, now, would be a considerable public service.

Further down the road, they’ll need to buy a fair few of them and turn them into traffic wardens.

The implications for information assurance are a bit fraught. All vehicles will need identification, with secure verification when pinged. It is inevitable that licensing of operators will prove useful, and some form of background check will probably be needed. Weight limits, traffic lanes, rules of the road–this would all be a fruitful area for quick and targeted research. In the very short term.

Breaking the System to Save It?

Posted by Tom Fuller in AnonymitY, Blindside project, data mining at October 30th, 2007

The Internet database WhoIs may be marked for destruction, if some privacy advocates have their way. The database is regularly used by law enforcement officials and contains contact information of website owners.

The story is covered in some detail here.

“What removing the status quo will do is force all of the actors to come together without the benefit of a status quo to fall back on and say, ‘We are now all screwed. What will we do?’” Rader (Ross Rader, a member of ICANN’s generic name council) said. “It will lead to better good-faith negotiations.”

The issues are quite important–the database has clear value, but the potential for abuse is quite high. Because of ham-handed law enforcement and anti-terrorist measures in the recent past (mostly in the U.S. and U.K.), a significant percentage of stakeholders are willing to give up the database to prevent abuse.

“Law-enforcement officials and Internet service providers use it to fight fraud and hacking. Lawyers depend on it to chase trademark and copyright violators. Journalists rely on it to reach Web site owners. And spammers mine it to send junk mailings for Web site hosting and other services.

Internet users, meanwhile, have come to expect more privacy and even anonymity. The requirements for domain name owners to provide such details also contradict some European privacy laws that are stricter than those in the United States.

There’s agreement that more could be done to improve the accuracy of Whois, as scammers and even legitimate individuals who want to remain anonymous can easily enter fake data.

The disagreements are over “who gets to see it (and) how can we protect people’s privacy while at the same time making accurate information available to those who need it,” said Vint Cerf, ICANN’s chairman.”

The lesson to be learned is to take privacy seriously and not to sacrifice your long-term credibility for short-term information gains. But there is no evidence that that lesson will in fact be learned.

Technology Leaders

Posted by Tom Fuller in AnonymitY, Blindside project, Humanity nature and activity, People and IT, culture at October 19th, 2007

Mary Meeker was an analyst who, back in the nineties, was accused of over-hyping dot com companies, helping them launch into publicly listed existence. Many of her recommended picks failed; a few became the Internet powerhouses we see on the web today. Mary became very controversial for a while. Perhaps failing upwards, Ms. Meeker is now head of Morgan Stanley’s global technology research team.

She is here before us today, ranking countries in terms of their Internet ‘power,’ or who is leading the world in what.

The American news story focusses on America’s declining share of world GDP, which really should be welcome news for all, including Americans. What interests me is her assessment of world leaders in certain areas of Internet practice.

“In terms of the Internet — especially in technologies key to Web 2.0 success — the fastest growth is in non-U.S. markets. For example, Germany leads the e-commerce market, China leads in online gaming, South Korea leads in broadband, Japan leads in mobile payments, the United Kingdom leads in online advertising, Brazil and South Korea lead in social networking, and the Philippines leads in micro-transactions via SMS.”

Nice to know the UK leads in something. Pity it’s just advertising. Sadly, Ms. Meeker does not nominate a country as leader in the areas of IT security, information assurance, etc.

I bring this up because I wonder where people turn when they search for best practice. There was a time when the default might well have been the U.S. for many areas of technology. But I think that time passed around 1990.

There is, or should be, relevance to information assurance efforts in all of this, as a technology that undergoes its growth pains in another country and matures into commercial propositions can be introduced into the UK as a disruptive solution before anybody has had a chance to consider the implications. If it is introduced from a country where legislative and regulatory goals are vastly different, it could have implications for all of us.

Yesterday I posted about a Korean company that allows for mobile phone CCTV coverage of your house (it’s near the bottom of the post). But of course it doesn’t have to be your house. It can be anyplace you can stick a webcam. Great technology. But there are implications for privacy, security, all the things we go on about here at Blindside.

And a long time ago I asked if the UK was ready in any meaningful sense of the word to integrate best practice or leading edge technology currently available in other parts of the world, should they migrate here in full form. I didn’t get an answer… so I’ll ask again, using this as a specific case study.

Is the UK prepared, in terms of existing laws and regulation, in terms of social attitudes and acceptance, in terms of technology infrastructure, to accept a fully-formed technology that allows anyone to stick a webcam anywhere and view the results over a mobile phone?

The Future of the National DNA Database

Posted by Tom Fuller in AnonymitY, Blindside project, databases, e-ID at October 18th, 2007

Via Kable, “Home Office minister Meg Hillier has insisted on the need to debate the future of the National DNA Database. Responding to parliamentary questions from two Conservative MPs on 15 October 2007, Hillier said the growth of the database, which now holds records of more than 4m people, has made a debate on its future development necessary.”

Benefits to society so far: “Hillier claimed that the database had been used to solve 452 homicides, 644 rapes and more than 8,000 domestic burglaries.”

Example of possible downsides: Tory MP Stephen Crabb “highlighted the case of 75 year old Geoffrey Orchard, who was wrongfully arrested and received a written apology from the police, but who remains unable to get his DNA information removed from the system.”

So let’s have the debate. I suggest on the BBC (they may be looking for cheap programming these days). Let’s by all means have some of the great and the good participate. But let’s also have some of the Awkward Squad and some ordinary citizens as well.

Womb to Tomb Identity Control

“The General Register Office, which oversees the registration of births and deaths, is to become part of the Identity and Passport Service in a move that is likely to see sharply increased data sharing between the two bodies.”

This is, or should be, the story of the week.

“The government plans to give IPS staff online access to births and deaths information which could be cross checked with ID card or passport applications. Data sharing between the two bodies was given a legal basis in July by an order made under section 38 of the Identity Cards Act.”

In the story linked to above, Phil Booth of No2ID makes the badly needed points, and I doubt if he’ll mind if he’s quoted at length:

“But Phil Booth, national coordinator of the No2ID campaign monitoring the government’s ID card and data sharing plans, described the merger as “chilling.”

It was “deeply worrying” that the GRO, a “formerly independent agency should be subsumed in this way, with no debate and for no apparent reason other than bureaucratic convenience,” he said.

Birth and death dates might form part of an individual’s official identity, but register offices also recorded other information such as details about parents, Booth pointed out.

“The ID program is insinuating itself deeper and deeper into people’s lives. This is not so much ‘feature creep’ as a blatant land-grab of personal identity.

“That an agency which until a little over a year ago was limited to issuing passports is now grabbing control of citizen data from cradle to grave, and openly talks about ‘registration of life events,’ confirms what NO2ID has said all along. It’s not about ID cards, but the creation of a detailed, lifelong government dossier on every person,” Booth said.

He added “And that this sits in the dysfunctional and acquisitive culture of the Home Office should certainly make people think twice.”