Just trying it out, finding the levers and buttons, etc...

Robin Wilton


Recent Activity


  • Can you have federation without trust?

    Back in olden days, when I worked for IBM, its sales & marketing people weren't allowed to use the word "risk"... because it might be taken (by customers) to imply that there was any form of risk associated with the corporation's products (this is long enough ago that it hadn't really cottoned on to 'services' yet...). And so the word was carefully expunged from the corporate lexicon (as evidence, I cite Mike Cowlishaw's seminal IBM Jargon Dictionary... look up "exposure" in the pdf file here).

    This made things quite tricky for the poor souls who had to write a Project Risk Checklist for IBM's project managers... without using the word "risk" anywhere. So, "Project Assessment Checklist" it was, then...

    That said, when we in the field were given our first training session by a proper project manager, he was blunt about it to the point of political incorrectness. "A project which involves no business risk", he intoned, "is unlikely to deliver any significant business benefit".

    Which is a fair enough comment, and worth making (if your vocabulary permits you to do so, that is...).

    I thought of this as I read a Tweeted Q&A from the Burton Catalyst conference currently under way in Prague. Bob Blakey asks Tony Nadalin "Can federation exist on the internet without trust frameworks?".

    My initial thought is that not all kinds of trust are equivalent; for instance, when I conduct banking transactions online from my laptop, I place different kinds of trust in the bank and in the telecommunications infrastructure. I hold them responsible, respectively, for different aspects of the transaction's success, and I would expect different forms of recourse if something went wrong.

    So, if I intend my organisation and your organisation to conduct high-value business over the internet, but choose to do so with no kind of trust framework in place, I'm probably taking quite a risk. In some forms of business, I might be happy to do that. I might even be insured or re-insured against some kinds of failure. My safeguards against "transactional" risk for that high-value business are not necessarily the same as my safeguards against, say, the network suddenly dropping out of service.

    On the other hand, some networks are not meant for 'high value business'. What are referred to as 'social networks' (and I still don't like that phrase) get their value from the network effect, rather than from the exchange of financial value - again, that doesn't mean there's no need for trust - but the risks and appropriate mitigations involved are different.

    I'm not going to go for the CEM Joad response ("Well, I suppose it all depends on what you mean by 'federation' and what you mean by 'trust frameworks'"), but it did occur to me that a federation, constructed over the internet, which has absolutely no element of trust is unlikely to deliver significant benefit.

    There's another interesting question, of course: can you have a federation which successfully meets the goals of all its stakeholders even if they don't trust each other? (Strategic arms reduction, for instance). But that's another discussion...
  • Google wi-fi-gate rumbles on

    Yesterday's Tech Daily Dose announced (rather optimistically, I feel) that Google had 'cleared the air over wi-fi-gate'. The rest of the article went on to sum up Google's position as "we haven't broken US law". A spokeswoman is quoted as saying "it's legal to receive information from networks configured to be open to the public".

    I am not in a position to comment on US law in that regard, but I have looked at the potentially applicable UK legislation.

    I turned first to the Computer Misuse Act 1990, Section 1 - Unauthorised Access to Computer Material:

    (1) A person is guilty of an offence if—

    (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

    (b) the access he intends to secure is unauthorised; and

    (c) he knows at the time when he causes the computer to perform the function that that is the case.

    (2) The intent a person has to have to commit an offence under this section need not be directed at—

    (a) any particular program or data;

    (b) a program or data of any particular kind; or

    (c) a program or data held in any particular computer.

    (3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

    At first glance, 1(a) appears to offer an "out", in that it refers to data held in a computer, not data wirelessly broadcast by it. However, paragraph 2(c) specifies that it is not necessary for data held in any particular computer to have been targeted in order for an offence to have been committed. Potentially, that opens the way for a charge that the SSID which I set in my wireless router (a computer which I own), although not specifically targeted by Google's StreetView sniffer, would nonetheless be accessed by that device, as the router went about its intended function.

    The intended function of the router is a factor, in the sense that I set it up (including broadcast of the SSID) for a specific purpose: namely, to enable members of my household to distinguish between my wi-fi network and neighbouring ones.

    Paragraph 1(b) must be held to apply in any case. There is no way, simply through the SSID broadcast mechanism or the wireless router configuration, to notify third parties of my intent, or for third parties to be granted authorisation to access my wireless network: therefore I would argue that they must presume they have not been authorised to do so (and Article 8 of the European Convention on Human Rights would seem to back up that assumption).

    However, arguably by its narrow definition of "computer", and its failure explicitly to define "computer systems" and "systems composed of computers and network connections", the Computer Misuse Act might be too tightly scoped to include wireless links.

    So next I looked at the Regulation of Investigatory Powers Act 2000 (RIPA). This is explicitly aimed at 'data in motion' as opposed to 'data in computers'. While its primary purpose was to provide a legislative basis for the authorities to intercept citizens' communications traffic, it also contains provision to protect "our" communications too.

    Thus, Part 1, Chapter 1, Section 2 "Meaning and location of interception etc." says:

    (1) In this Act: [...]
    • “private telecommunication system” means any telecommunication system which, without itself being a public telecommunication system, is a system in relation to which the following conditions are satisfied—

      (a) it is attached, directly or indirectly and whether or not for the purposes of the communication in question, to a public telecommunication system; and
      (b) there is apparatus comprised in the system which is both located in the United Kingdom and used (with or without other apparatus) for making the attachment to the public telecommunication system;
    Sub-sections (2) and (3) continue as follows:

    (2) For the purposes of this Act, but subject to the following provisions of this section, a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he—

    (a) so modifies or interferes with the system, or its operation,

    (b) so monitors transmissions made by means of the system, or

    (c) so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system,

    as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication.

    (3) References in this Act to the interception of a communication do not include references to the interception of any communication broadcast for general reception.

    Which seems clear to me. Even my SSID (let alone the traffic I exchange between my workstation and the wireless router) is not broadcast for general reception. It is broadcast for reception within a strictly limited geographical area, and by a strictly limited set of devices.

    Some may argue that I have the option of not broadcasting the SSID of my domestic network. The practical problem with that is that, if a neighbour adopts the same policy, there is a risk that users will try (in vain) to connect to the wrong network. That is inconvenient and time-consuming - and, of course, in the event that they thus inadvertently connect to the wrong wireless router, could even result in them breaking the law. There's irony for you.

    Again, as long as the mechanisms for that broadcast do not enable me to specify more precisely the intended use of the system, or to grant explicit authorisation to third parties to gain access to it, any third party must proceed on the assumption that their access is unauthorised.

    In the absence of such mechanisms, it is hard to see what else a householder can do to make their intended purpose clear - so here's an alternative attempt:

    I hereby give notice that the purpose for which I set a public SSID on my domestic wi-fi network is so that members of my household can distinguish it from visible neighbouring access points. I do not intend that SSID to be available to third parties beyond the transmission range of my wi-fi-router. In the absence of a mechanism for third parties to seek authorisation to access my domestic wi-fi network or the data carried over it, any such access should be assumed to be unauthorised.
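    The post above turns on what the SSID broadcast mechanism does and does not say. As an added illustration (this is not the author's code, nor anything from Google's collection software), the following Python builds a few constructed 802.11 beacon frames and parses them the way a passive listener would, including the "hidden SSID" case that the post discusses: an access point configured not to broadcast its name still sends beacons, just with an empty (or NUL-filled) SSID element. The BSSIDs, network names and channel numbers are made up for the example; the frame layout (24-byte management header, 12 bytes of fixed fields, then tagged information elements) follows the 802.11 standard.

```python
import struct

BROADCAST_ADDR = b"\xff" * 6
IE_SSID, IE_RATES, IE_DS_PARAMS = 0, 1, 3   # 802.11 information element IDs


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(bssid: bytes, ssid: bytes, hidden: bool = False, channel: int = 6) -> bytes:
    """Construct a minimal 802.11 beacon frame (without FCS) as an access point transmits it.
    hidden=True sends a zero-length SSID element, the usual 'do not broadcast SSID' setting."""
    # MAC header: frame control (type 0 = management, subtype 8 = beacon), duration,
    # addr1 = destination (broadcast), addr2 = transmitter, addr3 = BSSID, sequence control
    header = b"\x80\x00" + b"\x00\x00" + BROADCAST_ADDR + bssid + bssid + b"\x00\x00"
    # fixed fields: 8-byte timestamp, beacon interval in TUs, capability info (ESS + privacy bits)
    fixed = struct.pack("<QHH", 0, 100, 0x0011)
    ssid_value = b"" if hidden else ssid
    ies = bytes([IE_SSID, len(ssid_value)]) + ssid_value
    ies += bytes([IE_RATES, 4, 0x82, 0x84, 0x8B, 0x96])     # basic rates 1, 2, 5.5, 11 Mbit/s
    ies += bytes([IE_DS_PARAMS, 1, channel])
    return header + fixed + ies


def parse_beacon(frame: bytes) -> dict:
    """Extract what a passive listener learns from one beacon: BSSID, SSID (if any), channel, privacy flag."""
    fc0 = frame[0]
    if (fc0 & 0x0C) != 0 or (fc0 >> 4) != 8:
        raise ValueError("not a beacon frame")
    bssid = frame[16:22]
    body = frame[24:]
    _timestamp, _interval, capability = struct.unpack_from("<QHH", body, 0)
    elements, offset = {}, 12
    while offset + 2 <= len(body):
        eid, elen = body[offset], body[offset + 1]
        value = body[offset + 2: offset + 2 + elen]
        if len(value) != elen:
            raise ValueError("truncated information element")
        elements.setdefault(eid, value)   # first occurrence of an element ID wins
        offset += 2 + elen
    ssid_raw = elements.get(IE_SSID, b"")
    # A hidden network sends an empty SSID element, or one padded entirely with NULs
    hidden = not ssid_raw.strip(b"\x00")
    return {
        "bssid": mac_str(bssid),
        "ssid": None if hidden else ssid_raw.decode("utf-8", errors="replace"),
        "hidden": hidden,
        "channel": elements[IE_DS_PARAMS][0] if IE_DS_PARAMS in elements else None,
        "privacy": bool(capability & 0x0010),
    }


def visible_networks(frames) -> dict:
    """What a drive-by collector records from a batch of beacons: BSSID -> SSID (None when hidden)."""
    seen = {}
    for frame in frames:
        info = parse_beacon(frame)
        seen[info["bssid"]] = info["ssid"]
    return seen


if __name__ == "__main__":
    # Constructed frames: the householder's AP plus two neighbours, one with SSID broadcast disabled
    frames = [
        build_beacon(bytes.fromhex("001122334455"), b"wilton-home", channel=6),
        build_beacon(bytes.fromhex("66778899aabb"), b"next-door", channel=11),
        build_beacon(bytes.fromhex("ccddeeff0011"), b"hidden-one", hidden=True, channel=1),
    ]
    for bssid, ssid in visible_networks(frames).items():
        print(bssid, ssid if ssid is not None else "<hidden: name not carried in beacon>")
```

    Two points worth noting from running it. First, even with the name suppressed, the beacon still discloses the BSSID, channel and whether encryption is enabled, so "not broadcasting the SSID" hides rather less than the phrase suggests. Second, the beacon carries no field in which the operator can state an intended audience or grant or refuse authorisation, which is exactly the gap the post's closing notice tries to fill in prose. (A further caveat, not from the post: clients configured for a hidden network will send probe requests naming it, so the name leaks anyway to anyone listening nearby.)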

  • Smart meters and privacy

    Belatedly, I've spotted a good post on the Big Brother Watch blog, here, on the subject of smart metering of utilities such as electricity, gas and water. I tried to leave a comment, but for some reason it got rejected... so here you go:

    An awful lot of this debate needs to hinge on transparency. If smart metering is 'something "they" do to "us" for "their" reasons and benefit', it will run into considerable opposition, fail to generate the buy-in of household energy consumers, and therefore ultimately fail to reduce energy consumption/carbon footprint etc.

    That principle has to guide the energy companies, as they consider design factors such as:

    - what are the full range of purposes for which energy consumption data is collected, processed and shared with other organisations?

    - what's the balance of interests between the householder, the energy supplier and third parties?

    - exactly what data items are collected by the meters?

    - how much of that data is transmitted to the energy supplier?

    - how much of it is visible to the householder?

    - what degree of control does the householder have over what data is sent and what is kept solely for the householder's use/convenience?

    I really worry when I see the Director of Energy UK, on behalf of the UK Energy Industry, quoted as saying, essentially, "consumers' security is paramount, and all information will be handled in strict accordance with the Data Protection Act".

    Frankly, if those are the success metrics, the privacy outlook is grim.

    1 - Security is not the same as privacy, and a system can be designed to provide great security but trample all over users' privacy. Privacy needs to be an explicit design goal in its own right from the outset.

    2 - Data Protection law applies to the subset of data currently classed as "personally identifiable"... and there is still plenty of argument over what that means. As others have pointed out, you don't need to personally identify someone in order to burgle their house when energy consumption data indicates they are not at home. DP law is an interesting starting point, but is not sufficient to guarantee a privacy-respecting implementation which protects householders from the range of possible threats.

    I am also increasingly wary of promises such as that offered by Mark Daeche of First Utility, who says that information should be "secure and anonymous". The work, particularly, of Vitaly Shmatikov and Arvind Narayanan has made it increasingly clear that anonymisation of consumer data is extremely hard to guarantee. Their papers should be required reading for anyone involved with supposedly "anonymised" datasets - required, but probably not reassuring. (See Arvind's excellent blog here, aptly named "33 Bits of Entropy", for well-informed and well-reasoned thoughts on data and privacy).

    The question of "entropy" in personal data is going to be a key one, as we speed ever faster into the world of grids, sensors and smart devices. As I mentioned in a Tweet earlier today, it means that, as a perverse consequence, the more users pare their electricity consumption down to the bare essentials, for instance, the more identifiable the resulting usage pattern will be.
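    To make the two technical points in the post concrete (absence can be inferred without any personal identifier, and a consumption pattern carries a measurable number of identifying bits), here is an added worked example in Python. It is not the author's code, nor anything from Big Brother Watch or the energy industry. The hourly profiles are constructed shapes, not real meter readings; the 0.1 kWh standby baseline and the 0.5 kWh quantisation bucket are assumptions, the latter standing in for the similarity matching a real re-identification attack would use. The "bits" figure is the one behind the "33 bits" phrase: a pattern shared by k households out of N carries log2(N/k) bits, and a unique pattern in a world population of N carries log2(N), roughly 33.

```python
import math
from collections import Counter

# Constructed hourly consumption profiles (kWh per hour, 24 slots) for one day.
# Illustrative shapes only, not real meter data.
TYPICAL = [0.3] * 7 + [1.2, 0.8] + [0.5] * 8 + [1.5, 2.0, 1.8, 1.0, 0.6, 0.4, 0.3]
COMMUTER = [0.3] * 7 + [1.0] + [0.08] * 10 + [1.4, 1.8, 1.2, 0.8, 0.5, 0.3]
FRUGAL = [0.02] * 19 + [0.6, 0.9, 0.4] + [0.02] * 2


def jitter(profile, delta):
    """Add a small constant offset so two 'similar' households are not byte-identical."""
    return [round(x + delta, 3) for x in profile]


def quantise(profile, step_kwh=0.5):
    """Bucket each reading so that households with similar (not identical) profiles collide.
    The bucket size is an assumption standing in for a real attacker's similarity measure."""
    return tuple(int(x // step_kwh) for x in profile)


def absent_windows(profile, baseline_kwh=0.1, min_hours=6):
    """Runs of at least min_hours in which consumption never rises above a standby baseline:
    an 'is anyone home?' inference that needs no name or address to be useful to a burglar."""
    windows, start = [], None
    for hour, kwh in enumerate(list(profile) + [float("inf")]):  # sentinel closes a trailing run
        if kwh <= baseline_kwh:
            if start is None:
                start = hour
        elif start is not None:
            if hour - start >= min_hours:
                windows.append((start, hour - 1))
            start = None
    return windows


def identifying_bits(population, step_kwh=0.5):
    """Bits of identifying information each household's quantised pattern carries within the
    population: log2(N / k), with k the number of households sharing that pattern."""
    patterns = [quantise(p, step_kwh) for p in population]
    counts = Counter(patterns)
    n = len(patterns)
    return [math.log2(n / counts[pat]) for pat in patterns]


def pattern_entropy(population, step_kwh=0.5):
    """Shannon entropy of the pattern distribution; it reaches log2(N) only when every household is unique."""
    counts = Counter(quantise(p, step_kwh) for p in population)
    n = sum(counts.values())
    return -sum((k / n) * math.log2(k / n) for k in counts.values())


# Constructed population: five 'typical' households, two commuters, one frugal household
POPULATION = [TYPICAL, jitter(TYPICAL, 0.05), TYPICAL, TYPICAL, jitter(TYPICAL, 0.05),
              COMMUTER, jitter(COMMUTER, 0.02), FRUGAL]

if __name__ == "__main__":
    for label, prof in (("typical", TYPICAL), ("commuter", COMMUTER), ("frugal", FRUGAL)):
        print(f"{label:9s} absent windows (start_hour, end_hour): {absent_windows(prof)}")
    for bits, prof in zip(identifying_bits(POPULATION), POPULATION):
        print(f"{bits:.2f} identifying bits  <-  pattern {quantise(prof)[:8]}...")
    print(f"pattern entropy: {pattern_entropy(POPULATION):.2f} bits "
          f"(maximum {math.log2(len(POPULATION)):.2f} if all unique)")
```

    On this constructed population the commuter's profile yields a ten-hour daytime window of near-zero consumption (the data says "out" without saying who), the five typical households share one bucketed pattern and so contribute under a bit each, while the single frugal household is unique and carries the full log2(8) = 3 bits. That is the mechanism behind the post's "perverse consequence": the more a household's usage departs from the crowd, in either direction, the fewer others it hides among.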
  • Guardian Tech interview with Eric Schmidt

    Some of my readers are probably old enough to remember the occasion in 1984 when President Ronald Reagan stepped up to a microphone for a sound check and uttered the memorable words:

    "My fellow Americans, I'm pleased to tell you today that I've signed legislation that will outlaw Russia forever. We begin bombing in five minutes."

    This week's Tech Weekly audiocast on the Guardian site (here) includes a brief interview with Eric Schmidt (it's in the first 10 minutes, followed by analysis/discussion from the Tech Weekly team).

    In the excerpt, Eric Schmidt explains to Jemima Kiss how Google happened to capture some network traffic as its rather inaccurately-named camera cars "sniffed" wireless SSIDs as well as StreetView image data.

    Unfortunately - at least on the basis of this part of the interview - I am still not convinced that Mr Schmidt really has as firm a grasp on the privacy issue as I would have hoped for from Google's CEO. Here's why:

    1 - the problem of cross-border jurisdiction. One of the examples Schmidt cites, of 'how much data we all happen to disclose', is that of mobile phone location data. He describes it as a 'legal requirement' that your ISP should be able to locate your mobile phone (in case it is needed for emergency services, for instance). As I understand it, that is a legal requirement in the US, but not in the UK, for example. I don't claim to know which jurisdictions do and don't require it, but that's beside the point - the point being that the legal status of your mobile phone location data varies by jurisdiction.

    When the CEO of a company with Google's global reach and colossal processing capacity uses examples which suggest he thinks the regulatory regime is homogeneous worldwide, that does not instil confidence. Not all countries have the same cultural, legal or regulatory approach to privacy as the US, and it is dangerous to proceed on the assumption that they do.

    2 - the issue of privacy and harm. At one point, Schmidt essentially argues that we need to keep the wi-fi data snarfing in perspective, and bear in mind that, as no harm has arisen out of it, it's not really a privacy breach. Again, if one is in Schmidt's position, I think that is a very dangerous position to espouse. For instance, there is (as yet) no indication that harm has arisen from the UK HMRC "2 CDs" data breach... so is that entirely privacy neutral? Of course not; it would be absurd to conclude that absence of provable harm means that no action need be taken as a result of the HMRC data breach.

    Harm is one factor in assessing actual or potential data breaches, but it is absolutely not a sufficient metric for gauging privacy risk.

    And finally, there's the question of Google's reaction to the wi-fi incident. What will they do as a result? Well, according to Schmidt's comments, it's predominantly a matter of "education" and addressing the fact that "people don't like it".

    Those are part of the picture, for sure - but again, they are not enough. There are laws in this area - and if those are not given due consideration, the fact of whether or not people like your behaviour is somewhat secondary.

    The point of my opening reference to Reagan is that often it's not just a question of what is said, but by whom and in what context. It may well be that Schmidt's heart is in the right place and has "Don't be evil" tattooed on it - but I come back to the point that, because of the post he occupies, his pronouncements on these topics have a very particular weight and resonance. On that basis, I think we are entitled to hear less about 'educating us about why we should like it', and more about building respect for our privacy into Google's business model.