Wednesday 26 May 2010

Facebook! Our privacy settings are a-changing ...

Come gather 'round people
Wherever you roam
And admit that the web news
About you has grown
And accept it that soon
You'll be open to the bone
If your privacy to you
Is worth savin'
Then you better start securing it
Or you'll sink like a stone
For the times they are a-changin'.

(Apologies to the great Bob Dylan for inspiring me to rip off his lyrics!)

Facebook has finally announced a great innovation – which is that basically it will ensure that its privacy settings can be more readily understood by its users. Move over Albert Einstein, no need for your help now that they’re designed to be understood by the likes of Homer Simpson.

Come to think of it that would make a good episode of “The Simpsons”. You can hear the pitch to the story team now: "Homer tries to change his privacy settings, but gets confused and manages to link up with some international superstars, each of whom have to perform crazy chores for Facebook Czar Mark Zuckerberg before they are permitted to drop their links with Homer."

Anyway, the critical thing is that a new system will offer users one privacy page with a list of all their applications and a choice of three settings for each. This means that users will be able to see all their information in one grid and apply privacy settings to each. Facebook will suggest defaults.

The redesigned privacy page allows users to see all their information in one grid and apply privacy settings to each. Facebook will suggest defaults, but the standard choice will be whether users want to share information and applications with just friends, friends of friends or everyone.

Naturally, those with brains as complex as Albert Einstein’s will still be able to access the existing bewildering array of hundreds of choices.

This bold move will pose a significant challenge to other webmasters. If Facebook manage to make life sufficiently easy (and transparent) for users, then when is everyone else going to follow on. And particularly, when will everyone else be giving users the same degrees of ease of choice? I’m sure the regulators are sitting up and taking notice, and wondering how this will affect the line they wish to take when advising data controllers on the privacy notices they need to have in place to explain all about cookies, and how to prevent them.

But having said that, the challenge will be equally as great on the privacy regulators, who will face similar problems when explaining to people who browse on their own websites what their cookie options are. And when the regulators get their own messages right, then I’m sure that the rest of us will sit up and take note.

I wonder how many privacy regulators are currently using Google Analytics and other beacons and cookies to track their users’ behaviour? And while this is (of course) entirely honourable and legitimate, I wonder whether any additional steps will be taken to advise users how to exclude themselves from such tracking tools.

Let’s wait and see!

... And repeat to fade:

Supporters of Zukerberg
Please heed the call
Don't stand in the doorway
Don't block up the hall
For he that gets hurt
Will be he who's browser has stalled
There's a battle on the net
And it is ragin'
It'll soon shake your windows
And rattle your firewalls
For the settings - they are a-changin'.

Come mothers and fathers
Throughout the land
And don't criticize
What you can't understand
Your sons and your daughters
Are beyond your command
Your default settings are
Rapidly agin'
Please get off of the internet
If you’re not in my band
Mind my privacy - the times are changin'.


Tuesday 25 May 2010

HPPT? Oh, S ...

Those remarkably clever engineers at Google have come up with a cunning wheeze that’s bound to put lots of net snoopers off the scent. In giving users the option of being able to encrypt the requests it makes to its search engine, the guys and gals at Google have taken another step towards making it harder for anyone else to track the search items that are used to find other sites.

Farewell, HTTP. Hello, HTTPS!

What this change does is that it removes the ability of webmasters to understand how a user landed up on their webpage. Apparently, webmasters won’t even know whether the user had used a search engine, or had merely types in the actual web page into the address bar. Google will, but the others won’t.

Damm clever, huh!

Presumably it will make it harder for webmasters to customise sites, depending on the referrer information. Whether this really will have an impact on the overall customer experience, only time will tell. But it will make it harder for other interested parties, such as internet service providers, to peep over the fence, so to speak, to fully understand what their users do when they leave the servers that are controlled by the internet service provider themselves, and instead roam the wider web. (Put another way, and speaking bluntly, if you can only monetise what you can understand, it looks as though Google have found a way of making it harder for others to monetise this stuff).

And if Google are leading this secure revolution, just how close behind are those who follow? Will it be very long before every user can expect every webmaster to provide them with a secure connection each time they visit that server? To bolderise a couple of lines from one of my favourite plays:

"O YouTube, Facebook,
wherefore art thou Hotmail?"

If this ubiquitous encryption malarkey really takes off, then presumably the guys patrolling the surveillance society will have their work really cut out. Life will never be as transparent as it has previously been.

Unless all this encryption stuff comes with a back door (which I doubt).

Perhaps there is still life left in Article 8(1) of the Human Rights Act, which declares that “Everyone has the right to respect for his private and family life, his home and his correspondence.”

The trouble is, I haven’t a clue how much easier, or harder, it will make life for public authorities to exercise their rights, as expressed in Article 8(2), to interfere “with the exercise of this right [when it is...] in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."

But I hope I’ll find out, eventually.

Sunday 23 May 2010

Transparent Parliamentary Expenses: “Get real”

Another blast of fresh air sweeps through Westminster. The new bunch of MPs no longer have to rely on the nod and wink of a canny and experienced politician to know whether their expenses are all entirely proper. The Independent Parliamentary Standards Authority has worked wonders to publish an on-line guide that lets everyone know just what our elected (and ermined) ones are entitled to claim. This transparency, together with easy access to the details of people's Parliamentary expense claims, have led us to take yet another (but, for once, possibly quite welcome) step in the direction of a surveillance state.

The ISPA Board, which is entirely independent of Parliament, has created a set of new rules, and it’s pretty clear that it has not allowed itself to simply serve the interests of those who have been elected. And, given the fuss that has already emerged from those who are to be subject to the new expenses scheme, it must be doing its job properly. James Kirkup, writing in The Daily Telegraph last Friday, noted that “Almost every MP I’ve spoken to since the Commons returned has mentioned the Independent Parliamentary Standards Authority, the new body in charge of their expenses. None has been happy.

Complaints generally focus on what MPs see as IPSA’s inflexibility and its relatively leisurely timetable for paying out on expenses claims.

A few new members say they have been left thousands of pounds in debt by having to pay for start-up costs for offices etc, and then claim them back from IPSA, which will not pay out on claims until June 23. IPSA says that loans and advances are available to help. Members counter that the system for registering and claiming that help is cumbersome and slow. Some are chuntering about asking for an advance on their salaries…

Others are cross about IPSA’s insistence that it will pay no more than 85 per cent of staff and office phone bills, assuming that the rest of the cost is personal calls.”

I’m sure that such comments could be made by most employees who rely on their Accounts Departments to reimburse them for the expenses they have incurred in getting on with their own jobs, so I don’t really have much sympathy with the same rules being meted out to politicians too. If bureaucracy’s good enough for my company's Accounts Department, then it ought to be good enough for theirs. As (I think) all three candidates said in their televised Leaders’ debates just a few weeks ago, “Get real.”

Read these extracts from the Foreword to the new rules, and ask yourself if you have ever before read an official document that puts our Parliamentarians so firmly in their place:

We have been required by the Parliamentary Standards Act 2009, as a body entirely independent of Parliament, Government or political parties, to provide a scheme for the reimbursement of expenses incurred by MPs in doing their work. We have no axe to grind. We have set about our task against a background of great public anger at the present discredited system that has been exposed over the last year. We have consulted widely, not only those whom we are required by the Act to consult, but also the public at large. We are indebted to all those who have responded and answered the questions we posed in our consultation paper. The strength of the arguments put – and the evidence adduced – are our overriding considerations in addressing each question. The scheme has had to be prepared within a very short timescale in order to be operational for the new Parliament following the general election.

We have endeavoured to produce a scheme that is fair, workable and transparent.

By fair we mean not only fair to the public purse but also to individual MPs. It is not our job to punish the next generation of MPs for the excesses of what has gone before. Our responsibility is to reimburse MPs for the costs they necessarily incur in properly doing the job of a legislator in the 21st Century. But fairness has another feature. People who abuse the system must know that we will bear down heavily on them. The public would expect no less. Expenses do not exist to allow some to profit at the cost of others.

By workable we mean that the scheme should be as simple and practicable as possible and avoid unnecessary administrative cost and complexity. Whilst it is not part of our remit to provide a scheme that ensures Parliament reflects the society it serves, we have kept firmly in mind the need to ensure that our scheme does not have the opposite effect.

By transparent we mean that the public is entitled to know not only what those remunerated from the public purse are paid, but the details of their reimbursements for the expenses they incur in doing their job. It is for this reason that perhaps the most important criterion of all is that the scheme should be transparent. Transparency is critical if public confidence in Parliament is to be restored. This is one reason why we have moved where possible to an expenses rather than an allowances based system, a move that has the overwhelming support of the respondents to our consultation paper. The power of transparency is that it allows people to find out for themselves what is being done in their name and with their money.

It has been suggested that the previous opaque system of allowances grew up in part because the issue of the appropriate salary for a Member of Parliament was not properly tackled as it was politically inexpedient to do so, and that the allowance arrangements contained, at least in some cases, a significant element of profit. Whether or not that is so, those days have now gone. Currently MPs’ pay is not part of our remit, although it is likely to become so in the future if the Constitutional Reform and Governance Bill becomes law.

It is our aim that MPs should be reimbursed fairly and that they should neither make a profit nor suffer a loss in carrying out their responsibilities.

Inevitably there are grey areas where the impact of the scheme will not be the same for all MPs. There is no stereotype MP. MPs represent different constituencies and adopt different working patterns. We do not pretend that some anomalies will not emerge but we have a statutory duty under the Act to revise the scheme annually and that we shall do, making such changes as appear to us to be appropriate.

And if you’re really interested in all the details of all the expenses that can be claimed, then point your browser to this address:

Friday 21 May 2010

Oh, Ye Gods

Once upon a time (actually not that long ago), the mighty Google could do no wrong.

Whatever it developed turned to gold, and we marvelled at its ingenuity.

And then some started to whisper that all might not be entirely right about its practices.

Now, it appears that more people have joined in and the whisper has turned into a murmur.

I’ve read that even the regulators are questioning some of these practices, and are asking whether an innocent mistake should be pardoned, or whether sterner measures should be taken to show who’s really who in the data protection kingdom.

The blogosphere is currently carrying posts from people who have questioned the mistakes that Google has admitted to when collecting location information about hotspots as its Street View cars were recording images about the physical environment. It seems clear that Google were mistakenly collecting samples of payload data as well as basic WiFi data.

I can understand how easy it can be, in retrospect, to make such a mistake. It all depends on how robust the definitions of “internet protocol traffic data” and “internet protocol content data” are. And I suppose it might help if, at some time in the future, someone might be clever enough to create proper definitions (together with actual working examples, so we can establish that the definition works just as well in practice as it does in theory).

Then, in an ideal world, we might hope that all EU Member States (and perhaps eventually all countries in the world) were to agree on a common definition. And only then, perhaps, might the Street View drivers be able to get back in their cars and collect this stuff safe in the knowledge that they weren’t going to get locked up for doing what they had been told to do.

I wonder when the UK will develop such definitions – and who will be brave enough to ask the courts to issue a declaration on their accuracy, before everyone piles in and tries to retain IP traffic records but not IP content records.

Thursday 20 May 2010

“They’ve actually gone and done it ...” !!

Wow – in the space of just a few days, a revolution has blown through Whitehall. Gone are the days of “I wonder what they will do now they've won the election” to “We now know precisely what they intend to do now they've won the election.” What an amazing change. Fancy that, an incoming administration actually being transparent about the manifesto commitments it will endeavour to implement, and which it will drop. No incoming administration has ever been so frank before - at least in my lifetime. How things are getting better!

And the good news continues. My predictions about the issues which the coalition parties might agree to promote were very accurate. I remember the days when “Mystic Megg” offered her predications about the winning lottery numbers. Where is she now? Perhaps she saw the competition on the horizon. Perhaps I should take an interest in the horses now, too!

Anyway, for those who don’t feel too inclined to read all 36 pages of the agreement, here’s the significant data protection commitments. No specific mention of a commitment to support the Information Commissioner’s Office – but there is quite a lot to be thankful for:

On Civil Liberties:

We will be strong in defence of freedom. The Government believes that the British state has become too authoritarian, and that over the past decade it has abused and eroded fundamental human freedoms and historic civil liberties. We need to restore the rights of individuals in the face of encroaching state power, in keeping with Britain’s tradition of freedom and fairness.
• We will implement a full programme of measures to reverse the substantial erosion of civil liberties and roll back state intrusion.
• We will introduce a Freedom Bill.
• We will scrap the ID card scheme, the National Identity register and the ContactPoint database, and halt the next generation of biometric passports.
• We will extend the scope of the Freedom of Information Act to provide greater transparency.
• We will introduce safeguards against the misuse of anti-terrorism legislation.
• We will further regulate CCTV.
• We will end the storage of internet and email records without good reason.
• We will introduce a new mechanism to prevent the proliferation of unnecessary new criminal offences.
• We will establish a Commission to investigate the creation of a British Bill of Rights that incorporates and builds on all our obligations under the European Convention on Human Rights, ensures that these rights continue to be enshrined in British law, and protects and extends British liberties. We will seek to promote a better understanding of the true scope of these obligations and liberties.

On Communities & Local Government:
The Government believes that it is time for a fundamental shift of power from Westminster to people. We will promote decentralisation and democratic engagement, and we will end the era of top-down government by giving new powers to local councils, communities, neighbourhoods and individuals. .
• We will give councils a general power of competence.
• We will ban the use of powers in the Regulation of Investigatory Powers Act (RIPA) by councils, unless they are signed off by a magistrate and required for stopping serious crime.

On Government Transparency:
The Government believes that we need to throw open the doors of public bodies, to enable the public to hold politicians and public bodies to account. We also recognise that this will help to deliver better value for money in public spending, and help us achieve our aim of cutting the record deficit. Setting government data free will bring significant economic benefits by enabling businesses and non-profit organisations to build innovative applications and websites.
• We will create a new ‘right to data’ so that government-held datasets can be requested and used by the public, and then published on a regular basis
• We will require all councils to publish meeting minutes and local service and performance data.
• We will require all councils to publish items of spending above £500, and to publish contracts and tender documents in full.
• We will ensure that all data published by public bodies is published in an open and standardised format, so that it can be used easily and with minimal cost by third parties.

On National Security:
The Government believes that its primary responsibility is to ensure national security. We need a coherent approach to national security issues across government, and we will take action to tackle terrorism, and its causes, at home and abroad.
• We have established a National Security Council and appointed a National Security Adviser.
• We have commenced a Strategic Defence and Security Review, commissioned and overseen by the National Security Council, with strong Treasury involvement. We will also develop and publish a new National Security Strategy.

And, for those who are inclined to read all 36 pages of the agreement, here’s the link:

Sunday 16 May 2010

Will a revised Data Protection Directive get any new clothes?

Lots of work is going on behind the scenes to look at the deficiencies in current European data protection legislation to see what can be done. Two camps are assembling.

One camp promotes the view that the main problem is the patchy implementation of the specific (and sectoral) Directives by Member States. Accordingly, the miscreants need to apologise profusely to the (current) She Goddess of Data Protection (aka Commissioner Vivien Reading) and promise to do better in future.

The other camp promotes the view that the main problem is that the specific (and particularly sectoral) Directives were inadequate, in that they concentrate on processes and procedures, rather than focussing on areas that are capable of causing the greatest amount of harm to individuals. Accordingly, they need drastic surgery, to carve out the awful bits and allow benign practices to flourish.

Naturally, some followers have feet in both camps.

I’ve just read a (50 page) report by the European Agency for Fundamental Rights, which analyses the extent to which data protection, which has now acquired the status of a fundamental right in the EU, distinct from the right to respect for private and family life, is protected and promoted by the national authorities within each Member State.

The report highlights six challenges – but my money is on Member States having the stomach to address just a couple of these as they revise the Directive. Here’s some of what the report has to say, together with a few personal observations:

Deficiencies of Data Protection Authorities:
At a structural level, the lack of independence of several Data Protection Authorities (DPAs) poses a major problem. In a number of Member States concerns are reported about the effectiveness and capability of the officers of Data Protection Authorities to perform their task with complete autonomy. At the functional level, understaffing and a lack of adequate financial resources among several Data Protection Authorities constitutes a major problem. At the operative level, a major problem is represented by the limited powers of several Data Protection Authorities. In certain Member States, they are not endowed with full powers to investigate, intervene in processing operations, offer legal advice and engage in legal proceedings.

Given current economic conditions, will Member States will be brave enough to increase resources in this area when they are forced to reduce funding elsewhere? It would be awfully brave of them to do so.

Lack of enforcement of the data protection system:
In some Member States, prosecutions and sanctions for violations of data protection law are limited or non-existing. With regard to compensation, the legal system of various Member States effectively rules out the possibility of seeking compensation for a violation of data protection rights, due to the combination of several factors such as burden of proof, Difficulties relating to quantification of the damage and a lack of support from the supervisory bodies, which are engaged principally in “soft” promotional activities like registration and awareness raising. There is a general tendency in the Member States to focus on ‘soft’ methods of securing compliance with data protection legislation, instead of applying and enforcing ‘hard’ instruments by which violators of data protection rights may be detected, punished and asked to compensate victims. Good practices in this respect regarding cooperation of Data Protection Authorities and other authorities to strengthen investigations were found in some Member States.

Many people can’t see much point in encouraging authorities to spend more resources in policing rules that are pretty outdated, burdensome and bureaucratic. The concept of compensating victims is fraught with difficulty, as it really is hard to assess the financial loss that someone has incurred because information has been misused which has caused them a certain amount of embarrassment. I’m looking forward to seeing what the Information Commissioner does with his new fining powers in the first few years of their introduction. Not much, I recon.

Rights awareness:
During the research for this report, the FRA was able to identify national surveys addressing data protection in 12 out of 27 EU Member States. These surveys have in some instances been commissioned by the national Data Protection Authorities. The questions posed, the number of participants, the methodology and the final results are diverse and do not always allow forcomparison. Nevertheless, of itself the existence of these national surveys constitutes a good practice. In February 2008, two Eurobarometer surveys on data protection were published.The most important findings from these surveys were that a majority of EU citizens showed concern about data protection issues and that national Data Protection Authorities were relatively unknown to most EU citizens.

Believe me, I think we Brits know all about our data protection rights and that the Commissioner’s staff can be called upon when there’s a problem. I do what I can to encourage anyone I’m dealing with, and whom I think has an unrealistic expectation of their entitlement to compensation following an administrative slip, to complain to the folks in Wilmslow. My company is paying them over £500 a year so they can share my pain! (Why more than £500? – because it has more than one DPA registration entry)

Lack of data protection in the former third pillar of the EU:
The main limitation currently faced by the EU to provide for effective and comprehensive data protection arises from the constitutional architecture of the former EU pillars. While data protection is highly developed in the former first pillar of the EU, the data protection regime in the former third pillar cannot be regarded as satisfactory. Yet the former third pillar of the EU comprises areas such as police cooperation, the fight against terrorism, and matters of criminal law where the need for data protection is especially important. The Lisbon Treaty facilitates the closing of this gap. Declaration No 21 to the Lisbon Treaty notes that specific rules on the protection of personal data and the free movement of such data in the fields of judicial cooperation in criminal matters and police cooperation may prove necessary because of the “specific nature” of these fields.

This is a really important but a very hard issue to deal with. The Lisbon Treaty is supposed to reach into the shadows to extend regulations to areas no-one talks about in polite company. So how will we ever know whether anyone has listened? And if it meets resistance, again how will we ever know? And if I ever got to find out I expect I would be shot!

Exemptions from data protection for security and defence:
Article 13(1) of the Data Protection Directive provides for broad exemptions and restrictions concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters), and the activities of the State in areas of criminal law. There is a lack of clarity regarding the extent of these exemptions and restrictions. In various Member States, these areas are altogether excluded from the protection of data protection law. This leaves a considerably large area unprotected with potentially serious consequences for fundamental rights protection. Declaration No. 20 to the Lisbon Treaty says that whenever rules on protection of personal data are to be adopted which could have direct implications for national security, “due account” will have to be taken of the specific characteristics of the matter.

The lack of clarity regarding the text of various exemptions from data protection laws for national security purposes is easy to explain. Legislators make laws. They are voted into office by us, the public. You don’t have to be able to keep a secret to become a legislator. But that is precisely what we demand of those who safeguard our national security. So let’s all just shut up, and place our trust in people we never meet but hope have powers that are sufficiently special to keep us safe.

The challenge of technology:
Recent and ongoing technological developments pose challenges that urgently need to be addressed. Video surveillance in public space and in the employment environment is widespread, but the legislative framework is lagging behind. As an example, the report reveals that, in practice, CCTV cameras are often not registered and/or monitored in some Member States.

Technology moves at a terrific pace. I find it an incredibly exciting challenge to retain a working understanding of the technologies my company uses. Given that legislation almost always follows behind technology by several years, the legislators are never going to catch up. Let’s just hope they aren’t sufficiently foolish to think they can dictate the pace of technological change. They can’t, and if they try they’ll simply get ignored. And no-one wants to see legislators, like the fabled Emperor, without any clothes.

Point your browser at and download your copy now!

Facebook privacy or celebrity: We choose

I’m not one to knock large corporations for poor data protection practices – you just never know when that email may come from that very same corporation, offering me a challenge even greater than the one I’m currently dealing with. But I thought I might make a few comments on a trend that some data protection wonks have been commenting about recently.

It’s about the extent to which individuals cherish their privacy. Or perhaps it’s more about the extent to which they are prepared to trade their privacy for celebrity. And it appears as though some of the largest social media players have recognised this trend and are making it easier for people to become celebrities in their own right, by giving the rest of us ever more ways of finding out lots about them.

Take Facebook for example. I’ve recently seen a really interesting report which looks at the way they have continually changed their privacy policies over the past 5 years, which have had the cumulative effect of making it far easier for users to share information about themselves with others. Indeed, it’s become so easy (thanks to the default privacy options) that some commentators are expressing a degree of unease at both the direction and speed of travel. Have they gone too far? Are they simply “responding” to the wishes of Facebook users, as evidenced through a global pattern of focus groups, or has a decision been taken elsewhere within the organisation to lead their users to revealing information that more suits Facebook’s commercial aspirations, rather than their users’ social aspirations.

Of course the jury is out on this one and I suspect it may be out for some time. But for those who are interested of the evolution of privacy policies, take a good look at this example. What was once private is now only private if you choose to make it so.

But is this necessarily a bad thing ? Perhaps we all need a good kicking once in a while to remind us that we should never be complacent at what we place online, as the expectations of those we shared it with may change – and perhaps in ways we did not originally anticipate.

Facebook Privacy Policy circa 2005:
No personal information that you submit to Thefacebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings.

Facebook Privacy Policy circa 2006:
We understand you may not want everyone in the world to have the information you share on Facebook; that is why we give you control of your information. Our default privacy settings limit the information displayed in your profile to your school, your specified local area, and other reasonable community limitations that we tell you about.

Facebook Privacy Policy circa 2007:
Profile information you submit to Facebook will be available to users of Facebook who belong to at least one of the networks you allow to access the information through your privacy settings (e.g., school, geography, friends of friends). Your name, school name, and profile picture thumbnail will be available in search results across the Facebook network unless you alter your privacy settings.

Facebook Privacy Policy circa November 2009:
Facebook is designed to make it easy for you to share your information with anyone you want. You decide how much information you feel comfortable sharing on Facebook and you control how it is distributed through your privacy settings. You should review the default privacy settings and change them if necessary to reflect your preferences. You should also consider your settings whenever you share information. ...
Information set to “everyone” is publicly available information, may be accessed by everyone on the Internet (including people not logged into Facebook), is subject to indexing by third party search engines, may be associated with you outside of Facebook (such as when you visit other sites on the internet), and may be imported and exported by us and others without privacy limitations. The default privacy setting for certain types of information you post on Facebook is set to “everyone.” You can review and change the default settings in your privacy settings.

Facebook Privacy Policy circa December 2009:
Certain categories of information such as your name, profile photo, list of friends and pages you are a fan of, gender, geographic region, and networks you belong to are considered publicly available to everyone, including Facebook-enhanced applications, and therefore do not have privacy settings. You can, however, limit the ability of others to find this information through search using your search privacy settings.

Current Facebook Privacy Policy, as of April 2010:
When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends’ names, profile pictures, gender, user IDs, connections, and any content shared using the Everyone privacy setting. ... The default privacy setting for certain types of information you post on Facebook is set to “everyone.” ... Because it takes two to connect, your privacy settings only control who can see the connection on your profile page. If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection.

Many thanks to Kurt Opsahl of the Electronic Frontier Foundation for his work in creating this summary (and thanks also to the hacks at The Register who first drew my attention to it). More analysis can be found in Kurt’s article at

Thursday 13 May 2010

“Why thank you, Mr Deputy Prime Minister”

Just hours after receiving an email from Chris Fox, Chief Executive of the Liberal Democrats , I’ve had one from the main (supporting) man, the Deputy Prime Minister himself. Brilliant. Nice of him to get in touch. Especially when he’s obviously a bit busy right now. Tony Blair only ever wrote to me once - and that was on 27 July 2007, just after handing over to Gordon Brown. And as for Gordon, well, he never wrote. Nor phoned. I didn’t take it personally though.

As an aside, what has really impressed me over the past couple of days is the easy manner that Gordon Brown has exuded in his public speeches. Gone is the tense and stressful delivery. Back is a warmth, humour and dignity that suggests he can be a really nice man to get to know. And David – no, he's only written to me once - on the morning of the General ELection, asking for mny vote. I hope he'll write again. Failing that, perhaps one of his team might.

Anyway, back to the plot. Nick Clegg has written to me (and, to be honest, probably to loads of other people outside the febrile Westminster village) with a message not of triumphalism but of humility. And with a sense that he is aware of the magnitude of the task in hand. Among other things, this is what he had to say:

“We are now going to form a new government More importantly than anything else, we are going to form a new kind of government; I hope this is the start of a new kind of politics I have always believed in. Diverse, plural, where politicians with different points of view find a way to work together to provide the good government for the sake of the whole country deserves.

Of course there will be problems along the way; of course there will be glitches. But I will always do my best to prove that new politics isn't just possible - it is also better.

I hope you will now keep faith with us let us prove to you that we can serve this country with humility, with fairness at the heart of everything we do. And with total dedication to the interests and livelihoods of everyone in this country.”

Very astute move, to use the internet to reach out to the electorate in a way I’ve not experienced with the Tories nor the Labour Party. Should I decide to opt out of electronic marketing by the Liberal Democrats, I’ll let you know how quickly they stop sending me this stuff.

Let’s see how Nick Clegg gets on developing his civil liberties agenda, now we know that we have Ken Clark and Theresa May ruling the roost over at Petty France and Marsham Street.* Not to mention Baroness Pauline Neville-Jones, who has just been appointed the Minister for Security. She knows a thing or two about the real needs of our intelligence community. Just how will Nick's ideas chime with these people? I have a great deal of respect for Ken, having known of him for all of my political life. The last time he was in office, he was renowned for wearing his Hush Puppies to work. I’ve never seen Theresa May in a pair – she’s renowned for her association with a different, more racy, line of footwear. And I really don't know what Pauline Neville-Jones's taste in shoes is - I'll cast my eyes to the carpet when I next see her.

*For those far away from the Westminster village, Petty France is the home of the Ministry of Justice, which sponsors the work of the Information Commissioner’s Office, while the Home Office is on Marsham Street, and is responsible for implementing decisions about the retention of phone, internet and email records.

Wednesday 12 May 2010

Springing a leak in the balloon of the surveillance state

Here it is – hot off the press – direct from Chris Fox, Chief Executive of the Liberal Democrats in a personal email to me (and probably many thousands of others). This is what the two political parties have agreed in respect of civil liberties as the basis for the coalition that will govern the country over the next few years. Actually, it's remarkably similar to the agreement I was expecting - and had blogged about last Saturday.

The parties agree to implement a full programme of measures to reverse the substantial erosion of civil liberties under the Labour Government and roll back state intrusion.

This will include:
• A Freedom or Great Repeal Bill.
• The scrapping of ID card scheme, the National Identity register, the next generation of biometric passports and the Contact Point Database.
• Outlawing the finger-printing of children at school without parental permission.
• The extension of the scope of the Freedom of Information Act to provide greater transparency.
• Adopting the protections of the Scottish model for the DNA database.
• The protection of historic freedoms through the defence of trial by jury.
• The restoration of rights to non-violent protest.
• The review of libel laws to protect freedom of speech.
• Safeguards against the misuse of anti-terrorism legislation.
• Further regulation of CCTV.
• Ending of storage of internet and email records without good reason.
• A new mechanism to prevent the proliferation of unnecessary new criminal offences.

I think we can interpret this as a commitment to spring a gigantic leak in the balloon of the surveillance state.

Sunday 9 May 2010

Are the lions more naive than the dragons?

Two things caused great hilarity in the Crouch End household this week, which left me to ponder which was the more stupid.

First up is the black comedy, just released, about an ill prepared and woefully misguided group of British suicide bombers. Forget the politics, it’s a comedy, and Chris Morris has done an amazing job with a taboo subject that is bound to offend anyone who takes life seriously. Most of the characters turn out to be complete idiots – the bombers, the police and the spooks. The only characters who appear totally credible are those who (fortunately) live in foreign parts and groom the misguided bunch of Sheffield-based bombers.

No political party is going to be able to use the film for any political points scoring. Riz Ahmed, who plays Omar, leader of the putative jihadis, attended the first screening of the film in Sheffield. He explained that the audience contained “a lot of working class white lads and a lot of brothers with beards as well. And after it we heard them hanging out together, laughing. So hopefully the comedy transcends any of those silly boundaries.”

Go see this explosive comedy. Despite what you may think, no birds (or sheep) were mishandled during the making of the film.

Next up for the prize of “wally of the week” is the Chinese Government, if you believe last Tuesday’s report in OUT-LAW News. Following the recent conviction of Rio Tinto executives for stealing commercial secrets, it has announced that it will clamp down on the communication of information that it believes will damage the interests of the state or of Chinese businesses. And, it’s going to pass a law requiring telecoms companies to act if state secrets pass through their networks.

Just what is a state secret? And just how will the telecoms companies be able to understand whether such a secret has passed through its network?


According to the Wall Street Journal, the guidance published by the Chinese Government on what constitutes a state secret means that some commercial secrets can count as state secrets. And, virtually any information not already disclosed by a company could count as a commercial secret, from technology to merger information to financial data.

I’m really keen to understand just what role the internet providers and telecoms companies are supposed to play. It sounds easy on paper. After all, the Government will pass a new law on state secrets that will require internet service providers and telecoms companies to identify, block and report the communication of state secrets. And then, voila, it will happen.

But will it – or even can it?

How can telecoms companies be forced to monitor communications and alert authorities about the communication of information that might be a state secret, as well as putting them under obligation to co-operate with investigations? From what you learn about the communication techniques used by terrorists from the Four Lions film, they are going to need an awful lot of people to monitor all types of what you and I would consider perfectly innocent internet conversations.

China is known to control its citizens' access to the internet, demanding that service providers block access to material it does not want citizens to see and blocking the material itself if companies do not comply. But the real-time interception of millions of citizens to prevent them from passing state secrets would be an achievement that even the Stazi would be proud of.

And if they ever find the technology that can actually do it, then I hope they might let me know. Deep packet inspection? In that volume, in real time and at current (let alone projected) bandwidth speeds? Give me a break.

To my mind, the people who will be really worried in China right now won’t be the telecoms or internet providers. It will be the poor geeks who are stuck in a lab somewhere and who have been told that they won’t see daylight again until they create a box that can do what the Chinese Government obviously thinks can be done.

More stuff on the OUT LAW report is at

Saturday 8 May 2010

Exclusive – the new Government’s cunning data protection plan?

Stumbling back from a Westminster pub late last night, I might have picked up an interesting document, freshly thrown out along with a dozen pizza boxes. Some poor sods were obviously working all through the small hours, hammering out what appears to be a draft of something or other. Poor buggers, I might have thought to myself.

Then, I might have read it. What was it? Data protection gold dust. It might have been the section in an early draft of the Lib Dem/Tory agreement that was being worked on in a nearby office. The section – or should I call it “Appendix 26” could have been entitled “common views on data protection.” And what could it have contained?

On data protection

Wherever possible, we believe that personal data should be controlled by individual citizens themselves. We will strengthen the powers of the Information Commissioner to penalise any public body found guilty of mismanaging data. We will take further steps to protect people from unwarranted intrusion by the state, including:

• Cutting back intrusive powers of entry into homes, which have been massively extended under Labour.
• Curtailing the surveillance powers that allow some councils to use anti-terrorism laws to spy on people making trivial mistakes or minor breaches of the rules.
• Requiring Privacy Impact Assessments of any proposal that involves data collection or sharing;
• Ansuring proper Parliamentary scrutiny of any new powers of data-sharing.
• Extending Freedom of Information legislation to private companies delivering monopoly public services such as Network Rail.

On civil liberties

We will:
• Scrap ID cards, and plans for expensive, unnecessary new passports with additional biometric data, the National Identity Register and the Contactpoint database, which is intended to hold the details of every child in England.
• Replace the Human Rights Act with a UK Bill of Rights, subject to final approval in a referendum.. We will restore the civil liberties that are so precious to the British character.
• Review and reform libel laws to protect freedom of speech, reduce costs and discourage libel tourism.
• Regulate CCTV, stop councils from spying on people by curtailing their powers of entry into private homes, stop unfair extradition to the US, defend trial by jury.
• End plans to store your email and internet records without good cause.
• Remove innocent people from the police DNA database and stop storing DNA from innocent people and children in the future, with the slimmer and more efficient Scottish system as our model.
• Roll back Labour's surveillance state, curtail powers of entry for state officials, and introduce new protections over the use of personal data.

On cutting crime with more and better police

We will:
• Get more police on the streets.
• Help the police to be more effective at catching criminals, spend less time on bureaucracy and more time preventing crime, reassuring the public and helping keep everyone safe. We can't go on with the police filling in forms instead of fighting crime.

On terrorism and defending our security

We will:

• Reach out to the communities most at risk of radicalisation to improve the relationships between them and the police and increase the flow of intelligence.
• Scrap control orders, which can use secret evidence to place people under house arrest
• Reduce the maximum period of pre-charge detention to 14 days.
• Make it easier to prosecute and convict terrorists by allowing intercept evidence in court and by making greater use of postcharge questioning.
• Establish a National Security Council to co-ordinate responses to the dangers we face, which will be chaired by the Prime Minister.
• Create a National Security Adviser and a new National Resilience Team for Homeland Security;
• Develop a National Security Strategy and oversee a Strategic Defence and Security Review that implements that strategy.
• Establish a new Permanent Military Command for Homeland Defence and Security to provide a more structured military contribution to homeland security.

That didn’t take too long to cobble together. Less than 20 minutes, I guess. Let's hope they sort out the appendix on the economy just as quickly. Oh yes, and the one on electoral reform too ...

Who's responsible for improving online child safety?

I’ve recently been reading some stuff about child safety online, as I’ve heard that some of the childrens’ charities have argued that internet service providers have not acted with sufficient vigour to prevent activities that cause considerable harm to young people. And, from what I’ve read, these charities want the regulators to take a much firmer stance against the providers for their failures to respond in an sufficiently adequate manner. It’s awful, it’s disgusting and it shouldn’t be happening. Much more must be done.... blah blah blah ...

I was then shown a document that goes by the thrilling title of the “Final Report of the Internet Safety Technical Task Force to the Multi-State Working Group on Social Networking of State Attorneys General of the United States.” Published by a group of experts at the very end of 2008, it provided an interesting take on the issue – which obviously was not supported by all of the Task Force members. When dealing with issues such as these, I’m sure that passions run high and differences between the stakeholders (and experts) are often principled and irreconcilable.

I’m about to summarise some of the main points raise by the report, and must warn you, dear reader, that some of these thoughts are shocking. If you are easily shocked, please don’t read the rest of this blog. I don’t want you to get upset by reading other people’s views on the reasons behind such nasty behaviours. If you want an easy life, please read another blog. Please don’t complain to me that you are shocked at what the report states. Or that you are shocked at the way I’ve so crudely condensed the report.

OK. Here goes. Take a deep breath. And another one. Now, have a squint at these excerpts, which consider that the risks minors face online are complex and multifaceted and are in most cases not significantly different than those they face offline, and that as they get older, minors themselves contribute to some of the problems. In broad terms, the research to date shows:

• Sexual predation on minors by adults, both online and offline, remains a concern. Sexual predation in all its forms, including when it involves statutory rape, is an abhorrent crime. Much of the research based on law-enforcement cases involving Internet-related child exploitation predated the rise of social networks. This research found that cases typically involved post-pubescent youth who were aware that they were meeting an adult male for the purpose of engaging in sexual activity. The Task Force notes that more research specifically needs to be done concerning the activities of sex offenders in social network sites and other online environments, and encourages law enforcement to work with researchers to make more data available for this purpose. Youth report sexual solicitation of minors by minors more frequently, but these incidents, too, are understudied, underreported to law enforcement, and not part of most conversations about online safety.

• Bullying and harassment, most often by peers, are the most frequent threats that minors face, both online and offline.

• The Internet increases the availability of harmful, problematic and illegal content, but does not always increase minors’ exposure. Unwanted exposure to pornography does occur online, but those most likely to be exposed are those seeking it out, such as older male minors. Most research focuses on adult pornography and violent content, but there are also concerns about other content, including child pornography and the violent, pornographic, and other problematic content that youth themselves generate.

• The risk profile for the use of different genres of social media depends on the type of risk, common uses by minors, and the psychosocial makeup of minors who use them. Social network sites are not the most common space for solicitation and unwanted exposure to problematic content, but are frequently used in peer-to-peer harassment, most likely because they are broadly adopted by minors and are used primarily to reinforce pre-existing social relations.

• Minors are not equally at risk online. Those who are most at risk often engage in risky behaviors and have difficulties in other parts of their lives. The psychosocial makeup of and family dynamics surrounding particular minors are better predictors of risk than the use of specific media or technologies.

• Although much is known about these issues, many areas still require further research. Forexample, too little is known about the interplay among risks and the role that minors themselves play in contributing to unsafe environments.

What’s the key learning to this? In my view, it’s that internet service providers are going to struggle if they are to be considered solely (or principally) responsible for securing child safety. Greater safety is associated with parents assuming a greater degree of control over their offspring.

What’s this? Blame the parents rather than the internet? That’s a bit political and near the bone.

Shouldn’t need to do that....

Or should we?

The full report, and supporting materials, is available at

Friday 7 May 2010

Communications data retention to be kicked into the long grass?

Well, who would have believed it?

Just as I sit down with some of my chums to mull over the thorny question of how long phone and internet providers ought to be required to be forced to retain communications data, our Irish pals get leave to refer the whole issue to the big wigs at the European Court of Justice.

Many thanks to my great pal, Pat Walshe, for pointing out this article to me. It appeared in yesterday’s edition of The Irish Times. Without his ever watching eyes I would never have seen it. I've been especially busy recently. Yesterday I was pre-occupied with lots of stuff – which included being entertained by the sight of hordes of foreign television journalists, all vying for space on the shorter grass on College Green in Westminster, each reporting on the General Election. Prize for “Best booth” went to the BBC’s entry. Rather than just erecting a tent under which their hacks could broadcast to us in the dry, we licence payers forked out for a (temporary) 2 storey black-tinted glass walled studio. It looked just like a tinted version of the White House. And it looked wonderful, too. I bet it cost us a fortune.

Anyway, back to the plot. Read this:

THE HIGH Court has asked the European Court of Justice to determine if a European directive allowing the storage of telecommunications data for potential use by law enforcement agencies violates rights of privacy and communication.

The ECJ decision will have major implications for mobile phone users across Europe.

Given the rapid advance of technology, it is “of great importance” to define the legitimate legal limits of modern surveillance techniques used by governments especially with regard to telecommunications data retention, Mr Justice Liam McKechnie said yesterday.

“Without sufficient legal safeguards, the potential for abuse and unwarranted invasion of privacy is obvious.” The potential of “a prima facie interference” with all citizens’ rights to privacy and communications was “so great that a closer scrutiny of the relevant legislation is certainly merited”.

He was giving his reserved ruling granting a reference to the European Court of Justice, for a preliminary ruling, of issues concerning the validity of a 2006 EC directive (2006/24/EC).

The reference was sought in proceedings brought by Digital Rights Ireland Ltd (DRI), a non-governmental non-profit organisation concerned with promotion and protection of civil and human rights, particularly in the context of telecommunication technologies. The Human Rights Commission (HRC) is also involved in the case as an amicus curiae (adviser to the court on legal matters).

In its action against the Ministers for Communications and Justice, the Garda Commissioner and the State, DRI claims the defendants have wrongfully exercised control over data as they have illegally processed and stored data relating to DRI and other mobile phone users contrary to Irish and European law.

DRI claims the directive, intended to harmonise telecommunication data retention obligations across the EU, is invalid and in breach of rights under the EU and EC treaties, the European Convention on Human Rights and the Charter of Fundamental Rights.

DRI has also challenged the constitutionality of the Criminal Justice (Terrorist Offences) Act 2005 which requires telecommunications service providers to retain traffic and location data relating to phone communications and provides for access to such retained data for law enforcement and security purposes.

On grounds including that the impugned measures affect almost all of the population and the case raises important constitutional questions, Mr Justice McKechnie agreed to grant the ECJ reference.

DRI was a “sincere” litigant which had raised bona fide issues and had the required legal standing to bring a popular action to determine whether the impugned laws violate the rights both of citizens and companies to privacy and communications, including the right to privileged communications, he ruled.

The involvement of the HRC supported the proposition the case raised matters of fundamental public importance, he said. There was “a significant element of public interest concern” regarding the retention of personal telecommunications data and how this could affect persons’ rights of privacy and communication.

The precise wording of the issues to be referred will be decided after the sides have considered the judge’s ruling. The judge rejected arguments by the defendants that DRI did not have the required legal standing to bring the proceedings or should have to provide security for the legal costs of the proceedings.

All really interesting stuff. And many thanks to Pat for letting me see it.

Where does this take us in Blighty? A cynic (and someone running out of money to pay the data retention costs) might use this development as an opportunity to announce a delay on future investment in the UK data retention programmes until such times as the European Court had opined. It’s a cheap option, and one which leaves you with no negative brownie points. This seems to be an especially good option if you are a politician desperate to avoid anyone else hating you. The law enforcement community, aka the “boys in blue”, might not like it, but when was the last time a Home Secretary ever took their side against that of the Treasury?

We live in really interesting times, and I can’t wait to find out what the Home Office does when it gets to hear about what the Irish have done!

Watch this space.

Monday 3 May 2010

Google to be quizzed on its Streetview Wi-Fi database

According to those bright hacks at “The Register”, the (British) Information Commissioner’s Office is about to ask Google a few questions about the information its Street View cars have collected about Wi-Fi networks. Apparently, the Streetview fleet has been recording the MAC addresses and locations of Wi-Fi networks as they photograph national road networks - and the ICO only realised what was going on when a German regulator launched an attack on Google last month.

Peter Schaar, Germany's Federal Commissioner for Data Protection, is apparently "horrified" by the data gathering exercise. He has been demanding that the Wi-Fi database be deleted. But I'm relying on a journo for this information so Peter may be not have been as horrified as all that. Especially after all the other reported data scares in Germany over the past few years. He's a pretty rounded guy, actually.

Our set of regulators appear to be pragmatic, and have not yet rushed to diss the guys from Google. (Hey, we're all pretty streetwise in Blighty.) The ICO is trying to find out just how the data is being processed and used by Google. If the firm were just collecting details of what Wi-Fi networks covered particular public locations, then that seems quite innocuous. But if the database were also to contain details of the Wi-Fi’s security settings, then that could be a bit trickier to justify. However, if all Google are doing is merely collecting and using information that is publicly broadcast, it’s hard to know how those minded to will object. If we didn’t mind when Skyhook and Intel did it, (or if they ever have done it, of course, I’m reminded to say by my legal chums) then why should we bother when Google does it too?

Germany concerns may be more due to fears that a national database of Wi-Fi MAC addresses or network names could prove a boon to authorities tracking online activity. Similarly, easy look-up of encryption standards on Wi-Fi routers might be useful to investigators, or criminals. But are we worried that the British authorities get an equivalent tool to play with? We Brits are made of sterner stuff. We know how effective large databases are. And how easy they are to maintain. Especially when they’re designed for the public sector. I can’t see us losing much sleep over such a data grabbing exercise. We’ve got a recession. And a Government (in waiting) just waiting to impose draconian cuts in public spending. Will this scheme (if it exists) survive the Chancellor’s knife?

Not a hope ...

But what does interest me is how much smaller (and lighter) these cameras and Wi-Fi sniffing devices are getting. The first image was probably taken early last year. The second was probably taken late last year. How long before the device fits into the shiny top of a PC’s helmet?

Makes you wonder.

Then we may well see a new slant to the concept of “community policing”.

Saturday 1 May 2010

A hole in the logic ...

(with grateful thanks to Liza & Henry for the inspiration)

There’s been a breach of our data, dear Director, Dear Director,
There’s been a breach of our data, and your laptop has gone!

So fix it dear Martin, dear Martin, dear Martin
So fix it dear Martin, just tell me when it’s done.

With what shall I fix it? dear Director, dear Director,
With what shall I fix it? Your laptop has gone!

With encryption, dear Martin, dear Martin, dear Martin
Get encryption, dear Martin, just tell me when it’s done.

But I’ve no budget dear Director, Dear Director, dear Director,
I’ve no budget dear Director, Nor your laptop. It’s gone!

Then use training and awareness, dear Martin dear Martin
Use training and awareness. Just tell me when it’s done.

But I don’t think that’s the answer, dear Director, dear Director,
I don’t think that’s the answer. You know what you've done!

Then you must tell them, dear Martin, dear Martin, dear Martin,
You must tell all those affected. Just tell me when it’s done.

But I don’t know their details, dear Director, dear Director,
I don’t know their details. I know nothing of them.

Then look on my laptop, dear Martin, dear Martin
Then look on my laptop. That stuff is all there.

But someone's taken your laptop, dear Director, Dear Director,
You've caused a breach of our data, since your laptop has gone!