Tech and Law

Verifying identity, identity relationships and identity cards

2010-03-10T23:13:00.002Z

I've previously emphasised the importance of verification (data dozen for privacy-protective identity management systems, and how identity theft can be facilitated by lack of proper verification).

An excellent article by English lawyers Nicholas Bohm and Stephen Mason on "Identity and its Verification" is well worth reading (via Bruce Schneier.)

While the article was triggered by proposals by the Council of Bars and Law Societies of Europe to introduce an "identity card" for European lawyers its scope is much broader, looking at what is "identity" and what's involved in verifying identity, with some general observations about identity cards.

Their conclusions:

"Those faced with the problem of how to verify a person's identity would be well advised to ask themselves the question 'Identity with what?' An enquirer equipped with the answer to this question is in a position to tackle, on a rational basis, the task of deciding what evidence will be useful for the purpose. Without the answer to the question, the verification of identity becomes a sadly familiar exercise in blind compliance with arbitrary rules.

In short, identity cards will not solve the problem of establishing identity relationships. Identity cards for lawyers will also risk creating costs, burdens and liabilities for lawyers and their professional bodies without conferring any countervailing advantage either on them or on society."

That last paragraph in particular of course applies to identity cards generally, not just ones for lawyers.

Social media - video of Polis "reality check" seminar

2010-03-09T23:19:00.001Z

Discussion of 4 March 2010 at London School of Economics between social networking experts Michael Pranikoff from PR Newswire, Molly Flatt from 1000 Heads and Tomas Gonsorcik from London Interactive, with Polis director Charlie Beckett.

Also of possible interest: my write up of a previous LSE discussion on the future of the internet with representatives from Google, Facebook etc (with link to MP3 of the discussion).

How to commit identity theft

2010-03-08T23:06:00.001Z

Bob Walder of Gartner recounts, from Gartner's Identity and Access Management (IAM) Summit, the true story of Bennett Arron who was the victim of identity theft:

"It all started with a mail-shot from a home shopping catalogue company to an old address, which allowed the unscrupulous person now residing at that address to place an order and open an account with the home shopping company. That credit account allowed him to acquire a mobile phone or two. From there it was not too difficult to open bank accounts and obtain credit cards – all in Bennett Arron’s name.

The end result was Arron, who had already given notice on rented accommodation to buy a house, failed to acquire a mortgage, couldn’t rent another property, couldn’t get a line of credit, burned through savings and ended up penniless and living with parents with his pregnant wife. It took him two years to clear his name, by which time property prices had tripled and he could no longer afford to buy a house anyway!"

Arron appeared in a documentary for Channel 4 where at a local shopping mall he social engineered 18 (out of 20) people to give him their personal details, credit card numbers etc, by pretending to be someone advising on the dangers of identity theft!

He also proved how easy identity theft can be, using the example of politician Kenneth Clarke. Walder reported that:

"Arron applied for a duplicate birth certificate in Clarke’s name, and within 3 days it arrived. Using that, he applied for a duplicate driving license from the UK Drivers & Vehicle Licensing Authority (DVLA), which took just a couple of weeks to arrive. As part of this process, the DVLA requested photographs for the license which had to be authenticated on the reverse with a statement from a trusted, non-family member that this was a true likeness of Kenneth Clarke. This Arron completed himself using a false name. Something of a root trust issue, here, I think….

Naturally, with a birth certificate and driving license Arron could have gone on to open various accounts, building up to bank accounts and credit cards. Scary stuff. One good thing came from this – it is now no longer acceptable to use a birth certificate as the sole means of ID when applying for a UK driving license. Wonder if they have plugged that photo certification loophole too?"

It's real life examples like these that bring home how our society has a very long way to go yet in protecting citizens against identity theft. A root trust issue, indeed. As I mentioned in my suggested Data Dozen of identity management for privacy, proper verification of the base information has to be the foundation.

"Cloud cloud maybe" video - cloud computing history as you've never seen it before

2010-03-07T09:51:00.001Z

Never mind the Gartner hype cycle, you know a topic like cloud computing has peaked when video takes on it start proliferating.

There was the Hitler spoof video on cloud computing security I mentioned recently, and now we have this rap-style video, stuffed full of cloud references, which is actually an ad by cloud provider Vembu Home.

It's a canter through the history of cloud computing rather than a parody, though given the title it seems like it's meant to be more a parody of Vanilla Ice's "Ice Ice Baby".

Trivia - that song landed Vanilla Ice in trouble as he had used a sample of the bassline from Queen's song "Under Pressure". The bassline here is rather similar, it even starts on the same note, so one hopes Vembu haven't made the same expensive mistake as Vanilla Ice! The last note of Vendu's bass riff actually differs by a tone, probably deliberately; let's hope for Vembu's sake it's enough…

Forrester's privacy heat map

2010-03-05T16:15:00.004Z

Interesting - Forrester's interactive privacy & data protection heat map (via Broadstuff) -

There's also a list view -

And how does the UK do? Not too well, caution...

The USA too -

Both those countries share the exclamation mark "government surveillance" warning with, well, the Russian Federation and China.

The Privacy Dividend - business case for privacy & data protection-friendly systems, & the financial value of personal data

2010-03-03T10:36:00.002Z

Today the UK Information Commissioner's Office is launching The Privacy Dividend: the business case for investing in proactive privacy protection - a paper commissioned in 2009 "which provides organisations with a financial case for data protection best practice".

Interestingly, it aims to provide a way to estimate the monetary value of "personal information", and the financial cost of data security breaches and data losses (emphasis added, footnotes omitted):

"The total value of personal information to the organisation may be hundreds, thousands or millions of pounds, but the data brought together in Figure S1 appears to suggest a typical commodity value per record is likely to be in the £10-£100 range. The value to other parties who do not have a legitimate interest in personal information appears to range from a few pence to £100.

From a person-centric viewpoint rather than an organisation-centric one, the value of an individual's own information could be much higher, typically in the £100 to £1,000 range per person. If we consider financial fraud, where there are data published, a recent UK survey10 suggests that the average financial loss per victim is £463. While any one individual person might be able to recover some or all of this loss, this will not always the case.

In addition to this loss, an estimate should include the time and expenses of the person affected, and other resultant non-financial harms… the average cost to the victim (the sum of their financial loss and the time and effort needed to correct the results) amounts to between £476 and £1,054, or say between £450 and £1,050. To this should be added an allowance, say £50, for the other expenses and potential harm effects not otherwise included, giving a total average value in the range £500 to £1,100."

There's even appendices with: Value of personal information calculation sheet (from perspectives of organisation, individual, other parties and society), Privacy failure costs calculation sheet, Privacy protection benefits calculation sheet.

On the basis that money makes businesses sit up and take notice, putting it in financial terms is a good approach.

From the ICO press release of 3 Mar 2010:

"The report explains how to put a value on personal information and assess the benefits of protecting privacy. It includes practical tools to help organisations prepare a business case for investing in privacy protection…

This report provides organisations with the tools to produce a financial business case for data protection ensuring privacy protection is hardwired into organisational culture and governance.

Practical tools to help organisations prepare a business case for investing in privacy protection include:
• Guidance on the steps involved in a privacy protection scheme to assess the costs and benefits
• Guidance on creating business cases for implementing a new system or changing an existing system
• Calculation sheets to assess the value of personal information and put figures to the business case."

The report was prepared by John Leach of John Leach Information Security Ltd and Colin Watson of Watson Hall Ltd, after feedback on their discussion document.

File-sharing software may expose your private health & other data

2010-03-02T08:15:00.000Z

It seems that "Healthcare professionals who take patient information home to personal computers containing peer-to-peer file-sharing software are jeopardizing patient confidentiality" because "some vendors use software containing dangerous sharing features", according to the authors of a study "The Inadvertent Disclosure of Personal Health Information through Peer-to-peer File Sharing Programs".

Prof. Khaled El Emam, Canada Research Chair in Electronic Health Information, and his team "used popular file sharing software to access documents they downloaded from a representative sample of IP addresses. They were able to access the personal and identifying health and financial information of individuals in Canada and the United States. The research for the study was approved by the CHEO ethics board…. During their research on this project, El Emam said he and his colleagues found evidence of outsiders actively searching for files that contain private health and financial data. “There is no obvious innocent reason why anyone would be looking for this kind of information,” stated El Emam. “Very simple search terms were quite effective in returning sensitive documents.”"

From the paper (emphasis added):

"We modified an open source peer-to-peer file sharing client to automatically search multiple peer-to-peer file sharing networks, and download and organize the files. This modified client performed a wild card search for all document files (Word documents, Outlook email files, PDF files, Access database files, and Excel spreadsheets). Whenever a match was found, the file was downloaded to a repository and its originating IP address recorded. The main networks that were targeted for search were FastTrack, Gnutella, and eDonkey. The specific tool we modified is called ShareAza… Files that came from IP addresses outside the USA and Canada were discarded…"

The paper also:

describes examples of peer-to-peer file sharing client features that encourage the inadvertent sharing of files (p.149), and
makes some recommendations (p.156) for managing risks from inadvertent disclosure from peer-to-peer file sharing clients.

The research was obviously only in a medical context, but it seems to me that if installing filesharing software on your computer exposes you to bad hat hackers searching your computer files for health information and (as the researchers mentioned) financial information, unbeknownst to you, it also exposes you to all sorts of other privacy intrusions too. Scary.

Fair use & take-down - dancing baby victory

2010-03-01T09:33:00.001Z

US mum Stephanie Lenz sued Universal Music for issuing a notice to YouTube to take down her video of her toddler dancing cutely (with Prince's song "Let's Go Crazy" playing), when, she argued, she posted the video for friends and family and the presence of the music in the video was fair use and hence she didn't infringe US copyright law. She claimed they issued the takedown notice in bad faith.

Reuters now reports that a Californian district court judge has granted partial summary judgment to Lenz, rejecting Universal's arguments that Lenz acted in bad faith with "unclean hands" in trying to sue them for damages.The Reuters report says:

"The case is important because it raises the question of whether a media company can be held liable for pursuing a takedown without a full consideration of fair use. The decision by the court last Thursday is very technical and examines damage claims under a statutory code that deals with liability when misrepresentations are made about infringing works online."

See also EFF page (who supported and assisted Lenz) - not yet updated in light of these developments, it seems, but the Wikipedia page about this case links to the full text of the judgement: LENZ v.UNIVERSAL MUSIC CORP. I've not had the chance to read it yet.

Art. 29 working party's priorities 2010-2011

2010-02-28T20:48:00.000Z

The EU article 29 working party on data protection and privacy have published their work programme for 2010 to 2011.

The strategic themes they will focus on are -

implementation of the Data Protection Directive and working on a future comprehensive legal framework (as to which see the article 29 working party's paper on the Future of Privacy)
globalisation
technological developments
enhancing the effectiveness of the art. 29 WP and national data protection authorities e.g. investigation and enforcement including harmonisation of DPA powers and co-operation
topical issues

- based on which they're working in particular on:

interpretation -

applicable law
purpose limitation
grounds for processing
(they've already issued their opinion on the definitions of "processor" and "controller")

implementation of the revised e-Privacy Directive
considering the impact of the Lisbon Treaty
Binding Corporate Rules, safe harbor, adequacy of third countries' regimes
international standards work e.g. ISO, the Madrid Declaration, OECD guidelines review
cloud computing
profiling and behavioural advertising
search engines and the "right to be forgotten"
social networking sites
RFID privacy impact assessments
financial matters
traveller data
updating WP80 on biometrics
possibly updating WP73 on eGovernment and ID management

They say they're available for requests for opinions by the European Commission and others notably on privacy by design, accountability, strengthening role of data subjects and other areas discussed in their Future of Privacy paper.

Internet privacy - New York Times article

2010-02-28T17:45:00.001Z

Good article in the New York Times on online privacy, taking the view (as I've always thought) that privacy notices are meaningless and quoting US Commerce Department official Daniel J. Weitzner as saying “There are essentially no defenders anymore of the pure notice-and-choice model".

While updating laws or regulations may be (part of) the solution, the article points out some potentially helpful tools being developed, e.g.:

real-time "privacy nudges" like onscreen alerts reminding users of privacy implications before they disclose certain info like birthdates online, and
interesting research showing people pay more attention or are more likely to respond to anthropomorphic (human-like) images, e.g. pictures of eyes instead of flowers

as well as anonymous "incognito" browsing as standard.

"Data controller", "Data processor" - art. 29 WP opinion issued

2010-02-27T18:20:00.001Z

The EU Article 29 Working Party have issued their Opinion 1/2010 on the concepts of "controller" and "processor" under the EU Data Protection Directive.

The concepts of "data controller" and "data processor" are very tricky concepts which can trip people up or get in the way, so the opinion is very well worth reading.

I've only just seen it and wanted to post this heads up, I've not read it yet myself.

Google privacy & opt-out

2010-02-27T09:51:00.000Z

Brilliant spoof video from satirical site The Onion, particularly funny after the Google Buzz privacy debacle -

Google Opt Out Feature Lets Users Protect Privacy By Moving To Remote Village

Genders that get ahead in law… or get a date…

2010-02-26T16:12:00.000Z

Queen's Counsel appointments are out, i.e. very senior court lawyers for any non-Brits readers, but the percentage who are women (15.5%) is pretty much the same as it was 10 years ago (list of successful applicants, stats by percentage only), in fact less in percentage terms than in 1998, which is disappointing.

I converted the figures into this graph, you'll see it's close to a flatline situation:

There's still clearly a glass ceiling, indeed a glass cliff for politicians & business executives; there's still a gender pay gap (US general research), and workplace gender inequalities endure; while in science it's been found that women researchers are less likely than men to get major career funding grants.

Even though there's little difference between the sexes in terms of math abilities, it seems that the work environment plays a big role in putting women off, at least in the case of computer science ("computer games, science fiction memorabilia and junk food"), though I guess that Star Trek posters aren't so much in evidence in law firms!

There's a clear need for more female QCs - not least because women need female role models to encourage them into a particular field, far more than men need male role models. However, it seems that unfortunately women as well as men support the traditional gender hierarchy:

"both men and women respond in a more hostile way to a woman who violates sex-role expectations, than to one who adheres to them. Secondly, that the more an individual supports social hierarchy in general (that some people should have more power and resources than others), the more hostile they responded toward a woman who violated sex-role expectations."

By way of light relief, on a far less serious note it also seems that if you're a female lawyer your chances of becoming Queen's Counsel are about the same as your chances of getting a date with a British man, according to a recent European survey by dating agency PARSHIP. See the tables below.

Clearly creative types come out tops as far as both genders are concerned. I don't know where developers and software engineers fit into this - "scientists", I suppose?

British men most want to date…

1 Artist, writer, musician - 46%
2 Doctor - 31%
3 Teacher & nurse 28%
4 Scientists & Academics 27%
5 Lawyer 16%
6 Advertising/Marketing 14%
7 Housewife 14%
8 Journalist 12%
9 Accountant 9%
10 Sales person 9%

British women most want to date a…

1 Artist, writer, musician 35%
2 Architect 30%
3 Doctor 28%
4 Lawyer 26%
5 Scientist & Academic 22%
6 Accountant 22%
7 Engineer/surveyor 21%
8 Teacher 16%
9 Advertising/Marketing 12%
10 Pilot 9%

Cross border authentication - security issues - ENISA report

2010-02-26T15:35:00.000Z

ENISA have been busy lately. They've just released a report on Security Issues in Cross-border Electronic Authentication (by Dirk Hartmann and Stephan Körting, HJP Consulting GmbH, 63 pgs), see summary.

These issues are clearly important given the EU goal of improving the interoperability of electronic identification and authentication systems with a view to enabling cross border management of citizens' identities, improving administrative efficiency, accessibility and user-friendliness, and reducing abuse and fraud as well as costs.

Their report analyses the current position (highlighting legal i.e. mainly data protection as well as technical issues), evaluating the security risks of electronic authentication in cross-border solutions by reference to 2 case studies (on which more below).

Not surprisingly, they conclude that data protection differences and the legal and contractual framework pose a challenge, but so do secure credentials, cross border authentication of system participants (service providers), the general security of online connections, technological differences, and agreeing a common security policy for (application-specific) electronic cross-border transactions.

The report looked at two projects offering cross-border authentication, as case studies:

Netcards/EHIC (European Health Insurance Card) - electronically readable European health insurance card to facilitate access to health care services for insured European citizens during temporary stays abroad, and
Stork (Secure idenTity acrOss boRders linKed) - pilot project to simplify administrative formalities by providing secure online access to public services across EU borders.

See also ENISA's Nov 2009 position paper on privacy & security risks when authenticating on the internet with European ID cards.

Data abundance - Economist articles

2010-02-26T13:23:00.000Z

The Economist magazine has a couple of short articles on:

the data deluge - including open data, data sharing, linking & data mining, data losses & privacy breaches, and recommending transparency, data breach notification and security audits with published results.
managing data & information overload - I like "data exhaust" better than "digital footprint", and the prediction that the sexiest job will be "statistician", i.e getting "wisdom" out of the mountains of data!

Hitler & Cloud Computing Security…

2010-02-26T09:51:00.004Z

A couple of days ago EU cybersecurity agency ENISA posted a video on cloud computing to go with their excellent late 2009 papers on the subject, namely -

Cloud Computing Risk Assessment (particularly good on privacy & security, legal issues as well as technical)
Cloud Computing - SME Survey
Cloud Computing Information Assurance Framework

I was going to blog that video but it seems to have disappeared behind a login screen for some reason. Hopefully they'll release it fully another time. Meanwhile, enjoy this video instead!

UPDATE - the ENISA video is now available! It "gives an introduction to ENISA's Risk assessment and assurance framework for cloud computing in the words of the experts who contributed to the report."

Behavioural biometrics / marketing - ENISA briefing

2010-02-25T09:10:00.001Z

ENISA Briefing: Behavioural Biometrics (by Giles Hogben, 10 pgs): "an introduction to the possibilities offered by behavioural biometrics, as well as their limitations and the main issues of disagreement between experts".

Particularly topical given the recent news about identifying people based on how they type, although behavioural biometrics, which includes gait and blinking pattern as well as keystrokes, voice or text style and, more subtly, ECG or EEG patterns, of course has benefits from a security & authentication perspective.

From the key points:

"Some behavioural biometrics, require specialised and sometimes highly obtrusive equipment which may be off-putting to users.
Other behavioural biometrics on the other hand offer a completely unobtrusive technique to identify or classify individuals. Such unobtrusiveness may be challenging from the point of view of collecting user consent, as required by law in many jurisdictions.
Data collected by behavioural biometrics may be used for secondary purposes which can involve the processing of highly sensitive data which may be inferred from the data collected.
Behavioural biometrics are vulnerable to several spoofing attacks."

The briefing also notes the overlap with behavioural marketing ("The same data which might allow the detection of anomalous behaviour for intrusion detection purposes – e.g. keystroke dynamics, haptic feedback etc..., could also be used to classify individuals for marketing purposes.") and the possibility of developing privacy-enhancing technologies to limit the exposure from collected behavioral profiles.

Links of interest 22 Feb 2010

2010-02-22T23:32:00.002Z

Not had time to blog much lately, so here are some links to recent developments of interest, in no particular order - and this is just what I've come across in the last 2 weeks or so!

Privacy & security

Your typing style could identify you uniquely - yet another way to identify an individual internet user through the cadence or rhythm of their typing, another weapon for the de-anonymisation armoury. See Ars Technica, CitMediaLaw comments.
10 information security tips for employees developed by ENISA "with the aim of focusing employees' attention on information security and allowing them to recognise IT security concerns and respond accordingly"
Tracking people - Autonomous Production of Images based on Distributed and Intelligent Sensing (APIDIS) system for tracking ball and players in sports matches "could also be useful for surveillance, when it could track groups of people on CCTV networks"
Forging passports (including British) to use in relation to an assassination is scary indeed. See Amberhawk, Reuters. (ID cards can be faked, techies knew that even if the UK government didn't seem to want to.)
Internet safety
- Child internet safety tips for parents & guardians - ENISA's 10 points, just issued.
- Social networking safety - the EU's general report and individual assessments of the safety of popular social media sites like Facebook, independently evaluated against the EU's Safer Social Networking Principles - e.g. see the report on Facebook.
Linking offline shopping behaviour to online ads - Yahoo & Sainsbury's Nectar make deal allowing online advertisers to target consumers based on their high street purchases, linking high street supermarket spending with the consumer's Yahoo! login (though it appears to be opt-in, at least) - IAB
Webcam spying - the stuff of movies, someone spying on you through your computer's webcam and mic, but a US school seems to have been watching students (and their families?) at school and and home using school-supplied laptops, and rightly have been sued - BoingBoing; the BBC have picked it up; Ars Technica say the school's backed down.
Ubercookies and identifying website users - Arvind Narayanan describes how "ubercookies" can be used to identify visitors - first, the history stealing and group membership correlating technique I mentioned previously, then more sophisticated attacks using what you share and other "footprint" traces you leave on the web; and next a bug in Google Docs (which Google said they'll fix) that lets sites identify you too.
Security - Chip & PIN cards can be used without knowing the PIN - Light Blue Touchpaper
DNA retention boo boo - 5 case studies submitted by Home Office to MPs to justify retention of innocent people's DNA were actually 4 with one being included twice… ComputerWeekly
ACTA (Anti-Counterfeiting Trade Agreement) negotiations -
- Ars Technica on the leaked internet chapter aimed at combating online copyright infringement
- Opinion of European Data Protection Supervisor - speaking up on the importance of privacy & data protection, and against "three strikes" internet disconnection policies. Out-Law report.
Government, business and social networking logins stolen through Kneber botnet virus - Reuters, ComputerWeekly
PleaseRobMe.com - lots of coverage of this site which aims to raise awareness that announcing your location publicly online, including the fact that you're not at home, may not be a good idea, particularly with the rise of location related services or games like FourSquare - BBC, TechCrunch
- Broadstuff: "I took one of the people on the first PleaseRobMe screen I looked at… and found their home address via a quick use of Twitter and Google. Took 5 minutes or so (the person was about the 10th I tried). You could fairly quickly build some algorithms to automate that mashup process".
People's locations & movements are predictable - study of "cellphone traces" showed that "regardless of whether a person typically remains close to home or roams far and wide, their movements are theoretically predictable as much as 93 per cent of the time." This USstudy made use of cellphone records collected for billing purposes and anonymised, but of course I wouldn't be surprised if someone didn't manage to de-anonymise them…
Top 25 programming errors that jeopardise security, updated. ComputerWeekly said New York State is updating its procurement terms (application security procurement language) to address these top 25 errors, with other states to follow. Will the OGC ensure UK government procurement requirements are updated too?
Google Buzz privacy debacle (exposing key Gmail contacts & Google Reader shared items to the world, etc) & complaints galore -
- It's like releasing crocodiles into a school! (Robin Wilton - though I think uncontainable "noxious vapours" may be a better analogy than crocodiles, perhaps…); Newsweek got in on the action too; and there's Google Buzz lets pervs stalk your kids, not at all good if someone called “iorgyinbathrooms” is following your child
- Cue complaint to FTC by EPIC (see complaint) and a class action lawsuit.
- See Arvind Narayanan on Buzz, social norms & privacy
- Oh, there was a security vulnerability in Buzz, too.
- Google added Buzz to their privacy dashboard but it should have been there from the start.
- But Buzz has its uses - tips & more tips
Data protection audits - the ICO will have more powers come April 2010 including auditing powers; they've issued for consultation a draft Code of Practice on Assessment Notices as to how they'd conduct audits. Out-Law report.
Model contractual clauses for transfer of personal data outside the EU - recently modernised. Helpful for multi-national businesses especially for subcontracting & out-sourcing. See Out-Law.
CV poaching - I didn't know this was going on:
- "…it turns out that the candidate fell victim to resume poaching; someone grabbed their resume and submitted the candidate without the candidate’s knowledge… the recruiter could lose out on a potential fill, the candidate can be disqualified by the client for shopping around (a scorched earth response – rather than attempting to sort out what happened, the client disqualifies any resume submitted more than once), and the client is put on the spot to intervene in a process they should never have been involved with in the first place…. If you do post your resume, anonymize it – make the recruiter come to you. Avoid using your LinkedIn profile as a resume (believe it or not, with enough detail an unscrupulous recruiter will just make the resume for you. The key is to just summarize your experience)."

Other mobile / comms stuff

BBC apps for iPhone planned, but objections come from the Newspaper Publishers Association and even (for different reasons) the Open Rights Group.
Apple is still tightly controlling iPhone App Store, now getting rid of "overtly sexual" apps. A designer swimwear retailer complained about "Apple's sexual crusade" removing their shopping app:
- "It seems like political correctness gone mad. It’s just women in bikinis, swimsuits and kaftans."
- (And by the way YouTube are now policing nudity too..)
Mobile apps generally - many global network operators, handset manufacturers and internet players have formed an alliance, the Wholesale Applications Community (WAC), to try to make mobile apps development easier and independent of user device or phone platform and "unite a fragmented marketplace". One way to fight back against Apple's App Store and its ilk..
M-banking or mobile phone "wallets" (transfer of value by mobile) are popular and helpful in developing economies like Africa - however, US consumers don't seem to like the idea of "wallet phones"
Skype's growing while international phone traffic is falling, but from a security viewpoint it seems large data files can be hidden almost undetectably in Skype VOIP calls. Presumably that's not the main driver for the increase in Skype's popularity!

Misc

Future of the Internet - Pew's 4th report released, including whether Google really is making us stupid, is the internet killing reading, is anonymity dead?
Domain names - ICANN study on Whois accuracy (not very), via Computing.

Photographing the police or public places - Met guidelines improved

2010-02-19T13:44:00.005Z

Summary of changes

In recent years it's been harder to take photographs in public places or to photograph the police in the UK, because some police officers have controversially used anti-terrorism powers to stop photography and/or delete pictures, whether taken by journalists or members of the public. This obviously curbs freedom of speech.

The good news is, sometime during the last week or so the London Metropolitan police changed their Photography advice for the better. (Their version last year had already been amended following criticism; these are further changes.) All this ought to apply to filming or videoing too.

The updated guidelines now recognise that:

It's important that the public and media have the freedom to take photos.
Police shouldn't delete images from a digital camera or destroy film without a court order.
What really matters is whether the info from the photo "is, by its very nature, designed to provide practical assistance to a person committing or preparing an act of terrorism".
It would normally be unlawful to arrest people photographing police officers in the course of normal policing activities, including protests - because normally there wouldn't be grounds for suspecting the photographs were being taken to provide practical assistance to a terrorist or intending terrorist.
While a police officer can ask why you're taking their photo, they can only do that "for a lawful purpose" and mustn't do it a way that "prevents, dissuades or inhibits the individual from doing something which is not unlawful".

Of course it's up to a court as to how to interpret the legislation, but the amendments to the guidelines can only be helpful to photographers and members of the public taking photos in public venues or at public events such as demonstrations.

I wonder if the improvements to the guidelines are related to the £5k the Thames Valley Police which had to pay out in Jan 2010 to a photographer who was arrested after trying take photos of a road accident, or the lawsuit by a film-maker who was handcuffed and detained after filming police officers on her mobile phone…- see the interview where she recounted her experience.

While it's good that the Met are now emphasising that the power to prevent photography of the police or in public places has to be exercised properly, they also need to make sure that officers on the ground understand what they can or can't do - as this incident last year illustrates. And while I agree that lots of police officer are very helpful and sensible people - and not just because I've had friends who worked in the Met! - officers in the street do need to be proactively kept informed by their superiors, especially about things as important as this.

There are however still issues with section 44 Terrorism Act stop and search powers being misused, e.g. the British Journal of Photography's report of Lord Carlile's Report on the operation in 2008 of the Terrorism Act 2000 and of part 1 of the Terrorism Act 2006, 18 June 2009 (para 196 onwards of that report also deals with photography).

The text of the changes

Here are the changes to the Met guidelines, for anyone interested -

Intro

One paragraph now reads (emphasis added):

"We encourage officers and the public to be vigilant against terrorism but recognise the importance not only of protecting the public from terrorism but also promoting the freedom of the public and the media to take and publish photographs."

Was:

"We encourage officers and the public to be vigilant against terrorism but recognise the balance between effective policing and protecting Londoners and respecting the rights of the media and the general public to take photographs."

Deleting images from digital cameras or destroying film

Now reads (2nd sentence is new):

"Officers do not have the power to delete digital images or destroy film at any point during a search. Deletion or destruction may only take place following seizure if there is a lawful power (such as a court order) that permits such deletion or destruction."

Section 58A Terrorism Act

Again emphasis added, bold bits are new, notes in italics:

"Section 58A of the Terrorism Act 2000 covers the offence of eliciting, publishing or communicating information about members of the armed forces, intelligence services or police where the information is, by its very nature, designed to provide practical assistance to a person committing or preparing an act of terrorism. [the bit in bold was added]

Any officer making an arrest for an offence under Section 58A must be able to demonstrate a reasonable suspicion that the information was, by its very nature, designed to provide practical assistance to a person committing or preparing an act of terrorism [was, "the information was of a kind likely to be useful to a person committing or preparing an act of terrorism"].

It would ordinarily be unlawful to use section 58A to arrest people photographing police officers in the course of normal policing activities, including protests because there would not normally be grounds for suspecting that the photographs were being taken to provide assistance to a terrorist. An arrest would only be lawful if an arresting officer had a reasonable suspicion that the photographs were being taken in order to provide practical assistance to a person committing or preparing an act of terrorism. [Was, "It should ordinarily be considered inappropriate to use Section 58a to arrest people photographing police officers in the course of normal policing activities, including protests, as without more, there is no link to terrorism."]

There is ["however" was deleted] nothing preventing officers asking questions of an individual who appears to be taking photographs of someone who is or has been a member of Her Majesty's Forces (HMF), Intelligence Services or a constable so long as this is being done for a lawful purpose and is not being done in a way that prevents, dissuades or inhibits the individual from doing something which is not unlawful.

Following these guidelines means both media and police can fulfill their duties without hindering each other."

Source

Note that the previous version's wording is taken from Google's cached snapshot of the Met's photography guidelines page as at 11 Feb 2010, so may have been updated to the latest by the time you click the link to the snapshot.

Digital Economy Bill - initial obligations code outline, draft Costs SI

2010-02-19T12:43:00.001Z

New on the Digital Britain website are papers on the Digital Economy Bill (see my redline showing the current Digital Economy Bill marked against the original version) including:

Outline of the proposed Initial Obligations Code which will govern ISP notifications to alleged file-sharers, discussing issues which might be covered by the code, such as:

Who can issue a CIR? (copyright infringement report)
Standards of evidence required
Timescales for submitting and actioning CIRs
What notification letters to ISP subscribers must contain
Copyright infringement lists
Code enforcement procedures
Appeals procedure
Possible grace period for ISPs

Draft Statutory Instrument - draft Online Infringement of Copyright (Initial Obligations) (Sharing of Costs) Order 2010 on the important issue of how much copyright owners must reimburse ISPs for notifications to their subscribers -for "notification costs" it's "a fixed sum [set by Ofcom] per copyright infringement report sent to any qualifying ISP", and there are also "qualifying costs" to be paid including in relation to subscriber appeals. Note that the draft is:

"designed to give an idea of how the cost issues could be approached. The proportional split included in the draft is a working assumption. Before laying the SI, we will conduct a full consultation"

Letter from Lord Young to Jack Straw regarding consumer complaints about threatening copyright infringement letters from ACS Law on behalf of copyright holders, whether owners may overstep the line in trying to pursue alleged infringements, and concerns about the standards of evidence expected under the Digital Economy Bill. (A proposed amendment and discussion in the Lords about "groundless threats" is here as the link in the letter isn't clickable.)

Via @digitalbritain.

De-anonymization illustrated; and guessing gender from web browser history

2010-02-18T11:22:00.001Z

Wise Woman's Words recounts a quick but telling practical experiment she did with some students, which brought home to them how easy it is to re-identify people from limited data about them (age, sex, country of birth, bachelor's degree program and city they graduated in - the last 2 she said were unnecessary).

What a good way to illustrate the point.

She also mentioned a site I hadn't come across, which peeks at your web browser history to guess your gender. (You'll recall from my blog about de-anonymisation through group membership that it's possible for sites to check whether you've visited specific webpages, through your browser history.)

With the browser I use the most at home, Chrome, it was accurate - especially as I visit all sorts of sites linked to in my Google Reader feeds via Chrome.

But it got it wrong with Firefox, Internet Explorer and Opera - too many computing and programming-related sites visited through those browsers, I suspect!

Transfer of EU banking data to US - interim agreement rejected

2010-02-11T23:19:00.001Z

The European Parliament today voted down the interim agreement on SWIFT allowing US authorities to access EU citizens' banking data due to "concerns for privacy, proportionality and reciprocity".

The timing of the signing of the interim agreement, literally just before the European Parliament were due to get greater powers in the EU, can't have helped either.

A new agreement with the USA will be negotiated (see the Commission's reaction), and meanwhile a Mutual Legal Assistance Agreement will be utilised to exchange financial data for anti-terrorism purposes.

Consent & revocation - EnCoRe paper

2010-02-10T23:56:00.001Z

The EnCoRe ("Ensuring Consent & Revocation") project, a UK inter-disciplinary research project into informational privacy which I've mentioned before in this blog (e.g. in the Data Dozen of Identity Management for Privacy post), have produced a paper "Technical Architecture for the first realized Case Study" (138 pgs).

This paper defines the EnCoRe Technical Architecture for a case study namely a hypothetical Enhanced Employee Data Scenario - the use by employees of an organisation of a Web 2.0-style service for work-related and personal purposes and its related consent management requirements.

Appendix A of the paper sets out some example Use Cases (e.g. employee gets hired, promoted, changes their personal data, gets demoted etc) and some general legal input (Data Protection Act 1998 and Data Protection Directive principles) on those use cases.

I've not had a chance to read it yet, but from the summary:

"The scope of the EnCoRe Technical Architecture for this first Case Study encompasses all the technical functions required for the management (including capture and revocation) and enforcement of individuals' consents that are pertinent to the Case Study's scenario. The technical architecture is the block-level design of the necessary technical system, at the level of functional blocks (i.e., software and service components) and the data flows between them and to/from humans, other technical systems, compliance and other business processes and regulatory environments. Its goal is to provide the basis for an EnCoRe reference implementation that validates the approach and the technology. To that end this document's approach is to start with contextual information and overviews, and incrementally refine the level of detail."

Transfer of EU banking data to US - Council issues declaration

2010-02-10T09:29:00.000Z

The Council of the European Union have just issued a declaration in defence of the interim EU-US Agreement on the Transfer of Financial Messaging Data for purposes of the Terrorist Finance Tracking (i.e. agreement to provide info on EU citizens' banking transactions to the US authorities).

This seems perhaps to have been prompted by negative press about the Agreement being signed just before the European Parliament were due to have more powers and more say upon the Lisbon Treaty coming into force.

Digital Economy Bill - with changes blacklined

2010-02-09T22:59:00.001Z

The Digital Economy Bill was reprinted yesterday, as amended in Committee in the House of Lords.

To help me figure out the agreed changes from the original version of the Bill, I produced a quick and dirty, very basic blackline (or redline, tracked changes or whatever you want to call it) of the amended Bill.

In case it's of use to anyone else, here it is, showing additions and deletions but not in colour (and not guaranteed to be 100% error free, of course):

Digital Economy Bill (as amended in Committee in the House of Lords 9 Feb 2010), showing changes from the originally introduced version of 20 Nov 2009

In relation to the internet access of suspected copyright infringers, you'll see the main changes are in:

5 Obligation to provide infringement lists to copyright owners
6 Approval of code about the initial obligations
7 Initial obligations code by OFCOM in the absence of an approved code
10 Obligations to limit internet access: assessment and preparation
11 Obligations to limit internet access
15 Sharing of costs
17 Power to amend copyright provisions - the most changes are here

There are other changes e.g. to the provisions on:

internet domain registries and
orphan works and copyright licensing

but from a quick skim no changes to the original provisions on video games or public lending right.