Trust and Security

Risk and Policy in the Real World

2008-12-19T09:35:00.002Z

Chandler Howell describes an interesting example of Risk and Policy in the Real World.

I have an interesting example of Policy actually making things worse for you all today. It’s not horrible, but it illustrates the point and I can talk about it, so I will.

Today someone asked me if I knew that one of the floors of a facility I visit from time to time is a “No Visitors” area. This is due to the fact that the marketing teams have product prototypes as well as all of their collateral and other materials displayed or in-progress on this floor. I had to confess that I did not realize that. Even worse, most of the people who don’t reside in the “No Visitors” zone, as well as some who do, also don’t seem to be aware of that fact.

Enforcement is, as you would imagine, non-existent. That would be rude, after all.

To make matters worse, not only is there is no access control (doors or guards), signage or other markings telling people that this floor is off-limits to visitors, but the canteen which is open longer hours than the main cafeteria (for coffee, snacks, etc.) is located on this floor. As a result, there’s a steady stream of people who, even if they are employees, really have no business wandering around this floor doing so at any given time.

So we have a situation where the people who need to display confidential information do so, safe behind the warm fuzzy blanket of their “No Visitors” policy. Everyone else wanders around their area in blissful ignorance that they shouldn’t bring their visitors through there on the way to the canteen.

My reading of this example is that Policy is being used as an ineffective patch for a failure of Architecture. In other words, there is a de facto physical architecture that involves visitors walking through this department, and an unenforced (and possibly unenforceable) policy saying they shouldn't.

If you want to protect the department, you probably need to change the physical architecture. Provide an alternative route to the canteen, and install enough barriers (like sleeping policemen) to discourage people taking short-cuts through the department. Or you move the marketing department to a different floor.

You still have the policy, but now the policy is used as a architectural design constraint rather than expecting the mere existence of a rule to alter people's behaviour.

Alternatively, you try to change the behaviour of the marketing department. After all, there are fewer of them. And they are the ones to whom it matters.

US Election 2008 - Trust

2008-09-24T05:55:00.004+01:00

Can the candidates in the US election trust their running mates?

Marc Ambinder, A Word on Trust (via Roadkill Refugee)

Chuck Todd says there is No Chemistry, No Trust between McCain and Palin (via BBC News)

CNN reports Palin's 'going rogue,' McCain aide says (via BBC News, Independent)

Barracuda: The Resentments of Sarah Palin (New Republic)

"I think Joe should have waited." (Barack Obama tells running mate Joe Biden to keep quiet)

US Election 2008 - Sincerity versus Authenticity

2008-09-23T17:18:00.005+01:00

(Where is my copy of Lionel Trilling's book? I thought I had one somewhere. Did I lend it to someone? Oh well, never mind, it'll turn up.)

I was just reading David Foster Wallace's account (in a book called "Consider the Lobster") of John McCain's 2000 campaign for the Republican nomination (against an opponent then referred to as "The Shrub"). Wallace (then writing for Rolling Stone) was far from being a supporter of McCain, but he was impressed by his personal qualities. It's difficult not to be impressed by McCain's biography - whether as a fantastic example of courage and fortitude or as a brilliant example of personal myth, or perhaps both.

So here's a thought. In the upcoming presidential election, Obama represents Sincerity while McCain represents Authenticity. Different kinds of truth.

A minority of voters might vote for McCain and Palin because they share their opinions and beliefs, but most Americans don't. The only reason McCain and Palin have the remotest chance of winning the election is because sackloads of American votes will be cast for who the candidates are, not for what they stand for. Megan Garber (Columbia Journalism Review) calls this the Authenticity Trap - " the West Wing logic of governance: that truth-to-self will somehow lead a president to effective leadership".

In contrast, people will mostly not vote for Obama because of who he is - a smooth Afro-American lawyer from Chicago with a foreign name - but because of what he (so eloquently) stands for. Adam Kirsch (New York Sun) finds Obama's book more authentic than Hillary Clinton's - but come on, how many American votes are going to be based on reading? (People didn't vote for Churchill because they'd read his books either.)

Perhaps more than any election in recent memory, this is the battle of the Enlightenment. The man who speaks from the heart for progress, hope and the American Dream against the man who was captured by the VietCong and will not tell a lie. George Lakoff (Huffington Post) thinks the Enlightenment frame isn't working so well for Obama these days, and wants the Obama campaign to stop reinforcing the Maverick frame for McCain.

Steven Shaviro has a rather different take on this. In More Electoral Ruminations, he contrasts Democrat hypocrisy with Republican cynicism, and avers that "It is not stupid to vote for McCain/Palin; rather, it is evil. Republicans are intrinsically, and necessarily, morally depraved."

Some of Shaviro's readers were shocked by this abrupt jump from the political discourse to the moral/ethical, so he tried to justify his position with a Note on Evil, claiming that Obama is the true follower of Kant, and resurfacing his argument (originally posted in 2004 - Nothing) that Kant's concept of radical evil applied exclusively to the Republicans.

For a much more coherent and compelling argument about the relationship between hypocrisy and cynicism, see David Runciman's new book on Political Hypocrisy. Runciman also finds for Obama, whom he compares with Lincoln, and quotes approvingly Obama's view that "It is only the politician who is able to speak his mind freely who knows when to compromise".

For a systems thinking view of the US election, see the POSIWID blog.

The Future of Cash

2008-07-12T15:46:00.003+01:00

Adam Shostack posts on The Recent History of the Future of Cash. He points out that the choice between cash and electronic payment systems is influenced by questions of trust. In some countries with high inflation, people don't trust cash. But people also don't trust complex and unreliable electronic systems.

Lack of trust increases transaction costs. If I am constantly on guard because of unexpected charges on my account - whether this is due to error or fraud, or simply because the service provider is pocketing a fee for something - then I may have to maintain transaction archives, or copy every transaction into a separate spreadsheet or database. Adam links to a post by Gary Leff, who prints out everything he can think of because he is expecting to be cheated out of some complicated deal on frequent flier miles. This kind of thing is symptomatic of the shallow and short-sighted version of the Support Economy.

Meanwhile, when I buy a book from my local bookshop, the shop accepts cash or debit cards. But if I use a card, the bank will take a cut of the transaction (from the shop). So I prefer to pay cash if I can: cash doesn't really cost me any more than card, but I prefer the shop to get all the money.

Some people feel safer just carrying a card, because cash can be lost or stolen. But which is the greater risk - being mugged by a drug addict in the street, or being ripped off by a major corporation? Different people balance those risks differently.

Plausible Denial

2008-06-20T17:26:00.002+01:00

In the annual Underhanded C Contest, programmers compete to construct code that looks innocent but does undocumented and devious things. One of the judging criteria is plausible deniability - which in this case means the ability to claim the error as a genuine mistake rather than a cunning trick. (Via Bruce Schneier)

In delegating stuff from an agent to a principal, plausible deniability can operate in either direction. Many well-known examples, both in real-life and in fiction, involve the principal denying knowledge or responsibility of the actions of the agent. For example, governments sometimes keeping the dirty details of espionage at arms length. Or well-known companies sometimes being strategically ignorant of the exploitation of child labour in their suppliers' factories, or turning a blind eye to short-cuts and risks taken by subcontractors.

But the programming example works in the other direction. It involves the agent (in this case a programmer) craftily subverting the intentions of the principal (the user of the program), while remaining "innocent" if the trick is detected. There are many situations in delegation and procurement where a dishonest agent or supplier can abuse trust with impunity. Even if the trick is detected, it can be passed off as human error, and probably forgiven and forgotten after a sufficiently charming apology and repair.

Shakespeare on Identity Theft

2007-11-27T13:58:00.001Z

On the Loss of Two CDs by Her Majesty's Revenue and Customs containing the Records of 25 Million Taxpayers and their Children.

Shall I compare thee to a string of digits?
Thou art more personal and more private.
Rough Humphreys doth quiz the Darling on Today,
And Gordon's lease hath all too short a date.
Sometime too close the eye of Google shines,
And oft is gold from banking accounts skimmed;
And every mother’s maiden name declines,
By chance, or nature's changing course untrimmed.
But thy perfect database shall not leak
Nor lose possession of that CD they sent;
Nor shall the hacker spam and phish and phreak,
When with eternal ID card thou went,
So long as cars have chips and streets have CCTV,
So long lives your identity, and this gives life to thee.

Sources: BBC News, The Register, Robin Wilton, Into the Machine.

Call Forwarding

2006-08-26T08:30:00.000+01:00

cross-posted to Innovation Matters blog

According to legend, the automatic telephone exchange was invented by an undertaker (Almon Strowger) who believed his business was being redirected to his competitors by corrupt telephone operators.

David Lazarus reports a vulnerability in call forwarding, whereby a fraudster persuades ATT to redirect a pizza parlour's calls to him. In this case, the fraud involved collecting credit card numbers, but as Lazarus suggests, this scam could also be used by a competitor to steal business.

Further comments on Bruce Schneier's blog, where greygeek points out the historical irony of the Strowger switch.

Fraud erodes the benefits of technological progress. What were the original benefits of the automatic telephone exchange? It was efficient, impersonal and less vulnerable to bribery and corruption. These are some of the benefits of the classic bureaucracy as identified by Max Weber - and many technological innovations provide similar benefits.

And now the benefits of Strowger's innovation are apparently reversed. Don't assume that technology progress is always onward and upward.

Security Trends

2006-07-30T01:34:00.000+01:00

Sean of F-Secure avers "that the lack of large virus outbreaks is evidence that the malware environment could be getting worse, not better". [Exploit Wednesday, via Emergent Chaos]

F-Secure does seem to have some evidence for the growing sophistication of malware attacks, and a plausible explanation for the fact that these attacks are less visible. But explanation is not evidence.

Point One. Even if visible attacks are decreasing, this doesn't provide conclusive evidence that invisible attacks are decreasing.

Point Two. The lack of evidence that invisible attacks are decreasing does not imply any evidence that invisible attacks are increasing.

But that's not quite what F-Secure says. F-Secure avers that the reduction in visible attacks provides evidence that invisible attacks could be increasing.

But this is rubbish. We don't need evidence for the possibility of increased attack; it's not something that requires evidence. What we want to know, which F-Secure avoids telling us, is some measure of what is going on. And F-Secure is not offering us any evidence that is relevant to this question.

This illustrates a general problem with evidence-based policy in risk and security matters. When preventative action is effective, it is often difficult to demonstrate its necessity. So security experts and vendors feel themselves obliged to talk up the (sometimes counterfactual) possibility of attack, without always being able or willing to present concrete evidence of the incidence of attack.

Technorati Tags: evidence-based risk security trust

Double Bluff 2

2006-07-11T18:27:00.002+01:00

Barry Briggs worries that the bad guys might get to scan our data, thanks to Passport RFID.

"Achieving international cooperation for RFID encryption would probably never work anyway, and of course there are those nations that would be fine letting the algorithms/decoding chips into the wrong hands."

Now, which nations would those be? In my post Double Bluff, I commented on the fact that the British security forces deliberately leaked some technologies to the IRA, playing a devious game they thought they could control. These technologies later led to the death of British soldiers in Iraq.

We can't even trust our own side to look after our own security, or to think through the consequences of their actions.

Collective Bargaining

2006-07-05T12:44:00.000+01:00

Collective bargaining used to refer mainly to wage negotiations in which the workforce negotiated collectively rather than individually - typically delegated to special representatives such as trade union officials.

Collective bargaining has always involved a pattern of collective mutual trust known as solidarity, often enforced by formal discipline or social pressure.

A new form of collective bargaining is emerging in China, known as team buying or tuangou, where gangs of customers arrive at a shop and demand high discounts. [source: Economist via Confused of Calcutta]

I wonder how these gangs enforce solidarity? Suppose the gang leader demands a 20% discount, and the shop offers a 10% discount. What if some of the shoppers are happy to accept this? Is there a collective decision process? If a few shoppers accept the deal that the majority has rejected, would this be regarded as a breach of trust?

Technorati Tags: shopping trust

Protection and Resistance

2006-07-05T01:40:00.000+01:00

Adam Shostack notes that business tactics can sometimes be compared to the mafia.

Identity Theft Protection (Eric Rescorla). "That's a great credit rating you've got there ... shame if anything happened to it" (Adam).

And legitimate business services can be used by the mafia.

Mexican kidnappers are in league with the insurance companies (Tyler Cowen). Columbian kidnappers pull your credit file from the credit agency to calculate optimum ransom (Alex Tabarrok).

Does this mean that some structural similarity with the mafia should be sufficient to reject some business innovation?

Net Neutrality. "FedEx would never suggest intentionally losing your packages. They also would never suggest tearing them open to see if there’s anything good inside. But Verizon and Comcast and a number of other broadband providers are gleefully declaring their intent to drop your traffic, starting with whatever you consider most valuable. This, they call "innovation". (Dan Kaminsky).

Many stakeholders clearly regard arguments against network neutrality, or proposals that undermine network neutrality, as a form of bad faith. For example, telecoms analyst Martin Geddes argues eloquently against network neutrality, tells his readers You Won't Like This, Not One Bit, and is rewarded with the following comment: "There is a special place in jail for people like you".

Of course it's natural to be suspicious of change. Even if the old Internet model was a myth, people may regard any kind of innovation as a breach of trust.

It't not easy to decide which innovations to trust. While superficial similarities to mafia practice make good rhetoric, they may not be the best basis for trust decisions.

Technorati Tags: business ethics innovation rhetoric trust

Naked Feet

2006-06-28T11:46:00.000+01:00

Two contrasting stories this week about employees taking stuff away in their shoes.

William Grzeskowiac smuggles coins out of the Royal Australian Mint. [Sidney Morning Herald, Bruce Schneier, Chandler Howell.

Vasily Nikitich Mitrokhin smuggles scraps of paper out of the KGB archive. [Wikipedia, Mitrokhin's book, Johannes Ernst]

Chandler makes a useful point about motivation, which probably applies to both examples.

"When assessing security, never assume that people share your priorities or value assessments–if anything, you would probably be better-served to assume they don’t."

And Johannes adds a comment on

"how professionals go about undermining whatever technologies and organizational models we are putting in place".

The security implications of these two cases should not be muddled by value judgements of the two situations. Many people might (exceptionally) approve of stealing from an organization if they disapprove of the organization, or if they think the organization has no ownership rights over the items being taken. But it's still the same physical act.

There is an additional trust issue in the Mitrokhin case. The CIA disbelieved the authenticity and value of the scraps of paper, but MI6 thought it worth protecting him and preserving his material. Why did he steal these documents? Because he had an attitude against his employer? Does this call their accuracy into question?

Meanwhile, the low-denomination coins stolen by Grzeskowiac were of limited value (to him), because they could not be used in such large quantities. Most of the coins were recovered from his mother's garage. Why did he steal them? Because he could.

Technorati Tags: security trust

Cheating 2

2006-06-19T12:36:00.000+01:00

[Update] Corrections to this post have been made for legal reasons.

Apparently there are two ways for American students to pay someone else to write their college assignments. The all-American way recommended by an outfit called EssayFraud.org, and the cheap foreign imports allegedly offered by other organizations.

EssayFraud suggests that essay-writers in other countries will not be as knowledgeable or literate as Americans, and may not be as scrupulous in respecting copyright. (Yeah, right.)

Daniel Nexon, on the Duck of Minerva blog, sees this as part of the FightBack Against Outsourcing. Of course, it's still outsourcing if you get a fellow-American to do the essay for you - even your Mom - but the real issue here is apparently off-shore outsourcing ("off-shoring").

Obviously EssayFraud doesn't explicitly encourage students to pass off outsourced essays as their own work. However, it is difficult to see why any students would be willing to pay anyone for "research" unless they were intending to commit some kind of fraud. (Is there a clue in the name of the company?)

And it is perhaps when people are intending to commit untrustworthy acts themselves that they are most vulnerable to being ripped off by others.

[Update] I should have made clear that Essay Fraud is a watchdog organization, which invites membership applications from bona fide American research organizations. Essay Fraud does not itself sell services to American students or have foreign competitors, but it appears to represent the interests of companies that do so. I apologize to Essay Fraud and its members for this misunderstanding, which I hope I have now corrected.

Links: Essay Fraud, Essay Fraud 2.

Cheating

2006-05-25T22:40:00.000+01:00

Alex Halavais has some advice on How to Cheat Good, and there is some further discussion on Bruce Schneier's blog Cheating on Tests.

One of the indicators of poorly executed plagiarism is a discrepancy of style.

formatting - for example, text inserted in a different font, size and colour
spelling - for example sudden instances of British spelling in an otherwise American text - or vice versa.
grammar - correct and complete sentences in an otherwise illiterate text
fog - sudden clarity and precision in an otherwise muddy stream of prose
logic - contradictory material pasted together with no acknowledgement

In my (thankfully limited) experience of marking student assignments, I have found that the students who commit one type of stylistic error are also prone to the others. And exceptionally weak logic is often enough to generate a very poor mark, even without definite proof of plagiarism.

I did catch two identical submissions last year. Two scripts contained a particularly striking piece of idiocy, which I recognized on reading it for a second time. I had to wade back through the pile of already-marked scripts to find the first one, because they hadn't been quite stupid enough to submit the identical scripts consecutively.

Many of the worst cases of plagiarism are executed so poorly that they reveal the incompetence, ignorance and stupidity of the writer. So perhaps teachers should just fail such students for incompetence and ignorance, instead of trying to convict them of cheating.

Technorati Tags: trust

Identity Differentiation

2006-05-25T14:37:00.000+01:00

Kim Cameron asks

"if there is some blood alcohol level after which informed consent no longer applies?"

According to an informal view of identity, there is some blood alcohol level at which you are no longer the same person. Can a sober person repudiate the past or future actions of his drunk alterego? Or vice versa?

I thought this would be a good opportunity to republish some of my earlier notes on Security and Identity and Signatures.

It is not unusual for decisions of trust to make a distinction between different identities of the same person. Let's say I have a friend called John. JOHN-SOBER and JOHN-DRUNK are two different identities, with recognizably different patterns of behaviour and risk. I am happy to lend my car keys to JOHN-SOBER, but not to JOHN-DRUNK.

If a person has a gun to his head, or his children are held hostage, his behaviour is likely to be uncharacteristic. ("You are not yourself today.") Signatures and voice patterns change under stressful conditions, including duress and torture. If this uncharacteristic behaviour is detected at a security checkpoint, then it might be appropriate to hinder a person's entry, until the identity difference is resolved.

This is about a difference in identity, not just a difference in behaviour. I am not refusing John my car keys because of his slurred speech; I am refusing them because he is drunk It may be his slurred speech that alerts me to the fact that he is drunk; but if he convinces me that his slurred speech on this occasion is a result of a visit to the dentist, I may let him have the car keys. Conversely, if he learns to speak normally even when drunk, I shall just have to find a different way to determine when he is drunk and when sober.

After his attempt to blow up the Houses of Parliament, Guy Fawkes was taken to the Tower of London and tortured to extract a confession. His signature - an important token of identity - degenerated under torture, and on his confession it is barely legible. There are serious questions about the validity and authenticity of confessions extracted under torture. The Guy Fawkes example indicates that the identity of the person signing the confession may be brutally transformed by torture, or perhaps even destroyed. We also know that identity and character may be tranformed by brainwashing - which we may sometimes regard as just another more subtle form of violence. In other contexts, identity may be altered by advertising or other modes of influence.

And can Hogwarts parents trust Professor Lupin with the care of their children? Not when there's a full moon. Remus Lupin has two identities - man and werwolf. As man, he is an excellent teacher. As werwolf he is a danger to himself and others. However, the werwolf identity manifests itself only at the full moon; at other times Lupin is perfectly safe. [Hogwarts Security]

Can "user-centric" identity deal with these cases? How does "user-centric" identity deal with context-dependent identity?

Technorati Tags: identity trust

Private Morality and Public Morality

2006-04-13T21:19:00.000+01:00

Interviewed by Joan Bakewell on BBC Radio Three (April 12, 2006), Dame Mary Warnock conceded that the Committee of Inquiry into embryology, human fertilisation and embryology (which she had chaired) had fudged the issue of posthumous fertilization. She said she had thought it might be arrogant of her to impose her own experience (as a posthumous child) onto the committee, so she had remained silent. Here is Bakewell's response.

[JB] Well no what it is, is of course you're using personal experience

[MW] Yes

[JB] to inform your own moral judgement, which of course is what we want everyone to do.

[MW] Yes

[JB] As long as they are truthful about it.

This is of course the exact opposite of what Warnock has just admitted doing. Bakewell takes the moral high ground here, and proceeds to give Warnock a sharp lesson in practical moral philosophy.

Earlier in the interview, Warnock had appealed to a distinction between private morality and public morality. Bakewell is now attacking (or at least disregarding) this distinction, and Warnock acquiesces.

[Transcript] [Audio]

Technorati Tags: belief

Profiling

2006-04-11T11:12:00.000+01:00

Scribe has identified some of The Problems with Profiling. He also contributed a comment to my recent POSIWID post on The True Motive for Identity Cards.

The first problem is that profiling (as currently practised) doesn't work. It produces too many false positives, and too many false negatives.

For example, simple profiling based on a supposed correlation between name and affiliation is going to produce a lot of anomalies.

Richard Rees doesn't have an islamic name.
Sharif Abdel Gawad (the Greek Armenian Christian recently selected as a BNP candidate) apparently does have an islamic name. [source: Guardian, April 8th, 2006]

And profiling based on a history of contact with known evil-doers doesn't work for new emerging clusters of evil-doers.

But of course, the problem isn't with profiling as such - it is with stupid and unimaginative and counterproductive profiling. Aha, so the solution is to have more extensive and deeper profiling?

But this just produces a deeper problem. For me, the most interesting aspect of Foucault's account of the Panopticon was not the impact on the prisoners, but the impact on the prison warders - and by extension on the society that employs them. And the more so-called intelligence goes into the Machine, the less intelligence is deployed by the real human beings with "intelligence" in their job titles.

Profiling is essentially an anthropological act - and requires all the intellectual caution and self-awareness that Bateson championed - first as an anthropologist, and second as a systems thinker. Steps to an Ecology of Mind should be required reading for policemen and spies. On second thoughts, maybe that's not such a good idea ...

Technorati Tags: trust security

Who trusts computers?

2006-04-04T08:44:00.000+01:00

When I first heard about the September 11th attacks, I thought someone had managed to hack into the aircraft systems. Turned out I was wrong. Actually, it's a relief to think that the only way to carry out this kind of atrocity is when the attacker is in the plane.

Bruce Schneier has picked up a story about Computer-Controlled Fasteners, which suggests that aircraft can be reconfigured remotely. According to the story, "everything is locked down with codes, and the radio signals are scrambled, so this is fully secured against hackers."

So that's all right then. Assuming we trust the computers. (Remember that attacks may not need real-time connectivity - merely a bit of malware that hides in the system until the opportune moment.)

So the security question is not whether the system is technically secure. There is also a risk that people will panic when a nut with a garage-door opener phones the airline and makes some specific threats. (Frankly, I wouldn't like to have the responsibility of clearing a plane for take off in the face of such threats.) Security experts are always telling us to design security in - but this obviously needs to include social attacks and fear as well as technical threats.

Technorati Tags: security trust

Network Privacy 2

2006-03-18T15:57:00.000Z

Following on from my previous post on Network Privacy.

Privacy and data protection are primarily understood in terms of facts about one person. But most of the facts we are really interested in (gossip, political scandal, dastardly deeds and worse) involve more than one person.

John Major and Edwina Currie
John Profumo, Christine Keeler and Yevgeny Ivanov
David Mills and Tessa Jowell - with possible connections to the prime ministers of Great Britain and Italy
Peter Mandleson and his friends, Cherie Booth and her friends
David Blunkett, Kimblerly Quinn and a two-year-old boy who cannot be named for legal reasons (ha!)
Simon Hughes, Mark Oaten, George Michael, ...
Jeremy Thorpe and Norman Scott
... and jumping from the amusing to the horrible ...
Soham murderer Ian Huntley and those who had made previous allegations against him
and so on ...

This is particularly true if we are rigorous about including provenance. An allegation against person A by person B is a fact about B as well as a fact about A. B's credibility (and any other allegations made by B, as well as links between B and any other people making allegations against A) may be relevant to the veracity of the allegation.

(If someone made an unfounded allegation about me, I should perhaps feel slightly more comfortable if this was stored in some database as an allegation, with a defined provenance, rather than as unvarnished fact or vague probability. And I should want anyone reading the allegation to be automatically presented with my refutation as well. See my post on Google and Spin, which discusses the Prince Charles approach to news management.)

Why are we more interested in facts involving two or more people? One reason is that it is relevant to trust. If a politician has failed to disclose a loan, this may be relevant to his/her public duties. This is where there starts to be a conflict between privacy and public interest.

Where does this leave Prince Charles and his diaries? The relationship between royalty and the newspapers has often been uncomfortable. In 1908, Kaiser Wilhelm II of Germany unwisely gave an interview to the London Daily Telegraph, in which he liberally insulted half the people of Europe. Surely the people (vox populi and all that) have a right to know if the Kaiser is an ass?

Network Privacy

2006-03-18T11:48:00.000Z

In his post on Social Cartography - Mapping the Electorate, Scribe reminds that it's not enough to have privacy and data protection at the individual level. We also need to consider the privacy of relationships between individuals.

There are many concerns about data protection and privacy at the individual level. (In his recent post on the Status of Privacy in the UK, Robin Wilton points out that Prince Charles used arguments based on confidentiality and copyright to protect his diaries, presumably because of a lack of adequate privacy legislation.)

But if we think about interpersonal privacy, this becomes much more complex, and raises some serious ontologicial and practical issues that privacy campaigners don't seem to be addressing. So I thought it might be useful to cross-post a few notes here.

Let's start with an incident that might be regarded as an example of breached privacy. John Major, former UK prime minister, was embarrassed by the publication of an autobiography by fellow (hrm hrm) politician Edwina Currie, in which she revealed details of a long-standing affair between them. His public response was ungracious and ungentlemanly. [BBC News, September 2002]

Privacy means that some data subject has some rights over some data.

What can the data subject do with the data? (e.g. publish, hide, preserve, alter, destroy)
What can other agents NOT do with the data? (e.g. publish, hide, preserve, alter, destroy)
What recompense is the data subject entitled to, in the event of any accidental or deliberate breach of these rights.

Data protection implies a set of mechanisms to support the rights of the data subject, to limit the actions of other agents, and to resolve any disputes. This raises a number of complex issues.

Ownership	Who ‘owns’ the data? Does a company own the data it has collected about a person? Does a person have any ownership rights over his/her ‘own’ data? What data (if any) are governed by the principles of data protection, and what data are not so governed?
Identity	There must be some reliable mechanism for matching the identity of the data subject with the identity referenced by the data. Furthermore, this mechanism should not itself represent an invasion of privacy.
Ontology	Many types of data reference multiple individuals. For example, data about a secret relationship between two individuals can be understood as belonging to the pair (which is a composite data subject). However, the very existence of this pair may be part of the secret.
Collaboration	If secret data belong collectively to multiple individuals, then any legitimate action over such data may require a collaboration between them. Of course, any individual named as a party to a secret relationship may seek individual recompense. It is not always clear what rights (if any) an individual has when details of a secret relationship are published unilaterally by one party.
Fiction / Libel	Reports of a secret relationship may sometimes be fabricated. Standing up for one's rights against libel or slander may involve reference to a pairing that was only brought into being by the libel.

Note - these issues apply to commercial relationships between organizations, as well as to sexual relationships between consenting adults.

Technorati Tags: privacy trust

Security Orientation

2005-12-21T17:57:00.000Z

Adam Shostack identifies Three Views of Software Security, which he calls orientations. So I wondered whether these could be mapped onto the four types of trust and mistrust, and whether that reveals a fourth orientation. But the mappings turned out to be a little more complex.

Orientation	Focus	Typical assessment	Type of Trust
Government	Assurance of quality, reliability, safety, and appropriateness for use	Commercial security products aren't good enough to be used. We are losing the security war.	Authority+Network: We are not getting adequate assurances of security - neither from centralized guarantors, or from the emergent power of the network.
Hacking	Tools and techniques of exploration and exploitation at the micro and macro levels	Unwilling to confer a positive evaluation on any product or technology vendor (especially Microsoft).	Commodity+Authentic: We hackers can usually engage more deeply with the product than the vendors themselves.
Economic	People are behaving rationally, if only we can understand their motivations	Few people ask whether products are secure, so there is little explicit demand for security.	Commodity+Network: Security (or its lack) emerges from the combined behaviour of rational actors.

There are several other possible permutations, but the orientation I want to encourage is based on Network+Authentic - combining a deep engagement with the (focal) practices of technical security with a broad and dynamic social base (process-driven, community-driven). Next question: how can we foster this orientation?

Technorati Tags: security trust

Trust and Notification

2005-12-14T12:10:00.002Z

Authentic trust implies openness. When conditions change (especially when adverse events occur) we may reasonably expect to be notified.

Here are some examples where a first-order trust issue (failure to maintain an expected state) is compounded by a second-order trust issue (failure to notify affected parties).

Identity Theft

Many examples have emerged recently in which personal data has been abused. One of the most notorious was ChoicePoint.

Some have argued that ChoicePoint cannot be accused of betraying the trust of the data subjects, because they had no direct contract or business relationship with these subjects in the first place. However, there seems to be a strong argument for transitive betrayal.

The secondary issue here is that of notification. Should data subjects be notified when their identity has been compromised or stolen? ChoicePoint received a lot of criticism about their notification policy as well.

Split Capital Investment

Chris Flitwick, who was at the centre of the split capital scam, has argued that the split caps were originally low risk, and that it was the investment practices of the fund managers that turned them into high risk. (I have described this elsewhere as an example of Bezzle.)

Such a radical change in investment practices itself might be regarded as a breach of trust, since it compromised the implicit proposition which many investors thought they had accepted. Some investors have argued that the investment companies have a duty of trust to maintain the original risk profile and bear the difference.

But in any case, if events and changing management practices turn a low risk into a high risk, surely there is a duty of trust to notify all stakeholders that the risk profile has changed and give them an opportuity to reconsider their investment/involvement.

Good Examples

In contrast to these examples, they are many companies that have been very prompt and effective at communicating with customers and other stakeholders. And this is a great way to build trust, because it shows two things. Firstly that you care about the people who trust you; and secondly that you understand the situation well enough to appreciate the possible impact on these people. This is a great basis for a trustworthy organization.

Ambiguity

2005-11-29T11:04:00.000Z

Adam Bosworth has just posted an excellent piece on Trust, Morality and Software Services, which cites some of the borderline ethical practices of (and potential threats posed by) leading internet and media companies - mentioning Friendster, Google, Microsoft, Sony, TiVo and Yahoo, among others.

In some cases, the threats come from ill-considered invasions of user rights by the company itself. In other cases, the threats may come simply from the accumulation of new forms of information, which become subject to official and unofficial snooping.

Some threats are pretty unambiguous, to the extent that we can identify their sources as hostile and malicious, bent on outcomes that are clearly criminal or worse. But it is the ambiguous threats (sometimes from companies that can afford to spend millions on legal fees and political lobbying) that may be more difficult to manage.

If a hacker tries to syphon a few dollars from my bank account this is clearly a criminal act. But if the bank itself syphons a few dollars from my account it is probably going to be hard for me to get this classified as a criminal act. (The bank can usually cite some vague service charge somewhere in the small print.) But the effect on my bank balance is much the same.

We often end up with a kind of shallow commodity trust. We accept the products and services of big companies because they are hard to avoid. But we have to remain wary of them.

Adam argues that "the only way to restore or create trust is by over time and repetition creating a pattern of ethical decisions". Yes, and this pattern must be clear and visible. Deep trust requires transparency and unambiguity. The ethical challenge for large companies is to maintain a strong trustworthy position across a diverse and complex marketplace.

See previous posts: Intrusion and Immersion and Unambiguous Threat.

Technorati Tags: ambiguity service-oriented trust

The power of acronyms

2005-11-18T17:06:00.000Z

Differences between initialisms and acronyms are likely to be apparent only to students of the more recondite reaches of lexicography. At least that’s what I thought until a day or two ago. Now I’m not so sure. Now I have an idea forming in which acronyms are tools of the powerful, used to manipulate hierarchical trust, for good or ill, while initialisms are merely trust-neutral onlookers.

Acronyms are shorthand for something beyond themselves. They are walled-off territories and, in themselves, not (necessarily) threatening. Though, of course, they can be. They have owners who not only own the acronym itself but, and here’s where the power lies, they own all its walled-in knowledge and its connotations. And since ownership determines context, use of the acronym is always what the owners decide it is. Thus, when someone talks of WMD, DU, and now, WP, everyone knows they mean what the Pentagon says and not necessarily weapons of mass destruction, depleted uranium or white phosphorus. Likewise, DEFRA (an acronym in initialism’s clothing if ever there was one) owns FMD, as opposed to foot and mouth disease. (POSIWID is an initialism. And a pretty wonderful one it is too given its capacity to get to a meaningful reality and expose nonsense for what it is.) So, I contend, an acronym’s POSIWID is the reinforcement of power.

Two recent bits of reading gave rise to this idea. The first came about after an email chat with Richard reminded me of a long-ago talk by J K Galbraith. (I searched out the transcript, it’s called The Economics of Deprivation: How To Get The Poor Off Our Minds. Community Care Fifth Annual Lecture, London, 24 January 1989.) I interrupted the second bit of reading to check the Galbraith stuff and, reading it, decided that how we get the poor off our minds today is by turning them into acronyms.

What I was reading that led me to this conclusion was a piece by Helen Epstein, a writer on AIDS. Telling the story of the political mileage that President Bush has got, and still gets, out of AIDS by ‘promising’ $15bn in 2003, Epstein uses some of the most appalling acronyms imaginable.

While purporting to help OVCs, orphans and vulnerable children, PEPFAR, the President’s Emergency Plan for AIDS Relief, spends most of its money in the US on development agency bureaucrats, consultants, medical expert workshops and funding anti-condom evangelists. Very little money reaches the OVCs, of whom there are some 12 million. Every cent of it that does, like all US aid, comes with tugs (I was going to write yanks but bravely forewent the pun) at the strings of power trust.

When I formulated, somewhat tongue-in-cheek, the version of Smith’s First Law that says The World Bank gets more out of poverty than poverty gets out of The World Bank, I based it on experiences in Africa a decade or more ago. I had hoped that things had moved on, but no: PEPFAR needs OVCs more than OVCs need PEPFAR, far more. That’s clear.

What’s even clearer to me is that power flows out the end of an acronym.

Reference: The Lost Children of AIDS, Helen Epstein, NY Review of Books, 3 Nov 2005, page 41.

Technorati Tags: trust

Science and Scientists

2005-11-15T13:14:00.000Z

Dilbert's first excursion into Intelligent Design, upon which I commented favourably in the Knowledge and Uncertainty blog, has provoked a large and often critical postbag. However, Dilbert has expressed himself carefully, with the intention of framing much of the criticism as confirming his thesis.

In his second excusion into Intelligent Design, he reiterates his point about science and scientists. Although he is inclined to believe in evolution, he is uncomfortable about accepting the authority of the men and women in white coats.

I’d be surprised if 90%+ of scientists are wrong about the evidence for Darwinism. But if you think it’s impossible, you’ve lived a sheltered life.

Let me say very clearly here that I’m not denying the EXISTENCE of slam-dunk credible evidence for evolution. What I’m denying is the existence of credible PEOPLE to inform me of this evidence. The people who purport to have evidence of evolution do a spectacular job of making themselves non-credible.

The public has often been disappointed by the men and women in white coats. Most scientists get funding from political or commercial sources, and may be subject to political or commercial pressure. We have frequently been assured of the absolute safety of various things, we have been told that there is "no scientific evidence" of any risk, only to discover later that this reassurance was at best incomplete. No wonder if many intelligent non-scientists reserve judgement.

Meanwhile, scientists themselves are indignant at such suggestions, and strongly resist the idea that scientific truth might be regarded as a social construction. Scientists are taught to present their findings using a dry and impersonal third-person rhetoric, as if to emphasize an idealized independence from worldly matters, and an absolute trustworthiness.

Dilbert has clearly touched a raw nerve. Why else would so much energy and emotion be invested in arguing with a cartoonist?

Technorati Tags: Dilbert science trust