Friday, February 06, 2004

At the Mercury News: "California Secretary of State Kevin Shelley on Thursday announced measures to improve election security in the wake of a report describing how votes can be easily manipulated by hacking into an electronic voting system used across California."
Here's a novel way of alerting people to the privacy invading information trails we leave behind when using modern technology -

"Visitors to an art exhibit at the Pittsburgh Center for the Arts got more than their martinis when they ordered drinks at a bar inside the gallery's entrance. Instead of pretzels and peanuts, they were handed a receipt containing all the personal data found on their license. Some patrons also got receipts listing their phone number, income range, marital status, housing value and profession. For added effect, the receipt included a little map showing the location of their residence.

The magnetic strips and bar codes on the back of most state's driver's licenses contain more information than people think. The way the swipers use the information might surprise them as well: Some bars and restaurants scan driver's licenses to catch underage drinkers and fake IDs, but they're also using the information for marketing purposes.

Last year artists and producers Beatriz da Costa, Jamie Schulte and Brooke Singer built the Swipe exhibit in Pittsburgh to show what's on the cards we all carry. "
Erica Wass editor and contributing author "Addressing the World: National Identity and Internet Country Code Domains", (Rowman & Littlefield, October 2003) has a nice article on the .kid.us domain name space mandated last year by the US government.

"Ironically, it is the characteristics that make the .kids.us space remarkable that also create its uncertain future...

...the space is governed by two principal documents: a content policy and a governance policy. The content policy document defines the thirteen areas of content that are restricted from appearing in the space...Sites within .kids.us cannot link to sites outside of the .kids.us space; they also cannot incorporate interactive communications like chat rooms, instant messaging, discussion boards and e-mail...

...the majority of those who have registered sites have not yet made it through the content review processes. Despite having registered about 2,000 .kids.us domains, only seven have been activated...

The incentive to create a site within the .kids.us name space appears clear; it is a space directed toward children. It is a space created to enable children to be safe while surfing the Web. Many owners of sites directed toward children are now forced to reconcile this honorable goal with financial and theoretical concerns...

When Carol Myers, the owner of Stnicholas.kids.us, registered the domain, she already had developed a site at stnicholascenter.org and its .com variations. She says she wanted to be a part of the .kids.us space because she believes that parents should be careful about the media influences on their children. As a result, she paid $126 for each .kids.us name she registered, as well as the $250 per name content approval fee. She also bore the more hidden costs of hosting and design changes to fit the .kids.us regulations. "It is a big commitment, actually, to develop and maintain two sites," she says. The result, she says is that the kids.us site will be much more static than her main site. Myers worries that other non-profit sites, churches and other organizations that have a few excellent pages for children will not go through the hassle and expense of putting them on .kids.us...

Indeed, the restrictive linking and interactivity policies seem to turn a rich communications medium into just another example one-way communications. Why should children turn to the web, when they can access games on CD, video on TV, and text in various print media. While it is true that the ability to freely communicate can engender abuse, and, therefore, possible danger to children, it also enables a different type of learning and involvement. While such restrictive policies may provide protection for children, it also may insulate our children from the benefits of communicating online in a variety of ways with the rest of the world. "

Food for thought.
Today the EU is celebrating "Safer Internet Day."

"This event focuses on children's rights to a safer Internet as part of the European Commission's Safer Internet Programme. It showcases existing safer Internet projects, videos and awards developed with the backing of the programme. These programmes involve actors from the private, public and voluntary sectors. Safer Internet project members have contributed to several remarkable achievements. In October 2003 a worldwide child-porn ring was broken up following a tip from the Internet hotline association INHOPE. In November 2003 the new Internet Content Rating Association content filtering platform ICRAplus was launched. Events will be staged simultaneously in 12 European countries (Denmark, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, Netherlands, Norway, Spain, Sweden, United Kingdom), as well as in Australia. These events involve public authorities, the Internet industry and hundreds of other organisations. "

According to the Washington Post, "The Pentagon has canceled plans to collect votes over the Internet from military personnel and civilians abroad for this fall's presidential election because of security concerns"

Apparently the system will still be used for a test but the votes will not be counted officially. The Pentagon have some very very smart people and it looks like they have won the argument on this. Good for them. As Avi Rubin said, "It's all the credit to them for inviting us onto the security panel when they anticipated we would say negative things about it, and then taking our advice that seriously. It's really incredible."

Wednesday, February 04, 2004

CNET have published a recent essay by Bruce Schneier, which they've called "Slouching towards big brother." More sensible thoughts.

"Security is a trade-off. It makes no sense to ask whether a particular security system is effective or not--otherwise you'd all be wearing bulletproof vests and staying immured in your home."

Tom Paine's tuppence worth of common sense on the problem of rewarding creators and producers at the centre of the knowledge economy?

"My prediction is that the balance will be found in new technologies that will be able to extract a small fee from each of a very large number of consumers all over the world who want to hear or see or otherwise make use of some creation. When added up, these fees will give innovators enough to compensate them for their efforts, while at the same time giving consumers access to all sorts of new creative products very cheaply. And all this without lawyers. "

I wish I could believe he was right about the lawyers.
Update: Out-Law are reporting on the Privacy International report mentioned earlier.

"EU accused of failing to protect air passengers' privacy"

It's a nice summary of how we got to the current situation between the US and the EU with the airlines caught in between.
Privacy International in cooperation with the Foundation for Information Policy Research, Statewatch and the European Digital Rights Initiative have just published a report on the air travel privacy issue. The report is called:"Transferring Privacy: The Transfer of Passenger Records and the Abdication of Privacy Protection" and is to be the first report in a series Privacy International call "Towards an International Infrastructure for Surveillance of Movement."

They accuse the European Commission of intending undermine the privacy rights of air travellers, systematic deception and subterfuge in relation to the promise to take a hardline on negotiations with the US over transfer of passenger data and covertly planning an EU surveillance system which "will be used not only for purposes of anti-terrorism, but also for immigration, law enforcement and customs" and a global air travel sureveillance system similar to the one being built by the US.

Privacy International are also calling for an investigation into these affairs by the European Parliament and for legal action against the Commission "to ensure that
this dangerous subterfuge does not occur in the future."

Pretty strong stuff.

Bruce Schneier is crystal clear as ever on "IDs and the illusion of security" over at sfgate.com.

"Everywhere, it seems, someone is checking IDs. The ostensible reason is that ID checks make us all safer, but that's just not so. In most cases, identification has very little to do with security...

...verifying that someone has a photo ID is a completely useless security measure. All the Sept. 11 terrorists had photo IDs. Some of the IDs were real. Some were fake...

...Harder-to-forge IDs only help marginally, because the problem is not making sure the ID is valid. This is the second myth of ID checks: that identification combined with profiling can be an indicator of intention.

Our goal is to somehow identify the few bad guys scattered in the sea of good guys. In an ideal world, what we would want is some kind of ID that denotes intention. We'd want all terrorists to carry a card that says "evildoer" and everyone else to carry a card that said "honest person who won't try to hijack or blow up anything." Then, security would be easy. We would just look at people's IDs and, if they were evildoers, we wouldn't let them on the airplane or into the building.

This is, of course, ridiculous, so we rely on identity as a substitute. In theory, if we know who you are, and if we have enough information about you, we can somehow predict whether you're likely to be an evildoer...

"Profiling has two very dangerous failure modes. The first one is obvious. Profiling's intent is to divide people into two categories: people who may be evildoers and need to be screened more carefully, and people who are less likely to be evildoers and can be screened less carefully.

But any such system will create a third, and very dangerous, category: evildoers who don't fit the profile...
...Profiling can result in less security by giving certain people an easy way to skirt security.

There's another, even more dangerous, failure mode for these systems: honest people who fit the evildoer profile. Because evildoers are so rare, almost everyone who fits the profile will turn out to be a false alarm...

...Security is a trade-off; we have to weigh the security we get against the price we pay for it. Better trade-offs are to spend money on intelligence and analysis, investigation and making ourselves less of a pariah on the world stage...

...Identification and profiling don't provide very good security, and they do so at an enormous cost. Dropping ID checks completely, and engaging in random screening where appropriate, is a far better security trade-off. "

Can't fault Schneier's analysis on security. And the UK government could learn from this - the latest inquiry will presumably ultimately blame the intelligence community for the war in Iraq. Then there will be a 'review' and re-organisation of the intelligence services and more laws mandating blanket collection of personal data, which already overstretched law enforcement and intelligence services will somehow extract relevant information from. They'd be better off listening to Schneier - Better trade-offs are to spend money on intelligence, analysis and investigation.
Technology companies including Intel, Nokia, Panasonic, Matsushita, and Samsung are due to launch a new wireless DRM specification via the trade group the Open Mobile Alliance (OMA). They are also creating a non-profit licensing agency, the Content Management License Administrator, (CMLA), to promote the scheme. Toshiba has backed out and though Microsoft is a member of the OLA, they are not part of the new licensing scheme.
There was some interesting discussion on blogs at a recent meeting of the All-Party Parliamentary Group for
e-Democracy. Especially clear contributions from Tom Watson and Tony Benn.

Watson, MP for West Bromwich East, said he's exploring the use of blogs:

to encourage participation and agenda setting;
as a tool for civic action;
as tools to promote accountability and transparency;
and as a political weapon.

He's found out about RFID tags through his blog and managed to galvanise his local Lidl supermarket to clean up the litter problems it was causing.

Tony Benn said ‘Anyone serious in politics has to take communication seriously’ and blogs gave the opportunity to deal with lies directly and quickly, ‘truth can get its boots on a lot faster!’

Monday, February 02, 2004

Diebold Systems are in the e-voting wars again. This time the systems in Maryland come in for some criticism from security experts commissioned to assess them.

The SCO website has been taken down by the MyDoom virus, according to the NYT.

The Lambert Report on University-Business collaboration on research and technology transfer was published just before Christmas. I didn't read it in detail at the time because it was accompanied by the usual PR and platitudes about how it would be a good idea if there was greater cooperation and how it was inherently a good idea etc.

It does have some interesting things to say about intellectual property in the context of university-business research collaboration, however. Things that were not included in the general pr accompanying the report when it was published.
http://www.hm-treasury.gov.uk/media//EA556/lambert_review_final_450.pdf

Section 4 covers the IP issues.

Whilst recommending that UK universities be more active about filing and exploiting patents and commercialising their IP, it suggests that IP is never going be a major direct revenue generator for universities. It cites the cases of MIT, Yale and Stanford in the US as institutions which started out with expectations of high earnings from market exploitation of their IP but which have now changed their objective for engaging in technology transfer to improving the "public good."

Some quotes from the report:

"A warning: the impact of technology transfer on the direction of research - whether it be towards short term applied or long term research - needs to be monitored carefully."

Cited barriers to commercialising university IP:
"copyright law is a big barrier to research collaboration between universities and the private sector...."

There were "too many lawyers involved, and too much time wasted" in trying to sort out IP ownership issues between industry and universities.

The FT apparently have an article on it today but their site was down when I tried to access it.

Amnesty International have criticised Microsoft and Cisco for selling technology to the Chinese authorities which is used to facilitate civil rights abuses, according to the Observer.
'[Microsoft] should be more concerned about human rights abuses and should be using its influence to lift restrictions on freedom of expression and get people out of prison. It is worrying that they don't seem to have raised these issues.'

But then again the free market is amoral and does not require companies to police the uses to which their products are put. Smith & Wesson are not held responsible every time one of their guns is used to kill a police officer or an innocent bystander.

I've been avoiding commenting on the Hutton Report. Lots of other folk are doing so in a much more enlightening way than I ever could. My Open University colleague, John Naughton is one.