Sunday, 25 May 2014

The non-existent personal-data control-shift

DMossEsq's millions of readers may have got the wrong impression of Ctrl-Shift – "The opportunities for organisations arising from a new personal information economy are game changing. Ctrl-Shift is the world’s leading market analyst and consulting business helping organisations to capitalise on these opportunities".

Control shift
Ctrl-Shift have the Department for Business Innovation and Skills (BIS) as a client, among others.

They have an encyclopaedic knowledge of the apps market: "Tallyzoo, a service dedicated to self monitoring, allows users to measure anything from their caffeine intake to the number of times they cut their grass".

They have a social scientist's grasp of psychology: "There is further investment in the quantified self space as Canadian company Retrofit announces $8 million in new funding ...".

They have an admirably unquenchable belief that they are expert in modern marketing techniques: "Users collect data using a mobile device or website program which creates interactive flashbased graphs enabling them to spot trends and patterns in their consumption habits, work, health and fitness goals".

And they promote economic theories which DMossEsq has been unkind enough to label "mooncalf economics" but perhaps it's better simply to refer to them as hypothetical: "Ctrl-Shift’s research finds that the market for these new streams of information [caffeine intake, mowing the lawn, that kind of thing] could grow to be worth £20bn in the UK over the next ten years".

But their output isn't all ditzy. Sometimes Ctrl-Shift write something recognisably tethered to the planet. To wit, Trust frameworks: harnessing trust in an information economy.

Trust frameworks
They are addressing the concerns raised about massive data-sharing. The sort of data-sharing that Francis "JFDI" Maude is promoting and Stephan Shakespeare and Tim Kelsey. The sort of data-sharing that supports Google, Facebook and others in a lavish life-style. The sort of data-sharing that destroys privacy and which can lead to identity fraud.

People don't like it. We put up with it. Sometimes there's no alternative – if you want to buy an airline ticket you just have to hand over your passport number. Sometimes we even connive in it, not least because Google and Facebook, for example, are "free" as far as most of us are concerned. But we don't like it.

Better, Ctrl-Shift say, if the trade in personal data was conducted within "trust frameworks" where we could all keep our personal data under our control.

With their characteristic candour, Ctrl-Shift open the main body of their report by saying: "There are no agreed definitions of what a Trust Framework is or does". Trust frameworks, they say, are a bit like "Kitemarks, Codes of Practice and Standards".

The governing body of a trust framework needs to be able to enforce the code of practice that participants subscribe to. But how? Ctrl-Shift identify the problems. Among others, the failure of the Data Protection Act: "Interestingly none of the frameworks Ctrl-Shift has looked at so far base their enforcement/compliance measures on existing data protection regulations". But no solutions.

Enforcement costs money. How is it to be paid for? Everything is still up in the air. The best Ctrl-Shift can say is that "as the market develops we would expect to see a wider variety of commercial models being developed and deployed".

And that's it. For the moment, according to Ctrl-Shift, there are no effective trust frameworks to contain the trade in personal data. They remain undefined, the basis for enforcement is unknown and there's no settled way to pay for them. There's no reliable button to press, box to tick, handle to turn ... and out pops trust.

Mydex
All of which must come as a shock to Ctrl-Shift's sister company, Mydex: "Our mission is to empower individuals, to give them personal control over their personal data".

How can Mydex grant people control over their personal data? Through a trust framework. That's what they say: "The Mydex Trust Framework is a set of legal and technical rules by which members of a network agree to operate in order to achieve trust online".

And how can Mydex enforce the "set of legal and technical rules by which members of a network agree to operate"? They don't say.

Because they can't? That's the inference. Which undermines trust in Mydex's claim. The very trust the framework is meant to create.

Mydex is a member of tScheme, "the independent, industry-led, self-regulatory scheme set up to create strict assessment criteria, against which it will approve Trust Services", and they sometimes give the impression that they have been certified trustworthy by tScheme, see for example midata – the service you can trust and RIP IDA – JFDI and the Black Pencil. But they haven't been certified. They haven't even applied for certification.

That undermines trust not only in Mydex but also in midata, a BIS initiative which depends on Mydex. And it undermines trust in the Government Digital Service's identity assurance programme (IDA), which also depends on Mydex, as a so-called "identity provider".

This "empowerment" that Mydex are offering to "individuals". It's based on trust which doesn't exist. And it's based on enforcement that doesn't exist. So the empowerment doesn't exist. So the midata prospectus is a false prospectus and so is the IDA prospectus.

Some of us have been trying to tell Mydex that for years. The control shift Mydex offer is not in their gift and can't be delivered. Now Ctrl-Shift are telling them as well.

----------

Updated 28 May 2014

DMossEsq's copy of Ctrl-Shift's weekly Market Watch turned up yesterday. Always entertaining, you are enjoined to sign up for it.

Marketing experts vie with each other to devise the most guru-like epigram.

The competition is usually won by Peter Vander Auwera. Talking of the ocean of data now available, he once assured us that:
We are a species from the land that have to learn to live in the ocean. Like camels that used to live in the desert, that now have to survive in the ocean ...
There is a new contender, though, Hugo Pinto, who came up with this at Ctrl-Shift's recent Personal Information Economy summit:
The value exchange is the trust serum of the data driven economy.
Think about it.

Anyway, this is what Market Watch had on the menu yesterday:
  • Google acquires Divide, an app that separates personal and professional data on your phone - IBNLive
  • Banks trump government on public trust over personal data | Guardian Professional
  • Call for ‘privacy charter’ to protect personal data online - Computing
  • Your banker wants to know if you are pregnant - Forbes
  • Facebook in new privacy push - The Telegraph
  • Internet ‘Do Not Track’ system is in shatters - Computerworld
  • Looking for opportunity in smart devices? Start with the user - Forbes
  • Reading privacy policies lowers trust - Science Daily
  • The Internet of you - MIT Technology Review
  • Why companies should compete for your privacy - Harvard Business School
Note that third item, the call for a "privacy charter" to protect personal data on-line. We're still having to call for such a charter. It doesn't exist. This is serious. There is no trust framework for the personal information economy. As everyone including Ctrl-Shift keeps trying to tell Mydex.

Updated 9.6.14

The venue for the unveiling of Ctrl-Shift's report has at last been announced – KPMG, 15 Canada Square London E14 5GL, 9:00-16:15.

What will the bigwigs of KPMG, HRG, Atkins, Aurora, Bank of America, Lloyds, Barclays and NIST make of it?

Remember, "value exchange is the trust serum of the data driven economy", see above.

And what will they make of the Government Digital Service's 10-minute presentation on IDA, the non-existent identity assurance service?


Updated 12.8.14

The 7 August 2014 copy of Ctrl-Shift News arrives and this time it includes an interview with David Alexander, the CEO of Mydex.

Ctrl-Shift and Mydex are closely associated companies. David Alexander is pretty well interviewing himself. Not that you'd know it from the text.

Mydex is a new sort of company, he tells us, a community interest company (CIC), where individuals become the centre of the circles in which data about them moves, under their control. Actually, if you look at some of Mr Alexander's other presentations, what you see is Mydex at the centre, not the individual, but let that pass for the moment.

How do Mydex claim to empower individuals in this way? According to Mr Alexander, by providing a platform and a trust framework:
The CIC structure was the only way it could work from what we could see, it was all about Trust, everyone had to trust the platform, individuals and organisations. It had to take itself out of the game and create the place where it could all happen safely and securely. We felt this would create a halo of trust for the individual and everyone involved.
A "halo of trust"? He really should talk to Ctrl-Shift about that. There are no trust frameworks. That's what Ctrl-Shift said, see above. And certainly no halos of trust. And so there is no empowerment on offer.

It's not just Ctrl-Shift who believe that there's no such thing as a trust framework. Take a look at this:
Handing over competition sensitive, Personally Identifiable Information (PII), or related Intellectual Property information to a Cloud Provider is indeed an exercise in extreme trust without the ability to independently verify Cloud Provider coherence to purported security guarantees, controls, and associated contracts.

In 2014, in light of the CSA [the Cloud Security Alliance] assessment and analysis of threats to Cloud Providers [The Notorious Nine: Cloud Computing Top Threats in 2013], as well as governments’ perceived nefarious interactions with the telecommunications and data storage, social media, and search industries [see Edward Snowden passim]; it has become evident that blind trust in the service provider is a doomed strategy.
That's an extract from Cloud Insecurity and True Accountability, a primer for CIOs on Guardtime and Keyless Signature Infrastructure (KSI) for Attributed Networking written by Matthew C. Johnson, CTO of Guardtime.

Guardtime believe that "blind trust ... is a doomed strategy". Trust in your cloud services provider and all the related businesses involved in cloud computing can never be earned or awarded. So stop pretending that it can, they say, forget it. Instead, the best you can do is to use their keyless signature infrastructure products so that you and your suppliers will know that security has been breached – then you can try to do something about it.

Guardtime is an Estonian company. And, as we know, Estonia is our future.

Guardtime's products are being promoted by a consultancy called Rainmaker.

And Rainmaker, in turn, is being promoted by Chris Chant on the G-Cloud Twitter account:


Chris, of course, is the only begetter of G-Cloud, the UK government cloud initiative, and even though now retired, he keeps his hand in. The new head of G-Cloud, Tony Singleton, seems to be happy for Chris to promote Guardtime on @G_Cloud_UK and we must assume, therefore, that he supports the idea – the pursuit of trust frameworks is a wild goose chase, whether we're talking about G-Cloud, the PSN (public services network), IDA (the identity assurance service RIP), Mydex or midata.

David Alexander needs to think again. His halo is slipping.


Updated 12.11.14

Armed with his halo of trust, David Alexander, the CEO of Mydex CIC, accepted the invitation from the Open Data Institute (ODI) to write a guest post on the ODI's blog, Open data and personal data, context and consent.

The ODI want to make open data available to everyone, willy-nilly, whereas Mydex is committed to empowering people so that they can share their personal data with no-one except where they have freely given their informed consent.

So what contribution if any do the ODI and Mydex make to each other?

Mr Alexander argues that open data provides the context without which personal data has little meaning: "it's in the interaction with personal data that you often get the best out of open data – they are inextricably linked".

Can open data and personal data be "inextricably linked" without disempowering individuals? Can the halo of trust be kept in place?

Yes, says Mr Alexander:
This personal empowerment can be utterly transformative in public service provision and many other contexts. Equipped with their own personal data store, an individual is able to provide informed consent and share their data with whom they choose, safely and securely, under a legal and technically robust trust framework. And for service providers and developers the interchange can help drive insight, reduce costs, improve data accuracy and build better engagement over time.
But as his close colleagues at Ctrl-Shift can tell him, there is no such thing as a "legal and technically robust trust framework".

So no.


Updated 14.11.14

Probably about time to look at an example of a putative trust framework.

"Today we’re publishing two posts that explain what we’re doing to protect users' privacy when they use GOV.UK Verify", said the lovely Janet Hughes the other day.

One of those posts is How the GOV.UK Verify technical architecture protects users’ privacy, and why it’s appropriate. It promises much but the response to the questions raised in the Comments section is disappointing. Anyone asking how the technical architecture of GOV.UK Verify (previously IDA, GDS's identity assurance scheme) protects users' privacy is told that this is the wrong place to answer.

The other post is Protecting privacy in GOV.UK Verify where we are reminded by one of its members that the hard-working and independent Privacy and Consumer Advisory Group (PCAG) published its first draft identity assurance principles back in June 2013. Nothing much has been heard about them since then.

PCAG have now published an update, version 3.1, in which they set out their trust and control and anti-fraud and security objectives and say:
To deliver these objectives there has to be a framework that gives real meaning to terms such as “individual privacy” and “individual control”. Such a framework is set out in the nine Identity Assurance Principles contained in this document: these Principles have been developed by the independent Privacy and Consumer Advisory Group (PCAG), including open public consultation on earlier working drafts.
So here at last is our example of a trust framework. In summary, it looks like this (Identity Assurance Principle – summary of the control afforded to an individual):
1. User Control – I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them
2. Transparency – Identity assurance can only take place in ways I understand and when I am fully informed
3. Multiplicity – I can use and choose as many different identifiers or identity providers as I want to
4. Data Minimisation – My interactions only use the minimum data necessary to meet my needs
5. Data Quality – I choose when to update my records
6. Service User Access and Portability – I have to be provided with copies of all of my data on request; I can move / remove my data whenever I want
7. Certification – I can have confidence in the Identity Assurance Service because all the participants have to be certified against common governance requirements
8. Dispute Resolution – If I have a dispute, I can go to an independent Third Party for a resolution
9. Exceptional Circumstances – I know that any exception has to be approved by Parliament and is subject to independent scrutiny
Ctrl-Shift predict that this framework can't work, remember – there's no way to enforce it and no money to pay for it even if enforcement was possible.

Are Ctrl-Shift right?
  • Anyone signing up to GOV.UK Verify can have no idea whether exceptions to the principles need to be approved by Parliament (#9).
  • There is no privacy ombudsman and so #8 is being flouted.
  • #7 is an odd one. The fact that governance requirements might be common to all participants is not the point. The requirements need to be confidence-inspiring, not common. They might be common but fail to protect privacy. And the certification authority needs to be independent – there were some probably unfounded doubts about the independence of tScheme.
  • GDS have made no statement about portability or deletion (#6) ...
  • ... nor about updating your records (#5).
  • What is the minimum amount of data necessary for your interactions with public services? Who decided that? No-one's told you, have they (#4).
  • The more "identity providers" you use, the more it costs GDS. They are already trying to limit your choice. Budget constraints don't disappear by magic (#3).
  • Take a look at the video presentation of the Post Office's registration process for GOV.UK Verify. No attempt whatever is made to explain to the user what they are giving their permission for. The user can't understand and is not fully informed. What's more, their consent is not given freely. What choice is there? Either grant consent like a blank cheque or withhold it and go without benefits (#2).
  • Having once given your consent, what control do you have over the way your data is used? To judge by the presentation, none. It may be shared with anyone (#1).
Yes, Ctrl-Shift are right.


Updated 19.11.14

What does diplomacy look like?

The author of Protecting privacy in GOV.UK Verify referred to above has just published a thoughtful and authoritative reflection on Privacy Seals and Privacy Snake Oil.

"One of the constant problems of privacy is knowing who to trust with your data", he says, "... it's only a matter of time before some bright spark suggests 'maybe we could have a privacy seal to prove we're trustworthy?' ... The problem is, it just doesn't work".

"There are a number of privacy seal schemes out there, but the majority are US-centric", he goes on, "... there are some significant potential downsides to privacy seals ... Firstly, the scheme can only be as good as its underlying standards ... Secondly, the schemes use different approaches to certification. [Some] are ... independently assessed by experts .., whereas the entry point for many other schemes is self-certification ... Thirdly ... is the ability of schemes to monitor and police their members. If you are a scheme operator, dependent upon your members for your income, then the last thing you want to do is to suspend a high-profile member ... or to strike off a member for proven poor privacy practices".

He barely mentions the UK, except to point out that "the [Federal Trade Commission] takes this stuff seriously, and has enforcement powers beyond the UK [Information Commissioner's Office]'s wildest dreams". And he doesn't mention the Government Digital Service once. Nor their identity assurance programme (IDA) and GOV.UK Verify. Nor tScheme. Nor even snake oil.


Updated 15.2.15

February 2015, and Mydex have delivered themselves of another white paper in their series of sales literature, this time The opportunity of attribute exchange – Your data, your way.

Personal data stores (PDSs) are still the answer, whatever the question. Mydex continue to offer security on the web when everyone knows that that is not available. And they continue to promote their trust framework when even their cousins Control-Shift can tell them that there is no such thing. There has been only one change – the halo of trust has become a ladder:
Evidence is accumulated from each organisation that connects to an individual’s PDS. This builds up a 'proof of claim', a trusted confirmation of a fact about themselves or their lives. They can gradually 'climb up a ladder' of trust and certainty about their identity online reaching a higher and higher level of identity assurance. (p.8)
Mydex's claim in this white paper is that everyone would benefit if we individuals maintained a collection of digital certificates in our PDSs, issued by the relevant authorities, certifying that we have certain attributes.

We might for example need confirmation issued by the Department for Work and Pensions that we are on Income Support in order to prove our entitlement to free National Health Service prescriptions. In this example, DWP would issue a digital IsOnIncomeSupport certificate which you would store in your PDS and which a pharmacy could access to check that you don't have to pay for your prescriptions.

That all seems very convenient. No sending photocopies through the post, no hanging on the telephone waiting for the call centre to answer, just a single port of call, a single source of truth – the Mydex PDS – and you're out of the shop, armed with your antibiotics, having paid nothing.

How does the pharmacist know that the certificate was issued by DWP? Or that it was issued to you? How does Mydex know that this is a pharmacist making the enquiry? How does the pharmacist know that that's Mydex on the other end of the enquiry and not a spoof site?

There may be answers to these questions. Mydex don't tell us what they are. We must just leave those sales questions hanging for the moment.

There is one question we can pursue a bit further.

Your situation may change. You may be on Income Support one month but off it the next. And then back on, a few months later. DWP must, in Mydex's world, issue a new digital certificate each time and revoke the previous one – IsOnIncomeSupport as at February 2015 may have to be revoked and replaced with IsNotOnIncomeSupport as at March 2015.

But will IsOnIncomeSupport be replaced in your PDS? That's up to you, according to Mydex:
If the connecting organisation or the individual, changes a piece of information, this gets automatically updated in the individual's PDS, based on their preferences and consent. (p.11)
That's no good to the pharmacist. Just because there's an IsOnIncomeSupport certificate in your PDS doesn't prove that you're entitled to free drugs. The certificate may have been revoked by DWP since it was issued because your circumstances have changed. But you may have withheld consent to update your PDS.

So the pharmacist needs to seek confirmation from DWP themselves. Your PDS isn't good enough and drops out of the attribute exchange procedure.

Either that, or the revoked certificate is removed from your PDS whether you consent or not – the data in your PDS isn't under your control. Whereas Mydex say it is. They can't have it both ways.


Updated 17.2.15

The video has been published now of highlights of the debate about attribute exchange hosted on 4 February 2015 by theInformationDaily.com and sponsored by Mydex. Apparently, Attribute exchange could unlock billions of public sector savings.

No case is made to support this contention.

At 17'11" David Alexander, the CEO of Mydex, the sponsors, asserts that attribute exchange will cause transaction costs to drop by anywhere between 45% and 95%.

But what is included in "transaction costs"? Who will be made redundant to pay for the rosy future he paints of "improved social outcomes" and "streamlined public services" all "under your control"?

He doesn't say. Viewers have no idea as a result how these billions of savings are to be "unlocked".

Once again, the basis of control over people's personal information such that we can give our informed consent to share data, or alternatively withhold our permission, is supposed to be the Mydex trust framework.

And once again, the warnings of Mydex's sister company Ctrl-Shift to the effect that there is no such thing as a trust framework are ignored. The claim that Mydex can grant you control over your personal data once it's in a personal data store is false. It is not in Mydex's power to grant.

The assembled company were all confident that the Government Digital Service's identity assurance scheme, GOV.UK Verify, works:
  • Why? To what extent has it been tested that GOV.UK Verify proves that you are who you say you are on-line?
  • How is GOV.UK Verify proof against hacking in a way that no other on-line system seems to be?
  • How can it be sensible to rely on a single GOV.UK Verify credential to open access to all the on-line services you use?
  • Who is liable when GOV.UK Verify security is breached and your bank account is emptied or your benefits are paid to someone else?
  • What happens to the millions of people who can't register with GOV.UK Verify? What's to stop them just becoming excluded by default from public services?
No answers were given during the debate. But then the questions weren't asked. Where does the confidence come from?

A number of participants in the debate referred to "single customer records" and "personal data stores". To a certain bureaucratic mentality it is obviously attractive to have everything in one place. All your attributes, represented by digital certificates, stored in one record.

But attributes change, digital certificates are revoked and new ones issued to replace them.

If users have control over their data, they can withhold permission to update their personal data store when a certificate is revoked. Which means that the service provider can't rely on the personal data store or single customer record being up to date.

Service providers have to go back to the original certification authority to check whether a certificate has been revoked to be sure about your attributes. The "single source of truth" is a will o' the wisp. Stop chasing it.
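To make the revocation problem concrete, both for the DWP/pharmacy example in the 15.2.15 update and for the "single source of truth" point just made, here is an added Python model. It is not Mydex's code or design: the Issuer and PersonalDataStore classes, the holder identifier and the key value are all constructed for illustration. The issuer signs with an HMAC key that the verifier also holds, a simplification standing in for an asymmetric signature where the verifier would hold only the issuer's public key; the March replacement is modelled as the same attribute with the value False rather than a separately named IsNotOnIncomeSupport certificate.

```python
import hashlib
import hmac
import json
from datetime import date

# Added, hypothetical model of the attribute-exchange flow discussed on the page.
# Constructed key: not a real secret, and an HMAC stands in for a real signature.
ISSUER_KEY = b"constructed-issuer-key-not-a-real-secret"


def _canonical(claim: dict) -> bytes:
    """Stable byte encoding so issuer and verifier hash exactly the same claim."""
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()


def _sign(key: bytes, claim: dict) -> str:
    return hmac.new(key, _canonical(claim), hashlib.sha256).hexdigest()


class Issuer:
    """Hypothetical certification authority (stand-in for DWP)."""

    def __init__(self, name, key):
        self.name, self._key, self._next_serial, self._revoked = name, key, 1, set()

    def issue(self, subject, attribute, value, valid_from, valid_to):
        claim = {"issuer": self.name, "serial": self._next_serial, "subject": subject,
                 "attribute": attribute, "value": value,
                 "valid_from": valid_from.isoformat(), "valid_to": valid_to.isoformat()}
        self._next_serial += 1
        return {"claim": claim, "sig": _sign(self._key, claim)}

    def revoke(self, serial):
        self._revoked.add(serial)

    def is_revoked(self, serial):
        """The 'go back to the certification authority' check."""
        return serial in self._revoked


class PersonalDataStore:
    """Holder-controlled store: an update only lands if the holder consents."""

    def __init__(self):
        self._certs = {}

    def offer_update(self, cert, consent):
        if not consent:
            return False  # holder declined; the old certificate stays in place
        self._certs[cert["claim"]["attribute"]] = cert
        return True

    def get(self, attribute):
        return self._certs.get(attribute)


def verify_offline(cert, issuer_key, expected_subject, today):
    """Everything a relying party can check from the PDS copy alone."""
    claim = cert["claim"]
    if not hmac.compare_digest(cert["sig"], _sign(issuer_key, claim)):
        return False, "bad signature"          # not issued by this issuer, or edited since
    if claim["subject"] != expected_subject:
        return False, "issued to someone else"
    if not (claim["valid_from"] <= today.isoformat() <= claim["valid_to"]):
        return False, "outside validity window"
    return True, "ok"


def verify_with_issuer(cert, issuer, issuer_key, expected_subject, today):
    """Offline checks plus a live revocation query to the issuer."""
    ok, reason = verify_offline(cert, issuer_key, expected_subject, today)
    if ok and issuer.is_revoked(cert["claim"]["serial"]):
        return False, "revoked by issuer"
    return ok, reason


def scenario():
    """On Income Support in February, off it in March, holder declines the March
    update, pharmacy checks the PDS copy in mid-March."""
    dwp, pds, holder = Issuer("DWP", ISSUER_KEY), PersonalDataStore(), "holder-123"
    feb_cert = dwp.issue(holder, "IsOnIncomeSupport", True, date(2015, 2, 1), date(2015, 12, 31))
    pds.offer_update(feb_cert, consent=True)

    dwp.revoke(feb_cert["claim"]["serial"])  # circumstances changed
    mar_cert = dwp.issue(holder, "IsOnIncomeSupport", False, date(2015, 3, 1), date(2015, 12, 31))
    updated = pds.offer_update(mar_cert, consent=False)  # holder withholds consent

    checked, stale = date(2015, 3, 15), pds.get("IsOnIncomeSupport")
    return {"pds_updated": updated,
            "pds_value": stale["claim"]["value"],
            "offline": verify_offline(stale, ISSUER_KEY, holder, checked),
            "with_issuer": verify_with_issuer(stale, dwp, ISSUER_KEY, holder, checked)}


def tampered_copy_rejected():
    """A holder editing their own PDS copy cannot upgrade the claim without the key."""
    dwp = Issuer("DWP", ISSUER_KEY)
    cert = dwp.issue("holder-123", "IsOnIncomeSupport", False, date(2015, 3, 1), date(2015, 12, 31))
    cert["claim"]["value"] = True
    return verify_offline(cert, ISSUER_KEY, "holder-123", date(2015, 3, 15))[1]


if __name__ == "__main__":
    print(scenario(), tampered_copy_rejected())
```

Running scenario() shows the stale PDS copy passing every check the pharmacy can make locally (signature, subject, validity window) and failing only on the issuer's revocation query. That is the dilemma in the text: either the relying party asks the issuer, and the PDS is not the source of truth, or the PDS is updated regardless of consent. The usual mitigation is to keep validity windows short so a stale copy expires quickly, but that bounds the problem rather than removing it.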
