Edward Snowden – the penny drops 1

The Edward Snowden revelations began here in the UK on 6 June 2013.

The public response and the response of the national media has been muted. Spies spy. What do you expect? They have to. Surveillance is legal. You'd have to be naïve to think otherwise. It's for our own good.

It's a case of move along, there's nothing to see here, as far as Whitehall is concerned. And in that case the plans to make public services digital by default can proceed. We can carry on saying that it is safe to store our data in the cloud. We can carry on saying that trusted third parties – "identity providers" – can supply us with personal data stores, maintained on "secure websites", which will give us "control" over what happens to our personal data.

There's nothing to see here. Our personal data will be encrypted. The security of the websites is provided by encryption. Encryption works. That's why the third parties can be trusted.

When the cartoon character runs off the edge of a cliff his legs keep going and he keeps moving forwards as long as he doesn't look down.

On 6 September 2013, three months after after running off the cliff, the revelation that the US National Security Agency (NSA) and GCHQ can get round some/many/most forms of encryption has finally made the cartoon character look down. His legs stop. A look of doubt appears on his face, the penny drops and he starts to fall.

Mydex is in poll position to provide the personal data stores for midata, the Department for Business Innovation and Skills initiative to "empower the consumer". Mydex is also one of the UK's appointed "identity providers" and recently signed a contract to supply identity assurance services.

William Heath is the chairman of Mydex. Here, faithfully recorded by Twitter, is what he saw when he looked down:

"What is a backdoor? Currently available for major encryption software – Microsoft Bitlocker, FileVault Be stCrypt TrueCrypt etc"- ibid
— williamheath (@williamheath) September 4, 2013

@williamheath Waaaaat? A backdoor is available for truecrypt too?
— Chris Adams (@mrchrisadams) September 4, 2013

@mrchrisadams Not cool. Wonder what effect that first Tweet will have on some market capitalisations...
— williamheath (@williamheath) September 4, 2013

@williamheath it's a hoax https://t.co/BfFngf7SZr but that gives no info about whether true ;-)
— Caspar Bowden (@CasparBowden) September 4, 2013

Bloody hell @williamheath, just a tad. Truecrypt’s FAQ - http://t.co/Zgy8l7W16a. Relevant cryptome PDF - http://t.co/6jWN1MykoK
— Chris Adams (@mrchrisadams) September 4, 2013

@mrchrisadams @williamheath lolwut: https://t.co/SXXymdxYWk /cc @Rchards
— Sam (@pikesley) September 4, 2013

@pikesley @mrchrisadams @williamheath depressingly had in this case. Read content rather than names.
— Richard Stirling (@Rchards) September 4, 2013

@Rchards @pikesley I think I’m quite happy to be punked in this case :) /cc @williamheath
— Chris Adams (@mrchrisadams) September 4, 2013

@pikesley @Rchards @mrchrisadams Phew :-) Back to: so what was it we were *right* to be paranoid about?
— williamheath (@williamheath) September 4, 2013

@williamheath hoax
— glynwintle (@glynwintle) September 4, 2013

@glynwintle indeed. We're all delighted
— williamheath (@williamheath) September 4, 2013

----------

Updated 29.9.15

"Mydex is in poll position to provide the personal data stores [PDSs] for midata". Written two years ago. Please see above.

It looked then as though Mydex relied on a package called "TrueCrypt" to make their PDSs secure.

If they relied then or rather if they rely now on TrueCrypt, there's a problem. Support for TrueCrypt was withdrawn in May 2014.

"Mydex provides the individual with a hyper-secure storage area to enable them to manage their personal data, including text, numbers, images, video, certificates and sound. No-one but the individual can access or see the data". That's what it says, to this day, at the bottom of Mydex's webpage – "hyper-secure".

Where does this "hyper-security" come from? Not from TrueCrypt. So where?

If your PDS is hacked, that's your fault. That's Mydex's stance and that's why, unlike the banks, they offer no compensation.

Before entering into a no-compensation deal which requires you to store all your personal information in a PDS, you might be wise to check just how secure that PDS is. Wiser still, whoever you get your PDSs from, to assume that hyper-security is impossible and insist on the provision for compensation in the contract.

Edward Snowden – the penny drops 1

The Edward Snowden revelations began here in the UK on 6 June 2013.

The public response and the response of the national media has been muted. Spies spy. What do you expect? They have to. Surveillance is legal. You'd have to be naïve to think otherwise. It's for our own good.

It's a case of move along, there's nothing to see here, as far as Whitehall is concerned. And in that case the plans to make public services digital by default can proceed. We can carry on saying that it is safe to store our data in the cloud. We can carry on saying that trusted third parties – "identity providers" – can supply us with personal data stores, maintained on "secure websites", which will give us "control" over what happens to our personal data.

There's nothing to see here. Our personal data will be encrypted. The security of the websites is provided by encryption. Encryption works. That's why the third parties can be trusted.

When the cartoon character runs off the edge of a cliff his legs keep going and he keeps moving forwards as long as he doesn't look down.

The internet secure? Absurd

While we were all away on holiday a scene from the theatre of the absurd was reported. It had been enacted  a month before, in July, in the basement of the Guardian newspaper's London office.

Dramatis personae:
    A number of GCHQ persons
    A Guardian editor and a Guardian IT person

Props:
    A number of computer disks and chips
    An angle grinder and some other tools

On 20 July 2013, apparently acting on the orders of Sir Jeremy Heywood, the Cabinet Secretary, who was in turn apparently acting on the orders of the Prime Minister himself, the Guardian persons set about destroying the disks and chips with the angle grinder and other tools. The GCHQ persons, having watched but not assisted, left once the job was done.

Thus one copy of the Edward Snowden files was destroyed. Quite pointlessly, as there are other copies. But the Prime Minister insisted, allegedly, the charade went ahead, and the dignity of his office was thereby preserved.

The Snowden revelations continue unabated. Yesterday, the Guardian treated us to US and UK spy agencies defeat privacy and security on the internet while the New York Times gave us N.S.A. Able to Foil Basic Safeguards of Privacy on Web.

If you think that encryption will keep your use of the internet private/confidential/secret, think again.

The US National Security Agency (NSA) and our very own GCHQ have cracked the code and can decrypt your transactions on secure websites, your use of virtual private networks, your emails, web chats and Skype calls, just like that, more or less in real time.

If a cloud computing supplier tells you your data is safe in the cloud because it's encrypted, he or she is probably wrong. HMRC, the MOD, the Home Office and the Government Digital Service (GDS) might like to reconsider their use of Skyscape Cloud Services Ltd.

If a personal data store supplier tells you that your information is safe because it's encrypted – perhaps in connection with the UK's midata project – he or she is probably wrong.

No doubt GDS will tell us that the new electoral roll will be secure. And that the identity assurance service they are about to unleash on HMRC is secure. In what way?

Individuals, companies and government departments can forget about confidentiality on the internet. What was left of it was all hoovered up by the cleaners in the Guardian's basement after the audience had left.

Lawyers, bankers and accountants working on a major takeover, for example, may well continue to use the internet. It's convenient. But they can no longer promise that their clients' data is being kept confidential. Everyone now knows that on the internet that is, to all intents and purposes, impossible.

The internet secure? Absurd

While we were all away on holiday a scene from the theatre of the absurd was reported. It had been enacted  a month before, in July, in the basement of the Guardian newspaper's London office.

Dramatis personae:
    A number of GCHQ persons
    A Guardian editor and a Guardian IT person

Props:
    A number of computer disks and chips
    An angle grinder and some other tools

On 20 July 2013, apparently acting on the orders of Sir Jeremy Heywood, the Cabinet Secretary, who was in turn apparently acting on the orders of the Prime Minister himself, the Guardian persons set about destroying the disks and chips with the angle grinder and other tools. The GCHQ persons, having watched but not assisted, left once the job was done.

Now UC IT

The National Audit Office (NAO) have published their report on Universal Credit (UC). UC is the Department for Work and Pensions (DWP) initiative to rescue benefit claimants from the poverty trap created by the UK's inept welfare system. The idea is to rescue them by making work pay.

Universal Credit: early progress is 60 pages long. 60 pages which document the unrelenting and expensive failure of DWP to get to grips with UC. There is a summary for you kindly prepared by Tony Collins – Will Universal Credit ever work? – NAO report.

By 31 March 2013, DWP had spent £425 million on UC. £425 million spent by intelligent and experienced public servants and there is nothing to show for it.

Accenture have picked up £125 million of that money, IBM £75 million, Hewlett-Packard (HP) £58 million and BT £16 million. That accounts for £274 million. £274 million spent with intelligent and experienced software engineers and there is nothing to show for it.

Is it the politicians' fault (Iain Duncan Smith, the Secretary of State at DWP, and his junior ministers)? Is it the officials' fault (Robert Devereux, Permanent Secretary at DWP, and his staff)? Is it the contractors' and consultants' fault? Yes. In each case.

How on earth can such a catastrophic failure happen? It's happened before, please see for example It's all John's fault. The lessons never seem to be learnt.

It's time to stop this nonsense. DWP have "pressed the reset button" apparently and are taking time out to think. About time, too.

The thinking so far centres on the software engineering methods being used. DWP, it is said, failed to use "agile" methods. Appendix Seven of the NAO report, beginning on p.53, provides a handy cribsheet on agile v. traditional software engineering.

This may be a cul-de-sac. After all, no engineering methodology in history has ever recommended spending £425 million before thinking what it is you're trying to achieve. Also, there is no guarantee that agile methodologies would avoid the same problem.

To the extent that "agile" means anything in Whitehall, it means the Government Digital Service (GDS). GDS are great advocates of agile, they claim to be successful exponents of agile and they want to see central and local government become 100 percent agile.

They're getting their message across.

Howard Shiplee, the man in charge of UC for the past 100 days, says in his Telegraph article Universal Credit: The First 100 days:

As the Secretary of State outlined in July, we are working with the new Government Digital Service (GDS) to explore an enhanced IT programme that would offer more flexibility and security to benefit claimants. We’re planning to take the best of the existing system and make improvements using GDS support.

Why?

The BBC and the Guardian give GDS great publicity, please see GDS PR blitz. So do the Times, please see Toe-curling: GDS PR Blitz.

Why?

The Design Museum declared GDS's only product to date, GOV.UK, to be Design of the Year 2013. The Design and Art Direction charity created a new category this year especially to be able to give GOV.UK a prestigious D&AD award.

Why?

The answer in each case is, presumably, competent public relations. An attractive brand is being created. But is there any substance there? What skills of GDS will stop the next £425 million from being wasted?

According to five IT professors, none.

Martyn Thomas gave evidence to the Public Administration Select Committee to the effect that GDS are wasting their time with agile software engineering, please see Digital-by-default, an open letter to the House of Commons Science and Technology Committee (para.13).

That's one professor.

The other four – Alan W Brown, John A McDermid, Ian Sommerville and Rob Witty – reviewed GDS's Government Digital Strategy and were entirely unimpressed. "Simplistic and highly risky", they said about agile, please see Four professors review the Government Digital Strategy.

Just because GDS's staff are an alternative to the hopeless staff of DWP, Accenture, IBM, HP and BT doesn't mean that they're any better.

D&AD, the Design Museum, the Times, the Guardian, the BBC, Howard Shiplee and the NAO would all do well to consider the expert views of the five professors before assuming that GDS is the answer. In the meantime, for the sake of the £425 million lighter taxpayer, and everyone caught in the poverty trap, another reset button should be pressed. On GDS.

----------

Updated 21 October 2013

1. House of Commons oral evidence taken before the Public Accounts Committee, Universal Credit, Wednesday 11 September 2013
2. Welfare fiasco chief 'to resign'

Updated 14.4.16

In the 2½ years since the post above was written:

• GDS's all-agile system written for DEFRA's Basic Payment Scheme failed, leaving farmers to apply for their EU Common Agriculture Policy subventions using pencil and paper.
• Iain Duncan Smith has resigned.
• Robert Devereux hasn't. And he has become Sir Robert Devereux KCB.
• DWP have fought against Freedom of Information requests to publish the 2011 and 2012 Universal Credit (UC) risk register, issues register and Major Projects Authority (MPA) assessment. They have finally lost that fight.
• The MPA have become the Infrastructure and Projects Authority.
• Some of the documents now disclosed suggest that ministers and officials at DWP did, indeed, mislead everyone about the progress being made on UC. Cyber security arrangements were inadequate, the system would have been open to fraud, there was no precedent for agile being used at the scale of UC and DWP didn't even have a plan for the transition from the existing benefits schemes to UC.

UC is utterly benighted.

As to GOV.UK Verify (RIP), another fairly major infrastructure project where Whitehall keep telling us that there is only good news, indeed the system is meant to go live this month, it's decision time some time in the next 16 days, what do the MPA have to say about cyber security and the use of agile?

Nothing.

The MPA, sitting in the Cabinet Office, haven't assessed the Cabinet Office's GOV.UK Verify (RIP), even though it's meant to provide 60 million people in the UK with an on-line ID, using which we are meant to be able to transact with government.

Risk level? Unmeasured. Could be high. Could be low. The MPA don't know and presumably don't care.

Now UC IT

The National Audit Office (NAO) have published their report on Universal Credit (UC). UC is the Department for Work and Pensions (DWP) initiative to rescue benefit claimants from the poverty trap created by the UK's inept welfare system. The idea is to rescue them by making work pay.

Universal Credit: early progress is 60 pages long. 60 pages which document the unrelenting and expensive failure of DWP to get to grips with UC. There is a summary for you kindly prepared by Tony Collins – Will Universal Credit ever work? – NAO report.

By 31 March 2013, DWP had spent £425 million on UC. £425 million spent by intelligent and experienced public servants and there is nothing to show for it.

You are for sale

The Financial Times have been doing a bit of investigative journalism. Health apps run into privacy snags, they said on 1 September 2013:

Before Celeste Steenburger takes off on her morning run, she taps the orange button on the MapMyRun app on her iPhone to track the exercise. The 30-year-old office manager counts calories, logging the food she eats into a separate Lose It! app. When her menstrual cycle begins, she marks the details in the Period Tracker Lite app. With each bit of health data Ms Steenburger records, third-party companies, some with names she has never heard of, are receiving information about her.

Ms Steenburger thinks she's just dealing with MapMyRun and one or two other apps suppliers to keep track of her health. She's wrong. Behind the scenes these suppliers are selling her health data to other interested parties. The FT mention "advertising companies, ... digital analytics and tracking groups, ... health insurance and pharmaceutical companies":

The trend has serious implications for consumers. Data which an individual has willingly handed over to an app develop[er] to better track their own health, could now land in the hands of a large insurer who might use that data to set policy premiums ... iPeriod will soon have the capability to target ads at a very fine level. So a woman who records in the app that she gets headaches before her period could soon receive an ad for a pain reliever at just the right time of the month ... “By getting certain populations more active, they can reduce the cost burden for employers around those people,” says Chris Glode, the general manager for MapMyFitness. “If you can get people more active, can improve their health outcomes. That’s really cool, we’re really psyched to be part of that.”

"The top 20 most visited apps transmit information to a web of nearly 70 companies", says the FT, naming Google, Apple, Humana, Aetna and Flurry, a mobile data tracking specialist and the recipient of data from nine of the top 20 health-related apps.

That's the business model. You supply the data and the apps developers sell it. Maybe Celeste Steenburger didn't expect that but you should.

Perhaps this business model is restricted to the private sector?

No.

The public sector are at it as well.

It is three years since the Telegraph reported that the Department for Work and Pensions were paying Experian, the credit referencing agency, to analyse the data they hold and try to identify benefit cheats, please see Bounty hunters to cut benefit fraud by £1bn.

And more recently, in May 2013, the Mail told us that Orange/EE (Everything Everywhere) were selling data on their 27 million mobile phone users in the UK and that among the interested parties were the police. In the end, the police didn't buy anything but they were interested and maybe next time ...

Millions of phone records revealing age, address and even the websites you visited were offered for sale to police in controversial deal ... Scotland Yard held a meeting with Ipsos Mori about the possibility of paying for some of the data to fight crime, but yesterday the force said it was not planning to make any offers for it.

Not very convincing, you may say, the public sector hasn't actually bought any personal data from Experian or EE, and they certainly don't sell personal data.

Oh yes they do.

Here's the Guardian on 17 May 2013:

£140 could buy private firms data on NHS patients ... On Monday the government slipped out the news that private insurer Bupa was approved to access England's "sensitive or identifiable" patient data, housed centrally by the Health and Social Care Information Centre (HSCIC). It is now among four private firms that have passed the government's vetting procedures. The charging structure for "bespoke patient-level extracts" was revealed when HSCIC put up a "cost calculator" to work out how much prospective customers would pay for sensitive hospital data. The "indicative fee" for a full set of 20 years' inpatient data was about £8,000 including £140 to make the records identifiable.

It's a lot cheaper in the Mail, please see Your confidential medical records for sale... at just £1: Hunt insists plan to sell details to private firms is vital to combat epidemics - but critics fear 'unprecedented' privacy threat.

"So who cares if you’ve got haemorrhoids or athlete’s foot?", asks the Telegraph in Patient confidentiality? Not if the price is right – the answer they give is "more people than you might think". It's all that Jeremy Hunt's fault, the Secretary of State for Health, Jeremy Hunt plans to give anonymised patient medical records to private firms.

"Anonymised patient medical records"? Anonymised? Oh yeah? Mr Hunt might believe that but he's not a professor of IT. Martyn Thomas is, and he told the Public Administration Select Committee that "anonymised research data" is an oxymoron (para.4) – if the data's anonymised it's no use for research and if it's any use for research then it's not anonymised.

He is not alone in that belief, please see for example The rush to ‘anonymised’ data by Professor Ross Anderson.

"Anonymised data" must join "secure website" in your list of count-your-fingers-after-shaking-hands phrases.

Bang goes medical confidentiality. Secrecy. Privacy.

You were warned. By Stephan Shakespeare. Health data is "open data" or PSI (public sector information), he says. PSI belongs to everyone and processing it will boost the economy.

Not just Mr Shakespeare – Professor Sir Nigel Shadbolt, too. He's told you that he wants to mix your health data and travel data with anything you've put in your midata personal data store, and give the whole lot to apps-writers to improve your life.

For further information on the state destruction of medical confidentiality in the UK, please visit medConfidential. They provide a form you can use to opt out of HSCIC sales of your medical data.

You are for sale

The Financial Times have been doing a bit of investigative journalism. Health apps run into privacy snags, they said on 1 September 2013:

Before Celeste Steenburger takes off on her morning run, she taps the orange button on the MapMyRun app on her iPhone to track the exercise. The 30-year-old office manager counts calories, logging the food she eats into a separate Lose It! app. When her menstrual cycle begins, she marks the details in the Period Tracker Lite app. With each bit of health data Ms Steenburger records, third-party companies, some with names she has never heard of, are receiving information about her.

GDS and privacy

Yesterday's Sunday Times:

Google: we are beyond British law The internet giant says the High Court has no authority to rule over a landmark UK privacy claim ... “They don’t respect privacy and they don’t consider themselves to be answerable to our laws on it” ... Last week Google’s privacy policies came under fresh attack in America after it said that its 425m Gmail users could have no “reasonable expectation” that their messages would remain confidential. The admission came to light in a court filing. In its submission to the High Court, Google’s lawyers argue that any information gleaned from the search engine is not “private or confidential”. This means that the company is under no obligation to hold it in confidence, they say.

You know where you are with Google. No "reasonable expectation" of confidentiality/privacy.

Similarly, you know where you are with the UK Cabinet Office. Francis Maude, the Minister in charge, told the Information Commissioner's Conference:

Sharing data is a key enabler in our ambition to see public services provided digitally by default ...the census is another area where I want to bust the myths around the complexities of data sharing ... we aim to find effective ways of using and sharing data for the good of everyone ...

The provisions designed to limit data-sharing in government are no more than "myths", in his eyes, and will be swept away by Mr Maude's modernisation plans – spearheaded by the Government Digital Service (GDS).

You know where you are with GDS. Ex-Guardian man Mike Bracken, executive director of GDS and senior responsible owner of the pan-government Identity Assurance Programme (IDAP) has told you:

Andrew Nash, Google’s Director of Identity, ran us through the current issues facing identity.He explained how Google aim to grow and be part of an ecosystem of identify providers, and encouraged the UK Government to play its part in a federated system. The UK ID Assurance team and Google agreed to work more closely to define our strategy – so look out for future announcements. Andrew also took the opportunity to walk the Minister through the Identity ecosystem.

Which brings you back to Google and the "reasonable expectation" of privacy – there is none.

The Privacy and Consumer Advisory Group (PCAG) have worked hard to devise nine privacy principles. And ex-Guardian man Mike Bracken has asked for comments on these principles. But you have to ask yourself whether his heart is in it. PCAG is only an advisory group and GDS can ignore their suggestions.

GDS were asked to produce a version of the nine principles with numbered paragraphs to make it easier to refer to them when submitting responses to the consultation exercise. GDS agreed that this would be a good idea. That was on 20 June 2013. Two months later, and no further action has been taken since.

When GDS held their revivalist The Future is Here event back in January 2013, they got everyone to book their place through Eventbrite, a Californian firm of event organisers. A Californian firm of event organisers who now have all the contact details of 300 civil servants "working across Government and its agencies to deliver our digital ambition statement". A marketing man's dream. So much for GDS and the "reasonable expectation" of privacy.

There has been at least one submission made in response to the PCAG consultation. Compiled by Mark King, it is published in full by the great Philip Virgo. Mr King's submission is masterly and suggests that even if GDS were to agree to the nine principles our "reasonable expectation" of privacy would still be disappointed.

These are the dog days of August, no-one can be expected to respond to consultations while we are all in the doldrums. But come September, if you have any desire to protect your reasonable expectations, it could be worth making the effort to respond.

GDS and privacy

Yesterday's Sunday Times:

Google: we are beyond British law The internet giant says the High Court has no authority to rule over a landmark UK privacy claim ... “They don’t respect privacy and they don’t consider themselves to be answerable to our laws on it” ... Last week Google’s privacy policies came under fresh attack in America after it said that its 425m Gmail users could have no “reasonable expectation” that their messages would remain confidential. The admission came to light in a court filing. In its submission to the High Court, Google’s lawyers argue that any information gleaned from the search engine is not “private or confidential”. This means that the company is under no obligation to hold it in confidence, they say.

You know where you are with Google. No "reasonable expectation" of confidentiality/privacy.