Monday, 19 March 2012

The French people kindly volunteer to pay for any mistakes their banks make

What is the point of the ... electronic signature?

Remember France? Remember 6 March 2012 when the French parliament decided to introduce national biometric ID cards? In a scheme reminiscent of Vichy? Time to take a look at one aspect of this scheme – digital signatures (signatures électroniques). Someone needs to tell the French people what their government is letting them in for.

Serge Blisko, député de Paris, has tried to tell them. Bravely. No British MP would try to talk about PKI (the public key infrastructure) and digital certificates. But M. Blisko did. In his immaculate speech of 13 July 2011. Three times:
This Bill provides, in Article 2, for the creation of a biometric identity card, including in particular the fingerprints of individuals, in addition to other elements such as height and eye colour. Article 3 creates an additional function which could be activated, optionally it is true, by the holder of the national identity card for his commercial transactions on the internet and in his dealings with e-government. This function would allow him to identify himself on the internet and to make use of his electronic signature. In practice, the person will nonetheless need to have a device connected to his computer, which does not appear very simple. He will be free to choose the personal data he wishes to transmit ...
In 2005, despite the technology of the time, the debate was the same as today: the creation of an electronic national identity card, therefore containing biometric data, was already envisaged; it opened up the possibility of proving one's identity on the internet and of signing electronically ...
A final unpleasant aspect, over which you passed a little quickly, Mr Rapporteur: this Bill is an opportunity to facilitate commercial transactions. I am not against securing the electronic signature on the internet for filing one's tax return or paying a fine to the Treasury, but the Bill goes beyond the sovereign domain and its budgetary extensions.
France's new ID cards will include facilities for identifying yourself over the web and for signing documents digitally. Let's take an example. Let's say you're buying a car for €30,000. And the document you're signing digitally is the contract for sale.

As M. Blisko says, the exact process for digital signature remains undefined but, having once taken their leap in the dark, the French will find that however it works, it's "pas très simple".

That's a charming understatement. Implementing PKI properly is extremely complicated.

But suppose the French manage to do it. They're good at infrastructure. They've got good people working on the problem. They've got the will. It's a matter of national pride. Marianne, la patrie and all that. Let's assume that France can get a PKI system up and running with 50 million users. No-one else has ever managed that. But, just for the sake of argument, if and when France manage it, what then? What is the effect of signing a document digitally?

M. Blisko doesn't answer that question, for the good reason that he doesn't ask it. Perhaps he assumes that everyone already knows what digital signatures mean. Just in case they don't, though, here is the answer in one word – non-repudiation.

If you sign a document digitally, you cannot repudiate your agreement. You are committed. Irrevocably.

Further, the fact that the document is digitally signed means that you signed it. You cannot claim that someone else signed it. Even if it's true. Even if it is a case of identity theft/l’usurpation d’identité, that is no longer legally relevant. Legally, you signed the document and you owe the car company €30,000. That's the law, as far as digital signatures are concerned.

Without digital signatures, if your credit card is misused, by your daughter's dodgy boyfriend for example, a fraud is perpetrated against the bank that issued the card; the bank made a mistake, they shouldn't have authorised the payment, it's their problem. With digital signatures, it's your problem. The risk has been moved from the bank to you.
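The point the post is making can be seen in code. Below is an added example, not part of the original post and not the French scheme's software: a verifier checking a digitally signed car-sale contract. The Bill does not specify an algorithm, so Ed25519 from Go's standard library is assumed as a stand-in, the contract text is constructed, and the names (Keypair, Sign, Verify, CloneKey) are invented for this illustration. What it shows is that verification establishes only that the certified key signed the document. A signature produced by anyone holding a copy of that key is byte-for-byte identical to the holder's own, so the card holder's "it wasn't me" is not something the verifier can ever test; the only things verification rejects are an unrelated key or an altered document.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Contract is a constructed sample document standing in for the €30,000
// car-sale contract in the post (not a real form).
const Contract = "Contrat de vente - véhicule - prix 30 000 EUR - acheteur: titulaire de la carte"

// Keypair models the signing key held on the card's chip. The Bill does not
// specify an algorithm; Ed25519 is assumed here as a stand-in.
type Keypair struct {
	Public  ed25519.PublicKey  // the half a certificate authority would certify
	Private ed25519.PrivateKey // the half that is supposed never to leave the card
}

// NewKeypair generates a fresh card key.
func NewKeypair() (Keypair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Keypair{}, err
	}
	return Keypair{Public: pub, Private: priv}, nil
}

// CloneKey returns a byte-for-byte copy of a private key: this is what key
// compromise looks like from the verifier's side, an indistinguishable key.
func CloneKey(priv ed25519.PrivateKey) ed25519.PrivateKey {
	c := make(ed25519.PrivateKey, len(priv))
	copy(c, priv)
	return c
}

// Sign signs the SHA-256 digest of the document with whatever private key
// it is given. Nothing here knows, or can know, who pressed the button.
func Sign(priv ed25519.PrivateKey, doc string) []byte {
	digest := sha256.Sum256([]byte(doc))
	return ed25519.Sign(priv, digest[:])
}

// Verify is everything the car company, the bank or a court can check:
// does the signature validate under the public key certified for the holder?
func Verify(pub ed25519.PublicKey, doc string, sig []byte) bool {
	digest := sha256.Sum256([]byte(doc))
	return ed25519.Verify(pub, digest[:], sig)
}

// SameSignature reports whether two signatures are byte-identical. Ed25519 is
// deterministic, so the same key over the same document yields the same bytes.
func SameSignature(a, b []byte) bool {
	return bytes.Equal(a, b)
}

func main() {
	holder, err := NewKeypair()
	if err != nil {
		panic(err)
	}
	// 1. The legitimate holder signs the contract.
	byHolder := Sign(holder.Private, Contract)
	fmt.Println("holder's signature verifies:      ", Verify(holder.Public, Contract, byHolder))

	// 2. Someone holding a copy of the key (the post's usurpation d'identité)
	//    signs the same contract.
	byImpostor := Sign(CloneKey(holder.Private), Contract)
	fmt.Println("impostor's signature verifies:    ", Verify(holder.Public, Contract, byImpostor))
	fmt.Println("the two signatures are identical: ", SameSignature(byHolder, byImpostor))

	// 3. What verification does reject: a different key, or an altered document.
	other, _ := NewKeypair()
	fmt.Println("signature under another key:      ", Verify(other.Public, Contract, byHolder))
	fmt.Println("signature over an altered text:   ", Verify(holder.Public, Contract+" (modifié)", byHolder))
}
```

Run it with `go run .` and the first three lines print `true` while the last two print `false`. The design point for anyone building or regulating such a scheme is that "non-repudiation" is a property of the key, not of the person: everything that keeps the key on the card (the chip, the PIN, the reader) is what actually stands between the holder and a €30,000 liability, and none of it is visible to the verifier.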

Is that what you wanted, vous les autres les français? Is that what your parliament told you would happen? Are you happy to change the law and end up underwriting the banks? If the answer is yes, in each case, then my apologies for disturbing you with this irrelevant post, excusez-moi de vous avoir dérangé. But if the answer is no, you might like to have a little word with your député and ask him or her what on earth they think they're doing.

Thursday, 15 March 2012

Vichy redux

Nine days ago on Tuesday 6 March 2012 the French National Assembly enacted a Bill to protect people from identity theft. The proposition de loi relative à la protection de l’identité is now French law.

You might think that this Act is just like the UK's now repealed Identity Cards Act 2006. Wrong.

There are similarities. Everyone over a certain age will be enrolled in a French population register (a fichier) and will be issued with an identity card. The card will have microchips in it (puces). The chips will somehow use your biometric data (données) to support identity verification. I.e. they will allow you to prove that you are who you say you are. The French are even using the same misinformation – the cards will be "optional" (facultatives), according to an article in Le Monde.

But there's a big difference. The UK ID card scheme was going to use flat print fingerprint technology (empreintes posées) which is cheap, easy to use/no expert required, clean and utterly unreliable. The French know that. They're not stupid. It's French companies that provide this waste of money/snake oil biometric technology. They're hardly likely to make the same mistake.

What they propose instead is to use the same high quality rolled print fingerprinting technology as the police (empreintes roulées), forensic quality technology acceptable as evidence in a court of law. On the whole population. The whole of France is going to be issued with what the FBI call a "Ten Print Rap Sheet" or TPRS, just like Al Capone.

Serge Blisko is the MP (député) for Paris. Here he is speaking on the Bill last year in Parliament:
Speech by Serge Blisko on the Bill on the protection of identity
Wednesday 13 July 2011, 15:31
Category: Society, Speeches
Preliminary motion of rejection by Serge Blisko, député for Paris

... all citizens will henceforth be required to give their fingerprints at one of these 2,000 administrative police offices that you have described, Minister. Moreover, these will be very particular fingerprints. I refer to the hearings of senior officials of the Ministry of the Interior: it will be necessary to give the prints of eight of one's fingers by the rolled-print technique, and not the flat-print one. It is very different from the flat print because it is a criminological technique. We are then no longer in a process of identity recognition, but in the logic of a criminal investigation file ...
It is almost unprecedented for a government to tell its parishioners that they are all regarded as criminals. In fact, Mr Blisko can think of only one case – Vichy France:
Minister, I regret to recall that France has created a general register of the population only once, and that was in 1940. It was, moreover, destroyed at the Liberation.

Here is an extract from the law of 27 October 1940 of the État français: "Obligation to hold an identity card from the age of sixteen, bearing fingerprints and a photograph, and to declare any change of address. Establishment of a central population register and of an individual identification number."

That central register, as I was saying, was destroyed at the Liberation. It is therefore indeed since the Vichy period that France has neither known nor wanted such a filing of its population.
France. Our partners in the EU. They wouldn't do that, would they? They wouldn't reintroduce Marshal Pétain's law of 1940. Would they?

They just did. Nine days ago on Tuesday 6 March 2012.

The whiff of cordite in Whitehall

Rt Hon Margaret Hodge MBE MP is making a speech today at Policy Exchange. This is the latest battle in her war to make Whitehall accountable to Parliament. Whitehall wastes our money with impunity, as it says at the head of this page. In the attempt to put a stop to this state of affairs, traditionally, Whitehall has always won hands down. Perhaps we should expect history to repeat itself.

Or perhaps not. Never has the ancien régime been led by a general as vulnerable as Sir Gus now Lord O'Donnell, the man to whom we owe the present parlous state of our national finances.

Sunday, 11 March 2012

Cabinet Office using cyber security budget to increase risks to the public

Can someone advise, please, is there a polite way of asking can any British government tell its arse from its elbow?

The Cabinet Office want to deliver all public services over the web. Public services should be "digital by default", as they say.

The web is a dangerous place to be if you want to maintain secrecy/privacy and if there's any money around. The web is perfectly adapted to breach confidences and to steal money. Let today's Sunday Times make the point. In Chinese steal jet secrets from BAE they tell us that:
CHINESE spies hacked into computers belonging to BAE Systems, Britain’s biggest defence company, to steal details about the design, performance and electronic systems of the West’s latest fighter jet, senior security figures have disclosed.

The Chinese have exploited vulnerabilities in BAE’s computer defences to steal vast amounts of data on the £200 billion F-35 Joint Strike Fighter (JSF), a multinational project to create a plane that will give the West air supremacy for years to come ...

Professor Anthony Glees, director of the Centre for Security and Intelligence Studies ... said: “It seems the Chinese were getting plans which allow them to undermine the defence capacity of the country. It’s deeply unsettling that GCHQ [the government eavesdropping centre in Cheltenham] didn’t spot this for so long because they are the people who are meant to be leading the fight against cyber crime.”
There's a wide selection of cock-ups to choose from here:
  • With £200 billion at stake, the Sunday Times reported on 12 January 2012 that the Royal Navy’s new jet cannot land on aircraft carriers. Never mind, you may say, it's only £200 billion and we haven't got an aircraft carrier anyway.
  • And three years ago, the Sunday Times reported that BT had bought equipment from China's Huawei telecommunications equipment company despite warnings that it could be used to "shut down Britain by crippling its telecoms and utilities" and that "government departments, the intelligence services and the military will all use the new BT network". Patricia Hewitt, trade and industry secretary at the time the contract was being negotiated, declined to intervene because it was "a competitive tender between two commercial companies". How very upright of Ms Hewitt not to let security interfere with competition.
But put those cock-ups aside. For current purposes, consider instead the following.

Rt Hon Francis Maude MP is the Cabinet Office Minister and according to his entry on the Cabinet Office website:
He leads on:

• Public Sector Efficiency and Reform
• UK Statistics
• Civil Service issues
• Government transparency
• Civil Contingencies
• Cyber security
• Overall responsibility for Cabinet Office policy and the Department
With his cyber security hat on, Mr Maude disposes of a budget of £650 million. Much-needed, judging by the success of GCHQ and BAE's attempts to fend off the Chinese.

With his public sector efficiency and reform hat on, Mr Maude wants to put Whitehall on the web. That's what "digital by default" means and that requires him to ignore his cyber security hat.

But it's worse than that. Digital by default requires something called identity assurance, a service which doesn't exist yet but is supposed one day to allow us all to prove who we are, over the web, while we're busy communicating with the government. The development of this service was unfunded until 31 October 2011 when Mr Maude announced that he'd found £10 million of public money to give it.

And where did he get this cyber security-busting £10 million from?

You can have 650 million guesses.

----------

Updated 23.6.14

Whitehall considers security shake-up

The government is understood to be carrying out a review of Whitehall organisations with a remit for electronic and computer security to determine any possibility of consolidation.

Informed sources say that one of the suggestions being considered is that CESG, the government's National Technical Authority for information assurance, should be separated from GCHQ, the signals intelligence agency.

That could mean the Cabinet Office taking over responsibility for CESG, with whom it has an ongoing relationship.
"That could mean the Cabinet Office taking over responsibility for CESG". Oh God.

Friday, 9 March 2012

You know you've arrived when ...

Towards the end of a long and illustrious career, already garlanded in the seats of power the world over, what bauble could possibly further crown his achievement? This was the conundrum perplexing DMossEsq.

The Governorship of Hong Kong? Too late.

The Order of the Garter? All things considered, no.

Could he be the next Pope? His lips are sealed.

The answer recently came to him. At last. As so often in today's global world, it was thanks to Google.

Enter "david moss" "cabinet office" into Google, go down to the bottom of the page, click on 3 or above and, when the page has refreshed, towards the bottom of the page you will see:
In response to a legal request submitted to Google, we have removed 1 result(s) from this page. If you wish, you may read more about the request at ChillingEffects.org.
One hit has been removed from Google's list. Which one? You want to know. You click on the read-all-about-it link and you get:
Notice Unavailable

Defamation Complaint to Google
Sent by: [individual]
To: Google

The cease-and-desist or legal threat you requested is not yet available.

Chilling Effects will post the notice after we process it.
Defamation? What defamation? This could be fruity. Who is the individual who complained? There is a certain dignity in these matters. Pray God it's not someone dull.

ChillingEffects.org? No, me neither.

Some sort of a kangaroo court? No. According to their website, Chilling Effects is:
A joint project of the Electronic Frontier Foundation and Harvard, Stanford, Berkeley, University of San Francisco, University of Maine, George Washington School of Law, and Santa Clara University School of Law clinics ...

Chilling Effects aims to help you understand the protections that the First Amendment and intellectual property laws give to your online activities. We are excited about the new opportunities the Internet offers individuals to express their views, parody politicians, celebrate their favorite movie stars, or criticize businesses. But we've noticed that not everyone feels the same way. Anecdotal evidence suggests that some individuals and corporations are using intellectual property and other laws to silence other online users. Chilling Effects encourages respect for intellectual property law, while frowning on its misuse to "chill" legitimate activity.
Mystifying. Has DMossEsq defamed someone? Allegedly. Has someone allegedly defamed DMossEsq? Who knows? It's not clear. Let's hope that Chilling Effects hurry up and process the "cease-and-desist or legal threat" submission. The suspense waiting for them to post their notice will be hard to bear. Is DMossEsq at last the subject, or even the object, of that must-have for a career to be complete, a superinjunction?
