Sunday, 8 September 2013

Edward Snowden – the penny drops 1

The Edward Snowden revelations began here in the UK on 6 June 2013.

The public response and the response of the national media have been muted. Spies spy. What do you expect? They have to. Surveillance is legal. You'd have to be naïve to think otherwise. It's for our own good.

It's a case of move along, there's nothing to see here, as far as Whitehall is concerned. And in that case the plans to make public services digital by default can proceed. We can carry on saying that it is safe to store our data in the cloud. We can carry on saying that trusted third parties – "identity providers" – can supply us with personal data stores, maintained on "secure websites", which will give us "control" over what happens to our personal data.

There's nothing to see here. Our personal data will be encrypted. The security of the websites is provided by encryption. Encryption works. That's why the third parties can be trusted.

When the cartoon character runs off the edge of a cliff his legs keep going and he keeps moving forwards as long as he doesn't look down.

On 6 September 2013, three months after running off the cliff, the revelation that the US National Security Agency (NSA) and GCHQ can get round some/many/most forms of encryption has finally made the cartoon character look down. His legs stop. A look of doubt appears on his face, the penny drops and he starts to fall.

Mydex is in pole position to provide the personal data stores for midata, the Department for Business Innovation and Skills initiative to "empower the consumer". Mydex is also one of the UK's appointed "identity providers" and recently signed a contract to supply identity assurance services.

William Heath is the chairman of Mydex. Here, faithfully recorded by Twitter, is what he saw when he looked down:










----------

Updated 29.9.15

"Mydex is in pole position to provide the personal data stores [PDSs] for midata". Written two years ago. Please see above.

It looked then as though Mydex relied on a package called "TrueCrypt" to make their PDSs secure.

If they relied then or rather if they rely now on TrueCrypt, there's a problem. Support for TrueCrypt was withdrawn in May 2014.

"Mydex provides the individual with a hyper-secure storage area to enable them to manage their personal data, including text, numbers, images, video, certificates and sound. No-one but the individual can access or see the data". That's what it says, to this day, at the bottom of Mydex's webpage – "hyper-secure".

Where does this "hyper-security" come from? Not from TrueCrypt. So where?

If your PDS is hacked, that's your fault. That's Mydex's stance and that's why, unlike the banks, they offer no compensation.

Before entering into a no-compensation deal which requires you to store all your personal information in a PDS, you might be wise to check just how secure that PDS is. Wiser still, whoever you get your PDSs from, to assume that hyper-security is impossible and insist on the provision for compensation in the contract.



Friday, 6 September 2013

The internet secure? Absurd

While we were all away on holiday a scene from the theatre of the absurd was reported. It had been enacted a month before, in July, in the basement of the Guardian newspaper's London office.

Dramatis personae:
    A number of GCHQ persons
    A Guardian editor and a Guardian IT person

Props:
    A number of computer disks and chips
    An angle grinder and some other tools

On 20 July 2013, apparently acting on the orders of Sir Jeremy Heywood, the Cabinet Secretary, who was in turn apparently acting on the orders of the Prime Minister himself, the Guardian persons set about destroying the disks and chips with the angle grinder and other tools. The GCHQ persons, having watched but not assisted, left once the job was done.

Thus one copy of the Edward Snowden files was destroyed. Quite pointlessly, as there are other copies. But the Prime Minister insisted, allegedly, the charade went ahead, and the dignity of his office was thereby preserved.

The Snowden revelations continue unabated. Yesterday, the Guardian treated us to "US and UK spy agencies defeat privacy and security on the internet" while the New York Times gave us "N.S.A. Able to Foil Basic Safeguards of Privacy on Web".

If you think that encryption will keep your use of the internet private/confidential/secret, think again.

The US National Security Agency (NSA) and our very own GCHQ have cracked the code and can decrypt your transactions on secure websites, your use of virtual private networks, your emails, web chats and Skype calls, just like that, more or less in real time.

If a cloud computing supplier tells you your data is safe in the cloud because it's encrypted, he or she is probably wrong. HMRC, the MOD, the Home Office and the Government Digital Service (GDS) might like to reconsider their use of Skyscape Cloud Services Ltd.

If a personal data store supplier tells you that your information is safe because it's encrypted – perhaps in connection with the UK's midata project – he or she is probably wrong.

No doubt GDS will tell us that the new electoral roll will be secure. And that the identity assurance service they are about to unleash on HMRC is secure. In what way?

Individuals, companies and government departments can forget about confidentiality on the internet. What was left of it was all hoovered up by the cleaners in the Guardian's basement after the audience had left.

Lawyers, bankers and accountants working on a major takeover, for example, may well continue to use the internet. It's convenient. But they can no longer promise that their clients' data is being kept confidential. Everyone now knows that on the internet that is, to all intents and purposes, impossible.

Thursday, 5 September 2013

Now UC IT

The National Audit Office (NAO) have published their report on Universal Credit (UC). UC is the Department for Work and Pensions (DWP) initiative to rescue benefit claimants from the poverty trap created by the UK's inept welfare system. The idea is to rescue them by making work pay.

"Universal Credit: early progress" is 60 pages long. 60 pages which document the unrelenting and expensive failure of DWP to get to grips with UC. There is a summary for you kindly prepared by Tony Collins – "Will Universal Credit ever work? – NAO report".

By 31 March 2013, DWP had spent £425 million on UC. £425 million spent by intelligent and experienced public servants and there is nothing to show for it.

Accenture have picked up £125 million of that money, IBM £75 million, Hewlett-Packard (HP) £58 million and BT £16 million. That accounts for £274 million. £274 million spent with intelligent and experienced software engineers and there is nothing to show for it.

Is it the politicians' fault (Iain Duncan Smith, the Secretary of State at DWP, and his junior ministers)? Is it the officials' fault (Robert Devereux, Permanent Secretary at DWP, and his staff)? Is it the contractors' and consultants' fault? Yes. In each case.

How on earth can such a catastrophic failure happen? It's happened before, please see for example "It's all John's fault". The lessons never seem to be learnt.

It's time to stop this nonsense. DWP have "pressed the reset button" apparently and are taking time out to think. About time, too.

The thinking so far centres on the software engineering methods being used. DWP, it is said, failed to use "agile" methods. Appendix Seven of the NAO report, beginning on p.53, provides a handy cribsheet on agile v. traditional software engineering.

This may be a cul-de-sac. After all, no engineering methodology in history has ever recommended spending £425 million before thinking what it is you're trying to achieve. Also, there is no guarantee that agile methodologies would avoid the same problem.

To the extent that "agile" means anything in Whitehall, it means the Government Digital Service (GDS). GDS are great advocates of agile, they claim to be successful exponents of agile and they want to see central and local government become 100 percent agile.

They're getting their message across.

Howard Shiplee, the man in charge of UC for the past 100 days, says in his Telegraph article "Universal Credit: The First 100 days":

    As the Secretary of State outlined in July, we are working with the new Government Digital Service (GDS) to explore an enhanced IT programme that would offer more flexibility and security to benefit claimants. We’re planning to take the best of the existing system and make improvements using GDS support.

Why?

The BBC and the Guardian give GDS great publicity, please see "GDS PR blitz". So do the Times, please see "Toe-curling: GDS PR Blitz".

Why?

The Design Museum declared GDS's only product to date, GOV.UK, to be Design of the Year 2013. The Design and Art Direction charity created a new category this year especially to be able to give GOV.UK a prestigious D&AD award.

Why?

The answer in each case is, presumably, competent public relations. An attractive brand is being created. But is there any substance there? What skills of GDS will stop the next £425 million from being wasted?

According to five IT professors, none.

Martyn Thomas gave evidence to the Public Administration Select Committee to the effect that GDS are wasting their time with agile software engineering, please see "Digital-by-default, an open letter to the House of Commons Science and Technology Committee" (para.13).

That's one professor.

The other four – Alan W Brown, John A McDermid, Ian Sommerville and Rob Witty – reviewed GDS's Government Digital Strategy and were entirely unimpressed. "Simplistic and highly risky", they said about agile, please see "Four professors review the Government Digital Strategy".

Just because GDS's staff are an alternative to the hopeless staff of DWP, Accenture, IBM, HP and BT doesn't mean that they're any better.

D&AD, the Design Museum, the Times, the Guardian, the BBC, Howard Shiplee and the NAO would all do well to consider the expert views of the five professors before assuming that GDS is the answer. In the meantime, for the sake of the £425 million lighter taxpayer, and everyone caught in the poverty trap, another reset button should be pressed. On GDS.

----------

Updated 21 October 2013
  1. House of Commons oral evidence taken before the Public Accounts Committee, Universal Credit, Wednesday 11 September 2013
  2. Welfare fiasco chief 'to resign'

Updated 14.4.16

In the 2½ years since the post above was written:
  • GDS's all-agile system written for DEFRA's Basic Payment Scheme failed, leaving farmers to apply for their EU Common Agriculture Policy subventions using pencil and paper.
  • Iain Duncan Smith has resigned.
  • Robert Devereux hasn't. And he has become Sir Robert Devereux KCB.
  • DWP have fought against Freedom of Information requests to publish the 2011 and 2012 Universal Credit (UC) risk register, issues register and Major Projects Authority (MPA) assessment. They have finally lost that fight.
  • The MPA have become the Infrastructure and Projects Authority.
  • Some of the documents now disclosed suggest that ministers and officials at DWP did, indeed, mislead everyone about the progress being made on UC. Cyber security arrangements were inadequate, the system would have been open to fraud, there was no precedent for agile being used at the scale of UC and DWP didn't even have a plan for the transition from the existing benefits schemes to UC.

UC is utterly benighted.

As to GOV.UK Verify (RIP), another fairly major infrastructure project where Whitehall keep telling us that there is only good news (indeed the system is meant to go live this month, and it's decision time some time in the next 16 days), what do the MPA have to say about cyber security and the use of agile?

Nothing.

The MPA, sitting in the Cabinet Office, haven't assessed the Cabinet Office's GOV.UK Verify (RIP), even though it's meant to provide 60 million people in the UK with an on-line ID, using which we are meant to be able to transact with government.

Risk level? Unmeasured. Could be high. Could be low. The MPA don't know and presumably don't care.

Monday, 2 September 2013

You are for sale

The Financial Times have been doing a bit of investigative journalism. "Health apps run into privacy snags", they said on 1 September 2013:

    Before Celeste Steenburger takes off on her morning run, she taps the orange button on the MapMyRun app on her iPhone to track the exercise.

    The 30-year-old office manager counts calories, logging the food she eats into a separate Lose It! app. When her menstrual cycle begins, she marks the details in the Period Tracker Lite app.

    With each bit of health data Ms Steenburger records, third-party companies, some with names she has never heard of, are receiving information about her.

Ms Steenburger thinks she's just dealing with MapMyRun and one or two other apps suppliers to keep track of her health. She's wrong. Behind the scenes these suppliers are selling her health data to other interested parties. The FT mention "advertising companies, ... digital analytics and tracking groups, ... health insurance and pharmaceutical companies":

    The trend has serious implications for consumers. Data which an individual has willingly handed over to an app develop[er] to better track their own health, could now land in the hands of a large insurer who might use that data to set policy premiums ...

    iPeriod will soon have the capability to target ads at a very fine level. So a woman who records in the app that she gets headaches before her period could soon receive an ad for a pain reliever at just the right time of the month ...

    “By getting certain populations more active, they can reduce the cost burden for employers around those people,” says Chris Glode, the general manager for MapMyFitness. “If you can get people more active, can improve their health outcomes. That’s really cool, we’re really psyched to be part of that.”

"The top 20 most visited apps transmit information to a web of nearly 70 companies", says the FT, naming Google, Apple, Humana, Aetna and Flurry, a mobile data tracking specialist and the recipient of data from nine of the top 20 health-related apps.

That's the business model. You supply the data and the apps developers sell it. Maybe Celeste Steenburger didn't expect that but you should.

Perhaps this business model is restricted to the private sector?

No.

The public sector are at it as well.

It is three years since the Telegraph reported that the Department for Work and Pensions were paying Experian, the credit referencing agency, to analyse the data they hold and try to identify benefit cheats, please see "Bounty hunters to cut benefit fraud by £1bn".

And more recently, in May 2013, the Mail told us that Orange/EE (Everything Everywhere) were selling data on their 27 million mobile phone users in the UK and that among the interested parties were the police. In the end, the police didn't buy anything but they were interested and maybe next time ...

    Millions of phone records revealing age, address and even the websites you visited were offered for sale to police in controversial deal

    ... Scotland Yard held a meeting with Ipsos Mori about the possibility of paying for some of the data to fight crime, but yesterday the force said it was not planning to make any offers for it.

Not very convincing, you may say, the public sector hasn't actually bought any personal data from Experian or EE, and they certainly don't sell personal data.

Oh yes they do.

Here's the Guardian on 17 May 2013:
    £140 could buy private firms data on NHS patients

    ... On Monday the government slipped out the news that private insurer Bupa was approved to access England's "sensitive or identifiable" patient data, housed centrally by the Health and Social Care Information Centre (HSCIC). It is now among four private firms that have passed the government's vetting procedures.

    The charging structure for "bespoke patient-level extracts" was revealed when HSCIC put up a "cost calculator" to work out how much prospective customers would pay for sensitive hospital data. The "indicative fee" for a full set of 20 years' inpatient data was about £8,000 including £140 to make the records identifiable.

It's a lot cheaper in the Mail, please see "Your confidential medical records for sale... at just £1: Hunt insists plan to sell details to private firms is vital to combat epidemics - but critics fear 'unprecedented' privacy threat".

"So who cares if you’ve got haemorrhoids or athlete’s foot?", asks the Telegraph in "Patient confidentiality? Not if the price is right" – the answer they give is "more people than you might think". It's all that Jeremy Hunt's fault, the Secretary of State for Health, please see "Jeremy Hunt plans to give anonymised patient medical records to private firms".

"Anonymised patient medical records"? Anonymised? Oh yeah? Mr Hunt might believe that but he's not a professor of IT. Martyn Thomas is, and he told the Public Administration Select Committee that "anonymised research data" is an oxymoron (para.4) – if the data's anonymised it's no use for research and if it's any use for research then it's not anonymised.

He is not alone in that belief, please see for example "The rush to ‘anonymised’ data" by Professor Ross Anderson.

"Anonymised data" must join "secure website" in your list of count-your-fingers-after-shaking-hands phrases.

Bang goes medical confidentiality. Secrecy. Privacy.

You were warned. By Stephan Shakespeare. Health data is "open data" or PSI (public sector information), he says. PSI belongs to everyone and processing it will boost the economy.

Not just Mr Shakespeare – Professor Sir Nigel Shadbolt, too. He's told you that he wants to mix your health data and travel data with anything you've put in your midata personal data store, and give the whole lot to apps-writers to improve your life.

For further information on the state destruction of medical confidentiality in the UK, please visit medConfidential. They provide a form you can use to opt out of HSCIC sales of your medical data.

Monday, 19 August 2013

GDS and privacy

Yesterday's Sunday Times:
    Google: we are beyond British law

    The internet giant says the High Court has no authority to rule over a landmark UK privacy claim ...

    “They don’t respect privacy and they don’t consider themselves to be answerable to our laws on it” ...

    Last week Google’s privacy policies came under fresh attack in America after it said that its 425m Gmail users could have no “reasonable expectation” that their messages would remain confidential. The admission came to light in a court filing.

    In its submission to the High Court, Google’s lawyers argue that any information gleaned from the search engine is not “private or confidential”. This means that the company is under no obligation to hold it in confidence, they say.

You know where you are with Google. No "reasonable expectation" of confidentiality/privacy.

Similarly, you know where you are with the UK Cabinet Office. Francis Maude, the Minister in charge, told the Information Commissioner's Conference:
    Sharing data is a key enabler in our ambition to see public services provided digitally by default ... the census is another area where I want to bust the myths around the complexities of data sharing ... we aim to find effective ways of using and sharing data for the good of everyone ...

The provisions designed to limit data-sharing in government are no more than "myths", in his eyes, and will be swept away by Mr Maude's modernisation plans – spearheaded by the Government Digital Service (GDS).

You know where you are with GDS. Ex-Guardian man Mike Bracken, executive director of GDS and senior responsible owner of the pan-government Identity Assurance Programme (IDAP) has told you:
    Andrew Nash, Google’s Director of Identity, ran us through the current issues facing identity. He explained how Google aim to grow and be part of an ecosystem of identity providers, and encouraged the UK Government to play its part in a federated system. The UK ID Assurance team and Google agreed to work more closely to define our strategy – so look out for future announcements. Andrew also took the opportunity to walk the Minister through the Identity ecosystem.

Which brings you back to Google and the "reasonable expectation" of privacy – there is none.

The Privacy and Consumer Advisory Group (PCAG) have worked hard to devise nine privacy principles. And ex-Guardian man Mike Bracken has asked for comments on these principles. But you have to ask yourself whether his heart is in it. PCAG is only an advisory group and GDS can ignore their suggestions.

GDS were asked to produce a version of the nine principles with numbered paragraphs to make it easier to refer to them when submitting responses to the consultation exercise. GDS agreed that this would be a good idea. That was on 20 June 2013. Two months later, and no further action has been taken since.

When GDS held their revivalist "The Future is Here" event back in January 2013, they got everyone to book their place through Eventbrite, a Californian firm of event organisers. A Californian firm of event organisers who now have all the contact details of 300 civil servants "working across Government and its agencies to deliver our digital ambition statement". A marketing man's dream. So much for GDS and the "reasonable expectation" of privacy.

There has been at least one submission made in response to the PCAG consultation. Compiled by Mark King, it is published in full by the great Philip Virgo. Mr King's submission is masterly and suggests that even if GDS were to agree to the nine principles our "reasonable expectation" of privacy would still be disappointed.

These are the dog days of August, no-one can be expected to respond to consultations while we are all in the doldrums. But come September, if you have any desire to protect your reasonable expectations, it could be worth making the effort to respond.

Friday, 9 August 2013

Cyber security is a hangover in Vegas

DEF CON was founded in 1992 or 1993 by Jeff Moss (no relation) and is "one of the world's largest annual hacker conventions, held every year in Las Vegas, Nevada ... Many of the attendees at DEF CON include computer security professionals, journalists, lawyers, federal government employees, security researchers, and hackers with a general interest in software, computer architecture, phone phreaking, hardware modification, and anything else that can be 'hacked' ...".

Not to be confused with Black Hat Briefings, which was founded in 1997 by Jeff Moss (no relation) and is "a computer security conference that brings together a variety of people interested in information security. Representatives of government agencies and corporations attend, along with hackers. The Briefings take place regularly in Las Vegas, Barcelona, Amsterdam, Abu Dhabi and, occasionally, Tokyo. An event dedicated to the Federal Agencies is organized in Washington, DC ...".

Would you like to attend DEF CON? One young lady who attended this year gave an interview to BuzzFeed magazine that gives you a hangover just to read it: "... But I had a good time. It’s always a good time. As long as you remember most of it. Or maybe you don’t want to remember. It just kicks your ass. But once a year? It isn’t the worst thing for your liver".

She was interviewed because she was the only ovine who had appeared on the Wall of Sheep and was prepared to talk about it. The Wall of Sheep is where the DEF CON organisers display the logon IDs and passwords of everyone at the conference who has foolishly allowed themselves to be hacked.

The way our young lady put it, "... at past Def Cons, I didn't really have to worry about it, because someone else was always there to take care of it. When we would get close, he’d say turn stuff off, don’t let any of your wireless devices accept any open Wi-Fi or anything. Turn off Bluetooth, anything that connects to you. So I had someone watching out for me before, but since this was my first one on my own, I didn't take precautions".

"This 28-year-old graphic designer from Utah agreed to tell her story on the condition that we preserve her anonymity — or what remains of it", say BuzzFeed. Not a lot: "I got my alert on my cell phone [saying] that I was using too much data. I knew something wasn't right, so I started making changes when I could. I left on Saturday, so I spent most of that night and the next day cleaning up my accounts that may be associated. I totally got owned. It's just such a rookie mistake".

We might take more care of our livers but we, too, would "totally get owned" by hackers if the occasion presented itself.

Anyway, DEF CON is the nice conference and, in light of the Edward Snowden revelations, Jeff Moss (no relation) asked the feds to stay away this year. Which they did. They went to Black Hat instead, where General Keith Alexander, the Director of the NSA [National Security Agency] and Commander of the DOD's [Department of Defense] US Cyber Command was the keynote speaker.

The general would probably have stayed away from DEF CON this year even if Jeff hadn't asked – he was keynote speaker there last year.

Presumably the feds and the hackers attend these events to size each other up. Maybe there's a bit of trading – you tell me how you did x and I'll show you how I do y. Who knows? One thing is clear, though – the rest of us haven't got a clue. Or a chance.

Hypothesis: when we hear that such-and-such website is secure, or this mobile phone operating system or that slab telecommunications facility, we might as well forget it. None of it is secure. Not for the general public. And don't you believe anyone who tells you otherwise.

Wednesday, 7 August 2013

Toe-curling: GDS PR Blitz

The launch of the Government Digital Service's PR campaign on the BBC and in the Guardian was noted here three weeks ago on 14 June 2013.

Last week a new front was opened up in the Times newspaper with an opinion piece by Rachel Sylvester, "Geeks in jeans are the Treasury’s new heroes". Are they geeks? Are they in jeans? Are they the Treasury's new heroes? Precisely what have GDS achieved so far? What is the outlook for all their outstanding projects? Ms Sylvester left her readers none the wiser.

Yesterday, again in the Times, the PR campaign went out of control. Laura Pitel wrote "Jordan Hatch: boy wonder civil servant with a plan to save £4m":

    He has no university degree, no A levels and wears cargo pants to work. Meet the teenage civil servant who is going to save you £4 million ... Jordan Hatch is the poster boy of the Government’s digital revamp ... Bringing a 17-year-old on to the team was seen as the embodiment of a new, more adventurous way of thinking ... the lack of formal qualifications betrays [?] a talent for IT that began when he was barely out of nappies ... Baroness Lane Fox of Soho, recently secured him a role as young digital adviser to the European Commission ...

This ruthless exploitation of Mr Hatch extends all the way to Sir Bob Kerslake, head of the home civil service, and it smacks of desperation:

Monday, 5 August 2013

midata and your money

WHAT'S NEXT POST LAUNCH OF THE MIDATA INNOVATION LAB?

Good question.

That's the title of an interview with Dan Bates, director of the midata Innovation Lab (mIL), published in Ctrl-Shift News, where space is so tight that there isn't room to remind the reader that Ctrl-Shift is one of the 22 Founding Partners of mIL.

"I am proud that we have set the bar high by bringing the mIL to life in just seven weeks from project kick-off", says Dan, too young perhaps to remember that "project kick-off" was 91 weeks ago on 3 November 2011 when the Department for Business Innovation and Skills published Government, business and consumer groups commit to midata vision of consumer empowerment.

mIL has several "learning streams of activity", we learn during the interview, and a "project heartbeat". mIL is an "enabler" and "we have made it easy to get involved". It is a "potential consumer blockbuster" but, before that happens, Dan needs more organisations to sign up.

What kind of organisations? Answer: "these organisations will be trail-blazers who have the humility to acknowledge no-one as yet has all the answers, and thus share and learn, whilst at the same time having the vision and boldness to be the first-movers that accelerate the personal data market".

It's not easy to find organisations like that and Dan's boss, Professor Sir Nigel Shadbolt, has been reduced to trying to buy them in:


As well as bold humble visionaries, there are "experts involved in the mIL", Dan wants it to be "transformative" and he wants to "kick start a collective inflection point in business". midata is all about apps. What kind of apps? According to Dan, "really interesting" ones: "I want some really interesting apps and services to come out of the mIL".

You wouldn't fund a project for 91 weeks, would you, based on breathless promises of really interesting transformative apps that will kickstart a collective inflection point?

You just have. And there's no end in sight.

Cloud – Dale Vile tells it like it is

Freeform Dynamics is an "IT industry analyst firm" distinguished by "straight talking, telling it as it is in down-to-earth language".

Dale Vile, the CEO, is a "cloud advocate", he tells us in SMBs are tumbling into the cloud? Oh get real, and he's not pleased. Large companies and public bodies are adopting cloud computing but small and medium-sized businesses (SMBs) aren't: "we are hardly scratching the surface when it comes to selling cloud options into the SMB space".

What seems to be the problem?

Dale says: "IT policy and planning is down to business people at the lower end" and "where a business person rather than an IT professional is responsible for IT policy, planning and decision-making, cloud is far less likely to be on the agenda".

What's the matter with these business people?

Dale thinks they're hysterics: "... then there’s the MSPs [managed service providers, i.e. cloud shops] who despite the current privacy-related hysteria are still reporting impressive growth that shows no signs of abating".

IT professionals are pretty relaxed about storing their company's data in the cloud and losing control of it but psychologically damaged business people seem to suffer from a primitive need to protect their intellectual property and to honour their promises to keep client data confidential.

If the business people are removed and IT professionals run businesses instead, will that solve the uptake problem suffered by cloud computing?

No.

Dale has another issue: "bloody well appreciate that you aren't going to unlock the SMB space without the channel, so pay more attention to enabling your partners and making sure that cloud is good business for them as well as yourselves".

Sunday, 4 August 2013

Classical innovation and old-fashioned digital

8:51, Friday morning, 2 August 2013, the BBC Radio 4 Today programme, and Evan Davis interviews Emma Stenning, executive director of Bristol Old Vic, and Max Hole, chairman of Universal Group International. The question is what innovations are needed to make classical music more popular.

The proms at the Bristol Old Vic have introduced a screen allowing the audience to see the conductor in the same way as the orchestra does. That seems eminently sensible, but not innovative – Evan Davis and Max Hole agreed that rock concerts have had big screens "forever".

They have also introduced a standing pit for the promenaders. Again, eminently sensible, and ticket sales have gone up by 20% as a result, but not innovative – Emma Stenning made the point that this was actually a return to the way the theatre was in 1766. (When America had only just ceased to be a British colony ...)

In between these sensible points there was a bit of talk about digital innovation, new technology, digital opportunity and the promenade concerts being made more accessible by exploiting the analogy of a concert with computer games and digital environments in which avatars respond to the music (3'22" to 3'47").

Admittedly someone was driving to a funeral while this piece was broadcast, and was feeling mighty sour, but the digital innovation drivel sounded tired, old-fashioned, tawdry, gratuitous and past its sell-by date. The horse is dead and it's a waste of time to keep flogging it.

How boring an old fart have you got to be to still find computer games exciting?

"Digital" doesn't mean "open" or "welcoming" or "warm" or "informal" or "accessible" or "engaging" or "popular". It doesn't even mean "modern" any more.

Saturday, 3 August 2013

GDS's grip on public expenditure

It's always a pleasure to read the Government Digital Service's diary, This week at GDS. And never more so than when it's written by Mike Beaven as it was yesterday:
... Carl Meweezen and his team over in ERG (Efficiency and Reform Group), who look at all things spending in government and look at where we’re saving money. Mark O’Neill and Gill (Elderfield) worked with their team over there, to help them build a thing called the ‘Government Interrogation Spending Tool’, or ‘GIST’, as it’s known. That went live and there’s been some really good feedback from Stephen Kelly, Carl and his team, and the Minister (Minister for the Cabinet Office, Francis Maude), saying, “Thanks for creating something that’s very easy to use and intelligent.” So well done to those guys.
The "thing called ... 'GIST'" is an infographic of public spending. We have seen GDS's penchant for arresting graphics before. That was aspirational, at the time. Now it's reality:


It's not just Stephen Kelly and Francis Maude who have provided "some really good feedback" about this infographic.

Here, for example, is Pete Swabey, writing on the Information Age website:
UK government's new spending data site is "an embarrassing mess"

GIST website "is a joke", says data visualisation expert Stephen Few, and fails to allow users to make basic comparisons

... It is "either an attempt to obscure the data under the guise of transparency or the work of people who have no knowledge of data visualisation", he told Information Age. "The charts in every case are either inappropriate for the data or appropriate but ineptly designed."
Few. What a scorcher.

ElReg have provided some really good feedback, too:
Ha ha, Osborne, these Gov 2.0 web wranglers have wiped out UK debt

"A digital revolution, masterminded by a team of dress-down civil servants, could save the taxpayer billions," The Times newspaper gushed on Tuesday. And behold: it already has. The UK has apparently paid off its national debt years ahead of Chancellor George Osborne's predictions.

Alas, it's no miracle, but an infographics cock-up by the dress-down civil servants at the Government Digital Service ...
The "cock-up" referred to is the unfortunate omission from GDS's infographic of the UK's £50 billion p.a. of debt interest, a point which ElReg picked up from Guido Fawkes's No Interest in New Government Spending Website – you get the gist.

Readers who submitted comments to ElReg also expressed mystification at the annual Department of Health expenditure quoted in GDS's easy to use and intelligent infographic as £5.1 billion. They were expecting a figure closer to £120 billion.

The "digital revolution, masterminded by a team of dress-down civil servants" quotation comes from Rachel Sylvester's column in the Times on Wednesday, Geeks in jeans are the Treasury’s new heroes, the latest episode in GDS's PR blitz.

Much more positive feedback like Information Age's, ElReg's and Guido Fawkes's and GDS are going to run out of biddable publicists, even at the BBC and the Guardian. And the Times.

Readers may remember POST, the Parliamentary Office of Science and Technology. We last encountered them misbriefing MPs on the subject of on-line identity management.

Now POST have produced a paper on Invasive Alien Plant Species:
Invasive alien plant species (IAPs) exhibit greater abundance, density, or competitive dominance than species native to habitats ... Early detection and eradication is more cost effective and less risky than later interventions, which may have unintended consequences, such as increases in another, previously suppressed invasive alien species.
Are POST trying to tell us something about the effect of the advent of GDS on the habitat in Whitehall?

Friday, 2 August 2013

You'd have to be naïve not to

The third and final episode of Steve Hewlett's report on Privacy Under Pressure was broadcast on Monday 29 July 2013.

The programme took the form of a debate and at one point the participants turned to the Edward Snowden revelations. The US National Security Agency (NSA) and GCHQ here in the UK monitor our phone calls, emails and web browsing on a monumental scale. That makes a nonsense of privacy.

Surveillance is justified, said Lord Carlile, by the state's duty to protect us against terrorists. In other words, in the fight between privacy and surveillance, surveillance must win. That can't be right, said the great Simon Jenkins, not without qualification.

The advocates of freedom admit that we're not free to shout "fire" in a crowded theatre. The advocates of counter-terrorism should similarly admit that there are limits.

Among others, there are financial limits. How many billions, Simon Jenkins wanted to know, should we pay for the NSA and GCHQ's work? Lord Carlile had no answer.

We're back with the arguments advanced by Fraser Nelson and Charles Moore. Of course spies spy. That's their job. Of course we're all under surveillance. You'd have to be naïve to think otherwise. It's for our own good. No-one sensible should be surprised by the Guardian's scoop, it's not a scoop, we've always known all about the interception of communications.

Let's follow the Nelson-Moore-Carlile (NMC) proposition when it next goes out for a walk. See where it leads.

And let's concentrate on money.

In yesterday's Guardian, in addition to learning about X-Keyscore, we also learned about the NSA paying GCHQ tens of millions of pounds. That's handy money. This surveillance lark is expensive and someone's got to pay for it. You'd have to be really naïve not to have worked that one out.

We're following NMC, he bumps into his NSA opposite number and there's an argument. Tempers rise, voices are raised and we can just make out the NSA saying "that's it, you were paid to deliver, you didn't deliver, no more money".

Oh dear. GCHQ's budget is being cut by the UK Exchequer and now the US are turning off the taps (faucets), too. But the state still has a duty to counter terrorism according to NMC. How to fund it?

As luck would have it, in the ordinary course of their work, which is entirely legal according to William Hague (Foreign Secretary) and Sir Malcolm Rifkind (chairman of the Intelligence and Security Committee), GCHQ trip over a lot of useful information.

They knew about Berkshire Hathaway taking over Heinz, for example, months before the news was made public. Should GCHQ do their duty, take advantage of that knowledge and invest, say, £100 million in the target company? That would have yielded a £20 million profit: "Shares in Heinz soared nearly 20% in New York to hit the $72.50 price being offered". If not, why not?

That's one place where NMC leads. And you'd have to be naïve not to realise that.

Monday, 29 July 2013

John Naughton, welcome to the club

(Hat tip: Philip Virgo)

John Naughton is professor of the public understanding of technology at the Open University. Writing in yesterday's Observer, 28 July 2013, he says:
... no US-based internet company can be trusted to protect our privacy or data. The fact is that Google, Facebook, Yahoo, Amazon, Apple and Microsoft are all integral components of the US cyber-surveillance system. Nothing, but nothing, that is stored in their "cloud" services can be guaranteed to be safe from surveillance or from illicit downloading by employees of the consultancies employed by the NSA. That means that if you're thinking of outsourcing your troublesome IT operations to, say, Google or Microsoft, then think again.

... when your chief information officer proposes to use the Amazon or Google cloud as a data-store for your company's confidential documents, tell him where to file the proposal. In the shredder.
Where have you heard that before?

Friday, 26 July 2013

Instrumenting the kettle

Exclusive: sometimes there is a difference between fiction and reality.

Steve Hewlett is presenting a report at the moment on BBC Radio 4, Privacy Under Pressure. Three episodes, Episode 2 was on Monday 22 July 2013, final episode next Monday, don't miss it, 9 a.m.

Everyone remembers Minority Report, the Tom Cruise film where the murder rate has dropped to zero because the "Precrime" unit intervenes before anyone commits a felony.

What is the use of the internet of things? That's what Steve Hewlett wanted to know. And there was our very own Professor Sir Nigel Shadbolt to tell him.

You remember Sir Nigel. He's head of the Open Data Institute. And midata. He's the one who thinks that the economy will grow if we give all our public and personal data to innovative app-designers. Him and Stephan Shakespeare. Although neither of them can usually think what these apps might do to be useful and profitable.

And you remember the internet of things. That's when you connect every device in the world to the internet and then monitor them.

Worked a treat for the US Chamber of Commerce. They thought they were controlling the central heating in one of their flats remotely. In fact, the thermostat was busy sending stolen data to the Chinese: "months later, the chamber discovered that Internet-connected devices — a thermostat in one of its corporate apartments and a printer in its offices — were still communicating with computers in China".

All this remote monitoring is a bit intrusive, isn't it, said Steve Hewlett but Sir Nigel reckons not. He says that by "instrumenting" the fridge you'll be able to tell remotely that an old person is eating properly. "Elder care", he calls it. And if you see the kettle being turned on, you'll know that the old person is having a cup of tea.

Sir Nigel has obviously never met an elderly relative of DMossEsq's who, in his dotage, every time you served him dinner, carefully picked it up and put it in the dishwasher – to a remote "elder carer", no doubt that would mean he was doing the washing up.

A lot of people on Steve Hewlett's programme keep saying that the benefits of surveillance are undeniable, it would improve the quality of life, it's very positive. There's one old-fashioned lady who says that permanent surveillance will lead to permanent self-censorship, but what does she know?

Is it worth giving up our privacy just so that we know without taking the trouble to go round in person that some old wrinkly has opened the fridge?

Sir Nigel tackled this question head on. Here he is, delivering the coup de grâce to any demented naysayers. Just imagine, he says, a new world where you look out of the window and see the blue flashing lights, and then someone flies through the door and says "we're here to prevent you from having a heart attack".

That's Sir Nigel's charming picture of the new world he's trying to create. Or intelligently design. "Precare", anyone?

Sir Nigel has obviously never met Steven Grisales. And he's not going to meet him, because Steven Grisales is dead. He was murdered by a 15 year-old who was out on probation and evaded surveillance by the simple act of removing his electronic tag.

The story is told by Dominic Lawson in the Sunday Times, Clarke plays a deadly game of tagging, 17 June 2012: "Last Wednesday Liz Calderbank, the chief inspector of probation, released a report on electronically monitored curfews, which deserves that overused term 'devastating' — it revealed that 59% of tagged offenders are known to have breached the terms of their curfew".

Perhaps in next Monday's episode Steve Hewlett will settle the question whether the benefits of giving up our privacy really are indubitable. Will the future look like Sir Nigel's idyllic dream? Or will it be more like the squalid nightmare which is surveillance today in the UK, as revealed by Liz Calderbank?

----------

Updated 4.8.14

iKettle: The Wi-Fi kettle review

Hat tip


Updated 24.10.16

"Global internet outages continue as second wave of hacker attacks cripples web servers" – that's what it said in the Daily Telegraph newspaper last week, with more than usual first-hand experience: "Hundreds of popular websites were taken offline for hours on Friday after a critical internet point was hit by multiple cyber attacks ... Hackers brought sites including Twitter, eBay and The Telegraph offline for millions of users after targeting Dyn, a New Hampshire-based company that is responsible for routing internet traffic".

ElReg provided some technical detail. It seems that a lot of dumb devices attached to the internet of things (IoT) were used to launch an onslaught on this company Dyn. Devices including the WiFi kettle above, possibly. Apparently it's terribly easy to do and the caper may have been undertaken by bored children.

Messrs Shadbolt and Shakespeare (please see above) may have their enthusiasm for the IoT undimmed by this episode. You may think differently, though. If bored children knock out the Government Digital Service's GOV.UK Verify (RIP) next time, and if you foolishly rely on that underwhelming identity assurance scheme, then you will cease to exist.


Updated 21.1.17

RIP: Steve Hewlett: Radio 4 presenter dies at the age of 58

Biometrics – Hollywood v. Kingston upon Thames

Exclusive: sometimes there is a difference between fiction and reality.

Steve Hewlett is presenting a report at the moment on BBC Radio 4, Privacy Under Pressure. Three episodes, Episode 2 was on Monday 22 July 2013, last episode next Monday, don't miss it, 9 a.m.

Everyone remembers Minority Report, the Tom Cruise film where people are identified by the patterns of their irises. As they walk around the shopping mall, personally tailored advertisements invite them to enjoy special offers in the shop they're just passing.

Politicians may believe that this technology already works and is available today. It isn't. Senior civil servants and journalists may believe it but they're wrong, too.

What is available, is a technology claiming to recognise your face – not your irises. Steve Hewlett interviewed James Orwell, a face recognition expert at Kingston University.

How well does face recognition work in a shopping mall today? Hundreds of times better than it used to, said Dr Orwell, but still not well enough. If we had one million people's faces on file and we searched for a match using an image caught by an overhead CCTV today, we'd probably be able to narrow it down to the nearest 5 percent.

That is, we'd know that the person who's just been filmed isn't among these 950,000, he or she is one of the remaining 50,000 people on file. Probably.

Useless. And here he is, saying it.

Minority Report-style biometrics may work in Hollywood. They don't work in Kingston.

Thursday, 25 July 2013

"Identity providers" – GDS issue the black spot

One UK citizen said: “I pay the government to identify and verify me when I am born (birth certificate), when I marry (marriage certificate), when I die (death certificate) and when I travel (passport and driving licence). Why should I then have to pay an outside private organisation to verify who I am when I transact with the government online, when I've already paid the government? Let the government – possibly the passport service that is also the national records office – be my identity provider of choice.”
The UK is the proud possessor of not just one "identity provider", not two, but no less than eight of them. Digidentity and Verizon. The Post Office and Experian. Mydex and Ingeus. Cassidian and PayPal.

It's been hard for them. Initially, the Department for Work and Pensions (DWP) offered the "identity providers" £240 million to get the Identity Assurance Programme (IDAP) up and running in the UK. Then ex-Guardian man Mike Bracken stepped in and cut the offer to £30 million. By the time contracts were awarded, that figure was down to £25 million.

The idea was to have IDAP "fully operational" for DWP by March 2013. Four months ago. It wasn't operational then, and it still isn't.

Has IDAP been shelved? Or cancelled? No. Digital by Default News tell us that HMRC will be the first public body to use IDAP.

(It may help to explain that Digital by Default News "is one of a new portfolio of Contentive websites providing critical, real-time intelligence in a wide range of niche industry verticals".)

So things are looking up for the "identity providers"? All those years of hard work negotiating the terms of IDAP and now, at last, it's paid off and they're going to get their hands on the identities of tens of millions of individual and corporate taxpayers?

No.

Take another look at that Digital by Default News article, Citizens would prefer government-owned identity provider. Yes, it spends a bit of time saying that "the scheme will be run by eight private sector organisations which will hold digital ‘passports’ for enrolled UK citizens, enabling them to access online government services".

But the bulk of the article is about how no-one wants private sector "identity providers". What we really want, apparently, we "citizens", is for the old Identity & Passport Service (IPS) to be our one and only "identity provider". "Identity providers", it is saying, "we don't need you, we don't want you, we can do better without you, your presence has delighted us long enough, do not stand upon the order of your going".

The Senior Responsible Owner for IDAP is ex-Guardian man Mike Bracken, see above. He is also the chief executive of the Government Digital Service (GDS), responsible for making public services digital by default, and he's probably the de facto publisher of Digital by Default News N [please see comments below].

What is he up to? He's alienated DWP, the UK's biggest-spending department of state, he's alienated the eight "identity providers" on whom IDAP depends and now he's got no-one left to turn to – the whole point about IPS is that it failed.

He's promising to provide HMRC with identity assurance, having promised and then failed to provide it to DWP last March.

Failing with DWP is one thing. But HMRC is different. The state relies on HMRC raising about £600 billion of tax every year. Failure is unthinkable. No tax, no state.

The question was, what is he up to, and the answer is, who knows, ex-Guardian man Mike Bracken's tactics are incomprehensible, the only point that is clear is that this is the end of IDAP, the end of digital-by-default, which can't work without identity assurance, the end of GDS, the end of midata and Individual Electoral Registration and maybe the end of G-Cloud, too – on 1 June 2013 GDS took over responsibility for G-Cloud.

IDAP never was going to work. Its failure could nevertheless have been long and drawn-out, and expensive. Thanks to this latest slap in the face of the "identity providers", we taxpayers may be lucky – quicker and cheaper failure.

Who do we thank?

Step forward Neil Fisher. Mr Fisher is vice president of Global Security Solutions at Unisys Corporation. He is responsible for the opinion poll results on which the Digital by Default News article is based. They fell for it hook, line and sinker.

He is also, of course, the Cassandra who told ex-Guardian man Mike Bracken and Francis Maude that any project with the word "identity" in its name is doomed.

Thank you.

"Identity providers" – GDS issue the black spot
