Monday 19 March 2012

The French parliament wants to comply with the European Commission by making France more like Pakistan

Remember France? Remember 6 March 2012 when the French parliament decided to introduce national biometric ID cards? In a scheme reminiscent of Vichy? Time to take a look at the journey France is making – where did this scheme come from and where is it going to?

The recent history of biometric ID card schemes in Europe begins with the European Commission. In 1999, as part of the eEurope five-year plan, the Commission initiated a project to specify a system for pan-European biometric identity management. The specification job was given to eESC, the eEurope Smart Card forum and in 2003 they delivered OSCIE, the open smart card infrastructure for Europe.

It's a bit daunting, there are 2,000 pages of OSCIE, but perhaps the best thing is to concentrate on the paper on electronic identity, a mere 66 pages. That is the tune that France is marching to. The tune of 27 unelected and unaccountable satraps in the Berlaymont who have given up the job of governing people, it's too difficult, and decided instead to govern electronic identities.

The advocates of biometric ID always say that the cards are intended to make your life easier. With a biometric ID card, it will be easier to get a passport or to open a bank account or to move jobs, they say. But we can already get a passport and open a bank account and move jobs without a biometric ID card.

What the advocates of biometric ID cards mean is that, once we have OSCIE, life without a card will be impossible. The card will be required for every transaction, every communication, every state benefit, including healthcare and education. No card, no life. Life's optional and so the card is optional. The logic is impeccable.

That's where the project is coming from. And where's it going?

As it happens, there is a country that has been issuing multi-biometric ID cards since the year 2000. 120 million of them have been issued by NADRA, the National Database and Registration Authority. With their multi-biometric ID cards, 120 million people can now enjoy the pleasures of ePassports, electronic access control and attendance records at work, electronic driving licences, eCommerce, eVoting and many more.

And which is this country?

Pakistan.

The French parliament have fallen in with the European Commission plan to make France just that little bit more like Pakistan.

Why? What reason can the French government possibly give to explain this desire to become more like Pakistan?

They can hardly say that it's because they find governing people too difficult. Even if it's true. Nor can they get the population on-side by arguing that they are putty in the hands of the Commission, the Commission can mould them into any shape they please, France has to do what the Commission tells them to do. Even if it's true.

Instead, the French government deploys the identity theft gambit. In his 13 July 2011 speech, Serge Blisko (politely) pours scorn on this move:
Ficher potentiellement 45 à 50 millions de personnes – cette estimation a été avalisée par tous les interlocuteurs auditionnés en commission – dans le seul objectif de lutter contre l’usurpation d’identité qui touche quelques dizaines de milliers de Français par an, peut-il être considéré comme proportionné?
A moment's thought reveals that you don't fingerprint 50 million people just to try to reduce the incidence of identity theft which affects maybe 10,000 people, i.e. 0.02% of the people. It's not proportional.

Two moments' thought suggests that the incidence of identity theft is more likely to rise if you collect everyone's enrolments together in a national population register – if you create a single point of weakness, identity theft won't go down, it will go up.

And three moments' thought reveals that under the French scheme identity theft will become legally impossible anyway, not because cardholders won't be defrauded but because when they are, thanks to digital signatures, they'll be irrevocably liable for the loss themselves.

So identity theft can't be the reason. Not the real reason.

The acceptable reason for biometric ID cards according to the government is given in another part of M. Blisko's speech:
Il est vrai que la lutte contre l’usurpation d’identité est un enjeu industriel et commercial important pour la France puisque les entreprises dont nous avons auditionné les dirigeants sont championnes du monde dans ce domaine et qu’elles travaillent à 90 % à l’exportation.
France has plastic card manufacturers and chip manufacturers and biometric technology suppliers who are "world champions" and who contribute mightily, it is said, towards the country's exports. If the French people themselves will only agree to become walking advertisements for these industries, then exports will be assisted. It is every patriotic Frenchman's duty, according to this way of thinking, to become a human billboard in the marketing campaign of a few illegally subsidised companies. (No point complaining to the Competition Commissionner, of course, about that "unlawful state aid". It is the Commission's bidding that France is doing.)

Normally, advertisers pay for space. In this case, the tables are turned, and the mobile advertising space is paying the campaigners. The national biometric ID card scheme will cost billions of Euros. Those billions will not come out of thin air. They will be paid from the tax contributions of every French citizen and company.

It has a sort of Mephistophelean logic. It might work in some countries. But not France. Not in a nation with 246 different cheeses (© 1962 C. de Gaulle).

The French parliament wants to comply with the European Commission by making France more like Pakistan

Remember France? Remember 6 March 2012 when the French parliament decided to introduce national biometric ID cards? In a scheme reminiscent of Vichy? Time to take a look at the journey France is making – where did this scheme come from and where is it going to?

The French people kindly volunteer to pay for any mistakes their banks make

A quoi ça sert la ... signature électronique?

Remember France? Remember 6 March 2012 when the French parliament decided to introduce national biometric ID cards? In a scheme reminiscent of Vichy? Time to take a look at one aspect of this scheme – digital signatures (signatures électroniques). Someone needs to tell the French people what their government is letting them in for.

Serge Blisko, député de Paris, has tried to tell them. Bravely. No British MP would try to talk about PKI (the public key infrastructure) and digital certificates. But M. Blisko did. In his immaculate speech of 13 July 2011. Three times:
Cette proposition de loi prévoit, dans son article 2, la création d’une carte d’identité biométrique, comprenant notamment les empreintes digitales des personnes, outre d’autres éléments tels que la taille et la couleur des yeux. L’article 3 crée une fonctionnalité supplémentaire qui pourrait être activée, de manière facultative il est vrai, par le détenteur de la carte nationale d’identité pour ses transactions commerciales sur internet et dans ses relations avec l’e-administration. Cette fonctionnalité lui permettrait de s’identifier sur internet et de mettre en œuvre sa signature électronique. Concrètement, la personne devra tout de même disposer d’un boîtier connecté à son ordinateur, ce qui n’apparaît pas très simple. Elle sera libre de choisir les données personnelles qu’elle veut transmettre ...
En 2005, malgré la technologie de l’époque, le débat était le même qu’aujourd’hui : la création d’une carte nationale d’identité électronique, contenant donc des données biométriques, était déjà envisagée ; elle ouvrait la possibilité de prouver son identité sur internet et de signer électroniquement ...
Dernier aspect déplaisant, sur lequel vous avez glissé un peu rapidement, monsieur le rapporteur : cette proposition de loi est une opportunité pour faciliter les échanges commerciaux. Je ne suis pas contre le fait de sécuriser la signature électronique sur internet pour déclarer ses impôts ou payer une amende au Trésor public, mais la proposition de loi va au-delà du domaine régalien et de ses extensions budgétaires.
France's new ID cards will include facilities for identifying yourself over the web and for signing documents digitally. Let's take an example. Let's say you're buying a car for €30,000. And the document you're signing digitally is the contract for sale.

As M. Blisko says, the exact process for digital signature remains undefined but, having once taken their leap in the dark, the French will find that however it works, it's "pas très simple".

That's a charming understatement. Implementing PKI properly is extremely complicated.

But suppose the French manage to do it. They're good at infrastructure. They've got good people working on the problem. They've got the will. It's a matter of national pride. Marianne, la patrie and all that. Let's assume that France can get a PKI system up and running with 50 million users. No-one else has ever managed that. But, just for the sake of argument, if and when France manage it, what then? What is the effect of signing a document digitally?

M. Blisko doesn't answer that question, for the good reason that he doesn't ask it. Perhaps he assumes that everyone already knows what digital signatures mean. Just in case they don't, though, here is the answer in one word – non-repudiation.

If you sign a document digitally, you cannot repudiate your agreement. You are committed. Irrevocably.

Further, the fact that the document is digitally signed means that you signed it. You cannot claim that someone else signed it. Even if it's true. Even if it is a case of identity theft/l’usurpation d’identité, that is no longer legally relevant. Legally, you signed the document and you owe the car company €30,000. That's the law, as far as digital signatures are concerned.

Without digital signatures, if your credit card is misused, by your daughter's dogy boyfriend for example, a fraud is perpetrated against the bank that issued the card, the bank made a mistake, they shouldn't have authorised the payment, it's their problem. With digital signatures, it's your problem. The risk has been moved from the bank to you.

Is that what you wanted, vous les autres les français? Is that what your parliament told you would happen? Are you happy to change the law and end up underwriting the banks? If the answer is yes, in each case, then my apologies for disturbing you with this irrelevant post, excusez-moi de vous avoir dérangé. But if the answer is no, you might like to have a little word with your député and ask him or her what on earth they think they're doing.

The French people kindly volunteer to pay for any mistakes their banks make

A quoi ça sert la ... signature électronique?

Remember France? Remember 6 March 2012 when the French parliament decided to introduce national biometric ID cards? In a scheme reminiscent of Vichy? Time to take a look at one aspect of this scheme – digital signatures (signatures électroniques). Someone needs to tell the French people what their government is letting them in for.

Thursday 15 March 2012

Vichy redux

Nine days ago on Tuesday 6 March 2012 the French National Assembly enacted a Bill to protect people from identity theft. The proposition de loi relative à la protection de l’identité is now French law.

You might think that this Act is just like the UK's now repealed Identity Cards Act 2006. Wrong.

There are similarities. Everyone over a certain age will be enrolled in a French population register (a fichier) and will be issued with an identity card. The card will have microchips in it (puces). The chips will somehow use your biometric data (données) to support identity verification. I.e. they will allow you to prove that you are who you say you are. The French are even using the same misinformation – the cards will be "optional" (facultatives), according to an article in Le Monde.

But there's a big difference. The UK ID card scheme was going to use flat print fingerprint technology (empreintes posées) which is cheap, easy to use/no expert required, clean and utterly unreliable. The French know that. They're not stupid. It's French companies that provide this waste of money/snake oil biometric technology. They're hardly likely to make the same mistake.

What they propose instead is to use the same high quality rolled print fingerprinting technology as the police (empreintes roulées), forensic quality technology acceptable as evidence in a court of law. On the whole population. The whole of France is going to be issued with what the FBI call a "Ten Print Rap Sheet" or TPRS, just like Al Capone.

Serge Blisko is the MP (député) for Paris. Here he is speaking on the Bill last year in Parliament:
Intervention de Serge Blisko sur la proposition de loi de protection de l'identité
mercredi 13 juillet 2011 15h31
Catégorie: Société , Interventions
Motion de rejet préalable de Serge Blisko, député de Paris

... tous les citoyens seront désormais contraints de donner leurs empreintes digitales à l’une de ces 2 000 antennes de police administrative que vous avez décrites, monsieur le ministre. Il s’agira, en plus, d’empreintes très particulières. Je me réfère aux auditions des hauts fonctionnaires du ministère de l’intérieur : il faudra donner les empreintes de huit de ses doigts par la technique des empreintes roulées et non pas posées. Elle est très différente de celle de l’empreinte posée car c’est une technique criminologique. Nous ne sommes plus alors dans une démarche de reconnaissance d’identité, mais dans la logique d’un fichier de recherches criminelles ...
It is almost unprecedented for a government to tell its parishioners that they are all regarded as criminals. In fact, Mr Blisko can think of only one case – Vichy France:
Monsieur le ministre, j’ai le regret de rappeler que la France n’a créé qu’une seule fois un fichier général de la population, c’était en 1940. Il fut d’ailleurs détruit à la Libération.

Voici un extrait de la loi du 27 octobre 1940 de l’État français : « Obligation de détenir une carte d’identité à partir de seize ans, comportant les empreintes digitales et la photographie, et de déclarer tout changement d’adresse. Institution d’un fichier central de la population et d’un numéro d’identification individuel. »

Ce fichier central, disais-je, a été détruit à la Libération. C’est donc bien depuis la période de Vichy que la France n’a pas connu et n’a pas voulu un tel fichage de sa population.
France. Our partners in the EU. They wouldn't do that, would they? They wouldn't reintroduce Marshal Pétain's law of 1940. Would they?

They just did. Nine days ago on Tuesday 6 March 2012.

Vichy redux

Nine days ago on Tuesday 6 March 2012 the French National Assembly enacted a Bill to protect people from identity theft. The proposition de loi relative à la protection de l’identité is now French law.

You might think that this Act is just like the UK's now repealed Identity Cards Act 2006. Wrong.

There are similarities. Everyone over a certain age will be enrolled in a French population register (a fichier) and will be issued with an identity card. The card will have microchips in it (puces). The chips will somehow use your biometric data (données) to support identity verification. I.e. they will allow you to prove that you are who you say you are. The French are even using the same misinformation – the cards will be "optional" (facultatives), according to an article in Le Monde.

But there's a big difference. The UK ID card scheme was going to use flat print fingerprint technology (empreintes posées) which is cheap, easy to use/no expert required, clean and utterly unreliable. The French know that. They're not stupid. It's French companies that provide this waste of money/snake oil biometric technology. They're hardly likely to make the same mistake.

The whiff of cordite in Whitehall

Rt Hon Margaret Hodge MBE MP is making a speech today at Policy Exchange. This is the latest battle in her war to make Whitehall accountable to Parliament. Whitehall wastes our money with impunity, as it says at the head of this page. In the attempt to put a stop to this state of affairs, traditionally, Whitehall has always won hands down. Perhaps we should expect history to repeat itself.

Or perhaps not. Never has the ancien régime been led by a general as vulnerable as Sir Gus now Lord O'Donnell, the man to whom we owe the present parlous state of our national finances.

The whiff of cordite in Whitehall

Rt Hon Margaret Hodge MBE MP is making a speech today at Policy Exchange. This is the latest battle in her war to make Whitehall accountable to Parliament. Whitehall wastes our money with impunity, as it says at the head of this page. In the attempt to put a stop to this state of affairs, traditionally, Whitehall has always won hands down. Perhaps we should expect history to repeat itself.

Or perhaps not. Never has the ancien régime been led by a general as vulnerable as Sir Gus now Lord O'Donnell, the man to whom we owe the present parlous state of our national finances.

Sunday 11 March 2012

Cabinet Office using cyber security budget to increase risks to the public

Can someone advise, please, is there a polite way of asking can any British government tell its arse from its elbow?

The Cabinet Office want to deliver all public services over the web. Public services should be "digital by default", as they say.

The web is a dangerous place to be if you want to maintain secrecy/privacy and if there's any money around. The web is perfectly adapted to breach confidences and to steal money. Let today's Sunday Times make the point. In Chinese steal jet secrets from BAE they tell us that:
CHINESE spies hacked into computers belonging to BAE Systems, Britain’s biggest defence company, to steal details about the design, performance and electronic systems of the West’s latest fighter jet, senior security figures have disclosed.

The Chinese have exploited vulnerabilities in BAE’s computer defences to steal vast amounts of data on the £200 billion F-35 Joint Strike Fighter (JSF), a multinational project to create a plane that will give the West air supremacy for years to come ...

Professor Anthony Glees, director of the Centre for Security and Intelligence Studies ... said: “It seems the Chinese were getting plans which allow them to undermine the defence capacity of the country. It’s deeply unsettling that GCHQ [the government eavesdropping centre in Cheltenham] didn’t spot this for so long because they are the people who are meant to be leading the fight against cyber crime.”
There's a wide selection of cock-ups to choose from here:
  • With £200 billion at stake, the Sunday Times reported on 12 January 2012 that Royal Navy’s new jet cannot land on aircraft carriers. Never mind, you may say, it's only £200 billion and we haven't got an aircraft carrier anyway.
  • And three years ago, the Sunday Times reported that BT had bought equipment from China's Huawei telecommunications equipment company despite warnings that it could be used to "shut down Britain by crippling its telecoms and utilities" and that "government departments, the intelligence services and the military will all use the new BT network". Patricia Hewitt, trade and industry secretary at the time the contract was being negotiated, declined to intervene because it was "a competitive tender between two commercial companies". How very upright of Ms Hewitt not to let security interfere with competition.
But put those cock-ups aside. For current purposes, consider instead the following.

Rt Hon Francis Maude MP is the Cabinet Office Minister and according to his entry on the Cabinet Office website:
He leads on:

• Public Sector Efficiency and Reform
• UK Statistics
• Civil Service issues
• Government transparency
• Civil Contingencies
• Cyber security
• Overall responsibility for Cabinet Office policy and the Department
With his cyber security hat on, Mr Maude disposes of a budget of £650 million. Much-needed, judging by the success of GCHQ and BAE's attempts to fend off the Chinese.

With his public sector efficiency and reform hat on, Mr Maude wants to put Whitehall on the web. That's what "digital by default " means and that requires him to ignore his cyber security hat.

But it's worse than that. Digital by default requires something called identity assurance, a service which doesn't exist yet but is supposed one day to allow us all to prove who we are, over the web, while we're busy communicating with the government. The development of this service was unfunded until 31 October 2011 when Mr Maude announced that he'd found £10 million of public money to give it.

And where did he get this cyber security-busting £10 million from?

You can have 650 million guesses.

----------

Updated 23.6.14

Whitehall considers security shake-up

The government is understood to be carrying out a review of Whitehall organisations with a remit for electronic and computer security to determine any possibility of consolidation.

Informed sources say that one of the suggestions being considered is that CESG, the government's National Technical Authority for information assurance, should be separated from GCHQ, the signals intelligence agency.

That could mean the Cabinet Office taking over responsibility for CESG, with whom it has an ongoing relationship.
 "That could mean the Cabinet Office taking over responsibility for CESG". Oh God.

    Cabinet Office using cyber security budget to increase risks to the public

    Can someone advise, please, is there a polite way of asking can any British government tell its arse from its elbow?