Tuesday, 9 July 2013

"MPs express concern about the digital by default strategy"

C.f. Digital-by-default, an open letter to the House of Commons Science and Technology Committee and Digital-by-default – an eternal mystery? and Four professors review the Government Digital Strategy and IDAP: the stories our MPs are told and Shakespeare's take on property and ...
From: Science & Technology Committee [mailto:scitechcom@parliament.uk]
Sent: 09 July 2013 00:01
Subject: Science and Technology Committee Press Release No.18: Embargoed until 00.01am Tuesday 9 July 2013
To:
Attachments: 130617 Chair to Francis Maude.pdf 

SCIENCE AND TECHNOLOGY COMMITTEE
Select Committee Announcement

No. 18 (13-14): 8 July 2013

MPS EXPRESS CONCERNS ABOUT THE DIGITAL BY DEFAULT STRATEGY

**EMBARGOED until 00.01am Tuesday 9 July 2013**

The Science and Technology Committee has today written to Cabinet Office Minister Francis Maude MP raising a number of concerns about the Government’s Digital by Default strategy – including questions about the potential savings promised by the strategy and its implications for personal data security.

The Committee urges the Government to be clearer about the savings being made as services become Digital by Default, including the costs of designing, or redesigning, online services.

Andrew Miller MP, Chair of the Select Committee said:

“A key justification of the Digital by Default strategy is savings to the taxpayer. Yet it is not evident that the Government is even able to measure these savings.” 

In addition, the Committee is concerned that as public services go online, the Government may not keep up with advances in technology and that inadequacies in Government software may lead to security vulnerabilities. There is a risk that third party suppliers providing identity assurance could pass on their security vulnerabilities.

Andrew Miller MP, said:

“Public trust is absolutely essential. The Government must ensure the integrity and security of data and give people sufficient control over their stored personal information otherwise, the Digital by Default strategy will not succeed. We will continue to monitor the implementation of the strategy.” 

The Committee considered the recently published draft identity assurance principles and suggests that the Government includes a ninth principle stating that (i) if a dispute arises concerning a citizen’s online dataset, that the citizen should be initially presumed correct; and (ii) if a mistake has been made, the citizen’s data should be instantly corrected.

Digital by Default evidence sessions
Science and Technology Committee

Follow the Committee's business on Twitter @CommonsSTC

FURTHER INFORMATION

Committee Membership:
Andrew Miller (Labour, Ellesmere Port and Neston) (Chair)
Jim Dowd (Labour, Lewisham West and Penge)
Stephen Metcalfe (Conservative, South Basildon and East Thurrock)
David Morris (Conservative, Morecambe and Lunesdale)
Stephen Mosley (Conservative, City of Chester)
Pamela Nash (Labour, Airdrie and Shotts)
Sarah Newton (Conservative, Truro and Falmouth)
Graham Stringer (Labour, Blackley and Broughton)
David Tredinnick (Conservative, Bosworth)
Hywel Williams (Plaid Cymru, Arfon)
Roger Williams (Liberal Democrat, Brecon and Radnorshire)

Specific Committee Information:  scitechcom@parliament.uk / 020 7219 2793
Media Information: Nick Davies  daviesnick@parliament.uk / 020 7219 3297
Committee Website: www.parliament.uk/science
Watch committees and parliamentary debates online:  www.parliamentlive.tv
Publications / Reports / Reference Material: Copies of all select committee reports are available from the Parliamentary Bookshop (12 Bridge St, Westminster, 020 7219 3890) or the Stationery Office (0845 7023474).  Committee reports, press releases, evidence transcripts, Bills; research papers, a directory of MPs, plus Hansard (from 8am daily) and much more, can be found on www.parliament.uk.



UK Parliament Disclaimer:
This e-mail is confidential to the intended recipient. If you have received it in error, please notify the sender and delete it from your system. Any unauthorised use, disclosure, or copying is not permitted. This e-mail has been checked for viruses, but no liability is accepted for any damage caused by any virus transmitted by this e-mail.


Monday, 8 July 2013

midata and the BBC. The BBC?

from Craig Belsham's midata blog:
Hi I’m Dan, Director of the midata Innovation Lab, part of the midata voluntary programme ... we will help empower UK consumers in a really meaningful way ...

Following last week's exciting launch of the midata Innovation Lab (mIL), now that the party's over, let's take a look at the structure of the organisation. It's a partnership apparently, "a collaboration of the following 22 Founding Partners, respected organisations collaborating with real data to work out how the UK both empowers and protects consumers whilst innovating with data":


Back in November 2011, the Department for Business Innovation and Skills (BIS) issued a press release saying:
Businesses and organisations that have so far committed to working in partnership with Government to achieve the midata vision are:
- Avoco Secure
- billmonitor
- British Gas
- Callcredit
- EDF Energy
- E.ON
- Garlik
- Google
- Lloyds Banking Group
- MasterCard
- Moneysupermarket.com
- Mydex
- npower
- RBS
- Scottish Power
- Scottish Southern Energy
- The UK Cards Association
- Three
- Visa
That's 19 businesses from Avoco Secure to Visa, of whom only three remain "committed to working in partnership with Government to achieve the midata vision". Why have the other 16 dropped out?

The press release also said:
The following consumer groups and regulators are working with midata to represent consumers' interests and concerns. As well as working towards potential benefits, their input plays an important role in identifying potential risks and helping determine how these can be addressed:
- Citizens Advice
- Communications Consumer Panel
- Consumer Focus
- Information Commissioner’s Office (ICO)
- OFCOM
- Office of Fair Trading (OFT)
- Which?
That's seven consumer groups/regulators, of whom only two are left. Why have the other five pulled out?

And why are there still 22 Founding Partners left?

What, for example, is the University of Southampton doing on the list?

Their expertise is in oceanography. Nothing to do with midata.

The answer is all to do with the Open Data Institute (ODI), who are also on the list of Founding Partners. The ODI is headed by Professor Sir Tim Berners-Lee and Professor Sir Nigel Shadbolt. They are both professors at Southampton and presumably the university has come along for the ride.

But they shouldn't be there. The ODI is all about open data. Public data. The opposite of what midata is meant to be about, which is personal data. Private data. The two should not be confused. Nigel Shadbolt himself says so:



But there they are, the ODI and Southampton and, what's more, Professor Shadbolt is chairman of the midata programme as well as chairman of the ODI. This is a mess.

The inclusion of O2, Telefonica and Verizon among the founding partners makes a bit of midata sense. The idea behind midata is that consumers should be able to get better value from their phone contracts. Ofcom have failed to ensure good value for money. Having O2, Telefonica and Verizon involved will help to make sure that midata fails as well.

The link between midata and the Government Digital Service's failed Identity Assurance Programme (IDAP) isn't always obvious to other people but readers of this blog will remember that Verizon is one of the UK's eight appointed "identity providers".
from Craig Belsham's midata blog:
My name is Stephen and I head up the work on consumer confidence and trust which is part of the midata voluntary programme ... A data-enabled online market place will create new services that will take your data and do some really interesting things with it ...
They will also remember that, thanks to Edward Snowden, we now know that Verizon hands over its data to the US National Security Agency (NSA), who may or may not share it with the UK's GCHQ. Your personal data may travel via midata even further than Southampton.

The idea behind midata is (also) that consumers should get better value for money from their gas and electricity contracts. It is precisely because Ofgem have failed on that score (along with the Prime Minister) that BIS assert that midata is needed. Having Ofgem and npower on board – as oceanographers say – will ensure that midata fails as well.

midata is meant to help consumers to get better value for money from their current accounts and their debit/credit cards. That's a job MoneySupermarket.com already work at and have done for years which, in turn, is another reason why midata is unnecessary.
from Craig Belsham's midata blog:
I’m Richard and I chair one of the expert working groups looking at what we need to do to ensure that consumers can be confident when they allow their data to be passed to and used by third parties who are developing new and innovative applications to aggregate and use existing data in a way that brings benefits to users of these new services ... A data rich economy will allow lots of innovative companies to create brand new services that will enable you to take your data and do some really interesting things with it ...
The Information Commissioner's Office (ICO) exists to ensure that personal data remains private and that public data is disclosed unless it is exempt under the Freedom of Information Act. If the ICO doesn't close down mIL in the next few days, then it's not doing its job.

Mydex provides personal data stores (PDSs). midata relies on PDSs. That's the way BIS have designed it with the assistance of the midata strategy board. The chairman of Mydex is a member of the midata strategy board. BIS also retain Ctrl-Shift as consultants to advise them on midata. Ctrl-Shift advise BIS to use Mydex and, as readers of this blog know, Alan Mitchell, the director of Ctrl-Shift, set up Mydex with William Heath, the chairman of Mydex, the one who is also a member of the midata strategy board, and Mr Heath used to be a director of Ctrl-Shift and he retains a material shareholding in Ctrl-Shift, so you can understand why BIS, Mydex and Ctrl-Shift are among the Founding Partners of mIL.

Also, of course, Mydex is a UK-appointed "identity provider", like Verizon, reinforcing the link to IDAP.

Jo Swinson is the successor at BIS to Norman Lamb who was the successor to Ed Davey. She wrote an article about midata which was published by Which?, who hosted a lengthy debate about the article on their website – 54 comments. No-one – including Which? – could see how midata would deliver the benefits that Jo Swinson and BIS promised.

Norman Lamb published a report on midata and launched a consultation on it. Question 6 of the consultation is: "What types of new services might be offered by intermediaries (such as, price comparison websites) and what could be the value of this new market?". In their response, Which? said, in full: "Which? has no comment on this question".

On the other hand, they wrote several pages in their response about the dangers of identity theft/fraud and the dangers of the loss of privacy. Are Which? satisfied that these dangers will not be exacerbated by midata? If so, why? And if not, will they, like the ICO, do their job of protecting consumers and warn people against midata?

In the case of all the Founding Partners named so far you can see why they are included in mIL. Even if, like the ODI, they shouldn't be.

But the BBC? What are the BBC doing there? They're a public service broadcaster. That's what the licence fee payers pay them to do. The BBC are not paid to talk twaddle with a lot of armchair economists. They are wasting our money, they shouldn't have joined in the first place and they should resign from mIL now.

When Ed Davey first announced midata, the BBC's own technology correspondent, Rory Cellan-Jones, asked "what's the catch for consumers and why is the government getting involved?". To which we may now add, why is the BBC getting involved?


Sunday, 7 July 2013

Communications Data Bill? Unnecessary

"Où sont les Neigedens d'antan?" Yossarian said ...

We are all naïve, the Spectator said, if we imagine that the security services don't intercept all the communications they can. That's their job. What do we expect? It's for our own good. We'd be rightly furious if they didn't ...

There's something wrong with that argument.

The same thing that's wrong with Charles Moore's column in the Telegraph yesterday, Edward Snowden is a traitor, just as surely as George Blake was:
Public opinion seems to have given a worldly shrug and said, “Obviously, our secret services spy on us in cyberspace; what’s all the fuss?”
The Telegraph has covered acres of newsprint with stories about the Communications Data Bill over the past year or so. The Bill is needed, according to the Home Office, to keep the country safe from terrorists:
9 May 2012 – 'Snooper's charter' web spying Bill announced
6 September 2012 – Sir Tim Berners-Lee accuses government of 'draconian' internet snooping
9 December 2012 – MPs turn on Home Office over snoopers' charter
15 April 2013 – The Communications Data Bill will strangle new businesses
22 April 2013 – Data Communications Bill: the Home Office is trying to trap Britain in the past
28 April 2013 – It’s not a snoopers’ charter, it’s a life-saver
23 May 2013 – Woolwich attack: Snoopers’ charter 'could have prevented machete tragedy’
28 May 2013 – Spies only have 'very limited' access to terrorist data, says Sir Malcolm Rifkind
30 May 2013 – We can’t fight crime and terrorism while wearing a blindfold
31 May 2013 – Internet companies warn Theresa May over 'snooper's charter'
Etc ...
But hang on a minute.

If the security services already have legal access to telecommunications data, why do we need the Communications Data Bill?

Why is Theresa May, the Home Secretary, consuming a lot of political capital trying to push this Bill through?

Why haven't the Telegraph pointed out that argument about the Bill is just so much hot air, we already have everything it promises to deliver?

Come to that, if everyone sensible already knows that our telecommunications are intercepted, in what way is Edward Snowden a traitor?

No-one – apart from Roger Scruton – writes better than Charles Moore on constitutional matters, politics, religion and Conservative philosophy. He is gifted. And Fraser Nelson in the Spectator is no slouch.

But give them an article to write about Edward Snowden and – utterly uncharacteristically – they both start appealing to opinion polls, they both play the man instead of the ball and they both claim that no-one should be told what everyone already knows.

----------

Updated 7.7.2013 12:34
Some commentators talk sense:
19 June 2013: Britain's response to the NSA story? Back off and shut up
2 July 2013: Does the US think that only Americans have a right to privacy?
Updated 9.7.13
The following letter has not been published by the Telegraph:
From: David Moss
Sent: 07 July 2013 01:15
To: 'dtletters@telegraph.co.uk'
Subject: Charles Moore, 5 July 2013, 'Edward Snowden is a traitor, just as surely as George Blake was'

http://www.telegraph.co.uk/technology/internet-security/10162351/Edward-Snowden-is-a-traitor-just-as-surely-as-George-Blake-was.html

Sir

Charles Moore argues that everyone already knows that the security services intercept our communications to protect us against terrorism. For the past year, the Telegraph has reported on the Home Office's attempts to promote the Data Communications Bill, desperately needed according to Theresa May to protect us against terrorism. They can't both be right. Which is it?

Yours

David Moss

Updated 13 July 2013
To the US secret services, and possibly the UK ones too:
What does "collect" mean?
And what does "relevant" mean?
Updated 31 August 2013
20 August 2013: So the innocent have nothing to fear? After David Miranda we now know where this leads
24 August 2013: It's Left-wing prats who are defending our freedoms
30 August 2013: Big Brother is watching us? How comforting
Updated 2 October 2013
The following letter has been submitted to the Times:
From: David Moss
Sent: 01 October 2013 16:41
To: 'letters@thetimes.co.uk'
Subject: Kaya Burgess, 1 October 2013, MI5 playing into hands of ‘twerps like Assange’

http://www.thetimes.co.uk/tto/news/politics/article3883536.ece

Sir

We have it on the authority of Dame Stella Rimington that the security services can intercept any of our internet-based communications.

Two points.

Firstly, the implication is that there is no such thing as a secure website. Secure websites are like unicorns.

Second, the Home Office have been promoting the Communications Data Bill on the grounds that, unless we provide the security services with the tools, they can't defend us against terrorism. The implication was that they don't have the tools needed. As it turns out, they do, and the Home Office were deceiving us.

Yours

David Moss
Updated 5 October 2013
The letter above was not published by the Times. They did publish one by David Bickford, Former Legal Director, Intelligence, agreeing with Dame Stella Rimington that more oversight of the security services is required and recommending that it should be provided by the judiciary, independent of the Executive.

Updated 21 November 2013 #1:
The following letter was submitted to the Telegraph:
From: David Moss
Sent: 09 October 2013 09:36
To: 'dtletters@telegraph.co.uk'
Subject: Tom Whitehead, 9 October 2013, 'GCHQ leaks have 'gifted' terrorists ability to attack 'at will', warns spy chief'

http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/10365026/GCHQ-leaks-have-gifted-terrorists-ability-to-attack-at-will-warns-spy-chief.html

Sir

We have it on the authority of the director general of the Security Service that his agents can and do and must intercept all our communications. The Home Office have been advocating the Communications Data Bill since June 2012 on the premise that Mr Parker's agents do not and cannot and should not intercept all our communications: "Nothing in these proposals will authorise the interception of the content of a communication. Nor will it require the collection of all internet data, which would be neither feasible, necessary nor proportionate", as it says on p.2 of the Bill. Presumably the Bill will now be withdrawn.

Yours
David Moss

http://www.official-documents.gov.uk/document/cm83/8359/8359.pdf

Updated 21 November 2013 #2:
Some commentators continue to talk sense:
20 November 2013: The days of believing spy chiefs who say 'Trust us' are over

Updated 28 January 2014:
"Time for GCHQ to come out of the shadows", said Charles Moore in yesterday's Telegraph.

"GCHQ has preferred to sit quietly in Cheltenham, listening not talking ... But this is ... a pity, because GCHQ has quite a story to tell", and Mr Moore proceeds to tell it in what for him are uncharacteristically garish terms.

He has been the editor of the Spectator in his time, the Sunday Telegraph and the Daily Telegraph. And a very good editor, at that. But his nose for a news story deserts him here.

In yesterday's article he says "... the [Snowden] affair has created a demand, stronger in the US than in Britain, for controls ... the politics of intelligence remain unsettled, and Congress might yet cause more trouble ... the Snowden case has revealed something of which GCHQ feels very proud. Since September 11 2001, Cheltenham has conquered the internet ...".

Congress might cause trouble? That's the democratically elected government of the US he's patronising there, de haut en bas. And what the Representatives and the Senators are doing is responding to many Americans' outrage at the infringement of their pretty-well-sacred Constitution – we don't normally call that "causing trouble".

But that doesn't fully describe what Congress are doing. It's part of it but in addition there's a queue at the back door of the Capitol building, a line of chairmen of the US's biggest internet companies all worried about the effect of the Snowden revelations on their turnover.

Mr Moore may not have noticed but the predictions of $30 billion of lost revenue are two-a-penny in the technical press. Goodness knows where that number came from. Why not $100 billion? Never mind. One way and another, a substantial amount of money will not be earned as a result of the security services keeping everyone under surveillance. It won't be earned by a lot of private sector companies who want to do the same thing. They're angry. And Congress are responding.

A cynic might say that Congress are only responding to the corporate anger, there is no element of idealism here and the popular anger centred on the Constitution is irrelevant. That couldn't be more wrong. After all, where does the corporate anger come from? It comes from the hard-nosed recognition that the popular anger is real and that the people might stop using all those cuddly internet services, the cloud, the mobile phone apps, ...

It's not just the "politics of intelligence". It's the economics, too. And the market isn't just "unsettled". It's frightened. And furious.

GCHQ and the NSA haven't so much "conquered the internet", as Mr Moore puts it, as broken it – or, potentially, killed the golden goose. They've queered the pitch and all the king's horses and all the king's men are going to be hard put to it to put trust in the internet back together again.

It's a big story. $1 trillion up in smoke. And he missed it.


Updated 25.6.14
Theresa May: New surveillance powers 'question of life and death'

The Home Secretary has signalled she may resurrect plans for a snoopers’ charter of stronger internet surveillance powers to counter the terror threat from British jihadists in Syria.

Theresa May said ensuring the police and security services had the right powers to uncover terror plots was now “a question of life and death, a matter of national security”.

The threat faced from hundreds of Britons fighting with terrorist groups in Syria is “real and it is deadly”, she warned.
At the same time monitoring communications was becoming harder because of the volume of data and the difficulty of getting hold of it.

The Home Secretary also rejected accusations that the security services were already engaged in unaccountable mass surveillance of the British public, or that intelligence agencies were breaking the law to trawl online communications.
On the one hand we have Charles Moore and Fraser Nelson helpfully trying to defend the government by telling us that we'd have to be naïve not to believe that telecommunications are monitored.

On the other hand the Home Secretary undermines them and their support by saying that there is no such monitoring going on.

See also for example Vodafone: governments use secret cables to tap phones and Social media mass surveillance is permitted by law, says top UK official.

With journalists, the phone companies and the Director General of the Office for Security and Counter-Terrorism all acknowledging that massive telecommunications surveillance systems are already in place, the Home Secretary's position begins to look very lonely.


Updated 15.9.14

Nine months ago we noted the commercial damage being done to IT businesses by the global disdain for privacy and security – "there's a queue at the back door of the Capitol building," we said, "a line of chairmen of the US's biggest internet companies all worried about the effect of the Snowden revelations on their turnover".

Some indication of the scale of the damage is reported in the Financial Times today, Tech chiefs in plea over privacy damage:
US commercial cloud companies will lose $22bn-$45bn over the next three years as a result of the Snowden backlash, according to the Information Technology and Innovation Foundation.
What does Eric Schmidt say? He's the chairman of Google:
“It’s easy to blame the tech companies for being insufficiently sensitive – we are way sensitive, trust me.”
And Peter Thiel? He's a director of Facebook:
"Facebook would like to be more sensitive to more local concerns."
22 to 45 billion dollars says there's a way for Mr Schmidt to go and that Mr Thiel is going to have to turn his sensitivity all the way up to 11.

Otherwise it's going to be slim pickings for the IT industry and for the advertising industry that pays for everything, Martin Sorrell: if you don’t eat your children, someone else will. Someone pass that man a napkin. A big one.

Updated 11.10.14

$30 billion of lost revenue? The cries for help continue to issue from the IT industry. NSA spying will shatter the internet, Silicon Valley bosses warn, it said in The Register yesterday. Those dreadful spooks in the NSA are queering the pitch for all us nice companies who just want to make life better for everyone.

And in a Transatlantic call and response, back comes the answer from GCHQ, Big companies snoop on public more than GCHQ, says spy chief, we spooks are much less despicable than the corporations.

They're in the same business.

The collection and mass sharing or sale of detailed personal and corporate information.

It's partly for national security, including the nation's financial security.

And partly to smooth the path of government, i.e. to make it easier to govern. To govern on-line. For that, everyone needs an on-line ID. We call it "identity assurance" – or "IDA" for short – in the UK. They call it "NSTIC" in the US. Same thing.

IDA, also known for the moment as "GOV.UK Verify", relies on quasi-secret information. To verify our identity, we'll be asked to answer very specific questions that only we are likely to know the answer to. "Knowledge-based verification", it's called.

But how do the "identity providers" know the correct answer? ("Identity providers" is the spooky science fiction name for the middlemen in IDA/NSTIC.) They check with the credit referencing agencies or data aggregators or data brokers, as they're variously known. Experian, for example.

On-line government, or digital government, whatever you want to call it, relies on, depends on, the collection and sharing of detailed personal information. It depends on surveillance, you could say. No surveillance, no IDA, no GOV.UK Verify, no NSTIC.

The spokesmen may have forgotten to tell you that, but don't you forget it, the next time some fresh-faced, reasonable-sounding, butter-wouldn't-melt-in-his-or-her-mouth politician or company chairman tells you that he or she just wants to make government more efficient and cost-effective and responsive to user/citizen needs. To do what it says on the tin, they need to use quasi-secret information about you, information that only you are likely to know, you and Experian, or whoever.


Updated 20.2.15

The Guardian, 19 February 2015:
Sim card database hack gave US and UK spies access to billions of cellphones

American and British spies hacked into the world’s largest sim card manufacturer in a move that gave them unfettered access to billions of cellphones around the globe and looks set to spark another international row into overreach by espionage agencies.

The National Security Agency (NSA) and its British equivalent GCHQ hacked into Gemalto, a Netherlands sim card manufacturer, stealing encryption keys that allowed them to secretly monitor both voice calls and data, according to documents newly released by NSA whistleblower Edward Snowden.
The Telegraph, 20 February 2015:
British and US spies hacked mobile SIM card keys

British and US intelligence services can tap into mobile voice and data communications of many devices after stealing encryption keys of a major SIM card maker, according to a new report.

The report, from investigative website The Intercept, said the US National Security Agency and its British counterpart GCHQ obtained encryption keys of the global SIM manufacturer Gemalto.

Citing a 2010 document leaked by former NSA contractor Edward Snowden, the report said that with the encryption keys, the intelligence services can secretly monitor a large portion of global communications over mobile devices without using a warrant or wiretap.
The Times, 20 February 2015:
British spies ‘hacked mobile phones worldwide’

British spies stole encryption keys allowing them to secretly listen in to mobile phone conversations around the world, according to leaked documents released by the US whistleblower Edward Snowden.

Details from a secret GCHQ briefing reveals how UK spies worked with American intelligence to hack a major SIM card producer and secretly unlock encrypted phone data, according to documents seen by the US news site The Intercept.

Spies were then able to tap into millions of phone calls, texts and emails from a “large portion of the world’s cellular communications” without having to have to get approval from courts, phone companies or foreign government, the report said.

Gemalto, the Dutch-based company apparently targeted by the hack, reportedly produces around two billion SIM cards each year. They are used by some 450 telecoms companies around the world including numerous major mobile phone operators
"GCHQ has quite a story to tell", as Charles Moore put it just over a year ago on 26 January 2014. Let's hope that he will continue to tell it and that he will, with his customary sagacity, set the story in its proper Constitutional context.


Updated 1.3.15

Reuters on the economic consequences of cybersurveillance:
China drops leading tech brands for certain state purchases

(Reuters) - China has dropped some of the world's leading technology brands from its approved state purchase lists, while approving thousands more locally made products, in what some say is a response to revelations of widespread Western cybersurveillance.

Others put the shift down to a protectionist impulse to shield China's domestic technology industry from competition.

The lists cover smaller-scale direct purchases of technology equipment, and central government bodies can only buy items not on the list as part of a competitive tender process.

Chief casualty was U.S. network equipment maker Cisco Systems Inc, which in 2012 counted 60 products on the Central Government Procurement Center's (CGPC) list, but had none left by late 2014, a Reuters analysis of official data shows.

Smartphone and PC maker Apple Inc has also been dropped over the period, along with Intel Corp's security software firm McAfee and network and server software firm Citrix Systems ...
(Hat tip: ElReg, Intel, Apple and Cisco crossed off Chinese Gov's kit list.)

Communications Data Bill? Unnecessary

"Où sont les Neigedens d'antan?" Yossarian said ...

We are all naïve, the Spectator said, if we imagine that the security services don't intercept all the communications they can. That's their job. What do we expect? It's for our own good. We'd be rightly furious if they didn't ...

There's something wrong with that argument.

Thursday, 4 July 2013

The on-line safety of the mooncalves

You are being asked to take risks for no known return

Dr Jekyll
You already know about the risks of on-line fraud. Everyone does. The media are full of stories about the dangers.

The UK government is alert to the problem:
  • There's a £650 million budget for cybersecurity.
  • Last September, the Department for Business Innovation and Skills (BIS) – together with the Foreign Office, the Home Office, the Cabinet Office and GCHQ – called in the chief execs and chairmen of the FTSE 100 companies to get them to spruce up their on-line act.
  • The Director of GCHQ is quoted as follows: "Every day, all around the world, thousands of IT systems are compromised. Some are attacked purely for the kudos of doing so, others for political motives, but most commonly they are attacked to steal money or commercial secrets. Are you confident that your cyber security governance regime minimises the risks of this happening to your business? My experience suggests that in practice, few companies have got this right".
The government's Get Safe Online campaign is backed by every responsible organisation you've ever heard of, including BIS, and its website is packed with sensible advice on how to protect yourself on-line, e.g. this ...
Looking After Your Passwords
  • Never disclose your passwords to anyone else. If you think that someone else knows your password, change it immediately.
  • Don't enter your password when others can see what you are typing.
  • Change your passwords regularly.
  • Use a different password for every website. If you have only one password, a criminal simply has to break it to gain access to everything.
  • Don’t recycle passwords (for example password2, password3).
  • If you must write passwords down in order to remember them, make sure they are meaningless to, and unusable by other people by writing them in code (substituting the characters in your password with others that you can remember, or easily work out).
  • Do not send your password by email. No reputable firm will ask you to do this.
... and this:
Maintaining Your Privacy
  • Ensure you always have effective and updated antivirus/antispyware software running.
  • In a public or work environment, check your computer physically for any unusual devices that may be plugged in, especially on the keyboard cable.
  • Use secure websites when shopping or banking online.
  • Use strong passwords, change your passwords regularly and never reveal them to other people.
  • Avoid using a work email address for personal use. Instead, have a separate, private email address for private business.
  • Make sure your home/office WiFi network is secured.
  • Store personal and financial documents securely.
  • Shred unwanted personal or financial documents.
  • Be careful to whom you disclose personal information.
  • Where possible, avoid using your real name online.
  • Be cautious about who is trying to befriend you online including via email and social networks/dating sites.
  • Be wary of disclosing personal information on a work or personal web site.
  • Use a disposable, anonymous webmail account for websites that demand an email address to register.
  • Set clear guidelines for children about when and how they can reveal information.
Mr Hyde
Now consider another BIS initiative. midata. And in particular, the midata Innovation Lab (mIL).

mIL is the jovial centre of midata whose task it is to fan the flames of innovation with a view to "empowering" you and to "boosting" the UK economy.

How does that work?

Let mIL tell you themselves. The four pages of terms and conditions for taking part in their laboratory experiments include this:
We ask that you bring along all your personal identity documentation, login user names and passwords for all your accounts, including banking and finances, utilities, telecommunications, loyalty cards, automotive and property rental or mortgage information. Time will be allocated during the event to capture your personal data in a secure way, this will not include your passwords and usernames which will remain confidential to you. Where you are giving access to data from jointly held accounts, please make sure that the other party is happy for you to do so. Agreeing to participate as a consumer volunteertly [sic] held accounts, please make sure that the other party is happy for you to do so.
Dr Jekyll would not approve.

How will mIL capture your data?
Secure internet access via wifi will be provided, please bring a laptop computer if you have one that you can use for this task, however, several desktop computers will also be made available if needed.
Dr Jekyll would not approve.

Where will your data be stored?
Data will be held in a secure personal data store (PDS), which companies exploring the data will access ... Participating companies will access and analyse the data to develop new consumer focused applications and services.
Do you know what a PDS is? Do you know in what way it is "secure"? How will midata succeed where the FTSE 100 companies have failed? What are "consumer focussed applications and services"? How would your PDS be maintained in practice – would it regularly log on to your bank accounts automatically? In that case, your PDS supplier may not know your user ID and password, but that's no comfort, they'll still be there, in the system, accessible to hackers.

Dr Jekyll would not approve.

What will happen to your PDS?
Participating companies have agreed to ... delete your data after 31st October [and to] ensure that at least 20% of innovations will be designed to benefit society at large ...
How long after 31 October? Which 31 October? Who are the other 80% of innovations "designed to benefit"?

Dr Jekyll would not approve.

Why do mIL want all your personal data?
Imagine a world where you have easy access to the data that companies have about you, so that you can use digital tools like apps and personal analytics that will help you to make choices, save money and manage your life more efficiently. For instance, how about helping to manage your money by sharing your credit card transaction data with an app that can alert you to when you’re spending more than usual on particular types of products or services? Or tapping into a service that joins up information about your travel plans with your health records to check and plan your vaccination and prescription needs while you’re on holiday?
Is it worth running the risks of on-line fraud just to have Mary Poppins tell you you're spending too much on food, as though you didn't know that anyway?

How does midata know about your prescriptions? Is it linked to your health records? Do you want unknown app-writers to have access to your health records? And your travel records.

midata promise that they will help us to get the best deals on mobile phone contracts and gas and electricity contracts and current accounts and credit cards. We already have account-switching applications. Why do we need midata as well?

We already have expensive regulators like Ofcom and Ofgem. If, like the wretched FSA, they have failed to run an orderly market, why should midata succeed? Will you simply end up paying for both the existing regulators and midata in addition, while the tariff problems persist?

The objectives of midata are unclear and have been for years. You are being asked to take risks for no known return. Dr Jekyll would not approve.

Whatever the stated objectives, you are clearly being asked to enrol in an identity management scheme. Why doesn't Mr Hyde say so explicitly?

Schizophrenia
On the one hand, Dr Jekyll is warning you about the dangers of on-line fraud and the loss of privacy. On the other hand, Mr Hyde is luring you into danger. He's confused. Don't you be.

"The initial mIL will run from 4th July [today] to 31st October 201 [sic]". You might be best advised to let it run without you.

Wednesday, 3 July 2013

Wanted: 1,000 mooncalves

You may have mercifully forgotten all about midata.
Well bad luck, because midata excitement is about to sweep the nation.

23 May 2013: "Hi I’m Dan, Director of the midata Innovation Lab, part of the midata voluntary programme. I wanted take this opportunity to share my vision for the lab, or mIL as we call it", said Dan Bates, who is gamely Working with business to fan the flames of innovation.

Only three weeks later, 13 June 2013: "I'm Richard and I chair one of the expert working groups looking at what we need to do to ensure that consumers can be confident when they allow their data to be passed to and used by third parties", said Richard Koch, the man in charge of Authentifying [sic] customers and their representatives.

Two weeks later still, 27 June 2013: "Jo Swinson, Minister for Employment Relations and Consumer Affairs, talks about the Government’s midata programme". That's what it says in Minister for Consumer Affairs talks about the UK Government’s midata programme, followed by a 90-second video of Jo Swinson telling us that thanks to midata, for the first time, we'll get bank statements, as though we've never seen one before.

Mysteriously, that video has disappeared, so that if you click on the link, what you get now is no-one talking about midata.

Next day, there's a salvo on Twitter from Dan:



The unbearable tension in the coiled spring that is midata looks like being released tomorrow, 4 July 2013.

That's when the midata Innovation Lab will be unveiled and presented to a hungry public.

What should we expect?

It's all laid out in a charming little cartoon that even you can understand, Video introduction to midata innovation lab:


All Dan's asking is for 1,000 extraordinary people to give him all their bank account data, gas and electricity bills, and mobile phone usage records. He will then add all their educational records, culled from Nigel Shadbolt's Open Data Institute, all their health records and any travel records he can find and, while keeping your data completely safe, he will give the whole lot to some innovative flame-fanning app developers you've never heard of to develop services which you will find it impossible to live without although quite what those services are likely to be is anyone's guess except to say that they will "empower" you and boost the economy.

You may be a bit worried by all the risks with midata identified by Which? magazine/The Consumers' Association. The cost of accreditation and regulation, the opportunity for fraud, the loss of privacy, and so on. You shouldn't be – you can rightly feel "confident", as Richard says, about this whole Innovation Lab business, the cartoon with the nice guitar music tells you that the midata Innovation Lab is full of nice people you can trust.

Nevertheless, if you don't feel that you personally can help Dan in his mission, don't worry, it's all "voluntary".

Equally, don't be selfish. Perhaps you could at least inveigle three or four of the more socially responsible people you know into volunteering their entire life history in this good cause.

They won't lose anything – as Jo Swinson told us in her disappeared video, their data will still "belong" to them. And Jo. And Dan. And Richard. (And Stephen. Forgot to mention Stephen. Also Stephan 'embrace the change' Shakespeare. And Craig – how could anyone forget Craig?) And Sir Nigel. And the app developers. And the NSA. And GCHQ. And anyone else with access to the cloud.

----------

Updated 9.7.13



Updated 10.7.13
Somewhat late in the day, the Department for Business Innovation and Skills have issued a press release about the midata Innovation Lab, Businesses get creative with consumer data at the ‘midata’ Innovation Lab launch.
