Sunday 8 September 2013

Edward Snowden – the penny drops 2

While beautiful people dance, beautifully dressed, through the lush pastures and wild flowers singing beautifully, they are stalked all the while by the Gestapo, the Geheime Staatspolizei, the sinister secret state police ...

The Sound of Music? It's a parable of our time, dontcha know.

No it isn't. But you'd never guess that from the way some people have reacted.

Who do you think wrote this in the Guardian?

    Government and industry have betrayed the internet, and us.

    By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards.

    This is not the internet the world needs, or the internet its creators envisioned. We need to take it back.

Only Bruce Schneier. That's who.

For anyone who doesn't know, Mr Schneier is a wise and expert practitioner and commentator on security whose blog is required reading for level-headed analysis and comprehensive coverage of current security affairs.

Writing like Private Eye's Dave Spart is the last thing you would ever expect of him but there it is in black and white, "government and industry have betrayed us ... undermined a fundamental social contract ... ethical internet stewards ... we need to take it back". Normal service will no doubt resume once he has got over the shock of the latest Edward Snowden revelations.

Is there any way for the ordinary punter to keep their data secure on the internet?

In another Guardian article, NSA surveillance: A guide to staying secure, Mr Schneier tentatively offers a five-point plan and recommends some tools to use:

    Since I started working with Snowden's documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I'm not going to write about. There's an undocumented encryption feature in my Password Safe program from the command line; I've been using that as well ...

    I understand that most of this is impossible for the typical internet user. Even I don't use all these tools for most everything I am working on.

So no. There isn't. Not even for Mr Schneier.

It will be said that we are all over-reacting. All of us including Mr Schneier. Things aren't as bad as they look, securitywise, on the internet.

In fact, it's already been said: "Phew :-)  Back to: so what was it we were *right* to be paranoid about? ... hoax ... indeed. We're all delighted".

Too late for that: "it's a hoax ... but that gives no info about whether true ;-)".

The damage is done: "Not cool. Wonder what effect that first Tweet will have on some market capitalisations".

The trust has gone.

There was never any basis for it in the first place.

The internet never was Julie Andrews and a troupe of good-looking children singing in picture postcard-beautiful mountains. Google and Amazon and Facebook and Apple and eBay/PayPal are in it for the money. Martin Sorrell told us so. So did Mydex's very own William Heath:

    It’s no more helpful to obsess about identity than to obsess about privacy ... The area to focus on is data logistics ... the compelling reason to pursue better data logistics with user-driven services is saving money.

Not just the money. The power, as well. Which Douglas Carswell should have realised. That's where the NSA and GCHQ come into it. And ex-Guardian man Mike Bracken's Government Digital Service and their friends.

Edward Snowden has done us a favour. The penny has dropped and the Hollywood movie rose-tinted spectacles are off.

Edward Snowden – the penny drops 1

The Edward Snowden revelations began here in the UK on 6 June 2013.

The public response and the response of the national media has been muted. Spies spy. What do you expect? They have to. Surveillance is legal. You'd have to be naïve to think otherwise. It's for our own good.

It's a case of move along, there's nothing to see here, as far as Whitehall is concerned. And in that case the plans to make public services digital by default can proceed. We can carry on saying that it is safe to store our data in the cloud. We can carry on saying that trusted third parties – "identity providers" – can supply us with personal data stores, maintained on "secure websites", which will give us "control" over what happens to our personal data.

There's nothing to see here. Our personal data will be encrypted. The security of the websites is provided by encryption. Encryption works. That's why the third parties can be trusted.

When the cartoon character runs off the edge of a cliff his legs keep going and he keeps moving forwards as long as he doesn't look down.

On 6 September 2013, three months after running off the cliff, the revelation that the US National Security Agency (NSA) and GCHQ can get round some/many/most forms of encryption has finally made the cartoon character look down. His legs stop. A look of doubt appears on his face, the penny drops and he starts to fall.

Mydex is in pole position to provide the personal data stores for midata, the Department for Business Innovation and Skills initiative to "empower the consumer". Mydex is also one of the UK's appointed "identity providers" and recently signed a contract to supply identity assurance services.

William Heath is the chairman of Mydex. Here, faithfully recorded by Twitter, is what he saw when he looked down:










----------

Updated 29.9.15

"Mydex is in pole position to provide the personal data stores [PDSs] for midata". Written two years ago. Please see above.

It looked then as though Mydex relied on a package called "TrueCrypt" to make their PDSs secure.

If they relied then or rather if they rely now on TrueCrypt, there's a problem. Support for TrueCrypt was withdrawn in May 2014.

"Mydex provides the individual with a hyper-secure storage area to enable them to manage their personal data, including text, numbers, images, video, certificates and sound. No-one but the individual can access or see the data". That's what it says, to this day, at the bottom of Mydex's webpage – "hyper-secure".

Where does this "hyper-security" come from? Not from TrueCrypt. So where?

If your PDS is hacked, that's your fault. That's Mydex's stance and that's why, unlike the banks, they offer no compensation.

Before entering into a no-compensation deal which requires you to store all your personal information in a PDS, you might be wise to check just how secure that PDS is. Wiser still, whoever you get your PDSs from, to assume that hyper-security is impossible and insist on the provision for compensation in the contract.



Friday 6 September 2013

The internet secure? Absurd

While we were all away on holiday a scene from the theatre of the absurd was reported. It had been enacted a month before, in July, in the basement of the Guardian newspaper's London office.

Dramatis personae:
    A number of GCHQ persons
    A Guardian editor and a Guardian IT person

Props:
    A number of computer disks and chips
    An angle grinder and some other tools

On 20 July 2013, apparently acting on the orders of Sir Jeremy Heywood, the Cabinet Secretary, who was in turn apparently acting on the orders of the Prime Minister himself, the Guardian persons set about destroying the disks and chips with the angle grinder and other tools. The GCHQ persons, having watched but not assisted, left once the job was done.

Thus one copy of the Edward Snowden files was destroyed. Quite pointlessly, as there are other copies. But the Prime Minister insisted, allegedly, the charade went ahead, and the dignity of his office was thereby preserved.

The Snowden revelations continue unabated. Yesterday, the Guardian treated us to US and UK spy agencies defeat privacy and security on the internet while the New York Times gave us N.S.A. Able to Foil Basic Safeguards of Privacy on Web.

If you think that encryption will keep your use of the internet private/confidential/secret, think again.

The US National Security Agency (NSA) and our very own GCHQ have cracked the code and can decrypt your transactions on secure websites, your use of virtual private networks, your emails, web chats and Skype calls, just like that, more or less in real time.

If a cloud computing supplier tells you your data is safe in the cloud because it's encrypted, he or she is probably wrong. HMRC, the MOD, the Home Office and the Government Digital Service (GDS) might like to reconsider their use of Skyscape Cloud Services Ltd.

If a personal data store supplier tells you that your information is safe because it's encrypted – perhaps in connection with the UK's midata project – he or she is probably wrong.

No doubt GDS will tell us that the new electoral roll will be secure. And that the identity assurance service they are about to unleash on HMRC is secure. In what way?

Individuals, companies and government departments can forget about confidentiality on the internet. What was left of it was all hoovered up by the cleaners in the Guardian's basement after the audience had left.

Lawyers, bankers and accountants working on a major takeover, for example, may well continue to use the internet. It's convenient. But they can no longer promise that their clients' data is being kept confidential. Everyone now knows that on the internet that is, to all intents and purposes, impossible.

Thursday 5 September 2013

Now UC IT

The National Audit Office (NAO) have published their report on Universal Credit (UC). UC is the Department for Work and Pensions (DWP) initiative to rescue benefit claimants from the poverty trap created by the UK's inept welfare system. The idea is to rescue them by making work pay.

Universal Credit: early progress is 60 pages long. 60 pages which document the unrelenting and expensive failure of DWP to get to grips with UC. There is a summary for you kindly prepared by Tony Collins – Will Universal Credit ever work? – NAO report.

By 31 March 2013, DWP had spent £425 million on UC. £425 million spent by intelligent and experienced public servants and there is nothing to show for it.

Accenture have picked up £125 million of that money, IBM £75 million, Hewlett-Packard (HP) £58 million and BT £16 million. That accounts for £274 million. £274 million spent with intelligent and experienced software engineers and there is nothing to show for it.

Is it the politicians' fault (Iain Duncan Smith, the Secretary of State at DWP, and his junior ministers)? Is it the officials' fault (Robert Devereux, Permanent Secretary at DWP, and his staff)? Is it the contractors' and consultants' fault? Yes. In each case.

How on earth can such a catastrophic failure happen? It's happened before, please see for example It's all John's fault. The lessons never seem to be learnt.

It's time to stop this nonsense. DWP have "pressed the reset button" apparently and are taking time out to think. About time, too.

The thinking so far centres on the software engineering methods being used. DWP, it is said, failed to use "agile" methods. Appendix Seven of the NAO report, beginning on p.53, provides a handy cribsheet on agile v. traditional software engineering.

This may be a cul-de-sac. After all, no engineering methodology in history has ever recommended spending £425 million before thinking what it is you're trying to achieve. Also, there is no guarantee that agile methodologies would avoid the same problem.

To the extent that "agile" means anything in Whitehall, it means the Government Digital Service (GDS). GDS are great advocates of agile, they claim to be successful exponents of agile and they want to see central and local government become 100 percent agile.

They're getting their message across.

Howard Shiplee, the man in charge of UC for the past 100 days, says in his Telegraph article Universal Credit: The First 100 days:

    As the Secretary of State outlined in July, we are working with the new Government Digital Service (GDS) to explore an enhanced IT programme that would offer more flexibility and security to benefit claimants. We’re planning to take the best of the existing system and make improvements using GDS support.

Why?

The BBC and the Guardian give GDS great publicity, please see GDS PR blitz. So do the Times, please see Toe-curling: GDS PR Blitz.

Why?

The Design Museum declared GDS's only product to date, GOV.UK, to be Design of the Year 2013. The Design and Art Direction charity created a new category this year especially to be able to give GOV.UK a prestigious D&AD award.

Why?

The answer in each case is, presumably, competent public relations. An attractive brand is being created. But is there any substance there? What skills of GDS will stop the next £425 million from being wasted?

According to five IT professors, none.

Martyn Thomas gave evidence to the Public Administration Select Committee to the effect that GDS are wasting their time with agile software engineering, please see Digital-by-default, an open letter to the House of Commons Science and Technology Committee (para.13).

That's one professor.

The other four – Alan W Brown, John A McDermid, Ian Sommerville and Rob Witty – reviewed GDS's Government Digital Strategy and were entirely unimpressed. "Simplistic and highly risky", they said about agile, please see Four professors review the Government Digital Strategy.

Just because GDS's staff are an alternative to the hopeless staff of DWP, Accenture, IBM, HP and BT doesn't mean that they're any better.

D&AD, the Design Museum, the Times, the Guardian, the BBC, Howard Shiplee and the NAO would all do well to consider the expert views of the five professors before assuming that GDS is the answer. In the meantime, for the sake of the £425 million lighter taxpayer, and everyone caught in the poverty trap, another reset button should be pressed. On GDS.

----------

Updated 21 October 2013
  1. House of Commons oral evidence taken before the Public Accounts Committee, Universal Credit, Wednesday 11 September 2013
  2. Welfare fiasco chief 'to resign'

Updated 14.4.16

In the 2½ years since the post above was written:
  • GDS's all-agile system written for DEFRA's Basic Payment Scheme failed, leaving farmers to apply for their EU Common Agriculture Policy subventions using pencil and paper.
  • Iain Duncan Smith has resigned.
  • Robert Devereux hasn't. And he has become Sir Robert Devereux KCB.
  • DWP have fought against Freedom of Information requests to publish the 2011 and 2012 Universal Credit (UC) risk register, issues register and Major Projects Authority (MPA) assessment. They have finally lost that fight.
  • The MPA have become the Infrastructure and Projects Authority.
  • Some of the documents now disclosed suggest that ministers and officials at DWP did, indeed, mislead everyone about the progress being made on UC. Cyber security arrangements were inadequate, the system would have been open to fraud, there was no precedent for agile being used at the scale of UC and DWP didn't even have a plan for the transition from the existing benefits schemes to UC.

UC is utterly benighted.

As to GOV.UK Verify (RIP), another fairly major infrastructure project where Whitehall keep telling us that there is only good news (indeed the system is meant to go live this month, and it's decision time some time in the next 16 days), what do the MPA have to say about cyber security and the use of agile?

Nothing.

The MPA, sitting in the Cabinet Office, haven't assessed the Cabinet Office's GOV.UK Verify (RIP), even though it's meant to provide 60 million people in the UK with an on-line ID, using which we are meant to be able to transact with government.

Risk level? Unmeasured. Could be high. Could be low. The MPA don't know and presumably don't care.

Monday 2 September 2013

You are for sale

The Financial Times have been doing a bit of investigative journalism. Health apps run into privacy snags, they said on 1 September 2013:

    Before Celeste Steenburger takes off on her morning run, she taps the orange button on the MapMyRun app on her iPhone to track the exercise.

    The 30-year-old office manager counts calories, logging the food she eats into a separate Lose It! app. When her menstrual cycle begins, she marks the details in the Period Tracker Lite app.

    With each bit of health data Ms Steenburger records, third-party companies, some with names she has never heard of, are receiving information about her.

Ms Steenburger thinks she's just dealing with MapMyRun and one or two other apps suppliers to keep track of her health. She's wrong. Behind the scenes these suppliers are selling her health data to other interested parties. The FT mention "advertising companies, ... digital analytics and tracking groups, ... health insurance and pharmaceutical companies":

    The trend has serious implications for consumers. Data which an individual has willingly handed over to an app develop[er] to better track their own health, could now land in the hands of a large insurer who might use that data to set policy premiums ...

    iPeriod will soon have the capability to target ads at a very fine level. So a woman who records in the app that she gets headaches before her period could soon receive an ad for a pain reliever at just the right time of the month ...

    “By getting certain populations more active, they can reduce the cost burden for employers around those people,” says Chris Glode, the general manager for MapMyFitness. “If you can get people more active, can improve their health outcomes. That’s really cool, we’re really psyched to be part of that.”

"The top 20 most visited apps transmit information to a web of nearly 70 companies", says the FT, naming Google, Apple, Humana, Aetna and Flurry, a mobile data tracking specialist and the recipient of data from nine of the top 20 health-related apps.

That's the business model. You supply the data and the apps developers sell it. Maybe Celeste Steenburger didn't expect that but you should.

Perhaps this business model is restricted to the private sector?

No.

The public sector are at it as well.

It is three years since the Telegraph reported that the Department for Work and Pensions were paying Experian, the credit referencing agency, to analyse the data they hold and try to identify benefit cheats, please see Bounty hunters to cut benefit fraud by £1bn.

And more recently, in May 2013, the Mail told us that Orange/EE (Everything Everywhere) were selling data on their 27 million mobile phone users in the UK and that among the interested parties were the police. In the end, the police didn't buy anything but they were interested and maybe next time ...

    Millions of phone records revealing age, address and even the websites you visited were offered for sale to police in controversial deal

    ... Scotland Yard held a meeting with Ipsos Mori about the possibility of paying for some of the data to fight crime, but yesterday the force said it was not planning to make any offers for it.

Not very convincing, you may say, the public sector hasn't actually bought any personal data from Experian or EE, and they certainly don't sell personal data.

Oh yes they do.

Here's the Guardian on 17 May 2013:

    £140 could buy private firms data on NHS patients

    ... On Monday the government slipped out the news that private insurer Bupa was approved to access England's "sensitive or identifiable" patient data, housed centrally by the Health and Social Care Information Centre (HSCIC). It is now among four private firms that have passed the government's vetting procedures.

    The charging structure for "bespoke patient-level extracts" was revealed when HSCIC put up a "cost calculator" to work out how much prospective customers would pay for sensitive hospital data. The "indicative fee" for a full set of 20 years' inpatient data was about £8,000 including £140 to make the records identifiable.

It's a lot cheaper in the Mail, please see Your confidential medical records for sale... at just £1: Hunt insists plan to sell details to private firms is vital to combat epidemics - but critics fear 'unprecedented' privacy threat.

"So who cares if you’ve got haemorrhoids or athlete’s foot?", asks the Telegraph in Patient confidentiality? Not if the price is right – the answer they give is "more people than you might think". It's all that Jeremy Hunt's fault, the Secretary of State for Health, please see Jeremy Hunt plans to give anonymised patient medical records to private firms.

"Anonymised patient medical records"? Anonymised? Oh yeah? Mr Hunt might believe that but he's not a professor of IT. Martyn Thomas is, and he told the Public Administration Select Committee that "anonymised research data" is an oxymoron (para.4) – if the data's anonymised it's no use for research and if it's any use for research then it's not anonymised.

He is not alone in that belief, please see for example The rush to ‘anonymised’ data by Professor Ross Anderson.

"Anonymised data" must join "secure website" in your list of count-your-fingers-after-shaking-hands phrases.

Bang goes medical confidentiality. Secrecy. Privacy.

You were warned. By Stephan Shakespeare. Health data is "open data" or PSI (public sector information), he says. PSI belongs to everyone and processing it will boost the economy.

Not just Mr Shakespeare – Professor Sir Nigel Shadbolt, too. He's told you that he wants to mix your health data and travel data with anything you've put in your midata personal data store, and give the whole lot to apps-writers to improve your life.

For further information on the state destruction of medical confidentiality in the UK, please visit medConfidential. They provide a form you can use to opt out of HSCIC sales of your medical data.
