Every cloud

You wait months for a post then two come along at once.
This post is meant to give a tiny bit of cheer to all those of us in the UK who are bewailing the recent election results.

(The word “Hallelujah!” even escaped a work colleague when I showed him this link.)

So, every cloud may indeed have a silver lining…. From the Register:

Biometric passport 2.0 scrapped alongside ID cards, NIR
Second-generation biometric passports will be scrapped alongside ID cards and the National Identity Register by the new Tory-LibDem government, probably as part of a merger between the LibDem Freedom Bill, and the Great Repeal Bill advocated by some sections of the Tory party.

******Breaking news*********
Oh, and this:

The new government plans to ban the controversial practice in schools of taking children’s fingerprints without their permission.

The decision is likely to mean a change in the law. According to the Information Commissioner’s Office (ICO), as it stands the Data Protection Act allows schools to take pupil fingerprints without permission, prompting outrage from parents’ groups.

Protect your data

Compulsory ID cards are instruments of evil. They will not protect you from crime and will not make you safer, unless they end up produced out of bomb proof kevlar and big enough to wear. They serve no purpose for any member of the public but will cost you money. The only conceivable reason why the government is so keen to force the British public into paying for them is to allow the intelligence and security agencies unparalleled access to personal data and activity.

This is actually the only bones to the “make you safer” argument, in that by allowing the Police / Security services access to your ID card data (which would, one assumes, include all the locations where your ID has been checked and what purposes it was checked for) it will increase their ability to find criminals and terrorists. If you have read any of my previous posts you will be well aware that I think this is very, very, wrong. But this is an argument for another day. Today’s ironic turn of events is that even if MI5 have all your data and are watching your every move it won’t help – because al-Qaida are actually working for MI5 in the first place.

From today’s Guardian:

A senior Tory MP today called for an investigation into whether MI5 mistakenly recruited al-Qaida sympathisers.

Patrick Mercer, the chairman of the counter-terrorism subcommittee, said six Muslim recruits had been thrown out of the service because of serious concerns over their pasts.

The MP said he was writing to the home secretary, Alan Johnson, to call for an investigation into the matter.

Two of the six men allegedly attended al-Qaida training camps in Pakistan while the others had unexplained gaps of up to three months in their CVs.

The irony here is really not lost on me and points to two issues.

First off, and possibly most importantly, no matter how much vetting takes place BADPEOPLE™ will get into the police or government. This has been the case since the dawn of secrecy. By their very nature spies are people who are able to infiltrate the highest levels of an organisation by appearing trustworthy. Equally, as the police and intelligence/security services well know, agents are people who are currently trusted by an organisation but are vulnerable to being exploited by hostile groups. This is done all the time against “enemies” (criminal or political), and it is even done in the “civilian” business world. I am sure this is stating the obvious but it is important background.

Knowing this, do you think that having all your identity data in one central location is a good idea? For ID cards to work, huge swathes of people need to be able to access the database – which causes errors. The data has to be entered and maintained, which causes errors. These are accidental problems which would be bad enough. Criminals and terrorists have the funding and will to deliberately corrupt the data. The concept of an ID card moves the burden of proof from the government to the “innocent until proven otherwise” citizen. Do you have the resources and will power of an organised crime gang or terrorist group?

If a criminal can compromise one aspect of your ID data that is a BADTHING©™® but you can take steps to rectify it, knowing that it shouldn’t lead to a cascade of ID failures. Stealing your National Insurance number, for example, shouldn’t lead to them getting access to your bank account details or your driver’s licence. Crucially, should a criminal use your NI Number – and nothing else – in the process of a crime (odd but possible) then it is unlikely that you would be the suspect. However, with a central ID card that is not the case.

Now back to MI5 and the other police and security agencies. Given the number of people involved, and recent large scale recruitment campaigns, it is unfathomable that some bad eggs haven’t slipped through the net. In the case of MI5 the pay is so pitiful by London terms that it is equally certain that there are some members of the organisation who would be open to financial corruption – not to mention the ones who could be co-opted in a million different ways. Do you trust them with all your data? Do you trust them to treat you fairly at all times?

Secondly: what sort of crazy world is it where having “unexplained gaps of up to three months” in your CV means you are a terrorist? I hope they never see my CV, otherwise it’s Gitmo for me. Or is it just 3+ month gaps in the CV of people of middle-eastern descent? What is happening?

I’d say the world had gone mad but it seems an understatement. What really worries me is an old saying that keeps going round my head about when everyone else in the world seems mad it’s probably you…

Let them eat ID cards

Another crazy ID scheme, this time in India.

ID cards planned for India’s 1.1 billion
Hi-tech entrepreneur will lead operation to create huge database (headings from the story in the Independent)

Here the rationale is not just “terrorism” but also a claim that ID cards will benefit the poor.

…..will help in the delivery of vital social services to the poorest in society who often lack – or are at least told they lack – sufficient identification papers. The government has long complained that most of the money set aside for the neediest is diverted as a result of corruption, and it believes the cards could help to tackle identity theft and fraud.

Hmm. An impressive sleight of hand in “ID-card justification” creation, although the Indian government is clearly following a model similar to the UK one. The “fighting poverty” argument is:
(1) Corruption prevents relief of poverty.
(2) ID cards will prevent identity theft and fraud.

Where is the logical connection between 1 and 2?

I will temporarily defy logic and try my best to look at the argument from the pro-ID card side.

Even on the assumption that corruption is the only bar to stopping poverty (which is a big and unjustified leap of faith) doesn’t that make dealing with corruption the main priority?

To get from priority 1 to priority 2, you would have to assume that “identity theft” is the only way that “corruption” works.

You would also have to assume that no “corruption” could possibly be involved in handing over billion dollar contracts to major industrialists.

(This is a leap of faith that is far beyond my jumping abilities. Silly me, I would have assumed that pumping resources in to relieve poverty and to stamp out corruption would be the intuitive way to go. You live and learn, hey?)

You would have to assume that identification documents wouldn’t become another incomprehensible/insurmountable burden for the very poorest that would probably make it even harder for them to access resources. (ditto… This is a leap of faith ….)

And you also need to believe that this won’t give rise to a new set of forms of corruption – in distributing ID documents, forging them, and so on.

Which might illustrate an admirable capacity for inventiveness in the face of survival pressures. But it’s quite hard to see how creating new forms of criminal industry would otherwise bring any benefit to the Indian poor.

The Independent says that the poor “often lack – or are at least told they lack – sufficient identification papers.”

This scheme will provide a whole new set of identification papers for the poor to be told that they lack, then. From the perspective of the poor, this is a scheme that you could best characterise as “adding insult to injury.”

Moral panic of the day

China is so often first with its master-class examples of how moral panics can justify social repression. Here’s another one. China has used an imaginary illness (online gaming addiction) as an excuse to remove Internet users’ anonymity, according to the Times.

The system is aimed at combating gaming addiction particularly among the young, according to the Chinese authorities. Gamers have to give their real names when they register as well as the code from their government ID cards. Gamers are still allowed to use their gaming names in the games themselves (wizardlordofall13571) but their account must have the correct information including the gamer’s age.

“… as well as the code from their government ID cards.” 😀 Western governments will be taking notes. “If you’re not doing anything wrong”, and so on.

Some text-book elements of this strategy are:

  • the use of fear. China doesn’t have The War Against Terror, so they have to use “public health”. What kind of anti-social bastard wouldn’t care about public health?
  • concern for the young. Fragile innocents are under attack. You must protect them by forbidding action x.
  • government must always act to protect its people, whether from others or from themselves.
  • start a war against an abstract noun (“gaming addiction”)

OK, by the standards of moral panics, this is farce rather than tragedy. It doesn’t turn the public against a hated minority group. So, it won’t end in pogroms and ethnic cleansing and massacres. A few thousand gamers will have lost some rights and a few companies will be shut down.

(It might also damage the bizarre WOW-related mini-industry that has grown up in China, with urchins spending long shifts grinding WOW levels to earn online gold, in order to get cash from Western players too lazy or busy to play their own characters.)

The first casualty of war is supposed to be the truth. War-against-abstract-nouns has the highest truth-casualty rate. The war has to start by defining its abstract noun as self-evidently evil. So step up, internet addiction, your time has come.

Addiction is a spurious concept, at best. Internet-gaming addiction is off the far edge of any validity it might have. However, according to ars technica (the Times’ source for the story)

The addictive nature of online gaming has been proven, at least anecdotally, time and time again. While not everyone who jumps into the digital realms of World of Warcraft or the various other massively-multiplayer online role-playing games is liable to get endlessly sucked in, those with addictive personalities certainly run the risk.

LOL. “proven, at least anecdotally.” Somebody skipped Epistemology 101.

There is little doubt that the potential for addiction exists with MMORPGs. ….. countless anecdotes from the East have produced horror stories that have gone so far as to end in death from malnourishment.

Well, there’s plenty of doubt from me. Just because you add up a list of anecdotes, they still don’t constitute scientific proof.

China, Korea, and even Japan have had a long and sordid history with online gaming addiction.

(I am momentarily distracted by the “and even Japan” phrase.) All the examples come from the far east, maybe because of some sense that readers will see the far east as so exotic that it might really have “diseases” with which we westerners are unfamiliar. Like bird-flu.

What are the symptoms of this Asian internet-flu? To quote another ars technica story:

If you find yourself using the Internet for more than six hours per day and exhibit at least one of a number of symptoms, you could be addicted. The list of symptoms is about what you would expect, including things like insomnia, difficulty concentrating, mental or physical stress, irritation, and spending time wishing you were online.

Blimey, we’re all doomed. If you work at a PC – which is most of us – you could find yourself well and truly in the “addicted” range without even logging on at home. The symptoms? I suspect they could be called the “human condition”. But if we can all become unstressed, focussed, easy-going people who sleep like logs, just by not playing WoW, most of us should be already there.

Please, Jacqui, can I have an ID card now

Message from Bizarro world: People in the UK can’t wait to get their hands on ID cards. They are constantly bothering the Home Secretary, badgering her to hurry up and introduce them.

Well, she says so, anyway.

Jacqui Smith says public demand means people will be able to pre-register for an ID card within the next few months.
The cards will be available for all from 2012 but she said: “I regularly have people coming up to me and saying they don’t want to wait that long.” (from the BBC website)

Are there enough smileys and ROTFLMAOs in the world to do internet justice to this idea? I doubt it but here goes anyway.

😀 😀 😀 😀 😀 😀 😀 😀 😀 😀 😀 😀 😀 😀 😀 😀 😀 😀 😀 😀 ad infinitum

More from our Home Secretary:

“I now want to put that to the test and find a way to allow those people who want a card sooner to be able to pre-register their interest as early as the first few months of next year.”
She told the BBC: “We’ll see where that interest is, and then we’ll see if we can issue some cards to those who’ve expressed an interest by the end of next year.”
People applying for cards and passports from 2012 will have to provide fingerprints, photographs and a signature, which Ms Smith believes will create a market worth about £200m a year.
And in changes to earlier plans the Home Office is talking to retailers and the Post Office about setting up booths to gather biometric data.

A plan to have booths all over the country collecting biometric data is going to create a “market.” A market in what exactly? The economy must be in an even worse state than we’ve been told.

Estimated costs for the ID scheme have been revised upwards yet again to £5.1 billions. Even if the – how can I put this? – fiscally optimistic figure of a new “market” in selling our own biometric data back to us is worth £200 million a year, it’ll take a good few years to recover £5.1 billions. And that’s without taking into account the costs of setting up the booths and taking out the profit margins for those PFI companies that are unwary enough to sign up for the opportunity.

I suggest that anyone who’s been badgering the Home Secretary for an ID card – momentarily assuming such people exist outside the Land of Porkie Pies – get a driving licence or a passport. Problem solved.

Or here’s my alternative instant identity document. Just fill it out and carry it round. OK, it’s only half-thought out but then I’m saving you loads of time and money.

Instant ID card

Now, stop bothering our busy Home Secretary with your whining demands for something to show you who you are.

Oh, you want it to be stored on a database, do you? Just as cheap and easy. Type all your personal details into any database or spreadsheet program on your PC (or send it to me to store in PHPMyAdmin, if you must be all formal about this) then copy it to a memory stick, get on some public transport and leave it down the back of the seat.

Of course, if you want it to be really secure, find a big overseas-based subcontractor and pay them a lot of money to send it offshore first, before the random jettisoning bit, but I’m just thinking of the savings you’ll make by cutting out the middle man. Read the papers, we’re all supposed to be belt-tightening you know. Do it yourself.

More MOD data goes AWOL

This week’s data-loss story is a Ministry of Defence hard drive that’s gone AWOL. Another example of the UK government’s seemingly bottomless commitment to freeing up access to its data, by distributing it at random around the globe.

Ministry of Defence, that was.

An investigation is under way into the disappearance of a computer hard drive which could contain the details of about 100,000 Armed Forces personnel.

And when it says detail, it means unencrypted detail:

There may also be some personal information including bank and driving licence details, passport numbers, addresses, dates of birth and telephone numbers.

Of serving members of the Armed Forces. Does information get much more personal? It’s not as if that sort of data would be any use to enemies in the ongoing TWAT. (*heavy sarcasm*)

How much confidence does that inspire in the security of the information they’ll have on us mere civilians, when the ID-card scheme includes us all? (*Rhetorical question*)

A commenter said in the Independent

The MoD didn’t lose this data, EDS did. Nobody cares about data that isn’t their own. If this data had been handled in house and the work not outsourced it wouldn’t have been lost.

EDS is the MOD’s main IT contractor. Here’s their web page.

.. as an HP business group, EDS delivers one of the industry’s broadest portfolios of information technology and business process outsourcing services to customers in the manufacturing, financial services, healthcare, communications, energy, transportation, and consumer and retail industries, and to governments around the world.

The About us page has US contact numbers. It seems to have been written by someone from a Dilbert cartoon. Everything they do is “innovative” and their

high-quality, cost-competitive services are provided from the optimal mix of onshore, nearshore and offshore locations.

This determinedly shore-heavy focus may refer to their “related companies” (part-owned companies) which include companies based in the UAE, India (workforce: 28,000+), the USA and other unspecified locations. One provides “Benefits, Payroll and other HR Administration services to more than 34 million active and retired employees from its client organizations.”

On 8 September 2008, prison officers were disturbed about EDS’s loss of their personal data, to the point of threatening a strike.

At that time, Computer Weekly pointed out that EDS already had something of a track record in the data-loss area. The Burton Review Report, published in April 2008, looked into an earlier loss of MOD personnel data, in which EDS were involved.

One of the themes emerging from the Strategy for Transformational Government (2005) was the increased emphasis on sharing services, particularly in information and infrastructure. The Armed Forces have been early pioneers of this approach, through a range of Private Finance Initiative (PFI) and Public Private Partnership (PPP) contracts. (from page 4, Burton Report)

Hmm. Need look no further for the culprit methinks: the whole process for giving out PFI and PPP contracts.

You might assume that the UK must be desperately short of cash, if it’s prepared to hand over its most crucial information to any company that offers to undercut government employees, while providing a better service and still making a profit. (Well, it must sound convincing to UK governments.) But, it seems that the UK government has a bottomless pit of money for bailing out banks, so shortage of cash can’t be the reason.

If you are interested in looking up the track record of other private companies that keep public data, datalossdb.org could fill in an obsessive hour. Type the name of your chosen PFI company and see what turns up.

Blame the Cold War

Yet another “downside” of the thawing tensions between East and West was announced on the BBC today. Sir Edmund Burton was investigating the MOD’s woeful inability to prevent laptops going missing, and one of his conclusions was reported as:

Armed forces recruits from the “Facebook generation” do not take data security seriously enough, a Ministry of Defence security probe has found. (…)
In a highly critical report, he says the MoD had lost its Cold War discipline for data security and there was “little awareness” of its importance among staff. As a result a major security incident had been “inevitable”.

I sort of agree in that such a loss was (and still is) inevitable. However, I am not convinced it is as clear cut as the “Facebook” generation or the end of the Cold War.

First off, most of these breaches are not made by inexperienced recruits – they are not the sort of person who carries a laptop around with huge amounts of classified material. The people who do this are senior members of staff (even MPs…). I doubt Hazel Blears is part of the “Facebook” generation – she simply had material on her machine that shouldn’t have been there and it got stolen. The MOD losses are similar.

Portable IT equipment is a high value target for thieves; by its very nature it lends itself to being carted away easily. Of course people will try to steal things like this, so any security plan must take that as an assumption and build from there (such as not putting unnecessary data there in the first place…). It is not the Cold War’s fault for having the barefaced cheek to end.

The larger “issue” in all this is that, despite the poor record, our government is continually trying to record and store more and more data on its citizens. Imagine the security compromise possible when a laptop containing 25,000,000 (not a made up number) people’s ID card details goes missing…

Remind me again why ID cards are good?