Posted June 16, 2009

Dear Home Secretary,

Welcome to your new post. I hope your advisers have put in your in-tray a copy of the very lucid analysis of the UK’s National Identity Scheme which Toby Stevens has written here on his ComputerWeekly blog. His starting point is to wonder whether your appointment as Home Secretary signals the opportunity to abandon the government’s ID Card policy, and he then draws out some of the many reasons why that policy has degenerated into a probably irredeemable mess.

As to the first question – I agree with Toby’s assessment. It would be a brave Home Secretary, in the current government, who repealed a piece of primary legislation which, in your own words, embodies a manifesto commitment. On the face of it, there seems little sense in handing the opposition, within bow-shot of the next general election, the PR victory of being able to claim that Labour has finally accepted what the Conservatives and Lib Dems have been saying all along… that the Identity Cards Act 2006 has got to go.

However, as the rest of Toby’s post goes on to illustrate, this is by no means just about the Act. The Act itself is a product of the government’s policy objectives, and has to be reflected in policies and implementation if it is to have any practical effect. That relatively flexible relationship between the primary legislation and the practicalities of ID Cards is at once your opportunity and your burden.

It’s an opportunity in the sense that it leaves the way open (as this Guardian article suggests) for you to pay lip service to the Act – implementing it in a couple of well-circumscribed instances – while investing no effort in rolling out a comprehensive national ID Cards scheme.

But it’s a burden in many senses. First, as I say, the Act is a product of the government’s policy objectives… but so many years and Home Secretaries have passed since those policy objectives were first conceived, and political necessities have forced so many twists, tweaks and back-trackings on them that it is, fundamentally, no longer clear why the government wants a National Identity Card, what benefits it expects from one, and what it would do with it if it had one.

Second, your choices are constrained by the flaw which is built into the Act’s very title: it is, unusually, a piece of primary legislation explicitly framed in terms of a specific technology – an identity card. And yet, when push comes to shove, you would doubtless ditch the card itself, if that gave you the leeway to, as Toby puts it, carry on with “biometric passports and the centralisation of biometric and biographical information into the National Identity Register. In other words, all that will change is that we won’t receive the bit of plastic – everything else will continue regardless”.

How can it have come to this – a national identity infrastructure which omits the very thing named in its own primary legislation? On one level, the answer to that question is simple: we’ve arrived at this state of affairs because successive justifications of the National Identity Scheme have sought to portray it as different things. It’s a counter-terrorism measure; it’s to prevent benefit fraud; it’s to cut health-care costs; it’s to secure the UK’s borders; it’s an entitlement card (remember that one?); it’s “the gold standard of identity”, which businesses will queue up to trust… and my favourite: it’s a conveniently portable alternative to a paper passport, for young ladies who want to carry proof of age when they go clubbing.

Unfortunately, these justifications are all ad hoc, and range from the politically expedient to the absurd. They have never been underpinned by a clear, robust and explicit statement of principles to which all the legitimate stakeholders have signed up. And there are multiple legitimate stakeholders here: public admininstration, law enforcement, commerce… oh, and the citizen/cardholder.

My plea is this: be explicit about who the stakeholders are, and acknowledge their legitimate interests, even if those are many, varied and sometimes conflicting. Have the courage to call out the fact that the Act, as drafted, is fundamentally flawed. Explain to the citizen that the small piece of plastic is actually entirely irrelevant, and the important, useful and dangerous part is the National Identity Register.

Be open and honest about the policy purpose of the National Identity Scheme, and what the National Identity Card and the National Identity Register have to do with it. Set out a clear statement of principles which reflects the aims of the government and the interests of the stakeholders – and be prepared to ditch anything which does not put those principles into practice, whether that’s the Act, the Card, the Register or the policy.

Yours sincerely,

Robin Wilton

–posted by Robin Wilton, Director of Privacy and Public Policy, Liberty Alliance

Posted on June 15, 2009

One of the points I was happy to have been able to make at last Tuesday’s beingdigital event was this: privacy is not about keeping all my data to myself, it’s about disclosing it, but doing so under conditions of control and consent which reflect a specific context.

I’ve said that before, I know, and will doubtless say it again. The novel part, though, was to look at social networking from that perspective. When you do so, it becomes clear that our ‘online life’ – what James Governor has referred to as “declarative living” – is actually a mass experiment in what happens when we uncouple disclosure from all the normal contextual constraints which we allow to guide us in real-world social interactions.

Not only is social networking an experiment, I would go so far as to argue that it is a consensual hallucination; we’re jamming together two terms and hoping that the resulting phrase makes sense, when actually it does no such thing. As things stand today, you can have “social interaction” as human beings have understood it for millennia, or you can have “networked interaction”. If you want, you can behave as though your networked interactions are exactly equivalent to your social ones, but if you do, you’re deluding yourself.

I was therefore reassured to see that view echoed in comments by Prof Peter Fader and Prof Alessandro Acquisti – of Wharton and Carnegie Mellon University respectively – in this article on the Wharton site.

The article quotes Prof Fader as follows:

‘Research on online social networking and how it may alter privacy norms is just beginning, according to technology observers. “Our kids today will give everything [in terms of personal information] away, but it’s not at all clear how this will shake out in the long run,”‘

and Prof Acquista as follows:

‘”Privacy decision making and valuations are malleable,” but it’s unclear what factors lead to more disclosure. One of those factors might be a “herding effect,” he said. In one study, Acquisti found that that people will divulge information when they see others doing so. That tendency, he believes, may explain why so many people are willing to dish out personal information on the networks.’

I’m not trying to claim that privacy norms are immutable – certainly, they will change as a result of the ways in which we experience the effects of social media – but let’s not blindly go along with the assumption that social and networked interaction are the same thing. Yet.

–posted by Robin Wilton, Director of Privacy and Public Policy, Liberty Alliance

Posted on June 10, 2009

Challenged to sum up “digital footprints, personas and privacy” in 30 seconds at the end of yesterday’s panel, I rather lamely blathered on about ‘governance’, and rounded off with the example of CCTV cameras. Why isn’t there a law (as opposed to a rather weedy code of conduct) which makes it obligatory to label any CCTV installation with the contact details of its owner/operator?

I am delighted, therefore, to see that theme reprised in this Guardian article from yesterday evening; Alan Travis cites CCTV regulation as a potential “quick win” for new Home Secretary Alan Johnson. (Along with ditching the ID Card scheme, revising the DNA retention policy and curbing the extent of access to telecomms data).

I’d love to think there was some connection between that and the presence of Mike Bracken (the Guardian’s Head of Consumer Facing Technology) on yesterday’s closing panel, but I very much doubt it.

In retrospect, I should have led with the telecomms data example – it beautifully illustrates the way in which a changing economic and policy climate can lead to a less workable regulatory environment and worse privacy outcomes. Click here to view the image.

You can see the full presentation here; Identity and Privacy in an Economic Downturn.

Just two other notes on yesterday’s event: first, congratulations and thanks to Tony Fish and Simon Grice for a really good event – good speakers and lots of audience interaction.

Second, sincere apologies for wrongly attributing the “Thelma Arnold” breach to Yahoo!, and my thanks to Gary Gale of Yahoo! for pointing out that that distinction belonged to AOL.

–posted by Robin Wilton, Director of Privacy and Public Policy, Liberty Alliance

Posted June 9, 2009

Thanks to the IDIS Journal folks for their Twitter post about new formalities to be introduced by the US Transport Security Administration (TSA). According to this article from the SJ Mercury, the TSA’s watch list is compiled in “full name” format – i.e., according to US conventions: first name, middle name, last name – and they will expect all air travel bookings to document passenger names in the same format.

The twist is, apparently, that what they will really be looking for is a passenger name in the booking record which exactly matches the passenger name in the accompanying identity document (passport, US ‘enhanced driver’s license’, etc). However, what I didn’t know is that it is also valid for those to be issued with the holder’s name in the format “first name, middle initial, last name”… thus opening up the possibility of a mis-match between the credential and the watch-list format, even though the credentials in question are valid.

In my case the fun will include the question of whether the TSA’s new matching system can cope with people who have two middle names.

I always got a laugh out of those US police shows where a ‘perp’ with only two names was automatically given a set of police-issue initials… “NMI”, standing for “No Middle Initial”. There’s something glorious about that level of recursive absurdity.

–posted by Robin Wilton, Director of Privacy and Public Policy, Liberty Alliance

Posted June 7, 2009

It’s not unusual to hear criticism of UK law enforcement policy on the taking/retention of DNA samples; the National DNA Database (NDNAD or “nidnad”, as I suppose it should be pronounced) has generated controversy and even attracted a ruling from the European Court of Human Rights that the retention of the DNA profiles of innocent people is illegal.

Tellingly enough, UK policy in that regard has not changed since the ruling, which is now more than 6 months old. Some 850,000 people are reckoned to have their DNA profiles on the database and their samples stored, despite the absence of either an arrest, a charge or a conviction.

Not that this has been a short-term issue. In one sense, it started 3 1/2 years ago with the introduction of the Serious Organised Crime and Police Act 2005, which removed from English and Welsh law the notion of an “arrestable offence”. Essentially, it made all offences arrestable. The measure was described, in December 2005, as maintaining ” the crucial balance between the powers of the police and an individual’s rights”… by the recently-departed boat-rocker Hazel Blears (then a minister at the Home Office).

In March 2009, a retired senior police officer, David Gilbertson was quoted as follows in this Guardian article:

“People can now be (and have been) arrested and detained under Section 110 for not wearing a seatbelt, dropping litter, shouting in the presence of a police officer, climbing a tree, and building a snowman.”

The relevance of ‘arrestable offences’ here is that if you’re arrested, you can be required to give a DNA sample. So, if a police officer really wants a sample from you, all he or she has to do is wait until you do something which can be described as giving rise to an offence (such as climbing a tree, building a snowman or, presumably, stepping on the cracks in the pavement), nick you and swab away.

The police can also ask witnesses and victims to provide a sample “to eliminate them from enquiries”… but once that purpose has been served, current practice has apparently been to retain the samples. In December 2005 the NDNAD included over 15,000 profiles from witnesses who had provided them voluntarily.

So much for context. I mention all this because the latest criticism also comes from a police officer – this time, it’s an officer from the Met, who is quoted (here) as saying that people as young as 10 are being targeted for arrest (and therefore DNA profiling) on the following basis:

“It is part of a long-term crime prevention strategy. If you know you have had your DNA taken and it is on a database then you will think twice about committing burglary for a living.” [Thanks to the folks at Privacy International for Twittering a pointer to the story]

Aside from the possibility of a challenge under the UK Human Rights Act 1998 (which, as noted above, can end up in front of the ECHR), it seems to me that this policy, if it’s real, also violates the data protection principles relating to “purpose of collection” and “purpose of use”.

It is, as far as I know, still illegal to require a DNA sample on the basis that someone “might be thinking of committing burglary for a living”; therefore that cannot be a justifiable purpose of collection, and yet it is being cited here as the “purpose of use”.

If these news stories accurately reflect the state of UK law enforcement policy in this area, they paint a depressing picture, not least because the ECHR ruling on DNA retention was so unequivocal:

“In conclusion, the Court finds that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention at issue constitutes disproportionate interference with the applicants’ right to respect for private life and cannot be regarded as necessary in a democratic society.”

The court dismissed all arguments brought by the UK Government, stating that “England, Wales and Northern Ireland appear to be the only jurisdictions within the Council of Europe to allow the indefinite retention of fingerprint and DNA material of any person of any age suspected of any recordable offence”.

–posted by Robin Wilton, Director of Privacy and Public Policy, Liberty Alliance

Last month Brett McDowell, executive director of Liberty Alliance, spent some time with Zack Martin of Avisian discussing the history, preliminary goals and early members of Kantara Initiative.  The ten minute podcast offers a great overview of the new organization and dives into the potential use cases and technology, policy and privacy issues the Kantara Initiative community will look to address and solve.

With a focus on the end user, the people who actually use identity solutions, Martin asks McDowell if a person will ever be able to use the same identity on their Facebook page as they would to log into their bank account. McDowell explains that these are the type of scenarios Kantara Initiative was formed to tackle, so that a person may be able to assert their identity – along with the appropriate security and privacy requirements — to any identity-enabled application.

If you’re looking to get up to speed on Kantara Initiative, or wondering where you may want to participate, this two-part series is a great introduction. Check it out on the Digital ID News site here.