Friday, November 07, 2008
It's a start. He needs to understand also that these big databases he's building will be subject to technical failure and attack by people with malign intent.
Systematically and cynically dismissing, ignoring and denigrating the concerns of people who really understand these systems, Mr Brown, his predecessor, Mr Blair, and a long line of incumbents in the Home Office and other cabinet posts have been repeatedly assuring us, for years, that the mountain of personal information we will be compelled to hand over to the government, to feed their ID card and other database schemes, will be secure. Now the Prime Minister blandly slips it into a statement in Qatar, the day before the US presidential election, that hey, people make mistakes, so don't sweat it, or words to that effect.
To continue to deploy these systems in the absolute knowledge that they are completely insecure is not just a negligent derogation of duty on the part of the government, it is criminal. The folk at NO2ID have come up with a nice soundbite in response to the PM's admission:
"The only cure to the problem of data loss is for the government to stop collecting so much personal data. You can't protect it. So don't collect it."
Thursday, November 06, 2008
"“Why does it matter that the brown one won?” my six-year-old daughter asked. “What about beige or yellow or pink? Anyway his hair is grey. I think they voted for the one with the whitest teeth.” My eight-year-old son didn't understand the colour issue either...
He still didn't understand after a conversation about the slave trade and segregation. “That's history. I want him to win because he smiles a lot, he's clever and he doesn't like bombs.”
His class has never discussed race. Korean, Asian, Nigerian and Scottish, they distinguish each other by their Top Trump and football skills. My son doesn't want to know that Barack Obama is half Kenyan, half Kansas and was brought up in Hawaii, unless it means he can surf. He is vaguely interested in Mr Obama's African relatives slaughtering goats but more intrigued by the fact that his children don't receive Christmas presents. What he cares about most is what he can do. “Lewis Hamilton didn't win because he's brown,” he said. “He's just the best.”"
We had a similar conversation at the Corrigan dinner table yesterday evening. Isn't it great that our kids are so much smarter than us.
Wednesday, November 05, 2008
"Now call me paranoid, but I suddenly twigged why I thought the Google announcement about an extension to the Google Visualisation API that will enabl[e] developers to display data from any data source connected to the web (any database, Excel spreadsheet, etc.), not just from Google Spreadsheets could have some consequences.
At the moment, the API will let you pull datatable formatted data from your database into the Google namespace. But suppose the next step is for the API to make a call on your database using a query you have handcrafted; then add in some fear that Google has already sussed out how to Crawl through HTML forms by parsing a form and then automatically generating and posting queries using those forms to find more links from deep within a website, and you can see how giving the Google API a single query on your database would tell them some “useful info” (?!;-) about your database schema - info they could use to scrape and index a little more data out of your database…
Now of course the Viz API service may never extend that far, and I’m sure Google’s T&C’s would guarantee “good Internet citizenry practices”, but the potential for evil will be there…
And finally, it’s probably also worth mentioning that even if we don’t give the Goog the keys to our databases, plenty of us are in the habit of feeding public data stores anyway. For example, there are several sites built specifically around visualising user submitted data, (if you make it public…): Many Eyes and Swivel, for example. And then of course, there’s also Google Spreadsheets, Zoho sheet etc etc.
The race for data is on… what are the consequences?!;-)...
In the previous couple of posts, I’ve rambled about web apps that will find a book from its cover and a song just by playing it and your online contacts across a myriad of services from your username on a single service.
But today I saw something that brought home to me the consequences of aggregating millions of tiny individual actions, in this case photo uploads to the flickr social photo site.
From my reading of the post, the purple overlays in the images above - not the blue bounding boxes - are generated automatically by clustering geotagged and placename tagged images and extrapolating a well contoured shape around them.
That is, from the photos tagged “London”, the algorithm creates the purple “London city” overlay in the above diagram.
For each and every photo upload, there is maybe a tiny personal consequence. For millions of photo uploads, there are consequences like this… (From millions of personal votes cast, there’s the possible consequence of change…)
And it struck me that even the relatively unsophisticated form of signals intelligence that is traffic analysis was capable of changing the face of war. So what are the consequences of traffic analysis at this scale?
What are the possible consequences? What are we walking into?
(Of course, following a brief moment of “I want to stop contributing to this; I’m gonna kill my computer and go and grow onions somewhere”, I then started wondering: “hmm, maybe if we also mine the info about what camera took each photo, and looked up the price of that camera, we might be able to generate socio-economic overlays over different neighbourhoods, and then… arrghh… stop, no, evil, evil…;-)”)"
"I saw the following on Google Blogoscoped: Search Google Profiles, which describes a new Google search feature. (Didn’t know you had a Google Profile? If you have a Google account, you probably do - http://www.google.com/s2/profiles/me/? And if you want to really scare yourself with what your Google account can do to you, check http://www.google.com/history/… go on, I dare you…)
I had a quick look to see if I could find a link for the new profile search on my profile page, but didn’t spot one, although it’s easy enough to find the search form here: http://www.google.com/s2/profiles. (Maybe I don’t get a link because my profile isn’t public?)"
I've been nagging Tony and other colleagues about the downside of a Googleville Panopticon World for years, but it would be a shame if he killed all his computers and devoted his considerable talents to allium ecology. We do, however, need to be actively building the social, legal, economic, architectural and environmental infrastructure to go along with the technological development that the Tony Hirsts of this world are so enthused by, to at least nudge the Googles of this world to behave in better-than-amoral ways. Bottom line - if it costs them, economically, socially, legally etc., to be evil, they will be less likely to lean in such a direction. Our capacity to regulate in positive ways, however, is not good (there is little understanding amongst the political elite of what they are dealing with technologically), and neither is our record. So despite the hype/hope surrounding Obama's election today, I'm not optimistic about this complex systemic mess (of the Ackoff variety) being addressed remotely appropriately any time soon.
Well I hope that means that my kids will never even consider the possibility that the colour of a person's skin would be a factor in the election of someone to such an elevated office. On the up side, hopefully Obama will attempt to repair some of the damage done to the US Bill of Rights by previous administrations. He is committed to shutting down the detention and torture centre at Guantanamo Bay at least.
On the down side (you can rely on me to find the black lining in the silver cloud), with the Democrats in complete control of Congress and the White House and the massive influence of the entertainment industry in Democratic circles, we can expect a blizzard of extreme IP laws in the first couple of years of the Obama presidency. The copyright cops they recently failed to get President Bush to sign up to will be in; we can also expect a US version of the French 3 strikes law; the pressure to drive ACTA forward will be increased; the Enforcement of IP rights act will go through on the nod; ISP copyright filters may be mandated; copyright term may even be back on the agenda in the US since Mexico has a longer term...
The president elect has the high expectations of a lot of people resting on his shoulders, so he is bound to disappoint at least some, especially given the state of the US and world economies, international relations and the world's trouble spots. I wish him the best of luck, but there was something strangely empty and unsatisfactory about the soundbites from his acceptance speech that have been getting repeated air time this morning... surely the speechwriters could have come up with something a bit more substantive than "We may not get there in a year or even in one term... but we will get there. I promise you America we will get there" (I paraphrase, but that was basically it)?
Monday, November 03, 2008
"The legislation is the transposition into law of an extra-parliamentary initiative of President Nicholas Sarkozy from last November, the so-called Olivennes accord, in which some 40 stakeholders from the music, cinema and internet service provision sectors agreed that repeat illegal downloaders would have their internet cut off by ISPs. However, the accord was essentially a gentleman's agreement between the parties and without legislative weight."
Note that the linked report correctly points out that the EU parliament voted against 3 strikes, but an amendment to that effect in the telecoms directive has been quietly removed, contrary to what the EUObserver report says.
"A father and son want Germany to stop using electronic voting machines because they believe them to be vulnerable to manipulation. They have brought their case before Germany's highest court."
Head over to the Google election 2008 website. In the right-hand column, click on Download Historical Voting Results. Google Earth should open (if installed!) when you agree to download the file. Depending on your part of the world you may need to re-orient the globe to get the red/blue picture of the US front and centre. Then click on the circle in the middle of any state to check out its voting data. Zooming in further allows access to the county by county data. You choose the year of interest by scrolling down the 'Places' box in the left margin of Google Earth.
You need to have Google Earth installed and it is a bit slow (particularly on my creaky old Windows 2000 machine in the office) but it's a great example of the kind of thing Tony H. so regularly evangelises about, presenting important historical empirical data in a visually accessible way. And it's fun to play with (well it is on a slightly more modern machine) especially if you're interested in the US elections.
Update: There is a browser based version too.
Study Of Accuracy, Privacy, Usability, Security, and Reliability Issues remains as relevant today regarding the problems relating to these systems, as it was when originally released. Here's the Executive Summary:
"The voter registration process may seem simple to most voters. They give their names, addresses, birth date, and in some cases party affiliations to election officials with the expectation that they will be able to vote on Election Day. In reality, election officials must oversee a complex system managing this process. They must ensure that the voters' information is accurately recorded and maintained, that the system is transparent while voter information is kept private and secure from unauthorized access, and that poll workers can access this information on Election Day to determine whether or not any given voter is eligible. A well-managed voter registration system is vital for ensuring public confidence in elections.
State and local governments have managed voter registration using different approaches among different jurisdictions. In 2002, Congress sought to make these disparate efforts more uniform by passing the Help America Vote Act, which required that each state have a computerized statewide voter registration database. In implementing this mandate, state and local governments still have differing approaches, but it is clear that information technology underpins each of their efforts. While technology will help election officials manage this complex system, it also creates new risks that must be addressed.
This study focuses on five areas that election officials should address when creating statewide voter registration databases (VRDs): accuracy, privacy, usability, security, and reliability. Each chapter contains detailed discussions and recommendations. The following are some of the overarching goals for VRDs and selected recommendations for achieving them.
1. The policies and practices of entire voting registration systems, including those that govern VRDs, should be transparent both internally and externally.
VRDs control access to voting; therefore, they have a direct impact on the fairness of elections, as well as the public's perception of fairness. It must be possible to convince voters, political parties, politicians, academics, the press, and others that VRDs are correct and are operating appropriately. Internal procedures and interfaces also must be clear to election workers in order to minimize errors. Transparency can be provided by allowing voters to verify their voter registration status and data; publicly disclosing outside data sources that officials use for verification; indefinitely keeping a secure write-once VRD archive in electronic form to allow audits of previous elections; and using independent experts to audit and review VRD security policies. Other goals such as accountability, audits, and notification also support transparency and are discussed below.
2. Accountability should be apparent throughout each VRD.
It should be clear who is proposing, making, or approving changes to the data, the system, or its policies. Security policies are an important tool for ensuring accountability. For example, access control policies can be structured to restrict actions of certain groups or individual users of the system. Further, users' actions can be logged using audit trails (discussed below). Accountability also should extend to external uses of VRD data. For example, state and local officials should require recipients of data from VRDs to sign use agreements consistent with the government's official policies and procedures.
3. Audit trails should be employed throughout the VRD.
VRDs that can be independently verified, checked, and proven to be fair will increase voter confidence and help avoid litigation. Audit trails are important for independent verification, which, in turn, makes the system more transparent and provides a mechanism for accountability. They should include records of data changes, configuration changes, security policy changes, and database design changes. The trails may be independent records for each part of the VRD, but they should include both who made the change and who approved the change.
4. Privacy values should be a fundamental part of the VRD, not an afterthought.
Privacy policies for voter registration activities should be based on Fair Information Practices (FIPs), which are a set of principles for addressing concerns about information privacy. FIPs typically address collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. There are many ways to implement good privacy policies. For example, we recommend that government both limit collection to only the data required for proper registration and explain why each piece of personal information is necessary. Further, privacy policies should be published and widely distributed, and the public should be given an opportunity to comment on any changes.
5. Registration systems should have strong notification policies.
Voters should be informed about their status, election information, privacy policies of the government, and security issues. As with audit trails, notification procedures can improve transparency; however, they are not always widely embraced. A recent survey found that approximately two-thirds of surveyed states do not notify voters who have been purged from election rolls. Voters should be notified by mail about their polling places, any changes that may affect their ability to vote, or any security breaches that expose private data.
6. Election officials should rigorously test the usability, security and reliability of VRDs while they are being designed and while they are in use.
Testing is a critical tool that can reveal that "real-world" poll workers find interfaces confusing and unusable, expose security flaws in the system, or show that the system is likely to fail under the stress of Election Day. All of these issues, if caught through testing before they become problems, will reduce voter fraud and the disenfranchisement of legitimate voters. We recommend many different ways to test various aspects of VRDs throughout the report. Examples include evaluation of VRD interfaces by laypersons and experts for consistency, feedback, and error handling; testing interfaces with real-world users and conditions, including extreme or sub-optimal conditions such as high processor load or network congestion; and allowing thorough, independent evaluations of the security and reliability of the VRD.
7. Election officials should develop strategies for coping with potential Election Day failures of electronic registration databases.
VRDs are complex systems. It is likely that one or more aspects of the technology will fail at some point. Different strategies can be employed to adjust for various failures. For example, Election Day verifications can be done via any of the following: paper systems, personal computers or hand-held devices with DVD-ROMs or other methods of holding static copies of the voter list, or via personal computers or hand-held devices connected by electronic communication links to central VRDs. Regardless of the method used, a fallback process should be devised to deal with a VRD failure. When appropriate, these processes should operate in tandem with provisional balloting and other measures designed to protect the voters' right to vote.
8. Election officials should develop special procedures and protections to handle large-scale merges with and purges of the VRD.
One of HAVA's main requirements is that VRDs be coordinated with other state databases (such as motor vehicle records). Ensuring that voter records reflect up-to-date information from other databases can improve the accuracy of the VRD, but coordination can introduce errors from the same databases, thereby undermining accuracy. Because large-scale merges and purges can render voters ineligible, the action should only be performed by a senior election official with procedures that force some sort of manual review of the changes. Further, if large-scale purges occur, they should be done well in advance of any election, and anyone purged from the database should receive notification so that any errors can be corrected.
State and local election officials face an ongoing and challenging task in creating and implementing statewide voter registration databases. We hope that the discussion and recommendations in this report will help inform officials and the public on how to meet these challenges.
In issuing this report, we recognize that many states have been working diligently toward meeting the federal requirement to have an operational statewide VRD. Both because many states will not meet this deadline, and because there will be ongoing maintenance and changes to any such system, state and local governments will also face the issues identified in this report well beyond the federal deadline. For this reason, we offer our continued guidance to officials who may wish to discuss any of the topics raised in this report."