Thursday, March 15, 2007

CYA security

Bruce Schneier has a nice essay on cover your ass security in the latest Crypto-gram.

"Since 9/11, we've spent hundreds of billions of dollars defending
ourselves from terrorist attacks. Stories about the ineffectiveness of
many of these security measures are common, but less so are discussions
of *why* they are so ineffective. In short: much of our country's
counterterrorism security spending is not designed to protect us from
the terrorists, but instead to protect our public officials from
criticism when another attack occurs.

Boston, January 31: As part of a guerilla marketing campaign, a series
of amateur-looking blinking signs depicting characters from Aqua Teen
Hunger Force, a show on the Cartoon Network, were placed on bridges,
near a medical center, underneath an interstate highway, and in other
crowded public places.

Police mistook these signs for bombs and shut down parts of the city...They overreacted because the signs were weird...

if a weird device with blinking lights and wires turned out to be a bomb
-- what every movie bomb looks like -- there would be inquiries and
demands for resignations. It took the police two weeks to notice the
Mooninite blinkies, but once they did, they overreacted because their
jobs were at stake.

This is "Cover Your Ass" security, and unfortunately it's very common...

We might be better off as a nation funding intelligence
gathering and Arabic translators, but it's a better re-election strategy
to fund something visible but ineffective, like a national ID card or a
wall between the U.S. and Mexico...

Sadly, though, there might not be a solution. All the money is in
fear-mongering, re-election strategies, and pork-barrel politics. And,
like so many things, security follows the money."

I'd recommend his piece on private police forces too.

French High Court cancels the creation of illegal migrants database

In an interesting decision, the highest administrative court in France has cancelled a ministerial order setting up a database aimed at facilitating the expulsion of illegal migrants. Via EDRI-gram:

"On 2 October 2006, four French NGOs filed this case against the Interior minister: CIMADE and GISTI (two associations defending the rights of migrants), LDH (the French Human Rights League), and French EDRI member IRIS. While the database creation itself is allowed by the French code on immigration and asylum (CESEDA), the NGOs argued that the ELOI file would contain excessive and inadequate personal data on the foreigners themselves, their children, the citizens with which they were staying, and their visitors in retention centres. Moreover, these data were supposed to be kept for an excessive duration."

The court essentially cancelled the order because the ministry of interior set up the database using the wrong procedures. The response of the ministry has been to issue a new order in accordance with what they now consider to be the correct procedures to legitimise the database. They have also stated that they don't accept the substantive arguments about excessive personal data collection or excessive length of retention. The NGOs have responded with a call for the government to respect immigrants rights though I suspect they'll have to start briefing their lawyers again if they want to have any real impact on the latest developments.

The NHS database opt out decoy

Anyone with an interest in patient privacy in the UK should take the time to read The NHS Database: Lord Warner’s opt out decoy by Dr Paul Thornton MPH, FRCGP. Dr Thornton dissects the complex mess that is the NHS programme for IT and some of the driving agendas in a clinical but accessible way (sadly, though, at 12 pages of A4 probably beyond the attention span of the average New Labour minister).

When former health minister Lord Warner gave a public assurance just before Christmas that people would be able to opt out of having their patient records recorded on the new insecure national database, it was right after he had accepted the recommendations of a ministerial taskforce which had stated exactly the opposite i.e. everyone is expected to have their health details recorded on the national database.

"All that is being offered by the ministerial working party is an “opt out” from the “summary care record”. This limited opt out is important because all information in the summary care record will otherwise be accessible to all NHS staff nationally5. Initially the summary care record will include only current medications, allergies to medication and adverse reactions. This is sufficient information to imply highly sensitive diagnoses. If you know the treatment you know the disease. It is intended that the summary care record will include even more data as time passes...

CfH intend that all clinical, psychological and social information will be recorded by professionals in a “Detailed Care Record”, a subset database of the entire scheme. The information will be stored on centralised computers that are remote from the unit treating the patient..

At the planning stages of the project, Connecting for Health reassured that patient information would be protected from widespread inappropriate sharing because software would be used to hide sensitive information that patients did not want revealed, even to other health professionals. The proposals were metaphorically dubbed “sealed envelopes”. These proposals were described even by CfH as necessary to meet the project’s legal obligations on privacy and confidentiality. After substantial delay and failure to produce working software in this regard, CfH documents have just been updated9. It is confirmed that all the inadequacies10 in the proposals persist.

· The software is not yet written or tested
· It will not be available until long after the database is up and running so that
detailed care records will be unprotected
· It will not protect information that is stored in scanned images of historical documents.
· The patient controls can be over ridden
· The sealed envelopes will be ignored in respect of information transferred to
the Secondary Uses Service

Through a further safe guard, “Role based access”, it is intended that staff will only be able to access information that is justified by their job purpose, as indicated when they log on using their chip and pin card... It is just not that simple. The proposal is untested. Already, a Warwickshire hospital A&E department has abandoned the use of chip and pin cards by individual users because they were unable to log on and off quickly enough.11 Warwickshire primary care trust is enabling administrative staff who work at the PCT to be issued with Chip and Pin cards that would misrepresent these staff as employees of the local General Practitioners, thereby allowing access to sensitive patient information"

He goes on to explain succinctly plans for secondary use (such as research) of personally identifiable patient information which will be accessible by NHS staff, universities, the civil service, the police, social services and the pharmaceutical industry. He believes that the independence of the Patient Information Advisory Group (PIAG), charged with advising the Secretary of State on lawful uses of patient information, is compromised because several members of the group are leading participants in the design of the national database. He even quotes minutes of a group meeting where uses of patient data that would be constrained by existing legislation were considered and the group concluded that “consideration should be given to how either the class regulations or primary legislation might be reframed to encompass such uses.”

The current Health Minister, Lord Hunt, is on record as saying:

“With the best of intentions, the NHS has had a tradition for paternalism where much of what is done in the name of science or research relies on the implied consent of patients, but that implied consent has been pushed too far. We saw that example at Alder Hey. There the issue was human organ retention. We see it in many places where confidential patient information is currently used. The most important lesson to be learnt from Alder Hey is that patients' trust will be lost if we fail to forge new relationships based on informed consent.”

The current state of and plans for the NHS programme for IT undermine that principle of patient consent, sometimes for the best of intentions e.g. to facilitate medical research. But medical research is not impeded if the patient data is anonymized. Through a combination of good intentions, political expediency, Machiavellian media manipulation, mulitple conflicting agendas and the sheer complex mess that constitutes the NHS we are going down a path that could do significant damage to patient care and personal privacy. Of course computers can augment the work of the NHS but for now the decision makers need to get right back to clarifying the purpose of national NHS IT programme and completely overhauling the imlpementation.

For those interested in knowing a little more about the NHS IT plans I recommend, as does Dr Thornton, the BCS report on same released just before Christmas. Sadly it didn't get the attention it deserved at the time such was the success of Lord Warner's economical-with- the- truth PR sales pitch that the government had taken on board the concerns of critics and adjusted their plans accordingly.

Thanks to Glyn at ORG for the pointer to Dr Thornton's paper.

Update from today's Guardian: First test launched of NHS's controversial 'Spine' database

Tuesday, March 13, 2007

Thinking outside the disciplinary boundaries of IP

James Boyle has long encouraged his peers to think outside the usual boundaries of intellectual property scholarship and practice for progress towards solutions to IP problems thrown up by the World we know today. A nice example is in his paper on Enclosing the Genome.

"For a second analogy, consider the justice claims that have recently caused ‘access to essential medicines’ to become a fundamental part of drug patent policy both domestically and internationally. Again, these are a set of issues that fit poorly within conventional intellectual property scholarship; but the arguments are not mere exhortations to take drugs away from companies and hand them over the poor and the sick. The essential medicine questions are not simple, either economically or institutionally and – after some initial reticence – the academy now seems to be turning its eyes to the complicated points of treaty interpretation, regional institutional design, international price discrimination, and alternative patent regimes that this particular and real moment of human suffering forces us to think about. Can we really believe that our scholarly focus will be somehow weaker as a result of the forced encounter with claims of distributive justice and human rights? In fact, with any luck, the intensity of feeling about a particular controversy over
AIDS drugs may actually force us to acknowledge the single greatest weakness behind a patent driven drug development policy; a patent driven system for drug development will, if working correctly, deliver drugs on which there is a high social valuation – measured in this case by ability and willingness to pay. To put it another way, to have a patent-driven drug policy is to choose to deliver lots of drugs that deal with male-pattern baldness, but also with real and important diseases: rheumatoid arthritis, various cancers and heart disease. It is to choose not to have a system that delivers drugs for tropical diseases, or indeed for any disease which is suffered overwhelmingly by the national or global poor.
To say this is not to condemn drug patents; it is rather, to suggest precisely the two lines of inquiry I argued for in this article. First, if our goal is truly to help to eliminate human suffering, then we should spend more time thinking about alternative and supplementary ways of encouraging pharmaceutical innovation beyond the drug patent system. Second, when we talk about innovation and progress in the intellectual property system, we quickly and easily substitute some universal
imagined ideal of Progress for the actual specific version of “progress” towards which our current distribution of entitlements and rights will push us. Many policies that might seem justified by the promotion of large “P” progress, might seem more questionable if they were instead pushing us towards the specific vision of progress held latently within the pattern of demand established by our current distribution of rights and wealth. To quote Amartya Sen, “there are plenty of Pareto optimal
societies which would be perfectly horrible places to live.”34 Now if these lessons can be taught us in a concrete and unforgettable way by the debate over drug patents, is there any reason to believe that the larger debate over gene patents will offer us any less insight, or any less provocation? It could be, of course, that the end result would be exactly the same; perhaps all of us would find our conclusions unchanged, even if we were a little more critical about worshiping at the church of innovation, even if we clarified our definitions of that concept and of the notion of efficiency that underpins it, even if we broadened our scholarly focus to include the
kind of institutional and environmentalist inquiries I suggest here, and made our discussion of commodification a little more similar to that which occurs in conventional property scholarship.
Perhaps this change in methodology would leave our substantive positions unchanged, though I doubt it.. Perhaps its effects would only be found in other areas, such as the essential medicines question, or the question of the goals of basic science policy, or the question of the redesign of the institutional framework through which intellectual property policy is made. But even if all that were true, the gene patenting debate could still teach intellectual property scholars a set of lessons we sorely need. At least, that is, if we have the courage to enter it."

FSU report on voting machines in Sarasota County

Florida State University recently released a report on the ES&S iVotronic voting machines used in the 2006 elections in Sarasota County in Florida, the results of which are under review. The report concludes that the voting machines were very insecure but that the anomalies were not down to a concerted attack on the system. Ed Felton agrees with that conclusion:

"The reason is simple: only a brainless attacker would cause undervotes. An attack that switched votes from one candidate to another would be more effective and much harder to detect.

So if it wasn’t a security attack, what was the cause of the undervotes?

Experience teaches that systems that are insecure tend to be unreliable as well — they tend to go wrong on their own even if nobody is attacking them...

The study claims to have ruled out reliability problems as a cause of the undervotes, but their evidence on this point is weak, and I think the jury is still out on whether voting machine malfunctions could be a significant cause of the undervotes...

I want to make the case for the other theory: that a malfunction or bug in the voting machines caused votes to be not recorded. The case sits on four pillars: (1) The postulated behavior is consistent with a common type of computer bug. (2) Similar bugs have been found in voting machines before. (3) The state-commissioned study would have been unlikely to find such a bug. (4) Studies of voting data show patterns that point to the bug theory."

He does believe, though, in spite of all the problems that have emerged with evoting systems, that computers can make voting more secure.

"It’s tempting to eliminate computers entirely, returning to old-fashioned paper voting, but I think this is a mistake. Paper has an important role, as I’ll describe below, but paper systems are subject to well-known problems such as ballot-box stuffing and chain voting, as well as other user-interface and logistical challenges.

Security does require some role for paper. Each vote must be recorded in a manner that is directly verified by the voter. And the system must be software-independent, meaning that its accuracy cannot rely on the correct functioning of any software system. Today’s paperless e-voting systems satisfy neither requirement, and the only practical way to meet the requirements is to use paper.

The proper role for computers, then, is to backstop the paper system, to improve it. What we want is not a computerized voting system, but a computer-augmented one.

This mindset changes how we think about the role of computers. Instead of trying to make computers do everything, we will look instead for weaknesses and gaps in the paper system, and ask how computers can plug them. "

Gilberto Gil Hears the Future, Some Rights Reserved

From the NYT: Gilberto Gil Hears the Future, Some Rights Reserved

Wearing a Red Nose Could get you arrested

A warning fom bloggerheads:


This is the first Red Nose Day to take place since the introduction of the Serious Organised Crime and Police Act 2005.

It is now illegal for you to wear a red nose or promote Red Nose Day in any way within the designated area surrounding Parliament if you do not first seek permission from the Metropolitan Police Commissioner.

Simply wearing a red nose could result in a fine of £1,000.

Organising a Red Nose Day event that takes place within the designated area could result in a fine of £2,500 and/or imprisonment for a term not exceeding 51 weeks.

No, I am not pulling your leg.

Second life and property law students

Elizabeth Townsend Gard has begun an interesting experiment with her latest cohort of property law students, investigating the relationship between tangible and virtual property by exploring property and how it is treated in the online digital world Second Life.

"Each week a group of 7-9 students investigate, experience, and comment upon Second Life. The final product is a screencast. These screencasts will be posted at number of places -- at the Center for Internet and Society at Stanford Law School (where I am a non-resident fellow), here at my academic copyright blog, and then I have set up a special blog for the Fizzy project at"

She has two objectives in mind for her students:

"I want students to experience Second Life, which includes the tasks of avatar maintenance (changing Fizzy's appearance), experiencing different places and events, keeping up with the news, both inside Second Life as out, and most importantly for our course, exploring a property component.

The property question changes each week. The first, week, for example, students looked at the basic legal structure of Second Life and not surprisingly found it was a contract-based system, and not a "property" based regime. Virtual property is contract based. No one was surprised at this; it was just a place to begin. The second week students looked at finders and gifts; the third group is looking at "first in time." These last two examples are common topics for a First Year property course. The goal of this experiment is to get 1L students to apply their very basic knowledge in a different setting. Do they see elements of modern "real life" property being replicated in "virtual property?"

It's a variation on the Cyberone idea about argument/debate in cyberspace tried by Charles and Rebecca Nesson at Harvard.

Monday, March 12, 2007

Microsoft on Google Book

Larry Lessig, unsurprisingly, has an opinion on Microsoft's criticism of Google's lack of respect for copyright.

"Google’s “Book Search service” aims to provide access to three kinds of published works: (1) works in the public domain, (2) works in copyright and in print, and (3) works in copyright but no longer in print. As some of you may recall from the presentation I made a while ago, about 16% of books are in category (1); 9% of books are in category (2), and 75% of books are in category (3).

With respect to categories (1) and (2), Google is “respect[ing] copyright” just as “we at Microsoft are doing it.” With respect to category (1), that “respect” means no permission needed. With respect to (2), that means deals with the publishers whose works are made available — deals which give enhanced access over the default “snippet access.”

So that leaves category (3) — the 75% of works presumptively under copyright, but no longer in print. How do you “respect” copyright with respect to those works?

Well, Microsoft “respects” these copyright holders by not providing any access to their works. Google “respects” these copyright holders by providing “snippet access” — just enough to see a sentence or two around the words you’re searching for, and then links to actually get the book (either at a library, or from a book seller).

This may just be my own vanity, but I suspect that more copyright holders of books no longer in print would like Google’s kind of respect over Microsoft’s. But in any case, it is not true to say that Google could have provided “its Book Search service” in the way that “we at Microsoft are doing it.” If asking first is always required, then because of the insanely inefficient system of property that we call copyright — inefficient again because the government has designed it so that there’s no simple way to know who owns what, the very essence of a property system — 75% of books could not be within a digital view of our past. "

Policy, security and computers

Ed Felten has been explaining how he got entangled in policymaking.

"When I started out in research, I had no idea public policy would become a focus of my work. The switch wasn’t so much a conscious decision as a gradual realization that events and curiosity had led me into a new area. This kind of thing happens all the time in research: we stumble around until we reach an interesting result and then, with the benefit of hindsight, we construct a just-so story explaining why that result was natural and inevitable. If the result is really good, then the just-so story is right, in a sense — it justifies the result and it explains how we would have gotten there if only we hadn’t been so clueless at the start.

My just-so story has me figuring out three things. (1) Policy is deep and interesting. (2) Policy affects me directly. (3) Policy and computer security are deeply connected...

The third realization, that policy and computer security are joined at the hip, can’t be tied to any one experience but dawned on me slowly. I used to tell people at cocktail parties, after I had said I work on computer security and they had asked what in the world that meant, that computer security is “the study of who can do what to whom online.” This would trigger either an interesting conversation or an abrupt change of topic. What I didn’t know until somebody pointed it out was that Lenin had postulated “who can do what to whom” (and the shorthand “who-whom”) as the key question to ask in politics. And Lenin, though a terrible role model, did know a thing or two about political power struggles."

Ed's categorisation has parallel's with the central ethos of the Technology Faculty at the Open University where my colleagues Dick Morris and John Naughton were the chief culprits in shaping the platform of ideas and opportunities that underpin my perspectives on technology and leading to my just-so story that (1) Technology is deep and interesting. (2) Technology affects me directly. (3) Technology and society are deeply connected...

$250,000 Open Architecture Prize announced

Via Yahoo!: $250,000 Open Architecture Prize announced

"Advanced Micro Devices, Inc. (NYSE:AMD - News) and Cameron Sinclair, winner of last year's TED Prize and founder of Architecture for Humanity, today announced the first ever Open Architecture Prize at the annual TED Conference. The $250,000 Open Architecture Prize is the largest prize in the field of architecture and is designed to be a multi-year program that will draw competition from design teams around the world.
Each year, a winning design will be selected from a field of low-cost, sustainable design projects and built in a selected community. The first project for the Open Architecture Prize will be an "e-community center," a centralized building equipped with internet connectivity solutions designed to enable an entire community to access the transformative power of the Internet."

Sunday, March 11, 2007

Digitial Security and Privacy

There is a new book on digital security and privacy the text of which is freely available on the Web.