Saturday, December 01, 2007

Copyright’s Heart of Darkness

Matthew Sag & Mark Schultz have offered a comment on John Tehranian’s “Infringement Nation”.

"John Tehranian’s recent Utah Law Review Essay, Infringement Nation, tells a riveting story about copyright law and the widening gap between law and norms. Like Charles Marlow’s journey into the Congo River, Tehranian has given us a transporting narrative of copyright’s potential despotic application to the life of an “ordinary law professor” named John. At the end of John’s journey down the copyright river, Tehranian asks us to “imagine a world where every act currently deemed infringing under the law were actually prosecuted.”

One can almost hear Kurtz’ whispered cry, “The horror! The horror!”

Tehranian argues that “on any given day, … even the most law-abiding American engages in thousands of actions that likely constitute copyright infringement.” Tehranian makes his case with an imaginative list of seemingly benign “infringing” acts and concludes that “if copyright holders were inclined to enforce their rights to the maximum extent allowed by law, [John] would be indisputably liable for a mind-boggling $4.544 billion in potential damages each year.” (emphasis added)

Without any disrespect to Tehranian, we take issue with his argument and almost all of his analysis. To begin with, many of his examples clearly do not qualify as copyright infringement, others are marginal cases at best...

The real problem with copyright law today is not so much the tyranny of the law as eventually applied, but rather the tyranny of uncertainty as to how the law will be applied. This uncertainty is the product of factors including the opaque structure of the Copyright Act, the complicated and fact-specific nature of the fair use doctrine, and defenses such as implied licensing. It is easy and rhetorically expedient to construct a dystopian scenario of copyright gone wild, but this kind of exaggeration does little to address public confusion about the law and only emboldens copyright maximalists by lending credence to their most grandiose claims.

What kind of copyright debate do we want to have? The “Orange Alert” strategy employed by too many copyright commentators simply produces a clash between irreconcilable extremes: “information wants to be free” versus “sole and despotic dominion.”

We continue to hope for something more."

A worthy response which should be read in full.

Chinese Computer Scientist Jailed for Copyright Infringement

William Stepp at Against Monopoly reports that a Chinese computer scientist has been jailed for copyright infringement.

"Chen Shoufu, an innovative Chinese computer scientist, was jailed August 16 in Beijing for violating the copyright of China's leading instant-messaging service, Tencent Holdings Ltd., owner of the popular QQ program. Mr. Chen's program Coral QQ made QQ more user friendly by blocking ads, resolving internet addresses, and identifying the computer from which a message is sent at no charge. (Tencent charges for the ID service.) He had previously paid a 100,000 yuan fine, about $13,600. Here is the article in the Wall Street Journal.

He has become a hero in China, the second largest internet market. One blogger decried Tencent for "bullying Chinese users by monopolizing the market."

This is yet another chilling example in a long list of violations of the liberty of people to use their property in non-invasive and very often innovative ways that ironically could improve the lives of their prosecutors, as well as countless other people."

NYT interactive debate transcript analyzer

Now this is really neat from the NYT - an interactive analyzer of the transcript of the recent Republican presidential candidates' debate.

The Nerd Handbook

Michael Lopp has compiled The Nerd Handbook. Recommended, especially for families and friends of nerds.

I thought I subscribed to them...

Google Reader now makes recommendations of feeds that are related to those you already subscribe to. The top four were ones I thought I already subscribed to, so I guess they've got me pegged.

Friday, November 30, 2007

The Untold Story of the ENIAC Programmers.

Via Mary Hodder: The Untold Story of the ENIAC Programmers.

"Did you know that sixty years ago, six young women programmed the ENIAC, the first all-electronic programmable computer?

And when LIFE magazine published a post-ww2 story about the ENIAC, the women were not mentioned. The article only featured information on the machine, not the engineers who made it work."

A Financial Perspective on DRM

At Kuro5hin: A Financial Perspective on DRM

"I noted yesterday that there seems to be some media fanfare surrounding Amazon's launch of a digital book tablet. It occurred to me that the markets surrounding media such as books, music and movies bear more than a passing resemblance to financial markets, and as such, perhaps they were amenable to a similar method of analysis. Being the owner of a sizable collection of paper books, this led me to consider the drawbacks one faces when Digital Rights Management restrictions are put in place...

when one purchases media encumbered by ... DRM schemes, one is taking on undiversified credit risk with an indefinitely long time horizon -- that is, you're counting on Microsoft or Apple not going out of business any time in your life and making all of your media instantly unreadable. Worse yet, unlike in the credit market, there are no such strong and well-defined legal protections to offer you recourse in the event that the company defaults -- they may choose to end (or more likely, "upgrade") the service at any time and render your library of purchases useless...

While books and music are almost never bought as investments with the expectation of making a profit, in the financial markets, investors rationally demand a high return premium for taking on such extreme risk. Asking consumers to take on such risks with no prospect of them materially benefiting in return is an incredibly unreasonable proposition and, to me, is the chief mechanism standing in the way of widespread adoption. While DRM schemes of this nature may flourish for now, it is only a matter of time before consumers wise up, the markets become more efficient, and people demand a fairer deal from large media companies. Publishers may not like it, but attaining the same characteristics for their digital products as they have for their physical products is the best hope they have for slimming down their distribution costs and stemming the tide of digital piracy."

Interesting perspective.

How Can Government Improve Cyber-Security?

Also from Ed Felten: How Can Government Improve Cyber-Security?

"One of the biggest challenges comes from the broad and porous border between government systems and private systems. Not only are government computers networked pervasively to privately-owned computers; but government relies heavily on off-the-shelf technologies whose characteristics are shaped by the market choices of private parties. While it’s important to better protect the more isolated, high-security government systems, real progress elsewhere will depend on ordinary technologies getting more secure.

Ordinary technologies are designed by the market, and the market is big and very hard to budge. I’ve written before about the market failures that cause security to be under-provided. The market, subject to these failures, controls what happens in private systems, and in practice also in ordinary government systems.

To put it another way, although our national cybersecurity strategy might be announced in Washington, our national cybersecurity practice will be defined in the average Silicon Valley cubicle. It’s hard to see what government can do to affect what happens in that cubicle. Indeed, I’d judge our policy as a success if we have any positive impact, no matter how small, in the cubicle.

I see three basic strategies for doing this. First, government can be a cheerleader, exhorting people to improve security, convening meetings to discuss and publicize best practices, and so on. This is cheap and easy, won’t do any harm, and might help a bit at the margin. Second, government can use its purchasing power. In practice this means deliberately overpaying for security, to boost demand for higher-security products. This might be expensive, and its effects will be limited because the majority of buyers will still be happy to pay less for less secure systems. Third, government can invest in human capital, trying to improve education in computer technology generally and computer security specifically, and supporting programs that train researchers and practitioners. This last strategy is slow but I’m convinced it can be effective."

Slysoft Commercializes Next-Gen DVD Circumvention

From Ed Felten: Slysoft Commercializes Next-Gen DVD Circumvention

"We’ve been following, off and on, the steady meltdown of AACS, the encryption scheme used in HD-DVD and Blu-ray, the next-generation DVD systems. By this point, Hollywood has released four generations of AACS-encoded discs, each encrypted with different secret keys; and the popular circumvention tools can still decrypt them all. The industry is stuck on a treadmill: they change keys every ninety days, and attackers promptly reverse-engineer the new keys and carry on decrypting discs.

One thing that has changed is the nature of the attackers. In the early days, the most effective reverse engineers were individuals, communicating by email and pseudonymous forum posts. Their efforts resulted in rough but workable circumvention tools. In recent months, though, circumvention has gone commercial, with Slysoft, an Antigua-based maker of DVD-reader software, taking the lead and offering more polished tools for reading and ripping AACS discs."

The Cape Town declaration

Martin Weller and Stephen Downes have some thoughtful responses to the Cape Town Open Education Declaration.

Martin's quite positive:

"I would have foregrounded it more, something along the lines of

New technologies, open content and an opening up of opportunities to participate means that radically new models of learning are now possible. These can be based around rich content discovery, social networks, informal learning, commons based peer production, loosely coupled systems, democratic communities and a long tail of interests. Addressing these challenges will require new models of pedagogy, accreditation, guidance, support, licensing and content production.

So will I sign up for it? Yes, there are more people aligned against open education than behind it, so the last thing we need to do is factionalise within our own camp. But, next time, let's eat our own dog food eh?"

Stephen is critical mainly due to the process through which it came about and the demographics of the participants:

"Normally I would expect to enthusiastically add my name to a document supporting free access to open learning resources. This is certainly a cause I have worked toward all my life, one that is expressed in the statement of principle on my home page, one that characterizes the papers I write, the software I code, the speeches I give.

I find myself at odds with the declaration written by a group of mostly American academics and advocates invited by a foundation to a private meeting in South Africa to author a "fixed and final" declaration on open educational resources...

I do not believe that a panel of hand-picked representatives representing overwhelmingly a certain commercial perspective is qualified or able to speak on behalf of the rest of us. The very people they name - "learners, educators, trainers, authors, schools, colleges, universities, publishers, unions, professional societies, policymakers, governments, foundations and others" - are mostly nowhere present in these deliberations."

He also suggests the document should be opened up to us latter folks (I guess I'm a learner, educator, author and other) and I would recommend all in the ed tech community read his critique but like Martin would sign up on the proviso, as he says, that we pay more attention to eating our own dog food.

PlayStations not to blame for UK reading difficulties

Martin Samuels at the Times thinks education secretary Ed Balls is wrong to blame the poor reading performance of UK children on computer games.

Whilst I agree to the extent that it is not down to gaming, the thought that teachers in classrooms of thirty plus kids, each with a variety of developmental and educational needs (er... 30+ or so) can cure the nation's reading problems, is a little naive, especially when those teachers and the schools they work in are so constrained by government targets.

Publican appeals over right to pick her football satellite

From the Times: Publican appeals over right to pick her football satellite

A publican in Southsea who decided to buy a satellite dish, decoder and card and then subscribe to Greek TV station, Nova, for £800 rather than BSkyB for £6000, is appealing a conviction for criminal copyright infringement. She's already lost one appeal.

Now we all know copyright based companies aspire to be different but this is an EU citizen buying a service from a business in another EU country, rather than buying the equivalent, significantly more costly service from the local EU branch of a multinational organisation. So it must at least raise some interesting legal questions.

I wonder if the excellent Jeremy Phillips and co. have any more informed views on the subject.

Everything is Miscellaneous - The Video

Michael Wesch of Kansas State University has summed up David Weinberger's book Everything is Miscellaneous in a brilliant 5 minute video. Weinberger basically says information is no longer confined to the shelf as it was pre-Web/Net and we shouldn't confine ourselves to thinking about or organising it in that way when we have such fantastic tools at our disposal now to do it better. Prior to the advent of the Web and associated technologies information was kept in a file or on a shelf and managing it involved managing categories. This required experts and was still hard to do. Now it's not confined to experts or categories and assumptions about paper based information don't apply to digital information, the latter for example not necessarily having a fixed material form i.e. it can be molded or adapted to context and we can "rethink information beyond material constraints". We have links and tags etc. We're going through an information {explosion} revolution and the responsibility to
  • harness
  • create
  • critique
  • organise
  • and understand
is ours (all of us); are we ready? It's essentially the up side of the Benkler worldview provided we choose to make the best of it.

Have a look at the video. It really is terrific and it will be 5 minutes 28 seconds well spent:

News sites want more control of search engines access

AP via Findlaw:

"The desire for greater control over how search engines index and display Web sites is driving an effort launched Thursday by leading news organizations and other publishers to revise a 13-year-old technology for restricting access.

Currently, Google Inc., Yahoo Inc. and other top search companies voluntarily respect a Web site's wishes as declared in a text file known as "robots.txt," which a search engine's indexing software, called a crawler, knows to look for on a site.

The formal rules allow a site to block indexing of individual Web pages, specific directories or the entire site, though some search engines have added their own commands.

The proposal, unveiled by a consortium of publishers at the global headquarters of The Associated Press, seeks to have those extra commands - and more - apply across the board. Sites, for instance, could try to limit how long search engines may retain copies in their indexes, or tell the crawler not to follow any of the links that appear within a Web page."

The proposed controls are known as Automated Content Access Protocol (ACAP). Google, Yahoo et al are never going to go along with this and sure enough -

"Google spokeswoman Jessica Powell said the company supports all efforts to bring Web sites and search engines together but needed to evaluate ACAP to ensure it can meet the needs of millions of Web sites - not just those of a single community." As Nicholas Carr and David Weinberger and others have said, the more 'free' content there is, the happier Google will be.

Thursday, November 29, 2007

Plan to Review ContactPoint Child Database preceded HMRC data loss

William Heath informs us that despite impressions to the contrary, the plan to review the children's database ContactPoint preceded the HMRC data loss debacle, rather than coming about as a reaction to it.

YouTube suspends account of Egyptian anti-torture activist

Via Citizen Media Project: YouTube Suspends Account of Prominent Egyptian Blogger and Anti-Torture Activist

"According to Reuters Africa, YouTube has recently suspended Abbas's account due to complaints about the content of his postings:
Wael Abbas said close to 100 images he had sent to YouTube were no longer accessible, including clips depicting purported police brutality, voting irregularities and anti-government demonstrations. YouTube, owned by search engine giant Google Inc., did not respond to a written request for comment. A message on Abbas's YouTube user page read: "This account is suspended."

"They closed it (the account) and they sent me an e-mail saying that it will be suspended because there were lots of complaints about the content, especially the content of torture," Abbas told Reuters in a telephone interview. Abbas, who won an international journalism award for his work this year, said that of the images he had posted to YouTube, 12 or 13 depicted violence in Egyptian police stations.

Elijah Zarwan, a human rights activist and blogger living in Egypt (and a personal friend), told Reuters that he found it unlikely that YouTube had come under official Egyptian pressure, and was more likely reacting to the graphic nature of the videos."

Privacy International to pursue data breach legal action against UK government

Privacy International, in response to an unprecedented number of complaints about the HMRC data loss, have decided to take legal action against the UK government.

The legal experts they have consulted so far say there is "most likely a case that can be asserted" but not all of them are optimistic about the potential outcome of such a case.

Wednesday, November 28, 2007

Harry Potter and the (Re)Order of the Artists: Are We Muggles or Goblins?

Thanks to Mike Madison for pointing out that Gary Pulsinelli has written the article probably quite a few IP scholars have been thinking of writing a version of, ever since the last Harry Potter book was published. Abstract:
In Harry Potter and the Deathly Hallows, author J.K. Rowling attributes to goblins a very interesting view of ownership rights in artistic works. According to Rowling, goblins believe that the maker of an artistic object maintains an ongoing ownership interest in that object even after it is sold, and is entitled to get it back when the purchaser dies. While this view may strike some as rather odd when it is applied to tangible property in the “muggle” world, it actually has some very interesting parallels to the legal treatment of intangible property, particularly in the areas of intellectual property and moral rights. Because of the way these parallels have been developing and growing, we seem to be becoming more goblinish in our willingness to recognize ongoing rights in artistic objects, including allowing the artist to collect a commission on subsequent resale of the work. Practical and social considerations suggest that we are unlikely to go as far as recognizing a permanent personal right in the creator that lets him or her reclaim such an object after a sale or other transfer is made. However, we are moving closer to recognizing some forms of the collective right that the goblins actually seem to demand, a cultural moral right in important cultural objects that enables the descendants of that culture as a group to demand the return of the object. Thus, we muggles may not be as far from the goblins as we may have at first believed.

Must make a point of reading it properly.

Grimmelmann's Library of Babel

Now that we're on the subject of Google I should recommend James Grimmelmann's excellent essay Information Policy for the Library of Babel to be published in the forthcoming edition of the Maryland Journal of Business and Technology Law.
"Borges’s 1941 short story The Library of Babel describes an unbelievably large library containing all possible books. Within the “total” and “endless” reaches of the Library, “[t]here [is] no personal problem, no world problem, whose eloquent solution [does] not exist—somewhere …” but also “[f]or every rational line or forthright statement there are leagues of senseless cacophony, verbal nonsense, and incoherency.” As Borges describes it, the Library is the greatest imaginable source of information: it contains “The Vindications—books of apologiae and prophecies that would vindicate for all time the actions of every person in the universe and that held wondrous arcana for men’s futures.”

But the Library’s vastness and disorganization also make it almost completely useless: “[T]he chance of a man’s finding his own Vindication … can be calculated to be zero.” The image of the Library is haunting and suggestive. What would we do if we took it at face value? In this bagatelle of an essay, I propose to do just that: set out a few principles of sensible information policy for the Library of Babel."

[James Grimmelmann. 2007. "Information Policy for the Library of Babel" Maryland Journal of Business and Technology Law
Available at:]

The Google Complement - Free Content

Nicholas Carr might suggest that Google is on Martin's side in the future of content debate. Essentially he says Google wants content to be free because this complements its core business thereby making that business stronger.
Because the sales of complementary products rise in tandem, a company has a strong strategic interest in reducing the cost and expanding the availability of the complements to its core product. It’s not too much of an exaggeration to say that a company would like all complements to be given away. If hot dogs became freebies, mustard sales would skyrocket. It’s this natural drive to reduce the cost of complements that, more than anything else, explains Google’s strategy. Nearly everything the company does, including building big data centers, buying optical fiber, promoting free Wi-Fi access, fighting copyright restrictions, supporting open source software, and giving away Web services and data, is aimed at reducing the cost and expanding the scope of Internet use. To borrow a well-worn phrase, Google wants information to be free - and that is why Google strikes fear into so many different kinds of companies.

That actually also goes to the heart of why I (the poor man's Lessig remember) am no longer as pessimistic as I used to be about future limited access to content through tollbooths concentrated in few hands, even though drm is not going away. Large commercial entities are lined up on both sides of the divide and Google is likely to have more weight than all the most rational, evidence-based arguments academics, other experts and activists can muster. As Lessig says of his next ten year project, tackling corruption in US politics, it's all about the money.

The value of play

The Old Bridge Public library in New Jersey held a Wii tournament for senior citizens a few weeks ago, as part of a project to help pensioners become more technically literate. The library assistant director, Allan Kleiman, explained that it was a lot less intimidating and significantly more sociable to learn to use the Wii than to learn to use a computer. He's got a point. The social side of gaming is often overlooked by critics and it's pretty difficult for anyone to have an informed discussion about the educational and social potential of gaming without having direct experience of using computer games in a variety of contexts.

Making the technology available also draws the younger folks into the library and ironically seems in turn to lead to more books getting loaned out, in contrast to the widely touted notion that computer games take kids away, to the detriment of their development, from the much more cerebral, engaging, but humble book.

It gets back to the Charles Nesson/Yochai Benkler assertion that we will become intelligent and creative 'readers'/users of new technology through being intelligent creators/users of and through new technology i.e. the try it out and see what works model of life. Keep playing and tinkering and find out for yourself rather than waiting for others to dictate to you.

RIAA ordered to detail expenses per song lost in P2P case

In UMG v Lindor, yet another RIAA v individual case the judge has ordered the RIAA to disclose the actual expenses incurred for each of the songs at issue in the case.

The defendant is arguing that the statutory damages of between $750 and $150,000 per song is excessive and they need to have an idea of the real cost to the record companies before damages can be assessed. That seems like a reasonable request.

The RIAA say they can't provide those figures without going to enormous expense. The temptation here is to emit a hollow laugh but actually we could look at this as the record labels finally admitting that no one knows or can possibly know the real extent of the impact of P2P file sharing, infringing and non infringing, on their market, despite the perennial estimates that it amounts to billions of dollars.

U.S. withdraws subpoena seeking identity of 24,000 Amazon customers

Via U.S. withdraws subpoena seeking identity of 24,000 Amazon customers

Super Mario comes out fighting for patent

Earlier this year the UK Patent Office refused to award patent protection to a software technique Nintendo use in the Super Mario Kart game to get crashed cars quickly back on the track. Now another similar decision on software patents has been appealed to the High Court, according to IPKat, who says:

"The appellants allege that the UK-IPO’s practice undermines the ability of British industry to protect inventions reliant upon the development of new software. Each applicant has developed novel software, the control and distribution of which they say is critical to the success of their business. Nicholas Fox of Beresford & Co. said in the lead-up to the appeal,

Copyright protection only protects code against copying. In contrast, patent protection enables a company to monopolise an invention even if competitors independently come up with the same idea. In order to protect their commercial interests companies need patent claims directed towards the products and processes that are sold in the market place. In the case of computer based inventions this means that claims to disks and downloads embodying an invention are required.

In Court, the appellants argued that software on a disk represented a "dormant technical effect in waiting", analogous to a medical pill that just sat there doing nothing until the patient took it. Using the same principle, the software would produce a technical effect when run on the computer. [IPKat comment: this seems a new argument, and an interesting approach, but arguing by analogy is rarely helpful; after all, medicines themselves are not excluded under section 1(2)]

They argued that, following the landmark IBM decision T 1173/97 at the EPO, a computer program product is not excluded from patentability under Article 52(2) and (3) EPC if, when it is run on a computer, it produces a "further technical effect" which goes beyond the normal physical interactions between program and computer, i.e. between software and hardware. The EPO approach has been broadly consistent in its decisions since then."

Thanks to David Gerard via ORG for the link.

The Future of Reading

In the spirit of the debate Martin Weller and I, Will Woods and Patrick McAndrew had several weeks ago, on the future of content, Steven Levy has a terrific article in Newsweek this week on the future of the book, featuring Amazon's new ebook reader, the Kindle.

Tuesday, November 27, 2007

The Biometrics Cure

Ben Goldacre has a nice article on the government's cure-all-security-ills answer - biometrics - to last week's HMRC-NAO data loss.

Essentially ministers who think biometrics will make data misuse impossible are misinformed at best or lying at the other end of the spectrum.

As Ben points out, the thing about biometrics is that they may be unique (though they won't be for long when forged) but they are not secret. We leave fingerprints and bits of dna in the forms of loose hairs or bits of skin lying around all over the place, so our biometrics are most definitely not secret. And biometric technologies are not particularly good, in spite of government ministers' apparent belief to the contrary. So the notion that the HMRC-NAO data leak would not have been a problem if we'd been using biometrics or that we are going to tackle data security through biometrics is naive and stupid.

If you'd like some succinct but serious and robust outlines of why this is so check out Ross Anderson's book, (chapter 13 current edition, chapter 15 new edition due in the new year), this Jerry Fishenden essay, and the brilliant letter below (which I hope Ian, Ross and co don't mind me reproducing in full) to the UK Parliament's Joint Committee on Human Rights.
Mr Andrew Dismore MP
Chair, Joint Committee on Human Rights
Committee Office
House of Commons
7 Millbank
London SW1P 3JA

cc: Committee members; David Smith, Deputy Information Commissioner

26 November 2007

Dear Mr Dismore,

The government, in response to the recent HMRC Child Benefit data breach, has asserted that personal information on the proposed National Identity Register (NIR) will be 'biometrically secured':

"The key thing about identity cards is, of course, that information is protected by personal biometric information. The problem at present is that, because we do not have that protection, information is much more vulnerable than it should be." - The Chancellor, Hansard Column 1106, 20/11/07

"What we must ensure is that identity fraud is avoided, and the way to avoid identity fraud is to say that for passport information we will have the biometric support that is necessary, so that people can feel confident that their identity is protected." - The Prime Minister, Hansard Column 1181, 21/11/07

These assertions are based on a fairy-tale view of the capabilities of the technology, and in addition, only deal with one aspect of the problems that this type of data breach causes.

Ministers assert that people's information will be 'protected' because it will be much harder for someone to pass themselves off as another individual if a biometric check is made. This presupposes that:

(a) the entire population can be successfully biometrically enrolled onto the National Identity Register, and successfully matched on every occasion thereafter - which is highly unlikely, given the performance of biometrics across mass populations generally and especially their poor performance in the only, relatively small-scale, trial to date (UKPS enrolment trial, 2004). Groups found to have particular problems with biometric checks include the elderly, the disabled and some ethnic groups such as Asian women;

(b) biometrics are 'unforgeable' - which is demonstrably untrue. Biometric systems have been compromised by 'spoofing' and other means on numerous occasions and, as the technology develops, techniques for subverting the systems evolve too;

(c) every ID check will be authenticated by a live biometric check against the biometric stored on the NIR or at the very least against the biometric stored on the chip on the ID card which is itself verified against the NIR. [N.B. This would represent a huge leap in the cost of the scheme which at present proposes only to check biometrics for 'high value' transactions. The network of secure biometric readers alone (each far more complex and expensive than, e.g. a Chip & PIN card reader) would add billions to the cost of rollout and maintenance.]

Even if, in this fairy-tale land, it came to pass that (a), (b) and (c) were true after all (which we consider most unlikely), the proposed roll-out of the National Identity Scheme would mean that this level of 'protection' would not - on the Home Office's own highly optimistic projections - be extended to the entire population before the end of the next decade (i.e. 2020) at the earliest.

Furthermore, biometric checks at the time of usage do not of themselves make any difference whatsoever to the possibility of the type of disaster that has just occurred at HMRC. This type of data leakage, which occurs regularly across Government, will continue to occur until there is a radical change in the culture both of system designers and system users. The safety, security and privacy of personal data has to become the primary requirement in the design, implementation, operation and auditing of systems of this kind.

The inclusion of biometric data in one's NIR record would make such a record even more valuable to fraudsters and thieves as it would - if leaked or stolen - provide the 'key' to all uses of that individual's biometrics (e.g. accessing personal or business information on a laptop, biometric access to bank accounts, etc.) for the rest of his or her life. Once lost, it would be impossible to issue a person with new fingerprints. One cannot change one's fingers as one can a bank account.

However, this concentration on citizens 'verifying' their identity when making transactions is only one issue amongst many when considering the leakage of personal data. Large-scale losses of personal data can have consequences well beyond an increase in identity fraud. For example, they could be potentially fatal to individuals such as the directors of Huntingdon Life Sciences, victims of domestic violence or former Northern Ireland ministers.

It is therefore our strongest recommendation that further development of a National Identity Register or National Identity Scheme (including biometric visas and ePassports) should be suspended until such time that research and development work has established beyond reasonable doubt that these are capable of operating securely, effectively and economically on the scale envisaged.

Government systems have so far paid little attention to privacy. Last week's events have very significant implications indeed for future government information systems development.

We would be pleased to clarify any of these points or provide further information if useful to the Committee.

Yours sincerely,

Professor Ross Anderson
Dr Richard Clayton
University of Cambridge Computer Laboratory

Dr Ian Brown
Oxford Internet Institute, University of Oxford

Dr Brian Gladman
Ministry of Defence and NATO (retired)

Professor Angela Sasse
University College London Department of Computer Science

Martyn Thomas CBE FREng

Child database plan under attack

From the Independent: Child database plan under attack following missing discs debacle

It seems the schools secretary Ed Balls has ordered a review of the Children Act database(s) in the wake of the HMRC-NAO data loss debacle. Good news on the surface, but it has little or no prospect of having any effect other than window dressing, in a transparent attempt to be seen to be doing something. If he was really serious he'd start by getting Terri Dowty, Ross Anderson, Ian Brown and the other folks who produced the report for the Information Commissioner last year, highlighting the risks to children’s safety of the government’s policy of creating large, centralised databases on children, in a room and listening seriously to them and acting on their advice, rather than treating them as outcasts with agendas to be ignored.

Sunday, November 25, 2007

An analysis of the latest Harry Potter case

C.E. Petit believes that the latest Harry Potter case against the Harry Potter Lexicon folks has more to do with Warner Bros than J.K. Rowling. Couldn't agree more.

BSA make money from threatening small businesses

The BSA are reportedly making a lot of money out of threatening small businesses with expensive court proceedings.

"An analysis by The Associated Press reveals that targeting small businesses is a lucrative strategy for the Business Software Alliance, the main global copyright-enforcement watchdog for such companies as Microsoft Corp., Adobe Systems Inc. and Symantec Corp.

Of the $13 million that the BSA reaped in software violation settlements with North American companies last year, almost 90 percent came from small businesses, the AP found."

ICO launch young people privacy awareness site

The Information Commissioner's Office has launched a web site to encourage young people to take privacy seriously on social networking sites.