Managing Compliance Software

I have just published on my linkedin blog a little essay on managing software used for the purpose of compliance. One key insight worth considering is that these programs are being used because you have to, not because you want to. Also, society does not want businesses innovating the compliance software; we need to know it does what society requires, not what the business wants. This makes the governing super strategy for these applications one of “operational efficiency”, or in Dan Remenyi’s model, a “support” system. For compliance systems it is advantageous to buy or adopt a package and to adopt the package’s optimum process; society has confidence that companies are complying with the law, and the companies share the maintenance costs and get a superior product and support. In some cases, the requirement that society has confidence that compliance is correct leads to the regulators giving companies the software or running it themselves.  …

Big Brother. No, not the TV show

The police are building a new super database combining records with “intelligence”. Liberty have withdrawn from the government consultation as they rightly feel that it’s a breach of our privacy rights, and even the government admit that much/some of the data has no lawful purpose. (I see an ECHR case coming on.)

I have three comments to add.

The Guardian article states that the database will be held on a private cloud provider’s systems; if US owned, then the databases will be subject to US FISA warrants, so the “encrypted at rest” security solution had better be pretty good as the best in the world may be looking for it.

Secondly, government data leaks! The legal precedents in this country show that while the Government may build systems for one purpose, the courts may force disclosure to them in the resolution of private/civil disputes. The first Norwich Pharmacal warrant was issued against the HMRC as the plaintiff showed that the defendant’s tax records were relevant to the court. It seems that there is a public interest defence against these now, and ensuring the Government’s ability to keep its secrets would seem to be in the public interest, but we’ll see.

Thirdly, the intelligence databases as noted probably fail the need for a lawful purpose, and fail to deliver most of the privacy rights legislated for by the GDPR, most obviously the need to ensure that personal data is accurate.

I am glad I am still a member of Liberty, and I’ll help them. …

Tory Conference Data Breach

Over the weekend, it seems to have been established that the Tory Party’s conference app suffers a major security flaw and that personal details of its users are available to all. While the BBC seem concerned that the ex-Foreign Secretary’s details are available, it’s of equal concern that all the journalists are also exposed. The maximum fine for any breach is €20m.

A further problem is that under the new laws, people who suffer a breach of rights no longer have to prove harm. This would seem to be a breach of rights and so will be treated at the serious end of the spectrum and there’s a low burden of proof.

Additionally, this app should have had a data privacy impact analysis and, if deemed a high risk, permission needs to be sought from the ICO to deploy it.

The cyber-security controls should have been defined before, and tested before and after, the DPIA.

The Tories have 72 hours to notify the ICO of the breach and will need to consider remediation for each and every user impacted.

I am sure the ICO would not want the Tories to be their first case as they would like to have established a precedent based tariff; they wouldn’t want the governing party to be the precedent; expectations are that the ICO will be one of the more forgiving of the European data protection supervisory authorities. …

A failure to serve fans

The European Parliament sent the Copyright Directive to the trilogue process, where the views of the Commission, the Council and the Parliament are negotiated; the final words agreed by the Parliament are basically the words lobbied for by the large corporate press and content companies, aided at the last gasp by the sports industry. To understand why this is shit we need to go back to basics.

Invention & Improvement

The purpose of copyright and patent laws is to encourage innovation; this has two sources, invention and improvement. Invention is clear, although the intellectual property laws will transfer the ownership to a 2nd party, usually a large corporate. Improvement is the whole arena of derived works. Derived works are as an important source of innovation as original invention and the settled intellectual property laws must encourage both. It would seem for legislators and their citizens that there is a trade-off with wealthy corporates spending large amounts of money to get the laws they want. I think we wish that they listened to their voters more.

There is a supply chain for digital content, from authors/creators to distributors, to makers and consumers. We should also consider those citizens that do not give a shit as making a fifth role. The makers, I take from Jessica Litman’s paper “Real Copyright Reform”, are all those who invent and trade in items that enhance the content market, from trumpet makers to computer and device manufacturers. Our laws need to encourage the makers as well, and we observe that today’s music and film industries would not exist without them. Litman argued in her paper, and I precis in my review, that

The current settlement is disproportionately in the favour of one player, i.e. the distributor … The bulk of economic value accrues to the distributors, because once upon a time, that’s where the bulk of the cost was; it required capital investment and risk taking. Capital could only be acquired by Joint Stock Companies. Times have changed and as I have argued we need a new fair settlement that in Ms Litman’s words “produces an ecology”, …

It’s not good for innovation and the supply of entertainment content that laws favour only or mainly the distributors or the inventors; society needs those that improve and those that invent orthogonally. Our laws, backed by international treaty (not the EU this time), do not serve us well.

The right price

Digital content is non-rival and non-excludable, or at least hard to exclude. This means that one person’s use does not deny anyone else, and that unlike, say, a concert or film showing where the distributor charges at the door, the use of digital content is much harder to control, i.e. harder to exclude; it cannot be done without legal sanction. The non-rival aspect means that there is no economic reason to charge for the item’s use because we have no need to ration its use. The non-excludable nature of the product means that we have to spend time and money making it monetisable, i.e. forcing exclusion, and this is sub-optimal: there is no benefit to society in building exclusion techniques. The right price for non-scarce products is free, as shown by Spotify’s royalty payments.

What is welfare economics?

In a modern, and not so modern, capitalist society, we only use the price mechanism to ration scarce resources, and digital content is not scarce. It brings us back to Simon Indelicate’s question: why should creators get more than a market rate, which in terms of a music track or an image is now virtually zero? I add the question: if you’re a musician or a photographer and not earning enough, ask your distributors why this is.

Fair Use

The implementation of a link tax, the strengthening of sports events copyright and the de-facto mandating of upload filters are all measures that favour the so-called creators at the expense of others, inc. fans. It is based on the premise that all derived works must licence the original content. While much of the agreed copyright law and its proponents might be seen to be based on this view, this position is moderated in law by the concept of fair use, which is recognised by the international intellectual property treaties. In numerous jurisdictions, it is also diminished by anti-monopoly law, in particular for sports events of national importance. (In the UK, access to the FA Cup, Wimbledon and the domestic legs of the Nations Cup are guaranteed free-to-air access.) In these limited cases, the law favours fans.

Fair use permits the use of protected content provided the purpose, the nature of the protected work, the amount of the product reused, and the market impact of the new product permits. While the US was amongst the first to increase the period of copyright protection (from 28 years to author’s life + 75 years), they have one of the strongest fair use laws. It is in defence of fair use that the opponents in the European Parliament stressed the idea that the new law would lead to the prohibition on memes (or image based messages). Fair use laws in the EU are weak and authors have little access to the dispute resolution mechanisms. The lack of rights by citizens is one of the reasons why the laws should not be strengthened.

Hyperlinks

The link tax is an attempt by multi-national press organisations to tax the news aggregators such as google & yahoo. It has been tried in Germany and Spain; it raises no revenue for the press organisations and increases the barriers to entry for both news aggregators and the press. It penalises the smaller players. The bigger organisations just stop carrying taxable content. It also jeopardises years of legal precedent that linking to content is always legal.

Free Speech

Human rights law now states that the right of free expression contains a right to receive information. News cannot be protected by intellectual property law, only the text of any articles, and now, it would seem, even the headlines. The desire for profit means that the press seek to deny access to their content. We have the right to comment and read and consume. The wording around what can be copied into a 3rd party site is unclear, and I assume that the hyperlink remains non-copyrightable. (This may make citations harder, although fortunately Wikipedia has been granted exceptions.) One further disgraceful use of copyright law is in academic publishing, where science and knowledge, often funded by the public, becomes enclosed behind a copyright-protected paywall. (NB patents, which would protect the ideas in white papers, last for 20 years; copyright lasts for the author’s life + 75 years.) Parody is an especially important protected form of free speech, no longer in the EU.

Automation/privatisation of justice

Another aspect of the upload filters is that programs cannot and should not be allowed to take judicial decisions. Much of this software is owned by corporations and we cannot cross examine it in court; it does what the authors want not what the public wants. Courts must remain human and we are judged on fact by a jury of our peers.

Alternate business models

The arrogance of the content providers is that they assume, and demand, that laws are written to support their business model of author/publisher. Yochai Benkler in his book, The Wealth of Networks, identifies eight additional models, many of which would require or benefit from other laws. The content owners look to make various open source and creative commons licences weaker. Their laws of exclusivity and the longevity of the protection inhibit the creation of derived works.

Derived works and shared value

In my articles on Bioware & NWN2 & Abba, I show how derived works create demand for the original author’s works. It is to the benefit of all, including authors, that we have stronger protection for derived works. Back to basics: intellectual property laws must encourage improvement as well as invention. On the whole they don’t.

We should note that programs are designed with application programming interfaces so that others can use these programs, and today programs are often issued for free partly so that others will share the burden of improving the product. There is virtually no program today that doesn’t need another; this needs to be made easier, not harder.

Musician’s trickle down

The attempt to take exclusive monetisation rights by the three monopolists who provide the bulk of the world’s music and film content has created the opportunity for trickle-down income, created not on the basis of the work undertaken but on the investment in legal barriers to entry, which are often used to create an artificial scarcity: if you can’t find what you once had, then they hope you’ll buy something new.

These laws have been written by corporations in their own interests, and they only support their interests, not those of creators, not those of fans, not those of ‘makers’ and not those who build the silicon age’s industrial capital. It’s time to move on and the 19 Labour MEPs who did so, should not be supporting laws of this nature.

ooOOOoo

I apologise, this is a rant, and too long, I might come back and make something shorter, but I don’t normally. …

Surveillance, ignorance and a chilling effect

The Guardian, not exactly disinterested, publishes a leader on regulating Apple and its competitors. I would argue Apple is the example of the 5th Industrial Revolution monopoly; we need to learn how to regulate it and its competitors, and it is a problem for the US also. The authors completely miss the fact that there are new forms of oppression, that of surveillance, caused by the datenkraken.

We need new forms of protest and defence even though we’ve known about it forever. It’s for this reason that we established the rights of privacy and free speech as part of the universal declaration of rights.

This quote is important, it establishes commonalities with their predecessors,

All [ the datenkraken] use remarkably few workers to generate their enormous profits. All operate an internal class system, which concentrates power in very few hands. None have any unions worth speaking of. All rely on the unglamorous work being done far from California, usually by subcontractors. All shuffle their profits around the world in an endless game of “Find the lady” with national tax authorities – a factor that should not be overlooked when it comes to asking why they are so immensely profitable. If this is the model of the company of the future, it will have consequences we have not yet learned how to manage.

They finish with,

The downside of the oil-based economy is now obvious all around us. The symptoms of apparently uncontrollable climate change have become undeniable. Cities are choked with polluting traffic while the seas are choked with plastics made from oil. Whole countries have been devastated by oil riches. The digital revolution seems, so far, much more benign. But the loss of trust that social media both causes and exploits may one day be seen as another form of unforgivable pollution.

I think this is weak, the threat is surveillance, ignorance and a chilling effect. …

Thoughts on DaaS

I am still struggling to make a remote DaaS for my tablet. I have built an amazon image based on Server 2012, which is getting a bit long in the tooth and Skype fails to boot on it; maybe I should ensure I have implemented an Amazon “Desktop” experience, but I am not happy with the price. I wondered if Azure might be cheaper, although on first look it would seem not. I need to be more sure, and having a remote DaaS would be cool for the tablet, as bit by bit, services will deprecate the version-frozen browser. I suppose that bit by bit RDP will also fail, but let’s see. (Microsoft’s desertion of ARM may be its last act of monopoly actions and is a lesson to both consumers and OEMs of the problems in not owning your own operating system, a subject I used to write a lot about.) …

Eternal vigilance

I have been pointed at China’s Social Credit Scoring plans via two routes. The first is this extract published at Wired from Rachel Botsman’s book, “Who can we trust”. This details the Chinese Government’s plan to build a social credit scoring scheme, but the sources and incentives are horrendously comprehensive, including their leading match-making agency. (It’s taken me some time to read this article, and I have bookmarked and annotated it in my diigo feed.) Worrying things about the Chinese scheme are that voluntary participation becomes mandatory; while rewards and incentives are at the forefront of everyone’s mind today, control and punishment is planned. In the Chinese case, in the short term they are talking about foreign and domestic travel restrictions, but as I note, the country’s leading dating agency is one of the surveillance agencies. There is also talk of social investment loans (helicopter money) which become available on the basis of social scores.

The second route was an article on Medium by someone who got banned from AirBnB. He pointed at an article on Buzzfeed, “A Chinese-Style Digital Dystopia Isn’t As Far Away As We Think” where a series of regulatory decisions in the USA seem to be paving the way to something similar, a powerful illustration that the argument that surveillance is OK if it’s private sector is horrendously false.

One worrying aspect of the proposed Chinese system is that your reputation is as good as that of your friends, and we have idiots trying to replicate it with Peeple; reading up on that has started me worrying about Linkedin and its competitors, and we all know we should get off Facebook.

The Wired article came before machine learning and massive-scale AI became a hot topic, but it’ll be interesting to see what happens to social credit scores when they let rip with the application of machine learning. The automated derivation of reputation scores also raises issues of safeguarding, libel and context. Safeguarding and libel laws require the machines to tell the truth; in fact safeguarding may require machines to hide the truth. Context requires a level of nuance that we are unsure if machines will ever have, but even if they get there, justice and judges must remain human and the code must be open; China’s & Facebook’s is not! The GDPR gives data subjects rights; perhaps it’s time to revisit the seven principles.

Of course in the UK, we have our very own examples of machines and data sharing getting it wrong. Sajid Javid, the Home Secretary, has suspended the intra-government and some of the other immigration data sharing as a result of the backlash on the Windrush scandal. (I wonder if this is an excuse to look again at the DPA Immigration Exemption clauses.) Much of what is happening in China and the USA is also happening in the UK; it’s just that the surveillance agents are the US-owned datenkraken and the British State have legalised the hacking of their data streams.

What’s happening in China is terrible, but our governments are following suit! The price of freedom is eternal vigilance. …

Modelling power

I have finally posted my long planned piece, on the way Bioware adopted a permissive licence for their AD&D games at the turn of the century. In doing so they enabled a fan community to create content which increased the value of the game to all its customers and also the demand in volume for the game binaries, and the period over which it was used.

I had planned a Part II, having come across Ludovico Prattico’s academic paper, Governance of Open Source Software Foundations: Who Holds the Power?, in whose abstract he states,

The research reported in this article attempts to discover who holds the power in open source software foundations through the analysis of governance documents. Artificial neural network analysis is used to analyse the content of the bylaws of six open source foundations (Apache, Eclipse, GNOME, Plone, Python, and SPI) for the purpose of identifying power structures.

I was interested in whether his techniques could be applied to the Bioware licence and what one might learn by comparing the output with Prattico’s findings. He had looked at six open source licences, so it would be interesting to see how the formal outputs compared. Prattico used additional documents beyond the licence and used the tool Catpac II, which sadly is not free. (I wonder if Carat II will do instead; I hope not, because I was/am looking for something better than a bag of words.)

I also wondered if it could be used for analysing and describing other power relationships, such as national constitutions, or the Labour Party’s rules. The latter would be needed in text form, which is not easy to find. …

On Adequacy after Brexit

I attended the Home Affairs Committee on Europol and the European Arrest Warrant yesterday. Don’t say I don’t know how to have a good time. One of the members suggested that since we have passed a new Data Protection Law, we will be compliant from Day 1, or Day 0 as we engineers call it. I think not, and here’s why. In short, the Government say they’ve implemented the GDPR into British Law, but once we’re a third country, it’s the Commission that has the last word, and they have questions we need to answer. …

Firstly, I don’t think the Commission would act that quickly and they’d need to issue an adequacy decision and there are four questions of substance that the Commission would need to consider.

  1. The European Data Protection Supervisory Board’s predecessor, the Article 29 Working Party, and the Commission had outstanding issues with the UK’s implementation of the 95 Directive, to the extent that it seems the Commission had started infraction proceedings. (I find it very hard to get explicit data on this, and much of what is available reads like conspiracy theories, but the most vocal campaigner published his views in the Register, here. The author argues that the infraction process proposes to carry forward to the 2018 DPA.) The author checkpointed his findings in a 2011 blog article called “European Commission explains why UK’s Data Protection Act is deficient”; he also points to an Out-law article, “Europe claims UK botched one third of Data Protection Directive”, 17 Sep 2007.
  2. The House of Lords Committee on Data Protection found that as a 3rd Country we may be required to meet a higher standard than as a member state. (This is because we will lose the powers granted to member states under Article 23 Restrictions of the GDPR. These powers relate to the exemption of national security organisations and the courts (and others) from some aspects of the GDPR). This is why there is concern with the Investigatory Powers Act, already declared deficient by the UK Courts and the DPA immigration service exception will jeopardise any attempt to obtain an adequacy finding. i.e. a member state might be able to have these laws but a 3rd country may not.
  3. The loss of member state status and privilege means that our intelligence sharing arrangements with the US, a country which still has the death penalty, and operates under a different military legal doctrine may be deemed to be a critical problem in granting adequacy. (We should note that Tom Watson MP, obtained a barrister’s opinion on the legality of sharing intelligence and wrote to the Prime Minister at the time on the legality of this activity; it was taken up by Rights Watch who are pursuing this through the courts.)
  4. Depending on the withdrawal agreement, and it seems that no-one is thinking about this, we may cease to be covered by the US Privacy Shield agreement, and thus will be prohibited from transferring EU citizens’ personal data to the USA, and they to us. (Actually, prohibited is a bit strong: participants in cross-border data transfer would need to be covered by model clauses or binding corporate rules, and both of these are under judicial review (Schrems II) and create a barrier to entry because of cost to SMEs.)

It should be noted that the ECJ has required the US Safe Harbour agreement to be re-negotiated; its successor allows US corporate self-assessment, but also requires EU citizen access to the US court system. The important thing here is that the Commission consider protections of EU citizens’ personal data, and the establishment of rights against the State’s intelligence, security and police services, to be part of an adequacy finding, and since the EU is not frightened of a row with the US, it won’t be with us. …