Eternal vigilance

I have been pointed at China’s Social Credit Scoring plans via two routes. The first is this extract published at Wired from Rachel Botsman’s book, “Who can we trust”. This details the Chinese Government’s plan to build a social credit scoring scheme, but the sources and incentives are horrendously comprehensive, including their leading match making agency. (It’s taken me some time to read this article, and I have bookmarked and annotated it in my diigo feed.) Worrying things about the Chinese scheme are that voluntary participation becomes mandatory and that, while rewards and incentives are at the forefront of everyone’s mind today, control and punishment is planned; in the Chinese case in the short term they are talking about foreign and domestic travel restrictions, but as I note, the country’s leading dating agency is one of the surveillance agencies. There is also talk of social investment loans (helicopter money) which become available on the basis of social scores.

The second route was an article on Medium by someone who got banned from AirBnB. He pointed at an article on Buzzfeed, “A Chinese-Style Digital Dystopia Isn’t As Far Away As We Think” where a series of regulatory decisions in the USA seem to be paving the way to something similar, a powerful illustration that the argument that surveillance is OK if it’s private sector is horrendously false.

One worrying aspect of the proposed Chinese system is that your reputation is only as good as that of your friends, and we have idiots trying to replicate it with peeple; reading up on that has started me worrying about Linkedin and its competitors, and we all know we should get off facebook.

The Wired article came before machine learning and massive scale AI became a hot topic, but it’ll be interesting to see what happens to social credit scores when they let rip with the application of machine learning. The automated derivation of reputation scores also raises issues of safeguarding, libel and context. Safeguarding and libel laws require the machines to tell the truth; in fact safeguarding may require machines to hide the truth. Context requires a level of nuance that we are unsure if machines will ever have, but even if they get there, justice and judges must remain human and the code must be open; China’s & Facebook’s is not! The GDPR gives data subjects rights; perhaps it’s time to revisit the seven principles.

Of course in the UK, we have our very own examples of machines and data sharing getting it wrong. Sajid Javid, the Home Secretary, has suspended the intra-government and some of the other immigration data sharing as a result of the backlash on the Windrush scandal. (I wonder if this is an excuse to look again at the DPA Immigration Exemption clauses.) Much of what is happening in China and the USA is also happening in the UK; it’s just that the surveillance agents are the US owned datenkraken and the British State have legalised the hacking of their data streams.

What’s happening in China is terrible, but our governments are following suit! The price of freedom is eternal vigilance. …

On Adequacy after Brexit

I attended the Home Affairs Committee on Europol and the European Arrest Warrant yesterday. Don’t say I don’t know how to have a good time. One of the members suggested that since we have passed a new Data Protection Law, we will be compliant from Day 1, or Day 0 as we engineers call it. I think not, and here’s why. In short, the Government say they’ve implemented the GDPR into British Law, but once we’re a third country, it’s the Commission that has the last word, and they have questions we need to answer. …

Firstly, I don’t think the Commission would act that quickly; they’d need to issue an adequacy decision, and there are four questions of substance that the Commission would need to consider.

  1. The European Data Protection Supervisory Board’s predecessor, the Article 29 Working Party, and the Commission had outstanding issues with the UK’s implementation of the 95 Directive, to the extent that it seems the Commission had started infraction proceedings. (I find it very hard to get explicit data on this, and much of what is available reads like conspiracy theories, but the most vocal campaigner published his views in the Register, here. The author argues that the infraction process proposes to carry forward to the 2018 DPA.) The author checkpointed his findings in a 2011 blog article, called “European Commission explains why UK’s Data Protection Act is deficient”; he also points to an Out-law Article, “Europe claims UK botched one third of Data Protection Directive”, 17 Sep 2007.
  2. The House of Lords Committee on Data Protection found that as a 3rd Country we may be required to meet a higher standard than as a member state. (This is because we will lose the powers granted to member states under Article 23 Restrictions of the GDPR. These powers relate to the exemption of national security organisations and the courts (and others) from some aspects of the GDPR.) This is why there is concern that the Investigatory Powers Act, already declared deficient by the UK Courts, and the DPA immigration service exception will jeopardise any attempt to obtain an adequacy finding, i.e. a member state might be able to have these laws but a 3rd country may not.
  3. The loss of member state status and privilege means that our intelligence sharing arrangements with the US, a country which still has the death penalty and operates under a different military legal doctrine, may be deemed to be a critical problem in granting adequacy. (We should note that Tom Watson MP obtained a barrister’s opinion on the legality of sharing intelligence and wrote to the Prime Minister at the time on the legality of this activity; it was taken up by Rights Watch, who are pursuing this through the courts.)
  4. Depending on the withdrawal agreement, and it seems that no-one is thinking about this, we may cease to be covered by the US Privacy Shield agreement, and thus will be prohibited from transferring EU citizens’ personal data to the USA, and they to us. (Actually, prohibited is a bit strong: participants in cross border data transfer would need to be covered by model clauses or binding corporate rules, and both of these are under judicial review (Schrems II) and create a barrier to entry because of cost to SMEs.)

It should be noted that the ECJ has required the US Safe Harbour agreement to be re-negotiated; its successor allows US corporate self assessment, but also requires EU citizen access to the US Court system. The important thing here is that the Commission consider protections of EU citizens’ personal data, and the establishment of rights against the State’s intelligence, security and police services, to be part of an adequacy finding, and since the EU is not frightened of a row with the US, it won’t be with us. …

Big Copyright strikes again

This time in the European Parliament. They want upload filters and to tax ISSP’s reuse, but you can do something about it.

Last week a committee of MEPs voted 15 – 10, reported here by one of its members, Julia Reda, the sole Pirate Party MEP, in favour of the EU Copyright Directive’s disastrous Article 13. This misguided measure will introduce upload filters that would change the way that much of the Internet works, from free and creative sharing, to one where anything can be removed without warning, by computers. They also voted in favour of Article 11, which Europeanises a German & Spanish law and places a monetary liability on internet software service providers who use snippets of news articles originally published by for-profit publishers.

This article explains why the measures are wrong, and points to the campaign sites. It was amended on the 5th July after the vote to report the result, which was that the Parliament voted to re-open the discussion in plenary.

Here are the votes, interesting splits. …

Passwords

I was pointed at this article in the Washington Post on password security. It’s quite long and so I summarise:

  1. Length is better than complexity (More than 12 bytes)
  2. Simple transformations are no help (Don’t use 1st letter Caps and last character as 1 or !, mutt5nut5 is considered very easy.)
  3. Don’t reuse passwords for accounts that you care about! (A corollary is to delete the accounts on services you no longer use.)
  4. Write the passwords down in a secure place if you have too many, or use a password manager. (They are in favour, I am not so sure.)
  5. Don’t use personal facts about yourself (Bdays, Place of Birth, Pet’s names)

They have conducted some volume research, by cracking and by survey, which they reference in the article, and built a password checker based on these lessons; but using it breaches one or maybe two of the rules I set myself in my Linkedin blog article “Password Vaults”. It’s on the internet, and we can’t read the code; that’s not to say it’s not a useful training tool. …
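
An offline checker that applies the five rules summarised above, as an added example; it is not the Washington Post’s checker nor code from the “Password Vaults” article, and it runs locally so the code is readable. The word list, the leet substitution table, the personal facts and the sample passwords are all constructed for the example; a real deployment would load a proper cracking dictionary and treat 12 bytes as the floor only because the article gives that figure.

```python
"""Offline checker for the five password rules: length, no simple transformations,
no reuse, (storage is rule 4 and is not checkable here), no personal facts."""
import hashlib
import re

MIN_LENGTH = 12  # rule 1: the article says "more than 12 bytes"; 12 is taken as the floor

# Constructed stand-in for a cracking dictionary (real lists run to millions of entries).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon",
                "mutt", "mutts", "nut", "nuts", "summer", "monkey"}

# Substitutions that cracking tools try by default, so they add no strength (rule 2).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_bases(password):
    """Undo the 'simple transformations' of rule 2: case, leet digits,
    leading capitals and trailing '1' or '!'. Returns every plausible base form."""
    low = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    return {low.translate(LEET), stripped, stripped.translate(LEET)}


def dictionary_derived(password):
    """True if any base form is a dictionary word, or two of them glued together
    (so mutt5nut5 -> mutts+nuts is caught)."""
    for base in candidate_bases(password):
        if not base:
            continue
        if base in COMMON_WORDS:
            return True
        if any(base[:i] in COMMON_WORDS and base[i:] in COMMON_WORDS
               for i in range(1, len(base))):
            return True
    return False


def fingerprint(password):
    """Previously used passwords are kept as SHA-256 digests, never plaintext (rule 3)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def personal_fact_tokens(facts):
    """Strings a cracker would try from known facts (rule 5): names as letters,
    dates as their digit string and as any four-digit year inside them."""
    tokens = set()
    for fact in facts:
        low = fact.lower()
        tokens.add(re.sub(r"[^a-z0-9]", "", low))
        digits = re.sub(r"\D", "", low)
        if digits:
            tokens.add(digits)
        tokens.update(re.findall(r"\d{4}", low))
    return {t for t in tokens if len(t) >= 3}


def check(password, personal_facts=(), previous_digests=()):
    """Return the rule numbers the password breaks; an empty list means it passes."""
    broken = []
    if len(password.encode("utf-8")) < MIN_LENGTH:
        broken.append(1)
    if dictionary_derived(password):
        broken.append(2)
    if fingerprint(password) in set(previous_digests):
        broken.append(3)
    raw = re.sub(r"[^a-z0-9]", "", password.lower())
    unleeted = raw.translate(LEET)
    if any(tok in raw or tok in unleeted for tok in personal_fact_tokens(personal_facts)):
        broken.append(5)
    return broken


def demo():
    """Constructed sample inputs; returns {password: broken rules} for inspection."""
    facts = ["Rover", "1984-03-12"]                # constructed pet name and birthday
    previous = [fingerprint("OldPassw0rdForBank")]  # constructed reuse history
    samples = ["mutt5nut5", "Password1!", "Rover1984xyzabc",
               "OldPassw0rdForBank", "correct horse battery staple"]
    return {pw: check(pw, facts, previous) for pw in samples}


if __name__ == "__main__":
    for pw, broken in demo().items():
        print(f"{pw!r}: {'passes' if not broken else 'breaks rule(s) ' + str(broken)}")
```

Rule 4 (write them down securely, or use a manager) is about where the secret lives, not its shape, so nothing here checks it; the digest list in `check` shows the reuse check can be done without the checker ever holding old passwords in clear.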

Research

Techdirt, providing a public service as ever, has posted a piece on confusion in the US Federal Government agencies. Whenever seeking to censor material, one has to prohibit research into the censored material and the techniques used to enforce the censorship. This is equally true in technology, and since encryption is used to ‘protect’ material, in the US they have prohibited research into circumventing “Digital Rights Management” technology, which is used by creative capitalism to manage pay-per-view. This has led to the absurd situation that, in the US, unlocking phones was a prohibited technology for a while. The Copyright Office, often seen as creative capitalism’s agents in Government, has come to the conclusion that the copyright law’s interference with security research is a bad thing. Whether they’ll repeal those bits of the law is another matter. …

Wannacry

Having done my best to ensure that my personal systems are as safe as I can make them, I am preparing a personal response to the #wannacry attack last weekend. Meanwhile, I consider this by John Elliot a great response on the public policy side, and this by David Thomas a useful look at the IT Security response, where he argues that it’s not just about “Vulnerability Management” and that Technical Debt is not just a funky word to get money for the maintenance budget. Neither of them major on the NHS IT Security failings that made them such a target, but David makes the point that the UK & NHS weren’t the only victims, with Taiwan, Russia, Ukraine and India all suffering from attacks. This is from Microsoft’s Chief Legal Officer, Brad Smith, and is also important; he re-states Microsoft’s commitment to all its customers and calls for better government response, including the idea of a digital Geneva convention. The Washington Post describes the discussions inside the NSA and reveals aspects of how they decide whether to release security vulnerabilities or weaponise them. It’s argued that the cyber weapon was like “Fishing with dynamite”, but as ever there is no public evidence to allow the people that pay for this to evaluate their claims. …

On the GDPR

The week before last, I attended the BCS legal day and have finally published my notes on what is now my essay blog. The priority was the coming General Data Protection Regulation. I prefer to write in a style recognising those who have informed me or changed my mind, but the notes have been anonymised as I believe that the day was held under Chatham House rules. The running order has been changed to make the story better and to conform to my preferred priority order of principles, rights, obligations and enforcement. The day consisted of two presentations, entitled “Key Issues” and “the Data Protection Officer”, and one on trends in enforcement. …

Compliance

After attending the BCS IS Security Group meeting yesterday, I began to think about how small (or more accurately, medium) companies might deal with the additional compliance actions required by the GDPR. There would seem to be two design patterns: a golden source, or an all knowing switch. The first pattern led me to consider the SaaS solutions, which should be used to dealing with suspects, prospects and customers (CRM), and also any employees that might be employed, with the ERP solution catering for personal data located in the supply chain. Over the years I have been made aware of Sugar CRM & OpenBravo (ERP); more recently I have looked at the Financial Services KYC problem, and been pointed at kyc.com, an enhanced CRM system designed for the financial services industry. The gap is an industry leading HR system, and it will surprise none of my long term friends and colleagues that I think we can assume that the fault is in the buying community, where the priority would seem to be recruitment and applicant tracking although, of course, payroll was the first SaaS offering by an order of decades. …