Thoughts on DaaS

I am still struggling to make a remote DaaS for my tablet. I have built an Amazon image based on Server 2012, which is getting a bit long in the tooth and Skype fails to boot on it; maybe I should ensure I have implemented an Amazon “Desktop” experience, but I am not happy with the price. I wondered if Azure might be cheaper, although on first look it would seem not. I need to be more sure, and having a remote DaaS would be cool for the tablet, as bit by bit, services will deprecate the version-frozen browser. I suppose that bit by bit RDP will also fail, but let’s see. (Microsoft’s desertion of ARM is maybe its last act of monopoly behaviour and is a lesson to both consumers and OEMs of the problems in not owning your own operating system, a subject I used to write a lot about.)

 …

Eternal vigilance

I have been pointed at China’s Social Credit Scoring plans via two routes. The first is this extract published at Wired from Rachel Botsman’s book, “Who can we trust”. This details the Chinese Government’s plan to build a social credit scoring scheme, but the sources and incentives are horrendously comprehensive, including their leading match-making agency. (It’s taken me some time to read this article, and I have bookmarked and annotated it in my diigo feed.) A worrying thing about the Chinese scheme is that voluntary participation becomes mandatory; while rewards and incentives are at the forefront of everyone’s mind today, control and punishment are planned. In the Chinese case, in the short term they are talking about foreign and domestic travel restrictions, but as I note, the country’s leading dating agency is one of the surveillance agencies. There is also talk of social investment loans (helicopter money) which become available on the basis of social scores.

The second route was an article on Medium by someone who got banned from AirBnB. He pointed at an article on Buzzfeed, “A Chinese-Style Digital Dystopia Isn’t As Far Away As We Think” where a series of regulatory decisions in the USA seem to be paving the way to something similar, a powerful illustration that the argument that surveillance is OK if it’s private sector is horrendously false.

One worrying aspect of the proposed Chinese system is that your reputation is only as good as that of your friends, and we have idiots trying to replicate it with Peeple; reading up on that has started me worrying about LinkedIn and its competitors, and we all know we should get off Facebook.

The Wired article came before machine learning and massive-scale AI became a hot topic, but it’ll be interesting to see what happens to social credit scores when they let rip with the application of machine learning. The automated derivation of reputation scores also raises issues of safeguarding, libel and context. Safeguarding and libel laws require the machines to tell the truth; in fact safeguarding may require machines to hide the truth. Context requires a level of nuance that we are unsure if machines will ever have, but even if they get there, justice and judges must remain human and the code must be open; China’s and Facebook’s are not! The GDPR gives data subjects rights; perhaps it’s time to revisit the seven principles.

Of course in the UK, we have our very own examples of machines and data sharing getting it wrong. Sajid Javid, the Home Secretary, has suspended the intra-government and some of the other immigration data sharing as a result of the backlash on the Windrush scandal. (I wonder if this is an excuse to look again at the DPA Immigration Exemption clauses.) Much of what is happening in China and the USA is also happening in the UK; it’s just that the surveillance agents are the US-owned datenkraken and the British State has legalised the hacking of their data streams.

What’s happening in China is terrible, but our governments are following suit! The price of freedom is eternal vigilance. …

Modelling power

I have finally posted my long planned piece, on the way Bioware adopted a permissive licence for their AD&D games at the turn of the century. In doing so they enabled a fan community to create content which increased the value of the game to all its customers and also the demand in volume for the game binaries, and the period over which it was used.

I had planned a Part II, having come across Ludovico Prattico’s academic paper, Governance of Open Source Software Foundations: Who Holds the Power?, in whose abstract he states,

The research reported in this article attempts to discover who holds the power in open source software foundations through the analysis of governance documents. Artificial neural network analysis is used to analyse the content of the bylaws of six open source foundations (Apache, Eclipse, GNOME, Plone, Python, and SPI) for the purpose of identifying power structures.

I was interested in whether his techniques could be applied to the Bioware licence, to see what one might learn by comparing the output with Prattico’s findings. He had looked at six open source licences, so it would be interesting to see how the formal outputs compared. Prattico used additional documents beyond the licence and used the tool Catpac II, which sadly is not free. (I wonder if Carat II will do instead; I hope not, because I was/am looking for something better than a bag of words.)

I also wondered if it could be used for analysing or describing other power relationships, such as national constitutions, or the Labour Party’s rules. The latter would be needed in text form, which is not easy to find. …

On Adequacy after Brexit

I attended the Home Affairs Committee on Europol and the European Arrest Warrant yesterday. Don’t say I don’t know how to have a good time. One of the members suggested that since we have passed a new Data Protection Law, we will be compliant from Day 1, or Day 0 as we engineers call it. I think not, and here’s why. In short, the Government say they’ve implemented the GDPR into British Law, but once we’re a third country, it’s the Commission that has the last word, and they have questions we need to answer. …

Firstly, I don’t think the Commission would act that quickly; they’d need to issue an adequacy decision, and there are four questions of substance that the Commission would need to consider.

  1. The European Data Protection Supervisory Board’s predecessor, the Article 29 Working Party, and the Commission had outstanding issues with the UK’s implementation of the 95 Directive, to the extent that it seems the Commission had started infraction proceedings. (I find it very hard to get explicit data on this, and much of what is available reads like conspiracy theories, but the most vocal campaigner published his views in the Register, here. The author argues that the infraction process proposes to carry forward to the 2018 DPA.) The author checkpointed his findings in a 2011 blog article, called “European Commission explains why UK’s Data Protection Act is deficient”; he also points to an Out-law article, “Europe claims UK botched one third of Data Protection Directive”, 17 Sep 2007.
  2. The House of Lords Committee on Data Protection found that as a 3rd Country we may be required to meet a higher standard than as a member state. (This is because we will lose the powers granted to member states under Article 23 Restrictions of the GDPR. These powers relate to the exemption of national security organisations and the courts (and others) from some aspects of the GDPR.) This is why there is concern that the Investigatory Powers Act, already declared deficient by the UK Courts, and the DPA immigration service exception will jeopardise any attempt to obtain an adequacy finding; i.e. a member state might be able to have these laws but a 3rd country may not.
  3. The loss of member state status and privilege means that our intelligence sharing arrangements with the US, a country which still has the death penalty and operates under a different military legal doctrine, may be deemed to be a critical problem in granting adequacy. (We should note that Tom Watson MP obtained a barrister’s opinion on the legality of sharing intelligence and wrote to the Prime Minister at the time on the legality of this activity; it was taken up by Rights Watch, who are pursuing this through the courts.)
  4. Depending on the withdrawal agreement, and it seems that no-one is thinking about this, we may cease to be covered by the US Privacy Shield agreement, and thus will be prohibited from transferring EU citizens’ personal data to the USA, and they to us. (Actually, prohibited is a bit strong: participants in cross-border data transfer would need to be covered by model clauses or binding corporate rules, and both of these are under judicial review (Schrems II) and create a barrier to entry because of cost to SMEs.)

It should be noted that the ECJ has required the US Safe Harbour agreement to be re-negotiated; its successor allows US corporate self-assessment, but also requires EU citizen access to the US Court system. The important thing here is that the Commission consider protections of EU citizens’ personal data, and the establishment of rights against the State’s intelligence, security and police services, to be part of an adequacy finding, and since the EU is not frightened of a row with the US, it won’t be frightened of one with us. …

Big Copyright strikes again

This time in the European Parliament. They want upload filters and to tax ISSPs’ reuse, but you can do something about it.

Last week a committee of MEPs voted 15 – 10, reported here by one of its members, Julia Reda, the sole Pirate Party MEP, in favour of the EU Copyright Directive’s disastrous Article 13. This misguided measure will introduce upload filters that would change the way that much of the Internet works, from free and creative sharing to one where anything can be removed without warning, by computers. They also voted in favour of Article 11, which Europeanises a German and Spanish law and places a monetary liability on internet software service providers who use snippets of news articles originally published by for-profit publishers.

This article explains why the measures are wrong, and points to the campaign sites. It was amended on the 5th July after the vote to report the result, which was that the Parliament voted to re-open the discussion in plenary.

Here are the votes, interesting splits. …

Privacy & compliance, reprised

I have had a look at the changes in Law, and thus the potential changes in data protection strategy since I first wrote about the conflicts between privacy, compliance and law enforcement.

The US courts have been siding with citizens and their privacy rights, and the ECJ has been doing the same. Parliament has been going in the opposite direction, although the Supreme Court has declared the Data Retention laws to be contrary to Human Rights Law, and should we actually leave the EU we will find obtaining an “Adequacy” agreement harder than we’d hope, as the EU Parliament, Commission and the EU Data Protection Supervisory Board focus on the rights of privacy from Governments. This will be a significant problem if the ECJ strikes down the model clauses and binding corporate rules.

I briefly touch on the fact that the European Laws are meant to be implementing the globally agreed seven principles of Data Protection (Notice, Purpose, Consent, Security, Disclosure, Access and Accountability) and that in a rights-based jurisdiction, these rights must be protected from the Government as well as from Corporates.

The language has developed since 1980, but these principles were agreed by the OECD in 1980.

I conclude the article by saying,

Today, under EU law, the lawful purpose would seem to be more flexible, cross border transfers are more restricted, and may become more so, and the EU is more concerned about nation state compliance; it’s what you’d expect from a political entity consisting of states and the children of people surviving fascist or Stalinist rule.

This political heritage should be remembered by those that see these laws merely as a business burden, …

Wannacrypt, a story

The NSA’s hack on old Microsoft operating systems is weaponised and released to the internet, most publicly and massively impacting the UK’s NHS, which had taken the decision not to move forward from Windows XP, a product for which support by its authors ceased in 2012. This was meant to be a quick source list for a blog article, but as ever it took too long.

This is a storify I made at the time; I have transferred it to this blog and published it as at the date created. …

Freedom of Information

I have been looking at a couple of association/organisation constitutions, both of which have rules controlling the way in which some people, by which we mean those in a minority, can communicate information about the conduct of business to members and/or the public. On thinking about it, I wonder if these rules fall foul of the ECHR Article 10 rights, the freedom of speech right. While the US version is famous, and rightly so, and is much more explicit about speech and publication, the European version talks of the right to receive information.

Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.

  …

Losing one’s way

Over the last few days, the Guardian has broken the story of the illegal use of personal data in the US 2016 general election. We are now waiting for the trail to come back to UK politics, in particular, the use of Cambridge Analytica (or one of its associates) by the alliance of Leave organisations. The data was stolen, well acquired, from Facebook, but it seems they knew for two years and there is some argument as to their corporate complicity. Their Chief Information Security Officer has been on the way out since the end of last year and some stories suggest it’s because he argued for greater openness in co-operating with the enquiries into Russian state sourced fake news.

Citizens, their representatives and law makers have been arguing that IT companies should have a duty to report security breaches to law enforcement, and the EU is introducing such a law now; such laws exist in California, which is where Facebook is headquartered. We should also note that their duty to protect their users’ personal data is governed by the US privacy laws, the now defunct EU Safe Harbour agreement and its successor, the Privacy Shield. In addition, the US signed up to the 7 Principles of Data Protection when first declared by the OECD. It is a fact, however, that many US business executives (and their employees) consider the European Data Protection laws as non-tariff import barriers; not that this should matter, but I have no doubt that considerable time has been spent in determining where the line between legality and illegal activity stands.

There are several factors in the US political culture which often make it hard for the US to obey foreign laws (and their own), one of them being that they often have difficulty in legitimising their own laws and law enforcement.

This is, to me, summarised in the 10th Amendment, one of the Bill of Rights amendments to the US Constitution.

The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

There is a beauty to the sentiment and an economy to the words, but they are a fundamental challenge to the rule of law. (Is this a bit extreme?) The Citizens United ruling, which upheld the citizen’s free speech rights for an association, can be taken to mean that corporations have citizenship rights. US laws are hard to make, and laws are often challenged in court, often to the Supreme Court, asking for laws to be struck down as unconstitutional. The upshot of all this is that politically, citizens can take a view on whether a law is legal in the knowledge that if they win, they get to do what they want, unlike in Europe and the Antipodes, where the Governments have majorities in their legislatures and will rewrite the laws.

The US tradition of a people’s access to justice, showcased by the Judge Judy show, is also admirable, if a bit bizarre to UK eyes, but it is another dimension of the US commitment to rights and the rule of law; they’re just a bit weaker in understanding collective and inalienable rights, such as privacy (except from Government).

We also have the growing dichotomy between companies’ Legal and Compliance teams, with Legal advising under the protection of client/attorney privilege in the best interests of their clients, and Compliance having a duty to the public, advising how not to break the Law.

One can see how US companies might lose their way. It’s nothing to be proud of, though; the UK route to corruption is just shorter, as currently viewing the C4 news programme on Cambridge Analytica will show.

Do politicians understand? They may not understand the details of the tech., but they do understand Human Rights law and the rule of law, although some of the House of Commons are, to quote the shadow chancellor, “Fucking Useless”, and the select committees could do with better advisors; the purpose of the witnesses is to deliver this advice and knowledge, but you need to know the questions and understand the answers. You need a nose for a cover-up and to know the 2nd question. …

The subversion of democracy by big data

The fabulous Carole Cadwalladr brings us the next instalment of undoing the surveillance state’s control over our democracies.

In an article, “The Great British Brexit Robbery”, she and the Guardian showed how the Tories and the Brexit Leave Campaigns had used US Data Analytics companies to influence the Brexit referendum. It is alleged that the personal data was obtained illegally, that its processing was illegal and that it was an undeclared election/referendum expense. The evidence was sufficient for the Information Commissioner’s Office and the Electoral Commission to launch investigations.

Over the last two days, Facebook have suspended Cambridge Analytica and one other company, and the latter’s Principal, for breaking their terms and conditions and, in one case, a breach of contract not to pass data on. The story is reported in the Guardian in a story called “‘I made Steve Bannon’s psychological warfare tool’: meet the data war whistleblower”, which documents the contractual paper trail. This happened two years ago, and it is alleged that Facebook knew of it then. It is a crime in many jurisdictions, including California, not to notify either the regulators or the data subjects of a breach/leak of personal data.

Sadly 🤔 they have been accused of misleading the House of Commons select committee inquiry into Fake News. In a verbal submission it was denied that Cambridge Analytica had Facebook data. Its Chair, Damian Collins, is quite forthright, accusing Facebook of sending under-informed representatives to answer the committee’s questions. The phrase wilful ignorance comes to mind.

As Brits, we need to see if crimes were committed during the 2015 and 2017 General Elections and/or the Brexit Referendum, but this can’t be good for Facebook’s reputation.

ooOOOoo

I wish we still had Storify, this is one for them.

The image is from the Guardian on the story on Parliament’s reaction. …