The subversion of democracy by big data

The fabulous Carole Cadwalladr brings us the next instalment of undoing the surveillance state’s control over our democracies.

In an article, “The Great British Brexit Robbery”, she and the Guardian showed how the Tories and the Brexit Leave campaigns had used US data analytics companies to influence the Brexit referendum. It is alleged that the personal data was obtained illegally, that its processing was illegal and that it was an undeclared election/referendum expense. The evidence was sufficient for the Information Commissioner’s Office and the Electoral Commission to launch investigations.

Over the last two days, Facebook have suspended Cambridge Analytica and one other company, together with the latter’s principal, for breaking their terms and conditions and, in one case, for breach of a contract not to pass data on. The story is reported in the Guardian in a piece called “‘I made Steve Bannon’s psychological warfare tool’: meet the data war whistleblower”, which documents the contractual paper trail. This happened two years ago and it is alleged that Facebook knew of it then. It is a crime in many jurisdictions, including California, not to notify either the regulators or the data subjects of a breach or leak of personal data.

Sadly 🤔 they have been accused of misleading the House of Commons select committee inquiry into Fake News: in a verbal submission it was denied that Cambridge Analytica had Facebook data. Its Chair, Damian Collins, is quite forthright, accusing Facebook of sending under-informed representatives to answer the committee’s questions. The phrase “wilful ignorance” comes to mind.

As Brits, we need to see if crimes were committed during the 2015 and 2017 General Elections and/or the Brexit Referendum, but this can’t be good for Facebook’s reputation.

ooOOOoo

I wish we still had Storify, this is one for them.

The image is from the Guardian on the story on Parliament’s reaction. …

Bitcoin

This is a long diatribe at Hacker Noon about the Bitcoin bubble and the blockchain hype. I had been considering writing something similar, although my focus was on the excessive use and cost of electricity to “mine” coins and the demonstrable industrialisation and economic consolidation of the mining operations.

Bitcoin, in particular, has a shrinking use as a means of exchange, as identified by this Business Insider preview of a Morgan Stanley opinion. This is compounded by the fact that the transaction fees are now too high for small or micro payments, and that it is not real time (it can take minutes to clear) and thus cannot be used for transactions that require simultaneous exchange, be it a cup of coffee or a house.

The blockchain does not scale well, despite the massively distributed architecture. Compare its performance with, say, Visa or other significant global payment processors: Visa is rated at 60,000 transactions/sec (TPS), whereas Bitcoin maxes out at 7 TPS. So not only is it expensive, but it can’t cope with real-world volume; it’s just as well that small transactions are deserting the platform.

What started me thinking this time round was the realisation that the amount of power required to “mine” the currency grows and is now significant. While the compensation for the miners is scrip/free, the real cost in electricity, and thus carbon pollution, is significant. This adds to the cost, both the internal cost and, more importantly, the external cost. The planet cannot afford the electricity and the carbon footprint needed to virtualise global capitalism’s money supply.

Kai Stinchcombe argues that the lack of regulation is also a disincentive to use cryptocurrencies, examines the Ethereum/DAO hack and draws the conclusion that, on the whole, society needs contracts to be interpreted by people, not by software.

Money must be a means of exchange and a store of wealth. Blockchain cryptocurrencies are struggling and increasingly failing to be the former, and their current price peaks, historic volatility and lack of a regulator suggest they are weak as the latter. Is it just a con? …

Working Title

Today, I wrote to Labour List and proposed to write an article for them.

I’ll take help on the title, but I am currently working with “Privacy Law, canvassing and registered supporters”.

Next year, on 28th May, the EU’s General Data Protection Regulation comes into force. Among other things, it will prohibit the storage and processing of canvass returns without freely given, informed and explicit consent. We will have to prove that consent has been obtained and be able to tell electors everything we know about them.

The simplest answer to these new compliance requirements is to extend the registered supporter arrangement, make it an ongoing contract so that the agreement can include privacy clauses. The ambition would be to extend the scheme to high proportions of our voter base. For this purpose, the fee would need to be low, nearer £3 than £25.

ooOOOoo

I should add that, without some form of reform, the retention of the Registered Supporters data in the membership system is in my mind of questionable legality, as it breaks the storage limitation principle. When compliance ruled that Registered Supporters could not be invited to members’ meetings, they made the sole purpose of holding the data the leadership election. This purpose was confirmed when the NEC required re-registration of the registered supporters at £25 in 2016; the consequence of such a decision, to my mind, negated the purpose of the original registrations. …

Toxic Combinations

I have written a piece about Segregation of Duties and Toxic Combinations on my LinkedIn blog. The bulk of the article talks about how to organise staff roles and responsibilities to meet the standard admin/developer segregation of duties rules in IT organisations, but it also talks about the need to apply segregation of duties in the justice system. I say a bit more here and comment on lessons for the Labour Party.

In the world of police and justice, the need for a segregation of duties has long been understood; an uncontrolled police force is the mark of a totalitarian society. In most democracies, the police investigate a crime, identifying witnesses and evidence; independent prosecutors take the decision to prosecute; and courts hear the case, with a further separation between the judge, who issues penalties, and the jury, who assess the facts and determine guilt. Measures are taken to eliminate conflicts of interest, for instance by having judges step down if they are a participant in the case as complainant, defendant or witness, and to ensure that crimes committed within each of these roles cannot be covered up. Whether the Independent Police Complaints Commission, the Bar Association, the Judicial Appointments and Conduct Ombudsman or their international equivalents are enough is a question for debate, but their existence is a crucial part of the defence of justice.

In the febrile atmosphere of the Labour Party today, the lack of control over the General Secretary and his staff, together with the failure to adopt a modern segregation of duties, means the General Secretary acts as both investigator and prosecutor. He is also the employing manager of the Regional Directors, who often also act as judge and jury. This growing and serious problem is, in many cases, compounded by a lack of grievance and whistle-blower processes. The aggressive use of the complaints process, and the often dual role of complainants as role holders in the process, is also a problem. The Chakrabarti report saw the lack of professional lawyers, and of a legally qualified Head of Legal, partly as a skills issue; but a professional lawyer’s strong obligation both to act as an officer of the court and to preserve their professional registration would be a significant advance on what we have today: a bunch of people trained in the worst of student and trade union politics, where winning counts for more than justice and there is no accounting of collateral damage. …
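The admin/developer segregation rules referred to above are usually enforced in two places: a static check that no one identity holds a pair of roles the policy declares toxic, and a dynamic check over the change log that nobody approved or deployed their own change. The script below is an added example written for this post, not code from the LinkedIn article; the role names, the toxic pairs, the account-to-person map and the change records are all constructed for illustration. It also handles the common edge case where a person has a separate privileged login (for example `carol` and `carol-adm`): the check is done per person, not per account, so splitting one human across two accounts does not satisfy the control.

```python
"""Toxic-combination (segregation of duties) checks.

Added example, not code from the article this post links to.
  1. static: does any one person hold two roles the SoD matrix says must be separate?
  2. dynamic: in the change log, did anyone approve or deploy their own change,
     possibly under a second (privileged) account?
All role names, pairs and records below are constructed for the example.
"""
from itertools import combinations

# Constructed SoD matrix: each frozenset is a pair of roles one person must not hold.
TOXIC_PAIRS = {
    frozenset({"developer", "prod_admin"}),               # write code and deploy it unreviewed
    frozenset({"change_requester", "change_approver"}),   # raise a change and approve it
    frozenset({"payment_initiator", "payment_approver"}),
}

# Constructed account -> person map. Privileged logins are separate accounts for the same human.
ACCOUNT_OWNER = {
    "alice": "alice", "alice-adm": "alice",
    "bob": "bob",
    "carol": "carol", "carol-adm": "carol",
    "dave": "dave",
}

# Constructed role assignments, keyed by account.
ASSIGNMENTS = {
    "alice": {"developer", "change_requester"},
    "alice-adm": set(),
    "bob": {"prod_admin", "change_approver"},
    "carol": {"developer"},
    "carol-adm": {"prod_admin"},                                   # toxic once merged per person
    "dave": {"change_requester", "change_approver", "auditor"},    # toxic pair held directly
}

# Constructed change records; each step names the account that performed it.
CHANGE_LOG = [
    {"id": "CHG-1", "author": "alice", "approver": "bob", "deployer": "bob"},
    {"id": "CHG-2", "author": "carol", "approver": "bob", "deployer": "carol-adm"},  # self-deploy
    {"id": "CHG-3", "author": "dave", "approver": "dave", "deployer": "bob"},        # self-approval
]


def roles_per_person(assignments, account_owner=ACCOUNT_OWNER):
    """Merge the roles of every account belonging to the same person."""
    merged = {}
    for account, roles in assignments.items():
        person = account_owner.get(account, account)
        merged.setdefault(person, set()).update(roles)
    return merged


def static_violations(assignments, toxic_pairs=TOXIC_PAIRS, account_owner=ACCOUNT_OWNER):
    """Return sorted (person, role_a, role_b) for every toxic pair a person holds."""
    found = []
    for person, roles in roles_per_person(assignments, account_owner).items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in toxic_pairs:
                found.append((person, a, b))
    return sorted(found)


def dynamic_violations(change_log, account_owner=ACCOUNT_OWNER):
    """Return (change_id, step, person) wherever the author also approved or deployed."""
    found = []
    for change in change_log:
        author = account_owner.get(change["author"], change["author"])
        for step in ("approver", "deployer"):
            actor = account_owner.get(change[step], change[step])
            if actor == author:
                found.append((change["id"], step, author))
    return found


if __name__ == "__main__":
    for violation in static_violations(ASSIGNMENTS):
        print("static  :", *violation)
    for violation in dynamic_violations(CHANGE_LOG):
        print("dynamic :", *violation)
```

Running it lists `carol` (developer plus prod_admin, visible only after merging her two accounts) and `dave` (requester plus approver) from the role matrix, and CHG-2 and CHG-3 from the change log. In practice the role matrix comes from the directory or IAM export and the change log from the ticketing or CI system; the per-person merge is the part most ad hoc scripts omit.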

Equifax

Bruce Schneier testified to Congress on the Equifax breach and posted his testimony on his blog. Because of the political nature of the content (he is usually much more technical), some of the comments are very superficial, complaining about the need for more regulation.

The problem is, as he says, that without regulation business won’t keep personal data secure. The problem is bad corporate behaviour.

His testimony, in my mind, shows the weakness of seeing this as a consumer protection issue. Much of the bad behaviour comes from third parties; the data subject is not the customer and thus has no rights in tort, and in the US the FTC can’t pursue the data controllers. By placing privacy in a consumer protection framework, they also leave it to the victims of breaches to prove harm.

In the EU, our rights based legal framework means that a breach is harm, because our human rights to privacy have been infringed.

Schneier raises the GDPR as an example of how companies can conform to better standards and raises the spectre of EU-imposed fines on US companies. He also hints at the fragility of Safe Harbour/Privacy Shield. …

At Orgcon 17

I am just back from ORGcon 17, and here are my notes. This was a two-day conference, consisting of lectures, panels and workshops, with many sessions on issues of concern to digital liberty campaigners about regulation of the use of personal data. The first day, at Friends House, where we had the use of the amazing central meeting room, looked at the coming legislation on investigatory powers, the use of the law to make political advances (it’s slow and uncertain), and an interview with Caroline Criado Perez, the campaigner who got the first woman on British bank notes and a woman’s statue in Parliament Square. It looked at e-voting systems in Taiwan, where the government used a consensus-building software product to engage the population in designing traffic management solutions. Jamie Bartlett spoke about privacy vs. security. There was a session on digital liberty and regulation in Nigeria, and also a session on the privacy vulnerability in the coming “age verification for porn users” regulations. Many of these lectures are available on the ORG’s video channel.

The second day consisted mainly of workshops focused on campaigning. There was a workshop that reviewed the technical architecture of the Investigatory Powers Bill (as it then was, i.e. at the architecture and legislative stage). There was a workshop on using the Freedom of Information laws to enhance campaigning, and also one about the likely campaigning tools to be offered by the coming General Data Protection Regulation (GDPR), i.e. enhanced subject access requests, the right to be forgotten, the right of remediation and the right to object to and stop processing.

There were sessions on building local Open Rights Group groups, how to perform IT security effectively for campaigners and a review of the ORG’s Blocked tool.

I chaired a session on building a Charter of Digital Rights, with Richard Barbrook and Mara Leverkuhn. Richard announced his initiative to put some more detail behind Jeremy Corbyn’s Digital Manifesto, which they created to support his 2016 Leadership Campaign. I documented/advertised this session on my blog: https://davelevy.info/digital-liberties/

ooOOOoo

The relevance of this conference to CISSP certification is in the Regulation & Compliance domain. One of the critical risks to IT organisations is failing to keep up with laws and regulations. The ORG focuses on the law as it relates to privacy, censorship and intellectual property. Businesses need to keep these laws in mind when designing their risk taxonomy and control catalogue.

This was written in October 2018, nearly 12 months after the event; I did it to claim CISSP CPD credits. As is normal for me in these circumstances, I have backdated the article to the time of occurrence. …

Digital Liberties

I am just about to set off for ORGcon 2017. It’s a two-day conference and I am chairing a panel tomorrow at 15:00.

How to make a People’s Charter of Digital Liberties

Help Labour to make a People’s Charter of Digital Liberties

A small panel discussion led by Richard Barbrook, on how Parliament and the people could build a People’s Charter of Digital Liberties. The panel will be chaired by Dave Levy, a Labour Party member of the ORG Supporters Council; the second panellist will be Mara Leverkuhn, a Labour Party digital rights activist.

In his 2016 leadership campaign, Jeremy Corbyn’s Digital Democracy Manifesto promised that Labour would introduce a People’s Charter of Digital Liberties when elected to power.

This panel and discussion is designed to focus on how this digital bill of rights could be developed: how one might use the networked society’s tools to synthesise opinion, crowdsource the clauses of the Charter and make an actionable development plan. The panel will be small, and maximum time will be given for attendee contributions. …

Passwords

I was pointed at an article in the Washington Post on password security. It’s quite long and so I summarise:

  1. Length is better than complexity (more than 12 bytes).
  2. Simple transformations are no help (don’t capitalise the first letter and end with a 1 or !; mutt5nut5 is considered very easy).
  3. Don’t reuse passwords for accounts that you care about! (A corollary is to delete the accounts on services you no longer use.)
  4. Write the passwords down in a secure place if you have too many, or use a password manager. (They are in favour; I am not so sure.)
  5. Don’t use personal facts about yourself (birthdays, place of birth, pets’ names).

They have conducted some volume research by cracking and survey, which they reference in the article, and built a password checker based on these lessons; but using it breaches one or maybe two of the rules I set myself in my LinkedIn blog article “Password Vaults”. It’s on the internet, and we can’t read the code; that’s not to say it’s not a useful training tool. …
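A checker that runs locally avoids the objection that you cannot read the code and must send a candidate password to someone else’s server. The script below is an added example written for this post, not the Washington Post’s checker, and it encodes rules 1, 2, 3 and 5 from the summary above (rule 4 is advice about handling, not a property of the password, so nothing can test for it). The word list, the leet-substitution map, the sample profile and the set of “previously used” digests are all constructed; a real checker would load a large cracked-password list and compare against a salted, slow hash store rather than plain SHA-256.

```python
"""Local password-rule checker (added example; not the newspaper's checker).

Rule 1: more than 12 bytes.
Rule 2: a dictionary word with simple transformations (capitalisation, trailing
        digit or symbol, leet substitutions) is no better than the bare word.
Rule 3: not reused (compared by digest, so earlier passwords are not stored in clear).
Rule 5: contains no personal fact from the user's profile.
Word list, leet map, profile and digests are constructed for the example.
"""
import hashlib
import string

MIN_BYTES = 12  # rule 1 says "more than 12 bytes"

# Constructed dictionary; a real checker loads a cracked-password list of millions of entries.
WORDS = {"mutt", "nut", "password", "summer", "secret", "welcome", "letmein",
         "correct", "horse", "battery", "staple", "dragon", "monkey"}

# Common substitutions undone before the dictionary check (rule 2).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def normalise(password):
    """Lower-case, drop the trailing digit/punctuation run, undo leet, remove spaces."""
    lowered = password.lower()
    core = lowered.rstrip(string.digits + string.punctuation) or lowered
    return core.translate(LEET).replace(" ", "")


def _is_word(chunk):
    # Accept a simple plural so "mutts" matches "mutt".
    return chunk in WORDS or (chunk.endswith("s") and chunk[:-1] in WORDS)


def min_dictionary_segments(s):
    """Fewest dictionary words whose concatenation is s, or None if there is no such split.
    Dynamic programming over prefixes: best[i] is the answer for s[:i]."""
    inf = float("inf")
    best = [0] + [inf] * len(s)
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] != inf and _is_word(s[j:i]):
                best[i] = min(best[i], best[j] + 1)
    return None if best[-1] == inf else best[-1]


def fingerprint(password):
    """Digest used only to compare against earlier passwords (rule 3).
    A real store would use a slow, salted hash; SHA-256 keeps the example self-contained."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, previous=(), profile=None):
    """Return the sorted list of rule numbers (from 1, 2, 3, 5) the password breaks."""
    broken = set()
    if len(password.encode("utf-8")) <= MIN_BYTES:
        broken.add(1)
    core = normalise(password)
    segments = min_dictionary_segments(core)
    # One or two dictionary words with decoration is a "simple transformation";
    # a long passphrase of four or more words is not penalised here (rule 1 covers it).
    if segments is not None and segments <= 2:
        broken.add(2)
    if fingerprint(password) in set(previous):
        broken.add(3)
    lowered = password.lower()
    for fact in (profile or {}).values():
        fact = str(fact).lower()
        if len(fact) >= 3 and (fact in lowered or fact in core):
            broken.add(5)
    return sorted(broken)


if __name__ == "__main__":
    # Constructed profile and history for the demonstration.
    profile = {"pet": "Rex", "birth_year": 1972}
    history = {fingerprint("correct horse battery staple")}
    for candidate in ("mutt5nut5", "Summer2017!", "Dragon5taple-2017", "Rex1972!",
                      "correct horse battery staple"):
        print(f"{candidate!r:34} breaks rules {check_password(candidate, history, profile)}")
```

The example in the article’s own terms: `mutt5nut5` fails on length and on being two dictionary words with a 5-for-s swap, and `Dragon5taple-2017` shows that exceeding 12 bytes does not rescue a decorated pair of words. A four-word passphrase passes rule 2 but is caught by rule 3 once its digest is in the history.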