Lightning never strikes twice


In my blogs on the Track & Trace failure [blog | linkedin], I make the throwaway comment that Govt. IT often fails repeatedly because no-one is accountable or punished, and thus they fail to learn. In this case, though, that isn’t true: Dido Harding, the CEO of Track & Trace, was CEO of TalkTalk when it was fined £½m for another data protection breach, caused by another failure, in this case the failure to close down an application running on an out-of-date and unpatched version of MySQL, leaving it vulnerable to a SQL injection attack, one of the OWASP Top 10 vulnerabilities. How unlucky can you get? …

A first domino?

Carole Cadwalladr and others are speculating that the US Federal Trade Commission plans to fine Facebook $5bn for its privacy law breaches. This is reported today in the New York Times, in an article, Facebook Expects to Be Fined Up to $5 Billion by F.T.C. Over Privacy Issues, which documents the breaches (focusing on Cambridge Analytica and the Brexit time span) and the laws involved. $5bn is a lot; the EU only fined Google €1.5bn. I posted the NYT article on Facebook with the following comment.

But he still won’t come to the UK to testify to the DCMS select committee, although I have sympathy with the argument that if we aren’t investigating our citizens who have broken the law, why should he put himself at the front of the queue.


Eternal vigilance

I have been pointed at China’s Social Credit Scoring plans via two routes. The first is this extract published at Wired from Rachel Botsman’s book, “Who can we trust”. This details the Chinese Government’s plan to build a social credit scoring scheme, but the sources and incentives are horrendously comprehensive, including their leading match-making agency. (It’s taken me some time to read this article, and I have bookmarked and annotated it in my diigo feed.) A worrying thing about the Chinese scheme is that voluntary participation becomes mandatory. While rewards and incentives are at the forefront of everyone’s mind today, control and punishment is planned; in the Chinese case, in the short term, they are talking about foreign and domestic travel restrictions, but as I note, the country’s leading dating agency is one of the surveillance agencies. There is also talk of social investment loans (helicopter money) which become available on the basis of social scores.

The second route was an article on Medium by someone who got banned from Airbnb. He pointed at an article on BuzzFeed, “A Chinese-Style Digital Dystopia Isn’t As Far Away As We Think”, where a series of regulatory decisions in the USA seem to be paving the way to something similar, a powerful illustration that the argument that surveillance is OK if it’s private sector is horrendously false.

One worrying aspect of the proposed Chinese system is that your reputation is only as good as that of your friends, and we have idiots trying to replicate it with Peeple; reading up on that has started me worrying about LinkedIn and its competitors, and we all know we should get off Facebook.

The Wired article came before machine learning and massive-scale AI became a hot topic, but it’ll be interesting to see what happens to social credit scores when they let rip with the application of machine learning. The automated derivation of reputation scores also raises issues of safeguarding, libel and context. Safeguarding and libel laws require the machines to tell the truth; in fact, safeguarding may require machines to hide the truth. Context requires a level of nuance that we are unsure machines will ever have, but even if they get there, justice and judges must remain human and the code must be open; China’s and Facebook’s is not! The GDPR gives data subjects rights; perhaps it’s time to revisit the seven principles.

Of course in the UK, we have our very own examples of machines and data sharing getting it wrong. Sajid Javid, the Home Secretary, has suspended the intra-government and some of the other immigration data sharing as a result of the backlash over the Windrush scandal. (I wonder if this is an excuse to look again at the DPA Immigration Exemption clauses.) Much of what is happening in China and the USA is also happening in the UK; it’s just that the surveillance agents are the US-owned datenkraken, and the British State has legalised the hacking of their data streams.

What’s happening in China is terrible, but our governments are following suit! The price of freedom is eternal vigilance. …

Losing one’s way

Over the last few days, the Guardian has broken the story of the illegal use of personal data in the US 2016 general election. We are now waiting for the trail to come back to UK politics, in particular the use of Cambridge Analytica (or one of its associates) by the alliance of Leave organisations. The data was stolen, well, acquired, from Facebook, but it seems they knew for two years, and there is some argument as to their corporate complicity. Their Chief Information Security Officer has been on the way out since the end of last year, and some stories suggest it’s because he argued for greater openness in co-operating with the enquiries into Russian state-sourced fake news.

Citizens, their representatives and law makers have been arguing that IT companies should have a duty to report security breaches to law enforcement, and the EU is introducing such a law now; such laws exist in California, which is where Facebook is headquartered. We should also note that their duty to protect their users’ personal data is governed by the US privacy laws, the now defunct EU Safe Harbour agreement and its successor, the Privacy Shield. In addition, the US signed up to the 7 Principles of Data Protection when they were first declared by the OECD. It is a fact, however, that many US business executives (and their employees) consider the European Data Protection laws to be non-tariff import barriers; not that this should matter, but I have no doubt that considerable time has been spent in determining where the line between legal and illegal activity stands.

There are several factors in the US political culture which often make it hard for the US to obey foreign laws (and their own), one of them being that they often have difficulty in legitimising their own laws and law enforcement.

This is, to me, summarised in the 10th Amendment, one of the Bill of Rights amendments to the US Constitution.

The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

There is a beauty to the sentiment and an economy to the words, but they are a fundamental challenge to the rule of law. (Is this a bit extreme?) The Citizens United ruling, which upheld free speech rights for an association, can be taken to mean that corporations have citizenship rights. US laws are hard to make, and laws are often challenged in court, frequently up to the Supreme Court, asking for them to be struck down as unconstitutional. The upshot of all this is that, politically, citizens can take a view on whether a law is legal in the knowledge that if they win, they get to do what they want; unlike in Europe and the Antipodes, where the governments have majorities in their legislatures and will simply rewrite the laws.

The US tradition of a people’s access to justice, showcased by the Judge Judy show, is also admirable, if a bit bizarre to UK eyes, but it is another dimension of the US commitment to rights and the rule of law; they’re just a bit weaker in understanding collective and inalienable rights, such as privacy (except from Government).

We also have the growing dichotomy between companies’ Legal and Compliance teams, with Legal advising under the protection of attorney/client privilege in the best interests of their clients, and Compliance having a duty to the public, advising how not to break the law.

One can see how US companies might lose their way. It’s nothing to be proud of though; the UK route to corruption is just shorter, as viewing the current C4 News programme on Cambridge Analytica will show.

Do politicians understand? They may not understand the details of the tech, but they do understand Human Rights law and the rule of law, although some of the House of Commons are, to quote the shadow chancellor, “Fucking Useless”, and the select committees could do with better advisors; the purpose of the witnesses is to deliver this advice and knowledge, but you need to know the questions and understand the answers. You need a nose for a cover-up and to know the second question. …


This is a long diatribe at Hacker Noon about the Bitcoin bubble and the blockchain hype. I had been considering writing something similar, although my focus was on the excessive use and cost of electricity to “mine” coins and the demonstrable industrialisation and economic consolidation of the mining operations.

Bitcoin, in particular, has a shrinking use as a means of exchange, as identified by this Business Insider preview of a Morgan Stanley opinion. This is compounded by the fact that the transaction fees are now too high for small or micro payments, and that it is not real time (it can take minutes to clear) and thus cannot be used for transactions that require simultaneous exchange, be it a cup of coffee or a house.

The blockchain does not scale well, despite the massively distributed architecture. If its performance is compared with, say, Visa or other significant global payment processors, Visa is rated at 60,000 transactions/sec (TPS), whereas Bitcoin maxes out at 7 TPS. So not only is it expensive, but it can’t cope with real-world volume; it’s just as well that small transactions are deserting the platform.

What started me thinking this time round was the realisation that the amount of power required to “mine” the currency grows and is now significant. While the compensation for the miners is scrip/free, the real cost in electricity, and thus carbon pollution, is significant. This adds to both the internal cost and, more importantly, the external cost. The planet cannot afford the electricity and the carbon footprint needed to virtualise global capitalism’s money supply.

Kai Stinchcombe argues that the lack of regulation is also a disincentive to use cryptocurrencies, examines the Ethereum/DAO hack, and draws the conclusion that, on the whole, society needs contracts to be interpreted by people, not by software.

Money must be a means of exchange and a store of wealth; blockchain cryptocurrencies are struggling and increasingly failing to be the former, and their current price peaks, historic volatility and lack of a regulator suggest they are weak as the latter. Is it just a con? …

Privacy and Big Data

I read Privacy and Big Data by Craig and Ludloff towards the end of 2013. The first chapter is called “The Perfect Storm”. The book lists a number of consumer and corporate computing trends, from Google’s search solution and their clustered file systems to the consumer adoption of cloud storage and the realisation of parallel computing models. There is no question that data is growing at an explosive rate and that new computational models are being developed to use these new volumes of data in timescales appropriate to the human. These new models are of interest both to the new internet companies and to governments, yet, because of both social media and the distributed nature of modern computing, they raise questions of privacy. …