On the 5th of December I gave a talk at a journalists’ conference on what tradecraft means in the post-Snowden world. How can a journalist, or for that matter an MP or an academic, protect a whistleblower from being identified even when MI5 and GCHQ start trying to figure out who in Whitehall you’ve been talking to? The video of my talk is now online here. There is also a TV interview I did later, which can be found here, while the other conference talks are here.
Enjoy!
Ross
In previous posts I told the story of how Britain’s curfew tagging system can fail. Some prisoners are released early provided they wear a tag to enforce a curfew, which typically means that they have to stay home from 7pm to 7am; some petty offenders get a curfew instead of a prison sentence; and some people accused of serious crimes are tagged while on bail. In dozens of cases, curfewees had been accused of tampering with their tags, but had denied doing so. In a series of these cases, colleagues and I were engaged as experts, but when we demanded tags for testing, the prosecution was withdrawn and the case collapsed. In the most famous case, three men accused of terrorist offences were released; although one has since absconded, the other two are now free in the UK.
This year, a case finally came to trial. Our client, to whom we must refer simply as “Special Z”, was accused of tag tampering, which he denied vigorously. I was instructed as an expert along with my colleague Dr James Dean of Materials Science. Here is my expert report, together with James’s report and addendum, as well as a video of a tag being removed using much less than the amount of force required by the system specification.
The judge was not ready to set a precedent that could have thrown the UK tagging system into chaos. However, I understand our client has now been released on other grounds. Although the court did order us to hand back all the tags, and fragments of broken tags, so as to protect G4S’s intellectual property, it did not make a secrecy order on our expert reports. We publish them here in the hope that they might provide useful guidance to defendants in similar cases in the future, and to policymakers when tagging contracts come up for renewal, whether in the UK or overseas.
Like many in the tech world, I was appalled to see how the security and intelligence agencies’ spin doctors managed to blame Facebook for Lee Rigby’s murder. It may have been a convenient way of diverting attention from the many failings of MI5, MI6 and GCHQ documented by the Intelligence and Security Committee in its report yesterday, but it will be seriously counterproductive. So I wrote an op-ed in the Guardian.
Britain spends less on fighting online crime than Facebook does, and only about a fifth of what either Google or Microsoft spends (declaration of interest: I spent three months working for Google on sabbatical in 2011, working with the click fraud team and on the mobile wallet). The spooks’ approach reminds me of how Pfizer dealt with Viagra spam, which was to hire lawyers to write angry letters to Google. If they’d hired a geek who could have talked to the abuse teams constructively, they’d have achieved an awful lot more.
The likely outcome of GCHQ’s posturing and MI5’s blame avoidance will be to drive tech companies to route all the agencies’ requests past their lawyers. This will lead to huge delays. GCHQ already complained in the Telegraph that they still haven’t got all the murderers’ Facebook traffic; this is no doubt due to the fact that the Department of Justice is sitting on a backlog of requests for mutual legal assistance, the channel through which such requests must flow. Congress won’t give the Department enough money for this, and is content to play chicken with the Obama administration over the issue. If GCHQ really cares, then it could always pay the Department of Justice to clear the backlog. The fact that all the affected government departments and agencies use this issue for posturing, rather than tackling the real problems, should tell you something.
The 2015 Workshop on the Economics of Information Security will be held at Delft, the Netherlands, on 22-23 June 2015. Paper submissions are due by 27 February 2015. Selected papers will be invited for publication in a special issue of the Journal of Cybersecurity, a new, interdisciplinary, open-source journal published by Oxford University Press.
We hope to see lots of you in Delft!
Last year I taught a systems course to students on the university’s Masters of Public Policy course (this is like an MBA but for civil servants). For their project work, I divided them into teams of three or four and got them to write a case history of a public-sector IT project that went wrong.
The class prize was won by Oliver Campion-Awwad, Alexander Hayton, Leila Smith and Mark Vuaran for The National Programme for IT in the NHS – A Case History. It’s now online, not just to acknowledge their excellent work and to inspire future MPP students, but also as a resource for people interested in what goes wrong with large public-sector IT projects, and how to do better in future.
Regular readers of this blog will recall a series of posts on this topic and related ones; yet despite the huge losses the government doesn’t seem to have learned much at all.
There is more information on our MPP course here, while my teaching materials are available here. With luck, the next generation of civil servants won’t be quite as clueless.
I’m liveblogging WEIS 2014, as I did for WEIS 2013, 2012, 2011, 2010 and 2009. This is the thirteenth workshop on the economics of information security, and the sessions are being held today and tomorrow at Penn State. The panels and refereed paper sessions will be blogged in comments below this post.
Jim Graves, Alessandro Acquisti and I are giving a paper today at WEIS on Experimental Measurement of Attitudes Regarding Cybercrime, which we hope might nudge courts towards more rational sentencing for cybercrime.
At present, sentencing can seem somewhere between random and vindictive. People who commit a fraud online can get off with a tenth of what they’d get if they’d swindled the same amount of money face-to-face; yet people who indulge in political activism – as the Anonymous crowd did – can get hammered with much harsher sentences than they’d get for a comparable protest on the street.
Is this just the behaviour of courts and prosecutors, or does it reflect public attitudes?
We did a number of surveys of US residents and found convincing evidence that it’s the former. Americans want fraudsters to be punished on two criteria: for the value of the damage they do, with steadily tougher punishments for more damage, and for their motivation, where they want people who hack for profit to be punished more harshly than people who hack for political protest.
So Americans, thankfully, are rational. Let’s hope that legislators and prosecutors start listening to their voters.
Today Robert Brady and I will be giving a seminar in Cambridge where we will explain Yves Couder’s beautiful bouncing droplet experiments. Droplets bouncing on a vibrating fluid bath show many of the weird phenomena of quantum mechanics including tunneling, diffraction and quantized orbits.
We published a paper on this in January and blogged it at the time, but now we have more complete results. The two-dimensional model of electromagnetism that we see in bouncing droplets goes over to three dimensions too, giving us a better model of transverse sound in superfluids and a better explanation of the Bell test results. Here are the slides.
The talk will be at 4pm in the Centre for Mathematical Sciences.
Here are videos of two talks I gave when visiting the Technion in Haifa, one on Safety and privacy – health systems in the age of biodata and the second on How can we recover from protocol failure?. There’s also an audio recording of a talk I gave last week at Birmingham on security psychology (slides).
I’m liveblogging the Workshop on Security and Human Behaviour which is being held here in Cambridge. The participants’ papers are here and the programme is here. For background, see the liveblogs for SHB 2008-13 which are linked here and here. Blog posts summarising the talks at the workshop sessions will appear as followups below, and audio files will be here.