All posts by Ross Anderson

Post-Snowden: the economics of surveillance

Academic papers, News coverage, Politics, Privacy technology, Security economics

After 9/11, we worked on the economics of security, in an attempt to bring back some rationality. Next followed the economics of privacy, which Alessandro Acquisti and others developed to explain why people interact with social media the way they do. A year after the Snowden revelations, it’s time to talk about the economics of surveillance.

In a new paper I discuss how information economics applies to the NSA and its allies, just as it applies to Google and Microsoft. The Snowden papers reveal that the modern world of signals intelligence exhibits strong network effects which cause surveillance platforms to behave much like operating systems or social networks. So while India used to be happy to buy warplanes from Russia (and they still do), they now share intelligence with the NSA as it has the bigger network. Networks also tend to merge, so we see the convergence of intelligence with law enforcement everywhere, from PRISM to the UK Communications Data Bill.

There is an interesting cultural split in that while the IT industry understands network effects extremely well, the international relations community pays almost no attention to it. So it’s not just a matter of the left coast thinking Snowden a whistleblower and the right coast thinking him a traitor; there is a real gap in the underlying conceptual analysis.

That is a shame. The global surveillance network that’s currently being built by the NSA, GCHQ and its collaborator agencies in dozens of countries may become a new international institution, like the World Bank or the United Nations, but more influential and rather harder to govern. And just as Britain’s imperial network of telegraph and telephone cables survived the demise of empire, so the global surveillance network may survive America’s pre-eminence. Mr Obama might care to stop and wonder whether the amount of privacy he extends to a farmer in the Punjab today might be correlated with with amount of privacy the ruler of China will extend to his grandchildren in fifty years’ time. What goes around, comes around.

Small earthquake, not many dead (yet)

Banking security, Internet censorship, Legal issues, News coverage, Politics, Privacy technology, Security economics, Social networks

The European Court of Justice decision in the Google case will have implications way beyond search engines. Regular readers of this blog will recall stories of banks hounding innocent people for money following payment disputes, and a favourite trick is to blacklist people with credit reference agencies, even while disputes are still in progress (or even after the bank has actually lost a court case). In the past, the Information Commissioner refused to do anything about this abuse, claiming that it’s the bank which is the data controller, not the credit agency. The court now confirms that this view was quite wrong. I have therefore written to the Information Commissioner inviting him to acknowledge this and to withdraw the guidance issued to the credit reference agencies by his predecessor.

I wonder what other information intermediaries will now have to revise their business models?

Latest health privacy scandal

Legal issues, News coverage, Politics, Privacy technology, Security economics

Today I gave a talk at the Open Data Institute on a catastrophic failure of anonymity in medical research. Here’s the audio and video, and here are the slides.

Three weeks ago we made a formal complaint to the ICO about the Department of Health supplying a large amount of data to PA Consulting, who uploaded it to the Google cloud in defiance of NHS regulations on sending data abroad. This follows several other scandals over NHS chiefs claiming that hospital episode statistics data are anonymous and selling it to third parties, when it is nothing of the kind.

Yesterday the Department of Health disclosed its Register of Approved Data Releases which shows that many organisations in both the public and private sectors have been supplied with HES data over the past year. It’s amazing how many of them are marked “non sensitive”: even number 408, where Imperial College got data with the with HESID (which includes postcode or NHS number), date of birth, home address, and GP practice. How officials can maintain that such data does not identify individuals is beyond me.

Health privacy: complaint to ICO

Legal issues, News coverage, Politics, Privacy technology, Security economics, Security psychology

Three NGOs have lodged a formal complaint to the Information Commissioner about the fact that PA Consulting uploaded over a decade of UK hospital records to a US-based cloud service. This appears to have involved serious breaches of the UK Data Protection Act 1998 and of multiple NHS regulations about the security of personal health information. This already caused a row in Parliament and the Deparatment of Health seems to be trying to wriggle off the hook by pretending that the data were pseudonymised. Other EU countries have banned such uploads. Regular LBT readers will know that the Department of Health has got itself in a complete mess over medical record privacy.

Financial cryptography 2014

Academic papers, Authentication, Banking security, Cryptology, Privacy technology, Protocols, Security economics, Security engineering, Security psychology, Usability

I will be trying to liveblog Financial Cryptography 2014. I just gave a keynote talk entitled “EMV – Why Payment Systems Fail” summarising our last decade’s research on what goes wrong with Chip and PIN. There will be a paper on this out in a few months; meanwhile here’s the slides and here’s our page of papers on bank security.

The sessions of refereed papers will be blogged in comments to this post.

Health privacy: not fixed yet

Uncategorized

I have written a letter to Stephen Dorrell, the chair of the Health Committee, to point out how officials appear to have misled his committee when they gave evidence there on Tuesday.

It is very welcome that the Health Secretary, Jeremy Hunt, announced he will change the law to ban the sale of our medical records collected via HES and care.data. He acted after it became clear that although officials told the Health Committee that our records collected via care.data could not legally be sold, records collected via a different system (HES) already had been. But that is not all.

Officials also said our records would not be sold abroad, and that only coded data would be extracted rather than free text entered by GPs during consultations. Yet our records were offered for sale in the USA; the Department signed a memorandum of understanding with the USA on data sharing; and CPRD (a system operated by MHRA, the regulator) has been supplying free text for mining.

I also sent Mr Dorrell a previously unpublished briefing I wrote for the European Commission last year on the potential harm that can follow if patients lose confidence in confidentiality. Evidence from the USA and elsewhere suggests strongly that tens of thousands of people would seek treatment late, or not at all.

NHS opt out: not what it seems

Legal issues, News coverage, Politics, Privacy technology

On January 23rd we had a conference call with the NHS Information Centre and a couple of its software suppliers about anonymisation. LBT readers will have followed how your GP records are to uploaded to the new central database care.data for resale unless you opt out. Any previous opt outs from other central systems like SCR will be disregarded (even if you wrote saying you opted out of all central systems), along with opt-outs from regional systems.

We’d been told that if you opted out afresh your data would be uploaded only in anonymised, aggregated form; after all the Prime Minister promised. But I persisted. How will the NHS work out doctors’ bonuses in respect of opted-out patients? Doctors get extra payments for meeting targets, such as ensuring that diabetic patients get eye tests; these used to be claimed by practice managers but are now to be worked out centrally. If the surgery just uploads “We have N patients opted out and their diagnostic codes are R1, R2, R3, …” then officials might have to give doctors the benefit of the doubt in bonus calculations.

It turned out that officials were still dithering. The four PC software vendors met them on January 22nd and asked for the business logic so they could code up the extraction, but officials could not make up their minds whether to respect the Prime Minister’s promise (and human-rights law) or to support the bonus calculation. So here we had a major national programme being rolled out next month, and still without a stable specification!

Now the decision has been taken. If you opt out, all your clinical data will be uploaded as a single record, but with your name, date of birth and postcode removed. The government will simply pretend this is anonymous, even though they well know it is not. This is clearly unlawful. Our advice is to opt out anyway while we lobby ministers to get their officials under control, deliver on Cameron’s promise and obey the law.

Why dispute resolution is hard

Academic papers, Banking security, Legal issues, News coverage, Protocols, Security economics, Usability

Today we release a paper on security protocols and evidence which analyses why dispute resolution mechanisms in electronic systems often don’t work very well. On this blog we’ve noted many many problems with EMV (Chip and PIN), as well as other systems from curfew tags to digital tachographs. Time and again we find that electronic systems are truly awful for courts to deal with. Why?

The main reason, we observed, is that their dispute resolution aspects were never properly designed, built and tested. The firms that delivered the main production systems assumed, or hoped, that because some audit data were available, lawyers would be able to use them somehow.

As you’d expect, all sorts of things go wrong. We derive some principles, and show how these are also violated by new systems ranging from phone banking through overlay payments to Bitcoin. We also propose some enhancements to the EMV protocol which would make it easier to resolve disputes over Chip and PIN transactions.

Update (2013-03-07): This post was mentioned on Bruce Schneier’s blog, and this is some good discussion there.

Update (2014-03-03): The slides for the presentation at Financial Cryptography are now online.