Category Archives: News coverage

Media reports that may interest you

A wrecking amendment ?

Internet censorship, Legal issues, News coverage, Politics

For the past few months the Digital Economy Bill (DEB) has been quietly making its way through the House of Lords. As is the way of these things, large numbers of amendments have been proposed, their lordships have had a series of mini-debates on each set of issues, and the Government have been busily amending the Bill in an attempt to fix all the things that they didn’t think through properly.

The main thrust of the DEB’s approach to dealing with unlawful file sharing of copyright material has been a “three strikes” policy. That is, should you be detected to be sharing some popular beat combo’s music without permission, then on the first two occasions you’d receive an admonishing letter, and on the third time then you would be subject to “technical measures” (ie: very slow Internet speeds) or disconnection, the latter doubtless annoying the rest of your family as they would be unable to visit DirectGov / keep up their social life / catch-up TV shows / do their homework / avoid being sacked from their work-from-home job!

However, the Government are concerned that this won’t be enough, and that unlawful sharing of copyright material might occur in new ways in future. So in clause 17 of the DEB they set out a scheme for amendment (in ways that would be decided as future circumstances required) of the Copyright, Designs and Patents Act 1988 through secondary legislation.

It is unusual to grant such open ended powers to amend primary legislation, because Parliament would be presented with an unamendable statutory instrument and invited to vote for it — no such SI has been defeated in the House of Lords since 2000, and the time before that was in 1968.

There was an outcry over the breadth of clause 17, and so the Government set out amendments to restrict it — but last week peers voted for an opposition amendment (120A) to have an alternative arrangement altogether, a regime of High Court injunctions that would force ISPs to block websites.

This is such a dumb (and dangerous) idea that it has all the characteristics of a wrecking amendment, added to the Bill just to eat up parliamentary time so that the whole Bill will fall at the dissolution for the upcoming election.

Continue reading A wrecking amendment ?

More on the SCR

Legal issues, News coverage, Politics

Two weeks ago I posted about the Summary Care Record, a project to centralise medical records in England and Wales under the pretext that central records might be useful in emergency care. At the time, I wrote to the Cabinet Secretary asking whether it was appropriate to use taxpayers’ funds to leaflet millions of homes on a politically sensitive topic during an election campaign; I haven’t yet got a reply.

Doctors’ leaders are now alarmed. Patients are being misinformed, and opt-out is being made difficult.

The information being given to patients is false and misleading. The SCR promotional leaflet says anyone who has access to your records … must be directly involved in caring for you. However, large numbers of officials will have access. And as I already noted, the SCR isn’t as helpful in emergencies as it’s spun. Its purpose is actually different: to provide the basis for a centralised electronic patient record for everyone.

Doctors have noted that in the pilot areas, seven out of ten patients are unaware that an SCR was created for them. The patient information packs don’t contain an opt-out form; you’re supposed to phone the call centre for one. Over two hundred thousand people have downloaded an opt-out letter from www.thebigoptout.org; now the NHS says it wants doctors to ignore this and get everyone who wants to opt out to use this form instead (which GPs can’t order in bulk).The roll-out is rushed and displays typical incompetence: for example, some patients have been sent other patients’ letters. I am sure this story will run and run.

Opting out of health data collection

Legal issues, News coverage, Politics

The Government is rolling out a system – the Summary Care Record or SCR – which will make summaries of medical records available to hundreds of thousands of NHS staff in England. Ministers say it will facilitate emergency and unscheduled care, but the evidence in favour of such systems is slight. It won’t be available abroad (or even in Scotland) so if you are allergic to penicillin you’d better keep on wearing your dogtag. But the privacy risk is clear; a similar system in Scotland was quickly abused. Colleagues and I criticised the SCR in Database State, a report we wrote on how government systems infringe human rights.

Doctors have acted at last. The SCR is being rolled out across London, and the Local Medical Committees there have produced a poster and an opt-out leaflet for doctors to use in their waiting rooms. The SCR is also political: while Labour backs it, the Conservatives and the Lib Dems oppose it. Its roll-out means that millions of leaflets will be distributed to voters, pardon me, patients in London extolling its virtues. A cynic might ask whether this is a suitable use of public funds during an election campaign.

Chip and PIN is broken

Academic papers, Banking security, Legal issues, News coverage, Politics

There should be a 9-minute film on Newsnight tonight (10:30pm, BBC Two) showing some research by Steven Murdoch, Saar Drimer, Mike Bond and me. We demonstrate a middleperson attack on EMV which lets criminals use stolen chip and PIN cards without knowing the PIN.

Our technical paper Chip and PIN is Broken explains how. It has been causing quite a stir as it has circulated the banking industry privately for over 2 months, and it has been accepted for the IEEE Symposium on Security and Privacy, the top conference in computer security. (See also our FAQ and the press release.)

The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say “Verified by PIN”.
Continue reading Chip and PIN is broken

Relay attack featured on Dutch TV

Academic papers, Banking security, News coverage

Yesterday, the Dutch TV programme “Goudzoekers” featured Saar Drimer and me demonstrating a relay attack against the recently introduced Chip and PIN system in The Netherlands. The video can be found online, in both Windows Media or Silverlight formats as well as Flash below. The production team have published a synopsis (translated version) on their blog, and today there have been some follow-ups in the press, for example De Telegraaf (translated version).

Continue reading Relay attack featured on Dutch TV

When is a leak not a leak ?

Internet censorship, News coverage

WikiLeaks have decided to save other people some bandwidth and make some of my powerpoint slides available on their site. Since they usually publish censored or confidential information, they’re presumably completely unaware of how these slides have been available to the public from two different websites since the day of the talk.

Remarkably similar slides (I’m often lazy!) were also presented in talks I have given this year to INEX (the Irish Internet Exchange Point) [slides here], to EuroBSDCon [slides here] and the BCS (Herts branch) [slides here].

These talks have been covered various technical aspects of the blocking of child sexual abuse images for sites that appear on the IWF list. I’ve been mentioning the blocking of Wikipedia just over a year ago, and the blocking of archive.org up to last February. However, I’ve also thrown in a couple of slides about some more recent research, yet to be published, which explores a different way of determining what is on the IWF list. That seems to have been what has interested WikiLeaks.
Continue reading When is a leak not a leak ?

What does Detica detect?

Legal issues, News coverage, Privacy technology

There has been considerable interest in a recent announcement by Detica of “CView” which their press release claims is “a powerful tool to measure copyright infringement on the internet”. The press release continues by saying that it will provide “a measure of the total volume of unauthorised file sharing”.

Commentators have divided as to whether these claims are nonsense, or whether the system must be deeply intrusive. The main reason for this is that when peer-to-peer file sharing flows are encrypted, it is impossible for a passive observer to know what is being transferred.

I met with Detica last Friday, at their suggestion, to discuss what their system actually did (they’ve read some of my work on Phorm’s system, so meeting me was probably not entirely random). With their permission, I can now explain the basics of what they are actually doing. A more detailed account should appear at some later date.
Continue reading What does Detica detect?

RIP memes

News coverage, Politics

There was a discussion a little while back on the UKCrypto mailing list about how the UK Regulation of Investigatory Powers Act came to be so specifically associated in the media with terrorism, when it is far more general than that ( see for example: “Anti-terrorism laws used to spy on noisy children” ).

I suggested that this “meme” might well be traced back to the Home Office website’s quick overview text which used to say (presumably before they thought better of it):

The Regulation of Investigatory Powers Act (RIPA) legislates for using various methods of surveillance and information gathering for the prevention of crime including terrorism.

Well, I’ve just noticed another source of memes (which may be new, since Google are continually experimenting with their system. or which may have been there for simply ages, unnoticed by me at least).
Continue reading RIP memes