A very rapid betrayal

Legal issues, News coverage, Politics

The coalition Government plans to keep the Summary Care Record, despite pre-election pledges by both the Conservatives and the Liberal Democrats to rip up the system – which is not compliant with the I v Finland judgement of the European Court of Human Rights.

Last year colleagues and I wrote Database State, a report for the Joseph Rowntree Reform Trust, which studied 46 systems that keep information on all of us, or at least a significant minority of us. We concluded that eleven of them were almost certainly illegal under human-rights law, and most of the rest had problems. Our report was well received by both Conservatives and Lib Dems; many of its recommendations were adopted as policy.

Old-timers may recall that back in 1996-7, many of us geeks supported New Labour enthusiastically, as Blair promised not to introduce key escrow. It took him almost a year to renege on that promise; it has taken the coalition less than a month.

Blair’s U-turn on key escrow in 1998 led to the establishment of FIPR, and a two-year fight against what became the RIP Act (where at least we limited escrow to the powers in part 3). What’s the appropriate response now to Cameron and Clegg?

It’s inconceivable that assurances given to farmers, or to soldiers, or to teachers would be tossed aside so casually. Yet half a million of us earn our living in IT in Britain – there’s a lot more of us than of any of them! And many people in other jobs care about privacy, copyright, and other digital issues. So do those of us who care about digital policy have to become more militant? Or do we have to raise money and bribe the ruling parties? Or, now that all three major parties are compromised, should we downgrade our hopes for parliament and operate through the courts and through Europe instead?

Digital Activism Decoded: The New Mechanics of Change

Internet censorship, Legal issues, Politics, Privacy technology, Social networks

The book “Digital Activism Decoded: The New Mechanics of Change” is one of the first on the topic of digital activism. It discusses how digital technologies as diverse as the Internet, USB thumb-drives, and mobile phones, are changing the nature of contemporary activism.

Each of the chapters offers a different perspective on the field. For example, Brannon Cullum investigates the use of mobile phones (e.g. SMS, voice and photo messaging) in activism, a technology often overlooked but increasingly important in countries with low ratios of personal computer ownership and poor Internet connectivity. Dave Karpf considers how to measure the success of digital activism campaigns, given the huge variety of (potentially misleading) metrics available such as page impression and number of followers on Twitter. The editor, Mary Joyce, then ties each of these threads together, identifying the common factors between the disparate techniques for digital activism, and discussing future directions.

My chapter “Destructive Activism: The Double-Edged Sword of Digital Tactics” shows how the positive activism techniques promoted throughout the rest of the book can also be used for harm. Just as digital tools can facilitate communication and create information, they can also be used to block and destroy. I give some examples where these events have occurred, and how the technology to carry out these actions came to be created and deployed. Of course, activism is by its very nature controversial, and so is where to draw the line between positive and negative actions. So my chapter concludes with a discussion of the ethical frameworks used when considering the merits of activism tactics.

Digital Activism Decoded, published by iDebate Press, is now available for download, and can be pre-ordered from Amazon UK or Amazon US (available June 30th now).

Update (2010-06-17): Amazon now have the book in stock at both their UK and US stores.

Digital Activism Decoded

An old scam still works

Academic papers, Banking security, Legal issues, News coverage

In the very first paper I wrote on ATM fraud, Why Cryptosystems Fail, the very first example I gave of a fraud came from the case R v Moon at Hastings Crown Court in February 1992. Mr Moon was a teller at the TSB who noticed that address changes weren’t audited. He found a customer with over £10,000 in her account, changed her address to his, issued a card and pin, and changed the address back. He looted her account and when she complained, she wasn’t believed.

It’s still happening, most recently to a customer of the Abbey. Bank insider issues extra card, steals money, customer blamed – after all, chip and pin is infallible, isn’t it? Expecting banks to keep decent logs might be too much; and I supppose it’s way too much to expect bank fraud staff to read the research literature on their subject.

IEEE best paper award

Academic papers, Awards, Banking security, News coverage, Protocols, Security engineering

Steven Murdoch, Saar Drimer, Mike Bond and I have just won the IEEE Security and Privacy Symposium’s Best Practical Paper award for our paper Chip and PIN is Broken. This was an unexpected pleasure, given the very strong competition this year (especially from this paper). We won this award once before, in 2008, for a paper on a similar topic.

Ross, Mike, Saar, Steven (photo by Joseph Bonneau)

Update (2010-05-28): The photo now includes the full team (original version)

Erasing David

Legal issues, News coverage, Politics

Last night’s documentary Erasing David shows how private eyes tracked down a target by making false pretext telephone calls to the NHS. By pretending to be him they found out when he and his wife were due to attend an ante-natal clinic, and ambushed him as he came out.

The NHS has form on this. Back in 1995 the BMA got me to draw up guidelines for dealing with phone calls; they appeared in the BMJ on Jan 13 1996. When staff at the N Yorks Health Authority were trained to follow these guidelines, they found 30 false-pretext calls a week. When the BMA reported this to the Chief Medical Officer and asked him to implement the protocol throughout the NHS, he was furious at our interference in “his” admninistrative procedures. The NYHA was ordered to stop. I told the story in my book.

I have long considered it unacceptable for the NHS to continue to ignore operational security. The new electronic record systems at a number of hospitals give receptionists access not just to appointment details but to clinical data too. So things are significantly worse than in 1996, and new national systems such as the SCR will compound the problem. The next secretary of state needs to get his act together.

PINs and the burden on customers

Authentication, Banking security

A survey by the Consumers’ Association shows that 10% of cardholders write down or share their PIN. This high proportion surely raises serious doubt about whether it’s fair for banks to claim that such people are “grossly negligent” even if the PIN is well disguised (for example, as part of a phone number in an address book with hundreds of other numbers). And if banks don’t want disabled people to share PINs with carers, they ought to come up with an alternative, or be held to account under disability discrimination laws.

Interestingly, Mark Bowerman (PR for the banks) says in this article that customers should not use the same PIN for multiple cards. We heard him on radio saying exactly the opposite a few years ago. Now he tells people to change PINs to something easy to remember (and easier for criminals to guess).

By giving customers contradictory and impractical advice, the banks are placing an unmeetable burden on them.

The banks also frequently give advice that is simply wrong. Look, for example, at this video by Barclays showing how to enter your PIN at a merchant terminal!

How to get money back from a bank

Banking security, Legal issues, Politics, Security economics

I’ve written enough over the years about people who tried and failed to get money back from banks after seeing transactions on their accounts that they did not recognise. Now I’ve had to go through the process myself.

I got a refund from the NatWest after a dodgy debit appeared on the credit card my wife uses. The bank’s dispute resolution mechanism turned out to be unserviceable, but we got the money back promptly when we sued them in the small claims court. The story is, I believe, an instructive one for people interested in bank security or payment systems regulation.

Continue reading How to get money back from a bank

Protecting Europe against large-scale cyber-attacks

News coverage, Security economics

As on two previous occasions, I’ve been acting as specialist adviser to a House of Lords Committee. This time it was the European Union Committee, who held an inquiry into “Protecting Europe against large-scale cyber-attacks”.

The report is published today and is available in PDF and in HTML. It’s been covered by The Telegraph, the BBC, the Washington Post, and on Parliament’s own TV channel. Interestingly, there’s not all that consensus on what the main story is, or quite what the recommendations were!

Continue reading Protecting Europe against large-scale cyber-attacks

Ineffective self-blocking by the National Enquirer

Internet censorship, Legal issues, News coverage, Politics

It used to be simple to explain how browsing works. You type a link into the browser, the browser asks a DNS server at your ISP to translate the human-friendly hostname into the IP address of the web server, and then the browser contacts the server with an HTTP request requesting the page that you want to view.

It’s not quite that simple any more — which is rather bad news for the National Enquirer, the US tabloid which decided, three years or so ago, following a brush with the UK libel laws, that it would not publish a UK edition, or allow visits to its website from the UK. Unfortunately, the Enquirer’s blocking is no longer working as effectively as it used to.

Continue reading Ineffective self-blocking by the National Enquirer

Panorama looks at unlawful filesharing

Internet censorship, Legal issues, News coverage, Politics

Last night’s Panorama looked at the issue of unlawful filesharing and the proposals within the Digital Economy Bill that the UK Government thinks will deal with it.

The Open Rights Group has criticised the programme for spending too long examing the differences of opinion among music makers, and too little time talking about rights — perhaps that’s an inevitable side effect for fronting the programme with Jo Whiley, a Radio One DJ. This probably increased the audience amongst the under-30s who do a great deal of the file sharing; and for whom this may be the first time that they’ve had the bill’s proposals explained to them. So lose some, win some!

The programme had a number of stunts : they slowed down the broadband of a student household (not only was their MP3 going to take 13 weeks to download, they found they couldn’t effectively look at their email). They got a digital forensics expert to look at a family’s computers, finding copies of LimeWire (tricky stuff forensics!) and portraying this as a smoking gun for unlawfulness. The same expert camped outside the student house and piggybacked on their WiFi (apparently by employing a default password on their broadband router to authorise themselves to have access).

You can also see yours truly:
Richard Clayton on Panorama
demonstrating an anonymity network (it was in fact Tor, but I’d done a little tweaking to ensure that its standard discouragement of file sharing activity didn’t have any impact) : and showing that a Bit Torrent tracker stopped recording me as being in Cambridge, but placed me at the Tor exit node in Germany instead.

I argued that as soon as large numbers of people were getting in trouble for file sharing because they were traceable — then they wouldn’t stop file sharing, but they would stop being traceable.

All in all, within the limitations of a 30-minute prime-time main-channel show, I think the Panorama team provided a good introduction to a complex topic. You can judge for yourself (from within the UK) for the next 7 days on the BBC iPlayer, or in three parts on YouTube (I’m two minutes into part 3, at least until a web blocking injunction bars your access to what might well be an infringement of copyright).