Earl of Erroll

The Earl of Erroll is a Cross Bench Peer who first entered the House of Lords in 1978. He is Secretary of the All Party Parliamentary Group on Communications and Secretary to the All Party Internet Group, and is also on the ISSA UK Executive Advisory Board. He sits on the Local Authority Smartcard Standards e-Organisation (LASSEO), is a member of EURIM and of the Parliamentary Information Technology Committee, is president of the E-business Regulatory Alliance and has a background in computer security and identity management. He can program. He is the founder of the telephony company VoiceXchange and one of the few vocal IT champions in the House of Lords. He has used the phrase "script kiddies" in the House of Lords.

Contacts

House of Lords, London, SW1A 0PW. Tel: 020 7219 3885. Email: errollm@parliament.uk

Issues

Computer Misuse Act

House of Lords debate Police and Justice Bill 10 October 2006

My Lords, does the Minister accept that, actually, the sort of tools that are used to test systems and gain remote access are normally used by hackers to gain access to systems illegally? All of them are very likely to be used for that purpose. That is the trouble. If the Government do not intend to catch all these tools, why does "likely" mean "more likely than not"? These systems will be used for that, whether you like it or not.
...
My Lords, I am not sure whether I am speaking at the right time, but now seems logical. The noble Lord, Lord Lawson, is right. I do not believe that the courts will interpret the word "likely" as meaning more likely than not, because it does not say that. This is trying to catch people advertising on the internet who say, "Here you are. Here are some great hacker tools. Why do you not download these?" The trouble is that people who are trying to supply—possibly without selling—a subsidiary company or part of a group things that will help to maintain, assist or test computer systems will be caught also by this wording. It is impossible to write something to maintain a computer system remotely or test the security of a computer system which can be used only for that purpose. Everything written for that purpose can be turned around by someone who wishes to use it for hacking. As the noble Lord, Lord Lawson, said, it will be used by hackers.
Therefore, the word "likely" means that everyone is prosecutable by the courts. I have heard people say, "They can look at what the Minister said", but unless it is ambiguous there is no requirement to look at the parliamentary debate. The word "likely" is unambiguous. Therefore, I am afraid that the courts will find that the Government have a case just to say, "Well, we can prosecute you". They do not even need to look. The intention behind this was not to prosecute the good guys. Nowhere in the Bill says that. Another sentence saying, "If you are a good guy, we won't prosecute you", would perhaps be all right. Between now and Third Reading, the Government need to think of something that means "more likely than not" or "the primary purpose" or something like that. Otherwise, I will come back with something at Third Reading myself.

Joined with the Earl of Northesk in trying to fix the clause that would make it an offence to release a computer tool that is "likely to be used" in a computer offence.

The second point that occurred to me while listening to the noble Earl, Lord Northesk, is that we need a definition for "likely". Perhaps we should put in an entire legal definition of what we think "likely" is likely to mean when it gets to the courts.


Identity cards

Strongly opposed to the Identity Cards Bill, and still actively giving speeches against it.

The Earl of Erroll said: "An ID card is basically an internal passport. It gives the authorities huge power to control our future movements and other things. It will irretrievably alter the balance between the citizen and the state. Millions have died defending our freedoms. Just because we are frightened of some terrorist attacks, we should not throw away those freedoms lightly."

"The next problem with linking all personal state records isn't a problem if a J Edgar Hoover isn't in charge, but if he is, he can blackmail people who have made some small indiscretion in their past."

"You consider the millions (of pounds) to sort out ID cards. It will cost £584m a year towards an ID card that has not been proven. I could solve a lot of security problems with £584m," said Erroll in a keynote speech. "At the end of the day, people can be seduced too easily. Most people have their price, or they have their ideals,"

The Earl of Erroll House of Lords debates. 15 March 2006 Identity Cards Bill

My Lords, we do not have a power of veto in this House—all we have is the power to delay things. If we keep on voting no, they will then use the Parliament Act. The only consequence of that is that the Home Office will have to vote one more year before it can have its new, shiny, half-a-billion-pound-a-year department to issue the ID cards. That will be the sole consequence. Therefore, we might as well push the matter to the limit to point out that the Magna Carta established the concept that the Executive should not have an unfettered right to do what they want. Since then, Parliament has tried to control the Executive. Unfortunately, the balance of power has changed in another place over the past century in such a way that the Executive to a large extent now control another place and what goes through. The strange doctrine has arisen that the Government have the right to get their business through Parliament—meaning that the Executive have a right to get their business through Parliament. That is the tail wagging the dog and is the opposite of what Magna Carta said. We need to remember that.
The other point, which the noble Lord, Lord McNally, made so well, is that if governments are being elected by a minority of the electorate, what they put in their manifesto statement is very important because that is what the people put them up there to do. For them then to say that they have changed their mind is very dangerous, because you effectively have then elective dictatorship. That is what we are seeing happen. To answer the earlier question, if they had more than 50 per cent or perhaps 60 per cent of the electorate voting for them, maybe we might rethink. But until that situation arises, let us leave it as it is. We do not have a power of veto but we do have a power of delay. I see no problem in using it. It might change things, because it will give people time to think about the issue a bit harder and see whether they really do want to push the Bill through in a year's time.
The right reverend Prelate said that people did not have to worry about things like this a century ago. In the 1850s Britain did not have passports and ID cards, and we could go to the Continent and do what we liked. The continentals could not; they had ID cards, and unless you were either a criminal and bribed your way or one of the ruling elite, you could not move around the place and work where you liked, which is part of the point of this entire debate. I entirely agree with my noble friend Lord Monson, because I am very annoyed that I will be one of the few people who will be liable to a £1,000 fine if I do not notify a change of address quickly enough when I need to renew my passport. Most of the population will be quite free of that obligation.

RIP Act Part III

Worried about a lack of safeguards and clarity in the bill. He spoke at Scrambling for Safety 8.

ZDNet 07 November 2003

Earl of Erroll who muttered that the Home Office was "talking bollocks". This was shortly after Simon Watkin of the HO argued that it was better to widen RIPA's powers now and then tighten up the flaws later. Wearden was so shocked by this example of noble forthrightness that he couldn't be quite sure what the Earl had said, but fortunately his Lordship boldly reiterated his point. "It's the usual load of Home Office bollocks."

The Earl of Erroll House of Lords debates. 12 July 2000 Regulation of Investigatory Powers Bill

My Lords, I have entered the discussion rather late and I am starting to realise the horrors that might be involved. As access to the Internet speeds up at an extremely rapid pace, if the black boxes do not keep up with that and cannot monitor the traffic fast enough, presumably the Government will either have to give up the idea, persuade people to spend a fortune on developing them, or not monitor the traffic.
I may be able to develop a way round the black boxes. My main e-mail currently resides on a server probably based in Seattle as an American service provider provides my mail box. I assume that my communication goes straight across the Atlantic and is downloaded over there. That provider will not have a black box. If I get a cheap link from one of the telecoms providers to take me across the Atlantic for 3p a minute, presumably I can get round the black box by linking into an American ISP over the telephone line. I would love to know whether that is possible as it would solve a lot of problems.

Internet privacy

In favour of Internet privacy.

Regulating the internet is not the answer

Against any moves to water down the Data Protection Act 9 March 2007

"We need to resist this and make sure that it works. Chinese walls are useful but if we are going to use them we have to make sure they work,"
...
"The government wants to increase data sharing to make joined up government more efficient," ... "Change your address once and it will ripple through the entire organisation. It has lots of benefits but huge dangers. Systems need to be able to handle those who are the exception and who do not want their address and data moved around."

Software Patents

Evidence to the Select Committee on Science and Technology, 7 January 2007. Q327 Earl of Erroll: Are some of those software patents inhibiting your efforts to increase security?

Discgate

The Earl of Erroll said the following about data breaches on 23 April 2008:

... Data breaches are going to occur. Which is why I think that we need to not keep all our eggs in one basket. This is where I really do agree with the Information Commissioner that we need to limit the amount of data that is being kept by anyone about us. Because if it's not there it cannot be taken or it cannot be misused, so why are we keeping a whole lot of stuff we don’t use. We always think that we can mine it later to catch the bad guys, actually I think more good guys get hurt than you ever catch bad guys in many of these cases. ...

Data Retention

Questioned human rights implications of storing large amounts of communications data. The Earl of Erroll asked: "Is the directive necessary, legal, and balanced? Will it protect citizens from unnecessary access to confidential information?"

Children's Digital Rights

House of Lords debate Children Act 2004 Information Database (England) Regulations 2007 18 July 2007

If you have a big national database, how do you get it to work? There are some silly things in it. For example, when children go abroad for three or more years, they are taken off the system but archived for six years. But they may come back after eight or nine years, and then everything has to be found out about them and re-entered. There is some stuff in here that will go against its purposes.
...
I turn to setting security standards. ISO 27001 is the industry standard, but I hope that the department has also consulted CESG, which sets much higher standards. A good point was raised earlier about the people working on the database having access to it. Unless the database scheme is encrypted so that the data cannot be accessed by the programmers working on it, there is a huge security problem. Some people will be able to get in through the back door. I was always able to do so in the days when I wrote software and designed systems. Further, if the security systems are too cautious, the same problems will arise as those in one of the hospitals—Nottingham or Northampton—used in the trial runs. It took so long to log on to the system that all that happened was that one person would log on at the beginning of the day and everyone else used that one point of access. In effect, the terminal was left open. Care must be taken to make sure that the security is not unworkable. I warn the Minister about that, just in case.
I am delighted to see that something will be done about increasing the penalties for leaking data and selling data. This has been long needed because something like 30 per cent of all lost data has nothing to do with hackers. That is not the problem these days; rather, the problem lies with people who are authorised to use the system. At the same time, we should look at the powers of the Information Commissioner to check that all the procedures and processes are correct and sensible. At the moment the commissioner has to wait until a complaint is filed and then pretty much has to be invited in by the data controller. Unless he has sufficient powers, he cannot find out what is going wrong.
...
The point about the number of people who will have access to the database is very valid. I have worked out that during a child's life, it is theoretically possible that some 1.5 million people will have had access to that child's database—although it is segmented into local authorities and so on. We have to remember that the turnover in social services is running at about 330,000 people a year. Lastly, some people will be needed to keep an eye on the project to see that it is going well and being run properly. The department should not fall into the same trap as HMRC did when it allowed the same company that provided the system to decide when the benchmarks were going to be run. The department should keep control of when the benchmarks will be run on the project.

Links

News

2009-02-17 - ZDNet - Lord criticises proposed data-sharing law
Author: Tom Espiner
Summary: Merlin, Earl of Erroll, told ZDNet UK that changes to data law brought in by the Coroners and Justice Bill would mean people could "suffer". ... Lord Erroll said that he would oppose the Bill on the grounds that "enforcers" such as HMRC should be separate from "helpers" such as the DWP. "The danger is that some people may suffer, or even die, as a result of not giving information to helpers, because they know that the enforcers will get hold of the data," said Erroll. "We need some serious protection in the law to prevent this. I will be opposing the bill."
2008-09-09 - ZDNet - Peer proposes data super-watchdog
Author: Tom Espiner
Summary: Merlin, Earl of Erroll on Thursday called for two governmental data watchdogs, the Information Commissioner's Office (ICO) and the Office of Surveillance Commissioners (OSC), to be combined. At present, the ICO endeavours to enforce data laws and regulations, while the OSC monitors covert surveillance operations by public sector agencies. ...
2007-12-10 - Information World Review - Lost HMRC data sounds wake up call for security pros
Author: Clement James
Summary: At the CSO Interchange - a forum for chief security officers – held in London recently, 60 per cent of senior security professionals present professed to having only "some idea" as to where their customer data is stored and "limited controls" over it. ... Speaking at the event, cross bench peer, Lord Erroll, a member of the House of Lords Science and Technology Committee, described the recent HMRC data breach as a "godsend". "With luck the missing CDs have ended up in a landfill site but this fiasco will force the government to start taking security seriously and the powers of the Information Commissioner's Office will be strengthened," he said.
2007-11-09 - ZDNet - Government data sharing may harm public trust
Author: Tom Espiner
Summary: The current push by the government towards increased data sharing could backfire, with negative effects for public confidence, according to Merlin, Earl of Erroll, a member of the House of Lords Science and Technology Committee. Speaking on Thursday at a Eurim event addressing social-inclusion issues, he said that schemes such as the National Identity Register — on which the government plans to hold the personal data of every UK citizen — could lead to an over-intrusive state when combined with data sharing between government departments and services. "With increased sharing of data, there is a greater risk of failure of public services due to the greater complexity of systems, but also people may become frightened of being caught," said Lord Erroll. "If you don't tell the DVLA of a change of address, after a month you're liable to a fine of £1,000, and it will be the same under the National Identity Register. I see a problem of linking up government departments and services, like law enforcement, that are seen as enforcers and those seen as helpers, like [social services]."
2007-10-31 - ZDNet - Lords: Government doesn't get internet threat
Author: Tom Espiner
Summary: The UK government has failed to understand the threat to the continued growth of the internet posed by cybercrime, according to the influential House of Lords Science and Technology Committee. ... Lord Erroll told ZDNet.co.uk that the government had "missed the point" of having a data-breach notification law. He said that not only would this give businesses an incentive to better safeguard customer data, but it would also provide law enforcement with accurate figures to judge the scale of the problem and react accordingly. "One challenge to internet security is that there are no real figures on the scale of the problem, and such a law would provide those figures. Primarily, the law would tighten up company procedures, but no-one really knows the scale of the problem," Erroll said.
2007-10-30 - Lords Science and Technology Committee Press Release - Government fails to understand threat to internet
Summary: The Earl of Erroll, a member of the committee that undertook the inquiry, said: "The Government's response is a huge disappointment. We heard compelling evidence of substantial amounts of e-crime and we were entirely persuaded that individuals were unable, on their own, to continue to keep themselves secure." "The Internet relies on the confidence of millions of users, and that confidence is in danger of being undermined unless we can reverse the trends that our witnesses told us about." "We don't know quite how bad things have become today - there are no reliable figures for e-crime. We recommended that the Government set up a group to develop a scheme for recording all forms of e-crime. The reply just says that the Government 'do not see that there is a need' for this. If you have no idea of the scale of the problem, how can you design solutions? Throughout our inquiry we tried to think outside the box, to look ahead ten years at what the Internet might be like, taking into account the emerging risks and challenges today. That's why our recommendations concentrated on incentives - we must ensure that everyone is motivated to improve security. Unfortunately, the Government dismissed every recommendation out of hand, and their approach seems to solely consist of putting their head in the sand."
2007-03-09 - Computing - Cybercrime must be a priority
Author: Tom Young
Summary: Not enough is being done to prevent low-level cyber-crime because it is not a priority to the police or Home Office, according to independent peer Lord Erroll. ... 'E-Crime is climbing steadily, but it's not a Home Office or police priority,' said Erroll. 'There is a feeling that all we need to do is say use a firewall or anti-virus product and lock the doors of your data. This doesn't work. There is no ability to prosecute level two crimes where the amount lost is low because it is below the individual police area's radar.'
2007-01-17 - THE SELECT COMMITTEE ON SCIENCE AND TECHNOLOGY - PERSONAL INTERNET SECURITY
2006-08-15 - BBC - Police decryption powers 'flawed'
Summary: The government faces criticism over plans to give police powers to make suspects produce readable copies of encrypted computer evidence. The Earl of Erroll, a cross-bench member of the House of Lords, said there was a real danger of "scope creep" in which the powers given for use in specific circumstances were turned to other purposes they were never intended to tackle.
2006-08-12 - The Register - Public debate on electronic snooping
Summary: There will also be experts from Cambridge University, London Metropolitan University, Privacy International and University College London, representatives of the Home Office and Ministry of Defence, Lord Phillips of Sudbury and The Earl of Erroll from the House of Lords, and Caspar Bowden, ex-director of the information society think tank, the Foundation for Information Policy Research.
2006-05-08 - vnunet.com - Jury stays out on new e-crime regime
Author: Phil Muncaster and Martin Courtney
Summary: However, some attendees, including security lobbyist Lord Erroll, Sir Merlin Hay, said they were concerned that firms may now be discouraged from disclosing information about attacks on their networks, because local police might not have the right expertise, and the NHTCU’s Confidentiality Charter is no longer in place. "It will be interesting to see how [Soca] beds down," said Hay. "The people in it are good, but it worries me that new police agencies are being set up with huge powers but outside the Police Act – I’d like to see more democratic accountability."
2006-04-28 - vnunet.com - E-crime experts reserve judgement on Soca
Author: Phil Muncaster
Summary: keynote speaker Lord Erroll, Sir Merlin Hay, said he was concerned that firms may now be discouraged from disclosing information about attacks on their networks. "It will be interesting to see how [Soca] beds down," he said. "The people in it are good, but it worries me that new police agencies are being set up with huge powers but outside the Police Act – I’d like to see more democratic accountability."
2006-04-27 - ZDNet - Schneier: ID cards will worsen ID theft
Author: Tom Espiner
Summary: The government's controversial ID card scheme attracted more criticism this week, this time from security expert Bruce Schneier and Lord Erroll. Merlin, Lord Erroll, speaking at the Infosecurity conference on Tuesday, also criticised the scheme for the amount it would cost, saying the money could be better spent on security schemes that focused on e-crime and criminals, rather than a blanket ID card that also logged the details of innocent people. "You consider the millions (of pounds) to sort out ID cards. It will cost £584m a year towards an ID card that has not been proven. I could solve a lot of security problems with £584m," said Erroll in a keynote speech. "At the end of the day, people can be seduced too easily. Most people have their price, or they have their ideals," said Erroll.
2006-04-25 - silicon.com - 'E-crime, not ID cards should be top priority'
Author: Dan Ilett
Summary: The government is ploughing too many resources into the ID cards scheme while failing to provide resources to fight e-crime, a member of the House of Lords has claimed. Lord Erroll today said plans to roll out ID cards in the UK have been promoted by the government as a way of fighting crime but he questioned their validity.
2006-03-09 - The Guardian - Techno world has MPs beat
Author: Richard Sarson
Summary: The ID card has absorbed a good deal of parliamentary time but many MPs and peers still tend to log off from matters technological. ... Merlin Erroll (the Earl of Erroll, a hereditary cross-bench peer) is the founder of telephony company VoiceXchange and the most vocal IT champion in the House of Lords. He puts it more forcibly: "If no members of either house know anything about IT, then bureaucrats will take control of our lives, or pretend they can do things they can't."
2006-01-17 - The Guardian - A case of mistaken ID
Author: Simon Hoggart
Summary: To the House of Lords for a debate on ID cards. ... Finally we heard from the Earl of Erroll, whose quite magnificent Who's Who entry reads: "Baron of Slaines, 28th hereditary High Constable of Scotland, Gaelic title Mac Garod Mor, 33rd Chief of the Hays, Senior Great Officer, Royal Household in Scotland, computer consultant." It was in the last capacity from this roll of Gaelic glory that he too opposed the government.
2006-01-17 - silicon.com - ID cards bill in crisis after major defeat in Lords
Author: Andy McCue
Summary: The government's controversial ID card plans have suffered a major defeat in the House of Lords with peers refusing to approve the bill until a detailed cost breakdown of the scheme is made public. The Earl of Erroll, who has a background in computer security and identity management, said the ID cards will provide no benefit to the citizen and joked that people would be more likely to use it to scrape the ice off their car windscreens in winter.
2006-01-13 - ZDNet - ISPs, telcos and police voice fears over data retention cost
Author: Tom Espiner
Summary: The data retention directive contains some serious flaws but the most serious is that it does not make clear who will pay for it, experts say. ... Questions were also raised about the human rights implications of storing large amounts of communications data. The Earl of Erroll, President of the E-business Regulatory Alliance, an organisation that examines legal and regulatory issues in Brussels and Westminster, asked: "Is the directive necessary, legal, and balanced? Will it protect citizens from unnecessary access to confidential information?" The Home Secretary, Charles Clarke, gave an assurance that human rights legislation would be conformed to.
2004-11-20 - silicon.com - Civil Service deletes millions of emails
Author: Dan Ilett
Summary: The Cabinet Office denied on Monday that millions of emails are being deleted in response to a law that will make government information available to the public from 1 January. Lord Erroll, member of European internet security lobbyist EURIM, said: "It's impractical and they're working on an idiotic time scale to do this. But the CO might think what they have is embarrassing. The time scale is unrealistic and there will be some miscarriages of justice. It's a knee-jerk reaction and will have an effect on useful information in cases. If they do purge emails that are only three months old, a lot of background information on things will be lost for good." ... "We should be embracing data and storage," said Erroll. "If we'd only behave more seriously towards emails and realise they are more akin to people talking rather than official documents."
2003-11-07 - ZDNet - Comicbook hero does battle with Spiderman, The Matrix, consultants and the Earl of Erroll?
Author: Rupert Goodwin
Summary: You can read his report of the event in the news section but a couple of points were left out. One was the contribution of the Earl of Erroll who muttered that the Home Office was "talking bollocks". This was shortly after Simon Watkin of the HO argued that it was better to widen RIPA's powers now and then tighten up the flaws later. Wearden was so shocked by this example of noble forthrightness that he couldn't be quite sure what the Earl had said, but fortunately his lordship boldly reiterated his point. "It's the usual load of Home Office bollocks." Couldn't have put it better myself.
2002-11-08 - vnunet.com - Regulating the internet is not the answer
Author: SA Mathieson
Summary: The Earl of Erroll, a peer who worked in the IT industry for many years, suggested that most people are not interested in online privacy. "Eighty to 90 per cent of people couldn't give a damn, and they are perfectly right, because there is absolutely nothing they are doing that is of interest to the authorities. They would prefer more joined-up government, and most assume that the government has access to their records anyway," he said. But he pointed to the case of the Paddington rail crash campaigner who was checked for political affiliation by Labour party researchers, as leaked emails later revealed. People can suddenly become of interest, and then they do want privacy, said the earl. "What happens when someone has increased power to access these records? If government databases are linked properly, through biometrics, it would be much easier to pin down individuals," he said.
2002-03-21 - vnunet.com - Technology to the rescue
Summary: LORD ERROLL - Cross-bencher, formerly of electronic wallet designer Girovend Holdings "There are problems with personal ID (providing citizens with a single way of accessing state and other services, floated briefly by Labour last autumn). "It looks great, as you don't have to carry lots of cards around, but if someone steals your ID they can use it for absolutely everything." "The next problem with linking all personal state records isn't a problem if a J Edgar Hoover isn't in charge, but if he is, he can blackmail people who have made some small indiscretion in their past. It's the executive, not elected politicians, who would have access to these." "The Prevention of Terrorism Act permits trawling of lots of information, for anything they like, then it can be used for anything they like. There are huge powers, if misused. The Act should be renewed every year."