November 12, 2006 | Glyn Wintle

Trustguide and ID Cards

Trustguide reports on our views, beliefs and needs regarding trust, security and privacy in relation to new technologies. We like it very much - It should be required reading for politicians! Over the last 15 months HP and BT, in conjunction with the DTI, hosted workshops across the UK on a broad range of topics (detailed below). The document is full of participant-responses and is a treasure trove of quotes for journalists.

Topics under consideration:

  • Trust versus risk
  • E-Commerce: Risk and Responsibility
  • Factors that impact on risk taking
  • Mitigated risk
  • ID cards: An aid to security?
  • Use of Biometric data
  • Privacy and health information
  • E-Government and Public Sector IT
  • Awareness and education
  • Use of public access terminals

On the issue of ID Cards, Trustguide concludes we are more concerned with increased vulnerability resulting from a flawed system, than the apparent threat to security which it purports to address. This attitude was revealed despite presenting ID cards as an aid to security and a means of easily identification and authentication.

“I feel more vulnerable having all my data like personal details held in one place electronically than I would having ten separate paper documents held in different places.” “Everything I’ve read on ID cards shows that they are just crossing their fingers; they actually believe that it will be secure and I don’t believe that, not at all.”

Some participants described the cards and database as significantly modifying the relationship between our government and the people, in that all pervasive surveillance is now acceptable. Indeed, some interpet the shift as a sign that government no longer trusts its citizens.

“One of the fundamental problems with ID cards to me is they change the relationship between the citizen and the government of the country.” “If ID cards are brought in it’s now officially legitimate for the government to know who I am and where I am all the time, no matter where that is and it’s officially legitimate. We can no longer complain about CCTV cameras and car registrations and GPS cell phones because we’ve passed legislation saying the government has a right to know who I am and where I am any time they want.”

Very few thought ID cards would aid personal or national security. Concerns were instead directed at Government’s ability to securely hold ID data.

“I don’t think the government are very good at IT and it’s bound to get hacked.” “It won’t make us more secure, that’s rubbish, it’s a hacker’s dream, terrorists will be the first people to hack into it.” “If the government isn’t going to be open about what they’re doing then that means the security must be poor because nobody is checking it, nobody is pointing out the mistakes they’re making, so somebody will find a way in. There may be all these secret plans for what will happen if it goes wrong but surely they should be open about it, if we’re supposed to trust them.”

As NO2ID have stated repeatedly - its not the card that is the threat, but the accompanying database. Trustguide shows the general population now also shares this concern.

“It’s not so much the card that’s the problem as the database, the fact that the government are putting all the data they have about me in one place creates vulnerability. It’s nothing to do with the card itself.”

Approximately half of workshop attendees said they would not voluntarily carry an ID card as described by the current ID Card Bill.

“Why should I allow the State to hold information about me? To what purpose? Who’s in charge of my life, me or the State?”

Concerns were also expressed in terms of function or mission creep. This results from a lack of foresight in how gathered data will be used, particulary how the data might be applied in future. Finally, there was little faith in ID cards achieving Government's stated objectives.

[Read more] (3 comments)

November 07, 2006 | Suw Charman Anderson

Release The Music: Final speaker confirmed

We have finally confirmed our line-up for the Release The Music event on Monday 13 November at the Conway Hall in Holborn, with the addition of Richard Mollet from the British Phonographic Industry. 6.00pm - Registration 6.30 - 7.30pm - Professor Jonathan Zittrain, Oxford University 7.30 - 8.30pm - Should the term of copright protection on sound recordings be extended? Moderator: John Howkins, Adelphi Charter For: Richard Mollet, Director of Public Affairs, BPI; Martin Talbot, Editor, Music Week Against: Dave Rowntree, Blur; Caroline Wilson, Southampton Law School 8.30 - 10.00pm - A pre-1955 DJ set 10.00pm - Close There are still tickets left, so sign up now if you would like to come. releasethemusic

[Read more]

November 06, 2006 | Suw Charman Anderson

Dave Rowntree to speak at Release The Music

I'm delighted to announce that Dave Rowntree from Blur will be taking part in our debate about the extension of the term of copyright protection for sound recordings. He'll join Caroline Wilson from the University of Southampton, School of Law arguing against extension, and will be facing Martin Talbot, Editor of Music Week and an as yet unnamed music industry representative who will be arguing in favour. John Howkins from the Adelphi Charter will moderate.

Our keynote speaker will be Professor Jonathan Zittrain, Chair in Internet Governance and Regulation at Oxford University. We'll make sure that there will be plenty of opportunities for questions from the floor after both the keynote and during the panel discussion.

We're also arranging for the event to be recorded, and hope to be able to post both audio and video afterwards. We can't live stream it, unfortunately, because the venue doesn't have internet access.

If you want to come, please sign up online for your free tickets. Details are:

Date Nov 13, 2006

Time 6:00 pm - 10:00 pm

Location Conway Hall 25 Red Lion Square London, WC1

We hope to see you there!

[Read more]

November 06, 2006 | Michael Holloway

As the world pulls back from e-voting, the UK opts for more pilots

Guest post by Jason Kitcat

Summary: This post summarises the newly announced UK e-voting pilots for 2007 and provides action you can take to help stop the pilots.

On October 17th the Department for Constitutional Affairs and the Electoral Commission officially announced a prospectus for electoral pilots in May 2007. Pilots can include:

* Internet voting * Telephone voting * Polling place electronic voting machines * Electronic counting * Administrative innovations such as early voting

Explicitly excluded are text message voting, digital TV voting and all-postal voting.

Local authorities have been given until 17th November to apply to run a pilot in their area, although it’s clear that at least some authorities were already preparing their applications before the announcement.

This announcement comes at a time when e-voting has been increasingly recognised around the world as a threat to democratic elections. For example:

* The Netherlands has withdrawn e-voting machines by one manufacturer due to vulnerabilities including emitting radio signals which reveal how votes are being cast. The other brand used has been the subject of a widely reported analysis finding multiple major vulnerabilities. more info

* The Canadian province of Quebec has withdrawn all electronic voting machines from elections. This was after a damning report by the province’s chief electoral office into a controversial and problematic election in 2005. more info

* The Republic of Ireland has a moratorium on the use of their e-voting machines after an independent commission found significant problems. more info

* A Japanese municipal authority have shelved e-voting after the result of a 2003 council election was voided. more info

The United States was the first country to make widespread use of voting machines, starting with the lever machines in 1892. Since the 1970s, when electronic machines began to be used, there have been many detailed reports on the fraud, errors and usability problems experienced culminating in the infamous 2000 Presidential election.

Whether allegations can be proved or not, the doubt that electronic voting systems sow in the minds of voters make any outcome open to debate, which ends up undermining our democracy. Because the results are electronic it’s impossible to know what really happened, whether votes were really stored as the voters intended of if they were changed later on.

E-voting makes fraud on an unimaginable scale possible as never before. Electoral fraud is a problem we need to deal with in this country, as recent convictions have shown.

E-voting, unlike e-commerce, is a difficult technical problem where you need to ensure that voters are who they say they are, that they haven’t already voted and can do so secretly. Remote e-voting, from home or work, threatens our secret vote opening electors to vote-buying, peer pressure and threats. E-voting is also incredibly expensive, for a Sheffield pilot the cost was at least £55 per vote cast!

More information about e-voting:

* Communications of the ACM: Special Issue on E-Voting * Jason Kitcat’s e-voting pages * Rebecca Mercuri’s e-voting pages * Louise Ferguson’s e-voting pages * Voting Machines Pro Con (US site but a useful, balanced, overview)

What can we do about it?

There is easy immediate action we can take to stop pilots happening. A pilot will only be approved if a local council applies to take part. So until the application deadline of 17th November we need to ask councillors to get assurances that your council won’t be applying to run an e-voting pilot.

Brighton & Hove and Camden Councils have already ruled out pilots thanks to people contacting their councillors

The areas most likely to apply are those who have already run an e-voting or e-counting pilot so if you live in one of the following areas it’s vital that you take action:

* Basingstoke & Deane Borough Council * Bolton Metropolitan Council * Broxbourne Borough Council * Chester City Council * Chester-le-Street District Council * Chorley Borough Council * Crewe & Nantwich Borough Council * Derwentside District Council * Epping Forest District Council * Ipswich Borough Council * Kerrier District Council * Liverpool City Council * London Borough of Newham * Rugby Borough Council * Rushmoor Borough Council * St Albans City & District * Sheffield City Council * Shrewsbury & Atcham Borough Council * South Tyneside Metropolitan Borough Council * South Oxfordshire District Council * South Somerset District Council * South Tyneside Council * Stratford on Avon District Conucil * Stroud District Council * Swindon Borough Council * Vale Royal Borough Council * Wear Valley District Council * City of Westminster

Contact your councillor via WriteToThem politely asking them to ensure your council doesn’t waste local tax payers’ money on electronic voting pilots. Remember to do it before 17th November!

Please email me the responses you get.

We will be organising an e-voting event in the New Year and will let you know more about that soon.

[Read more]

November 06, 2006 | Suw Charman Anderson

Seven days to apply

If you are interested in taking over the role of Executive Director of the Open Rights Group, don't forget that our deadline for applications is 13 November, i.e. next Monday. More information on this blog post.

[Read more]

October 27, 2006 | Suw Charman Anderson

Release The Music asks: Are you a blogger or podcaster?

If you write a music/MP3 blog, a law/copyright blog, or you are a podcaster and would like to come to the ORG press briefing on copyright term extension for sound recordings, 2pm on Monday 13th November, please contact Michael with your URL and preferred email address and we'll send you a proper invitation with all the details. We have very few places, so please contact us as soon as possible.

[Read more]

October 27, 2006 | Glyn Wintle

Key UK Software Patent Ruling

The Court of Appeal has ruled on two cases involving software patents today. It rejected one and unfortunately granted the other. It was hoped that the ruling would confirm that software development which relates only to new business logic does not have to worry about patent threats. As more and more companies in the United States get tied up in business method patent litigation, this decision should be a worry for UK companies. The full ruling is here, for those of you that are really keen. If you want some more details or are a member of the press I recommend you check out the FFII's comments on the Court of Appeal Judgement in Macrossan and Aerotel.

These two cases are of vital interest to anyone concerned with the ongoing debate over the patentability of software and business methods in the UK and Europe. Both of the cases at issue concern patents in the area of software and business methods and so the appeal presented a historic opportunity for the UK courts to reaffirm the clear exclusion of these areas from the scope of patentability as well as to send an important signal to legislators and patent officials at the European level. It has not done so.

Aerotel’s patent that was granted today claims the making of telephone calls using prepayments. The essential idea is to have a telephone exchange which keeps a record of clients’ credit. Clients can then dial into the exchange, and have their calls completed for as long as they have credit to pay for them.

Why are these cases so important? High Court decisions do not establish binding precedents on other High Court cases, but decisions by the Court of Appeal do bind lower courts. Today's decision is the first time the Court of Appeal have ruled on software and business method patentability since 1997, and gives a definitive statement of the UK law in this area.

Both patents do not contain anything novel except new administrative or business logic, with solely administrative and business consequences. At stake was not only the Court of Appeal's decision, but how it decides it. We will be looking closely at these rulings and posting again to provide you more information.

Macrossan’s patent application was rejected by the UK Patent Office. In the High Court, Macrossan appealed against this rejection, but the appeal was dismissed by Judge Mann, finding that although not specifically a business method, it was a method of performing a mental act by a computer. It has been described by one software contractor as an absolutely conventional “fill-in-the-blanks website that picks the right docs based on guided answers, then fills them in appropriately and disgorges them wherever required”. The only new idea was to apply this to the documents needed to incorporate a company. Quite rightly this patent was rejected today on appeal.

[Read more] (1 comments)

October 26, 2006 | Suw Charman Anderson

UKNOF5: Richard Clayton - Content Filtering

Just popped in to the 5th UK Network Operators Forum to hear ORG advisory Council member Richard Clayton talk on content filtering. Here are my notes: Overview - content blocking system taxonomy - overblocking and other problems - avoiding the blocking altogether - attacking the blocking system - Cleanfeed and the 'oracle attack' - the IWF web site list - the political landscape Taxonomy Three ways of blocking content - DNS poisoning; you arrange for your DNS server to provide the wrong results, so when you look up, say, you are sent to the wrong site and will not find the content you're looking for. Low cost, highly scalable. Can blog an indefinite no. of domains - Blackhole routing; dropping the packets to the bad site. Also low cost, but limited, so will not scale. - Proxy filtering; arrange that all web traffic goes through a web proxy. High cost, but very accurate and allows you to pick out exactly what you want to block. Problems with DNS poisoning People think it's easy, but if you have sub-domains which you don't wish to block, or if you want to allow email but not web traffic, then it's not good enough. West German ISPs, where local government requires to block access to Nazi sites, and most ISPs managed make a mess of it, and managed to block some parts of the site but not the bits they were supposed to block, and all managed to mess up the email. Every ISP made at least one mistake. Blackhole routing Dropping packets will affect every web site hosted at the IP address. So you can't block a single site at one IP address. So useless for sites like Geocities. Useless for huge numbers of other sites. You do not have one IP address per web site. Ben Edelman did a study on 'overblocking', and 87.3% of the sites shared an IP address with at least one other. Some web servers have over 50 sites on them. So ends up blocking innocent sites as well. Proxy filtering No overblocking, but it is expensive. Has costs in kit, and customer satisfaction, because proxies are slower and customers don't like that, and can mess up ability to tell people apart. Not good news for users, but they are the best way of doing precise blocking. Avoidance for clients Some people don't like being blocked and there are tricks for getting round it - use a different DNS server, very easy - use IP addresses instead of the domain name - use a relay, which often encrypts and anonymises; lots of these services out there, marketed to people who want to browse from their office desk but work just as well from home to get around blocks from ISP - people encode requests, (e.g. 'request%73' = requests) to avoid recognition; just look at spam for this. far more complex than it seems to just block domains - send malformed HTTP requests, e.g. multiple HOST protocol elements Avoidance for servers - move your site to another IP address, which is easy - change the port number, which is a bit trickier because we don't have good systems for looking up port numbers - provide the same content on many different URLs, you can send out your spam and arrange that is constant but then put a random string (which also allows you to check which of your spam emails works best) as some blockers don't realise that what comes after the / is irrelevant and end up blocking the whole URL not the domain name. - accept unusually formatted requests BT CleanFeed - CleanFeed is their internal name, but externally it's not called that, but 'anti-child-abuse initiative'. Two stage system from 2004, but similar designs used by other ISPs. - first stage is IP address based, so it checks to see if there might be child pornography and if it is then traffic is redirected to a proxy which then matches URLs, - this is what's publicly known, not covered by NDA Users send their traffic to boundary to BT's network. BT's system decides which traffic is good, and sends it on its way. If it is going somewhere bad, it will go to their proxy and then decide if it's going to a bad site, or somewhere innocent. If it's supposed to be going somewhere bad, then it returns a 404, i.e. no accusations of wrongdoing. Fragile. - evading either stage evades the system, all previous attacks continue to be relevant - plus can attack the system in new ways, e.g. if include IP addresses for innocent sites, like Google or ITunes Music Store, in DNS results for bad sites then that will flood the second stage with legitimate traffic - if they give it local IP address then results in routing loops The oracle attack - can detect the first stage and so can tell which IP address is being blocked. If you sent lots of tcp/80 traffic you can see what comes back and tell whether your traffic is being redirected. Then you can find out which domain names are being hosted and these IP addresses. The Internet Watch Foundation (IWF) - set up in 1996 to deal with child porn on Usenet - operates consumer hot-line for reports - mainly concerned with web sites now - has a database of sites not yet removed - but sites move around very fast, and database needs to be regularly reviewed Politics - in Whitehall they thought it was impossible to censor or block the net until BT deployed CleanFeed, despite blocking systems in Norway, Saudi Arabia and Chine, for e.g. - ISPA claim 80% of consumers covered by systems that block illegal child images - Minster now wants all broadband to block by end 2007 - which is apparently voluntary but 'if it appear that we are not going to meet our target through co-operation, we will review the situation' Whitehall comprehension? - "recently it has become technically feasible for ISPs to block home users access to web sites irrespective of where in the world they are hosted" - they don't understand the cost of the system, how fragile they are, how easy they are to evade, or how they can be attacked or made less secure or less stable. Also don't understand that you can use the system to reverse engineer a list of sites to look at. After the events in August, Fratini (EU) wants the internet to be a 'hostile environment' for terrorists: "very important to explore further possibility of blocking web site that incite to commit terrorist action" - also blog drugs, gambling, holocaust denial. - don't overlook civil cases: defamation, copyright material, MI6 agent list, industrial secrets, lists of company directors, etc. People will want web sites blocked. But people used to think 'it's not possible' but now they are saying it is, and the more people think it's possible the more they want it. More on this in Richard's PhD thesis, Chapter 7, which is available on his site. Biggest problem country is actually the USA - they are not good at removing pedophile material from the internet. How big is the IWF database? 888 items? Can infer what the IWF publish, because they have said 38% of sites are still active after 2 months, so they are checking it. Problem with doing research into the blocking of child porn because, of course, looking at the sites is illegal, so you can't check the content. Only a small percentage of sites reported to the IWF check actually have child porn. IWF and BT refused to allow Richard to have his site added to their blacklist so that he could check to see how well the system works.

[Read more] (2 comments)