November 21, 2007 | Becky Hogge

HMRC fiasco: Government "not interested" in expert warnings

Professor Ross Anderson, UK computer security expert and Chair of the Foundation for Information Policy Research, appeared on Newsnight last night, to discuss the HMRC data loss fiasco. He labelled the fiasco "an accident waiting to happen", and calmly, methodically, indicted the Government for brushing aside the advice of security experts who have been warning them against the centralised, top-down approach they have been taking to electronic government.

I hope Professor Anderson will not object to my transcribing his words in full, and linking to the reports he mentioned and the government responses that have brushed aside expert concerns.

"But if we return to the matter in hand, I'm afraid that there is a policy issue here not an operational issue because the government has repeatedly, over the last few years brushed aside one lot of advice after another about the growing problems of privacy and safety with aggregating more and more data.

We wrote a report for the Information Commissioner in November last year pointing out that the proposed children's databases were both unsafe and illegal. That was brushed aside.

Lord Broers' House of Lords Science and Technology Committee reported earlier this year saying that the government needed to get its act together on personal internet security. A large part of that was Treasury responsibility, better regulation of online banking. That was brushed aside.

The Health Committee reported in September saying that people needed a right to opt out of the large central databases of personal medical information that the NHS is collecting. That was brushed aside.

Again and again and again these warnings have been made in different contexts by expert groups and the Government has not been interested."


November 20, 2007 | Becky Hogge

HMRC loses confidential details of 25 million benefit recipients

The confidential details of 25 million child benefit claimants are reported to have been lost by HM Revenue and Customs. The BBC is reporting that HMRC's chairman, Paul Gray, has resigned.

BBC political editor Nick Robinson said he understood ministers had been aware of the problem for nine to 10 days.

Here in the ORG offices we are watching the Chancellor, Alistair Darling, make a statement on the matter to the House of Commons.

Update: The Chancellor has now made his statement to the House of Commons. It appears that the BBC under-reported the amount of people affected by this loss. Darling announced that a "password-protected" CD sent by unrecorded delivery contained details of 25 million individuals. That's just under half the population of the UK.

Details contained on the CD include:

  • Name;
  • Children's names;
  • Address;
  • Date of Birth;
  • National Insurance Number;
  • and, where relevant, bank details.

Darling used his statement to reassure citizens that banks had been informed and were taking measures to protect their accounts. The accounts of those whose details were lost had been flagged, said Darling, and were being monitored for irregular activity. He assured UK citizens that any innocent victim of fraud would be protected under the banking code.

According to Darling, the Information Commissioner will be investigating the data protection breaches that were presumably key in leading to this blunder.


November 20, 2007 | Becky Hogge

Double your money with the Open Rights Group

If you've ever:

  • signed the Open Rights Group pledge;
  • said you'd support the Open Rights Group and haven't; or
  • supported ORG in the past and then stopped

...then it's likely you'll have received an email from me today, telling you about our Review of Activities and asking you to dig deep into your pockets to support ORG.

The good news is that if you support ORG now, the Joseph Rowntree Reform Trust Ltd will match the amount you give to us. Which means everything that you give will be worth double to ORG. So get giving!

This arrangement is set to be in place for the next two years, or until the Open Rights Group has received £10,000 in new funds, whichever happens first. Thanks heartily to JRRT Ltd, and thanks especially to all the people who have already reacted to our emails, and are sending in funds.


November 19, 2007 | Becky Hogge

Open Rights Group: Our first two years

Today I'm proud to be able to publish a review of the Open Rights Group's first two years of activity, including our first year's accounts. I hope that ORG supporters will enjoy reading how their contributions - financial, mental and physical - have collectively created an organisation that has had a demonstrable effect on UK digital rights issues. I also hope that ORG's story so far will encourage more people to join the swelling ranks of ORG supporters.

As ORG chair Louise Ferguson writes in her foreword to the Review:

"ORG benefits from all manner of support from the many people involved in this grassroots organisation. From the individuals who support us financially or in kind, to the scores of people who keep our lively email list buzzing and those who generously volunteer their time and expertise, there are hundreds of people who contribute to ORG's success. Our supporters and volunteers, who come from right across the political spectrum, drive our organisation, informing debates on a wide range of issues and providing amazing energy for projects and campaigns"

But today is not all about back-slapping. Now, more than ever, ORG needs your support. 2008 holds new challenges. Content industries, not satisfied with controlling your devices, are seeking to control your internet connection too. And next year will be a decisive one in the fight against the surveillance state, as political energy mounts around securing individual citizens' rights to privacy. ORG needs to be there, speaking up for your digital rights.

So if you're not yet supporting ORG, please start today.

If you're not sure whether you are supporting ORG, please email me or Michael (becky AT; or michael AT openrightsgroup DOT org) and we'll let you know. And if you are supporting ORG, please use today to spread the word about ORG to your friends and colleagues, and let them know why they should be too.

Finally, huge thanks to everyone who has made ORG's first two years such a success - we've tried to namecheck as many of you as possible, but I'm sure we've left some people out. Here's to building on our success, and to a bright future for our digital rights!

Update: The review is now available in html format.


November 15, 2007 | Becky Hogge

Electoral Commission: "e-voting not a mature technology"

Many thanks to Glyn for watching, and transcribing the most interesting bits of, the Scottish Affairs Committee public evidence session in the House of Commons earlier this week. The Open Rights Group were particularly heartened by these words from Peter Wardle, Chief Executive of the Electoral Commission:

"Ron Gould sets his face firmly against [e-voting] for the time being and we would agree with that. We think e-voting is not a mature technology yet and does not command sufficient confidence to be deployed."

This statement sits in stark contrast to the views expressed by the Government on Monday, when they ignored the fundamental failings observed in recent e-voting trials, and the analysis of computer security experts, to instead support "the continued investigation into the benefits of electronic voting including remote electronic voting".

The public evidence session was called by the Committee to examine how voters’ interests can be protected, following the publication of the Gould Review into the Scottish elections in May.


Open Source Summit Review

The resounding message of Olswang's and Greenberg Traurig's Friday Open Source Summit (PDF) was that software patents are bad for business. Bruce Perens's message against software patents, and that the European Patent Litigation Agreement (EPLA) should not become a reality, was echoed throughout the day by numerous speakers, to be restated once again during Simon Phipps's closing keynote. The main argument was that these patents hinder software development because of their high transaction costs, and that Europe can maintain advantages by not allowing these patents (available in the US and elsewhere) on its shores. Naturally enough, there wasn't anyone calling for the abolition of patents, only as they relate to software. But software patents weren't the only theme of the day.

Bruce Perens - Opening keynote

Perens is one of a handful of early and influential 'founders' of free and open source software (FOSS) and he gave an entertaining and informative overview of the benefits of FOSS and how they fit in with a company's business model. The key for any business is to look at what is the "differentiating software" -- the model or software that makes the business different from others. For non-differentiating software open source is key, as it can help control costs while delivering a robust architecture. Beyond his call against software patents, he suggested that the UK and Europe could use a law requiring open source software to at least be considered for (presumably) public purchasing.

Heather Meeker, of Greenberg Traurig, gave an excellent overview of the legal side of FOSS licensing.

Jim Markwith of Microsoft concentrated on issues surrounding open source in a mergers and acquisitions (M&A) context. Often one of the issues is finding inappropriate (copied w/o permission) code in FOSS projects. Many of the problems that he sees in the M&A role at Microsoft are a result of poor IP management and not open source per se. As regards software patents, he only stated that Microsoft takes a different position than the other speakers. On the GPLv3, he did note that "GPLv2 has built up a legal understanding over the past fifteen years and now v3 means that they don't have that understanding."

Nigel Swycher, Olswang and chair of the event, and Kat McCabe, Black Duck, both further reviewed FOSS within the M&A context. Black Duck makes a product that reviews and audits software code to make sure that it does not contain illegally copied code.

In the afternoon Jan Wildeboer, Red Hat, and Pieter Hintjens, iMatix, both further made the case against software patents and open source business models. Hintjens had the notable quote that the GPL is "an 'ultra capitalist tool' because it allows dual licensing a commercial option plus the GPL version."

Dietmar Tallroth, Nokia, discussed some of the practical aspects of managing open source software through his experiences as the legal director of open source and licensing at Nokia. David Wood from Symbian gave an overview of open source and smartphones.

John Powell, Alfresco Software, got back to one of the main themes of the conference. From the conference site:

The software development and licensing landscape has changed, and the US are perceived to be leading the way. The Summit seeks to address this imbalance.

Powell blamed the close ties and use of the English language for waves and waves of US commercial interests following a proprietary licensing model for crushing both the UK's indigenous software industry and free and open source software development. In short, because of the lack of a language barrier, UK companies and public sector organisations bought into the FUD against FOSS and thus never got off the ground. Now, however, is the time for the pendulum to swing the other way and for a UK FOSS community and use to dramatically take off.

Graham Taylor, Openforum Europe, discussed open standards and mentioned that in his opinion the UK government has been largely absent when compared to its EU counterparts at European meetings on open standards and open source.

Michael Robinson, Deloitte, covered how they saved large amounts of money and introduced greater stability by introducing open source into the Oyster card system for London's transport.

Simon Phipps, Sun Microsystems, closed the day with a slight restatement of the day's theme against software patents. He wasn't against them per se; however, he thought that their granting should be greatly tightened so that they were very hard to get. There was still some room for their use if limited in this way. He did however note that trade marks are the next wave of legal problems for the FOSS community and that this would be the most troublesome area moving forward. In addition, he gave a load of practical advice on using FOSS within a company and how to relate to the greater open source community.

The day was well attended by a diverse set of lawyers, academics, developers and others. A definite tip of the hat to Olswang and their partners on the event, Greenberg Traurig, for the day.


November 13, 2007 | Becky Hogge

Open Rights Group dismayed by Ministry of Justice response on e-voting

In the May 2007 local elections Open Rights Group observers, accredited by the Electoral Commission, took part in the monitoring of pilot electronic voting and electronic counting schemes. We observed serious failings in the process. Since then, further problems have come to light in other countries leading to many electronic voting solutions being banned or withdrawn. In light of this, yesterday's Government response to an Electoral Commission report is of great concern.

While the Government acknowledges some of the Electoral Commission recommendations for extending implementation periods for systems, it has ignored the fundamental failings observed in trials so far. It has ignored the analysis by computer security experts that shows the technology for secure computer-mediated voting does not currently exist, let alone a secure system for remote electronic voting. Remote voting systems also threaten the privacy of voting, allowing third parties to coerce and influence other voters, particularly within their household.

The only bright spot is that there is a reliable method that permits the secure operation of electronic vote-counting machines: this requires the performing of hand counts on statistical samples and comparing results with the machine tally to detect errors or fraud. Far less brightly, our experience last May was that e-counting didn't have these checks, was rather expensive, and even turned out to be considerably slower than a manual count would have been.

But back to yesterday's Government response. It states that:

"All the pilots supported successful elections... all pilots had comprehensive contingency plans to ensure that electors were not disenfranchised and retained their option of a paper ballot."

This is not the considered view of the observers present at these elections, who saw significant problems which included disenfranchisement, with voters turned away from the polling station when they found themselves unable to vote by telephone or online (see Open Rights Group, May 2007 Election Report [pdf], page 25).

The Electoral Commission's report made a great deal of sense, in that it made clear their desire to see "a robust, publicly available strategy that has been subject to extensive consultation" before any further pilots took place.

The Government's refusal to halt its pilots is therefore of great concern and reflects a disconnect between Government policy, the evidence and current expert thinking in the field. If the Government's goal of "evidence based policymaking" is to be upheld, then a public debate about the role technology has to play in our electoral process is long overdue. A scheduled public consultation on the introduction of e-voting would be a welcome development.

However, the Government's response to the Electoral Commission's report makes it clear that, from their point of view, this question has already been answered: e-voting is the way forward and the imperative now is to "support [the] implementation of a modernisation strategy", ie to make it work. What public consultation they will engage in will be focused around not if but how e-voting should be introduced. They refuse to accept, despite evidence from the UK and from abroad, that e-voting may not be a viable or desirable area of pursuit.

Elections are one of the most complicated areas it is possible to conceive of to which to apply digital technology. Not only must the system be robust and easy to use, it must ensure voters' anonymity and privacy, yet be transparent and auditable, and be completely secure against both external tampering and fraud by employees, consultants and the outsourced workers often used to develop components of the system.

A single software or hardware engineer can bias marginal seats a percentage point or two and there is a low probability of a professionally executed fraud being detected. In comparison, while fraud is possible with traditional voting systems any large scale fraud would require huge manpower and be difficult to conceal. We are told that e-voting will increase participation, yet the pilots tell a story of voter turnout increased marginally, if at all. The risks posed to our democracy by the introduction of e-voting outweigh these unproven benefits considerably.

Every voter expects their vote to count, and to count once. Until there is consensus that that expectation can be met, remote electronic voting should be reserved for the purposes for which it is fit - naming cats on Blue Peter and voting on the X factor.


November 09, 2007 | Becky Hogge

iPlayer: Open Rights Group on Groklaw

My interview with Sean Daly at Groklaw went online this morning:

Q: Now, let's talk about DRM for a moment. It seems that the current situation the BBC finds itself in with the iPlayer is largely due to the choice to use DRM. My understanding is that without DRM, the rights holders of third-party producers of television programs which are leased to the BBC would withhold their programs from online distribution. What do you think is the solution to this? Should those programs just be taken offline?

Becky Hogge: OK, so you're right to identify the problem; in fact you've got it in a nutshell. The BBC is having to negotiate with the people who own the rights in the programs that it broadcasts, because the BBC doesn't own all those rights. For a start, it's bound to use 25% of its commissioning budget to commission programs from independent producers, or "indies" as they're called in the industry. And those indies, most of them, keep the rights, and, like you say, lease them to the BBC for broadcast in a certain window.

Equally, some of the BBC content that the BBC produces itself has got all sorts of complicated rights issues associated with it. That's when the actors, and the cameramen, and all the people that go into it don't necessarily sign over all the rights to the BBC in perpetuity. So this is a really, really difficult problem for the BBC. But at the Open Rights Group, we think that the BBC needs to be tackling this problem head on. Because if it doesn't, it's going to keep having to use digital rights management. And digital rights management is slowly but surely going to eke away the way it can fulfill its public service remit.

This isn't just about a small group of Linux users who can't access iPlayer and are getting stroppy about it. Using DRM is going to push the BBC into more and more of a commercial environment. And what's more, DRM is always going to lead to the kind of platform neutrality issues that the BBC is experiencing now. If you think about it, Apple iTunes, which uses the Apple DRM, is already being accused of distorting the market by regulatory bodies inside the EU. And the BBC is always going to face these issues. Now, what it could do is it could start now to think creatively about how it's going to negotiate with indies and other rights holders in the future.

Read the interview in full here. This morning, I've been at the BBC Future Media and Technology building in White City, recording a podcast for BBC Backstage together with some of the technical team behind iPlayer and Mark Taylor from the Open Source Consortium. I'll post a link to that as soon as it's up.

Update: Here's the BBC Backstage podcast.
