UNCORRECTED TRANSCRIPT OF ORAL EVIDENCE To be published as HC 508-iii

HOUSE OF COMMONS

MINUTES OF EVIDENCE

TAKEN BEFORE

HOME AFFAIRS COMMITTEE

A SURVEILLANCE SOCIETY?

Tuesday 12 June 2007

PROFESSOR ROSS ANDERSON, MR PETE BRAMHALL and DR ANDY PHIPPEN

Evidence heard in Public Questions 179 - 235

USE OF THE TRANSCRIPT

1. This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.

2. Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.

3. Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.

4. Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.


Oral Evidence

Taken before the Home Affairs Committee

on Tuesday 12 June 2007

Members present

Mr John Denham, in the Chair

Mr Richard Benyon

Ms Karen Buck

Mrs Ann Cryer

Margaret Moran

Gwyn Prosser

Martin Salter

Mr Gary Streeter

Mr David Winnick

________________

Examination of Witnesses

Witnesses: Professor Ross Anderson, Professor of Security Engineering, University of Cambridge, and Chair of the Foundation for Information Policy Research; Mr Pete Bramhall, Manager, Privacy and Identity Research, Hewlett-Packard Laboratories; and Dr Andy Phippen, Lecturer, School of Computing, Communications & Electronics, University of Plymouth, gave evidence.

Q179 Chairman: Good morning, gentlemen. Thank you very much indeed for coming to give evidence as part of our inquiry into the contention that we are drifting towards the surveillance state, whether that is a good or a bad thing and what we might do about it if it is, and we are grateful to you for coming. Our aim today, as you know, is to get at least some understanding of some of the technological issues involved in these developments and we are very grateful to you for your time. I understand that Caspar Bowden cannot come due to ill-health which is unfortunate, but I am sure that, between you and with the expertise you have got, you will be able to answer the questions that we might have directed to him. Perhaps I could ask each of you to introduce yourselves for the record and then we will make a start.

Professor Anderson: I am Ross Anderson, Professor of security engineering at Cambridge and I also chair the Foundation for Information Policy Research.

Dr Phippen: I am Andy Phippen. I lecture socio-technical studies at the University of Plymouth and am co-author of, amongst other things, the Trustguide Report.

Mr Bramhall: I am Pete Bramhall and I lead a small team of researchers at Hewlett-Packard's corporate research labs in Bristol where we do research on privacy and demanagement technologies.

Q180 Mrs Cryer: May I ask the first question primarily to Professor Anderson and it is in terms of surveillance capability. What do you feel has been the most significant technological development of the past ten years?

Professor Anderson: Almost certainly search engines. It is perhaps slightly more than ten years since we saw the first one, AltaVista, 11 years ago, but certainly Google has come along in the past six or seven years and their use has become very widespread. Previously, lots of information about people was kept on numerous, disparate databases and a lot on paper in filing cabinets. Search engines mean that everything that is searchable is now findable if people have got the wit to look for it and of course there are not merely the publicly available search engines, such as Google, there are search engines on intranets and there are search engines available to government and intelligence services which give access to information which is not generally available to the public, but overall the killer technology is search engines.

Q181 Mrs Cryer: Do you both agree with that?

Mr Bramhall: Yes, I would agree certainly with that and I would perhaps also add the fairly recent rise in social networking capabilities on the Internet, the rise of things like MySpace and YouTube where people can post information about themselves and yes, they are doing it willingly and for what seem to be very desirable purposes for them at the time, although they may actually have cause later in life to regret what they have made available of themselves and, coupled with search engine technology, there might actually be more out there than they would be happy with.

Q182 Mrs Cryer: Dr Phippen, do you go along with that?

Dr Phippen: Yes, I would certainly agree with that.

Q183 Chairman: Can I follow that and ask what the main drivers are of these new technological developments? Search engines and Google are presumably driven by a commercial motive, but things like Facebook and social networking were sort of invented by people out there really, thinking of a way of doing things and making uses of them which probably the original designers had not thought of themselves, so what are the main drivers that are moving technology forward as quickly as it is?

Professor Anderson: I think it is different in the private sector than the public sector. In the private sector, the main driver is the wish to charge different people different prices. This is of course as old as people have been trading; the carpet trader in Istanbul who makes a special price "just for you" is the price discrimination of antiquity. In general, price discrimination is economically efficient, but people tend to resent it because they feel that it is unfair. Now, what is happening is that technology is making price discrimination, firstly, more attractive to businesses because businesses become more like the software business over time and, secondly, easier, so this creates a circle, a vicious circle or a virtuous circle depending on your point of view, which drives the acquisition of ever-more data and ever-more capabilities as part of the process, and a second main driver of course is targeted communications. In the public sector, we have got all the motivations that we have all come to know and love or hate, as may be the case.

Q184 Chairman: Could you say a little more about the public sector motivations though in the sense that there is probably a similar desire to get the right piece of information to somebody or the right service to somebody or the right information about somebody, so is it significantly different and is the public sector driving the technology or is in fact the private sector developing the technology which the public sector makes use of?

Professor Anderson: I think it is the latter. The UK is rather odd in that over the last few years a majority of the business won by our big systems houses has been public sector business rather than private sector business, but they are almost never developing new technology, they are simply using technology which has been developed mostly elsewhere for private sector purposes. It is also difficult for even a mild cynic to escape the supposition that there is some competitive empire-building going on in Whitehall of the "my database is bigger than your database" variety, and this appears to be more pronounced in Britain than in other countries.

Q185 Chairman: Mr Bramhall, as you mentioned it, how significant are these social networking initiatives in driving change? I suppose it goes back certainly to text messaging originally, things where consumers have invented ways of using these systems that people had not previously thought of.

Mr Bramhall: Yes, the technology behind them, I think, tends to come from private sector considerations. Entrepreneurs will think, "Ah yes, if I set up a capability of doing a MySpace or a YouTube, then they will come and use it and it will be commercially successful", but the other factor that drives that success, or otherwise, is essentially how great is the take-up by people. Are they actually as popular as the entrepreneurs who found them would like them to be? We can all look at the numbers of how quickly those sites are mushrooming and so on, but there is perhaps a little bit of evidence that indicates younger people are more happy and willing to participate in them and, therefore, perhaps one of the drivers is actually coming from the youthful recognition or the recognition by the youth that technology is definitely not to be feared, it can do wonderful things, it can be liberating from an individual point of view, it can help form all sorts of personal relationships which again are very important when you are young, and perhaps those are the sorts of drivers of behaviour that lead to the success of these systems which have been enabled initially by private sector technology.

Q186 Chairman: It is probably an impossible question, but, if we looked over the next ten years, what are the technological developments that you think would have the most impact on data security and on the privacy of citizens?

Professor Anderson: I do not think that privacy is fundamentally a technological issue, but fundamentally a policy issue. One of the things that we have learnt over the past six or seven years is that, when systems fail, they largely do so because incentives are misaligned and classically because some of the persons who guard a system are not the persons who bear the full economic costs of failure. One of the things that we are seeing more and more is that, as systems become more complex with more players, so the temptation on players to throw the risk over the fence and make it somebody else's problem becomes pervasive, so I can see this necessarily leading to an increase in regulation and public action of various kinds. As far as the technology is concerned, what we are going to see is probably a move to a world in which more and more objects are a little bit like computers. In ten years' time, most things that you buy for more than about a tenner and which you do not eat or drink will have got some kind of CPU and communications in them and even things that you buy to eat or drink may have RFID tags on them.

Q187 Professor Anderson: At which point, the Committee then goes "What?", so CPU and what was the other thing?

Professor Anderson: Some processing capability and some communications capability. Fifty or 60 years ago, there were a handful of computers and now we have several computers on our person, mobile phones, laptops, iPods, et cetera, and that will go up from a few to dozens. Your car might now have 30 computers in it and it might have 100 in it within ten years' time and many of these computers will talk to each other. What that is going to mean is that more and more businesses will become a little bit like the software business and that means that the problems that we see in the software business, of which surveillance is only one, are going to become more pervasive and this is going to affect, I think, the work of many committees because many of the laws and regulations that we worked out during the 20th Century with, if you like, atomic(?) property are going to have to be reworked with digital property to deal with all its side-effects.

Q188 Chairman: Dr Phippen, any star-gazing?

Dr Phippen: I must admit, I am certainly not as much of a technologist as the other two and, just looking from the citizen perspective which is very much where I focus, I think what you realise in the last couple of years is that the age of the naïve user is pretty much over now. We have spoken to people who had never used a computer before who told us, "You shouldn't buy things on the Internet because the hackers will steal your credit card details", so that is the level of awareness you are now dealing with. On top of that, going back to the previous question about whether citizens drive technology, there is a certain element of narcissism, I guess you would say, with blogging and MySpace and things like that where people like to share their information and certainly with younger people that is very prevalent at the moment. However, what you have not currently got, particularly with young people, is that, whilst they are very comfortable with the veneer of the technology, they are not aware of the threat and they are not aware of the long-term damage, such as when you are going for an interview in ten years' time and someone pulls up your MySpace page and says, "If you had said that you paid this political party, would you like to elaborate on that?" because what they do not realise is that this stuff stays for ever, especially with Google cashiers and you have got various Internet archive sites that collect websites on a regular basis. I think the citizen perception will increase a great deal, but what I do not see increasing is the awareness of threats from it.
Certainly we did quite a lot of work with around 100 school kids and they were very comfortable with technology and actually, since MySpace got bought by Rupert Murdoch, it seems to be a little less cool than it used to be and now things like Facebook and Bebo are the ones to go for, but they are very aware of that and they are very comfortable using MSN and various other messaging technologies and they are very comfortable using SMS technology, but, when you ask them about the threats and you ask them about the potential for stalking and the potential for viruses, they have very little in-depth information.

Q189 Chairman: We will come back to some of those points. Mr Bramhall, just on the technology side, do you have anything to add to what Professor Anderson and Dr Phippen have said about new developments?

Mr Bramhall: Not particularly. I think that in general the technological developments which will come about will still basically be in a context where the privacy issues remain the same and the principles for how one should address those privacy issues will also remain the same. The challenge would be, I think, when one is a system designer, remembering to take account of those principles and not just get captivated and dazzled by the potential of what the technology could do.

Q190 Mr Streeter: In relation to the last ten years, have there been any surprises? Actually I sometimes have a bit of a theory that things do not change quite as rapidly as we think they do, but we can see it going from a long way down, so have there been any dramatic surprises where in the next ten years we might look forward and say that we might have some more like that?

Dr Phippen: I certainly think that SMS technology was not created for kids to bounce messages on to their mates; it was created for engineers to send short messages about mobile network updates. I think there is an awful lot of, if you like, accidental adoption that goes on where people do things in a way that perhaps the creator of the technology did not think.

Q191 Mr Streeter: So a surprise in implementation, not necessarily in the technology or the invention itself?

Dr Phippen: Yes, certainly from the perspective I come from, it is really the use and abuse of the technology in unpredictable ways that is the difficult thing to foresee.

Q192 Chairman: It is almost inevitable that this sort of inquiry moves quite quickly into the threats, the risks and the dangers of the world that we are moving into and I suspect that this session will be no different when we go through the questions, so just before we do, can I just ask each of you to look at the other side of the equation. If we look ten years ahead with the development of these technologies and the spread of these technologies in lots of different systems, how would you assess the benefits that are likely to arise from them, particularly for individuals, and would you think that those benefits are going to be more evident in the public sector or in the private sector?

Professor Anderson: Well, ten years ago the big issue was cryptography policy, the US Government's attempt to ensure that nobody communicated privately on the Internet without the NSA being able to tap the communications. That concern has gone away because encryption has not, as a matter of empirical practice, been widely deployed. Apart from that, ten years ago people were generally very positive about the effects of the Internet. The evidence that we have now ten years later, the most recent study of the correlation, for example, between crime and Internet adoption across the 50 US states, is interesting. It shows that, by and large, the Internet has a positive effect or a beneficial effect in that it reduces some crimes, crimes of sexual violence and crimes of prostitution, which are assumed to be linked with the increasing availability of pornography to young males. The only crime that has gone up are what the FBI class as 'runaways', that is, children leaving home without their parents' consent before age 18, and some cases of runaways are clearly tragic and others are clearly beneficial to the child and we have no further figures on that. The things that we were worried about ten years ago and the things that have happened ten years after that were different, so we have to be cautious when we gaze into the future.

Q193 Chairman: But would you say that there are more benefits to be gained from the spread of computers and communications?

Professor Anderson: Absolutely, otherwise there would not be such an enormous effort and expenditure going into developing the technology. There are some downsides of course, but the gains are very much greater than the losses.

Mr Bramhall: The benefits equal the use at low cost, the removal of physical barriers or physical distances being a barrier for communication, collaboration and so on. Those are clearly the benefits and I see those continuing to evolve. The threat is sort of the other side of the coin simply that, because you are able to get out to the entire world from your house, so the entire world can get into you by the same mechanism.

Q194 Chairman: We touched earlier on the sense that possibly the public sector tends to follow the developments in the private sector in this area. Do you see it over the next ten years being primarily in the private sector and individuals' interaction with the private sector and with other individuals that the benefits will accrue or do you see significant benefits to the public sector?

Mr Bramhall: I think there is the potential for significant benefits for the public sector because the same kinds of points that were made about ease of use and ease of access and so on are all essentially efficiency benefits and enabling benefits which are possible just in terms of public sector internal operations as well as public sector delivery of services to individuals, so those benefits are still equally applicable.

Q195 Mr Winnick: Could I put this point to you, namely that virtually everyone, I would imagine, except Luddites, welcomes the new technology for all kinds of reasons, the computer, the Internet. Certainly my secretary finds that a correction, which otherwise on a typewriter would have taken so long, on a computer takes a matter of seconds. Is there any way in which you feel, gentlemen, that you can have this advance in technology, considerable advance in the last ten or 15 years, and certainly when I came back here in 1979 the first item I bought was a typewriter, so can we have this advance in technology without the intrusion and growing intrusion into privacy? What about you, Professor Anderson, do you have great concerns about safeguards over privacy?

Professor Anderson: Well, privacy intrusions generally stem from the abuse of authorised access by insiders or from failures to regulate such access properly, so privacy is largely a policy matter rather than a technology matter. That said, however, when you have got order of magnitude reductions in the costs of collecting data or storing it and indexing it, of course more information is going to be kept and over time we will move to some new equilibrium which is either going to have to involve more tolerance or more regulation or both, and I expect that the balance will be different on different sides of the Atlantic.

Q196 Mr Winnick: Mr Bramhall?

Mr Bramhall: I take a slightly different view as to the effect. Certainly the policy framework has to be got right and absolutely regarding privacy and the management of it and so on, but I think there is also the potential certainly in the private sector for companies to differentiate themselves by exemplary privacy practices and to get, if you like, a good reputation as being able to manage the personal data of their customers, employees, whatever, in a reliable and privacy-friendly manner and to pay continual attention to this. I think it could become one of those differentiators between companies in the same way as, for example, product quality might be or price of products, so I think it could become a differentiator, particularly as far as the provision of digital services is concerned.

Q197 Mr Winnick: There is a growing tendency for people to put a great deal of personal information on social networking sites which we all know about, although I do not myself do so, MySpace, Facebook. Is there not a danger that people are doing this without recognising the dangers involved in storing up such personal information and is there any way that we in Parliament or the media can warn people of the dangers involved? Just as a matter of interest, have any of you three put up such information?

Dr Phippen: I do not have a MySpace account and I do not blog, I must admit, but I am planning on blogging about one specific topic I research on. I think there is a massive issue in particularly what the youth are currently doing with technology and the fact that they are nowhere near well enough aware of the damage that can come from that. We did an awful lot of work with awareness and education, who is responsible, and it always comes back when you talk to citizens that it is the Government and it is the manufacturers that should be responsible. For some reason, you always get the car analogies, "I wouldn't buy a car and drive it off and then crash it into a wall because they hadn't checked the brakes properly, so why aren't we checking that computers are secure before they sell them to us?" Now, obviously the trouble with that analogy is that, as soon as you connect your computer at home and stick it on line, all sorts of things that the vendor could not possibly have predicted when they sold it to you might happen. Just as an interesting aside, we do a regular experiment where we get a student to drive around Plymouth and detect available wireless networks and generally every year, up until two years ago, it was always 40% secure and 60% unsecure. Last year, we expanded it out to a few other cities in the South West and it was still 40% secure. This year, it was 75% secure. We then expanded it out, did rural towns, did some market towns and did further afield, and it was coming in at around 75% secure, but then, when you start to look down the network descriptions, it is the fact that the vendors are now providing out of the box some level of security, and Professor Anderson will undoubtedly tell you far more than I can about the difference between WEP and WPA encryptions and the relative merits of them. 
What we are kind of seeing there is that manufacturers are trying to do more, but then there is a separate experiment where we had a student detect unsecure Bluetooth devices and send them an unsolicited message. Over 60% of the people that did that were perfectly happy to receive that on their device and load it up with no problem at all, so the kind of conclusion you are getting from that is that the buck has got to stop with the individual because manufacturers can do a lot, the Government can do a lot by education and I would certainly say that if you looked at Store-Curricula, et cetera, it is not doing enough at the moment. However, there has to be personal responsibility because ultimately it is a personal device. The bewildering thing we found was that people were very, very willing to accept that something is in their personal device, they did not know what it was, they just accepted it. Now, how could a manufacturer protect against that?

Q198 Mr Winnick: I take it, Professor Anderson and Mr Bramhall, you do not put anything on these sites which I mentioned?

Professor Anderson: I have a MySpace site, but I basically use it for one of my hobbies, old music. It is a free repository for out-of-copyright MP3 files and things like that. On the issue of security usability, this is one of the hottest topics in security research over the last three years because of the rise in phishing and other attacks that basically exploit user naivety. Up until now, many of the organisations which ought to know better have taken the view which in safety-critical systems we call 'blame and train'. If somebody cannot use your system, you first blame them and you then make some half-hearted effort to train them. Now, that is known not to work in safety-critical systems. If an aircraft cockpit is unflyable, you redesign the cockpit, for goodness sake. You do not try and make the pilot fly in some strange attitude, and we are going to need a similar change of attitude among banks, for example, whose websites are often particularly vulnerable. There are some interesting public policy issues here and one that we have been looking at recently is what is known as 'gender HCI', the way in which men and women interact with human computer interfaces differently, and this is a subject which started only in the last year or so at Cambridge and Carnegie Mellon. We are beginning to realise that the way many bank websites are designed, for example, likely discriminates against women because they are designed by geeks for geeks. Banks will say things like, "visually pairs the URL and look for the second-last thing before the last slash", and this is a boy-toy kind of approach to things. In such sectors, there is a number of suppliers, not just computer suppliers, but also website operators who really must do better, so this is an active area of research.

Q199 Chairman: I did not want to say this because, as Dr Phippen says, we always seem to get car analogies and I was sitting here with a car analogy! Professor Anderson, as you were saying earlier, most of the breaches are about when people get inside the system rather than the technology, but it does sound like the argument that it is not cars that kill people, it is car drivers, but actually in practice we have done a lot to make cars people-proof over the years because you could not just blame the driver, you actually had to change the design.

Professor Anderson: Well, these are complex socio-technical systems and the reason that we have got about the same number of fatal road traffic accidents now as in 1925, despite having a couple of dozen times more cars, is due to a whole lot of factors, that cars have seatbelts, they have crumple zones, we have speed limits and we enforce them, drunk-driving is no longer socially acceptable, et cetera, et cetera, et cetera, and do not discount the long evolutionary period whereby the Department for Transport looks at the road traffic accident hot-spots and, if two or three people have been killed at some particular interchange, they redesign it. There is a long period of growth, learning and adaptation which has gone behind this reduction in fatalities.

Q200 Mr Winnick: Arising from what you have just been telling us, Professor Anderson, do you feel that large retail stores, banks, insurance societies and so on are asking for too much personal information when it comes to various matters like loyalty cards, travelcards and purchasing items on the Internet? Are they going over the limit as far as personal information that is being requested is concerned?

Professor Anderson: Sometimes too much information is requested and sometimes too little and it depends on the application because surveillance is, after all, about power and it is part of another system, namely the way in which organisations, be they governmental or large private sector organisations, exercise various kinds of power, market power or otherwise. Now, generally, organisations err on the side of collecting too much information simply because it is cheap and it does not cost you very much extra to have an extra computer disk drive or two to hold more information about individuals and, if it is their time that is spent filling out the web form rather than your staff's time, then the marginal cost to your organisation is very low. Now, where things are competitive, there will be limits on that because, if your website is too much of a bother for people to fill out, people will go to other websites, but there may ultimately be a need for systemic controls on the amount of information gathered by public sector bodies or others who are not subject to competitive pressures. America some time ago had a regulation about the maximum amount of time that people would have to spend filling out government forms with the requirement that these actually be tested, and perhaps we will need something similar in the future here.

Q201 Mr Winnick: Arising from what the Chairman said, Mr Bramhall, should people be more concerned that the private sector have information on them equal or perhaps even more than the State have? Generally, people are not too worried, at least in a democracy, which we can emphasise time and time again, about the information that social security departments and so on have on individuals for very obvious reasons, and the Health Department, but is there less confidence when it comes to the private sector?

Mr Bramhall: Yes, and again there is a wide variety of practices and I am certainly not going to tar the private sector with the same brush, but it is not too difficult to find instances where you do feel, as you are interacting with a private sector website, that perhaps it is not only asking more information than is really needed for the purpose that you are interacting with it for, but they might have a different purpose, and increasingly as technology, particularly privacy-enhancing technology, begins to offer possibilities for system designers to design the systems in a way that actually requires less personal information, then I think the incentive to them to do so is not actually apparent at the moment because they are sort of stuck in this habit of gathering more information because it might come in useful some day. I am not going to sort of point fingers or, as I say, tar the whole of the private sector with all of the same brush there, but there are concerns and I think some of those concerns are valid simply because having too much information and having information that is not strictly needed for the purpose runs the risk of leakage, runs the risk of loss and runs the risk of it being found by people who should not find it. In fact, many of the data breaches that one reads about where personal data is disclosed from an organisation that had a valid reason for keeping it, it is quite often just sort of failure of practice and perhaps incompetence even at a fairly low level that just allows it to happen, so there is an opportunity for a better job to be done definitely, but it is not unremittingly awful or anything like that. As I say, most organisations really want to do a good job with handling personal data, public sector and private sector, and they certainly do not wish to risk the opprobrium that comes with the bad publicity surrounding a leak.

Q202 Margaret Moran: Could I just pick up on something Professor Anderson said, and let us not mention DWP in that last context! I was very interested in the comment you were making about recent studies in relation to the gender differential in the ways that technology is used and, therefore, the way that people approach the privacy and security issues. You may be aware that six or seven years ago there was a report called Code Red by Perry Sicks(?) of IPPR, and I actually wrote something called "He Democracy or She Democracy" which looked at the codes behind the software, so we are not actually talking about the car, we are talking about, I guess, the spaghetti in the car, all the electrics in there. The way that codes are used within systems that we all use, whether it is a computer or a hand-held, the way that they are devised actually leads us to a certain form of encryption and security and that is very male-dominated, as you said, the geeks, as we traditionally like to think, in the bedrooms. How far do you think that recognition is helpful in identifying more secure forms of data-sharing and the use of the services that we all want to use in a safer way? How far is that developing?

Professor Anderson: I think we are at the very early days of gender HCI. Work started a couple of years ago at Carnegie Mellon looking basically at how you could redesign programmers' toolkits so as to make it easier for women to be programmers. We have been looking at the effects of this on security and, in particular, vulnerability to phishing. Talking about it to a few people over the last few months, it seems there is interest sparking elsewhere and it is the sort of thing I would expect to see more papers on over the next few years and conferences. There are of course a number of established IT policy issues that bear on women, and someone mentioned the children's databases, for example, and there are also supermarket loyalty cards where the majority of these are held by or at least substantially used by women. It would be a large task to pull together all the women's issues in this space and, if your colleagues are interested in getting involved in that, then I would welcome it.

Q203 Margaret Moran: Going on to the PETs, privacy-enhancing technologies, the essence of what you have been saying really is that this is the way forward in terms of being able to deliver what we want, but at the safety level that we require. You will know about the growth of PETs and the idea of the token that Credentia has developed. How far do you think that these systems can be really designed for privacy? With things like data-matching, and people have criticised iris tests, biometric tests, there is a very lively debate on that one, the authentication techniques are getting a lot better and becoming more accurate, but do you think we are getting there in terms of surveillance and can we go further?

Mr Bramhall: Are we talking about surveillance or protection against surveillance?

Q204 Margaret Moran: Protection against surveillance.

Professor Anderson: Well, I think you will find differing views on this from different witnesses. I was involved in the 1990s in developing a number of what would now be called 'privacy-enhancing technologies', and I invented the steganographic file system, for example. In recent years, I have become somewhat of a sceptic because, to a first approximation, privacy-enhancing technologies are just pseudonyms. They can be dressed up in various fancy ways, but at heart they are pseudonyms. There are many circumstances in which it is very, very sensible for people to use pseudonyms and, in particular, teenagers going online and having pages on Facebook or whatever are well advised to use pseudonyms for fairly obvious reasons, everything from personal safety to not being embarrassed in 25 years' time when they are trying to get themselves elected as Prime Minister, but there is only so much you can do with pseudonyms. Companies do not want to deal with pseudonymous individuals, by and large, unless there is some premium in it for them. You can get prepaid credit cards, but they are significantly more expensive and the reason for this is that the information that is collected about you is valuable and it is used for price discrimination, so there are some market niches for privacy-enhancing technologies, but they are by no means the general solution to surveillance problems.

Mr Bramhall: I would actually take a slightly different view on that one and it stems from perhaps a broader definition of what are privacy-enhancing technologies, and I do not agree that they are just pseudonyms; there is a wider set of technologies that can be used. There is quite a useful definition of them in a communication which the European Commission has published recently on this subject and it takes a definition as being a "coherent system of ICT measures that protects privacy by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data, all without losing the functionality of the information system". That then opens up a wider range of possibilities. Certainly what you might regard as the more mathematically rigorous and tighter sets of technologies are the pseudonyms and similar that Professor Anderson refers to, but there are other models by which personal data can be managed or its use be reduced. There are other models which are more to do with helping the organisation that has got that information, that has actually received personal information, helping it do a better job of managing that information, of controlling it, and putting processes in place which design the systems that do those things. Those processes are as much to do with management practice as they are to do with technology and, by themselves, those processes require some technology to help them as well, so I would actually take a wider definition of what constitutes a privacy-enhancing technology. I agree with Professor Anderson's point that, if everyone just takes pseudonymity as a starting point, the incentives there are not very strong for an organisation to pick that up, but there are other technologies too and, as I have already made the point, I believe that privacy can be a differentiator for an organisation.

Q205 Margaret Moran: We have heard evidence from the Royal Academy of Engineering that personal identity will offer the sort of security that people are looking for and they have also said essentially that, if we were better at encrypting and more sophisticated in terms of our encryption, then some of the concerns we are discussing here today would not occur. How far do you agree with that?

Mr Bramhall: I suspect it actually comes back to Dr Phippen's area which is ways of making it usable. I think the basic encryption technology could be made strong enough, et cetera, but the question then becomes how do you make that usable and accessible to the ordinary person, I would guess.

Dr Phippen: Yes, certainly if you say to an individual, "Use this site, it's got better encryption than before", they are going to go, "So what!" The public's view of encryption is whether the little padlock is on the browser and, if the padlock is on the browser, it is safe. I think the usability issues are extremely significant if you are looking at privacy-enhancing technologies at all and, unless your average person on the street is comfortable with them, guarantees of security will be ignored in a lot of the cases. We generally started our discussions with, "Who do you trust to keep secure information about you?" "Well, there is no such thing as a secure system", is generally the response coming back. "Well, how do you know that?" "Because we've read about it", "Because we've got friends who've got it", "We've had peers that have experienced it", or "I've experienced it myself". "Well, why do you use these things then?" "Convenience, I guess". I do not think security is the big issue, but it depends where you are coming from. If you are looking to get more people online and looking to get more people using public services online, I do not think security and privacy are the issues; I think convenience and education are the issues. You will be amazed at how much personal information someone will give you if you offer them 50 quid off a washing machine or something like that. I guess with a lot of public sector information is that it kind of goes into the, "What's in it for me?" mentality to the individual. If you are buying something online and you are saving yourself 50 quid, it is very clear. 
There are some very successful public sector e-delivery mechanisms, such as the DVLA and tax returns, and school admissions systems for some reason are incredibly popular because they offer a sort of return in terms of convenience to individuals and they are not saying, "I'm not using that" because you are not using the most up-to-date encryption mechanisms on it, but they are saying, "I'll use that because it will save me having to fill out the form on paper or it saves me having to phone someone up and do it all on the phone".

Q206 Margaret Moran: We have heard from the Surveillance Studies Network that PETs will, or could, lead, as you were saying, to a division within the market and there could be a situation where those who can afford it will have an enhanced level of privacy or, conversely, a lower level of surveillance, whichever way you care to look at it, and that what could be happening through PETs would be a privacy divide where the well-off can protect themselves and have the e-castles around them, if you like, and the rest are without drawbridges. How would you argue that?

Professor Anderson: There are possibly two different issues here. When it comes to the private sector which is interested in price discrimination, anybody who earns significantly above the national average should logically have an incentive to invest in privacy technology, although this may not be technology so much as using pseudonyms, deleting your browser cookies from time to time and so on and so forth, and all of these techniques will eventually become known to people. In the public sector of course there are issues, such as the children's database where the idea is to gather information from health, schools, social work, et cetera, about children who might be at risk of offending and the great problem there, as was pointed out in a report that we wrote for the Information Commissioner, is stigmatisation. Equality activists used to joke about the emotional offence of driving while black and, if we end up with an offence of driving while having more than 50 pints on the Home Office's onset database, then that would be an equally bad state of affairs. These issues perhaps give some insight into why the State will have more incentive to do more surveillance on the poor and why the rich will have more incentive to escape such surveillance as can be conveniently escaped because they do not want to be charged more for their airline tickets.

Mr Bramhall: I think the actual cost of an individual adopting a privacy-enhanced approach to what they do is probably not the issue. I do not think from an individual point of view that using a privacy-enhanced approach to their interactions is going to have a cost impact at all. I think, however, there is a difference between cost and price and the issue then becomes whether the providers of digital services would wish to price perhaps discriminatorily such that the privacy-sensitive services are at a higher price than the other ones. I think then perhaps it becomes a question for society as to how much it is willing to countenance the possibility of a privacy divide, as you described it.

Q207 Chairman: I am struggling here a bit about the emphasis that goes on to individuals because we seem to be getting evidence that says there are systems that you can do now which give a very high level of privacy protection to individuals. Not in every case, but in many of the cases that we are worried about, which is when we are doing financial transactions and things of that sort, those are generally backed up by the use of one of a handful of major credit card organisations. I do not see why it is so difficult to imagine a situation where you have persuaded Mastercard and the rest that they would not accept transactions through websites which did not automatically build in that level of individual protection. We seem to be in the sort of Stone-Age level of debates about what we can expect from the private sector here. It is rather like the old mobile phone debate and the difficulty in getting mobile phone companies to knock the phones off their network when they have been stolen, even though the technology to do that is cheap and available, but they just cannot be bothered. When we keep saying that the individual has got to be persuaded that this is worthwhile, is it not the truth that we are just not making sufficiently strong demands on a small number of quite strategic organisations, particularly credit card companies, which could basically wipe out the websites that did not have high levels of privacy by just saying, "We're not going to accept financial transactions"? I have not really understood, unless there is something basic that I have missed here, why it is so difficult to get that.

Professor Anderson: I do not think that particular approach will work. There have been so far a couple of competition inquiries in the UK which found that the business of acquiring credit card transactions was anti-competitive. Mastercard would not get involved. One of the things that has been brought about by the dotcom boom is that it is now easier, if you are a merchant, to get credit card transactions processed and that has been of enormous benefit to the economy. The real problem here is a consumer issue, namely that in the UK disputed transactions between cardholders and credit card companies and indeed between credit card companies and merchants are not properly regulated; the banks have got too much power in the regulatory system and are too good at dumping costs on cardholders and merchants. Now, I know that is really the ambit of another committee, but, if the members care to watch Newsnight tonight, there is a programme on precisely this topic, so yes, regulatory action would be a good thing, but it is regulatory action that the Financial Services Authority should be taking -----

Q208 Chairman: Absolutely, yes, that is what I am getting at, but it seems to me that, of all the transactions we are worried about, they are actually processed in practice by a relatively small number of strategic companies globally and actually, if you could in some way put the squeeze on them over the way they did these things, we could speed up the intellectual privacy technology.

Professor Anderson: I have argued for the squeeze being put on banks in front of a number of committees over the years, most recently the world Science and Technology Committee in March.

Chairman: Well, we will have a look at their evidence.

Q209 Margaret Moran: I think if Caspar Bowden were here, not speaking within that term, I think he might have a different view from that, so we can ask for his view, and of course the RIPA debate was pretty well all about this as well. Just looking into the future, can you anticipate, or what would you anticipate are, the forthcoming technologies beyond those which we have already discussed which would influence the way that people maintain, protect and use their digital identities? What is it that is coming onstream that might offer us that comfort and will any of it overcome what appears to be a worrying privacy divide that we just touched on?

Professor Anderson: Well, I suppose I might take issue with the concept of a digital identity. I know that there is a great push in government specifically from the Cabinet Secretary to embrace the whole idea of identity management, but this was something which was tried in the private sector in the late 1990s by companies like VeriSign and Baltimore, and VeriSign survived by getting into a different business and Baltimore went bust, taking £23 billion of pension fund money with it. I do not think that identity management is the right way of thinking about these things. Instead, one should think about the underlying business process of people, when they go to a government office, being dealt with in a fair and reasonable way, whether banks' transactions with their customers are regulated reasonably. The reason for this is that the rhetoric of identity becomes a means of passing the buck. In the old days, if someone went to the Midland Bank, pretended to be me and borrowed £10,000, that was impersonation and it was the bank's fault. Now, it is my identity that has been stolen, so it is supposedly my fault and I end up having a furious row with the credit reference agencies, so the construction of the concept of identity as something that belongs to me that I have to protect with the help of government is not particularly helpful in this debate.

Mr Bramhall: I do not think there is going to be sort of a strongly technology-oriented answer to that question about providing the security and the feelings of security and privacy that people are looking for. I do not think the issue is fundamentally one of the technology and its capability of addressing that issue; I think it is much more about education and awareness and people following good practice and, by that, I do not just mean the individual, but system designers following good practice. Admittedly, that good practice should, where appropriate, use the best and most appropriate technology for the purpose, which might be stronger technology or weaker technology, but it should be fit for purpose, and I think a lot of the issues then revolve around making it clear where information can be readily found as part of that education process, what kind of restitution can be given for where things go wrong and so on, those kinds of things acting as the incentives for affecting the behaviour of both the system designers and the individuals.

Q210 Margaret Moran: Do you agree with Professor Anderson about the regulation of banks? I chair an organisation called EURIM which deals with IT issues which has been arguing to slap an assurance badge on the banks or the credit regulators for some time because it is impossible otherwise to police this whole area of e-crime and so on. Do you agree with that?

Dr Phippen: Yes. Certainly it has been an interesting 12 months for banks because, when we did our initial studies, people would trust banks more than anything else, but, because of the bank charges in particular being very high profile, banks have come in for a bit of a bashing as far as public perception is concerned now and yes, I would certainly agree that they need reining in.

Mr Bramhall: I think, where appropriate, because regulation is obviously the stick, we should not forget to look at the carrot as a way of influencing behaviour as well.

Q211 Mr Winnick: On identity theft, Professor Anderson, you give an illustration that in the Midlands Bank, and I do not know why you put the Midlands Bank, but be that as it may, a good identification, it used to be called, if some money was stolen by criminals, then it was the bank's fault, impersonation. Now, the argument of such financial institutions is that it is identity theft and the responsibility is put on the individual. Should companies not take more precautions to guard against such loss?

Professor Anderson: Well, again this comes down to economics. Now, in the old days, a bank, the Midland Bank of yore or whoever, could decide how vigorously it was going to investigate the background and identity of people who opened accounts with it and every so often they would take hits and that was the cost of doing business. Now, if they can externalise, if they can transfer out some of the costs of that fraud, then the balance point in their business will be different, in other words, they will become more careless. There are further problems in the banking sector in particular with the move to identity as the great buzzword of progress. I was commissioned to do some research for the Federal Reserve Bank a few months ago basically into technological aspects of phishing, fraud and money-laundering, those interested in non-banks and organisations like E.go and so on and how this fits in. One of the things that we found was that the increasing emphasis on identity since 9/11, that is, asking everybody who opens a bank account for a couple of gas bills, had been at the expense of more effective controls because knowing the customer and following the money are not perfect substitutes. Providing that banks can consider that they have discharged their duty by having a couple of copies of gas bills in a filing cabinet, they then feel able to be more careless about perhaps more important issues about the conduct of the account, about whether it is being used to send money to dodgy places and about other things that can go wrong, so for a number of reasons one has to be very careful with this whole identity gospel that is being preached. I know it is fashionable, but that does not make it right.

Q212 Mr Winnick: Without wishing in any way to raise the blood pressure of the Chair, you make the point that dealing with identity theft as a description helps the Home Office to sell identity cards to the public. I agree with you as a matter of fact, but what evidence do you have for that?

Professor Anderson: The Home Office produced a couple of briefing documents a couple of years ago detailing identity theft and saying that identity cards would help to stop this. Lumped in with identity theft, they had all sorts of crimes of impersonation and they also appeared to include pretty well all the UK's credit card fraud. This was discussed extensively at the time and I believe I testified to this Committee in 2004 on the subject. It is clear that the banks saw this as a convenient bandwagon and hitched their liability management campaign to it.

Q213 Mr Winnick: Do you agree with that, Dr Phippen and Mr Bramhall?

Dr Phippen: Yes, I certainly agree with it.

Mr Bramhall: I think there is a role for strong identity in some aspects of people's lives, but, I agree with Professor Anderson, having a strong identity is not the answer to all the problems.

Dr Phippen: I think one issue is the concept of a single online identity. I think citizens are very comfortable with multiple identities for multiple things and the Value Report and things like that are talking about a single signing for all government services and things. The question you get from citizens is, "Why?"

Q214 Mr Winnick: Would you say that security technology in general is keeping pace with the innovation of criminals?

Professor Anderson: It is a constant co-evolution. The most recent innovations in crime have not been principally technological, but principally psychological because, as the technology gets better, so it becomes easier to deceive individuals, so we are seeing an enormous rise in phishing, in pretexting and other things that involve deceiving people. The criminals are not going to stop deceiving machines as well and we are going to see keystroke loggers, we are going to see the rise in pharming and we are going to see technical crimes going along with crimes that involve deceiving people.

Q215 Mr Winnick: Do you feel that, when identity cards come about, the more sophisticated type of criminal gangs will be able to do a pretty good impersonation of such cards?

Professor Anderson: I do not think identity cards are particularly relevant to online concerns because, like it or not, online technology is designed and built in America and companies like Google, Microsoft and Yahoo could not care less about whether Britain has identity cards or not. There are one or two countries, like Estonia, who have tried to issue national identity cards that are linked to a capability to transact online, but this does not seem to have taken off because from a technical point of view, if you want to use client SSL certificates in your banking system, you can do so anyway. Banks decide not to do that for their own reasons, so for governments to make freely available something that is already freely available in another pharmhouse is unlikely to change very much.

Q216 Mr Benyon: Mr Winnick has cleverly asked most of my questions. I wonder if there are any other drivers behind developments in security engineering that we should be aware of.

Professor Anderson: The two big drivers in security engineering recently have been, firstly, digital rights management and, secondly, trusted computing. Digital rights management was driven by the desire of the record companies, as they saw it, to stop people stealing music by sharing it. It has backfired on them rather spectacularly because it has moved power in the supply chain from the big record companies to online distributors, such as Apple, and this has happened just in the last two years, so by calling for better digital rights management, the music industry basically destabilised itself and may have handed power in this industry to others. The other great driver in security technology has been trusted computing which was an attempt by certain large American technology companies to lock its customers ever more tightly into its products. This is linked with rights management in that Microsoft appears to be trying to gain a worldwide lead in the distribution of high-definition digital video just as Apple has got a lead in the distribution of digital music. It appears to be running into trouble in that Microsoft is having great difficulty in making the technology work. These have both been technology push drivers pushed by particular industrial interests. As with customer pull, the fundamental problem in privacy economics is that, although people say that they value privacy, they behave differently. This is really the elephant in the living room as far as those of us who study the subject are concerned. My own view, for what it is worth, is that it is a matter of delayed reaction among other things in that the technical and political elites have understood for some time that privacy is an issue. That will percolate down to the man on the Clapham omnibus once we have seen a few suitable horror stories in red top newspapers. We see signs of it starting.

Q217 Mr Benyon: You have spoken about the difference in approach on each side of the Atlantic. How does the UK compare with other countries in general in safeguarding digital identities and preventing identity fraud?

Professor Anderson: The words "identity fraud" are not used on the continent. The people who try and market it express frustration from time to time.

Q218 Mr Benyon: Because of what you were talking about earlier, about it being a cop out for the banks and a devious method of governments imposing ----?

Professor Anderson: Because of it being a liability management technology and things have panned out differently in other European countries. Also, a significant difference between the UK and the continent is that there is much more vigorous enforcement of data protection law over there and this makes a real difference. The regulatory regime in Germany, for example, is quite different from the regime in Britain and also the bank regulation regime is different so the pressures and the drivers are different.

Mr Bramhall: I would agree with the point about the motivation in Europe being around stronger data protection. Absolutely. Interestingly in the Far East the member countries of APEC are starting to realise that perhaps they have a privacy issue as well. Obviously the tiger economies are doing extremely well with rises in consumer class and concern is starting to surface there about participation in the online economy. Because there is a much wider diversity of cultures, social norms, political systems and so on in APEC compared with the EU, they do not really have the ability to take the same approach to privacy from a philosophical sense. The European approach is clearly driven from Article 8 of the European Convention on Human Rights. There is no similar kind of instrument in APEC but they realise they need to do something. There is APEC activity going on to formulate guidelines which will be common across the APEC countries. That is still very much work in progress. It looks like it is going to be written around avoiding the notion of harm rather than things like rights to know or rights to be protected against others knowing and so on. There are definitely different models. In terms of how the technology fits, hopefully the technology is neutral and can be applied in a number of different models.

Q219 Chairman: If we all learned to stop saying "identity fraud" and started talking about the crime of impersonation, what practical difference would it make?

Professor Anderson: It would make marketing certain agendas much more difficult. To look for practical solutions using available, reasonable regulatory instruments, one probably has to look at the industries in which particular behaviours have become embedded. For example, if one is looking at credit reference agencies, they are regulated better in the USA where, to give one example, you can opt out of having a credit reference given. You can go through Equifax in the States and say, "I forbid you to ever give a credit reference on me to anybody at all." If you are middle aged, you have your mortgage and you have enough credit cards, that is great. You do not need any further credit. You have the immediate benefit that you get an awful lot less junk mail. Nobody sends you offers for credit cards et cetera.

Q220 Chairman: I am as keen on ID cards as Mr Winnick is opposed to them. I am quite prepared to go round persuading people that they should have ID cards to protect themselves from impersonation rather than identity fraud. A lot seems to be hung on this issue of language but I cannot quite see that if we went back to the old language of talking about impersonation rather than identity fraud it would make a blind bit of difference to any of the issues that we are talking about today. It seems to me to be a semantic argument but you clearly think that somehow by talking about identity fraud either government policies would be different, or bank policies would be different or something. I do not really quite understand.

Professor Anderson: The fundamental issue is an issue of liability. If a bad person whom I have never met goes to a bank with whom I have never done business, how should that be able to ruin my life by causing the debt collectors to call on me and causing all sorts of other derogatory stuff to be propagated about me through the system? It is clearly bad that such things happen. How do you go about stopping it? I suggested in our written submission one practical way of stopping it, namely that the Information Commissioner should enforce the existing law against the credit reference agencies. In the absence of that, what other policy options are available? One can debate this at a number of levels. At the legal level, one could talk about various possible private remedies but, at the political level, surely politicians should set the tone for the debate, shaping the debate and deciding what sort of language is used. My point is that the language about identity theft is not helpful from the point of view of consumer rights and security economics.

Q221 Mr Streeter: Focusing on regulation, we mentioned this point earlier about the importance of individual responsibility as consumers and education to make people aware of risks. In terms of protecting privacy, apart from individual responsibility, apart from technological advances in terms of security, can we focus for a few minutes on what could a government do to regulate this incredible market place to protect people's privacy more? If you were advising the UK government, each of the three of you, what is the one thing that they should do which they are not doing? What is the thing that the government should do in terms of regulation?

Professor Anderson: The one thing I would do had I the legislators' power for a day would be to change the UK rules on legal costs to the American rules. In America, constitutional matters, which in this context would mean section eight of the European Convention on Human Rights, can feasibly be enforced by individuals. A young law lecturer wishing to win his spurs and become a professor can go to the Supreme Court and litigate. He does not have to face the prospect of paying $10 million in costs to the government if he loses. That right of private action is not present in Britain because of our rules on costs. That means that there is an assumption that all these actions have to be state actions. As a practical matter, we have an embedded Information Commissioner's office which was designed back in 1981 to be ineffective. David Waddington at the time was quite open about the fact that it was a minimal implementation to keep us legal with Europe. Although the ICO has expanded his gamut somewhat since then, it still remains a very weak body. Are we to wait 50 years for successive ICOs to build up their clout within Whitehall so we can enforce constitutional law? If you want constitutional enforcement to be available to citizens, you have to make private action available as well as public action. That is why I would say let us move to the rules that they have in America or, if that is unacceptable to judges, let us move at least to the rules that they have in Germany where there is very much stricter limitation on taxation on the scale of the costs you have to pay if you lose.

Q222 Mr Streeter: That is a surprising answer but it is slightly outside the box of my question, is it not? It is a brilliant answer and, as a lawyer, I am all in favour of it but surely the government can do something top down as well at the same time as changing the rules on the costs of litigation?

Professor Anderson: The government could do something top down if, for example, the kind of law and practice that one sees in France and Germany on privacy were imposed on government departments, but again you come down to the question of the individual departments and their incentives and how power works in this town or indeed in any town. One suggestion that we made to the Information Commissioner's office was that he should see to it that the data protection officers in various government departments report to him rather than the departmental Parliament secretary, along the lines of CESG cryptosecurity officers reporting to Cheltenham rather than locally. That way, the data protection officer would see his job as enforcing the rules within the department rather than seeing to it that the department has an easy ride with the Information Commissioner. These are all very difficult things to do because they are not the sort of things that you can do easily by means of a simple statute law. How you go about changing a culture of half a million people that has been 800 years in the building is hard.

Dr Phippen: The witness on my left might disagree with this but I think one of the big issues is tougher regulation of the IT suppliers and providers themselves. I spend quite a lot of time troubleshooting between small businesses and it seems to be web development companies in particular who will behave incredibly unethically in terms of what they are going to charge people for. It is a classic case. If you offer an IT supplier half a billion pounds, of course they are going to say, "Yes, we can do it." Why would they not? They will think about the technologies afterwards. At the moment you are looking at the IT "profession". You have a long way to come to achieve the levels of professionalism that exist in other professional practices such as law, accountancy and the medical profession. I think it is getting better. The fact is that the British Computer Society is talking with the government more now. There is a growing code of conduct there but it could possibly do more to make suppliers more responsible for what they are promising. I had a colleague who used to describe IT departments as having all of the power and none of the responsibility because they say, "You signed the spec. That is what you asked for." That kind of thing is changing a bit but it still has a long way to go if you are getting true professional liability within IT professionals.

Q223 Mr Streeter: It is all your fault. Do you want to apologise?

Mr Bramhall: I am just thinking about the phrase I used earlier about tarring everybody with the same brush and how perhaps it might apply. There are two points, one regarding professionalism which I know is not your question but, yes, increased professionalism has to be good. There is in the information security space a new Institute of Information Security Professionals, for example, which is just coming into being and will hopefully have an impact on - I hesitate to use the word "standards" because I do not mean it in the regulatory sense - raising standards of quality in that space. In terms of the specific question you asked about regulation, I must admit I am coming at it as a technology research manager and I do not really feel confident to comment on that side of it, certainly not to the level of detail that Professor Anderson has done. Similarly, we have not conducted any research into the effectiveness of the ICO's power and therefore we should remain silent on that point as well. In general HP does support any actions which the Information Commissioner takes which will increase the general level of confidence that people have about participating online.

Q224 Mr Streeter: I cannot get my mind around the difference between UK regulation and global regulation. So much of this obviously is accessible globally through the worldwide web. Professor Anderson, you have mentioned other European countries which make a better fist of regulation than we do. To what extent is this industry capable of regulation nationally as opposed to internationally? Is there some more regulatory action that should be taken internationally and globally?

Professor Anderson: There are two different issues there. You get better regulation of privacy in France and Germany because you have different constitutional settlements that essentially predate automation or largely so or at least go back to the sixties or seventies. In Germany you have privacy written into the Constitution for reasons that are not particularly surprising. In France more recently there has been a dispensation that CNIL, which is their equivalent of the Information Commissioner's office, is consulted by government departments while they are proposing new system developments and has a veto or something that in practice amounts to a near veto. The second issue which Andy raised is why is the government so awful at developing computer systems. It is generally reckoned that 30% of large IT systems in the private sector fail and 70% of large IT systems in the public sector fail. That was an admission by the Department of Work and Pensions CIO at a conference last month. We have all known this for a while. Why does it happen? FIPR has talked sensibly on the subject. My FIPR colleague, Jim Norton, put together a programme and tried to get our ideas across to permanent secretaries. The gist of the FIPR take on this is that there should never be another government IT project; there should simply be business change projects. Ministers should cease seeing the purchase of a large IT system as a displacement activity, as something that will kick a difficult problem into touch, for the next government to worry about and instead we should have a discipline so that if somebody wishes to change the way their department does business they should specify that and engineer it properly. If IT is part of the solution, then fine. We have been unable so far to sell this idea to Whitehall. I am sure its time will come sooner or later. From the point of view of privacy, some people might take the view that perhaps it is a good thing that 70% of large government IT projects fail.

Q225 Ms Buck: We have covered quite a lot of the questions that I was asked because we have been dipping in and out on a lot of questions about trust, risk assessment and things of that kind. Can I go back to something Professor Anderson said earlier about what it might take to change public consciousness? You used that very vivid language of a few dramatic stories on the front pages of the red tops. You were teasing us a little bit with some thoughts about where that might come from and what it might mean. Can I ask about the research on trust and break it down into categories? What we have tended to do in the last couple of hours is weave in and out of different groups of people and what they mean by trust. There are very different issues - and perhaps you will give us an idea about this kind of risk analysis in greater detail - between children and what children understand and what parents understand about children and risk; about young people and what young people think about risk and about the long term implications of their behaviour, knowing as we do that young people tend not to think long term; and also about adults and their levels of risk and what it might take, perhaps in those different categories to be the shock that requires people as individuals and people in relation to government and the private sector to get some changes.

Professor Anderson: The relevant research here is perhaps that of George Loewenstein at Carnegie Mellon University, who is a behavioural scientist and looks for example at the extent to which people overestimate the happiness that they would get from a good event in their lives or underestimate the sadness that would result from a bad event. He looks for example at how happy people are who are paraplegics or who have had an arm or a leg amputated after cancer and finds that, although most people think that having an arm cut off would be the end of the world, in practice within two or three months people adjust just fine. They report that they are just as happy as they were before. The lesson that he draws from this is that the public's sensitivity to risk basically relates not to the absolute level of risk but to the change in the perceived level of risk. In other words, if a level of risk or threat increases very, very slowly, you will get occasional grumbles from the public but you will not get a great outburst. He refers to this as the boiled frog syndrome after this apocryphal idea that if you put a frog in cold water and boil it, it will not jump out. His concern about this is in the context of global warming, that if planetary temperature continues to rise by a per cent every few decades without a dramatic shock the public will never get sufficiently agitated to demand that politicians do something. It strikes me that exactly the same argument applies to trust and to privacy, in that if privacy is slowly eroded then people will get used to it. We might end up in a society that is rather different from our society today and some of us old fossils might, in our bath chairs in our eighties, be grumbling very noisily about what has happened to the world but there will not be a great outburst. If you get a series of shocks all at once, then that may change and public concern may suddenly spike and create the window of opportunity for regulation. This of course can cut both ways. It may very well be that the large number of privacy invasive systems that government has built or talked about building over the past two or three years will together give that spike. Maybe ID cards plus kids' databases plus NHS databases plus ANPR plus and so on finally will hit critical mass and the public will go ballistic. We do not know. This behavioural research would strongly suggest that that is what politicians should watch out for.

Dr Phippen: Our work with young people would suggest that they do not really take any risk analysis when going online. They just go online.

Q226 Ms Buck: We can all vouch for that, with kids.

Dr Phippen: With 100-odd kids we spoke to, we had probably three clear cases of stalking going on and not one of them reported it to the police or went any further than, "I just blocked them from my LSA". "Why did you not report it?" "I did not know how to." "Did you think there was anything dangerous there?" "No, I just thought it was some weird kid and ignored them." The work that CEOP are doing at the moment is making great strides forward in that they are getting into schools. One thing the kids are all saying is, "We do not really cover this in school." When you have a look at the IT and the computing curricula for both GCSE and A level it is not covered at all and they say, "We might touch on it in citizenship", but again it is not covered a great deal. We are hopefully going to be doing some work with CEOP in the near future, looking at kids' responses to that. That is something that definitely needs doing. You have essentially a captive audience with children. You can go into the schools and talk to them. Initially they might say that it is a load of nonsense or whatever but it gets through to them and they do think about it. With adults, it is more interesting in that they start off looking at how you can get people to trust systems. What we realised very quickly was that trust is not really an issue. The issue is convenience and restitution. What people will do is look at the service on offer and think: what is in it for me? What could go wrong? Has anyone else used the site before? If it is fairly positive, then they will probably go for it. When you talk to them about why they go online, they say something different. We spoke an awful lot to people about what makes them use a website and an awful lot of people said that you need human contact at the end of it. It is not just the website. When you say, "What is your most trusted brand online?" Amazon continually came up as the most trusted brand. You never deal with a human on Amazon. "Yes, but I have a mate; something went wrong and they rectified it very quickly." That is the thing Amazon do very well. They do not say, "This will never go wrong" but when things do go wrong they rectify them. They do not try to hide from them.

Q227 Ms Buck: You make an important point in your report about restitution but how can we learn that lesson from Amazon and expect, either within the private sector or in terms of government's duty in relation to the private sector, to be able to apply that restitution?

Dr Phippen: I feel a little sorry for public sector IT in that you do not have the commercial incentive there that you generally have with the private sector. The first thing to look into is the convenience, which is why the closed systems like DVLA and school registrations work. It needs to be a case of: what is in it for me? What am I going to get out of that? It does not have to be financial; it could be time saving or saving them having to go to local authorities and deal with something like that. I think it is a little more difficult in the public sector because there are immediate convenience measures that you can take. I do not think security is a massive issue in either the public or the private sector. I always think back to education but I think it is the major point. The big concern is people believe that, if they buy something on their credit card and something goes wrong, it is the credit card company's problem, not theirs. Obviously credit card companies are back pedalling from this a great deal at the moment. They do not realise the long term damage in terms of credit referencing and those sorts of issues where, even though they might have had it rectified and they got their £500 back, they might not have gone down the chain and it could ultimately end up with them having a poor credit rating as a result of something. They are not aware of these issues.

Q228 Ms Buck: None of this would lead you to conclude that there is a public readiness in any of those categories to invest time or money in a personal solution? I am not saying that one exists but, were there to be a technological fix on offer or some steps that they could take which would involve some effort and some expense to protect themselves against some of those risks, there is not the public awareness yet to support that?

Dr Phippen: I do not think so. Tom Ilube was behind Egg and is now in charge of Garlik. He spoke to a parliamentary IT committee a while ago. He said that when he was at Egg they did a lot of market research for their customers so security is important so they introduced another factor to their authentication process and people stopped using it because it was too inconvenient. They cannot remember all that. I mentioned multiple identity fraud. Most people have multiple identities all with the same password because, no matter what security experts say, you cannot possibly remember 30 or 40 alphanumeric, random strings. I do not ever think there is going to be a silver bullet technology that sells all this because there should not be IT problems or technology problems. There should be process problems which perhaps IT will address. I think the public are aware of that as well. They do not go online because everyone is telling them to. They go online because it is of benefit to them.

Q229 Ms Buck: To paraphrase, we should raise the school leaving age to 25 in order to be able to accommodate a massive public education programme on this.

Dr Phippen: The biggest problem is the people who have already left school, between the ages of 18 and 60. In those cases, the media have a very strong role to play because all these people tell me, "You should not go online because how do you know that? I read about it in the paper or I saw it on the television." The media obviously are going to be far happier reporting on identity theft or government IT projects going wrong than, "Here is another successful use of IT in society." That is not sexy. That is not interesting. The media have a great responsibility to play in education.

Q230 Ms Buck: Does that make you feel optimistic?

Dr Phippen: No.

Q231 Gwyn Prosser: I have gained the impression from all three witnesses to different degrees that the public are very relaxed about these issues, whether it is CCTV cameras or going online or sharing their personal details. It is mostly certain classes and the media that are making a noise about big brother. You have given us the warning that as these layers of potential intrusion build up we should take a wake up call because it might suddenly come back with a public reaction and a resistance from the public. Is it not a fact that using CCTV, which is perhaps separate from your line of expertise, when it was first introduced in this country, created concern but over the years, as it has increased in areas of surveillance and as these other layers have come on with regard to the internet et cetera, people have become more relaxed about it and in some cases, especially camera surveillance, are demanding of politicians to have more in their patch?

Professor Anderson: The most telling criticism of CCTV is that the money could be better spent on other things. When we did the Information Commissioner's report on the children's databases, we looked at various crime reduction initiatives with a multidisciplinary team. In 1997 the government started off with some very admirable and well researched initiatives including Communities that Care, an initiative whereby people would be got together in tough neighbourhoods, stakeholders, policemen, ministers, councillors, whatever, and would be consulted about what the best crime reduction measures would be for that neighbourhood. The Home Office no doubt would have a budget to spend on these. Similar programmes have been effective in the USA. However, what appears to have happened - there is a reference in our written submission - is that this was subjected to lobbying by the CCTV industry and instead one had programmes to the effect that, "We will give you money for an initiative provided it involves CCTV." This appears to have been one of the reasons why the Communities that Care initiative was not as successful as might reasonably have been expected. Yes, there may be some placebo effect from having large numbers of closed circuit television cameras around, but the analysis of the crime statistics which we cite tends to show that although they are good at reducing crime in car parks they are not so good at reducing crime in town centres and there is a very serious question about whether far too much money has been spent on these and not enough money on other crime reduction initiatives.

Q232 Gwyn Prosser: To what extent do you think the increase in the sophistication of technology to enable the state and private enterprises to scrutinise people's personal information and have access to it will, on that side of the equation, compete with the increasing potential for individuals and companies to protect themselves from that surveillance? Where are we at the moment and how do you see that tension developing?

Professor Anderson: One of the big tensions that we see developing is that of equality of arms and the balance between private and public action. At present it is very easy for the police to get hold of CCTV data or ANPR data to prove that you did something bad but it is a lot more difficult for you to get hold of it to prove that you did not, to establish an alibi. When we move into the realm of civil cases, for example disputes between customers and banks, the same issues arise. The banks can get CCTV data but you cannot. There are also issues about, for example, how you go about tracking people. The Information Commissioner a couple of sessions ago remarked that there had been a website which enabled people to track individuals in the UK from electoral roll data. This provoked an outcry from people who had perfectly good reasons not to want to be tracked. It was accordingly shut down by the Commissioner. Yet again, many new pieces of surveillance have to do with people trying to track other people. What sort of mechanisms should be available for someone who has a bona fide reason to want to track down another person? We suggested in our written submission that if there was some means whereby, for example, a wife who was seeking alimony from an absconded husband and had got fed up with the delays involved in the government mechanisms for doing that should be able to go to a court and get an appropriate order to get information from relevant databases to find where hubby is living and where he is working so that she can go to the court and get an attachment order against his wages. Again, these all have to do with the fact that surveillance centralises power. Whether it centralises power in the hands of the state or in the hands of large corporations, it raises all sorts of issues: equality of arms, public versus private action, but I think that successive governments over the next few years are going to have no choice but to think about it.

Mr Bramhall: Right at the beginning of your previous question, I think you said that people are very relaxed about participation and so on. The Trust Guide work showed that that was not the case, and that there was a general unease. It was not a specific unease, but there was a general unease and a wish to move forward.

Q233 Gwyn Prosser: But not sufficient to discourage them from using that access?

Mr Bramhall: No. And again different people took different views on that. Trust Guide was not meant to be a large, statistical sample. It was more qualitative but within the collection of people who participated there were some who felt quite comfortable, some who did not and some who never have but probably would not because of something they have read about. I do not think we can say that people are very relaxed. They are generally uneasy but, you are right. It does not inhibit them.

Q234 Gwyn Prosser: Professor Anderson, you give us the prediction or caution that we will need a number of headline stories in the tabloids about the hard cases before we perhaps wake up to some of the concerns. If you were to look 20 years hence and take into account that these various changes in public perception of policy can take place, would you expect that the private sector and government would have overall more knowledge about us as individuals or less?

Professor Anderson: They will have more knowledge but it will be much better regulated. We have seen the beginning of the push back, for example, on Google with Google now agreeing to de-identify personal data after two years. This is remarkably quick. The issue was raised first at a conference in France in February and now it is already actioned. It is high on the European agenda so these things move up the political agenda as more people become aware of them. The hearings that we are having are, I believe, driven by the fact that there is general raising of public awareness, bringing surveillance onto the agenda. One cannot stop the collection and processing of data becoming cheaper because technology advances but as it affects more people and perhaps also more interests within society, more organised interest, you are going to get a push back because, after all, what tends to stop one large, powerful lobbying force is not people speaking fine words and arguing from principle but the opposition of other large, powerful lobbying forces. Just as the whole intellectual property debate came into balance when the music industry started being faced down by the supermarkets et cetera, so I would expect that in due course in the private sector the action of the Googles, the Microsofts, the Yahoos and other big players will evoke enough lobbying response from those businesses that are losing out.

Q235 Gwyn Prosser: More information and better regulated?

Professor Anderson: More information and better regulated.

Dr Phippen: I would certainly agree more information and hopefully better regulated in the next 20 odd years.

Mr Bramhall: I agree that more information will be known. I agree also that it will be better governed or the governance will be better. Some of that might come from better regulation for the reasons mentioned. I suspect that will be rather patchy. I think it would be true in the UK and Europe. I am not sure we can take that as a global statement. Where regulation is not the motivation for the improvement, also there will be some motivation from individual private sector enterprises wishing to differentiate themselves again by being seen to do a good job and being more trustworthy. That is less determined on the UK, Europe or the rest of the world.

Chairman: Thank you very much indeed. It has been a very useful session.