UNCORRECTED TRANSCRIPT OF ORAL EVIDENCE
To be published as HC 508-iii
HOUSE OF COMMONS
MINUTES OF EVIDENCE
TAKEN BEFORE
HOME AFFAIRS COMMITTEE
A SURVEILLANCE SOCIETY?
Tuesday 12 June 2007
PROFESSOR ROSS ANDERSON, MR PETE BRAMHALL and DR ANDY PHIPPEN
Evidence heard in Public
Questions 179 - 235
USE OF THE TRANSCRIPT
1. This is an uncorrected transcript of evidence taken in
public and reported to the House. The transcript has been placed on the
internet on the authority of the Committee, and copies have been made
available by the Vote Office for the use of Members and others.
2. Any public use of, or reference to, the contents should
make clear that neither witnesses nor Members have had the opportunity to
correct the record. The transcript is not yet an approved formal record of
these proceedings.
3. Members who
receive this for the purpose of correcting questions addressed by them to
witnesses are asked to send corrections to the Committee Assistant.
4. Prospective
witnesses may receive this in preparation for any written or oral
evidence they may in due course give to the Committee.
Oral Evidence
Taken before the Home Affairs Committee
on Tuesday 12 June 2007
Members present
Mr John Denham, in the Chair
Mr Richard Benyon
Ms Karen Buck
Mrs Ann Cryer
Margaret Moran
Gwyn Prosser
Martin Salter
Mr Gary Streeter
Mr David Winnick
________________
Examination of Witnesses
Witnesses: Professor Ross Anderson, Professor of
Security Engineering, University of Cambridge, and Chair of the Foundation for
Information Policy Research; Mr Pete
Bramhall, Manager, Privacy and Identity Research, Hewlett-Packard
Laboratories; and Dr Andy Phippen,
Lecturer, School of Computing, Communications & Electronics, University of
Plymouth, gave evidence.
Q179 Chairman: Good morning, gentlemen. Thank you very much indeed for coming to
give evidence as part of our inquiry into the contention that we are drifting
towards the surveillance state, whether that is a good or a bad thing and what
we might do about it if it is, and we are grateful to you for coming. Our aim today, as you know, is to get at
least some understanding of some of the technological issues involved in these
developments and we are very grateful to you for your time. I understand that Caspar Bowden cannot come
due to ill-health which is unfortunate, but I am sure that, between you and
with the expertise you have got, you will be able to answer the questions that
we might have directed to him. Perhaps
I could ask each of you to introduce yourselves for the record and then we will
make a start.
Professor Anderson: I am Ross Anderson, Professor of security
engineering at Cambridge and I also chair the Foundation for Information Policy
Research.
Dr Phippen: I am Andy Phippen. I lecture socio-technical
studies at the University of Plymouth and am co-author of, amongst other
things, the Trustguide Report.
Mr Bramhall: I am Pete Bramhall and I lead a small team of
researchers at Hewlett-Packard's corporate research labs in Bristol where we do
research on privacy and demanagement technologies.
Q180 Mrs Cryer: May I ask the first question primarily to
Professor Anderson and it is in terms of surveillance capability. What do you feel has been the most
significant technological development of the past ten years?
Professor Anderson: Almost certainly search engines. It is perhaps slightly more than ten years since
we saw the first one, AltaVista, 11 years ago, but certainly Google has come
along in the past six or seven years and their use has become very
widespread. Previously, lots of
information about people was kept on numerous, disparate databases and a lot on
paper in filing cabinets. Search
engines mean that everything that is searchable is now findable if people have
got the wit to look for it and of course there are not merely the publicly
available search engines, such as Google, there are search engines on intranets
and there are search engines available to government and intelligence services
which give access to information which is not generally available to the
public, but overall the killer technology is search engines.
Q181 Mrs Cryer: Do you both agree with that?
Mr Bramhall: Yes, I would agree certainly with that and I
would perhaps also add the fairly recent rise in social networking capabilities
on the Internet, the rise of things like MySpace and YouTube where people can
post information about themselves and yes, they are doing it willingly and for
what seem to be very desirable purposes for them at the time, although they may
actually have cause later in life to regret what they have made available of
themselves and, coupled with search engine technology, there might actually be
more out there than they would be happy with.
Q182 Mrs Cryer: Dr Phippen, do you go along with that?
Dr Phippen: Yes, I would certainly agree with that.
Q183 Chairman: Can I follow that and ask what the main
drivers are of these new technological developments? Search engines and Google are presumably driven by a commercial
motive, but things like Facebook and social networking were sort of invented by
people out there really, thinking of a way of doing things and making uses of
them which probably the original designers had not thought of themselves, so
what are the main drivers that are moving technology forward as quickly as it
is?
Professor Anderson: I think it is different in the private sector
than the public sector. In the private
sector, the main driver is the wish to charge different people different
prices. This is of course as old as
people have been trading; the carpet trader in Istanbul who makes a special
price "just for you" is the price discrimination of antiquity. In general, price discrimination is
economically efficient, but people tend to resent it because they feel that it
is unfair. Now, what is happening is
that technology is making price discrimination, firstly, more attractive to
businesses because businesses become more like the software business over time
and, secondly, easier, so this creates a circle, a vicious circle or a virtuous
circle depending on your point of view, which drives the acquisition of
ever-more data and ever-more capabilities as part of the process, and a second
main driver of course is targeted communications. In the public sector, we have got all the motivations that we
have all come to know and love or hate, as may be the case.
Q184 Chairman: Could you say a little more about the public
sector motivations though in the sense that there is probably a similar desire
to get the right piece of information to somebody or the right service to
somebody or the right information about somebody, so is it significantly
different and is the public sector driving the technology or is in fact the
private sector developing the technology which the public sector makes use of?
Professor Anderson: I think it is the latter. The UK is rather odd in that over the last
few years a majority of the business won by our big systems houses has been
public sector business rather than private sector business, but they are almost
never developing new technology, they are simply using technology which has
been developed mostly elsewhere for private sector purposes. It is also difficult for even a mild cynic
to escape the supposition that there is some competitive empire-building going
on in Whitehall of the "my database is bigger than your database" variety, and
this appears to be more pronounced in Britain than in other countries.
Q185 Chairman: Mr Bramhall, as you mentioned it, how
significant are these social networking initiatives in driving change? I suppose it goes back certainly to text
messaging originally, things where consumers have invented ways of using these
systems that people had not previously thought of.
Mr Bramhall: Yes, the technology behind them, I think,
tends to come from private sector considerations. Entrepreneurs will think, "Ah yes, if I set up a capability of
doing a MySpace or a YouTube, then they will come and use it and it will be
commercially successful", but the other factor that drives that success, or
otherwise, is essentially how great is the take-up by people. Are they actually as popular as the
entrepreneurs who found them would like them to be? We can all look at the numbers of how quickly those sites are
mushrooming and so on, but there is perhaps a little bit of evidence that
indicates younger people are more happy and willing to participate in them and,
therefore, perhaps one of the drivers is actually coming from the youthful
recognition or the recognition by the youth that technology is definitely not
to be feared, it can do wonderful things, it can be liberating from an
individual point of view, it can help form all sorts of personal relationships
which again are very important when you are young, and perhaps those are the
sorts of drivers of behaviour that lead to the success of these systems which
have been enabled initially by private sector technology.
Q186 Chairman: It is probably an impossible question, but,
if we looked over the next ten years, what are the technological developments
that you think would have the most impact on data security and on the privacy
of citizens?
Professor Anderson: I do not think that privacy is fundamentally
a technological issue, but fundamentally a policy issue. One of the things that we have learnt over
the past six or seven years is that, when systems fail, they largely do so
because incentives are misaligned and classically because some of the persons
who guard a system are not the persons who bear the full economic costs of
failure. One of the things that we are
seeing more and more is that, as systems become more complex with more players,
so the temptation on players to throw the risk over the fence and make it
somebody else's problem becomes pervasive, so I can see this necessarily
leading to an increase in regulation and public action of various kinds. As far as the technology is concerned, what
we are going to see is probably a move to a world in which more and more
objects are a little bit like computers.
In ten years' time, most things that you buy for more than about a
tenner and which you do not eat or drink will have got some kind of CPU and
communications in them and even things that you buy to eat or drink may have RFID
tags on them.
Q187 Professor Anderson: At which point, the Committee then goes
"What?", so CPU and what was the other thing?
Professor Anderson: Some processing capability and some
communications capability. Fifty or 60
years ago, there were a handful of computers and now we have several computers
on our person, mobile phones, laptops, iPods, et cetera, and that will go up from
a few to dozens. Your car might now
have 30 computers in it and it might have 100 in it within ten years' time and
many of these computers will talk to each other. What that is going to mean is that more and more businesses will
become a little bit like the software business and that means that the problems
that we see in the software business, of which surveillance is only one, are
going to become more pervasive and this is going to affect, I think, the work
of many committees because many of the laws and regulations that we worked out
during the 20th Century with, if you like, atomic(?) property are
going to have to be reworked with digital property to deal with all its
side-effects.
Q188 Chairman: Dr Phippen, any star-gazing?
Dr Phippen: I must admit, I am certainly not as much of a
technologist as the other two and, just looking from the citizen perspective
which is very much where I focus, I think what you realise in the last couple
of years is that the age of the naïve user is pretty much over now. We have spoken to people who had never used
a computer before who told us, "You shouldn't buy things on the Internet
because the hackers will steal your credit card details", so that is the level
of awareness you are now dealing with.
On top of that, going back to the previous question about whether
citizens drive technology, there is a certain element of narcissism, I guess
you would say, with blogging and MySpace and things like that where people like
to share their information and certainly with younger people that is very
prevalent at the moment. However, what
you have not currently got, particularly with young people, is that, whilst
they are very comfortable with the veneer of the technology, they are not aware
of the threat and they are not aware of the long-term damage, such as when you
are going for an interview in ten years' time and someone pulls up your MySpace
page and says, "If you had said that you paid this political party, would you
like to elaborate on that?" because what they do not realise is that this stuff
stays for ever, especially with Google caches and you have got various
Internet archive sites that collect websites on a regular basis. I think the citizen perception will increase
a great deal, but what I do not see increasing is the awareness of threats from
it. Certainly we did quite a lot of
work with around 100 school kids and they were very comfortable with technology
and actually, since MySpace got bought by Rupert Murdoch, it seems to be a
little less cool than it used to be and now things like Facebook and Bebo are
the ones to go for, but they are very aware of that and they are very
comfortable using MSN and various other messaging technologies and they are
very comfortable using SMS technology, but, when you ask them about the threats
and you ask them about the potential for stalking and the potential for
viruses, they have very little in-depth information.
Q189 Chairman: We will come back to some of those
points. Mr Bramhall, just on the
technology side, do you have anything to add to what Professor Anderson and Dr
Phippen have said about new developments?
Mr Bramhall: Not particularly. I think that in general the technological developments which will
come about will still basically be in a context where the privacy issues remain
the same and the principles for how one should address those privacy issues
will also remain the same. The
challenge would be, I think, when one is a system designer, remembering to take
account of those principles and not just get captivated and dazzled by the
potential of what the technology could do.
Q190 Mr Streeter: In relation to the last ten years, have there
been any surprises? Actually I
sometimes have a bit of a theory that things do not change quite as rapidly as
we think they do, but we can see it going from a long way down, so have there
been any dramatic surprises where in the next ten years we might look forward
and say that we might have some more like that?
Dr Phippen: I certainly think that SMS technology was not
created for kids to bounce messages on to their mates; it was created for
engineers to send short messages about mobile network updates. I think there is an awful lot of, if you
like, accidental adoption that goes on where people do things in a way that
perhaps the creator of the technology did not think.
Q191 Mr Streeter: So a surprise in implementation, not
necessarily in the technology or the invention itself?
Dr Phippen: Yes, certainly from the perspective I come
from, it is really the use and abuse of the technology in unpredictable ways
that is the difficult thing to foresee.
Q192 Chairman: It is almost inevitable that this sort of
inquiry moves quite quickly into the threats, the risks and the dangers of the
world that we are moving into and I suspect that this session will be no
different when we go through the questions, so just before we do, can I just
ask each of you to look at the other side of the equation. If we look ten years ahead with the
development of these technologies and the spread of these technologies in lots of
different systems, how would you assess the benefits that are likely to arise
from them, particularly for individuals, and would you think that those
benefits are going to be more evident in the public sector or in the private
sector?
Professor Anderson: Well, ten years ago the big issue was
cryptography policy, the US Government's attempt to ensure that nobody
communicated privately on the Internet without the NSA being able to tap the
communications. That concern has gone
away because encryption has not, as a matter of empirical practice, been widely
deployed. Apart from that, ten years
ago people were generally very positive about the effects of the Internet. The evidence that we have now ten years
later, the most recent study of the correlation, for example, between crime and
Internet adoption across the 50 US states, is interesting. It shows that, by and large, the Internet
has a positive effect or a beneficial effect in that it reduces some crimes,
crimes of sexual violence and crimes of prostitution, which are assumed to be
linked with the increasing availability of pornography to young males. The only crime that has gone up are what the
FBI class as 'runaways', that is, children leaving home without their parents'
consent before age 18, and some cases of runaways are clearly tragic and others
are clearly beneficial to the child and we have no further figures on that. The things that we were worried about ten
years ago and the things that have happened ten years after that were
different, so we have to be cautious when we gaze into the future.
Q193 Chairman: But would you say that there are more
benefits to be gained from the spread of computers and communications?
Professor Anderson: Absolutely, otherwise there would not be such
an enormous effort and expenditure going into developing the technology. There are some downsides of course, but the
gains are very much greater than the losses.
Mr Bramhall: The benefits equal the use at low cost, the
removal of physical barriers or physical distances being a barrier for
communication, collaboration and so on.
Those are clearly the benefits and I see those continuing to
evolve. The threat is sort of the other
side of the coin simply that, because you are able to get out to the entire
world from your house, so the entire world can get into you by the same
mechanism.
Q194 Chairman: We touched earlier on the sense that possibly
the public sector tends to follow the developments in the private sector in
this area. Do you see it over the next
ten years being primarily in the private sector and individuals' interaction
with the private sector and with other individuals that the benefits will
accrue or do you see significant benefits to the public sector?
Mr Bramhall: I think there is the potential for significant
benefits for the public sector because the same kinds of points that were made
about ease of use and ease of access and so on are all essentially efficiency
benefits and enabling benefits which are possible just in terms of public
sector internal operations as well as public sector delivery of services to
individuals, so those benefits are still equally applicable.
Q195 Mr Winnick: Could I put this point to you, namely that
virtually everyone, I would imagine, except Luddites, welcomes the new
technology for all kinds of reasons, the computer, the Internet. Certainly my secretary finds that a
correction, which otherwise on a typewriter would have taken so long, on a
computer takes a matter of seconds. Is
there any way in which you feel, gentlemen, that you can have this advance in
technology, considerable advance in the last ten or 15 years, and certainly
when I came back here in 1979 the first item I bought was a typewriter, so can
we have this advance in technology without the intrusion and growing intrusion
into privacy? What about you, Professor
Anderson, do you have great concerns about safeguards over privacy?
Professor Anderson: Well, privacy intrusions generally stem from
the abuse of authorised access by insiders or from failures to regulate such
access properly, so privacy is largely a policy matter rather than a technology
matter. That said, however, when you
have got order of magnitude reductions in the costs of collecting data or
storing it and indexing it, of course more information is going to be kept and
over time we will move to some new equilibrium which is either going to have to
involve more tolerance or more regulation or both, and I expect that the
balance will be different on different sides of the Atlantic.
Q196 Mr Winnick: Mr Bramhall?
Mr Bramhall: I take a slightly different view as to the
effect. Certainly the policy framework
has to be got right and absolutely regarding privacy and the management of it
and so on, but I think there is also the potential certainly in the private
sector for companies to differentiate themselves by exemplary privacy practices
and to get, if you like, a good reputation as being able to manage the personal
data of their customers, employees, whatever, in a reliable and
privacy-friendly manner and to pay continual attention to this. I think it could become one of those
differentiators between companies in the same way as, for example, product
quality might be or price of products, so I think it could become a differentiator,
particularly as far as the provision of digital services is concerned.
Q197 Mr Winnick: There is a growing tendency for people to put
a great deal of personal information on social networking sites which we all
know about, although I do not myself do so, MySpace, Facebook. Is there not a danger that people are doing
this without recognising the dangers involved in storing up such personal
information and is there any way that we in Parliament or the media can warn
people of the dangers involved? Just as
a matter of interest, have any of you three put up such information?
Dr Phippen: I do not have a MySpace account and I do not
blog, I must admit, but I am planning on blogging about one specific topic I
research on. I think there is a massive
issue in particularly what the youth are currently doing with technology and
the fact that they are nowhere near well enough aware of the damage that can
come from that. We did an awful lot of
work with awareness and education, who is responsible, and it always comes back
when you talk to citizens that it is the Government and it is the manufacturers
that should be responsible. For some
reason, you always get the car analogies, "I wouldn't buy a car and drive it
off and then crash it into a wall because they hadn't checked the brakes
properly, so why aren't we checking that computers are secure before they sell
them to us?" Now, obviously the trouble
with that analogy is that, as soon as you connect your computer at home and
stick it on line, all sorts of things that the vendor could not possibly have
predicted when they sold it to you might happen. Just as an interesting aside, we do a regular experiment where we
get a student to drive around Plymouth and detect available wireless networks
and generally every year, up until two years ago, it was always 40% secure and
60% unsecure. Last year, we expanded it
out to a few other cities in the South West and it was still 40% secure. This year, it was 75% secure. We then expanded it out, did rural towns,
did some market towns and did further afield, and it was coming in at around
75% secure, but then, when you start to look down the network descriptions, it
is the fact that the vendors are now providing out of the box some level of
security, and Professor Anderson will undoubtedly tell you far more than I can
about the difference between WEP and WPA encryptions and the relative merits of
them. What we are kind of seeing there
is that manufacturers are trying to do more, but then there is a separate
experiment where we had a student detect unsecure Bluetooth devices and send
them an unsolicited message. Over 60%
of the people that did that were perfectly happy to receive that on their
device and load it up with no problem at all, so the kind of conclusion you are
getting from that is that the buck has got to stop with the individual because
manufacturers can do a lot, the Government can do a lot by education and I
would certainly say that if you looked at Store-Curricula, et cetera, it is not
doing enough at the moment. However,
there has to be personal responsibility because ultimately it is a personal
device. The bewildering thing we found
was that people were very, very willing to accept that something is in their
personal device, they did not know what it was, they just accepted it. Now, how could a manufacturer protect
against that?
Q198 Mr Winnick: I take it, Professor Anderson and Mr
Bramhall, you do not put anything on these sites which I mentioned?
Professor Anderson: I have a MySpace site, but I basically use it
for one of my hobbies, old music. It is
a free repository for out-of-copyright MP3 files and things like that. On the issue of security usability, this is
one of the hottest topics in security research over the last three years
because of the rise in phishing and other attacks that basically exploit user
naivety. Up until now, many of the
organisations which ought to know better have taken the view which in
safety-critical systems we call 'blame and train'. If somebody cannot use your system, you first blame them and you
then make some half-hearted effort to train them. Now, that is known not to work in safety-critical systems. If an aircraft cockpit is unflyable, you
redesign the cockpit, for goodness sake.
You do not try and make the pilot fly in some strange attitude, and we
are going to need a similar change of attitude among banks, for example, whose
websites are often particularly vulnerable.
There are some interesting public policy issues here and one that we
have been looking at recently is what is known as 'gender HCI', the way in
which men and women interact with human computer interfaces differently, and
this is a subject which started only in the last year or so at Cambridge and
Carnegie Mellon. We are beginning to
realise that the way many bank websites are designed, for example, likely
discriminates against women because they are designed by geeks for geeks. Banks will say things like, "visually parse
the URL and look for the second-last thing before the last slash", and this is
a boy-toy kind of approach to things.
In such sectors, there is a number of suppliers, not just computer
suppliers, but also website operators who really must do better, so this is an
active area of research.
Q199 Chairman: I did not want to say this because, as Dr
Phippen says, we always seem to get car analogies and I was sitting here with a
car analogy! Professor Anderson, as you
were saying earlier, most of the breaches are about when people get inside the
system rather than the technology, but it does sound like the argument that it
is not cars that kill people, it is car drivers, but actually in practice we
have done a lot to make cars people-proof over the years because you could not
just blame the driver, you actually had to change the design.
Professor Anderson: Well, these are complex socio-technical
systems and the reason that we have got about the same number of fatal road
traffic accidents now as in 1925, despite having a couple of dozen times more
cars, is due to a whole lot of factors, that cars have seatbelts, they have
crumple zones, we have speed limits and we enforce them, drunk-driving is no
longer socially acceptable, et cetera, et cetera, et cetera, and do not
discount the long evolutionary period whereby the Department for Transport looks
at the road traffic accident hot-spots and, if two or three people have been
killed at some particular interchange, they redesign it. There is a long period of growth, learning
and adaptation which has gone behind this reduction in fatalities.
Q200 Mr Winnick: Arising from what you have just been telling
us, Professor Anderson, do you feel that large retail stores, banks, insurance
societies and so on are asking for too much personal information when it comes
to various matters like loyalty cards, travelcards and purchasing items on the
Internet? Are they going over the limit
as far as personal information that is being requested is concerned?
Professor Anderson: Sometimes too much information is requested
and sometimes too little and it depends on the application because surveillance
is, after all, about power and it is part of another system, namely the way in
which organisations, be they governmental or large private sector
organisations, exercise various kinds of power, market power or otherwise. Now, generally, organisations err on the
side of collecting too much information simply because it is cheap and it does
not cost you very much extra to have an extra computer disk drive or two to
hold more information about individuals and, if it is their time that is spent
filling out the web form rather than your staff's time, then the marginal cost
to your organisation is very low. Now,
where things are competitive, there will be limits on that because, if your
website is too much of a bother for people to fill out, people will go to other
websites, but there may ultimately be a need for systemic controls on the
amount of information gathered by public sector bodies or others who are not
subject to competitive pressures.
America some time ago had a regulation about the maximum amount of time
that people would have to spend filling out government forms with the
requirement that these actually be tested, and perhaps we will need something
similar in the future here.
Q201 Mr Winnick: Arising from what the Chairman said, Mr
Bramhall, should people be more concerned that the private sector have
information on them equal or perhaps even more than the State have? Generally, people are not too worried, at
least in a democracy, which we can emphasise time and time again, about the
information that social security departments and so on have on individuals for
very obvious reasons, and the Health Department, but is there less confidence
when it comes to the private sector?
Mr Bramhall: Yes, and again there is a wide variety of
practices and I am certainly not going to tar the private sector with the same
brush, but it is not too difficult to find instances where you do feel, as you
are interacting with a private sector website, that perhaps it is not only
asking more information than is really needed for the purpose that you are
interacting with it for, but they might have a different purpose, and
increasingly as technology, particularly privacy-enhancing technology, begins
to offer possibilities for system designers to design the systems in a way that
actually requires less personal information, then I think the incentive to them
to do so is not actually apparent at the moment because they are sort of stuck
in this habit of gathering more information because it might come in useful
some day. I am not going to sort of point
fingers or, as I say, tar the whole of the private sector with all of the same
brush there, but there are concerns and I think some of those concerns are
valid simply because having too much information and having information that is
not strictly needed for the purpose runs the risk of leakage, runs the risk of
loss and runs the risk of it being found by people who should not find it. In fact, many of the data breaches that one
reads about where personal data is disclosed from an organisation that had a
valid reason for keeping it, it is quite often just sort of failure of practice
and perhaps incompetence even at a fairly low level that just allows it to
happen, so there is an opportunity for a better job to be done definitely, but
it is not unremittingly awful or anything like that. As I say, most organisations really want to do a good job with
handling personal data, public sector and private sector, and they certainly do
not wish to risk the opprobrium that comes with the bad publicity surrounding a
leak.
Q202 Margaret Moran: Could I just pick up on something Professor
Anderson said, and let us not mention DWP in that last context! I was very interested in the comment you
were making about recent studies in relation to the gender differential in the
ways that technology is used and, therefore, the way that people approach the
privacy and security issues. You may be
aware that six or seven years ago there was a report called Code Red by Perry Sicks(?) of IPPR, and
I actually wrote something called "He Democracy or She Democracy" which looked
at the codes behind the software, so we are not actually talking about the car,
we are talking about, I guess, the spaghetti in the car, all the electrics in
there. The way that codes are used
within systems that we all use, whether it is a computer or a hand-held, the
way that they are devised actually leads us to a certain form of encryption and
security and that is very male-dominated, as you said, the geeks, as we
traditionally like to think, in the bedrooms.
How far
do you think that recognition is helpful in identifying more secure forms of
data-sharing and the use of the services that we all want to use in a safer
way? How far is that developing?
Professor Anderson: I think we are at the very early days of
gender HCI. Work started a couple of
years ago at Carnegie Mellon looking basically at how you could redesign
programmers' toolkits so as to make it easier for women to be programmers. We have been looking at the effects of this
on security and, in particular, vulnerability to phishing. Talking about it to a few people over the
last few months, it seems there is interest sparking elsewhere and it is the
sort of thing I would expect to see more papers on over the next few years and
conferences. There are of course a
number of established IT policy issues that bear on women, and someone
mentioned the children's databases, for example, and there are also supermarket
loyalty cards where the majority of these are held by or at least substantially
used by women. It would be a large task
to pull together all the women's issues in this space and, if your colleagues
are interested in getting involved in that, then I would welcome it.
Q203 Margaret Moran: Going on to the PETs, privacy-enhancing
technologies, the essence of what you have been saying really is that this is
the way forward in terms of being able to deliver what we want, but at the
safety level that we require. You will
know about the growth of PETs and the idea of the token that Credentia has
developed. How far do you think that
these systems can be really designed for privacy? With things like data-matching, and people have criticised iris
tests, biometric tests, there is a very lively debate on that one, the
authentication techniques are getting a lot better and becoming more accurate,
but do you think we are getting there in terms of surveillance and can we go
further?
Mr Bramhall: Are we talking about surveillance or
protection against surveillance?
Q204 Margaret Moran: Protection against surveillance.
Professor Anderson: Well, I think you will find differing views
on this from different witnesses. I was
involved in the 1990s in developing a number of what would now be called
'privacy-enhancing technologies', and I invented the steganographic file
system, for example. In recent years, I
have become somewhat of a sceptic because, to a first approximation,
privacy-enhancing technologies are just pseudonyms. They can be dressed up in various fancy ways, but at heart they
are pseudonyms. There are many
circumstances in which it is very, very sensible for people to use pseudonyms
and, in particular, teenagers going online and having pages on Facebook or
whatever are well advised to use pseudonyms for fairly obvious reasons,
everything from personal safety to not being embarrassed in 25 years' time when
they are trying to get themselves elected as Prime Minister, but there is only
so much you can do with pseudonyms.
Companies do not want to deal with pseudonymous individuals, by and
large, unless there is some premium in it for them. You can get prepaid credit cards, but they are significantly more
expensive and the reason for this is that the information that is collected
about you is valuable and it is used for price discrimination, so there are
some market niches for privacy-enhancing technologies, but they are by no means
the general solution to surveillance problems.
Mr Bramhall: I would actually take a slightly different
view on that one and it stems from perhaps a broader definition of what are privacy-enhancing
technologies, and I do not agree that they are just pseudonyms; there is a
wider set of technologies that can be used.
There is quite a useful definition of them in a communication which the
European Commission has published recently on this subject and it takes a
definition as being a "coherent system of ICT measures that protects privacy by
eliminating or reducing personal data or by preventing unnecessary and/or
undesired processing of personal data, all without losing the functionality of
the information system". That then
opens up a wider range of possibilities.
Certainly what you might regard as the more mathematically rigorous and
tighter sets of technologies are the pseudonyms and similar that Professor
Anderson refers to, but there are other models by which personal data can be
managed or its use be reduced. There
are other models which are more to do with helping the organisation that has
got that information, that has actually received personal information, helping
it do a better job of managing that information, of controlling it, and putting
processes in place which design the systems that do those things. Those processes are as much to do with
management practice as they are to do with technology and, by themselves, those
processes require some technology to help them as well, so I would actually
take a wider definition of what constitutes a privacy-enhancing
technology. I agree with Professor
Anderson's point that, if everyone just takes pseudonymity as a starting point,
the incentives there are not very strong for an organisation to pick that up,
but there are other technologies too and, as I have already made the point, I
believe that privacy can be a differentiator for an organisation.
Q205 Margaret Moran: We have heard evidence from the Royal Academy
of Engineering that personal identity will offer the sort of security that
people are looking for and they have also said essentially that, if we were
better at encrypting and more sophisticated in terms of our encryption, then
some of the concerns we are discussing here today would not occur. How far do you agree with that?
Mr Bramhall: I suspect it actually comes back to Dr
Phippen's area which is ways of making it usable. I think the basic encryption technology could be made strong
enough, et cetera, but the question then becomes how do you make that usable
and accessible and to the ordinary person, I would guess.
Dr Phippen: Yes, certainly if you say to an individual,
"Use this site, it's got better encryption than before", they are going to go,
"So what!" The public's view of
encryption is whether the little padlock is on the browser and, if the padlock
is on the browser, it is safe. I think
the usability issues are extremely significant if you are looking at privacy-enhancing
technologies at all and, unless your average person on the street is
comfortable with them, guarantees of security will be ignored in a lot of the
cases. We generally started our
discussions with, "Who do you trust to keep secure information about you?" "Well, there is no such thing as a secure
system", is generally the response coming back. "Well, how do you know that?"
"Because we've read about it", "Because we've got friends who've got
it", "We've had peers that have experienced it", or "I've experienced it
myself". "Well, why do you use these
things then?" "Convenience, I
guess". I do not think security is the
big issue, but it depends where you are coming from. If you are looking to get more people online and looking to get
more people using public services online, I do not think security and privacy
are the issues; I think convenience and education are the issues. You will be amazed at how much personal
information someone will give you if you offer them 50 quid off a washing machine
or something like that. I guess with a
lot of public sector information is that it kind of goes into the, "What's in
it for me?" mentality to the individual.
If you are buying something online and you are saving yourself 50 quid,
it is very clear. There are some very
successful public sector e-delivery mechanisms, such as the DVLA and tax
returns, and school admissions systems for some reason are incredibly popular
because they offer a sort of return in terms of convenience to individuals and
they are not saying, "I'm not using that" because you are not using the most
up-to-date encryption mechanisms on it, but they are saying, "I'll use that
because it will save me having to fill out the form on paper or it saves me
having to phone someone up and do it all on the phone".
Q206 Margaret Moran: We have heard from the Surveillance Studies
Network that PETs will, or could, lead, as you were saying, to a division
within the market and there could be a situation where those who can afford it
will have an enhanced level of privacy or, conversely, a lower level of
surveillance, whichever way you care to look at it, and that what could be
happening through PETs would be a privacy divide where the well-off can protect
themselves and have the e-castles around them, if you like, and the rest are
without drawbridges. How would you
argue that?
Professor Anderson: There are possibly two different issues
here. When it comes to the private
sector which is interested in price discrimination, anybody who earns
significantly above the national average should logically have an incentive to
invest in privacy technology, although this may not be technology so much as
using pseudonyms, deleting your browser cookies from time to time and so on and
so forth, and all of these techniques will eventually become known to
people. In the public sector of course
there are issues, such as the children's database where the idea is to gather
information from health, schools, social work, et cetera, about children who
might be at risk of offending and the great problem there, as was pointed out
in a report that we wrote for the Information Commissioner, is
stigmatisation. Equality activists used
to joke about the emotional offence of driving while black and, if we end up
with an offence of driving while having more than 50 pints on the Home Office's
onset database, then that would be an equally bad state of affairs. These issues perhaps give some insight into
why the State will have more incentive to do more surveillance on the poor and
why the rich will have more incentive to escape such surveillance as can be
conveniently escaped because they do not want to be charged more for their
airline tickets.
Mr Bramhall: I think the actual cost of an individual
adopting a privacy-enhanced approach to what they do is probably not the
issue. I do not think from an
individual point of view that using a privacy-enhanced approach to their
interactions is going to have a cost impact at all. I think, however, there is a difference between cost and price
and the issue then becomes whether the providers of digital services would wish
to price perhaps discriminatorily such that the privacy-sensitive services are
at a higher price than the other ones.
I think then perhaps it becomes a question for society as to how much it
is willing to countenance the possibility of a privacy divide, as you described
it.
Q207 Chairman: I am struggling here a bit about the emphasis
that goes on to individuals because we seem to be getting evidence that says
there are systems that you can do now which give a very high level of privacy
protection to individuals. Not in every
case, but in many of the cases that we are worried about, which is when we are
doing financial transactions and things of that sort, those are generally backed
up by the use of one of a handful of major credit card organisations. I do not see why it is so difficult to
imagine a situation where you have persuaded Mastercard and the rest that they
would not accept transactions through websites which did not automatically
build in that level of individual protection.
We seem to be in the sort of Stone-Age level of debates about what we
can expect from the private sector here.
It is rather like the old mobile phone debate and the difficulty in
getting mobile phone companies to knock the phones off their network when they
have been stolen, even though the technology to do that is cheap and available,
but they just cannot be bothered. When
we keep saying that the individual has got to be persuaded that this is worthwhile,
is it not the truth that we are just not making sufficiently strong demands on
a small number of quite strategic organisations, particularly credit card
companies, which could basically wipe out the websites that did not have high
levels of privacy by just saying, "We're not going to accept financial
transactions"? I have not really
understood, unless there is something basic that I have missed here, why it is
so difficult to get that.
Professor Anderson: I do not think that particular approach will
work. There have been so far a couple
of competition inquiries in the UK which found that the business of acquiring
credit card transactions was anti-competitive.
Mastercard would not get involved.
One of the things that has been brought about by the dotcom boom is that
it is now easier, if you are a merchant, to get credit card transactions
processed and that has been of enormous benefit to the economy. The real problem here is a consumer issue,
namely that in the UK disputed transactions between cardholders and credit card
companies and indeed between credit card companies and merchants are not
properly regulated; the banks have got too much power in the regulatory system
and are too good at dumping costs on cardholders and merchants. Now, I know that is really the ambit of
another committee, but, if the members care to watch Newsnight tonight, there is a programme on precisely this topic, so
yes, regulatory action would be a good thing, but it is regulatory action that
the Financial Services Authority should be taking -----
Q208 Chairman: Absolutely, yes, that is what I am getting
at, but it seems to me that, of all the transactions we are worried about, they
are actually processed in practice by a relatively small number of strategic
companies globally and actually, if you could in some way put the squeeze on
them over the way they did these things, we could speed up the intellectual
privacy technology.
Professor Anderson: I have argued for the squeeze being put on
banks in front of a number of committees over the years, most recently the
world Science and Technology Committee in March.
Chairman: Well, we will have a look at their evidence.
Q209 Margaret Moran: I think if Caspar Bowden were here, not
speaking within that term, I think he might have a different view from that, so
we can ask for his view, and of course the RIPA debate was pretty well all
about this as well. Just looking into
the future, can you anticipate, or what would you anticipate are, the
forthcoming technologies beyond those which we have already discussed which
would influence the way that people maintain, protect and use their digital
identities? What is it that is coming
onstream that might offer us that comfort and will any of it overcome what
appears to be a worrying privacy divide that we just touched on?
Professor Anderson: Well, I suppose I might take issue with the
concept of a digital identity. I know
that there is a great push in government specifically from the Cabinet
Secretary to embrace the whole idea of identity management, but this was
something which was tried in the private sector in the late 1990s by companies
like VeriSign and Baltimore, and VeriSign survived by getting into a different
business and Baltimore went bust, taking £23 billion of pension fund money with
it. I do not think that identity
management is the right way of thinking about these things. Instead, one should think about the
underlying business process of people, when they go to a government office,
being dealt with in a fair and reasonable way, whether banks' transactions with
their customers are regulated reasonably.
The reason for this is that the rhetoric of identity becomes a means of
passing the buck. In the old days, if
someone went to the Midland Bank, pretended to be me and borrowed £10,000, that
was impersonation and it was the bank's fault.
Now, it is my identity that has been stolen, so it is supposedly my
fault and I end up having a furious row with the credit reference agencies, so
the construction of the concept of identity as something that belongs to me
that I have to protect with the help of government is not particularly helpful
in this debate.
Mr Bramhall: I do not think there is going to be sort of a
strongly technology-oriented answer to that question about providing the
security and the feelings of security and privacy that people are looking
for. I do not think the issue is
fundamentally one of the technology and its capability of addressing that
issue; I think it is much more about education and awareness and people following
good practice and, by that, I do not just mean the individual, but system
designers following good practice.
Admittedly, that good practice should, where appropriate, use the best
and most appropriate technology for the purpose, which might be stronger
technology or weaker technology, but it should be fit for purpose, and I think
a lot of the issues then revolve around making it clear where information can
be readily found as part of that education process, what kind of restitution
can be given for where things go wrong and so on, those kinds of things acting
as the incentives for affecting the behaviour of both the system designers and
the individuals.
Q210 Margaret Moran: Do you agree with Professor Anderson about
the regulation of banks? I chair an
organisation called EURIM which deals with IT issues which has been arguing to
slap an assurance badge on the banks or the credit regulators for some time
because it is impossible otherwise to police this whole area of e-crime and so
on. Do you agree with that?
Dr Phippen: Yes.
Certainly it has been an interesting 12 months for banks because, when
we did our initial studies, people would trust banks more than anything else,
but, because of the bank charges in particular being very high profile, banks
have come in for a bit of a bashing as far as public perception is concerned
now and yes, I would certainly agree that they need reining in.
Mr Bramhall: I think, where appropriate, because
regulation is obviously the stick, we should not forget to look at the carrot
as a way of influencing behaviour as well.
Q211 Mr Winnick: On identity theft, Professor Anderson, you
give an illustration that in the Midlands Bank, and I do not know why you put
the Midlands Bank, but be that as it may, a good identification, it used to be
called, if some money was stolen by criminals, then it was the bank's fault,
impersonation. Now, the argument of
such financial institutions is that it is identity theft and the responsibility
is put on the individual. Should
companies not take more precautions to guard against such loss?
Professor Anderson: Well, again this comes down to
economics. Now, in the old days, a
bank, the Midland Bank of yore or whoever, could decide how vigorously it was
going to investigate the background and identity of people who opened accounts
with it and every so often they would take hits and that was the cost of doing
business. Now, if they can externalise,
if they can transfer out some of the costs of that fraud, then the balance
point in their business will be different, in other words, they will become
more careless. There are further
problems in the banking sector in particular with the move to identity as the
great buzzword of progress. I was
commissioned to do some research for the Federal Reserve Bank a few months ago
basically into technological aspects of phishing, fraud and money-laundering,
those interested in non-banks and organisations like E.go and so on and how
this fits in. One of the things that we
found was that the increasing emphasis on identity since 9/11, that is, asking
everybody who opens a bank account for a couple of gas bills, had been at the
expense of more effective controls because knowing the customer and following
the money are not perfect substitutes.
Providing that banks can consider that they have discharged their duty
by having a couple of copies of gas bills in a filing cabinet, they then feel
able to be more careless about perhaps more important issues about the conduct
of the account, about whether it is being used to send money to dodgy places
and about other things that can go wrong, so for a number of reasons one has to
be very careful with this whole identity gospel that is being preached. I know it is fashionable, but that does not
make it right.
Q212 Mr Winnick: Without wishing in any way to raise the blood
pressure of the Chair, you make the point that dealing with identity theft as a
description helps the Home Office to sell identity cards to the public. I agree with you as a matter of fact, but
what evidence do you have for that?
Professor Anderson: The Home Office produced a couple of briefing
documents a couple of years ago detailing identity theft and saying that
identity cards would help to stop this.
Lumped in with identity theft, they had all sorts of crimes of
impersonation and they also appeared to include pretty well all the UK's credit
card fraud. This was discussed
extensively at the time and I believe I testified to this Committee in 2004 on
the subject. It is clear that the banks
saw this as a convenient bandwagon and hitched their liability management
campaign to it.
Q213 Mr Winnick: Do you agree with that, Dr Phippen and Mr
Bramhall?
Dr Phippen: Yes, I certainly agree with it.
Mr Bramhall: I think there is a role for strong identity
in some aspects of people's lives, but, I agree with Professor Anderson, having
a strong identity is not the answer to all the problems.
Dr Phippen: I think one issue is the concept of a single
online identity. I think citizens are
very comfortable with multiple identities for multiple things and the Value
Report and things like that are talking about a single signing for all
government services and things. The
question you get from citizens is, "Why?"
Q214 Mr Winnick: Would you say that security technology in
general is keeping pace with the innovation of criminals?
Professor Anderson: It is a constant co-evolution. The most recent innovations in crime have
not been principally technological, but principally psychological because, as
the technology gets better, so it becomes easier to deceive individuals, so we are
seeing an enormous rise in phishing, in pretexting and other things that
involve deceiving people. The criminals
are not going to stop deceiving machines as well and we are going to see
keystroke loggers, we are going to see the rise in pharming and we are going
to see technical crimes going along with crimes that involve deceiving people.
Q215 Mr Winnick: Do you feel that, when identity cards come
about, the more sophisticated type of criminal gangs will be able to do a
pretty good impersonation of such cards?
Professor Anderson: I do not think identity cards are
particularly relevant to online concerns because, like it or not, online
technology is designed and built in America and companies like Google, Microsoft
and Yahoo could not care less about whether Britain has identity cards or
not. There are one or two countries,
like Estonia, who have tried to issue national identity cards that are linked
to a capability to transact online, but this does not seem to have taken off
because from a technical point of view, if you want to use client SSL
certificates in your banking system, you can do so anyway. Banks decide not to do that for their own
reasons, so for governments to make freely available something that is already
freely available in another pharmhouse is unlikely to change very much.
Q216 Mr Benyon: Mr Winnick has cleverly asked most of my
questions. I wonder if there are any
other drivers behind developments in security engineering that we should be
aware of.
Professor Anderson: The two big drivers in security engineering
recently have been, firstly, digital rights management and, secondly, trusted
computing. Digital rights management
was driven by the desire of the record companies, as they saw it, to stop
people stealing music by sharing it. It
has backfired on them rather spectacularly because it has moved power in the
supply chain from the big record companies to online distributors, such as
Apple, and this has happened just in the last two years, so by calling for
better digital rights management, the music industry basically destabilised
itself and may have handed power in this industry to others. The other great driver in security
technology has been trusted computing which was an attempt by certain large
American technology companies to lock its customers ever more tightly into its
products. This is linked with rights
management in that Microsoft appears to be trying to gain a worldwide lead in
the distribution of high-definition digital video just as Apple has got a lead
in the distribution of digital music.
It appears to be running into trouble in that Microsoft is having great
difficulty in making the technology work.
These have both been technology push drivers pushed by particular
industrial interests. As with customer
pull, the fundamental problem in privacy economics is that, although people say
that they value privacy, they behave differently. This is really the elephant in the living room as far as those of
us who study the subject are concerned.
My own view, for what it is worth, is that it is a matter of delayed
reaction among other things in that the technical and political elites have
understood for some time that privacy is an issue. That will percolate down to the man on the Clapham omnibus once
we have seen a few suitable horror stories in red top newspapers. We see signs of it starting.
Q217 Mr Benyon: You have spoken about the difference in
approach on each side of the Atlantic. How does the UK
compare with other countries in general in safeguarding digital identities and
preventing identity fraud?
Professor Anderson: The words "identity fraud" are not used on
the continent. The people who try and
market it express frustration from time to time.
Q218 Mr Benyon: Because of what you were talking about
earlier, about it being a cop out for the banks and a devious method of
governments imposing ----?
Professor Anderson: Because of it being a liability management
technology and things have panned out differently in other European countries. Also, a significant difference between the
UK and the continent is that there is much more vigorous enforcement of data
protection law over there and this makes a real difference. The regulatory regime in Germany, for
example, is quite different from the regime in Britain and also the bank
regulation regime is different so the pressures and the drivers are different.
Mr Bramhall: I would agree with the point about the
motivation in Europe being around stronger data protection. Absolutely.
Interestingly in the Far East the member countries of APEC are starting
to realise that perhaps they have a privacy issue as well. Obviously the tiger economies are doing
extremely well with rises in consumer class and concern is starting to surface
there about participation in the online economy. Because there is a much wider diversity of cultures, social
norms, political systems and so on in APEC compared with the EU, they do not
really have the ability to take the same approach to privacy from a
philosophical sense. The European
approach is clearly driven from Article 8 of the European Convention on Human
Rights. There is no similar kind of
instrument in APEC but they realise they need to do something. There is APEC activity going on to formulate
guidelines which will be common across the APEC countries. That is still very much work in
progress. It looks like it is going to
be written around avoiding the notion of harm rather than things like rights to
know or rights to be protected against others knowing and so on. There are definitely different models. In terms of how the technology fits,
hopefully the technology is neutral and can be applied in a number of different
models.
Q219 Chairman: If we all learned to stop saying "identity
fraud" and started talking about the crime of impersonation, what practical
difference would it make?
Professor Anderson: It would make marketing certain agendas much
more difficult. To look for practical
solutions using available, reasonable regulatory instruments, one probably has
to look at the industries in which particular behaviours have become
embedded. For example, if one is
looking at credit reference agencies, they are regulated better in the USA
where, to give one example, you can opt out of having a credit reference given. You can go through Equifax in the States and
say, "I forbid you to ever give a credit reference on me to anybody at
all." If you are middle aged, you have
your mortgage and you have enough credit cards, that is great. You do not need any further credit. You have the immediate benefit that you get
an awful lot less junk mail. Nobody
sends you offers for credit cards et cetera.
Q220 Chairman: I am as keen on ID cards as Mr Winnick is
opposed to them. I am quite prepared to
go round persuading people that they should have ID cards to protect themselves
from impersonation rather than identity fraud.
A lot seems to be hung on this issue of language but I cannot quite see
that if we went back to the old language of talking about impersonation rather
than identity fraud it would make a blind bit of difference to any of the
issues that we are talking about today.
It seems to me to be a semantic argument but you clearly think that
somehow by talking about identity fraud either government policies would be different,
or bank policies would be different or something. I do not really quite understand.
Professor Anderson: The fundamental issue is an issue of
liability. If a bad person whom I have
never met goes to a bank with whom I have never done business, how should that
be able to ruin my life by causing the debt collectors to call on me and
causing all sorts of other derogatory stuff to be propagated about me through
the system? It is clearly bad that such
things happen. How do you go about
stopping it? I suggested in our written
submission one practical way of stopping it, namely that the Information
Commissioner should enforce the existing law against the credit reference
agencies. In the absence of that, what
other policy options are available? One can debate this at a
number of levels. At the legal level,
one could talk about various possible private remedies but, at the political
level, surely politicians should set the tone for the debate, shaping the debate
and deciding what sort of language is used.
My point is that the language about identity theft is not helpful from
the point of view of consumer rights and security economics.
Q221 Mr Streeter: Focusing on regulation, we mentioned this
point earlier about the importance of individual responsibility as consumers
and education to make people aware of risks.
In terms of protecting privacy, apart from individual responsibility,
apart from technological advances in terms of security, can we focus for a few
minutes on what could a government do to regulate this incredible market place
to protect people's privacy more? If
you were advising the UK government, each of the three of you, what is the one
thing that they should do which they are not doing? What is the thing that the government should do in terms of
regulation?
Professor Anderson: The one thing I would do had I the
legislators' power for a day would be to change the UK rules on legal costs to
the American rules. In America,
constitutional matters, which in this context would mean section eight of the
European Convention on Human Rights, can feasibly be enforced by
individuals. A young law lecturer
wishing to win his spurs and become a professor can go to the Supreme Court and
litigate. He does not have to face the
prospect of paying $10 million in costs to the government if he loses. That right of private action is not present
in Britain because of our rules on costs.
That means that there is an assumption that all these actions have to be
state actions. As a practical matter,
we have an embedded Information Commissioner's office which was designed back
in 1981 to be ineffective. David
Waddington at the time was quite open about the fact that it was a minimal
implementation to keep us legal with Europe.
Although the ICO has expanded his gamut somewhat since then, it still
remains a very weak body. Are we to
wait 50 years for successive ICOs to build up their clout within Whitehall so
we can enforce constitutional law? If
you want constitutional enforcement to be available to citizens, you have to
make private action available as well as public action. That is why I would say let us move to the
rules that they have in America or, if that is unacceptable to judges, let us
move at least to the rules that they have in Germany where there is very much
stricter limitation on taxation on the scale of the costs you have to pay if
you lose.
Q222 Mr Streeter: That is a surprising answer but it is
slightly outside the box of my question, is it not? It is a brilliant answer and, as a lawyer, I am all in favour of
it but surely the government can do something top down as well at the same time
as changing the rules on the costs of litigation?
Professor Anderson: The government could do something top down
if, for example, the kind of law and practice that one sees in France and
Germany on privacy were imposed on government departments, but again you come
down to the question of the individual departments and their incentives and how
power works in this town or indeed in any town. One suggestion that we made to the Information Commissioner's
office was that he should see to it that the data protection officers in
various government departments report to him rather than the departmental
Parliament secretary, along the lines of CESG cryptosecurity officers reporting
to Cheltenham rather than locally. That
way, the data protection officer would see his job as enforcing the rules
within the department rather than seeing to it that the department has an easy
ride with the Information Commissioner.
These are all very difficult things to do because they are not the sort
of things that you can do easily by means of a simple statute law. How you go about changing a culture of half
a million people that has been 800 years in the building is hard.
Dr Phippen: The witness on my left might disagree with
this but I think one of the big issues is tougher regulation of the IT
suppliers and providers themselves. I
spend quite a lot of time trouble shooting between small businesses and it
seems to be web development companies in particular who will behave incredibly
unethically in terms of what they are going to charge people for. It is a classic case. If you offer an IT supplier half a billion
pounds, of course they are going to say, "Yes, we can do it." Why would they not? They will think about the technologies
afterwards. At the moment you are
looking at the IT "profession". You
have a long way to come to achieve the levels of professionalism that exist in
other professional practices such as law, accountancy and the medical
profession. I think it is getting
better. The fact is that the British
Computer Society is talking with the government more now. There is a growing code of conduct there but
it could possibly do more to make suppliers more responsible for what they are
promising. I had a colleague who used
to describe IT departments as having all of the power and none of the
responsibility because they say, "You signed the spec. That is what you asked for." That kind of thing is changing a bit but it
still has a long way to go if you are getting true professional liability
within IT professionals.
Q223 Mr Streeter: It is all your fault. Do you want to apologise?
Mr Bramhall: I am just thinking about the phrase I used
earlier about tarring everybody with the same brush and how perhaps it might
apply. There are two points, one
regarding professionalism which I know is not your question but, yes, increased
professionalism has to be good. There
is in the information security space a new Institute of Information Security
Professionals, for example, which is just coming into being and will hopefully
have an impact on - I hesitate to use the word "standards" because I do not
mean it in the regulatory sense - raising standards of quality in that space. In terms of the specific question you asked
about regulation, I must admit I am coming at it as a technology research
manager and I do not really feel confident to comment on that side of it,
certainly not to the level of detail that Professor Anderson has done. Similarly, we have not conducted any
research into the effectiveness of the ICO's power and therefore we should
remain silent on that point as well. In
general HP does support any actions which the Information Commissioner takes
which will increase the general level of confidence that people have about
participating online.
Q224 Mr Streeter: I cannot get my mind around the difference
between UK regulation and global regulation.
So much of this obviously is accessible globally through the worldwide
web. Professor Anderson, you have
mentioned other European countries which make a better fist of regulation than
we do. To what extent is this industry
capable of regulation nationally as opposed to internationally? Is there some more regulatory action that
should be taken internationally and globally?
Professor Anderson: There are two different issues there. You get better regulation of privacy in
France and Germany because you have different constitutional settlements that
essentially predate automation or largely so or at least go back to the sixties
or seventies. In Germany you have
privacy written into the Constitution for reasons that are not particularly
surprising. In France more recently
there has been a dispensation that CNIL, which is their equivalent of the
Information Commissioner's office, is consulted by government departments while
they are proposing new system developments and has a veto or something that in
practice amounts to a near veto. The
second issue which Andy raised is why is the government so awful at developing
computer systems. It is generally
reckoned that 30% of large IT systems in the private sector fail and 70% of
large IT systems in the public sector fail.
That was an admission by the Department of Work and Pensions CIO at a
conference last month. We have all
known this for a while. Why does it
happen? FIPR has talked sensibly on the
subject. My FIPR colleague, Jim Norton,
put together a programme and tried to get our ideas across to permanent
secretaries. The gist of the FIPR take
on this is that there should never be another government IT project; there
should simply be business change projects.
Ministers should cease seeing the purchase of a large IT system as a
displacement activity, as something that will kick a difficult problem into
touch, for the next government to worry about and instead we should have a
discipline so that if somebody wishes to change the way their department does
business they should specify that and engineer it properly. If IT is part of the solution, then
fine. We have been unable so far to
sell this idea to Whitehall. I am sure
its time will come sooner or later.
From the point of view of privacy, some people might take the view that
perhaps it is a good thing that 70% of large government IT projects fail.
Q225 Ms Buck: We have covered quite a lot of the questions
that I was asked because we have been dipping in and out on a lot of questions
about trust, risk assessment and things of that kind. Can I go back to something Professor Anderson said earlier about
what it might take to change public consciousness? You used that very vivid language of a few dramatic stories on
the front pages of the red tops. You
were teasing us a little bit with some thoughts about where that might come
from and what it might mean. Can I ask
about the research on trust and break it down into categories? What we have tended to do in the last couple
of hours is weave in and out of different groups of people and what they mean
by trust. There are very different
issues - and perhaps you will give us an idea about this kind of risk analysis
in greater detail - between children and what children understand and what
parents understand about children and risk; about young people and what young
people think about risk and about the long term implications of their
behaviour, knowing as we do that young people tend not to think long term; and
also about adults and their levels of risk and what it might take, perhaps in
those different categories to be the shock that requires people as individuals
and people in relation to government and the private sector to get some
changes.
Professor Anderson: The relevant research here is perhaps that of
George Loewenstein at Carnegie Mellon University, who is a behavioural scientist
and looks for example at the extent to which people overestimate the happiness
that they would get from a good event in their lives or underestimate the
sadness that would result from a bad event.
He looks for example at how happy people are who are paraplegics or who
have had an arm or a leg amputated after cancer and finds that, although most
people think that having an arm cut off would be the end of the world, in
practice within two or three months people adjust just fine. They report that they are just as happy as
they were before. The lesson that he
draws from this is that the public's sensitivity to risk basically relates not
to the absolute level of risk but to the change in the perceived level of risk. In other words, if a level of risk or threat
increases very, very slowly, you will get occasional grumbles from the public
but you will not get a great outburst.
He refers to this as the boiled frog syndrome after this apocryphal
idea that if you put a frog in cold water and boil it, it will not jump
out. His concern about this is in the
context of global warming, that if planetary temperature continues to rise by a
per cent every few decades without a dramatic shock the public will never get
sufficiently agitated to demand that politicians do something. It strikes me that exactly the same argument
applies to trust and to privacy, in that if privacy is slowly eroded then
people will get used to it. We might
end up in a society that is rather different from our society today and some of
us old fossils might, in our bath chairs in our eighties, be grumbling very
noisily about what has happened to the world but there will not be a great
outburst. If you get a series of shocks
all at once, then that may change and public concern may suddenly spike and
create the window of opportunity for regulation. This of course can cut both ways. It may very well be that the large number of privacy invasive
systems that government has built or talked about building over the past two or
three years will together give that spike.
Maybe ID cards plus kids' databases plus NHS databases plus ANPR plus
and so on finally will hit critical mass and the public will go ballistic. We do not know. This behavioural research would strongly suggest that that is
what politicians should watch out for.
Dr Phippen: Our work with young people would suggest that
they do not really take any risk analysis when going online. They just go online.
Q226 Ms Buck: We can all vouch for that, with kids.
Dr Phippen: With 100-odd kids we spoke to, we had probably
three clear cases of stalking going on and not one of them reported it to the
police or went any further than, "I just blocked them from my LSA". "Why did you not report it?" "I did not know how to." "Did you think there was anything dangerous
there?" "No, I just thought it was some
weird kid and ignored them." The work
that CEOP are doing at the moment is making great strides forward in that they
are getting into schools. One thing the
kids are all saying is, "We do not really cover this in school." When you have a look at the IT and the
computing curricula for both GCSE and A level it is not covered at all and they
say, "We might touch on it in citizenship", but again it is not covered a great
deal. We are hopefully going to be
doing some work with CEOP in the near future, looking at kids' responses to
that. That is something that definitely
needs doing. You have essentially a
captive audience with children. You can
go into the schools and talk to them.
Initially they might say that it is a load of nonsense or whatever but
it gets through to them and they do think about it. With adults, it is more interesting in that they start off
looking at how you can get people to trust systems. What we realised very quickly was that trust is not really an
issue. The issue is convenience and
restitution. What people will do is
look at the service on offer and think: what is in it for me? What could go wrong? Has anyone else used the site before? If it is fairly positive, then they will
probably go for it. When you talk to
them about why they go online, they say something different. We spoke an awful lot to people about what
makes them use a website and an awful lot of people said that you need human
contact at the end of it. It is not
just the website. When you say, "What
is your most trusted brand online?"
Amazon continually came up as the most trusted brand. You never deal with a human on Amazon. "Yes, but I have a mate; something went
wrong and they rectified it very quickly."
That is the thing Amazon do very well.
They do not say, "This will never go wrong" but when things do go wrong
they rectify them. They do not try to
hide from them.
Q227 Ms Buck: You make an important point in your report
about restitution but how can we learn that lesson from Amazon and expect,
either within the private sector or in terms of government's duty in relation
to the private sector, to be able to apply that restitution?
Dr Phippen: I feel a little sorry for public sector IT in
that you do not have the commercial incentive there that you generally have
with the private sector. The first
thing to look into is the convenience, which is why the closed systems like
DVLA and school registrations work. It
needs to be a case of: what is in it for me?
What am I going to get out of that?
It does not have to be financial; it could be time saving or saving them
having to go to local authorities and deal with something like that. I think it is a little more difficult in the
public sector because there are immediate convenience measures that you can
take. I do not think security is a
massive issue in either the public or the private sector. I always think back to education but I think
it is the major point. The big concern
is people believe that, if they buy something on their credit card and
something goes wrong, it is the credit card company's problem, not theirs. Obviously credit card companies are back
pedalling from this a great deal at the moment. They do not realise the long term damage in terms of credit
referencing and those sorts of issues where, even though they might have had it
rectified and they got their £500 back, they might not have gone down the chain
and it could ultimately end up with them having a poor credit rating as a
result of something. They are not aware
of these issues.
Q228 Ms Buck: None of this would lead you to conclude that
there is a public readiness in any of those categories to invest time or money
in a personal solution? I am not saying
that one exists but, were there to be a technological fix on offer or some
steps that they could take which would involve some effort and some expense to
protect themselves against some of those risks, there is not the public
awareness yet to support that?
Dr Phippen: I do not think so. Tom Ilube was behind Egg and is now in charge of Garlik. He spoke to a parliamentary IT committee a
while ago. He said that when he was at
Egg they did a lot of market research for their customers so security is important
so they introduced another factor to their authentication process and people
stopped using it because it was too inconvenient. They cannot remember all that.
I mentioned multiple identity fraud.
Most people have multiple identities all with the same password because,
no matter what security experts say, you cannot possibly remember 30 or 40
alpha numeric, random strings. I do not
ever think there is going to be a silver bullet technology that sells all this
because there should not be IT problems or technology problems. There should be process problems which
perhaps IT will address. I think the
public are aware of that as well. They
do not go online because everyone is telling them to. They go online because it is of benefit to them.
Q229 Ms Buck: To paraphrase, we should raise the school
leaving age to 25 in order to be able to accommodate a massive public education
programme on this.
Dr Phippen: The biggest problem is the people who have
already left school, between the ages of 18 and 60. In those cases, the media have a very strong role to play because
all these people tell me, "You should not go online because how do you know
that? I read about it in the paper or I
saw it on the television." The media
obviously are going to be far happier reporting on identity theft or government
IT projects going wrong than, "Here is another successful use of IT in
society." That is not sexy. That is not interesting. The media have a great responsibility to
play in education.
Q230 Ms Buck: Does that make you feel optimistic?
Dr Phippen: No.
Q231 Gwyn Prosser: I have gained the impression from all three
witnesses to different degrees that the public are very relaxed about these
issues, whether it is CCTV cameras or going online or sharing their personal
details. It is mostly certain classes
and the media that are making a noise about big brother. You have given us the warning that as these
layers of potential intrusion build up we should take a wake up call because it
might suddenly come back with a public reaction and a resistance from the
public. Is it not a fact that using
CCTV, which is perhaps separate from your line of expertise, when it was first
introduced in this country, created concern but over the years, as it has
increased in areas of surveillance and as these other layers have come on with
regard to the internet et cetera, people have become more relaxed about it and
in some cases, especially camera surveillance, are demanding of politicians to
have more in their patch?
Professor Anderson: The most telling criticism of CCTV is that
the money could be better spent on other things. When we did the Information Commissioner's report on the
children's databases, we looked at various crime reduction initiatives with a
multidisciplinary team. In 1997 the
government started off with some very admirable and well researched initiatives
including Communities that Care, an initiative whereby people would be got
together in tough neighbourhoods, stakeholders, policemen, ministers,
councillors, whatever, and would be consulted about what the best crime
reduction measures would be for that neighbourhood. The Home Office no doubt
would have a budget to spend on these.
Similar programmes have been effective in the USA. However, what appears to have happened -
there is a reference in our written submission - is that this was subjected to
lobbying by the CCTV industry and instead one had programmes to the effect
that, "We will give you money for an initiative provided it involves
CCTV." This appears to have been one of
the reasons why the Communities that Care initiative was not as successful as
might reasonably have been expected.
Yes, there may be some placebo effect from having large numbers of
closed circuit television cameras around, but the analysis of the crime
statistics which we cite tends to show that although they are good at reducing
crime in car parks they are not so good at reducing crime in town centres and
there is a very serious question about whether far too much money has been
spent on these and not enough money on other crime reduction initiatives.
Q232 Gwyn Prosser: To what extent do you think the increase in
the sophistication of technology to enable the state and private enterprises to
scrutinise people's personal information and have access to it will, on that
side of the equation, compete with the increasing potential for individuals and
companies to protect themselves from that surveillance? Where are we at the moment and how do you
see that tension developing?
Professor Anderson: One of the big tensions that we see
developing is that of equality of arms and the balance between private and
public action. At present it is very
easy for the police to get hold of CCTV data or ANPR data to prove that you did
something bad but it is a lot more difficult for you to get hold of it to prove
that you did not, to establish an alibi.
When we move into the realm of civil cases, for example disputes between
customers and banks, the same issues arise.
The banks can get CCTV data but you cannot. There are also issues about, for example, how you go about
tracking people. The Information
Commissioner a couple of sessions ago remarked that there had been a website
which enabled people to track individuals in the UK from electoral roll
data. This provoked an outcry from
people who had perfectly good reasons not to want to be tracked. It was accordingly shut down by the
Commissioner. Yet again, many new
pieces of surveillance have to do with people trying to track other people. What sort of mechanisms should be available
for someone who has a bona fide reason
to want to track down another person?
We suggested in our written submission that if there was some means
whereby, for example, a wife who was seeking alimony from an absconded husband
and had got fed up with the delays involved in the government mechanisms for
doing that should be able to go to a court and get an appropriate order to get
information from relevant databases to find where hubby is living and where he
is working so that she can go to the court and get an attachment order against
his wages. Again, these all have to do
with the fact that surveillance centralises power. Whether it centralises power in the hands of the state or in the
hands of large corporations, it raises all sorts of issues: equality of arms,
public versus private action, but I think that successive governments over the
next few years are going to have no choice but to think about it.
Mr Bramhall: Right at the beginning of your previous
question, I think you said that people are very relaxed about participation and
so on. The Trust Guide work showed that
that was not the case, and that there was a general unease. It was not a specific unease, but there was
a general unease and a wish to move forward.
Q233 Gwyn Prosser: But not sufficient to discourage them from
using that access?
Mr Bramhall: No.
And again different people took different views on that. Trust Guide was not meant to be a large,
statistical sample. It was more
qualitative but within the collection of people who participated there were
some who felt quite comfortable, some who did not and some who never have but
probably would not because of something they have read about. I do not think we can say that people are
very relaxed. They are generally uneasy
but, you are right. It does not inhibit
them.
Q234 Gwyn Prosser: Professor Anderson, you give us the
prediction or caution that we will need a number of headline stories in the
tabloids about the hard cases before we perhaps wake up to some of the
concerns. If you were to look 20 years
hence and take into account that these various changes in public perception of
policy can take place, would you expect that the private sector and government
would have overall more knowledge about us as individuals or less?
Professor Anderson: They will have more knowledge but it will be
much better regulated. We have seen the
beginning of the push back, for example, on Google with Google now agreeing to
de-identify personal data after two years.
This is remarkably quick. The
issue was raised first at a conference in France in February and now it is
already actioned. It is high on the
European agenda so these things move up the political agenda as more people
become aware of them. The hearings that
we are having are, I believe, driven by the fact that there is general raising
of public awareness, bringing surveillance onto the agenda. One cannot stop the collection and
processing of data becoming cheaper because technology advances but as it
affects more people and perhaps also more interests within society, more
organised interest, you are going to get a push back because, after all, what
tends to stop one large, powerful lobbying force is not people speaking fine
words and arguing from principle but the opposition of other large, powerful
lobbying forces. Just as the whole
intellectual property debate came into balance when the music industry started
being faced down by the supermarkets et cetera, so I would expect that in due
course in the private sector the action of the Googles, the Microsofts, the
Yahoos and other big players will evoke enough lobbying response from those
businesses that are losing out.
Q235 Gwyn Prosser: More information and better regulated?
Professor Anderson: More information and better regulated.
Dr Phippen: I would certainly agree more information and
hopefully better regulated in the next 20 odd years.
Mr Bramhall: I agree that more information will be
known. I agree also that it will be
better governed or the governance will be better. Some of that might come from better regulation for the reasons mentioned. I suspect that will be rather patchy. I think it would be true in the UK and
Europe. I am not sure we can take that
as a global statement. Where regulation
is not the motivation for the improvement, also there will be some motivation
from individual private sector enterprises wishing to differentiate themselves
again by being seen to do a good job and being more trustworthy. That is less determined on the UK, Europe or
the rest of the world.
Chairman: Thank you very much indeed. It has been a very useful session.