Examination of Witnesses (Questions 179 - 199)
TUESDAY 12 JUNE 2007
PROFESSOR ROSS ANDERSON, MR PETE BRAMHALL AND DR ANDY PHIPPEN
Q179 Chairman: Good morning, gentlemen.
Thank you very much indeed for coming to give evidence as part
of our inquiry into the contention that we are drifting towards
the surveillance state, whether that is a good or a bad thing
and what we might do about it if it is, and we are grateful to
you for coming. Our aim today, as you know, is to get at least
some understanding of some of the technological issues involved
in these developments and we are very grateful to you for your
time. I understand that Caspar Bowden cannot come due to ill-health
which is unfortunate, but I am sure that, between you and with
the expertise you have got, you will be able to answer the questions
that we might have directed to him. Perhaps I could ask each of
you to introduce yourselves for the record and then we will make
a start.
Professor Anderson: I am Ross Anderson,
Professor of security engineering at Cambridge
and I also chair the Foundation for Information Policy Research.
Dr Phippen: I am Andy Phippen.
I lecture socio-technical studies at the University of Plymouth
and am co-author of, amongst other things, the Trustguide Report.
Mr Bramhall: I am Pete Bramhall
and I lead a small team of researchers at Hewlett-Packard's corporate
research labs in Bristol where we do research on privacy and identity
management technologies.
Q180 Mrs Cryer: May I ask the first
question primarily to Professor Anderson and it is in terms of
surveillance capability. What do you feel has been the most significant
technological development of the past 10 years?
Professor Anderson: Almost certainly
search engines. It is perhaps slightly more than 10 years since
we saw the first one, AltaVista, 11 years ago, but certainly Google
has come along in the past six or seven years and their use has
become very widespread. Previously, lots of information about
people was kept on numerous, disparate databases, and a lot on
paper in filing cabinets. Search engines mean that everything
that is searchable is now findable if people have got the wit
to look for it, and of course there are not merely the publicly
available search engines, such as Google; there are search engines
on intranets and there are search engines available to government
and intelligence services which give access to information which
is not generally available to the public. But overall the killer
technology is search engines.
Q181 Mrs Cryer: Do you both agree
with that?
Mr Bramhall: Yes, I would agree
certainly with that and I would perhaps also add the fairly recent
rise in social networking capabilities on the Internet, the rise
of things like MySpace and YouTube where people can post information
about themselves and yes, they are doing it willingly and for
what seem to be very desirable purposes for them at the time,
although they may actually have cause later in life to regret
what they have made available of themselves and, coupled with
search engine technology, there might actually be more out there
than they would be happy with.
Q182 Mrs Cryer: Dr Phippen, do you
go along with that?
Dr Phippen: Yes, I would certainly
agree with that.
Q183 Chairman: Can I follow that
and ask what the main drivers are of these new technological developments?
Search engines and Google are presumably driven by a commercial
motive, but things like Facebook and social networking were sort
of invented by people out there really, thinking of a way of doing
things and making uses of them which probably the original designers
had not thought of themselves, so what are the main drivers that
are moving technology forward as quickly as it is?
Professor Anderson: I think it
is different in the private sector than the public sector. In
the private sector, the main driver is the wish to charge different
people different prices. This is of course as old as people have
been trading; the carpet trader in Istanbul who makes a special
price "just for you" is the price discrimination of
antiquity. In general, price discrimination is economically efficient,
but people tend to resent it because they feel that it is unfair.
Now, what is happening is that technology is making price discrimination,
firstly, more attractive to businesses because businesses become
more like the software business over time and, secondly, easier.
So this creates a circle - a vicious circle or a virtuous
circle depending on your point of view - which drives the
acquisition of ever more data and ever more capabilities as part
of the process. And a second main driver of course is targeted
communications. In the public sector, we have got all the motivations
that we have all come to know and love or hate, as may be the
case.
Q184 Chairman: Could you say a little
more about the public sector motivations though in the sense that
there is probably a similar desire to get the right piece of information
to somebody or the right service to somebody or the right information
about somebody, so is it significantly different and is the public
sector driving the technology or is in fact the private sector
developing the technology which the public sector makes use of?
Professor Anderson: I think it
is the latter. The UK is rather odd in that over the last few
years a majority of the business won by our big systems houses
has been public sector business rather than private sector business,
but they are almost never developing new technology, they are
simply using technology which has been developed mostly elsewhere
for private-sector purposes. It is also difficult for even a mild
cynic to escape the supposition that there is some competitive
empire-building going on in Whitehall of the "my database
is bigger than your database" variety, and this appears to
be more pronounced in Britain than in other countries.
Q185 Chairman: Mr Bramhall, as you
mentioned it, how significant are these social networking initiatives
in driving change? I suppose it goes back certainly to text messaging
originally, things where consumers have invented ways of using
these systems that people had not previously thought of.
Mr Bramhall: Yes, the technology
behind them, I think, tends to come from private sector considerations.
Entrepreneurs will think, "Ah yes, if I set up a capability
of doing a MySpace or a YouTube, then they will come and use it
and it will be commercially successful", but the other factor
that drives that success, or otherwise, is essentially how great
is the take-up by people. Are they actually as popular as the
entrepreneurs who found them would like them to be? We can all
look at the numbers of how quickly those sites are mushrooming
and so on, but there is perhaps a little bit of evidence that
indicates younger people are more happy and willing to participate
in them and, therefore, perhaps one of the drivers is actually
coming from the youthful recognition or the recognition by the
young that technology is definitely not to be feared, it can do
wonderful things, it can be liberating from an individual point
of view, it can help form all sorts of personal relationships
which again are very important when you are young, and perhaps
those are the sorts of drivers of behaviour that lead to the success
of these systems which have been enabled initially by private
sector technology.
Q186 Chairman: It is probably an
impossible question, but, if we looked over the next 10 years,
what are the technological developments that you think would have
the most impact on data security and on the privacy of citizens?
Professor Anderson: I do not think
that privacy is fundamentally a technological issue, but fundamentally
a policy issue. One of the things that we have learnt over the
past six or seven years is that, when systems fail, they largely
do so because incentives are misaligned and classically because
some of the persons who guard a system are not the persons who
bear the full economic costs of failure. One of the things that
we are seeing more and more is that, as systems become more complex
with more players, so the temptation on players to throw the risk
over the fence and make it somebody else's problem becomes pervasive.
So I can see this necessarily leading to an increase in regulation
and public action of various kinds. As far as the technology is
concerned, what we are going to see is probably a move to a world
in which more and more objects are a little bit like computers.
In 10 years' time, most things that you buy for more than about
a tenner and which you do not eat or drink will have got some
kind of CPU and communications in them and even things that you
buy to eat or drink may have RFID tags on them.
Q187 Chairman: At which point, the
Committee then goes "What?", so CPU and what was the
other thing?
Professor Anderson: Some processing
capability and some communications capability. Fifty or sixty
years ago, there were a handful of computers and now we have several
computers on our person, mobile phones, laptops, iPods, et cetera,
and that will go up from a few to dozens. Your car might now have
30 computers in it and it might have 100 in it within 10 years'
time and many of these computers will talk to each other. What
that is going to mean is that more and more businesses will become
a little bit like the software business and that means that the
problems that we see in the software business, of which surveillance
is only one, are going to become more pervasive. And this is going
to affect, I think, the work of many committees, because many
of the laws and regulations that we worked out during the 20th
Century with, if you like, atomic property are going to have to
be reworked with digital property to deal with all its side-effects.
Q188 Chairman: Dr Phippen, any star-gazing?
Dr Phippen: I must admit, I am
certainly not as much of a technologist as the other two and,
just looking from the citizen perspective which is very much where
I focus, I think what you realise in the last couple of years
is that the age of the naïve user is pretty much over now.
We have spoken to people who had never used a computer before
who told us, "You shouldn't buy things on the Internet because
the hackers will steal your credit card details", so that
is the level of awareness you are now dealing with. On top of
that, going back to the previous question about whether citizens
drive technology, there is a certain element of narcissism, I
guess you would say, with blogging and MySpace and things like
that where people like to share their information and certainly
with younger people that is very prevalent at the moment. However,
what you have not currently got, particularly with young people,
is that, whilst they are very comfortable with the veneer of the
technology, they are not aware of the threat and they are not
aware of the long-term damage, such as when you are going for
an interview in 10 years' time and someone pulls up your MySpace
page and says, "If you had said that you paid this political
party, would you like to elaborate on that?" because what
they do not realise is that this stuff stays for ever, especially
with Google caches, and you have got various Internet archive
sites that collect websites on a regular basis. I think the citizen
perception will increase a great deal, but what I do not see increasing
is the awareness of threats from it. Certainly we did quite a
lot of work with around 100 school kids and they were very comfortable
with technology and actually, since MySpace got bought by Rupert
Murdoch, it seems to be a little less cool than it used to be
and now things like Facebook and Bebo are the ones to go for,
but they are very aware of that and they are very comfortable
using MSN and various other messaging technologies and they are
very comfortable using SMS technology, but, when you ask them
about the threats and you ask them about the potential for stalking
and the potential for viruses, they have very little in-depth
information.
Q189 Chairman: We will come back
to some of those points. Mr Bramhall, just on the technology side,
do you have anything to add to what Professor Anderson and Dr
Phippen have said about new developments?
Mr Bramhall: Not particularly.
I think that in general the technological developments which will
come about will still basically be in a context where the privacy
issues remain the same and the principles for how one should address
those privacy issues will also remain the same. The challenge
would be, I think, when one is a system designer, remembering
to take account of those principles and not just getting captivated
and dazzled by the potential of what the technology could do.
Q190 Mr Streeter: In relation to
the last 10 years, have there been any surprises? Actually I sometimes
have a bit of a theory that things do not change quite as rapidly
as we think they do, but we can see it going from a long way down,
so have there been any dramatic surprises where in the next 10
years we might look forward and say that we might have some more
like that?
Dr Phippen: I certainly think
that SMS technology was not created for kids to bounce messages
on to their mates; it was created for engineers to send short
messages about mobile network updates. I think there is an awful
lot of, if you like, accidental adoption that goes on where people
do things in a way that perhaps the creator of the technology
did not think.
Q191 Mr Streeter: So a surprise in
implementation, not necessarily in the technology or the invention
itself?
Dr Phippen: Yes, certainly from
the perspective I come from, it is really the use and abuse of
the technology in unpredictable ways that is the difficult thing
to foresee.
Q192 Chairman: It is almost inevitable
that this sort of inquiry moves quite quickly into the threats,
the risks and the dangers of the world that we are moving into
and I suspect that this session will be no different when we go
through the questions, so just before we do, can I just ask each
of you to look at the other side of the equation. If we look 10
years ahead with the development of these technologies and the
spread of these technologies in lots of different systems, how
would you assess the benefits that are likely to arise from them,
particularly for individuals, and would you think that those benefits
are going to be more evident in the public sector or in the private
sector?
Professor Anderson: Well, 10 years
ago the big issue was cryptography policy - the US Government's
attempt to ensure that nobody communicated privately on the Internet
without the NSA being able to tap the communications. That concern
has gone away because encryption has not, as a matter of empirical
practice, been widely deployed. Apart from that, 10 years ago
people were generally very positive about the effects of the Internet.
The evidence that we have now 10 years later? The most recent
study of the correlation, for example, between crime and Internet
adoption across the 50 US states, is interesting. It shows that,
by and large, the Internet has a positive effect or a beneficial
effect in that it reduces some crimes, crimes of sexual violence
and crimes of prostitution, and this is assumed to be linked with
the increasing availability of pornography to young males. The
only crime that has gone up is what the FBI classes as 'runaways',
that is, children leaving home without their parents' consent
before age 18. Some cases of runaways are clearly tragic, and
others are clearly beneficial to the child, and we have no further
figures on that. The things that we were worried about 10 years
ago and the things that have happened 10 years after that were
different, so we have to be cautious when we gaze into the future.
Q193 Chairman: But would you say
that there are more benefits to be gained from the spread of computers
and communications?
Professor Anderson: Absolutely,
otherwise there would not be such an enormous effort and expenditure
going into developing the technology. There are some downsides
of course, but the gains are very much greater than the losses.
Mr Bramhall: The benefits being
the use at low cost, of the removal of physical barriers or of
physical distances being a barrier for communication, collaboration
and so on. Those are clearly the benefits and I see those continuing
to evolve. The threat is sort of the other side of the coin simply
that, because you are able to get out to the entire world from
your house, so the entire world can get into you by the same mechanism.
Q194 Chairman: We touched earlier
on the sense that possibly the public sector tends to follow the
developments in the private sector in this area. Do you see it
over the next 10 years being primarily in the private sector and
individuals' interaction with the private sector and with other
individuals that the benefits will accrue or do you see significant
benefits to the public sector?
Mr Bramhall: I think there is
the potential for significant benefits for the public sector because
the same kinds of points that were made about ease of use and
ease of access and so on are all essentially efficiency benefits
and enabling benefits which are possible just as much in terms
of public sector internal operations as well as public sector
delivery of services to individuals, so those benefits are still
equally applicable.
Q195 Mr Winnick: Could I put this
point to you, namely that virtually everyone, I would imagine,
except Luddites, welcomes the new technology for all kinds of
reasons, the computer, the Internet. Certainly my secretary finds
that a correction, which otherwise on a typewriter would have
taken so long, on a computer takes a matter of seconds. Is there
any way in which you feel, gentlemen, that you can have this advance
in technology, considerable advance in the last 10 or 15 years,
and certainly when I came back here in 1979 the first item I bought
was a typewriter, so can we have this advance in technology without
the intrusion and growing intrusion into privacy? What about you,
Professor Anderson, do you have great concerns about safeguards
over privacy?
Professor Anderson: Well, privacy
intrusions generally stem from the abuse of authorised access
by insiders or from failures to regulate such access properly,
so privacy is largely a policy matter rather than a technology
matter. That said, however, when you have got order of magnitude
reductions in the costs of collecting data, or storing it and
indexing it, of course more information is going to be kept, and
over time we will move to some new equilibrium which is either
going to have to involve more tolerance or more regulation or
both. And I expect that the balance will be different on different
sides of the Atlantic.
Q196 Mr Winnick: Mr Bramhall?
Mr Bramhall: I take a slightly
different view as to the effect. Certainly the policy framework
has to be got right and absolutely so regarding privacy and the
management of it and so on, but I think there is also the potential
certainly in the private sector for companies to differentiate
themselves by exemplary privacy practices and to get, if you like,
a good reputation as being able to manage the personal data of
their customers, employees, whatever, in a reliable and privacy-friendly
manner and to pay continual attention to this. I think it could
become one of those differentiators between companies in the same
way as, for example, product quality might be or price of products,
so I think it could become a differentiator, particularly as far
as the provision of digital services is concerned.
Q197 Mr Winnick: There is a growing
tendency for people to put a great deal of personal information
on social networking sites which we all know about, although I
do not myself do so, MySpace, Facebook. Is there not a danger
that people are doing this without recognising the dangers involved
in storing up such personal information and is there any way that
we in Parliament or the media can warn people of the dangers involved?
Just as a matter of interest, have any of you three put up such
information?
Dr Phippen: I do not have a MySpace
account and I do not blog, I must admit, but I am planning on
blogging about one specific topic I research on. I think there
is a massive issue in particularly what the youth are currently
doing with technology and the fact that they are nowhere near
well enough aware of the damage that can come from that. We did
an awful lot of work with awareness and education, who is responsible,
and it always comes back when you talk to citizens that it is
the Government and it is the manufacturers that should be responsible.
For some reason, you always get the car analogies, "I wouldn't
buy a car and drive it off and then crash it into a wall because
they hadn't checked the brakes properly, so why aren't we checking
that computers are secure before they sell them to us?" Now,
obviously the trouble with that analogy is that, as soon as you
connect your computer at home and stick it on line, all sorts
of things that the vendor could not possibly have predicted when
they sold it to you might happen. Just as an interesting aside,
we do a regular experiment where we get a student to drive around
Plymouth and detect available wireless networks and generally
every year, up until two years ago, it was always 40% secure and
60% unsecure. Last year, we expanded it out to a few other cities
in the South West and it was still 40% secure. This year, it was
75% secure. We then expanded it out, did rural towns, did some
market towns and further afield, and it was coming in at around
75% secure. But then, when you start to look down the network
descriptions, it is the fact that the vendors are now providing
out of the box some level of security, and Professor Anderson
will undoubtedly tell you far more than I can about the difference
between WEP and WPA encryptions and the relative merits of them.
What we are kind of seeing there is that manufacturers are trying
to do more, but then there is a separate experiment where we had
a student detect unsecure Bluetooth devices and send them an unsolicited
message. Over 60% of the people that did that were perfectly happy
to receive that on their device and load it up with no problem
at all, so the kind of conclusion you are getting from that is
that the buck has got to stop with the individual because manufacturers
can do a lot, the Government can do a lot by education and I would
certainly say that if you looked at School Curricula, et cetera,
it is not doing enough at the moment. However, there has to be
personal responsibility because ultimately it is a personal device.
The bewildering thing we found was that people were very, very
willing to accept that something is in their personal device,
they did not know what it was, they just accepted it. Now, how
could a manufacturer protect against that?
Q198 Mr Winnick: I take it, Professor
Anderson and Mr Bramhall, you do not put anything on these sites
which I mentioned?
Professor Anderson: I have a MySpace
site, but I basically use it for one of my hobbies, old music.
It is a free repository for out-of-copyright MP3 files and things
like that. On the issue of security usability, this is one of
the hottest topics in security research over the last three years
because of the rise in phishing and other attacks that basically
exploit user naivety. Up until now, many of the organisations
which ought to know better have taken the view which in safety-critical
systems we call 'blame and train'. If somebody cannot use your
system, you first blame them and you then make some half-hearted
effort to train them. Now, that is known not to work in safety-critical
systems. If an aircraft cockpit is unflyable, you redesign the
cockpit, for goodness' sake! You do not try and make the pilot
fly in some strange attitude, and we are going to need a similar
change of attitude among banks, for example, whose websites are
often particularly vulnerable. There are some interesting public
policy issues here and one that we have been looking at recently
is what is known as 'gender HCI', the way in which men and women
interact with human computer interfaces differently, and this
is a subject which started only in the last year or so at Cambridge
and Carnegie Mellon. We are beginning to realise that the way
many bank websites are designed, for example, likely discriminates
against women because they are designed by geeks for geeks. Banks
will say things like, "visually parse the URL and look for
the second-last thing before the last slash", and this is
a boy-toy kind of approach to things. In such sectors, there are
a number of suppliers - not just computer suppliers but also
website operators - who really must do better. So this is
an active area of research.
Q199 Chairman: I did not want to
say this because, as Dr Phippen says, we always seem to get car
analogies and I was sitting here with a car analogy! Professor
Anderson, as you were saying earlier, most of the breaches are
about when people get inside the system rather than the technology,
but it does sound like the argument that it is not cars that kill
people, it is car drivers, but actually in practice we have done
a lot to make cars people-proof over the years because you could
not just blame the driver, you actually had to change the design.
Professor Anderson: Well, these
are complex socio-technical systems and the reason that we have
got about the same number of fatal road traffic accidents now
as in 1925, despite having a couple of dozen times more cars,
is due to a whole lot of factors: that cars have seatbelts, they
have crumple zones, we have speed limits and we enforce them,
drunk-driving is no longer socially acceptable, et cetera, et
cetera, et cetera. And do not discount the long evolutionary period
whereby the Department for Transport looks at the road traffic
accident hot-spots and, if two or three people have been killed
at some particular interchange, they redesign it. There is a long
period of growth, learning and adaptation which has gone behind
this reduction in fatalities.