Select Committee on Home Affairs Minutes of Evidence


Examination of Witnesses (Questions 200 - 219)

TUESDAY 12 JUNE 2007

PROFESSOR ROSS ANDERSON, MR PETE BRAMHALL AND DR ANDY PHIPPEN

  Q200  Mr Winnick: Arising from what you have just been telling us, Professor Anderson, do you feel that large retail stores, banks, insurance societies and so on are asking for too much personal information when it comes to various matters like loyalty cards, travelcards and purchasing items on the Internet? Are they going over the limit as far as personal information that is being requested is concerned?

  Professor Anderson: Sometimes too much information is requested and sometimes too little, and it depends on the application because surveillance is, after all, about power and it is part of another system, namely the way in which organisations, be they governmental or large private sector organisations, exercise various kinds of power, market power or otherwise. Now, generally, organisations err on the side of collecting too much information simply because it is cheap and it does not cost you very much extra to have an extra computer disk drive or two to hold more information about individuals and, if it is their time that is spent filling out the web form rather than your staff's time, then the marginal cost to your organisation is very low. Now, where things are competitive, there will be limits on that because, if your website is too much of a bother for people to fill out, people will go to other websites. But there may ultimately be a need for systemic controls on the amount of information gathered by public sector bodies or others who are not subject to competitive pressures. America some time ago had a regulation about the maximum amount of time that people would have to spend filling out government forms with the requirement that these actually be tested, and perhaps we will need something similar in the future here.

  Q201  Mr Winnick: Arising from what the Chairman said, Mr Bramhall, should people be more concerned that the private sector have information on them equal or perhaps even more than the State have? Generally, people are not too worried, at least in a democracy, which we can emphasise time and time again, about the information that social security departments and so on have on individuals for very obvious reasons, and the Health Department, but is there less confidence when it comes to the private sector?

  Mr Bramhall: Yes, and again there is a wide variety of practices and I am certainly not going to tar all the private sector with the same brush, but it is not too difficult to find instances where you do feel, as you are interacting with a private sector website, that perhaps it is not only asking more information than is really needed for the purpose that you are interacting with it for, but they might have a different purpose, and increasingly as technology, particularly privacy-enhancing technology, begins to offer possibilities for system designers to design the systems in a way that actually requires less personal information, then I think the incentive to them to do so is not actually apparent at the moment because they are sort of stuck in this habit of gathering more information because it might come in useful some day. I am not going to sort of point fingers or, as I say, tar the whole of the private sector with all of the same brush there, but there are concerns and I think some of those concerns are valid simply because having too much information and having information that is not strictly needed for the purpose runs the risk of leakage, runs the risk of loss and runs the risk of it being found by people who should not find it. In fact, in many of the data breaches that one reads about where personal data is disclosed from an organisation that had a valid reason for keeping it, it is quite often just a sort of failure of practice and perhaps incompetence even at a fairly low level that just allows it to happen, so there is an opportunity for a better job to be done definitely so, but it is not unremittingly awful or anything like that. As I say, most organisations really want to do a good job with handling personal data, public sector and private sector, and they certainly do not wish to risk the opprobrium that comes with the bad publicity surrounding a leak.

  Q202  Margaret Moran: Could I just pick up on something Professor Anderson said, and let us not mention DWP in that last context! I was very interested in the comment you were making about recent studies in relation to the gender differential in the ways that technology is used and, therefore, the way that people approach the privacy and security issues. You may be aware that six or seven years ago there was a report called Code Red by Perri 6 of IPPR, and I actually wrote something called "He Democracy or She Democracy" which looked at the codes behind the software, so we are not actually talking about the car, we are talking about, I guess, the spaghetti in the car, all the electrics in there. The way that codes are used within systems that we all use, whether it is a computer or a hand-held, the way that they are devised actually leads us to a certain form of encryption and security and that is very male-dominated, as you said, the geeks, as we traditionally like to think, in the bedrooms. How far do you think that recognition is helpful in identifying more secure forms of data-sharing and the use of the services that we all want to use in a safer way? How far is that developing?

  Professor Anderson: I think we are at the very early days of gender HCI. Work started a couple of years ago at Carnegie Mellon[1] looking basically at how you could redesign programmers' toolkits so as to make it easier for women to be programmers. We have been looking at the effects of this on security and, in particular, vulnerability to phishing. Talking about it to a few people over the last few months, it seems there is interest sparking elsewhere and it is the sort of thing I would expect to see more papers on over the next few years and conferences. There are of course a number of established IT policy issues that bear on women, and someone mentioned the children's databases, for example, and there are also supermarket loyalty cards where the majority of these are held by or at least substantially used by women. It would be a large task to pull together all the women's issues in this space and, if your colleagues are interested in getting involved in that, then I would welcome it.


  Q203  Margaret Moran: Going on to the PETs, privacy-enhancing technologies, the essence of what you have been saying really is that this is the way forward in terms of being able to deliver what we want, but at the safety level that we require. You will know about the growth of PETs and the idea of the token that Credentica has developed. How far do you think that these systems can be really designed for privacy? With things like data-matching, and people have criticised iris tests, biometric tests, there is a very lively debate on that one, the authentication techniques are getting a lot better and becoming more accurate, but do you think we are getting there in terms of surveillance and can we go further?

  Mr Bramhall: Are we talking about surveillance or protection against surveillance?

  Q204  Margaret Moran: Protection against surveillance.

  Professor Anderson: Well, I think you will find differing views on this from different witnesses. I was involved in the 1990s in developing a number of what would now be called `privacy-enhancing technologies', and I invented the steganographic file system, for example. In recent years, I have become somewhat of a sceptic because, to a first approximation, privacy-enhancing technologies are just pseudonyms. They can be dressed up in various fancy ways, but at heart they are pseudonyms. There are many circumstances in which it is very, very sensible for people to use pseudonyms and, in particular, teenagers going online and having pages on Facebook or whatever are well advised to use pseudonyms for fairly obvious reasons—everything from personal safety to not being embarrassed in 25 years' time when they are trying to get themselves elected as Prime Minister—but there is only so much you can do with pseudonyms. Companies do not want to deal with pseudonymous individuals, by and large, unless there is some premium in it for them. You can get prepaid credit cards, but they are significantly more expensive and the reason for this is that the information that is collected about you is valuable and it is used for price discrimination. So there are some market niches for privacy-enhancing technologies, but they are by no means the general solution to surveillance problems.

  Mr Bramhall: I would actually take a slightly different view on that one and it stems from perhaps a broader definition of what are privacy-enhancing technologies, and I do not agree that they are just pseudonyms; there is a wider set of technologies that can be used. There is quite a useful definition of them in a communication which the European Commission has published recently on this subject and it takes a definition as being a "coherent system of ICT measures that protects privacy by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data, all without losing the functionality of the information system". That then opens up a wider range of possibilities. Certainly what you might regard as the more mathematically rigorous and tighter sets of technologies are the pseudonyms and similar that Professor Anderson refers to, but there are other models by which personal data can be managed or its use be reduced. There are other models which are more to do with helping the organisation that has got that information, that has actually received personal information, helping it do a better job of managing that information, of controlling it, and putting processes in place which design the systems that do those things.[2] Those processes are as much to do with management practice as they are to do with technology and, by themselves, those processes require some technology to help them as well, so I would actually take a wider definition of what constitutes a privacy-enhancing technology. I agree with Professor Anderson's point that, if everyone just takes pseudonymity as a starting point, the incentives there are not very strong for an organisation to pick that up, but there are other technologies too and, as I have already made the point, I believe that privacy can be a differentiator for an organisation.


  Q205  Margaret Moran: We have heard evidence from the Royal Academy of Engineering that personal identity will offer the sort of security that people are looking for and they have also said essentially that, if we were better at encrypting and more sophisticated in terms of our encryption, then some of the concerns we are discussing here today would not occur. How far do you agree with that?

  Mr Bramhall: I suspect it actually comes back to Dr Phippen's area which is ways of making it usable. I think the basic encryption technology could be made strong enough, et cetera, but the question then becomes how do you make that usable and accessible and to the ordinary person, I would guess.

  Dr Phippen: Yes, certainly if you say to an individual, "Use this site, it's got better encryption than before", they are going to go, "So what!" The public's view of encryption is whether the little padlock is on the browser and, if the padlock is on the browser, it is safe. I think the usability issues are extremely significant if you are looking at privacy-enhancing technologies at all and, unless your average person on the street is comfortable with them, guarantees of security will be ignored in a lot of the cases. We generally started our discussions with, "Who do you trust to keep secure information about you?" "Well, there is no such thing as a secure system", is generally the response coming back. "Well, how do you know that?" "Because we've read about it", "Because we've got friends who've got it", "We've had peers that have experienced it", or "I've experienced it myself". "Well, why do you use these things then?" "Convenience, I guess". I do not think security is the big issue, but it depends where you are coming from. If you are looking to get more people online and looking to get more people using public services online, I do not think security and privacy are the issues; I think convenience and education are the issues. You will be amazed at how much personal information someone will give you if you offer them 50 quid off a washing machine or something like that. I guess with a lot of public sector information is that it kind of goes into the, "What's in it for me?" mentality to the individual. If you are buying something online and you are saving yourself 50 quid, it is very clear. 
There are some very successful public sector e-delivery mechanisms, such as the DVLA and tax returns, and school admissions systems for some reason are incredibly popular because they offer a sort of return in terms of convenience to individuals and they are not saying, "I'm not using that" because you are not using the most up-to-date encryption mechanisms on it, but they are saying, "I'll use that because it will save me having to fill out the form on paper or it saves me having to phone someone up and do it all on the phone".

  Q206  Margaret Moran: We have heard from the Surveillance Studies Network that PETs will, or could, lead, as you were saying, to a division within the market and there could be a situation where those who can afford it will have an enhanced level of privacy or, conversely, a lower level of surveillance, whichever way you care to look at it, and that what could be happening through PETs would be a privacy divide where the well-off can protect themselves and have the e-castles around them, if you like, and the rest are without drawbridges. How would you argue that?

  Professor Anderson: There are possibly two different issues here. When it comes to the private sector which is interested in price discrimination, anybody who earns significantly above the national average should logically have an incentive to invest in privacy technology, although this may not be technology so much as using pseudonyms, deleting your browser cookies from time to time and so on and so forth, and all of these techniques will eventually become known to people. In the public sector of course there are issues, such as the children's databases where the idea is to gather information from health, schools, social work, et cetera, about children who might be at risk of offending. And the great problem there, as was pointed out in a report that we wrote for the Information Commissioner, is stigmatisation. Equality activists used to joke about the emotional offence of `Driving while black' and, if we end up with an offence of `Driving while having more than 50 points on the Home Office's ONSET database', then that would be an equally bad state of affairs. These issues perhaps give some insight into why the State will have more incentive to do more surveillance on the poor and why the rich will have more incentive to escape such surveillance as can be conveniently escaped—because they do not want to be charged more for their airline tickets.

  Mr Bramhall: I think the actual cost of an individual adopting a privacy-enhanced approach to what they do is probably not the issue. I do not think from an individual point of view that using a privacy-enhanced approach to their interactions is going to have a cost impact at all. I think, however, there is a difference between cost and price and the issue then becomes whether the providers of digital services would wish to price perhaps discriminatorily such that the privacy-sensitive services are at a higher price than the other ones. I think then perhaps it becomes a question for society as to how much it is willing to countenance the possibility of a privacy divide, as you described it.

  Q207  Chairman: I am struggling here a bit about the emphasis that goes on to individuals because we seem to be getting evidence that says there are systems that you can do now which give a very high level of privacy protection to individuals. Not in every case, but in many of the cases that we are worried about, which is when we are doing financial transactions and things of that sort, those are generally backed up by the use of one of a handful of major credit card organisations. I do not see why it is so difficult to imagine a situation where you have persuaded Mastercard and the rest that they would not accept transactions through websites which did not automatically build in that level of individual protection. We seem to be in the sort of Stone-Age level of debates about what we can expect from the private sector here. It is rather like the old mobile phone debate and the difficulty in getting mobile phone companies to knock the phones off their network when they have been stolen, even though the technology to do that is cheap and available, but they just cannot be bothered. When we keep saying that the individual has got to be persuaded that this is worthwhile, is it not the truth that we are just not making sufficiently strong demands on a small number of quite strategic organisations, particularly credit card companies, which could basically wipe out the websites that did not have high levels of privacy by just saying, "We're not going to accept financial transactions"? I have not really understood, unless there is something basic that I have missed here, why it is so difficult to get that.

  Professor Anderson: I do not think that particular approach will work. There have been so far a couple of competition inquiries in the UK which found that the business of acquiring credit card transactions was anti-competitive. Mastercard would not get involved. One of the things that has been brought about by the dotcom boom is that it is now easier, if you are a merchant, to get credit card transactions processed and that has been of enormous benefit to the economy. The real problem here is a consumer issue, namely that in the UK disputed transactions between cardholders and credit card companies and indeed between credit card companies and merchants are not properly regulated; the banks have got too much power in the regulatory system and are too good at dumping costs on cardholders and merchants. Now, I know that is really the ambit of another committee, but, if the members care to watch Newsnight tonight, there is a programme on precisely this topic, so yes, regulatory action would be a good thing, but it is regulatory action that the Financial Services Authority should be taking—

  Q208  Chairman: Absolutely, yes, that is what I am getting at, but it seems to me that, of all the transactions we are worried about, they are actually processed in practice by a relatively small number of strategic companies globally and actually, if you could in some way put the squeeze on them over the way they did these things, we could speed up the intellectual privacy technology.

  Professor Anderson: I have argued for the squeeze being put on banks in front of a number of committees over the years, most recently the Lords' Science and Technology Committee in March.

  Chairman: Well, we will have a look at their evidence.

  Q209  Margaret Moran: I think if Caspar Bowden were here, not speaking within that term, I think he might have a different view from that, so we can ask for his view, and of course the RIPA debate was pretty well all about this as well. Just looking into the future, can you anticipate, or what would you anticipate are, the forthcoming technologies beyond those which we have already discussed which would influence the way that people maintain, protect and use their digital identities? What is it that is coming onstream that might offer us that comfort and will any of it overcome what appears to be a worrying privacy divide that we just touched on?

  Professor Anderson: Well, I suppose I might take issue with the concept of a digital identity. I know that there is a great push in government—specifically from the Cabinet Secretary—to embrace the whole idea of identity management. But this was something which was tried in the private sector in the late 1990s by companies like Verisign and Baltimore, and Verisign survived by getting into a different business and Baltimore went bust, taking £23 billion of pension fund money with it. I do not think that identity management is the right way of thinking about these things. Instead, one should think about the underlying business process of people, when they go to a government office, being dealt with in a fair and reasonable way; whether banks' transactions with their customers are regulated reasonably. The reason for this is that the rhetoric of identity becomes a means of passing the buck. In the old days, if someone went to the Midland Bank, pretended to be me and borrowed £10,000, that was impersonation and it was the bank's fault. Now, it is my identity that has been stolen, so it is supposedly my fault, and I end up having a furious row with the credit reference agencies. So the construction of the concept of `identity' as something that belongs to me, that I have to protect with the help of government is not particularly helpful in this debate.

  Mr Bramhall: I do not think there is going to be sort of a strongly technology-oriented answer to that question about providing the security and the feelings of security and privacy that people are looking for. I do not think the issue is fundamentally one of the technology and its capability of addressing that issue; I think it is much more about education and awareness and people following good practice and, by that, I do not just mean the individual, but system designers following good practice. Admittedly, that good practice should, where appropriate, use the best and most appropriate technology for the purpose, which might be stronger technology or weaker technology, but it should be fit for purpose, and I think a lot of the issues then revolve around making it clear where information can be readily found as part of that education process,[3] what kind of restitution can be given for where things go wrong[4] and so on, those kinds of things acting as the incentives for affecting the behaviour of both the system designers and the individuals.



  Q210  Margaret Moran: Do you agree with Professor Anderson about the regulation of banks? I chair an organisation called EURIM[5] which deals with IT issues which has been arguing to slap an assurance badge on the banks or the credit regulators for some time because it is impossible otherwise to police this whole area of e-crime and so on. Do you agree with that?

  Dr Phippen: Yes. Certainly it has been an interesting 12 months for banks because, when we did our initial studies, people would trust banks more than anything else, but, because of the bank charges in particular being very high profile, banks have come in for a bit of a bashing as far as public perception is concerned now and yes, I would certainly agree that they need reining in.

  Mr Bramhall: I think, where appropriate, because regulation is obviously the stick, we should not forget to look at the carrot as a way of influencing behaviour as well.

  Q211  Mr Winnick: On identity theft, Professor Anderson, you give an illustration that in the Midlands Bank, and I do not know why you put the Midlands Bank, but be that as it may, a good identification, it used to be called, if some money was stolen by criminals, then it was the bank's fault, impersonation. Now, the argument of such financial institutions is that it is identity theft and the responsibility is put on the individual. Should companies not take more precautions to guard against such loss?

  Professor Anderson: Well, again this comes down to economics. Now, in the old days, a bank, the Midland Bank of yore or whoever, could decide how vigorously it was going to investigate the background and identity of people who opened accounts with it and every so often they would take hits and that was the cost of doing business. Now, if they can externalise, if they can transfer out some of the costs of that fraud, then the balance point in their business will be different, in other words, they will become more careless. There are further problems in the banking sector in particular with the move to identity as the great buzzword of progress. I was commissioned to do some research for the Federal Reserve Bank a few months ago basically into technological aspects of phishing, fraud and money-laundering. They were interested in non-banks and organisations like eGold and so on and how this fits in. One of the things that we found was that the increasing emphasis on identity since 9/11, that is, asking everybody who opens a bank account for a couple of gas bills, had been at the expense of more effective controls, because knowing the customer and following the money are not perfect substitutes. Providing that banks can consider that they have discharged their duty by having a couple of copies of gas bills in a filing cabinet, they then feel able to be more careless about perhaps more important issues about the conduct of the account—about whether it is being used to send money to dodgy places and about other things that can go wrong. So for a number of reasons one has to be very careful with this whole identity gospel that is being preached. I know it is fashionable, but that does not make it right.

  Q212  Mr Winnick: Without wishing in any way to raise the blood pressure of the Chair, you make the point that dealing with identity theft as a description helps the Home Office to sell identity cards to the public. I agree with you as a matter of fact, but what evidence do you have for that?

  Professor Anderson: The Home Office produced a couple of briefing documents a couple of years ago detailing identity theft and saying that identity cards would help to stop this. Lumped in with identity theft, they had all sorts of crimes of impersonation and they also appeared to include pretty well all the UK's credit card fraud. This was discussed extensively at the time and I believe I testified to this Committee in 2004 on the subject. It is clear that the banks saw this as a convenient bandwagon and hitched their liability management campaign to it.

  Q213  Mr Winnick: Do you agree with that, Dr Phippen and Mr Bramhall?

  Dr Phippen: Yes, I certainly agree with it.

  Mr Bramhall: I think there is a role for strong identity in some aspects of people's lives, but, I agree with Professor Anderson, having a strong identity is not the answer to all the problems.

  Dr Phippen: I think one issue is the concept of a single online identity. I think citizens are very comfortable with multiple identities for multiple things and the Varney Report and things like that are talking about a single signing for all government services and things. The question you get from citizens is, "Why?"

  Q214  Mr Winnick: Would you say that security technology in general is keeping pace with the innovation of criminals?

  Professor Anderson: It is a constant co-evolution. The most recent innovations in crime have not been principally technological, but principally psychological because, as the technology gets better, so it becomes easier to deceive individuals, so we are seeing an enormous rise in phishing, in pretexting and other things that involve deceiving people. The criminals are not going to stop deceiving machines as well and we are going to see keystroke loggers, we are going to see the rise in pharming and we are going to see technical crimes going along with crimes that involve deceiving people.

  Q215  Mr Winnick: Do you feel that, when identity cards come about, the more sophisticated type of criminal gangs will be able to do a pretty good impersonation of such cards?

  Professor Anderson: I do not think identity cards are particularly relevant to online concerns because, like it or not, online technology is designed and built in America and companies like Google, Microsoft and Yahoo could not care less about whether Britain has identity cards or not. There are one or two countries, like Estonia, who have tried to issue national identity cards that are linked to a capability to transact online, but this does not seem to have taken off because from a technical point of view, if you want to use client SSL certificates in your banking system, you can do so anyway. Banks decide not to do that for their own reasons, so for governments to make freely available something that is already freely available in another context is unlikely to change very much.

  Q216  Mr Benyon: Mr Winnick has cleverly asked most of my questions. I wonder if there are any other drivers behind developments in security engineering that we should be aware of.

  Professor Anderson: The two big drivers in security engineering recently have been, firstly, digital rights management and, secondly, Trusted Computing. Digital rights management was driven by the desire of the record companies, as they saw it, to stop people stealing music by sharing it. It has backfired on them rather spectacularly because it has moved power in the supply chain from the big record companies to online distributors, such as Apple. This has happened just in the last two years, so by calling for better digital rights management, the music industry basically destabilised itself and may have handed power in this industry to others. The other great driver in security technology has been Trusted Computing which was an attempt by certain large American technology companies to lock its customers ever more tightly into its products. This is linked with rights management in that Microsoft appears to be trying to gain a worldwide lead in the distribution of high-definition digital video just as Apple has got a lead in the distribution of digital music. It appears to be running into trouble in that Microsoft is having great difficulty in making the technology work. These have both been technology-push drivers pushed by particular industrial interests. As with customer pull, the fundamental problem in privacy economics is that, although people say that they value privacy, they behave differently. This is really the elephant in the living room as far as those of us who study the subject are concerned. My own view, for what it is worth, is that it is a matter of delayed reaction among other things in that the technical and political elites have understood for some time that privacy is an issue. That will percolate down to the man on the Clapham omnibus once we have seen a few suitable horror stories in red-top newspapers. We see signs of it starting.

  Q217  Mr Benyon: You have spoken about the difference in approach on each side of the Atlantic. How does the UK compare with other countries in general in safeguarding digital identities and preventing identity fraud?

  Professor Anderson: The words "identity fraud" are not used on the continent. The people who try and market it express frustration from time to time.

  Q218  Mr Benyon: Because of what you were talking about earlier, about it being a cop out for the banks and a devious method of governments imposing—?

  Professor Anderson: Because of it being a liability management technology and things have panned out differently in other European countries. Also, a significant difference between the UK and the continent is that there is much more vigorous enforcement of data protection law over there and this makes a real difference. The regulatory regime in Germany, for example, is quite different from the regime in Britain and also the bank regulation regime is different so the pressures and the drivers are different.

  Mr Bramhall: I would agree with the point about the motivation in Europe being around stronger data protection. Absolutely. Interestingly in the Far East the member countries of APEC are starting to realise that perhaps they have a privacy issue as well. Obviously the tiger economies are doing extremely well with rises in the size of consumer class and concern is starting to surface there about participation in the online economy. Because there is a much wider diversity of cultures, social norms, political systems and so on in APEC compared with the EU, they do not really have the ability to take the same approach to privacy from a philosophical sense. The European approach is clearly driven from Article 8 of the European Convention on Human Rights. There is no similar kind of instrument in APEC but they realise they need to do something. There is APEC activity going on to formulate guidelines which will be common across the APEC countries. That is still very much work in progress. It looks like it is going to be written around avoiding the notion of harm rather than things like rights to know or rights to be protected against others knowing and so on. There are definitely different models. In terms of how the technology fits, hopefully the technology is neutral and can be applied in a number of different models.

  Q219  Chairman: If we all learned to stop saying "identity fraud" and started talking about the crime of impersonation, what practical difference would it make?

  Professor Anderson: It would make marketing certain agendas much more difficult. To look for practical solutions using available, reasonable regulatory instruments, one probably has to look at the industries in which particular behaviours have become embedded. For example, if one is looking at credit reference agencies, they are regulated better in the USA where, to give one example, you can opt out of having a credit reference given. You can go to Equifax in the States and say, "I forbid you to ever give a credit reference on me to anybody at all." If you are middle aged, you have your mortgage and you have enough credit cards, that is great. You do not need any further credit. You have the immediate benefit that you get an awful lot less junk mail. Nobody sends you offers for credit cards et cetera.


1   Note by witness: I was mistaken; the earliest work was at the University of Oregon. See http://euesconsortium.org/gender/

2   Note by witness: Processes which improve the design of these systems.

3   Note by witness: Making it clear to both the individual user and the system designer.

4   Note by witness: Restitution for individual users.

5   European Information Society Group.



© Parliamentary copyright 2008
Prepared 8 June 2008