TUESDAY 12 JUNE 2007

PROFESSOR ROSS ANDERSON, MR PETE BRAMHALL AND DR ANDY PHIPPEN

  Q220  Chairman: I am as keen on ID cards as Mr Winnick is opposed to them. I am quite prepared to go round persuading people that they should have ID cards to protect themselves from impersonation rather than identity fraud. A lot seems to be hung on this issue of language but I cannot quite see that if we went back to the old language of talking about impersonation rather than identity fraud it would make a blind bit of difference to any of the issues that we are talking about today. It seems to me to be a semantic argument but you clearly think that somehow by talking about identity fraud either government policies would be different, or bank policies would be different or something. I do not really quite understand.

  Professor Anderson: The fundamental issue is an issue of liability. If a bad person whom I have never met goes to a bank with whom I have never done business, how should that be able to ruin my life by causing the debt collectors to call on me and causing all sorts of other derogatory stuff to be propagated about me through the system? It is clearly bad that such things happen. How do you go about stopping it? I suggested in our written submission one practical way of stopping it, namely that the Information Commissioner should enforce the existing law against the credit reference agencies. In the absence of that, what other policy options are available? One can debate this at a number of level. At the legal level, one could talk about various possible private remedies but, at the political level, surely politicians should set the tone for the debate, shaping the debate and deciding what sort of language is used. My point is that the language about identity theft is not helpful from the point of view of consumer rights and security economics.

  Q221  Mr Streeter: Focusing on regulation, we mentioned this point earlier about the importance of individual responsibility as consumers and education to make people aware of risks. In terms of protecting privacy, apart from individual responsibility, apart from technological advances in terms of security, can we focus for a few minutes on what could a government do to regulate this incredible market place to protect people's privacy more? If you were advising the UK government, each of the three of you, what is the one thing that they should do which they are not doing? What is the thing that the government should do in terms of regulation?

  Professor Anderson: The one thing I would do had I the legislators' power for a day would be to change the UK rules on legal costs to the American rules. In America, constitutional matters, which in this context would mean section eight of the European Convention on Human Rights, can feasibly be enforced by individuals. A young law lecturer wishing to win his spurs and become a professor can go to the Supreme Court and litigate. He does not have to face the prospect of paying $10 million in costs to the government if he loses. That right of private action is not present in Britain because of our rules on costs. That means that there is an assumption that all these actions have to be state actions. As a practical matter, we have an embedded Information Commissioner's Office which was designed back in 1981 to be ineffective. David Waddington, the then Home Secretary, at the time was quite open about the fact that it was a minimal implementation to keep us legal with Europe. Although the ICO has expanded his gamut somewhat since then, it still remains a very weak body. Are we to wait 50 years for successive ICOs to build up their clout within Whitehall so we can enforce constitutional law? If you want constitutional enforcement to be available to citizens, you have to make private action available as well as public action. That is why I would say let us move to the rules that they have in America or, if that is unacceptable to judges, let us move at least to the rules that they have in Germany where there is very much stricter limitation on taxation on the scale of the costs you have to pay if you lose.

  Q222  Mr Streeter: That is a surprising answer but it is slightly outside the box of my question, is it not? It is a brilliant answer and, as a lawyer, I am all in favour of it but surely the government can do something top down as well at the same time as changing the rules on the costs of litigation?

  Professor Anderson: The government could do something top down if, for example, the kind of law and practice that one sees in France and Germany on privacy were imposed on government departments, but again you come down to the question of the individual departments and their incentives and how power works in this town or indeed in any town. One suggestion that we made to the Information Commissioner's office was that he should see to it that the data protection officers in various government departments report to him rather than the departmental Parliament secretary, along the lines of CESG cryptosecurity officers reporting to Cheltenham rather than locally. That way, the data protection officer would see his job as enforcing the rules within the department rather than seeing to it that the department has an easy ride with the Information Commissioner. These are all very difficult things to do because they are not the sort of things that you can do easily by means of a simple statute law. How you go about changing a culture of half a million people that has been 800 years in the building is hard.

  Dr Phippen: The witness on my left might disagree with this but I think one of the big issues is tougher regulation of the IT suppliers and providers themselves. I spend quite a lot of time trouble shooting between small businesses and it seems to be web development companies in particular who will behave incredibly unethically in terms of what they are going to charge people for. It is a classic case. If you offer an IT supplier half a billion pounds, of course they are going to say, "Yes, we can do it." Why would they not? They will think about the technologies afterwards. At the moment you are looking at the IT "profession". You have a long way to come to achieve the levels of professionalism that exist in other professional practices such as law, accountancy and the medical profession. I think it is getting better. The fact is that the British Computer Society is talking with the government more now. There is a growing code of conduct there but it could possibly do more to make suppliers more responsible for what they are promising. I had a colleague who used to describe IT departments as having all of the power and none of the responsibility because they say, "You signed the spec. That is what you asked for." That kind of thing is changing a bit but it still has a long way to go if you are getting true professional liability within IT professionals.

  Q223  Mr Streeter: It is all your fault. Do you want to apologise?

  Mr Bramhall: I am just thinking about the phrase I used earlier about not tarring everybody with the same brush and how perhaps it might apply. There are two points, one regarding professionalism which I know is not your question but, yes, increased professionalism has to be good. There is in the information security space a new Institute of Information Security Professionals, for example, which is just coming into being and will hopefully have an impact on—I hesitate to use the word "standards" because I do not mean it in the regulatory sense—raising standards of quality in that space. In terms of the specific question you asked about regulation, I must admit I am coming at it as a technology research manager and I do not really feel confident to comment on that side of it, certainly not to the level of detail that Professor Anderson has done. Similarly, we have not conducted any research into the effectiveness of the ICO's power and therefore we should remain silent on that point as well. In general HP does support any actions which the Information Commissioner takes which will increase the general level of confidence that people have about participating online.

  Q224  Mr Streeter: I cannot get my mind around the difference between UK regulation and global regulation. So much of this obviously is accessible globally through the worldwide web. Professor Anderson, you have mentioned other European countries which make a better fist of regulation than we do. To what extent is this industry capable of regulation nationally as opposed to internationally? Is there some more regulatory action that should be taken internationally and globally?

  Professor Anderson: There are two different issues there. You get better regulation of privacy in France and Germany because you have different constitutional settlements that essentially predate automation, or largely so, or at least go back to the sixties or seventies. In Germany you have privacy written into the Constitution for reasons that are not particularly surprising. In France more recently there has been a dispensation that CNIL, which is their equivalent of the Information Commissioner's Office, is consulted by government departments while they are proposing new system developments and has a veto or something that in practice amounts to a near veto. The second issue which Andy raised is why is the government so awful at developing computer systems. It is generally reckoned that 30% of large IT systems in the private sector fail and 70% of large IT systems in the public sector fail. That was an admission by the Department of Work and Pensions CIO at a conference last month. We have all known this for a while. Why does it happen? FIPR has talked extensively on the subject. My FIPR colleague, Jim Norton, put together a programme and tried to get our ideas across to permanent secretaries. The gist of the FIPR take on this is that there should never be another government IT project; there should simply be business change projects. Ministers should cease seeing the purchase of a large IT system as a displacement activity, as something that will kick a difficult problem into touch, for the next government to worry about. Instead we should have a discipline that if somebody wishes to change the way their department does business, they should specify that and engineer it properly. If IT is part of the solution, then fine. We have been unable so far to sell this idea to Whitehall. I am sure its time will come sooner or later. From the point of view of privacy, some people might take the view that perhaps it is a good thing that 70% of large government IT projects fail.

  Q225  Ms Buck: We have covered quite a lot of the questions that I was asked because we have been dipping in and out on a lot of questions about trust, risk assessment and things of that kind. Can I go back to something Professor Anderson said earlier about what it might take to change public consciousness? You used that very vivid language of a few dramatic stories on the front pages of the red-tops. You were teasing us a little bit with some thoughts about where that might come from and what it might mean. Can I ask about the research on trust and break it down into categories? What we have tended to do in the last couple of hours is weave in and out of different groups of people and what they mean by trust. There are very different issues—and perhaps you will give us an idea about this kind of risk analysis in greater detail—between children and what children understand and what parents understand about children and risk; about young people and what young people think about risk and about the long term implications of their behaviour, knowing as we do that young people tend not to think long term; and also about adults and their levels of risk and what it might take, perhaps in those different categories to be the shock that requires people as individuals and people in relation to government and the private sector to get some changes.

  Professor Anderson: The relevant research here is perhaps that of George Loewenstein at Carnegie Mellon University, who is a behavioural scientist and looks for example at the extent to which people overestimate the happiness that they would get from a good event in their lives or underestimate the sadness that would result from a bad event. He looks for example at how happy people are who are paraplegics or who have had an arm or a leg amputated after cancer, and finds that, although most people think that having an arm cut off would be the end of the world, in practice within two or three months people adjust just fine. They report that they are just as happy as they were before. The lesson that he draws from this is that the public's sensitivity to risk basically relates not to the absolute level of risk but to the change in the perceived level of risk. In other words, if a level of risk or threat increases very, very slowly, you will get occasional grumbles from the public, but you will not get a great outburst. He refers to this as the `boiled frog syndrome' after this apochryphal idea that if you put a frog in cold water and boil it it will not jump out. His concern about this is in the context of global warming, that if planetary temperature continues to rise by a per cent every few decades without a dramatic shock the public will never get sufficiently agitated to demand that politicians do something. It strikes me that exactly the same argument applies to trust and to privacy, in that if privacy is slowly eroded then people will get used to it. We might end up in a society that is rather different from our society today and some of us old fossils might, in our bath chairs in our eighties, be grumbling very noisily about what has happened to the world, but there will not be a great outburst. If you get a series of shocks all at once, then that may change and public concern may suddenly spike and create the window of opportunity for regulation. This of course can cut both ways. It may very well be that the large number of privacy-invasive systems that government has built or talked about building over the past two or three years will together give that spike. Maybe ID cards plus kids' databases plus NHS databases plus ANPR plus and so on finally will hit critical mass and the public will go ballistic. We do not know. This behavioural research would strongly suggest that that is what politicians should watch out for.

  Dr Phippen: Our work with young people would suggest that they do not really take any risk analysis when going online. They just go online.

  Q226  Ms Buck: We can all vouch for that, with kids.

  Dr Phippen: With 100-odd kids we spoke to, we had probably three clear cases of stalking going on and not one of them reported it to the police or went any further than, "I just blocked them from my MSN". "Why did you not report it?" "I did not know how to." "Did you think there was anything dangerous there?" "No, I just thought it was some weird kid and ignored them." The work that CEOP are doing at the moment is making great strides forward in that they are getting into schools. One thing the kids are all saying is, "We do not really cover this in school." When you have a look at the IT and the computing curricula for both GCSE and A level it is not covered at all and they say, "We might touch on it in citizenship", but again it is not covered a great deal. We are hopefully going to be doing some work with CEOP in the near future, looking at kids' responses to that. That is something that definitely needs doing. You have essentially a captive audience with children. You can go into the schools and talk to them. Initially they might say that it is a load of nonsense or whatever but it gets through to them and they do think about it. With adults, it is more interesting in that they start off looking at how you can get people to trust systems. What we realised very quickly was that trust is not really an issue. The issue is convenience and restitution. What people will do is look at the service on offer and think: what is in it for me? What could go wrong? Has anyone else used the site before? If it is fairly positive, then they will probably go for it. When you talk to them about why they go online, they say something different. We spoke an awful lot to people about what makes them use a website and an awful lot of people said that you need human contact at the end of it. It is not just the website. When you say, "What is your most trusted brand on line?" Amazon continually came up as the most trusted brand. You never deal with a human on Amazon. "Yes, but I have a mate; something went wrong and they rectified it very quickly." That is the thing Amazon do very well. They do not say, "This will never go wrong" but when things do go wrong they rectify them. They do not try to hide from them.

  Q227  Ms Buck: You make an important point in your report about restitution but how can we learn that lesson from Amazon and expect, either within the private sector or in terms of government's duty in relation to the private sector, to be able to apply that restitution?

  Dr Phippen: I feel a little sorry for public sector IT in that you do not have the commercial incentive there that you generally have with the private sector. The first thing to look into is the convenience, which is why the closed systems like DVLA and school registrations work. It needs to be a case of: what is in it for me? What am I going to get out of that? It does not have to be financial; it could be time saving or saving them having to go to local authorities and deal with something like that. I think it is a little more difficult in the public sector because there are immediate convenience measures that you can take. I do not think security is a massive issue in either the public or the private sector. I always think back to education but I think it is the major point. The big concern is people believe that, if they buy something on their credit card and something goes wrong, it is the credit card company's problem, not theirs. Obviously credit card companies are back pedalling from this a great deal at the moment. They do not realise the long term damage in terms of credit referencing and those sorts of issues where, even though they might have had it rectified and they got their £500 back, they might not have gone down the chain and it could ultimately end up with them having a poor credit rating as a result of something. They are not aware of these issues.

  Q228  Ms Buck: None of this would lead you to conclude that there is a public readiness in any of those categories to invest time or money in a personal solution? I am not saying that one exists but, were there to be a technological fix on offer or some steps that they could take which would involve some effort and some expense to protect themselves against some of those risks, there is not the public awareness yet to support that?

  Dr Phippen: I do not think so. Tom Illube was behind Egg and is now in charge of Garlik. He spoke to the parliamentary IT committee a while ago. He said that when he was at Egg they did a lot market research for their customers so security is important so they introduced another factor to their authentication process and people stopped using it because it was too inconvenient. They cannot remember all that. I mentioned multiple identities. Most people have multiple identities all with the same password because, no matter what security experts say, you cannot possibly remember 30 or 40 alpha numeric, random strings. I do not ever think there is going to be a silver bullet technology that sells all this because there should not be IT problems or technology problems. There should be process problems which perhaps IT will address. I think the public are aware of that as well. They do not go online because everyone is telling them to. They go on line because it is of benefit to them.

  Q229  Ms Buck: To paraphrase, we should raise the school leaving age to 25 in order to be able to accommodate a massive public education programme on this.

  Dr Phippen: The biggest problem is the people who have already left school, between the ages of 18 and 60. In those cases, the media have a very strong role to play because all these people tell me, "You should not go online because how do you know that? I read about it in the paper or I saw it on the television." The media obviously are going to be far happier reporting on identity theft or government IT projects going wrong than, "Here is another successful use of IT in society." That is not sexy. That is not interesting. The media have a great responsibility to play in education.

  Q230  Ms Buck: Does that make you feel optimistic?

  Dr Phippen: No.

  Q231  Gwyn Prosser: I have gained the impression from all three witnesses to different degrees that the public are very relaxed about these issues, whether it is CCTV cameras or going online or sharing their personal details. It is mostly certain classes and the media that are making a noise about big brother. You have given us the warning that as these layers of potential intrusion build up we should take a wake up call because it might suddenly come back with a public reaction an a resistance from the public. Is it not a fact that using CCTV, which is perhaps separate from your line of expertise, when it was first introduced in this country, created concern but over the years, as it has increased in areas of surveillance and as these other layers have come on with regard to the internet et cetera, people have become more relaxed about it and in some cases, especially camera surveillance, are demanding of politicians to have more in their patch?

  Professor Anderson: The most telling criticism of CCTV is that the money could be better spent on other things. When we did the Information Commissioner's report on the children's databases, we looked at various crime reduction initiatives with a multidisciplinary team. In 1997 the government started off with some very admirable and well-researched initiatives including Communities that Care, an initiative whereby people would be got together in tough neighbourhoods—stakeholders, policemen, ministers, councillors, whatever—and would be consulted about what the best crime reduction measures would be for that neighbourhood. The Home Office no doubt would have a budget to spend on these. Similar programmes have been effective in the USA. However, what appears to have happened—there is a reference in our written submission—is that this was subjected to lobbying by the CCTV industry and instead one had programmes to the effect that, "We will give you money for an initiative provided it involves CCTV." This appears to have been one of the reasons why the `Communities that Care' initiative was not as successful as might reasonably have been expected. Yes, there may be some placebo effect from having large numbers of closed circuit television cameras around, but the analysis of the crime statistics which we cite tends to show that although they are good at reducing crime in car parks they are not so good at reducing crime in town centres and there is a very serious question about whether far too much money has been spent on these and not enough money on other crime reduction initiatives.

  Q232  Gwyn Prosser: To what extent do you think the increase in the sophistication of technology to enable the state and private enterprises to scrutinise people's personal information and have access to it will, on that side of the equation, compete with the increasing potential for individuals and companies to protect themselves from that surveillance? Where are we at the moment and how do you see that tension developing?

  Professor Anderson: One of the big tensions that we see developing is that of equality of arms and the balance between private and public action. At present it is very easy for the police to get hold of CCTV data or ANPR data to prove that you did something bad, but it is a lot more difficult for you to get hold of it to prove that you did not, to establish an alibi. When we move into the realm of civil cases, for example disputes between customers and banks, the same issues arise. The banks can get CCTV data but you cannot. There are also issues about, for example, how you go about tracking people. The Information Commissioner a couple of sessions ago remarked that there had been a website which enabled people to track individuals in the UK from electoral roll data. This provoked an outcry from people who had perfectly good reasons not to want to be tracked. It was accordingly shut down by the Commissioner. Yet again, many new pieces of surveillance have to do with people trying to track other people. What sort of mechanisms should be available for someone who has a bona fide reason to want to track down another person? We suggested in our written submission that if there was some means whereby, for example, a wife who was seeking alimony from an absconded husband, and had got fed up with the delays involved in the government mechanisms for doing that, should be able to go to a court and get an appropriate order to get information from relevant databases to find where hubby is living and where he is working so that she can go to the court and get an attachment order against his wages. Again, these all have to do with the fact that surveillance centralises power. Whether it centralises power in the hands of the state or in the hands of large corporations, it raises all sorts of issues: equality of arms, public versus private action, but I think that successive governments over the next few years are going to have no choice but to think about it.

  Mr Bramhall: Right at the beginning of your previous question, I think you said that people are very relaxed about participation and so on. The TrustGuide work showed that that was not the case, and that there was a general unease. It was not a specific unease, but there was a general unease and a wish to move forward.

  Q233  Gwyn Prosser: But not sufficient to discourage them from using that access?

  Mr Bramhall: No. And again different people took different views on that. TrustGuide was not meant to be a large, statistical sample. It was more qualitative but within the collection of people who participated there were some who felt quite comfortable, some who did not and some who never have but probably would not because of something they have read about. I do not think we can say that people are very relaxed. They are generally uneasy but, you are right. It does not inhibit them.

  Q234  Gwyn Prosser: Professor Anderson, you give us the prediction or caution that we will need a number of headline stories in the tabloids about the hard cases before we perhaps wake up to some of the concerns. If you were to look 20 years hence and take into account that these various changes in public perception of policy can take place, would you expect that the private sector and government would have overall more knowledge about us as individuals or less?

  Professor Anderson: They will have more knowledge but it will be much better regulated. We have seen the beginning of the push back, for example, on Google, with Google now agreeing to de-identify personal data after two years. This is remarkably quick. The issue was raised first at a conference in France in February[6] and now it is already actioned. It is high on the European agenda, so these things move up the political agenda as more people become aware of them. The hearings that we are having are, I believe, driven by the fact that there is general raising of public awareness, bringing surveillance onto the agenda. One cannot stop the collection and processing of data becoming cheaper because technology advances, but as it affects more people and perhaps also more interests within society, more organised interest, you are going to get a push back because, after all, what tends to stop one large, powerful lobbying force is not people speaking fine words and arguing from principle but the opposition of other large, powerful lobbying forces. Just as the whole intellectual property debate came into balance when the music industry started being faced down by the supermarkets et cetera, so I would expect that in due course, in the private sector, the action of the Googles, the Microsofts, the Yahoos and other big players will evoke enough lobbying response from those businesses that are losing out.

  Q235  Gwyn Prosser: More information and better regulated?

  Professor Anderson: More information and better regulated.

  Dr Phippen: I would certainly agree more information and hopefully better regulated in the next 20 odd years.

  Mr Bramhall: I agree that more information will be known. I agree also that it will be better governed or the governance will be better. Some of that might come from better regulation for the reasons mentioned. I suspect that will be rather patchy. I think it would be true in the UK and Europe. I am not sure we can take that as a global statement. Where regulation is not the motivation for the improvement, also there will be some motivation from individual private sector enterprises wishing to differentiate themselves again by being seen to do a good job and being more trustworthy. That is less determined by whether they're UK, Europe or the rest of the world.

  Chairman: Thank you very much indeed. It has been a very useful session.