Examination of Witnesses (Questions 220
- 235)
TUESDAY 12 JUNE 2007
PROFESSOR ROSS
ANDERSON, MR
PETE BRAMHALL
AND DR
ANDY PHIPPEN
Q220 Chairman: I am as keen on ID
cards as Mr Winnick is opposed to them. I am quite prepared to
go round persuading people that they should have ID cards to protect
themselves from impersonation rather than identity fraud. A lot
seems to be hung on this issue of language but I cannot quite
see that if we went back to the old language of talking about
impersonation rather than identity fraud it would make a blind
bit of difference to any of the issues that we are talking about
today. It seems to me to be a semantic argument but you clearly
think that somehow by talking about identity fraud either government
policies would be different, or bank policies would be different
or something. I do not really quite understand.
Professor Anderson: The fundamental
issue is an issue of liability. If a bad person whom I have never
met goes to a bank with whom I have never done business, how should
that be able to ruin my life by causing the debt collectors to
call on me and causing all sorts of other derogatory stuff to
be propagated about me through the system? It is clearly bad that
such things happen. How do you go about stopping it? I suggested
in our written submission one practical way of stopping it, namely
that the Information Commissioner should enforce the existing
law against the credit reference agencies. In the absence of that,
what other policy options are available? One can debate this at
a number of level. At the legal level, one could talk about various
possible private remedies but, at the political level, surely
politicians should set the tone for the debate, shaping the debate
and deciding what sort of language is used. My point is that the
language about identity theft is not helpful from the point of
view of consumer rights and security economics.
Q221 Mr Streeter: Focusing on regulation,
we mentioned this point earlier about the importance of individual
responsibility as consumers and education to make people aware
of risks. In terms of protecting privacy, apart from individual
responsibility, apart from technological advances in terms of
security, can we focus for a few minutes on what could a government
do to regulate this incredible market place to protect people's
privacy more? If you were advising the UK government, each of
the three of you, what is the one thing that they should do which
they are not doing? What is the thing that the government should
do in terms of regulation?
Professor Anderson: The one thing
I would do had I the legislators' power for a day would be to
change the UK rules on legal costs to the American rules. In America,
constitutional matters, which in this context would mean section
eight of the European Convention on Human Rights, can feasibly
be enforced by individuals. A young law lecturer wishing to win
his spurs and become a professor can go to the Supreme Court and
litigate. He does not have to face the prospect of paying $10
million in costs to the government if he loses. That right of
private action is not present in Britain because of our rules
on costs. That means that there is an assumption that all these
actions have to be state actions. As a practical matter, we have
an embedded Information Commissioner's Office which was designed
back in 1981 to be ineffective. David Waddington, the then Home
Secretary, at the time was quite open about the fact that it was
a minimal implementation to keep us legal with Europe. Although
the ICO has expanded his gamut somewhat since then, it still remains
a very weak body. Are we to wait 50 years for successive ICOs
to build up their clout within Whitehall so we can enforce constitutional
law? If you want constitutional enforcement to be available to
citizens, you have to make private action available as well as
public action. That is why I would say let us move to the rules
that they have in America or, if that is unacceptable to judges,
let us move at least to the rules that they have in Germany where
there is very much stricter limitation on taxation on the scale
of the costs you have to pay if you lose.
Q222 Mr Streeter: That is a surprising
answer but it is slightly outside the box of my question, is it
not? It is a brilliant answer and, as a lawyer, I am all in favour
of it but surely the government can do something top down as well
at the same time as changing the rules on the costs of litigation?
Professor Anderson: The government
could do something top down if, for example, the kind of law and
practice that one sees in France and Germany on privacy were imposed
on government departments, but again you come down to the question
of the individual departments and their incentives and how power
works in this town or indeed in any town. One suggestion that
we made to the Information Commissioner's office was that he should
see to it that the data protection officers in various government
departments report to him rather than the departmental Parliament
secretary, along the lines of CESG cryptosecurity officers reporting
to Cheltenham rather than locally. That way, the data protection
officer would see his job as enforcing the rules within the department
rather than seeing to it that the department has an easy ride
with the Information Commissioner. These are all very difficult
things to do because they are not the sort of things that you
can do easily by means of a simple statute law. How you go about
changing a culture of half a million people that has been 800
years in the building is hard.
Dr Phippen: The witness on my
left might disagree with this but I think one of the big issues
is tougher regulation of the IT suppliers and providers themselves.
I spend quite a lot of time trouble shooting between small businesses
and it seems to be web development companies in particular who
will behave incredibly unethically in terms of what they are going
to charge people for. It is a classic case. If you offer an IT
supplier half a billion pounds, of course they are going to say,
"Yes, we can do it." Why would they not? They will think
about the technologies afterwards. At the moment you are looking
at the IT "profession". You have a long way to come
to achieve the levels of professionalism that exist in other professional
practices such as law, accountancy and the medical profession.
I think it is getting better. The fact is that the British Computer
Society is talking with the government more now. There is a growing
code of conduct there but it could possibly do more to make suppliers
more responsible for what they are promising. I had a colleague
who used to describe IT departments as having all of the power
and none of the responsibility because they say, "You signed
the spec. That is what you asked for." That kind of thing
is changing a bit but it still has a long way to go if you are
getting true professional liability within IT professionals.
Q223 Mr Streeter: It is all your
fault. Do you want to apologise?
Mr Bramhall: I am just thinking
about the phrase I used earlier about not tarring everybody with
the same brush and how perhaps it might apply. There are two points,
one regarding professionalism which I know is not your question
but, yes, increased professionalism has to be good. There is in
the information security space a new Institute of Information
Security Professionals, for example, which is just coming into
being and will hopefully have an impact onI hesitate to
use the word "standards" because I do not mean it in
the regulatory senseraising standards of quality in that
space. In terms of the specific question you asked about regulation,
I must admit I am coming at it as a technology research manager
and I do not really feel confident to comment on that side of
it, certainly not to the level of detail that Professor Anderson
has done. Similarly, we have not conducted any research into the
effectiveness of the ICO's power and therefore we should remain
silent on that point as well. In general HP does support any actions
which the Information Commissioner takes which will increase the
general level of confidence that people have about participating
online.
Q224 Mr Streeter: I cannot get my
mind around the difference between UK regulation and global regulation.
So much of this obviously is accessible globally through the worldwide
web. Professor Anderson, you have mentioned other European countries
which make a better fist of regulation than we do. To what extent
is this industry capable of regulation nationally as opposed to
internationally? Is there some more regulatory action that should
be taken internationally and globally?
Professor Anderson: There are
two different issues there. You get better regulation of privacy
in France and Germany because you have different constitutional
settlements that essentially predate automation, or largely so,
or at least go back to the sixties or seventies. In Germany you
have privacy written into the Constitution for reasons that are
not particularly surprising. In France more recently there has
been a dispensation that CNIL, which is their equivalent of the
Information Commissioner's Office, is consulted by government
departments while they are proposing new system developments and
has a veto or something that in practice amounts to a near veto.
The second issue which Andy raised is why is the government so
awful at developing computer systems. It is generally reckoned
that 30% of large IT systems in the private sector fail and 70%
of large IT systems in the public sector fail. That was an admission
by the Department of Work and Pensions CIO at a conference last
month. We have all known this for a while. Why does it happen?
FIPR has talked extensively on the subject. My FIPR colleague,
Jim Norton, put together a programme and tried to get our ideas
across to permanent secretaries. The gist of the FIPR take on
this is that there should never be another government IT project;
there should simply be business change projects. Ministers should
cease seeing the purchase of a large IT system as a displacement
activity, as something that will kick a difficult problem into
touch, for the next government to worry about. Instead we should
have a discipline that if somebody wishes to change the way their
department does business, they should specify that and engineer
it properly. If IT is part of the solution, then fine. We have
been unable so far to sell this idea to Whitehall. I am sure its
time will come sooner or later. From the point of view of privacy,
some people might take the view that perhaps it is a good thing
that 70% of large government IT projects fail.
Q225 Ms Buck: We have covered quite
a lot of the questions that I was asked because we have been dipping
in and out on a lot of questions about trust, risk assessment
and things of that kind. Can I go back to something Professor
Anderson said earlier about what it might take to change public
consciousness? You used that very vivid language of a few dramatic
stories on the front pages of the red-tops. You were teasing us
a little bit with some thoughts about where that might come from
and what it might mean. Can I ask about the research on trust
and break it down into categories? What we have tended to do in
the last couple of hours is weave in and out of different groups
of people and what they mean by trust. There are very different
issuesand perhaps you will give us an idea about this kind
of risk analysis in greater detailbetween children and
what children understand and what parents understand about children
and risk; about young people and what young people think about
risk and about the long term implications of their behaviour,
knowing as we do that young people tend not to think long term;
and also about adults and their levels of risk and what it might
take, perhaps in those different categories to be the shock that
requires people as individuals and people in relation to government
and the private sector to get some changes.
Professor Anderson: The relevant
research here is perhaps that of George Loewenstein at Carnegie
Mellon University, who is a behavioural scientist and looks for
example at the extent to which people overestimate the happiness
that they would get from a good event in their lives or underestimate
the sadness that would result from a bad event. He looks for example
at how happy people are who are paraplegics or who have had an
arm or a leg amputated after cancer, and finds that, although
most people think that having an arm cut off would be the end
of the world, in practice within two or three months people adjust
just fine. They report that they are just as happy as they were
before. The lesson that he draws from this is that the public's
sensitivity to risk basically relates not to the absolute level
of risk but to the change in the perceived level of risk. In other
words, if a level of risk or threat increases very, very slowly,
you will get occasional grumbles from the public, but you will
not get a great outburst. He refers to this as the `boiled frog
syndrome' after this apochryphal idea that if you put a frog in
cold water and boil it it will not jump out. His concern about
this is in the context of global warming, that if planetary temperature
continues to rise by a per cent every few decades without a dramatic
shock the public will never get sufficiently agitated to demand
that politicians do something. It strikes me that exactly the
same argument applies to trust and to privacy, in that if privacy
is slowly eroded then people will get used to it. We might end
up in a society that is rather different from our society today
and some of us old fossils might, in our bath chairs in our eighties,
be grumbling very noisily about what has happened to the world,
but there will not be a great outburst. If you get a series of
shocks all at once, then that may change and public concern may
suddenly spike and create the window of opportunity for regulation.
This of course can cut both ways. It may very well be that the
large number of privacy-invasive systems that government has built
or talked about building over the past two or three years will
together give that spike. Maybe ID cards plus kids' databases
plus NHS databases plus ANPR plus and so on finally will hit critical
mass and the public will go ballistic. We do not know. This behavioural
research would strongly suggest that that is what politicians
should watch out for.
Dr Phippen: Our work with young
people would suggest that they do not really take any risk analysis
when going online. They just go online.
Q226 Ms Buck: We can all vouch for
that, with kids.
Dr Phippen: With 100-odd kids
we spoke to, we had probably three clear cases of stalking going
on and not one of them reported it to the police or went any further
than, "I just blocked them from my MSN". "Why did
you not report it?" "I did not know how to." "Did
you think there was anything dangerous there?" "No,
I just thought it was some weird kid and ignored them." The
work that CEOP are doing at the moment is making great strides
forward in that they are getting into schools. One thing the kids
are all saying is, "We do not really cover this in school."
When you have a look at the IT and the computing curricula for
both GCSE and A level it is not covered at all and they say, "We
might touch on it in citizenship", but again it is not covered
a great deal. We are hopefully going to be doing some work with
CEOP in the near future, looking at kids' responses to that. That
is something that definitely needs doing. You have essentially
a captive audience with children. You can go into the schools
and talk to them. Initially they might say that it is a load of
nonsense or whatever but it gets through to them and they do think
about it. With adults, it is more interesting in that they start
off looking at how you can get people to trust systems. What we
realised very quickly was that trust is not really an issue. The
issue is convenience and restitution. What people will do is look
at the service on offer and think: what is in it for me? What
could go wrong? Has anyone else used the site before? If it is
fairly positive, then they will probably go for it. When you talk
to them about why they go online, they say something different.
We spoke an awful lot to people about what makes them use a website
and an awful lot of people said that you need human contact at
the end of it. It is not just the website. When you say, "What
is your most trusted brand on line?" Amazon continually came
up as the most trusted brand. You never deal with a human on Amazon.
"Yes, but I have a mate; something went wrong and they rectified
it very quickly." That is the thing Amazon do very well.
They do not say, "This will never go wrong" but when
things do go wrong they rectify them. They do not try to hide
from them.
Q227 Ms Buck: You make an important
point in your report about restitution but how can we learn that
lesson from Amazon and expect, either within the private sector
or in terms of government's duty in relation to the private sector,
to be able to apply that restitution?
Dr Phippen: I feel a little sorry
for public sector IT in that you do not have the commercial incentive
there that you generally have with the private sector. The first
thing to look into is the convenience, which is why the closed
systems like DVLA and school registrations work. It needs to be
a case of: what is in it for me? What am I going to get out of
that? It does not have to be financial; it could be time saving
or saving them having to go to local authorities and deal with
something like that. I think it is a little more difficult in
the public sector because there are immediate convenience measures
that you can take. I do not think security is a massive issue
in either the public or the private sector. I always think back
to education but I think it is the major point. The big concern
is people believe that, if they buy something on their credit
card and something goes wrong, it is the credit card company's
problem, not theirs. Obviously credit card companies are back
pedalling from this a great deal at the moment. They do not realise
the long term damage in terms of credit referencing and those
sorts of issues where, even though they might have had it rectified
and they got their £500 back, they might not have gone down
the chain and it could ultimately end up with them having a poor
credit rating as a result of something. They are not aware of
these issues.
Q228 Ms Buck: None of this would
lead you to conclude that there is a public readiness in any of
those categories to invest time or money in a personal solution?
I am not saying that one exists but, were there to be a technological
fix on offer or some steps that they could take which would involve
some effort and some expense to protect themselves against some
of those risks, there is not the public awareness yet to support
that?
Dr Phippen: I do not think so.
Tom Illube was behind Egg and is now in charge of Garlik. He spoke
to the parliamentary IT committee a while ago. He said that when
he was at Egg they did a lot market research for their customers
so security is important so they introduced another factor to
their authentication process and people stopped using it because
it was too inconvenient. They cannot remember all that. I mentioned
multiple identities. Most people have multiple identities all
with the same password because, no matter what security experts
say, you cannot possibly remember 30 or 40 alpha numeric, random
strings. I do not ever think there is going to be a silver bullet
technology that sells all this because there should not be IT
problems or technology problems. There should be process problems
which perhaps IT will address. I think the public are aware of
that as well. They do not go online because everyone is telling
them to. They go on line because it is of benefit to them.
Q229 Ms Buck: To paraphrase, we should
raise the school leaving age to 25 in order to be able to accommodate
a massive public education programme on this.
Dr Phippen: The biggest problem
is the people who have already left school, between the ages of
18 and 60. In those cases, the media have a very strong role to
play because all these people tell me, "You should not go
online because how do you know that? I read about it in the paper
or I saw it on the television." The media obviously are going
to be far happier reporting on identity theft or government IT
projects going wrong than, "Here is another successful use
of IT in society." That is not sexy. That is not interesting.
The media have a great responsibility to play in education.
Q230 Ms Buck: Does that make you
feel optimistic?
Dr Phippen: No.
Q231 Gwyn Prosser: I have gained
the impression from all three witnesses to different degrees that
the public are very relaxed about these issues, whether it is
CCTV cameras or going online or sharing their personal details.
It is mostly certain classes and the media that are making a noise
about big brother. You have given us the warning that as these
layers of potential intrusion build up we should take a wake up
call because it might suddenly come back with a public reaction
an a resistance from the public. Is it not a fact that using CCTV,
which is perhaps separate from your line of expertise, when it
was first introduced in this country, created concern but over
the years, as it has increased in areas of surveillance and as
these other layers have come on with regard to the internet et
cetera, people have become more relaxed about it and in some cases,
especially camera surveillance, are demanding of politicians to
have more in their patch?
Professor Anderson: The most telling
criticism of CCTV is that the money could be better spent on other
things. When we did the Information Commissioner's report on the
children's databases, we looked at various crime reduction initiatives
with a multidisciplinary team. In 1997 the government started
off with some very admirable and well-researched initiatives including
Communities that Care, an initiative whereby people would be got
together in tough neighbourhoodsstakeholders, policemen,
ministers, councillors, whateverand would be consulted
about what the best crime reduction measures would be for that
neighbourhood. The Home Office no doubt would have a budget to
spend on these. Similar programmes have been effective in the
USA. However, what appears to have happenedthere is a reference
in our written submissionis that this was subjected to
lobbying by the CCTV industry and instead one had programmes to
the effect that, "We will give you money for an initiative
provided it involves CCTV." This appears to have been one
of the reasons why the `Communities that Care' initiative was
not as successful as might reasonably have been expected. Yes,
there may be some placebo effect from having large numbers of
closed circuit television cameras around, but the analysis of
the crime statistics which we cite tends to show that although
they are good at reducing crime in car parks they are not so good
at reducing crime in town centres and there is a very serious
question about whether far too much money has been spent on these
and not enough money on other crime reduction initiatives.
Q232 Gwyn Prosser: To what extent
do you think the increase in the sophistication of technology
to enable the state and private enterprises to scrutinise people's
personal information and have access to it will, on that side
of the equation, compete with the increasing potential for individuals
and companies to protect themselves from that surveillance? Where
are we at the moment and how do you see that tension developing?
Professor Anderson: One of the
big tensions that we see developing is that of equality of arms
and the balance between private and public action. At present
it is very easy for the police to get hold of CCTV data or ANPR
data to prove that you did something bad, but it is a lot more
difficult for you to get hold of it to prove that you did not,
to establish an alibi. When we move into the realm of civil cases,
for example disputes between customers and banks, the same issues
arise. The banks can get CCTV data but you cannot. There are also
issues about, for example, how you go about tracking people. The
Information Commissioner a couple of sessions ago remarked that
there had been a website which enabled people to track individuals
in the UK from electoral roll data. This provoked an outcry from
people who had perfectly good reasons not to want to be tracked.
It was accordingly shut down by the Commissioner. Yet again, many
new pieces of surveillance have to do with people trying to track
other people. What sort of mechanisms should be available for
someone who has a bona fide reason to want to track down
another person? We suggested in our written submission that if
there was some means whereby, for example, a wife who was seeking
alimony from an absconded husband, and had got fed up with the
delays involved in the government mechanisms for doing that, should
be able to go to a court and get an appropriate order to get information
from relevant databases to find where hubby is living and where
he is working so that she can go to the court and get an attachment
order against his wages. Again, these all have to do with the
fact that surveillance centralises power. Whether it centralises
power in the hands of the state or in the hands of large corporations,
it raises all sorts of issues: equality of arms, public versus
private action, but I think that successive governments over the
next few years are going to have no choice but to think about
it.
Mr Bramhall: Right at the beginning
of your previous question, I think you said that people are very
relaxed about participation and so on. The TrustGuide work showed
that that was not the case, and that there was a general unease.
It was not a specific unease, but there was a general unease and
a wish to move forward.
Q233 Gwyn Prosser: But not sufficient
to discourage them from using that access?
Mr Bramhall: No. And again different
people took different views on that. TrustGuide was not meant
to be a large, statistical sample. It was more qualitative but
within the collection of people who participated there were some
who felt quite comfortable, some who did not and some who never
have but probably would not because of something they have read
about. I do not think we can say that people are very relaxed.
They are generally uneasy but, you are right. It does not inhibit
them.
Q234 Gwyn Prosser: Professor Anderson,
you give us the prediction or caution that we will need a number
of headline stories in the tabloids about the hard cases before
we perhaps wake up to some of the concerns. If you were to look
20 years hence and take into account that these various changes
in public perception of policy can take place, would you expect
that the private sector and government would have overall more
knowledge about us as individuals or less?
Professor Anderson: They will
have more knowledge but it will be much better regulated. We have
seen the beginning of the push back, for example, on Google, with
Google now agreeing to de-identify personal data after two years.
This is remarkably quick. The issue was raised first at a conference
in France in February[6]
and now it is already actioned. It is high on the European agenda,
so these things move up the political agenda as more people become
aware of them. The hearings that we are having are, I believe,
driven by the fact that there is general raising of public awareness,
bringing surveillance onto the agenda. One cannot stop the collection
and processing of data becoming cheaper because technology advances,
but as it affects more people and perhaps also more interests
within society, more organised interest, you are going to get
a push back because, after all, what tends to stop one large,
powerful lobbying force is not people speaking fine words and
arguing from principle but the opposition of other large, powerful
lobbying forces. Just as the whole intellectual property debate
came into balance when the music industry started being faced
down by the supermarkets et cetera, so I would expect that in
due course, in the private sector, the action of the Googles,
the Microsofts, the Yahoos and other big players will evoke enough
lobbying response from those businesses that are losing out.
Q235 Gwyn Prosser: More information
and better regulated?
Professor Anderson: More information
and better regulated.
Dr Phippen: I would certainly
agree more information and hopefully better regulated in the next
20 odd years.
Mr Bramhall: I agree that more
information will be known. I agree also that it will be better
governed or the governance will be better. Some of that might
come from better regulation for the reasons mentioned. I suspect
that will be rather patchy. I think it would be true in the UK
and Europe. I am not sure we can take that as a global statement.
Where regulation is not the motivation for the improvement, also
there will be some motivation from individual private sector enterprises
wishing to differentiate themselves again by being seen to do
a good job and being more trustworthy. That is less determined
by whether they're UK, Europe or the rest of the world.
Chairman: Thank you very much indeed.
It has been a very useful session.
6 Note by witness: Sorry, January-Economics
of the Software Industries, Toulouse, Jan 18-19; the relevant
discussion was on Jan 19th. Back
|