Robin Wilton
Research Director
26 years IT industry
Robin Wilton is a research director with a particular interest in digital identity and privacy (and their relationship to public policy), access control and single sign-on, and the productive use of public key infrastructures.
by Robin Wilton | January 27, 2012 | Comments Off
My colleague Avivah Litan has given her insightful and thought-provoking read on the recent US Supreme Court decision here.
Avivah correctly identifies the “opt-in”/“opt-out” dichotomy as a critical element of the discussion. Tracking for law enforcement purposes needs, of course, to be set aside from the debate over user consent… but outside law enforcement – whether in the commercial domain or for public sector service delivery – I strongly believe that there should always be an opt-out available. In fact, my personal opinion is that “opted out” should always be the default, with an opt-in choice if the user wishes.
Of course, if there’s an opt-out, some of the people who exercise it will be virtuous, and some will not. There are those who take the old “if you have nothing to fear, you have nothing to hide” view – but as anyone who has followed my blogging will know, that’s a view that I find misguided, harmful and pernicious. Avivah’s distinction between law enforcement and the commercial sector helps indicate one of the reasons why: it is clearly not the case that everything the law enforcement authorities know about me should, of right, be made public. Similarly, there are things which commercial service providers know about me which law enforcement authorities have no business knowing. The “nothing to hide, nothing to fear” brigade cannot cope with the idea that those who may seek to harm me can do so whether I have anything to hide or not.
In US v Jones, the Supreme Court was explicit about the citizen’s legitimate expectation of privacy. I tend to take a strong line on that. The ‘default setting’ is not that if I have nothing to hide, I have nothing to fear… it is that unless you have a provable, legitimate reason for doing so, you have no business meddling in my affairs.
by Robin Wilton | January 25, 2012 | Comments Off
Well, it may have been a quiet week in Lake Wobegon, but in the privacy and policy domain it has been quite the opposite. Wikipedia and a number of other sites went dark in protest against SOPA/PIPA; the Feds took down the MegaUpload file-sharing site, alleging violation of piracy laws; Anonymous retaliated by taking down a slew of SOPA supporters; and the European Commission has just announced its new, pan-European Data Protection Regulation (link to PDF version).
But let’s not talk about that… let’s talk about the 4th Amendment. For those on the right hand side of the Atlantic, the 4th Amendment is the part of the US Constitution which establishes the individual’s “right to be secure from all unreasonable searches, and seizures of his person, his houses, his papers, and all his possessions”. Like any constitutional law, it has been subject to a great deal of interpretation in the 221 years since it was ratified, not least as the law tries to keep pace with new ways of “searching” and “seizing”.
The 4th Amendment is often considered to be the closest thing US citizens have to a privacy right, and it generally establishes the need for any violation of that right to be backed up by a judicial warrant. Of the current Supreme Court, Justice Antonin Scalia is the one who most commonly dissents from this view, holding that the “reasonableness” test can be satisfied without a warrant. However, in a judgement this week Justice Scalia joined with his peers in finding unanimously in favour of the need for a warrant.
The case at issue was US vs. Jones, and the Supreme Court ruled that US law enforcement authorities had violated Mr Jones’ 4th Amendment rights by fixing a GPS tracker to his wife’s car, and using it to track his movements. Mr Jones was, at that time, suspected of being involved in drug dealing.
The judges ruled that, in attaching the device to Jones’ car, the police had physically intruded into “a constitutionally protected area”, and that this ran counter to a legitimate expectation of privacy in that respect. Justice Sotomayor and Justice Alito both drew attention to the issues of keeping 4th Amendment protections in step with rapid technological change – not least, the fact that so many of our personal actions are tracked by commercial websites and hand-held devices.
The court held back from ruling on what other means of surveillance might violate the 4th Amendment rights, though it is clearly something they thought about in their review of prior case law. As a result, the two aspects I mentioned above (physical intrusion, and expectation of privacy) are very likely to be the basis of future decisions, if it should come to questions of whether, say, traffic camera data can be used to track a suspected criminal. There would be a strong argument that the installation and operation of traffic cameras does not involve intrusion into a constitutionally protected area, and that it does not infringe on an expectation of privacy.
Whether that will extend into the online domain of web tracking remains to be seen.
So much for the 4th Amendment… I’ll see your 4th and raise you one: in a quite separate case, a judge in Denver ruled that an individual could not claim 5th Amendment protection from a law enforcement request to decrypt data on her laptop. (The 5th Amendment is the one establishing, among other things, an individual’s right to refuse to give information which might incriminate them).
In this instance, the suspect declined to decrypt the contents of her hard drive on the grounds that it might incriminate her. The judge held that, even if the police did not know the specific contents of a specific document, the fact of its existence was a foregone conclusion, and that therefore the 5th Amendment did not apply.
I have to admit, I don’t quite follow that chain of reasoning, but like I say, the law is having a job keeping pace with technological change. It has been an interesting week, then… and I don’t see the pace of change slowing down any time soon.
by Robin Wilton | January 13, 2012 | Comments Off
Neelie Kroes is Vice-President of the European Commission, and also the Digital Agenda portfolio-holder (in which role she is also responsible for the Commission’s policy direction on cloud computing). Ms Kroes took up these posts in the so-called “Barroso 2” Commission; prior to that re-shuffle, she was the Competition Commissioner. In that role she oversaw the competition case against Microsoft, which resulted in a €497m fine for the company and the enforced release of interoperability documentation relating to Windows.
I mention this background to establish that this is someone well versed in the disciplines of policy formation, strategy-setting, and the practicalities of regulating technology industries.
Ms Kroes has been blogging today about the forthcoming review of the EU Data Protection Directive… She also blogged last June about the review of the ePrivacy Directive, and rightly sees the two as being intimately connected. In terms of policy formulation and direction, I think that’s a great thing. In terms of execution, it concerns me, and here’s why; today’s blog post ends with the following up-beat assessment:
“And I am confident that the Commission will propose “technology savvy” protection for all of us – rules which protect our rights, while taking full account of both the risks and opportunities of the digital age.”
That’s a worthy goal, but the previous experience of the ePrivacy Directive and its measures on cookie regulation give us legitimate grounds to wonder whether the Commission has the skills to achieve it. Let’s not forget that the cookie directive sought to distinguish between “spy” cookies (which are bad, and should not be allowed without the user’s prior and informed consent) and “technical” cookies (which are OK). This, among other things, led one UK IT law specialist to describe the legislation as “breathtakingly stupid”. In the interests of impartiality I, of course, couldn’t possibly comment… but if you know of a browser that allows you to set separate preferences for “spy” and “technical” cookies, please do point me at it.
As well as establishing one exemption for “technical” cookies (whatever they might eventually turn out to be) the Directive also qualified the need to seek informed consent by saying that this should be done “Where it is technically possible and effective…” – a loophole through which a competent corporate lawyer could probably back a bus while sipping a skinny latte.
I should make clear that the “spy” vs “technical” distinction came from one of the other Commissioners, not Ms Kroes. I’m just rather worried that, with the best of intentions, she may be writing “technical savvy-ness” cheques her colleagues can’t cash.
Specifically in terms of data protection and privacy, here are some of the challenges which face the Commission’s legislators. I think it’s safe to say that current laws are:
- mediocre at successfully handling privacy detriment arising out of well-defined lists of PII;
- poor at providing protection against abuse of data which is ‘about’ you but not personally identifiable (see the mess over Google Streetview, wireless MAC addresses and geo-location);
- clueless about how to address the privacy detriments arising out of third party aggregation and data mining;
- ineffective at providing redress in cross-border cases;
- equally clueless about how to factor “potential harm” into regulation that encourages better privacy behaviour.
If those sound vaguely familiar… well, it’s because I’ve just recycled some bullet points from an August 2010 blog post, and the legislation doesn’t really seem to have moved on. The proposed review of the Data Protection Directive has just been further postponed because of “negative feedback” about the leaked draft version which surfaced in December. It’s good that feedback has had a visible effect on the policy-making process, but if the concerns aren’t acted on and new, realistic proposals brought forth pretty soon, another 18 months will go by without effective legislation. That would be bad for commerce, bad for privacy, and bad for the credibility of the legislative process.
by Robin Wilton | January 4, 2012 | 3 Comments
Happy New Year!
On the assumption that you probably had enough to do in December, what with the usual year-end rush and the Christmas break, I didn’t blog about the two new reports of mine that came out in the middle of the month. You can get to them if you have an IT1 subscription…
The first is about Simplifying Cross-Border Privacy Compliance; in it, I build on last year’s Catalyst presentation to develop a couple of simple models for analysing privacy risk. The goal is to help organisations define a manageably simple framework for coping with the differing privacy regimes in which they may do business.
The second paper, “Electronic Signature: Is It Safe To Break The Rules Yet?”, reflects my research into how the market for digital signature has evolved since that technology first hit the market in the mid to late 90s. Although most digital signature laws remain unchanged since their introduction around the turn of the millennium, electronic signature, as a business tool, is now a lot more varied and nuanced than “digital signature using public key technology”. This paper looks at the implications of a more pragmatic, business-oriented approach.
As ever, if you have any comments or questions, I’d welcome feedback via the blog (or by email if you’re shy… ;^)
by Robin Wilton | December 2, 2011 | Comments Off
Taxi cabs in Oxford may still have to apply for the rather archaically-named Hackney Carriage Licence, but Oxford City Council reckons it is keeping up with the times: it has decided to require all taxi-drivers in the city to install CCTV in their cabs, as a condition of receiving their licence. The cameras, which must capture both audio and video, will run permanently and must store data for 28 days in case police decide they would like retrospective access to the recording.
Privacy advocates are, not surprisingly, questioning the impact of such a move: Big Brother Watch said it showed “total disregard for civil liberties”.
Oxford City Council has, presumably, done a risk assessment of this proposal (after all, a council spokesperson is quoted as saying “The risk of intrusion into private conversations has to be balanced against the interests of public safety, both of passengers and drivers.”). It would be fascinating to see the details of that risk assessment.
Interestingly, the UK Information Commissioner’s Office (ICO) Code of Practice on CCTV happens to make explicit mention of the use of audio recording in taxi cabs. It prefaces its comment with a clear warning on audio capture (my emphasis):
“CCTV must not be used to record conversations between members of the public as this is highly intrusive and unlikely to be justified. You should choose a system without this facility if possible. If your system comes equipped with a sound recording facility then you should turn this off or disable it in some other way.”
It goes on to say:
“There are limited circumstances in which audio recording may be justified, subject to sufficient safeguards. These could include:
[...]
- Where recording is triggered due to a specific threat, e.g. a ‘panic button’ in a taxi cab.
In the limited circumstances where audio recording is justified, signs must make it very clear that audio recording is being or may be carried out.”
That looks to me as though it rules out the option of a permanent audio recording.
The CCTV Code of Practice is itself subsidiary to the Data Protection Act, which includes the following over-arching principle:
“3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”
It’s going to be very tricky for Oxford City Council to prove compliance with the Proportionality Principle, because another council (Monmouthshire) has come to precisely the opposite conclusion about whether taxi drivers should record what goes on in their cabs.
by Robin Wilton | November 21, 2011 | Comments Off
Well, it seems I was a little optimistic about relaying the Ministers’ Statement from the e-Gov conference: they did draft one at the conclusion of the Ministerial meeting, but it is going to be published along with a broader release from the EU Council of Ministers (Telecomms subset). I’ve been given the target date for that release, so stay tuned and I’ll let you know as soon as I hear more.
In the meantime, I’ll also try and find a moment to blog some of the eID and Identity Assurance news I picked up at the conference, where there was lots to see and hear. Very interesting stories from Austria, Sweden, Belgium, Slovenia and elsewhere.
There is plenty going on in this domain. No-one was shying away from the current economic and political turbulence; indeed, most of the people I spoke to felt that a robust, viable and privacy-respecting approach to eID and Identity Assurance was going to be a vital part of e-Government strategies during the challenging period ahead of us. As I say, stay tuned…
by Robin Wilton | November 14, 2011 | 1 Comment
I’ll be attending the European e-Government conference in Poznan later this week (I know, I know… Poland in November… why didn’t I get the Gartner IAM Summit in San Diego, or the Symposium on the Australian Gold Coast? No matter: for you, I will make the sacrifice ;^).
The theme is “Borderless e-Government Services for Europeans”, and there is plenty on the agenda to do with e-identity, trust and privacy.
I’m looking forward to seeing the showcase of e-government projects, and finding out how those have evolved since the last conference in Malmö in 2009. If you’ve got a stand at the conference, please let me know and I’ll make sure I drop by and find out what you’ve been up to.
The conference includes a ministerial meeting, which produces a statement summarising the high-level policy goals for e-government projects over the coming years, so I’ll try to post the highlights of that here as soon as possible after they are released.
Stay tuned…
by Robin Wilton | November 8, 2011 | 3 Comments
Well, yesterday I mentioned two strands of the federation concept – so here’s the post about the second one.
This strand has to do with attributes (and yes, I acknowledge that “identity” is an attribute… but let’s set that to one side for the time being). In the ‘traditional’ world of assured identities, attributes are things you hang off a known identity. If you want to know how tall Joe Bloggs is, you first establish which one is Joe Bloggs and then look up the ‘height’ attribute in his records. A set of concepts and disciplines has grown up around that approach – in fact, more than one set of concepts and disciplines. You will hear attributes talked about in terms of “claims”, “assertions”, “tokens” and so on. Mostly, these are different technologists’ perspectives on a similar, if not identical conceptual core, though the technical embodiments of that core may differ. Again, the Higher Education federation community has been a pioneer in this domain, in the sense that they were the first to design a protocol (Shibboleth) which made it possible to grant someone access to resources based purely on an attribute (“is a member of this institution”) without the recipient needing to know the identity of the requester.
The thing is, once you start exchanging clusters of attributes between federated partners, another vital discipline is thrust into the limelight: managing the metadata associated with those attributes. My colleague Ian Glazer is developing some ground-breaking ideas on this theme. So, while the management of attributes may be reasonably well understood, managing metadata is less so – whether we’re talking about a federated environment or even in-house, within a single organisation.
[Here's a brief detour to give an example of how bad most of us are at managing metadata: a basic rule of data protection is that you shouldn't collect data for one purpose and then use it for another; or that you shouldn't keep data for longer than necessary... but how many organisations actually tag information with metadata which states the purpose of collection, or the date of collection and intended retention period? Virtually none, in my experience to date.]
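As an added illustration of the tagging that detour describes (example code, not from the original post): a record that carries its purpose of collection, collection date and intended retention period, and an access check that uses that metadata to refuse re-use for a different purpose or use after retention has lapsed. The subject, attribute values, purpose names and dates are all constructed for the example.

```python
"""Purpose-tagged records with retention enforcement (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Union


class PurposeViolation(Exception):
    """Data requested for a purpose other than the one it was collected for."""


class RetentionExpired(Exception):
    """Data requested after its intended retention period has elapsed."""


def _as_date(d: Union[date, str]) -> date:
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


@dataclass(frozen=True)
class Provenance:
    """The metadata the post notes is rarely recorded alongside the data."""
    purpose: str          # why the data was collected
    collected_on: date    # when it was collected
    retention: timedelta  # how long it may be kept for that purpose

    def expires_on(self) -> date:
        return self.collected_on + self.retention


@dataclass
class TaggedRecord:
    subject: str                # who the data is about
    attributes: Dict[str, str]  # the data itself
    provenance: Provenance      # the metadata that travels with it

    def access(self, purpose: str, today: Union[date, str]) -> Dict[str, str]:
        """Release the attributes only if purpose and retention checks pass."""
        if purpose != self.provenance.purpose:
            raise PurposeViolation(
                f"{self.subject}: collected for {self.provenance.purpose!r}, "
                f"requested for {purpose!r}")
        if _as_date(today) > self.provenance.expires_on():
            raise RetentionExpired(
                f"{self.subject}: retention ended {self.provenance.expires_on()}")
        return dict(self.attributes)


def try_access(record: TaggedRecord, purpose: str, today: Union[date, str]) -> str:
    """Map the outcome of an access attempt to a short status string for logging."""
    try:
        record.access(purpose, today)
        return "granted"
    except PurposeViolation:
        return "denied:purpose"
    except RetentionExpired:
        return "denied:retention"


def purge_expired(records: List[TaggedRecord], today: Union[date, str]) -> List[TaggedRecord]:
    """Keep only records still inside their retention period."""
    return [r for r in records if _as_date(today) <= r.provenance.expires_on()]


# Constructed sample: a postcode collected for order fulfilment, kept 30 days.
SAMPLE = TaggedRecord(
    subject="joe.bloggs",
    attributes={"postcode": "OX1 1AA"},
    provenance=Provenance(purpose="order-fulfilment",
                          collected_on=date(2011, 11, 1),
                          retention=timedelta(days=30)),
)

if __name__ == "__main__":
    for purpose, day in [("order-fulfilment", "2011-11-15"),
                         ("marketing", "2011-11-15"),
                         ("order-fulfilment", "2011-12-02")]:
        print(purpose, day, try_access(SAMPLE, purpose, day))
    print(len(purge_expired([SAMPLE], "2011-12-02")), "record(s) kept after purge")
```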
So my second question is: what will drive organisations to manage metadata as effectively as they manage the data which, right now, they perceive as being core to their success? Because I think that if metadata isn’t already, it soon will be just as critical.
And last: where is that attribute-based strand headed? Well, in some senses it’s already there: there are organisations which don’t care who you are, but survive because of the skill with which they process your attributes (and the attributes of others like you). I can think of examples in advertising (especially behavioural/targeted), insurance, social interaction sites and law enforcement where knowing ‘who someone is’ is less critical than having an accurate picture of their attributes.
My third question, though, is about reputation. All of the things I’ve mentioned so far – assurance, attributes, metadata – are attempts to formalise things we, as social animals, understand and act on every day (however imperfectly). We want and/or need to formalise them because our lives are so technically-mediated that we need devices and applications to act as our proxies… and to act on the basis of the same concepts we ourselves rely on.
The third question is: what would make for a successful (online) reputation system?
Convincing answers to all three questions would get you an “A”.
The bonus question for a Distinction is: what could an (online) reputation system do to manage reputation post mortem?
by Robin Wilton | November 7, 2011 | 1 Comment
A couple of conversations recently have got me thinking about where we are with federation, particularly in relation to standards, and I wanted to put some thoughts out there for you to mull over/comment on/dispute. You’ll have to be a bit patient, I’m afraid: I do have questions, but the questions only have real purpose if we cover a little history first. Bear with me…
It seems to me that, in the broadest sense, there are two strands to the federation concept, and I’m going to leave the second one until my next post. In the meantime, the first strand is about identities. It started out with the very basic question “how can I [my organisation] authenticate your [organisation's] users?”. In its most basic form, identity federation is an attempt to solve the problem of passing a successful authentication status from one organisation to another. I’d suggest that that is now a comparatively mature concept, robustly implemented and with some successful large-scale deployments.
The business of passing authentication status from one organisation to another, though, raises questions of trust… it’s all very well for me to receive a message from you saying “it’s OK, I’ve authenticated Joe Bloggs successfully, you can let him in” – but my trust in that message rests on all kinds of factors which may or may not be reliable. Indeed, one of the early issues with OpenID was that, in its eagerness to simplify, it cast aside many of the trust factors underpinning that kind of assertion. The recipient had to take the “it’s OK, I’ll vouch for Joe Bloggs” assertion very much at face value.
Initiatives like the US NSTIC programme are an attempt to move federation beyond simple, inter-organisational assertions and develop a more structured way of assessing the trustworthiness of such assertions. In NSTIC, the higher education federation community and elsewhere, a big chunk of that is being codified in the form of four “Levels of Assurance”… metrics which can, in theory, be objectively assessed, quantified and passed as a parameter in an authentication message. Principally (but not exclusively), Levels of Assurance are aimed at increasing the trust one organisation can place in another organisation’s enrolment processes. There has been massive investment of effort and money in developing the concept of Levels of Assurance, and in some respects that concept, too, is a relatively mature one. It has not yet reached the stage of widespread implementation or deployment, though.
So where next? Well, one thing which the evolution of federation has revealed is that we’re a long way from the comfortable days when the authoritative source of “people I need to authenticate” was “the list of people in the payroll database”. Life used to be so simple. Even basic federation meant that the list of people I need to authenticate now includes people on your payroll, who may well not be on mine. In practice, it also meant ‘customers of yours who aren’t on your payroll either’…
The identity-based strand of federation activity, then, has gone from relying on other organisations’ employee/payroll databases to relying on other organisations’ customer databases, and now to a point where the person you need to let in is, quite possibly, not ‘registered’ with the organisation they came to you from. And yet, still, you have to come to a trust decision about levels of assurance and therefore levels of access.
The leading edge of identity-based federation is, I’d suggest, not a very comfortable place to perch. So the first of my questions is: where can we find reliable trust anchors in that environment?
As for the second strand… well, in the interests of keeping this post (I hope) readably short, I’m going to come to that tomorrow…
by Robin Wilton | October 27, 2011 | 1 Comment
Take a moment to think about the way you use the internet… Which characteristic of it is more important to you, as a consumer: the ability to access resources anywhere, from anywhere, or the ability to find out what services are physically in your immediate vicinity? I’d be willing to bet that it’s the former.
Put another way, if you had to choose between a ubiquitous internet which gives you global, virtual access and an internet which tells you everything about what is physically nearest to you, would you honestly prefer the latter?
In fact, when I have used geo-location myself, the useful aspect has not been that I can physically locate a restaurant when I’m near it, but that I can physically locate it from wherever I happen to be.
So, if geolocation isn’t really for my benefit, why do my devices and online services increasingly assume that it is, and enable it by default?
[This micro-rant is, of course, my own personal opinion, should in no way be construed as the view or policy of my employer, and does not reflect any research or factual findings whatsoever...] But seriously… why should we put up with being tracked everywhere and told it’s for our benefit…? I’m just askin’…