By davebirch posted Jul 30 2007 at 9:38 PM
[Dave Birch] If you ask anyone who actually knows anything about security about risks, they'll always tell you the same thing: insiders are the biggest threat. They might add: especially insiders who don't understand how to use the most basic computer security measures and don't understand how software that is integral to Web 2.0 works. A Japanese policeman has been sacked after the personal information of thousands of people relating to criminal investigations was leaked on to the internet from his computer. The officer revealed the details via peer-to-peer (P2P) file-sharing software on his PC. He had allegedly installed the Winny file-sharing software on to his machine and was unaware that sensitive data was being made available to other users via the P2P network, leading to the personal details of 12,000 people related to criminal investigations being shared along with 6,600 police documents (including interrogation reports, victim statements, and classified locations of automatic licence plate readers). What's more, the files included a list of the names, addresses and personal information concerning 400 members of the notorious criminal gang Yamaguchigumi yakuza. I wouldn't try opening a bank account and taking out a loan in one of their names, to be honest, as they may take a more robust approach to identity theft than the Information Commissioner.
Technorati Tags: identity
Continue reading "Identity theft that matters, not dumb credit card stuff" »
By davebirch posted Jul 27 2007 at 8:24 AM
[Dave Birch] I've mentioned a few times at various seminars that the way that the Dutch have approached the development of a national contactless smart card for transport ticketing should be studied to see what lessons can be learned and used to inform other developments. The basic reason for this is the structure of the procurement: in short, organisations were asked to tender using whatever standards and interfaces they liked but in the knowledge that whoever won would have to provide the specifications licence-free so that anyone could develop new products and services to use the cards. It's already paid off. When Linkdump reported that students developing open source applications found a security error in the card, it reinforced to me the wisdom of the Dutch approach. The combination of open source and independent scrutiny makes that system as a whole more, not less, secure.
Technorati Tags: identity
Continue reading "An open source national ID scheme" »
By davebirch posted Jul 26 2007 at 9:52 AM
[Dave Birch] The American Medical Association (AMA) says that human RFID tags could pose serious privacy risks. No kidding. But note that their report has few concerns regarding the medical implications of RFID tags. The tags are implanted using a needle in less than a minute. The Association does have some concerns regarding possible interference with medical imaging and other medical electronics, but the report does not cite any instances of these actually occurring. So there are no medical issues, but there are privacy issues. Such as? Well, the report says that (sensibly) patients should have to give informed consent to implantation, something that is obviously sensible. It also says that doctors cannot assure patients that the personal information contained on RFID tags will be appropriately protected.
I'd assumed that all that is in the tag is some kind of ID number and that all of the identity management takes place at the back end. Not that this neutralises privacy worries, but let's get the big picture sorted out. It shouldn't make any difference to the overall "privacy state" of the system whether I have the number on a bracelet, a tattoo or an implant, should it?
Technorati Tags: health, identity, management
Continue reading "Department of the Bleedin' Obvious" »
By davebirch posted Jul 23 2007 at 9:06 PM
[Dave Birch] You wait ages then two come along at once. After going along to the DBERR seminar, I'd spoken at the BCS Information Security Specialist Group "Privacy Day". I remember that, by coincidence, shortly after having woken up that morning, I heard a story on the Today programme (by forum friend Rory Cellan-Jones) about privacy. I thought he might be priming the nation for my presentation, but it turns out that the Information Commissioner, Richard Thomas, had that very day released his annual report. In the report he called the number of companies, government departments and public bodies breaching data protection rules "horrifying".
Technorati Tags: privacy
Continue reading "Privacy seminars are like London buses" »
By davebirch posted Jul 20 2007 at 8:11 AM
[Dave Birch] I was preparing a presentation that included a couple of remarks about generational issues when it comes to privacy: what Bill Dutton of the Oxford Internet Institute called more "nuanced and textured" views of privacy. This led me back to an article I'd read noting that teenagers generally don't think twice about including their first names and photos on their personal online profiles, but most refrain from using full names or making their profiles fully public, which I now understand more fully after listening to Bill. This and similar news reports were linked to a survey from The Pew Internet and American Life Project which found that two-thirds of teenagers using social networking have restricted access to their profiles in some fashion, such as by requiring passwords or making them available only to friends on an approved list. Social networking sites, such as MySpace and Facebook (or, indeed, LinkedIn) have responded by offering users more controls over how much they make public and warning them about revealing too much. So perhaps the next generation are not ignoring privacy, but dealing with it in a new way. After all, only 1 in 50 puts their mobile phone number online. Although four-fifths put their photo online and more girls than boys do so. I'm no expert (as may be evident) but they presumably don't see their image as a private part of their identity and, also presumably, want control over it by posting an image that they choose, that is under their control.
Technorati Tags: identity, privacy, security
Continue reading "S/MIME is, like, so last century" »
By davebirch posted Jul 18 2007 at 6:14 PM
[Dave Birch] A NIST report shows that machines can out-perform humans at face recognition under certain circumstances. The FRVT 2006, for the first time, integrated measuring human face recognition capability into an evaluation of face recognition technologies and the performance of humans and computers was compared on the same set of images. The experiment found that algorithms are capable of human performance levels, and that at false accept rates in the range of 0.05, machines can out-perform humans. Note also that one of the report's findings is that the performance of iris, face and 3D face is comparable when all three biometrics are acquired under controlled illumination (my italics). Much to the joy of the Bouncer's Union, however, it seems that machines are unlikely to replace nightclub doormen any time soon.
Technorati Tags: biometrics
Continue reading "Man vs. Machine" »
By davebirch posted Jul 17 2007 at 9:10 PM
[Dave Birch] In his presentation to EEMA, my colleague Neil McEvoy calls for the creation of an identity utility, to be used by government, business and individuals alike. Neil mentions that the NFC-equipped mobile phone could be the critical device to make this a reality, because the mobile phone can act as both the identity provider and the identity consumer. So will there be enough mobile phones, and will enough of them have NFC, to make this a realistic vision? Well, in many countries (e.g., the U.K.), mobile penetration is already over 100%. Nokia alone sold 348 million handsets last year. There are nearly half a billion mobile phone users in China. 49 million handsets were shipped in Japan last year. ABI Research forecasts that by 2012, some 292 million handsets (more than 20% of the global mobile handset market) will ship with built-in near-field-communications capabilities.
Technorati Tags: business, government, identity, management
Continue reading "Building the utility" »
By davebirch posted Jul 16 2007 at 11:03 AM
[Dave Birch] There's an identity-related debate going on about data sharing by government. I don't mean to take sides on it, except to note that I would prefer to see a more technologically-informed debate, especially around the sharing of biometric data. I was making some notes about this in a data protection context and thought I would mention that the EU's Data Protection Supervisor (a Mr. Peter Hustinx) has been saying that EU governments risk violating the protection of their citizens' personal data by acting hastily in approving the use of biometrics because it was "rushing in a new era" of using biometric identifiers for security checks while standards for data protection were still not clear. In particular, he warned against cross-linking national biometric databases and he said that Europe needs standardised procedures for collecting biometric data as well as common rules and safeguards for the use of the sensitive information.
Technorati Tags: government, identity, passport
Continue reading "Rushing in" »
By davebirch posted Jul 13 2007 at 3:10 PM
[Dave Birch] This story about bus ticket machines going down Down Under may seem of tangential relevance to identity cards, but look at the details. According to the story, bus ticket machines are breaking down an average of 12 times a day, giving passengers free rides and robbing taxpayers of thousands of dollars in revenue. The figures, revealed in Freedom of Information documents, also cast doubt on the replacement smart card system, which drivers claim breaks down more than the current ticket machines – even causing at least one accident. The real cost of loss in revenue is unknown as the Government relies on the ticket machines to provide patronage and fare data. The biggest cause of ticketing machines being out of order was faulty software, followed by printer malfunctions, and breakdowns in electrical and mechanical components.
Technorati Tags: ID cards, transit
Continue reading "Meanwhile, back in the real world" »
By davebirch posted Jul 12 2007 at 5:59 PM
[Dave Birch] The European Commission are in favour of PETs. Not the furry (or even scaly) ones, but our favourite kind: Privacy Enhancing Technologies. They are in favour of them because they (correctly) think that the deployment of PETs might do more to protect privacy and implement real data protection. If implemented properly, as I have long maintained, they mean that mathematics rather than ombudsmen would ensure compliance! They make a superficially reasonable point about deployment, arguing that PETs should be implemented inside a regulatory framework -- Article 13 of the Data Protection Directive and Article 15 of the ePrivacy Directive, apparently -- that can deliver (negotiable) levels of privacy to individuals. I'm not so sure about that. I think it's better to make the PETs widely available and easy to use and then let the market take over: I'm not sure what regulation adds in this case. The Commission says that it has been promoting the use of PETs by public authorities, and I'm sure we all agree that that's a good thing.
Technorati Tags: ID cards, identity, management, privacy
Continue reading "PET subject" »