Entries Tagged "UK"

Page 13 of 19

Security Plus Privacy

The Royal Academy of Engineering (in the UK) has just published a report: “Dilemmas of Privacy And Surveillance: Challenges of Technological Change” (press release here) where they argue that security and privacy are not in opposition, and that we can have both if we’re sensible about it.

Recommendations

R1 Systems that involve the collection, checking and processing of personal information should be designed in order to diminish the risk of failure as far as reasonably practicable. Development of such systems should make the best use of engineering expertise in assessing and managing vulnerabilities and risks. Public sector organisations should take the lead in this area, as they collect and process a great deal of sensitive personal data, often on a non-voluntary basis.

R2 Many failures can be foreseen. It is essential to have procedures in place to deal with the consequences of failure in systems used to collect, store or process personal information. These should include processes for aiding and compensating individuals who are affected.

R3 Human rights law already requires that everyone should have their reasonable expectation of privacy respected and protected. Clarification of what counts as a reasonable expectation of privacy is necessary in order to protect this right and a public debate, including the legal, technical and political communities, should be encouraged in order to work towards a consensus on the definition of what is a ‘reasonable expectation’. This debate should take into account the effect of an easily searchable Internet when deciding what counts as a reasonable expectation of privacy.

R4 The powers of the Information Commissioner should be extended. Significant penalties—including custodial sentences—should be imposed on individuals or organisations that misuse data. The Information Commissioner should also have the power to perform audits and to direct that audits be performed by approved auditors in order to encourage organisations to always process data in accordance with the Data Protection Act. A public debate should be held on whether the primary control should be on the collection of data, or whether it is the processing and use of data that should be controlled, with penalties for improper use.

R5 Organisations should not seek to identify the individuals with whom they have dealings if all they require is authentication of rightful access to goods or services. Systems that allow automated access to a service such as public transport should be developed to use only the minimal authenticating information necessary. When organisations do desire identification, they should be required to justify why identification, rather than authentication, is needed. In such circumstances, a minimum of identifying information should be expected.

R6 Research into the effectiveness of camera surveillance is necessary, to judge whether its potential intrusion into people’s privacy is outweighed by its benefits. Effort should be put into researching ways of monitoring public spaces that minimise the impact on privacy—for example, pursuing engineering research into developing effective means of automated surveillance which ignore law-abiding activities.

R7 Information technology services should be designed to maintain privacy. Research should be pursued into the possibility of ‘designing for privacy’ and a concern for privacy should be encouraged amongst practising engineers and engineering teachers. Possibilities include designing methods of payment for travel and other goods and services without revealing identity and protecting electronic personal information by using similar methods to those used for protecting copyrighted electronic material.

R8 There is need for clarity on the rights and expectations that individuals have over their personal information. A digital charter outlining an individual’s rights and expectations over how their data are managed, shared and protected would deliver that clarity. Access by individuals to their personal data should also be made easier; for example, by automatically providing free copies of credit reports annually. There should be debate on how personal data are protected—how it can be ensured that the data are accurate, secure and private. Companies, or other trusted, third-party organisations, could have the role of data banks—trusted guardians of personal data. Research into innovative business models for such companies should be encouraged.

R9 Commercial organisations that select their customers or vary their offers to individuals on the basis of profiling should be required, on request, to divulge to the data subjects that profiling has been used. Profiling will always be used to differentiate between customers, but unfair or excessively discriminating profiling systems should not be permitted.

R10 Data collection and use systems should be designed so that there is reciprocity between data subjects and owners of the system. This includes transparency about the kinds of data collected and the uses intended for it; and data subjects having the right to receive clear explanations and justifications for data requests. In the case of camera surveillance, there should be debate on and research into ways to allow the public some level of access to the images captured by surveillance cameras.

The whole thing is worth reading, as is this article from The Register.

Posted on March 29, 2007 at 11:11 AMView Comments

10,000 Fake British Passports in One Year

This is the kind of thing that demonstrates why attempts to make passports harder to forge are not the right way to spend security dollars. These aren’t fake passports; they’re real ones mis-issued. They have RFID chips and any other anti-counterfeiting measure the British government includes.

The weak link in identity documents is the issuance procedures, not the documents themselves.

Posted on March 26, 2007 at 6:46 AMView Comments

Citizen Counter-Terrorists

The greater Manchester police want everyone to help them find terrorists:

In a new anti-terror drive, a tip-off hotline is being relaunched and an advertising campaign will urge people to report any suspicious behaviour. It asks:

* Do you know anyone who travels but is vague on where they’re going?

* Do you know someone with documents in different names for no obvious reason?

* Do you know someone buying large or unusual quantities of chemicals for no obvious reason?

* Handling chemicals is dangerous, maybe you’ve seen goggles or masks dumped somewhere?

* If you work in commercial vehicle hire or sales, has a sale or rental made you suspicious?

* Have you seen someone with large quantities of mobiles?

* Have you seen anyone taking pictures of security arrangements?

* Do you know someone who visits terrorist-related websites?

* Have you seen any suspicious cheque or credit card transactions?

* Is someone is asking for a short-term let on a house or flat on a cash basis for no apparent reason?

This reminds me of TIPS, the ill-conceived U.S. program to have meter readers and the like—people who regularly enter people’s homes—report suspicious activity to the police. It’s just dumb; people will report each other because their food smells wrong, or they talk in a funny language. The system will be swamped with false alarms, which police will have to waste their time following up on. This sort of state-sponsored snitchery is something you’d expect out of the former East Germany, or the Soviet Union—not the U.K.

For comparison’s sake, here’s a similar program that I actually liked.

Posted on March 20, 2007 at 12:26 PMView Comments

Corsham Bunker

Fascinating article on the Corsham bunker, the secret underground UK site the government was to retreat to in the event of a nuclear war.

Until two years ago, the existence of this complex, variously codenamed Burlington, Stockwell, Turnstile or 3-Site, was classified. It was a huge yet very secret complex, where the government and 6,000 apparatchiks would have taken refuge for 90 days during all-out thermonuclear war. Solid yet cavernous, surrounded by 100ft-deep reinforced concrete walls within a subterranean 240-acre limestone quarry just outside Corsham, it drives one to imagine the ghosts of people who, thank God, never took refuge here.

Posted on February 7, 2007 at 2:40 PMView Comments

Cameras Protecting Other Cameras

There is a proposal in Scotland to protect automatic speed-trap cameras from vandals by monitoring them with other cameras.

Then, I suppose we need still other cameras to protect the camera-watching cameras.

I am reminded of a certain building corner in York. Centuries ago it was getting banged up by carts and whatnot, so the owners stuck a post in the ground a couple of feet away from the corner to protect it. Time passed, and the post itself became historically significant. So now there is another post a couple of feet away from the first one to protect it.

When will it end?

Posted on January 31, 2007 at 2:05 PMView Comments

SAS Troops Stationed in London

British special forces are now stationed in London:

An SAS unit is now for the first time permanently based in London on 24-hour standby for counter-terrorist operations, The Times has learnt.

The basing of a unit from the elite special forces regiment “in the metropolitan area” is intended to provide the police with a combat-proven ability to deal with armed terrorists in the capital.

The small unit also includes surveillance specialists and bomb-disposal experts.

Although the Metropolitan Police has its own substantial firearms capability, the fatal shooting of Jean Charles de Menezes, the Brazilian electrician who was mistakenly identified as a terrorist bomber on the run, has underlined the need to have military expertise on tap.

While I agree that the British police completely screwed up the Menezes shooting, I’m not at all convinced the SAS can do better. The police are trained to work within a lawful society; military units are primarily trained for military combat operations. Which group do you think will be more restrained?

This kind of thing is a result of the “war on terror” rhetoric. We don’t need military operations, we need police protection.

I think people have been watching too many seasons of 24.

Posted on January 25, 2007 at 3:34 PMView Comments

MI5 Terror Alerts by E-mail

Sounds like security theater to me:

But he added that one of the difficult questions was what people should do about the information when they receive it: “There’s not necessarily that much information on the website about how you should act and how you should respond other than being vigilant and calling a hotline if you see anything suspicious.”

The first, called Threat Level Only, will inform the recipient if the nationwide terror threat level changes. The condition is currently listed as severe.

The second more inclusive service is called What’s New, and will be a digest of the latest information from MI5, including speeches made by the director general and links to relevant websites.

I’ve written about terror threat alerts in the UK before.

EDITED TO ADD (1/15): System is in shambles and being overhauled:

Digital detective work by campaigners revealed that the alerting system did little to protect the identities of anyone signing up.

They found that data gathered was being stored in the US leading to questions about who would have access to the list of names and e-mail addresses.

Posted on January 10, 2007 at 6:31 AMView Comments

1 11 12 13 14 15 19

Sidebar photo of Bruce Schneier by Joe MacInnis.