Tuesday, May 25, 2010

Pakistan blocks Facebook and YouTube

Pakistan rights activist Sabeen Mahmud has produced some wonderful graphics in response to the Lahore High Court's recent blocking of Facebook and YouTube:

Thursday, May 13, 2010

Deleting the database state

The agreement for coalition government between the Conservative and Liberal Democrat parties includes the following:
  • The scrapping of the ID card scheme, the National Identity register, the next generation of biometric passports and the Contact Point Database.

  • Outlawing the finger-printing of children at school without parental permission.

  • Adopting the protections of the Scottish model for the DNA database.

  • Further regulation of CCTV.

  • Ending of storage of internet and email records without good reason.

Glad to see so many suggestions have been taken up from our Database State report. There is nothing detailed in the agreement on the NHS, but I expect the two parties will also scrap the National Programme for IT for the cost savings alone.

"Ending" the storage of Internet and e-mail records will not be possible given the Data Retention Directive that the previous government pushed through in Brussels. However, the Directive is currently being reviewed, so I do hope the UK will be demanding that it be scrapped. Until then, the government could use secondary legislation to reduce the length of time data is stored to six months; stop the "voluntary" storage by ISPs of lists of websites visited by their customers; and seriously reduce the number of government agencies with access to this data. My chapter on regulation of converged communications surveillance contains a number of further suggestions.

I spoke at a College of Law event on Monday on surveillance, alongside an extremely senior police officer with responsibility for CCTV. In his opinion, the £500m+ of public money spent on cameras in the UK since the early 1990s has given a very poor return. Politically, however, it would be difficult to remove existing systems. My suggestion is that all cameras should be subject to a regular value-for-money test. Those not having a significant impact on crime should be automatically removed.

Friday, May 07, 2010

E-voting is not the solution to poll chaos

It has only taken a few hours for e-voting to be proposed as the "answer" to last night's chaos as polling stations closed. It is dismaying to read such badly informed commentary as this:

Andy Williamson, director of digital democracy at the non-partisan think tank, the Hansard Society, argues that "a lack of desire to change" is a better explanation of any resistance to electronic voting than security concerns.

He acknowledges the risks with electronic voting, but says "you have to put this in the context of the current process, which we mostly accept, despite the obvious flaws and risks."

Those risks, he says, include "the lack of positive voter verification, the obvious risk of moving big piles of paper around, and the fallibility of manual counting."

As has been explained over and over and over again: personal computers and the Internet are nowhere near trustworthy enough to conduct national elections. Even voting computers at polling stations are far too easy to hack, as Hari Prasad, Alex Halderman and Rop Gonggrijp demonstrated again just last week in India:

Would it be so difficult to employ a few more polling station staff, and pay them overtime to ensure everyone is able to cast their vote?

Secure software development survey

Our visiting researcher Prof. Mingqiu Song is investigating how software firms use secure development processes. If you work in a company using these processes, please fill in her survey — and to say thanks, you can win a £100 Amazon voucher.

Tuesday, May 04, 2010

EU cybersecurity policy

This morning I gave the following invited speech to a session of the European Parliament's industry committee, which was considering a draft report on the Commission's recent Communication on Internet Governance. Also speaking were Ambassador Janis Karklis, chairman of ICANN's Government Advisory Committee; Frederic Donck from the Internet Society; and Prof. Adrian Cheok, director of the National University of Singapore's Mixed Reality Lab. Due to technical difficulties (!) the Internet Governance Forum secretariat's executive coordinator, Markus Kummer, was unable to participate remotely as planned.

Internet governance and cybersecurity

Clearly, European society is increasingly dependent on the Internet and related communications systems. But the security of those systems is not yet at a level appropriate for that dependence. Mr Sosa Wagner's draft report is right to stress the importance of improving the "availability, robustness and resilience" of critical information infrastructures.

The Commission and the Parliament have taken some important steps in improving this situation, especially through the recent telecoms reform package and its obligation for operators to identify risks and ensure continuity of service. I want to outline five key additional steps that the EU should take towards this goal (many of which are being discussed by the institutions):
  1. Bring member states up to a common high level on cybersecurity, with national Computer Emergency Response Teams or networks of sectoral teams. The European Network and Information Security Agency (ENISA) should continue to develop forums for information-sharing, and provide support to less capable member states.

  2. Further increase the effectiveness of ENISA, which needs significantly greater resources. With the entry into force of the Lisbon treaty, ENISA should be able to take action on former third pillar matters such as criminal use of the Internet.

  3. Ensure the resilience of key industry sectors through appropriate regulation. There should be further discussion of the designation of critical information infrastructures under Council Directive 2008/114/EC (while addressing concerns over information sharing), and requiring isolation of critical utility systems from public networks.

  4. Widen requirements for security breach notification from communication network operators to other information society services.

  5. Reinforce system and network diversity through competition law, state use of open standards, and procurement policy.

The Commission's Communication on Internet governance states that "the EU should take a leadership role in working towards the goal of increased security and stability of the Internet by initiating dialogue with international partners." The Commission should develop concrete plans with the Parliament and member states on what this leadership role should entail. In addition to promoting at the international level the measures I previously described, this could include:

  • Support for ICANN in its work to ensure the security and stability of the Domain Name System;

  • Work in international venues such as the OECD, United Nations and Council of Europe to improve applicable laws and national coordination on cybersecurity;

  • Discussions on limited liability for software security faults, particularly in the operating system and browser software that is critical to system security.

Finally, it is critical that the Parliament continues its role in promoting fundamental European values such as freedom of expression and privacy. The draft report's suggestion to extend the Rome II regulation to include violations of data protection and privacy is positive, as is the suggestion on the negotiation of international agreements for effective redress. But the EU institutions should be extremely cautious in introducing measures such as powers to revoke IP address blocks and domain names, which was suggested last week by the Council, or requiring Internet blocking (as Commissioner Malmstrom has proposed). These measures would set an extremely damaging precedent for Internet governance by repressive states that do not share European values.