Striking the Balance
Ian G Batten
I.G.Batten at ftel.co.uk
Wed, 30 Oct 2002 18:16:58 +0000
On Wed, 30 Oct 2002, Watkin Simon wrote:
> > Correct, but what I expect from HMG is convincing it *can't*
> > be abused.
>
> I've already got that point. What sort of convincing will be required?
Clear and transparent processes which the government and all its agents
have to follow in order to obtain information, coupled with a strict
oversight regime and meaningful penalties for those that break the
rules.
> Yes, technology makes it easier. But when itemised phone billing was
> introduced were we all worked up about the fact that it could be possible to
> show who A spoke on a day going back several months?
Yes, which is why (for example) Childline does not appear on itemised
phone bills. You might also care to ponder the existence of NQR phone
lines, which (aside from their use for people judged to be at risk from
terrorists and other threats) are used to provide relief for victims of
abusive phone calls where the assailant has been able to get the new
phone number of the victim from a CSP. As happened to some friends of
mine.
> the following. The CSP does that. HMG asks the follower. And yes we need
> a convincing trusted and abuse-safe process.
With penalties. Isn't it odd that the RIPA and its offshoots go into
exquisite detail about the penalties for the little people failing to
comply, but provide no penalties for TPTB when they misuse the powers?
> I'm tempted to ask list members who they do trust. CSPs? Banks?
> Supermarkets? Multi-national conglomerates? Corner shops? Yes, I know
> they don't make law or exercise functions of state but are they trusted with
> personal information?
No, No, No, No, No. You give each of them the minimum that they require
to do their job, and refuse to hand over anything extra if you don't
think they need it. CSPs and Banks are very bad (or should that be very
good) at using private information for marketing, which I think is
intrusive. I think the fear of supermarket loyalty cards is slightly
overstated, for many people, because for those people there is nothing
of interest that could be derived from their shopping habits. However,
more wide ranging loyalty card schemes are a worry, because of the
breadth of information they provide.
The critical distinction, however, is that none of them have police
forces and none of them have the power to compel me to hand over
information. Banks, in particular, are in a position where they may
process information which could be used for blackmail, but the risk is
still quite narrow as they are unlikely to build up the comprehensive
picture that a weblog would offer.
> Could functions of state be placed with .... dare I even say it .... trusted
> third parties? Look I said it!
See Ross Anderson's piece on Palladium, where he points out that Trusted
is, in security terms, an in-joke, referring to the component in a
system which is empowered to break the otherwise secure model.
ian