From ukcrypto at originalthinktank.org.uk Tue Nov 1 01:32:41 2011
From: ukcrypto at originalthinktank.org.uk (Chris Salter)
Date: Tue, 01 Nov 2011 01:32:41 +0000
Subject: More on the "Identity Assurance programme "
In-Reply-To: <4E9F6FFE.1000301@originalthinktank.org.uk>
References: <4E9F6FFE.1000301@originalthinktank.org.uk>
Message-ID: <4EAF4C39.4060008@originalthinktank.org.uk>

Hello UKCrypto,

Cabinet Office Press Release:

Francis Maude promises £10 million in funding for Digital by Default delivery programme.

Opening Paragraphs.

As part of the Government's commitment to delivering world-class digital products, today the Minister for Cabinet Office Francis Maude announced the Identity Assurance programme would be receiving an extra £10 million in funding.

The Identity Assurance programme deals with the way a service provider can be assured that the customer or user is who they say they are as they access Government services.

Francis Maude made the announcement at the 'Ensuring Trusted Services with the new Identity Assurance Programme' event. Speaking to heads of leading UK technology firms he updated them on the Identity Assurance programme and issued a call to action for companies to work with the UK Government to develop solutions for the project.

End Quote.

http://www.cabinetoffice.gov.uk/news/francis-maude-promises-%C2%A310-million-funding-digital-default-delivery-programme

or

http://preview.tinyurl.com/6756bq2

--
Chris Salter
http://www.originalthinktank.org.uk/
http://www.post-polio.org.uk/


From pwt at iosis.co.uk Tue Nov 1 06:27:45 2011
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Tue, 01 Nov 2011 06:27:45 +0000
Subject: More on the "Identity Assurance programme "
In-Reply-To: <4EAF4C39.4060008@originalthinktank.org.uk>
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk>
Message-ID: <4EAF9161.10907@iosis.co.uk>

Once again, this is only about securing access to public sector web sites and services, not an open project (cf USA NSTIC programme).

I'm facing here a discontinuity between this new material and the previous G-Digital project reports, but that's probably because for personal reasons I have been occupied elsewhere for over a month. Can anyone explain if this programme is an evolution of G-Digital (which appeared to have only Cabinet Office and DoH involved when I last looked)?

Peter

On 01/11/2011 01:32, Chris Salter wrote:
> Hello UKCrypto,
>
> Cabinet Office Press Release:
>
> Francis Maude promises £10 million in funding for Digital by Default delivery programme.
>
> Opening Paragraphs.
>
> As part of the Government's commitment to delivering world-class digital products, today the Minister for Cabinet Office Francis Maude announced the Identity Assurance programme would be receiving an extra £10 million in funding.
>
> The Identity Assurance programme deals with the way a service provider can be assured that the customer or user is who they say they are as they access Government services.
>
> Francis Maude made the announcement at the 'Ensuring Trusted Services with the new Identity Assurance Programme' event. Speaking to heads of leading UK technology firms he updated them on the Identity Assurance programme and issued a call to action for companies to work with the UK Government to develop solutions for the project.
>
> End Quote.
>
> http://www.cabinetoffice.gov.uk/news/francis-maude-promises-%C2%A310-million-funding-digital-default-delivery-programme
>
> or
> http://preview.tinyurl.com/6756bq2
>


From anish.mohammed at gmail.com Tue Nov 1 11:39:21 2011
From: anish.mohammed at gmail.com (Anish Mohammed)
Date: Tue, 1 Nov 2011 11:39:21 +0000
Subject: More on the "Identity Assurance programme "
In-Reply-To: <4EAF9161.10907@iosis.co.uk>
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk>
Message-ID: <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com>

Hi Peter,

I would have assumed this to be a reincarnation of the identity assurance program the previous government had. This time being run by (most likely) a private entity. Being given access to various government data sets on individuals to provide a score. I would assume most data sets to be IL3 ... I have to admit I haven't followed G-digital that much. My perspective of this is as Identity as a service.

Regards
Anish

Anish Mohammed
Twitter: anishmohammed
http://uk.linkedin.com/in/anishmohammed

On 1 Nov 2011, at 06:27, Peter Tomlinson wrote:

> Once again, this is only about securing access to public sector web sites and services, not an open project (cf USA NSTIC programme).
>
> I'm facing here a discontinuity between this new material and the previous G-Digital project reports, but that's probably because for personal reasons I have been occupied elsewhere for over a month. Can anyone explain if this programme is an evolution of G-Digital (which appeared to have only Cabinet Office and DoH involved when I last looked)?
>
> Peter
>
> On 01/11/2011 01:32, Chris Salter wrote:
>> Hello UKCrypto,
>>
>> Cabinet Office Press Release:
>>
>> Francis Maude promises £10 million in funding for Digital by Default delivery programme.
>>
>> Opening Paragraphs.
>>
>> As part of the Government's commitment to delivering world-class digital products, today the Minister for Cabinet Office Francis Maude announced the Identity Assurance programme would be receiving an extra £10 million in funding.
>>
>> The Identity Assurance programme deals with the way a service provider can be assured that the customer or user is who they say they are as they access Government services.
>>
>> Francis Maude made the announcement at the 'Ensuring Trusted Services with the new Identity Assurance Programme' event. Speaking to heads of leading UK technology firms he updated them on the Identity Assurance programme and issued a call to action for companies to work with the UK Government to develop solutions for the project.
>>
>> End Quote.
>>
>> http://www.cabinetoffice.gov.uk/news/francis-maude-promises-%C2%A310-million-funding-digital-default-delivery-programme
>> or
>> http://preview.tinyurl.com/6756bq2
>>
>


From wmheath at gmail.com Tue Nov 1 14:59:24 2011
From: wmheath at gmail.com (William Heath)
Date: Tue, 1 Nov 2011 14:59:24 +0000
Subject: More on the "Identity Assurance programme "
In-Reply-To: <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com>
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk> <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com>
Message-ID:

It's not a subset of G Digital, though they were briefly linked before the election. This flame has been carried since well before the election by a lone official called David Rennie, who was secretary to the James Crosby review. It precedes NSTIC but is pretty consistent with it. It has by default been largely industry driven because until this week it had zero resources.

The big outstanding questions for me are

- will the "ID providers" thrive as a separate new business or simply merge into the other sorts of verification service (because verifying a name or an account number is no different from verifying any other attribute)

- will organisation in future speak directly unto organisation when verifying something about an individual (cf DVLA tax disk) or will this be done via the individual, who will in future acquire and redeploy a range of tokens or proofs (as has happened for centuries). The latter course implies a degree of new structure and capability at the individual's end (I declare an interest and Mandy Rice-Davies' famous quote applies).

I asked that question at the launch. Initially the answer was the former; this was later clarified to the latter.

IMHO the whole programme is a misnomer. It's really about attribute or claims verification.

William
--
Mydex.org

On 1 November 2011 11:39, Anish Mohammed wrote:
> Hi Peter,
> I would have assumed this to be a reincarnation of the identity assurance program the previous government had. This time being run by (most likely) a private entity. Being given access to various government data sets on individuals to provide a score. I would assume most data sets to be IL3 ... I have to admit I haven't followed G-digital that much. My perspective of this is as Identity as a service.
> Regards
> Anish
>
> Anish Mohammed
> Twitter: anishmohammed
> http://uk.linkedin.com/in/anishmohammed
>
> On 1 Nov 2011, at 06:27, Peter Tomlinson wrote:
>
> > Once again, this is only about securing access to public sector web sites and services, not an open project (cf USA NSTIC programme).
> >
> > I'm facing here a discontinuity between this new material and the previous G-Digital project reports, but that's probably because for personal reasons I have been occupied elsewhere for over a month. Can anyone explain if this programme is an evolution of G-Digital (which appeared to have only Cabinet Office and DoH involved when I last looked)?
> >
> > Peter
> >
> > On 01/11/2011 01:32, Chris Salter wrote:
> >> Hello UKCrypto,
> >>
> >> Cabinet Office Press Release:
> >>
> >> Francis Maude promises £10 million in funding for Digital by Default delivery programme.
> >>
> >> Opening Paragraphs.
> >>
> >> As part of the Government's commitment to delivering world-class digital products, today the Minister for Cabinet Office Francis Maude announced the Identity Assurance programme would be receiving an extra £10 million in funding.
> >>
> >> The Identity Assurance programme deals with the way a service provider can be assured that the customer or user is who they say they are as they access Government services.
> >>
> >> Francis Maude made the announcement at the 'Ensuring Trusted Services with the new Identity Assurance Programme' event. Speaking to heads of leading UK technology firms he updated them on the Identity Assurance programme and issued a call to action for companies to work with the UK Government to develop solutions for the project.
> >>
> >> End Quote.
> >>
> >> http://www.cabinetoffice.gov.uk/news/francis-maude-promises-%C2%A310-million-funding-digital-default-delivery-programme
> >> or
> >> http://preview.tinyurl.com/6756bq2
> >>
> >
>


From james2 at jfirth.net Tue Nov 1 21:34:33 2011
From: james2 at jfirth.net (James Firth)
Date: Tue, 1 Nov 2011 21:34:33 -0000
Subject: More on the "Identity Assurance programme "
In-Reply-To:
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk> <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com>
Message-ID: <003a01cc98de$0ded5100$29c7f300$@net>

William Heath wrote:
> - will the "ID providers" thrive as a separate new business or simply merge into the other sorts of verification service (because verifying a name or an account number is no different from verifying any other attribute)

I know it doesn't need saying, but I am going to anyway. Given this, and the obvious commercial and cost-saving benefits to banks etc, why the hell is £10m of public money being chucked at the problem?

(Apologies for using the list like my blog)

James Firth


From wmheath at gmail.com Tue Nov 1 23:11:54 2011
From: wmheath at gmail.com (William Heath)
Date: Tue, 1 Nov 2011 23:11:54 +0000
Subject: More on the "Identity Assurance programme "
In-Reply-To: <003a01cc98de$0ded5100$29c7f300$@net>
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk> <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com> <003a01cc98de$0ded5100$29c7f300$@net>
Message-ID:

Without wishing to wave red rags my view is there's quite a lot to do and no-one to do it. They're just deciding how to allocate the funds this week but in the grand scheme of things I don't think this is the biggest government IT overspend out there. It's a great deal less than US NSTIC budget (even allowing for larger country). They've got pressing deadlines for huge operational systems (notably Universal Credit) which depend on this.

But let's ask.

William

On 1 November 2011 21:34, James Firth wrote:
> William Heath wrote:
> > - will the "ID providers" thrive as a separate new business or simply merge into the other sorts of verification service (because verifying a name or an account number is no different from verifying any other attribute)
>
> I know it doesn't need saying, but I am going to anyway. Given this, and the obvious commercial and cost-saving benefits to banks etc, why the hell is £10m of public money being chucked at the problem?
>
> (Apologies for using the list like my blog)
>
> James Firth
>
>

--
+ 44 7973 115024
ctrl-shift.co.uk
mydex.org


From james2 at jfirth.net Wed Nov 2 00:01:49 2011
From: james2 at jfirth.net (James Firth)
Date: Wed, 2 Nov 2011 00:01:49 -0000
Subject: More on the "Identity Assurance programme "
In-Reply-To:
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk> <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com> <003a01cc98de$0ded5100$29c7f300$@net>
Message-ID: <001501cc98f2$9f31cb50$dd9561f0$@net>

William Heath wrote:
> Without wishing to wave red rags my view is there's quite a lot to do and no-one to do it. They're just deciding how to allocate the funds this week but in the grand scheme of things I don't think this is the biggest government IT overspend out there. It's a great deal less than US NSTIC budget (even allowing for larger country). They've got pressing deadlines for huge operational systems (notably Universal Credit) which depend on this.
>
> But let's ask.
>

Fair points, which then makes me wonder whether there are any long term plans to sell such a service to banks and the like, or even float the whole venture. Whilst the government consultation on a Public Data Corporation raises such a possibility for a central agency for "open" public data - quite wrongly, in my view - there's no such suggestion here when, on the surface, such an approach might work and deliver taxpayer value.

James Firth


From pwt at iosis.co.uk Tue Nov 1 21:50:41 2011
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Tue, 01 Nov 2011 21:50:41 +0000
Subject: More on the "Identity Assurance programme "
In-Reply-To: <003a01cc98de$0ded5100$29c7f300$@net>
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk> <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com> <003a01cc98de$0ded5100$29c7f300$@net>
Message-ID: <4EB069B1.7090607@iosis.co.uk>

Thinking back to the material about the USA's NSTIC that I followed earlier this year and last year, I got the impression that NSTIC (which is running a Programme Office) expects the private sector to provide ID services, because they will want to use them for commercial purposes (sales over the internet, for example). But NSTIC is about ID services for everyone (public sector service providers, private sector service providers, and users both privately and in the course of business). And I got the impression that big private sector organisations were keen to get involved.

Here we seem to be fixated on public sector only, and of course that means the ID providers need paying with public money. This past summer I listened to a presentation that used David Rennie's material, and my immediate response was that once again it's the public sector doing something to us instead of doing something with us.

I have a feeling that maybe Ian Watmore understands this, but how does he turn his colleagues round to face the real world? Following NSTIC is the way to go, because that is how the big global players will implement secure online ID. However, as Francis Maude said at the 30th March Public Admin Commons Committee, this is a very centralised country (I saw this coming as long ago as 1968, and so did my father who was a reluctant civil servant, having been dragged in during WWII - he retired in '71 although he could have gone on for a bit longer).

Peter

On 01/11/2011 21:34, James Firth wrote:
> William Heath wrote:
>> - will the "ID providers" thrive as a separate new business or simply merge into the other sorts of verification service (because verifying a name or an account number is no different from verifying any other attribute)
> I know it doesn't need saying, but I am going to anyway. Given this, and the obvious commercial and cost-saving benefits to banks etc, why the hell is £10m of public money being chucked at the problem?
>
> (Apologies for using the list like my blog)
>
> James Firth
>
>
>


From wmheath at gmail.com Wed Nov 2 07:14:03 2011
From: wmheath at gmail.com (William Heath)
Date: Wed, 2 Nov 2011 07:14:03 +0000
Subject: More on the "Identity Assurance programme "
In-Reply-To: <001501cc98f2$9f31cb50$dd9561f0$@net>
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk> <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com> <003a01cc98de$0ded5100$29c7f300$@net> <001501cc98f2$9f31cb50$dd9561f0$@net>
Message-ID:

Well, I think they're trying to spend what they need to to get their part done. I don't think they're trying to be entrepreneurial about this: pick winners etc. And I suspect they're right not to. But there surely will in due course be a market in government proofs of claims eg driver licence validity. My view is that part is urgent and inevitable but that's not where they're starting AFAIK

William

On 2 November 2011 00:01, James Firth wrote:
> William Heath wrote:
> > Without wishing to wave red rags my view is there's quite a lot to do and no-one to do it. They're just deciding how to allocate the funds this week but in the grand scheme of things I don't think this is the biggest government IT overspend out there. It's a great deal less than US NSTIC budget (even allowing for larger country). They've got pressing deadlines for huge operational systems (notably Universal Credit) which depend on this.
> >
> > But let's ask.
> >
>
> Fair points, which then makes me wonder whether there are any long term plans to sell such a service to banks and the like, or even float the whole venture. Whilst the government consultation on a Public Data Corporation raises such a possibility for a central agency for "open" public data - quite wrongly, in my view - there's no such suggestion here when, on the surface, such an approach might work and deliver taxpayer value.
>
> James Firth
>
>

--
+ 44 7973 115024
ctrl-shift.co.uk
mydex.org


From pwt at iosis.co.uk Wed Nov 2 04:02:18 2011
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Wed, 02 Nov 2011 04:02:18 +0000
Subject: More on the "Identity Assurance programme "
In-Reply-To:
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk> <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com> <003a01cc98de$0ded5100$29c7f300$@net>
Message-ID: <4EB0C0CA.8040701@iosis.co.uk>

I suspect that organisations such as Symantec/Verisign would like to do it, but not necessarily in the introspective way that it seems the UK proponents are thinking of. As Francis Maude pointed out in that 30th March Public Admin Cttee, Amazon succeeds because it delivers a service that users want to use. FM was commenting on something said to him by a civil servant: the public would have to be trained to use their new online service - FM suggested that the service should be redesigned.

Peter

On 01/11/2011 23:11, William Heath wrote:
> Without wishing to wave red rags my view is there's quite a lot to do and no-one to do it. They're just deciding how to allocate the funds this week but in the grand scheme of things I don't think this is the biggest government IT overspend out there. It's a great deal less than US NSTIC budget (even allowing for larger country). They've got pressing deadlines for huge operational systems (notably Universal Credit) which depend on this.
>
> But let's ask.
>
>
> William
>
>
>
> On 1 November 2011 21:34, James Firth wrote:
>
> William Heath wrote:
> > - will the "ID providers" thrive as a separate new business or simply merge into the other sorts of verification service (because verifying a name or an account number is no different from verifying any other attribute)
>
> I know it doesn't need saying, but I am going to anyway. Given this, and the obvious commercial and cost-saving benefits to banks etc, why the hell is £10m of public money being chucked at the problem?
>
> (Apologies for using the list like my blog)
>
> James Firth
>
>
>
>
>
> --
> + 44 7973 115024
> ctrl-shift.co.uk
> mydex.org
>


From tugwilson at gmail.com Wed Nov 2 20:04:38 2011
From: tugwilson at gmail.com (John Wilson)
Date: Wed, 2 Nov 2011 20:04:38 +0000
Subject: More on the "Identity Assurance programme "
In-Reply-To: <4EB0C0CA.8040701@iosis.co.uk>
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk> <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com> <003a01cc98de$0ded5100$29c7f300$@net> <4EB0C0CA.8040701@iosis.co.uk>
Message-ID:

On 2 November 2011 04:02, Peter Tomlinson wrote:
> As Francis Maude pointed out in that 30th March Public Admin Cttee, Amazon succeeds because it delivers a service that users want to use. FM was commenting on something said to him by a civil servant: the public would have to be trained to use their new online service - FM suggested that the service should be redesigned.

Just when you've convinced yourself that all politicians haven't got a clue, one comes along and spoils it for you!

John Wilson


From fw at deneb.enyo.de Wed Nov 2 22:32:20 2011
From: fw at deneb.enyo.de (Florian Weimer)
Date: Wed, 02 Nov 2011 23:32:20 +0100
Subject: More on the "Identity Assurance programme "
In-Reply-To: <003a01cc98de$0ded5100$29c7f300$@net> (James Firth's message of "Tue, 1 Nov 2011 21:34:33 -0000")
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk> <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com> <003a01cc98de$0ded5100$29c7f300$@net>
Message-ID: <87bosup34b.fsf@mid.deneb.enyo.de>

* James Firth:

> I know it doesn't need saying, but I am going to anyway. Given this, and the obvious commercial and cost-saving benefits to banks etc, why the hell is £10m of public money being chucked at the problem?

Doesn't EU regulation forbid electronic enrollment? And after that step, why would a bank want to rely on a third party for a core aspect of their customer interaction?

(In some markets, this is already a reality with one-time passwords delivered by SMS. I'm not a business guy, so I can't quite grasp why anyone would subject themselves to the whims of mobile phone operators that way.)


From james2 at jfirth.net Thu Nov 3 17:19:13 2011
From: james2 at jfirth.net (James Firth)
Date: Thu, 3 Nov 2011 17:19:13 -0000
Subject: More on the "Identity Assurance programme "
In-Reply-To: <87bosup34b.fsf@mid.deneb.enyo.de>
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk> <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com> <003a01cc98de$0ded5100$29c7f300$@net> <87bosup34b.fsf@mid.deneb.enyo.de>
Message-ID: <008401cc9a4c$b99b5aa0$2cd20fe0$@net>

Florian Weimer wrote:
> Doesn't EU regulation forbid electronic enrollment?

Really? For bank accounts? What about PayPal?! (Irony intended - seriously, there are "pseudo-banks" and other services that would benefit).

> why would a bank want to rely on a third party for a core aspect of their customer interaction?

I doubt any bank would see identity verification as anything other than a pain. Several high street chains rely on branches, and when it's an internet or business account the branch has to photocopy documents and send them to the relevant internal department. And they sometimes don't arrive.

And banks without a high street presence (granted, they are owned by banks with a high street presence) have to rely on their parent organisation for this service. Or sending original documents through the post (flawed and hated by customers).

> I'm not a business guy, so I can't quite grasp why anyone would subject themselves to the whims of mobile phone operators that way.)

It's a shitty, costly part of their business banks would rather not do?

Taken a stage further, why not subcontract the whole sign-in process? That would alleviate the "forgot my password, account locked" expense of printing and sending a new PIN/Access code.

And then there's the secondary identification tokens. I have four bank accounts with four different banks. Thankfully only one provides secondary verification (business account), but if all did, would I have to carry the card reader/fob for every one?

It makes sense to subcontract. It makes even more sense from a customer perspective to have a one-stop-shop*

* (apart from it introduces a single point of weakness/monitoring/market monopoly).

James Firth


From lists at internetpolicyagency.com Thu Nov 3 18:39:34 2011
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 3 Nov 2011 18:39:34 +0000
Subject: More on the "Identity Assurance programme "
In-Reply-To: <008401cc9a4c$b99b5aa0$2cd20fe0$@net>
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk> <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com> <003a01cc98de$0ded5100$29c7f300$@net> <87bosup34b.fsf@mid.deneb.enyo.de> <008401cc9a4c$b99b5aa0$2cd20fe0$@net>
Message-ID: <4CuXimbm$tsOFAk5@perry.co.uk>

In article <008401cc9a4c$b99b5aa0$2cd20fe0$@net>, James Firth writes
>I have four bank accounts with four different banks.
>Thankfully only one provides secondary verification (business account), but if all did, would I have to carry the card reader/fob for every one?

I've got two (bank accounts with card reader/fobs) and they seem to be interchangeable.
--
Roland Perry


From wmheath at gmail.com Thu Nov 3 18:46:43 2011
From: wmheath at gmail.com (William Heath)
Date: Thu, 3 Nov 2011 18:46:43 +0000
Subject: Midata [WAS Re: More on the "Identity Assurance programme "]
Message-ID:

Meanwhile in another part of town, see today's related midata announcement:

http://www.bbc.co.uk/news/technology-15580059

It could deliver huge growth potential to the British economy while transforming the relationship between consumers and corporations. Nothing trivial, then, about the claims being made by the government about its midata project.

The plan is to release all sorts of data held by private businesses back to consumers - but the challenge is going to be explaining to the public just why this is so exciting.

"It can sound a bit geeky," admitted Professor Nigel Shadbolt, the man trying to push through the government's open data agenda. "But it's about getting the information that companies hold about me and you back to you in a form you can use."

The plan is that all sorts of companies will make their data available, and then other firms will help consumers to manage it and build useful applications and services on the back of it.....


From anish.mohammed at gmail.com Thu Nov 3 19:16:10 2011
From: anish.mohammed at gmail.com (Anish)
Date: Thu, 3 Nov 2011 19:16:10 +0000
Subject: More on the "Identity Assurance programme "
Message-ID: <1961667398-1320347770-cardhu_decombobulator_blackberry.rim.net-374868156-@b26.c2.bise7.blackberry>

>I've got two (bank accounts with card reader/fobs) and they seem to be interchangeable.

Definitely interesting, does state something about fob and the banks :)

Sent from my BlackBerry® wireless device


From amidgley at gmail.com Fri Nov 4 05:04:19 2011
From: amidgley at gmail.com (Adrian Midgley)
Date: Fri, 4 Nov 2011 05:04:19 +0000
Subject: More on the "Identity Assurance programme "
In-Reply-To: <008401cc9a4c$b99b5aa0$2cd20fe0$@net>
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk> <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com> <003a01cc98de$0ded5100$29c7f300$@net> <87bosup34b.fsf@mid.deneb.enyo.de> <008401cc9a4c$b99b5aa0$2cd20fe0$@net>
Message-ID:

Identity seems to me to be important to a bank, but who someone is does not.

IE if I turn up to take out money they really would like to know that I am the same person who put it in there, opened the account etc, but if I want to be John Smith to them it is no trouble to them,

Except as far as governments make it for them.

So banks might like to do one part of it, and governments the other part.

--
Adrian Midgley
http://www.defoam.net/


From igb at batten.eu.org Fri Nov 4 10:20:34 2011
From: igb at batten.eu.org (Ian Batten)
Date: Fri, 4 Nov 2011 10:20:34 +0000
Subject: More on the "Identity Assurance programme "
In-Reply-To:
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk> <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com> <003a01cc98de$0ded5100$29c7f300$@net> <87bosup34b.fsf@mid.deneb.enyo.de> <008401cc9a4c$b99b5aa0$2cd20fe0$@net>
Message-ID: <37C1DC3C-8EF9-4906-B851-30C8AB74B5A7@batten.eu.org>

On 4 Nov 2011, at 05:04, Adrian Midgley wrote:

> Identity seems to me to be important to a bank, but who someone is does not.
>
> IE if I turn up to take out money they really would like to know that I am the same person who put it in there, opened the account etc, but if I want to be John Smith to them it is no trouble to them,
>
> Except as far as governments make it for them.

Exactly. The "know your customer" drive, in which banks demand passports from people who have held credit-only accounts for the past fifty years, is a reaction to money laundering legislation, not the banks' own requirements. If the government stopped asking, the banks would stop doing. You may recall that opening a bank account in the 1980s required, or was made much easier, an introduction by an existing customer, rather than a check of formal identity documents.

ian


From pwt at iosis.co.uk Fri Nov 4 13:46:07 2011
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Fri, 04 Nov 2011 13:46:07 +0000
Subject: More on the "Identity Assurance programme "
In-Reply-To: <37C1DC3C-8EF9-4906-B851-30C8AB74B5A7@batten.eu.org>
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk> <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com> <003a01cc98de$0ded5100$29c7f300$@net> <87bosup34b.fsf@mid.deneb.enyo.de> <008401cc9a4c$b99b5aa0$2cd20fe0$@net> <37C1DC3C-8EF9-4906-B851-30C8AB74B5A7@batten.eu.org>
Message-ID: <4EB3EC9F.1010207@iosis.co.uk>

On 04/11/2011 10:20, Ian Batten wrote:
> On 4 Nov 2011, at 05:04, Adrian Midgley wrote:
>
>> Identity seems to me to be important to a bank, but who someone is does not.
>>
>> IE if I turn up to take out money they really would like to know that I am the same person who put it in there, opened the account etc, but if I want to be John Smith to them it is no trouble to them,
>>
>> Except as far as governments make it for them.
> Exactly. The "know your customer" drive, in which banks demand passports from people who have held credit-only accounts for the past fifty years, is a reaction to money laundering legislation, not the banks' own requirements. If the government stopped asking, the banks would stop doing. You may recall that opening a bank account in the 1980s required, or was made much easier, an introduction by an existing customer, rather than a check of formal identity documents.

A solicitor has recently told me that, if they have not been in contact with you for more than 6 months, they have to see the proofs again if you want to engage them again.

Peter


From fjmd1a at gmail.com Fri Nov 4 13:55:45 2011
From: fjmd1a at gmail.com (Francis Davey)
Date: Fri, 4 Nov 2011 13:55:45 +0000
Subject: More on the "Identity Assurance programme "
In-Reply-To: <4EB3EC9F.1010207@iosis.co.uk>
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk> <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com> <003a01cc98de$0ded5100$29c7f300$@net> <87bosup34b.fsf@mid.deneb.enyo.de> <008401cc9a4c$b99b5aa0$2cd20fe0$@net> <37C1DC3C-8EF9-4906-B851-30C8AB74B5A7@batten.eu.org> <4EB3EC9F.1010207@iosis.co.uk>
Message-ID:

2011/11/4 Peter Tomlinson :
> On 04/11/2011 10:20, Ian Batten wrote:
>
> A solicitor has recently told me that, if they have not been in contact with you for more than 6 months, they have to see the proofs again if you want to engage them again.
>

I don't think anything like that applies to the Bar, see:

http://www.barcouncil.org.uk/guidance/moneylaunderingregulations-guidanceforthebar/

It's all about risk: there may be no need to see proofs again or there may be.

--
Francis Davey


From tugwilson at gmail.com Fri Nov 4 14:29:57 2011
From: tugwilson at gmail.com (John Wilson)
Date: Fri, 4 Nov 2011 14:29:57 +0000
Subject: More on the "Identity Assurance programme "
In-Reply-To: <4EB3EC9F.1010207@iosis.co.uk>
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk> <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com> <003a01cc98de$0ded5100$29c7f300$@net> <87bosup34b.fsf@mid.deneb.enyo.de> <008401cc9a4c$b99b5aa0$2cd20fe0$@net> <37C1DC3C-8EF9-4906-B851-30C8AB74B5A7@batten.eu.org> <4EB3EC9F.1010207@iosis.co.uk>
Message-ID:

On 4 November 2011 13:46, Peter Tomlinson wrote:
[snip]
>
> A solicitor has recently told me that, if they have not been in contact with you for more than 6 months, they have to see the proofs again if you want to engage them again.

I've just started using a Solicitor I haven't used since 1989 - no request for proof of identity so far.

John Wilson


From fjmd1a at gmail.com Fri Nov 4 14:40:00 2011
From: fjmd1a at gmail.com (Francis Davey)
Date: Fri, 4 Nov 2011 14:40:00 +0000
Subject: More on the "Identity Assurance programme "
In-Reply-To:
References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk> <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com> <003a01cc98de$0ded5100$29c7f300$@net> <87bosup34b.fsf@mid.deneb.enyo.de> <008401cc9a4c$b99b5aa0$2cd20fe0$@net> <37C1DC3C-8EF9-4906-B851-30C8AB74B5A7@batten.eu.org> <4EB3EC9F.1010207@iosis.co.uk>
Message-ID:

2011/11/4 John Wilson :
>
>
> I've just started using a Solicitor I haven't used since 1989 - no request for proof of identity so far.
>

Our guidance (which shouldn't be much different) is that it only applies to certain kinds of advice or transaction. So, if you came to me to ask me advice concerning an employment dispute, there'd be no money laundering implications and I would not have to carefully check your identity. If, on the other hand, you wanted me to help you start a company, I might well have to do that.

--
Francis Davey


From matthew at pemble.net Fri Nov 4 15:46:54 2011
From: matthew at pemble.net (Matthew Pemble)
Date: Fri, 4 Nov 2011 15:46:54 +0000
Subject: More on the "Identity Assurance programme "
In-Reply-To: <1961667398-1320347770-cardhu_decombobulator_blackberry.rim.net-374868156-@b26.c2.bise7.blackberry>
References: <1961667398-1320347770-cardhu_decombobulator_blackberry.rim.net-374868156-@b26.c2.bise7.blackberry>
Message-ID:

On 3 November 2011 19:16, Anish wrote:
>
> >I've got two (bank accounts with card reader/fobs) and they seem to be interchangeable.
> Definitely interesting, does state something about fob and the banks :)
>

Card readers should be interchangeable - the crypto is on the card.
(Some of) The banks just agreed to a common crypto specification which the reader just applies the keyboard and display for. Crypto fobs? If these are interchangeable, then something has gone seriously wrong. Or I've not understood what people are talking about. Which is entirely possible. M. -- Matthew Pemble -------------- next part -------------- An HTML attachment was scrubbed... URL: From lists at internetpolicyagency.com Fri Nov 4 19:44:44 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 4 Nov 2011 19:44:44 +0000 Subject: More on the "Identity Assurance programme " In-Reply-To: References: <1961667398-1320347770-cardhu_decombobulator_blackberry.rim.net-374868156-@b26.c2.bise7.blackberry> Message-ID: In article , Matthew Pemble writes >>>I've got two (bank accounts with card reader/fobs) and they seem to >>>be interchangeable. >>Defenitely intersting does state something about fob and the banks :) >Card readers should be interchangeable - the crypto is on the card. >(Some of) The banks just agreed to a common crypto specification which >the reader just applies the keyboard and display for. > >Crypto fobs? If these are interchangeable, then something has gone >seriously wrong. > >Or I've not understood what people are talking about. Which is entirely >possible My fault; I'm talking about only the card readers. I don't mean to suggest there's also an interoperable CryptoCard keyfob (or similar). 
-- Roland Perry From ukcrypto at philipkatz.eu Fri Nov 4 19:25:02 2011 From: ukcrypto at philipkatz.eu (ukcrypto at philipkatz.eu) Date: Fri, 4 Nov 2011 19:25:02 -0000 Subject: More on the "Identity Assurance programme " In-Reply-To: References: <4E9F6FFE.1000301@originalthinktank.org.uk> <4EAF4C39.4060008@originalthinktank.org.uk> <4EAF9161.10907@iosis.co.uk> <71C5B3F4-3CD3-4EFC-9424-D07743D49734@gmail.com> <003a01cc98de$0ded5100$29c7f300$@net> <87bosup34b.fsf@mid.deneb.enyo.de> <008401cc9a4c$b99b5aa0$2cd20fe0$@net> Message-ID: <000c01cc9b27$738a8730$5a9f9590$@philipkatz.eu> > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Adrian Midgley > Sent: Friday, November 04, 2011 5:04 AM > > Identity seems to me to be important toa bank, but who someone is does > not. > > IE if I turn up to take out money they really would like to know that I > am the same person who put it in there, openend the account etc, but if > I want to be John Smith to them it is no trouble to them, Banks do a lot more than just take money on deposit. If a bank is advancing a customer a loan, it might want to ensure that it is not dealing with a known fraudster. Philip From pwt at iosis.co.uk Fri Nov 4 18:25:19 2011 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Fri, 04 Nov 2011 18:25:19 +0000 Subject: Pan European eID? Message-ID: <4EB42E0F.20805@iosis.co.uk> Courtesy of Smart Card and Identity News: STORK Reveals How It Has Made The EU One Step Closer To A Digital Single Market STORK (Secure Identity Across Borders Linked), the innovative project which has established EU-wide interoperability of electronic identities (eIDs), invites stakeholders to its 5th and final Industry Group Meeting in Poznan, Poland on Wednesday 16th November 2011, to learn how the project has made the EU one step closer to the digital single market. 
STORK, a project co-funded by the EU ICT Policy Support Programme under the Competitiveness and Innovation Framework Programme (CIP) was officially launched in May 2008. The objective was to develop and test common specifications for mutual recognition of national electronic identity (eID) between the STORK participating countries and achieve their acceptance in many different pioneer applications (pilot experiences). The project is scheduled to finish in December 2011 and at this meeting the STORK solution to this challenge and its long-term benefits to industry will be revealed. STORK WP7 "Communication and Sustainability" Leader and Executive Director of Gov2u, Vasilis Koulolias states: "The STORK project has successfully united 18 countries and a total of 35 consortium partners from across the public and private sector in its goal to creating a truly interoperable, reliable and sustainable solution for the cross-border use of national electronic identities." He adds: "At this 5th STORK Industry Group meeting it is important all industry stakeholders to attend and learn about the progress the STORK project has made in achieving a sustainable, robust, transparent, safe to us and scalable solution to bring the EU one step closer to a digital single market as the EU Digital Agenda mentions". (Look in Latest News at www.eid-stork.eu ) ******** How does this match up with the new Cabinet Office project? (In 2008 DWP was running our sub-project - it was reported at the 14th Porvoo conference in Cardiff). 
Peter From james2 at jfirth.net Mon Nov 14 11:42:03 2011 From: james2 at jfirth.net (James Firth) Date: Mon, 14 Nov 2011 11:42:03 -0000 Subject: Sound surveillance plan for all Oxford taxis Message-ID: <002801cca2c2$6f90d6a0$4eb283e0$@net> This doesn't seem right, or lawful: http://www.bigbrotherwatch.org.uk/home/2011/11/big-brother-watching-listenin g.html "Despite being in clear breach of the guidance issued by the Information Commissioners Office (ICO) and a gross invasion of privacy, Oxford Council has decided to make it a condition for all licensed black cabs in the city to record both audio and video. The audio will be available to council officers and the police, and will cover any time the taxi's engine is running and the 30 minutes after the engine has been switched off." James Firth, CEO, Open Digital Policy Organisation www.opendigital.org From anish.mohammed at gmail.com Mon Nov 14 11:47:10 2011 From: anish.mohammed at gmail.com (Anish) Date: Mon, 14 Nov 2011 11:47:10 +0000 Subject: Sound surveillance plan for all Oxford taxis In-Reply-To: <002801cca2c2$6f90d6a0$4eb283e0$@net> References: <002801cca2c2$6f90d6a0$4eb283e0$@net> Message-ID: <2125425756-1321271230-cardhu_decombobulator_blackberry.rim.net-624245570-@b26.c2.bise7.blackberry> Hi James, that looks to me like a defenite breach of privacy. UK privacy invasion sounds more like we live in some middle eastern dictatorships which are being replaced. Regards Anish Sent from my BlackBerry? 
wireless device -----Original Message----- From: "James Firth" Sender: ukcrypto-bounces at chiark.greenend.org.uk Date: Mon, 14 Nov 2011 11:42:03 To: 'UK Cryptography Policy Discussion Group' Reply-To: UK Cryptography Policy Discussion Group Subject: Sound surveillance plan for all Oxford taxis This doesn't seem right, or lawful: http://www.bigbrotherwatch.org.uk/home/2011/11/big-brother-watching-listenin g.html "Despite being in clear breach of the guidance issued by the Information Commissioners Office (ICO) and a gross invasion of privacy, Oxford Council has decided to make it a condition for all licensed black cabs in the city to record both audio and video. The audio will be available to council officers and the police, and will cover any time the taxi's engine is running and the 30 minutes after the engine has been switched off." James Firth, CEO, Open Digital Policy Organisation www.opendigital.org From Ross.Anderson at cl.cam.ac.uk Thu Nov 17 16:56:37 2011 From: Ross.Anderson at cl.cam.ac.uk (Ross Anderson) Date: Thu, 17 Nov 2011 16:56:37 +0000 Subject: Teaching programming at schools: e-petition Message-ID: Details here http://epetitions.direct.gov.uk/petitions/15081 Ross From chl at clerew.man.ac.uk Sat Nov 19 19:29:38 2011 From: chl at clerew.man.ac.uk (Charles Lindsey) Date: Sat, 19 Nov 2011 19:29:38 -0000 Subject: Sound surveillance plan for all Oxford taxis In-Reply-To: <002801cca2c2$6f90d6a0$4eb283e0$@net> References: <002801cca2c2$6f90d6a0$4eb283e0$@net> Message-ID: On Mon, 14 Nov 2011 11:42:03 -0000, James Firth wrote: > This doesn't seem right, or lawful: > > http://www.bigbrotherwatch.org.uk/home/2011/11/big-brother-watching-listenin > g.html > > "Despite being in clear breach of the guidance issued by the Information > Commissioners Office (ICO) and a gross invasion of privacy, Oxford > Council > has decided to make it a condition for all licensed black cabs in the > city > to record both audio and video. 
> > The audio will be available to council officers and the police, and will > cover any time the taxi's engine is running and the 30 minutes after the > engine has been switched off." Sounds like a breach of RIPA even if of nothing else. If Plod wanted to make such a recording, he would have to get a warrant/whatever. But to record a private conversation is interception of communications according to RIPA, and prior consent of both parties is required, as we have often discussed here. -- Charles?H.?Lindsey?---------At?Home,?doing?my?own?thing------------------------ Tel:?+44?161?436?6131? ???Web:?http://www.cs.man.ac.uk/~chl Email:?chl at clerew.man.ac.uk??????Snail:?5?Clerewood?Ave,?CHEADLE,?SK8?3JU,?U.K. PGP:?2C15F1A9??????Fingerprint:?73?6D?C2?51?93?A0?01?E7?65?E8?64?7E?14?A4?AB?A5 From clive at davros.org Sat Nov 19 20:56:19 2011 From: clive at davros.org (Clive D.W. Feather) Date: Sat, 19 Nov 2011 20:56:19 +0000 Subject: Sound surveillance plan for all Oxford taxis In-Reply-To: References: <002801cca2c2$6f90d6a0$4eb283e0$@net> Message-ID: <20111119205619.GA67530@davros.org> Charles Lindsey said: >> "Despite being in clear breach of the guidance issued by the Information >> Commissioners Office (ICO) and a gross invasion of privacy, Oxford Council >> has decided to make it a condition for all licensed black cabs in the city >> to record both audio and video. > Sounds like a breach of RIPA even if of nothing else. If Plod wanted to > make such a recording, he would have to get a warrant/whatever. But to > record a private conversation is interception of communications according > to RIPA, and prior consent of both parties is required, as we have often > discussed here. This isn't interception, since there's no communication within the meaning of Part I (which requires a public telecommunication system, a private telecommunication system - which must be connected to a public one - or a public postal service). If it's anything in RIPA, it's a Part II offence. 
But: 26(2) Subject to subsection (6), surveillance is directed for the purposes of this Part if it is covert but not intrusive and is undertaken - (a) for the purposes of a specific investigation or a specific operation; and [...] So it's not directed. (3) Subject to subsections (4) to (6), surveillance is intrusive for the purposes of this Part if, and only if, it is covert surveillance that - (a) is carried out in relation to anything taking place on any residential premises or in any private vehicle; and (b) involves the presence of an individual on the premises or in the vehicle or is carried out by means of a surveillance device. [(4) to (6) aren't relevant in this context] That's better, but is a taxi a "private vehicle"? If it is, then an authorisation is needed which, under 32(3): ... is necessary - (a) in the interests of national security; (b) for the purpose of preventing or detecting serious crime; or (c) in the interests of the economic well-being of the United Kingdom. I doubt either this or the proportionality test is satisfied. Unless I've missed an S.I., no council officers are able to issue an authorisation. But, anyway, back to "private vehicle", we have to look at 48(1): "private vehicle" means (subject to subsection (7)(a)) any vehicle which is used primarily for the private purposes of the person who owns it or of a person otherwise having the right to use it; and (7)(a) clearly excludes taxis: the reference to a person having the right to use a vehicle does not, in relation to a motor vehicle, include a reference to a person whose right to use the vehicle derives only from his having paid, or undertaken to pay, for the use of the vehicle and its driver for a particular journey So, I don't think RIPA Part II is relevant. (In any case, you've got to show a separate offence. An authorisation under Part II makes otherwise unlawful behaviour lawful, but failure to get one doesn't make behaviour unlawful per se.) -- Clive D.W. 
Feather | If you lie to the compiler, Email: clive at davros.org | it will get its revenge. Web: http://www.davros.org | - Henry Spencer Mobile: +44 7973 377646 From tugwilson at gmail.com Sun Nov 20 11:57:33 2011 From: tugwilson at gmail.com (John Wilson) Date: Sun, 20 Nov 2011 11:57:33 +0000 Subject: Sound surveillance plan for all Oxford taxis In-Reply-To: <20111119205619.GA67530@davros.org> References: <002801cca2c2$6f90d6a0$4eb283e0$@net> <20111119205619.GA67530@davros.org> Message-ID: On 19 November 2011 20:56, Clive D.W. Feather wrote: > Charles Lindsey said: >>> "Despite being in clear breach of the guidance issued by the Information >>> Commissioners Office (ICO) and a gross invasion of privacy, Oxford Council >>> has decided to make it a condition for all licensed black cabs in the city >>> to record both audio and video. > >> Sounds like a breach of RIPA even if of nothing else. If Plod wanted to >> make such a recording, he would have to get a warrant/whatever. But to >> record a private conversation is interception of communications according >> to RIPA, and prior consent of both parties is required, as we have often >> discussed here. > > This isn't interception, since there's no communication within the meaning > of Part I (which requires a public telecommunication system, a private > telecommunication system - which must be connected to a public one - or a > public postal service). If I'm making a telephone call in the back of the cab isn't that a Part 1 interception? John Wilson From nbohm at ernest.net Sun Nov 20 12:18:51 2011 From: nbohm at ernest.net (Nicholas Bohm) Date: Sun, 20 Nov 2011 12:18:51 +0000 Subject: Sound surveillance plan for all Oxford taxis In-Reply-To: References: <002801cca2c2$6f90d6a0$4eb283e0$@net> <20111119205619.GA67530@davros.org> Message-ID: <4EC8F02B.6060800@ernest.net> On 20/11/2011 11:57, John Wilson wrote: > On 19 November 2011 20:56, Clive D.W. 
Feather wrote: >> Charles Lindsey said: >>>> "Despite being in clear breach of the guidance issued by the Information >>>> Commissioners Office (ICO) and a gross invasion of privacy, Oxford Council >>>> has decided to make it a condition for all licensed black cabs in the city >>>> to record both audio and video. >>> Sounds like a breach of RIPA even if of nothing else. If Plod wanted to >>> make such a recording, he would have to get a warrant/whatever. But to >>> record a private conversation is interception of communications according >>> to RIPA, and prior consent of both parties is required, as we have often >>> discussed here. >> This isn't interception, since there's no communication within the meaning >> of Part I (which requires a public telecommunication system, a private >> telecommunication system - which must be connected to a public one - or a >> public postal service). > > If I'm making a telephone call in the back of the cab isn't that a > Part 1 interception? I think that what takes it outside interception is that there is no modification of a telecommunications system for the purpose of making the call available to third parties. All that is happening is eavesdropping that happens to pick up (one side of) a phone call - that's "just" surveillance. Done by a private party, it isn't necessarily unlawful; though if it is made compulsory under taxi licensing powers of a public authority, one must wonder. The imposition of the requirement as a condition of a licence is probably ultra vires and void as being unlawful under the HRA and ART 8 of the Convention. What a pity this won't get the councillors an ASBO apiece. 
Nicholas -- Contact and PGP key here From marcus at connectotel.com Fri Nov 25 10:08:16 2011 From: marcus at connectotel.com (Marcus Williamson) Date: Fri, 25 Nov 2011 10:08:16 +0000 Subject: New Government "Cyber Security Strategy" Message-ID: http://www.cabinetoffice.gov.uk/news/protecting-and-promoting-uk-digital-world From pwt at iosis.co.uk Fri Nov 25 14:45:10 2011 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Fri, 25 Nov 2011 14:45:10 +0000 Subject: New Government "Cyber Security Strategy" In-Reply-To: References: Message-ID: <4ECFA9F6.5030502@iosis.co.uk> Very interesting that Cabinet Office and others continued to review this internally, because in late summer, as I heard at the IAAC Symposium in early Sept, it was expected that it be out by mid Sept. Nicely matured, I hope (not having read it yet). Peter On 25/11/2011 10:08, Marcus Williamson wrote: > http://www.cabinetoffice.gov.uk/news/protecting-and-promoting-uk-digital-world > > > From maryhawking at tigers.demon.co.uk Sat Nov 26 09:35:07 2011 From: maryhawking at tigers.demon.co.uk (Mary Hawking) Date: Sat, 26 Nov 2011 09:35:07 -0000 Subject: Does the US have juristriction over the whole world? Message-ID: http://www.theregister.co.uk/2011/11/25/ms_threatens_au_gov_over_ehealth/ Does anyone know about this - and whether it is true? Apparently it is Microsoft's view that requiring data to be held within a national boundary is a breach of WTO regulations - and, worryingly, that any data held by any organisation which trades with the US is subject to US law. 
"Any company with a presence in the United States of America (not just those with headquarters or subsidiaries in that country) may be legally required to respond to a valid demand from the United States Government for information the company retains custody over or controls, regardless of where the data is stored or the existence of any conflicting obligations under the laws of the country where the data is located," the submission states Could any other country pass similar legislation? What would happen if, say, Russia or China passed similar legislation: would Microsoft be obliged to release the information they held in the USA? Mary Hawking "thinking - independent thinking - is to humans as swimming is to cats: we can do it if we really have to." Mark Earles on Radio 4. -------------- next part -------------- A non-text attachment was scrubbed... Name: winmail.dat Type: application/ms-tnef Size: 9902 bytes Desc: not available URL: From zenadsl6186 at zen.co.uk Sat Nov 26 14:29:53 2011 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Sat, 26 Nov 2011 14:29:53 +0000 Subject: Does the US have juristriction over the whole world? In-Reply-To: References: Message-ID: <4ED0F7E1.2010202@zen.co.uk> Mary Hawking wrote: > http://www.theregister.co.uk/2011/11/25/ms_threatens_au_gov_over_ehealth/ > > Does anyone know about this - and whether it is true? > Apparently it is Microsoft's view that requiring data to be held within a > national boundary is a breach of WTO regulations - and, worryingly, that any > data held by any organisation which trades with the US is subject to US law. 
> > "Any company with a presence in the United States of America (not just those > with headquarters or subsidiaries in that country) may be legally required > to respond to a valid demand from the United States Government for > information the company retains custody over or controls, regardless of > where the data is stored or the existence of any conflicting obligations > under the laws of the country where the data is located," the submission > states It is not unusual for US law and US Courts to claim jurisdiction anywhere in the world, eg they do this over the taxpaying requirements of US citizens. Microsoft's statement is probably true in terms of US law, but it isn't quite as straightforward as it might seem. I imagine it goes something like this: Suppose a US Government demand fopr data is made, and a Court order is made. The US branch office cannot obtain the data themselves, and they ask the UK office. The UK office says no. What can a US Court do to enforce the order? A very long story, but in the end, in practice, nothing substantial. So while they may claim jurisdiction, it doesn't mean much. To address the wider issue, what Microsoft are really upset about is clouds. First, some law: -*- Data Protection Act, Schedule 1 part 1, principle 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Data Protection Act, Schedule 1 part 2 section 11: Interpretation of the seventh principle, Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle? (a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and (b) take reasonable steps to ensure compliance with those measures. 
-*- Another bit of law, about the WTO, but I don't have details to hand - if measures are taken by one country for the purpose of providing data security, they are not actionable under the WTO, even if they restrain trade etc. -*- And what it comes down to is this: Microsoft say that encryption and their "best practices" provide better security against unauthorised processing than let's say only keeping the data in a local office. (the data controller is the only person capable of granting authorisation, as the requirement to follow the principles is upon him and no-one else, that's DPA section 4(4) I think offhand). Which, if Microsoft were correct about the US Government's ability to demand data, would be immediately obvious nonsense - rather than the slightly-less-obvious nonsense it is. (a UK data controller is required by law to protect personal data in his control against the US government as well as spammers and identity thieves. He's also required to protect it against the UK Government, who if they want it must get it through him). It's long past time that the UK and EU/EAA Information Commissioners gave clear guidance that personal data cannot be stored in clouds. Full stop. -- Peter Fairbrother > > Could any other country pass similar legislation? > What would happen if, say, Russia or China passed similar legislation: would > Microsoft be obliged to release the information they held in the USA? > > Mary Hawking > "thinking - independent thinking - is to humans as swimming is to cats: we > can do it if we really have to." Mark Earles on Radio 4. > > > From lists at internetpolicyagency.com Sat Nov 26 16:14:50 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 26 Nov 2011 16:14:50 +0000 Subject: Does the US have juristriction over the whole world? 
In-Reply-To: <4ED0F7E1.2010202@zen.co.uk> References: <4ED0F7E1.2010202@zen.co.uk> Message-ID: In article <4ED0F7E1.2010202 at zen.co.uk>, Peter Fairbrother writes >It's long past time that the UK and EU/EAA Information Commissioners >gave clear guidance that personal data cannot be stored in clouds. Full >stop. Cloud vendors are aware of these issues and have different products for different markets. If you need a cloud-based solution that "stays in the EU" or even "stays in the UK" you can probably find one, but don't expect it to be one of the mass market consumer ones. At a Council of Europe conference last year ago the MS rep said that their standard cloud might not be what you needed in these circumstances (but they might have changed their stance/product in the mean time). -- Roland Perry From zenadsl6186 at zen.co.uk Sat Nov 26 17:37:06 2011 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Sat, 26 Nov 2011 17:37:06 +0000 Subject: Does the US have juristriction over the whole world? In-Reply-To: References: <4ED0F7E1.2010202@zen.co.uk> Message-ID: <4ED123C2.1070700@zen.co.uk> Roland Perry wrote: > In article <4ED0F7E1.2010202 at zen.co.uk>, Peter Fairbrother > writes >> It's long past time that the UK and EU/EAA Information Commissioners >> gave clear guidance that personal data cannot be stored in clouds. >> Full stop. > > Cloud vendors are aware of these issues and have different products for > different markets. If you need a cloud-based solution that "stays in the > EU" or even "stays in the UK" you can probably find one, but don't > expect it to be one of the mass market consumer ones. The problem isn't just staying in the UK/EU, though that is a part of it. 
It's also that the operators of the cloud - and by that I mean everyone who controls any of the machinery (or even the networking services) in the cloud, not just the people who sell the cloud service - are data processors, and the data controller has a responsibility to ensure that they "provid[e] sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out". Also they data controller must "take reasonable steps to ensure compliance with those measures" If the data controller doesn't even know who is hosting the data he is responsible for, how can he be performing either of these duties? > At a Council of Europe conference last year ago the MS rep said that > their standard cloud might not be what you needed in these circumstances > (but they might have changed their stance/product in the mean time). Not sure what MS meant by "these circumstances", but my comments apply to any processing of "personal data". That would include almost all types of business records (can you be sure there is no personal data in there? - not usually). Really, the only non-personal data which exists in any quantity, and might be suitable for cloud storage, is probably scientific data. -- Peter Fairbrother From lists at internetpolicyagency.com Sat Nov 26 18:05:57 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 26 Nov 2011 18:05:57 +0000 Subject: Does the US have juristriction over the whole world? In-Reply-To: <4ED123C2.1070700@zen.co.uk> References: <4ED0F7E1.2010202@zen.co.uk> <4ED123C2.1070700@zen.co.uk> Message-ID: <4Eu3jy+FqS0OFA0O@perry.co.uk> In article <4ED123C2.1070700 at zen.co.uk>, Peter Fairbrother writes >>> It's long past time that the UK and EU/EAA Information Commissioners >>>gave clear guidance that personal data cannot be stored in clouds. >>>Full stop. >> Cloud vendors are aware of these issues and have different products >>for different markets. 
If you need a cloud-based solution that "stays >>in the EU" or even "stays in the UK" you can probably find one, but >>don't expect it to be one of the mass market consumer ones. > >The problem isn't just staying in the UK/EU, though that is a part of it. > >It's also that the operators of the cloud - and by that I mean everyone >who controls any of the machinery (or even the networking services) in >the cloud, not just the people who sell the cloud service - are data >processors, and the data controller has a responsibility to ensure that >they "provid[e] sufficient guarantees in respect of the technical and >organisational security measures governing the processing to be carried >out". > >Also they data controller must "take reasonable steps to ensure >compliance with those measures" > >If the data controller doesn't even know who is hosting the data he is >responsible for, how can he be performing either of these duties? If the data "stays in the EU/UK" then the assumption is that the various parties are acting lawfully, and thus complying with the relevant data protection requirements. >> At a Council of Europe conference last year ago the MS rep said that >>their standard cloud might not be what you needed in these >>circumstances (but they might have changed their stance/product in >>the mean time). > >Not sure what MS meant by "these circumstances", That you want the data to be guaranteed to stay within an EU/UK jurisdiction. (For the avoidance of doubt, I'm assuming that there's no comfort to be gained from "safe harbour" provisions). -- Roland Perry From ben at liddicott.com Sat Nov 26 18:24:01 2011 From: ben at liddicott.com (Ben Liddicott) Date: Sat, 26 Nov 2011 18:24:01 -0000 Subject: Does the US have juristriction over the whole world? 
In-Reply-To: <4ED0F7E1.2010202@zen.co.uk>
References: <4ED0F7E1.2010202@zen.co.uk>
Message-ID: <3366F539C9DC4581AA51083AC2E10D03@ROCKET>

> -----Original Message-----
> From: Peter Fairbrother
> Sent: Saturday, November 26, 2011 2:29 PM
(...)
> (a UK data controller is required by law to protect personal data in his
> control against the US government as well as spammers and identity
> thieves. He's also required to protect it against the UK Government, who
> if they want it must get it through him).
(...)

He is not required to protect it against the UK government.

There is a general exception to the Data Protection Act for the prevention and detection of crime. Also one for "historical purposes", i.e. keeping it all forever in case your descendants happen to be interested.

A partial list of exemptions is:

28. National security..
29. Crime and taxation..
30. Health, education and social work..
31. Regulatory activity..
32. Journalism, literature and art..
33. Research, history and statistics.

Together they are - a hole the size of a truck for the authorities.

You didn't think it was there to protect you from the state, did you?

http://www.legislation.gov.uk/ukpga/1998/29/contents

The Data Controller CAN say no in these circumstances and ask for a court order.

But he *does not have to*.

Cheers,
Ben

From zenadsl6186 at zen.co.uk Sat Nov 26 18:33:07 2011
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Sat, 26 Nov 2011 18:33:07 +0000
Subject: Does the US have juristriction over the whole world?
In-Reply-To: <4Eu3jy+FqS0OFA0O@perry.co.uk>
References: <4ED0F7E1.2010202@zen.co.uk> <4ED123C2.1070700@zen.co.uk> <4Eu3jy+FqS0OFA0O@perry.co.uk>
Message-ID: <4ED130E3.6060802@zen.co.uk>

Roland Perry wrote:
> In article <4ED123C2.1070700 at zen.co.uk>, Peter Fairbrother
> writes
>>>> It's long past time that the UK and EU/EEA Information Commissioners
>>>> gave clear guidance that personal data cannot be stored in clouds.
>>>> Full stop.
>>> Cloud vendors are aware of these issues and have different products
>>> for different markets. If you need a cloud-based solution that
>>> "stays in the EU" or even "stays in the UK" you can probably find
>>> one, but don't expect it to be one of the mass market consumer ones.
>>
>> The problem isn't just staying in the UK/EU, though that is a part of it.
>>
>> It's also that the operators of the cloud - and by that I mean
>> everyone who controls any of the machinery (or even the networking
>> services) in the cloud, not just the people who sell the cloud service
>> - are data processors, and the data controller has a responsibility to
>> ensure that they "provid[e] sufficient guarantees in respect of the
>> technical and organisational security measures governing the
>> processing to be carried out".
>>
>> Also the data controller must "take reasonable steps to ensure
>> compliance with those measures"
>>
>> If the data controller doesn't even know who is hosting the data he is
>> responsible for, how can he be performing either of these duties?
>
> If the data "stays in the EU/UK" then the assumption is that the various
> parties are acting lawfully, and thus complying with the relevant data
> protection requirements.

You may be able to make that assumption IF you know who all the parties are, and have some assurance that they are technically competent, responsible and law-abiding parties - but in a cloud situation you won't even know who the parties are, never mind whether they are responsible or law-abiding people.

The duty on a data controller must surely include a requirement to check whether the parties are at least outwardly law-abiding and responsible - otherwise a data controller could store data at Crooks-and-Spammers Ltd without penalty.
>>> At a Council of Europe conference last year the MS rep said that
>>> their standard cloud might not be what you needed in these
>>> circumstances (but they might have changed their stance/product in
>>> the mean time).
>>
>> Not sure what MS meant by "these circumstances",
>
> That you want the data to be guaranteed to stay within an EU/UK
> jurisdiction.

I doubt whether a cloud can do this. A dedicated data processing outsourcing company, yes perhaps, but a cloud? I doubt it.

Btw, I can't conceive of many situations where staying in the UK/EU was a requirement and the other requirements for processing personal data weren't.

-- 
Peter Fairbrother

From zenadsl6186 at zen.co.uk Sat Nov 26 19:06:34 2011
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Sat, 26 Nov 2011 19:06:34 +0000
Subject: Does the US have juristriction over the whole world?
In-Reply-To: <3366F539C9DC4581AA51083AC2E10D03@ROCKET>
References: <4ED0F7E1.2010202@zen.co.uk> <3366F539C9DC4581AA51083AC2E10D03@ROCKET>
Message-ID: <4ED138BA.3030902@zen.co.uk>

Ben Liddicott wrote:
>> -----Original Message-----
>> From: Peter Fairbrother
>> Sent: Saturday, November 26, 2011 2:29 PM
> (...)
>> (a UK data controller is required by law to protect personal data in
>> his control against the US government as well as spammers and identity
>> thieves. He's also required to protect it against the UK Government,
>> who if they want it must get it through him).
> (...)
>
> He is not required to protect it against the UK government.
>
> There is a general exception to the Data Protection Act for the
> prevention and detection of crime. Also one for "historical purposes",
> i.e. keeping it all forever in case your descendants happen to be
> interested.
>
> A partial list of exemptions is:
>
> 28. National security..
> 29. Crime and taxation..
> 30. Health, education and social work..
> 31. Regulatory activity..
> 32. Journalism, literature and art..
> 33. Research, history and statistics.
>
> Together they are - a hole the size of a truck for the authorities.
>
> You didn't think it was there to protect you from the state, did you?
>
> http://www.legislation.gov.uk/ukpga/1998/29/contents
>
> The Data Controller CAN say no in these circumstances and ask for a
> court order.
>
> But he *does not have to*.

Agreed.

However, for 29 Crime and taxation.., 32 Journalism, literature and art and 33 Research, history and statistics the data controller does have to ensure that they can't get the data without his authorisation. Those exemptions specifically do not exempt the seventh principle.

While it is possible that the seventh principle may be voided by 30 Health, education and social work.. and 31, Regulatory activity.. afaik there are no orders in existence which void the seventh principle for Health, education and social work reasons, and if it ever happens at all for Regulatory activity reasons, it doesn't happen often.

The situation in regard to National security matters is more complex, debatable and not relevant enough to go into in detail here, but in general the seventh principle is not voided.

So basically he still has a duty to protect the data against the UK Government's unauthorised access (except maybe in some rare national security cases, but even this is debatable.)

-- 
Peter Fairbrother

>
> Cheers,
> Ben

From ben at liddicott.com Sat Nov 26 19:35:39 2011
From: ben at liddicott.com (Ben Liddicott)
Date: Sat, 26 Nov 2011 19:35:39 -0000
Subject: Does the US have juristriction over the whole world?
In-Reply-To: <4ED138BA.3030902@zen.co.uk>
References: <4ED0F7E1.2010202@zen.co.uk> <3366F539C9DC4581AA51083AC2E10D03@ROCKET> <4ED138BA.3030902@zen.co.uk>
Message-ID: <6E76FD6F99B04D02B2A52058A5A0C761@ROCKET>

The first principle is it must be "processed fairly and lawfully" and "shall not be processed unless(...)".
But if it is under an exemption, schedule 1 does not apply, and it is lawful to process it in any manner whether fair or not and whether the conditions are met or not.

The seventh principle requires the data controller to protect the data against: "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data"

That does not include "lawful" processing allowed by the exemptions listed, if "authorised" by the data controller. So he has to protect against MI9 black-cyber-ops hackers, but if MI9 ask nicely there is nothing stopping him giving it to them.

The data protection act does not provide any obligation on the data controller to resist any overreaching on the part of the state.

Cheers!
Ben

-----Original Message-----
From: Peter Fairbrother
Sent: Saturday, November 26, 2011 7:06 PM
To: UK Cryptography Policy Discussion Group
Subject: Re: Does the US have juristriction over the whole world?

Ben Liddicott wrote:
>> -----Original Message-----
>> From: Peter Fairbrother
>> Sent: Saturday, November 26, 2011 2:29 PM
> (...)
>> (a UK data controller is required by law to protect personal data in his
>> control against the US government as well as spammers and identity
>> thieves. He's also required to protect it against the UK Government, who
>> if they want it must get it through him).
> (...)
>
> He is not required to protect it against the UK government.
>
> There is a general exception to the Data Protection Act for the prevention
> and detection of crime. Also one for "historical purposes", i.e. keeping
> it all forever in case your descendants happen to be interested.
>
> A partial list of exemptions is:
>
> 28. National security..
> 29. Crime and taxation..
> 30. Health, education and social work..
> 31. Regulatory activity..
> 32. Journalism, literature and art..
> 33. Research, history and statistics.
>
> Together they are - a hole the size of a truck for the authorities.
>
> You didn't think it was there to protect you from the state, did you?
>
> http://www.legislation.gov.uk/ukpga/1998/29/contents
>
> The Data Controller CAN say no in these circumstances and ask for a court
> order.
>
> But he *does not have to*.

Agreed.

However, for 29 Crime and taxation.., 32 Journalism, literature and art and 33 Research, history and statistics the data controller does have to ensure that they can't get the data without his authorisation. Those exemptions specifically do not exempt the seventh principle.

While it is possible that the seventh principle may be voided by 30 Health, education and social work.. and 31, Regulatory activity.. afaik there are no orders in existence which void the seventh principle for Health, education and social work reasons, and if it ever happens at all for Regulatory activity reasons, it doesn't happen often.

The situation in regard to National security matters is more complex, debatable and not relevant enough to go into in detail here, but in general the seventh principle is not voided.

So basically he still has a duty to protect the data against the UK Government's unauthorised access (except maybe in some rare national security cases, but even this is debatable.)

-- 
Peter Fairbrother

>
> Cheers,
> Ben

From zenadsl6186 at zen.co.uk Sat Nov 26 19:40:46 2011
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Sat, 26 Nov 2011 19:40:46 +0000
Subject: Does the US have juristriction over the whole world?
In-Reply-To: <4ED0F7E1.2010202@zen.co.uk>
References: <4ED0F7E1.2010202@zen.co.uk>
Message-ID: <4ED140BE.8030406@zen.co.uk>

Peter Fairbrother wrote:
>
> It is not unusual for US law and US Courts to claim jurisdiction
> anywhere in the world, eg they do this over the taxpaying requirements
> of US citizens.

BTW, UK law does this too - the Outer Space Act applies to UK citizens' activities anywhere in the world.

I don't know of any other examples, but Nicholas probably does.
-- 
Peter Fairbrother

From clive at davros.org Sat Nov 26 23:43:29 2011
From: clive at davros.org (Clive D.W. Feather)
Date: Sat, 26 Nov 2011 23:43:29 +0000
Subject: Does the US have juristriction over the whole world?
In-Reply-To: <3366F539C9DC4581AA51083AC2E10D03@ROCKET>
References: <4ED0F7E1.2010202@zen.co.uk> <3366F539C9DC4581AA51083AC2E10D03@ROCKET>
Message-ID: <20111126234329.GB96321@davros.org>

Ben Liddicott said:
> He is not required to protect it against the UK government.
>
> There is a general exception to the Data Protection Act for the prevention
> and detection of crime. Also one for "historical purposes", i.e. keeping it
> all forever in case your descendants happen to be interested.
>
> A partial list of exemptions is:
[...]
> 29. Crime and taxation..
[...]
> The Data Controller CAN say no in these circumstances and ask for a court
> order.
>
> But he *does not have to*.

However, s.29 only applies if failure to disclose "would be likely to prejudice" the prevention or detection of crime etc. So if the police could reasonably solve their case without the information, s.29 doesn't apply.

Now, shocking as it may sound, policemen have been known to be less than completely accurate on occasions, so a simple statement from the police that they need the information is not sufficient to demonstrate that failure would prejudice these matters.

So you *can* disclose on a request, but if it turns out the police didn't need the information but were just being lazy, that won't defend you against an unlawful disclosure prosecution or civil case. (The 1984 Act had a defence of "reasonable grounds to believe ...", but this was removed in the 1998 Act.)

-- 
Clive D.W. Feather          | If you lie to the compiler,
Email: clive at davros.org     | it will get its revenge.
Web: http://www.davros.org  |   - Henry Spencer
Mobile: +44 7973 377646

From zenadsl6186 at zen.co.uk Sun Nov 27 00:09:59 2011
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Sun, 27 Nov 2011 00:09:59 +0000
Subject: Does the US have juristriction over the whole world?
In-Reply-To: <6E76FD6F99B04D02B2A52058A5A0C761@ROCKET>
References: <4ED0F7E1.2010202@zen.co.uk> <3366F539C9DC4581AA51083AC2E10D03@ROCKET> <4ED138BA.3030902@zen.co.uk> <6E76FD6F99B04D02B2A52058A5A0C761@ROCKET>
Message-ID: <4ED17FD7.80804@zen.co.uk>

Ben Liddicott wrote:
> The first principle is it must be "processed fairly and lawfully" and
> "shall not be processed unless(...)".
> But if it is under an exemption, schedule 1 does not apply,

Schedule 1, or part of it, still applies under most exemptions. For instance, under the Crime and Taxation exemptions, the only part of Schedule 1 which is exempted is the first principle, and even that is only partly voided.

However the exemptions are all different. It's verra complicated, Captain.

> and it is
> lawful to process it in any manner whether fair or not and whether the
> conditions are met or not.

No - for instance, under the Crime and Taxation exemption data must still be processed in accordance with Schedules 2 and 3. And again, it's different for the different exemptions. None of them are blanket exemptions however.

>
> The seventh principle requires the data controller to protect the data
> against:
> "unauthorised or unlawful processing of personal data and against
> accidental loss or destruction of, or damage to, personal data"
>
> That does not include "lawful" processing allowed by the exemptions
> listed, if "authorised" by the data controller. So he has to protect
> against MI9 black-cyber-ops hackers,

and that was my point. If the data is in a cloud he can't do that, so he can't keep personal data in a cloud. QED.

As a sidenote, the DPA does not distinguish between encrypted data and unencrypted data.
Perhaps encrypting data has no legal effect here - cf the rather unique stance taken about encrypted data in part 2 of RIPA, where the encrypted data apparently is the data, and if the police etc have it then demanding a key isn't self-incrimination, as they already have the evidence/data.

> but if MI9 ask nicely there is nothing stopping him giving it to them.

Actually, there is.

Here I am talking about the national security exemption in S.28, and not any of the other exemptions - so for instance if MI5 asked for data in a criminal investigation, as opposed to a national security investigation (MI5 do both types of investigation), the S.28 exemption would not apply (though a different exemption, under s.29, which has different conditions and different exemptions, would).

The exemption in s.28 is only valid if the processing is "required for the purpose of safeguarding national security". If it isn't, the data controller would be committing an offence.

Now the minimum standard of how the data controller is supposed to know whether the processing is required for the purpose of safeguarding national security isn't addressed in the Act, though a maximum, in the form of a certificate signed by a minister is.

Presumably if the controller reasonably believes the processing is required for the purpose of safeguarding national security then he can take a chance and give out the data - but he might get in trouble for it if he hasn't seen a certificate.

>
> The data protection act does not provide any obligation on the data
> controller to resist any overreaching on the part of the state.

I rather think it does, as above: a data controller can't give out data if eg the state are overreaching and falsely claiming a national security exemption.
-- 
Peter Fairbrother

From ukcrypto at sourcetagged.ian.co.uk Sat Nov 26 21:09:23 2011
From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason)
Date: Sat, 26 Nov 2011 21:09:23 +0000
Subject: Does the US have juristriction over the whole world?
In-Reply-To: <4ED140BE.8030406@zen.co.uk>
References: <4ED0F7E1.2010202@zen.co.uk> <4ED140BE.8030406@zen.co.uk>
Message-ID: <00A677C9-9BE2-48C4-8DC1-0776985738E6@sourcetagged.ian.co.uk>

On 26 Nov 2011, at 19:40, Peter Fairbrother wrote:
> Peter Fairbrother wrote:
>
>> It is not unusual for US law and US Courts to claim jurisdiction
>> anywhere in the world, eg they do this over the taxpaying
>> requirements of US citizens.
>
> BTW, UK law does this too - the Outer Space Act applies to UK
> citizens' activities anywhere in the world.

The difference between UK and US approaches is that UK law only applies extraterritorially to UK subjects or to persons "owing a duty to the crown". The latter has been used in cases where a foreign national is employed by the UK (e.g. a foreign spy employed overseas by the UK can commit treason against the crown).

The US approach frequently claims extraterritorial jurisdiction over persons who are not US citizens and have no relationship to the US (e.g. "extraordinary rendition" under bounty-hunting laws or, as we would call it, criminal kidnapping).

Ian

From maryhawking at tigers.demon.co.uk Sun Nov 27 10:20:05 2011
From: maryhawking at tigers.demon.co.uk (Mary Hawking)
Date: Sun, 27 Nov 2011 10:20:05 -0000
Subject: Does the US have juristriction over the whole world?
In-Reply-To: <00A677C9-9BE2-48C4-8DC1-0776985738E6@sourcetagged.ian.co.uk>
References: <4ED0F7E1.2010202@zen.co.uk> <4ED140BE.8030406@zen.co.uk> <00A677C9-9BE2-48C4-8DC1-0776985738E6@sourcetagged.ian.co.uk>
Message-ID: <91957FD74D91406EA2DA6F0603964B1D@MaryPC>

Reading the original submission by MS to the Australian government, they fail to mention the nub of the matter: the protection (or lack of it) for personal data when it is held/used/misused/misappropriated/lost by the hosting organisation and/or its sub-contractors.

I get the impression that, leaving aside governments and government agencies, there is little or no protection in law for non US nationals for, for example, financial details obtained from having to register these at the time of purchasing a ticket to fly into or over or anywhere near the USA.

Suppose Microsoft convinces the Australian government that the health records of Australian citizens would be safe wherever they chose to host them, what protection would the individual (or government if Data Controller) have against misuse or loss of their data, where would cases have to be pursued and under what country's (or countries') laws?

Mary Hawking
"thinking - independent thinking - is to humans as swimming is to cats: we can do it if we really have to." Mark Earles on Radio 4.

-----Original Message-----
From: Ian Mason [mailto:ukcrypto at sourcetagged.ian.co.uk]
Sent: 26 November 2011 21:09
To: UK Cryptography Policy Discussion Group
Subject: Re: Does the US have juristriction over the whole world?

On 26 Nov 2011, at 19:40, Peter Fairbrother wrote:
> Peter Fairbrother wrote:
>
>> It is not unusual for US law and US Courts to claim jurisdiction
>> anywhere in the world, eg they do this over the taxpaying
>> requirements of US citizens.
>
> BTW, UK law does this too - the Outer Space Act applies to UK
> citizens' activities anywhere in the world.
The difference between UK and US approaches is that UK law only applies extraterritorially to UK subjects or to persons "owing a duty to the crown". The latter has been used in cases where a foreign national is employed by the UK (e.g. a foreign spy employed overseas by the UK can commit treason against the crown).

The US approach frequently claims extraterritorial jurisdiction over persons who are not US citizens and have no relationship to the US (e.g. "extraordinary rendition" under bounty-hunting laws or, as we would call it, criminal kidnapping).

Ian

From lists at internetpolicyagency.com Sun Nov 27 10:46:50 2011
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sun, 27 Nov 2011 10:46:50 +0000
Subject: Does the US have juristriction over the whole world?
In-Reply-To: <4ED130E3.6060802@zen.co.uk>
References: <4ED0F7E1.2010202@zen.co.uk> <4ED123C2.1070700@zen.co.uk> <4Eu3jy+FqS0OFA0O@perry.co.uk> <4ED130E3.6060802@zen.co.uk>
Message-ID:

In article <4ED130E3.6060802 at zen.co.uk>, Peter Fairbrother writes
>>> If the data controller doesn't even know who is hosting the data he
>>> is responsible for, how can he be performing either of these duties?
>> If the data "stays in the EU/UK" then the assumption is that the
>> various parties are acting lawfully, and thus complying with the
>> relevant data protection requirements.
>
> You may be able to make that assumption IF you know who all the parties
> are, and have some assurance that they are technically competent,
> responsible and law-abiding parties - but in a cloud situation you
> won't even know who the parties are, never mind whether they are
> responsible or law-abiding people.

You seem to be wanting a degree of micro-management of the supplier (and their subcontractors etc) far in excess of a normal contractual relationship with that supplier.
For example, when you buy something online do you require to know the identity of the co-location facility housing his ecommerce platform, let alone disclosure of the platform's vendor and the name of the operating system it's running on?

> The duty on a data controller must surely include a requirement to
> check whether the parties are at least outwardly law-abiding and
> responsible - otherwise a data controller could store data at
> Crooks-and-Spammers Ltd without penalty.

And you do that outwardly check by dealing with a reputable company offering a "local cloud" that you can reasonably expect to be law abiding in this respect (and imposing suitable controls on their chain of supply).

While the contract will doubtless say "the data will stay within $foo geographical jurisdiction", and it doesn't do any harm for the contract to say "and we will abide by the DPA", you might raise some eyebrows if you insist it also says "we won't employ child labour or use stolen PCs to build our cloud".

>>>> At a Council of Europe conference last year the MS rep said
>>>> that their standard cloud might not be what you needed in these
>>>> circumstances (but they might have changed their stance/product in
>>>> the mean time).
>>>
>>> Not sure what MS meant by "these circumstances",
>> That you want the data to be guaranteed to stay within an EU/UK
>> jurisdiction.
>
> I doubt whether a cloud can do this. A dedicated data processing
> outsourcing company, yes perhaps, but a cloud? I doubt it.

A dedicated data processing outsourcing company can implement its offering by using cloud technology (and be quite capable of defining its geographical limits). Such a cloud will have many of the good features customers are looking for - flexibility and resilience for example.

Obviously, if they implement the offering by re-selling a slice of a consumer-grade international cloud, then that won't be the case.
But that's why there are different offerings, and even the suppliers of those consumer-grade international clouds are happy to admit that their technology may not be suitable for all applications.

> Btw, I can't conceive of many situations where staying in the UK/EU was
> a requirement

It's a reaction from risk-averse customers, who believe that if the cloud offering they buy into has such a restriction, then the supply chain is answerable to DP law and will therefore be sufficiently robust. And that they won't have to start drilling down into complex issues like "safe harbour".

I've seen similar reactions from some public authorities who have bans on using clearly US-based email systems for what are largely internal communications, and have to find a UK (or perhaps EU) based email supplier instead.

> and the other requirements for processing personal data weren't.

Sorry, I can't parse that.

-- 
Roland Perry

From lists at internetpolicyagency.com Sun Nov 27 11:03:52 2011
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sun, 27 Nov 2011 11:03:52 +0000
Subject: Does the US have juristriction over the whole world?
In-Reply-To: <91957FD74D91406EA2DA6F0603964B1D@MaryPC>
References: <4ED0F7E1.2010202@zen.co.uk> <4ED140BE.8030406@zen.co.uk> <00A677C9-9BE2-48C4-8DC1-0776985738E6@sourcetagged.ian.co.uk> <91957FD74D91406EA2DA6F0603964B1D@MaryPC>
Message-ID:

In article <91957FD74D91406EA2DA6F0603964B1D at MaryPC>, Mary Hawking writes
> Suppose Microsoft convinces the Australian government that the health
> records of Australian citizens would be safe wherever they chose to host
> them, what protection would the individual (or government if Data
> Controller) have against misuse or loss of their data, where would cases
> have to be pursued and under what country's (or countries') laws?

If data is kept within a country, then it's unsurprising that Data Protection Regulators feel they have more control over the situation than if it's offshore.
(Where to a first approximation "the EU" counts as one country).

And that control includes ease of access to both civil and criminal remedies, in the situation that everything doesn't go according to plan.

-- 
Roland Perry

From amidgley at gmail.com Sun Nov 27 11:07:52 2011
From: amidgley at gmail.com (Adrian Midgley)
Date: Sun, 27 Nov 2011 11:07:52 +0000
Subject: Does the US have juristriction over the whole world?
In-Reply-To:
References:
Message-ID:

"any organisation which trades with the US"

That seems straightforward enough to solve.

-- 
Adrian Midgley
http://www.defoam.net/

From zenadsl6186 at zen.co.uk Sun Nov 27 13:06:56 2011
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Sun, 27 Nov 2011 13:06:56 +0000
Subject: Does the US have juristriction over the whole world?
In-Reply-To:
References: <4ED0F7E1.2010202@zen.co.uk> <4ED123C2.1070700@zen.co.uk> <4Eu3jy+FqS0OFA0O@perry.co.uk> <4ED130E3.6060802@zen.co.uk>
Message-ID: <4ED235F0.2040403@zen.co.uk>

Roland Perry wrote:
> In article <4ED130E3.6060802 at zen.co.uk>, Peter Fairbrother
[...]
>> You may be able to make that assumption IF you know who all the
>> parties are, and have some assurance that they are technically
>> competent, responsible and law-abiding parties - but in a cloud
>> situation you won't even know who the parties are, never mind whether
>> they are responsible or law-abiding people.
>
> You seem to be wanting a degree of micro-management of the supplier (and
> their subcontractors etc) far in excess of a normal contractual
> relationship

Yes, indeed I do.

I have a legal duty to ensure the supplier of data processing services is competent, honest and responsible - he is after all in possession of something I am responsible for.

I have no such duty regarding the supplier of office copier paper. I am not responsible for the copier paper in his possession.

An analogous situation exists regarding pressure vessels.
If I sell new pressure vessels by way of trade, I am legally required to be able to produce documentation as to who made the steel they are made from. Not just who made the pressure vessels, who made the steel.

[...]
>> The duty on a data controller must surely include a requirement to
>> check whether the parties are at least outwardly law-abiding and
>> responsible - otherwise a data controller could store data at
>> Crooks-and-Spammers Ltd without penalty.
>
> And you do that outwardly check by dealing with a reputable company
> offering a "local cloud" that you can reasonably expect to be law
> abiding in this respect (and imposing suitable controls on their chain
> of supply).

That might work - but I've never come across such a beast.

Hmmm, "imposing suitable controls on their chain of supply" sounds very much like "a degree of micro-management of the supplier (and their subcontractors etc) far in excess of a normal contractual relationship".

[...]
>> Btw, I can't conceive of many situations where staying in the UK/EU
>> was a requirement
[..]
>> and the other requirements for processing personal data weren't.
>
> Sorry, I can't parse that.

perhaps "the other normal conditions for processing personal data weren't a requirement", but that's clumsy too.

I meant that if the data has to stay in the EU, in most situations it also has to be protected as personal data, ie follow the principles etc.

-- 
Peter Fairbrother

From lists at internetpolicyagency.com Sun Nov 27 14:37:22 2011
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sun, 27 Nov 2011 14:37:22 +0000
Subject: Does the US have juristriction over the whole world?
In-Reply-To: <4ED235F0.2040403@zen.co.uk>
References: <4ED0F7E1.2010202@zen.co.uk> <4ED123C2.1070700@zen.co.uk> <4Eu3jy+FqS0OFA0O@perry.co.uk> <4ED130E3.6060802@zen.co.uk> <4ED235F0.2040403@zen.co.uk>
Message-ID:

In article <4ED235F0.2040403 at zen.co.uk>, Peter Fairbrother writes
>> You seem to be wanting a degree of micro-management of the supplier
>> (and their subcontractors etc) far in excess of a normal contractual
>> relationship
>
> Yes, indeed I do.
>
> I have a legal duty to ensure the supplier of data processing services
> is competent, honest and responsible - he is after all in possession of
> something I am responsible for.

Do you do the same for your accountants and bankers? Lots of your money and personal data (self and employees) in their possession. Or do you trust them to act lawfully, given that they clearly understand their responsibilities (as would the people offering one of these specialist clouds).

>>> The duty on a data controller must surely include a requirement to
>>> check whether the parties are at least outwardly law-abiding and
>>> responsible - otherwise a data controller could store data at
>>> Crooks-and-Spammers Ltd without penalty.
>> And you do that outwardly check by dealing with a reputable company
>> offering a "local cloud" that you can reasonably expect to be law
>> abiding in this respect (and imposing suitable controls on their chain
>> of supply).
>
> That might work - but I've never come across such a beast.

I'm assured there are a range of cloud services available, including the type I described.

> Hmmm, "imposing suitable controls on their chain of supply" sounds very
> much like "a degree of micro-management of the supplier (and their
> subcontractors etc) far in excess of a normal contractual relationship".

Their suppliers are one stage removed compared to yourself. So while they should be expected to check out the people they rent rackspace from, you shouldn't need to.
Similarly, while the people they rent rackspace from should vet their cleaners, they (or you) shouldn't need to, and so on.

> I meant that if the data has to stay in the EU, in most situations it
> also has to protected as personal data, ie follow the principles etc.

Yes, that's why I'm saying a cloud that stays in the EU should be automatically protected because of the harmonisation of DP law.

-- 
Roland Perry

From zenadsl6186 at zen.co.uk Sun Nov 27 14:58:28 2011
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Sun, 27 Nov 2011 14:58:28 +0000
Subject: Does the US have juristriction over the whole world?
In-Reply-To:
References: <4ED0F7E1.2010202@zen.co.uk> <4ED123C2.1070700@zen.co.uk> <4Eu3jy+FqS0OFA0O@perry.co.uk> <4ED130E3.6060802@zen.co.uk> <4ED235F0.2040403@zen.co.uk>
Message-ID: <4ED25014.1050200@zen.co.uk>

Roland Perry wrote:
> In article <4ED235F0.2040403 at zen.co.uk>, Peter Fairbrother
>> Hmmm, "imposing suitable controls on their chain of supply" sounds
>> very much like "a degree of micro-management of the supplier (and
>> their subcontractors etc) far in excess of a normal contractual
>> relationship".
>
> Their suppliers are one stage removed compared to yourself. So while
> they should be expected to check out the people they rent rackspace
> from, you shouldn't need to.

Perhaps you shouldn't (though I very much think you should). But a data controller is *required* to do so by the DPA.

The rackspace people are data processors, and the data controller is required to "choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out" and to "take reasonable steps to ensure compliance with those measures".

That is not something he can subcontract out. It's his responsibility to choose _each and every one_ of the data processors in this way. See DPA Sch.1 part2 s.11.
-- 
Peter Fairbrother

From lists at internetpolicyagency.com Sun Nov 27 15:45:16 2011
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sun, 27 Nov 2011 15:45:16 +0000
Subject: Does the US have jurisdiction over the whole world?
In-Reply-To: <4ED25014.1050200@zen.co.uk>
References: <4ED0F7E1.2010202@zen.co.uk> <4ED123C2.1070700@zen.co.uk> <4Eu3jy+FqS0OFA0O@perry.co.uk> <4ED130E3.6060802@zen.co.uk> <4ED235F0.2040403@zen.co.uk> <4ED25014.1050200@zen.co.uk>
Message-ID:

In article <4ED25014.1050200 at zen.co.uk>, Peter Fairbrother writes

>>> Hmmm, "imposing suitable controls on their chain of supply" sounds
>>> very much like "a degree of micro-management of the supplier (and
>>> their subcontractors etc) far in excess of a normal contractual
>>> relationship".
>>
>> Their suppliers are one stage removed compared to yourself. So while
>> they should be expected to check out the people they rent rackspace
>> from, you shouldn't need to.
>
> Perhaps you shouldn't (though I very much think you should). But a data
> controller is *required* to do so by the DPA.

I don't think it can require a one man self employed plumber to vet every component in the chain of supply for his website, which collects personal data in the form of people leaving a message for him to come round and give them a quote.

Obviously, if you are running a large enterprise (such as whatever a hypothetical Australian version of the NHS is called) you'll be doing more due diligence on suppliers, but everyone can't be doing everything.

> The rackspace people are data processors, and the data controller is
> required to "choose a data processor providing sufficient guarantees in
> respect of the technical and organisational security measures governing
> the processing to be carried out" and to "take reasonable steps to
> ensure compliance with those measures".

No, the rackspace people are just providing an empty rack, power, aircon and physical security.
(The PCs and what runs on them is provided by the cloud computing vendor, but physical security of the data is nevertheless mainly in the hands of the rackspace people, who give keys to the cleaners etc etc).

> That is not something he can subcontract out. It's his responsibility
> to choose _each and every one_ of the data processors in this way. See
> DPA Sch.1 part2 s.11.

That's something you take account of in your contract, not by grilling your supplier's suppliers.

http://www.out-law.com/page-10763

(Which discusses even data sent outside the EU, although I had in mind situations where the data controller was more risk averse than that and in addition made it a contractual requirement that the data stayed in the EU).
-- 
Roland Perry

From tony.naggs at googlemail.com Sun Nov 27 15:28:43 2011
From: tony.naggs at googlemail.com (Tony Naggs)
Date: Sun, 27 Nov 2011 15:28:43 +0000
Subject: Does the US have jurisdiction over the whole world?
In-Reply-To: <91957FD74D91406EA2DA6F0603964B1D@MaryPC>
References: <4ED0F7E1.2010202@zen.co.uk> <4ED140BE.8030406@zen.co.uk> <00A677C9-9BE2-48C4-8DC1-0776985738E6@sourcetagged.ian.co.uk> <91957FD74D91406EA2DA6F0603964B1D@MaryPC>
Message-ID:

On 27 November 2011 10:20, Mary Hawking wrote:
> Reading the original submission by MS to the Australian government, they
> fail to mention the nub of the matter: the protection (or lack of it) for
> personal data when it is held/used/misused/misappropriated/lost by the
> hosting organisation and/or its sub-contractors.
>

MS are well aware of the importance of having large contractual financial penalties for their partners, in case of them mishandling their confidential information. It makes it easy for partners to justify spending time and money on security measures, because the cost is so considerably smaller than the potential penalty.
> I get the impression that, leaving aside governments and government
> agencies, there is little or no protection in law for non US nationals for,
> for example, financial details obtained from having to register these at
> the time of purchasing a ticket to fly into or over or anywhere near the USA.
>

For now governments consider the US is too important a bully to upset by challenging these requirements. In some ways these can be considered to be a balance to their visa waiver.

But going through the visa process for various countries I have never been asked what credit card I used to buy my ticket.

Regards,
Tony

From lists at internetpolicyagency.com Sun Nov 27 18:14:13 2011
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sun, 27 Nov 2011 18:14:13 +0000
Subject: Does the US have jurisdiction over the whole world?
In-Reply-To:
References: <4ED0F7E1.2010202@zen.co.uk> <4ED140BE.8030406@zen.co.uk> <00A677C9-9BE2-48C4-8DC1-0776985738E6@sourcetagged.ian.co.uk> <91957FD74D91406EA2DA6F0603964B1D@MaryPC>
Message-ID:

In article , Tony Naggs writes

> But going through the visa process for various countries I have never
> been asked what credit card I used to buy my ticket.

The most tedious trip I've ever been on from a "security" point of view was one to the USA where my ticket had admittedly been bought by a third party. Apparently this is a big indicator of risk. But in our case (there were several in the party) the third party was HMG, and the hassle was especially irritating for one of the party who was a former diplomat.

I even saw that the airline had my name to tick off on a slip of paper as I checked in for the return flight back to the UK - perhaps they were just making sure I made it home safely.

Sometimes you just have to go with the flow and ignore whatever it is in your lifestyle that makes you a false positive.
-- 
Roland Perry

From david.goodenough at btconnect.com Sun Nov 27 15:45:37 2011
From: david.goodenough at btconnect.com (David Goodenough)
Date: Sun, 27 Nov 2011 15:45:37 +0000
Subject: Does the US have jurisdiction over the whole world?
In-Reply-To:
References: <4ED235F0.2040403@zen.co.uk>
Message-ID: <201111271545.38087.david.goodenough@btconnect.com>

On Sunday 27 Nov 2011, Roland Perry wrote:
> In article <4ED235F0.2040403 at zen.co.uk>, Peter Fairbrother
> writes
>
> >> You seem to be wanting a degree of micro-management of the supplier
> >> (and their subcontractors etc) far in excess of a normal contractual
> >> relationship
> >
> > Yes, indeed I do.
> >
> > I have a legal duty to ensure the supplier of data processing services
> > is competent, honest and responsible - he is after all in possession of
> > something I am responsible for.
>
> Do you do the same for your accountants and bankers? Lots of your money

Both Accountants and Bankers are regulated by UK based standards bodies if they operate in this country, I therefore expect them to operate in a way that is consistent with UK law.

There is no such regulatory body for Cloud operators, either nationally or internationally.

David

> and personal data (self and employees) in their possession. Or do you
> trust them to act lawfully, given that they clearly understand their
> responsibilities (as would the people offering one of these specialist
> clouds).
>
> >>> The duty on a data controller must surely include a requirement to
> >>> check whether the parties are at least outwardly law-abiding and
> >>> responsible - otherwise a data controller could store data at
> >>> Crooks-and-Spammers Ltd without penalty.
> >>
> >> And you do that outwardly check by dealing with a reputable company
> >> offering a "local cloud" that you can reasonably expect to be law
> >> abiding in this respect (and imposing suitable controls on their chain
> >> of supply).
> >
> > That might work - but I've never come across such a beast.
>
> I'm assured there are a range of cloud services available, including the
> type I described.
>
> > Hmmm, "imposing suitable controls on their chain of supply" sounds very
> > much like "a degree of micro-management of the supplier (and their
> > subcontractors etc) far in excess of a normal contractual relationship".
>
> Their suppliers are one stage removed compared to yourself. So while
> they should be expected to check out the people they rent rackspace
> from, you shouldn't need to. Similarly, while the people they rent
> rackspace from should vet their cleaners, they (or you) shouldn't need
> to, and so on.
>
> > I meant that if the data has to stay in the EU, in most situations it
> > also has to be protected as personal data, ie follow the principles etc.
>
> Yes, that's why I'm saying a cloud that stays in the EU should be
> automatically protected because of the harmonisation of DP law.

From fw at deneb.enyo.de Sun Nov 27 21:24:34 2011
From: fw at deneb.enyo.de (Florian Weimer)
Date: Sun, 27 Nov 2011 22:24:34 +0100
Subject: Does the US have jurisdiction over the whole world?
In-Reply-To: (Mary Hawking's message of "Sat, 26 Nov 2011 09:35:07 -0000")
References:
Message-ID: <87ipm5i7hp.fsf@mid.deneb.enyo.de>

* Mary Hawking:

> http://www.theregister.co.uk/2011/11/25/ms_threatens_au_gov_over_ehealth/
>
> Does anyone know about this - and whether it is true?
> Apparently it is Microsoft's view that requiring data to be held within a
> national boundary is a breach of WTO regulations - and, worryingly, that any
> data held by any organisation which trades with the US is subject to US law.
> > "Any company with a presence in the United States of America (not just those > with headquarters or subsidiaries in that country) may be legally required > to respond to a valid demand from the United States Government for > information the company retains custody over or controls, regardless of > where the data is stored or the existence of any conflicting obligations > under the laws of the country where the data is located," the submission > states Isn't this true for most countries, not just the U.S.? From fw at deneb.enyo.de Sun Nov 27 21:30:26 2011 From: fw at deneb.enyo.de (Florian Weimer) Date: Sun, 27 Nov 2011 22:30:26 +0100 Subject: Does the US have juristriction over the whole world? In-Reply-To: <00A677C9-9BE2-48C4-8DC1-0776985738E6@sourcetagged.ian.co.uk> (Ian Mason's message of "Sat, 26 Nov 2011 21:09:23 +0000") References: <4ED0F7E1.2010202@zen.co.uk> <4ED140BE.8030406@zen.co.uk> <00A677C9-9BE2-48C4-8DC1-0776985738E6@sourcetagged.ian.co.uk> Message-ID: <87ehwti77x.fsf@mid.deneb.enyo.de> * Ian Mason: > The difference between UK and US approaches is that UK law only > applies extraterritorially to UK subjects or to persons "owing a duty > to the crown". Compelling a UK subsidiary of a foreign company to produce evidence for use in a UK court does not look very extraterritorial to me. Globalization cuts both ways, there are increased opportunities and responsibilities. I think you actually want this because otherwise, UK companies with local ownership are at a competitive disadvantage. From lists at internetpolicyagency.com Mon Nov 28 10:54:41 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Mon, 28 Nov 2011 10:54:41 +0000 Subject: Does the US have juristriction over the whole world? 
In-Reply-To: <201111271545.38087.david.goodenough@btconnect.com>
References: <4ED235F0.2040403@zen.co.uk> <201111271545.38087.david.goodenough@btconnect.com>
Message-ID:

In article <201111271545.38087.david.goodenough at btconnect.com>, David Goodenough writes

>> Do you do the same for your accountants and bankers? Lots of your money
>
> Both Accountants and Bankers are regulated by UK based standards bodies
> if they operate in this country, I therefore expect them to operate in a way
> that is consistent with UK law.

I expect all suppliers to act consistent with the law.

> There is no such regulatory body for Cloud operators, either nationally
> or internationally.

For this aspect of their operations: The Information Commissioner, and their counterparts in the EU.
-- 
Roland Perry

From ukcrypto at sourcetagged.ian.co.uk Mon Nov 28 20:05:18 2011
From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason)
Date: Mon, 28 Nov 2011 20:05:18 +0000
Subject: Does the US have jurisdiction over the whole world?
In-Reply-To: <87ehwti77x.fsf@mid.deneb.enyo.de>
References: <4ED0F7E1.2010202@zen.co.uk> <4ED140BE.8030406@zen.co.uk> <00A677C9-9BE2-48C4-8DC1-0776985738E6@sourcetagged.ian.co.uk> <87ehwti77x.fsf@mid.deneb.enyo.de>
Message-ID: <1008C6EA-ECE8-4C9E-BFE9-1F13B804BF25@sourcetagged.ian.co.uk>

On 27 Nov 2011, at 21:30, Florian Weimer wrote:

> * Ian Mason:
>
>> The difference between UK and US approaches is that UK law only
>> applies extraterritorially to UK subjects or to persons "owing a duty
>> to the crown".
>
> Compelling a UK subsidiary of a foreign company to produce evidence
> for use in a UK court does not look very extraterritorial to me.
> Globalization cuts both ways, there are increased opportunities and
> responsibilities.
>
> I think you actually want this because otherwise, UK companies with
> local ownership are at a competitive disadvantage.
>

I'm taking the, sometimes unusual, tactic of speaking only of what I know, which specifically was the spying reference where I know that this approach to extra-territoriality exists.

Now I speculate - I don't think the UK courts would think they were competent to order disclosure of information about a third party, incidentally held on behalf of another third party by the (for argument's sake) Australian subsidiary of a British Company. This is a direct analogy to the claim MS are making about holding data 'in the cloud' for an Australian company.

The case you suggest, of a foreign company domiciled in the UK is very different. I don't think the courts would hesitate for a moment to order disclosure from them - as long as there was a basic case for disclosure.

Ian

From igb at batten.eu.org Wed Nov 30 20:55:26 2011
From: igb at batten.eu.org (Ian Batten)
Date: Wed, 30 Nov 2011 20:55:26 +0000
Subject: The Information Commission and the Leveson Inquiry
Message-ID: <53FDAFC3-8EBC-4F6B-8BCC-ADE45E454DE2@batten.eu.org>

Leveson Inquiry, witness statement of Alex Owens, Senior Investigating Officer at the ICO, 1999--2005.

http://www.levesoninquiry.org.uk/wp-content/uploads/2011/11/Witness-Statement-of-Alexander-Owens1.pdf

He claims that he had a complete paper trail from journalists through PIs to their corrupt sources, but was told by Richard Thomas to keep his hands off the papers. Paragraphs 4.4 to 4.9 are absolutely devastating, along with paragraphs 5.1 through 5.6. Owens essentially accuses Thomas and his subordinates of being too frightened to take on the newspapers, and of then being dishonest about the state of the investigation and the quality of the evidence available to them. Paragraphs 5.10 et seq implicitly accuse the ICO of misleading Parliament.

The ICO will be giving evidence on Monday. It will be interesting.

ian

From fjmd1a at gmail.com Wed Nov 30 21:07:41 2011
From: fjmd1a at gmail.com (Francis Davey)
Date: Wed, 30 Nov 2011 21:07:41 +0000
Subject: The Information Commission and the Leveson Inquiry
In-Reply-To: <53FDAFC3-8EBC-4F6B-8BCC-ADE45E454DE2@batten.eu.org>
References: <53FDAFC3-8EBC-4F6B-8BCC-ADE45E454DE2@batten.eu.org>
Message-ID:

2011/11/30 Ian Batten :
> Leveson Inquiry, witness statement of Alex Owens, Senior Investigating
> Officer at the ICO, 1999--2005.
>
> http://www.levesoninquiry.org.uk/wp-content/uploads/2011/11/Witness-Statement-of-Alexander-Owens1.pdf
>
> He claims that he had a complete paper trail from journalists through PIs to
> their corrupt sources, but was told by Richard Thomas to keep his hands off
> the papers. Paragraphs 4.4 to 4.9 are absolutely devastating, along with
> paragraphs 5.1 through 5.6. Owens essentially accuses Thomas and his
> subordinates of being too frightened to take on the newspapers, and of then
> being dishonest about the state of the investigation and the quality of the
> evidence available to them. Paragraphs 5.10 et seq implicitly accuse the
> ICO of misleading Parliament.

I must say I have been finding the enquiry increasingly interesting, if rather alarming in that it confirms one's worst suspicions. Yesterday's "privacy is for peado's" being fairly eye watering.

-- 
Francis Davey

From pwt at iosis.co.uk Wed Nov 30 21:36:54 2011
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Wed, 30 Nov 2011 21:36:54 +0000
Subject: The Information Commission and the Leveson Inquiry
In-Reply-To:
References: <53FDAFC3-8EBC-4F6B-8BCC-ADE45E454DE2@batten.eu.org>
Message-ID: <4ED6A1F6.6070100@iosis.co.uk>

On 30/11/2011 21:07, Francis Davey wrote:
> I must say I have been finding the enquiry increasingly interesting,
> if rather alarming in that it confirms one's worst suspicions.
> Yesterday's "privacy is for peado's" being fairly eye watering.
I have not read yesterday's material, but do have personal experience as the Asperger's son (an adult at the time) of close friends is currently in prison [1] as a result of being drawn into a paedophile ring in a particularly despicable manner. His case was kept secret until the sentencing, and all of us were very grateful for that. What happened to the man who manipulated him, I do not know.

Peter

[1] In a rehab unit