From lists at internetpolicyagency.com Mon Jan 2 17:09:55 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 2 Jan 2012 17:09:55 +0000
Subject: Y2012k, or coincidence?

http://www.mercurynews.com/breaking-news/ci_19656845

"New Year's guests at a Denver Marriott were locked out of their rooms when the clock struck midnight and their room keys stopped working."

--
Roland Perry

From tugwilson at gmail.com Fri Jan 6 16:48:23 2012
From: tugwilson at gmail.com (John Wilson)
Date: Fri, 6 Jan 2012 16:48:23 +0000
Subject: Buckinghamshire CC ANPR cameras

Bucks County Council have installed about a dozen ANPR cameras on roads leading in to Aylesbury and in Aylesbury town centre as part of a central Government funded "Urban Traffic Management" scheme. The idea is that this data is to be used to collect journey times to allow them to give warnings of congestion to motorists (quite what the motorists are supposed to do with the information is not explained). They also run CCTV cameras as part of this scheme.

The cameras send data to the council control room and to Thames Valley Police as two separate data feeds. It appears that the council also gets data from some TVP cameras but they are a bit cagey about the details.

They say that "To ensure anonymity all VRN information will be depersonalised in accordance with the national UTMC protocol". I've looked at the UTMC site http://www.utmc.uk.com/ but can't find any specification of a "depersonalisation" algorithm. The Council seems to believe that whilst the CCTV images are covered by the DPA, the "depersonalised" ANPR data are not.

Has anybody got experience of similar schemes in other places? Is there a standard "depersonalisation" algorithm? If so anybody know what it is?
It seems to me to be reasonably hard to anonymise this data stream and to retain its utility, especially if there is no central spec for the mechanism and Thales or whoever decide that running it through SHA-1 will do the trick.

I've put in an FoI request which, amongst other things, asks for the details of the algorithm but with no lively hope of success.

John Wilson

From lists at internetpolicyagency.com Fri Jan 6 17:10:15 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 6 Jan 2012 17:10:15 +0000
Subject: Buckinghamshire CC ANPR cameras

In article , John Wilson writes
>Bucks County Council have installed about a dozen ANPR cameras on
>roads leading in to Aylesbury and in Aylesbury town centre as part of
>a central Government funded "Urban Traffic Management" scheme.
...
>Has anybody got experience of similar schemes in other places?

I have no extra details, but last year it was announced that large numbers of car movements in Royston were to be logged by CCTV.

http://www.bbc.co.uk/news/uk-england-beds-bucks-herts-13789111

--
Roland Perry

From tugwilson at gmail.com Fri Jan 6 17:36:13 2012
From: tugwilson at gmail.com (John Wilson)
Date: Fri, 6 Jan 2012 17:36:13 +0000
Subject: Buckinghamshire CC ANPR cameras

On 6 January 2012 17:10, Roland Perry wrote:
> In article , John Wilson writes
>
>> Bucks County Council have installed about a dozen ANPR cameras on
>> roads leading in to Aylesbury and in Aylesbury town centre as part of
>> a central Government funded "Urban Traffic Management" scheme.
>
> ...
>
>> Has anybody got experience of similar schemes in other places?
>
> I have no extra details, but last year it was announced that large
> numbers of car movements in Royston were to be logged by CCTV.
>
> http://www.bbc.co.uk/news/uk-england-beds-bucks-herts-13789111
> f_things_to_come.htm>

Thanks, Roland - I remember that one - they were Police ANPR cameras.
These are council ones and I've not come across Council owned and operated ANPR cameras before.

If I remember correctly a guy in Royston was warned off by the Police because he put the location of the cameras on a web site.

This is where the Bucks CC cameras are located http://maps.google.co.uk/maps/ms?msid=211048623917040305292.0004b5b82468bc84f7974&msa=0

To their credit Bucks CC do intend to put the locations on their web site and put up signs saying what the cameras do.

John Wilson

From ben at links.org Fri Jan 6 17:03:10 2012
From: ben at links.org (Ben Laurie)
Date: Fri, 6 Jan 2012 17:03:10 +0000
Subject: Buckinghamshire CC ANPR cameras

On Fri, Jan 6, 2012 at 4:48 PM, John Wilson wrote:
> Is there a standard "depersonalisation" algorithm? If so anybody know
> what it is?

No. Indeed, in general, it is not possible to "depersonalise" and retain any usefulness in the data.

So step 1 is probably to find out WTF they're actually doing.

From maxsec at gmail.com Fri Jan 6 18:57:19 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri, 6 Jan 2012 18:57:19 +0000
Subject: Buckinghamshire CC ANPR cameras

Been around in Oxford for a few years for monitoring traffic flows around the ring road.

Would be nice to have this info under a common disclosure notice on county websites.

Martin

On Friday, 6 January 2012, Ben Laurie wrote:
> On Fri, Jan 6, 2012 at 4:48 PM, John Wilson wrote:
>> Is there a standard "depersonalisation" algorithm? If so anybody know
>> what it is?
>
> No. Indeed, in general, it is not possible to "depersonalise" and
> retain any usefulness in the data.
>
> So step 1 is probably to find out WTF they're actually doing.
>
> --

--
Martin Hepworth
Oxford, UK
From tugwilson at gmail.com Fri Jan 6 19:17:10 2012
From: tugwilson at gmail.com (John Wilson)
Date: Fri, 6 Jan 2012 19:17:10 +0000
Subject: Buckinghamshire CC ANPR cameras

On 6 January 2012 18:57, Martin Hepworth wrote:
> Been around in Oxford for a few years for monitoring traffic flows around
> the ring road
>
> Would be nice to have this info under a common disclosure notice on county
> websites

For what it's worth here is the record of the Council's decision to proceed http://democracy.buckscc.gov.uk/mgIssueHistoryHome.aspx?IId=20996&Opt=0

Here is a map of the whole project http://www.transportforbucks.net/Roadworks-Centre/Schemes-and-projects/Our-schemes-and-projects/Urban-Traffic-Management-Centre.aspx

The PIA report is quite interesting. They admit that they may have to reveal the location of the Thames Valley Police cameras if presented with an FoI request and suggest that they should claim they are covered by the EIR rather than the FoI as this is less restrictive. To give them credit there are a lot of good intentions as far as disclosure is concerned in this document. The problem is that the people tasked with implementing the disclosure don't seem to see it as a priority.

My initial FoI request is for the location and operational status of the cameras, the Memorandum of Agreement with their partners, their data retention policy for the ANPR data and the technical details of the "depersonalise" technique. The last one is probably going to be a problem as I suspect there is no national spec for how it's done and I bet their supplier won't tell them.
John Wilson

From lists at internetpolicyagency.com Fri Jan 6 21:36:15 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 6 Jan 2012 21:36:15 +0000
Subject: Buckinghamshire CC ANPR cameras

In article , John Wilson writes
>If I remember correctly a guy in Royston was warned off by the Police
>because he put the location of the cameras on a web site.

Are they especially clandestine ones, or the normal green things?

http://g.co/maps/mrr43

There's also the much more tubular black ones (here in multiple):

http://newsimg.bbc.co.uk/media/images/45626000/jpg/_45626322_anpr_226.jpg

--
Roland Perry

From ukcrypto at sourcetagged.ian.co.uk Sat Jan 7 02:31:07 2012
From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason)
Date: Sat, 7 Jan 2012 02:31:07 +0000
Subject: Buckinghamshire CC ANPR cameras

On 6 Jan 2012, at 17:03, Ben Laurie wrote:
> On Fri, Jan 6, 2012 at 4:48 PM, John Wilson wrote:
>> Is there a standard "depersonalisation" algorithm? If so anybody know
>> what it is?
>
> No. Indeed, in general, it is not possible to "depersonalise" and
> retain any usefulness in the data.
>
> So step 1 is probably to find out WTF they're actually doing.
>

It depends. If they are strictly monitoring traffic flows and journey times then all they have to do is assign a unique journey number to a set of records for a vehicle and drop/delete the registration number when the journey seems complete. Each time the vehicle starts a journey it gets assigned a new unique journey number so that there's no link with previous journeys for the same vehicle and no record of the registration number at all once a journey has completed.
Obviously there's detail to work through such as: a vehicle enters the area, is seen by ANPR on entry, then parks up for several days and isn't seen by a second ANPR camera; at what point do you delete the partial journey record that will, of necessity, still contain a registration number.

Ian

From lists at internetpolicyagency.com Sat Jan 7 09:27:21 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 7 Jan 2012 09:27:21 +0000
Subject: Buckinghamshire CC ANPR cameras

In article , Ian Mason writes
>>> Is there a standard "depersonalisation" algorithm? If so anybody know
>>> what it is?
>>
>> No. Indeed, in general, it is not possible to "depersonalise" and
>> retain any usefulness in the data.
>>
>> So step 1 is probably to find out WTF they're actually doing.
>
>It depends. If they are strictly monitoring traffic flows and journey
>times then all they have to do is assign a unique journey number to a
>set of records for a vehicle and drop/delete the registration number
>when the journey seems complete. Each time the vehicle starts a journey
>it gets assigned a new unique journey number so that there's no link
>with previous journeys for the same vehicle and no record of the
>registration number at all once a journey has completed.

aiui the Trafficmaster system (blue cameras) works a lot like this.

>Obviously there's detail to work through such as: a vehicle enters the
>area, is seen by ANPR on entry, then parks up for several days and
>isn't seen by a second ANPR camera; at what point do you delete the
>partial journey record that will, of necessity, still contain a
>registration number.

About an hour after last seeing the plate would be plenty if you are looking at the "flow" of traffic.
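[Editor's added example, not part of the thread or of any scheme mentioned in it: the journey-number approach Ian Mason describes, with the one-hour expiry Roland Perry suggests. A random journey id is issued per journey, the plate is held only while the journey is open, and the emitted journey record never contains the plate. Camera names, plates and timings are constructed.]

```python
"""Journey-number tokeniser for ANPR flow monitoring (added illustration).

Each sighting is attached to a random journey id.  The plate is kept only in
the open-journey table (Ian Mason's "partial record that still contains a
registration number"); once no camera has seen it for `timeout_s` (3600 s
here, per the thread) the plate is discarded and the plate-free journey
record is emitted.  All sample data below is constructed.
"""
import secrets


class JourneyTokeniser:
    def __init__(self, timeout_s=3600):
        self.timeout_s = timeout_s
        self._open = {}        # plate -> [journey_id, last_seen]; the only place a plate lives
        self._sightings = {}   # journey_id -> [(camera, t), ...]
        self.completed = []    # (journey_id, sightings); no plate anywhere in here

    def observe(self, plate, camera, t):
        """Record a sighting at time t (seconds) and return the journey id."""
        self.expire(t)
        if plate in self._open:
            jid = self._open[plate][0]
            self._open[plate][1] = t
        else:
            jid = secrets.token_hex(8)   # random: not derivable from the plate, so no table to build
            self._open[plate] = [jid, t]
            self._sightings[jid] = []
        self._sightings[jid].append((camera, t))
        return jid

    def expire(self, now):
        """Close every journey not seen for timeout_s and forget its plate."""
        for plate, (jid, last_seen) in list(self._open.items()):
            if now - last_seen >= self.timeout_s:
                del self._open[plate]
                self.completed.append((jid, self._sightings.pop(jid)))

    def plates_held(self):
        """Plates currently retained (should be empty once everything has expired)."""
        return set(self._open)


def journey_time(sightings, cam_from, cam_to):
    """Seconds from the first sighting at cam_from to the next at cam_to, or None."""
    t_from = next((t for c, t in sightings if c == cam_from), None)
    if t_from is None:
        return None
    t_to = next((t for c, t in sightings if c == cam_to and t > t_from), None)
    return None if t_to is None else t_to - t_from


def run_demo():
    """Constructed day: one through-journey, one vehicle that parks, one return trip."""
    tok = JourneyTokeniser(timeout_s=3600)
    tok.observe("AB12 CDE", "cam_A", 0)       # enters town
    tok.observe("XY99 ZZZ", "cam_A", 100)     # enters, then parks for the day
    tok.observe("AB12 CDE", "cam_B", 600)     # ten minutes later at the next camera
    tok.observe("AB12 CDE", "cam_A", 5000)    # back again: both earlier journeys have timed out
    tok.expire(now=5000 + 3600)               # end of day: close the last open journey
    return tok


if __name__ == "__main__":
    tok = run_demo()
    for jid, sightings in tok.completed:
        print(jid, sightings, "A->B:", journey_time(sightings, "cam_A", "cam_B"))
    print("plates still held:", tok.plates_held())
```

The parked vehicle simply produces a journey record with a single sighting once its hour is up; the returning vehicle gets a fresh id unrelated to its morning one, so the two trips cannot be linked from the completed records.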
--
Roland Perry

From tugwilson at gmail.com Sat Jan 7 12:06:58 2012
From: tugwilson at gmail.com (John Wilson)
Date: Sat, 7 Jan 2012 12:06:58 +0000
Subject: Buckinghamshire CC ANPR cameras

On 7 January 2012 09:27, Roland Perry wrote:
> In article , Ian Mason writes
>
>>>> Is there a standard "depersonalisation" algorithm? If so anybody know
>>>> what it is?
>>>
>>> No. Indeed, in general, it is not possible to "depersonalise" and
>>> retain any usefulness in the data.
>>>
>>> So step 1 is probably to find out WTF they're actually doing.
>>
>> It depends. If they are strictly monitoring traffic flows and journey
>> times then all they have to do is assign a unique journey number to a set of
>> records for a vehicle and drop/delete the registration number when the
>> journey seems complete. Each time the vehicle starts a journey it gets
>> assigned a new unique journey number so that there's no link with previous
>> journeys for the same vehicle and no record of the registration number at
>> all once a journey has completed.
>
> aiui the Trafficmaster system (blue cameras) works a lot like this.
>
>> Obviously there's detail to work through such as: a vehicle enters the
>> area, is seen by ANPR on entry, then parks up for several days and isn't
>> seen by a second ANPR camera; at what point do you delete the partial
>> journey record that will, of necessity, still contain a registration
>> number.
>
> About an hour after last seeing the plate would be plenty if you are looking
> at the "flow" of traffic.

That's quite true but it seems clear from the Council documents that they intend to hold the camera event data for some time. There are perfectly legitimate reasons for this. They can, no doubt, get useful information from the bulk data which would help in planning traffic management.
I've found the schema for the data packet sent by ANPR cameras which conform to the UTMC standard. It has information like the direction of travel and the carriage used. It also has optional fields for vehicle speed and classification (presumably things like car, motorcycle, van, etc). Even if the cameras don't provide this extra information now you would want to build a database to hold it as and when the capabilities become available.

John Wilson

From lists at internetpolicyagency.com Sat Jan 7 14:06:59 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 7 Jan 2012 14:06:59 +0000
Subject: Buckinghamshire CC ANPR cameras

In article , John Wilson writes
>>> Obviously there's detail to work through such as: a vehicle enters the
>>> area, is seen by ANPR on entry, then parks up for several days and isn't
>>> seen by a second ANPR camera; at what point do you delete the partial
>>> journey record that will, of necessity, still contain a registration
>>> number.
>>
>> About an hour after last seeing the plate would be plenty if you are looking
>> at the "flow" of traffic.
>
>That's quite true but it seems clear from the Council documents that
>they intend to hold the camera event data for some time. There are
>perfectly legitimate reasons for this. They can, no doubt, get useful
>information from the bulk data which would help in planning traffic
>management.

Unless the entire perimeter is covered (cf London Congestion Charge) then vehicles that 'disappear' could just as easily have taken an unmonitored exit. Indeed, schemes like the London CC only log entries, and not exits, I thought.
--
Roland Perry

From tugwilson at gmail.com Sat Jan 7 15:45:51 2012
From: tugwilson at gmail.com (John Wilson)
Date: Sat, 7 Jan 2012 15:45:51 +0000
Subject: Buckinghamshire CC ANPR cameras

On 7 January 2012 14:06, Roland Perry wrote:
>> That's quite true but it seems clear from the Council documents that
>> they intend to hold the camera event data for some time. There are
>> perfectly legitimate reasons for this. They can, no doubt, get useful
>> information from the bulk data which would help in planning traffic
>> management.
>
> Unless the entire perimeter is covered (cf London Congestion Charge) then
> vehicles that 'disappear' could just as easily have taken an unmonitored
> exit. Indeed, schemes like the London CC only log entries, and not exits, I
> thought.

It seems the Highways Agency keeps their traffic data for ever http://www.highways.gov.uk/traffic/21002.aspx

They use the 24 bit hash value returned from the camera not the registration number. I imagine that Bucks CC will do the same.

It appears that the hashing algorithm is a national secret http://www.whatdotheyknow.com/request/anpr_capabilities

John Wilson

From lists at internetpolicyagency.com Sat Jan 7 16:27:03 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 7 Jan 2012 16:27:03 +0000
Subject: Buckinghamshire CC ANPR cameras
Message-ID: <528XP6gXJHCPFAzy@perry.co.uk>

In article , John Wilson writes
>
>It seems the Highways Agency keeps their traffic data for ever
>http://www.highways.gov.uk/traffic/21002.aspx

That explains one mystery (assuming they are telling the truth) which is why the police don't use data from those cameras to do useful things for the general public, like trace stolen cars.
--
Roland Perry

From tugwilson at gmail.com Sat Jan 7 16:37:11 2012
From: tugwilson at gmail.com (John Wilson)
Date: Sat, 7 Jan 2012 16:37:11 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <528XP6gXJHCPFAzy@perry.co.uk>
References: <528XP6gXJHCPFAzy@perry.co.uk>

On 7 January 2012 16:27, Roland Perry wrote:
> In article , John Wilson writes
>
>> It seems the Highways Agency keeps their traffic data for ever
>> http://www.highways.gov.uk/traffic/21002.aspx
>
> That explains one mystery (assuming they are telling the truth) which is why
> the police don't use data from those cameras to do useful things for the
> general public, like trace stolen cars.

In Buckinghamshire the police get a full data feed from the Council's cameras which includes the actual registration number.

I'm trying to find a good formulation for an FoI request about these hashes. I'm thinking about something along the lines of "Given 1 million random, valid GB registration numbers what's the probability that two will produce the same hash value". Suggestions for improvement welcome.

In Holland they appear to use MD5 http://albertdeklein.nl/2011/03/13/dude-where-is-my-car/

John Wilson

From lists at internetpolicyagency.com Sat Jan 7 16:51:24 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 7 Jan 2012 16:51:24 +0000
Subject: Buckinghamshire CC ANPR cameras
References: <528XP6gXJHCPFAzy@perry.co.uk>

In article , John Wilson writes
>In Buckinghamshire the police get a full data feed from the Council's
>cameras which includes the actual registration number.

Has that improved the recovery rate for stolen cars in Bucks? (Maybe another FOI request to make; perhaps phrased as "how many cars which are reported as stolen have been tracked by this scheme", which would include the ones that did get away after all.)

It's quite possible the answer is "zero, we don't do that", which would be interesting anyway.
--
Roland Perry

From igb at batten.eu.org Sat Jan 7 19:39:23 2012
From: igb at batten.eu.org (Ian Batten)
Date: Sat, 7 Jan 2012 19:39:23 +0000
Subject: Buckinghamshire CC ANPR cameras
References: <528XP6gXJHCPFAzy@perry.co.uk>
Message-ID: <86628682-BA71-449A-BD98-F7713EB35B3F@batten.eu.org>

On 7 Jan 2012, at 1651, Roland Perry wrote:
> In article , John Wilson writes
>> In Buckinghamshire the police get a full data feed from the Council's
>> cameras which includes the actual registration number.
>
> Has that improved the recovery rate for stolen cars in Bucks? (Maybe another FOI request to make; perhaps phrased as "how many cars which are reported as stolen have been tracked by this scheme", which would include the ones that did get away after all.)

I got the results of ANPR in terms of convictions from West Midlands police under the FOI a couple of years ago. I'd have to fish them out, but my recollection is that it wasn't impressive.

ian

From bdm at fenrir.org.uk Sat Jan 7 18:03:03 2012
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Sat, 7 Jan 2012 18:03:03 +0000
Subject: Buckinghamshire CC ANPR cameras
Message-ID: <20120107180303.7806668d@peterson.fenrir.org.uk>

On Sat, 7 Jan 2012 09:27:21 +0000 Roland Perry wrote:
> >It depends. If they are strictly monitoring traffic flows and journey
> >times then all they have to do is assign a unique journey number to a
> >set of records for a vehicle and drop/delete the registration number
> >when the journey seems complete. Each time the vehicle starts a journey
> >it gets assigned a new unique journey number so that there's no link
> >with previous journeys for the same vehicle and no record of the
> >registration number at all once a journey has completed.
>
> aiui the Trafficmaster system (blue cameras) works a lot like this.

Trafficmaster claims that they tokenize the central part of the registration plate only, but I don't know for certain about this.
Some time ago I recall a murder trial involving a murder in Scotland where the suspect(s) travelled up the motorways from England to Scotland and that the police were able to obtain evidence of their vehicle movements from Trafficmaster. I don't have any links to this, but I certainly remember hearing about it although it was a long time ago, possibly a decade.

--
Brian Morrison
bdm at fenrir dot org dot uk

"Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it."

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

From lists at internetpolicyagency.com Sun Jan 8 09:43:56 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sun, 8 Jan 2012 09:43:56 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <20120107180303.7806668d@peterson.fenrir.org.uk>
References: <20120107180303.7806668d@peterson.fenrir.org.uk>

In article <20120107180303.7806668d at peterson.fenrir.org.uk>, Brian Morrison writes
>Trafficmaster claims that they tokenize the central part of the
>registration plate only, but I don't know for certain about this. Some
>time ago I recall a murder trial involving a murder in Scotland where
>the suspect(s) travelled up the motorways from England to Scotland and
>that the police were able to obtain evidence of their vehicle movements
>from Trafficmaster.

That's essentially the same as the 24-bit hash used by the Highways Agency, which while not unique to every vehicle is plenty good enough as evidence in a murder investigation.
--
Roland Perry

From chris-ukcrypto at lists.skipnote.org Mon Jan 9 15:16:38 2012
From: chris-ukcrypto at lists.skipnote.org (Chris Edwards)
Date: Mon, 9 Jan 2012 15:16:38 +0000 (GMT)
Subject: Buckinghamshire CC ANPR cameras

On Sat, 7 Jan 2012, John Wilson wrote:
> They use the 24 bit hash value returned from the camera not the
> registration number

I guess hashing a registration is pretty easy to reverse. With access to the DVLA database of all UK registrations, you simply compute the hash for each one. This is a one off task. Once you've done it, you know the registration for any given hash.

From clive at davros.org Mon Jan 9 15:26:18 2012
From: clive at davros.org (Clive D.W. Feather)
Date: Mon, 9 Jan 2012 15:26:18 +0000
Subject: Buckinghamshire CC ANPR cameras
Message-ID: <20120109152618.GE7359@davros.org>

Chris Edwards said:
> I guess hashing a registration is pretty easy to reverse. With access to
> the DVLA database of all UK registrations, you simply compute the hash for
> each one. This is a one off task. Once you've done it, you know the
> registration for any given hash.

You don't even need access to the database. The range of possible registrations isn't that much larger, and it will deal with fake registrations as well.

[Hmm, how much larger is it? Let's see. The possible registrations are, roughly:

    aa nnnn   nnnn aa   aaa nnn   nnn aaa   aaa nnn a   a nnn aaa   aa nn aaa
    6.25M     6.25M     14.4M     14.4M     302M        302M

The last set is 153M so far, growing at 14.6M per annum. So about 800 million at the moment.]

--
Clive D.W. Feather  | If you lie to the compiler,
Email: clive at davros.org | it will get its revenge.
Web: http://www.davros.org | - Henry Spencer
Mobile: +44 7973 377646

From tugwilson at gmail.com Mon Jan 9 16:34:51 2012
From: tugwilson at gmail.com (John Wilson)
Date: Mon, 9 Jan 2012 16:34:51 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <20120109152618.GE7359@davros.org>
References: <20120109152618.GE7359@davros.org>

On 9 January 2012 15:26, Clive D.W. Feather wrote:
> Chris Edwards said:
>> I guess hashing a registration is pretty easy to reverse. With access to
>> the DVLA database of all UK registrations, you simply compute the hash for
>> each one. This is a one off task. Once you've done it, you know the
>> registration for any given hash.

I've turned up some more information on the hashing mechanism.

The Highways Agency say "The processor identifies the number plate in each image and uses optical character recognition to obtain the plate. The plate is then simplified and hashed with a large prime number, to give a non-reversible tag." (http://www.highways.gov.uk/foiresponses/FOIresponses/24242.aspx)

This paper from Sheffield University says "a process known as 'character merging' is applied prior to generation of the hash value from the plate characters. In this process, character sets which are commonly mis-read by ANPR systems (such as O, D and 0, or 8, B and 3) are merged (e.g. all Ds are replaced by Os etc) which has the effect of reducing significantly the uniqueness of the hash value" (http://staffwww.dcs.shef.ac.uk/people/C.Fox/fox_ETC2010.pdf)

However the number plate layout introduced in September 2001 should not require as much merging as the letters and digits are readily distinguishable by position.

The mention of the prime number leads me to guess they are using the sum of products method to create the hash.

As the hash is only 24 bits and there are 34.5 million licensed vehicles on the road there must be collisions even if the hash function were perfect (and it's not).
It would be fun to run all the currently issued licence numbers through the hash function to see how well it works. Unfortunately the DVLA won't supply a list of the current licence plate numbers and the Highways Agency won't disclose the hashing algorithm.

It seems clear that this method is a very poor way of anonymising the data. If I had access to the data I could easily identify an individual's car without knowing anything at all about the hash function other than it always produces the same hash given the same number plate. I just need to know the precise time they pass one or more cameras or less precise information on several journeys.

John Wilson

From lists at internetpolicyagency.com Mon Jan 9 16:34:15 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 9 Jan 2012 16:34:15 +0000
Subject: Buckinghamshire CC ANPR cameras

In article , Chris Edwards writes
>> They use the 24 bit hash value returned from the camera not the
>> registration number
>
>I guess hashing a registration is pretty easy to reverse. With access to
>the DVLA database of all UK registrations, you simply compute the hash for
>each one. This is a one off task. Once you've done it, you know the
>registration for any given hash.

Unless the hash changes, with for example the date. You'd still get hashes consistent enough to work out how fast the traffic's flowing, but each day you get a whole new set of hashes.

Although if you knew the date the hash was calculated, you could still compare the hash you wanted to reverse with the full table, but it's much more to compute and store, and could be accused of being security by obscurity.
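[Editor's added example, not part of the thread: the arithmetic behind John Wilson's "there must be collisions" remark (34.5 million vehicles, a 24-bit tag) and behind his proposed FoI question about a million plates. It treats the tag as an ideal uniform hash, which is the best case for the scheme; the 18-bit and 10-bit widths are the other figures mentioned in the thread. Figures are computed, not taken from any agency's data.]

```python
"""Anonymity-set arithmetic for a short fixed hash of a number plate (added illustration).

With n plates hashed uniformly into m = 2**bits tag values, the number of
plates sharing any given tag is approximately Poisson(n/m).  That gives the
share of vehicles whose tag is shared with nobody, the number of distinct
tags in use, and the birthday-style collision probability for a sample.
"""
import math
import random


def anonymity_stats(n_plates, hash_bits):
    """Expected structure of the tag space for n_plates under an ideal hash."""
    m = 2 ** hash_bits
    load = n_plates / m                     # mean plates per tag value
    p_unique = math.exp(-load)              # P(no other plate shares my tag)
    distinct = m * (1 - p_unique)           # expected tag values actually in use
    return {
        "load": load,
        "fraction_unique": p_unique,
        "expected_distinct_tags": distinct,
        "mean_plates_per_used_tag": n_plates / distinct,
    }


def p_any_collision(n_samples, hash_bits):
    """P(at least two of n random plates share a tag): birthday approximation."""
    m = 2 ** hash_bits
    return 1.0 - math.exp(-n_samples * (n_samples - 1) / (2.0 * m))


def simulate_fraction_unique(n_plates, hash_bits, seed=1):
    """Monte Carlo check of the Poisson estimate, modelling an ideal hash as uniform random tags."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n_plates):
        tag = rng.getrandbits(hash_bits)
        counts[tag] = counts.get(tag, 0) + 1
    unique = sum(1 for c in counts.values() if c == 1)
    return unique / n_plates


if __name__ == "__main__":
    VEHICLES = 34_500_000                   # figure quoted in the thread
    for bits in (10, 18, 24):
        s = anonymity_stats(VEHICLES, bits)
        print(f"{bits:2d}-bit tag: {s['load']:10.1f} plates per tag value, "
              f"{100 * s['fraction_unique']:5.1f}% of vehicles have a tag nobody else has, "
              f"{s['mean_plates_per_used_tag']:.2f} vehicles per tag actually seen")
    print("P(any collision among 1,000,000 plates, 24-bit tag):", p_any_collision(1_000_000, 24))
    print("P(two random plates collide, 24-bit tag):", p_any_collision(2, 24))
```

The answer to the FoI question as phrased is essentially 1: a million plates give about 30,000 expected colliding pairs in a 24-bit space. The more telling number is the per-vehicle one: at 24 bits roughly one vehicle in eight has a tag shared with no other vehicle at all, and the rest share with about two others on average, so a tag plus a time and a camera narrows to a handful of cars. At 10 bits every tag value is shared by tens of thousands of vehicles, which is Peter Fairbrother's point later in the thread.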
--
Roland Perry

From tugwilson at gmail.com Mon Jan 9 16:46:14 2012
From: tugwilson at gmail.com (John Wilson)
Date: Mon, 9 Jan 2012 16:46:14 +0000
Subject: Buckinghamshire CC ANPR cameras

On 9 January 2012 16:34, Roland Perry wrote:
> In article , Chris Edwards writes
>
>>> They use the 24 bit hash value returned from the camera not the
>>> registration number
>>
>> I guess hashing a registration is pretty easy to reverse. With access to
>> the DVLA database of all UK registrations, you simply compute the hash for
>> each one. This is a one off task. Once you've done it, you know the
>> registration for any given hash.
>
> Unless the hash changes, with for example the date. You'd still get hashes
> consistent enough to work out how fast the traffic's flowing, but each day
> you get a whole new set of hashes.
>
> Although if you knew the date the hash was calculated, you could still
> compare the hash you wanted to reverse with the full table, but it's much
> more to compute and store, and could be accused of being security by
> obscurity.

The hash doesn't change over time. There's a FOI response from the Highways Agency which confirms that. (http://www.whatdotheyknow.com/request/48353/response/124187/attach/html/2/FOI%20response%20ref%2013068772.doc.html)

John Wilson

From lists at internetpolicyagency.com Mon Jan 9 16:53:25 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 9 Jan 2012 16:53:25 +0000
Subject: Buckinghamshire CC ANPR cameras
References: <20120109152618.GE7359@davros.org>

In article , John Wilson writes
>It seems clear that this method is a very poor way of anonymising the
>data. If I had access to the data

Which raises the issue of what form of data loss the anonymising process regards as a threat. Having scooped up all the data from a central store is not the same as eavesdropping the feed from one camera.
>I could easily identify an
>individual's car without knowing anything at all about the hash
>function other than it always produces the same hash given the same
>number plate. I just need to know the precise time they pass one or
>more cameras

Although if the camera's on a busy road, you may have several cars to choose from.

>or less precise information on several journeys.

Two samples should reduce the number of cars in both places at the same time to a very small number.

--
Roland Perry

From tugwilson at gmail.com Mon Jan 9 17:17:14 2012
From: tugwilson at gmail.com (John Wilson)
Date: Mon, 9 Jan 2012 17:17:14 +0000
Subject: Buckinghamshire CC ANPR cameras
References: <20120109152618.GE7359@davros.org>

On 9 January 2012 16:53, Roland Perry wrote:
> In article , John Wilson writes
>
>> It seems clear that this method is a very poor way of anonymising the
>> data. If I had access to the data
>
> Which raises the issue of what form of data loss the anonymising process
> regards as a threat. Having scooped up all the data from a central store is
> not the same as eavesdropping the feed from one camera.

It's not beyond the bounds of possibility for these data to be released voluntarily (as happened in Amsterdam). I wonder what would happen if I put an FoI request in for the dataset which the Highways Agency supplied to the University of Sheffield? They are in quite a difficult position as they have made strenuous efforts to pretend that it contains no personal data and is therefore not covered by the DPA. If they've already extracted it it shouldn't fail the £600 test.
John Wilson

From zenadsl6186 at zen.co.uk Mon Jan 9 17:21:47 2012
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Mon, 09 Jan 2012 17:21:47 +0000
Subject: Buckinghamshire CC ANPR cameras
References: <20120109152618.GE7359@davros.org>
Message-ID: <4F0B222B.9090406@zen.co.uk>

If all they want to do is monitor traffic levels and average journey times, then a short - say 10 bit - hash is appropriate. Still not private, but it's enough to get the needed data without overly complicating things.

If the hash function is such that the hash changes say every day, or better for every rush hour, then very little private data would be available.

--
Peter Fairbrother

From tugwilson at gmail.com Mon Jan 9 17:32:04 2012
From: tugwilson at gmail.com (John Wilson)
Date: Mon, 9 Jan 2012 17:32:04 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <4F0B222B.9090406@zen.co.uk>
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk>

On 9 January 2012 17:21, Peter Fairbrother wrote:
> If all they want to do is monitor traffic levels and average journey times,
> then a short - say 10 bit - hash is appropriate. Still not private, but it's
> enough to get the needed data without overly complicating things.
>
> If the hash function is such that the hash changes say every day, or better
> for every rush hour, then very little private data would be available.

Quite so. However they started with an 18 bit hash and then moved to 24 bits. It looks like they want to have some collisions (so that they can claim it's not personal data) but to have as small a number as possible to allow them to see long term patterns.

I'm not against this. I can see that there may well be significant advantage for a planner to have access to detailed travel information over an extended period of time.
My problem is that this is effectively personal data and they are using sleight of hand to deny that and hence dodge their responsibility for handling it carefully.

John Wilson

From lists at internetpolicyagency.com  Mon Jan  9 17:32:16 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 9 Jan 2012 17:32:16 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <4F0B222B.9090406@zen.co.uk>
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk>
Message-ID: 

In article <4F0B222B.9090406 at zen.co.uk>, Peter Fairbrother writes
>If the hash function is such that the hash changes say every day, or
>better for every rush hour, then very little private data would be
>available.

It seems it isn't.

But if one has access to the output data, then it occurs to me that an easy attack on the hash function (for a particular plate) would be to drive a car, with that as a false numberplate, past a camera at 3am, then look at the results in the morning.
-- 
Roland Perry

From lists at internetpolicyagency.com  Mon Jan  9 17:53:58 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 9 Jan 2012 17:53:58 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: 
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk>
Message-ID: 

In article , John Wilson writes
>I can see that there may well be significant
>advantage for a planner to have access to detailed travel information
>over an extended period of time. My problem is that this is
>effectively personal data and they are using sleight of hand to deny
>that and hence dodge their responsibility for handling it carefully.

Is it enough that the planners [presumably] don't have a tool to turn the hashed data into real cars (so they can for example spy on ex-girlfriends) or is it the danger that 3rd parties involved in more serious data leaks (legal or otherwise) potentially aided by specific attacks on the hashing, which is the bigger concern?
-- 
Roland Perry

From tugwilson at gmail.com  Mon Jan  9 18:50:19 2012
From: tugwilson at gmail.com (John Wilson)
Date: Mon, 9 Jan 2012 18:50:19 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: 
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk>
Message-ID: 

On 9 January 2012 17:53, Roland Perry wrote:
> In article
> , John
> Wilson writes
>
>> I can see that there may well be significant
>> advantage for a planner to have access to detailed travel information
>> over an extended period of time. My problem is that this is
>> effectively personal data and they are using sleight of hand to deny
>> that and hence dodge their responsibility for handling it carefully.
>
>
> Is it enough that the planners [presumably] don't have a tool to turn the
> hashed data into real cars (so they can for example spy on ex-girlfriends)
> or is it the danger that 3rd parties involved in more serious data leaks
> (legal or otherwise) potentially aided by specific attacks on the hashing,
> which is the bigger concern?

I would expect that if you gave me an hour's M25 data I could reverse engineer the hashing algorithm in a day or so. Once the hashing algorithm is known many things can happen, from a jealous spouse tracking a partner through celebrity stalking to helping the planning of the assassination of a major public figure.

The problem, as I see it, is that the people collecting and storing this information don't believe it's sensitive. If they think it's not sensitive they won't go to the trouble and expense of protecting it properly e.g. they will send raw data - probably on a CD in the post - to random academics and employees of engineering companies. Eventually somebody will buy a hard disk off eBay and find a year's worth of traffic data from central London.
John Wilson

From lists at internetpolicyagency.com  Mon Jan  9 21:30:14 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 9 Jan 2012 21:30:14 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: 
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk>
Message-ID: <3cQ0FhDmx1CPFARZ@perry.co.uk>

In article , John Wilson writes
>Once the hashing algorithm is known many things can happen from a
>jealous spouse tracking a partner through celebrity stalking to helping
>the planning of the assassination of a major public figure.

There are probably simpler ways of knowing where someone will be. I only know of two green camera locations in the Nottingham metro area for example (and they are normally the sort of thing I notice).

>The problem, as I see it, is that the people collecting and storing
>this information don't believe it's sensitive. If they think it's not
>sensitive they won't go to the trouble and expense of protecting it
>properly e.g. they will send raw data - probably on a CD in the post -
>to random academics and employees of engineering companies. Eventually
>somebody will buy a hard disk off eBay and find a year's worth of
>traffic data

And which year would that be? 2005 perhaps.

>from central London.

I've never actually seen one of the green cameras in London - maybe the Highways Agency thinks it's unproductive to try and improve flows there. Does anyone here have a map of where the cameras are?
-- 
Roland Perry

From igb at batten.eu.org  Mon Jan  9 23:04:35 2012
From: igb at batten.eu.org (Ian Batten)
Date: Mon, 9 Jan 2012 23:04:35 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: 
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk>
Message-ID: <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org>

On 9 Jan 2012, at 1850, John Wilson wrote:
>
> The problem, as I see it, is that the people collecting and storing
> this information don't believe it's sensitive.
They might also make the point, which is not entirely without merit, that in order to use the data for most of the purposes proposed you would need to breach the Data Protection Act to find the registered keeper of the vehicle, or find the vehicles that your subject is the registered keeper of. And in many cases, especially those you're invoking about assassinations, it's unlikely the target would be the registered keeper anyway. Knowing the registration mark of the vehicle David Cameron travels in from one day to the next is, I suggest, difficult. If your response is "ah, but I know the registration mark of my perhaps-errant spouse's car" then I'd suggest that, rather than go to the effort of stealing data from the ANPR systems, I'd just place a GPS tracker on his/her car, to which I presumably have access. Once you reduce the use-case to vehicles for which you can obtain registration marks without breaching other laws, but which you do not have physical access to, but where coarse-grained data on historic locations would be of value, you're really dredging for applications.

> to random academics and employees of engineering companies. Eventually
> somebody will buy a hard disk off eBay and find a year's worth of
> traffic data from central London.
>

Suppose I have a copy of the movement data of vehicles from last year. So what? Your local garage presumably has ANPR records of every vehicle which has bought petrol there for the past months or years. Suppose it were stolen. What's the risk?
I think the idea that you can drive around in public, in a taxed, insured vehicle with big clear identification marks at each end, where there are clear public interests in ensuring that the vehicle is taxed, insured and MoT'd, and where a variety of crimes can be deterred, detected and punished by simply reading the identifying marks placed there for that very purpose, and still have an expectation that you can do so without your location being occasionally made available is fantastical. Cars are dangerous things, which society rightly regulates in terms of who can own and use and the conditions under which they can be owned and used. I think claiming that you have a right to anonymity under those circumstances is a real case of begging the question.

ian

From ukcrypto at sourcetagged.ian.co.uk  Tue Jan 10 08:59:38 2012
From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason)
Date: Tue, 10 Jan 2012 08:59:38 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org>
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org>
Message-ID: <3EF22CFB-62A1-46D0-92FF-2ED7C13D9B7E@sourcetagged.ian.co.uk>

On 9 Jan 2012, at 23:04, Ian Batten wrote:
>
> I think the idea that you can drive around in public, in a taxed,
> insured vehicle with big clear identification marks at each end,
> where there are clear public interests in ensuring that the vehicle
> is taxed, insured and MoT'd, and where a variety of crimes can be
> deterred, detected and punished by simply reading the identifying
> marks placed there for that very purpose, and still have an
> expectation that you can do so without your location being
> occasionally made available is fantastical. Cars are dangerous
> things, which society rightly regulates in terms of who can own and
> use and the conditions under which they can be owned and used.
> I
> think claiming that you have a right to anonymity under those
> circumstances is a real case of begging the question.
>

What people have a problem with is their location being made available in circumstances other than those where it is clearly necessary. The clearly necessary circumstances are ones that the vehicle identification marks were designed for - causing damage, breaching the law, etc. Outside those circumstances you do have a right to anonymity and for your privacy not to be interfered with.

While many hypothetical cases for privacy have been made here, stalking et al, there is a presumption in law (HRA) and in implicit social codes of conduct for a right to respect for privacy and family life, and systems that can breach those ought to be designed to effectively protect them except in the necessary circumstances and only in those circumstances.

In the case in point, monitoring traffic flows by recording individual vehicle movements, there is clearly a risk to legitimate privacy and there are clearly steps that can be taken in the design of systems to do this that would protect privacy without defeating the purpose of the systems or increasing their costs in any significant way. Given that that is the case, these systems should be so designed. Failing to do so is sloppy and shows little respect or even contempt for people's privacy rights.
Ian

From ukcrypto at sourcetagged.ian.co.uk  Tue Jan 10 09:07:57 2012
From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason)
Date: Tue, 10 Jan 2012 09:07:57 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: 
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk>
Message-ID: <7B72668E-FC30-4C44-8F54-2F626F5484A8@sourcetagged.ian.co.uk>

On 9 Jan 2012, at 17:32, Roland Perry wrote:
> In article <4F0B222B.9090406 at zen.co.uk>, Peter Fairbrother
> writes
>> If the hash function is such that the hash changes say every day,
>> or better for every rush hour, then very little private data would
>> be available.
>
> It seems it isn't.
>
> But if one has access to the output data, then it occurs to me that
> an easy attack on the hash function (for a particular plate) would
> be to drive a car, with that as a false numberplate, past a camera
> at 3am, then look at the results in the morning.

Or to put it in cryptographic terms - a known plaintext attack with complexity of O(1). When put like that, it's so starkly ineffective a protection it amounts to no protection at all.

From james2 at jfirth.net  Tue Jan 10 11:47:32 2012
From: james2 at jfirth.net (James Firth)
Date: Tue, 10 Jan 2012 11:47:32 -0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: 
References: <20120107180303.7806668d@peterson.fenrir.org.uk>
Message-ID: <002f01cccf8d$a58f6bc0$f0ae4340$@net>

Roland Perry wrote:
> That's essentially the same as the 24-bit hash used by the Highways
> Agency, which while not unique to every vehicle is plenty good enough
> as
> evidence in a murder investigation.

Rather than give the entire feed to the police, surely it is possible to obtain a compromise whereby certain hashes can be added to a "watch list". Upon matching, the entire car index plate, location etc is revealed to the police.

Oversight will then consist of accurate reports by the council/HA etc of the number of plates concurrently on the watch list each reporting period.
This at least prevents some enterprising police forces storing the raw feed indefinitely.

James Firth

From igb at batten.eu.org  Tue Jan 10 11:51:58 2012
From: igb at batten.eu.org (Ian Batten)
Date: Tue, 10 Jan 2012 11:51:58 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <3EF22CFB-62A1-46D0-92FF-2ED7C13D9B7E@sourcetagged.ian.co.uk>
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <3EF22CFB-62A1-46D0-92FF-2ED7C13D9B7E@sourcetagged.ian.co.uk>
Message-ID: 

On 10 Jan 2012, at 0859, Ian Mason wrote:
> While many hypothetical cases for privacy have been made here, stalking et al, there is a presumption in law (HRA) and in implicit social codes of conduct for a right to respect for privacy and family life, and systems that can breach those ought to be designed to effectively protect them except in the necessary circumstances and only in those circumstances.

I would be somewhat surprised were Article 8 rights to extend to driving cars. I'd certainly want to see some case law.

>
> In the case in point, monitoring traffic flows by recording individual vehicle movements, there is clearly a risk to legitimate privacy

I'm not so sure: I think it's at least arguable that driving a car is a privilege, not a right (cf the license you need in order to do it) and the state therefore has different obligations and constraints as compared to something that doesn't require a license. I don't have a dog in this fight, and I'm more interested in exploring the issues rather than declaiming a fixed position, but I'm not at all convinced that a right to drive without data being incidentally gathered about you really exists. Perhaps it should, but I don't think it exists today.
ian

From lists at internetpolicyagency.com  Tue Jan 10 12:01:21 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Tue, 10 Jan 2012 12:01:21 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <002f01cccf8d$a58f6bc0$f0ae4340$@net>
References: <20120107180303.7806668d@peterson.fenrir.org.uk> <002f01cccf8d$a58f6bc0$f0ae4340$@net>
Message-ID: 

In article <002f01cccf8d$a58f6bc0$f0ae4340$@net>, James Firth writes
>> That's essentially the same as the 24-bit hash used by the Highways
>> Agency, which while not unique to every vehicle is plenty good enough
>> as evidence in a murder investigation.
>
>Rather than give the entire feed to the police, surely it is possible to
>obtain a compromise whereby certain hashes can be added to a "watch list".
>Upon matching, the entire car index plate, location etc is revealed to the
>police.
>
>Oversight will then consist of accurate reports by the council/HA etc of the
>number of plates concurrently on the watch list each reporting period.
>
>This at least prevents some enterprising police forces storing the raw feed
>indefinitely.

I'd have thought historic data was of more use, and it depends on the query how intrusive it is. If hypothetically the police asked for "every Range Rover[1] in West London on 26th April 1999", that would be reasonably proportionate and not involve releasing the entire database.

[1] HA would have to ask DVLA for some correlating information.
-- 
Roland Perry

From tugwilson at gmail.com  Tue Jan 10 12:03:26 2012
From: tugwilson at gmail.com (John Wilson)
Date: Tue, 10 Jan 2012 12:03:26 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <002f01cccf8d$a58f6bc0$f0ae4340$@net>
References: <20120107180303.7806668d@peterson.fenrir.org.uk> <002f01cccf8d$a58f6bc0$f0ae4340$@net>
Message-ID: 

On 10 January 2012 11:47, James Firth wrote:
> Roland Perry wrote:
>> That's essentially the same as the 24-bit hash used by the Highways
>> Agency, which while not unique to every vehicle is plenty good enough
>> as
>> evidence in a murder investigation.
>
> Rather than give the entire feed to the police, surely it is possible to
> obtain a compromise whereby certain hashes can be added to a "watch list".
> Upon matching, the entire car index plate, location etc is revealed to the
> police.
>
> Oversight will then consist of accurate reports by the council/HA etc of the
> number of plates concurrently on the watch list each reporting period.
>
> This at least prevents some enterprising police forces storing the raw feed
> indefinitely.

In the Bucks CC scheme the Council owned and run cameras produce two data streams. One contains only the hash (it is claimed) and is polled by the Council's data centre. The other contains the full number plate data and is polled by Thames Valley Police. There is a reciprocal arrangement whereby the hash values from the Thames Valley Police cameras around Aylesbury are sent to the Council. In effect all traffic management ANPR cameras are also Police ANPR cameras. I'm not clear on the details of this arrangement but I have an FoI request pending and fully expect to get a copy of the Memorandum of Agreement which covers this.

This Bucks CC scheme was funded by central government to the tune of £350,000 for ANPR and CCTV cameras alone (govt funded the Aylesbury Urban Traffic Management and Control scheme to the tune of £4m in all).
This appears to be seen as a model for further schemes by the traffic management community.

Whilst the locations of the Council owned cameras are published, the locations of the TVP cameras used by the scheme are not. It's possible an FoI request to the council might force disclosure but I haven't tried that yet.

John Wilson

From clive at davros.org  Tue Jan 10 12:43:23 2012
From: clive at davros.org (Clive D.W. Feather)
Date: Tue, 10 Jan 2012 12:43:23 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: 
References: 
Message-ID: <20120110124323.GC59956@davros.org>

John Wilson said:
> The hash doesn't change over time. There's a FOI response from the
> Highways Agency which confirms that.
> (http://www.whatdotheyknow.com/request/48353/response/124187/attach/html/2/FOI%20response%20ref%2013068772.doc.html)

Actually, it doesn't say that.

If the person writing the answer thinks of the hash algorithm as being based on (say) the date rather than the date being something that's hashed, they would have answered the way they did.

-- 
Clive D.W. Feather          | If you lie to the compiler,
Email: clive at davros.org  | it will get its revenge.
Web: http://www.davros.org  |   - Henry Spencer
Mobile: +44 7973 377646

From clive at davros.org  Tue Jan 10 12:49:24 2012
From: clive at davros.org (Clive D.W. Feather)
Date: Tue, 10 Jan 2012 12:49:24 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: 
References: <20120109152618.GE7359@davros.org>
Message-ID: <20120110124924.GD59956@davros.org>

John Wilson said:
> However the number plate layout introduced in September 2001 should
> not require as much merging as the letters and digits are readily
> distinguishable by position.

Unfortunately not. Compare YB 54 ODK with Y 854 ODK with YBS 400 K. All valid registrations.

(If you delve far enough, it's possible to find registrations that differ only in the use of I v 1, such as EI 2 versus E 12.)

-- 
Clive D.W.
Feather | If you lie to the compiler,
Email: clive at davros.org  | it will get its revenge.
Web: http://www.davros.org  |   - Henry Spencer
Mobile: +44 7973 377646

From ukcrypto at sourcetagged.ian.co.uk  Tue Jan 10 13:21:20 2012
From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason)
Date: Tue, 10 Jan 2012 13:21:20 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: 
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <3EF22CFB-62A1-46D0-92FF-2ED7C13D9B7E@sourcetagged.ian.co.uk>
Message-ID: <39FCC158-8591-47F1-926F-772DCC5BF9FB@sourcetagged.ian.co.uk>

On 10 Jan 2012, at 11:51, Ian Batten wrote:
>
> On 10 Jan 2012, at 0859, Ian Mason wrote:
>
>> While many hypothetical cases for privacy have been made here,
>> stalking et al, there is a presumption in law (HRA) and in implicit
>> social codes of conduct for a right to respect for privacy and
>> family life, and systems that can breach those ought to be designed
>> to effectively protect them except in the necessary circumstances
>> and only in those circumstances.
>
> I would be somewhat surprised were Article 8 rights to extend to
> driving cars. I'd certainly want to see some case law.
>
>>
>> In the case in point, monitoring traffic flows by recording
>> individual vehicle movements, there is clearly a risk to legitimate
>> privacy
>
> I'm not so sure: I think it's at least arguable that driving a car
> is a privilege, not a right (cf the license you need in order to do
> it) and the state therefore has different obligations and
> constraints as compared to something that doesn't require a
> license. I don't have a dog in this fight, and I'm more
> interested in exploring the issues rather than declaiming a fixed
> position, but I'm not at all convinced that a right to drive without
> data being incidentally gathered about you really exists. Perhaps
> it should, but I don't think it exists today.
>

The Article 8 right is not conditioned directly by what you're doing - with the possible exception of the 'no privilege in iniquity' principle. As far as the HRA goes one simply has a right to privacy. If the government wish to interfere with that right they must have (1) a legitimate reason that is acceptable in a democratic society and (2) interfere only just enough (i.e. proportionately) to achieve (1).

Now, my whereabouts can most definitely be determined by where my vehicle is as it is (1) registered to me, (2) insured only for me to drive and both bits of information are available to the police and other governmental authorities. Knowing where I am is a question of privacy; the fact that I would object to all and sundry knowing my location at any arbitrary time is, I would argue, prima facie evidence that personal location has some aspect of privacy.

If I'm speeding, driving without insurance etc. I think it is reasonable for the government, if they have the ability, to know where I was when this happened. What is not reasonable, or proportionate, is to track where I am and indefinitely store that information just in case I might do something wrong or have done something wrong. The latter is the meat and drink of repressive closed societies like the former East Germany and China that we in the West have rightly and roundly condemned for many years. Why should it be acceptable here?

Ian

From lists at internetpolicyagency.com  Tue Jan 10 13:29:47 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Tue, 10 Jan 2012 13:29:47 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <20120110124323.GC59956@davros.org>
References: <20120110124323.GC59956@davros.org>
Message-ID: 

In article <20120110124323.GC59956 at davros.org>, Clive D.W. Feather writes
>> The hash doesn't change over time. There's a FOI response from the
>> Highways Agency which confirms that.
>> (http://www.whatdotheyknow.com/request/48353/response/124187/attach/html/2/FOI%20response%20ref%2013068772.doc.html)
>
>Actually, it doesn't say that.
>
>If the person writing the answer thinks of the hash algorithm as being
>based on (say) the date rather than the date being something that's hashed,
>they would have answered the way they did.

Indeed, and we know that the "no extra elements are introduced" part is a bit naive, because there's the elements that zero and "oh", or five and "es" are regarded as synonymous.
-- 
Roland Perry

From clive at davros.org  Tue Jan 10 13:34:35 2012
From: clive at davros.org (Clive D.W. Feather)
Date: Tue, 10 Jan 2012 13:34:35 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: 
References: <20120109152618.GE7359@davros.org>
Message-ID: <20120110133435.GE59956@davros.org>

John Wilson said:
> As the hash is only 24 bits and there are 34.5 million licensed
> vehicles on the road there must be collisions even if the hash
> function were perfect (and it's not).

Hmm. Let's assume for the moment that the overall algorithm brings 3 cars into one hash on average. Then that's about 11.5 million hashes. At 2-second spacing, a camera over a lane would see 1800 cars per hour, so let's assume 20,000 cars per day and assume no car passes the camera twice. What's the chance of a hash collision in that lot?

If I've done my algebra correctly, I get the probability of no collision as approximately:

    p = {r^k (n/r)!/(n/r - k)!} / {n!/(n - k)!}

where r = 3, n = 11.5 million, k = 20000. So that's:

    p = 3^20000 * 3833333! * 11480000! / (11500000! * 3813333!)

Using Stirling's formula and logs [ln n!
= n (ln n - 1) + 0.5 ln n + 1.837877] we get:

    ln p = 20000 ln 3 +  3833333 (ln  3833333 - 1) + 0.5 ln  3833333
                      + 11480000 (ln 11480000 - 1) + 0.5 ln 11480000
                      - 11500000 (ln 11500000 - 1) - 0.5 ln 11500000
                      -  3813333 (ln  3813333 - 1) - 0.5 ln  3813333

         = 21972.2458 +  3833333 (15.15925 - 1) + 0.5 * 15.15925
                      + 11480000 (16.25611 - 1) + 0.5 * 16.25611
                      - 11500000 (16.25786 - 1) - 0.5 * 16.25786
                      -  3813333 (15.15401 - 1) - 0.5 * 15.15401

         = -108.09

So the probability of a collision is 1 - 1.14e-47, or just about certain.

-- 
Clive D.W. Feather          | If you lie to the compiler,
Email: clive at davros.org  | it will get its revenge.
Web: http://www.davros.org  |   - Henry Spencer
Mobile: +44 7973 377646

From tugwilson at gmail.com  Tue Jan 10 13:34:52 2012
From: tugwilson at gmail.com (John Wilson)
Date: Tue, 10 Jan 2012 13:34:52 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <20120110124924.GD59956@davros.org>
References: <20120109152618.GE7359@davros.org> <20120110124924.GD59956@davros.org>
Message-ID: 

On 10 January 2012 12:49, Clive D.W. Feather wrote:
> John Wilson said:
>> However the number plate layout introduced in September 2001 should
>> not require as much merging as the letters and digits are readily
>> distinguishable by position.
>
> Unfortunately not. Compare YB 54 ODK with Y 854 ODK with YBS 400 K. All
> valid registrations.
>
> (If you delve far enough, it's possible to find registrations that differ
> only in the use of I v 1, such as EI 2 versus E 12.)

Yes they are all valid but Y 854 ODK and YBS 400 K were issued before 2001. My point is that the 2001 format is far more ANPR friendly. If you do the 0->O and 3->E transforms they are still unique. It's quite true that pre-2001 number plates should produce more clashes both with each other and with post-2001 number plates but they are a steadily declining proportion of the population.

John Wilson

From clive at davros.org  Tue Jan 10 13:36:03 2012
From: clive at davros.org (Clive D.W.
Feather)
Date: Tue, 10 Jan 2012 13:36:03 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <39FCC158-8591-47F1-926F-772DCC5BF9FB@sourcetagged.ian.co.uk>
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <3EF22CFB-62A1-46D0-92FF-2ED7C13D9B7E@sourcetagged.ian.co.uk> <39FCC158-8591-47F1-926F-772DCC5BF9FB@sourcetagged.ian.co.uk>
Message-ID: <20120110133603.GF59956@davros.org>

Ian Mason said:
> What is not reasonable, or proportionate, is
> to track where I am and indefinitely store that information just in
> case I might do something wrong or have done something wrong. The
> latter is the meat and drink of repressive closed societies like the
> former East Germany and China that we in the West have rightly and
> roundly condemned for many years.

I'm fairly sure that there's been ECHR case law on this, though I can't be bothered to search right now.

-- 
Clive D.W. Feather          | If you lie to the compiler,
Email: clive at davros.org  | it will get its revenge.
Web: http://www.davros.org  |   - Henry Spencer
Mobile: +44 7973 377646

From clive at davros.org  Tue Jan 10 13:37:34 2012
From: clive at davros.org (Clive D.W. Feather)
Date: Tue, 10 Jan 2012 13:37:34 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: 
References: <20120109152618.GE7359@davros.org> <20120110124924.GD59956@davros.org>
Message-ID: <20120110133734.GG59956@davros.org>

John Wilson said:
> My point is that the 2001 format is far more ANPR friendly. If you do
> the 0->O and 3->E transforms they are still unique.

Will that remain true from 2050 onwards, when we move to ABC 12 DE?

-- 
Clive D.W. Feather          | If you lie to the compiler,
Email: clive at davros.org  | it will get its revenge.
Web: http://www.davros.org  |   - Henry Spencer
Mobile: +44 7973 377646

From tugwilson at gmail.com  Tue Jan 10 13:39:53 2012
From: tugwilson at gmail.com (John Wilson)
Date: Tue, 10 Jan 2012 13:39:53 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <20120110124323.GC59956@davros.org>
References: <20120110124323.GC59956@davros.org>
Message-ID: 

On 10 January 2012 12:43, Clive D.W. Feather wrote:
> John Wilson said:
>> The hash doesn't change over time. There's a FOI response from the
>> Highways Agency which confirms that.
>> (http://www.whatdotheyknow.com/request/48353/response/124187/attach/html/2/FOI%20response%20ref%2013068772.doc.html)
>
> Actually, it doesn't say that.
>
> If the person writing the answer thinks of the hash algorithm as being
> based on (say) the date rather than the date being something that's hashed,
> they would have answered the way they did.

The Highways Agency have said that the hash involves the use of a prime number. They make no mention of date. If you used the date you'd lose track of all vehicles at midnight which is a pretty bad idea.

John Wilson

From tugwilson at gmail.com  Tue Jan 10 13:46:34 2012
From: tugwilson at gmail.com (John Wilson)
Date: Tue, 10 Jan 2012 13:46:34 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <20120110133435.GE59956@davros.org>
References: <20120109152618.GE7359@davros.org> <20120110133435.GE59956@davros.org>
Message-ID: 

On 10 January 2012 13:34, Clive D.W. Feather wrote:
> John Wilson said:
>> As the hash is only 24 bits and there are 34.5 million licensed
>> vehicles on the road there must be collisions even if the hash
>> function were perfect (and it's not).
>
> Hmm. Let's assume for the moment that the overall algorithm brings 3 cars
> into one hash on average. Then that's about 11.5 million hashes. At
> 2-second spacing, a camera over a lane would see 1800 cars per hour, so
> let's assume 20,000 cars per day and assume no car passes the camera twice.
> What's the chance of a hash collision in that lot?
>
> If I've done my algebra correctly, I get the probability of no collision
> as approximately:
>
>     p = {r^k (n/r)!/(n/r - k)!} / {n!/(n - k)!}
>
> where r = 3, n = 11.5 million, k = 20000. So that's:
>
>     p = 3^20000 *  3833333! * 11480000! / (11500000! * 3813333!)
>
> Using Stirling's formula and logs [ln n! = n (ln n - 1) + 0.5 ln n + 1.837877]
> we get:
>
>     ln p = 20000 ln 3 +  3833333 (ln  3833333 - 1) + 0.5 ln  3833333
>                       + 11480000 (ln 11480000 - 1) + 0.5 ln 11480000
>                       - 11500000 (ln 11500000 - 1) - 0.5 ln 11500000
>                       -  3813333 (ln  3813333 - 1) - 0.5 ln  3813333
>
>          = 21972.2458 +  3833333 (15.15925 - 1) + 0.5 * 15.15925
>                       + 11480000 (16.25611 - 1) + 0.5 * 16.25611
>                       - 11500000 (16.25786 - 1) - 0.5 * 16.25786
>                       -  3813333 (15.15401 - 1) - 0.5 * 15.15401
>
>          = -108.09
>
> So the probability of a collision is 1 - 1.14e-47, or just about certain.

Yes, collisions are quite common (the Sheffield paper points that out). The interesting question is, given an arbitrary hash, how many valid number plates could it represent? It's rather like the use of a postcode in "anonymised" data sets. It doesn't have to identify a single subject by itself as long as it narrows down the field sufficiently.

John Wilson

From david.goodenough at btconnect.com  Tue Jan 10 13:53:30 2012
From: david.goodenough at btconnect.com (David Goodenough)
Date: Tue, 10 Jan 2012 13:53:30 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <20120110133435.GE59956@davros.org>
References: <20120110133435.GE59956@davros.org>
Message-ID: <201201101353.31257.david.goodenough@btconnect.com>

On Tuesday 10 Jan 2012, Clive D.W.
Feather wrote: > John Wilson said: > > As the hash is only 24 bits and there are 34.5 million licensed > > vehicles on the road there must be collisions even if the hash > > function were perfect (and it's not). > > Hmm. Let's assume for the moment that the overall algorithm brings 3 cars > into one hash on average. Then that's about 11.5 million hashes. At > 2-second spacing, a camera over a lane would see 1800 cars per hour, so > let's assume 20,000 cars per day and assume no car passes the camera twice. > What's the chance of a hash collision in that lot? > > If I've done my algebra correctly, I get the probability of no collision > as approximately: > > p = {r^k (n/r)!/(n/r - k)!} / {n!/(n - k)!} > > where r = 3, n = 11.5 million, k = 20000. So that's: > > p = 3^20000 * 3833333! * 11480000! / (11500000! * 3813333!) > > Using Stirling's formula and logs [ln n! = n (ln n - 1) + 0.5 ln n + > 1.837877] we get: > > ln p = 20000 ln 3 + 3833333 (ln 3833333 - 1) + 0.5 ln 3833333 > + 11480000 (ln 11480000 - 1) + 0.5 ln 11480000 > - 11500000 (ln 11500000 - 1) - 0.5 ln 11500000 > - 3813333 (ln 3813333 - 1) - 0.5 ln 3813333 > > = 21972.2458 + 3833333 (15.15925 - 1) + 0.5 * 15.15925 > + 11480000 (16.25611 - 1) + 0.5 * 16.25611 > - 11500000 (16.25786 - 1) - 0.5 * 16.25786 > - 3813333 (15.15401 - 1) - 0.5 * 15.15401 > > = -108.09 > > So the probability of a collision is 1 - 1.14e-47, or just about certain. Have you factored in that most of the cars in a given area will share part of their number (all cars registered in Oxford in the post 2001 scheme start OX)? On a motorway this will not make much difference, in an urban setting it might well skew the distribution of plates. 
David

From james2 at jfirth.net Tue Jan 10 14:14:37 2012
From: james2 at jfirth.net (James Firth)
Date: Tue, 10 Jan 2012 14:14:37 -0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <39FCC158-8591-47F1-926F-772DCC5BF9FB@sourcetagged.ian.co.uk>
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <3EF22CFB-62A1-46D0-92FF-2ED7C13D9B7E@sourcetagged.ian.co.uk> <39FCC158-8591-47F1-926F-772DCC5BF9FB@sourcetagged.ian.co.uk>
Message-ID: <004401cccfa2$309d5290$91d7f7b0$@net>

Ian Mason wrote:
> Now,
> my whereabouts can most definitely be determined by where my vehicle
> is as it is (1) registered to me, (2) insured only for me to drive and
> both bits of information are available to the police and other
> governmental authorities.

Many people are insured to drive your vehicle through their own policies, on a temporary basis.

> If I'm speeding, driving without insurance etc. I think it is
> reasonable for the government, if they have the ability, to know where
> I was when this happened. What is not reasonable, or proportionate, is
> to track where I am and indefinitely store that information just in
> case I might do something wrong or have done something wrong.

However, if you also have a mobile phone in your pocket (or many built in to your car) your movements are already tracked and stored as required under the data retention directive. In a legislative environment where the EU has effectively mandated tracking to a far higher, more personalised degree than car number plates, when each car could be driven by any number of people, and each phone is highly unlikely to be carried by another person, then it's hard to make a case about proportionality and effectiveness for the tracking and storage of car number plates at a finite number of fixed locations.

I'm not condoning it, just pointing out the absurdity of arguing against one technology whilst another technology has arguably a far more intrusive data capture regime in place.

Yes, you can get from A to B without your phone. But you can beg/steal/borrow a car or even run the risk of using false plates. The latter being a clear example of how such laws never target seriously organised criminals - just the riff raff and the general law-abiding public.

James Firth

From lists at internetpolicyagency.com Tue Jan 10 14:18:31 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Tue, 10 Jan 2012 14:18:31 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <20120110124323.GC59956@davros.org>
Message-ID:

In article , John Wilson writes
>If you used the date you'd lose track of all vehicles at midnight
>which is a pretty bad idea.

Not if your stated purpose is measuring the flow of vehicles for road planning purposes. There's so little overnight traffic that it will hardly ever feature in the decision to build a new road.

--
Roland Perry

From ukcrypto at sourcetagged.ian.co.uk Tue Jan 10 15:07:17 2012
From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason)
Date: Tue, 10 Jan 2012 15:07:17 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <004401cccfa2$309d5290$91d7f7b0$@net>
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <3EF22CFB-62A1-46D0-92FF-2ED7C13D9B7E@sourcetagged.ian.co.uk> <39FCC158-8591-47F1-926F-772DCC5BF9FB@sourcetagged.ian.co.uk> <004401cccfa2$309d5290$91d7f7b0$@net>
Message-ID: <423D511F-64E0-45C7-A7BF-1BC705CA1A54@sourcetagged.ian.co.uk>

On 10 Jan 2012, at 14:14, James Firth wrote:
>
> I'm not condoning it, just pointing out the absurdity of arguing
> against one
> technology whilst another technology has arguably a far more
> intrusive data
> capture regime in place.
> There's nothing "absurd" about arguing about a lesser evil while a greater evil exists. By extension it would be absurd to argue about methods of preventing theft while murder, rape and other offences against the person still existed. Moreover, in the case of mobile location data, it is held by telcos and the state has to request (and pay for it) on a case-by-case basis, they don't have a wholesale catalogue of mobile phone movements. In the current ANPR case we're discussing, the state (the police) have the full, un-anonymized, data set directly. From my own direct experience of seeing the police from the inside, once they have a set of data about people they will dip into it casually as it suits their purposes with little or no internal controls operating to ensure that the use is necessary, justified, proportionate or any of the other words we'd like to see associated with such use*. When they have to stump up money to a third party, or a third party knows that there is a possible liability associated with releasing data, both act as controls on the extent of abuse or misuse that is likely. Granted, that is not a primary application of the necessary controls, nor is it as desirable as proper formal controls, but it is better than unfettered access. * I once watched a PNC terminal used to run a check on the registration of the Prime Minister's armoured Jaguar that had just pulled up in front of the nick, "Just to see what it says". The only extant control at the time was a paper log book next to the PNC terminal that had to be filled in for every query. Needless to say, no log entry was made for this query. The terminal next to it provided access to the whole of the UK's electoral rolls, the one next to that accessed BT's directory enquiries system including ex-directory numbers - neither of those even had a log book. Anybody with access to the incident room had access to any of these three terminals. I hope and trust that better controls exist nowadays. 
Ian

From chl at clerew.man.ac.uk Tue Jan 10 16:51:09 2012
From: chl at clerew.man.ac.uk (Charles Lindsey)
Date: Tue, 10 Jan 2012 16:51:09 -0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <20120109152618.GE7359@davros.org>
References: <20120109152618.GE7359@davros.org>
Message-ID:

On Mon, 09 Jan 2012 15:26:18 -0000, Clive D.W. Feather wrote:
> (Hmm, how much larger is it? Let's see. The possible registrations are,
> roughly:
>
>   aa nnnn   nnnn aa   aaa nnn   nnn aaa   aaa nnn a   a nnn aaa   aa nn aaa
>   6.25M     6.25M     14.4M     14.4M     302M        302M
>
> The last set is 153M so far, growing at 14.6M per annum. So about 800
> million at the moment.]

So about 10 cars per member of the population :-( .

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

From dfawcus+lists-ukcrypto at employees.org Tue Jan 10 21:52:00 2012
From: dfawcus+lists-ukcrypto at employees.org (Derek Fawcus)
Date: Tue, 10 Jan 2012 13:52:00 -0800
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <004401cccfa2$309d5290$91d7f7b0$@net>
References: <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <3EF22CFB-62A1-46D0-92FF-2ED7C13D9B7E@sourcetagged.ian.co.uk> <39FCC158-8591-47F1-926F-772DCC5BF9FB@sourcetagged.ian.co.uk> <004401cccfa2$309d5290$91d7f7b0$@net>
Message-ID: <20120110215200.GA32625@banjo.employees.org>

On Tue, Jan 10, 2012 at 02:14:37PM -0000, James Firth wrote:
>
> However, if you also have a mobile phone in your pocket (or many built in to
> your car) your movements are already tracked and stored as required under
> the data retention directive.

An unregistered PAYG phone. The phone is tracked, but who is the owner? Yeah - they could do traffic analysis on calls to give hints as to owner.

.pdf

From ukcrypto at absent-minded.com Wed Jan 11 08:27:02 2012
From: ukcrypto at absent-minded.com (Mark Lomas)
Date: Wed, 11 Jan 2012 08:27:02 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <20120110215200.GA32625@banjo.employees.org>
References: <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <3EF22CFB-62A1-46D0-92FF-2ED7C13D9B7E@sourcetagged.ian.co.uk> <39FCC158-8591-47F1-926F-772DCC5BF9FB@sourcetagged.ian.co.uk> <004401cccfa2$309d5290$91d7f7b0$@net> <20120110215200.GA32625@banjo.employees.org>
Message-ID:

The authorities can deduce useful information about such phones without traffic analysis.

I remember a police officer explaining the investigation of a kidnapping. The kidnappers used a PAYG phone that was only switched on while making ransom calls, never used to call any other phones, and taken to a new location each time it was used. Consequently neither an intercept nor traffic analysis would reveal information the police didn't already have.

Instead the police took the lists of all other phones in the same cells at the times of the calls (the data James mentioned) and looked for phones that were nearby on more than one occasion.

Mark

On 10 January 2012 21:52, Derek Fawcus wrote:
> On Tue, Jan 10, 2012 at 02:14:37PM -0000, James Firth wrote:
> >
> > However, if you also have a mobile phone in your pocket (or many built
> in to
> > your car) your movements are already tracked and stored as required under
> > the data retention directive.
>
> An unregistered PAYG phone. The phone is tracked, but who is the owner?
> Yeah - they could do traffic analysis on calls to give hints as to owner.
>
> .pdf
>
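Clive Feather's no-collision estimate, John Wilson's question of how many valid plates one hash value could stand for, and the roughly 800 million plate space that Charles Lindsey quotes from Clive all come down to arithmetic that is easy to get subtly wrong by hand. The Python below is an editor-added worked example, not code from anyone in the thread. It evaluates Clive's expression with math.lgamma (exact log-factorials, which sidesteps the precision lost when a five-decimal logarithm is multiplied by a count in the millions; the conclusion that a collision is essentially certain is unchanged), divides the plate space and the 34.5 million licensed vehicles by 2^24, and runs a truncated-SHA-1 stand-in for the unpublished UTMC function over constructed synthetic plates to compare observed collisions with the birthday estimate. The stand-in hash, the synthetic plates and the letter set are assumptions for illustration only; the real "depersonalisation" algorithm is not on the page.

```python
"""Collision arithmetic for a 24-bit number-plate hash.

Editor-added worked example (not code from the thread). Figures taken from
the thread: ~800 million syntactically possible plates, 34.5 million licensed
vehicles, Clive's r = 3, n = 11.5 million, k = 20,000. Everything else here
(the SHA-1 stand-in, the synthetic plates) is constructed for illustration.
"""
import hashlib
import math
import random

HASH_BITS = 24
HASH_SPACE = 1 << HASH_BITS          # 16,777,216 possible 24-bit values


def ln_no_collision(n=11_500_000, r=3, k=20_000):
    """ln P(no collision among k cars) when n/r distinct hash values are in use.

    Clive's expression:  p = r^k * (n/r)! / (n/r - k)!  /  ( n! / (n - k)! )
    math.lgamma(x + 1) is ln(x!) to full double precision, so the huge
    factorial terms cancel without the rounding error that creeps in when a
    five-decimal logarithm is multiplied by a number in the millions.
    """
    def lnfact(x):
        return math.lgamma(x + 1)

    m = n // r                        # 3,833,333 hash values in use
    return (k * math.log(r)
            + lnfact(m) - lnfact(m - k)
            - lnfact(n) + lnfact(n - k))


def collision_probability(**kw):
    """P(at least one collision) = 1 - p."""
    return 1.0 - math.exp(ln_no_collision(**kw))


def plates_per_hash(plate_space=800_000_000, vehicles=34_500_000):
    """Average number of (a) syntactically valid plates and (b) licensed
    vehicles that share any one 24-bit hash value."""
    return plate_space / HASH_SPACE, vehicles / HASH_SPACE


def hash24(plate: str) -> int:
    """Stand-in for the unpublished UTMC function: SHA-1 truncated to 24 bits.
    (An assumption for illustration; the real algorithm is not on the page.)"""
    return int.from_bytes(hashlib.sha1(plate.encode()).digest()[:3], "big")


def synthetic_plates(count, seed=1):
    """Constructed sample of post-2001-style plates (two letters, two digits,
    three letters, e.g. OX11ABC). Not real registrations; the letter set
    (A-Z without I and Q) is an approximation of the real rules."""
    rng = random.Random(seed)
    letters = "ABCDEFGHJKLMNOPRSTUVWXYZ"
    plates = set()
    while len(plates) < count:
        plates.add("".join(rng.choice(letters) for _ in range(2))
                   + f"{rng.randrange(100):02d}"
                   + "".join(rng.choice(letters) for _ in range(3)))
    return sorted(plates)


def count_collisions(plates):
    """Number of plates whose hash was already produced by an earlier plate,
    alongside the birthday estimate k^2 / (2 * 2^24)."""
    seen = set()
    colliding = 0
    for p in plates:
        h = hash24(p)
        if h in seen:
            colliding += 1
        seen.add(h)
    expected = len(plates) ** 2 / (2 * HASH_SPACE)
    return colliding, expected


if __name__ == "__main__":
    lnp = ln_no_collision()
    print(f"ln p = {lnp:.2f}; P(no collision) = {math.exp(lnp):.2e}")
    print("plates per hash value (possible, licensed): %.1f, %.2f"
          % plates_per_hash())
    print("observed / expected collisions in 100k synthetic plates: %d / %.0f"
          % count_collisions(synthetic_plates(100_000)))
```

Read the output as a risk statement rather than a curiosity: with about two licensed vehicles behind each 24-bit value, the "depersonalised" feed is a pseudonym for a very small candidate set, which is exactly the postcode analogy John draws, and collisions within a day's traffic at one camera are a certainty whichever exponent the hand calculation produces.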
From bdm at fenrir.org.uk Wed Jan 11 11:18:04 2012
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Wed, 11 Jan 2012 11:18:04 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <3EF22CFB-62A1-46D0-92FF-2ED7C13D9B7E@sourcetagged.ian.co.uk> <39FCC158-8591-47F1-926F-772DCC5BF9FB@sourcetagged.ian.co.uk> <004401cccfa2$309d5290$91d7f7b0$@net> <20120110215200.GA32625@banjo.employees.org>
Message-ID: <20120111111804.00279e5d@peterson.fenrir.org.uk>

On Wed, 11 Jan 2012 08:27:02 +0000
Mark Lomas wrote:

> I remember a police officer explaining the investigation of a kidnapping.
> The kidnappers used a PAYG phone that was only switched on while making
> ransom calls, never used to call any other phones, and taken to a new
> location each time it was used. Consequently neither an intercept nor
> traffic analysis would reveal information the police didn't already have.
>
> Instead the police took the lists of all other phones in the same cells at
> the times of the calls (the data James mentioned) and looked for phones
> that were nearby on more than one occasion.

So the disciplined kidnapper needs to ensure that any personal phones are switched off and that they have a number of other PAYG phones to use for other calls which they dispose of carefully after use and have only topped up with cash at places without CCTV.

--
Brian Morrison
bdm at fenrir dot org dot uk

"Arguing with an engineer is like wrestling with a pig in the mud;
after a while you realize you are muddy and the pig is enjoying it."

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

From james2 at jfirth.net Wed Jan 11 11:52:54 2012
From: james2 at jfirth.net (James Firth)
Date: Wed, 11 Jan 2012 11:52:54 -0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <20120111111804.00279e5d@peterson.fenrir.org.uk>
References: <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <3EF22CFB-62A1-46D0-92FF-2ED7C13D9B7E@sourcetagged.ian.co.uk> <39FCC158-8591-47F1-926F-772DCC5BF9FB@sourcetagged.ian.co.uk> <004401cccfa2$309d5290$91d7f7b0$@net> <20120110215200.GA32625@banjo.employees.org> <20120111111804.00279e5d@peterson.fenrir.org.uk>
Message-ID: <006c01ccd057$8ec59f70$ac50de50$@net>

Brian Morrison wrote:
> Mark Lomas wrote:
>
> > I remember a police officer explaining the investigation of a kidnapping.
> > The kidnappers used a PAYG phone that was only switched on while making
> > ransom calls, never used to call any other phones, and taken to a new
> > location each time it was used. Consequently neither an intercept nor
> > traffic analysis would reveal information the police didn't already have.
> >
> > Instead the police took the lists of all other phones in the same cells at
> > the times of the calls (the data James mentioned) and looked for phones
> > that were nearby on more than one occasion.
>
> So the disciplined kidnapper needs to ensure that any personal phones
> are switched off and that they have a number of other PAYG phones to
> use for other calls which they dispose of carefully after use and
> have only topped up with cash at places without CCTV.

Switching off a phone which is normally otherwise on could also be a giveaway, assuming MNOs are able to provide lists of phones de-registering in any given time frame. An attacker would be better yanking the battery than switching off, as this doesn't de-register the phone and has a similar signature to driving out of range (or is at least harder to spot).
Of course the best option would be to leave own phone at home (an even better option being not to kidnap anyone in the first place). I wonder if any civilian network implements the "Ambience Listening" feature of TETRA? http://www.tetramou.com/about/page/12321 James Firth From lists at internetpolicyagency.com Wed Jan 11 12:32:36 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 11 Jan 2012 12:32:36 +0000 Subject: Buckinghamshire CC ANPR cameras In-Reply-To: <006c01ccd057$8ec59f70$ac50de50$@net> References: <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <3EF22CFB-62A1-46D0-92FF-2ED7C13D9B7E@sourcetagged.ian.co.uk> <39FCC158-8591-47F1-926F-772DCC5BF9FB@sourcetagged.ian.co.uk> <004401cccfa2$309d5290$91d7f7b0$@net> <20120110215200.GA32625@banjo.employees.org> <20120111111804.00279e5d@peterson.fenrir.org.uk> <006c01ccd057$8ec59f70$ac50de50$@net> Message-ID: In article <006c01ccd057$8ec59f70$ac50de50$@net>, James Firth writes >I wonder if any civilian network implements the "Ambience Listening" feature >of TETRA? >http://www.tetramou.com/about/page/12321 It's the phone rather than the network. Easy to do with Android. 
-- Roland Perry From igb at batten.eu.org Wed Jan 11 12:41:10 2012 From: igb at batten.eu.org (Ian Batten) Date: Wed, 11 Jan 2012 12:41:10 +0000 Subject: Buckinghamshire CC ANPR cameras In-Reply-To: <20120111111804.00279e5d@peterson.fenrir.org.uk> References: <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <3EF22CFB-62A1-46D0-92FF-2ED7C13D9B7E@sourcetagged.ian.co.uk> <39FCC158-8591-47F1-926F-772DCC5BF9FB@sourcetagged.ian.co.uk> <004401cccfa2$309d5290$91d7f7b0$@net> <20120110215200.GA32625@banjo.employees.org> <20120111111804.00279e5d@peterson.fenrir.org.uk> Message-ID: <065EC1EC-B056-4057-8EBB-2695E70D4F56@batten.eu.org> > > So the disciplined kidnapper needs to ensure that any personal phones > are switched off and that they have a number of other PAYG phones to > use for other calls which they dispose of carefully after use and > have only topped up with cash at places without CCTV. As a variation on the idea "law abiding criminals" are common, I think what we might call the Moriarty Delusion is another. To criminals who have a predilection to break one law but an utter refusal to break others, and their close relatives the criminals who are obsessed with the idea of breaking a particular law even if it makes no sense for them so to do, we can add criminals who are able to pull off crimes through their absolute adherence to a discipline that is both perfect and perfectly effective. Criminals that are motivated by a common political bond select on how fervent they are, not how competent they are. 
If they can come up with a scheme that is not being defended against, they might be able to pull something off whilst being operationally leaky (9/11, 7/7), but that's not because they are master criminals, but because they're doing something that is new and difficult to defend against, but mostly because they don't care if they die in the process and our security systems are often built around an assumption that the opponents don't want to be caught, never mind killed. Until the crime starts, you're just another civilian; once the crime is in progress, you're planning to be dead in fifteen minutes: a very difficult thing to defend against. But these sorts of crimes are incredibly rare. Most crime is carried out by people who not merely want to live, but want to make money. Their incentive is economic. If they could carry out a bank robbery netting 1.1x at the same risk level as a kidnapping netting 1x, they will do so: their interest is in the ransom, not the hostage-taking. If there's one criminal, their scope is inherently limited. If there's multiple criminals, they won't operate with military discipline, they won't trust each other, they won't be happy about their share, they won't believe what other criminals tell them thinking it's self-interest, etc, etc. A highly-trained, perfectly-informed, totally disciplined gang of uber-criminals would be a formidable opponent; in reality, either they don't exist, or carry out crimes so subtle that they don't even appear to be crimes. Kidnappings are a desperate crime, carried out by people who are intending to get money. It involves lots of people, not all of them necessarily competent, and as well as needing to build a plan to avoid communications surveillance they have to agree and execute a plan that is complex in many dimensions. 
They need transport, accommodation, food, money to execute the crime, weapons, a means to launder the money, a means to spend it without detection, an agreement amongst themselves as to whether they're prepared to commit murder, a means to forensically clean everything they do, etc, etc, etc. And a team of people large enough to contain the skills, disciplined enough to use them, and small enough not to form factions and fight over the take. Using PAYG phones is just one tiny part of their problem. ian From chris-ukcrypto at lists.skipnote.org Wed Jan 11 14:49:03 2012 From: chris-ukcrypto at lists.skipnote.org (Chris Edwards) Date: Wed, 11 Jan 2012 14:49:03 +0000 (GMT) Subject: Buckinghamshire CC ANPR cameras In-Reply-To: <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> Message-ID: On Mon, 9 Jan 2012, Ian Batten wrote: | I think the idea that you can drive around in public, in a taxed, | insured vehicle with big clear identification marks at each end, where | there are clear public interests in ensuring that the vehicle is taxed, | insured and MoT'd, and where a variety of crimes can be deterred, | detected and punished by simply reading the identifying marks placed | there for that very purpose, and still have an expectation that you can | do so without your location being occasionally made available is | fantastical. Cars are dangerous things, which society rightly regulates | in terms of who can own and use and the conditions under which they can | be owned and used. I think claiming that you have a right to anonymity | under those circumstances is a real case of begging the question. Fair enough, but does policing of car use justify the state keeping ANPR type data *indefinitely* ? 
From chris-ukcrypto at lists.skipnote.org Wed Jan 11 14:56:04 2012
From: chris-ukcrypto at lists.skipnote.org (Chris Edwards)
Date: Wed, 11 Jan 2012 14:56:04 +0000 (GMT)
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <20120111111804.00279e5d@peterson.fenrir.org.uk>
References: <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <3EF22CFB-62A1-46D0-92FF-2ED7C13D9B7E@sourcetagged.ian.co.uk> <39FCC158-8591-47F1-926F-772DCC5BF9FB@sourcetagged.ian.co.uk> <004401cccfa2$309d5290$91d7f7b0$@net> <20120110215200.GA32625@banjo.employees.org> <20120111111804.00279e5d@peterson.fenrir.org.uk>
Message-ID:

On Wed, 11 Jan 2012, Brian Morrison wrote:

| On Wed, 11 Jan 2012 08:27:02 +0000
| Mark Lomas wrote:
|
| > Instead the police took the lists of all other phones in the same cells at
| > the times of the calls (the data James mentioned) and looked for phones
| > that were nearby on more than one occasion.
|
| So the disciplined kidnapper needs to ensure that any personal phones
| are switched off

Right.

| and that they have a number of other PAYG phones to use for other calls
| which they dispose of carefully after use

I'm not sure how a kidnapper using a fresh PAYG phone for each call makes any difference (to this exact scenario). Simply given knowledge of what cell each call was made from, the police can look for *other* phones nearby on multiple occasions.

From bdm at fenrir.org.uk Wed Jan 11 15:29:03 2012
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Wed, 11 Jan 2012 15:29:03 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <3EF22CFB-62A1-46D0-92FF-2ED7C13D9B7E@sourcetagged.ian.co.uk> <39FCC158-8591-47F1-926F-772DCC5BF9FB@sourcetagged.ian.co.uk> <004401cccfa2$309d5290$91d7f7b0$@net> <20120110215200.GA32625@banjo.employees.org> <20120111111804.00279e5d@peterson.fenrir.org.uk>
Message-ID: <20120111152903.66df0d85@peterson.fenrir.org.uk>

On Wed, 11 Jan 2012 14:56:04 +0000 (GMT)
Chris Edwards wrote:

> | and that they have a number of other PAYG phones to use for other calls
> | which they dispose of carefully after use
>
> I'm not sure how a kidnapper using a fresh PAYG phone for each call makes
> any difference (to this exact scenario). Simply given knowledge of what
> cell each call was made from, the police can look for *other* phones nearby
> on multiple occasions.

Which is why I said that such phones should be switched off, if necessary for the entire time that the kidnapping is being done.

--
Brian Morrison
bdm at fenrir dot org dot uk

"Arguing with an engineer is like wrestling with a pig in the mud;
after a while you realize you are muddy and the pig is enjoying it."

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

From lists at internetpolicyagency.com Wed Jan 11 15:54:47 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 11 Jan 2012 15:54:47 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <20120111152903.66df0d85@peterson.fenrir.org.uk>
References: <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <3EF22CFB-62A1-46D0-92FF-2ED7C13D9B7E@sourcetagged.ian.co.uk> <39FCC158-8591-47F1-926F-772DCC5BF9FB@sourcetagged.ian.co.uk> <004401cccfa2$309d5290$91d7f7b0$@net> <20120110215200.GA32625@banjo.employees.org> <20120111111804.00279e5d@peterson.fenrir.org.uk> <20120111152903.66df0d85@peterson.fenrir.org.uk>
Message-ID:

In article <20120111152903.66df0d85 at peterson.fenrir.org.uk>, Brian Morrison writes
>> | and that they have a number of other PAYG phones to use for other calls
>> | which they dispose of carefully after use
>>
>> I'm not sure how a kidnapper using a fresh PAYG phone for each call makes
>> any difference (to this exact scenario). Simply given knowledge of what
>> cell each call was made from, the police can look for *other* phones nearby
>> on multiple occasions.
>
>Which is why I said that such phones should be switched off, if
>necessary for the entire time that the kidnapping is being done.

I think what we are missing here is whether or not the location of the ransom call is correlated with where the victim is being held, or where any of the kidnappers lives or did the planning. Without wishing to give anyone ideas, the objective here is to anonymise the location, or if not make sure it's "none of the above".
--
Roland Perry

From k.brown at bbk.ac.uk Wed Jan 11 15:01:07 2012
From: k.brown at bbk.ac.uk (k.brown at bbk.ac.uk)
Date: Wed, 11 Jan 2012 15:01:07 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org>
Message-ID:

As to whether it's legal or justified to keep such data, there is, I assume, no law against anyone standing at the side of the road and jotting down registration numbers on a pad. Or storing them in a computer.

It's hard to imagine the government passing a law that stops its own agencies doing things that private citizens are permitted to do.

It's easy to imagine a law against such things that would also criminalise trainspotting. (Maybe they have one in Greece)

From lists at internetpolicyagency.com Wed Jan 11 17:10:50 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 11 Jan 2012 17:10:50 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org>
Message-ID:

In article , "k.brown at bbk.ac.uk" writes
>As to whether it's legal or justified to keep such data, there is, I
>assume, no law against anyone standing at the side of the road and
>jotting down registration numbers on a pad. Or storing them in a
>computer.

Under a personal use exemption, perhaps. But otherwise it's processing personal data and would require compliance with DPA.

--
Roland Perry

From dfawcus+lists-ukcrypto at employees.org Wed Jan 11 17:14:16 2012
From: dfawcus+lists-ukcrypto at employees.org (Derek Fawcus)
Date: Wed, 11 Jan 2012 09:14:16 -0800
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org>
Message-ID: <20120111171415.GA81624@banjo.employees.org>

On Wed, Jan 11, 2012 at 03:01:07PM +0000, k.brown at bbk.ac.uk wrote:
>
> It's hard to imagine the government passing a law that stops its own
> agencies doing things that private citizens are permitted to do.

I thought the general rule was that the state is only permitted to do such things as are authorised by statute, vs the people being allowed to do anything not barred by statute (or law)? i.e. without a statute allowing it, they shouldn't do it.

.pdf

From ben at liddicott.com Wed Jan 11 20:20:14 2012
From: ben at liddicott.com (Ben Liddicott)
Date: Wed, 11 Jan 2012 20:20:14 -0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org>
Message-ID:

There is a "Domestic Use" exemption in the DPA which doubtless covers a personal hobby, as well as all the recordkeeping required to pay bills, keep in touch with friends, enemies, manage private debts, and everything else which is commonly done domestically.

-----Original Message-----
From: Roland Perry
Sent: Wednesday, January 11, 2012 5:10 PM

In article , "k.brown at bbk.ac.uk" writes
>As to whether it's legal or justified to keep such data, there is, I
>assume, no law against anyone standing at the side of the road and
>jotting down registration numbers on a pad. Or storing them in a
>computer.

Under a personal use exemption, perhaps. But otherwise it's processing personal data and would require compliance with DPA.

From ben at liddicott.com Wed Jan 11 20:23:50 2012
From: ben at liddicott.com (Ben Liddicott)
Date: Wed, 11 Jan 2012 20:23:50 -0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <20120111171415.GA81624@banjo.employees.org>
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <20120111171415.GA81624@banjo.employees.org>
Message-ID: <5EC466314DA344A08002B261B78E63BB@ROCKET>

AFAIK, that is correct, or at least that goes for most government agencies, which are delegated to carry out the responsibilities of the Secretaries of State, and cannot do anything not authorised by HM Secretary of State in pursuance of his statutory responsibilities.

There are exceptions: Certain things were historically not done authorised by statute, for example the issuance of passports, and pardons. But passports are optional - no-one was traditionally entitled to a passport (though that may have changed with the IPS legislation) or obliged to apply for one, and one is not required to leave or re-enter the country. You may need it to enter your destination country however, and the airlines tend to ask for one for that reason.

-----Original Message-----
From: Derek Fawcus
Sent: Wednesday, January 11, 2012 5:14 PM

On Wed, Jan 11, 2012 at 03:01:07PM +0000, k.brown at bbk.ac.uk wrote:
>
> It's hard to imagine the government passing a law that stops its own
> agencies doing things that private citizens are permitted to do.

I thought the general rule was that the state is only permitted to do such things as are authorised by statute, vs the people being allowed to do anything not barred by statute (or law)? i.e. without a statute allowing it, they shouldn't do it.
From jon+ukcrypto at unequivocal.co.uk Wed Jan 11 17:20:35 2012 From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens) Date: Wed, 11 Jan 2012 17:20:35 +0000 Subject: Buckinghamshire CC ANPR cameras In-Reply-To: <20120111171415.GA81624@banjo.employees.org> References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <20120111171415.GA81624@banjo.employees.org> Message-ID: <20120111172035.GJ5937@snowy.squish.net> On Wed, Jan 11, 2012 at 09:14:16AM -0800, Derek Fawcus wrote: > On Wed, Jan 11, 2012 at 03:01:07PM +0000, k.brown at bbk.ac.uk wrote: > > Its hard to imagine the government passing a law that stops its own > > agencies doing things that private citizens are permitted to do. > > I thought the general rule was that the state is only permitted to > do such things as are authorised by statute, vs the people being > allowed to do anything not barred by statute (or law)? No, not really. Some government-type bodies are only allowed to do things in pursuit of aims that are explicitly permitted, e.g. local councils. However even this has changed with the passage of the Localism Act 2011. From lists at internetpolicyagency.com Wed Jan 11 21:06:43 2012 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 11 Jan 2012 21:06:43 +0000 Subject: Buckinghamshire CC ANPR cameras In-Reply-To: References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> Message-ID: In article , Ben Liddicott writes >Under a personal use exemption, perhaps. But otherwise it's processing >personal data and would require compliance with DPA. 
There seems to be an echo in here :)

--
Roland Perry

From nbohm at ernest.net Wed Jan 11 17:30:19 2012
From: nbohm at ernest.net (Nicholas Bohm)
Date: Wed, 11 Jan 2012 17:30:19 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org>
Message-ID: <4F0DC72B.3090807@ernest.net>

On 11/01/2012 15:01, k.brown at bbk.ac.uk wrote:
> As to whether it's legal or justified to keep such data, there is, I
> assume, no law against anyone standing at the side of the road and
> jotting down registration numbers on a pad. Or storing them in a
> computer.
>
> It's hard to imagine the government passing a law that stops its own
> agencies doing things that private citizens are permitted to do.

Or it would be hard if the Human Rights Act hadn't done exactly that.

Nicholas
--
Contact and PGP key here

From ben at liddicott.com Wed Jan 11 21:25:04 2012
From: ben at liddicott.com (Ben Liddicott)
Date: Wed, 11 Jan 2012 21:25:04 -0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org>
Message-ID:

Not sure what you are asking here? If the message is wrongly formatted could you please forward it as an attachment for me to see, as it looks OK in my sent items.

Thanks,
Ben

-----Original Message-----
From: Roland Perry
Sent: Wednesday, January 11, 2012 9:06 PM
To: ukcrypto at chiark.greenend.org.uk
Subject: Re: Buckinghamshire CC ANPR cameras

In article , Ben Liddicott writes
>Under a personal use exemption, perhaps. But otherwise it's processing
>personal data and would require compliance with DPA.
There seems to be an echo in here :)

--
Roland Perry

From igb at batten.eu.org Wed Jan 11 23:38:21 2012
From: igb at batten.eu.org (Ian Batten)
Date: Wed, 11 Jan 2012 23:38:21 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org>
Message-ID:

On 11 Jan 2012, at 17:10, Roland Perry wrote:

> In article , "k.brown at bbk.ac.uk" writes
>> As to whether it's legal or justified to keep such data, there is, I
>> assume, no law against anyone standing at the side of the road and
>> jotting down registration numbers on a pad. Or storing them in a
>> computer.
>
> Under a personal use exemption, perhaps. But otherwise it's processing personal data and would require compliance with DPA.

I realise this stuff is meat and drink to you, Roland, but I'd like to see some evidence that the registration plates on cars driving past my house are personal data. Whose? And why?

> "personal data" means data which relate to a living individual who can be identified -
> (a) from those data, or
> (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

A car index mark relates to individuals, but clearly doesn't pass test (a), and test (b) isn't met for an individual, and would be a matter for debate about the governance associated with DVLA lookups if the processing is being done by the government.
ian

From lists at internetpolicyagency.com Thu Jan 12 08:37:42 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 12 Jan 2012 08:37:42 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org>
Message-ID: <0KtUQWqWvpDPFAZn@perry.co.uk>

In article , Ian Batten writes
>I'd like to see some evidence that the registration plates on cars
>driving past my house are personal data. Whose? And why?

http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf

"a person may be identified directly by name or indirectly by a telephone number, a car registration number, a social security number, a passport number or by a combination of significant criteria which allows him to be recognized by narrowing down the group to which he belongs (age, occupation, place of residence, etc.)".

--
Roland Perry

From chris-ukcrypto at lists.skipnote.org Thu Jan 12 09:28:56 2012
From: chris-ukcrypto at lists.skipnote.org (Chris Edwards)
Date: Thu, 12 Jan 2012 09:28:56 +0000 (GMT)
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <0KtUQWqWvpDPFAZn@perry.co.uk>
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <0KtUQWqWvpDPFAZn@perry.co.uk>
Message-ID:

On Thu, 12 Jan 2012, Roland Perry wrote:

| http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf
|
| "a person may be identified directly by name or indirectly by a
| telephone number, a car registration number, a social security
| number, a passport number or by a combination of significant
| criteria which allows him to be recognized by narrowing down the
| group to which he belongs (age, occupation, place of residence,
| etc.)".

Does that apply to *all* processing of registration numbers? Or only if the controller can realistically turn it into a name?
E.g. a garage collects registrations of its customers, and can turn them into names via its records. So personal data. But the typical (non-government) ANPR operator may collect loads of registrations, the vast majority of which they are unable (as Ian notes) to turn into a name, as they don't have access to the DVLA database.

From fjmd1a at gmail.com Thu Jan 12 09:46:27 2012
From: fjmd1a at gmail.com (Francis Davey)
Date: Thu, 12 Jan 2012 09:46:27 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <0KtUQWqWvpDPFAZn@perry.co.uk>
Message-ID:

2012/1/12 Chris Edwards :
>
> Does that apply to *all* processing of registration numbers? Or only if
> the controller can realistically turn it into a name?

That depends on who you ask. If you ask Directive 95/46/EC it defines personal data as follows:

'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

Note that the directive does not restrict "identifiable" to "identifiable by the data controller". It seems to me that the purpose of the directive - or at least one of them - is to prevent personal data from being misused not by the data controller but by others, including those who obtain it unlawfully, eg through theft. So, if I process data which, though I could not misuse it, would be mis-usable by someone else, I am held to various standards of data security in order to prevent that happening.

The Data Protection Act 1998 doesn't seem to take the same view. It says:

"personal data" means data which relate to a living individual who can be identified -
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

Now that's a much more restrictive definition as it restricts "identifiable" to mean either objectively identifiable from the data or identifiable with additional information by the data controller. Data in my hands that I am unlikely to be able to identify as belonging to an individual would not be personal data. That would, in turn, mean I had no security obligations to prevent it falling into the hands of someone who could identify it.

That, in my view, seems like it's a failure to implement the directive. My reading of the Commission's objections is that they think so too. The draft regulation would override the DPA in this respect and we'd see a change in English law (or we ought to).

>
> E.g. a garage collects registrations of its customers, and can turn them
> into names via its records. So personal data. But the typical
> (non-government) ANPR operator may collect loads of registrations, the
> vast majority of which they are unable (as Ian notes) to turn into a name,
> as they don't have access to the DVLA database.
>

Exactly so. EU and English law differ.

--
Francis Davey

From clive at davros.org Thu Jan 12 10:05:33 2012
From: clive at davros.org (Clive D.W. Feather)
Date: Thu, 12 Jan 2012 10:05:33 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <0KtUQWqWvpDPFAZn@perry.co.uk>
Message-ID: <20120112100533.GA62241@davros.org>

Chris Edwards said:
> | http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf
> |
> | "a person may be identified directly by name or indirectly by a
> | telephone number, a car registration number, a social security
> | number, a passport number or by a combination of significant
> | criteria which allows him to be recognized by narrowing down the
> | group to which he belongs (age, occupation, place of residence,
> | etc.)".
>
> Does that apply to *all* processing of registration numbers? Or only if
> the controller can realistically turn it into a name?

The EU says if anyone can realistically turn it into a name.

> E.g. a garage collects registrations of its customers, and can turn them
> into names via its records. So personal data. But the typical
> (non-government) ANPR operator may collect loads of registrations, the
> vast majority of which they are unable (as Ian notes) to turn into a name,
> as they don't have access to the DVLA database.

However, they can make an enquiry of DVLA, who publish a long list of situations when they'll release information. It wouldn't be hard to fake up a reason that fits.

--
Clive D.W. Feather          | If you lie to the compiler,
Email: clive at davros.org | it will get its revenge.
Web: http://www.davros.org  |   - Henry Spencer
Mobile: +44 7973 377646

From clive at davros.org Thu Jan 12 10:06:37 2012
From: clive at davros.org (Clive D.W. Feather)
Date: Thu, 12 Jan 2012 10:06:37 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org>
Message-ID: <20120112100637.GB62241@davros.org>

k.brown at bbk.ac.uk said:
> As to whether it's legal or justified to keep such data, there is, I
> assume, no law against anyone standing at the side of the road and
> jotting down registration numbers on a pad.

No.

> Or storing them in a
> computer.

Data Protection Act. There may be "personal use" exemptions, but those are narrower than you might think (see the Lindqvist case).

> It's hard to imagine the government passing a law that stops its own
> agencies doing things that private citizens are permitted to do.

That's the whole idea of democratic control of the government!

--
Clive D.W. Feather          | If you lie to the compiler,
Email: clive at davros.org | it will get its revenge.
Web: http://www.davros.org  |   - Henry Spencer
Mobile: +44 7973 377646

From clive at davros.org Thu Jan 12 10:39:13 2012
From: clive at davros.org (Clive D.W. Feather)
Date: Thu, 12 Jan 2012 10:39:13 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <201201101353.31257.david.goodenough@btconnect.com>
References: <20120110133435.GE59956@davros.org> <201201101353.31257.david.goodenough@btconnect.com>
Message-ID: <20120112103913.GC62241@davros.org>

David Goodenough said:
>> So the probability of a collision is 1 - 1.14e-47, or just about certain.
> Have you factored in that most of the cars in a given area will share
> part of their number (all cars registered in Oxford in the post 2001
> scheme start OX)?

Actually, they all start O (apart from personalized registrations), not necessarily OX.

> On a motorway this will not make much difference, in
> an urban setting it might well skew the distribution of plates.

I've assumed that the actual hash algorithm is a good one. That is, once the reduction process (O/0/D -> O, etc.) has been done, two strings differing by only one character are likely to have completely different hashes.

--
Clive D.W. Feather          | If you lie to the compiler,
Email: clive at davros.org | it will get its revenge.
Web: http://www.davros.org  |   - Henry Spencer
Mobile: +44 7973 377646

From lists at internetpolicyagency.com Thu Jan 12 11:51:01 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 12 Jan 2012 11:51:01 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <0KtUQWqWvpDPFAZn@perry.co.uk>
Message-ID: <36RUc1+lksDPFArU@perry.co.uk>

In article , Chris Edwards writes
>| http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf
>|
>| "a person may be identified directly by name or indirectly by a
>| telephone number, a car registration number, a social security
>| number, a passport number or by a combination of significant
>| criteria which allows him to be recognized by narrowing down the
>| group to which he belongs (age, occupation, place of residence,
>| etc.)".
>
>Does that apply to *all* processing of registration numbers? Or only if
>the controller can realistically turn it into a name?
>
>E.g. a garage collects registrations of its customers, and can turn them
>into names via its records. So personal data. But the typical
>(non-government) ANPR operator may collect loads of registrations, the
>vast majority of which they are unable (as Ian notes) to turn into a name,
>as they don't have access to the DVLA database.

The general rule is that unless you *know for sure* that the (eg) numberplates you've recorded can never be traced back to the keeper, you should treat them as personal data. Remember, the person who initially collected them isn't the only person who might later be able to use them to identify a person.
--
Roland Perry

From lists at internetpolicyagency.com Thu Jan 12 12:25:07 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 12 Jan 2012 12:25:07 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <0KtUQWqWvpDPFAZn@perry.co.uk>
Message-ID:

In article , Francis Davey writes
>Note that the directive does not restrict "identifiable" to
>"identifiable by the data controller". It seems to me that the purpose
>of the directive - or at least one of them - is to prevent personal
>data from being misused not by the data controller but by others,
>including those who obtain it unlawfully, eg through theft. So, if I
>process data which, though I could not misuse it, would be mis-usable
>by someone else, I am held to various standards of data security in
>order to prevent that happening.
>
>The Data Protection Act 1998 doesn't seem to take the same view. It says:
>
>"personal data" means data which relate to a living individual who can
>be identified -
>
>(a) from those data, or
>(b) from those data and other information which is in the possession
>of, or is likely to come into the possession of, the data controller,
>
>Now that's a much more restrictive definition as it restricts
>"identifiable" to mean either objectively identifiable from the data
>or identifiable with additional information by the data controller.
>Data in my hands that I am unlikely to be able to identify as
>belonging to an individual would not be personal data. That would, in
>turn, mean I had no security obligations to prevent it falling into
>the hands of someone who could identify it.

There's a huge loophole in the making here... let's say a phone company gave lots of cellsite data to his fishmonger, who everyone would agree has no way of deciphering it or identifying people, and the fishmonger then gave all the data to the police (who could).
Doesn't sound right that a chain-of-custody issue as simple as that could relieve everyone of the responsibility.

>That, in my view, seems like it's a failure to implement the directive.
>My reading of the Commission's objections is that they think so too.

--
Roland Perry

From chris-ukcrypto at lists.skipnote.org Thu Jan 12 12:29:59 2012
From: chris-ukcrypto at lists.skipnote.org (Chris Edwards)
Date: Thu, 12 Jan 2012 12:29:59 +0000 (GMT)
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <0KtUQWqWvpDPFAZn@perry.co.uk>
Message-ID:

On Thu, 12 Jan 2012, Roland Perry wrote:

| There's a huge loophole in the making here... let's say a phone company gave
| lots of cellsite data to his fishmonger

Presumably the phone company CAN identify people from this data, so have to treat it as personal, and therefore can't simply give it to the fishmonger.

From lists at internetpolicyagency.com Thu Jan 12 12:52:12 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 12 Jan 2012 12:52:12 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <0KtUQWqWvpDPFAZn@perry.co.uk>
Message-ID: <4lnn7sF8dtDPFAaL@perry.co.uk>

In article , Chris Edwards writes
>
>| There's a huge loophole in the making here... let's say a phone company gave
>| lots of cellsite data to his fishmonger
>
>Presumably the phone company CAN identify people from this data, so have
>to treat it as personal, and therefore can't simply give it to the fishmonger.

But where's the harm (they would argue in this hypothetical scenario) in giving the data to someone who cannot use it for identification?
--
Roland Perry

From bdm at fenrir.org.uk Thu Jan 12 16:50:34 2012
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Thu, 12 Jan 2012 16:50:34 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <3EF22CFB-62A1-46D0-92FF-2ED7C13D9B7E@sourcetagged.ian.co.uk> <39FCC158-8591-47F1-926F-772DCC5BF9FB@sourcetagged.ian.co.uk> <004401cccfa2$309d5290$91d7f7b0$@net> <20120110215200.GA32625@banjo.employees.org> <20120111111804.00279e5d@peterson.fenrir.org.uk> <20120111152903.66df0d85@peterson.fenrir.org.uk>
Message-ID: <20120112165034.75b3b437@peterson.fenrir.org.uk>

On Wed, 11 Jan 2012 15:54:47 +0000 Roland Perry wrote:

> >Which is why I said that such phones should be switched off, if
> >necessary for the entire time that the kidnapping is being done.
>
> I think what we are missing here is whether or not the location of the
> ransom call is correlated with where the victim is being held, or where
> any of the kidnappers lives or did the planning. Without wishing to give
> anyone ideas, the objective here is to anonymise the location, or if not
> make sure it's "none of the above".

Have a look at Frederick Forsyth's "The Negotiator". A kidnapper in it, although not using mobile phones, uses payphones at many different locations around the M25. He also uses a name that the authorities try to, but can't, link to any previously known criminals; eventually it turns out to have been a composite of the letters in the registration plate of the first car he owned decades before and is thus not linkable to him except by means of extreme lateral thinking.

But heck, it's obvious that to carry out a perfect untraceable kidnapping and to obtain and keep the funds realised would require skills that even the most capable agencies on the planet can't achieve reliably, so it's a tall order for anyone short of knowledge and resources.
--
Brian Morrison
bdm at fenrir dot org dot uk

"Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it."

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

From Andrew.Cormack at ja.net Thu Jan 12 14:08:27 2012
From: Andrew.Cormack at ja.net (Andrew Cormack)
Date: Thu, 12 Jan 2012 14:08:27 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To:
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <0KtUQWqWvpDPFAZn@perry.co.uk>
Message-ID: <61E52F3A5532BE43B0211254F13883AE0554E900@EXC001>

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Chris Edwards
> Sent: 12 January 2012 12:30
> To: UK Cryptography Policy Discussion Group
> Subject: Re: Buckinghamshire CC ANPR cameras
>
> On Thu, 12 Jan 2012, Roland Perry wrote:
>
> | There's a huge loophole in the making here... let's say a phone
> company gave
> | lots of cellsite data to his fishmonger
>
> Presumably the phone company CAN identify people from this data, so
> have
> to treat it as personal, and therefore can't simply give it to
> fishmonger.

Chris

That's one of a number of unclarities that result from the UK definition. The definition clearly allows for the same data to be personal in one person's hands but not in another, but the Act has no provisions at all to cover the change of state as it passes from one to another. E.g. is such a transfer covered by rules on personal data (in the hands of the giver) or not (in the hands of the recipient)? Particularly relevant if the recipient happens to be outside the EEA...
On the other hand the EC definition also has problems, since it allows personal data to be handled by someone who has no way to identify or contact the individual. But the Directive still seems to require the holder to inform the individual about the processing (even though they don't know who they are), and to provide them with subject access (even though they can't validate their identity).

My one and only presentation at an academic law conference suggested that a law that contained contradictions whichever way you interpreted the definition must be broken - the comment afterwards was that I was thinking like a mathematician rather than a lawyer ;-)

The leaked draft regulation is at least clear on how the definition should be used (it even says explicitly that IP addresses are personal data) but, as far as I can see, doesn't resolve the resulting problems about notification and subject access.

Andrew

From maryhawking at tigers.demon.co.uk Thu Jan 12 19:34:57 2012
From: maryhawking at tigers.demon.co.uk (Mary Hawking)
Date: Thu, 12 Jan 2012 19:34:57 -0000
Subject: Remote access to patient records and security of android apps
Message-ID: <823AC815FC524410942FA2BFC157DB49@MaryPC>

http://www.ehi.co.uk/news/primary-care/7445/tpp-develops-systmone-android-app

"TPP said it expected to have the SystmOne Android solution completed and tested within the first half of this year. Following a pilot phase, it will then become available to users via the Android 'marketplace'. Access to the app will be through the user's usual username and password, so nobody will be able to use it unless they are a SystmOne user."

This is a confidentiality and security question rather than a crypto one: apologies.
In the NHS we have been told, repeatedly, that user name and password are insufficient: there needs to be a smartcard logon for secure identification, and RBAC (Role Based Access Control) to ensure that once identified an individual can only access the information/functions their role requires.

My question is twofold:
1. *can* an android app incorporate smartcard security?
2. if access via logon and password is sufficient security, why were smartcards, RBAC and the system of Registration Authorities considered to be necessary in the first place?

Unfortunately, after I had successfully posted this query on EHI, the facility for posting comments was withdrawn from the article and my comment removed.

Mary Hawking
"thinking - independent thinking - is to humans as swimming is to cats: we can do it if we really have to." Mark Earles on Radio 4.

From bdm at fenrir.org.uk Thu Jan 12 22:39:28 2012
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Thu, 12 Jan 2012 22:39:28 +0000
Subject: Buckinghamshire CC ANPR cameras
In-Reply-To: <20120112100637.GB62241@davros.org>
References: <20120109152618.GE7359@davros.org> <4F0B222B.9090406@zen.co.uk> <1150DAD0-8DA5-4619-9BF9-20CC6FF8AA7E@batten.eu.org> <20120112100637.GB62241@davros.org>
Message-ID: <20120112223928.539783ec@peterson.fenrir.org.uk>

On Thu, 12 Jan 2012 10:06:37 +0000 "Clive D.W. Feather" wrote:

> That's the whole idea of democratic control of the government!

Say what? Do we do that here?

--
Brian Morrison
bdm at fenrir dot org dot uk

"Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it."

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
From tony.naggs at googlemail.com Fri Jan 13 00:15:14 2012
From: tony.naggs at googlemail.com (Tony Naggs)
Date: Fri, 13 Jan 2012 00:15:14 +0000
Subject: Remote access to patient records and security of android apps
In-Reply-To: <823AC815FC524410942FA2BFC157DB49@MaryPC>
References: <823AC815FC524410942FA2BFC157DB49@MaryPC>
Message-ID:

Hi Mary

I am not familiar with "SystemOne", and it is not clear from the article what the Android application would be used for. Clearly managing one's calendar, accessing email or editing patient notes have different confidentiality issues.

In principle an Android tablet could access a smartcard, as the SIM card in an Android phone is a form of Smartcard - but I have not noticed any tablet computers advertised with a Smartcard slot. Also some Android phones are starting to have NFC (Near Field Communications) interfaces that could talk to Smartcards that work wirelessly (similar to an Oyster card).

I am also concerned about whether the data is securely encrypted when sent over the WiFi or 3G data network.

Regards,
Tony

On 12 January 2012 19:34, Mary Hawking wrote:
>
> http://www.ehi.co.uk/news/primary-care/7445/tpp-develops-systmone-android-app
> "TPP said it expected to have the SystmOne Android solution completed and
> tested within the first half of this year. Following a pilot phase, it will
> then become available to users via the Android 'marketplace'.
> Access to the app will be through the user's usual username and password,
> so nobody will be able to use it unless they are a SystmOne user."
> This is a confidentiality and security question rather than a crypto one:
> apologies.
>
> In the NHS we have been told, repeatedly, that user name and password are
> insufficient: there needs to be a smartcard logon for secure identification,
> and RBAC (Role Based Access Control) to ensure that once identified an
> individual can only access the information/functions their role requires.
>
> My question is twofold:
> 1. *can* an android app incorporate smartcard security?
> 2. if access via logon and password is sufficient security, why were
> smartcards, RBAC and the system of Registration Authorities considered to be
> necessary in the first place?
>
> Unfortunately, after I had successfully posted this query on EHI, the
> facility for posting comments was withdrawn from the article and my comment
> removed.
>
> Mary Hawking
> "thinking - independent thinking - is to humans as swimming is to cats: we
> can do it if we really have to." Mark Earles on Radio 4.
>

From james2 at jfirth.net Fri Jan 13 09:49:50 2012
From: james2 at jfirth.net (James Firth)
Date: Fri, 13 Jan 2012 09:49:50 -0000
Subject: Remote access to patient records and security of android apps
In-Reply-To: <823AC815FC524410942FA2BFC157DB49@MaryPC>
References: <823AC815FC524410942FA2BFC157DB49@MaryPC>
Message-ID: <005401ccd1d8$b2424390$16c6cab0$@net>

Mary Hawking wrote:
> In the NHS we have been told, repeatedly, that user name and password
> are insufficient: there needs to be a smartcard logon for secure
> identification,

OK it's over 6 years since I worked directly in this field (on TETRA, see here: http://ejf.me/pd )

But smart cards essentially perform two roles:

(1) Ensure high entropy in the key without requiring a long passphrase (and the security loophole that comes with this regime - people more likely to write down difficult-to-remember passwords)

(2) Provide a physical key that can't (easily) be replicated, ensuring that when someone's nicked your smart card, you know about it.
Someone could have nicked a password and you could be ignorant of this for many days/weeks/months.

James Firth

From james2 at jfirth.net Fri Jan 13 09:50:55 2012
From: james2 at jfirth.net (James Firth)
Date: Fri, 13 Jan 2012 09:50:55 -0000
Subject: Remote access to patient records and security of android apps
In-Reply-To:
References: <823AC815FC524410942FA2BFC157DB49@MaryPC>
Message-ID: <005701ccd1d8$d8d59980$8a80cc80$@net>

Tony Naggs wrote:
> Also some
> Android phones are starting to have NFC (Near Field Communications)
> interfaces that could talk to Smartcards that work wirelessly (similar
> to an Oyster card).

If anyone sees an implementation of this I'm sure my old employee would like to know. I patented something like this we were working on around 10 years ago: ( http://ejf.me/pd )

James Firth

From lists at internetpolicyagency.com Fri Jan 13 10:18:54 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 13 Jan 2012 10:18:54 +0000
Subject: Remote access to patient records and security of android apps
In-Reply-To: <823AC815FC524410942FA2BFC157DB49@MaryPC>
References: <823AC815FC524410942FA2BFC157DB49@MaryPC>
Message-ID:

In article <823AC815FC524410942FA2BFC157DB49 at MaryPC>, Mary Hawking writes
>*can* an android app incorporate smartcard security?

Perhaps not a conventional smartcard, but in principle you could have some sort of necessary token stored on a micro-HD card plugged into an Android device. Such a scheme might or might not be proof against an attacker gaining a simple copy of that data (and the Android system allows remote interrogation of the micro-HD card without very much in the way of credentials).

A better idea might be some sort of "Cryptocard" token; are they approved for NHS use?
--
Roland Perry

From lists at internetpolicyagency.com Fri Jan 13 10:21:47 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 13 Jan 2012 10:21:47 +0000
Subject: Remote access to patient records and security of android apps
In-Reply-To:
References: <823AC815FC524410942FA2BFC157DB49@MaryPC>
Message-ID:

In article , Tony Naggs writes
>In principle an Android tablet could access a smartcard, as the SIM
>card in an Android phone is a form of Smartcard - but I have not
>noticed any tablet computers advertised with Smartcard slot.

Many tablets have a SIM socket (for data access). But what credentials from the SIM might an application be looking for, and why couldn't a patched copy of Android spoof it?

>I am also concerned about whether the data is securely encrypted
>when sent over the WiFi or 3G data network.

Couldn't the Android App have its own encryption layer?

--
Roland Perry

From lists at internetpolicyagency.com Fri Jan 13 10:25:32 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 13 Jan 2012 10:25:32 +0000
Subject: Remote access to patient records and security of android apps
In-Reply-To: <005701ccd1d8$d8d59980$8a80cc80$@net>
References: <823AC815FC524410942FA2BFC157DB49@MaryPC> <005701ccd1d8$d8d59980$8a80cc80$@net>
Message-ID:

In article <005701ccd1d8$d8d59980$8a80cc80$@net>, James Firth writes
>> Also some
>> Android phones are starting to have NFC (Near Field Communications)
>> interfaces that could talk to Smartcards that work wirelessly (similar
>> to an Oyster card).
>
>If anyone sees an implementation of this I'm sure my old employee would like
>to know. I patented something like this we were working on around 10 years
>ago: ( http://ejf.me/pd )

http://www.nfcworld.com/nfc-phones-list/#available

[Several NFC Android phones from Samsung].
-- Roland Perry

From james2 at jfirth.net Fri Jan 13 10:31:44 2012
From: james2 at jfirth.net (James Firth)
Date: Fri, 13 Jan 2012 10:31:44 -0000
Subject: Remote access to patient records and security of android apps
In-Reply-To: 
References: <823AC815FC524410942FA2BFC157DB49@MaryPC> <005701ccd1d8$d8d59980$8a80cc80$@net>
Message-ID: <006601ccd1de$8cf6ef40$a6e4cdc0$@net>

Roland Perry wrote:
> >If anyone sees an implementation of this I'm sure my old employee
> would like
> >to know. I patented something like this we were working on around 10
> years
> >ago: ( http://ejf.me/pd )
>
> http://www.nfcworld.com/nfc-phones-list/#available
>
> [Several NFC Android phones from Samsung].

Thanks, I'm specifically interested in security products which use NFC to access remote keys (in a particular sequence) in order to provide end-to-end encryption between terminals.

James Firth

From tony.naggs at googlemail.com Fri Jan 13 12:12:34 2012
From: tony.naggs at googlemail.com (Tony Naggs)
Date: Fri, 13 Jan 2012 12:12:34 +0000
Subject: Remote access to patient records and security of android apps
In-Reply-To: 
References: <823AC815FC524410942FA2BFC157DB49@MaryPC>
Message-ID: 

On 13 January 2012 10:21, Roland Perry wrote:
> In article <2e9KsiPJi4CD_tH0FdxqUH7rO0oN278AsOW3yzSDG6YwQ at mail.gmail.com>, Tony Naggs writes
>
>> In principle an Android tablet could access a smartcard, as the SIM card
>> in an Android phone is a form of Smartcard - but I have not noticed any
>> tablet computers advertised with Smartcard slot.
>
> Many tablets have a SIM socket (for data access). But what credentials
> from the SIM might a application be looking for, and why couldn't a patched
> copy of Android spoof it?

Security oriented smartcards often have onboard crypto and could authenticate the user to the NHS system, and/or validate the NHS system credentials to the app. (Speculation as I am not familiar with how the NHS use their smartcards.)
>> I am also concerned about how whether the data is securely encrypted when
>> sent over the the WiFi or 3G data network.
>
> Couldn't the Android App have its own encryption layer?

Of course it can, but will it do it correctly? For instance El Reg recently reported on electricity meters that failed to use SSL encryption correctly - http://www.theregister.co.uk/2012/01/09/smart_meter_privacy_oops/

ttfn, Tony

From lists at internetpolicyagency.com Fri Jan 13 12:33:19 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 13 Jan 2012 12:33:19 +0000
Subject: Remote access to patient records and security of android apps
In-Reply-To: 
References: <823AC815FC524410942FA2BFC157DB49@MaryPC>
Message-ID: 

In article , Tony Naggs writes
>> Couldn't the Android App have its own encryption layer?
>
>Of course it can, but will it do it correctly? For instance El Reg recently
>reported on electricity meters that failed to use SSL encryption correctly
>- http://www.theregister.co.uk/2012/01/09/smart_meter_privacy_oops/

There's a big difference between doing it not very well, and failing to do it (the encryption) at all. That would be simply solved in an application such as this by refusing to fall back to plain text.

-- Roland Perry

From maryhawking at tigers.demon.co.uk Sat Jan 14 09:10:35 2012
From: maryhawking at tigers.demon.co.uk (Mary Hawking)
Date: Sat, 14 Jan 2012 09:10:35 -0000
Subject: Remote access to patient records and security of android apps
In-Reply-To: 
References: <823AC815FC524410942FA2BFC157DB49@MaryPC>
Message-ID: <97F862189DC9427DAFE92D83AEACEABB@MaryPC>

From: Tony Naggs [mailto:tony.naggs at googlemail.com]

TN: I am not familiar with "SystemOne", and it is not clear from the article what the Android application would be used for. Clearly managing one's calendar, accessing email or editing patient notes have different confidentiality issues.
MH: SystmOne (TPP, supplied under the CSC LSP - Local Service Provider - contract) is a "one record per patient" (SSEPR, Single Shared Electronic Patient Record) electronic record system designed to be the record of prime entry for not only GP practices but also other primary care and other organisations, e.g. community nursing, child health services, speech and language therapy etc.: it has even been used for a referrals management centre. The organisations using the record share content on a security level: every consultation is given a security level of 1-5 (1 low, 5 high) and the default for most things is 3. The sharing and security level need not be reciprocal. It is being aggressively promoted in the areas where CSC holds the LSP contract - North, Midlands and East. The app referred to is one to directly access the individual live patient record which is held on a central server.

TN: In principle an Android tablet could access a smartcard, as the SIM card in an Android phone is a form of Smartcard - but I have not noticed any tablet computers advertised with Smartcard slot. Also some Android phones are starting to have NFC (Near Field Communications) interfaces that could talk to Smartcards that work wirelessly (similar to an Oyster card). I am also concerned about whether the data is securely encrypted when sent over the WiFi or 3G data network.

MH: I hope the data is encrypted (it is normally sent over the N3 network) but I don't have any information one way or the other. I believe contactless smartcards have been discussed for use in secondary care, but sorry, no information on that either!
The article seems to envisage using any Android tablet - so unless there is a universal means of getting an Android tablet to recognise a smartcard (using Gem Authenticate) and this can be incorporated into the app, I do not see how a smartcard can be used - and how the user can be authenticated to the level the NHS has been saying is necessary to prevent illegitimate access to patient records.

Mary Hawking
"thinking - independent thinking - is to humans as swimming is to cats: we can do it if we really have to." Mark Earles on Radio 4.

From arthur at clune.org Sat Jan 14 09:30:48 2012
From: arthur at clune.org (Arthur Clune)
Date: Sat, 14 Jan 2012 09:30:48 +0000
Subject: Remote access to patient records and security of android apps
In-Reply-To: <97F862189DC9427DAFE92D83AEACEABB@MaryPC>
References: <823AC815FC524410942FA2BFC157DB49@MaryPC> <97F862189DC9427DAFE92D83AEACEABB@MaryPC>
Message-ID: 

Instead of using a directly connected smartcard, the app could use a token based system like RSA keyfobs. That would satisfy the two factor authentication requirement and would work with any hardware including phones.

Disclaimer: I've no idea what it actually does

Arthur