Today at W2SP I presented a new paper making the case for distributing security policy in hyperlinks. The basic idea is old, but I think the time is right to re-examine it. After the DigiNotar debacle, the community is getting serious about fixing PKI on the web. It was hot topic at this week’s IEEE Security & Privacy (Oakland), highlighted by Jeremy Clark and Paul van Oorschot’s excellent survey paper. There are a slew of protocols under development like key pinning (HPKP), Certificate Transparency, TACK, and others. To these I add s-links, a complementary mechanism to declare support for new proposals in HTML links.

Though it’s unclear which proposals will take hold, deployment will probably be fragmented: some servers will require HTTPS (using HSTS), some may pin keys or use another new protocol, and many will continue to not support HTTPS at all. Clients must know what the server supports prior to initially connecting, or else a middleperson attacker can simulate a server which only supports insecure HTTP (often called a stripping attack). Thus hardening HTTPS includes an enormous policy distribution problem.

The consensus is that querying a new out-of-band trusted server to learn security policy is a non-starter. OCSP, a protocol to check if certificates are revoked, provides a painful example. It was never reliable enough for browsers to fail closed if OCSP servers couldn’t be reached, so it provided negligible security and Chrome eventually disabled it. This leaves very few channels to distribute security policy prior to initial connections. Browser preloads are great, but can’t scale indefinitely. DNSSEC (via extensions like DANE) is a promising approach, but many deployment issues remain.

This leaves secure introduction: if a user agent is referred to a new domain by an already-trusted domain, the referring domain can indicate a minimum security policy required for the initial connection. S-links are a proposal to enable secure introduction in HTML. A stricter HTTPS policy (such as key pins) can be declared in a new “link-security” attribute, which will apply only to requests caused by that element itself (for example, clicks on a link or loading a JavaScript library).

S-links aren’t a panacea: they can’t protect users who manually type a new URL. Still, compared to the alternatives s-links are an efficient and easy-to-deploy channel for security policy. An important lesson from past PKI failures is to build for robustness: multiple protocols will have to be supported and we should build multiple ways of advertising security upgrades. S-links is still a very early-stage project with important details to get right about the user experience and some subtle interactions with the browser’s same-origin policy. I would greatly appreciate feedback.

In a seminar today, we will unveil Rendezvous, a search engine for code. Built by Wei-Ming Khoo, it will analyse an unknown binary, parse it into functions, index them, and compare them with a library of code harvested from open-source projects.

As time goes on, the programs we need to reverse engineer get ever larger, so we need better tools. Yet most code nowadays is not written from scratch, but cut and pasted. Programmers are not an order of magnitude more efficient than a generation ago; it’s just that we have more and better libraries to draw on nowadays, and a growing shared heritage of open software. So our idea is to reframe the decompilation problem as a search problem, and harness search-engine technology to the task.

As with a text search engine, Rendezvous uses a number of different techniques to index a target binary, some of which are described in this paper, along with the main engineering problems. As well as reverse engineering suspicious binaries, code search engines could be used for many other purposes such as monitoring GPL compliance, plagiarism detection, and quality control. On the dark side, code search can be used to find new instances of disclosed vulnerabilities. Every responsible software vendor or security auditor should build one. If you’re curious, here is the demo.

The Queen’s speech at today’s state opening of Parliament includes the prediction:

“In relation to the problem of matching Internet protocol addresses, my Government will bring forward proposals to enable the protection of the public and the investigation of crime in cyberspace”

This is all that remains of the Home Office’s ambition to bring forward a revised version of the Draft Communications Data Bill that two Parliamentary Select Committees were so unimpressed by, and which the Liberal Democrats have declined to support.

The sole issue on which there appears to be political consensus is that “something must be done” about the traceability failure that regularly occurs when the Internet is accessed from a smartphone. The shortage of IPv4 addresses means that the mobile companies cannot give each smartphone a unique IP address — so hundreds of users share the same IP address with only the TCP/UDP source port number distinguishing their traffic. Because this sharing is done very dynamically the mobile phone companies find it problematic to record the source port mapping, and they have argued that the way the EU Data Retention Directive is written they have no obligation to make and keep such records.

I wrote about this issue at some length on this blog in January 2010, although until very recently the Home Office considered it to be tantamount to a state secret and were extremely coy about discussing it in the public.

The Queen’s “bring forward proposals” phrase appears to cover a range of options:

• the mobile companies decide that they can manage to log the source port mapping data after all;
• the Home Office pays for new kit at the mobile companies that will allow source port mapping to be done;
• there is a short bill (or clause in another bill) that requires the logging to be done (this might avoid any question of payments being ultra vires, or would ensure compliance by companies (possibly broadband suppliers) that looked like becoming stragglers;
• there are discussions but nothing happens at all — perhaps because the tide turns against Data Retention as being a necessary and proportionate policy. A number of other EU countries have found it to be incompatible with fundamental human rights.

The Open Rights Group (ORG) have recently produced a pamphlet (available online here) setting out how surveillance might be better approached in this century. I contributed the chapter on the technical issues…

… if you don’t have time to read the whole thing then the New Statesman has an edited version of my chapter; and you can watch a short video of myself (and two other contributors) explaining the major issues.

On Friday I went to a fascinating lobbying meeting on the new EU data protection regulation. Europe is by default the world’s privacy regulator, as America doesn’t care and no-one else is big enough to matter; so this is really important. Some 3000 amendments have been proposed and the regulation is in the final stages of the committee process; the rapporteurs of the various parties are negotiating compromise amendments which should be ready for a vote within weeks. So the pressure is really on.

Friday was extraordinary because all the lobbyists came together in one room to argue their cases. This is because the liberal shadow rapporteur Alexander Alvaro was injured in a car crash last month, so Sarah Ludford, a London MEP, took over at the last minute. Normally lobbyists see MEPs singly or in small groups, but as time was short Sarah called a mass meeting at Europa House in London. So we all got to hear what the others were pushing for. Campaigners for open government say we’d have better laws if more if the process was public; here’s an example where that happened (literally) by accident.

I am posting my notes of the meeting here, as it’s a good case history of how lobbying works, as well as of how our privacy is being lost. There were about 100 people present, of which only 5 were from civil society. Most were corporate lobbyists: good-looking, articulate and impressive, but pushing some jaw-dropping agendas. For example the lovely lady from the Association of British Insurers found it painful that the regulation might ban profiling that was unfair or discriminatory.

Sarah Ludford DPR meeting, 3–6 PM, 26/4/13, Europa House, Smith Square.

Sarah says the shadows’ meeting has not so far gone through the articles in order but cherry-picked; started with articles 2, 3, 81, 83. LIBE committee now realising they have to go back to fundamentals. Sympathises with Beith and McNally at Justice SC and ministry who wrote the brief for the Council and are also Lib Dems.

1. Risk and context-based approach

David Smith of the ICO wants to remove a lot of the prescription in the proposals about how many data protection officers a business should have and the documentation it should keep. Art 6 controller and process obligations: should just say “appropriate”.

Emma Butler, Reed Elsevier: risk ties to many things in the proposal, so it should articulate what risk is (tangible harm, societal harm).

Mumbling Frenchman (Schwarzbert?) about virtues of profiling.

Razvan Antemir, EMOTA, ecommerce association in Brussels. Small businesses, excessive to have a DP officer for firms under 10 people. Members already pay for all sorts of trust marks.

Leo Baumann, Nokia and trade association. Location stuff burdensome as don’t want to have to document millions of processing operations. Need
what’s deemed to be risky.

Jeremy Wilson, BA and Assoc Eur Airlines and IATA. Risk-based vs context.

Yves Schwarzbert, Advertising association: ditto; this is a blanket,
binary approach which defines almost all data as personal data; need a more granular approach so businesses can enhance its approach to protection. Pseudonymisation?

.. James Nation, CBI, wants to maintain discretion, proportionality; worried about commission’s power to come in later by delegated acts.

2. Anonymisation. Recital that anonymised data out of scope. ICO guidance.

Ross Anderson: Anonymisation doesn’t work. Example of postcode and date of birth, and encrypted ANPR data. How to square increase or decrease in risk? Best ensure that liability remains.

Anna Fielder, Privacy International: best to leave out pseudonymisation! As for definitions, best leave them broad and put any exceptions in articles further down. Even things like IP addresses have been used to single people out!

Brad Bryant, Aon. Need to process sensitive health data for a lot of things and it’s hard to pseudonymise it. But we need it for modelling. We want an incentive to pseudonymise.

Kimon Zorbas, IAB Europe: Harmonise definitions across Europe, such as IP addresses. Defining an/pseud-onymous data would provide clarity. Germany does and the definition is stricter than other countries. Be realistic about regulators, stop fights about what is or is not psuedonymsation.

Emma Ascroft, Yahoo: some data very personal such as name and dob, while other data let you single out a user. The use of pseudonymous data is privacy-enhancing for users but the incentives are not there. Need (a) definitions for everybody (b) legal basis – consent not
workable [you have to authenticate the user which means collecting personal data] (c) data subject rights such as access; all linked to article 20 on profiling which seems to make consent the only basis for profiling, which in turn makes many business models illegal

Mark Purvis from Weber Shandwick, representing MasterCard. Lighter regime for pseudonymised data. Right of access 15, rectification 16, be forgotten 17, portability 18. [Sarah Ludford: art 10 already says that if data don't allow identification, you don't have to collect more information just for compliance].

Ian Roy, Telefonica UK: incentivise PETs, Emma describes well. Wants definition to exclude pseudonymous data [Sarah Ludford: that is not going to happen!]

Beth Thompson, Wellcome: “singling out” is a big issue for medical research as in clinical trials you have line data with a line for each patient. Duty on controller / regulator to make anonymisation robust. Code makes it complex

Unknown speaker – “singled out” adds nothing.

David Smith: still doesn’t know what personal data is after 20y. Don’t tinker with the definition; it’s just the way we operate that has changed. Art 29 WP has had a view on what “identify” means. A cookie singles you out as it gives you different ads; that’s “identifiable information” and “personal data”. Are IP addresses pseudonyms? No. But do you apply the full data protection regime? Disproportionate. Pseudonymise? If the same person holds the key it may help security but not protection. It’s a big range, mindblowing, and struggling with
definitions won’t help. Apply a risk based approach and be proportionate.

Emma Ascroft: important to define it to get incentives even if hard. Echoed by French guy.

James Leaton Grey, BBC: has many ways to get consent, and is told that their mechanisms aren’t enough for the Dutch. In any case you get only the computer’s consent.

Michael Smith, Experian: consent can’t be the be-all and end-all as the legitimate interest must also work. Credit reference essential for protecting people from excessive credit, and fraud, and free flow of credit. Many statutory provisions for consumers’ rights. Legitimate interest must not be curtailed

James Milligan, Direct Marketing Association. As Richard Thomas said
we’re turning ourselves into a nation of liars with opt-in boxes. Need multiple levels for the uninterested, the curious and the experts.

Anna Fielder, Privacy International: the proposals are only a small change in a landscape that almost everyone accepts isn’t working well. Consent technologies are evolving too.

Robbie Williams, BEERG, employee relations: HR will be made impossible by art 7(4) which rules out consent where there is a significant imbalance. Sarah Ludford: consent must be “freely given”

Fabrizio Ferraro, IG: art 17 and right to be forgotten – what’s workable solution for financial services?

Heather Wallet, Barclays: if no legitimate interest, then need carve-out for preventing and detecting fraud and crime.

Andrew, Equifax: important for legitimate interests of third parties

Zoltan Precsenyi, Symantec: can’t build an information society from the presumption that processing data “isn’t permitted unless”

Victoria Eva, Pearson: prescriptive stuff, burden of proof, means consent requirements hard to deal with in contexts such as education as parents have to consent to most of what kids do. This isn’t right.

Kim Smouter (?), Esomar, marketing association: some countries treat consent as written so we can’t do phone surveys. JURI said consent should be appropriate

Ed Simpson, Finance and Leasing Association: conflict between the draft and other regulations requiring we know our customer.

Juergen Baensch, ISFE, Eur videogame industry: parental consent in article 8; advocates retention of age 13 to be consistent with the US. But parental consent should not be applied where there are “legitimate interests”

Matilde Fiquet, FEDMA Eur direct marketing: need to extend legitimate interest to third parties.

Ross Anderson: be careful in two cases: legitimate interest of more distant third parties; OK for a third party who subcontracts for the data controller but not OK to sell my data to fifty behavioural advertising firms. Second problem is monopolies which are pervasive in information industries

Julien Fafleur, World federation of advertisers: lawful processing without prejudice to art 10 (not asking for more data for compliance)

Katy Thomas, GMC: right to be forgotten should not apply to medical
records, in relation to possible litigation; and doesn’t want to see consent between two unattractive options not to be seen as free.

Kathryn Whelan from Intel/McAfee: welcome amendments around security as a legitimate interests. Can have security without privacy but cannot have privacy without security.

Helen Wallace: if genome data are retained, particularly by the state, then the proposed amendments on health data are hazardous as genetic data are biometric.

Rachel Merrett, BMA: supports that forgetting must not apply to medical records; and explicit consent applies already to med data so would prefer “explicit” to “meaningful”

James Nation, CBI again: article 5f duty to demonstrate compliance “for each processing operation” cannot stand.

Anna Hansell, Imperial College London: explicit consent hard for med research on records of millions of people, to whom we can’t go back for consent. Already tightly regulated under UK law (balance against GMC explicit consent)

Beth Williams, Wellcome: move to broad consent will allow use of consent more often but also need another legal basis.

Emma Ascroft about legitimate interest and pseudonyms again.

Kim Smouter, ESOMAR(?) – e-privacy directive still applies.

3. Data subject rights arts 11-19

Jennie Weaver, ABI, art 12: lack of proportionality compared to DPA around rigid timeframe to provide data, exempting third-party data.

Ed Simpson, Finance and Leasing: wants lenders to charge a small fee to deter vexatious inquiries by claims management companies.

Mita Mitra, BT: agrees on a nominal fee to curb excessive requests as things get more electronic. General worry about authentication and about portability (where the new right seems aimed at social networks)

Anna Fielder: her husband was the victim of ID theft last year and had to make subject access requests of fifteen companies. The total bill came to over £250. Some companies don’t charge for subject access, and don’t suffer. A fee is also an issue for pensioners and other
vulnerable people.

Unknown: think of sensitive business data.

Unknown: currently the controller can ask the data subject for help to find the data, and this seems to have fallen by the wayside.

Gordon Nardell, general council of the bar: large number of amendments tabled to 14, 15 by legal professions elsewhere in Europe, which would be too broad as they remove all obligations by people under professional secrecy (so it would extend to doctors and priests as well as lawyers). If person A tells a lawyer to do something nasty to person B, then what happens if B does a subject access request?
Client-attorney confidentiality is protected anyway; the concern is that people park nasty stuff with lawyers as a loophole. The Bar Council takes the view that this should be done by national derogations under 21(5)f, which could be strengthened. Can we please do this in a compromise amendment?

Unknown: how do you square the right to be forgotten with cookies? Figuring out what information is linked to a cookie is often very hard. The user can exercise this right himself much more easily by deleting the cookie, so there should be a derogation from article 17
(right to be forgotten) where the user can do this themselves.

Helen Wallace: we need to beware that data protection applies to police and other state bodies as well, and we have to be careful about the crossover (e.g. if your genome is in your med record, can’t be deleted, and the police demand access).

4. Profiling

Michael Smith, Experian: be careful with profiling restrictions in article 20 as this would catch a lot of long-established and beneficial uses such as credit scoring, prevention of ID theft, etc.
+1: a Frenchman.

Mark Purvis, Mastercard: Firms like theirs also do fraud profiling under regulatory obligations and following guidelines of ECB, which should count as lawful processing.

James Milligan, UK Direct Marketing Association: ad targeting and profiling should only be limited insofar as it does actual harm.

Barry Ryan, UK Market Research Society: the text just talks about “the automatic processing of data” so will apply (e.g.) to the use of statistics in research – particularly if the Albrecht amendments prevail

Helen Wallace: profiling is not always helpful, such as health data being used to profile customers to deny them insurance.

Unknown: pseudonymous data could work here, and for website optimisation, so long as there’s a rule not to link back to clear data

Unknown: we have so much more data / analytics nowadays, and it’s not really an optional extra any more. Most doesn’t go anywhere, but some ends up being applied to individuals where rights such as transparency and access become important.

Tim Pethick, Saga/AA: 18 million customers, personalised marketing important, and to insurance in particular. If we couldn’t do risk/fraud detection it would add 4% to premiums.

Victoria Eva, Pearson: worried about restrictions on profiling for education products.

Jennie Weaver, ABI: relationship between policyholder profile risk and expected claims, so the attempts to expand profiling controls (such as those which forbid “unfair and discriminatory” processing) would be a pain

Mark Purvis, Mastercard: art 24 on joint controllers. Making MC a JC with most banks they work with in Europe implies equal access to subject and equal amounts of data, and equal liability for breach. The controller with the most contact with the data subject should be the main point of contact. (Sarah: art 24 says that joint controllers shall determine their joint responsibilities.)

Zoltan Precsenyi, Symantec: security essential for privacy but wants short para obliging people to take appropriate measures; Sarah’s amendments for powers of national authorities would be fine provide they don’t diverge significantly. He prefers Alvaro’s amendment on that.

Siada el Ramly, European Digital Media Assoc: controller-processor responsibilities

Vincent Feiner, Unisys, is worried about art 82, the employment contract. They assess the cost on Eurobiz as €3.2bn, falling on HR functions, and this is consistent with figures Lord McNally put in the House of Lords, and has not been rebutted by the Commission. Delete
article 82, as Voss suggests; it will lead to 20-odd pieces of legislation in Member States.

Leo Baumann, Nokia: amendments to art 22-3 define the accountability principle saying that companies take responsibility for privacy approach, and this is better than detailed requirements for documentation etc that make it harder to do the right thing.

Rosina Robson from FSB, fed of small biz: risk-based approach please.

Unknown: same as Unisys above.

Yves Schwarzbert, advertising association: privacy impact assessments don’t do anything. If they’re in, best include legal privilege as it will be the same lawyers.

Anna Fielder: if you talk about increased accountability you strong possibilities for redress and enforcement. Welcome 73 which allows associations to take up complaints on behalf of many subjects. Stops short of collective redress which BEUC etc want and would be a great
way of getting redress. Collective ADR exists but the vanilla version is out (thanks to JURI – the Frenchman says this was because consumers’ assocs said going to court was too hard)

Unknown: duplicating work between controllers and processors increases costs without providing benefits to customers, especially in cloud situations

Unknown: art 26 is unduly prescriptive, so leave it to contract between controller and processor. Too prescriptive to require that the processor “hand over all the results to the controller”. What does this mean? Also 26(1)f – obligation of processor to assist controller in compliance.

Mita Mitra, BT: breach notification, need flexibility on art 31, 32 (don’t want notification fatigue).

* (1730–1800, after most others left) Medical data – art 81 and 83 for which compromise amendments are already agreed

Sarah Ludford: It was challenging to get them right. May have to revisit after doing things the wrong way round. Got agreement to some wording on S81 that I supplied, to the extent that these are “necessary and proportional and foreseeable by the data subject”. Talking of adding a one-time consent sufficient. Selective opt-out afterwards (or rely on
article 7). Safeguards in 83, involves consent in para 2. National derogation for research with high public interest (Albrecht had “extremely high”). Research data should be anonymised or pseudonymised to highest technical standards. We’ll curtail the power to adopt delegated acts so as to require public consultation and EDP (this might go into a general provision); and notification.

Ross: many but not all of our concerns about privacy in the NHS have been dealt with by Caldicott committee thanks for campaigning by people like Helen here. However that leaves private medicine, industrial medicine, prison and armed forces medical services, and
also colleagues in NL, Austria, etc. We cannot say that just because the UK has more or less adequate regulation we can slack off and exempt medical stuff from data protection.

Beth Thompson, Wellcome: art 83 has moved some way on from Albrecht but the wording there is such that all Section 251 HSCA uses of medical data will become illegal. [Ross Anderson disagrees.] Beth says the DoH agrees. [Anna Fielder: art 21 also has an override for exceptional public interest]

Rachel Merrett, BMA: supports right to opt out but wants complete audit trail in direct care. Supports section 251 and wants to use identifiable data for research when needed but doesn’t want the current measures around consent to be weakened and has concerns about seeking consent just once (as
commissioning, research and 100 other secondary uses are getting more complex).

Helen Wallace, Genewatch: who is a researcher? Helsinki declaration requires transparency, and people want to know which companies have access. They might be happy for universities to be doing it but not Google or other private companies. There’s a bigig difference between care data and research, especially once you’ve got genome stuff. People need to be able to get some stuff deleted.

Ross Anderson: agreed, and this goes to legitimate interests of third parties discussed earlier. If NHS has my genetic data and I become a suspect in a crime then they can get my data; if I then get acquitted I have a right to block their access. The UK has a bad record ofgetting the police to delete DNA data and I need to rely on European law for
that.

Sarah Ludford on Art83: ethics committee taken out yesterday. “Translational and clinical” phraseology and public-health stuff will be kept entirely in Art 81. “Health” as a specific concern out of Art 83. Amendment to 83(1)b about identifying data being kept separate and using the highest technical standards to prevent unwarranted re-identification.

Unknown: need bridge between art 5 and art 83, see Art29WP opinion 3/2/2013

Sarah Ludford: does not like the wording that processing shall not result in data being processed by others such as banking companies; this sort of wording should not appear in legislation. Maybe we should instead have “Consent or member state or union law”

Ross Anderson: research can be an enormous loophole. Does medical research stretch to encompass market research, and drive coach and horses through the whole regulation?

Sarah Ludford: wants to stick to broad horizontal principles

Helen Wallace: all this is precisely why we need consent.

Sarah Ludford: her husband was chair of diabetes assoc, by way of declaration.

I’m at the launch in London of the new campaign for medical privacy, MedConfidential.org. Sam Smith and I will be liveblogging the day’s events in comments below. For background, see here, here, here and here. Most of today’s audience are from groups for whom medical privacy is particularly important, such as charities dealing with rape victims, substance abuse, sexual health and child wefare.

Those of us who love America and have many friends there were delighted at President Obama’s initial reaction to the Boston bombings. He said if whoever attacked the city sought to intimidate victims or shake American values, “it should be pretty clear by now that they picked the wrong city to do it.” It seemed that sanity had at last returned, after all the scaremongering of the “War on terror”, and the ghost of 9/11 was finally being laid to rest.

One day later, a million people were under virtual house arrest; the 19-year-old fugitive from justice happened to be a Muslim. Whatever happened to the doctrine that infringements of one liberty to protect another should be necessary and proportionate?

In the London bombings, four idiots killed themselves in the first incident with a few dozen bystanders, but the second four failed and ran for it when their bombs didn’t go off. It didn’t occur to anyone to lock down London. They were eventually tracked down and arrested, together with their support team. Digital forensics played a big role; the last bomber to be caught left the country and changed his SIM, but not his IMEI. It’s next to impossible for anyone to escape nowadays if the authorities try hard.

With some delay here is the second and final part on our impressions of David Birch’s Tomorrow’s Transactions Forum (TTF13), which we attended thanks to Dave’s generosity (See full agenda and PowerPoint presentations here). See part 1 here.

NOTE: Although written in first person, what follows results from a combination of Laurent Simon’s and my notes.

The theme of day 2 at TTF13 was social inclusion. The kick off question was “How to develop tools to help people deal with money?” (people with no financial culture and based on a transactional account).

This was followed by presentations on “Comic Relief” (the day before ‘the big day’), “Universal Credit” and expert panel on financial inclusion.

Of the above the one that caught my attention was Claudia Wood of DEMOS, who presented a summary of her research on the use of prepaid cards to distribute benefits.

They claimed it was the first piece of research into electronic payments in the social care space. I wonder if that is the case. I will appreciate pointers (either privately or as a comment).

Dating back to circa 1905, when pensions were paid through postal offices, now a number of local authorities are using prepaid cards to distribute benefits as giro payments are phased out together with the Treasury’s budget squeeze. There are apparent cost savings lowering red tape to ascertain when and how benefits were spent (as local authorities have an statutory duty to monitor the expense) as well as easier to credit recipients and opening possibilities to combine multiple budgets (as a range of payments for vulnerable people are fragmented).

Some prepaid seems to be used as ID by young people and she noted the importance of telephone support for the well functioning of the schemes.

Yet a large number of people can’t or won’t take benefits through prepaid cards.

During the afternoon we were privy to the pre-launch of MyBank. An initiative of the European Union to create a pan-European online payments platform. This was interesting for two reasons

a) It seems that what merchants are looking for is to have direct access to the customer’s IP address at the point of the transaction (overcoming credit cards, PayPal, banks and everybody else). This solution was not quite there but seemed, to me, one more step in disintermediating Visa and Mastercard (which Bernardo reckons has been a desired outcome from Brussels for some time).

b) The solution is activated at the end of the transaction. The browser simply follows links embedded in the merchant’s page (via the MyBank button). Think of it as a PayPal button or a Facebook Like. You are then taken to your online banking account log-on page. You log on to the secure online banking environment of your bank following your usual procedure, confirm the details of the transaction and authorise your bank to process the payment. The merchant then received realtime confirmation.

MyBank thus lets the bank deal with security, untrusted websites, and the rest of it. This was surprising because

i) The day before, comments were made about the loss of business by extra “clicks” and people being at awe on Amazon’s “one click” purchase.

ii) Many made comments that this was perhaps a perfect set up for a new wave of phising scams as scammers will use it to get your online banking account credentials. Maybe MyBank will also add some two-factor authentication later (with phone or CAP reader). But nothing else for the moment.

So it will be interesting if at some point there are some stats on the transactions involving MyBank are released. At the moment, though, it seems Bitcoin is getting more attention from the press than the March 25th launch of MyBank.

Finally and to be honest, some of the delay to post this brief summary of day two responds to the fact that I was expecting more of the International Payments Summit 2013 and make this into a three part blog. But although it advertises itself as “Europe’s most prestigious payments conference”, I think it covered about the same range of topics as TTF13. So I gave up the idea of a third instalment for this blog. But you might want to read David Birch’s version of the Payments Bootcamp, featuring a presentation by Bernardo in which we discussed the importance of shared narratives between “technologists” and business people.

The CTSRD Project is advertising two posts in processor, operating system, and compiler security. The first is a research assistant position, suitable for candidates who may not have a research background, and the second is a post-doctoral research associate position suitable for candidates who have completed (or will shortly complete) a PhD in computer science or a related field.

The CTSRD Project is investigating fundamental improvements to CPU architecture, operating system (OS) design, and programming language structure in support of computer security. The project is a collaboration between the University of Cambridge and SRI International, and part of the DARPA CRASH research programme on clean-slate computer system design.

These positions will be integral parts of an international team of researchers spanning multiple institutions across academia and industry. Successful candidate will provide support for the larger research effort by contributing to low-level hardware and system-software implementation and experimentation. Responsibilities will include extending Bluespec-based CHERI processor designs, modifying operating system kernels and compiler suites, administering test and development systems, as well as performing performance measurements. The position will also support and engage with early adopter communities for our open-source research platform in the UK and abroad.

Candidates should have strong experience with at least one of Bluespec HDL, OS kernel development (FreeBSD preferred), or compiler internals (LLVM preferred); strong experience with the C programming language and use of revision control in large, collaborative projects is essential. Some experience with computer security and formal methods is also recommended.

Further details on the two posts may be found in job ads NR27772 and NR27782. E-mail queries may be sent directly to Dr Robert N. M. Watson.

Both posts are intended to start on 8 July 2013; applications must be received by 9 May 2013.

The 3rd USENIX Workshop on Free and Open Communications on the Internet (FOCI ‘13) seeks to bring together researchers and practitioners from technology, law, and policy who are working on means to study, detect, or circumvent practices that inhibit free and open communications on the Internet. We invite two distinct tracks for papers: a technical track for technically-focused position papers or works-in-progress; and a social science track for papers focused on policy, law, regulation, economics or related fields of study.

FOCI will favor interesting and new ideas and early results that lead to well-founded position papers. We envision that work presented at FOCI will ultimately be published at relevant, high-quality conferences. Papers will be selected primarily based on originality, with additional consideration given to their potential to generate discussion at the workshop. Papers in the technical track will also be evaluated based on technical merit. As with other USENIX events, papers accepted for FOCI ‘13 will be made freely available on the USENIX website.

For further details, see the call for papers (PDF version). The submission deadline is 6 May 2013.

Last weekend, my wife and I were in Milton Keynes where we bought a cradle as a present for our new granddaughter. They had only the demo model in the shop, but sold us one to pick up from their store in Cambridge. So yesterday I went into John Lewis with the receipt, to be told by the official that as I couldn’t show the card with which the purchase was made, they needed photo-id. I told him that along with over a million others I’d resisted the previous government’s ID card proposals, the last government had lost the election, and I didn’t carry ID on principle. The response was the usual nonsense: that I should have read the terms and conditions (but when I studied the receipt later it said nothing about ID) and that he was just doing his job (but John Lewis prides itself on being employee-owned, so in theory at least he is a partner in the firm). I won’t be shopping there again anytime soon.

We get harassed more and more by security theatre, by snooping and by bullying. What’s the best way to push back? Why can businesses be so pointlessly annoying?

Perhaps John Lewis are consciously pro-Labour given their history as a co-op; but it’s not prudent to advertise that in a three-way marginal like Cambridge, let alone in the leafy southern suburbs where they make most of their money. Or perhaps it’s just incompetence. When my wife phoned later to complain, the customer services people apologised and said we should have been told when we bought the thing that we’d need to show ID. She offered to post the cradle to our daughter, but then rung back later to say they’d lost the order and would need our paperwork. So that’s another 30-mile round-trip to their depot. But if they’re incompetent, why should I trust them enough to buy their food?

I invite the chairman, Charlie Mayfield, to explain by means of a follow-up to this post whether this was policy or cockup. Will he continue to demand photo-id even from customers who have a principled objection? Will he tell us who in the firm imposed this policy, and show us the training material that was prepared to ensure that counter staff would explain it properly to customers?