After 9/11, we worked on the economics of security, in an attempt to bring back some rationality. Next followed the economics of privacy, which Alessandro Acquisti and others developed to explain why people interact with social media the way they do. A year after the Snowden revelations, it’s time to talk about the economics of surveillance.
In a new paper I discuss how information economics applies to the NSA and its allies, just as it applies to Google and Microsoft. The Snowden papers reveal that the modern world of signals intelligence exhibits strong network effects which cause surveillance platforms to behave much like operating systems or social networks. So while India used to be happy to buy warplanes from Russia (and they still do), they now share intelligence with the NSA as it has the bigger network. Networks also tend to merge, so we see the convergence of intelligence with law enforcement everywhere, from PRISM to the UK Communications Data Bill.
There is an interesting cultural split in that while the IT industry understands network effects extremely well, the international relations community pays almost no attention to it. So it’s not just a matter of the left coast thinking Snowden a whistleblower and the right coast thinking him a traitor; there is a real gap in the underlying conceptual analysis.
That is a shame. The global surveillance network that’s currently being built by the NSA, GCHQ and its collaborator agencies in dozens of countries may become a new international institution, like the World Bank or the United Nations, but more influential and rather harder to govern. And just as Britain’s imperial network of telegraph and telephone cables survived the demise of empire, so the global surveillance network may survive America’s pre-eminence. Mr Obama might care to stop and wonder whether the amount of privacy he extends to a farmer in the Punjab today might be correlated with with amount of privacy the ruler of China will extend to his grandchildren in fifty years’ time. What goes around, comes around.
I’m at the IEEE Symposium on Security and Privacy, known in the trade as “Oakland” even though it’s now moved to San Jose. It’s probably the leading event every year in information security. I will try to liveblog it in followups to this post.
The European Court of Justice decision in the Google case will have implications way beyond search engines. Regular readers of this blog will recall stories of banks hounding innocent people for money following payment disputes, and a favourite trick is to blacklist people with credit reference agencies, even while disputes are still in progress (or even after the bank has actually lost a court case). In the past, the Information Commissioner refused to do anything about this abuse, claiming that it’s the bank which is the data controller, not the credit agency. The court now confirms that this view was quite wrong. I have therefore written to the Information Commissioner inviting him to acknowledge this and to withdraw the guidance issued to the credit reference agencies by his predecessor.
I wonder what other information intermediaries will now have to revise their business models?
Today I gave a talk at the Open Data Institute on a catastrophic failure of anonymity in medical research. Here’s the audio and video, and here are the slides.
Three weeks ago we made a formal complaint to the ICO about the Department of Health supplying a large amount of data to PA Consulting, who uploaded it to the Google cloud in defiance of NHS regulations on sending data abroad. This follows several other scandals over NHS chiefs claiming that hospital episode statistics data are anonymous and selling it to third parties, when it is nothing of the kind.
Yesterday the Department of Health disclosed its Register of Approved Data Releases which shows that many organisations in both the public and private sectors have been supplied with HES data over the past year. It’s amazing how many of them are marked “non sensitive”: even number 408, where Imperial College got data with the with HESID (which includes postcode or NHS number), date of birth, home address, and GP practice. How officials can maintain that such data does not identify individuals is beyond me.
Three NGOs have lodged a formal complaint to the Information Commissioner about the fact that PA Consulting uploaded over a decade of UK hospital records to a US-based cloud service. This appears to have involved serious breaches of the UK Data Protection Act 1998 and of multiple NHS regulations about the security of personal health information. This already caused a row in Parliament and the Deparatment of Health seems to be trying to wriggle off the hook by pretending that the data were pseudonymised. Other EU countries have banned such uploads. Regular LBT readers will know that the Department of Health has got itself in a complete mess over medical record privacy.
On January 23rd we had a conference call with the NHS Information Centre and a couple of its software suppliers about anonymisation. LBT readers will have followed how your GP records are to uploaded to the new central database care.data for resale unless you opt out. Any previous opt outs from other central systems like SCR will be disregarded (even if you wrote saying you opted out of all central systems), along with opt-outs from regional systems.
We’d been told that if you opted out afresh your data would be uploaded only in anonymised, aggregated form; after all the Prime Minister promised. But I persisted. How will the NHS work out doctors’ bonuses in respect of opted-out patients? Doctors get extra payments for meeting targets, such as ensuring that diabetic patients get eye tests; these used to be claimed by practice managers but are now to be worked out centrally. If the surgery just uploads “We have N patients opted out and their diagnostic codes are R1, R2, R3, …” then officials might have to give doctors the benefit of the doubt in bonus calculations.
It turned out that officials were still dithering. The four PC software vendors met them on January 22nd and asked for the business logic so they could code up the extraction, but officials could not make up their minds whether to respect the Prime Minister’s promise (and human-rights law) or to support the bonus calculation. So here we had a major national programme being rolled out next month, and still without a stable specification!
Now the decision has been taken. If you opt out, all your clinical data will be uploaded as a single record, but with your name, date of birth and postcode removed. The government will simply pretend this is anonymous, even though they well know it is not. This is clearly unlawful. Our advice is to opt out anyway while we lobby ministers to get their officials under control, deliver on Cameron’s promise and obey the law.
Today we release a paper on security protocols and evidence which analyses why dispute resolution mechanisms in electronic systems often don’t work very well. On this blog we’ve noted many many problems with EMV (Chip and PIN), as well as other systems from curfew tags to digital tachographs. Time and again we find that electronic systems are truly awful for courts to deal with. Why?
The main reason, we observed, is that their dispute resolution aspects were never properly designed, built and tested. The firms that delivered the main production systems assumed, or hoped, that because some audit data were available, lawyers would be able to use them somehow.
As you’d expect, all sorts of things go wrong. We derive some principles, and show how these are also violated by new systems ranging from phone banking through overlay payments to Bitcoin. We also propose some enhancements to the EMV protocol which would make it easier to resolve disputes over Chip and PIN transactions.
Update (2013-03-07): This post was mentioned on Bruce Schneier’s blog, and this is some good discussion there.
Update (2014-03-03): The slides for the presentation at Financial Cryptography are now online.
If you listen to Radio 4 from 0810 on BBC iPlayer, you’ll hear a debate between Phil Booth of MedConfidential and Tim Kelsey of NHS England – the guy driving the latest NHS data grab.
Tim Kelsey made a number of misleading claims. He claimed for example that in 25 years there had never been a single case of patient confidentiality compromise because of the HES data kept centrally on all hospital treatments. This was untrue. A GP practice manager, Helen Wilkinson, was stigmatised as an alcoholic on HES because of a coding error. She had to get her MP to call a debate in Parliament to get this fixed (and even after the minister promised it had been fixed, it hadn’t been; that took months more pushing).
Second, when Tim pressed Phil for a single case where data had been compromised, Phil said “Gordon Brown”. Kelsey’s rebuttal was “That was criminal hacking.” Again, this was untrue; Gordon Brown’s information was accessed by Andrew Jamieson, a doctor in Dunfermline, who abused his authorised access to the system. He was not prosecuted because this was not in the public interest. Yeah, right. And now Kelsey is going to give your GP records not just to almost everyone in the NHS but to university researchers (I have been offered access though I’m not even a medic and despite the fact that academics have lost millions of records in the past), to drug firms like GlaxoSmithKline, and even to Silicon-Valley informatics companies such as 23andme.
The next three weeks will see a leaflet drop on over 20 million households. NHS England plans to start uploading your GP records in March or April to a central system, from which they will be sold to a wide range of medical and other research organisations. European data-protection and human-rights laws demand that we be able to opt out of such things, so the Information Commissioner has told the NHS to inform you of your right to opt out.
Needless to say, their official leaflet is designed to cause as few people to opt out as possible. It should really have been drafted like this. (There’s a copy of the official leaflet at the MedConfidential.org website.) But even if it had been, the process still won’t meet the consent requirements of human-rights law as it won’t be sent to every patient. One of your housemates could throw it away as junk before you see it, and if you’ve opted out of junk mail you won’t get a leaflet at all.
Yet if you don’t opt out in the next few weeks your data will be uploaded to central systems and you will not be able to get it deleted, ever. If you don’t opt out your kids in the next few weeks the same will happen to their data, and they will not be able to get their data deleted even if they decide they prefer privacy once they come of age. If you opted out of the Summary Care Record in 2009, that doesn’t count; despite a ministerial assurance to the contrary, you now need to opt out all over again. For further information see the website of GP Neil Bhatia (who drafted our more truthful leaflet) and previous LBT posts on medical privacy.
We had a crypto festival in London in London in November at which a number of cryptographers and crypto policy folks got together with over 1000 mostly young attendees to talk about what might be done in response to the Snowden revelations.
Here is a video of the session in which I spoke. The first speaker was Annie Machon (at 02.35) talking of her experience of life on the run from MI5, and on what we might do to protect journalists’ sources in the future. I’m at 23.55 talking about what’s changed for governments, corporates, researchers and others. Nick Pickles of Big Brother Watch follows at 45.45 talking on what can be done in terms of practical politics; it turned out that only two of us in the auditorium had met our MPs over the Comms Data Bill. The final speaker, Smari McCarthy, comes on at 56.45, calling for lots more encryption. The audience discussion starts at 1:12:00.