So where did the Sunday Express get the details of Jacqui Smith’s Virgin Media bill?

In all the fuss about Jacqui Smith’s expenses, one matter that remains obscure is how the Sunday Express saw the documents concerned. They have not yet been published by the House of Commons authorities. It seems unlikely that either Jacqui Smith or her husband (or anyone in her Parliamentary office) will have leaked them. So they were either leaked by someone working in the House of Commons Fees Office or by someone working for Virgin Media. If the former, I would guess that a lot of MPs (of all Parties) are getting very jumpy and combing over their old expense claims with a fine-tooth comb. If the latter, presumably anyone’s Virgin Media account can be accessed by the press.

Tories spread more confusion over communications data

The House of Lords has just voted by the narrow margin of 93 to 89 to defeat an amendment moved by the Tories to the Data Retention (EC Directive) Regulations 2009. 

These Regulations bring the UK into line with the EU Data Retention Directive of 2006 and require communications providers to retain certain data for a fixed period of one year. (Previously, the UK had postponed applying the regulations – as was required by the Directive – to internet access, internet telephony and email.)

The Tories’ position might have been defensible on the grounds that they do not like EU directives – a point of principle that would be consistent with the decision (announced, but not implemented) to pull their MEPs out of the European People’s Party grouping in the European Parliament.

However, the reason they gave was the entirely spurious one that this was part of some hidden conspiracy to require service providers to keep the contents of communications. So one of their backbenchers kept jumping up and down asking whether the Regulations required communications services providers to keep data recovered by deep packet inspection. The answer was as explicit as it could be: paragraph 4(5) says “No data revealing the content of a communication is to be retained in pursuance of these Regulations.” The only purpose in mentioning it was to sow confusion and to mislead.

I suppose that is what opposition is all about.  And they nearly won the vote. 

However, their amendment was not fatal.  It would still have allowed the Regulations to come into force.  All it did was to add a rider to the approval motion noting the proposals “with regret”. 

So the grounds were spurious, the amendment was spurious (in that it had no effect) and perhaps the indignation was spurious.  If this is opposition, it is pretty spurious itself.

How secure is cloud computing?

I have been at a discussion meeting on information assurance this evening. It was held under the Chatham House rule, so I can’t attribute remarks to particular participants.
However, a senior civil servant (who has therefore to remain nameless) made the following interesting comment about the security of cloud computing:
‘It is like driving at speed into the fog without turning your headlights on.’

Privacy, “Deep Packet Inspection” and the internet

Baroness Sue Miller hosted an interesting meeting earlier today, billed (slightly tendentiously) as “The Internet Threat: Who needs privacy when we can have relevant ads?”. Speakers included Sir Tim Berners-Lee (inventor of the World Wide Web) and a variety of other experts.

Sir Tim Berners-Lee was arguing that the integrity of the internet is under threat by the emergence of Deep Packet Inspection by Internet Service Providers (ISPs) – this now enables ISPs to scan the contents of all communications and the contents of all web pages viewed by their customers, and for that data to be analysed so that customer-specific targeted advertising can be produced. This raises substantial privacy issues – as one speaker pointed out, each person will have a different view as to what is private for them.

Of course, such privacy issues are not new.  Already, websites place cookies on the computers of those visiting the site “to enhance the experience” of those that visit the site again and many of these track what the user does (individuals can of course block cookies or subsequently erase them – so in a sense the user can control this).  Search engines like Google also keep track of the search terms typed in by those who use them and again target advertising and recommend links accordingly.

What is new about Deep Packet Inspection is that for effectively the first time ISPs are looking routinely into the material that is being transferred through their service – it is as though Royal Mail sorting office staff were given access to the content of all the correspondence that they were sorting.

In the US this is apparently explicitly banned. In the UK, the Regulation of Investigatory Powers Act would appear to forbid this unless (Section 3 (3) (b)) it is “for purposes connected with the provision or operation of that service”. So is targeted advertising a purpose connected with the provision or operation of that service? Ultimately, this will no doubt be a question for the Courts, but, so we were told, Home Office guidance suggests that Deep Packet Inspection is permissible ….

Part of the argument has to be that websites and ISPs have to be able to make their money somehow and Peter Bazalgette, consigned to the audience, forcefully pointed out that the internet had destroyed the existing business model of many newspapers, much of the music industry and may do the same for films and books and that service providers had to evolve to find new ways of making revenue.

Some of my Parliamentary colleagues were keen to divert the debate on to the Government’s consultation on the draft Communications Data Bill.  However, there is a world of difference between a government that is accountable to Parliament collecting data and commercial companies that are accountable to no-one but their share-holders doing so.

There is a real debate to be had here and Sue Miller is to be congratulated for facilitating this morning’s meeting.

Postal Services Bill gets its Second Reading without a vote

The Postal Services Bill has had its first full debate today.  The Bill makes provisions for the restructuring of the Royal Mail Group, addresses problems in the Royal Mail Pension Fund and changes some of the regulatory arrangements.

Usually, the House of Lords gives Bills – however controversial – an unopposed Second Reading, so that they can be given detailed consideration at the Committee and Report stages. Today, however, Lord Tony Clarke, a former postman who became Deputy General Secretary of the Union of Postal Workers, put forward an amendment to the motion that the bill be now read a second time, to leave out all the words after “that” and insert “this House declines to give the bill a second reading”.

In introducing the Bill, Lord Peter Mandelson set out clearly the case for modernisation:

“We live in a digital age.  As we send more texts and emails, we send fewer letters. The Mobile Data Association estimates that in 2008, we sent around 216 million text messages per day.  That same year, we sent five million fewer letters per day than we had done just two years ago.


The fall in mail volumes is happening across many modern economies but I do not accept that postal services are locked into an inevitable decline. I believe mail is still a critical part of our social fabric, our communication infrastructure and our economy. And for those reasons, I want to see Royal Mail modernised and made fit for the future.


The Government is fully committed to maintaining the universal service. Royal Mail is at the heart of that service. Only Royal Mail has the ability to collect and deliver letters anywhere in the country, six days a week, for a single, affordable price.


That’s why the Royal Mail’s service requires sustaining not abandoning – and sustaining with a vision that will ensure its commercial success.”


He also made clear the Government’s commitment to:

“a universal service which is reliable, offers good value for money, is innovative and responds to their needs.


Our proposals seek to deliver that. Part 3 of the Bill sets the standard for the universal service. It requires Ofcom to ensure that the universal service is maintained. If Ofcom finds that there is tension between its functions in relation to post, the Bill is explicit in requiring the regulator to give precedence to the universal service.”


In the end, Tony Clarke withdrew his amendment – while making it absolutely clear that he was not convinced by the arguments.  So we didn’t vote today, but there will be no doubt much detailed debate and discussion over the weeks ahead.


Half a page coverage in The Observer is pretty good coverage for any Lords debate

I had recently come to the view that my comments on this blog were receiving more attention than anything I might say in the chamber of the House of Lords.

So I suppose I should be flattered that the debate I initiated in the Lords on young people and social networking sites should have got a full half-page of coverage in today’s Observer.

Catherine Bennett certainly seems to have got the measure of the effects of being in the Lords on some of my colleagues (I hope not me, but you never know ….) when she writes:

“Given what we now know about the human brain, it is clear that prolonged exposure to an unnatural environment like the House of Lords must have a damaging effect. If the ageing brain is artificially denied stimulation over a long period, it might lead to a condition almost indistinguishable from idiocy.  The effects on communication have been documented for years. Now some leading neuro-scientists are suggesting that flashing lights and bells be fitted to go off regularly in the chamber, in order to induce in members something resembling an average attention span.”

She then weighs in to attack the comments of Baroness Susan Greenfield for her contribution to the debate analysing the impact of social networking and online phenomena like Twitter from her standpoint as a neuro-scientist.  It is a fine polemic and yes the comments from Susan Greenfield were rather tangential to the purpose of my debate which was intended to explore whether more safeguards were needed to protect the interests of children and young people online.

However, the comments (and the whole debate can be read here) were of interest and do deserve some serious discussion. Twitter and Twittering seem a largely pointless exercise to many and as Catherine Bennett puts it:

“Twitter emphasises its desirability by being unfathomable to anyone a bit inflexible or busy who is neither a self-promoter nor an exhibitionist.”

Now I don’t feel that Susan Greenfield’s speech detracted from the rest of the debate – it is part of the way that the House of Lords operates that colleagues bring their various experiences and expertise to bear on the topics under discussion.  And it certainly didn’t “hijack” the debate as Catherine Bennett suggests.

Catherine Bennett was kind enough to say that “The Lords are right to want to protect vulnerable users from exploitation and from the inadvertent creation of an indelible archive of social networking follies.” So, if that is so, and she wants to avoid the debate being hijacked, perhaps she might have devoted more than just three lines of her article to the rest of the debate and what she rightly regarded as its main substance.

Or perhaps I’m missing something ….

At least in the USA they acknowledge the extent of the problem of cyber-attacks on government computer systems

In the UK there’s always been a reluctance to acknowledge the extent to which government computer systems are subjected to and often fall victim to cyber-attacks from those trying to plant malicious code so as to steal or manipulate data. My attempts to obtain statistics (however imperfect) by Parliamentary Questions to Government departments were blocked, as were my offers to arrange external penetration testing of individual systems.

It is refreshing therefore to come across the openness with which these issues are discussed in the United States. The front page of today’s ‘USA Today’ carries a story saying ‘Raids on federal computer data soar’ quoting data from US-CERT (US Computer Emergency Readiness Team) that shows a 40% increase in the installation of hostile programs between 2007 and 2008. According to Joel Brenner, counter intelligence chief in the Office of the Director of National Intelligence, this reflects ‘a dramatic, consistent increase in cybercrime and intelligence activities.’

They take it seriously in the USA – we ought to do the same in the UK. (Of course, maybe we do, but there is nothing public that I have seen that gives me confidence.)

This apparent complacency by Government is exacerbated by complacency in many parts of the private sector (of course, much of the critical national infrastructure is owned or run privately), where I hear many firms are cutting costs to cope with the economic situation by getting rid of information security professionals.

Social networking debate passes off without any new Government commitments

My debate on social networking has just ended. 

In my opening speech, I set the context by citing the OFCOM research that found that virtually all (99%) of children and young people aged 8 to 17 use the internet.  In 2005 the average time spent on line by children was 7.1 hours per week.  By 2007, this had almost doubled to 13.8 hours per week.  And virtually half (49%) of those aged 8 to 17 have set up their own profile on a social networking site.


My thesis was that social networking and video sharing sites, online games, iPods and internet-enabled mobile phones are now an integral part of youth culture.  While many adults worry that their offspring are wasting precious hours online, children and young people themselves see online media as the means to extend friendships, explore interests, experiment with self-expression and develop their knowledge and skills.


However, in the same way that young children are taught how to cross the road and at the same time safety features are built into cars and traffic laws regulate unsafe driving, we need to make sure that our children and young people are protected when they make their way on the internet.


As we know, there are real perils for the unwary.  Children and young people have been the victims of sexual predators as a result of the information they have revealed about themselves on social networking sites; there are increasing problems of cyber-bullying; security weaknesses on sites have led to serious privacy infringements; and young people have discovered the hard way that the permanence of information posted in public cyber-space may not only be embarrassing in later life but may also mean that employment offers (or university places) are not forthcoming.


I went on to argue that:


  • Children throughout their education should be taught digital citizenship so that they can both make the most of the internet but also recognise and deal with any dangers they may encounter. As most parents acknowledge that their children are more internet literate than they are, there should also be a serious effort in parallel to help parents (and indeed all adults) to keep up with the rapid development of the internet and social digital media.
  • At the same time, privacy laws ought to be strengthened with an age-related component, specifically giving enhanced protection to the data relating to or provided by children and young people. The US Children Online Privacy Protection Act, whilst not perfect, provides a model that has required a number of US-based companies operating on the internet to improve their standards significantly.
  • There should also be higher expectations on those responsible for social networking sites – particularly those aimed at children or where there are a significant number of users who are children and young people. These higher expectations should include:
      ◦ Prominent and clear safety information, warning about potential dangers;
      ◦ Simple systems for reporting abuse or inappropriate/threatening behaviour with appropriate links to the police and law enforcement;
      ◦ Increased numbers of suitably-vetted moderators patrolling areas of sites frequented by young people;
      ◦ User-friendly systems enabling people to ignore and erase unwanted comments and to erase permanently their own profiles; and
      ◦ Increased server security to prevent hacking and unauthorised access to personal information.
  • Finally, there should be urgent work undertaken by internet and technology companies to find and agree a simple, efficient and cost-effective means of achieving age-verification on the internet, so as to prevent under-age people accessing inappropriate sites and older people passing themselves off as under-18.


In addition, other peers made a range of interesting points. 

There was a notable contribution from Baroness Susan Greenfield approaching the topic from the stand-point of neuro-physiology. 

Baroness Doreen Massey told the House about the Bill she is introducing on internet age verification and the Minister replying, Lord Bill Brett, almost gave a commitment on behalf of the Government to support it – although when I pressed him on it he entered the most enormous health warning about what he had said.  Nevertheless, it was clear that there was a lot of support in the House for the principle of such legislation.

An exercise in cack-brained lobbying – how not to do it

The debate I have initiated on social networking is this afternoon and I have received a number of briefing/lobbying papers from different companies and organisations about the subject. Nothing improper in that. Some of the material has been helpful and interesting. Some of it less so.

One company – I won’t name them (they know who they are) – had the cack-brained idea to send their submission by registered post to me both at the House of Lords and at home. I got the Lords copy yesterday and read it – moderately interesting. I got home last night to find one of those ‘Sorry you were out’ cards from the Royal Mail saying they had a letter that needed signing for at the Sorting Office. So this morning I made a 45 minute detour to pick it up only to find it was another copy of the letter I read yesterday.
Question: is this more or less likely to make me favourably disposed to what they’re saying?

New Obama administration sets an example on taking cyber-security seriously

Only a few days after he was inaugurated as President, Barack Obama’s new administration has already published its new agenda on cyber-security as part of a wider policy statement on homeland security.  In particular, the President commits himself to:

  • Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.
  • Initiate a Safe Computing R&D Effort and Harden our Nation’s Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.
  • Protect the IT Infrastructure That Keeps America’s Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience.
  • Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation’s trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.
  • Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.
  • Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches: Partner with industry and our citizens to secure personal data stored on government and private systems. Institute a common standard for securing such data across industries and protect the rights of individuals in the information age.

I wish that there was a similarly clear and robust approach in the UK.