I have secured a Lords debate on social networking sites …

I have been successful in the ballot to obtain a two and a half hour debate on the adequacy of the safeguards protecting children and young people using social networking sites on the internet.

The debate will be on the afternoon of Thursday 12th February 2009 and appears on the order paper as:

Lord Harris of Haringey to call attention to the growth in the use of social networking internet sites by children and the adequacy of safeguards to protect their privacy and interests; and to move for papers.

The process was that at the beginning of the session I tabled my debate proposal and waited to see whether it would be successful in the ballot: in fact, I gather it was fourth in the ballot for 12th February but those winning the top two slots couldn’t manage the date.

I have been interested in the issue for some time and I hope the debate will cover the extent to which children and young people are encouraged to post personal information on social networking sites to an extent that damages not only their personal security but also their future job prospects.  Nearly 50% of those aged 8 to 17 living in this country are – according to OFCOM – members of an online network community.  Often the warnings given to those signing on for the first time are inadequate.  The Home Office has issued guidance to social network providers but the guidance is not mandatory and has little effect on sites run from outside the UK.

How significant is the latest MoD information security breach?

I have heard a number of stories about breaches in information security at the Ministry of Defence in the last week.  It sounds as if the problems occurred in a number of places with malicious code compromising a series of computers, including some on board Royal Navy ships.  It has also been suggested that not only did this lead to a variety of system breakdowns but also that information was transmitted away from the secure system.
If these stories are true, it is significant at a number of levels: first, it would appear to have been a co-ordinated attack on multiple systems (therefore highly organised and credibly sponsored by a nation state); second, it appears to have caused major disruption; and third, it successfully penetrated the existing information security systems.
I have been concerned for a number of years about the inadequate priority given to the information security of the UK’s critical national infrastructure.  When I first started raising this in Parliament with a series of questions, I was essentially told that the Government was satisfied that there were adequate protection systems in place and that in any event there was no evidence or intelligence to suggest that either other nation states or terrorists might seek to exploit any information security vulnerabilities.
Since then, we have seen the Titan Rain cyber-attacks on US and UK systems in 2007 (allegedly sponsored by China), and cyber-disruption aimed at Estonia and Georgia in 2008.
The UK Government has started taking the threat much more seriously than it did and I am not in a position to know whether the arrangements now in place are sufficient.  However, this week’s reports of the attacks on Ministry of Defence computers suggest that there is still a lot more to be done.
For about four years, I asked a series of Parliamentary Questions of each Government Department about the number of incidents of malicious breaches of their IT systems.  The answers obtained were interesting if not very meaningful.  Each year, by far the largest number of breaches were reported by the Ministry of Defence.  This possibly suggested that their systems were the subject of more attacks, but certainly indicated that they had the best system for monitoring what was going on within their IT systems.  In a sense, much more worrying was the fact that up to half of Government regularly reported that they had suffered no malicious attacks whatsoever.  This, of course, could mean that their systems to avoid malicious penetration were perfect or that their systems were regarded as so boring that no-one had bothered to attack them.  Much the more likely explanation, however, was that their systems were not detecting when they had been attacked.
Last year, my Parliamentary Questions were answered with a standard answer that “it was not in the national interest” to provide the data as it might provide assistance to those who were trying to undermine our national security.  It is therefore impossible to gauge the significance and relative scale of the latest attack.  However, if it raises the importance attached to having the highest levels of information security surrounding the UK’s critical national infrastructure, then some good will have come of it.
At the moment, I am not sure whether there is anything to be gained by trying to get more details of what has happened and more importantly what is being learned from the latest attack.  Maybe I will feel more energised tomorrow ….

Should Gordon Brown set his sights higher than 100,000 jobs created through public works?

In his New Year interview with The Observer today, Gordon Brown talks about creating 100,000 jobs by a programme of public works, focused on school repairs, new rail links, hospital projects, investment in eco-friendly projects and the broadband infrastructure.

This is all eminently sensible, but should really be on a much greater scale. The 100,000 jobs presumably equates to the £3 billion of public investment included in last month’s PBR statement. I argued then that the balance was wrong with too great an emphasis on boosting consumer spending by cutting VAT.
Nothing that has happened since alters my view.
Yes, there has been a splurge of High Street buying – mainly of imported goods (this will no doubt help maintain world employment levels, but won’t do a lot in the UK and will further push down the value of the £ against the € and the $). Interestingly, elsewhere in The Observer, the excellent Bill Keegan (delightfully appointed a CBE in the New Year honours) points out that much of this High Street spending may have been overseas visitors capitalising on the low exchange rate.
Instead, we should be treating the economic situation as an opportunity to invest in the UK’s long-term future. The Government should set a series of infrastructure objectives to be achieved over the next four or five years and put in place the resources and mechanisms for these objectives to be met. For example, local councils could be tasked to achieve better insulation and energy efficiency in the housing stock in their areas, a major programme to further improve school buildings and health care facilities should be instituted, every home, every school and every NHS facility should be cabled and enabled to have high speed broadband access with public wi-fi access in every town centre etc..
The opportunity should be taken to improve skills and equip young people (and indeed any adult) with the training needed to achieve their aspirations in the modern world.
No doubt this is ambitious, but – as Barack Obama has preached about ‘The Audacity of Hope’ – perhaps in the UK a Labour Government should dare to put that hope into practice.

‘Bad Science’ by Ben Goldacre has lessons for us all and should be required reading for all ‘opinion formers’

I have just finished reading Ben Goldacre’s book, ‘Bad Science’. Much of the book will be familiar to assiduous readers of his regular column in ‘The Guardian’ each Saturday, but even for them it is worth having all the arguments in a fuller form with the detailed references cited.
Ben Goldacre should be essential reading for all ‘opinion formers’ and indeed, given the prevalence in the media of misrepresentation of scientific stories and of pseudo-science masquerading as fact, we would all benefit from the crash course that Goldacre offers.

The book takes the reader through what constitutes a good scientific experiment and a meaningful clinical trial and then looks at how various widely-reported issues measure up. Along the way ear candles, the Brain Gym (shamefully promoted – with the connivance of the Department of Children, Schools and Families – throughout the school system), homeopathy, and most commercial nutritionism are systematically debunked. This leads into a discussion on the ways in which the pharmaceutical industry’s products are promoted and concludes with the way in which the media hyped up a manufactured scare about the MMR vaccine.

So why are people so taken in by pseudo-science, by health scares and health fads? I suspect, while the media should take a large chunk of the blame, the real reason is that as a society we have been collectively undervaluing science and technology for several decades. Not enough is done in schools to promote not only the wonder and excitement of science, but also a basic understanding of scientific principles and method. Perhaps as a first step Ed Balls and senior officials at the DCSF should have as their New Year Resolution to read ‘Bad Science’ and figure out how to include its central message in the National Curriculum.

The RSA poses the question is ICT a barrier to good teaching and how serious is the problem of text-bullying and cyber-bullying, but fails to offer any answersThe RSA poses the question is ICT a barrier to good teaching and how serious is the problem of text-bullying and cyber-bullying, but fails to offer any answers

The Royal Society of Arts last night staged a panel discussion, sponsored by Vodafone, on “Young People and Technology: opportunities and pitfalls in a virtual world”.  The event, chaired by Rory Cellan-Jones, the technology correspondent of BBC News, was rather disappointing, mainly because the discussion meandered around a number of themes without really focusing debate on any of them.

First and foremost, the panel was criticised for not having any young people on it.  Two other main themes emerged – both interesting but not really related to each other.  One was about the alleged pernicious effect of ICT on the quality of teaching.  With Phil Beadle arguing that £100 billion (actually the figures he used, even if accurate, only came to £1 billion) spent on providing inter-active whiteboards in every classroom was not only wasted but, in fact, has led to teachers tied to formal presentations at the front of the classroom and staying up all night to hone their Powerpoint presentations rather than interacting freely and naturally with their pupils.  He also said too often pupils are told to do work on computers to shut them up rather than to teach them.  I have some sympathy with this view, but that doesn’t mean that for some purposes some of the time new ICT tools can’t help communicate material effectively to children in the classroom.  So this strand of the discussion produced some interesting rants but failed to illuminate the more interesting question about whether a society where children spend so long on computer games and interacting by text or via social networking sites will produce adults who cannot interact with each other in more traditional ways.

The other major strand of discussion was about bullying by text or via the internet.  There is no doubt that this is becoming a serious issue – several suicides or attempted suicides stemming from this were mentioned.  However, “traditional” bullying can also have dreadful consequences for those bullied.  So is it a new or inherently different phenomenon?  The key difference, of course, is that it doesn’t end when the victim gets home and shuts the front door – the messages can still be received and there is no safe haven.  However, apart from everyone taking this much more seriously, little was offered as to what works in combating it.


Pakistani President accepts recommendation of House of Lords Committee on internet security but goes just a bit further ….

Let nobody say that House of Lords Select Committee reports are without influence!  It seems that one of the recommendations of the House of Lords Committee inquiry into “Personal Internet Security” has been taken on board by Pakistani President, Asif Ali Zardari.  The Committee, of which I was a member, recommended stiffer penalties for those convicted of cyber-crimes.  However, Zardari’s response has probably gone just a bit further than we had in mind.  He has now issued a decree backdated to the end of September that sets the maximum penalties for internet crime as death or life imprisonment.

Those people who felt I had gone too far when I called for a Sarblanes-Oxley type approach to company directors who fail to take information security seriously enough might care to note what the Zardari solution might be!

The Sunday pundits are missing the point about the Government’s Interception Modernisation Programme

The Sunday newspaper pundits have been working themselves up into an indignant froth about the Government starting to consult about its Interception Modernisation Programme.  Henry Porter in The Observer, for example, regaled his readers with his fantasies about Home Secretary, Jacqui Smith, as a “comic-strip super-villain dominatrix” and describing the proposal as “a very great threat to individual privacy”  It may be that Henry Porter needs a cold bath, but he certainly needs to focus on some facts.

At present, telephone companies keep data on their subscribers who make telephone calls, who they connect to and for how long.  They do this, so that they can bill people.  For many years, it has been possible for the police to access this data as part of their investigations into crime.  To do so, they have to get proper authorisation, certifying that accessing the data is proportionate to the crime being investigated and each case has to be considered individually.  The data can be used as evidence in Court and does not involve tapping the call and listening to the content.  Many trials rely on this evidence for criminals to be convicted – there is a murder trial under way at the moment where the crucial evidence is which mobile phones contacted each other just prior to and immediately after the murder took place.

But – and this seems to have passed the pundits by – technology is changing.  Telecoms companies (both fixed line and mobile operators) are building new networks based on VoIP technology.  This is cheaper and more flexible and – critically – does not require detailed call-by-call billing.  The data on which so many trials now rely will soon cease to exist.  The Government is therefore quite rightly going to consult on what can be done to capture this information and allow it to be used in criminal investigations where necessary.

It is not about giving the police more powers to pry into people’s personal lives.  It is about not losing vital material that is currently used to catch criminals.

And, of course, new forms of communication are being created all the time (eg. on social networking sites and chat facilities built into on-line gaming).  Should the police have powers to find out who is communicating with who in these new ways?  That’s what the consultation is about.  It is not some monstrous new assault on civil liberties.  It is allowing a sensible debate about how existing powers should be modified to reflect the changes in technology.

100 ten-year-olds visit Parliament for the PITCOM awards

It was a delight to welcome over a hundred pupils from primary schools all over Britain to Parliament this afternoon.  The occasion was to award the prizes to the winners of the PITCOM (Parliamentary Information Technology Committee) 2008 Make IT Happen competition.  The schools were asked to use technology to describe how they would change an aspect of their community for the better.  As chair of the judges, I can testify that the final decisions on the national winners were genuinely difficult – the sheer range of ideas, the innovation and enthusiam showed that there is every reason to be confident about the UK’s technological future when these pupils grow up.

Let’s put a monetary value on personal data

Fourteen months after publication, the Select Committee report on “Personal Internet Security” was finally debated on the floor of the House of Lords.  Since we produced the report much has happened. There have been the well-publicised data losses at HM Revenues and Customs and from other Government departments and agencies.  And indeed today, we hear of the loss by EDS of an MoD hard drive containing the details of 100,000 service men and women.  This all confirms my view that the Committee was absolutely right to call for a Data Breach Notification law in the UK.

This is, of course, about the culture within organisations – every employee has got to understand the importance of maintaining data security and their responsibility for doing so.  Perhaps if people recognised the potential value of personal data they might be less cavalier in its treatment. For many people, a stolen identity will take weeks or months of effort to sort out.   The FSA estimate that the cost of identity fraud in the UK (admittedly using a fairly wide definition) is around £1.7 billion.  During the inquiry we were told by Team Cymru that on a single server in a typical month there were for sale the data from 32,000 compromised Visa cards, and 13,000 Mastercards.  The price nearly three years ago was $1 for a US card, $2 for a UK card.  Associated data was also for sale including the card-holder’s mother’s maiden name etc. 

Perhaps if employees were told that each personal record was worth at least £100 – they might treat a memory stick or for that matter that MoD hard drive containing a hundred thousand personal records as though it was worth £10 million – certainly with more respect.  

It maybe that engendering such a change in culture will require more than a Data Breach Notification Law.  Perhaps we need something more akin to the framework created by health and safety legislation, where every manager would have to take personal responsibility for delivering information security in their area or face prosecution.  And perhaps we need an IT equivalent of the US Sarblanes-Oxley requirements to make people at Board level take their responsibilities to heart.