Thursday, 24 March 2016

Brussels - something to think about

The Independent is running a story today:

Brussels attacks: Security officials accused of missing a string of opportunities to stop suicide bombers
Accomplices still on the run after day of conflicting reports and confusion

The following paragraphs are deeply troubling given the emphasis on "banning" encryption and the need for total surveillance:
The French Prime Minister, Manuel Valls, who laid a wreath at the underground station close to the European Commission headquarters where more than 20 people died, said that EU nations had to invest “massively” in their security systems. 
The most direct criticism came from Turkey, which has previously criticised France for what it said was a failure to heed a prior warning about one of the suicide attackers involved in last year’s attack in Paris in which 130 people were killed. 
Turkish officials have previously said that French authorities were warned twice by Turkey about one of the assailants in the attacks on Paris in November. A senior government source told The Independent: “We had warned France before the Paris attacks, now this. It’s ridiculous.” 
The two brothers had been known to police in Belgium for years, and operated in some of the marginalised communities in the capital that had avoided close attention from the intelligence agencies despite problems of jihadist recruitment and terrorist links. 
The Belgian federal prosecutor, Frederic van Leeuw, told reporters that the two brothers, Brussels-born Belgian citizens, had “extensive” criminal records but they were not related to terrorism.
So, ultimately the failure was both of communication between intelligence and police agencies *and* a failure to listen. Worse is that the terrorists involved were already known (last paragraph above). If the signals of possible trouble were not seen in the above then the problem certainly does not lie with extensive data collection. In fact the perpetrators actually gained privacy by effectively hiding in plain sight.

The trouble is that now politicians are in the "do something" mode of operation, where doing anything, regardless of effectiveness, is far better than actually thinking and doing the right thing.

I had the pleasure of speaking with some security experts in counter-terrorism a while back. They effectively said that politicians want more security just to be seen to be doing something - this is why we've ended up with airport security that concentrates on bottles of water but not on mitigating the real risks - queues, delays, bottlenecks. The question of profiling, as seen in Israeli aviation security is too much for the politicians to risk their careers on so everyone will suffer under increasingly intrusive and increasingly ineffective security.

Finally this quote by Simon Jenkins of The Guardian:

Those who live under freedom know it demands a price, which is a degree of risk. We pay the state to protect us – but calmly, without constant boasting or fearmongering. We know that, in reality, life in Britain has never been safer. That it suits some people to pretend otherwise does not alter the fact. 
In his admiral manual, Terrorism: How to Respond, the Belfast academic Richard English defines the threat to democracy as not the “limited danger” of death and destruction. It is the danger “of provoking ill-judged, extravagant and counterproductive state responses”.

Wednesday, 23 March 2016

NSA, BigData and Privacy

We all know that BigData is good and that more data is better. In fact if you could collect everything then you could potentially stop all crimes, stop terrorism, save the World, freedom, puppies...literally do anything and everything!

Except, as most organisations should have realised (ordinary businesses take note!!) that having huge amounts of data doesn't really help you if you have no idea of what you have, what it means and how to actually extract the data you want.

Its worse when you have so much that even running the queries that might extract the right piece of data becomes so complex that you may as well just give up.

Pity the NSA then:

NSA is so overwhelmed with data, it's no longer effective, says whistleblower
One of the agency's first whistleblowers says the NSA is taking in too much data for it to handle, which can have disastrous -- if not deadly -- consequences.
So, we have a paradox in the sense that the more data we get the better we can hide...

Its funny but about 2 years ago there was an idea called the "Slow Data Movement" whose aim was to save the World from BigData madness but concentrating on what you actually need...

In fact we've even heard the argument that mass surveillance is no where as effective as "good old fashioned police work".

In fact, it even seems that the recent attacks in Belgium relied upon unencrypted communications ... which should have been easily spotable, unless of course you've got politicians obsessed with the evils of encryption and too much data to even see the weak signals of ordinary, unencrypted data.


Human evolution and the mobile phone

From the great User Friendly:

Friday, 18 March 2016

Short abstract on privacy processes

Any reasonable implementation of privacy requirements can not be made through legal compliance alone. The belief that a software system can be developed without privacy being an integral engineering  concept and that a privacy policy is sufficient as requirements or compliance check is at best dangerous for the users, customers and business involved.

While requirements frameworks exist, the specialisation of these into the privacy domain have not been made in such a manner that they unify both the legal and engineering domains. In order to achieve this one must develop terminological or ontological structures to aid communication between these domains, provide a commonly acceptable semantics and a framework by which requirements expressed at different levels of abstractness can be linked together to provide refinement of these in some form. One interesting effect of this is to almost completely remove the terms ‘personal data’ and ‘PII’ from common usage and to force a deeper understanding of the data and information being processed.

Once such a structure is in place and even just partially or sparsely populated this provides a formal framework by which not only requirements can be obtained, their application (or not) be justified and a proper risk analysis made. This has further advantages in that privacy requirements and their potential implementations can be explored through the software development process supporting ideas such as agile methods and ‘DevOps’ rather than being an ‘add-on’ exercise - a privacy impact assessment - inappropriately executed at inappropriate times.