Demos Project : For Your Information

Identity and information

peter.bradwell@demos.co.uk ( Pete Bradwell ) — Fri, 22 Aug 2008 14:25:39 -0100

'The Internet was built without a way to know who and what you are connecting to.' - The laws of identity.

Kim Cameron, digital identity 'guru', this week published a simplified version of his 'laws of identity'. The original is somewhat of a milestone in online identity thinking, setting out in detail the key challenge of incorporating what it calls an 'identity layer' - basically a system that solves the problem of there being many different, competing ways that companies and websites get around the problem of finding out who they are interacting with.

I'd recommend giving the original a read. But the need to outline this area in a way that anyone - not just those with an interest in or innate understanding of the area - can read has only grown over recent years. I still feel that not many people have really succeeded in making the case in plain enough terms why people should care about particular kinds of identity systems. And how they can use them.

In FYI: the new politics of personal information, whilst it wasn't our main focus, we argued that focusing on identity in the debate about personal information is difficult but a key challenge. Still, the issue is too often seen as a data protection problem. Which is important, but partly (not only) because it fits into this broader problem of how important personal information is in shaping how institutions and organisations judge the kind of people we are.

So this is really great to see. Here are Kim Cameron's simplified laws:

People using computers should be in control of giving out information about themselves, just as they are in the physical world.
The minimum information needed for the purpose at hand should be released, and only to those who need it. Details should be retained no longer than necesary.
It should NOT be possible to automatically link up everything we do in all aspects of how we use the Internet. A single identifier that stitches everything up would have many unintended consequences.
We need choice in terms of who provides our identity information in different contexts.
The system must be built so we can understand how it works, make rational decisions and protect ourselves.
Devices through which we employ identity should offer people the same kinds of identity controls - just as car makers offer similar controls so we can all drive safely.

TechnoPresident?

peter.bradwell@demos.co.uk ( Pete Bradwell ) — Tue, 24 Jun 2008 08:36:26 -0100

In 2006, David Cameron famously described Gordon Brown as an 'analogue politician in a digital age'. It's an image painted consistently by the opposition - a man out of touch with the pace of change. Whatever the merits of these allusions, a similar dynamic seems to be playing out in the US, between Obama and McCain.

In June last year Niamh, Molly and I visited the PDF Conference 2007 in New York, organised by the Personal Democracy Forum. (You can read about our trip here and here.)

It was themed around the ways technology is changing politics, and there was a focus even then on the 2008 presidential campaigns. The feeling was there was a real chance for a candidate to embrace technology like never before, and in doing so, take a big advantage over their rivals. Barack's campaign has so far seemed determined to be a working demonstration of how right this was. He stole a big lead on Hillary Clinton through linking online, grassroots organising with higher political strategising. Will that advantage carry over into the Presidential race proper?

This year's Conference found some coverage in the Guardian today, for a session featuring the internet strategists from the major Presidentail candidates. There seem to be two main points, with relevance not only for the US elections but how politicians use technology generally:

1. McCain is struggling to prove that he 'gets' the internet. And that doesn't mean that he wants to show he can spend all day commenting on Vloggers. Interestingly, Obama hasn't simply created 'fly on the wall' style video. He's largely created the environment where other people are willing to create content, campaign and get involved by themselves. It's not Ask Barack or WebObama, but simple tools people can use. The trick, like with most recent succesful online creations, was making people want to do things themselves.

2. But the Presidential campaign will be where we see whether tech-enhanced campaigning can have a real influence over political decision making. Will Obama's one million Facebok friends be part of a success story for a Presidential race proper?

If you want to follow the conference, or catch up on some of the presentations, there's predictably plenty of content to help you do so here.

Musical 'mares

peter.bradwell@demos.co.uk ( Pete Bradwell ) — Tue, 12 Feb 2008 09:42:58 -0100

It's not Friday - but can I rant?

Unsurprising reports today of some imminent proposals to compel Internet Service Providers to punish users who download pirated material. This follows news a few months back that the government was facilitating talks between ISPs and the music industry. The proposals, as reported at least, seem to be that ISPs would give two warnings to users about the downloading of pirated material, before being banned from their connection.

I wouldn't be surprised if the final consultation Green Paper contains somewhat different proposals. But starting from the presumption that these or similar proposals are really under consideration, there are two points that vex me about this.

Firstly, this would be an interesting and serious change to the principle that ISPs do not discriminate between types of traffic (see (and here) the related network neutrality debate - we touched on this in the FYI pamphlet). There are both ethical and practical reasons for this. For the former, the questions relate to ISPs' mandate to police networks; and the process of deciding what and whose traffic is legitimate and legal. In terms of practicality, it is difficult to see how this will actually work. Can I email my friends mp3s? Will something be scanning what I send? What is the technology that facilitates this? in short, exactly how will ISPs determine what is an illegal piece of data? There's more on this here.)

It is interesting that this is happening in an area less than ethically, culturally and even economically clear-cut (music downloading). Whatever arguments I have heard, I do not see as entirely valid the simplistic connection between stealing a product from a shop and sharing music online - as it is made, for example, by the BPI. Music is more than a product - it is part of our cultural life. It needs to be shared, built upon, talked about and critiqued. Cultural industries are supposed to support people's ability to do this, and not play too strong a role in deciding how it happens.

Which leads to the second point. It strikes me that the music industry are precisely the wrong people to be negotiating with Internet Service Providers. It's like asking non-doms to write their own tax rules. The recent past has, surely, all but destroyed much of the bigger end of the music industry's credibility in the field of promoting the interests of music and culture? The self-interest of some of the biggest players seems to me to have helped to promote misguided technological constraints; has restricted people's ability to use new technology to explore new ways of making and distributing (and selling) music and film; and has almost certainly worked to the financial detriment of their industry (try to find a decent download service for films in the UK, especially for Mac users, for example).

There are lots of people with more innovative ideas about copyright, intellectual property and content like music. The excellent Open Rights Group, for example, are running a 'Creative Business' project exploring just that theme. They have a good blog post on these seemingly silly ideas here.

Apparently the relevant strategy paper will be released in the next few weeks. Keep you eyes peeled.

QDOS

peter.bradwell@demos.co.uk ( Pete Bradwell ) — Thu, 13 Dec 2007 08:55:43 -0100

The FYI pamphlet was big on the need for ideas that can help people manage their personal information - and the trail of information we leave behind us that is often called our 'digital footprint'. That footprint tells other people a lot about the kind of things a person likes and, ultimately, the sort of person they are.

So I thought it was worth mentioning Garlik's new tool 'QDOS', which looks like a really interesting and accessible way to start thinking about, and managing, that digital footprint. It gives you a score and graphic that represents your presence online, and offers ways you might change it. In their own words:

"Our digital presence...increasingly opens up new opportunities and influences real world decisions made about us. We now have a means of measuring and therefore managing the way we look online, we call it digital status. QDOS is how we measure it. QDOS is a mirror that reflects your presence in the digital world. It's designed to give you a starting point to manage and take control of your online status and be seen how you want to be seen."

It's great to see this sort of language matched with a tool that is accessible, and builds on the intuitive ways that people themselves use the internet - socially, as a creative tool. There's no dry language about digital identity and identity theft here - it sticks to the way that people themselves think about what happens online. So it's not about stopping things happening, but finding ways that people can have more influence over what does.

As the recent Ofcom report helps to suggest, that centres on the social values people get from creating and reflecting their (digital) identities. As these practices mature, it has become evident that it is sometimes difficult if not impossible to separate virtual from real identities. The details we give away about ourselves in shaping the former influence how people understand and react to the latter. So, as co-founder and CEO of Garlik Tom Ilube says in his chapter for our forthcoming collection on privacy UK Confidential, our online presence is just as much about promotion as it is protection. Could be interesting to see how this idea develops.

I just read that Barack Obama has overtaken Hillary Clinton in the state New Hampshire. My first QDOS searching revealed Barack is wiping the floor with Hillary with his QDOS score, too - he scores 10632 to her 7361. I'm going to spend some time figuring out what that means.

FYI

peter.bradwell@demos.co.uk ( Pete Bradwell ) — Wed, 12 Dec 2007 10:35:36 -0100

Last Friday, 7th December, we launched FYI: the new politics of personal information, a pamphlet about how and why personal information has become so valuable and important.

We argue that whilst there are many benefits to sharing our personal details, at the moment our approach has seen us lose control over what other people know and think about us. As personal information continues to be something that businesses and government rely upon, it is important that people have more of a stake in shaping the rules that guide how and where personal information is used. We need to put people back in control of their information.

We had the pleasure of hearing some really excellent speakers - Information Commissioner Richard Thomas, Bill Thompson and Natalie Haynes. Thanks to all three, and to all those that came along and helped to make it a great morning.

You can download the pamphlet here. Go to the Demos in the Media section for coverage of the report. And do get in touch if you have any thoughts, ideas or comments.

Demos intern Adam Ruddick made a video to help explain the project and introduce the pamphlet:

The new politics of personal information

peter.bradwell@demos.co.uk ( Pete Bradwell ) — Thu, 22 Nov 2007 10:50:31 -0100

We've been telling anyone that will listen for a long time that personal information is really important. In the past couple of days it seems like we, and people like the Information Commissioner who have long championed this cause, have been proved right.

Monday's story details some terrible mistakes with some potentially challenging consequences, but we can't stop with the bad news story. This also has to be the opportunity to open the serious debate we need about how and why personal information has become so valuable.

That's a debate we're calling for in the pamphlet we're about to launch called FYI: The new politics of personal information. It's featured today on the front page of the Guardian, and in a little more depth on page 8.

For the launch we're delighted to welcome:

Richard Thomas, Information Commissioner
Bill Thompson, BBC technology critic
Natalie Haynes, Comedian and Times columnist.

The report is the result of nine months research, supported by O2. If you would like to come along to the launch send an email to demos_fyi@demos.co.uk.

For Your Information

peter.bradwell@demos.co.uk ( Pete Bradwell ) — Thu, 15 Nov 2007 14:00:23 -0100

Launch of a new Demos pamphlet on the new politics of personal information, with:

Richard Thomas, Information Commissioner
Bill Thompson, BBC technology critic
Natalie Haynes, Comedian and Times Columnist

We live in a surveillance culture. More and more about what we do, say and consume is available for others to see. But this is not ‘1984’. People are increasingly willing to be part of this information society, keen for the benefits it affords. Giving away information about ourselves means we experience more personal and convenient services and have new tools to communicate.

At the same time, it is easier than ever for people in the public and private sector to take decisions about us without our knowledge, with little opportunity for the public to debate how and when that happens. This report offers a new framework to understand the politics of personal information, and sets out how its use can be more open, democratic and transparent.

Written by Peter Bradwell and Niamh Gallagher, the launch marks the culmination of a nine month research project into our increasing reliance on personal information in the public and private sector.

If you would like to attend the event, please write to demos_fyi@demos.co.uk.

Crossing the 'e's

peter.bradwell@demos.co.uk ( Pete Bradwell ) — Thu, 15 Nov 2007 10:07:53 -0100

"The aim of border control is to sort traffic into legitimate and non-legitimate and maximise the effort directed against movements that would, without action by the state, be detrimental to the UK, while minimising the burden on those that would not. Gathering and use of information is at the heart of this."

'Security in Global Hub'; Cabinet Office

Yesterday the Prime Minister announced various anti-terrorism measures, including updates on the 'e-borders' program. There's a comment, about the speech and approach generally, from Timothy Garton-Ash here. I thought it was worth mentioning the e-borders news, especially in the light of our upcoming pamphlet on personal information.

A big part of e-borders involves the use of information about passengers and cargo, with the aim of making better decisions about what is legitimate and illegitmate traffic, or what is risky or not. The Mail have gone big on some of the new proposals, picking out that it is significant that 53 pieces of information will be needed from travellers.

It seems to me that the amount of information is less significant (it probably won't be things that aren't available anyway) than the changes to what happens to it - who gathers it, where it is stored, how it is used and who has access to it, what kind of risk assessments are made on the basis of what sort of watch lists. But the reports, press releases and statements I have seen so far have been typically vague on those questions. Transparency and openness are really important, much more so than saying these things will help reduce risk and stop crime. Especially when the scale of information and the consequences of its misuse are so significant. The report Security in a Global Hub continues:

"(it will mean) better use of data, with more information being collected at an earlier stage in order to better inform risk profiling...Based on early analysis of electronic passenger data collected directly from carriers, (the e-borders programme) will transform the way that data is used to support border operations..."

Risk profiling and intervention means that such large amounts of data needs to be analysed and cross-checked with watch lists, established profiles etc. The contract (about £1.2bn) to manage this has been awarded to a consortia led by Raytheon.

The reports use quite breezy statements about some weighty problems - profiles, watch lists, intervention and risk assessments. Without more transparency on personal information use and how it will be inform these processes, they will seem more like policies designed exclusively to safeguard against blame, and less like ideas to find democratically legitimate ways to treat personal information and make decisions on the basis of it.

The type of information people have matters

peter.bradwell@demos.co.uk ( Pete Bradwell ) — Mon, 05 Nov 2007 15:25:48 -0100

Big 'Big Brother' headline today, on the front of the Daily Mail. A written answer to a question from the Liberal Democrats shows the number of DNA profiles on the National DNA Database (NDNA), as of 25 October, to be about 4.5 million profiles. I can't find the full written answer online yet, but here's some more coverage of it. Some are duplicates - but the proportion of the population on there seems to be about 6-7%.

This isn't really news. The Home Office website proudly boasts that it is the biggest DNA database in the world, and that by the end of 2005 3.4 million profiles loaded on it. The speed with which it is growing is pretty interesting (we've posted about this before). It is not really surprising given that anyone arrested for a recordable offence - regardless of the outcome - can have their DNA taken. And that the requirements for police to delete records after acquittal or release have all but gone.

The NDNA Annual report states one the strategic objectives is to 'maintain public confidence in the security and integrity of the NDNA and its use.'

The only way it can do that, and secure the appropriate legitimacy, is through a much more engaged relationship with the public. It seems pretty obvious that the public have had nothing approaching a decent enough stake in talking about what the DNA database does, where information is gathered and the conditions under which it is used, deleted, interpreted etc.

That's not to question the integrity of how the information is handled (by the Forensic Science Service). But those important questions of data security, scientific integrity and so on are secondary to the kind of debates that Lord Sedley threw himself into - such as who goes on it; for what reasons, and when or if they are taken off. Apparently Meg Hillier has invited that kind of debate - which is lovely. And while it might be four years too late, it will be good to see what that debate looks like.

We'll have a suggestion or two about that in the forthcoming pamphlet on personal information, which will outline why we need a more open approach to the use of personal information like DNA. It will be published in early December; details to follow - we'd love to hear your thoughts.

The structured web

peter.bradwell@demos.co.uk ( Pete Bradwell ) — Thu, 11 Oct 2007 09:00:05 -0100

I just read a really useful post from the Read/WriteWeb blog about where the internet is heading. It summed up really well some of the significant trends:

"Among the evolving aspects of the new web are Semantics, Attention (Implicit Behavior) and Personalization. Regardless of what we are decide to call this next web, the information in it is going to be more meaningful, more automatic, and more tailored to each of us.

A critical piece of the next web evolution is the introduction of structured information. This concept is so basic to us as humans, that we completely overlook the fact that it is quite foreign to computers."

This is something we have been pulling out for our FYI research (which we're busy writing up at the moment). The implications of this tendency towards automatically tailored information specific to individuals, through suffusing the information with meaning, is something we're focused on at the moment. It fits with our interest in the prevalence of personalised or tailored services - and specifically in what is different now, or will be in the future, in the way our personal profiles structure our experiences of information, people, products, services and institutions.

The hair and the home office

peter.bradwell@demos.co.uk ( Pete Bradwell ) — Sat, 06 Oct 2007 14:32:20 -0100

Being pretty geeky, it pleases me when stories that you might assume are a bit tecchie make headline news. So I was delighted to see the BBC all over a story about identity theft, based on an impending report from the All-party Group on Identity Fraud.

Unsurprisingly, and understandably, it has made the news because it is about some potentially serious threats stemming from some very popular behaviour and activities. The group are warning, amongst other things, about the dangers of people's fervent desire to use social networking sites. They think the government should play a role in deepening people's understanding of how useful and valuable the personal details they put online can be to fraudsters - and of the dangers and consequences of being too careless with what we show to who.

What is interesting to us about this stuff is the connections between our willingness to use technology to build incredibly personal profiles and reflections on our everyday experiences, and a technical understanding of identity.

Nielsen//NetRatings statistics from September showed that around 20% of all online Britons used Facebook in August this year, spending an average of around 2 ¹/₂ hours each on the site. But it is difficult sometimes to connect what people do on these sites with 'identity' in a more technical sense - the side of you that businesses or institutions see and interpret. If government wants to intervene, it needs to do a better job of making those connections between on and offline identity.

Niamh and I are currently busy writing the pamphlet on personal information as the grand finale to the FYI project, and similar issues are featuring heavily. We'll be publishing in late November so stay tuned; or get in touch if you have any thoughts.

Incidentally, if it is sometimes difficult to connect these concepts in our heads, which we have certainly found challenging, then fear not. As with so many things, we can leave the hard work to the search engines. Typing in 'identity in the UK' to Google yields the following, helpful result, which I thought was pretty neat:

Hearing difficulties

peter.bradwell@demos.co.uk ( Pete Bradwell ) — Sun, 30 Sep 2007 12:20:26 -0100

The front page of the Mail on Sunday was rather enjoyable today, expressing as it did tangible outrage at the powers of the amended Regulation of Investigatory Powers Act 2000. The story is a great example of how frustrating online newspaper copy can be; but trying to understand the changes it is referring to give a broader sense of how difficult it can be to unravel legislative changes and their impact. The whole process, from inception to commentary, can be pretty opaque.

The newspaper
First up, the Mail imports the principle of the paper as reporter and commentator; of the copy giving its readers all it needs to digest the news and its implications. It's flat text feels particularly arcane in the world of links and references. Anyone wishing to learn a bit more than how to be outraged at something of a Sunday morning is left to their own initiative. Fair enough - but surely a few links to exactly what the story refers to would be helpful? Actually saying what the legislation is called might be useful too - just as a helpful leg up. I'm not sure what that reveals about the incentives behind news reports like this; but maybe the number of shocked and horrified comments gives an idea.

The legislation
So it leaves one to scratch around Google and the poorly signposted websites that contain legislation and supporting files - although, in fairness, it took only a few minutes to locate what the Mail was talking about. It takes a bit longer to sift through the legal jargon to uncover exactly what the documents mean.

RIPA
The substance of the complaint in the Mail is that legislation, with its roots in the EU, has been passed that extends government powers to find out about people's communication data. Or, to 'spy on ALL our phones'. That is correct enough, perhaps. These seem to be the amendments they are talking about: 1, 2, 3.

The 'RIPA' Act mentioned above will mean that a range of public authorities will be able to find out the 'who, when and where' of data - not the content. So that means the date and time of when you rang for a pizza, but not the fact that you rang for a pizza, or what type of pizza you asked for.

There are a couple of key problems that come to mind with how these powers have come about.

1. Accountability: The Information Commissioner, who is the authority with power to oversee how personal information is used, is given the power only to oversee the security of data where it is held. That means ensuring it is not left on a USB key somewhere, or that people have the right sort of access limits and so on. The more important questions of who can access the data and why is not within in his remit, it seems. So those questions have been left to legislation and senior members of staff in the 'relevant' public authorities. Hardly impartial or independent oversight of some important powers.

2. Legitimacy: The problem with that last point is that public deliberation in these changes has been not only limited but, where it has happened, been run on less than perfect information. As usual, the amendments have been championed on national security grounds, or on the basis of fighting serious crime. But the scope of the legislation is far wider, giving lots of different types of authority the ability to use communications data - so claiming. In fact, the scope is almost comically broad, covering such a range of aspects of a vague notion of public good as to be meaningless (see the 'General Extent of Powers' section of the draft code of practice).

The key point is that these are tools that need much greater level of public debate and scrutiny than they are getting, because in the long term they have important implications for how people relate to government and the various departments that offer services. It's just not good enough to justify them through notions of national security; efficiency; or crime reduction. Maybe the public would be willing to make the trade-offs - but we need the ability to decide first.

Did Columbo need DNA?

peter.bradwell@demos.co.uk ( Pete Bradwell ) — Wed, 05 Sep 2007 09:25:49 -0100

There's some coverage on the BBC website of the 'DNA database' - the store that since 2004 has held the DNA of anyone arrested for a recordable offence. Apparently it's the biggest in the world - 5.2% of the country is on it.

Part of this revolves around whether taking select samples of DNA (only from those arrested) is an equitable way to compile a database. The issues range from whether it is right that DNA can be kept on record even if the person is not charged (which is what happens at the moment); to whether the resulting database is, in the words of Professor Alec Jeffreys, 'skewed socio-economically and ethnically'. The big story for most of the coverage is that one judge is arguing that any DNA database should, in the name of equality, include everyone.

There are, of course, lots of big problems and questions - for example, what impact does the temptation to base prevention around more detailed profiling have on how we think about, or respond to, inequality? This is not just Big Brother talk - we need a bit more, as a critique, than stories of a malevolent police state to really think about what the reliance on information gathering and use means. The combination of identifying, and discriminatory information and personalising services, both public and private, pose interesting questions.

This all fits very neatly into the work we are doing on personal information. It isn't about DNA specifically, but DNA is part of the broad debate we are looking at. You can contact us about it here.

There's lots more about the DNA database at GeneWatch; or the Home Office; or for a little more background on DNA use check out the Forensis Sciences Service.

I know what you did last summer - and I can save you 25%

peter.bradwell@demos.co.uk ( Pete Bradwell ) — Tue, 14 Aug 2007 12:20:40 -0100

It’s striking how frequently there are stories about the insecurity of our personal information. There’s a few more today – here’s one, predictably about Facebook. They usually revolve around the idea that we don’t realise our personal information is shared, stolen or abused by lots of people and organisations without our knowledge. I suspect most people probably are aware that it happens. But we’re less sure about exactly why, what the consequences are, why we should care, and what we should do about it.

The vagaries of identity theft warnings don’t particularly help us figure those things out. Even though we're all very concerned by privacy and what happens to our personal information – according to the very interesting Oxford Internet Survey report from this year, from the Oxford Internet Institute, 70% believe that going online puts the users privacy at risk – that doesn’t seem to impact on our behaviour too greatly.

Usually our readiness to offer our details is down to convenience. The ease of armchair shopping is quite a draw. For a start, no other shoppers can see me buying Genesis' Invisible Touch when I download it online. It feels a little less...guilty. And the fact that Sainsbury's can predict that I'd buy an aubergine this week based on their Nectar knowledge of my recent shopping habits might seem like a small cost for the extra special offers and discount points.

The problem of the security of our information is a pressing question, but it misses a big part of the story if we focus too narrowly on it. As part of our FYI and privacy work, we’ve been thinking about how the profiling and sorting that is the flip side of this convenience shapes our choices, behaviour and options. Security of information needs to also - in addition to worrying about criminal use of our information - be seen in that light: how profiling structures our experiences in a very fundamental way.

There’s already some great writing on this sort of surveillance thinking – I’ve been checking out a collection edited by David Lyons called ‘Surveillance as Social Sorting’, which is turning out to be a great read. And Perri 6 and Ben Jupp's Demos report 'Divided by Information' is another great piece. Stay tuned for more of our work on personal information - do get in touch if you have any thoughts; we'd love to hear from you.

Potter Privacy 'Police' Point to Photo 'Prints'

peter.bradwell@demos.co.uk ( Pete Bradwell ) — Thu, 19 Jul 2007 15:53:39 -0100

Just read on Times online how Canon engineers, joining the hunt for the culprit in the leaked Harry Potter SCANDAL, are showing off their information tracing skills. Using the metadata from the illegally taken photographs of the newest wizard novel - apparently available at the Pirate Bay - they are hopeful that they can track the owner of the camera and, by inference, the thief.

Interestingly, they are relying on the owner either having registered the camera, or having had it serviced. They are apparently the only ways that the serial number - revealed through the photo metadata - is matched to an individual. So, privacy fundamentalists - don't register or fix your cameras!

If you print it or photocopy the book illegally, you're not off the hook - there might be similar tactics available.