Saturday, July 31, 2010

Privacy

[update]


The new, right wing government signed a treaty with the US on DNA and fingerprint exchange. Quote (in Dutch): Een woordvoerder van het ministerie benadrukt dat het om een versnelling van een bestaande procedure gaat die alleen geldt voor de gegevens van zware criminelen. Alleen mensen die een straf van minimaal vier jaar hebben gekregen komen terug in de database. Which roughly translates to: A spokesman from the ministry emphasized that is is just a speed-up of existing procedures, that only delas with data on heavy criminals. Only those with a punishment of four years or more in prison are in the database.

I say: create database link goodbye_privacy connect to X identified by Z, and my fingerprints are found, too.
See below: "I am a criminal"

No deal.

The other day, I got an email from the cable company I have internet, phone and (digital) television from. If I were interested to extend the number of digital television channels for a small amount.
Fair enough; I'd get motor channel, travel channels and science channels: all stuff that interests me, for just a few bucks monthly. I was ready to be served, and clicked the link.
However, the second of three screens I had to fill in, insisted on me indicating sex and date of birth. I fail to see why they needed that, and the more I started thinking about it, the stranger the concept became. I closed the browser.

Ownership

Apart from pissing me off, asking details the company already knew (I have a subscription, damned!), I really, really wonder what a cable company wants with the fact whether I'm a boy or a girl. Or when I was born - maybe they toss in a free porn channel when I'm over 21? What do they do with all these data?
I want to be able to see what they know about me, and decide whether or not they need that data. Cable companies do not need birth dates.

Prime

Actually, there's a programme called Prime that handles just that. It helps deciding whether data is needed for a certain transaction (e.g. when ordering from Amazon, an address is handy, but birth date is superfluous), and -what's more- it tags data: "destroy after six months". Check it out.

I'm a criminal

Well, I guess I must be: the government insisted on having my fingerprints taken and stored in a central database. They really twist your arm to get these prints: no passport unless you deliver. I fail to see why they would need my fingerprints. Oh yeah - I heard about the (stupid!) European guideline for a digitally recorded fingerprint in your passport, "to make it safer". But that is one fingerprint, not four!
It has already been demonstrated that remote identity theft by reading the (ill encoded) chip in your passport, is possible, and a matter of minutes with sophisticated machinery. Costly, but that has never been stopping those parties interested in these documents. And no, contrary to popular belief, there's no need for close encounters: distances of up to 10 meters (30 ft) reading chip data, are achieved.
The danger is that most people believe that passports (or other identification means) are safe, and "unbreakable" and thus the bearer of the identity must be that identity. The opposite has been demonstrated.

Iris scan

Before introduction of the fingerprint on passports, security people were consulted, or given room to comment on the idea. I heard that one of the leading security people of Amsterdam Airport was amongst them. He (or she?) opposed to fingerprints as unsafe and too easy to forge. Just search for "forge fingerprint".
Instead, iris scans would be much safer. He/she was muffled: European guidelines say fingerprints. How stupid.
Interestingly, Schiphol Airport frequent flyers can bypass normal check-in and passport(!) procedures by enrolling into the Privium Club, and having their iris scanned upon entrance as a means of identification. I think I'll put scans of my fingers online soon.

Energy

A while ago, the government wanted people to install smart energy meters. By law, punishable by a hefty fine if rejected. It would allow energy distributors to better and more efficiently distribute electricity and it would allow for energy savings by giving insight in your electricity usage. Guess the fact it should be by law was inspired by the eco terrorists in this country.
This meter would upload data every 15 minutes to the power grid, which would then feed the data to the retailer. Consumers would check the retailers web site for their usage.
Of course, that would not only allow thiefs to find out when I was on vacation, it would also make it quite easy to find out where religious Muslims live: they would be up at 5 am in the morning for prayers. Function creep danger: instead of monitoring electricity usage, police can install energy taps in addition to telephone taps.

Now, with some reasoning, the smart meter concept can still be introduced:

Anonymize!

The first thing to do is to make data, relevant to the power distributer (the gird), anonymous. This can be archived by combining data of a couple of hundred homes, or start metering at a block (of houses) level.

Store locally

The second thing to is, is to change the design of the meter to allow local storage - if I want insight in my electricity usage, I can download my meter readings and create a database. A personal database. And by the time the retailer needs the data for billing purposes, I can push the button, and condensed data will be sent to the retailer.
You need to keep your goals clear; do not try to use the electricity meter to archive energy savings as well as smarter grid control. Do not engineer
function creep.

Pay-per-ride

The Dutch pay-per-ride ("rekeningrijden") system (if it ever gets realized) uses local storage. The minister involved was warned in the early stages of the project not to allow real-time positioning of vehicles. In stead, the unit only sends how long, and against what fee the car was driven every now and then. Data about when and where remains in the car. This is good policy, from privacy perspective. As long as no back doors are possible; function creep would allow the police to write speeding tickets based on historical data ("you cannot have driven from Amsterdam to The Hague in 40 minutes during rush hour!").

Hardware

To minimize chance of function creep, hardware should be used as much as possible: no data means no privacy invasion. Licence plate recognition is commonly used by the police in The Netherlands. When matched against a license plate database (e.g. stolen car, car used with heist), it's a "hit", to be acted upon. All other data ("no-hits") should be destroyed, according to Dutch law. It has happened more than once, that this data was stored: "Very convenient for police cases".
When sensors would have been used that only transmit the hits, this function creep could not have happened.

Again: anonymize!

Very often, there's no need for personal data. The dreaded "OV-chip card" could (and should!) be anonymous. In stead, the default is a personal chip card, that allow the card company to register where and when you traveled. There's a so-called anonymous card, which isn't: you cannot pay anonymous cash: it needs a bank account, due to the nature of the crediting system: you pay the maximum amount upon check-in before the journey, and get restitution upon check-out. In order to be sure you will pay, there's a minimum deposit value that needs to be on your card. This means every card has an identity: either name (by default), or number (the "anonymous" card).
I liked those old train tickets; they worked by attributes. Blue ticket: first class. Yellowish-brown: second class. Anonymous. Simple. Transparent.

Call me old fashioned... I'd rather you'd call me prudent. Wary. Superstitious perhaps, especially when the government is involved

Monday, July 19, 2010

DNSSec, please

Or is it "just" an insecure server? Whole story is here.
Oracle TimesTen users may want to check the latest Patch set