Covering up and COVID-19

The current pandemic has thrown up a particularly interesting case where conventional thinking doesn’t help us to understand how things could work in the future. We’ve all read with interest the accounts coming from Asia, and now Israel, of the use of mobile phone location data to tackle the dread virus. In the UK, the government has used some aggregate and anonymised mobile phone location data to see whether people were following social distancing guidelines, but it can actually play a much bigger role in tackling pandemics.

China got the virus under control with lockdowns in areas where it was endemic and apps to stop it from getting a foothold where it wasn’t. In Shanghai, which has seen few deaths, QR codes were used to authorise entry to buildings and to collect a detailed contact history so that control could be targeted in the case of infection. The Economist (21st March 2020) reported that the use of these codes was pervasive, to the point where each individual carriage on a subway train had its own code, so that if someone tests positive only their fellow passengers need be contacted rather than everyone on the train.

South Korea, a country of roughly 50 million people, appears to have dealt with the pandemic pretty effectively. By mid-March it was seeing fewer than a hundred new cases per day. It did so without locking down cities or using the kind of authoritarian methods that China had used. What it did was to test over a quarter of a million people and then use contact tracing and strict quarantine (with heavy fines and jail as punishment). They were able to do this because legislation enacted as a result of the Middle East Respiratory Syndrome (MERS) epidemic in 2015 meant that the authorities can collect location data from mobile phones (along with payment data, such as credit card use) from the people who test positive. This data is used to track the physical path of the person and that path, with personally identifiable information removed, is then shared via social media to alert other people that they need to go and be tested. At the time of writing, South Korea has seen a hundred deaths; Italy (with a similar population) has seen more than thirty times as many.

Infrastructure and Emergency

Why does this make me think about the future? Well, it’s really easy to design a digital identity infrastructure for most of us, most of the time. Trying to figure out how to help a law-abiding citizen with a passport or driving licence to open a digital bank account, or to log in remotely to make an insurance claim, or to book a tennis court at a local facility, is all really easy. It doesn’t provide any sort of stress test of an identity infrastructure and it doesn’t tell us anything about the technological and architectural choices we should be making to construct that infrastructure. That’s why I’m always interested in the hard cases, the edge effects and the elephants in the room. If we are going to develop a working digital identity infrastructure for the always-on and always-connected society that we find ourselves in, then it must work for everybody and in all circumstances. We need an infrastructure that is inclusive and incorruptible.

This is why, whenever somebody talks to me about an idea they have for how to solve the “identity problem” (let’s not get sidetracked into what that problem is, for the moment), I’ll always reach into my back pocket for some basic examples of hard cases that must be dealt with.

(In conference rhetoric, I used to call these the “3Ws”: whistleblowing, witness protection and adult services. In fact, I first started thinking about whistleblowing many, many years ago, when I was asked to be part of a working group on privacy for the Royal Academy of Engineering. Their report on “Dilemmas of Privacy and Surveillance” has stood the test of time very well in my opinion.)

My general reaction to a new proposal for a digital identity infrastructure is then “tell me how your solution is going to deal with whistleblowers or witness protection and then I will listen to how it will help me pay my taxes or give third-party access to my bank account under the provisions of the second Payment Services Directive (PSD2) Strong Customer Authentication (SCA) for Account Information Service Providers (AISPs)…”. Or whatever.

Healthy Data

The pandemic has given me another “hard case” to add to my thinking. Now I have 4Ws, because I can add “wellbeing” to the list. A new question will be: how does your proposed digital identity infrastructure help in the case of a public health emergency?

Whatever we as a society might think about privacy in normal circumstances, it makes complete sense to me that in exceptional circumstances the government should be able to track the location of infectious people and warn others in their vicinity to take whatever might be the appropriate action. Stopping the spread of the virus clearly saves lives and none of us (with a few exceptions, I’m sure) would be against temporarily giving up some of our privacy for this purpose. In fact, in general, I am sure that most people would not object at all to opening their kimonos, as I believe the saying goes, in society’s wider interests. If the police are tracking down a murderer and they ask Transport for London to hand over the identities of everybody who went through a ticket barrier at a certain time in order to solve the crime, I would not object at all.

(Transport for London in fact provides a very interesting use case because they retain data concerning the identity of individuals using the network for six weeks, after which time the data is anonymised and retained for the purposes of traffic analysis and network improvement. This strikes me as a reasonable trade-off. If a murder is committed or some other criminal investigation is of sufficient seriousness to warrant the disclosure of location data, fair enough. If after six weeks no murders or serious crimes have come to light, then there’s no need to leave members of the public vulnerable to future despotic access.)

It seems to me that the same is true of mobile location data. In the general case, the data should be held for a reasonable time and then anonymised. And it’s not only location data. In the US, there is already evidence that smart (ie, IoT) thermometers can spot the outbreak of an epidemic more effectively than conventional Centers for Disease Control and Prevention (CDC) tracking, which relies on reports coming back from medical facilities. Massively distributed sensor networks produce vast quantities of data that they can deliver to the public good.

It is very interesting to think how these kinds of technologies might help in managing the relationship between identity, attributes (such as location) and reputation in such a way as to simultaneously deliver the levels of privacy that we expect in Western democracies and the levels of security that we expect from our governments. Mobile is a good case study. At a very basic level, of course, there is no need for a mobile operator to know who you are at all. They don’t need to know who you are to send a text message to your phone that tells you that you were in close contact with a coronavirus carrier and that you should take precautions or get tested or whatever. Or, to take another example, Bill Gates has been talking about issuing digital certificates to show “who has recovered or been tested recently or when we have a vaccine who has received it”. But there’s no reason why your certificate to show you have recovered from COVID-19 should give up any other personal information.
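To make the “nobody needs to know who you are” point concrete, here is an added example (my illustration, not the author’s code and not any deployed app’s) of the decentralised rolling-identifier approach later used by designs such as DP-3T and the Apple/Google Exposure Notification protocol. Phones broadcast short-lived identifiers derived from a per-day key; a positive patient uploads only those day keys; every other phone matches them locally. The epoch length, identifier size and key schedule below are assumptions chosen for illustration, and the scenario data is constructed.

```python
"""Exposure notification with rolling identifiers.

Added example for this post (not the author's code). It is a simplified
version of the decentralised rolling-identifier designs (DP-3T, Apple/Google
Exposure Notification). Epoch length, identifier size and key schedule are
assumptions for illustration, not any deployed app's parameters.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from datetime import date, timedelta

EPOCHS_PER_DAY = 96   # assumption: a fresh identifier every 15 minutes
ID_BYTES = 16         # assumption: 128-bit ephemeral identifiers


def daily_key(seed: bytes, day: date) -> bytes:
    """Derive one day's key from the device's long-term seed, which never leaves the phone."""
    return hmac.new(seed, day.isoformat().encode(), hashlib.sha256).digest()


def rolling_ids(day_key: bytes) -> list[bytes]:
    """Derive the ephemeral identifiers a phone broadcasts over Bluetooth during one day."""
    return [
        hmac.new(day_key, epoch.to_bytes(2, "big"), hashlib.sha256).digest()[:ID_BYTES]
        for epoch in range(EPOCHS_PER_DAY)
    ]


class Phone:
    """A handset: it broadcasts its own identifiers and records the ones it hears."""

    def __init__(self) -> None:
        self.seed = secrets.token_bytes(32)
        self.heard: set[bytes] = set()

    def broadcast(self, day: date, epoch: int) -> bytes:
        return rolling_ids(daily_key(self.seed, day))[epoch]

    def hear(self, ephemeral_id: bytes) -> None:
        self.heard.add(ephemeral_id)

    def diagnosis_keys(self, days: list[date]) -> list[tuple[date, bytes]]:
        """On a positive test the phone releases only the day keys for the infectious window."""
        return [(d, daily_key(self.seed, d)) for d in days]

    def exposed(self, published: list[tuple[date, bytes]]) -> bool:
        """Matching runs on the handset: the server never learns who met whom."""
        for _day, key in published:
            if self.heard.intersection(rolling_ids(key)):
                return True
        return False


def simulate() -> dict[str, bool]:
    """Constructed scenario: Alice and Bob share a train carriage; Carol meets neither."""
    alice, bob, carol = Phone(), Phone(), Phone()
    day = date(2020, 3, 21)

    # Alice and Bob are within Bluetooth range for two consecutive 15-minute epochs.
    for epoch in (32, 33):
        alice.hear(bob.broadcast(day, epoch))
        bob.hear(alice.broadcast(day, epoch))

    # Bob tests positive and uploads the day keys for his infectious window only.
    server_published = bob.diagnosis_keys([day - timedelta(days=1), day])

    return {
        "alice_exposed": alice.exposed(server_published),
        "carol_exposed": carol.exposed(server_published),
        # What the server stores is neither Bob's long-term seed nor an identity.
        "server_holds_seed": any(k == bob.seed for _, k in server_published),
    }
```

The operator (or health authority) running the server sees a list of day keys and nothing else: no phone number, no contact graph, no location. The price of this design, which a practitioner should state up front, is that once a day key is published anyone who logged an identifier together with a time and place can learn that a positive person was there, and the identifiers from one day become linkable to each other. Deployed protocols accept that trade-off in exchange for keeping the contact graph off the server.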

I think that through the miracles of cryptographic blinding, differential privacy and all sorts of other techniques that are actually quite simple to implement in the virtual world (but have no conventional analogues) we ought to be able to find ways to provide privacy that is a defence against surveillance capitalism or state invasion but also flexible enough to come to our aid in the case of national emergency.
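As an added example of the “cryptographic blinding” mentioned above (mine, not the author’s code or any real health authority’s scheme), here is a Chaum-style RSA blind signature used as a “recovered” certificate, which also serves the recovery-certificate point in the preceding paragraph. The authority checks the patient’s identity in person, signs a value it cannot read, and the patient later presents a random token plus signature that any venue can verify with the public key alone. The authority never sees the token, so it cannot join the identity it checked to the certificate presented later. The key size, the unpadded hash and the class names are assumptions for a toy-sized illustration.

```python
"""Unlinkable "recovered" certificate via an RSA blind signature.

Added example for this post (not the author's code). Parameters are toy-sized
(512-bit modulus, bare SHA-256 hash) so it runs quickly; a real deployment would
use a full-size modulus, a proper RSA-FDH or anonymous-credential construction,
and a revocation mechanism. All names below are assumptions.
"""
from __future__ import annotations

import hashlib
import secrets
from math import gcd


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with a little trial division first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def hash_to_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


class Issuer:
    """The health authority: it checks the patient's identity but never sees the token."""

    def __init__(self, bits: int = 512) -> None:
        self.e = 65537
        while True:
            p, q = random_prime(bits // 2), random_prime(bits // 2)
            if p != q and gcd(self.e, (p - 1) * (q - 1)) == 1:
                break
        self.n = p * q
        self._d = pow(self.e, -1, (p - 1) * (q - 1))
        self.seen: list[int] = []  # everything the issuer ever got to look at

    def sign_blinded(self, blinded: int, identity_checked: bool) -> int:
        if not identity_checked:
            raise PermissionError("only a verified recovered patient gets a signature")
        self.seen.append(blinded)
        return pow(blinded, self._d, self.n)


class Holder:
    """The patient's phone. The token is a random serial, not an identity."""

    def __init__(self, n: int, e: int) -> None:
        self.n, self.e = n, e
        self.token = secrets.token_bytes(32)
        while True:  # blinding factor must be invertible mod n
            self.r = secrets.randbelow(n - 2) + 2
            if gcd(self.r, n) == 1:
                break

    def blind(self) -> int:
        return (hash_to_int(self.token, self.n) * pow(self.r, self.e, self.n)) % self.n

    def unblind(self, blinded_sig: int) -> int:
        return (blinded_sig * pow(self.r, -1, self.n)) % self.n


def verify(n: int, e: int, token: bytes, sig: int) -> bool:
    """A venue checks the certificate with the public key only; no call home needed."""
    return pow(sig, e, n) == hash_to_int(token, n)


def issue_and_present() -> dict[str, bool]:
    issuer = Issuer()
    patient = Holder(issuer.n, issuer.e)
    sig = patient.unblind(issuer.sign_blinded(patient.blind(), identity_checked=True))
    forged = (sig + 1) % issuer.n
    return {
        "certificate_valid": verify(issuer.n, issuer.e, patient.token, sig),
        "forgery_rejected": not verify(issuer.n, issuer.e, patient.token, forged),
        "issuer_never_saw_token": hash_to_int(patient.token, issuer.n) not in issuer.seen,
    }
```

The algebra is the same as Chaum’s e-cash: the issuer signs H(token)·r^e, the holder divides out r, and what remains is an ordinary signature on H(token). Two caveats a practitioner would add. First, the certificate is a bearer token, so anything copied from one phone to another verifies just as well; real schemes bind the credential to a device or a holder attribute. Second, blindness removes the issuer’s ability to link, but not the verifier’s: a venue that records tokens can still recognise a repeat visitor, which is why one-time or re-randomisable credentials exist.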

(Many thanks to Erica Stanford for her helpful comments on an earlier draft of this post.)

What if S.P.E.C.T.R.E. had Spectre?

Ruh roh, as they say. Google’s Project Zero has just published details of a serious security flaw in, to all intents and purposes, all computers. They knew about it months ago, but they’ve been waiting for Apple, Microsoft and everyone else to issue patches (which, apparently, mean an unavoidable reduction in processing speeds) before making it public. The researchers set out two attacks that take advantage of the flaw. These are called “Meltdown” and “Spectre”. They basically allow software to read data from other software that it’s not supposed to be able to read, so that one application (let’s say, the hacker’s) can read data from another application (let’s say, your browser) to steal secrets.


As you can imagine, there was a great deal of media coverage about this flaw (as there should have been – it’s a huge deal). I happened to see a comment about it on Twitter, in which someone said words to the effect of “thank goodness it was found by don’t-be-evil Google and not by the bad guys”. This is a very misplaced sentiment. In the paper, the researchers clearly state that they do not know whether these exploits have been used in real attacks. Apart from anything else, Google says that the “exploitation does not leave any traces in traditional log files”.

So what if S.P.E.C.T.R.E. actually knew about Meltdown months ago and had Spectre in the Spring? How would we know? If they are really smart, then they’ll carry on stealing our secrets but cover their tracks so that we don’t know that they know. If you see what I mean.

It might be timely to remember the story of the Zimmermann telegram, a story that is mother’s milk to security experts.

You may recall that in 1917, Britain and Germany were at war. Britain wanted the U.S. to join the effort against the Axis of Edwardian Evil. The Kaiser’s ministers came up with some interesting plans: to persuade inhabitants of the British (and French) colonies in the Middle East to launch a jihad, for example. Another scheme was to persuade Mexico to enter the war on the German side, thus dividing the potential U.S. war effort and eventually defeating it.

(At this point I thoroughly recommend historian Barbara Tuchman’s account of the affair, “The Zimmermann Telegram”, first published in 1958 and revised in 1966.)

To execute this dastardly plot, the German Foreign Secretary, Arthur Zimmermann, sent a telegram to the German ambassador in Mexico, Heinrich von Eckardt. The telegram instructed the ambassador to approach the Mexican government with a proposal to form a military alliance against the United States. It promised Mexico the land acquired and paid for by the United States after the U.S.-Mexican War if they were to help Germany win the war. The German ambassador relayed the message but the Mexican president declined the offer.

Naturally, so sensitive a topic demanded an encrypted epistle and it was duly dispatched encoded using the German top secret “0075” code.

As it happens, “0075” was a code that the British had already (at least partly) cracked. Thus, the telegram was intercepted by the British Naval Intelligence unit, Room 40, and decrypted enough to get the gist of it. In next to no time, the decoded dynamite was on the desk of the Foreign Secretary Arthur Balfour, the teutonic perfidy laid bare.

Now the British were faced with the same dilemma that faces S.P.E.C.T.R.E. with Spectre. How can you use intercepted information without revealing that there is a security flaw and that you have exploited it? Consider the options:

  • If the British had complained to the Germans, then the Germans would know that the British had the key to their code and they would switch to another code that the British might not be able to break for months, missing much vital military intelligence along the way. What’s more, the Americans would know that the British were tapping diplomatic traffic into the U.S.

  • If they did not reveal the contents, they might miss the chance to bring the U.S. into the war.

The codebreakers’ clever solution was to leak the information in such a way as to make it look as if the leak had come from the Mexican end: the German relay from Washington to Mexico City had been sent in an older code (13040) that was already compromised, so a copy obtained from the telegraph office in Mexico was an entirely plausible source.

If you’re wondering what happened, well despite strong anti-German (and anti-Mexican) feelings in the U.S., the telegram was believed to be a British forgery designed to bring America into the war, a theory bolstered by German and Mexican diplomats as well as the Hearst press empire. However, on March 29th, Zimmermann gave a speech confirming the text of the telegram. On April 2nd, President Wilson asked Congress to declare war on Germany, and on April 6th they complied.

The point of this story is that stupid hackers would reveal their hand, but clever hackers would not. So when, according to BBC Radio 4’s “Today” programme, the UK’s National Cyber Security Centre says there is no evidence that the flaws have been exploited, that does not reassure me! These bugs are big.

“The Meltdown fix may reduce the performance of Intel chips by as little as 5 percent or as much as 30 — but there will be some hit. Whatever it is, it’s better than the alternative. Spectre, on the other hand, is not likely to be fully fixed any time soon.”

From “Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device? | TechCrunch”.


Maybe the way forward is to assume that all machines are compromised and, rather than fix them, move the security away from the main processor – going back to the idea of having a Trusted Platform Module (TPM) in every transaction, either built in to the processor (like the “Secure Enclave” in iPhones) or as a separate chip in a PC or as a smart card that is connected to the computer when you want to do something. In this, as in so many other things, Britney Spears is a beacon to the nations. Eleven years ago I used my Britney Spears smart card (which I still have) to log on to her fan club web site securely. You can read about it here

They are where the money isn’t

When most of us think about bank robbery, we think about people inventing complex derivatives and amassing fortunes while the institutions that house them amass fines, bankruptcies and bailouts. But it turns out that your grandparents’ bank robberies are coming back into fashion. American Banker says that violent bank crime has become increasingly less common in the past decade, but that the rate of robberies has ticked back up in recent years.

At first I thought this might be a hipster revolt, like with vinyl records, but that doesn’t seem to be the case. So I’ve no idea. I don’t understand bank robbery. I remember getting into an interesting discussion about bank robbery at a lunch a while back. We were talking about risk and risk analysis. I was trying to make some points about why proper risk analysis like this is a more cost-effective way to proceed than (for example) panicking about newspaper stories on hacking, and that led to a train of thought around cost-benefit analysis for the robber, not the bank. Are robbers put off by thick doors and barred windows and such like? Are robbers deterred by visible, physical symbols of security? Come to that, should we bother with physical security at all in banks?

That is a fair question. So it set me thinking: if you are an amoral sociopath desperate to amass as much money as possible, are you better off robbing a bank or working for it? As a responsible father, I want to help my sons chart the best course for life. Right now, they are at University studying socially useful subjects in science and engineering. Having myself studied science only to become trapped in mortgage serfdom and forced to work until I drop, I am trying to persuade them to become Somali pirates or Wolves of Wall Street, without much success so far. So I understand that side of the equation, but am less certain of the other. Recall that old paper “The Decision-Making Practices of Armed Robbers” by Morrison and O’Donnell. It’s a study of armed robbery in London and one of my favourite papers. It is based on first-hand research (viz. the analysis of over 1,000 police reports and interviews with 88 incarcerated armed robbers).

While it’s about the UK rather than the US, I’m sure the thought processes of the perpetrators must have some similarities. Crucially, the paper notes that “almost all of these robbers evaluated the offence as having been financially worthwhile (aside from the fact that they were eventually caught and punished for their crime)”. So robbing a bank seems like a good idea, if you exclude the possibility (in fact, the likelihood) of being caught. I suppose this is standard Jordan Belfort, Bernie Madoff thinking, isn’t it? Unless people believe they will be caught (and these people don’t) then they only consider the upside.

(One of the interesting snippets it contains is that a great many of the armed robbers in the UK use imitation firearms even though they could have access to real ones. I imagine that in the US the use of imitations is vastly less prevalent, since it’s presumably harder to buy an imitation gun than a real one there.)

So, what to do? While glancing back over the paper I note that the authors say that it doesn’t seem practical to “expect financial institutions and commercial properties to reduce counter cash much more than they already have”. That may have been true when the paper was written a few years ago, but it clearly isn’t true now, since both bank branches and businesses in many countries are becoming cash-free. And this is a good thing, because as we all know there is a direct and measurable relationship between the amount of cash out there (more on this later) and the amount of crime. As the paper says, “even when the amount of money obtained was quite small (an element often touted in support of the irrationality of economic criminals), it must be recognised that even apparently small sums may be adequate for the offender’s immediate needs. Hence, gains may be subjectively much larger than they appear”.

Bank robber or management consultant?


It’s a stick up

The rewards of armed robbery seem to me, then, as an educated middle-class professional, to be rather low. Yet they are still sufficient to attract the robbers, because their needs are immediate and limited. I want a holiday home in the South of France but the guy in the Nixon mask isn’t robbing a bank to pay his way through college or to obtain seed finance for a start up, he just needs to buy a car or some drugs or whatever. This paper seems, then, to indicate that so long as there is some cash in the till, there will be robberies. This is not an observation confined to banking. A study of the American Electronic Benefit Transfer (EBT) program found that “the EBT program had a negative and significant effect on the overall crime rate as well as burglary, assault, and larceny”.

What they are talking about here are US programmes where benefit recipients are paid electronically and given cards that they can use in shops instead of being given cash. The authors found a 10% drop in crime correlated with the switch to EBT. It seems pretty overwhelming evidence, and even more so if you read the paper, which notes no impact on crimes that do not involve the acquisition of cash. If the move to cashlessness can stop armed robberies, that would surely be an excellent social benefit and would help us to explain the nature of appropriate regulation to legislators.

But back to the specific point about the relationship between bank cash and robberies. With the rewards from robbing banks and businesses falling, armed robbers, like everyone else, follow the money – literally – and so cash-in-transit (CIT) robberies are now the preferred option. We see the same in Europe, where countries that have much higher usage of ATMs have much higher CIT robbery rates than countries that have lower ATM usage (see, for example, Sweden and Denmark).

Overall, then, we see another early indication of the emerging post-cash era: Spending on physical bank security is being reduced and spending on virtual bank security is being increased. We do, indeed, live in interesting times.