Computing editor Bryan Glick on the issues facing UK IT leaders and the latest in internet and business technology

Monday, 05 January 2009

Privacy - the defining challenge of the digital world

Privacy is likely to be one of the defining challenges of the digital era, a problem that has to be solved before the internet takes its place as the engine of post-recessionary economic growth. Yet the UK authorities seem to be increasingly doing whatever they can to convince people they will have no privacy rights online at all.

The Sunday Times last weekend picked up on a story that Computing ran late last year about European Union plans to allow police to remotely hack into home computers without a warrant – with the Brussels edict now being adopted in the UK.

Not surprisingly, civil liberties groups are outraged. I’ve been critical in the past of privacy campaigners for what I’d often perceived as knee-jerk over-reactions to anything technology or database related. But in this case, they are absolutely right to protest.

The government has spent years trying to educate home computer users on the importance of security – often drawing the obvious analogy that you wouldn’t leave your front door open and allow thieves to walk in and steal your property, so why do the same online.

Yet this snooping plan allows the police to do just that – and without a warrant. Any suggestion that the police could randomly walk through your front door and inspect your premises at will would rightly be condemned. Just look at the furore when they did precisely that to Conservative MP Damian Green in his workplace.

We have already seen how local councils have abused powers that allow them to undertake legitimate surveillance under anti-terrorist laws, by instead snooping on how people use recycling bins, for example.

The idea that it will be legal for police to perform acts that, if undertaken by you or me, would see us rightly branded as hackers, is absurd. We have become sadly used to organised crime realising how they can make use of keylogging software, downloaded malware and drive-by access to wireless networks. To think that the police will be copying them is beyond acceptable limits.

There has to be a balanced and reasoned debate about what privacy means in a digital world where old physical boundaries and principles no longer apply. The government seems to be taking an approach that sees it keep extending its powers until someone finally says stop.

There are very good reasons why, in the right circumstances, law enforcement authorities should be granted access to digital information that promises to give as much of a boost to evidence gathering as did the development of DNA matching.

But the lines of acceptability in the internet age are blurred and yet to be defined. Those definitions need to be put in place soon – the privacy debate cannot be delayed further.

Friday, 05 December 2008

You should be talking to each other

Last night I was privileged to speak to a gathering of the UK IT security elite, at a dinner event organised by BT. Gathered in the exclusive Westbury Hotel in Mayfair were the great and the good of information security and risk management from the private sector, government and academia.

Putting aside the debates and discussion on the challenges these individuals face – among the toughest and highest-profile tasks in technology management – there was one particularly notable facet of the evening. This wasn’t just a get-together of like-minded professionals of the type you find at any conference or seminar – this was a bunch of mates, albeit with a common professional cause, but meeting on a regular basis to see old friends, have a laugh, and even raise money for charity (congratulations to the organiser, BT’s Ray Stanton, for collecting £1600 for Childline on the night).

In my job, I get to spend a lot of time at events such as this where IT leaders network, meet their peers, make contacts and share experiences – but rarely have I come across a group whose connections go beyond merely the collection of business cards.

Security is the great taboo of IT. Understandably, most organisations are wary of discussing their security and risk management strategies for fear of attracting unwanted attention from potential threats. There is no greater challenge to a hacker than an IT security manager proclaiming his network is hack-proof.

But put these normally reticent individuals together and they recognise their common cause. There are few areas in IT where sharing information and experiences is more likely to produce wider benefits, and the openness that these experts show to each other in private is a lesson for every discipline in IT.

The only area I have come across with similar knowledge sharing is among the most senior IT leaders in the country, who come together through user groups such as CIO Connect, The Corporate IT Forum and the BCS to learn from each other.

But there is a lesson in such sharing that would benefit many more working in IT – it is a sign of a mature profession. Compare with accountants or lawyers, for whom professional knowledge sharing is a key part of their job.

The message to everyone in business technology is clear – you should be talking to each other.

Thursday, 10 July 2008

Former salmon poachers - read this

The Tories have decided that e-crime is another weak spot in the Labour government’s policies that is ripe for prodding.

Shadow home affairs minister James Brokenshire told delegates at a McAfee security briefing in London this week that the government’s inaction leaves the country vulnerable to cyber terrorism.

“If you accept cyber criminality you heighten the risk of cyber terrorism,” he said.

Fair point. Can’t argue with that. But the response of the 100 or so IT security chiefs in the audience didn’t exactly display confidence in a Tory alternative.

“He looked about 12,” said one delegate about the youthful MP.

“I’d like to ask him, where has he actually worked?”

And of course, that is the best thing about being in Opposition – it’s easy to say what you want to do, when you don’t have the opportunity to do it.

My perception of the mood of the delegates was that the views and actions of politicians will have little influence on their plans. After all, despite lots of good words, government has hardly rallied to back the IT security profession in the challenges it faces.

First, the well-respected National Hi-Tech Crime Unit disappeared. The Information Commissioner is still largely toothless in his ability to enforce the Data Protection Act. And the decision last year to switch e-crime reporting from the police to banks sent out all the wrong messages.

As Brokenshire pointed out in one of the moments he did connect with the audience – salmon poaching is officially considered a graver offence than cyber crime.

If I walked up to you today and stole £10 from your pocket, I’d be in trouble with the police.

But if I managed to hack £100 from your online banking account, I would just be another statistic in a summary report from your bank.

There is little to suggest that the situation will change soon. The Metropolitan Police spent months trying to convince the Home Office to provide a meagre few million pounds of funding for a new central e-fraud reporting unit.

E-crime is simply not taken seriously by politicians – or at least by those with the power to do anything about it.

Friday, 02 May 2008

Paranoid? Perhaps I ought to be

Most times I am rather dismissive of the latest technology conspiracy theories.

I’m somehow not convinced that microwave signals are being used to turn inner-city kids into mindless zombies.

Nor was I convinced that the breakdown in submarine cables that led to problems with internet access in the Middle East earlier this year was down to some strange covert underwater sabotage activity.

But for once, the FBI and the US government are doing themselves no favours and providing public domain material to fuel those who are convinced their every electronic move is being watched from afar.

In a House of Representatives judiciary committee hearing last week, FBI director Robert Mueller told California congressman Darrell Issa that, among other things, he sees the need for the FBI to have on the internet “some omnibus search capability utilising filters that would identify the illegal activity as it comes through and give us the ability to pre-empt that illegal activity where it comes through a choke point as opposed to the point where it is diffuse on the internet.”

In other words, monitoring all web traffic as it enters the US (and bear in mind that most international connections route through the US at some point) to prevent the cyber attackers getting inside in the first place. It’s almost an electronic version of having to remove your shoes at the airport before being allowed to enter the country.

Issa also suggested to Mueller that there be a “Cyber Initiative” whereby “ISPs that hypothetically got consent from every single person who signed up to operate under their auspices” – effectively a permanent search warrant issued through every ISP giving permission to the FBI to look at anything we do on the internet.

And to be honest, if I had read that on a conspiracy theory web site, I’d have scoffed.

Putting aside the obvious legal, moral, ethical and technical obstacles to such a move, the FBI must be pretty confident in its ability to play into paranoid US government fears to get backing for exploring such an idea.

Of course they would like to do it – and probably already do to some degree. Anyone remember Carnivore, the proposed FBI internet monitoring device that would, in theory, act as a physical firewall between the US and the rest of the world, enabling US authorities to literally disconnect the country from the internet and vice versa – the electronic equivalent of grounding all the planes after 9/11?

Carnivore was meant to have been scrapped, but it would surprise nobody if it still existed in some form.

So who is the biggest danger to civil liberty – the cyber terrorist or the paranoid administrator? Discuss...

Thursday, 06 March 2008

Roll up, roll up, get your voluntary ID cards here

Forget the politics for a moment, forget the challenges of making biometrics and a national identity register work for a little while, and please someone tell the government to employ someone who knows about selling to come up with a reason people will accept ID cards.

With today's announcement of the latest stage in the prolonged rollout of the controversial scheme, once more the biggest element lacking is a coherent and convincing reason why the cards are necessary in the first place.

ID cards will not stop terrorism - they might, in some cases, make it harder to obtain false or multiple identities, but that didn't stop the 7/7 London bombers, fully identified UK citizens all.

Voluntary passports will not work - who would suddenly decide to have a card, having happily gone through their life without one so far?

And perhaps my favourite example of daft politics is the idea that students will be the first to be offered the cards on a voluntary basis because, according to home secretary Jacqui Smith's reported comments on the BBC News web site, "they will be the most willing to accept them as they could help students do things such as open bank accounts."

Pity all those thousands of students unable to open a bank account so far. Where must they keep their student loan? Hope the boxes under their beds are secure.

Let's not forget, students are not exactly renowned for their right-wing tendencies. If one bank decides to mandate ID cards for opening a student account, it is bound to see floods of eager students queueing up - outside its rivals.

There is a case to be made for ID cards - in an increasingly connected world some form of electronic personal identity and authorisation mechanism is going to be inevitable - but the government's ham-fisted attempts to sell its proposals to a sceptical public will not get us any nearer that goal.   

Thursday, 07 February 2008

Everybody loves a good conspiracy theory

If you’re consumed by doubt over who killed President Kennedy, intrigued about whether or not the Pentagon was actually hit by a plane on 9/11, or if you’re still out to get Prince Philip for driving the white Fiat that took out Princess Diana, then the world of undersea cables is probably taking up a lot of your time at the moment.

Over the past week, four telecoms cables at the bottom of the sea connecting the Middle East and North Africa have “failed”, disrupting internet traffic and telecommunications – and hence electronic trade – in several countries across the region.

Broken undersea cables are, as you can imagine, not a frequent occurrence – but it does happen often enough to warrant a small fleet of repair ships ready to take action.

The unusual number and the particular geography of these problems have kept the internet conspiracists very happy.

First reports suggested that a trailing anchor had damaged a couple of co-located cables near Alexandria, until the Egyptian authorities denied the presence of any ships in that area.

Since then there have been suggestions of CIA dirty tricks, plans to spoil a new Iranian online oil exchange, or even botched attempts to install covert listening devices on the cables themselves.

Matt Walker, a senior analyst at Ovum RHK, gives a very good – and sensible - account of the likely circumstances:

“Of the four reported and confirmed failures, two are on cables in the Mediterranean, two in the Persian Gulf; at least one of these may be a power failure, not a cable cut, and hence the landing station is the likely culprit,” he wrote.

“The Persian Gulf is shallow but the Mediterranean reaches depths of several kilometres not too far from the coast. Without knowing the exact depth of the Mediterranean outages, accidental damage from fishing/anchors/dredging is certainly possible there, and highly likely in the shallow Gulf. Four breaks in two separate locations in a single week are rare but hardly impossible, or proof of a conspiracy.

“To paraphrase Henry Kissinger, though, even the paranoid have enemies; there may indeed be something sinister lurking. Even if all the outages occurred in shallow water, that doesn't prove that accidental damage from, e.g., a fishing trawler, was the cause, but merely suggests it was physically possible. Intentional sabotage is, after all, probably more feasibly done in shallow waters than deep, and cable security in shallow waters is only modestly more practical. Clearly, undersea cables are a ripe target for those with an interest in wreaking havoc on international communications, whatever their motivation. Another consideration is that undersea cables have been used for submarine/surface surveillance purposes as far back as World War II, with the cooperation of private industry,” he said.

Walker concluded: “In my view, the most likely outcome of this is that a credible explanation for the coincidence will be presented soon, and a few weeks from now, all will be forgotten.”

Believe what you will. The most significant aspect of this incident is to highlight the critical importance that the internet plays in global trade, even in developing nations such as Egypt.

The fact that a temporary and relatively minor disruption to that service in a pressure-cooker region of the world has produced such an outburst of conspiratorial hand-wringing shows that the internet is well and truly as much a part of international relations and political diplomacy as it is central to the corporate IT strategy.

Thursday, 10 January 2008

Don't blame it on the database

The national media has, unsurprisingly, been full of politicians and commentators calling for the identity cards and NHS electronic records programmes to be reviewed or even scrapped, in light of the outbreaks of “lost” data caused by the missing HM Revenue and Customs CDs.

Shadow home secretary David Davis wrote in The Sunday Times that “we need serious restrictions on the transfer and sharing of such information. The current casual and careless practice is intolerable.”

There is no doubt that Davis is right on this point of principle, and the debate over the security of government databases is a vital one.

But let’s think carefully about some of the facts. Patient records were lost by nine NHS trusts – each of which no doubt had different IT and processes in place to cater for data protection. In one case, the records lost were paper-based.

The problem with the lost 25 million child benefit records was not with the database; it was that technology was not better used to protect it.

Secure file transfer and encryption are available – the problem was the lack of management controls and processes over the use of that data.

There is a strong technical counter-argument to the anti-database cries – most of these issues have come as a result of a lack of management control and a patchwork of unco-ordinated databases.

And as we spend more time online, a standardised system for electronic personal identity management in our dealings with government – and even the private sector – is surely inevitable, whatever form it takes.

The goal is a system that gives each of us the ability to personally manage our electronic identity – an individual firewall around all the data that matters to you. That technology does not yet exist in the mainstream, but offers a vision of a secure future. Whatever the government does now should be seen as steps on that path.

The political rights and wrongs of ID cards or electronic patient records are a different debate.

The argument must not be about whether databases should exist. The objective is to make sure that secure, better managed and well-controlled databases exist.

Wednesday, 19 December 2007

2007: So what?

I’ve just been compiling Computing’s news reviews of 2007 for our web site, looking back at the big stories that made the headlines during the year. With such an overload of articles, how can the past 12 months be best summarised?

Well, to be honest, it’s been something of a case of same old, same old. What have we learned this year? 

The government continues to embarrass itself where technology is concerned, sadly negating all the good work that is increasingly taking place in public sector technology. 

Green issues have leaped to the top of IT managers’ agenda, and rightly so. But really, most of the current advice available is simply common sense, good practice IT operational management. We are still painfully short of genuine vendor-free best practice green computing – although there are a few leading companies that are starting to write the rulebooks. 

IT security is just as much of a pain as it has been, but the law enforcement community seems to be drifting further away from being able to address the concerns of business leaders. The great fear is that e-crime will only be tackled once something really bad takes place to make the authorities act. 

What else? 

There are still skills gaps; the profile of the IT leader continues to change; more work is being outsourced; and offshoring is expanding faster than ever. 

Web 2.0 has become the new internet and e-commerce buzzword; stock market valuations for online companies are becoming very silly again; and broadband is an increasingly important economic driver (so let’s hope we get moving on the next-generation infrastructure). 

All in all, it sounds very much like how you would summarise any other mature, business-critical sector of the UK economy. The more things change, the more they stay the same, as the French would say if they translated into English.

In that light, perhaps the most important story of the year came just this month, with news that the UK IT sector is now the second biggest industry in the country, after financial services, contributing 6.4 per cent of the economy – some £66.5bn. 

Maybe in years to come, we will look back at 2007 as a pivotal time, one when IT continued to grow up and establish itself as central to the UK's international success. Technology is increasingly just a part of business, it flows with and influences our lives every day, and perhaps it is a good thing that as the year ends, we are not looking back on any one trend as a defining influence. 

Just another year for a vital part of the way we live, work and play. 

Merry Christmas from everyone at Computing, and best wishes for a prosperous and incident-free technology new year.

 

Tuesday, 18 December 2007

An outbreak of honesty

The ongoing scandal of lost government data containing our personal records is in reality not an outbreak of security problems but an outbreak of honesty.

Would we have been told about the three million missing learner drivers’ records if HM Revenue and Customs had not confessed to losing CDs containing 25 million child benefits records?

Would the Northern Ireland Driver and Vehicle Licensing Agency have admitted to mislaying CDs containing 6,000 drivers’ details?

Or would Leeds Building Society have made public the missing salary and banking details of 1,000 employees – especially since they were simply ‘unaccounted for’ after an office move from one floor of its building to another? 

The real scandal, if you want to use that word, is that we will never know how many similar instances have taken place in the public and private sectors for years without ever being revealed. 

I was told recently of a major global financial services firm that used to post a CD containing 300,000 people’s personal information inside a jiffy bag, using ordinary post – not even registered post – until the head of IT in the UK found out about the practice and stopped it immediately. 

These sorts of incidents happen all the time.

There will be more calls for a data breach notification law of the kind used in the US, where firms are legally responsible for informing people affected by a security breach. The government’s data sharing review will look for other measures – not least the obvious ones such as encryption and electronic, instead of postal, file transfer. And the debate over identity cards and NHS medical records databases will be cranked up as a result. These are all good things, of course, and recent events have served only to raise the profile of a discussion that would have taken place anyway. 

But what will no doubt also happen is yet more questions about the use of databases – it has almost become a taboo word. 

In all this lost data debate, there is one fact that seems to be overlooked: No database has ever “lost” anything. No IT system has allowed information to be retrieved unless it thought the person doing so was meant to be there. No network ever randomly decided to publish the content of its systems. 

Technology is not the villain here – it is the solution. The problem is human error. The HMRC data would not have gone missing were it not for a human being making a very bad decision. 

Simple, everyday technology exists to make data secure, unreadable and inaccessible. We should not be worried about the government creating a database containing the details of 60 million citizens – we should be worried about the fact that human beings are operating it. (Not that the government is creating a single central ID cards database, nor a single, central NHS medical records database, but the complexity of distributed data management is beyond most national news commentators). 

Some newspaper columnists (well, one in particular) have even suggested a return to remembering data or writing it down on paper and not using IT at all. Great idea – after all, nobody ever forgot information they were told, and nobody ever stole or mislaid a piece of paper, did they? 

So the honesty we are seeing now is welcome, if belated and sadly causing many people a lot of worry about the potential for identity theft. 

But let’s not allow the debate to be dragged down to a simplistic and headline-grabbing “all databases are bad.” Like all IT, it is about people, process and technology – and the technology is the easiest part to get right.


[Thanks to an in-depth conversation with my good friend and Computing features editor Mark Samuels for the inspiration behind this blog entry. Happy now, Mark?]

Friday, 09 November 2007

Computing Awards - congratulations to the winners

The winners of the 15th annual Computing Awards for Excellence were announced last Wednesday in front of a packed house at the Battersea Park Arena in London.

More than 1,200 VIP guests enjoyed an evening’s entertainment, hosted by comedian Sanjeev Bhaskar from The Kumars at No. 42.

The party was great – and more importantly the quality of the winners was outstanding.

Our congratulations go to all those whose efforts were rewarded – see the full list of winners below.

We look forward to seeing you at the Computing Awards in 2008.

Project Awards

Private Sector Project of the Year

Jimmy Choo – Global IT strategy project

Public Sector Project of the Year

NHS Connecting for Health – Picture archiving and communications system (Pacs)

Community Project of the Year

YouthNet

Innovative Project of the Year

Channel 4 – 4oD

Green Project of the Year

BT – 21st century data centre project

Outsourcing Project of the Year

Service Birmingham

Student Project of the Year

Aston University ACNRG Electronic Engineering Department – In-Motes Eye

Individual Awards

IT Leader of the Year

Rorie Devine, chief technology officer, Betfair

IT Professional of the Year

Andrew Mackey, head of networks, Service Birmingham

IT Department of the Year

Canterbury City Council

IT Team of the Year

Barclays Bank – Mainframe stability team

Company Awards

Best IT Strategy

Littlewoods Shop Direct Group

Best Small Business IT Strategy

Doctors.net.uk

IT Employer of the Year

Abbey

Industry awards

Business hardware supplier of the year

Secerno

Business software supplier of the year

Tideway

IT services supplier of the year

MessageLabs

Networking and communications supplier of the year

iPass

IT PR Company of the Year

Hotwire

Recruitment Consultancy of the Year

ReThink Recruitment

Technology Advertising Campaign of the Year

ChemistryTM for Morse

Editor’s Award

Outstanding Contribution to UK IT

Rt Hon Stephen Timms, MP
Minister of state for competitiveness

