Information security for the UK: making everyone happy?

The Cabinet Office has released their e-Government framework for Information Assurance for draft consultation. The document sets forth guidelines for implementing the transformational government agenda of delivering more effective, more efficient customer-centric public services. These guidelines are intended to inform all transactions (and their supporting infrastructures) between UK government and its citizens.

The document has an interesting list of relevant legislation under appendix B, ‘Related Policy and Guidance’ (cited below).

The principal pieces of legislation that are likely to inform the IA requirements for e-Government service implementations include and are not limited to [links are added]:

• the Human Rights Act and the underlying European Convention on Human Rights set out everyone’s right to privacy in their correspondence;
• the Data Protection Act sets requirements for the proper handling and protection of personal information held within information processing systems;
• the Electronic Communications Act sets the requirements for electronic signatures and their equivalence to conventional signatures;
• the Regulation of Investigatory Powers Act makes it an offence to intercept communication on any public or private network; case and time limited exemptions may be granted subject to warrant;
• the Terrorism Act makes it an offence to take actions which are designed seriously to interfere with or seriously to disrupt an electronic system;
• the Wireless Telegraphy Act controls the monitoring of wireless telegraphy;
• the Police and Criminal Evidence Act defines conditions under which law enforcement may obtain and use evidence;
• the Computer Misuse Act makes attempted of actual penetration or subversion of computer systems a criminal act; the Public Records Act lays down requirements for the proper care and preservation of documentary records of government activities;
• the Official Secrets Act lays down requirements for the proper control of government information;
• the Freedom of Information Act lays down the citizen’s rights of access to government held information.

I’m posting this list because it illustrates what a balancing act information policy is. On the one hand, we fight to preserve open paths of communication to our legislators and civil servants; we encourage all individuals to be involved in their government; we promote citizenship and interaction through digital inclusion of those who might otherwise be marginalised. Similarly, we have charged the same government with protecting us and our communities; we want them to have full access to the ‘bad guys’ and to anticipate — even pre-empt — any threat to us. From those arguments, we should open everything to everyone!

On the other hand, we have agreed that our human rights grant us the freedom to our own confidentiality. We have also agreed, through our democracy, that the government should have some leeway in keeping information from us (particularly about each other) to deliver effective public services to us and our neighbours and to protect us from the bad guys.
Both of these bits of secrecy mean that each party wants to maintain a certain level of control over allowing access into our conversations.

It’s a lot to juggle.

[Consultation on the e-Government framework for Information Assurance runs until 13th March 2007.]

Read Full Post »

Privacy legislation and teenagers: Leave me and my Facebook alone!

Developing an adolescent network of friends

Being a teenager, for me, was largely a trial-and-error process of figuring out how to be an adult. I wanted autonomy, I wanted to succeed, and I wanted to be able to ask for help — but only on my terms. I created a “family” of friends, relying on them for the moral support and frames of reference that I had previously looked to my relatives for. We muddled our way through adolescence, as I imagine most teens do, trying to work out together how to handle our uncertain futures, new relationships and the stress of achieving good grades. We learned together.

Underneath that bonding and grouping, I distinctly remember not just drifting from my family but actively setting up blocks. “I want to do this my way, by myself!” was a big mantra of those years. Supreme Court Justice Louis Brandeis wrote in the 1890s that the US Constitution guarantees “the right to be let alone—the most comprehensive of rights and the right most valued by civilized men”. I was pretty positive Brandeis was writing right to me; as a (self-declared) civilised almost-adult, I thought that right was sacrosanct. I wanted to be let alone with my friends.

Social Networking – the online models of our groups of friends

Social networking platforms like Facebook, Myspace and Bebo allow teenagers to intensify their relationships with members of their group. In creating a profile or home page, they can create and re-create their own identities, experimenting with who they are and how they want to be seen. They get to identify themselves with social groups, be seen as belonging (through displaying their friends) and discover who else belongs with whom. And best of all — the parents aren’t invited. This is a world of their own, ideally suited to the adolescent’s social development.

The tension: Protecting the kids or invading their privacy?

If we can extrapolate my experience to a majority of Internet-using teenagers, social networking sites are supporting them in the social development they’re already doing. The challenge comes in building new relationships, where the lack of context can make it easy for someone with a nefarious agenda to mislead the unsuspecting. (See previous post.) The quick intimacy teenagers build can mask the fact that they don’t actually know who is on the other end of the conversation.

Recent US legislation has attempted to minimise the risks to kids. The Children’s Online Privacy Protection Act of 1998 (COPPA) prohibits site operators from collecting personal data from kids under 13 without verifiable parental consent, and removes their liability for disclosing information to the parent about the child. In a previous post, I have discussed the proposed Deleting Online Predators Act of 2006, and this week the Georgia Senate has begun to consider a bill that would raise the age of parental consent to 18. No minors in Georgia would be allowed to engage in social networks without their parents having full access.

At the same time, the chief privacy officer for Facebook, Chris Kelly, maintains that they are restricted from sharing activity and profile content with parents by federal law. “Under the Federal Electronic Communications Privacy Act, we cannot give anyone access to or control of an individual’s profile on Facebook”, Kelly said. In addition to the overhead if they were required to open up all that data and verify which parent belongs to which kid, the inevitable response would be diminished site activity. If kids knew that Mom and Dad could listen in, they would find somewhere else to talk.

(Facebook of course has an interest in keeping activity levels high and therefore maintaining its revenue stream, which appears to be advertising-based. But it would fall short of its goal of “helping people better understand the world around them” if everyone restrained their contributions to each other’s world views because they felt they were being spied on.)

How do we sort this out?

If we go back to my assertion that social networking is modelling interactions and social development that we all do anyway, then the dangers aren’t actually that new. As an offline teenager, I was certainly taught not to give my address to anyone I didn’t know, and not to talk to strangers. I knew to look both ways before crossing the street. I knew how to listen for conversational cues that I was talking to someone with bad motives, and to recognise that friends of friends aren’t necessarily okay just because they come with a “reference” from somebody I know. All these messages kept me safe in the big bad real world, and I knew them because I was taught.

Teenagers need to form groups, to share information and to grow with their friends. And to establish a bit of independence from their families. Social networking can support this growth, but someone needs to make sure that online safety is included with the “surviving in the real world” lessons every kid gets either at home or at school. Particularly because parents are less involved in the conversation than they were when the children were younger, teenagers must be well prepared to make good decisions on their own. Unfortunately, legislation restricting access or allowing parents to “eavesdrop” won’t teach good judgment. Nor will applying privacy legislation — many kids wouldn’t figure this out on their own. Parents, teachers and role models are still ultimately responsible for these almost-adults, and it should be up to these adults to prepare them properly.

Read Full Post »