net.wars: Surveillance by design
by Wendy M Grossman | posted on 07 March 2003
The last couple of weeks have been spent writing about privacy enhancing technologies. And, friends, the news isn't good. You know how technology can make an end run around law, PGP being the prime example? Well, sometimes practice can make an end run around technology. We're in such a situation now.
Item: the London Underground is bringing in smart cards. If you've been travelling on the tube lately, you'll have seen the readers popping up on top of the barriers. They're those round, yellow things with the little red light. The smart cards will, eventually, be acceptable as payment not only for travel but for items in nearby shops, and so on. Everything nicely linked. The privacy-enhancing technology known as "anonymous cash" has been available for some time now, and governments (and shops) just hate it.
There has been (as far as I'm aware) no public discussion of the system's design or capabilities, or even a mild query as to what passengers would like such a system to do. Or if they want it at all.
This scheme is costing £1.2 billion and is being phased in starting in August. According to transport officials, it's going to shorten queues and cut fraud. And it's being managed by EDS, our old friends with the giant off-shore government databases. Isn't that nice? That will make it so much easier later, when the government decides it would be easier to cut benefit fraud by taking advantage of the technology built into those smart cards that "people already have and want".
The card hasn't even been launched yet, and already function creep is setting in.
Personally, I think a simpler way to cut queues would be to put in a giant crane to lift out all those people who stop right in the barrier and fish through all their pockets and bags for the "I know it's in here somewhere" card.
Item: London's congestion charge. A lot of ink and electrons have been spilled over this one in recent weeks, but I'll add to them briefly by noting that there is now no way to drive anonymously into London, a right that the public was never asked if it wanted to give up. It would, granted, have been much more expensive and time-consuming to build a system of toll booths so you could pay for the day on your way in.
The upshot so far has been a noticeable level of cloned number plates, so that bewildered grannies in Yorkshire who have never been to London are getting notices that they owe £80. The camera is always right until it's wrong.
With both these schemes - and many other schemes involving smart cards, RFIDs, and so on around the world - privacy could have been built in. But by the time people realise what they've given up, the only recourse will be to pass laws limiting how the stored data can be used. In Finland, where RFIDs were brought in on Helsinki's public transport system, the company supplying them just naturally kept the data. After a public outcry, the practice was stopped.
My guess, however, is that the first public outcry about London Transport's smart cards will be about billing: I bet the cards won't charge us for trips the way they're supposed to or the way people expect. I also bet they won't be as big a success as London Transport thinks.
For those who buy monthly travel tickets it won't make any difference which kind of ticket they buy, but for those who make occasional trips, it's probably going to be more difficult to manage than just buying a ticket when you need one. Plus - and I hope I speak for the majority here - if London Transport was going to pay £1.2 billion to improve any part of its infrastructure, I would have liked to see them spend it on sending around more trains. Call me a lunatic.
But these are just two examples, and there are many more. It's arguable that we do know how to make at least some privacy enhancing technologies and have for some time. But the truly depressing thing I've learned in the last couple of weeks is how little progress has been made in incorporating them.
I've been to at least a dozen conferences over the last decade where people like David Chaum, Carl Ellison, Whitfield Diffie, and Rebecca Mercuri have talked about how to change the way we're building systems such as digital cash, identification, and electronic voting to include privacy considerations. Ellison and Diffie, for example, have often pointed out that most of the time your identity is not important - it's your role that's important.
The transport authority doesn't need to know who you are; it just needs to know you've paid for your ticket. Your bank doesn't really need to know who you are either; it just needs to know how much money is in your account and that you are the person who's authorised to use it. Our persistent single identity does not in fact have to be tied to all these roles.
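The role-not-identity principle Ellison and Diffie describe is what Chaum-style blind signatures deliver for a ticket. The following is an added example, not code from the column or from any transport operator, and it uses a toy RSA key built from small, constructed primes: the seller signs a blinded ticket digest, so the signature it later sees at the barrier cannot be matched to anything it logged at the time of purchase.

```python
# Toy Chaum blind signature: the issuer learns "someone paid", the gate learns
# "this ticket is valid", and neither can link the two to a person or to each
# other. Textbook RSA with small primes, constructed for illustration only;
# a real system needs proper key sizes and padding.
import hashlib
import math
import secrets

P, Q = 104729, 1299709              # small primes, toy key only
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # issuer's private exponent

ISSUER_LOG = []  # everything the ticket seller ever gets to see

def ticket_digest(serial: bytes) -> int:
    """Hash a rider-generated ticket serial into the RSA domain."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def blind(m: int):
    """Rider hides the digest behind a random factor before it is signed."""
    while True:
        b = secrets.randbelow(N - 2) + 2
        if math.gcd(b, N) == 1:
            break
    return (m * pow(b, E, N)) % N, b

def issuer_sign(blinded: int) -> int:
    """Seller takes payment, signs the blinded value, and logs what it saw."""
    ISSUER_LOG.append(blinded)
    return pow(blinded, D, N)

def unblind(blinded_sig: int, b: int) -> int:
    """Rider strips the blinding factor, leaving a plain signature on m."""
    return (blinded_sig * pow(b, -1, N)) % N

def gate_verify(serial: bytes, sig: int) -> bool:
    """Barrier check: proves payment, reveals no identity."""
    return pow(sig, E, N) == ticket_digest(serial)

def buy_and_use_ticket(serial: bytes):
    """Returns (ticket accepted at gate, seller could recognise it)."""
    m = ticket_digest(serial)
    blinded, b = blind(m)
    sig = unblind(issuer_sign(blinded), b)
    linkable = m in ISSUER_LOG or sig in ISSUER_LOG
    return gate_verify(serial, sig), linkable

if __name__ == "__main__":
    print(buy_and_use_ticket(secrets.token_bytes(16)))  # (True, False)
```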
The reality, though, is that depressingly little privacy enhancing is happening, technically speaking. The problem is that the people designing these giant public systems are not interested: they're designing systems for their purposes, not ours. And if as a side effect they can track us, well, "Hey, we're good guys."
Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, follow on Twitter or send email to netwars(at) skeptic.demon.co.uk (but please turn off HTML).