David's Damascene Conversion

Here at Data Grub we’ve so far held off from writing about ID cards, in part because this long-running saga has been so comprehensively covered in most mainstream media.

But we couldn’t let the Rt Hon David Blunkett get away with Tuesday’s speech at, of all places, Essex University. Blunkett, the original panegyrist of ID cards in this country, used his speech in part to propose scrapping compulsory ID cards.

So, what prompted David’s Damascene conversion, especially given that he’s often expatiated on the benefits of ID cards in his News of the World column and was at one point trousering a decent sum as adviser to Entrust, a company interested in bidding to run the UK card scheme?

Well, let’s not get ahead of ourselves. Blunkett went on to recommend that all UK citizens be required to have a fancy biometric passport which is, in effect, an ID card with a handy notebook attached for shopping lists. (Let’s be honest, when was the last time Bermondsey Bob needed a visa?)

Blunkett proposes that ID cards be voluntary but that biometric passports – which contain exactly the same information and will be linked to exactly the same database – will be compulsory. That way, the government can spin ID cards as a handy “mini-passport” that fits snugly into your wallet.

But even if compulsory passports are merely ID cards in disguise, one wonders what his rational is for jumping horses now, especially given that the current Home Secretary is still keen on the cards. Could it be that he wants the law on the statute books before the Tories’ inevitable election in 2010?

Blunkett and his successors have been trying to get make ID cards mandatory for donkeys’ years, but couldn’t do so until a large proportion of the population started carrying them voluntarily.

That’s clearly not going to happen in the next 12 months; but plenty of people have passports – make them compulsory and you’ve got your ID database system sorted.

Of course, all this completely ignores the question of whether ID cards might not, in fact, be quite a Good Thing after all. In spite of the government’s claims that they will prevent benefit fraud and halt terrorists in their tracks, Data Grub remains to be convinced of their utility.

Should Jacqui Smith decide to take Blunkett’s advice by making passports compulsory, it’ll be interesting to see if she employs the traditional ID card arguments (fraud, terrorism) or if Labour spins it some other way.

Watch this space.

Clayton makes a suggestion

Enough has been written about the House of Lords' report into surveillance in Britain, so today we'll be returning to Microsoft's latest version of Internet Explorer.

We've written previously about IE8's notorious InPrivate function, the sole purpose of which is to keep the wife from knowing about the surprise holiday / present you've bought for her online. According to Microsoft, anyway. Let's face it, they weren't going to dub the function "PornCloaking+" were they?

But still, there's nothing inherently evil about InPrivate.

What does cause concern is IE8's "Suggested Sites" feature, which allows users (in Microsoft's words) to "discover websites you might like based on sites you've visited". By activating the service in your browser, you consent to send various data about your browsing activity to Microsoft. This could include the URLs of visited sites, search terms and form data, as well as information that could potentially identify individuals, such as a user's IP address.

It's the classic trade-off: you agree to give up personal data in return for a service. But since users are fully aware of what data they'll be giving up and are able to give their informed consent to the service, this shouldn't present a privacy problem, should it?

Unfortunately for Microsoft, Suggested Sites has attracted criticism from the esteemed Richard Clayton, the Bill Bryson-lookalike and doyen of Internet privacy campaigners.

Dr Clayton says Microsoft must be clearer about explaining the risks, as well as the potential benefits of the service. He points out that full URL sharing via Suggested Sites poses a privacy and security risk and in particular warns that Microsoft should avoid sharing data submitted by surfers with other users of the service.

The risks hinge upon the fact that Microsoft will get the full URL of the site you visit. In some cases, this is essential - knowing that you visited blogger.com ain't going to help Steve Ballmer to suggest sites, but a visit to blogger.com/animals-do-the-funniest-things will help him to point you in the direction of some cutesy squirrel pics.

But sometimes, a full URL may hold clues to your identity, give permissions to others to access the site, or compromise your privacy or security in some other manner, says Clayton.

It's not so much that a Microsoft employee might one day go rogue and start stealing these sensitive URLs; it's the possibility that Microsoft hands the URL to someone with similar tastes and these users visit the exact places that you go to. "Suddenly all that "security through obscurity", the pious hope that no one could possibly guess that URL, goes up in
smoke," says Clayton.

Dr Clayton is a Cambridge academic and an eminently sensible, if somewhat cautious, voice in a debate which is all too often conducted by shrill, ignorant or ill-informed comentators.

Clayton doesn't want to score cheap points by gratuitously slating Microsoft - he merely points out that they could do better, by minimising the data transfer, and only obtaining longer URLs for the sites, like blogger.com, where it actually matters.

In the meantime, they should honest and transparent about the potential risks.

But Clayton's comments do have a silver lining for Microsoft: he points out that selecting the InPrivate mode automatically disables Suggested Sites, even if users have opted in. So, at least they can claim another alternative use for Pr0n-Mode...