A (27:39)

Any questions? Deathly silence. Wait for the microphone.

B (27:49)

A sort of obvious one.

D (27:51)

Why do you think Google won't survive?

C (27:54)

I'll back up. I've got a huge footnote here. Google will not survive as a thriving multinational enterprise with global business presence, as global business interests, unless and until it decides to undertake a major restructure of its corporate assets, its operational methods and its technical architecture. In other words, Google will not survive as it's currently structured. They have two choices. They can either reorganize or stay a US company for the rest of their lives. By which I mean they recently had a bad experience in China where the Chinese told them what rules they had to follow in order to have an office there, to have a trading presence there, to operate their website through. CEO. And they kind of worked with that for a while and then they decided we don't want to work with that anymore. So they pulled out. They just had three executives convicted of a crime in Italy because of the YouTube service. Not anything the three guys did individually, but they were found responsible on sort of a corporate control basis. If they continue to face that kind of liability, they have to make hard decisions. We either change the way we do business and change the way we structure or we start. Maybe they'll pull out of Italy next, maybe they'll pull out of Ruritania and the Land of Nod or any other place where they don't like the rules. I think unless if they want to restructure as a global business, they're going to have to realize that content businesses and telecommunications services businesses are inherently sensitive, will always be subject to some measure of local control, local sovereign intervention. In the same way that BlackBerry RIM has found out recently. And they will, in my opinion, they'd be well served to break themselves up into two different operating groups, which is one operating group or individual operating units that work on a country basis, that liaise with local countries and then have a flagship headquarters office that focuses on technology development and IP licensing so that they can literally sit in California with clean hands and say hey, that's not our Google, that's Google Ruritania. And Google Ruritania is either a wholly owned subsidiary or shoot flog it off to sell it to somebody else. To local shareholders, we license them our technology and we have no control. That's what we have to do to do business. There's. They can either go down that path which we see with things like international energy companies, or they can collapse into their own single market. I don't know which way they'll fly.

A (30:12)

Now that the Internet is localizing, as you say, and it's no longer a frontier. What will criminal law enforcement look like? Online.

C (30:22)

Criminal law enforcement, well, frankly is not my bag. I do almost my entire practice as non criminal so I can only make some really rough high level guesses. I think that more and more money will be and is being put into training law enforcement officials to understand how to deal with Internet related events. There's been a huge amount of training required and still required with respect to computer forensics and network forensics. But criminal law will always suffer from one significant limitation, and that is the inability to extradite criminals from one country to another. I mean, in this country there's one guy who's been awaiting extradition to the US for what's it now, six or ten years or something like that. And I don't want to comment on the merits of his case. There are merits and demerits of his case. But similarly, when the police here find evidence of criminal misdoings in, let's call the country Ruritania, because I don't want to annoy any countries unnecessarily. There's a criminal gang in Ruritania, we can tell you exactly what block they live on. And they're using the Internet to break into banks and steal money from little old ladies and all sorts of things. The police in Ruritania won't give any help. So if you can't enforce the criminal law against those people, somebody better build a better border. Or perhaps somebody had better find a better border enforcement technology. I look for the day when somebody announces we have decided arbitrarily to stop all traffic coming from Country X until they can sort themselves out, or it's all going to go through a scanner or a NAT box or something which goes through police headquarters before it's allowed in.

A (32:03)

Can I just add to that as well that we do have Detective Superintendent Charlie McMurdy from the Police Centrally Crime Unit coming tomorrow, as well as David Blunket.

C (32:12)

Indeed, you can ask her all of those questions about how she's trying to enforce the law. Frankly, she and the police have a very, very difficult job and if they can't do their job, then somebody else at the security level has to find a way to assist in basically protecting the citizens of this country.

A (32:34)

No? Okay, well, thank you very much, Rob. I'd like now to introduce Bob Ayres. Bob is the Vice President of Intelligence and Security Celex and is a fellow Associate Fellow at Chatham House, I believe, ex Associate Fellow at Chatham House and has worked at the US Department of Defence. And his title of the talk. If you click down here, I've got.

B (33:05)

A briefing hidden on here somewhere, don't I?

A (33:07)

Yeah, just click on that one.

B (33:08)

On what?

A (33:10)

Wait, wait, wait. Just start the presentation again and you just need to click next and it'll go straight through technical pickup.

B (33:23)

While they're setting that up, I'll say a few things. In my youth I was counterculture and I've hopefully maintained that throughout my life, back when it was very fashionable to have short hair, I grew mine very long. And when it became fashionable to have it very long, I cut it very short. I stand before you this Evening as a 30 year intelligence officer with the military, politically conservative, and I'm speaking to you on your right to privacy. So I'm maintaining that counterculture question is, is privacy dead? Well, let's explore what the legal basis for privacy is. Universal Declaration of Human Rights says this. I won't read all these to you. The copies will be available. You can get them online, they'll be on the website. The European Convention on Human Rights says you have a right to privacy. There shall be no interference with that right by a public authority. Typically, as citizens, you're required to provide personal information to the State with the expectation that the State will use it for its intended purpose. And here's some examples. You have to give the State information about you. If you want to get a driving license, the state will impose some requirements on you to provide information so they can tax you. All of this information was provided for a specific purpose. And we all assume that when we provide that information to the state, they will use it for the purpose intended. And the same sort of analogy exists for the private sector. You have to provide your bank with information to get an account. You have to provide the airlines with information to buy a ticket. Again, you provide that information with the assumption that it will be used only for the intended purpose. Now, right now we live in an interesting time in which the State has several criminal concerns. One of those is terrorism. And whether terrorism is a crime or an act of war. I won't debate that. The other thing the State says is they are very concerned about organized crime, drug dealing, people smuggling and criminal conspiracies. Pedophilia, activism, political, environmental. I would ask any of you who are here tomorrow night to remember some of the things I say here and ask David Blunkitt about them, because he's responsible for a lot of it. Okay, so the State's concerned about these things I just told you, basically criminal activity. And what has the State's response been to pedophilia, organized crime, people smuggling, drugs, terrorism? Well, they've implemented a lot of things. They've implemented non consensual surveillance, video technical surveillance, listening to your phones. They've introduced various forms of identity validation, and they've increased domestic human intelligence. That's a fancy way of saying they're collecting information on us. Criminal justice system has done some things too in response to Terrorism, organized crime, they've done things like they've extended the period that they can hold you without charging you. They've deprived your liberty through a non judicial process called control orders. And they've even made criminal activity of doing things like glorifying terrorism. So if you say a suicide bomber who blew himself up had to have been a brave man, that may be glorification of terrorism under the law. Problem is there's no definition for what these are. We've also made it criminal to possess information that may be used for a criminal purpose. Not that you'd ever want to do this, but if you go online and you look up something called the Devil's Cookbook, you can find all kinds of information for making bombs and explosives and infernal devices and booby traps. Under the British law today, possessing a copy of that is illegal or could be illegal. Let's look at the magnitude of this response that the state has taken because it impacts directly on our rights to privacy. And we're going to go through these in this order, starting with direct surveillance. Here are some examples of the extent and magnitude of the direct surveillance activity that the British government has implemented in response to those fundamentally criminal or terrorist threats that I talked about. They're reading our license plates as we drive around. They're images as you walk through London, putting electronic tagging on. They're even putting CCTV and microphones to hear what's happening around the TV camera on the streets of London. Some of the things they're planning on doing, or at least they were planning on doing before the government changed, remains to be seen. How many of these will not be followed by the new government using satellites to track cars on the road so they can charge you for it. They've already used satellites to determine whether or not you built a conservatory in the back of your house and as a consequence increased your tax base. So they should tax you more. Some of these are rather interesting. They were putting speakers inside of CCTV cameras. So if you're walking down the street of London, you flip your cigarette butt on the ground. I'm a smoker, so I do that all the time. You can expect to hear this booming voice from above saying, pick up that cigarette butt. This is rather awesome. One of the local councils in London has been hiding cameras inside of baked bean cans and placing them around in your neighborhood to see whether or not you are throwing your trash away illegally and putting it in your neighbor's bin. This is one of those major criminal threats that the state is concerned about have a DNA database. We all know about this. We read about it all the time. There was an article in the Evening Standard tonight where some lawyers were going in. Remember this, Robert? There were some lawyers going in to see their client and the police station changed the rules on where you had to put your briefcase when you went in. They used to throw all their stuff in a briefcase, put it in a locker and then go in. Well, they changed the rules. You could put your briefcase in a locker, but you had to put your memory sticks in another locker. And they didn't know that. And while they were in visiting their client, a policeman came in and said, you put these memory sticks in this thing. They said, oh, you must have changed the rules. He said, we did. They then arrested them, took them away, took DNA swabs, kept them for about four hours in the slammer, then let them go with no charge. Their DNA is in the database. They can't get it out. We are introducing biometric passports. These are some of the modern conveniences that we're expecting to have. School children are being fingerprinted without the permission of their parents. Biometric ID cards were planned when I wrote this. However, they're not plan now because the Tories have done away with them. What's really interesting is one of the responses to these perceived threats is communication surveillance. And this data was current as of 2008. In 15 months, there were almost a half a million requests made to monitor telephone calls, emails and posts. Now, that's a lot. But what's really interesting is in the UK today, there are almost 800 organizations that can apply for and receive permission to monitor your communications. Now, some of those, you'd expect, you know, security services, the police maybe. But some of them are kind of surprising. You know, the fire service and the ambulance service can apply for and be given permission to monitor your communications. Again, remember, this is in response to organized crime, terrorism and fundamental things like pedophilia people and drug smuggling. We all know about the television police, if we're residents here. Some other forms of surveillance are indirect surveillance. We've heard time and time again, microchip your trash can so they can tell how much stuff you're throwing away. That's trivial, but Oyster cards are not. Who uses an Oyster card here? You know, the Oyster card keeps track of where you've been. It doesn't just give you a free ticket to get on the thing. You know, the police can take your Oyster card and use that to reconstruct your journey and see where you've been. And the times you were going, it's happening more and more and more frequently. There's a lot of things that have been thought about that may or may not ever come to pass. You can see some of the things here. One of the big things right now is the use of biometrics and DNA to make decisions about things like employment. We want to employ this person because they have a genetic predisposition toward getting multiple sclerosis or something. There's an interesting discussion right now about DNA becoming readily available. So you can do it almost like a home pregnancy kit. You take a swab, send it in, and you can find out whether or not your child is really your child or whether your child was conceived while you were in Iraq. Remember what the state was concerned about, these things here. So all of that response that I just talked about of gathering information about you is all being done in the name of trying to defeat terrorism. We'll find those terrorists with that camera and that baked bean can for sure. Because we all know terrorists, the first thing they do is they go down the street and throw their trash away. We'll find the drug dealers by fingerprinting our kids. We'll find pedophiles by using satellites to look at your backyard and see if there's any pedophiles running around by your conservatory. I mean, it's kind of silly now. So observation number one. All these things that have been done suggest to me that there's. There's nothing more dangerous to our rights to privacy than a good cause. And taking on pedophiles, catching them, catching drug smugglers, catching people smugglers, these are all good causes. And while we've cheered and applauded the police in trying to intercept these heinous people and arrest them and bang them up, what they've been doing is eroding our rights as citizens to privacy. Now, now let's explore something. Right now. All of us have. In that place that Bob says doesn't exist, we have some Personas. And the word Persona here is used to say there are certain attributes that really reflect us. We have things like a national insurance card, national insurance number, and that's associated with us. We have an auto number plate, and that's associated with our car, and our car is associated with us. You can see more and more examples here. But there's a lot of different various attributes that all are affiliated with us individually. There's also privately held information that's a Persona like information. You know, your phone number is associated with you. Your home address is associated with you. Your Sainsbury loyalty card is associated with you. So we have both public and private information that is being held in the private sector and in the public sector that's uniquely associated with us. And in most cases we've provided that information again in return for a service with the expectation that it would only be used for the purpose to which we provided it. We also increasingly feel compelled to go off and provide information about ourselves to whoever wants to read it. And here's some examples of how we provide that information. The interesting thing about this is once you provide it, you cannot un provide it. You can't take it back. So if you write something down, last night I was drunk and I bonked my sister in law. Well, 20 years from now, when you're running to be the Archbishop of Canterbury, that may sort of impede your nomination. Anyway, let's take a look at what we can start doing with all of these bits of information. Remember, I'm a former intelligence officer, so when I stand before you and say there's some interesting things you can do, you can take it to the bank that I'm not just talking. First one, this is kind of fun. We're talking about today, benefit fraud. Once you start taking all of these different data structures with these various elements in them, it's very possible to start doing things like, let's take Rob. Has Rob owned an overseas banking town lately? Yeah, somewhere in the Bahamas and then flying first class back and forth to Singapore. I wouldn't say too much. He's registered a new Ferrari and he's on benefit. Well, that would suggest that perhaps there's benefit fraud underway. Now that's kind of an example of another one of these good causes of data that we put into this one. The first time I gave this, there was a man in the audience. As I went through this, he blanched. What this says is when you travel, it's very, very easy to determine who's been on the same plane with you more than once. So if you fly back and forth to, say, Paris 15 times a year, you can find out that Rob or this young lady right here was on the plane with you 14 of those 15 times? You can also find out who stayed in your hotel room with you. Was it only you or was it that young lady who sat and decided you wanted to plane 13 times of the 15 you flew to Paris. So if you're traveling with your secretary, you have to be a little careful because you can start putting yourself in a position where simply correlating the information that already exists can get you in real trouble. This is something that I just point out. This is kind of cute. Possessions Activity Analysis. There was a man who was charged with murder in the United States, and his alibi was that he was out of state somewhere else for 30 days right around the time of the murder occurred. And the burglars cut men down by question. I said, well, we've gone for 30 days. Yes. Well, who had access to your house? Nobody. Not me or anything? Nope. Nobody comes in. The door's locked, stays locked. Okay. Did you go back and visit? Nope. You gone 30 days here. Well, what they did is they went into this refrigerator and they pulled the chip out of it. It controls the temperature on the refrigerator. When you open the door and the temperature goes up, chip tells the cooling system to increase the output and it cools down. There's a regular thing. So what they were able to do was to use the chip out of his refrigerator to track all the temperature spikes that showed the door opening and closing and prove that he was in his house going back and forth to the refrigerator while he was gone. So in this case, this man was convicted of murder by his refrigerator, which I find really fascinating. Okay. European Convention on Human Rights says, you have the right to privacy. State shall not interfere with that right. Correct? Well, I kind of left something off. What I left off are the exceptions. And here are the exceptions. You have a right to privacy unless national security interests override that right. You have a right to privacy unless public safety overrides that right. You have a right to privacy unless the economic well being of the country is being jeopardized. You have the right to privacy unless somebody wants to violate your right to privacy to prevent disorder or crime, not catch them, but prevent it. You have the right to privacy for the protection of health or morals. That's a scary thought. And you have the right to privacy unless somebody wants to violate your right to protect the rights and freedoms of others. So what I would suggest to you is that you have a right to privacy unless any of these exception conditions apply, which in a cumulative sense mean you don't really have much of a right to privacy. Now, what's kind of cute is exception conditions exist. That's law. But let me ask you a few questions. Who determines when your right to privacy falls into one of those exception conditions? Who makes that determination? Do you know? No. What legal protections do you have that prevent the state from abusing your right to privacy or the private sector from abusing it? You might want to put that question to Bob, because I haven't seen anyone in the state that has been convicted, at least in the Daily Mail, of heinous privacy violations from ever suffering any punitive sanctions. Second observation. George Orwell was an optimist. Questions? Oh boy, Let me have that thing. I gotta read this. Yeah. This is staggering. Please note, these are guidance for the people that are here. You should issue the following declarations in the first instance. This is if you're doing something bad, like heckling. As chair of this public meeting, I remind you that it is the policy of this school to allow freedom of speech to the visiting speakers. Please stop disturbing the meeting. If it continues, you say, you, sir, madam, are disrupting this meeting. Unless you stop, I will ask you to leave the meeting. This is a public warning to you. Please stop disturbing the meeting. If the disruption continues, you have no alternative but to say, I've asked you twice to stop. I'm reminding you that this school is determined to allow freedom of speech to visiting speakers. Unless you give me a clear undertaking now not to disrupt the meeting, I will ask stewards to remove you. So this is the first time I've ever heard that LSC had its own homegrown version of the riot act. That's really cool. So everybody's very comfortable with their rights to privacy here in the United Kingdom, where you've all abandoned them and given up and decided you don't have any and you're not going to worry about it.

C (52:26)

That too.

B (52:28)

If you do nothing wrong, you will have nothing to fear. Trust us. We're the government.

A (52:34)

It was quite interesting actually. It if any of you made the Steve Ballmer presentation a couple of weeks ago, but he made the observation that his 15 year old son was happy to give away any information about himself as long as he got like something for free. So there is an interesting perspective. Thank you, Bob.

B (52:53)

Ask about that life insurance policy.

C (52:56)

Actually, Bob, since you're here, we have a few minutes. I thought maybe it might be. One of the things that. That struck me is that a lot of the circumstances you were talking about in terms of concerns about privacy dealt with some type of state intervention or invasion of privacy or privacy rights being aggregated with respect to the relationship between the individual and the state. You know, admittedly, whether it's The Metropolitan Police, MI6 or Herringate Council, I suppose that's a very significant, significant difference and some of us are more concerned than others that perhaps it's gone a bit too far. But what about. But do you hold the same sort Of I take your view as relatively pessimistic. Do you take the same view with respect to private invasion of privacy? I mean we've had in the news recently things like Facebook. It turns out that some of those innocuous looking apps about farming and, and you know, sort of mob hits or whatever it is they do on Facebook. I have a Facebook account, but I assiduously refuse to enable any of the apps. And I guess this is another reason I never thought of. But I mean, what about the private invasion of privacy?

B (54:06)

Well, typically the private sector invades your privacy. If a company invades your privacy overtly with malice of forethought and intent, then you have recourse, at least a civil recourse in the courts. It's very difficult to establish a in the public sector who did it, what was the mechanics or the process for allowing that decision to be made? Who made the decision? Where's the record of that decision? So how do you substantiate who violated? Now of course you can always step back and say, would you sue UK plc? But that's something that makes, you know, a very difficult case to win because you don't have the resources to take them on. You can't get one of those law firms that will take on, take you on on a contingency basis to sue the United Kingdom.

C (54:53)

Well, not in this country, no. Because you can't take contingency cases in this country.

B (54:56)

I know, but you can take them for free and then bill hours.

C (55:00)

I'm sorry, I'm a lawyer. You said take something for free. Let me think about that. I mean, actually the concern that I have though, I mean from a practical self protection perspective is that with a lot of these apps, I don't know how someone would take a direct case against some of these people providing the applications. Because I mean, truthfully, one of the reasons that I've never enabled one of these things on my Facebook account is every time I'm getting ready to up comes this window that says, oh, you want to play our game or get involved in our universe or whatever it is. In order to do that, you have to authorize us to big long laundry list. You know, read your contacts, read your wall, post on your wall, post to your contacts, contact other. This big long list. It's like, do you want us to do that? And I'm thinking I've never seen one of those yet where I thought, yeah, I really feel comfortable with you doing that. So I always say no, then forget it. I don't want to Play Farmville that badly?

B (55:50)

Well, the point that I was trying to make is that there are multiple recurring instances in which we all have provided information to somebody for something. And we do that usually with the sort of belief in the back of our minds that when we provide the information to Sainsbury's or to the Post Office or to Barclays bank or to Inland Revenue or to hmrc, that each of those bits of information we've provided are somehow going to be held in confidence. Well, they're supposed to be. They're not supposed to be. We've got local councils selling voting rolls. I mean, they're selling your information.

C (56:30)

By statute, they're required to.

B (56:32)

Yes, well, that's not exactly holding it for the purpose to which we provided it. What I'm trying to suggest to all of us is that there is a cumulative effect to providing this information and the ability to exploit in new and novel ways that aggregate of information is something that very few of us understand nor consider. When we provide information to each of these individual places, it's extremely dangerous to all of us. From what can be done for.

A (57:05)

I have to say, I find it very interesting that the perceived value of personal information seems to be dropping and that people are more and more willing to provide increasing amounts of personal data.

B (57:17)

For.

A (57:20)

Very, very little. And we. Would you say that there's a time bomb here? I mean, if people are giving away all of their personal information now, how will it affect them in the future?

B (57:30)

I think what we're going to see, we're on the cusp of combinatorial database exploitation. We were in a position up until fairly recently in which we were really on the cusp of being in trouble. By that, I mean, the biometric identity cards were going to do something that was going to be extremely dangerous to all of us. Something was this. Right now you go off and you pay your taxes and the tax guy has a database and Barclays bank has a database and Sainsbury's has a database and they're all different and they all put your name in differently and some of them spelled it wrong and it's all screwed up. So if you wanted to search across multiple databases, it's problematic whether or not you could even consult construct a search statement that would actually work against them all. Well, the identity card was going to have a key data element on it that was unique to you. That's the purpose of having it. And so when you want to file your taxes, you use that key data element to represent you. When you get a driving License. Use that key data element to represent you. When you go to the bank, you hand them your ID card and in your bank record goes that key data element that represents you. This propagates across all these data structures over time. And now if someone wants to search for any and all information about you, they've got one key field, that one data element that they can search across all of the databases and any information in them. Resident key to you and your national identity unique identifier pops up a very, very powerful tool. What everybody was fighting about here in the UK was the wrong problem. They were fighting about having a big database with your information on it. That's not the danger. The danger is you now have a data element that will work across all databases.

C (59:21)

Well, the funny thing is that, I mean most of my work is done with the private sector and on that side of the fence we're having just the opposite problem. On behalf of people who are collecting data for a living, we've got things like the recent revision to the Data Communications and Privacy Directive which upped the level of consent required before someone can place or make use of a cookie on a browser. I got clients tearing their hair out trying to figure out how to comply with this thing. Because if you read it literally it suggests that. I said, well, if you want the perfect compliance strategy, then before you place a cookie on someone's machine, you better have a pop up window that explains what you're using the cookie for and who you are and who you know and why you're doing it. And then every time you read the cookie, put another pop up window that says who you are and what you're doing and why you're reading it and get them to agree to it. I said, now I know you're not going to do that, but I mean that is the sort of ultimate compliance strategy in order to do what the law says, which is you must get the consent of the data subject or the end user before you stick a cookie on your machine. Now the funny thing is, is that there are some really valuable things that people do want from that kind of technology, like a persistent shopping basket or to not have to re enter all of your data when you go back to particular websites. So on the one time you're complaining about sort of state intervention and state action which appears to be far too aggressive. On the other hand, I've got a compliance problem with my private sector clients who are trying to figure out, you know, all this legislation, all the regulations coming down on us about trying to respect People's privacy rights. We're having a difficult time figuring out how to actually conduct our business in a way that makes sense. So it seems to me something's kind of gone wrong on the policy making front or on the law making front.

B (61:03)

Yeah. Well, we have a series of very interesting problems when it comes to national policy. We live in an environment now where technology is changing over on about a six month generational basis. Something new in technology comes along about every six months. We have a national government that operates on a five year budget cycle. So the government has to program and budget money today for expenditure five years from now. And in five years from now, the technology that they're trying to target that money toward will have turned over 10 times. It takes years to get a policy into effect. It took almost three years to get the Civil Contingencies act into being. And in that three year period of time, using a nominal six month window, the technology base changed six times. So even if we do write good policy, by the time it is passed into law, it will be obsolete and archaic and it won't work because it won't suit the environment at the time. So we're always going to be in a position whereby the legal framework is trying to catch up with the technology framework. And the legal framework as it exists today is not going to be compatible, consistent, and actually apply to that technical environment as it exists today.

C (62:23)

Well, that's sort of a great summary of data protection law in a nutshell, really debated in the 70s, drafted in the 80s, adopted in the 90s, and now trying to apply to technology in the 21st century.

B (62:33)

Yes. And that statement does not even consider the fact that. Remember Tony Blair? Tony Blair was a great believer in using information technology and the Internet. Excuse me, Rob. To provide goods and services from the state to the citizens. He really believed in that. He was passionate about it. And one of the things Blair said is he was getting ready to resign and leave office. Was. Now I'll have time to get one of my kids to teach me how to log onto the Internet. That's a serious problem when you're talking about legislators or lawyers or judges or police. Because these people that pass our laws, enforce our laws, put people in jail, are technologically unsophisticated, at least in many cases. So you're standing in front of a judge who's, you know, some of the, some of the things you read about, the older judges are mind boggling. Yes, yeah, the judges, you're standing in front of them and your, your life or your liberty is on the line and you're trying to argue some sophisticated IT like issue, and he's sitting there thinking about or he's going to go salmon fishing in the summer because he didn't have a clue what you're talking about.

A (64:01)

Well, I was going to ask you.

C (64:02)

That question from the audience, the actual audience.

B (64:05)

I'm impressed.

C (64:07)

We could ask each other questions all.

A (64:08)

Night when we're done.

C (64:10)

That's what we're planning to do. Bob and I have, you know, we're going someplace. We just question each other for days. Good evening. You said that. On the one hand, there's a problem with legislation keeping up. On the other hand, there's a problem with the enforceability of law in different jurisdictions. So is there any way that individuals can protect themselves or is this really a hopeless case?

B (64:38)

Well, let me, let me protect yourself from what? Let's be a little more specific.

C (64:43)

Bad guys, evil people, black guys, I don't know. Identity. Identity theft, for instance, or someone logging into your bank account just basically doing any harm to.

B (64:55)

There's no way that you as an individual can protect yourself against identity theft because the processes, the other process. We're not talking just about identity theft by somebody emulating you online. We're talking classical identity theft. Go down to the graveyard, find a grave for somebody about your age, born on Tuesday, died on Friday, get a copy of the birth certificate, and now you're that person. You apply for all the other forms based on that, you're taking notes and you've created. Yes. Or you join the intelligence business and we'll build you an identity for you.

C (65:28)

So are we in a hopeless situation in that case?

B (65:31)

It's not hopeless. I mean, don't cut your wrist and bleed in the tub.

A (65:34)

I feel this just for a second. We, we've produced a little bit of advice for people to help them to act safely online. And one of the key things is that what I'm trying to do is get people to think a little bit more before they actually go and do stuff. So simple things like if you're using Facebook, don't put your birth date on.

B (65:56)

There.

A (65:59)

Check your privacy settings and change your passwords. Doing these sorts of things. When you're talking about identity theft, what you're really thinking is somebody opening up a bank account in your name and then taking out money and then leaving you with the bill, effectively. I mean, there are other things you can do. For example, signing up to Experian or another credit ratings agency to check on a regular basis that this hasn't happened. I was speaking to an information security, the global information security manager for Barclays, and it seems that nearly all the banks are very happy to refund every penny that you lose in identity theft as long as you weren't negligent. So the key.

B (66:36)

Well, that's not exactly true.

C (66:38)

Well, it's exactly their obligation under banking law.

A (66:42)

So they. There are some simple things you can do. I mean, ultimately, if somebody's absolutely determined to get at you, there's not an awful lot you can do, which is effectively what you're saying, Bob. I mean, if somebody's targeting you as an individual. But one of the things was it. Someone told me a joke the other day saying that there were two people in the desert or in the savannah in Africa, and they were confronted with a hungry lion. And one said to the other one, you better run away from this. And the other one put his shoes on. And he says, well, you can't outrun the lion. He said, well, I don't need to. I just need to outrun you. So the idea that you're not the least vulnerable person out there, and that's.

C (67:21)

Very often what happens in this kind of environment I've talked about to any number of businesses and information security managers for businesses where basically that's their entire defense at the moment, is there are easier targets than me. Just to correct one thing, though, I didn't mean to suggest that the law wasn't keeping up with technology or that there wasn't enough law out there. On the contrary, I think there is too much law already. Way too much. I think that the Computer Misuse Act 1990 is a law. We could cut about half of that out and not lose very much. What we don't have is the kind of stuff that Bob is talking about, which is knowledge, awareness, training, understanding this, that and the other thing. But when you're. When you're a hammer, every problem looks like a nail. And when you're a politician and a legislator, every problem looks like it needs a new piece of legislation. I remember when labor were out of power, I talked to one of their researchers back in the mid-1990s who was very excited to meet me because they're always looking for an angle. Oh, what, what kind of law should we pass to. To deal with this new Internet thing? I said, I don't really think you need very many new laws, really. If you want to make a splash, then up the budget for computer crime enforcement over at the. Well, that's not very exciting. You know, it's a Very junior person, not speaking on behalf of the party obviously, but it's that sort of thing. I'll tell you in terms of what do. I'll tell you what I do because if you look from, I'm not that difficult to find. Robert Carolina is a slightly unusual name. So there aren't that many of us out there. But I'm not the photographer in the us I'm the lawyer in London and I have Facebook and I have LinkedIn and all that kind of stuff. I do what a lot of people increasingly are doing, which is I tell a lot about myself, but only the part about myself that I want to tell. Like Stephan says, I don't enable display of my birthday. Facebook can reach in and get it if they want to, but you know, I don't just make it easily available. I don't log into all these crazy applications that Facebook has and turns out that was a pretty well founded fear. You know, it's a lot of little things like that, a lot of little tips that you pick up, you know, realizing that when you publish to these places, you're publishing to the world and the world and their dog can see what you're up to.

B (69:30)

Think about what are the, the data elements that would be necessary for someone to behave as a virtual you? I don't mean in virtual world, but I mean steal your identity and act as you. What do they need?

C (69:45)

Name?

B (69:46)

Sure. Birthday? Sure. Address? Sure. Do you have a bank account? Bank account? Sure. If you make a list of the things that are necessary to be able to be a successful identity thief, I'd be willing to bet you that just about everything on that list you've provided somewhere at some point in time online. So it's there. So you're saying I'm worried about identity theft. What can I do about it? Well, right now you can't do anything about it. But you've already done it.

C (70:22)

I'm not quite as pessimistic as you are, Bob.

B (70:25)

Well, you still have rudimentary vestigial remnants of morality.

C (70:30)

I'm sorry, I thought someone explained I'm a lawyer, so that can't quite be right. But I'm not quite as downbeat on it. I mean, I will. I do agree with you, Bob, in the sense that if a government's going to come after you, they're going to get you. Particularly a well financed government that wants to spend a lot of money finding out about you and reaching into your life and making your life misery. I mean, they have infinite resources, relatively speaking, and they can do that. My main concern tends to be the three people who've stolen my identity in the last 12 years and siphoned lots of money out of my bank account, which the bank thoughtfully put back as soon as I drew their attention to it. It's that kind of thing that I'm more worried about. The criminal gangs who seek to grab your debit card number, who shoulder surf it. I mean, I'm less worried about giving my birthday to an online insurance comparison website than I am to using my ATM card at a sort of an airport in a slightly dodgy part of the world. That makes me nervous about who's looking, you know, who's nearby and looking over my shoulder. So I'm. I'm a bit more upbeat generally, but it's. It's one of these, you know, take caution in a lot of things you do in life.

A (71:39)

I mean, it's also worth noting that part of the point of having these talks is to sort of raise a little bit of awareness and make people think. One of the things that many people haven't tweaked is the Facebook privacy policy, for example, states in it near the bottom, I believe that everything you put on their site may or at some point be made public. So that's a thought. Have we got another question at the back?

D (72:03)

Sorry.

B (72:04)

Gentleman has been smiling a lot as we were talking. I'm curious as to what he's going to.

D (72:11)

You may not like the question, though.

B (72:13)

I've got the form that will just accuse you of heckling as long as.

D (72:18)

You don't have to read it too quickly. To me, I agree with a lot of what you're saying, and I'm one of those pessimistic and fearsome people who will not put my or set up a Facebook account. I've read those T's and C's. I don't like them. And so with my wife as a teacher who is advised professionally not to open a Facebook account, having read in the paper accounts of teachers who've been caught by having posted their details up there.

B (72:43)

Yeah.

C (72:44)

Caught in what way?

B (72:49)

One teacher put a picture of herself on there in a very skimpy bikini and got in trouble because the school said, oh, the students will see you like that. And that's not responsible and professional.

D (72:58)

That's exactly the article that I. Yeah.

C (73:01)

Why is that a surprise? Why is that a surprise? What if someone were a schoolteacher and, I mean, how many times have we had cases where.

B (73:09)

Wait, wait, wait. Stop, stop, stop, stop. He never got to his Question. Oh, you're right.

D (73:14)

I was going to say Facebook are nice because they actually say that, but the government don't. And my question is sort of a two pronged one. With all of the examples that you've given and Stefan's suggestion that there's a prevalence of devaluation of personal information, do you see it going so far that the government say all of your information is ours and that we lose right to it? Maybe that will go in cycles, cyclical, to get to that point. Or do you ever see a reaction whereby this general progression of the creation of data items that link all of these separate data database pieces, will that ever be rolled back?

C (73:59)

In my opinion, the part of your question that we could spend days unpacking was the question of is my data mine or does it belong to somebody else? This concept of belonging or ownership doesn't fit really well with data, whether it's personal data or any other kind of data, because we're dealing in intangibles all of a sudden. And you know, when someone asks who owns this data or this database, which I get this kind of question I ask all the time, it's like, well, copyright and database right vests in that person. Data, data subjects have certain data protection rights. You don't really own your data. The government doesn't really. The data doesn't really belong to the government in that kind of strict ownership sense. Because when we talk about the word belong, we tend to think of exclusive ability to use, dispose of, direct at our will, something like that. It's slightly more nuanced. But the answer to your question is the government, when it wants to, can reach in and find out all sorts of things. And different governments have different protections that they put into place. Where Bob and I grew up, we had the fourth and Fifth Amendment, Fourth and Sixth Amendment of the US Constitution, as it's been interpreted in various federal statutes that do this, that and the other thing which the Bush administration then decided to ignore most of and pass other laws to get, you know, in your stuff more easily. This country has very different types of protections. And RIPA 2000 is, in my opinion, a bit of a mishmash. It's. It's not. If you really want to go to sleep, rip read Ripa 2000. Just try. You won't get past section three. But will it ever. Will they ever just say, well, your data is ours? No, because they don't have to. The question isn't whose data is it? The question who has the ability to look at it, collect it Analyze it or otherwise process it. And that's, I think part of what's got Bob upset, and what has me upset as well, is wearing my human rights hat because despite the fact that I'm a private sector lawyer, actually do believe in the cause of human rights. And that does make me a bit nervous. Whenever a state says that, we can look at you and correlate your this data with that data with the other data. It's an incredibly powerful analysis tool. Let me see if I said that.

B (76:13)

Let me see if I can answer that.

C (76:14)

Isn't the genie out of the bottle?

B (76:16)

You might as well think this way. When you fill in the form, whether it's on paper or online, that information is gone. You have no control over it. You shouldn't expect to have any control over it, regardless of why you provided it. Will the phenomenon of data mining and cross database correlation be curtailed, limited, constrained? The answer is no. It's like trying to take a supertanker and make it do a sharp right hand turn at 30 knots. It'll never happen.

C (76:44)

I disagree.

B (76:45)

Well, you can disagree. That's one of the great things about democracy.

C (76:49)

The reason I disagree is because my clients spend a lot of time and a lot of money trying to figure out they would love if what you're saying is right, my clients would be in seventh heaven because it would be, oh, we just take Bob's data and everybody else's data and cross correlate this and sell it to this guy and flog it to those guys and get these marketing people and those marketing people, they spend an enormous amount of time and effort in Europe, at least not in the U.S. but in Europe, at least with European data protection, enormous amounts of time trying to figure out what they can do.

B (77:14)

I can see why you would be concerned if suddenly this was permitted without any legal constraints because all those fees you're.

C (77:23)

I'd lose a lot of revenue.

B (77:25)

Absolutely. It's a terrible threat to a lawyer.

C (77:27)

It is.

B (77:30)

You have to excuse me, but I really, really have to leave. I've got to be over on the other side of town in 12 minutes. So thank you very much. I'm going to run away.

A (77:40)

Fine, thanks. Thank you, Bob. We'll wrap up. I'll give some last comments.

B (77:47)

You. Right. You stepped on your coat. I hope you didn't have anything in my pocket.

C (77:52)

Not anymore.

A (77:52)

No. Not in one piece anyway. Thank you, Bob. Thank you, Rob. Just to sum up, as I say, the intention of this is to get people thinking about some of the issues. It's not necessarily to solve it, everybody's problems. But there are places where you can go to get advice, certainly if there are issues personally that you want to have resolving, especially if you're in LSE. Certainly. Have a look at Rob's blog, internetborders.internetborders.com I didn't get a fee for that.

C (78:25)

Neither do I.

A (78:27)

And there are many resources within LSE if you're an LSE staff or student. We have the laptop surgery. We have advice and guidance guides are available on the Internet on the IT Services website. Please do come back for more if you can stomach it. Tomorrow night is David Blunkett and Detective Superintendent Charlie McMurdy from Police Central Elite Crime Unit. And on Thursday, the cops on the Justice Department. And on Thursday we have Dr. Steve Marsh, who is one of the directors of the Office of Cyber Security and Information Assurance in the Cabinet Office Office, and me talking about issues relating specifically to personal use of the Internet and things that have cropped up at ursi. So thank you very much all for coming and hope you enjoy it.