Thursday 27 February 2014

PPUK Reform

Overview

The Pirate Party UK (PPUK) is a political party in the UK, who typically fight for civil liberties, copyright reform and a more transparant government. Full disclosure, I'm a full, membership-paying member of PPUK.

This is not a reform proposal in the traditional sense. This is a look at how PPUK acts and is perceived, and if that can be altered to be more of a positive. Think of it as a perspective reform.

Where we're at

Historically, we've taken on campaigns at both the local and national level. We should keep on doing this, as both levels are required to effect our goals.

However, our campaigns have almost always been in opposition to something, for example, we opposed the withdrawal of Legal Aid, we opposed the detention of Chelsea Manning, the "snooper's charter", and so on.

When it comes down to it, we expend a disproportionate amount of energy saying "no" to our opponents. We often celebrate in the defeat of our opponents. This gives the impression to the public (well, those that know about us, that's a whole other blog post) that we are adversarial, and against progress.

We need to acknowledge that the stated goals of these schemes may have merit, bring substantial benefit to the public (ex. care.data), and even that they may align with our goals -- but that the proposed implementation has issues; we need to offer alternatives which still support the goal.

Further to this, we don't provide anything to the public -- no tools for activists, we currently have little in the way of getting up and running in a local area, how-tos for running a campaign, nothing.

The Future?

I feel that, once we're a larger organisation, it would be most helpful for us to conduct ourselves in a way that is consistent with the goals and principles laid out in our manifesto. Beyond that I feel that we should be aiming to improve our society.

I think that this means, instead of simply opposing problems, (e.g. pharmaceutical greed, violation of civil liberties, invasion of privacy, etc.) we must support alternative solutions.

The simplest one from that list is the invasion of our privacy -- we can support projects that improve people's privacy online (e.g. HTTPS Everywhere, TOR, GnuPG). We can provide infrastructure, many of our volunteers have skills they could offer (programming, design, UX, etc.), providing them with more public support and exposure, building our own complementary tools, educating people in their proper usage, and so on.

Personally, I feel that one of our most lacking areas is public education. We have so much knowledge, yet we consistently fail to share it.

At our most recent branch meeting, I was asking about how many members we have, and the numbers I got back varied from 300 to 700. I also happen to know that the number who voted in our most recent NEC elections was a mere 57 people for one of the posts. I am strongly of the belief that this is due to disaffection in our own ranks from to our perceived (and, in some cases actual) lack of action. We must do; the future is not opposed, the future is built.

Friday 21 February 2014

The Security of the Proposed care.data Scheme

Overview

Ceri the Duck has a blog post titled "Care.Data – why I am happy for my medical records to be shared for research". In this post, they make the argument that under the care.data scheme, data protection would be improved for patients.

In this post, I will tackle this misconception, which revolves around two core arguments; firstly that there will be limited access to identifiable information, and that the care.data scheme will provide a better security framework to work within.


No Identifiable Information

"care.data will only provide access to ‘potentially identifiable’ information"
If we look at the HSCIC price list, we see that they provide an extract of data "containing personal confidential data".

Even if this data has names, and other directly identifiable data stripped out, we know that anonymised data can be de-anonymised almost trivially (Further reading from Light Blue Touchpaper) in the vast majority of cases.

A Better Security Framework

"I am much happier with the level of data security care.data will provide than with the current ad-hoc arrangements. They will be consistent, with good oversight, the information disclosed will only be what is needed instead of having to comb through a patient’s full record, ..."
This is simply not true. The care.data scheme will be taking medical records from a setting where they are hard to even sort through with legitimate access (as pointed out by the author themselves) to a situation where the records will be much more easily accessible to many thousands of people, none of whom will have undergone any serious training into information security, data protection laws, or the ethical issues surrounding the use and dispersal of this data. It is also highly unlikely that they will have had so much as a criminal record background check.

Granted, the current situation is very poor, but it does not allow for a large scale abuse of the system. Sure, I could target Bob Smith, break into his doctor's surgery and steal his record. With the new system, I could target large swathes of the population by simply bribing the right people. The information gained could be used by all manner of people, be it for surreptitious back ground checks on potential dates, to discrediting a political candidate, and everything in between.

And that's just bribing-based attacks. Think of the rubber hose cryptanalysis opportunities, the social engineering based attacks, physical security attacks, phishing and spear phishing attacks, attacks on end-point security (this is your classical "hacking into the computer" attack), and so on.

Data transfer must occur at some point, and with great data transfer comes great opportunity. How do you conduct the transfer of data, and how do you setup the transfer so that you're definitely sending the data to the person(s) you think you are? These are generally considered to be solved problems in the cryptographic community for the most part (key distribution is hard, for instance), but in practice, it is anything but.

In short, this centralisation effectively paints a massive target on the back of the country's medical records, and gives access to institutions with some of the worst information security going in many places.

The adversaries in this situation will not be small time. Computer crime is big business, and aside from nation states, organised criminals are one of the hardest adversaries to defend against. They are extremely well organised and well funded, with extensive experience attacking high value targets. Once they've breached the system, they have the contacts in to sell the data on and actually turn a profit on this kind of attack.

Conclusion


Security is far harder than most people think, and most people don't know how much they don't know. HSCIC cannot be in the position of implementing this system and not be aware of the serious and numberous risks outlined.

The care.data scheme will suffer a breach, and given how centralised the system is likely to be, I expect the breach to be a large and very serious breach of previously unheard proportions.

New care.data leaflet

Overview

There is a new scheme called "care.data", which will cause previously confidential medical records to be sent from a person's GP surgery to a central database.

Access to this database will then be sold for a fee.

The process of informing the public that their confidential medical records will become a commodity for those who meet the criteria for accessing the records has been spotty at best, and down right misleading at worst.

Leaflet


We (my partner and I at least) will be hitting the streets to distribute an A5 leaflet to the general populace informing them that this is taking place.


This leaflet is licensed CC-BY-4.0, meaning that you are feel to remix, reuse and redistribute as you please, as long as you attribute my partner and I.

You can access the full files: SVG, PNG and PDF. If you feel that this is an important issue, the leaflet is quite amenable to cheap risograph printing, so get yourself a print run done, and get out there on the streets!

Sunday 2 February 2014

The Bet

Overview

 I have entered into a bet with my other half.

The bet is simple. That I can get her to the point where she is capable of running a half marathon in 6 months. She can't run a 5K yet.

About Me

I am what I would think of as "normal". But my parents are unsure of where I get my drive to exercise, my other half seems to see my as some sort of superman, often using words like "inspirational" and "incredible".

Truth be told, I am not a superman, I'm just a guy who happens to do a little bit of running on the side. I've run in a couple of 5Ks, a 10K, a couple of super sprint triathlons (if you're curious, it wasn't quite a super sprint, it was a 400m swim, a 20km ride and a 5km run) and a sprint triathlon (Usual distances).

I do not think of my self as particularly sporty, I'm between 56kg and 58kg depending on when I last ate, and I stand about 1.8m tall.

My History

When I was quite young, I swam. I swam a lot, I got my "honors" badge for swimming before I was in year 7, meaning I swam something like 1km in 40 mins, and in that same session, I extended it to 1.5km to get my 1.5km badge. Nothing like two birds with one stone. I eventually went on to swim for my city in my age group for a year or two, but eventually stopped when I went into senior school. At the time I thought I would be getting lots of homework, but looking back, I really don't know why I stopped -- I knew I wasn't the sort of person to actually do my homework.

Outside of that, I didn't really do sport, and I certainly didn't run. Even doing the breaststroke gave me issues with my knees. At school, we were made to do rugby and cross country running, where my knees were a serious issue. A bad tackle could cause my knee to dislocate, meaning that I'd be stuck squelching in the muddy ground clutching my leg until taken somewhere so that I could fix my knee. It was unpleasant. Cross country running was better, but it caused my knees to hurt a lot, so I ran very slowly. Slower than the over weight guys with asthma.

When I made it to sixth form, we were allowed to choose a sport. I chose badminton, which I knew I'd excel at from doing PE in previous years. I did do very well, often taking on the teacher and actually managing to put up a not-unreasonable fight, but always eventually losing. It was rare for me to lose to my peers.

After that, I went to university, I mostly stopped doing anything sport related in my first year, but my my second year, I'd been invited to come along to a pole exercise session, which I wasn't entirely awful at! I ended up performing at the university "woodstock", and teaching for a couple of years, so I didn't do too badly out of it.

Once I left university, I kept teaching at pole, but also took up running and entered a few triathlons. They were good fun, to say the least! After a couple of triathlons, I joined up with the Jitsu club and promptly put my back out.

After a year and a bit recovery, I was back on the mat, and back to running, but with not nearly as much dedication as I had before. I intend to go back to pole sooner or later, but I don't know when.

The Bet

While in the kitchen with my partner the other evening, our conversation turned to exercise. My other half does not consider herself sporty at all. I made the passing comment that if she gave herself over to me, I could probably have her running a marathon with around 6 months of dedicated training.

Obviously, she didn't believe me, and after a bit of cajoling and back and forth, we entered into a bet that I could have her running a half marathon in 6 months.

I've never run a half marathon, in training or otherwise, but I know what it, theoretically, takes to get there. I like a challenge.

My partner has a large mitigating factor that we need to deal with. She has quite a serious anxiety disorder, meaning that panic attacks in public, and extreme self consciousness are two of our biggest hurdles. Without that, I'd say us just agreeing to stop would be our biggest hurdle. She can do the running, she just doesn't believe that she can.

The First Run

The first run started out more difficult, since letting her keep pace and running side-by-side is quite difficult, especially since I have much longer legs, my natural pace is a bit higher than hers, so I started to pull away, leading to me upsetting her, with her saying that I was leaving her behind,

After she was warmed up, and I kept running a pace or two behind to make sure I was matching her pace, we managed to keep the run going, by simply running for 2 lamp-posts' distance, and then walking the same amount. She even said that while walking she was feeling lazy, because we weren't running!

Unfortunately, during the walk part of our run, a vicar, cheerfully invited us to worship with his parish. I thought that it was a lovely gesture, but he wouldn't be doing so if he knew what I thought about his god. I politely declined, keeping my cool and walking straight on. We would have to run back that way. We did another run section shortly afterwards, and turned round. After a brief walk, we were about to set off again with more running, but I needed to help my other half not freak out about being "Jesus at" if I could so verb my nouns. We got past this, and ran straight past the vicar with no offers of Jesus or other religious figures being politely sent our way.

When it came for the last run, I said that she should run for as long as she could. Before I could finish my sentence, I'd caused a panic attack, what I'd wanted to say was that, between where we where and home, she should run as much of it as she comfortably could, then walk the rest.

Once we'd managed to fix the panic attack, say the right words, we got back on our way. She managed to run all but about 5 meters of the rest of the distance back home (proving to me, but not to her, I think) that she can run for longer than she thinks.

I'm looking forwards to running more with my partner.

Tools of the Trade

We both have Fitocracy for logging our exercise, and our diet is quite simple. We're on our way to being vegetarian, and we explicitly avoid foods that are very high in carbohydrates. I'm looking at you pasta and rice. I think a plant-based diet will really help us in this.

Combined with these blogs and our fitocracy, we should be able to plot our course when we look back at this.