Cloud Computing and vague recollections of the Anarchical Society.



elicited this magnificent response.

Hedley Bull was a famous international political scientist,  he wrote several books. They weren’t easy reading is putting it mildly.  I only read Anarchical Society. At the time I read it, in 1990,  everyone was talking about Francis Fukuyama’s End of History, which, at the risk of over-simplifying it,  predicted that liberal western democracy was the end game of politics, and the totalitarians and the communists were history.  Bull’s view of international politics saw things rather more messily.

Cloud computing architectures today have optimized for and thrived under a Pax Americana construct.  The model being, American cloud providers are the benevolent but hegemonial super power, and they run the world’s data for the rest of us, in a  suzerain system. Sort of like the British East India Company and the empire did with trade in the 19th Century. It is good for us all they tell us, but Amazon, Facebook and others are very much America First.  There has been a relentless centralisation of processing, driven largely economies of scale, technical efficiencies and a lack of regulatory constraint. Where processing takes place in the data colonies, it is has been usually for latency factors,  rather than compliance, but there are of course exceptions.

This model is under threat, from two very different political forces.

In Europe, the data colonised have, after years of inaction, passed a law with some teeth that challenges the US corporate position that data is a commodity that can be appropriated for beads and shells and consent forms that no-one understands. The GDPR will  require the data colonisers to change their behaviour, while Facebook is most egregious example, it would be foolhardy to assume they are the only data pillagers.  This  law is likely to force the colonisers to be a bit more careful with the data from the colonies, and it will embolden other colonials to be a bit more demanding too.  It is not quite the winds of change moment, but it is blowing in that direction.

International political stability  in the analogue world is in its most fragile and unpredictable state, probably since the fall of the Berlin wall.  Any remaining thoughts of America’s benevolent if clumsy peacekeeper role have vanished over the last year. American international politics is now capricious and erratic. Russia has become more belligerent.  Just this week Russian did software equivalent of blocking the Suez Canal, they simply blocked several of the major US cloud providers. Many solutions running on AWS, for instance, were no longer accessible.  Who needs a naval blockade when you can block the cloud port?   The post WWII geo-political landscape is sadly filled with war by proxy, witness Vietnam, Angola, Nicaragua, Afghanistan and so on. Now we have IP proxy wars too.  There is a long history of election manipulation, but it required brute force and sometimes backing coup d’ etat etc, today, that manipulation is through Facebook and Google etc.  Zittrain’s powerful  prediction of ‘digital gerrymandering’ has been vindicated by the Guardian’s revelations.

Software architecture decisions for the last 20 years have been made to optimise for application performance. Going forward things are going to get a lot more awkward. A while ago the Legal Scholar, Christopher Millard, wrote about the question of data sovereignty. Wise stuff.

Architectures of the future need to be designed to cope with an uncertain political and regulatory landscape. The next trade war will not just be about the price of steel, data will be constrained and choked too. Cloud vendors that want to operate effectively globally, are going to have challenge the assumptions that drove the centralisation of the last two decades.  To borrow from Taleb, today’s architectures are not anti-fragile.  We have moved a long way away from the initial decentralised premise of the internet. What started out as the epitome of anti-fragile, has become inherently fragile. The economic forces, aided by  regulatory indifference and incompetence have led to a centralisation and proprietarisation (horrible word, I know) of computing power.

Some will argue that answer is blockchain. I suspect that it, or more likely, the next generation of distributed ledger technologies will be part of the solution, but it not the complete answer. Indeed it was a blockchain application, telegram,  that drove the Russian data blockade decision.

The questions of international order and justice that occupied the minds of Hobbes, Mill, Marx, Hedley Bull and many others deserve closer revisiting in the digital world. I do wonder what Max Weber and JS Mill would have made of Facebook.




The Database state

I would have blogged on this myself, but day job deadlines mean I can’t give it the attention I would like to.  This makes grim reading. 

Instead I will lift Intrepid Ian’s post.

The Joseph Rowntree Reform Trust has this morning published our report on the UK Database State, which finds that:

  • A quarter of all major public sector databases are fundamentally flawed and almost certainly illegal. These should be scrapped or redesigned immediately;
  • The database state is victimising minority groups and vulnerable people, from single mothers to young black men and schoolchildren;
  • Children are amongst the ‘most at risk’ from Britain’s Database State, with three of the largest databases set up to support and protect children failing to achieve their aims;
  • Data sharing is a barrier to socially responsible activities. It is deterring teenagers from accessing health advice and undermining goodwill towards law enforcement;
  • Only 15% of major public sector databases are effective, proportionate and necessary;
  • We spend £16 billion a year on public sector IT and a further £105bn spending is planned for the next five years – but only 30% of public-sector IT projects succeed.

The runaway growth of public sector databases was surprising even to those of us that follow them closely. They have taken six months to catalogue.
You can see coverage of the report in the Guardian, Telegraph, Times, Independent, BBC News, Daily Mail, Metro and from Reuters.

Launching a survey.

As some of you know, I’m labouring away at what must be one of the longest part-time PhDs ever.  My research is looking at how software code and law work or don’t work together. However, there is light at the end of the tunnel.  In order to add a bit of empirical juice to will be a rather dry theoretical legal tome, I’ve decided to do a survey. 

I won’t bore you with the whole long story of the diss. here , but if you are interested in knowing more, please drop me a note and I can send you more details.

Whether it is ERP systems or toasters, software impacts much of our daily lives. We ask and demand software to do things on our behalf;  software transacts, it searches, it assesses, and in some cases it judges us.  Legal systems have evolved over centuries to codify rights and obligations in societies. Throughout history law and technology have interacted, modifying each other along the way.  It is often an uneasy relationship.

Whether it is contract law, licensing, intellectual property, privacy laws, accessibility, liability software and law interact significantly. There is a fairly large field of research looking at this relationship between code and law. (Lessig being the most famous, but there are many others)

However, not much research has focused on the role of the software developer and software firm in this relationship. So I decided to spend part of my dissertation looking more closely at the role of the software firm and the software developer in the code as law relationship. I want to ask as many software people as possible about what they understand of the law that can impact software, and what their attitudes are towards a couple of legal concepts in a software context.

It is designed to gather information about the knowledge, education and attitude of software developers towards the law related to software, and how law is or isn’t built into software. My goal is not to just have a small survey of a couple of hundred developers, but to really survey lots of them.

To do this, I want to tap as many of my readers  as I can to spread the news of the survey, and for as many of you to take the survey as possible. The more answers I can get from around the world, the richer the results will be. I will also be following up with telephone interviews with a much smaller sample group.

In this survey I have used the term software developer rather broadly. I define this to be anyone working professionally to design, build or maintain software (information technology). So if you are a product manager, solution manager, implementation consultant, systems architect, business analyst, or a systems tester, for instance, then we would be just as interested in your responses. The survey isn’t just aimed at those who code, but those who make a living from its construction and maintenance. Much of this group would fall under that definition. The Germans have a rather nice term, informatiker, but it doesn’t really translate very well.

Gartner is supportive of my PhD, this research doesn’t form part of my formal Gartner research agenda. In other words,  it isn’t a Gartner survey!

Several developer friends  have been kind enough to test the survey, and give me feedback, much of which I have incorporated in this final version. (If you tested the earlier versions, please take the test again)

Blunders and errors remain my responsibility.

Here is the survey as it stands today.

Please take this link and spread it to your software friends. colleagues and families.

Thanks to the British Consulate in Düsseldorf

A new passport in three hours.

A consulate is a potentially stressful place, after all people don’t go there to be patriotic. They go when they have issues. 

The Consulate  team in Düsseldorf was friendly and supremely efficient.  Airports could learn something from the security team at the consulate, through, yet welcoming.

My old passport was getting very tatty. Last time I flew, the airline nearly didn’t let me fly.  My problem is that I travel too much to post it in and wait for a new one.  So I had to drive up to Düsseldorf, that took longer than the passport process.

Thanks again for great service.

It has one of these in. But I can’t blame the folks in Düsseldorf for that.


(photo from Kai Hendry)

Lords in the cloud, letting in the sunshine.


(photo from the flickrstream of Swamibu )

It is apparently Sunshine week in United States of America, so please excuse the metaphor collision.

Over in the UK it is goodness to see nine Lords experimenting with a blog.  It is called Lords of the blog. I quote.

Apparently we are going live today. So far, our blog confessions have had a very limited audience, but now anyone may see what we have been doing.

Not that I have anything to hide. Indeed, I suspect that most members of the Lords would be only too happy if the public could and did take more notice of what we do on their behalf. Some of us spent a lengthy afternoon last Thursday debating the best way to get more people – and especially young people – interested in the way Parliament deals with their concerns, hopes and fears.

It is easy to think of the House of Lords as characters in a PG Wodehouse novel, greeting each other with what ho! chum, eating boarding school nosh, and wondering where the empire went. But that would be wrong. I’ve been lucky enough to meet a lord or two, and even though they expressed a fondness for Yorkshire Pudding, they were right on the money as far as software and technology were concerned.  I blogged some time ago about the House of Lords and RFID and the science and technology select committee .

Though the link had come from the most reliable source on all matters UK law, Geeklawyer, I wondered for a moment if this was a put up job, but no, it seems to be the genuine article. The Hansard society is lending a hand.

It is also interesting to see rather than hosting it over on a server in under the woolsack, they are running it on If it had been buried in the depths of a government website somewhere, who would read it?  up on WordPress seems somehow less contrived, and less likely that  a  Sir Humphrey  is moderating things in the background.

Having these Nine Lords blog is a fine thing. I look forward to them asking some probing questions about Phorm………

More on the Privacy-Portability conundrum

(from the cc flickrstream of dalziel 86, thankyou)

My post yesterday on Data Protection Law, Facebook and Scraping garnered more interest than my normal Enterprisey software ramblings. Dennis kindly picked up on my post twice, and I  experienced a considerable spike in traffic and commentary courtesy of  Robert. 

I’d not paid much attention the announcement, so after reading about it over at Dennis’s and Mike’s  and at techcrunch HQ I had a little browse through the website and Ben’s blog

I’m pleased to see the social networking companies getting together and discussing inter-operability issues.  These issues are important, users of these services are right to be concerned about lock in, and the inconvenience of moving from one platform to another.

Sharing is only one side of the equation though, and I would prefer the companies concerned to look at a broader collaboration. They really need to be examining the broader topics  of identity, trust and context.  I hope that they are.

I’d urge the folks involved in this effort to get in touch with the Prime Project and other research projects in this space.  Talk to these folks, for instance. Researchers have been grappling with the challenges of technology, privacy, identity, data reuse for decades. There is a tremendous amount of prior art that should and must be leveraged. This isn’t just a European thing either.  Perhaps check out  Lessig, Rotenberg, Swires,  Litan, Hahn, Cate, Shostack, Westin, Cohen, Burk, Lemley, Acquisiti, Kesan, Froomkin,Samuelson, Solove….and more.

I was a tad harsh yesterday about Alec Sander’s manifesto post, as I later found out it has the backing of one of Canada’s (if not the world’s)  leading Privacy experts, Michael Geist. Thanks and apologies Alec. Oh, and Mike at Techcrunch UK,  I got the joke, eventually. Don’t give up your day job though.

My post yesterday merely glossed over some of the issues with scraping and Facebook, but I’m glad it helped get people talking.  The issue at stake though has little to do with sharing business cards.  It goes a whole lot deeper. If you have a moment, head over and read what JP had to say. a couple of weeks ago.

I am responsible for the contact information I hold. I am accountable for that information. Accountable to friends who have trusted me with that information. And if I pass that information on without their implicit or, in some cases, explicit, permission, I am breaking their trust in me.

This, to me, is issue number one to do with any debate on information “ownership”.


And it’s a biggie.

Then via JP I came across this blog – Freedom to Tinker. Goodness. Subscribed.

Where did we get this idea that facts about the world must be owned by somebody? Stop and consider that question for a minute, and you’ll see that ownership is a lousy way to think about this issue

( Btw also You may find Bill Zeller’s comment illuminating.)

There is significant debate in legal circles about the pros and cons of privacy as a right or/and  as property. Schwarz’s paper here is well worth a read.  As Schwarz notes,

At its core, information privacy has both an individual and a
social value. Hence, I end on a note of caution: ongoing scrutiny of
regulation of personal data is needed because failure in the privacy
market can harm both individual self-determination and democratic

I do think the concept of privacy as property is a good one, especially in places where defining it as a fundamental right is nigh on impossible. There is also some good stuff over on at the Burton Group blog

I’ve suggested before that folks, especially in the US, should read Solove’s latest book. You can download the first chapter here.  I’ll also be getting this for bedside reading.

The more people start thinking about the implications of what they share, the better. Many of the US commentators on the blog felt that EU privacy law was dumb, or worse. It does have its problems, but before you consign it to the bin, check out a bit of privacy law history.  The UK information Commissioner’s website has come on leaps and bounds too. The US site EPIC, is an excellent read.

I’ll leave you with a fabulous quote, from Michelle Dennedy, Sun’s Chief Privacy Officer,  courtesy of one of the  mighty governor‘s excellent posts.

Her own little girl came up with a brilliant take on privacy and what it is:

Privacy is like grass, she told her mom. Why asked Michelle? Because it keeps the dirt from being naked… 

Facebook, Scoble, Manifestos and European Privacy Law.

Thanks to truly brilliant stream of  Auntie P.

I’m very late to this, and originally I wasn’t planning to comment on the Scoble-Facebook thingy, (see techmeme) but after seeing James Governor’s link comment,about Nick Carr’s post, I figured I’d jump in.

James said…

my take: Che? No. Scoble the Mike Huckabee of the A-list. He thinks privacy is “just a theory” but runs awesome home and webspun campaigns… aw shucks

Spot on James. (thanks also to James for getting me into this CC flickr photo thingy)

Part of Robert’s defence is that he was “only” collecting

Names and email address and birthday.

But name, email address and birthday are personal data.

Here in ye old Europe we have a pretty clear legal definition of personal information.

Personal data are defined as “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;” (art. 2 a of the EU Data Protection Directive)

I don’t want to go into a long history of European privacy law here, but The ancient runes (1980) of the OECD guidelines are a good starting place. The seven principles governing the OECD’s recommendations for protection of personal data were:

   1. Notice—data subjects should be given notice when their data is being collected;
   2. Purpose—data should only be used for the purpose stated and not for any other purposes;
   3. Consent—data should not be disclosed without the data subject’s consent;
   4. Security—collected data should be kept secure from any potential abuses;
   5. Disclosure—data subjects should be informed as to who is collecting their data;
   6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
   7. Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principle

These principles eventually wound up as the foundation of the Data Protection Directive, which in turn ended up in the national law of all EU countries. They would make a good start for anyone building a terms of service for an offering that consumes personal data too.

The principles in the UK Act are defined as follows

Personal data:

  1. Shall be processed fairly and lawfully
  2. Shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose(s)
  3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”.
  4. Shall be accurate and, where necessary, kept up to date.
  5. Processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.

Robert Scoble’s actions may be perceived as noble in some quarters, but they don’t impress me. He single-handedly bashed through most of the basic principles of privacy with his scraping exercise, never mind Facebook’s terms of service. Facebook was right to take Robert on here. Facebook is subject to the provisions of European Data Protection Law. Facebook is part of the safe harbor. 

Carr nails it.

Facebook has an obligation to protect the data entrusted to it by its members. At the very least, members should have the right to decide whether or not their personal information can be scraped out of the Facebook database. Scoble did not give them that choice. That doesn’t mean that Facebook is the hero. It, like other social networks, happily scrapes information from members’ email accounts to identify possible new members. Facebook will scrape when it suits its commercial interest but will block scraping when it doesn’t. Still, in this particular case, Facebook did what it needed to do: protect the information and the interests of its members. Until controls are in place, unauthorized scraping of other members’ personal information shouldn’t be allowed.

What the Scoble affair reveals is that the issue of “data portability” is not a simple issue but a fraught one. Data scraping can make our lives easier, but it can also put us at risk.

So does Anne

Even if Scoble’s Facebook friends agreed to let him view their data on Facebook, they didn’t agree to let him take that information wherever he wants to do with what he wants. He could use a screen scraping program to grab data that they consider just-among-friends and stick it out in public without any regard for their privacy settings. You might say, “Scoble wouldn’t do that” but it’s Facebook’s responsibility to see that it doesn’t happen.

Data portability could be designed into Facebook in such a way that it doesn’t compromise user’s privacy. At the very least, an opt-in to profile sharing outside Facebook would need to be provided. Allowing uncontrolled screen scraping is not the answer

And Loren Feldman’s acerbic take is well worth a watch.  See the comments too. This one from Patrica, (who has a super  golf blog)

Though evidently there are a number of geek wannabes out there just itching to join a data martyr movement.

Hat tip gapingvoid’s twitter

You may find this article on the position of Facebook in UK law interesting. Facebook could move at speed to suspend Robert, but seem awfully unwilling to let other people voluntarily remove themselves.  I’ve rambled before about Facebook and data protection law.

Robert, no doubt, had good intentions, but he was breaking the law, both in terms of the Facebook terms and conditions, and for those Europeans lurking in his 5000 “Friends”, a good bit of data protection law too.  Processing 5000 records moves one beyond the realms of Dunbar’s law into data controller mode.

I’m glad to see blawgs joining the discussion, for instance the Canadian Privacy Law Blog.  Also I’m very pleased to see privacy manifestos emerging, such as this one over on gigaOM, but rather than inventing stuff from new, I’d propose that the web 2.0 gurus get talking with some folks who know privacy and its complexities.  It is a lot harder than it looks. 

The right to privacy is one of the most complex legal and technical issues, and not just since web 2.0.  The Germans passed privacy laws in the 1970’s and are still grappling with the balance between privacy, security, freedom of speech.  One of the most famous cases in US law is mainly about privacy rights. 

The more folks start thinking and talking about privacy, and the sooner privacy impacts buying decisions the better. 

Daniel Solove’s recent book is a damn good place to start, especially from a US perspective.

For the technical challenges, Jeff Jonas is a must read. I’d like all developers who touch personal data to read and understand Kim Cameron’s laws of Identity.

I’d love to see more from Pangloss or on this too, oh and a Geeklawyer rant would be nice too.  I hope to be at this conference next year, the 8th Privacy Enhancing Technologies Symposium (PETS 2008).  It would be even better if Facebook sent some folks along too.

Reviewing the Future of Reputation

Daniel Solove called on bloggers with an interest in privacy to drop him a note, and he would send a copy of his latest book for review.  The only condition was that you posted a review.  So here is mine.

Solove is on a mission to get people thinking about privacy who haven’t really thought about it before. Anyone who has a Facebook profile, a blog, or who posts photos online, or has friends and family who do, ought to read it. As a very successful  blogger himself, he brings a practical perspective to the topic of gossip, ‘rumor’ and privacy on the Internet.

It would be a good book for parents to read, as it would able them to understand the mySpace etc dangers and benefits better. It is accessible enough that a teenager could learn from it, without being bored by a lot of legal rhetoric.  Solove writes well, with a deft touch.  It isn’t a dense academic book, although Solove is a highly respected privacy academic. Legal types may wish for more depth, but if so, then head over and read this.

The book works because it uses lots of anecdotes to explain complex issues, simply.  It covers the awkward and subtle tensions between privacy and the first amendment-freedom of speech brilliantly. It also provides an excellent quick tour through US privacy law history. (curious though that I didn’t see  Roe v Wade  mentioned)

Most of my own research into privacy has been about government and big business.  Solove makes the powerful point that there is a significant threat from your friends, lovers and colleagues too.

He effectively challenges the binary private-public divide, arguing coherently we need to understand shades of confidentially and exposure, and uses the burning man event, Washingtonienne, Article III, and other incidents to illustrate this. He eloquently explains the paradox  that we need greater privacy and recourse against unwanted exposure if freedom of speech is to thrive.  The dangers of vigilantism and shaming are given close attention.

He briefly touches on the power of technology to aid privacy protection, but he could have explored this in more depth.  He did call on social networking tools to offer stronger privacy default. This is good advice. I would have liked more on the copyright analogy.

My only significant  gripe was that the book is very US and tort centric. It made passing mention of UK tort, but it made no mention of European Data Protection Law, nor of the right to privacy in the Universal Declaration of Human Rights or other significant legal instruments.

He is more positive than I am about the future of privacy. 

In short, buy it.

Google applies analytics to HR

Over the last 100 years or so, organisational psychology has developed a number of methods and tests to assess personality and competency. Yet despite lots of scientific evidence that proves these tests are dramatically more effective than interviews as a selection technique, most managers dismiss psychometric testing as hocus-pocus.  Yahoo’s position is sadly, all too common.

Yahoo does not use tests, puzzles or tricks, etc., when interviewing candidates,” Jessie Wixon, a spokeswoman for Yahoo, said.

Perhaps Jessie should have a chat with my friend Adrian Furnham,  one of the worlds’s leading psychologists and author of masses of books, including this one. 

It is great to read that Google are apply testing to their recruitment processes. Mr Bock from Google is spot on. Interviews and academic scores suck as predictors for employee success. 

I picked this up from James and Jon Battelle’s search blog.

Deriving Talent, Algorithmically

How will Google scale its massive hiring ramp-up while maintaining its famously intricate screening process for ‘Googley’ employees? With an algorithm of course.

After months of interviewing their employees to decipher trends in personality and interests that mark Googlers, Google has ‘derived’ a complex hiring questionnaire. Google will begin using the surveys with all applicants this month.

I hope Google based this algorithm on valid, fair, reliable, psychological research, that deals with issues of culture and gender bias in testing, and that the results are treated with the privacy they deserve. If they have, you can forget about gaming it.  (if you are interested to see similar tests check out SHL) Judging from the NYT article it looks as if they have involved some psychological rigour to it, but if anyone has anymore info please drop me a comment or an email. 

So, my HR readers, if you have pushback from line managers who think testing is nonsense, then quote them the Google example.

Also, Google, you might have a brilliant HR product here, I’m just not sure that I want my Neo  Disc,  Myers Briggs and  16pf scores  in your cloud.

I wonder how the cosy world of HR testing products would cope with Google muscling in?



Technorati tags: , , ,

Counterpane and SAP

As part of my pre-global-warming-glacier-pace academic efforts I read quite a lot of stuff on application security. I’m just about to send the final version of a paper to the Computer Law and Security Report. It has taken ages to write. Howcome blog posts can be churned out in minutes but papers take months?

Bruce Schneier, the CTO of Counterpane,  is arguably the most famous security guy around. His Blog is well worth reading, covering such topics as forging a boarding pass, airport security and surveillance as art.  His books and heavier stuff are a must if you are interested in security, privacy and so on. If you are interested in this space, also read Jeff Jonas. 

Bruce’s company, Counterpane,  has announced a new solution

Counterpane Introduces Integrated Application Monitoring & Security Auditing for SAP Platform, Empowers Enterprises to Defend Against Unauthorized Activity on SAP Applications
Technological innovations coupled with proven correlation logic and security expertise ensure customers improved compliance, enhanced security posture and prevention of financial loss

Mountain View, CA – October 2, 2006 – Counterpane Internet Security, Inc., The Managed Security Company and the authority on enterprise security, today unveiled Integrated Application Monitoring & Security Auditing for SAP Platform, a new data security solution that leverages its industry leading Managed Security Services.

I’ll be interested to see how this fits together or competes with the SAP GRC offering.  But anyway, having the world’s top security experts helping customers avoid attacks is indeed goodness. I’ll have to ask Frank, he actually does SAP security as his day job.

I also read that they have been acquired by BT Global Services.  Ovum provides comment here.  Interesting that a UK telco firm is acquiring them. (Imagine the reaction if it had been a Chinese telco)

Technorati Tags: , , , , , ,