ntouk.com - Jerry Fishenden's technology policy blog

Who would have thought file formats could generate so much heat and noise? Far be it for me to rain on someone else's party, but I’d like to bring a little clarity and a little sanity to what is all too often an emotive and irrational debate.

Let's take a step back. What's the problem that people are trying to fix? It seems to me there're several key elements underpinning the debate on file formats:

· “openness” – by which I mean that anyone can have access to the specifications and use those file formats with any application they want

· “interoperability” – the idea that the files should be usable with a wide variety of applications

· “future access” – by which I mean the ability to know that the files can be accessed in the future (particularly relevant for historic records, national archives and the like)

These all seem reasonable expectations. But to claim that any one schema is the universal, prescriptive answer seems about as sensible as claiming that there will never be a demand for more than five computers in the world. There are at least 100 industry specific XML schema already in existence (think healthcare, taxation, government forms, insurance, etc). And this is still relatively early in the adoption curve of XML. Some of the more extreme supporters of ODF claim that it's the only answer, that only ODF can deliver against these requirements. Which is rather to turn reality on its head. In any case, even before XML became the Internet's lingua franca, for as long as I can remember different applications have been able to open different file formats: think WordStar, WordPerfect etc – all of which were accessible in other applications.

We've learnt a lot about what makes for successful file formats – in terms of issues like fidelity, interoperability, performance and extensibility. Bear in mind that XML is all about users being able to define and use their own custom schema as much as it is about whether a document should be in bold, blue and Verdana font.

So, at the risk of letting a few awkward facts get in the way of a good bushfire….:

· the Microsoft binary Office file formats and Open XML are already fully open, free in perpetuity – so openness is not the issue here

· the Open XML file format is currently going through an international standards process and will be ratified (firstly by ECMA International and then ISO) in the same way that the Open Office file format has been through OASIS and ISO

· only Open XML is mature and proven enough to take the millions of existing Microsoft Office documents and turn them into XML without any loss of fidelity. This is a key requirement for historic and national archive purposes. It would also be highly irresponsible for us to abandon over 400 million Microsoft Office users and not enable them to move forward into the new world of XML without knowing they can do so without any loss of content or fidelity

ODF is fine for doing what it was designed to do: encapsulate the file format of Open Office and Star Office. In the same way, Open XML is ideally suited for what it is designed to do: ensure the 400 million or so Microsoft Office users can encapsulate their file contents in XML.

I'm genuinely puzzled by Gartner's apparent comment that ISO are unlikely to ratify another XML schema. This would be a first. ISO and other standards bodies have previously approved multiple standards for topics as wide-ranging as MPEG 4 video (14446/10 vs. ISO/IEC 14446/2), wireless networking (802.11g vs. 802.11a vs. b), networks (Ethernet / Arcnet / Token Ring) and even TCP/IP versus IPX/SPX. It would be a strange, colourless world indeed where we had one prescriptive standard for everything: a monochrome world without innovation, diversity, plurality and choice.

And on performance, ZDNet have published the following, highlighting how a version 1.0 of a file format such as ODF is way behind the curve on the experiences we have baked in to a mature file format such as Open XML:

The news that an ODF convertor has been developed for Microsoft Word is also a positive development. We share ODF's commitment to XML: we've been promoting XML for years and have baked it into the core of our products. It's why from the next release of Microsoft Office, XML becomes the default file format rather than merely being an option. Having a variety of formats and schema based on XML is a natural part of ensuring the many needs of customers and organisations around the world.

To suggest that interoperability is somehow magically solved by forcing everyone to adopt a single file format and to insist there can only be a single, global “open standard” flies in the face of reality. Successful interoperability programmes work with existing systems, enabling those systems to participate in a wider information ecosystem. I believe the combination of open and proprietary technical standards and the wide range of other published interfaces, file formats and protocols, provides precisely this: practical interoperability, of high value to customers, partners and organisations.

For anyone who wants to dive deeper into my thoughts on interop, take a look at the paper I authored here.

So, remind me once again: just what is the problem we're trying to fix here?

Open XML Microsoft interoperability ODF technology policy

The phenomenon of mashups continues apace, driving the next phase of Web development with the consumer/citizen at its centre. Great timing for the whole transformational government strategy. From time to time I’ll try to provide an overview and summary of the wide range of fast-moving work happening in this area – and some context for its wider implications.

Some months back we launched the pilot of a 3D mapping programme (known as Windows Live Local, Virtual Earth Technology Preview). This enables users to place themselves in a virtual landscape and experience it “as if they were there”. Well, sort of. You can experience this firsthand at http://preview.local.live.com/. It’s certainly a flavour of things to come.

On top of this now comes MapCruncher. This brings mashups to a whole new level by allowing developers to import entire maps to supplement existing road and aerial imagery with detailed, application-specific information.

“The possibilities are endless: bicycle maps, transit maps, national park maps, university maps, antique city maps, or whatever scale maps you personally find interesting.”

Have a look at this sample Gallery for some idea of what this now makes possible.

Of course, the world of mashups and developer and end-user creativity needs to be supported by making the interfaces and hooks into the wide variety of Web sources as easy to use and build upon as possible. So there’s a great starting point for anyone who wants to take a look in more detail online at http://msdn.microsoft.com/live/

If I was still sitting as a CIO responsible for my organisation’s internal and operational business systems, I’d be looking to bake in this type of facility as a core part of my overall architecture. The consumer is becoming accustomed to services tailored to their needs: what better way to accommodate that than to let them choose the way they bring together information and services online in ways that make sense to them?

It's important that internal business and technical architectures are designed to support these new ways of interacting with data. A well designed architecture, built on Service Oriented principles, making use of Web services, XML, RSS and similar technologies, will help ensure the right information flows to the right people at the right time – both inside and outside of an organisation.

It’s also worth mentioning in the context of creativity, innovation and community the new Codeplex site, since I see this has been getting some media coverage, despite only being in early beta. This is our new code repository site, aimed especially at shared- and open-source programmers. It builds on the recognition that .NET and the Microsoft platform provide the basis for much of the wider community programming work now taking place, both on the Internet and inside organisations.

On this early Codeplex beta site you’ll find work on projects such as:

• an Atlas control toolkit, a set of plug-in components for our AJAX framework
• Turtle a command-line interface for Team Foundation Server
• IronPython, the .NET implementation of the Python programming language.

I’m intending to provide a more formal launch and update on Codeplex next month, when I’m giving a keynote at the European Open Source Business Conference (OSBC) here in London.

Taking advantage of the possibilities opened up by Windows Live and the whole Web 2.0 wave will depend on policy-makers, business decision makers, IT professionals, developers and - most importantly - citizens/consumers understanding its true potential. All of these latest developments are important steps towards developing that understanding - and of providing the tools and technologies that will help deliver the next generation of interactive services.

open source Microsoft Web 2.0 mashup innovation technology

Is ID fraud becoming more commonplace – or merely being better reported?

“Revealed: the cash-for-fake-ID scandal at the heart of the Government” was one attention-seeking strapline in the Independent on Sunday last weekend. “Chip and PIN makes fraud even easier”, added The Sunday Times.

The Indie’s story was about allegations that some civil servants have sold or been misled into providing the personal details of hundreds, possibly thousands, of people to criminal gangs. Apparently, personal details are being taken from government databases and provided to criminals, who then build a fake social footprint: getting utility bills that bear the names and details of the stolen identities, opening new bank accounts, obtaining “replacement” birth certificates – and then using all of these as evidence for a “replacement” passport. These passports are then apparently sold to aid illegal people smuggling.

This will be an interesting one to monitor. If an identity fraud such as this was pervasive enough, it would present a major challenge to attempts to establish higher quality proof of identity. Alongside documents such as birth certificate, driving license, utility bills, passports etc the social footprint is one of the main factors that can help establish the veracity of a claimed identity. But if that has also been compromised, the situation is going to become highly complex and time-consuming.

The Sunday Times’s story contained assertions by Frank Abagnale, a "reformed con man", to highlight ways in which chip and PIN cards have vulnerabilities:

The information sent out by the hand-held card reading devices used in restaurants, for example, is not encrypted. Any criminals nearby with an information receiver can therefore capture the data, including the PIN entered – actually making it easier for them to commit certain types of fraud.

Abagnale said: “Anyone sitting at another table with a laptop would be able to pick up the messages being sent to and from the card readers.

This came on the back of last week’s story that Shell service stations have stopped accepting chip and PIN cards – after more than £1m was stolen from customers’ accounts. Apparently fraudulent engineers installed devices underneath the keypads that cached details of card numbers and PINs. So in fact the Sunday Times’s story is more about pure financial fraud than ID fraud per se: although gathering this financial information might then play a role in a later ID fraud of course.

I’d make some anecdotal observations that concern me in my use of chip and PIN. Numerous outlets seem to have moved to a model where they take your card behind the counter and then ask you to enter your PIN in a second card reader pad on the top of the counter. I am often tempted to refuse: it is fairly easy to install devices between a pad and reader to snaffle card and PIN details. Likewise, there is no form of kitemark or branding on any of the chip and PIN card readers that I am aware of that enables me to ascertain whether it is a trusted device or not. And all of this ignores other problems of course, such as the presence of a CCTV camera trained on the sales counter, easily capable of capturing the whole PIN tapping sequence. And I would also ask whether 4 digits is really enough.

But of course, it’s easy to be overly-paranoid too: everything we do in life is a balance of risk. I would ask however that we debate and discuss a more consistent framework for ensuring that we in the technology industry eliminate risks wherever possible – and help educate users to be better aware of what the risks might be, so they can make better informed decisions.

The move from paper-based systems and separate filing cabinets maintained in separate offices and organisations has of course long since been replaced by a world in which information flows freely. But we need to ensure that the very same benefits that modern technology can bring in terms of improved operational efficiency are not implemented in such a way as to feed the problems associated with ID fraud.

I have called in my evidence to the House of Commons for authoritative, independent research into the risks of monolithic versus distributed databases. Some 20+ years of industry experience prejudices me towards the latter: why should an operator with responsibility for updating address information for example have access to a system that contains anything other than addresses? Why should they also be able to see someone’s NI number or date of birth?

Segmenting the way we hold data and aligning this with the roles and responsibilities around such data is at least a way of minimising unnecessary risk. Nothing will ever eliminate risk – even biometrics at a border control will be little use if an immigration officer watching an arriving traveller says nothing when that traveller uses a gummy bear to provide their fingerprints. No system is ever 100% secure. But we can at least take whatever steps we can to help contain and minimise the probability.

Privacy has often – wrongly – been portrayed as an “enemy” of security. These topical examples from last weekend’s papers demonstrate the opposite: good privacy practice would reinforce security. The Indie also stated:

Figures published last week show that there were 100,000 offences under the Data Protection Act in the DWP and Revenue and Customs between 2000 and 2004.

The industry as much as policy-makers needs to recognise and act on these problems: privacy technology is probably at the same stage security technology was 5-10 years ago. It’s time we all started to ramp up our efforts in this area. Only when we have security and privacy technologies fully aligned, combined with better user understanding (see here for my thoughts on the human dimensions of data protection issues), are we likely to contain and tackle the growing problem of ID fraud.

ID fraud identity privacy technology policy Microsoft

Today sees the launch of a new UK-wide grid computing competition. Aimed at students and young professionals, it hopes to develop solutions to 21st century challenges – using, as the name suggests, the capabilities of grid computing technologies.

It’s being launched by Grid Computing Now! (the DTI’s Knowledge Transfer Network for grid computing) in partnership with the British Computer Society (BCS). I see The Guardian – which has being showing a healthy interest in the topic of grid – has already blogged the competition.

But I’ll put my hand up before I go any further and confess a self-interest: I sit on the Grid Computing Now! Advisory Council, and will also be a judge on this competition, alongside a panel of distinguished fellow judges drawn from the Department of Trade and Industry, University of Southampton, UCL (University College London), Intel, and Oxford University.

I’ve been a keen supporter of this initiative ever since it was first floated as an idea – to the extent that Microsoft is contributing a mix of prizes, such as our high performance computing offering (Compute Cluster Server) and the opportunity to attend the Microsoft European Research and Innovation Day in Brussels. Oh, and did I mention an Xbox 360?

When I was authoring our response to the Transformational Government strategy, I flagged grid computing as a key element for inclusion in the next generation of government architectures:

"Alongside the move to 64-bit computing, another major industry trend highly relevant to the Transformational Government agenda is the move of high performance computing from academia and research into the mainstream.

There are potentially important implications in how public sector organisations think about architecting their services in the future and how common infrastructure will be shared across the sector, potentially crossing inter-agency and inter-departmental boundaries. For example, HPC and Service Oriented Architecture (SOA) could play a key role in rationalising data centres and the architectural models used for government systems."

I’m really looking forward to seeing some breakthrough innovations here and would encourage students and young professionals to be as imaginative as they can be. Grid is moving out of the labs and into the mainstream. The UK, with its great record in computer science, has the opportunity to capitalise upon this - benefitting from a whole new generation of innovation and enterprise with grid at its core.

Microsoft grid computing competition government innovation technology policy student

Much of the talk about how we can improve public services centres on some well-worn topics. How to improve online services for example by improving the quality of Web-based identity management, information and transactions. Inside government, the theme is one of operational efficiency: looking at ideas such as shared services at both the policy and technology level.

These are all a logical extension of the journey we have already begun and represent what has probably already been nicknamed “Government 2.0”, building incrementally on the work that’s been taking place since around the mid 1990s. And they are, of course, valid aspirations that need to be delivered against.

But there are also wider trends abroad that need to be factored into our thinking. This isn’t just about technology improving operations and administration. Technology is becoming a truly pervasive phenomenon. We can witness that around us in the shape of portable media players, mobile phones, webcams and many other commonplace devices. These technologies are changing the very way we live and interact. And they’re just the beginning of more fundamental changes that will challenge the very way we think about public services, how they are delivered and where they are delivered.

Take the simple example of the Smart Beat project – which is enabling the police to spend up to an hour extra out on the beat each shift. That’s an impressive illustration of the way technology can change a whole working model, with benefits all around: both to the police, who can cut their admin and paperwork burdens and gain more rapid access to the information they need in their jobs. And to citizens, who will always welcome the idea of the police being out on the beat longer and not so confined to their desks in a police station.

There is also an emergent market in “ambient assisted living”. This is the use of technology that enables people to stay living in their homes and communities for longer by offering a range of technology-based devices – such as bathroom scales, blood pressure monitors, blood glucose monitors, heart-rate monitors and the like that are all capable of updating the patient and their GP in real time, enabling effective tracking of their progress and the ability to flag any issues that arise.

Not only has this major implications for us as citizens, in that it will enable us to live longer, better quality lives in our own homes. But it also has major implications for how we think about the organisation of public services such as health care and social care in the future.

So my point is this: we should not continue to think about technology purely in terms of providing an additional channel (such as Web site being used alongside more traditional channels such as government offices, Royal Mail and call centres). Likewise, we should also not be thinking about technology purely in terms of helping administrate policies such as benefits claim processing, patient records systems, passport applications and the like.

We should however be thinking about how technology’s pervasive nature will impact policy-making itself and the structure of our public services.

These new technologies will provide automatic sensing and smart processing, evaluation and communication. They will involve measuring a person's location and using location data in a way that benefits them. Such technologies will begin to challenge the existing notions we have of healthcare systems and social services. And such changes will raise some challenging issues around security, interoperability, reliability and privacy. We need to think about the policy frameworks that will guide us successfully – and sustainably – through these developments. And we need to understand and be planning for this world now.

If we think the current debate about identity in the context of the national identity card and online services is complex enough, think about how such issues could scale (both in terms of security and privacy) when we are surrounded by a world of devices sensing and reporting on our presence. Whilst we may move towards this world with the best of intentions, the “law of unintended consequences” will doubtless turn some of these benign intentions into future challenges.

We should start to have the discussions now about how such pervasive technologies should behave (think: Kim Cameron’s “laws” of identity, at least as a starting point for debate). The only alternative is to run the risk of waiting until it is too late: and then realising that we have built a pervasive world that cannot deliver its true benevolent potential for transforming public services, because of the inadequacy of the way it has been designed.

identity privacy public policy government healthcare Microsoft interoperability pervasive computing ambient computing]

How can online public services help deliver more ‘citizen-centric’ facilities, tailored to our individual needs?

I think the answer may lie in bringing together two current themes:

· the consumer as creator trend that is washing across the Internet courtesy of the “Web 2.0” phenomena

· the Transformational Government strategy’s desire to use audience segmentation to provide information better targeted on the citizen’s needs.

Audience segmentation of course is no easy panacea: it can result in a new set of silos that are no more intuitive or useful than the old ones. So the desire to move to say a segmentation oriented on whether someone is a student, a farmer, a motorist, in retirement etc may end up little better than one silo’d on the structure of government departments and their agencies. It’s hard for the provider to both research the necessary audience requirements – and to then structure the delivery of information in a sufficiently flexible way that it will engage the citizen.

In the same way as we’ve seen the outsourcing of order entry to the consumer by successful sites such as Amazon, perhaps this is another area where the problem is best resolved by outsourcing it to the citizen. Let them choose how they bring information and services together rather than trying to second-guess the many permutations there could be. Of course, to do this successfully requires either a degree of ‘tech-savvyness’ on the part of the citizen – or far better designed Web sites that ensure they provide interfaces and services intuitive enough for even the most casual of Internet users to be able to master.

Bringing together the consumer as creator theme and individualised services plays well to the strength of current Internet developments. Take a look at Windows Live, for example. And the associated Gadgets site. Here I think is at least part of the answer: using this model, it’s possible for the provider to develop discrete elements of functionality – and for the citizen/consumer to then decide which of those they want to use and how they would best like to pull them together.

A discrete set of topic-related material, built for specific audience segments, could be provided using Gadgets. Such components could be as simple as using mechanisms such as RSS feeds to stream the latest information relevant to a specific audience (such as, for example, on bird ‘flu advice for poultry farmers). Or the Gadgets could stream highly targeted information – including personal information – by providing a simple interface into back-end systems. Who knows, perhaps there could even be Gadgets that exploit other parts of the emergent shared services infrastructure, such as online authentication, including that provided by the Government Gateway/GovConnects.

In the same way as we see business intelligence ‘dashboards’ providing the ability for managers to oversee all aspects of operations and efficiency within an organisation, the emergence of online facilities like Windows Live and Gadgets enable a similar model to apply in the citizen space. Combine this with other initiatives – such as the potential use of the Creative Commons model to Data Protection (see a previous discussion here) – and we begin to have the building blocks for a compelling technical and policy architecture that does truly place the citizen and their needs at the centre.

Of course, there’s nothing new here in what is effectively the application of the ideas of the Mashup. It’s what the leading techno-luminaries have been pioneering on the Web for a little while now. But its application to the public services space is something I have not yet seen exploited, despite its clear potential to help balance the needs of highly individualised and targeted services with the ability of the producer (ie. Government) to work out how to make that happen. Let’s hope that some of the benefits of the Web 2.0 mindset begin to impact the Transformational Government programme.

technology government Web 2.0

An interesting day yesterday providing evidence to the House of Commons Science and Technology Committee inquiry into how the Government makes use of scientific and technological evidence. The session was focused on the UK identity card and followed on from the sessions a few weeks ago with Katherine Courtney and her team from the Home Office (a draft transcript of which is available online here).

It’s been some years since I last gave evidence to a Committee – when I worked at Parliament it was a routine, if sometimes unpredictable, experience for me in both the Lords and Commons. Perhaps I’m perverse, but I rather enjoy the experience. There’s something about the questioning and answering, the debate and digging into the credibility of evidence and witnesses that makes the work of these Committees the heart of our Parliament for me. It’s good that in a democracy we should all be called to account (and also be given an opportunity to explain ourselves and help inform the wider public debate).

Yesterday there were two panels in front of the Committee. The first of these was myself, Nick Kalisperas (Intellect - the industry body used by the Home Office for consultation), Professor Martyn Thomas (UK Computing Research Committee) and David Birch (Consult Hyperion).

Following our session, the next four up were Dr Tony Mansfield (National Physical Laboratory), Dr John Daugman (University of Cambridge), Dr Edgar Whitley (London School of Economics and Political Science), and Professor Angela Sasse (University College London).

Both panels provided evidence for an hour apiece, with a lot of questions from Committee members about the consultation, risk assessment of the potential ID card business and technical architectures, advice on the reliability of technology and the like.

Of course, when the evidence is published, you’ll be able to see verbatim what we all said and the Committee’s reaction. But in the meantime, I’d summarise some of my comments into three broad areas:

- the ID cards consultation to date has been focused more on the procurement process than the business requirements and technology issues. The Home Office team expressed a desire not to stifle innovation by getting into the specifics of potential architectures. But I think it would be really useful to see a UK government study into the risks, feasibility and comparative merits of centralised versus decentralised identity systems in terms of systems reliability theory, or modern computer security concepts (including the widespread contemporary experience of large scale data breaches, social engineering and phishing attacks).

- given the fastest growth in ID fraud is online (through for example phishing attacks), it was unclear how the ID card would work in online scenarios (would it default for example to just chip and PIN?). And given that the delivery of online public services is a key part of the Transformational Government agenda, this is clearly an area in which a well-designed ID card could yield major benefits and tie in well with other identity initiatives including across health, local and central government and the private sector

- some concerns arose from the limited number of publicly available scenarios of how the ID card could be used in practice. And of those available, there are potential issues with their descriptions of the card’s usage in practice. For example, the scenario here indicates that the ID card will disclose your date of birth to any third party that needs proof of age entitlement (eg to buy alcohol or to get an old age pensioner discount). However, I believe this is not good practice based on our experiences with ID fraud. All that needs to be revealed in such a situation is that the person is over 18 or over 60/65. Neither their date of birth or age needs to be revealed. In fact, handing over personal information such as date of birth to anyone who requests sight of an ID card could generate vulnerabilities elsewhere: for example, telephone banking uses date of birth as one of the ‘secrets’ to prove who you are when you phone up. We need to be very careful that the ID card does not add to any potential identity fraud issues when there is a great opportunity for it to help enhance our privacy, as Dave Birch indicated in his evidence.

Both my written evidence and oral evidence provided yesterday will be published in due course by the Committee along with those of the other witnesses. I’ll let you know when that happens.

I look forward to seeing the Committee’s overall conclusions and recommendations on how scientific and technological evidence is impacting public policy. There are enormous benefits to UK plc to be taken from the incorporation of scientific and technological advice into the very heart of policy-making itself.

In fact, I’d argue that it’s essential for us to do so for our future economic prosperity.

identity ID Cards privacy technology politics Parliament government Microsoft