Sept 26 2005, the Enterprise Privacy Group and Microsoft
I’m pleased to announce today that Microsoft has joined the Enterprise Privacy Group, adding to other well-respected companies such as Verisign who have already become members:
The Enterprise Privacy Group is an association of organisations working in partnership to understand privacy-related issues and to achieve collaborative solutions.
The Enterprise Privacy Group’s activities are reviewed by an Advisory Group that includes The British Computer Society, The London School of Economics Department of Information Systems and legal firm Olswang. In addition, the Information Commissioner’s Office has taken up Observer status.
I’ve mentioned before the strong emphasis that the best projects are placing on privacy: for example, Frank Moss (Deputy Assistant Secretary for Passport Services, US Department of State) has referenced the value they and NIST (the US National Institute of Standards and Technology) have found in engaging with privacy specialists. In his conference address at the e-borders summit earlier this year, Frank Moss acknowledged that privacy concerns are highly valid and must be dealt with: "We need a security in depth process around privacy issues". Taking on privacy feedback has helped produce a much better e-Passport.
As I wrote in my blog entry of July 12:
This is the same point we've been making for some time: well designed systems make a partnership of security and privacy instead of setting them at loggerheads.
Privacy is a strong ally of security. Both need to work well in partnership for systems to be designed well and to succeed. I’ll be looking to help ensure some of the complex issues around identity and interoperability – such as shared services, federated identity and role-based access to information – are among some of the first topics that we address. My intention is to help find collaborative solutions and models that work well at both the security and privacy levels.
Sep 23 2005, the artificial schism of "science" and "the arts"
I have meant to comment before now on the death last month of Bob Moog. For those of you who know me well, the fact I want to comment on the death of someone known better for music-related activities than IT will be no surprise. Moog was of course one of the great innovators in musical synthesis: even if you're not aware of it, the famous Minimoog sound is one you would recognise instantly. (If you want to hear samples from the current version, then visit here).
I have never believed in the relatively modern conceit that "the arts" and "science" are somehow separate fiefdoms with nothing in common. When I was pursuing my MPhil into the applications of artificial intelligence (AI) to music composition, it was astonishing the degree to which the computer scientists were wonderfully ignorant of anything happening outside their immediate sphere of interest. And likewise for the music software developers who seemed completely unaware of some of the computing tools that would have made their task - and that of the users of their software - greatly simplified, if only the two disciplines had been able to find some common forum and vocabulary to communicate with each other. These divides between disciplines are enormously unproductive and we should be working to find ways of bridging them. It seems to me that true breakthroughs and innovations often only occur when we manage to bring together such differing viewpoints and specialisms and hence spark new ways of looking at the world.
At its best, music represents to me one of the best fusions of science, technology and arts that it is currently possible to find. Modern music-making is a compelling combination of science, technology and creative arts. Modern desktop composition systems comprise complex software that involves detailed mathematical and physical modelling of the building blocks of musical synthesis, the manipulation of software tools (such as sampled instruments, sampled voices and even sampled acoustics taken from major concert halls of the world) and the art of mastering these in the creation of new musical compositions. Of course, my old alma mater, City University, was one of the first universities to understand these issues - offering a BSc in Music: what better indication can there be of how science and the arts can be brought together?
When I was observing and researching composers' behaviour to see where AI techniques might be usefully applied to assist in the process, one of the most interesting aspects was the way the best musicians moved between complex manipulation of physical waveforms, mastery of software and the actual composition process itself. In fact, in many ways the composition process was as much about control of the underlying physical and acoustical principles of sound and software programs as it was about the more traditional concept of putting notes on a piece of paper. If science is about applying consistent principles and processes in pursuit of knowledge - and the recognition and formulation of a problem - then modern music composition is often a demonstrative application of scientific principles.
It was innovators such as Moog who first saw the opportunities to apply the physical, acoustical foundations of music to the commercial production of musical tools to assist composers and performers. His death provides a chance to reflect on how the lessons from the world of music might be applied elsewhere to similar dramatic effect. I never cease to be astonished at the type of control and synthesis that the PC has made possible on my desktop: it is now possible to compose music on a home computer that would once have required a full orchestra and a concert hall - and a lot of financial backing. Or a specialist computer costing hundreds of thousands of pounds (I recall, not without some nostalgia, using the early Fairlight CMI systems for example). But more than that, it is now possible to conceive music that would not have been previously possible to produce. I mean by this the production of unique sounds that go beyond the physical boundaries of what was possible with previous generation instruments or human performers. These new soundscapes are equivalent to suddenly discovering a whole new range of colours never previously imagined or seen before.
Indeed, as grid and high performance computing moves from the research world into the mainstream, I have little doubt that modern composers and the music industry will be amongst the first to take real advantage. If current single-processor, single-system desktop composition takes my breath away - what on earth will the upcoming generation of 64-bit, multi-core, grid computing developments do? How far will the acoustical and physical modelling that these systems will make possible take us in the discovery and invention of entirely new sound canvases? In the past, these advanced tools were once limited to specialist research establishments such as IRCAM. Now, they will be on our desktop PCs.
Sep 21 2005, the Internet identity crisis
To Leeds, to talk at the British Computer Society (BCS) Information Security Specialist Group (ISSG) conference. My topic is "The 'laws' of identity and the need for an identity metasystem".
The meeting is a very useful discussion of identity, privacy and security - broadly set within the context of the debate about the proposed UK National Identity Card. There are very productive sessions from the likes of Dr Chris Pounder ("Why is there a privacy fuss?"), Margaret Moore ("ID Management in the NHS"), Stephen Edwards ("The Truth About Biometrics - dispelling the myths") and Phil Cracknell ("Identity, ID Theft and Risks").
Whilst the meeting overall operates under Chatham House rules (which means comments made are not directly attributable to the speaker), for those of you who are following these debates an approximate transcript of my presentation is available here.
Sep 20 2005, science and identity
New Scientist (issue date 17 September 2005) continues its excellent coverage of the many issues around identity (Identity Revolution: Part Two). There is coverage too of fingerprint matching and the errors that have been made in using it in evidence (with the wrong people convicted). From the New Scientist's analysis, this seems largely attributable to a less than scientific attitude to assessing its failure rate:
"Fingerprint matching is undoubtedly a valuable tool for catching criminals, but it suffers from one major flaw: nobody knows how often fingerprint examiners make a wrong call. In the US Federal courts, there are standards that scientific evidence must live up to. One of these "Daubert criteria" is that techniques must have a known rate of error. Yet, somehow, fingerprint matching has not been required to meet this standard." (New Scientist, Editorial, p3)
There clearly remains a great deal of misunderstanding about what "science" means. The editorial rightly makes the point that if we do not address such concerns and issues now, we could end up seeing fingerprint evidence entirely discredited which would be a disaster for all concerned. Far better to understand properly how reliable it is and how confident judges, juries and courts should be in assessing fingerprint evidence so that it can continue to be used as a highly valuable investigative and forensic tool.
The broader discussion of identity ("Privacy and prejudice: whose ID is it anyway?") focuses particularly on the related, but broader, issue of biometrics - not just fingerprints, but also iris scans and facial recognition. The widespread concern about the implications of storing all biometric data in a central database - when we know from experience that no system is unhackable and never will be, particularly when we factor in social engineering attacks - is objectively discussed. Such centralised approaches would facilitate the very compromise and theft of identity that these proposed systems aim to prevent: by enabling a digital identity to be accessed, tampered with, or used without the owner's consent. Our biometrics in any case are also leaky - we trail fingerprints and DNA wherever we go and leave our facial image imprints on the numerous CCTV devices we pass daily in our cities and towns. We need to ensure that all these elements are accounted for in any systems designed to make use of biometrics, particularly - as seems likely - if in the future we rely far more on biometrics for authenticating and verifying the true identity of individuals.
The article reminded me of the comments made by Frank Moss (Deputy Assistant Secretary for Passport Services, US Department of State) - that humans should always remain a key element of any identification system. Whilst technology and automated methods can assist, they are not infallible and we need to design systems accordingly. To my mind, this is really a wider version of the message that the New Scientist editorial makes about fingerprint matching: we need to be rigorously honest about what technology on its own can achieve, to scientifically and hence objectively assess the risks, reliability and confidence we should have in different systems. And to ensure that we always remember the human factor too: systems that overlook this key ingredient are systems designed to fail.
Sep 19 2005, Service Oriented Architectures and the Board
To Whittlebury Hall to deliver a Keynote at the Triple i Convention, a "by invitation only" residential convention for senior IT strategists in Enterprise and Public Sector organisations. My talk, 'Exploiting a Service Oriented Architecture for Business Benefit', looks at how the most successful organisations are taking advantage of new approaches to developing and delivering IT solutions.
Connected systems and Service Oriented Architecture (SOA) are some of the most important topics in the IT community. They not only change the way we have traditionally thought about and delivered solutions, but are an important transition to the new world of the intelligent Internet. But SOA needs to be much more than that if it is to succeed and realise its potential. Its implications and benefits need to be communicated to and understood by the Board. We must be able to find common language and terminology that will enable the business community to understand and take a benefit from these new ways of working.
It’s become a commonplace to say that the Internet has changed everything. But for me that doesn’t just mean the obvious – such as browsers, Web servers and the World Wide Web (WWW). I mean the models, processes, services, contracts and architectures that we are now seeing that exploit this infrastructure. Concepts such as "abstraction" and "service orientation" are now building very successfully on the underlying technologies of the Web. Our challenge as IT leaders is how we can convey the significance of this to our organisations and most particularly to our Boards.
In the past, IT solutions were based on a "built to last" principle and "built to purpose" (usually a single purpose). But business is not a static environment, the ball never stops moving: so why have so many "brittle" IT systems been conceived, designed and delivered that do not model business needs? Or if they do, they model business needs that happened to exist at an arbitrary and transient moment in time. No wonder people such as Nicholas Carr have made assertions that IT doesn’t matter. Of course, his views were more about the potential impact of a perceived commoditisation of IT and hence the loss of competitive advantage rather than the way we model IT and business services. But the noise and coverage of his Harvard Business Review article suggests it unfortunately resonated in far too many boardrooms.
The benefits of service-based approaches - speed to service delivery (organisational agility if you prefer), cost efficiency, flexibility and extensibility - represent changes in the way we think about process, modelling, contracts and services across both the business and IT communities. SOA in itself of course is not an answer - any more than TCP/IP or DNS or any other IT building blocks are "answers" to business problems. But it is a significant change in the way we ensure IT maps better onto business needs.
As connectivity has blurred the distinctions we once made about local, regional, national and global markets, the traditional boundaries on roles and responsibilities between organisations have blurred too. Take for example the idea of outsourcing, a common enough model, where the business goals of one organisation are supported by the IT services of another. How can this possibly hope to succeed if we do not have some common ground on which we can express ideas such as contracts and service levels?
For connected systems to be a value to an organisation, they require a new method of negotiating ‘contracts’ between the business and IT realms. Service design – across business and IT communities – needs to be a collaborative process if the requirements for inter- and intra-organisational interoperability and commerce are to be achieved. If we accept the notion that we are driven by different viewpoints and models within our organisations across the business and IT realms, then clearly we need to find common ground and a shared vocabulary if we are to make progress in ensuring IT is applied more aptly to business needs.
Business and IT are two vitally important and organic viewpoints that are supposed to live together in organisations. And quite clearly in our best and most successful organisations these lessons are being learned and applied. But we have a problem. Sometimes – just sometimes? - one viewpoint tends to want to dominate the other. This is neither organic – nor in the best interests of our organisations, for either the business or IT communities. With service orientation as a framework that can model both business and IT realms, we have an alignment that provides the basis for solving real world business problems more efficiently and more effectively than in the past.
In the service oriented world, our models act as a set of abstractions that enable relevant development and the agility for change. In technology speak, in this changing landscape, the right models can abstract and aggregate information from a number of artefacts and support consistency checks and other forms of analysis. In English, for the Board, the IT models are constructed to meet business needs. Service orientation enables technology to be viewed from a business process perspective: it gives us the common vocabulary to make successful modelling possible.
Those organisations who have begun down the path of connected systems, who really understand what service oriented architecture is all about, are at least well placed to ride the coming revolution.
"What revolution?", perhaps you ask. Well, just consider this. We are beginning to see the commercialisation of 64 bit computing. The commercialisation of multi-core processors. The commercialisation of grid and high-performance computing. The model we have long been accustomed to – of server-centric, "big iron" computing - is changing. And so the Internet itself is changing: the next generation Internet is about a network of equals, of intelligent distributed clients alongside the current model of dumb clients and overloaded servers. And it's changing rapidly. Edge computing is on the rise.
We have a clear responsibility as IT leaders to work with our Boards to fundamentally re-think and constantly challenge accepted wisdom about the way we design and deliver services – at both the business and technology levels. Connected systems and recent developments such as service orientation enable us not to just better model our businesses and organisations as they exist today - but to ensure they will continue to adapt and succeed into the future.
Sep 13 2005, Setting the bar
I’ve been looking through the Burton Group’s report, excitedly entitled “The Microsoft Superplatform: Setting the Bar in the Superplatform Arms Race”. The somewhat hyperbolic title aside, it makes the point quite articulately that:
Of all the superplatform vendors, Microsoft provides the most cohesive solution. Microsoft's strategy of tightly integrating the application platform with the underlying operating system enables a bedrock foundation for management, administration, security, and tooling that provides a single, consistent, easy experience throughout the platform. Microsoft also offers excellent support for web services and collaboration.
We’ve used the tagline for some time about ‘integrated innovation’. This aspiration to integrate the platform through the entire life-cycle, from development to operational management, is one of many core design elements that I believe distinguishes the Microsoft platform from other IT options. Some time ago we baked in the internationally-recognised OGC ITIL guidelines to the way we developed best-practice operational procedures and support into our products. Our latest and continuing investments build on and enrich that support.
One of the biggest headline costs when I managed IT departments was associated with enabling existing systems to work together – and in working to ensure their reliable operational availability. Far too little of my budget was free to focus on adding value to the organisation and bringing forward new innovations in the way we operated. We are making significant headway into this industry problem: reducing the cost and complexity of existing operational support and enabling more resource to be devoted to better supporting the needs of the organisation.
The Burton Group’s assessment shows that the investment Microsoft has made through its year-in, year-out R&D programme is paying dividends. We all know software needs to be simpler: simpler for the user. And simpler for the professionals, from developer to helpdesk operator. With these latest improvements to our platform, developers are increasingly able to help build in support for the full software life-cycle. There is of course more work to be done: but these new waves of technology are significantly better than anything the industry has seen before.
In an age when we have moved on from the out-dated model of software that was built for a single purpose – monolithic and inflexible – to one where software is designed to be agile, updatable, componentised and re-usable, this report is a useful contribution to the debate about various software models: and how successfully they meet business and technical needs.
The Burton Group's verdict that “Microsoft provides the most cohesive solution” is a welcome recognition of the progress we have made to date.
Sep 9 2005, The proposed Internet tax
My colleague Jonathan Murray picks up on some rather strange announcements from Georg Greve (who heads up the European arm of the Free Software Foundation) in his recent blog posting A Flat Tax for the Internet?. Amongst other proposals around a re-write of the GPL, Georg suggests that content producers should be recompensed by implementing a “… cultural flat fee” on Web access rather than being paid as and when specific consumers download music, TV, film etc. As Jonathan comments:
Note to Georg: Have you heard of the digital divide? Do we really think taxing internet access is going to improve the ability of the poor and disadvantaged in society to have access to the tools and information of our increasingly knowledge based society?
I'm not sure why anyone would propose a model other than one where the consumer of a particular good or service is the one who pays for it. This proposal from Georg seems analogous to some of those ideas we saw in the past, where taxes were slapped on blank tapes on the off chance they were going to be used to record something illegally. If this is the quality of thinking going into the current re-drafting of the GPL I'm not sure it's going to address the issues that have been raised with the current version - particularly concerns about the need to protect intellectual property and return on R&D.
Sep 7 2005, On the identity trail ...
Identity refuses to go away as an issue: I thought Kim Cameron's blog about the privacy conference where they posted up details of everyone's movements based on their bluetooth phones was an interesting reminder of how 'leaky' and inappropriate many of our current technologies are. The idea that we should be told to turn off such features if we don't want to be intruded on or beamed undesired advertising without our consent is a nonsense. It's a bit like someone telling you to tape up your letterbox to stop junk mail being delivered. Clearly no-one would do that since we receive many other items through our letterboxes that we do want to receive. It's not for someone else to tell us what we can and can't do with the technologies we want to use. And whilst some of these issues are related to policy and ensuring informed consent (so as not to be obliged to receive bluetooth adverts beamed to our phones), there is clearly a case, as Kim argues, for doing a better job in the way we design these technologies to make them less 'leaky' and inappropriate in their potential uses.
(C) 2004/2005 J Fishenden