Ross Anderson

What's New

The Campaign for Cambridge Freedoms seeks to defeat a proposal by the outgoing Vice Chancellor that from the beginning of 2003, most of the intellectual property generated by faculty members - from patents on bright ideas to books written up from lecture notes - will belong to the university rather than to the person who created them. At a stroke, Cambridge will no longer have one of the most liberal rules on intellectual property of any British university, but one of the most oppressive anywhere. There are grave implications for academic freedom, and for faculty recruitment and retention. We understand that this change was instigated by the Department of Trade and Industry; yet the consequences for industry will be dire. The incentives that led to the creation of hundreds of high-tech companies in the area will be destroyed. It seems that civil servants view us not as the goose that lays the golden eggs, but as a nail that sticks out and needs to be hammered down. See also coverage in the Observer, the Telegraph, the Cambridge Evening News, the Independent, ZDNET and THES. There's also the BBC, which our Vice Chancellor told that "The university has a right to a share because I think there are very few true individuals. Most people have to rely on others". (If he is asserting that the median Cambridge faculty member has never published a significant single-author paper, I'd like to see his statistics.) The next step will be a Discussion in the Regent House on the 15th October: be there!
The Economics and Security Resource Page gives you a guide to the hottest research topic in information security. More and more people are realising that information insecurity is often due to perverse incentives rather than to the lack of technical protection mechanisms. There are also many questions with an economic dimension as well as a technical one. For example, will digital signatures make the Internet more secure? Is so-called `trusted computing' a good idea, or just another way for Microsoft to make money? And what about all the press stories about `Internet hacking' - is this threat serious, or is it mostly just scaremongering by equipment vendors? It's not enough for security engineers to understand ciphers; we have to understand incentives as well.
TCPA / Palladium FAQ - Frequently Asked Questions on the new Intel/Microsoft `trusted computing' initiative to install digital rights management hardware in your PC, making music piracy impossible - and software piracy too. The proposed mechanisms could have some disturbing consequences for privacy, censorship, and innovation.
Optical probing attacks provide a new, effective and cheap way to attack smartcards and other secure microcontrollers. We unveiled this at the Oakland conference on the 13th May; here is coverage in the New York Times, the New Scientist, slashdot and TechTV. The full paper was presented at CHES 2002. We developed this attack in 2000, but kept quiet about it while we developed countermeasures. We believe that this attack will catalyse a technology change in the smartcard industry. Our proposed solution uses self-timed dual-rail logic to make it much harder for an opponent to perform attacks based on fault induction, or on power analysis either. Our paper on this technology won the best presentation award in April at Async 2002. The latest journal paper on this technology, with recent test results, is here.
My Book on Security Engineering
Now also available in Japanese!
Security engineering is about building systems to remain dependable in the face of malice, error or mischance. As a discipline, it focuses on the tools, processes and methods needed to design, implement and test complete systems, and to adapt existing systems as their environment evolves. Security engineering is not just concerned with `infrastructure' matters such as firewalls and PKI. It's also about specific applications, such as banking and medical record-keeping, and about embedded systems such as automatic teller machines and burglar alarms. It's usually done badly: it often takes several attempts to get a design right. It is also hard to learn: although there are good books on a number of the component technologies, such as cryptography and operating systems security, there's little about how to use them effectively, and even less about how to make them work together. It's hardly surprising that most systems don't fail because the mechanisms are weak, but because they're used wrong. My book is an attempt to help the working engineer to do better. As well as the basic science, it contains details of many typical applications - and a lot of case histories of how their protection mechanisms failed. (Some of these are available in the research papers listed below, but I've added many more.) It contains a fair amount of new material, as well as accounts of a number of technologies (such as hardware tamper-resistance) which aren't well described in the accessible literature. The reviews have so far been positive, and there's a nice thread on Slashdot. I hope you'll also enjoy it - and find it seriously useful! More ...
Research

I lead the security group at the laboratory, where I hold a faculty post as Reader in Security Engineering. I supervise a number of research students - Mike Bond, Richard Clayton, George Danezis, Stephen Early, Sergei Skorobogatov and Jeff Yan. Markus Kuhn, Ulrich Lang, Harry Manifavas and Susan Pancho have submitted, while Jong-Hyeon Lee, Frank Stajano and Fabien Petitcolas have actually graduated. My other current personal research interests include:

Some of my papers are available in html and/or pdf, but the more technical ones tend to be in postscript, as this has been the standard in the computer science / maths / electrical engineering communities for many years. If you don't have a postscript viewer, you can download one from here.

Peer-to-Peer systems
Since about the middle of 2000, there has been an explosion of interest in peer-to-peer networking - the business of building useful systems out of large numbers of intermittently connected machines, with virtual infrastructures that are tailored to the application. One of the seminal papers in the field was The Eternity Service, which I presented at Pragocrypt 96. I had been alarmed by the Scientologists' success at closing down the penet remailer in Finland, and had been personally threatened by bank lawyers who wanted to suppress knowledge of the vulnerabilities of ATM systems. This made me aware of a larger problem: that electronic publications can be easy for the rich and the ruthless to suppress. They are usually kept on just a few servers, whose owners can be sued or coerced. To me, this seemed uncomfortably like books in the dark ages: the modern era only started once the printing press enabled seditious thoughts to be spread too widely to ban. The Eternity Service was conceived as a means of putting electronic documents as far outwith the censor's grasp as possible. (The concern that motivated me has unfortunately now materialised; a recent UK court judgment has found that a newspaper's online archives can be altered by order of a court to remove a libel.) But history never repeats itself exactly, and the real fulcrum of censorship in cyberspace turned out to be not sedition, or vulnerability disclosure, or even pornography, but copyright. Hollywood's action against Napster has led to the adoption of the ideas from the Eternity Service by many systems including Publius and Mojonation. Many of these developments were described in a recent book, and the first academic conference on peer-to-peer systems was held this March at MIT. There is an active mailing list, p2p-hackers, and a free software project, mnet. See also articles by Andy Oram and Richard Stallman.
My contributions since the Eternity paper include: - A New Family of Authentication Protocols has turned out to be useful in dealing with one of the toughest technical problems in building censorship-resistant peer-to-peer systems, namely how to forestall service denial attacks. In Freenet, this involves the use of hash chaining to sign digital streams. The idea goes back to our `Guy Fawkes Protocol'; this enables users to sign messages using only two computations of a hash function and one reference to a timestamping service. Our paper presents a new way of doing authentication and digital signatures; it also raises interesting questions about the definition of a digital signature. It inspired various hash chain and stream signature techniques that turn out to be useful in securing sensor networks.
- The XenoService - A Distributed Defeat for Distributed Denial of Service describes novel mechanisms to protect web sites from distributed denial of service attacks. The XenoService is a distributed network of web hosts that respond to an attack on any one site by replicating it rapidly and widely. This could be a valuable line of development for peer-to-peer systems, if they are to provide the kind of service quality expected from commercial web hosting services. The XenoService uses Xenoservers, developed at Cambridge for the distributed hosting of latency- and bandwidth-critical network services.
- Peer-to-peer techniques are not just about creating virtual machines out of many distributed PCs on the Internet, but apply also to other environments where communication is intermittent. Mobile communications, personal area networks and piconets are another rapidly developing field. The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks describes how to do key management between low-cost devices that can talk to each other using radio or infrared, and without either the costs or privacy problems of centralised trusted third parties (there is a recent journal version of the paper here).
- The study of distributed systems which are hidden, deniable or difficult to censor might be described as `subversive group computing'. Our latest publication in this thread is The Cocaine Auction Protocol which explores how commercial transactions can be conducted between mutually mistrustful principals with no trusted arbitrator, while giving a high degree of privacy against traffic analysis.
- The Eternal Resource Locator: An Alternative Means of Establishing Trust on the World Wide Web deals with another hard problem - how to protect naming and indexing information. We describe how trust mechanisms can be embedded in html documents in a natural way. This work was motivated by a project to protect the integrity of online drug databases, and in particular the electronic version of the British National Formulary, developed initially by colleagues at our medical school. This followed work reported in Secure Books: Protecting the Distribution of Knowledge, which describes a project we undertook to protect the authenticity and integrity of electronically distributed treatment protocols in a system called Wax. Later work included Jikzi, a high-availability authentication framework for all kinds of electronic publishing - whether catalogues, music, software, public key certificates or even plain old fashioned books. This works by integrating ERL-type ideas into XML. There are both general and technical papers on Jikzi, and it has led to products now sold by a startup called Filonet.
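The hash-chain signing idea behind the Guy Fawkes protocol mentioned in the first item above is easiest to see in a small working model. What follows is an added example written for this page, not code from the paper, and it simplifies the protocol: each message is first delivered under a commitment keyed by a one-time secret X_i whose hash was published in the previous step, and X_i is released only after the commitment has arrived. SHA-256 and HMAC-SHA-256 stand in for the paper's hash function, the first commitment h(X_0) is assumed to reach the verifier authentically (the paper uses a timestamping service for that step), and the class and function names are the example's own.

```python
import hashlib
import hmac
import os


def h(data: bytes) -> bytes:
    """Hash function of the chain (SHA-256 is this example's choice)."""
    return hashlib.sha256(data).digest()


def tag(secret: bytes, msg: bytes, next_commit: bytes) -> bytes:
    """Authenticator over a block, keyed by the step's one-time secret."""
    return hmac.new(secret, msg + next_commit, hashlib.sha256).digest()


class Signer:
    """Sender: commit to message i under X_i, then release X_i one step later."""

    def __init__(self, rng=os.urandom):
        self.rng = rng
        self.x_cur = rng(32)      # X_0
        self.x_next = None        # X_{i+1}, chosen when message i is committed

    def anchor(self) -> bytes:
        """h(X_0): assumed to reach the verifier authentically (out of band)."""
        return h(self.x_cur)

    def commit(self, msg: bytes) -> dict:
        if self.x_next is not None:
            raise RuntimeError("release the previous secret before committing again")
        self.x_next = self.rng(32)
        next_commit = h(self.x_next)                       # one hash computation
        return {"msg": msg, "next": next_commit,
                "tag": tag(self.x_cur, msg, next_commit)}  # and one keyed hash

    def reveal(self) -> bytes:
        """Release X_i; only safe once the commitment has been delivered."""
        if self.x_next is None:
            raise RuntimeError("nothing committed")
        x, self.x_cur, self.x_next = self.x_cur, self.x_next, None
        return x


class Verifier:
    def __init__(self, anchor: bytes):
        self.expect = anchor      # h(X_i) for the step we are waiting for
        self.block = None         # commitment received, secret not yet seen
        self.accepted = []

    def receive_commit(self, block: dict) -> bool:
        if self.block is not None:
            return False          # one outstanding commitment per step
        self.block = block
        return True

    def receive_reveal(self, x: bytes) -> bool:
        block, self.block = self.block, None
        if block is None or h(x) != self.expect:
            return False          # wrong secret, or nothing to check it against
        if not hmac.compare_digest(tag(x, block["msg"], block["next"]), block["tag"]):
            return False          # block altered between commit and reveal
        self.accepted.append(block["msg"])
        self.expect = block["next"]   # the chain moves on to X_{i+1}
        return True


def run_stream(messages):
    """Honest sender and receiver over a clean channel."""
    s = Signer()
    v = Verifier(s.anchor())
    for m in messages:
        v.receive_commit(s.commit(m))
        v.receive_reveal(s.reveal())
    return v.accepted


def altered_message_rejected() -> bool:
    """Attacker changes the message after commit, before the secret is released."""
    s = Signer()
    v = Verifier(s.anchor())
    block = dict(s.commit(b"pay 10"), msg=b"pay 1000")
    v.receive_commit(block)
    return v.receive_reveal(s.reveal())


def stolen_secret_useless() -> bool:
    """Attacker learns X_0 from the reveal and forges a block under it."""
    s = Signer()
    v = Verifier(s.anchor())
    v.receive_commit(s.commit(b"m0"))
    x0 = s.reveal()
    v.receive_reveal(x0)
    bogus_next = h(b"attacker")
    forged = {"msg": b"evil", "next": bogus_next, "tag": tag(x0, b"evil", bogus_next)}
    v.receive_commit(forged)
    return v.receive_reveal(x0)   # verifier now expects h(X_1), not h(X_0)
```

The only cryptographic primitive is a hash, and the security condition is one of ordering: the verifier must hold the commitment before the secret that authenticates it is released. A verifier that cannot establish that ordering for itself needs an outside witness to the time of the commitment, which is the role the timestamping service plays in the paper.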
Robustness of cryptographic protocols

Very many security system failures can be attributed to poorly designed protocols, and this has been of interest to our team for many years. Some relevant papers are:
- API Level Attacks on Embedded Systems describes work done with Mike Bond that has broken most of the commercially available cryptoprocessors using these techniques. The basic idea is that even if a device is physically tamper-proof, it can often be defeated by sending it a suitable sequence of transactions which causes it to leak the key. The upshot is that designers must take a lot more care than at present when designing the APIs of such systems. This line of research originated in an earlier paper of mine, The Correctness of Crypto Transaction Sets, which appeared at Protocols 2000. There's still more in my book.
- Programming Satan's Computer is a phrase coined by Roger Needham and myself to express the problems of designing cryptographic protocols; it has recently been popularised by Bruce Schneier (see, for example, his foreword to my book). The aim is to design programs which run robustly on a network containing a malicious adversary, and this is rather like trying to program a computer which gives subtly wrong answers at the worst possible moments. The paper was written for a general scientific audience, and appeared in Springer's Lecture Notes in Computer Science volume 1000;
- Robustness principles for public key protocols gives a number of attacks on protocols based on public key primitives. It also puts forward some principles which can help us to design robust protocols, and to find attacks on other people's designs. It appeared at Crypto 95;
- The Cocaine Auction Protocol explores how transactions can be conducted between mutually mistrustful principals with no trusted arbitrator, even in environments where anonymous communications make most of the principals untraceable;
- NetCard - A Practical Electronic Cash Scheme presents research on micropayment protocols for use in electronic commerce. We invented tick payments simultaneously with Torben Pedersen and with Ron Rivest and Adi Shamir; we all presented our work at Protocols 96. Our paper discusses how tick payments can be made robust against attacks on either the legacy credit card infrastructure or next generation PKIs. There's more information on this project here;
- The GCHQ Protocol and its Problems points out a number of flaws in a key management protocol widely used in the UK government, and in the French health service. It was promoted by GCHQ as a European alternative to Clipper, until we shot it down with this paper at Eurocrypt 97. Its vulnerabilities allow traceless forgery of government documents and have become a political issue;
- The Formal Verification of a Payment System describes the first use of formal methods to verify an actual payment protocol, one that was (and still is) used in an electronic purse product (VISA's COPAC card). This is the teaching example I use to get the ideas of the BAN logic across to undergraduates. There is further information on the actual system in a technical report, which combines papers that appeared at ESORICS 92 and Cardis 94;
- An Attack on Server Assisted Authentication Protocols appeared in Electronics Letters in 1992. It points out a weakness in a digital signature protocol;
- On Fortifying Key Negotiation Schemes with Poorly Chosen Passwords presents a simple way of achieving the same result as protocols such as EKE, namely preventing middleperson attacks on Diffie-Hellman key exchange between two people whose shared secret could be guessed by the enemy.
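The kind of transaction-sequence attack described under API Level Attacks above is easiest to see on a toy. The following is an added example written for this page; it is not code from the paper and models no particular product. It imitates the control-vector style of key typing used by several commercial cryptoprocessors: a key of type T is stored outside the device encrypted under the master key XORed with a public type constant CV_T, so the type is enforced only by which constant the device XORs in. Every call is sound on its own; the sequence is not. The block cipher is a hash-based stand-in (an assumption of the example) for the 3DES such devices use, the PIN derivation is a simplified model, and all names are the example's own.

```python
import hashlib
import os

N = 32  # toy block and key size in bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(key: bytes, block: bytes) -> bytes:
    """Toy 32-byte block cipher, self-inverse. Stand-in for 3DES; not secure."""
    return xor(block, hashlib.sha256(b"toy-block-cipher|" + key).digest())


def cv(name: str) -> bytes:
    """Control vector: a public constant encoding the key's type."""
    return hashlib.sha256(b"CV|" + name.encode()).digest()


CV_DATA, CV_PIN, CV_KEK, CV_PART = cv("DATA"), cv("PIN"), cv("KEK"), cv("PART")


def derive_pin(pin_key: bytes, account: bytes) -> int:
    """Simplified IBM-3624-style derivation: PIN = f(E(K_pin, account))."""
    return int.from_bytes(E(pin_key, account.ljust(N, b"\0"))[:4], "big") % 10000


class ToyHSM:
    """Keys live outside the device as E(KM xor CV_type, key)."""

    def __init__(self):
        self.km = os.urandom(N)

    def _wrap(self, key, cv_):
        return E(xor(self.km, cv_), key)

    def _unwrap(self, blob, cv_):
        return E(xor(self.km, cv_), blob)

    # Dual control: a key-encrypting key is entered as two XOR parts.
    def key_part_first(self, part):
        return self._wrap(part, CV_PART)

    def key_part_last(self, partial, part):
        return self._wrap(xor(self._unwrap(partial, CV_PART), part), CV_KEK)

    def import_key(self, kek_blob, token, cv_):
        """Token from another bank is E(KEK xor CV_type, key); re-wrap under KM."""
        kek = self._unwrap(kek_blob, CV_KEK)
        return self._wrap(E(xor(kek, cv_), token), cv_)

    def encrypt_data(self, data_blob, plaintext):
        return E(self._unwrap(data_blob, CV_DATA), plaintext)

    def verify_pin(self, pin_blob, account, pin):
        return derive_pin(self._unwrap(pin_blob, CV_PIN), account) == pin


def attack() -> dict:
    """Officer 2 (the attacker) completes the KEK twice: once honestly, once tweaked."""
    hsm = ToyHSM()
    p1, p2 = os.urandom(N), os.urandom(N)
    partial = hsm.key_part_first(p1)            # entered by officer 1
    kek_blob = hsm.key_part_last(partial, p2)   # honest completion: KEK = p1 xor p2
    kek = xor(p1, p2)

    # A PIN key arrives from another bank, wrapped for import as type PIN.
    k_pin = os.urandom(N)
    token = E(xor(kek, CV_PIN), k_pin)
    pin_blob = hsm.import_key(kek_blob, token, CV_PIN)
    account = b"4000123456789010"               # constructed account number
    true_pin = derive_pin(k_pin, account)

    # Re-use officer 1's partial blob with a tweaked second part, giving
    # KEK' = KEK xor CV_PIN xor CV_DATA. Importing the PIN token as type DATA
    # unwraps it under KEK' xor CV_DATA = KEK xor CV_PIN, i.e. correctly, but
    # the device now labels the PIN key as a data key.
    kek_blob2 = hsm.key_part_last(partial, xor(p2, xor(CV_PIN, CV_DATA)))
    data_blob = hsm.import_key(kek_blob2, token, CV_DATA)
    ct = hsm.encrypt_data(data_blob, account.ljust(N, b"\0"))
    leaked_pin = int.from_bytes(ct[:4], "big") % 10000

    return {"true_pin": true_pin, "leaked_pin": leaked_pin,
            "pin_blob_verifies": hsm.verify_pin(pin_blob, account, true_pin)}
```

Nothing here breaks the cipher or opens the device. The attacker needs only the ability to replay one legitimate call (completing a key part) with a chosen input, and the XOR structure of the type binding does the rest. The general lesson of the paper is that an API must be analysed as a whole, as a set of transactions an attacker can compose, rather than call by call.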
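Tick payments, mentioned under NetCard above, rest on a single hash chain: the customer commits once to the root of the chain, and each further payment reveals the next preimage. The following is an added example written for this page and is not the NetCard code. It assumes the root reaches the vendor authentically (in a real scheme it is bound to the customer's credit by the bank or a certificate, a step the example leaves out), uses SHA-256 as the hash, and the class names and the demonstration scenario are the example's own.

```python
import hashlib
import os


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_chain(seed: bytes, n: int) -> list:
    """w_n = seed, w_{i-1} = h(w_i). Returns [w_0, ..., w_n]; w_0 is the root."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    chain.reverse()
    return chain


class Customer:
    def __init__(self, n_ticks: int, seed: bytes = None):
        self.chain = make_chain(seed or os.urandom(32), n_ticks)
        self.spent = 0

    def root(self) -> bytes:
        return self.chain[0]          # handed to the vendor before paying

    def pay(self, k: int = 1) -> tuple:
        """Spend k ticks at once by revealing w_{spent+k}."""
        if k < 1 or self.spent + k >= len(self.chain):
            raise ValueError("chain exhausted")
        self.spent += k
        return self.chain[self.spent], k


class Vendor:
    def __init__(self, root: bytes, n_ticks: int):
        self.last = root
        self.count = 0
        self.limit = n_ticks

    def accept(self, token: bytes, k: int) -> bool:
        """A token worth k ticks must hash k times back to the last accepted one."""
        if k < 1 or self.count + k > self.limit:
            return False
        w = token
        for _ in range(k):
            w = h(w)
        if w != self.last:
            return False
        self.last, self.count = token, self.count + k
        return True


def demo() -> dict:
    cust = Customer(n_ticks=10)
    vend = Vendor(cust.root(), n_ticks=10)
    singles = [vend.accept(*cust.pay()) for _ in range(3)]   # three 1-tick payments
    batch = vend.accept(*cust.pay(5))                         # one 5-tick payment
    replay = vend.accept(cust.chain[8], 1)                    # w_8 again: not a preimage of w_8
    forged = vend.accept(os.urandom(32), 1)                   # random token
    skip = vend.accept(cust.chain[10], 1)                     # w_10 claimed as 1 tick: h(w_10) != w_8
    rest = vend.accept(*cust.pay(2))                          # w_10 for 2 ticks, correctly
    try:
        cust.pay()
        overspend = "accepted"
    except ValueError:
        overspend = "refused"
    return {"singles": singles, "batch": batch, "replay": replay, "forged": forged,
            "skip": skip, "rest": rest, "overspend": overspend, "collected": vend.count}
```

The vendor's check costs one hash per tick and no public-key operation at all; that is what makes the scheme fit for sub-cent payments. What it does not give the vendor is protection against the customer spending the same chain at two vendors, which is why the root has to be tied to a party who will settle for it.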
Analysis and design of cryptographic algorithms

From September 97 to June 98, I worked with Eli Biham and Lars Knudsen to develop a candidate block cipher for the Advanced Encryption Standard. Our algorithm, called Serpent, won through to the final of the AES competition. It is now in the public domain; the papers describing it, as well as implementations in a number of languages, may be downloaded from the Serpent home page. Other papers on cryptography and cryptanalysis include:
- Two Remarks on Public Key Cryptology is a note on two ideas I floated at talks I gave in 1997-98, concerning forward-secure signatures and compatible weak keys. The first of these has inspired some research by others; the second gives a new attack on public key encryption systems. I've been asked by several people to write these up, and I finally got round to it once my book had shipped to the publishers!
- Two Practical and Provably Secure Block Ciphers: BEAR and LION shows how to construct a provably secure block cipher from a stream cipher and a hash function. It had previously been known how to construct stream ciphers and hash functions from block ciphers, and hash functions from stream ciphers; so our constructions complete the set of elementary reductions. They may also be of practical value, as they provide fast and strong block ciphers whose block sizes are large and variable;
- Tiger - A Fast New Hash Function defines a new hash function, which we designed following Hans Dobbertin's attack on MD4. This was designed to run extremely fast on the new 64-bit processors such as DEC Alpha and IA64, while still running reasonably quickly on existing hardware such as Intel 80486 and Pentium (the above link is to the Tiger home page, maintained in Haifa by Eli Biham; if the network is slow, see my UK mirrors of the Tiger paper, new and old reference implementations (the change fixes a padding bug) and S-box generation documents. There are also third-party crypto toolkits supporting Tiger, such as that from Bouncy Castle);
- Minding your p's and q's points out a number of things that can go wrong with the choice of modulus and generator in public key systems based on discrete log. It elucidated much of the previously classified reasoning behind the design of the US Digital Signature Algorithm, and appeared at Asiacrypt 96;
- Chameleon - A New Kind of Stream Cipher shows how to do traitor tracing using symmetric rather than public key cryptology. The idea is to turn a stream cipher into one with reduced key diffusion, but without compromising security. The effect is that a single broadcast ciphertext is decrypted to slightly different plaintexts by users with slightly different keys. Thus users who re-sell their copy of the plaintext in contravention of a licence agreement can be traced. This paper appeared at the fourth workshop on Fast Software Encryption in Haifa in January 1997;
- Searching for the Optimum Correlation Attack appeared at the second workshop on fast software encryption. It shows that nonlinear combining functions used in nonlinear filter generators can react with shifted copies of themselves in a way that opens up a new and powerful attack on many cipher systems;
- The Classification of Hash Functions appeared at Cirencester 93. It proves that correlation freedom is strictly stronger than collision freedom, and shows that there are many other pseudorandomness properties other than collision freedom which hash functions may need;
- A Faster Attack on Certain Stream Ciphers shows how to break the multiplex shift register generator, which is used in satellite TV systems. I found a simple divide-and-conquer attack on this system in the mid 1980's, a discovery that got me `hooked' on cryptology. This paper is a recent refinement of that work;
- On Fibonacci Keystream Generators appeared at FSE3, and shows how to break `FISH', a stream cipher proposed by Siemens. It also proposes an improved cipher, `PIKE', based on the same general mechanisms.
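The BEAR and LION constructions above take a stream cipher S and a hash function H and build an unbalanced three-round Feistel-style block cipher with a large, variable block: the first k bits (the hash length) form the left half and the rest form the right half. As an added example, not code from the paper, here are both constructions in Python. The three-round structure follows the paper's description; the instantiations are this example's choice so that it runs offline: SHA-256 as H (keyed through HMAC where BEAR needs a keyed hash) and SHA-256 in counter mode as a stand-in for S. The helper names and the test keys are the example's own.

```python
import hashlib
import hmac

K = 32  # hash output length in bytes; also the size of the left half


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def H_keyed(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def S(seed: bytes, n: int) -> bytes:
    """Stream cipher stand-in: SHA-256 in counter mode, keyed by a k-byte seed."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split(block: bytes) -> tuple:
    if len(block) <= K:
        raise ValueError("block must be longer than the hash output")
    return block[:K], block[K:]


def lion_encrypt(k1: bytes, k2: bytes, block: bytes) -> bytes:
    L, R = split(block)
    R = xor(R, S(xor(L, k1), len(R)))   # round 1: stream cipher keyed by L xor K1
    L = xor(L, H(R))                     # round 2: unkeyed hash of the new R
    R = xor(R, S(xor(L, k2), len(R)))   # round 3: stream cipher keyed by L xor K2
    return L + R


def lion_decrypt(k1: bytes, k2: bytes, block: bytes) -> bytes:
    L, R = split(block)
    R = xor(R, S(xor(L, k2), len(R)))   # rounds undone in reverse order
    L = xor(L, H(R))
    R = xor(R, S(xor(L, k1), len(R)))
    return L + R


def bear_encrypt(k1: bytes, k2: bytes, block: bytes) -> bytes:
    L, R = split(block)
    L = xor(L, H_keyed(k1, R))           # round 1: keyed hash of R
    R = xor(R, S(L, len(R)))             # round 2: stream cipher keyed by L
    L = xor(L, H_keyed(k2, R))           # round 3: keyed hash of the new R
    return L + R


def bear_decrypt(k1: bytes, k2: bytes, block: bytes) -> bytes:
    L, R = split(block)
    L = xor(L, H_keyed(k2, R))
    R = xor(R, S(L, len(R)))
    L = xor(L, H_keyed(k1, R))
    return L + R


def roundtrip_ok(encrypt, decrypt, block: bytes) -> bool:
    k1, k2 = H(b"key one"), H(b"key two")   # constructed example keys
    c = encrypt(k1, k2, block)
    return len(c) == len(block) and c != block and decrypt(k1, k2, c) == block


def avalanche(encrypt, block: bytes) -> tuple:
    """Bytes of each half that change when one plaintext bit is flipped."""
    k1, k2 = H(b"key one"), H(b"key two")
    c1 = encrypt(k1, k2, block)
    c2 = encrypt(k1, k2, bytes([block[0] ^ 1]) + block[1:])
    d = [a != b for a, b in zip(c1, c2)]
    return sum(d[:K]), sum(d[K:])
```

Decryption simply runs the three rounds backwards, swapping the roles of K1 and K2, which is why the block can be as long as you like: the cost is one hash and two stream-cipher passes over the data for LION, or two hashes and one pass for BEAR. The avalanche helper shows the property a block cipher must have and a bare stream cipher lacks: a one-bit change in the plaintext changes essentially every byte of both halves of the ciphertext.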
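Minding your p's and q's, above, is about what goes wrong when a discrete-log parameter set is chosen carelessly or maliciously. The checks a verifier should run before trusting a parameter set (p, q, g) and a public key y are short enough to show in full. This is an added example written for this page, not code from the paper: the rules it enforces (q prime and dividing p-1, g of order exactly q, y inside the order-q subgroup) are the standard DSA-style ones, the primality test is Miller-Rabin with fixed bases, and the toy numbers in the self-test are constructed for illustration.

```python
def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: deterministic below about 3.3e24, probabilistic above."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_dl_params(p: int, q: int, g: int, min_q_bits: int = 160) -> tuple:
    """Return (ok, reason) for a DSA/Schnorr-style parameter set (p, q, g)."""
    if not is_probable_prime(p):
        return False, "p is not prime"
    if not is_probable_prime(q):
        return False, "q is not prime, so the subgroup order has small factors"
    if q.bit_length() < min_q_bits:
        return False, "q too small: discrete logs in the subgroup are cheap"
    if (p - 1) % q != 0:
        return False, "q does not divide p-1, so no subgroup of order q exists"
    if not 1 < g < p - 1:
        return False, "g is trivial (1 or p-1)"
    if pow(g, q, p) != 1:
        return False, "g does not have order q"
    return True, "ok"


def validate_public_key(p: int, q: int, y: int) -> tuple:
    """A public key must lie in the order-q subgroup: 1 < y < p-1 and y^q = 1 (mod p)."""
    if not 1 < y < p - 1:
        return False, "y is trivial"
    if pow(y, q, p) != 1:
        return False, "y is outside the order-q subgroup (small-subgroup key)"
    return True, "ok"


def self_test() -> dict:
    """Constructed toy parameters: p = 23, q = 11, and g = 4 has order 11 mod 23."""
    p, q, g = 23, 11, 4
    return {
        "good": validate_dl_params(p, q, g, min_q_bits=0)[0],
        "g_order_2": validate_dl_params(p, q, 22, min_q_bits=0)[0],   # 22 = -1 mod 23
        "q_not_dividing": validate_dl_params(p, 5, g, min_q_bits=0)[0],
        "q_too_small": validate_dl_params(p, q, g)[0],                 # default 160-bit floor
        "key_in_subgroup": validate_public_key(p, q, pow(g, 7, p))[0],
        "key_small_subgroup": validate_public_key(p, q, 22)[0],
    }
```

These checks catch malformed parameters and keys of small order, which is what lets a party force a shared secret into a small subgroup. What they cannot catch is a modulus whose structure makes the discrete log secretly easy for whoever chose it; the defence there is to generate parameters from a published seed so that anyone can check they were not cooked, which is the practice the DSA standard adopted.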
Information hiding (including Soft Tempest)

Over the last few years, I have done a lot of work on information hiding.
- A lot of people in Hollywood are hoping to implement copyright marking systems to control the copying of videos, music, pictures and computer games. This came dramatically to public attention when a paper that showed how to break the DVD/SDMI copyright marking scheme was pulled by its authors from Information Hiding 2001, in Pittsburgh, following legal threats from Hollywood. Curiously, the chosen technique - echo hiding - was among a number that we broke in 1997. The attack is reported in our paper Attacks on copyright marking systems, which we published at the 1998 Info Hiding workshop. We also wrote a survey paper on information hiding, which is probably a good place to start if you're new to the field. The civil liberties implications of the current drive by Hollywood for total usage control of all digital media could be severe, so perhaps it is better that they have turned out to be technically incompetent. Anyway, there is much more about information hiding on the web page of my former student Fabien Petitcolas.
- Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations must be one of the more newsworthy papers I've published in the last few years. It is well known that eavesdroppers can reconstruct video screen content from radio frequency emanations; up till now, preventing such Tempest attacks was seen as an RF engineering task, involving shielding, jammers and so on. However, we developed techniques that enable the software on a computer to control the electromagnetic radiation it emanates. This can be used for both attack and defence. To attack a system, malicious code can hide stolen information in the machine's Tempest emanations and optimise them for some combination of reception range, receiver cost and covertness. To defend a system, a trusted screen driver can display sensitive information using fonts which minimise the energy of RF emanations. This technology is now fielded in PGP (from 6.0.2) and in other security products. You can download a set of Tempest fonts from here.
- There is a followup paper on the costs and benefits of Soft Tempest in military environments, which appeared at NATO's 1999 RTO meeting on infosec, while an earlier version of our main paper, which received considerable publicity, is available here. Finally, there's some attack software here, software you can use to play your MP3s over the radio here, a press article here and information on more recent optical tempest attacks here.
- Another novel application of information hiding is the Steganographic File System. This has the property that it will give you any file whose name and password you know, but if you do not know the correct password, you cannot even tell that a file of that name exists in the system! This is a much stronger protection property than conventional multilevel security, and its main function is to protect users against coercion. Two of our students implemented SFS for Linux: a paper describing the details is here, while the code is available here.
- The threat by some governments to ban cryptography has led to a surge of interest in steganography - the art of hiding messages in other messages. Our paper On The Limits of Steganography explores what can and can't be done; it appeared in a special issue of IEEE JSAC. It is an extended version of Stretching the Limits of Steganography, which appeared at the first international workshop on Information Hiding, whose proceedings are here. I have also compiled a bibliography of the subject which is now maintained by Fabien Petitcolas.
- The Newton Channel settles a conjecture of Simmons by exhibiting a high bandwidth subliminal channel in the ElGamal signature scheme. It appeared at Info Hiding 96.
Reliability of security systems

I have been interested for many years in studying how computer security systems fail in real life. This is a prerequisite for building robust secure systems; many security designs are poor because they are based on unrealistic threat models. This work began with a study of automatic teller machine fraud, and then expanded to other applications as well. It now provides the central theme of my book. Relevant papers include:
- The recent row about Palladium and TCPA was sparked by a paper I presented on the security issues relating to open source and free software at a conference on Open Source Software Economics in Toulouse on the 20th June. This paper has two parts. Firstly, I show that the usual argument about open source security - whether source access makes it easier for the defenders to find and fix bugs, or makes it easier for the attackers to find and exploit them - is misdirected. Under standard assumptions used by the reliability growth modelling community, the two will exactly cancel each other out. That means that whether open or closed systems are more secure in a given situation will depend on whether, and how, the application deviates from the standard assumptions. Secondly, the paper draws attention to the fact that the Trusted Computing Platform Alliance (TCPA), which claims to be making the next generation PC more secure, is actually making it more secure for the PC and software vendors rather than for the users. TCPA also poses a direct threat to the free and open source software community, for reasons that have to do with economics at least as much as technology. I therefore believe that the open source security economics debate should focus on this topic instead. (This paper got extensive press coverage; see for example the New York Times, slashdot and news.com.) The followup in The Register sets out some of the implications for free software that I discussed at the conference.
I am sure that there will be much more to follow.
- The modern study of the interaction between security and economics was initiated by a paper I presented on Why Information Security is Hard - An Economic Perspective at the Applications Security conference in December 2001, and also as an invited talk at SOSP 2001. For more, see the Economics and Security Resource page.
- We have developed a new, much more secure, CPU for use in smartcards and similar products. It uses self-timed dual-rail logic to make it much harder for an opponent to perform attacks based on power analysis or fault induction. The latest journal paper on this technology, with very positive recent test results, is here. Our first paper on this technology won the best presentation award at Async 2002. This work was funded by the EU G3Card project.
- Our classic paper on hardware security, Tamper Resistance - A Cautionary Note, describes how to penetrate the smartcards and secure microcontrollers of the mid-1990s. It won the Best Paper award at the 1996 Usenix Electronic Commerce Workshop and caused a lot of controversy. Our second paper on this subject was Low Cost Attacks on Tamper Resistant Devices, which describes a number of techniques that low budget attackers can use. The arms race continues, and low-cost attacks based on optical probing were unveiled at the Oakland conference on the 15th May. These use the idea that by shining a laser on a selected transistor in an IC, we can induce a fault of our choosing; we can write arbitrary values into registers or memory, reset protection bits, break out of loops, and cause all sorts of mayhem. See also the home page of our hardware security laboratory which brings together our smartcard and Tempest work, and our page of links to relevant off-site resources;
- Why Cryptosystems Fail has probably been more widely cited than anything else I've written. This version appeared at ACMCCS 93 and goes into the technical aspects of how frauds on ATMs are carried out. We found that almost all failures were due to outright blunders in design and administration. This work did a lot to demolish the banking industry claim that these systems were `infallible', and that any customers who complained about `phantom withdrawals' must be mistaken or lying. Liability and Computer Security - Nine Principles takes this work further. It appeared at ESORICS 94, and examines the problems with relying on cryptographic evidence. Most designers did not realise that to be usable in court, their systems would have to withstand the scrutiny of hostile expert witnesses;
- On the Reliability of Electronic Payment Systems is another of the papers that follow naturally from working on ATMs. It looks at the reliability of prepayment electricity meters, and appeared in the May 1996 issue of the IEEE Transactions on Software Engineering. An earlier version, entitled Cryptographic Credit Control in Pre-Payment Metering Systems, appeared at the 1995 IEEE Symposium on Security and Privacy. Another paper on this subject is The design of future pre-payment systems, which appeared at MATES 96 and discussed how we could build a robust payment infrastructure to support utility networking in the UK after deregulation;
- On the Security of Digital Tachographs looks at the techniques used to manipulate the tachographs that are used in Europe to police truck and bus drivers' hours, and tries to predict the effect of the planned introduction of smartcard-based digital tachographs throughout Europe from the year 2000. This work was done for the Department of the Environment, Transport and the Regions;
- How to Cheat at the Lottery is a paper reporting a novel and, I hope, entertaining experiment in software requirements engineering. The lessons it teaches have the potential to cut the cost of developing safety critical and security critical software, and also to reduce the likelihood that specification errors will lead to disastrous failures;
- The Grenade Timer describes a novel way to protect low-cost processors against denial of service attacks, by limiting the number of processing cycles which an application program can consume;
- The Millennium Bug - Reasons Not to Panic describes our experience in coping with the bug at Cambridge University and elsewhere. This paper correctly predicted that the bug wouldn't bite very hard. (Journalists were not interested, despite a major press release by the University.)
- The Memorability and Security of Passwords -- Some Empirical Results tackles an old problem - how do you train users to choose passwords that are easy to remember but hard to guess? There's a lot of `folk wisdom' on this subject but little that would pass muster by the standards of applied psychology. So we did a randomized controlled trial with a few hundred of our first year science students. While we confirmed some common beliefs, we debunked some others;
- Murphy's law, the fitness of evolving species, and the limits of software reliability shows how we can apply the techniques of statistical thermodynamics to the failure modes of any complex logical system that evolves under testing. It provides a common mathematical model for the reliability growth of complex computer systems and for biological evolution. Its findings are in close agreement with empirical data.
Security of Medical Information Systems

Reliability leads naturally to medical informatics, a subject in which I've worked off and on over the years. Britain's Parliament has just passed some regulations on patient privacy that are far from satisfactory. For example, they compel doctors to give the government copies of all medical records relating to infectious disease and cancer. This is the thin end of the wedge; I expect other medical conditions will follow in future regulations. The regulations are made under a recent Act that was rushed through in the shadow of the last election and that gives ministers powers to nationalise personal health information. It tilts the balance of power in medical informatics very sharply away from patients and practicing doctors, and towards non-clinical users of personal health information such as drug companies and NHS administrators. This is bound to have a chilling effect. The regulations appear to breach the Declaration of Helsinki on ethical principles for medical research, and contravene the Council of Europe recommendation no R(97)5 on the protection of medical data, to which Britain is a signatory. There is a list of some more of the problems here, and a letter we've written to the BMJ here. For the background to all this, the best source may be an editorial from the British Medical Journal. There is a discussion paper on the problems that the bill could cause for medical and other researchers, and an impact analysis commissioned by the Nuffield Trust. See also the Campaign for Medical Privacy site on the bill; the article in the Observer that brought this issue to public attention; a leader in the New Statesman; an article in The Register; a letter to the editor of the Times written by senior doctors; and the reports of the Parliamentary debate on the original bill in the Commons and the Lords. See also the archive of a mailing list set up for the purpose. You can subscribe to the list here.
The Department of Health justified its data grab by the claim that it was needed for cancer registries: yet cancer researchers in many other countries don't think so. A report on how things are done in British Columbia can be found here; for a more detailed example, see a paper by Bernd Blobel that describes how Germany deals with the problem. After reunification, it was found that the old East German cancer registry, although useful for research, was a privacy nightmare (it had also been used as a data source by the Stasi). The techniques they used to fix the problem in Germany, and in British Columbia, and in New Zealand, and in Switzerland, and elsewhere, could be applied perfectly well in the UK. The current status of the German solution is further described in a recent paper from the European Journal of Medical Research, and there will be still more appearing in the Journal of Medical Informatics this summer.

In the past, I advised a number of organisations (including the British and Icelandic Medical Associations) on the safety and privacy of medical information. We have been concerned for years that the careless introduction of computer systems is eroding the confidentiality which patients rightly expect from their doctors, and may in some cases even endanger patient safety. This has become a hot topic in many countries other than the UK. Some relevant papers are:

- Security in Clinical Information Systems was published by the British Medical Association in January 1996. It sets out a number of rules that are designed to uphold the principle of patient consent and to be independent of the details of specific equipment. It was the medical profession's response to creeping infringement of patient privacy by NHS computer systems, and the foundation for much of the later work;
- An Update on the BMA Security Policy - which also appeared at the 1996 workshop - tells the story of the struggle between the BMA and the government, including the origins and development of the BMA security policy and guidelines. The heart of the issue was the government's plan to set up a series of central databases that will contain large amounts of information on the health and treatment of identifiable individuals, and which are outside the control of both patients and clinicians;
- There are comments made at NISSC 98 on the healthcare protection profiles being developed by NIST for the DHHS to use in regulating health information systems privacy. These make a number of mistaken assumptions about the kinds of threats to which medical systems are exposed and the kinds of protection mechanisms that are appropriate;
- Remarks on the Caldicott Report raises a number of issues about current policy, and particularly the wisdom of introducing the NHS number tracing service - the first accurate and up-to-date database of the whereabouts of every adult and child in Britain. This database will be open to large numbers of people in the health service, and the potential for abuse - for example, by private detectives, stalkers, organised criminals and foreign intelligence agencies - is considerable. It can also be used to re-identify the supposedly de-identified data used in medical research and administration;
- Information technology in medical practice: safety and privacy lessons from the United Kingdom provides a high-level overview of the safety and privacy problems we have encountered in UK healthcare computing over the last few years. It appeared in the Australian Medical Journal;
- The DeCODE Proposal for an Icelandic Health Database analyses a controversial proposal to collect all Icelanders' medical records into a single central database that will support genetic and other research, as well as health service management functions. We concluded in 1998 that the proposed controls are inadequate, and this has led to ongoing controversy. I also wrote an analysis of security targets prepared under the Common Criteria for the evaluation of this database. For more, see BMJ correspondence, the Icelandic organisation leading opposition to the database, Skuli Sigurdsson's bibliography and an article by Einar Arnason;
- Clinical System Security - Interim Guidelines appeared in the British Medical Journal on 13th January 1996. It advises doctors and other healthcare professionals on the security measures that it is prudent to take to counter known threats to clinical data, pending implementation of the security policy;
- A Security Policy Model for Clinical Information Systems appeared at the 1996 IEEE Symposium on Security and Privacy. It presents our policy model to the computer security community;
- NHS Wide Networking and Patient Confidentiality appeared in the British Medical Journal in July 1995 and set out our objections to the government's health network proposals;
- Patient Confidentiality --- At Risk from NHS Wide Networking goes into somewhat more detail, particularly on the security policy aspects. It was presented at Health Care 96;
- Problems with the NHS Cryptography Strategy points out a number of errors in, and ethically unacceptable consequences of, a report on cryptography produced for the Department of Health. These comments formed the BMA's response to that report.
An important recent paper is Privacy in clinical information systems in secondary care which describes a hospital system that implements the BMA security policy. The main government objection to our policy was `it'll never work in hospitals'; this system, which is now running in Hastings, Aintree and Exeter, shows that hospital systems can indeed be made secure. It is described in more detail in a special issue of the Health Informatics Journal on data security, confidentiality and safety (v 4 nos 3-4, Dec 1998) which I edited. The same issue also contains a paper on Protecting Doctors' Identity in Drug Prescription Analysis which describes a system designed to de-identify prescription data properly for commercial use. This system led to the recent `Source Informatics' court case. The UK government tried to discourage its owner, Source Informatics, from promoting it; it would have competed with much less privacy-friendly government systems. The government lost: the Court of Appeal decided that personal health information can be used for research and other secondary purposes without the informed consent of patients, but provided that the de-identification is done competently. This upset the civil service who saw it as a threat to their control of information, and was one of the motivators for the new health bill. Bill Lowrance wrote a good survey for the US Department of Health and Human Services of the potential for using de-identified data to protect patient privacy in medical research, while a report by the US General Accounting Office shows how de-identified records are handled much better by Medicare than by the NHS. For information on what's happening in the German speaking world, see Andreas von Heydwolff's web site.
Activist resources include the US med-privacy mailing list archives; the US web sites run by Citizens for Choice in Health Care and Georgetown University (the latter has a comprehensive survey of US health privacy laws); the report from the US National Academy of Sciences entitled For the Record: Protecting Electronic Health Information and a survey of US patient attitudes. The Health Insurance Portability and Accountability Act there has stirred up quite a lot of debate about what sort of regulations should be enacted under it. Other resources include a report by the US Office of Technology Assessment, Gerrit Bleumer's European project links, and web pages by The Coalition for Patient Rights, EPIC, CPT and the Institute for Health Freedom.
Public policy issues

I chair the Foundation for Information Policy Research, which I helped set up in 1998. This body is concerned with promoting research and educating the public in such topics as the interaction between computing and the law, and the social effects of IT. We are not a lobby group; our enemy is ignorance rather than the government of the day, and one of our main activities is providing accurate and neutral briefing for politicians and members of the press.

FIPR's most spectacular recent success was amending the Export Bill. This bill was designed to give ministers the power to license intangible exports. It was the result of lobbying by the USA, and specifically by Al Gore, of Tony Blair in 1997; Al was sore at the fact that guys like me could put crypto source code on our web pages, while our US colleagues weren't allowed to. In its original form, its provisions were so broad that it would have given ministers the power of pre-publication review of scientific papers. Some of the material on this web page would have had to be removed if they had got it through. But they didn't; we defeated the Government in the House of Lords by 150-108, following a vigorous campaign. (Here are links to some of the press coverage: in the BBC, the Independent, the New Scientist, the Guardian and the Economist.) There is also an article on free speech I wrote and that appeared in IEEE Computing. But the best quote I have is also the earliest. The first book written on cryptology in English, by Bishop John Wilkins in 1641, remarked that `If all those useful Inventions that are liable to abuse, should therefore be concealed, there is not any Art or Science which might be lawfully profest'.

FIPR's contribution over the last four years includes a successful campaign to limit the scope of the Regulation of Investigatory Powers Act. Originally this would have allowed the police to obtain, without warrant, a complete history of everyone's web browsing activity (under the rubric of `communications data'); a FIPR amendment limited this to the identity of the machines involved in a communication, rather than the actual web pages. Another example of first-class work by FIPR is a research project that brought together legal and computing skills to deconstruct the fashionable notion that `digital certificates' would solve the problems of e-commerce and e-government. Anyone who thinks of buying such a beast, other than for purposes of research or ridicule, should have a look at this article first.

John Curran said in 1790: ``The condition upon which God hath given liberty to man is eternal vigilance; which condition if he break, servitude is at once the consequence of his crime, and the punishment of his guilt''. My small contributions to keeping the flames of art, science and liberty alight include a number of technical writings:

- The public-interest issue on which I'm getting the most email at present is `trusted computing'. My TCPA / Palladium FAQ analyses this new Intel/Microsoft initiative to install digital rights management hardware in your PC. It will please Hollywood by making it hard to pirate music and videos; it will please Microsoft by making it hard to pirate software - `getting the Chinese to pay for software' has long been an obsession with Bill. But the proposed mechanisms could have very disturbing consequences for privacy, censorship, and innovation.
- The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption has become perhaps the most widely cited publication on the topic of key escrow. It examines the fundamental properties of current government requirements for access to keys and attempts to outline the technical risks, costs, and implications of deploying systems that would satisfy them. It was originally presented as testimony to the US Senate, and then also to the Trade and Industry Committee of the UK House of Commons, together with some further testimony.
- Comments on Terrorism presents a brief critique of why many of the technical measures that various people have been trying to sell since the 11th September attacks are unlikely to work as promised;
- The Global Trust Register is a book which contains the fingerprints of the world's most important public keys. It thus implements a top-level certification authority (CA) using paper and ink rather than in an electronic system. It provides the missing link in the global CA hierarchy, and has been a useful vehicle for research into certification issues. Its relevance to the crypto policy debate is that if the DTI had pushed through their original policy on mandatory licensing of cryptographic services, this book would have been banned in the UK. At a critical point in the lobbying, it enabled me to visit the Culture Secretary and ask why his government wanted to ban my book. This got crypto policy referred to Cabinet when otherwise it would have been pushed through by the civil servants;
- The Steganographic File System will give you any file whose name and password you know, but if you do not know the correct password, you cannot even tell that a file of that name exists in the system. It is designed to give a high level of protection against seizure of keys and data as envisaged by the RIP bill. Download the code from here.
- The GCHQ Protocol and its Problems points out a number of serious defects in the protocol that the British government uses to secure its electronic mail, and which it is trying to arm-twist other organisations into using too. This paper appeared at Eurocrypt 97 and it incorporates our replies to GCHQ's response to an earlier version of our paper. Our analysis prevented the protocol from being widely adopted throughout Europe, as the forces of darkness hoped; as far as I know, its only use outside the UK public sector is in the French health service. Its use even in the UK is now under attack as its escrow of signing keys makes the retrospective forgery of government documents easy, thus undermining the Freedom of Information Act;
- Crypto in Europe - Markets, Law and Policy surveys the uses of cryptography in Europe, looks at the technical and legal threats, and discusses the shortcomings of public policy. It appeared at the Conference on Cryptographic Policy and Algorithms, Queensland, July 1995. In it, I first pointed out that law enforcement communications intelligence was mostly about traffic analysis - finding out who was talking to whom - and criminal communications security was mostly traffic security. This was considered heretical at the time but has been confirmed since by the emergence of the prepaid mobile phone as the main threat to police communications intelligence.
- A consultation document from the Foundation for Information Policy Research which makes some interesting comments on multifunction smartcards. It was written in response to a CCTA consultation on smartcards.
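The property the Steganographic File System entry above claims (a file is recoverable only by someone who knows its name and password, and nobody else can tell whether it exists) can be shown in a toy model. This is an added illustration, not the downloadable code the page links to, and it stands in a simplified construction for the paper's design: block positions and a keystream are derived from the (name, password) pair, the store starts out as random bytes, and all names (new_store, put, get, BLOCK, NBLOCKS) are assumptions of this example.

```python
import hashlib, hmac, secrets

BLOCK = 32       # bytes per block
NBLOCKS = 4096   # store size; a power of two (see _slot). Unused blocks stay random.

def new_store() -> bytearray:
    # A fresh store is all random bytes, so writing a file does not change its appearance.
    return bytearray(secrets.token_bytes(BLOCK * NBLOCKS))

def _key(name: str, password: str) -> bytes:
    # The only secret is derived from the (name, password) pair; no directory is kept.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), name.encode(), 50_000)

def _prf(key: bytes, label: bytes, i: int) -> bytes:
    return hmac.digest(key, label + i.to_bytes(4, "big"), "sha256")

def _slot(key: bytes, i: int) -> int:
    # Keyed arithmetic progression: with NBLOCKS a power of two and an odd step, a file's
    # own blocks never collide. Without the key the positions are just some subset of the store.
    base = int.from_bytes(_prf(key, b"base", 0), "big") % NBLOCKS
    step = int.from_bytes(_prf(key, b"step", 0), "big") | 1
    return (base + i * step) % NBLOCKS

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def put(store: bytearray, name: str, password: str, data: bytes) -> None:
    """Write data under (name, password). Block 0 holds the length and a MAC that only the
    key holder can verify. Collisions between different files are not handled in this toy."""
    key = _key(name, password)
    header = len(data).to_bytes(4, "big") + hmac.digest(key, data, "sha256")[:BLOCK - 4]
    chunks = [header] + [data[j:j + BLOCK].ljust(BLOCK, b"\0") for j in range(0, len(data), BLOCK)]
    for i, chunk in enumerate(chunks):
        s = _slot(key, i) * BLOCK
        store[s:s + BLOCK] = _xor(chunk, _prf(key, b"pad", i)[:BLOCK])

def get(store: bytearray, name: str, password: str):
    """Return the file, or None when it is absent or the password is wrong; the two cases
    are indistinguishable, which is the steganographic property."""
    key = _key(name, password)
    def block(i: int) -> bytes:
        s = _slot(key, i) * BLOCK
        return _xor(bytes(store[s:s + BLOCK]), _prf(key, b"pad", i)[:BLOCK])
    header = block(0)
    length = int.from_bytes(header[:4], "big")
    if length > (NBLOCKS - 1) * BLOCK:   # garbage header: cannot be a real file
        return None
    data = b"".join(block(i) for i in range(1, -(-length // BLOCK) + 1))[:length]
    tag = hmac.digest(key, data, "sha256")[:BLOCK - 4]
    return data if hmac.compare_digest(tag, header[4:]) else None
```

A caller holding the right name and password gets the bytes back; any other caller gets None whether or not the file was ever written, and the store looks like random fill either way.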