Where in the Cloud am I?

04.05.2009 by Tim Cole

Recently, at a press briefing by German IBM boss Stefan Jetter who waxed enthusiastic about Cloud Computing, an elderly journalist rose and asked him a show-stopper: “Where are my data when they’re out there in the Cloud?” Jetter did a double take, but my colleague pressed on: “I mean, physically, where are they?”

Of course, the answer is: on some nameless server somewhere, anywhere in a grid farm in Ohio or Dublin or… In fact, the usual answer is: Who cares?

Well, for one, the German privacy protection agencies do. Passing data across national boundaries can be a federal offense, and not only here. The EU Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) mandates that personal data may only be transferred to a third country if that country provides an adequate level of protection – something the U.S., just to name one, does not, at least not according to European standards, especially since foreigners do not benefit from the US Privacy Act of 1974.



The Digital Knee

05.04.2009 by Tim Cole

Since “Minority Report”, where Tom Cruise toted a squishy bag full of spare eyeballs around to hold up in front of iris scanners, thus fooling the access systems, biometrics has been a buzzword, if only a minor one, but it has failed to catch on in a meaningful way. A few years back I speculated that this is because every existing biometric method has serious drawbacks. Fingerprints fade as you grow older, and some people don’t have any because they are afflicted with a rare disease called “Naegeli syndrome” or dermatopathia pigmentosa reticularis (DPR) that can cause vexing social problems. Recently, two identical twins were indicted for robbing the department store KdW in Berlin, but had to be released when the authorities found that it was impossible to determine which of them had actually done the heist, since they share the same DNA. And many people instinctively refuse to put their eye to an iris scanner because they worry that they may be blinded by a flash of light from a malfunctioning machine.



A German’s Hard Disk Is His Castle

29.02.2008 by Tim Cole

Germans became the best-protected users of computers and the Internet today when the Federal Constitutional Court set out strict rules for government agencies anxious to spy on their hard disks. The decision was widely viewed as a slap in the face for Wolfgang Schaeuble, the hard-liner Interior Minister who has been proposing that law enforcement agencies be given broad powers to monitor the computers and e-mails of suspects on their own authority. No, the court said, you have to ask a judge first. And if during the course of an authorized surveillance the police also happen to stumble across highly personal data, then it is their obligation to erase it “immediately”.

Surprisingly, German turns out to be a rather imprecise language. Forget their perfectionist image: “unverzueglich”, the word used in the court decision, can also mean “promptly”, “unhesitatingly” or even “instantaneously”, depending on context. So that leaves the cops quite a bit of leeway and doesn’t exactly please the digital rights crowd, either. Still, better than nothing, supporters say. Especially since the court also severely limited the use of one of Schaeuble’s favourite high-tech toys, the so-called “Bundes-Trojaner”, or “federal Trojan”; a piece of software allegedly under development at the BND, the German equivalent of the FBI, and designed to sniff out suspicious correspondence between terrorists. Never mind that nobody seems to have figured out how to sneak the state-sponsored malware past a simple virus detector, much less how to get the bad guys to click on the self-extracting application. And never mind that nobody in the Berlin government seems to have heard of PGP or other easily available encryption tools.

The historical dimension, if there is one, lies in the high court’s recognition of the individual’s basic right to being able to use a computer without fear of being observed. Collecting data stored or exchanged on a personal computer “directly encroaches on a citizen’s rights”, the judges decreed, given that fear of state-sponsored snooping could prevent “unselfconscious personal communication” which they deem a human right.

While lawmakers will be able to pass legislation on computer spying as planned, the court has laid down strict ground rules that are intended to limit the number of cases in which it will in fact happen. The greatest hurdle is the requirement of judicial approval in each and every case, with the burden of proof of “clear evidence of a concrete threat to a prominent object of legal protection” (e.g. life, liberty, or property) clearly lying with the authorities.

Unfortunately, the federal judges did not answer a number of basic questions, such as whether hacking personal data stored on another computer is to be considered a crime. This is especially interesting in view of recent German legislation that compels Internet Service Providers to keep records of all e-mail transactions for at least six months in case the police decide they want to see what a delinquent was doing. And while the judges do recognize the danger stemming from cache storage by programs like web browsers on an individual’s machine, they do not discuss caching by providers or search engine operators. Neither is there any mention of personalized portable devices like PDAs or Smartphones, leaving some confusion as to whether these are also covered by the definition “personal computer”. In fact, the brief specifically singles out PCs “such as those in many homes”, so conceivably it’s okay for the bulls to spy on your Blackberry once you leave the house.

Foreigners have long struggled with the concepts behind German privacy law, which many, especially Americans, find exaggerated and counterproductive. If so, they will have to make an extra effort to get their heads around the idea that hard disks, like homes, can be castles. But of course, anyone who has ever taken a boat ride down the Rhine is familiar with the German penchant for castle-building, so maybe it shouldn’t really come as a surprise.


Talking the talk with IBM’s Tom Noonan

14.11.2007 by Tim Cole

Tom Noonan of IBM ISS talks a mean speech. Yet somehow I came away slightly unconvinced from a press and analyst briefing he gave on Monday at ISS headquarters in Atlanta.

Maybe one reason was that he hardly used the term “identity” as he described in some detail how he perceives the world of IT security and threat management. Instead he had a lot to say about security becoming a utility, about disconnected parts and the need for a “security ecosystem” where the products of each and every vendor can work together to provide seamless and coherent protection of both data (the “new currency”, he calls it) and applications.

I was very excited about this vision of a kind of “security open platform” which would bring together the currently deeply fractured worlds of logical IT security and Identity Management (along with physical security, just to round things off; after all, the surveillance cameras all speak IP nowadays, so why not integrate them as well?)

A sentence like “Security will be the control system that creates policies across all applications” sounds great, but where’s the beef, Tom?

In fact, as his VP Tim McCormick later explained to me during an interview I did with him (see “In Our Ecosystem, Anyone Can Play”), the only ones who will really be able to participate are those with which IBM and ISS (still two very different animals, even after a full year of integration) already have existing relationships. Okay, that’s a lot of partners, over 200 at last count. But it is a far step from an industry standard, which is what Tom obviously believes is necessary.

I do too, by the way, so I’m rather concerned that Tom and Tim are not taking the ball as far as they could. Why not assemble an industry-wide gathering of competitors from both IT Sec and IAM, maybe under the auspices of Oasis or some other standards body, and put your chips on the table? Everybody stands to profit from cooperation – because customers will not stand much longer for being forced to deal with a whole host of vendors, each offering some important part of the puzzle, but not the whole picture.

On paper, IBM looks like a pretty likely candidate to lead the way. After all, with the ISS acquisition they are now the market leader in managed security, which is the way to go. And with Tivoli busily buying up companies like Console, Watchfire and the likes, they can play a pretty mean game of business process protection as well as becoming a force to reckon with in the identity & access management space.

Just bringing all that together within the folds of IBM remains a daunting challenge. Taking the concept to its logical end, a security and identity ecosystem that will revolve around the customer and his needs – something where this industry, as Tom Noonan freely admits, has hitherto not really done a very good job – is a different kettle of fish.

Let’s see if, in the end, Tom can do more than just talk the talk.



© 2012 Tim Cole, KuppingerCole