The tell-tale signs are everywhere. You can see them in our buildings and our transport networks. You can read them in your morning paper. You can hear them echoing down the corridors of Whitehall. Galvanised by fear whipped up by the media, to which our politicians pander persistently in pursuit of power, we’ve changed our society into one where nobody dares take a decision. We live in a post-accountability world where bureaucracies ruin lives for the want of someone – anyone – displaying a bit of courage or leadership or common sense.

Nowhere is this illustrated more starkly than in the case of Paul Chambers.

In the snowy depths of January 2010 Paul sent a message of frustration to his Twitter friends when he discovered the weather could affect his travel plans: “Crap! Robin Hood Airport is closed. You’ve got a week and a bit to get your shit together or I’m blowing the airport sky high!!”

A member of staff at Robin Hood Airport saw the tweet because they were searching Twitter for their employer’s name (goodness knows why). They judged it to be harmless, but reported it anyway, presumably so their ass would be covered if it turned out to be otherwise; and anyway, it didn’t cost them anything personally, so why not? Especially since the consequences of inaction might have proved career-limiting.

I imagine similar thinking drove the airport security team’s decision to tip off the police about the message, or rather, their decision to make it their policy to report every tip-off they receive no matter how improbable it seems. After all, it would have been no skin off their noses to include Paul’s tweet in their routine report, and the consequences would have been unthinkable if they’d failed to mention something that might, just might, have been important. Same with the police: it’s no problem for them to investigate any possible threat. They could have decided Paul’s tweet was a foolish act of bravado, yet if they had declined to act and something bad had happened, it would have been be their responsibility. Far be it for the police to take responsibility. That’s what the Crown Prosecution Service is for, right? Wrong.

At least when cases like this are blown out of proportion by a bunch of jobsworths, they’re usually set straight by the courts, aren’t they? Not this time. This was ass-covering at it’s finest, all the way down the line. Paul was convicted of sending “a message or other matter” which is “grossly offensive or of an indecent, obscene or menacing character” by means of a “public electronic communications network”. His fine currently stands at £384 plus £2600 in costs. He’s been given a criminal record and has lost two jobs as a consequence.

This is bigger than one man’s misguided message. Other tweeters have been arrested under section 127 of the Communications Act 2003 since Paul’s conviction, which was upheld unequivocally by Doncaster Crown Court last Thursday, and those people are still waiting to learn their fate. The chilling effect this ruling could have on freedom of expression is no laughing matter.

This is how the War on Terror has ended. Not with the capture of Osama Bin Laden and the routing of Al-Qaeda. Not with world peace nor by treating each other as we would wish to be treated. Instead, it’s ended with innocent people looking over their shoulders, thinking twice about what they say online and being thankful for every day they escape the dreaded knock that could ruin their lives.

There may be hope yet. Paul and his legal team are considering whether to appeal to the high court. Nobody would blame Paul if he decided to draw a line under this sorry affair and turn his energy towards rebuilding his life. If he decides to continue though (and I hope he does) he deserves our full support.

That’s why some of us are having a rally in Sheffield, tomorrow, to express solidarity with Paul, to protest against his conviction, and to champion the cause of free speech on the Internet.

If you fancy joining us the information you need is here: http://bit.ly/jokesontrial – but be quick. You’ve got less than 24 hours to get your shit together, and if you don’t make it, I’m gonna blow you sky high!!!!1

British civil liberties have been dismantled systematically since 2001. The National Identity Register, biometric passports, the NHS spine, Contactpoint and the Vetting and Barring Scheme are just a few of the most egregious privacy invasions we have suffered.

Our every move is watched with suspicion by the authorities. ANPR systems record every journey we make. Video and audio Surveillance Systems (SS) watch us in every public space and many private ones too. Thousands of public bodies abuse their RIP Act powers to spy on us for trivial reasons. The police can stop us and search us arbitrarily, and they keep “pre-crime” databases on the innocent. Our private communications are monitored, analysed and recorded both by the Government and private companies.

Yet often MPs want one rule for us and another for them. The children of MPs can be “shielded” on ContactPoint to protect their privacy – but ours can’t. Very few MPs have an ID card even though ministers have been doing everything in their power to coerce the public into “volunteering” for them. Many MPs voted to exempt themselves from the Freedom of Information Act, to protect their “privacy”, whilst passing laws that erode ours.

When it comes to liberty in Britain today, all animals are equal, but some are more equal than others. This hypocrisy has to end and the systematic assault on our civil liberties must be reversed.

The Power2010 campaign is conducting a letter writing campaign asking Prospective Parliamentary Candidates to:

…commit that, if you are elected, you will vote to repeal the Identity Cards Act 2006 and will defend our privacy as fiercely as you would defend your own and that of your family.

The above reproduces what I sent to Sheffield Central PPCs. You can take part in the campaign here.

Mobile ANPR cameras are also used by some police forces. These are deployed in popular locations such as shopping centres for so-called “lockdown” operations, where every vehicle entering the area is checked against records as police fish for reasons to impound cars and fine drivers. One such operation in November 2008, which was filmed for television (relevant segment starts at 21m30s), saw 369 vehicles stopped, 84 tickets issued, 51 cars seized and 12 people arrested at Bluewater shopping centre in Kent – in a single day.

It’s no longer a case of “follow that car” but “follow every car.”

ACPO defend their wholesale surveillance system by pointing to a few high-profile cases where ANPR evidence has formed part of a prosecution. They’re less keen to highlight the cases of mistaken identity, inaccurate record-keeping and official ineptitude that have left innocent people standing on the kerbside holding a ticket as an officer drives away in their vehicle. Even if these drivers manage to prove the database wrong they can end up paying hundreds of pounds in fees to get their car back – if it hasn’t been crushed.

Supporters of ANPR technology claim vehicle license-plate data is exempt from the Data Protection Act because it’s not “personal information” (it’s about the vehicle not the driver). However the Driver and Vehicle Licensing Agency (DVLA) sells access to the names and addresses of registered vehicle-keepers for £2.50p a time, making this distinction academic.

In common with the National Identity Register, National DNA Database and all the other tentacles of the database state, once this information is collected there’s nothing to stop it falling into the hands of other public or private organisations, either by accident, commercial arrangement or official decree. Wouldn’t you like to know where your partner really drives off to while you’re at work? I bet there’s a good number of private investigators who would.

The Information Commissioner’s Office is currently “working with” ACPO to determine whether the national ANPR network is “appropriate and proportionate” – which means nobody bothered to ask those questions before the system was commissioned.

Who stands up for the public interest in the rush to implement new technologies like ANPR for official convenience? I don’t recall there being a public or Parliamentary debate on giving the police these game-changing surveillance powers. Has anyone considered the down-side of collecting all this data?

Somehow I doubt it.

Now Ross Anderson and Steven Murdoch, computer security researchers at the University of Cambridge, have published a paper [PDF] analysing 3D-Secure. Announcing the work on his blog, Prof. Anderson said,

From the engineering point of view, [3D-secure] does just about everything wrong, and it’s becoming a fat target for phishing. So why did it succeed in the marketplace? Quite simply, it has strong incentives for adoption. Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders. … This is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure.

The paper concludes by recommending technical measures that would improve security for card-holders. It also calls for regulation to protect consumers from being forced to accept liability for online fraud.

I hope that the academic rigour of Anderson and Murdoch’s work, backed by the formidable reputation of the University of Cambridge Security Research Laboratory, will help to focus mainstream attention on Visa and Mastercard’s selfish treatment of their customers.

It turns out I wasn’t the only one to notice this potential. Reports last week indicate that a Verified by Visa phishing scam is now circulating by email:

Webroot’s Andrew Brandt claimed that the scam begins with an email that appears to be targeted at holiday shoppers who buy gifts online. Brandt said: “Once you register with the (real) Verified by Visa service, participating merchants permit you to enter a password in addition to your card information.

“In addition to providing the purchaser with an additional layer of safety, the password also gives the merchant some assurance that larger-than-normal transactions (like the ones you make during holiday shopping season) will be approved quickly, without triggering fraud alerts.”

However Brandt pointed that in the email, the user is sent to a web page that asks you for the information you gave the card-issuing bank at the time you first signed up for the credit card. He also commented that the page is clearly more professional, slick and clean than most phishing pages as the form’s businesslike appearance serves to reassure the victim that the page really belongs to Visa.

You might think that credit-card companies have a vested interest in reducing fraud however the reality is subtly different. Their interests lie in reducing their liability not the overall fraud-loss figures. Like chip-and-pin before it, the main benefit to banks and merchants of the 3D-secure system is that it transfers liability for fraud onto the card-holder, not that it improves the intrinsic security of transactions.

Here’s my understanding of how it works: banks first offer to indemnify merchants from any fraudulent transactions they charge that have been authenticated using the scheme. This is a strong incentive for merchants and has ensured widespread adoption. Next the banks adjust their terms and conditions to make their customers liable for all password-authenticated transactions and impose on them a duty to protect their password. Lastly the bank asserts that any password-authenticated transaction must either have originated with the cardholder or be as a result of their neglect – i.e. they have allowed their password to become known to someone else. The customer is then held liable for the cost of the fraud unless they can somehow prove they are not to blame for their password being used without their consent. Both the bank and merchant are protected from loss at the expense of the card-holder.

Is it reasonable to expect credit-card customers to shoulder the blame for the failure of such a fragile security system given the prevelance and increasing sophistication of phishing attacks such as the one reported by Webroot? Implementations of 3D-Secure vary between banks and card companies, however the technology is inherently susceptible to social-engineering attacks, as I noted in my previous post. In addition, even if your password security is meticulous, in some cases all a fraudster needs to reset it are the details on the card and the holder’s date of birth. Hardly a challenge for criminals with a passing knowledge of social-networking and the darknets.

I think fraud liablility should remain with banks and credit-card companies except in cases where they can prove their customers are trying to rip them off. The card companies are best placed to solve the problem of online fraud but there’s no incentive for them to do so if they don’t stand to lose from it.