The Risk Factor

The London Telegraph reports today that the confidential details of 9 million people's investments worth a total of £60 billion continue to be sent by post - and I love this - "HM Revenue & Customs (HMRC) requires these discs to be unencrypted."

The Telegraph article says that the "HMRC requires fund managers to submit details every year of all investors' names, addresses, dates of birth, National Insurance numbers and the amount each individual has invested in Isas and Peps. The intention is to prevent investors exceeding limits on individual savings account (Isa) and personal equity plan (Pep) tax shelters."

"But fund managers are alarmed that HMRC requires this data to be delivered in an unencrypted extended binary coded decimal interchange code (EBCDIC) or American standard code for information interchange (ASCII) text format."

The article goes on to note that there have been least two recent instances where Pep and ISA data has been compromised.

This whole, continuing UK HMSC data security fiasco reminds me of Karl Marx's quote, "History repeats itself, first as tragedy, second as farce." What is it when it repeats a third time?

The LA Daily News reported last week that the LA Unified School District decided to quietly hire two public relations consultants at a cost of about $270 thousand as well as hire the public relations firm Rogers Group for an unspecified cost to focus exclusively on dealing with fallout from the inept implementation of its new payroll system.

As the LA Times pointed out in reference to the LAUSD's hiring of its new image fixers, institutions in crisis tend to focus on their image. But as it also points out, maybe the LAUSD needs to concentrate more of its efforts on fixing the payroll problem, instead of its image.

I wonder if the money spent on PR shouldn't really be counted in as part of the payroll system IT project's budget?

The Washington Post reports today that the DC tax scam has now increased to $44 million from $31 million just a week ago, the latter amount being one which grew from the original $16 million estimate at the beginning of November. The scam also looks like it has been going on for at least nine years now instead of the three year time frame first thought which was then revised to seven years.

The Post also reports that, "New information from the city's chief financial officer indicates that at least two and as many as four top leaders of the D.C. tax office, including its director, should have personally reviewed the refunds before they were issued." When questioned by the Post as to why they didn't, these folks naturally declined to answer.

The Post also reported that,"An FBI affidavit says that five more low-level employees helped process fraudulent refund paperwork before it got to Walters [the alleged ring-leader] but does not address what, if anything, they knew about the alleged scheme."

No doubt, this story will continue for awhile, and again, I say let's impose the same requirements on the equivalent government officials as are laid on those heading public corporations. Taxpayers deserve as much protection as shareholders do.

ComputerWorld is reporting that Massachusetts is warning 150,000 members of its Prescription Advantage insurance program that their personal information may have been stolen.

According to the story, a lone identity thief was arrested in August who had been using information taken from the program in an attempted identity theft scheme. Massachusetts officials think that only a small number of identities were involved.

If confession is good for the soul, then the UK government must be feeling awfully good right about now.

The London Telegraph is now reporting that the Department for Work and Pensions "has suspended all 'data exchanges' with local authorities because discs containing details of council tax and housing benefit claimants have been mislaid."

"At least 45,000 names and personal details are known to have gone missing from one council, with the DWP admitting last night that more authorities have lost discs."

According to the Telegraph, the DWP said that discs from only a "tiny number" of councils had been lost, and that the DWP "thinks" that the discs are "somewhere in the system."

The council discs were lost in September but the fact of their being lost - I beg your pardon, "mislaid" - is only coming to light now. I seriously doubt that if the HM Revenue and Customs ID scandal had not happened, the DWP security blunders would never have come to light.

As I was reading the New York Times book review section this morning, I came across a review of David Levy's book, Love and Sex with Robots: The Evolution of Human-Robot Relationships (Harper/HarperCollins Publishers, SBN: 9780061359750; ISBN10: 0061359750, 2007).

Quoting from the review:

"Humans, Levy writes, are hard-wired to impute emotions onto anything with which we’re in intimate contact, to feel love for objects both animate and inanimate. And robots, he argues, might turn out to be even more lovable than some humans. By 2025 'at the latest,' he predicts, 'artificial-emotion technologies' will allow robots to be more emotionally available than the typical American human male. 'The idea that a robot could like you might at first seem a little creepy, but if that robot’s behavior is completely consistent with it liking you, then why should you doubt it?'

The review, by Robin Marantz Henig, a contributing writer for The Times Magazine goes on in its concluding paragraph:

"Levy spends so much time laying out his logical arguments about how and why we will fall in love with robots that he gives short shrift to the bigger questions of whether we would really want to. I’d have liked a little less gee-whiz, and a little more examination about whether a sexbot in every home, a Kama Sutra on legs that never tires, never says no, and never has needs of its own is what we really want."

This book should provoke some interesting discussion. Robots that have are more emotionally available than the typical American human male by 2025? How about French or Italian men? Is that 2030? I guess I'll have to get the book to see what Levy says about the emotional availability of the typical American woman.

Maybe the idea of creating future sex robots can help get students interested in taking up computer science at Cambridge University again.

I love politicians who think they are software architects or system engineers. I wince whenever they pass some ill-conceived legislation, the success of which critically depends on information systems & technology (IS&T) without ever bothering to consider the technological and management risks involved. Like Captain Jean-Luc Picard, they just order, "Make it so."

This time Congress has screwed around and not passed legislation that has another signficiant IS&T component, namely the promised fix to the alternative minimum tax (AMT). The AMT was passed in 1969 as a way to make 155 very wealthy families (of the time) pay some taxes (they were able to avoid doing so by claiming lots of state and federal deductions).

Over time, the AMT has grown (it isn't inflation adjusted) to hit more and more taxpayers - 4 million in 2006. If changes aren't made, it will likely hit 25 million taxpayers this year, most who aren't aware that they will owe lots more money (about $2,000 on average), and possibly penalties for underpaying their taxes.

Congress is supposed to legislate a fix, but squabbling between Congress and the White House has delayed progress. Any legislative change, of course, may require changes to millions of lines of software in IRS computer systems since the AMT affects so many different tax computations. Reprogramming the IRS computer systems to deal with new AMT legislation requires 12 weeks from the time the bill is signed into law; the IRS also needs three weeks to print new tax forms.

The IRS is warning that if Congress waits too much longer, it may have no choice but to delay not only the tax filing season start date of 14 January 2008 to mid-February, but also refund checks for another 25 million taxpayers to the tune of some $87 billion.

I also suspect that, on top of all the confusion that will ensue, those IRS computer systems won't be able to be fully system tested given the schedule pressure, so some AMT-related problems likely won't surface until well into next year. And even though the various makers of home tax preparation software claim the delay is no big deal, I bet it will be if things drag on much longer. The risk of both deliberate and unintended tax noncompliance will soar.

Congress has been warned about this problem for over a year, but I guess it had better things to do.

The Food and Drug Administration (FDA) Science Board's Subcommittee on Science and Technology released a very worrying report late last week on the current state of science and technology at the FDA:

"The Subcommittee concluded that science at the FDA is in a precarious position: the Agency suffers from serious scientific deficiencies and is not positioned to meet current or emerging regulatory responsibilities."

According to the FDA, it is responsible for protecting the public health by assuring the safety, efficacy, and security of human and veterinary drugs, biological products, medical devices, the nation’s food supply, cosmetics, and products that emit radiation. The FDA is also responsible for advancing the public health by helping to speed innovations that make medicines and foods more effective, safer, and more affordable; and helping the public get the accurate, science-based information they need to use medicines and foods to improve their health.

As the Subcommittee points out in its report,"The nation is at risk if FDA science is at risk."

In addition to the scientific deficiencies, another one of the critical findings of the Subcommittee's report is that, "The FDA cannot fulfill its mission because its information technology (IT) infrastructure is inadequate."

As I mentioned the other day, too many politicians pass legislation without understanding the full IT ramifications involved. In the Washington Post on Sunday, blogger-reporter (or is it reporter-blogger) Garrett M. Graff travels a bit further in his essay entitled Prehistoric Pols Don't Know Their Yahoo From Their YouTube.

Graff hopped on Sen. John McCain for saying at last Wednesday's CNN/YouTube debate that he "wouldn't need to lean on his vice president, George W. Bush-style, for national security expertise, but might 'rely on a vice president' for help on less important issues such as 'information technology, which is the future of this nation's economy.' "

"Hold it," Graff says. "Would we allow a serious presidential candidate to admit to knowing so little about any other key subject?"

You can see McCain's full response in Question 25.

Graff points out that all the presidential candidates except possibly Sen. Barack Obama don't know or give much more than lip service to the importance of IT to the nation's economy.

My friend Allan Holmes over at Government Executive magazine amplifies on Graff's point a bit more:

"The problem, as Graff points out, is the odd allowance we as a nation give presidential candidates to admit that they know so little about an industry that is vitally important to the national economy – and for that matter, to national security. Such admissions happen with surprising regularly. We’ve written about Defense Secretary Robert Gates – who oversees the world’s largest military complex, which has pursued network-centric warfare as its primary strategic objective – that he is 'a very low-tech person.' President Bush also has made statements about his ignorance of IT, as my colleague Tom Shoop pointed out in his FedBlog this past summer."

Allan might have noted that Gates doesn't do e-mail, nor did his predecessor Donald Rumsfeld, nor does Homeland Security Secretary Michael Chertoff. Chertoff also doesn't like e-mail because, “When you write an e-mail, you have to be mindful of the fact that nothing ever disappears. It can be deleted, but it is still in the system somewhere.” It's ironic that he is worried about his privacy, but that is another story.

You can be sure that many others in senior government management positions, not only in federal service but also state and local government feel very uncomfortable with IT just like Gates, Rumsfeld and Chertoff, even as they are also supposed to be developing strategies that are critically dependent upon IT's use.

Graff says, "As the United States advances into the information age, it can't afford to have its leaders' base of knowledge be rooted in the industrial era, lest their intellectual capacities come to resemble such relics as the decaying steel mills of Pittsburgh."

I heartily agree.

The London Guardian is reporting that the UK government is today offering a £20,000 reward for the safe return of two missing CDs containing personal details on 25 million UK citizens. The paper said that the Metropolitan Police has issued a statement saying that its primary search had been concluded without recovering the discs.

The London Guardian has a short video of two-legged robots battling out for the Robo-One grand championship at Tokyo's convention center. I particularly liked Mr. Balloon-head.

As first reported yesterday in the Register and then picked up today by ComputerWorld, Microsoft has had to pull the plug on its on-line "artificial-intelligence Santa bot" that was meant to talk to children about what they wanted for Christmas. Seems that the bot, as ComputerWorld put it, "wandered off topic" when certain words - like pizza - were used.

According to ComputerWorld, "Microsoft recently added the artificial Santa as a bot that Windows Live Messenger users could insert into their IM buddy list as northpole@live.com."

You can read about the bot in a Microsoft press release I found from last year titled: For a Jolly Good Time, Chat With Santa on Windows Live Messenger. A line in it is: "Filling Santa in on Christmas wishes and asking all about how the reindeer are doing or what’s new at the North Pole are a few of the things kids can talk to Santa about. Santa can even tell kids where they stand on his list: naughty or nice."

I guess the press release forgot to mention that Santa would be informing the kids about whether he was naughty or nice this year.

Microsoft said in a statement posted on the Register site: "Yesterday we received reports that the automated Santa Claus agent in Windows Live Messenger used inappropriate language. As soon as we were alerted, we took steps to mitigate the issue, including the removal of language from the agent’s automated script."

"We were not completely satisfied with the result of these actions, and have decided to discontinue the automated Santa Claus agent. We apologise for any offence or upset caused by this disturbing incident."

I guess Microsoft tested this year's Santa bot using the same strategy it does on most of its products - let the users find the bugs.

HM Revenue and Customs (HMRC) has finally officially admitted to six (as of now) significant data breaches in the last two years on top of the most recent one that saw the personal details of 25 million citizens go missing, the London Guardian reports.

The acting chairman of HMRC David Hartnett acknowledged that the numerous breaches "may well" indicate a systemic operational failure.

I wonder how many data breaches it would take over a two year period to indicate that it truly does mean a systemic failure exists? Especially after Hartnett explained that after a major data breach in 2006 - that no one in HMRC bothered to tell the public about - more stringent rules were introduced that obviously failed. The HMRC seems to me to have set a pretty high risk threshold.

Another interesting snippet is that the London Telegraph is reporting that the lost HMRC data discs contain the real and new names of hundreds of people in police witness protection programs. A senior police source told the Telegraph that, "This is disastrous. People's lives could be in danger. It makes a mockery of the witness protection programme."

One more bit of information to ponder is that ComputerWeekly says that insurance broker Jardine Lloyd Thompson estimates that the cost of a similar data breach (as the latest one by the HMRC) to a public company would be around £4 billion. No wonder the UK government is trying to pawn off the costs to the banks.

The New York Times this week had an article on smart cars and how one will "soon" be in a showroom near you. It quotes Dr. Sebastian Thrun, a computer scientist who heads up Stanford's Artificial Intelligence Lab, as saying, "Within five years, it’s totally feasible to build an autonomous car that will work reliably in several limited domains."

Furthermore, the article says, "In 20 years, Dr. Thrun figures half of new cars sold will offer drivers the option of turning over these chores to a computer, but he acknowledges that’s just an educated guess. While he doesn’t doubt cars will be able to drive themselves, he’s not sure how many humans will let them."

It will be interesting to see what happens when the first smart car crashes into one driven by a plain old human driver and results in a severe injury or death. Will the smart car's software be blamed? Will the argument be that the human driver has to be at fault since the smart car is assumed to be more carefully driven? And will the case be argued by "smart lawyers," a term that seems somehow oxymoronic to me?

The status of Boeing's Secure Border Initiative (SBI) Project 28 seems to be in limbo. System verification testing of the "virtual fence" was completed at the end of last month, and the US Customs and Border Protection (CBP) agency was expected to quickly make a decision as to accept or reject the project.

In September, Department of Homeland Security (DHS) Secretary Michael Chertoff said successful acceptance testing of the trouble plagued project was critical because he didn't want to get stuck with a lemon.

The Chairman of the House Homeland Security Committee Bernie Thompson fired a warning shot across Chertoff's bow in a letter he released this week, holding him to his "no lemon" pledge:

"If, as it now appears, the technological problems encountered are such that Project 28 has become more of a technology "test bed" than a new operational tool for the Border Patrol, the Department needs to address this directly. Frankly, I am as disturbed about this apparent lack of candor and the attempt to "spin" Project 28's troubles as I am by the technical difficulties you have encountered with the initiative. Technological problems can be fixed. Credibility, once lost, is unlikely ever to be regained."

"To be clear, I strongly support the use of technology to secure our border. I do not, however, support accepting a deliverable that does not provide the Border Patrol with the promised improvements in operational capability. Again, I urge you to defer accepting Project 28 until you can provide this Committee and the American people with an assurance that it does so."

Of course, if SBInet has to be canceled, then CBP can always turn to the Arizona-based Techno Patriots who are putting up their own home-grown version of SBInet.

You may have seen the small typo problem in Georgia where Joe Martins recently closed his account at Wachovia Bank, paid off an outstanding check, and then got a letter about the account closure and his final balance -- a minus $211,010,028,257,303.00. Wachovia apologized to Martins, and promptly blamed the letter and the erroneous amount on a word processing error - the number supposedly owed actually matched the gentleman's bank account number.

A similar computer typo problem, but with real side-effects happened last week in Carver County, Minnesota. Eric Mattson received a real estate assessment notice stating that his 4,400 square foot vacant lot was being assessed at a market value of $189,000,000 (or $42,955 per square foot) and would he please fork over the $2.5 million in property tax he owed. Since is about 10 times the value of prime property in London, which is the most expensive property in the world ($4,585 per square foot), Mattson had a good laugh and called the assessor's office about the obvious error.

The assessor's office wasn't laughing. It was indeed an error, but the County had already budgeted and spent the money.

The LA Times last week reported that Los Angeles Unified School District (LAUSD) has decided to extend its deadline to recoup most of the $53 million that it believes to have been overpaid to about 32,000 employees because of its faulty payroll system.

The Times writes that the LAUSD had originally "set a Nov. 26 deadline for workers to decide whether to repay the entire amount they had reportedly received, repay only the amount they believe they were overpaid, or refuse to pay anything. Employees were also warned that if repayments were not made by Dec. 10, they would also have to repay additional money withheld by the district for state and federal taxes."

The new dates for employees were the December 7th regarding how they wished to proceed, and now they have until Dec. 17 to make any repayments.

About 2,400 LAUSD employees have decided to contest the district's claims and are refusing to pay some or all of the amounts demanded, because they don't trust the figures the LAUSD has provided to them.

The LAUSD is putting none too subtle pressure on those 2,400 to accept the amount they are said to owe nevertheless.

As the Times reports, "those disagreements won't be discussed until next year, when district and union officials can set up a resolution process. But by then the district will have paid taxes on over-payments, and employees will be faced with the prospect of seeking refunds for themselves from tax agencies."

LAUSD officials believe that most of their payroll problems are behind them, but if a large number of its 2,400 employees who are contesting their alleged over-payments are shown to be indeed correct in their suspicions, the mess will have only just begun.

If some convenient major news event isn't happening, then government officials like to use Friday afternoons to bury bad news or to make announcements that they don't want looked at too closely.

As I wrote on Friday, things were pretty quiet on the SBInet front, when, lo and behold, the Department of Homeland Security (DHS) announced Friday afternoon that it had conditionally accepted Boeing's border-surveillance system. DHS Secretary Michael Chertoff said that it was now going to run a 45-day operational system stress test before giving final acceptance.

However, I doubt that the stress test will result in failure, regardless of the real results. Along with this "conditional acceptance" Boeing was awarded a $64 million task order to design, develop and test an upgraded "common operating picture software system" for the Custom and Border Protection (CBP) command centers and agent vehicles to make the system more user friendly. Don't you think if there was any real doubt about accepting the system, the contract award would have been delayed for six weeks?

More likely, the system stress test is meant more to fend off Congressional criticism than as a means of generating information on which to make a final acceptance decision: i.e., dressing up the lemon.

As the Arizona Daily Star reported (subscription may be required), "After the 45 days, officials will put in orders for additional changes, Chertoff said. Full acceptance of the system depends on the results of the test run."

Furthermore, the paper said, that despite the lengthy delays and the doubling of costs in the launch of Boeing's pilot project, Chertoff said that DHS "isn't worried about Boeing designing and implementing similar systems along the rest of the border. 'We picked a particularly demanding area of the border, with a lot of ground clutter,' Chertoff said. 'So it should be a good kind of challenge,and some other parts of the border should be easy.' " I guess Chertoff nor the DHS have ever heard of software system scalability problems especially in using commercial-off-the-shelf (COTS) components.

Boeing was also quoted as saying that that the company "learned valuable lessons" during the work that will reduce future risk. Of course, the whole project was sold as being low risk from the beginning, but who keeps track of those promises, right?

In historian Felipe Fernández-Armesto's survey book Ideas that Changed the World, there is a section entitled "Impossibilism." In it, he reviews some of the paradoxes that philosophers like William of Ockham’s raised for contentious debate in the 14th century, such as “God can order you to commit murder” or “God can reward good with evil.”

If William of Ockham were alive today, he would probably coin something appropriate about Microsoft’s problem reporting.

As I noted a few weeks ago, Microsoft captures and analyzes those errors that unfortunately but not unexpectedly pop up every so often, which on some days provides Microsoft with 50 gigabytes worth of problem data.

I was recently sent a link to a screen shot of an error message that I have never encountered:

Windows Problem Reporting Has Stopped Working
A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.

As the comments at the link note, this error message poses some very interesting philosophical paradoxes and implications. For instance, how can a solution be sent if the problem reporting scheme is not working? How can a solution even be available if the problem is not reported? Or does it really indicate that Windows has developed HAL-like self-awareness? This could help explain Microsoft's Potty Mouth Santa.

All this made me wonder whether:

a) Microsoft has another error monitoring program to watch for when its Window’s Problem Reporting code has an error, and whether there is another one to watch for that one to have an error, and so on: all this watch watching might explain why its operating systems are so large, and;

b) if (a) above is not true, does the Microsoft error analyst team have a category for this specific types of error, waiting in hopes of an error turning up some day indicating that in fact Windows is now self-aware, kind of like the SETI folks do in waiting for that special signal from space to appear?

According to the London Telegraph, "flirting robots" are invading Russian dating websites with the aim of gaining personal information from unsuspecting victims. CyberLover is one such robot that masquerades as a person seeking love on-line, according to the story. It interacts with a potential victim asking questions like, "When's your birthday? Where can I send you a Valentine's Day card?" and so on. The fear is that these robo-lovers could soon be invading popular social networks phishing for information.

I wonder what happens when one robo-lover encounters another on-line? Do they exchange code words so they know that the other is one of their own? Or do they just keep chatting one another up forever?

Last week, Forbes reported that Prime Minister Gordon Brown disagreed with the acting chairman of the HM Revenue and Customs (HMRC) David Hartnett's portrayal that the numerous HMRC data breaches over the past few years "may well" indicate a systemic operational failure.

"I don't accept that that is what the chairman ...said," said Brown.

Okay, I guess he didn't say it.

Over the weekend, the Sunday Telegraph published a story that said senior HMRC officials were warned by auditors in March 2004 that, ".. letting junior staff have access to the entire system was a recipe for disaster." The auditors also said, "... mistakes would not be detected and that the system was open to fraud."

Hmm, again I am left to wonder what actually does constitute a systemic operational failure in the eyes of senior UK government officials?

In today's Wall Street Journal, there was a note regarding a story that is in Seed science magazine regarding the question:

"If aliens are out there, how should Earthlings go about getting in touch with them?"

"The question has provoked arcane but furious debate among scientists searching for extraterrestrials. Because scientists haven't picked up signs of alien life near Earth, the debate is essentially philosophical, revolving around such issues as who rightly speaks for humanity and whether humans want to draw the attention of possibly hostile life forms."

"A dispute erupted recently among scientists over an effort to draft a protocol for messages going from Earth into space, reports David Grinspoon in Seed, a science magazine. Several scientists who believe that governments and other scientists should be consulted prior to any space-bound communications resigned in protest from a prominent study group on extraterrestrial intelligence."

This got me to thinking about my earlier post on Microsoft's error reporting, and my joking reference about it possibility being a search for artificial intelligence. However, what happens if a computer does indeed become self aware? Who speaks for the human race, and does the first self-aware computer speak for ones that come after it?

It is being reported by CTV.CA that private medical information on 140 British Columbia and 480 New Brunswick residents contained on four unencrypted magnetic tapes disappeared. Information on the tapes includes names, Medical Services Plan numbers, birth dates and possibly some description of services rendered and the costs of those services.

The information was "misplaced" on October 5, but New Brunswick medicare authorities were not made aware of the loss until Oct. 25. The province's director of medicare operations did not know about the vanished information until Nov. 29.

B.C. Information and Privacy Commissioner David Loukidelis who is investigating the loss said that he was "appalled that health information is being transmitted in such an insecure way."

UK Prime Minister Gordon Brown was asked MP Edward Leigh during a meeting with the Parliamentary IT body Pitcom about the IT security issues at HM Revenue and Customs (HMRC) and whether they represented a systemic failure. According to the Register, Brown said there was a difference between rules not being followed and failure of procedures and systems. (True, but irrelevant.)

Brown also added that no one had lost any money.

Right then, no harm, no foul. Play on!