ECI4all sytem: Replacement of OCS announced – but who are they?

You may be aware that the European Commission has been supporting the development of an online collection systems for online signatures for the European Citizens Initiative – it’s called OCS and hosted on the JoinUp platform. Now, the OCS has a number of issues which have been documented recently by the ECI campaign here.

It seems a new kid is on the block: a group/person called ‘ECI4All‘ has announced that they/he/she are “working on a product which aims to be a are replacement for the current Online Collection System for ECI”. 

I’ve had a quick look at it and, well, there are some concerns…

But let me start by saying I like the idea of re-implementing the code in PHP, and the use of SourceForge to host the project is fine – though JoinUp and the EUPL would have maybe been a more politically sensitive approach.

First issue: I’m not an expert on GPL3 – but it can be quite restrictive in terms of reusing the code. For instance, you’d not be allowed to change any of it to EUPL even after adjusting it. (In fact I’ve come round to the opinion that a BSD/MIT type licence is the best option because it’s legally so much more simple, but that’s another story.)

Come out, whoever you may be

More serious issue is the anonymity of the developers. In my experiounce it is not normal for serious open source projects to be so secretive about the participants

The author(s) of the ECI4All code seem to go out of their way to maintain anonymity, which is a concern when you’re developing an application which in the end is capturing and verifying a mass of personal contact details.

There is a slight clue when committed code – some of the files are created by another SF user ‘allura’. Allura’s claimed name is Krishna and ‘he’ has been registered since 2004. But there’s not much to be found out about ‘him’ on SF – the two projects linked to the username seem to be dead or  dormant.

Other clues are that the Twitter account which looks legitimate, if new (first tweet 15 January); it claims to be based in Luxembourg. A comment on the blog was signed by someone called ‘Klaus’ (with no profile)

So – I am a little  suspicious! Frankly, it should not be so difficult to work out who we’re dealing with here. What’s the business model or motivation for all this work?

This puts potential users of a system using the ECI4all  code in the position of having to review the code very carefully for any backdoors before having the system go live[*]. Potentially, once the code has been reviewed, it would then be logical to fork it – ie making another GPL3 project which starts from the ECI4all code but retaining transparent control over further development.

A much better solution would be for ECI4all to come out from behind the wall of anonymity and join the active online ECI community!

Disconnected Democracy: what Scotland's Community Councils aren't doing online

Reblogged from Idea15 Blog:

This summer the Edinburgh-based researcher Peter Cruichshank, assisted by volunteer intern Bruce Ryan, carried out the first-ever study of online presence and engagement amongst Scotland's 1370 Community Councils. Their work has now been completed and published to the world.

Read more… 777 more words

Great blog by Heather Burns on the implications of the low level of digital engagement we found amongst Community Councils in Scotland in our recently study.

The resistible rise of Facebook

On a completely different subject: it’s interesting to compare the almost complete dominance of Facebook now with the situation as I found it a couple of years ago.

From the Next Web, 10 June 2012:

Facebook is eating the world, except for China and Russia:

Facebook now rules every country that aligns itself with the USA, and a few that don’t. Even Orkut has been knocked off its perch in Brazil.

For comparison, this is what Europe looked like only 5 years ago:

Pupular SNS Sites – June 2007

What are community councils doing online in Scotland

Over the summer, I have been working with a volunteer intern Bruce Ryan (@mycelliumme). Bruce has been carrying out a survey of the public internet presences of community councils across Scotland . We’re getting to the data analysis and report drafting stage, so now seems a good idea to start sharing our progress.

In 2006, Edinburgh Napier University’s e-Community Council project showed how providing website tools and training could noticeably increase communication between CCs and their communities (Report – PDF). One major hurdle was that Community Councillors often didn’t know how to create and maintain websites. Also websites generally don’t allow two-way conversations between CCs and their constituents.

Social media have since exploded into the public consciousness. Tools such as WordPress and Facebook allow people to interact online, without needing to know anything techie. Such tools are available on smartphones, so online two-way conversations could happen anywhere, any time: you wouldn’t need to go to your local library to find out what your CC is doing and then get involved.

What has made this project particularly interesting is that Bruce was treasurer of St Andrews Community Council in 2004-5, and learnt a bit about how Community Councils (CCs) function, and occasionally malfunction.

Developments in the community council landscape

There have been a few other background developments which make this a topical area for research.

Late in 2011, the Scottish Government set up a short-life working group on CCs. It is now conducting its own research into what CCs do in general and who the councillors  are.

In 2012, the Association of Scottish Community Councils folded, and the status of the National Network of Community Councillors in Scotland remains uncertain.

Recently, both Reform Scotland (Report – PDF) and the Jimmy Reid Foundation (Report – PDF) published reports on the state of local government in Scotland. Both recommended that CCs be given increased powers and status to make up for the remoteness of Scottish local authorities (the biggest in Europe) from their citizens.

So, we wanted to update the picture of what CCs are doing online, and whether they’re using social media to have two-way conversations with their constituents.

Results so far

The extent of the problem

So far, we have found that there are potentially around 1400 CCs. However, only around 1100 are active and about two-thirds of them have some kind of online presence. Only half of these (around 300) are actually up to date, by which we mean had updates in May-July 2012.

We have also identified and categorised CCs’ online presences according to type (such as full website) and content (such as whether they have minutes or planning information).

What’s next?

Finding out what’s happening is only the first step. Bruce has been interviewing a small number of Community Councillors to begin to find out why CCs choose certain ways of being online, and why other active CCs don’t do online at all. Of course this is their choice – we do not intend to tell CCs what they should be doing.

We are not working for the Scottish Government but we have been talking with them to make sure that this research will complement and inform theirs, not duplicate it.

We will publish a detailed report later this year, and will also share our conclusions with the Scottish Government’s working group. Above all, we are aiming to produce some research that enables decisions to be based on facts!

Update: Changed initial paragraph to highlight the amount of work Bruce is doing.

Identity, local citizenship and a modest proposal

This post started its existence about a year ago. I had been involved in a project called Smart Cities. From my perspective, (interested in e-participation and IS security) there were two big questions that I came away with; I am still wondering how to find answers, so forgive the rambling…

The first question comes from the overlap of geography, identity and citizenship online – and how it relates to e-identity. That’s what this blog is about.

The second question came from the problems caused by a checklist approach to compliance with privacy law. That’ll be covered in a (probably much shorter) future blog.

Citizenship and e-identity

It’s a truism that geography doesn’t go away online, as demonstrated by the rise of hyperlocal media and the extensive work on local online empowerment by eparticipation practitioners. People like Catherine Howe have been thinking hard about what it means to create localised online spaces to “encourage people to act like citizens” and you could go worse than read her blogs on hypelocalism – this one in particular.

Now, I think many people feel that they belong to more than location. This raises the question: what does it mean to be a ‘citizen’ of a place (city) when you’re online? Can a location decide you are not a citizen?

It might be fairly easy to agree what it means to be a ‘citizen’ or a resident of a nation state, but it gets more difficult as the geography gets smaller and more local – particularly away from the big cities like London or Amsterdam. For instance, I live in Falkirk and commute to Edinburgh, but have connections with the Scottish Borders: Where do I belong to? Which of these places have a duty to take my opinion seriously or to deliver me an (online) public service? It’s not simply where I pay my local taxes is it?

So the questions: how can a city know if it’s dealing with a real person? How do we define who is entitled to participate in a local space, and to what extent. But first, a small technical diversion…

Entities, Identities and eId

Fundamentally, identity is understood in two ways. There’s the idea of identity that’s been around as long as we’ve been (self-consciously) people: social and psychological. Here physical location (hence citizenship), personality types and social context are central to understanding how and why people behave in the way they do. People are inherently very good at handling and understanding multiple social realities and roles (Goffman in the 1950-70s used a metaphor actors and audience members on multiple stages).

What happens when move to online electronic identity (eID)? In summary: engineers with their inhuman expectations of logic, consistency and clarity.

A nice description of the issues of translating between social identity and eID can be found in Alpar, Hoepman and Siljee (2011). They describe a clear structure that distinguishes how an entity (person) has multiple, online identities fulfilling multiple roles (which can switch to other people). Online identities can be transferred or shared too – right up to having responsibility for a minor, sharing login details for bank accounts, to creating and selling World of Warcraft characters. That is, a well constructed eID infrastructure allows for a many-to-many-to-many relationship between elements on all three levels.

A frequent problem is that the people defining eID systems seem to confuse identity and identifier, identity and role,  or the person and their online identities – and there is no space for the concept of actors and audience working together to perform social roles.

The designers of identification infrastructures often give an impression of wilfully ignoring the social and psychological reality of human identity, though there are honorable exceptions.

Identity and identity providers

When creating an eID infrastructure, core design decisions revolve around the relationship between two key functions: identify providers (IdPs in the jargon) and Relying Parties (RPs). IdPs are responsible for authorising an account within a security realm; An RP is the company or organisation that needs to check a user’s identity before carrying out an action.

As implied above, the battle is currently on to become the dominant identity provider. In the UK at least, the agenda is set by US internet corporations like Facebook and Google. Some people – such as David Birch – have argued that there is no reason why banks or mobile phone companies cannot do this, but this has not yet happened. Also, see David’s TEDX talk: Identity without a name for some important issues around how eID is currently managed.

(I think one of the reasons people feel so uncomfortable with the attempts by Facebook and Google to force people to have “one true identity”: they are conflating entity and identity.)

Are we doomed to rely on US-based corporations?

The problem in the UK at least is that central government is not trusted. Which - though understandable - is a shame. Government can be natural choice and other European countries are putting eID infrastructures in place (Estonia, Sweden, Germany for example) which ensures some level of democratic accountability at least.

One of the issues that both the former UK ID card programme and the American corporations rely on centralised not federated models: that is one big (vulnerable) database which holds all the information about individuals and their activities. In contrast has been the growth of online personal data stores & ID providers such as mydex, miicard which rely on a federated model.

A modest proposal: what about your friendly local library?

So, onto the wildly speculative part. Here are two assertions:

• It seems logical that in the end, even in the UK, the state will have to take a role in guaranteeing the integrity and honesty of ID infrastructure, and perhaps even providing a trusted service itself.
• There will be an ongoing draft towards federated identity infrastructures as the vulnerabilities of centralised databases become obvious through sundry attacks.

I started off by asking how to define who is entitled to participate in a local space, and to what extent.

I wonder if an extention to the existing library card procedures could hold part of the answer?

Public Libraries are almost by definition anchored to place, have a direct route to linking a real person to a claimed identity, and since they have no interest in holding more than basic information about you could act as a trusted federated Identity provider. And you can’t get much more local.

It wouldn’t take much to allow libraries to act as verifiers that you have a connection with a local community, and there’s no reasons why libraries should be interested in whether you’ve registered elsewhere.

Can you think of anyone else you would trust more?

Even more than usual, I look forward to hearing about where I should look to find out more on this area. 

Further reading:

• Gergely Alpár, Jaap-Henk Hoepman, Johanneke Siljee: The Identity Crisis. Security, Privacy and Usability Issues in Identity Management CoRR abs/1101.0427: (2011)
• David Birch: Identity without a name. Top TED talk that brings out the paradoxes around e-identity.

This blog is an expansion on the points I tried to make during a “one minute madness” session at a recent research conference.