The writing has been on the wall for years

About four years ago, I had time to kill in Newcastle.

I went into HMV for a browse.

They were playing a song I hadn’t heard before, but that I liked.

I used Shazam to find out what it was, and bought it on iTunes. That was easier than finding a shop assistant, then finding the CD, then queuing up to pay for it.

Hard for them to make a profit when they can’t even guarantee the sale on an impulse purchase in their own store.

Tax and morality

This probably won’t be a popular post, but the tax affairs of celebrities (and non-celebrities) don’t seem to be leaving the news agenda any time soon, so I wanted to put my thoughts down in writing.

There’s a chance that this will be seen as a defence of Jimmy Carr, or Gary Barlow, or even, heaven forbid, Sir Philip Green. It certainly isn’t intended as such, and personally I feel that a Keynesian approach to the recession is by far the most sensible. Given that, I do feel that a higher tax burden needs to be borne by the more well off.

What I don’t think, however, is that morality should form part of how tax is calculated. Here’s why.

If you cast your mind back, you might remember a fair-sized kerfuffle about certain individuals’ remuneration in the public sector. Without going into too much detail, certain people with fixed-term contracts, often in senior positions, were being paid through a limited company, rather than as employees. By being paid in this manner, they could take a large proportion of their income as a dividend, attracting a lower rate of tax, rather than as salary. Ed Lester, the head of the Student Loans Company, was one such individual.

This was roundly condemned in the media, and condemned as tax avoidance. There was one point not mentioned in the coverage though. IR35, introduced in 2000, seeks to define “disguised employment”, and means that someone working through a limited company for the purpose of reducing their tax burden is liable to be taxed as if an employee.

Simply put, if an individual is working in this manner, they’re liable to pay the greater amount of tax. It might be argued that this regulation is not well enforced, but then we should look at better funding for HMRC.

Following on from the Jimmy Carr revelations, newspapers have reported that JK Rowling “pays all her taxes”. I’m sure she does, and she has


The Metropolitan Police and your phone

BBC News has published a story (actually posted last night) with the headline Met Police to extract suspects’ mobile phone data.

The story is seeing some traction on Twitter this morning, so I thought I’d dig in a little, and see what I could find.

It appears that the system that the Met have bought is produced by Radio Tactics. From having a look at their site, my guess is that they’ve bought ACEOS Kiosk. Looking at the “full datasheet”, the selling point of the system is pulling data from various electronic devices, and storing that data securely, with a full audit trail.

Thumbs up to that. If the police want to acquire this data, I want it to be secure. But what else is it doing? Actually, it’s difficult to tell for sure, without a more comprehensive description. What does seem clear is that it understands the layout of data internally on lots of devices, in order to be able to extract (for example) text messages, IM conversations, and so on. The operator doesn’t need to know anything about the internal implementation of the device to be able to extract and archive data on the phone.

What is less clear is whether it can bypass hardware encryption on these devices. My understanding is that all BlackBerry devices, all iOS devices from iPhone 3GS onwards, and recent Android devices (because of the fragmentation of this OS, it wasn’t quite so clear which ones) encrypt, in hardware, all their data stored internally.

This means that, without a passcode, data can’t be read directly from the internal storage. That read access would be how the product extracts information. Nowhere in the description of ACEOS does it detail cracking encryption like this. If it did, I imagine that would be a big selling point. Indeed, if this hardware encryption was easily cracked, that would be a big technology story too.

It seems far more likely to me that this product is about rapidly and efficiently extracting data that would have previously required a forensic specialist. I don’t think that’s a bad thing, and my guess is that it can’t be done without your passcode anyway (you do have one set, don’t you?).

If the police suspect that your phone has been used for criminal activity, then you’ll be obliged to give them the passcode anyway (I think that not doing so is an offence). Encryption or not, they’ll get onto your phone, if they have reasonable suspicion of criminal activity.

So, onto retention of the data, and that’s where the real problem is. From the original article:

A Met Police spokesman told the BBC that when a suspect was released, “data received from the handsets is retained and handled in accordance with other data held by the MPS [Metropolitan Police Service]” – regardless of whether charges had been brought.

So actually, this isn’t a technology story at all. If you refuse to give the police your passcode, or wilfully delete data from the phone, you’ve broken the law anyway. The latest devices have sufficient means to protect your data from casual extraction. The issue here is about data, and retention thereof, and we’ve been down this road with DNA, fingerprints, any information that the police might want to retain to make their job easier.

The solution to this particular problem is a change of policy, not a 79p app that enables you to destroy evidence.

What do IP addresses tell us anyway?

Yesterday I saw some misinformation being distributed about IP addresses. It was in the context of a rather petty disagreement about someone’s identity on Twitter, but it did make me think that this is an area that plenty of people don’t really understand.

With that in mind, here’s a brief run-down of what an IP address is, what it says about you, and what it doesn’t. I’m by no means a networking expert, but I am an IT professional and hope that I have a decent enough grasp of the topic to explain things correctly. Please feel free to correct me if I make any mistakes.

One of these addresses (IPv4 specifically, which is the type of address that is still commonly used across the internet) is formed of four numbers, from 0 to 255, separated by dots. Every device connected to a network will have at least one of these addresses.

The more observant amongst you will have spotted a flaw in the system. If the addresses take the format, then we only have 4,228,250,625 possible addresses. That might seem like a lot, but when you think of every phone, tablet, laptop, and computer in the world, not to mention TVs, DVD players and others, it’s not very many at all.

That’s why we have the concept of private and public IP addresses. There are ranges of addresses that are designated as “private”, which can be reused on internal networks (like your wi-fi network at home). The most common range used is 192.168.X.X.

If you just had a private IP address though, you would never be able to connect to anything on the internet, just to other devices on your home network. This is where your broadband router comes in. It does the clever trick of translating your private IP address into a public one.

Your ISP (that’s BT, or Virgin Media for example) assigns a public IP address to your router, which then shares it with all the devices connected to your network. This is why an IP address isn’t quite enough to identify someone online. The public address could be shared between several people. To someone outside your own home network, they would never know who in the house is connected.

The situation becomes even more confused because of the way ISPs tend to distribute these public IP addresses to their customers’ routers. These addresses tend to be ‘dynamic’, which means that a particular public IP address isn’t tied to a particular account, let alone a particular internet user. What’s my IP address today might be yours tomorrow. 

Don’t be fooled though. My IP address is assigned ‘dynamically’ by my ISP, but it has only changed once in the last three months, when I upgraded my connection speed. In that time, the router was rebooted several times, and it always ended up with the same address.

Even if your ISP does change IP addresses more frequently, it isn’t happening second by second. If you think about it, the IP address is where a web server sends its pages to, where a mail server sends its e-mails to. If that address is constantly changing, then things would fail to arrive, and need to be re-sent, all the time.

Even this dynamic changing doesn’t hide you from law enforcement, obviously. ISPs keep records of which IP address is assigned to which customer at what time. It’s this record-keeping that probably means public IP addresses change less than they might. Some ISPs also offer static public IP addresses, which are useful for users that want to be able to connect to their home network remotely.

Still, you do have a degree of anonymity from people hosting servers, who don’t have a warrant to get your account information. All they can really derive from your IP address is your (rough) geographic location (the accuracy of this varies wildly), and probably who your ISP is. If you’re connecting through a work computer, they probably have a decent idea of the company you work for, but this depends on how large the company is, and whether they have their own public IP addresses.

It’s also worth noting that public IP addresses aren’t shared across ISP customers. If they were, a web server wouldn’t know whether to send the BBC Sport homepage to you, or your neighbour. A public IP address is unique to the router in your home, at a given point in time.

In summary, your IP address isn’t some Prisoner-esque number that identifies you to all and sundry, but neither is it an unidentifiable detail that gives nothing away about you.

It could, for example, be used to correlate two online identities as the same person (or at least on the same private network). That would be a fair assumption if the IP addresses logged were the same, and there wasn’t a lot of time between the requests logged.
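The correlation described above can be sketched as follows. This is an added example, not code from the original post: the log entries, account names and the 30-minute window are constructed assumptions, and the private ranges checked are the three RFC 1918 blocks (of which 192.168.X.X is one).

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, source IP, account). Public addresses
# are taken from documentation ranges; all names are made up.
LOG = [
    ("2012-05-18T09:00:05", "203.0.113.7", "alice"),
    ("2012-05-18T09:03:40", "203.0.113.7", "bob_the_critic"),
    ("2012-05-18T09:04:10", "198.51.100.23", "carol"),
    ("2012-05-21T17:30:00", "198.51.100.23", "dave"),
    ("2012-05-18T09:05:00", "192.168.1.10", "internal_probe"),
]

# Private ranges that are reused on every home or office network.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_home_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def correlate(log, window=timedelta(minutes=30)):
    """Return (account_a, account_b, ip) for different accounts seen on the
    same public IP with no more than `window` between the two requests."""
    by_ip = {}
    for ts, ip, account in log:
        if is_home_private(ip):
            continue  # a private address says nothing about who is behind it
        by_ip.setdefault(ip, []).append((datetime.fromisoformat(ts), account))
    links = set()
    for ip, events in by_ip.items():
        events.sort()
        for i, (t1, a1) in enumerate(events):
            for t2, a2 in events[i + 1:]:
                if t2 - t1 > window:
                    break  # dynamic addresses may have been reassigned by now
                if a1 != a2:
                    links.add((*sorted((a1, a2)), ip))
    return sorted(links)

if __name__ == "__main__":
    for a, b, ip in correlate(LOG):
        print(f"{a} and {b} shared {ip} within the window")
```

A match only says the two accounts sat behind the same router at roughly the same time, which is the "same private network" caveat above.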


Want to know who’s selling on your Gmail address?

Given the latest in a long line of erosion of civil liberties in the UK, I thought I’d quickly post this tip so you can monitor who’s being careful with the data entrusted to them, and who’s passing it on, presumably for cash.

If you’re a Gmail user, there’s a little known trick you can use to personalise your email address. Google ignores everything in the first part of your address after a ‘+’ sign, that is to say, as far as their mail servers are concerned, the following addresses will all be delivered to Britain’s latest Eurovision entry:

All you need to do is add an appropriate suffix when you give your address to someone, and you’ll know if they’ve shared it with someone else simply by checking the ‘To:’ field on your emails. If you really want to get clever, you can set up filters based around the different addresses.
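Checking the ‘To:’ field can be automated. The following is an added example, not part of the original post: the messages, the `me@gmail.com` address, the example.* domains and the `ISSUED` record of which suffix was given to which organisation are all constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample messages; every address and domain is a placeholder.
RAW = [
    "From: news@shop.example.com\nTo: me+shop@gmail.com\nSubject: Offers\n\nhi",
    "From: deals@spammer.example.net\nTo: Me <me+shop@gmail.com>\nSubject: Win\n\nhi",
    "From: friend@example.org\nTo: me@gmail.com\nSubject: Lunch\n\nhi",
]

# Hypothetical record: the suffix you handed out -> the domain you gave it to.
ISSUED = {"shop": "shop.example.com", "bank": "bank.example.com"}

def plus_tag(address):
    """Return the part after '+' in the local part, or None if there is none."""
    local, _, _domain = address.rpartition("@")
    _base, sep, tag = local.partition("+")
    return tag.lower() if sep else None

def leaked_tags(raw_messages, issued):
    """List (tag, expected_domain, actual_sender_domain) for mail that arrived
    on a tagged address from a domain the tag was never given to."""
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1]
        sender_domain = sender.rpartition("@")[2].lower()
        for _name, addr in getaddresses(msg.get_all("To", [])):
            tag = plus_tag(addr)
            if tag is None or tag not in issued:
                continue
            expected = issued[tag]
            same_org = (sender_domain == expected
                        or sender_domain.endswith("." + expected))
            if not same_org:
                findings.append((tag, expected, sender_domain))
    return findings

if __name__ == "__main__":
    for tag, expected, actual in leaked_tags(RAW, ISSUED):
        print(f"+{tag} was given to {expected} but used by {actual}")
```

The ‘From:’ header can be forged, so a hit shows that the tagged address reached a third party, not necessarily who sent the message.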

Dominic Mohan really irritates me

From today’s Guardian:

…[the law should be] rewritten with a clause that emphasises how sacred freedom of expression is.

Which can of course be expressed:

the law should be rewritten with a clause that emphasises how sacred my right to decide how intrusive I want to be is.

His readership doesn’t like the Human Rights Act apparently:

Quite a few of our readers would be in favour of abolishing the Human Rights Act, that’s for sure.

Of course, that’s nothing to do with the way he presents said law in his paper. He’s always fair and balanced when it comes to discussing legal matters that impinge on his newspaper’s business model.