Tom Morris

I have just sent an e-mail to my MP regarding the Coroners and Justice Bill 2008-09, which gets it's Second Reading next week. My objections are rather sketchy and rough - I'm not a legal scholar, and I haven't really studied it in as much detail as I possibly could have done. I've read enough to know I don't like what it represents. If you are concerned about it - and if you care about data protection and liberty, you probably should care about it - then you ought to write to your MP. (Note: don't just copy and paste my post - you should read the Bill and write your own objections.) I think the Coroners and Justice Bill raises another major concern which I will address soon. Anyway, without further ado, this is what I sent to my MP...

I urge you to please consider your position on the Coroners and Justice Bill that is currently in front of the House. Most of the act concerns changes to the functioning of the coroner. Tacked on to these reforms is Part 8 (sections 151-154) which amends the Data Protection Act 1998. The result of these amendments is to allow the Government - specifically cabinet Ministers and Ministers of the devolved Scottish Parliament, Welsh Assembly and the Northern Irish authorities - to make an "information-sharing order".

Use of data issued to Ministers under the information-sharing order does not seem subject to oversight either by judicial means or by Parliament. The Bill specifies that information-sharing orders will be subject to a Code of Practice that will be prepared by the Information Commissioner, which must be approved by both the Secretary of State and Parliament. I'm afraid that I do not consider this enough oversight. The government have added these amendments to the fundamental nature of our laws on data protection and privacy without making the case to the public showing why these changes are necessary. If these modifications are necessary, the Government should make a public case for them, and then make the changes to the Data Protection Act in a new Bill specifically for that purpose, rather than rolling them into a law on the role of the Coroner.

There are further objections that I think it vital to make. In section 152(1)(50B)(2), it states that an information-sharing order may provide for the creation of offences triable either way. The purpose of the creation of these criminal offences is not specified. Is it to regulate the use of information by Government? Will these offences proscribe the behaviour of the general public? Might these offences be used to silence those whose information is being shared? I would have no problem in the first of these scenarios - to provide a criminal sanction to prevent a corrupt Minister from using the information gleaned from the sharing order for illicit ends. But section 152(1)(50B)(2) does not tell me the nature of the class of offences it creates. What would prevent, say, a Minister from using the powers given to him by the amended Data Protection Act to create a new criminal offence totally unrelated to a piece of information he requests? He could send a request to the Department of Work and Pensions to get some figures on unemployment, and in the same order recriminalize sodomy. It may seem rather implausible that a Minister either in the current Government or a future Government of any of the major political parties would do that, but the law does not seem to specify any reason why they cannot. Being only a mere philosophy student and not a lawyer, I may be reading this wrong.

The spirit of the Data Protection Act is to allow citizens of this country to have assurances that the personal data collected by both government and business as a routine part of living in a modern society is protected from abuse. The Government have made not a squeak about the need for these fundamental changes to the laws regarding the privacy of our personal information. Why should Parliament grant the Government these new powers after the frankly colossal blunders they have made with the personal data entrusted to them? Why is this law even necessary? Why not just conveniently 'lose' a USB drive with the data on when walking past the Minister's office?

I would like to know your position on the above-mentioned sections of the Coroners and Justice Bill, and I'd like to humbly request you to reconsider your position if it differs from anything other than solid opposition to these ill-considered intrusions into the civil liberties of the British citizen.

There is a big mismatch in programming between the structure of XML and the tools used to parse it programatically. In XML, you have elements, attributes, CDATA sections, processing instructions, namespaces and text nodes - often in a rather spaghetti-like construction (and sometimes vaguely resembling something like a schema). There isn't a simple mapping from this to the common types in programming languages: booleans, number primitives, strings, tuples/lists, key-value structures, classes, objects and functions. And so we get rather clumsy XML interfaces like the XML Document Object Model, with all those lovely method names like "getElementByTagName", "getAttribute" and so on. Or, even more fun, one can use a SAX-based parser - well-known to be about as much fun as getting raped by a javelin.

Today, Jeremy Keith posted a blog entry about how he added a feature to the excellent Huffduffer using Amazon's product information API and machine tags, but had to handle XML coming out of Amazon. Jeremy then wrote an XSLT to turn the XML into JSON. You can have a look at the XSLT here. It's pretty good. I'd have added some xsl:text elements, and maybe explicitly added an xsl:output element with a 'text' method. Not the best XSLT I've ever seen, but not at all shabby.

There is a problem with this approach - character encoding. If you were to get a text node that contained some encoded ampersand or something, that wouldn't be properly transformed - JSON uses UTF-8 text, wheras XML uses character encoding as per the processing instruction. How to solve this problem? Easy, don't turn it into JSON. Turn it into XML-RPC instead. XML-RPC gives you pretty much the same data model as JSON, except that you don't get a nil (a glaring error in XML-RPC). So, you take the XML from Amazon, turn it into an XML-RPC message, then use an XML-RPC library to turn that into language-native data. For PHP users (as Jeremy is), you then use Simon WIllison's XML-RPC library (Python and Ruby both have built-in XML-RPC libraries - be aware that Ruby's XML-RPC server has had/may still have a notorious security hole, so watch yourself). You should be able to parse the XML-RPC message with Simon's XML-RPC class by just instantiating an IXR_Message object, running the parse() method on that object and then getting the data out of the object's 'params' property. For super-laziness, just wrap those three lines up in a method called xmlrpc_parse(), and you can use it just like the json_parse() method in PHP.

It's not much of a difference (unless, of course, you are transmitting lots of nullness around) - but does mean that you can neatly side-step around character encoding issues going between XML and JSON - something that XSLT 1.0 won't just fix for you by magic.

As for XML-RPC not having nil? Wikipedia says there's an unofficial extension to XML-RPC that allows one to use a nil element - here it is. It's so common sense to have a nil element. In Jeremy's case, this is not a problem. It's not likely that a book on Amazon is going to, say, not be a string but be a nil value. (The other approach to this is to use SOAP, but that's too heavyweight - or to use something like WDDX, which does have a nil value, but doesn't have the tool support that XML-RPC does - the PHP WDDX parser is a compile-in extension, which is notoriously unpossible on shared hosting sites. As for me, I'd turn it into RDF, but I'm not even going to go there.)

Right, having suggested that people stop using JSON and start using XML-RPC - in PHP no less - I shall retire to my bed in disgrace.

MSNBC quotes John Pescatore from Gartner on Barack Obama's electronic security: Take an innocuous example. If (Obama) were to sit down at his personal PC, log into his (presidential) e-mail account and send a congratulatory e-mail to the pilot of the US Airways jet [...] how would the pilot know it was really Obama? If someone else sent out a doctored e-mail pretending to be Obama, how would we know it wasn't really him?

Well, the White House could use GnuPG. It's strong enough that PGP, the software that GnuPG is an open source clone of, used algorithms strong enough that a previous U.S. government determined them to be military strength and subjected them to a totally futile and rather laughable attempt at export control (something which Vice-President Biden presided over - see PGP creator forgives Biden).

Just imagine. You turn on your TV for a message from President Obama, and he says something like: "in the interest of national security, I have decided to use the GNU Privacy Guard on all my e-mails, and I humbly request citizens to adopt similar technology to provide for themselves the guarantees of liberty and freedom through code as the Bill of Rights attempts to provide through law. All e-mail communication from the U.S. federal government will be digitally signed. My public key is (whatever it is), and the keys of all the members of the cabinet are cross-signed."

Diffie and Hellman have solved this problem. There's no reason not to start using their solution in government. Perhaps the Obama administration could put an open source bounty out there for someone to port GPG to the BlackBerry.