Webmasters can add shareNice to their websites if they want to let their users’ share the pages they browse with their friend, via the many social networks platforms.

So, what is different about shareNice, and why should you choose to use it?

• shareNice respects your users’ privacy .
• shareNice is ONLY a social sharing widget.
• shareNice is not an analytic tool, we DO NOT log any of your user’s information.
• shareNice does NOT track your users.
• shareNice is free-software and you can choose to host your own copy if you wish.
• shareNice is NOT a profit making endeavour.

Below is an example screenshot of the shareNice tool being used on The University of Southampton’s OpenData site.

As it stands, shareNice is being used on the following sites : http://data.southampton.ac.uk, http://www.garlik.com, http://mmt.me.uk/, and the http://sharenice.org/ itself. And yes most of these sites are friendlies, but I would love to other people to start making use of the site too!

We are currently working on a WordPress plugin for the shareNice widget, and an eprints plugin too. I would love if someone would like to create a Drupal plugin for shareNice, that would be great!. You can see a list of feature requests on : http://sharenice.org/.

Given that the apache instance which this runs off of doesn’t generate ANY logs, I have no way of know if people are using the service, so please do let me know. Either via my blog, twitter, or github.

Finally, I should name dropped all the nice people which have helped in the development of shareNice: Monika Stepinska, Steve Harris, and Sebastien Francois. You guys rule!

In short:

Google offer a great search experience, they can have my search history, Facebook offer a good way to stay in touch with your friends, Yahoo/Flickr provide a good photo sharing experience, and well Last.fm do an awesome job of recommending me music – get what I am hinting at. I could just used Google to do all of the above, but somehow I feel better about myself spreading my data around a bit (sorry crazy doesn’t it!).

So, I made a start at knocking together my own RSS reader which I can use to catch up on stuff : http://mmt.me.uk/rss/. I used this PHP RSS Reader library. Sadly, it doesn’t understand RSS 1.0 which is RDF, it only seems to parse RSS 2.0.

It was really easy to do not more than an hours work. I am going to start parsing in the descriptions of the items in the RSS feeds, but sadly this isn’t trivial, people are starting to flood their streams with linked to google-analytics, to facebook share (including links to icons hosted on facebook.com [naughty]), and other nastiness. So I will have to write some code to pull out all the evil in the descriptions before adding them to http://mmt.me.uk/rss/, I will update my blog when I get round it to it. I can also release code if people want, just shout…

On a similar topic, the below blog post, states:

“One privacy protection model is to scatter your data about to make it more difficult to parse, akin to keeping valuables in different hiding spots in your house to thwart intruders getting everything in one go.”

When referring to the use of Facebook, as your one stop shop for IM messages, photos, emails and your social graph.

http://blogs.forbes.com/kashmirhill/2010/11/29/how-facebook-applications-can-download-all-the-messages-in-your-inbox/

Hi Team NHS Choices,

So, I just thought I would let you know that, as per my blog post, the NHS Choices website is sharing information with Facebook on pages which DONT have the Facebook Like button, as pointed out by this person, as well as being on my blog post for the last few days:

http://www.privacylives.com/v3-co-uk-ico-probes-nhs-choices-over-data-privacy-fears/2010/11/30/

Note that, NHS Choices keeps stating that its privacy policy is correct, but if you read the last few paragraphs of my blog post, right before the “comments” section, you will see that this is not the case.

http://mmt.me.uk/blog/2010/11/21/nhs-and-tracking/

Do have a look at the following page on your website, there is NO like button, and the same data exchange is STILL happening with Facebook.

http://www.nhs.uk/livewell/depression/pages/depressionhome.aspx

The following screenshot illustrates this. People are free to replicate, all you need is Firefox and the Firebug plugin (both free and open source).

I also talked about how there is a German website which changed the manner in which it implemented the Like button functionality in a non-intrusive manner. That is, a manner which does NOT send any information to Facebook.com unless the user ACTIVELY CLICKS (i.e. OPT-IN) the Like button; quoting my blog post.

“There is a way to deploy the Facebook Like button which would resemble an OPT-IN based user interaction, instead of the intrusive standard iframe based approach. This involves the use of an “onClick” function call in Javascript which would tell Facebook only when explicitly “liked”. Obviously this method of interaction does not display the “social information” such as like counts, and whether or not you would be the first of your friends to “like” a given page. The German social networking site jetzt.de moved from the iframe to the self-hosted version after vigorous backlash from the userbase about being tracked (see for instance http://jetzt.sueddeutsche.de/texte/anzeigen/385237, line 350). This example was given to me by Sören Preibusch from the University of Cambridge.”

Please see the Garlik blog for more information : http://www.garlik.com/blog/?p=419

Warmest Regards,

Mischa

In short there are four third-party, advertising/tracking companies which are informed every time a user visits one of the “conditions pages” on the NHS Choices website. These listed below, all get to make a call from the user’s browser, in turn allowing the four companies to access their cookies, tracking the users (explained in a previous blog post of mine, and in Bala’s research). This means, that if one has ever logged into a Google account, or a Facebook account and then visits one of the pages on the NHS site, the company will then know that their user X was just looking at a page about condition Y on the NHS website.

These are the four third party companies that make requests every time a “conditions page” on http://www.nhs.uk/ is viewed by a user:

jambi:~ mt $ grep "Host" tcpdump.ext.20101121.log | sort -u
Host: l.addthiscdn.com
Host: statse.webtrendslive.com
Host: www.facebook.com
Host: www.google-analytics.com

Two of the four third-party sites (facebook.com and addthiscdn.com) are contacted in order to provider the “social functionality” shown in the following screenshot. This intrusive OPT-OUT method of adding social features to the NHS website, in my opinion is NOT acceptable. I would only deem this to be acceptable if NHS has written declarations from the two aforementioned services stating that they WOULDN’T be tracking peoples’ browsing habits on http://www.nhs.uk/.

And the other two sites contacted (webtrendslive.com and google-analytics.com) seemed to be used for analytics purposes. In my view, this task should NOT be outsourced to a third party. If this was a website about pub reviews these third-party services would be acceptable, but due to the nature of the information on the Choices website, I feel the NHS should be hosting their own analytics code. Ok, I understand that the NHS needs to gather statistics about their website usage, but their user’s privacy should be of utmost importance, there do exist a high number of open sourced analytics software which the NHS should run themselves.

In order to show that I am not making this up, I have captured all of the HTTP requests made by my browser when loading the HIV and AIDS information page on NHS Choices.

http://www.nhs.uk/conditions/HIV/Pages/Introduction.aspx

The below two files are logs of all HTTP requests made when loading the HIV page:

http://mmt.me.uk/misc/nhscookies/tcpdump.full.20101121.log

And this cut down log file shows all of the third-party HTTP requests made by one’s browser when loading the aforementioned page:

http://mmt.me.uk/misc/nhscookies/tcpdump.ext.20101121.log

The above logs where captured using the following bash command:
tcpdump -A -s 1024 -i en0 dst port 80

An example:

My colleague Steve captured output from the HTTP trace via the NHS website, it can be found on http://pastebin.com/4TfDRRZJ

The browser (Safari) had it’s history cleared, logged into facebook, the facebook window closed, then sent to the NHS page.

Bits of confidential data replaced with XXXs

GET /plugins/like.php?href=http%3A%2F%2Fwww.nhs.uk%2fConditions%2fHIV%2fPages%2fIntroduction.aspx&layout=button_count&show_faces=true&width=450&action=like&colorscheme=light&height=21 HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-gb) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://www.nhs.uk/conditions/HIV/Pages/Introduction.aspx
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
Cookie: presence=DJ290173073BchADhA_22112.channelH1L60XXXXXXXXXXXXXXXXX4104WMblcMsndPBXXXXXXXXXXXsbPBtA_5b_5dBfAnullBuctMsA0QBblADacP0VXXXXXXXXXXXX0K290173073QQQ; x-referer=http%3A%2F%2Fwww.facebook.com%2Fhome.php%23%2Fhome.php; xs=976XXXXXXXXXXXXXXXXXXX0e11a0e600; sid=2; sct=12XXXXXX70; made_write_conn=12XXXXXX70; lu=ghXXXXXXXXXXXXXXXXXXYgqQ; datr=12XXXXXXXX-XXXXXXXXXXXf24

Possible Data Protection Violation

It was pointed out to me that I was reference the incorrect ICO filing. The data controller for the NHS Choices website is the Department of Health and not NHS Direct.

Find below, my amended version of this and the following section of this blog post. – Mischa 2010-11-24 11:00:00.

In order to see the NHS’s Data Protection Policy, we had a look at their ICO filing, which led me to the following page:

http://www.ico.gov.uk/ESDWebPages/DoSearch.asp?reg=4693360
http://www.ico.gov.uk/ESDWebPages/DoSearch.asp?reg=4906007

I should start this section by saying that I am not a lawyer. But it seems like sections 6 and 4 purpose 2 are is relevant to my question of “how come the NHS website has third-party tracking enabled, especially given that the tracking is provided by for profit advertising companies?”. Firstly, it should be noted that by contacting facebook and google, data is being sent outside of the European Economic Area. Which is in violation of their Data Protection commitment of “Transfers: None outside the European Economic Area”.

And as per the ICO filing the potential recipients are: Business associates and other professional advisers, Central Government, Data subjects themselves, Employees and agents of the data controller, Healthcare, social and welfare advisers or practitioners, Local Government, Ombudsmen and regulatory authorities, Other companies in the same group as the data controller, Persons making an enquiry or complaint, Police forces, Relatives, guardians or other persons associated the data subject, Survey and research organisations.

I will like to point out that no where in the ICO filing can one see that the NHS will be sharing data with advertising companies.

It should be noted that the ICO filing does not make it explicit that the Department of Health would not:

• Sell advertising to patients
• Sell/Provide user data for third party advertising

Next Steps: FOI

I am about to post off a Freedom Of Information request (tomorrow morning), asking the NHS to please supply the minutes of all policy and technical meetings involved in the decision to deploy iframes referencing non-NHS sites and to use third-party analytics software on NHS choices pages.

Next Steps: Official Complaint

Further to the FOI request I am going to submit an official complaint via the official NHS Choices feedback form :http://www.nhs.uk/aboutNHSChoices/Pages/ContactUs.aspx.

I have the latest copy of the FOI Request updated FOI Request and the Letter of Complaint up in .pdf format on my website.

Note that:

There is a way to deploy the Facebook Like button which would resemble an OPT-IN based user interaction, instead of the intrusive standard iframe based approach. This involves the use of an “onClick” function call in Javascript which would tell Facebook only when explicitly “liked”. Obviously this method of interaction does not display the “social information” such as like counts, and whether or not you would be the first of your friends to “like” a given page. The German social networking site jetzt.de moved from the iframe to the self-hosted version after vigorous backlash from the userbase about being tracked (see for instance http://jetzt.sueddeutsche.de/texte/anzeigen/385237, line 350). This example was given to me by Sören Preibusch from the University of Cambridge.

And Finally…

I would like to thank Steve Harris and Dan Brickley for helping me decide how to take this forward. And I would like to thank Richard Northover for the link.

Amendment 2010-11-24 16:57 Conflict in terms of NHS privacy policy
It has been pointed out to me that in relation to the NHS stating that how only on pages with the Like button…. communications with Facebook.com occurs, this is also not true :

See the following page :

http://www.nhs.uk/livewell/depression/pages/depressionhome.aspx

I see no “Like” button on this page. But according to firebug, There is still an HTTP request made to facebook.com from my browser.

The following quote from the NHS Choices privacy policy states :

“While we only share your information with the Data Processors, when you visit pages on our site that display a Facebook Like button, Facebook will collect information about your visit. For more information, read the relevant section of the Facebook privacy policy.”

Which is NOT true.

The following screenshot illustrates this. People are free to replicate, all you need is Firefox and the Firebug plugin (both free and open source).

NHS privacy policy

I thought I would cut and paste the NHS’s privacy policy, in case it changes dated 2010-11-25 15:58:00 GMT

“As a government department, we do not share data with other organisations unless the law permits us to do so. We do not sell individual information. We will share it only with our authorised Data Processors, who must act at all times on our instructions as the Data Controller under the Data Protection Act 1998. Before you submit any information, we will notify you as to why we are asking for specific information and it is up to you whether you provide it.

While we only share your information with the Data Processors, when you visit pages on our site that display a Facebook Like button, Facebook will collect information about your visit. For more information, read the relevant section of the Facebook privacy policy.”

Furthermore

It should be noted that it has been pointed out to me that AddThis’ privacy policy reveals they monetise their product through behavourial targeting. Would you be somewhat surprised if you started to received adverts about their ailments on third-party websites.?

The following example shows the Referrer header of the HTTP request telling facebook.com, that I have just been looking at a page about HIV on the NHS choices website.

GET /
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-gb) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://www.nhs.uk/conditions/HIV/Pages/Introduction.aspx
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
Cookie: presence=DJ290173073BchADhA_22112.channelH1L60X...

I followed instructions on the following blog post http://cafe.elharo.com/privacy/privacy-tip-3-block-referer-headers-in-firefox/ to configure my Firefox instance to not send the “referer header”.

In short, the steps needed are as follows:

• Type about:config into your firefox awesome bar, to bring up your settings
• find the setting network.http.sendRefererHeader. This is probably set to 2.
• Choose one of the following values:
  • 0: Completely disables the referer header (mischa’s setting)
  • 1: Sends a referer header when following a link to another page, but not when loading images on the page
  • 2: Always sends the referer header (default)

I am going to experiment with setting it to 0, disabling the referer header all the time, I will post back here to say if it causes me any problems.

What I am most disappointed about (**rant) is the way that Facebook, seem to think that an “OPT-OUT” policy is the right way to go about landing new functionality on their users. By default, Facebook allows your friends to log your geolocation at given point in time. And this is simply NOT ACCEPTABLE. As far as I am aware (and please do let me know if I am wrong), none of the other popular geo-logging services allow for other people to log your location at a given point in time. I see this as a massive invasion of your privacy, and as have others, as discussed in the following CNET article:

Shots already fired over Facebook Places privacy

An OPT-OUT policy to services which compromise your privacy and your personal information is simply NOT acceptable, and DRACONIAN. I mean, Facebook, DID NOT even attempt to inform me, that friends of mine can can geolog my location at any given point in time. I mean, what is stopping a friend of mine, who is hanging out in a brothel from geologging me, and defaming my character, by suggesting that I too was at the same place as him.

I noticed this yesterday, and then I got round to tweeting it, and had a lot of people thanking me for informing them of this change of service. So, I thought I would expand what is going on in a bit more detail. If you would like a more verbose write up on how to disable this new “feature”, visit the Garlik blog article:

Garlik Blog: Disabling Facebook Places.

As far as I am aware there has been no recent changes to Facebook’s privacy policy or their terms of service as illustrated on the awesome Terms of Service Tracking site. From my point of view, Facebook should inform their users about new functionality, especially new functionality which by definition shares your geolocation information both with people within Facebook, and with the Skyhook geolocation gazetteer.

In short, I fear that Facebook via the Facebook Like button which you can find on many high volume, mainstream sites, such as imdb, rottentomatoes, cnn, etc, is tracking you even if you are not logged into Facebook from your browser.

So, I have no solid evidence to say that they are DEFINITELY doing so, but I will explain why it is technically possible for them to do so. And well, the cynic in me thinks that if it is technically possible for facebook to log that my facebook id is on a given page, it will, regardless of whether or not I am logged in or not.

From this point onwards, I will be referring to all of various versions of the Like button, i.e. Like, Recommend, Fan, etc as the Facebook Like button.

So, the Facebook Like button can be implemented in one of two ways, using facebook’s XFBML or via the inclusion of a Facebook iFrame. FWIW, all of the instances of the Like button I have come across have been implemented using the iFrame approach, but I will look into the XFBML method of doing things soon and will blog about it then (he says …)

So, if you are a facebook user, and you have visited facebook
since the last time you cleared you cookies, you will have a facebook cookie in your browser. It is this cookie which allows facebook to inform you of how many of your friends have liked the page your browser is currently pointing to. An example of functionality can be seen in the below screenshot.

I am aware that if you are signed out of facebook you wont see your list of friends which are have already clicked the like button, you will end up seeing something like:

So, given that the Like button is an iFrame, i.e. it is actually hosted on www.facebook.com, it means that facebook can read your facebook.com cookies, and they can tell whether you are logged in (to show you which are of your friends have “liked” the page before you). And well, technically this implies that they know who you are which enables them to tell whether you are logged in or not.

Dan Brickley created a neat drawing of the what a iFrame is actually doing (thanks Dan, and see below). The illustration highlights the fact that a page which seems to be coming from a given web address, if it includes an iFrame, is actually coming from multiple web servers.

This is danbri’s illustration of what an webpage which includes iFrame’s is actually doing

This makes me class the Facebook Like button in the same category as ad tracking sites, insofar as the fact that if you turn up to a page with a Like iFrame, and you have a facebook cookie, you are in theory being tracked, regardless of whether or not you choose to click the Like button or not.

So, why do I class this in with ad trackers, I do this because of the fact that you are being tracked passively, i.e. regardless of whether or not you choose to like something, facebook is theoretically logging the fact that you have been to that website.

So, now to give an example :

Let’s say that you turn up to cnn.com can you visit the below article:

http://www.cnn.com/2010/US/07/29/wisconsin.roush.crash/

The page them subsequently loads up the following iFrame and serves it to you, it renders the Like button on the page, the iframe revolves to a url on facebook.com

http://www.facebook.com/plugins/like.php?action=recommend&…

By going to the first URL, you are also hitting the second one. Your user-agent, which based on http://panopticlick.eff.org/, is kinda uniquely identifiable, and is therefore in facebook’s logs. Given that the iFrame (second URL above) is hosted on facebook’s site, they CAN read your facebook cookies, am NOT saying that they do as I can’t prove that in anyway, but my guestimate is that if they are not, they will be in the future.

So, I can see three scenarios, which are relevant to this

• A user is logged into facebook in their browser, and then visits a site in a different tab, not even knowing that the site has a facebook “like” button, because you will only become aware of the “like” button upon arriving at the page and having it in loaded in your browser, which is too late from my POV. This happened to me last night, and happened to me recently when I went to imdb (sighes).
• A user is not logged into facebook, but has facebook cookies in their browser, they go to cnn.com, facebook knows (with a high probability) that a given facebook ID has visited a given site, by virtue of cookies and stuff
• User has no facebook cookies, and then facebook will only get the user’s user-agent in their access logs, which I bet they store (even though once again I have no proof of this.

Ok, so solutions:

Solution 1 :

You can delete all of you facebook related cookies from your main browser (firefox being browser of choice), and then you can download another browser which you use for facebook’ing, so that you are no longer given facebook the option to track the pages you read on the web.

Solution 2 :

Which is the solution I am going for at the moment is that you can install Adblocker Plus and you can block all of the Facebook Like endpoints, using custom filters.

This is an export of my Facebook Like button filters, it is probably far from complete, and I will put it up a service which you can subscribe to in Adblocks Plus, and will update the list of URLs as and when I come by them (will blog post when I am done with this.)


[Adblock]
! Checksum: 1+81iD/9dKSZiqqW6WtQxA

The following screenshot, shows what my current step looks like in Adblocker plus:

My colleague Vaidas Jablonskis (who is awesome), pointed me to Adbocker Plus which is also totally awesome

Finally, it is worth mentioning that I am not sure whether or not all of these sites which have facebook like buttons are explicit about the fact that their users CAN be tracked passively by facebook. Or whether reputable brands like CNN have any form of agreement with Facebook regarding whether or not their users are being track. Are any of these big companies, breaking their terms and conditions ?

I will post an update on step by step instructions regarding how to subscribe to my Adblock filter list of facebook like buttons endpoints soon.

So, I suggest people download and install Adblock and block facebook like buttons, and subsequently install the Facebook Like plugin , so that they are no longer being passively tracked by Facebook, and so that they are in control of when they tell Facebook that they like a given web page.

Finally, links to existing literature in this space:

http://techcrunch.com/2010/04/23/like-buttons-evil-facebook-not-open/

http://philosophicalzombie.net/post/540799211/has-facebook-just-become-the-evil-empire-whats-wrong

Comment, corrections, or a simple “you are wrong because …” are very welcome

Happy Interneting People

In order to have a zero cache safari instance on my laptop I have taken the following steps :

• 1: Removed spotlight’s prying eyes, by excluding the following directories :
  • /Users/<USERDIR>/Library/Caches
  • /Users/<USERDIR>/Library/Safari
  • /Library/Caches
• 2: Setup two cronjobs to constantly delete Safari cache-dir

*/10 * * * * find /Users/<USERDIR>/Library/Safari -type f -exec rm {} \; 2>&1 > /dev/null
*/10 * * * * find /Users/<USERDIR>/Library/Caches/Metadata/Safari/ -type f -exec rm {} \; 2>&1 > /dev/null

And finally, I have created a wrapper .app file which open’s Safari, and then enables “Private Browsing” mode, as I could not find a way to do this through editing the Safari.plist file. I followed the instructions posted on the MacWorld site, and they go a little something list so:

• 1. One needs to enable the Enable Access for Assistive Devices option, which can be found in the Universal Access system preference.
• 2. Open the AppleScript editor, and type in the following commands :

  
tell application "Safari"
   activate
end tell
tell application "System Events"
   tell process "Safari"
    tell menu bar 1
     tell menu bar item "Safari"
      tell menu "Safari"
       click menu item "Private Browsing"
      end tell
     end tell
    end tell
  end tell
end tell


• 3. Save this shiny new AppleScript as an application (.app file), and I called mine “PrivateSafari.app”.
• 4. I then grabbed the icon file from Safari, and added to the PrivateSafari, and then replace the old shortcut in my Dock, with one to “PrivateSafari.app”.

It should be noted that I am well aware that the private browsing features in most of the modern web browsers have come under a certain amount of scrutiny recently, below are some links to articles for the interested reader :

• Private browsing modes leak data – BBC News
• Private browsing: it’s not so private – Ars Technica
• Private browsing ‘not so private’ – IT Pro
• Private browsing modes in four biggest browsers often fail – The Reg

An example I have used for a while now is the Georgia Sex Offenders mashup

http://www.georgia-sex-offenders.com/maps/offenders.php

IMHO sites like the above one will just end up creating ghettos of sex offenders as real-estate agents start to adopt such online resources to help sell properties to future homeowners. Eventually we will see neighbourhoods of sex offenders as no family would ever choose to live next to a rehabilitated offender. The key word in the previous sentence being “rehabilitated”, as they have been released by the judicial system into the community as reformed human beings.

Now one can install an iPhone App, which tells the phone own about sex offenders in their local area, GPS/web magic, note that this only works in the US :

http://www.telegraph.co.uk/technology/apple/5918923/iPhone-app-tracks-sex-offenders.html

I believe that practical obscurity is a dying concept. At this point in the post I should stress that I DON’T classify sex offences are petty crimes, but I believe that the advent of such data on the web will set a president for other forms of crimes to be being posted to the public domain. I can easily imagine a future where all crimes committed in some US state X are posted to the web.

For example, high-school student Bob gets arrested for shop-lifting and gets a minor punishment that could be community service or something of a similar vain. Alice a classmate of Bob’s finds this so funny that she posts it to whatever cool social network she is currently a member of, pushing it into the public domain. Now after Bob has served his sentence in pre-interweb days this information would have been practically obscure, it would have been logged in a filing cabinet in some local magistrate court, and unless you had the impetus to seek out this information you would probably never have found out about it. Alice would have been able to communicate the “funny story” to her social network, but those conversation’s would not have been in the public domain. And now they would be.

Well that is all from me, would love to know if people in the US have installed this APP, and wonder how many linch mobs are going to run around US cities taking following their trusty iPhone and taking the law into their own hands. Here is a link to an article which describes some of the vigilantism which occured in the UK after the tabloid new paper “The News of the World” published a list of sex offenders in the year 2000. Do excuse the fact that I am pointing to a document on the “world socialist web site”, but it seems to report the story well

Furthermore, Kieron O’Hara, Nigel Shadbolt and I wrote a paper touching on this a while back, it can be downloaded from ECS eprints.