Recently in IT and security Category

Sackings mount over DWP data leaks

Public bodies have sacked at least 120 staff for abusing their access rights to the Department for Work and Pensions' Customer Information System, a government database containing details of every citizen in the country that will be at the heart of the coalition government's Universal Credit benefits system.

DWP admitted the latest sackings to Computer Weekly as Channel4 closed a year-long investigation into cowboy private investigators who steal private data from government databases for cash. A Channel4 Dispatches documentary, aired last night, revealed how the rogue operators in the burgeoning security industry were getting illegal access to personal data stored in government databases. Undercover reporter Chris Atkins bought with just a few hundred pounds data about people's state benefits, health complaints and criminal records.

Local Authorities sacked 46 staff between January 2010 and March 2012 after they were caught abusing their rights to access the DWP database, Computer Weekly can reveal exclusively.

DWP itself sacked 57 staff in the two years to March 2012 after they were caught snooping for personal data in their own system, the department told Computer Weekly in answer to a Freedom of Information request.

Snoops

The revelations bring to 120 the total known DWP database sackings since 2007. But this could be just the tip of the iceberg. DWP has disclosed information about only a small portion of those staff with access to the CIS. Having previously ignored requests for information about members of its own staff caught snooping, it has now revealed only those who were caught in the last two years.

The DWP citizen database is used by at least 200,000 people across almost the whole of central and local government. The DWP told Computer Weekly, as it has repeatedly since 2009, that it cannot reveal the full extent of data breaches on its national database because it does not "keep central records". HM Revenue & Customs, which employs a staggering 80,000 people, has refused access to information about any of its staff caught abusing their rights to access the DWP database.

Channel4's investigation found in response to another FOI that the DWP had, aside from sackings, disciplined 992 of its own staff in 10 months for breaching security of the CIS - five people every day. Full exposure of breaches and sackings at DWP and HMRC, which are merging their computer systems to form the Universal Credit benefits system, might damage the credibility of the flagship coalition programme.

Three years after Computer Weekly exposed the problem, local councils are still sacking people at the same rate. They have been forced to sack five staff on average every three months for snooping on the CIS. Between January and March 2012, they sacked seven. Those sacked have been caught looking up celebrities, neighbours, family members, colleagues and acquaintances.

Spooks

The Channel4 documentary exposed a private investigator who bragged and then followed through on a claim that he could use an "internal contact" to get people's personal data for cash.

Stephen Anderson, director of Crown Intelligence and Security Limited, dredged up personal information about activists the undercover reporter said were causing a nuisance for a retail corporation. For £500, Anderson retrieved detailed records about claims for state benefits made by James Leadbitter, a climate change and anti-capitalist activist from Burnley.

On discovering the illegal data breach, Leadbitter told the programme: "I feel sick. Why don't they just break into my flat and go through my stuff...I would struggle to get that information out of the DWP."

The source of the data was unconfirmed. The investigator did not reveal whether he used his inside contact or blagged the information by pretending to be someone he wasn't. The benefits data may have come from local authority databases or the DWP CIS. Further investigation not shown in the programme revealed that someone had been trying to blag data from a DWP call centre. It looked like the investigators were testing various well-trod routes to the data.

DWP claims the sackings prove its security checks are adequate: they catch staff who look up information they shouldn't. It records and tracks details of staff accesses on the system. It said the benefits data obtained by Channel4 did not come from DWP.

CSC bags phone support for cyber warriors

Troubled US outsourcer Computer Sciences Corporation has been offered $145m to do telephone support for US cyber warriors and other grunts connected to an overseas extension of the Navy Enterprise Network.

CSC refused to confirm the contract. But details slipped out in an official procurement notice issued by the Pentagon.

The US Department of Defence said CSC would provide information assurance as well as technical support for ONE-NET*, an adjunct to the HP/EDS-built Navy Enterprise Network, dubbed by generals as the largest corporate intranet in the world.

The Navy has agreed to pay CSC $30.6m for 12 months initial work supporting Fleet Cyber Forces, a unit of cyber warriors hooked into ONE-NET in 16 naval bases in the Asian Pacific, Indian Ocean, Persian Gulf and around the Mediterranean.

DoD said CSC will provide "theater service desk support", field and network technical support, and help operate the network and systems associated with ONE-NET.

The Navy offered CSC possible contract extensions that could pay out $144.7m by 2016. It comes at a crucial time for CSC after a year of bad news, a resurgence of talk about it being a potential take-over target and the pending retirement of CEO Michael Laphen.

Similar extensions have for years given CSC a regular trickle of contract-win announcements for support work on ONE-NET under a previous contract that was due to expire. The last was awarded in March for just six months.

Its share price languishing, it will be under pressure to deliver some good news when it announces its second quarter financial results on Wednesday, particularly in a year when the majority of its announced customer wins have been options customers have taken out under existing contracts.

Bigger fish

The ONE-NET support deal is however small fry for bidders in Washington this winter. The Navy is organising contracts worth a reported $1.7bn portion to implement its Navy Next Generation Network (NGEN), a $10bn programme to continue work done to consolidate networks and plug gaping security holes.

The Navy has bragged that its core intranet has proved unshakeable. It had entirely eliminated network disruptions caused by hackers that, it has been implied, had embarrassed operators of the force's formerly unmanageable network-of-networks.

It did this after spending 10 years consolidating its jungle of disparate networks into a single homogeneous whole called the Navy Marine Corps Intranet (NMCI), under contract with EDS (now HP).

By 2010 it had merged 744 separate Navy networks and deleted 24,000 legacy applications, leaving just 9,000 officially-approved software programs. It is set to become NGEN and is up for grabs.

Baited hook

CSC is bidding for the work with General Dynamics, which built ONE-NET and has outsourced its own IT to CSC since 1991, most recently under a $118m contract.

CSC brought out the big guns to win a piece of NGEN, hiring retired Rear Admiral Kenneth Deutsch last month to lead the bid. Deutsch commanded air raids during the US invasions of Iraq and Afghanistan. He was also networks & comms chief for the Space and Information Warfare division of the Navy and had a lead position in Fleet Cyber Forces, the unit to which CSC is answerable under the ONE-NET contract.

But ONE-GEN has, unusually, begun operation as a civil-government asset.

The Navy recently wrote that it had also agreed to give the US government ownership of NGEN network as it proceeds with the transition from NMCI to NGEN, a move that may reassure those who, even in military circles, warn that the militarisation of the internet is a significant threat to civil society.

The Pentagon has meanwhile agreed to allow the US Department of Homeland Security to take lead responsibility for security of civilian networks, signifying at least some recognition that the majority of "attacks" used by elected representatives to justify the build-up of cyber forces were mostly of a criminal and not military origin.

The ongoing network consolidation led the Navy to remove discretion over network infrastructure from local units of the Navy. It attracted protest over the centralisation of control, but nevertheless delivered a series of consolidated Network Operations Centers, standing orders for server and storage management, a single database environment, and adherence to Federal systems security laws.

This has led the Navy, after some serious problems in systems consolidation overseen by CSC and other systems integrators, to declare it is pursuing a cloud strategy.

The Navy admitted that in its focus to date on network infrastructure it had overlooked the importance of the information it carried. Data had taken a "backseat" while it was concerned with physical interconnection.

The Navy said in January it would address the data issue by developing cloud-based software services and virtualizing its infrastructure. Both also have become central to CSC's strategy.

Navy consolidation also brought about common desktops and operating systems. ONE-NET users are being given 3.2Hz Dell PCs with 40Gbyte hard drives, 512Mbyte of memory and "a two-piece stereo speaker system", the Armed Forces Communications and Electronics Association reported in 2005. They were at the time being loaded with Windows XP.

* ONE-NET is a rare example of a nested acronym and was, it must be concluded, stencilled by network nerds plotting cyber-game-theoristic attack moves round a whiteboard in a poorly pressurised underwater missile base: the Outside Continental United States (OCONUS) Navy Enterprise Network (NET) - ONE-NET.

Godfather of code-breaking leaves legacy of make do and mend

Tony Sale started rebuilding the Colossus computer using his and his wife Margaret's own savings in 1994. It is said no-one believed it was possible.

Just as no-one had believed Tommy Flowers when in 1943 he proposed it, the world's first programmable electronic computer, as a way to automate work being done by the Bletchley Park mathematicians to break the encrypted messages Hitler was sending his generals across Europe.

Sale, who died yesterday aged 80, began the rebuild officially on the same day in 1994 the National Museum of Computing, another of his preservation projects, was opened by the Duke of Kent. It was just as the PC industry was booming and the World-Wide Web taking off.

Then as now, while the industry prospered, the Museum struggled for cash. The computing generation didn't know it was making history. It thought it was making the future.

The Sales had to fund the Colossus rebuild themselves because, Tony Sale said in a booklet he wrote on the project, they couldn't wait any longer. There were too few people with knowledge of the original Colossus computer.

"If the effort was not made immediately there would be nobody still alive to help us with memories of Colossus," he wrote.

Many of those who worked on the original project had died before the 1970s when the British government at last allowed the Colossus secret out. It had destroyed all record of the machine, to hide Britain's proficiency in code-breaking from the Cold War Soviet Union. (Or it thought it had, as Sale was fortunately to discover).

The world meanwhile thought the USA had built the first computer, much to Sale's dismay.

As he wrote: "For far too long the Americans had got away with the myth that their ENIAC was the first computer in the world."

"As 1996 was the 50th anniversary of the switch-on of ENIAC I made sure that Colossus was rebuilt and working in Bletchley Park, just as it was in 1944. There has been a stunned silence from across the water!"

This was one of his motivations for embarking on the ambitious Colossus rebuild, as he put it defiantly in a video on his code-breaking website. He had lived through the war, and though he was too young to fight, had joined the Air Force in the 50s. They were proud times.

Since Britain's pride had been destroyed to preserve its secret, Sale had to rebuild it literally from scraps.

He unearthed eight war-time photographs, 10 fragments of circuit diagrams some of the original engineers had kept illegally, and some general lectures given by lead engineers including Flowers in the 80s.

His effort was helped by British Telecom, which was then decommissioning telephone exchanges that still used equipment Sale could authentically put in the 1940s computer. It had originally been built using Post Office components, most visibly radio valves. Like all good inventions, it had used what was to hand.

Some War-time Post Office engineers joined Sale's rebuild team too. A final break-through came with the publication under US Freedom of Information of reports a US engineer had made about Colossus from Bletchley during the war. It still took them 14 years to complete the rebuild.

The other reason why Sale led the rebuild was to prove how good the 1940s technology was. A Pentium PC, programmed to perform the same tasks as Colossus, took twice as long to do them, Sale said in his 1998 booklet on the project.

Not many people were interested in the mid-90s. Sale eventually secured funding for Colossus from a small charitable fund operated at the bequest of Mrs LD Rope, a Christian family's inheritance. A donation was made by Frank Morrell, one of the original engineers who built the Tunny, the British contraption that emulated the machine that produced the German military's 'unbreakable' ciphers. Keith Thrower OBE, a former president of the Institution of Electronic and Radio Engineers and an author of books about the radio valves used in Colossus, donated money as well. Those firms providing the metal, electrics and valves did so at knock-down rates.

Lately, some of those US firms that grew in the 1990s to dominate the industry have put money into the National Computing Museum also founded by Sale, and which now houses his rebuilt Colossus. Insight Software and IBM were prominent among them.

Though it preserves the memory of the richest of industries, the museum is still so short of cash it relies on volunteers. The Museum's home of Bletchley Park, which was also preserved through Sale's effort, lacks funds to preserve the history of Britain's War-time computing pioneers, though it was recently relieved by funds and publicity from Google. It has made an exhibition of the extraordinary War-time code-breaking machines and put them alongside papers and a most moving sculpture of Alan Turing, the centre's famous mathematician and father of computing.

Sale's accounts of the War-time code-breaking efforts were conspicuous for not mentioning Turing. The latter's memory has tended to overshadow the work of others at Bletchley Park, even while he became the figurehead around whom many of its patrons rallied. Sale was a radio ham who celebrated those Post Office engineers often left out of casual tellings of the code-breaking effort.

Sale himself joined the Air Force because it had been the only way he could afford to get an education. He had been a bit of a whiz-kid, making the news in the late 40s with a life-sized, radio-controlled robot he built out of Meccano. But his tinkering with radio got him into serious work in the RAF. He had to shun the limelight till retirement, and became principal science officer at MI5, like Q in the world of James Bond. What he actually built at MI5 is still a secret.

The Museum's volunteers took on something of Sale's spirit. They have assembled an impressive selection of hardware and acquired a couple of super computers they are now considering putting head to head over a game of chess. Exasperated by the quality of computing education in schools, they get groups of kids in to teach them how to programme.

If they don't succeed there will be more reasons why Britain is the most appropriate place for a museum of computing. But they, Sale's legacy, have, like Sale himself, carried on the Bletchley pioneers' work of achieving extraordinary things with whatever was to hand. Or as they said in the War, make do and mend.

Give Linux security clearance, US told UK

The British intelligence services pushed the open source Linux operating system through security clearance in order to meet a US request for operational interoperability of computer systems.

GCHQ, the signals intelligence arm of the Ministry of Defence, fast-tracked a version of Linux through computer security checks that must be passed by any software to be used in government communications. The procedure is usually off-limits for open source software because there aren't single large corporate backers prepared to sponsor it.

Kevin Wallis, lead architect at the Ministry of Defence, told an open meeting of the British Computer Society's Open Source Specialist Group last week that it was the only instance he knew where CESG, the information assurance arm of GCHQ, had vetted and approved genuine open source software.

"This one came about because it was an interoperability issue with a partner nation," Wallis told the meeting. "This was an operating system," he said.

"A Linux variant," he told Computer Weekly after the meeting.

"It was certified by NSA (the signals intelligence arm of the US Department of Defence) in the US.

"And then CESG, because there was a government use for it, were prepared to put it through the accreditation and accept it accordingly.

"We needed it. It got through. It's now in the catalogue. It may now be built upon," said Wallis.

Wallis joined a chorus of leading public sector figures who said at the meeting government departments should sponsor open source software through the CESG approval process. If they didn't do it, no-one else would and government open source policy would fall at the first hurdle.

Wallis said it was a "vicious circle".

The fact that open source software didn't get sponsored for CESG approval had impeded government policy to increase the public sector's use of open source software.

Ravi Vitankar, chief technology officer in Fujitsu Services Government Division, told the same meeting that open source software "needs sponsorship from a government department". CESG could not be expected to get open source through security clearance without help.

"It can be done but it still needs the sponsorship from the government department. Otherwise, CESG is so over-stretched that you put it there and it will probably sit there for a couple of years because they won't get around to touching it," he said.

Tariq Rashid, Home Office lead architect, called the meeting to ask why open source software was not being used in government despite a two-year old policy that said it would.

There are a number of Linux variants on CESG's list of security assured products. It does not specify which are proprietary and which are open source versions. Linux variants on the CESG list of approved products include those carried by Red Hat, Oracle, MIRACLE LINUX, and SUSE.

G-Cloud: introducing the neo-database state

Now the Home Office has destroyed its prototype ID database in a publicity stunt, the government is putting the finishing touches to plans that would put the real Identity Scheme databases at the heart of a powerful government data sharing system.

The Government Cloud (G-Cloud), an ambitious Cabinet Office scheme to share IT resources and data across the whole of government, is seeking to remove all technical and organisational barriers to public sector data sharing.

Reports published last week by the Cabinet Office describe how G-Cloud will exhume the data sharing systems that underpinned ID Cards, along with the fatal data security risks that went with them. The principles will be applied to all government data. The plans have been overseen by the same executives who oversaw the ID Scheme's data-sharing system, the ill-fated CISx.

The reports state that the only limits to data sharing between government departments in the G-Cloud would be those imposed by law. It is presumed that whatever sharing is required will be permitted.

The principle was established a year ago in the G-Cloud Vision, which was drafted by Martin Bellamy, the same civil servant who advised ministers to proceed with the CISx as one of two core components of the ID scheme.

Bellamy's Vision cited the CISx as an example of the sort of data sharing that would be possible within the G-Cloud. The CISx plan had involved turning the Department for Work and Pensions Customer Information System database (CIS), which contains personal details of everyone in the country, into a system that could be accessed across the whole government.

"As it develops, the G-Cloud will become the repository of a significant portion of Public Sector data," it said.

Linking data

Bellamy's Vision laid out architectural principles explored in greater detail by G-Cloud working groups under the coalition government last year. The most fundamental was that the government should seek to ensure that data items were harmonized across government so they could be linked.

The G-Cloud seeks to harness the power of the internet to create a network of interchangeable and interoperating systems. It is envisaged that the near entirety of public computer systems would be assimilated by the G-Cloud programme in 10 years.

John Suffolk clarified the vision before he stood down as government's chief information officer last year. The government CTO Council would oversee the development of common data standards G-Cloud required.

"These standards will also ease the process of sharing data between different public sector organisations," he said.

After Joe Harley was appointed CIO in January this year, his division of the Cabinet Office put its stamp on the most up-to-date of the draft G-Cloud plans, the G-Cloud Services Specification.

The specification took the idea of G-Cloud as crucible of government data sharing and rebranded it as a system for "Information Access". This involved different public bodies sharing one another's applications in order to access one another's data.

Threads and shreds

It used precisely the same language as the year-ago G-Cloud Vision to describe the framework within which G-Cloud data sharing would operate.
 
"This service will only be permitted where statute allows the data to be shared with the requesting public body," said the reports.

The only other data sharing proviso would be that "information assurance requirements for the data are adequately supported across the G-Cloud," they said.

This lesson will be fresh in the minds of those in the Cabinet Office putting the finishing touches to the G-Cloud strategy. Harley was CIO at the DWP when the CISx plan was devised and was still there when it was scrapped last year. Ian Watmore, his boss at the Cabinet Office, spearheaded the Transformational Government strategy by which the Labour government had sought to increase public sector data sharing. The CIS got a special mention in the Transformational Government strategy as well.

The Home Office said last week its minister Damian Green (pictured) had destroyed Labour's ID database. But he only destroyed the temporary system the Home Office erected in a hurry so it could get ID cards on the streets before the 2010 election. It had still not proceeded with integrating the real ID databases because it was still trying to work out how to resolve their excruciating data security problems.

The photographs of Green shredding hard disks on an industrial estate in Essex were a publicity stunt staged to destroy a publicity stunt. It was always said the ID cards were only a token of the sort of computer systems that have already become well established instruments of government.

The databases still exist. The government still has a plan to integrate them. And the security problems inherent in public sector data sharing have still not been resolved.

Advisers foretold ID's doom

The Identity Card Scheme offers a lesson in the infeasibility of IT systems held to political ransom. The cost of failure was too high for the Labour government. So the Home Office pressed on Quixotically with the system, despite never overcoming its critical weaknesses.

The picture that has emerged with the publication of last week's Independent Scheme Assurance Panel report is one of a government department hashing together on the fly a system of a size, complexity and sensitivity never before attempted. It may have been too big to fail, but it was also too much to handle.

The Home Office was obliged over the years to issue empty assurances that everything was under control and that it was addressing the repeated warnings given by ISAP. Can you handle a project of this size and complexity, asked ISAP in 2007. Yeah, 'course we can, said the Home Office - we've recruited some more executives.

In failing to deliver on those assurances, the department gave an indication of the amount of strain its IT experts must have been under. Working on a panacea project must be like happy-clapping at a cult.

The inconvenient imperfections of the ID plan were spelled out clearly in ISAP's 2007 report, compiled in the year after the Home Office cut the ribbon on the system blueprint and set their IT chumlies off on their futile quest.

After three years of development, the problems still had to be addressed. And very little of the blame could be put on the poor techies building the system. The snags were political. The fault was incompetent ministerial direction.

Writing on the wall

Data security risks identified in 2007 were never brought under control. And much else ISAP and good sense required of the ID project in 2007 was never fully addressed.

Public trust essential to the scheme was never secured. Inter-departmental differences over the accountability, funding and ownership of the cross-government system architecture were never settled. A "robust and transparent" system of data governance was never established. The system requirements were never properly defined and neither were its benefits, though both were crucial, it was and is commonly said, before the system could be properly designed.

Vital skilled staff were never recruited. A system of competent organisational governance was never established. Cross-government support was never obtained and a cross-government standard of identity data and management was never agreed.

It was being built, against ISAP's advice and accepted wisdom, on "shifting sands". And contracts with suppliers were let, to satisfy a political timetable, despite these crucial preliminaries not being clarified.

This must have been especially awkward for the Home Office and may explain why it disbanded ISAP in 2009. No matter that the oversight panel was set up after the Home Affairs Select Committee said in 2004 that the Gateway review process (through which the Office of Government Commerce usually seeks to prevent embarrassing IT failures) couldn't be trusted to oversee a "project of this scale". Don't worry, said the Home Office, we'll set up an independent oversight board.

Had the Home Office given ISAP more credence, a lot of time and money may have been saved. The panel's first public warning put the writing on the wall: data loss will lead to a loss of public trust that, it implied, would be the project's ruin. There were real risks of data loss, it said. Something had better be done about it because people won't stand for it.

Mind bending

This was to be done with a PR exercise that would win public trust by showing how security concerns had been addressed. People would be told the system's tolerance for errors. Said system would have not only to be "robust" but also "well respected".

The problem was swept under the carpet. Civil servants were being sacked for snooping on the Customer Information System (the DWP database that was to form the biographical core of the ID system) before the scheme began. They were still being sacked after the scheme was scrapped in 2010. The DWP's precautions were shoddy, the security leaks were proving unmanageable and the DWP refused to reveal the error tolerance of the CIS. It may not even have known.

You have to wonder how the ISAP overseers felt about it all in the end. Nokia CEO John Clarke, Cranfield Professor Brian Collins, ex-First Direct Bank CEO Alan Hughes, BAA IT director Malcolm Mitchell, and ex-HSBC Bank CIO Fergie Williams: these sort of people are not used to being fobbed off.

Being from the commercial world, they are also accustomed to developing systems that rely for their success on customer choice. Paradoxically, they advised that the ID scheme would only succeed if everyone was forced to use it. This exposed the lie in Blair's ID sales patter, the come-on-you-know-you-want-it approach to civil security: everyone was going to get it anyway, whether they liked it or not.

Sad ending

"To be successful," the ISAP said, "the scheme has to become the government's (and the commercial sector's) primary means of identifying individuals and controlling updates to and use of their data."

It sounds preposterous now. Citizens no more like the Home Office watching them for their own good than foreigners like having bombs dropped on their heads for their own good.

The ID scheme gives us one other amusing paradox to ponder. From ISAP's perspective, it demonstrated how a lack of transparency in public policy and execution led inevitably to costly failure. Yet had the government come clean about the risks, it may never have won the public's support in the first place.

Transparency is the only hope we have of overcoming the endemic problem of public databases being snooped.

What support people had given ID was befooled. The sands shifted so much under the ID scheme that it's hard to say what it was meant to do in the first place. Someone should nose around the Home Office with that very same question in mind. When they come across its fascistic database of identity-carded foreigners they might ponder whether it would ever have been approved either had the opening sales gambit not been ID-for-all.

Papers please!

The House of Lords has been scrapping Identity Cards this last fortnight. Sort of.

It's not simply a matter of "scrap the ID scheme", as the coalition government promised. It's like one of those magic tricks: the Identity Documents Bill will make ID cards vanish but - tadaah! - the government will still be holding the powers that made them so objectionable in the first place.

This ID scrapping bill won't be enough "to stop the development of a 'papers please' culture in Britain," says No2ID in its brief on the legislation.

That 'papers please culture is the one in which bus conductors have been replaced with revenue inspectors. It's the one in which a jolly whistle and the ting-ting! report of a portable ticket machine have been replaced with the hiss of a walkie talkie and the rustle of bomber jackets as they huddle round.

No2ID takes particular offence at how the ConDems' ID legislation will make it a criminal offence with up to 10 years' imprisonment to try and carry off a false ID.

There are no end of reasons why someone might justifiably goof some busybody official into thinking they are someone they are not. They might want to send Transport for London's heavies the wrong way for a start.

Or they might want to get lashed before they are 18. No2ID reckons the last government lost no time in seconding its terrorist-nabbing ID legislation to the task of bagging underage drinkers.

Yet the strangest things about the ConDems' ID Docs Bill are in its Clause 10. And they are its data sharing powers. The ConDems will with this bill introduce a wide power for linking disparate data sources to passport records, to keep them for police intelligence and to extend them at the home secretary's discretion. Just the sort of powers they protested about in opposition.

IBM will meanwhile continue operating the stump of the ID system, the National Biometric Identity Service (NBIS) database, as a database of foreigners. Liberty notes rather politely the "divisive and objectionable" fact foreigners will still have to carry ID cards in Britain.

It is as though the nation has forgotten the plot to The Great Escape, though it is possibly the most replayed movie in history.

Not that you can compare British officials to Nazi commandants. The ID Docs Bill doesn't give them the power to take you into the woods to have you shot if you have the wrong papers. They will merely have the power to send you to prison for 10 years.

ID v2.0 - the ConDem Pitch

Want to know how the Identity Scheme will look under the ConDems?

Mydex, the company providing the technology for the government pilots*, spelled out the vision for ConDem ID v2.0 at Socitm 2010.

We recorded the pitch. You can hear it using the podomatic player below.


The Cabinet Office tells us it dusted off the Crosby report for the occasion. Crosby said in 2008 that if the government wanted a sensible ID scheme it should leave it for citizens to sort it out themselves with the private sector. Be done with this big brother database, said Crosby between the lines. So the government kicked his report into the long grass. And it seemed like we'd never hear of it again... 

Until the 28 August, when the coalition government certified its commitment to a liberal identity scheme in the Official Journal of the European Journal.

It called for companies who can furnish people with a proof of identity the government can use to deliver them services. It wanted ideas for the...

"...establishment of the provenance of identity, verification of a person against an identity, verification of the authority to conduct the transaction, validation of personal data related to the identity, fraud prevention, malware prevention, and assurance of appropriate security when accessing a public service through all channel types including but not limited to online and telephony."

The DWP's Tell Us Once is taking the lead on this. The idea is after all to allow people to look after their own personal data, instead of having the government do it for you, or to you. Just as Crosby recommended. How extraordinary it now seems that it may have been any other way.

Jerry Fishenden, the LSE fellow and Cameronean think-tank compadre, says these plans are so old they go back to the December 2000 plan for an E-government Authentication Framework.

The US has since leapt ahead with the same ideas. They'll probably be doing our ID systems for us before long.

Fishenden's written a paper about what the yanks are doing and why we're now doing it too: it's called The Obama Effect, apparently.

* being run by the DWP, HMRC and Brent, Croydon and Windsor & Maidenhead Councils

MoD admits 16 security breaches were via social media sites


Under the Freedom of Information Act, Lewis PR asked the Ministry of Defence how many incidents there have been of confidential information or records being leaked via social media sites and the internet in the last 18 months.

The MoD said 16. It was more slippery when Lewis PR asked what disciplinary actions had been taken against employees for misuse of social media, and how many have been disciplined.

This was the MoD's reply:

"Service personnel are dealt with under Warnings and Sanctions or Service Law. The number of Service personnel who have been disciplined in the last 18 months is 10 (this figure has been rounded).

"Civilian personnel in the Ministry of Defence could receive informal or formal disciplinary action. The level of detail you requested, disciplinary action for the misuse of social media, is not held centrally.

"The Freedom of Information Act does not require us to change any system or process used by the Ministry of Defence or the Armed Forces to fully respond to requests for information, therefore we are unable to meet this part of your request."

When asked whether its computer networks have been compromised as a result of staff using social media, the MoD again decided, in answering, that there's safety in vagueness.

IT suppliers and government dispute costs of IT security


Plans to introduce mandatory security improvements across government have become mired in contractual disputes with IT suppliers that do not want to carry the cost. Full story on ComputerWeekly.com homepage. 

Government, understandably, wants improvements to IT security after the loss of two CDs at HM Revenue and Customs.

But IT suppliers, understandably, say it'll cost extra.

Several of the outsourcing suppliers have the government over a barrel: their contracts cannot, in practice, be terminated over a dispute related to extra costs of IT security; and third party companies cannot easily bolt on extra security to another supplier's systems.
