The Privacy, Identity & Consent Blog

New Forest District Council has been rapped by the Information Commissioner for posting up personal information on its planning website. The problem is not new, and a number of councils have been warned about this in the past. However, having been warned before about this, New Forest's response to the criticism was: "... signatures and other unique information are not now available for public scrutiny".

Out of interest, I went to their planning portal, punched in a postcode and pulled down the documents from a random applications. Guess what? There's the signature, together with all the other personal information. In the very first document I downloaded. So, is the New Forest District Council lying, or do they not understand their own system? Let's hope the enforcement notice is in Monday's post - because I'm off to steal a pony's identity.

(Partial signature reproduced here)

The BBC is reporting that a man who chose a telephone banking password with Lloyds TSB of "Lloyds is pants" (he wasn't very happy with Lloyds at the time) had it changed to "no it's not" by a member of staff. Apparently "Barclays is better" was also rejected. Lloyds TSB has said that the member of staff concerned no longer works there.

I'm a very happy Lloyds TSB customer, but I won't use telephone banking until I get a two-factor token for authentication. Passwords should be secret, and even if the word is an expletive (which isn't clever, they're pretty high up the list on brute force password cracking dictionaries) then that should be my right to do so - after all, it's nobody else's business, is it?

Another day, another data loss, and another struggle for an original headline. However, the RBS / NatWest / Amex loss of 1m sets of personal information isn't as straightforward as it might at first look.

Continue reading "Meet the new loss, same as the old loss" »

Dave Birch has done an excellent job of describing a point that is oft-discussed in identity/privacy circles: that we in fact rarely need to identify ourselves. Government ministers bang on about how good citizens need to identify themselves many times each day. Utter poppycock. We need to prove entitlement to a service, or authenticate ourselves as the legitimate recipient, but we rarely need to identify ourselves. Please can we sit down with the policymakers and educate them on some of the most elementary principles of ID before they start writing user specifications for massive database systems? (Of course if we educated them properly, the systems wouldn't be massive in the first place).

I get particularly annoyed when I'm asked for inappropriate credentials. Government offices will very often request a credit card so that I can prove who I am when going into a building. What exactly does that prove? That I'm capable of stealing a wallet or making a false credit card? My solution is always to respond to a request for an inappropriate credential with an inappropriate credential: my favourite cards are my National Rifle Association membership (that always leaves security guards with a dilemma) or my CLAS membership (a little piece of laminated card that in theory says I have security clearance, but in practice has nothing to bind it to the bearer other than a name on the front).

Of course the politician's response to this problem is to day that it proves the need for an identity card. Oh no, it doesn't. It proves the need for an identity metasystem, and that's a very different beast indeed.

It's a corny title but an appropriate one: the Home Office has admitted to the loss of a memory stick containing personal information about every one of the 84,000 prisoners in England & Wales. This time the loss wasn't by a 'junior official' but by an organisation that should have known much better - PA Consulting did the lion's share of planning for the National Identity Scheme. Their staff have been immersed in HM Government Information Assurance procedures for some years now, so the very existence of an unencrypted memory stick with that data on it is inexcusable. The questions that need to be answered - and I hope this is by an independent enquiry - include:

• why was such a data set allowed to exist at all outside of the Home Office?
• what was it doing on an unencrypted media device?
• who authorised that transfer?
• what procedures did PA apply to protect the device?
• how do those procedures compare with CESG's requirements for securing data?
• why has it taken (allegedly) several days to reveal the loss?
• what penalties will be applied to the individual, company and department concerned?

At least in the post-HMRC world we've been told about the incident (although the cynic in me asks why - is it possible that someone has found it and coerced them into revealing the loss?). As Deputy Information Commissioner David Smith said, this shows how personal information can become a "toxic liability" if not handled properly. We expect to see a rigourous and transparent clean-up after this particular spill.

Despite more than 20 years of data protection legislation in the UK and efforts to encourage the adoption of privacy friendly technologies and ways of working, progress has been disappointing and data protection and privacy safeguards are often bolted on as inadequate afterthoughts rather than built into new developments from first principles. The Information Commissioner's Office has launched the 'Privacy by Design' project to start addressing this problem, and readers are invited to submit their views to the consultation.

Continue reading "Consultation: Privacy by Design" »

Kim Cameron - Microsoft's Architect of Identity, identity guru and all round decent chap, has been working on a simplified 'plain english' version of his Laws of Identity. This is an important piece of work, since it sets a number of key principles into a language easily understandable by all. If you've been scared off by the complexity of his work, then read on to see what they look like now.

Continue reading "Simplifying the Laws of Identity" »

The BBC is reporting that the Information Commissioner in Schleswig-Holstein, Germany, is calling for tougher privacy laws to tackle the illegal sale of personal data, some of which includes bank account details and phone numbers. And this in a country that already has the toughest privacy laws in Europe. Commissioner Thilo Weichert already has a track record of taking on the big boys - as SWIFT found out - so expect to see real results in this case.

Road pricing is a funny old thing - we get incredibly worked up about the idea of a public authority tracking our vehicle movements, yet we tolerate the fact the mobile phone companies have been tracking us for years. The Department for Transport's road pricing demonstrations programme is moving ahead, but how much of a privacy threat is it?

Continue reading "The spy in the sky?" »

French systems integrator Thales has been awarded an £18m contract for supply to the Identity & Passport Service under the National Identity Scheme. The full details of the contract are not yet clear, but it would appear that Thales will be building and operating the National Identity Register over the next four years.