<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
   <title>Privacy, Identity &amp; Consent with Toby Stevens</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/the-data-trust-blog/" />
   <link rel="self" type="application/atom+xml" href="http://www.computerweekly.com/blogs/the-data-trust-blog/atom.xml" />
   <id>tag:www.computerweekly.com,2009:/blogs/the-data-trust-blog//158</id>
   <updated>2009-10-20T16:25:33Z</updated>
   <subtitle>The Data Trust Blog</subtitle>
   <generator uri="http://www.sixapart.com/movabletype/">Movable Type Enterprise 4.32-en</generator>


<entry>
   <title>DLP and Privacy</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/the-data-trust-blog/2009/10/dlp-and-privacy.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/the-data-trust-blog//158.72264</id>
   
   <published>2009-10-20T16:25:02Z</published>
   <updated>2009-10-20T16:25:33Z</updated>
   
   <summary>I attended a very good session at the RSA Conference Europe in London this afternoon, entitled &quot;Privacy Concerns with Adopting DLP Technology&quot;. The panel, which comprised RSA&apos;s Katie Curtin-Mestre, FFW&apos;s Stewart Room, and SAS&apos; Yngve Sunnanbo, considered the privacy implications...</summary>
   <author>
      <name>Toby Stevens</name>
      <uri>http://www.privacygroup.org/</uri>
   </author>
   
      <category term="Education" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="privacy" label="privacy" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="surveillance" label="surveillance" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="technologies" label="technologies" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/the-data-trust-blog/">
      <![CDATA[<p>I attended a very good session at the <a href="http://www.rsaconference.com/2009/europe/index.htm&amp;ei=MuTdSqe9G9D34Abe7cgh&amp;sa=X&amp;oi=smap&amp;resnum=1&amp;ct=result&amp;cd=1&amp;ved=0CA0QqwMoAA&amp;usg=AFQjCNEfIBfdxuRubFVUfZBudeKXG7uGvg">RSA Conference Europe</a> in London this afternoon, entitled "Privacy Concerns with Adopting DLP Technology". The panel, which comprised RSA's Katie Curtin-Mestre, <a href="http://www.ffw.com/people/all/r/stewart-room.aspx">FFW's Stewart Room</a>, and SAS' Yngve Sunnanbo, considered the privacy implications from intelligent monitoring of the organisation's boundary traffic.</p>
<p>Data Loss Protection (DLP) takes content scanning to the next level by inspecting traffic at a number of levels (including the much-loathed DPI) to identify security risks that might be missed by a regular scanner. Systems may, for example, look for email content that leaves the organisation at 5pm, and returns in a modified form at 7am, which might indicate an employee emailing work home rather than using a more secure method of transfer, then emailing it back when it's complete. Clearly this is the sort of insecure behaviour that organisations need to stop, and DLP is a valuable tool to protect security, and hence privacy, of information.</p>
<p>However, like all tools, you can cut yourself with it if you use it incorrectly: DLP will automatically gather large amounts of personal and sensitive personal information, and there is a risk that organisations using it may inadvertently infringe the privacy of employees or third parties during investigations. Furthermore, the DLP log will itself be very sensitive, and must be protected appropriately.</p>
<p>I was particularly interested in Stewart's advice in the Q&amp;A, in which he reiterated the importance of intention and action for data protection compliance: say what you're going to do, then do it. Stewart is the author of Butterworth's Data Security Law/Practice, so he knows what he's talking about here.* He also pointed out the importance of transparency in managing the DLP logs: that the log data will, in most cases, be considered personally identifiable, and therefore subject to the Data Protection Act, including the right of access by the Data Subject. In other words, the employee or data subject concerned can demand access to the information held in the log about them. Furthermore, under FoI rules, public bodies operating a DLP system should be prepared to have to provide statistical data about the system's logs, which might have the unintended consequence of revealing the extent of security problems encountered within the organisation.</p>
<p>This of course isn't a good reason <i>not</i> to implement DLP, but it's good advice for any organisation that's installing a system without having properly considered the consequences.</p>
<p><i>* Declaration of interest: I've no commercial link with Stewart.</i></p>
]]>
      
   </content>
</entry>

<entry>
   <title>Fail to build it... and they will come (and rip us off)</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/the-data-trust-blog/2009/10/fail-to-build-it-and-they-will.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/the-data-trust-blog//158.70971</id>
   
   <published>2009-10-14T09:47:47Z</published>
   <updated>2009-10-14T09:48:02Z</updated>
   
   <summary>The Evening Standard reports that PC World was asked to withdraw a £750 printer after the Met police &quot;revealed it could produce replicas of the proposed new ID card and EU driving licenses.&quot; It&apos;s certainly good to see that the...</summary>
   <author>
      <name>Toby Stevens</name>
      <uri>http://www.privacygroup.org/</uri>
   </author>
   
      <category term="News" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="idcrime" label="ID crime" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="identitycards" label="identity cards" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/the-data-trust-blog/">
      <![CDATA[<p><a href="http://www.thisislondon.co.uk/standard/article-23755793-police-war-on-fake-id-factories-as-fraudsters-net-millions.do">The Evening Standard reports</a> that <a href="http://www.pcworld.co.uk/">PC World</a> was asked to withdraw a £750 printer after the Met police "revealed it could produce replicas of the proposed new ID card and EU driving licenses." It's certainly good to see that the police are stamping down on organised criminals and have closed this particular avenue for identity-related fraud - otherwise, we'd all be vulnerable to crime arising from the absence of a proper authentication infrastructure.</p>
<p>This is one of my greatest concerns about the current state of authentication in the UK - we currently rely on passports, driving licenses and utility bills, all of which can be easily forged. Without any proper way to verify the authenticity of those documents, and to bind them to the holder, we have to take a risk judgement on whether they are legitimate or not. The government has pitched biometric ID cards and photo driving licenses as a 'gold standard' for ID that will be infallible, but seems to have forgotten that the system is only as good as the verification mechanism, and in the absence of pervasive biometric readers, these cards might just as well be the printed plastic blanks that will be spewing from the <a href="http://shopping.netsuite.com/s.nl;jsessionid=0a010c451f43531f1e4ca9ee405c86728f07123b3f43.e3eTaxiMa38Te38Mai0?c=732432&amp;it=A&amp;id=1361">£750 printers</a> that used to be on sale at PC World. At least it was harder to forge a passport (you can't <a href="http://shopping.netsuite.com/s.nl;jsessionid=0a010c451f43531f1e4ca9ee405c86728f07123b3f43.e3eTaxiMa38Te38Mai0?c=732432&amp;it=A&amp;id=289">buy blank ones at the local stationers</a>).</p>
]]>
      
   </content>
</entry>

<entry>
   <title>My eyes have expired!</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/the-data-trust-blog/2009/10/my-eyes-have-expired.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/the-data-trust-blog//158.69777</id>
   
   <published>2009-10-03T12:54:43Z</published>
   <updated>2009-10-03T12:54:54Z</updated>
   
   <summary>Returning from Spain yesterday, I thought I&apos;d jump the queue by using the IRIS biometric entry system. It&apos;s been a while since I&apos;ve used it, since on recent returns to the UK, the gateway has been: broken; occupied by an...</summary>
   <author>
      <name>Toby Stevens</name>
      <uri>http://www.privacygroup.org/</uri>
   </author>
   
      <category term="Comment" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="biometrics" label="biometrics" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/the-data-trust-blog/">
      <![CDATA[<p>Returning from Spain yesterday, I thought I'd jump the queue by using the IRIS biometric entry system. It's been a while since I've used it, since on recent returns to the UK, the gateway has been:</p>
<ol>
  <li>broken;</li>

  <li>occupied by an American shouting at the screen wondering why she can't get through the gate;</li>

  <li>broken;</li>

  <li>backed up with a longer queue than the regular immigration channel, or;</li>

  <li>broken.</li>
</ol>
<p>However, yesterday IRIS seemed to be the preferred route, so in I stepped, gazed confidently into the robot, which in turn buzzed, spewed out a slip of paper and refused to let me in.</p>
<p><img src="http://www.computerweekly.com/blogs/the-data-trust-blog/2009_10_03_12_18_13.jpg" width="248" height="480" alt="2009_10_03_12_18_13.jpg" /></p>
<p>The slip explained that whilst it had recognised my iris pattern, my permission to use the system has expired. Why? My passport's good for several years yet. It knows who I am. It must be confident I can't be an imposter. It hasn't deleted my personal information. So why can't I get through? And what am I supposed to do about it - do I have to re-enrol? This isn't exactly a shining example of joined-up systems design...</p>
]]>
      
   </content>
</entry>

<entry>
   <title>IPS launches Public Panel and Experts Group</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/the-data-trust-blog/2009/09/ips-launches-public-panel-and.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/the-data-trust-blog//158.68417</id>
   
   <published>2009-09-17T17:56:10Z</published>
   <updated>2009-09-17T19:17:30Z</updated>
   
   <summary>The Identity and Passport Service has just launched a Public Panel and Experts Group. In their words: The Public Panels will provide an opportunity for IPS to have a conversation with the public and listen to the concerns and views...</summary>
   <author>
      <name>Toby Stevens</name>
      <uri>http://www.privacygroup.org/</uri>
   </author>
   
      <category term="News" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="identitycards" label="identity cards" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="politics" label="politics" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/the-data-trust-blog/">
      <![CDATA[<p>The Identity and Passport Service has just launched a Public Panel and Experts Group. In their words:</p>
<blockquote>
  <p>The <a href="http://www.ips.gov.uk/cps/rde/xchg/ips_live/hs.xsl/1189.htm">Public Panels</a> will provide an opportunity for IPS to have a conversation with the public and listen to the concerns and views of people in relation to identity cards.<br /></p>

  <p>The <a href="http://www.ips.gov.uk/cps/rde/xchg/ips_live/hs.xsl/1218.htm">Experts Group</a> will provide an independent perspective to inform the development of the NIS.<br /></p>

  <p>Independent experts will:</p>

  <ul>
    <li>Provide clarity where there may be ambiguity and will help the Public Panel understand the detail</li>

    <li>Challenge the thought process through the review and analysis of policies and process</li>

    <li>Provide alternative solutions through reasoned opinions</li>

    <li>Provide a credible and independent view that will serve to enhance and strengthen our direction</li>

    <li>Provide an opportunity for experts across disciplines to share knowledge and further their understanding</li>
  </ul>
</blockquote>
<p>These groups are the product of the Identity Rights team, which have been notable for their engagement with stakeholders at times when the rest of IPS have been very quiet. Anyone is eligible to apply for either group, and <a href="http://www.ips.gov.uk/cps/files/ips/live/assets/documents/ExpertsGroupLeaflet(1).pdf">applications will open on 23rd September</a>.</p>
<p><i>[Declaration of Interests: The Enterprise Privacy Group was commissioned by IPS in 2008 to assist with stakeholder engagement, a contract which closed earlier this year]</i></p>
]]>
      
   </content>
</entry>

<entry>
   <title>Surveillance State Kerplunk</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/the-data-trust-blog/2009/09/surveillance-state-kerplunk.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/the-data-trust-blog//158.68261</id>
   
   <published>2009-09-16T10:53:37Z</published>
   <updated>2009-09-16T15:38:12Z</updated>
   
   <summary>The Conservatives have unveiled their plans for reversing the rise of the surveillance state. Seeking to pull the surveillance infrastructure out of government, their views are commendable, but it will be difficult to pick out the undesirable straws from the...</summary>
   <author>
      <name>Toby Stevens</name>
      <uri>http://www.privacygroup.org/</uri>
   </author>
   
      <category term="Comment" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="dataprotection" label="data protection" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="datasharing" label="data sharing" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="ico" label="ICO" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="identitycards" label="identity cards" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="legislation" label="legislation" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="politics" label="politics" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="surveillance" label="surveillance" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/the-data-trust-blog/">
      <![CDATA[<p><a href="http://www.conservatives.com/News.aspx">The Conservatives</a> have <a href="http://news.bbc.co.uk/1/hi/uk/8258043.stm">unveiled their plans for reversing the rise of the surveillance state</a>. Seeking to pull the surveillance infrastructure out of government, their views are commendable, but it will be difficult to pick out the undesirable straws from the necessary ones - in the manner of <a href="http://www.hasbro.com/">Kerplunk</a> - without bringing the infrastructure down around us. What are they calling for, and what are the consequences?</p>
]]>
      <![CDATA[<p><b><i>The state of the database state</i></b></p>
<p><a href="http://www.conservatives.com/News/News_stories/2009/09/Reversing_the_rise_of_the_surveillance_state.aspx">The document</a> describes a stark reality: that New Labour ignored the warnings of the Information Commissioner and the Director of Public Prosecutions, and rubbished the findings of Privacy International and the <a href="http://www.jrrt.org.uk/index.php?page=publications">Joseph Rowntree Reform Trust</a> (JRRT), to push ahead with a new relationship paradigm between citizens and the State - one in which central and local authorities command and control individuals' lives. The Conservatives recognise that this approach ignores technology developments, failing to incorporate federation mechanisms and proper security controls in system designs. That last point is vividly demonstrated by quoting the Prime Minister's response to public sector data losses in 2008:<br /></p>
<blockquote>
  <p>"We can't promise that every single item of information will always be safe."</p>
</blockquote>
<p>From a security perspective, that is of course true, but it should not become a design aspiration in a new system, as appears to be the case with a long list of system failures and data losses listed in the Conservative report. The Conservatives pay particular attention to the National Identity Service, quoting Microsoft's former National Technology Officer <a href="http://ntouk.com/">Jerry Fishenden</a> when he said that the National Identity Register will create</p>
<blockquote>
  <p>"a 'honey pot effect' for hackers, fraudsters and terrorists..." [leading to] "massive identity fraud on a scale beyond anything we have seen before".</p>
</blockquote>
<p>They also point out the failure of the plans for the Communication Data Bill (although that particular policy item is still very much alive on the government's agenda), attempts to undermine data sharing controls in the Coroners &amp; Justice Bill, the rollout of <a href="http://www.guardian.co.uk/commentisfree/libertycentral/2009/sep/15/contactpoint-child-databases">ContactPoint</a>, and the JRRT's conclusion that a quarter of public-sector databases are almost certainly illegal. Ironically, one of their best quotes comes from former Home Secretary David Blunkett, the original champion of big databases:</p>
<blockquote>
  <p>"If we tolerate the intolerable, the intolerable gradually becomes the norm."</p>
</blockquote>
<p><b><i>Rolling back the Labour years</i></b></p>
<p>The Conservatives define eleven policies to extract the State from its current position, underpinned by five guiding principles, which are worth quoting in full:</p>
<blockquote>
  <ul>
    <li>We want to see fewer - not more – giant centralised databases, amassing personal information on the citizen.</li>

    <li>Government should be guided by the principle of proportionality, which means that fewer personal details are accurately recorded and held by specific authorities on a need-to-know basis only, and for limited periods of time justified on the basis of operational necessity.</li>

    <li>Wherever possible, personal data will be controlled by individual citizens, who have the power to decide which agencies can access or modify this information.</li>

    <li>We need greater checks on data-sharing between government departments, quangos and local councils.</li>

    <li>We need stronger duties and sanctions on government, to ensure that the private information it gathers is held securely and that government databases are properly managed.</li>
  </ul>
</blockquote>
<p>These are powerful principles, which represent a reversal of much of current government policy. The stated policies are as follows:</p>
<blockquote>
  <ol>
    <li>Scrap the National Identity Register and ContactPoint databases, flawed systems that will create greater – not less – public exposure to risk.</li>

    <li>End the permanent retention of innocent people’s DNA on the <a href="http://www.computerweekly.com/Articles/2009/09/16/237735/watchdog-slams-police-dna-database-guidelines.htm">National Police DNA database</a>.</li>

    <li>Restrict and restrain council access to personal communications data.</li>

    <li>Reviewing protection of personal privacy from the surveillance state as part of a British Bill of Rights.</li>

    <li>Strengthen the audit powers and independence of the Information Commissioner.</li>

    <li>Require Privacy Impact Assessments of any proposals for new legislation or other measures that involve data collection or sharing at the earliest opportunity. Require government to consult the Information Commissioner on the PIA and publish his findings.</li>

    <li>Immediately submitting the Home Office’s plans for the retention of - and access to - communications data to the Information Commissioner for pre-legislative scrutiny.</li>

    <li>Require any new powers of data-sharing to be introduced into law by primary legislation, not by order, so that they are properly debated and scrutinised in Parliament.</li>

    <li>Appoint a Minister and senior civil servant (at Director General level) with responsibility for operational data security.</li>

    <li>Task the Information Commissioner to publish guidelines on best practice in data security in the public sector.</li>

    <li>Task the Information Commissioner to carry out a consultation with the private sector, with a view to establishing guidance on data security, including examining the viability of introducing an industry-wide kite mark system of best practice.</li>
  </ol>
</blockquote>
<p>It's reassuring to see that the Conservatives haven't fallen for the spin that the UK has obligations under EU law to build the NIR for passport purposes (it hasn't), or that it would be more expensive to scrap the NIR than to build it (it wouldn't). An Information Commissioner who reports to Parliament rather than the Ministry of Justice, and will be given the task of auditing government departments and other public bodies, should finally be in a position to take affirmative action when it's needed, in much the same way as we see in the likes of Germany or Canada.</p>
<p>The Conservatives are extending the requirements of the government's own Data Handling Review to ensure that not only are new systems subject to a PIA, but also new legislation: there is little point in conducting a PIA on a fundamentally unjust system when it has been mandated in law and there's no scope to change the deliverables (for example, the Information Commissioner publicly dismissed the idea of PIAs on some or all of the National Identity Service). This is definitely a welcome move.</p>
<p>Setting party politics aside, the Conservatives should find sympathetic ears north of the border, where the Scottish government has long been ahead of the rest of the UK in its understanding of the challenges and consequences of surveillance technologies, and is currently consulting on a set of detailed principles to control government use of personal information.</p>
<p><b><i>Consequences of Conservative policy - what does all this mean?</i></b></p>
<p>Oliver Letwin's team is developing Tory policy for their (anticipated) first 100 days in power, and that plan will have to deal with both the stated policies and some of the anomalies that may arise from them. I broadly agree with the document, and certainly welcome it as an alternative to current government policies, but there are some loopholes and areas that will need particular attention. A few of these include:</p>
<ul>
  <li>At the broadest level, the Conservatives wish to scrap the National Identity Register. Whilst I would endorse that policy, we must not abandon the provision of population-scale authentication services, which is a duty of government and an essential service for the UK if we are to compete in the online economy. We can't just have 'no ID at all' - there are plenty of examples of proportionate, population-scale authentication schemes out there, and we should consider how a citizen-centric scheme, built primarily to service individuals and industry, rather than the needs of the State, could promote economic growth and protect against fraud. The government's own advisor, Sir James Crosby, made this point in his report to the then-Chancellor, Gordon Brown. We shouldn't ditch the idea of strong authentication, just the current fundamentally flawed plans.</li>

  <li>If the NIR goes, then decisions will have to be made about whether to also disband the Identity &amp; Passport Service, and how to unwind the current supplier agreements and procurement contracts. We will also need to decide the fate of biometric visa documents issued by UK Borders, which have been pitched as 'ID Cards' to the public, since keeping them in that form would risk the creation of a two-tier identification society, where immigrants are discriminated against using these cards.</li>

  <li>If we scrap the NIR and ContactPoint, then government will require clear guidance on what should be used as the 'trusted index' for delivering transformational objectives, or even whether those objectives are still desired. If we are to drop the National Insurance number as a pan-government identifier (which I hope we will) then there has to be a strategy to facilitate accurate and privacy-friendly data sharing where it is necessary and reasonable. Without such guidance, departments will invent a host of fresh ID schemes.</li>

  <li>We have many other ID schemes being developed by different departments, local authorities and healthcare providers. If we are to save money, then these should be condensed into the minimum number - ideally just one. Some of that money saved will be needed to help fund the Information Commissioner's new audit team that is called for elsewhere in the document.</li>

  <li>From a security and liberty perspective, ContactPoint is indefensible, but we need to create a framework for the discussion of child protection issues without putting children at risk or resorting to the current draconian measures again.</li>

  <li>The government just this week announced the appointment of Sir Joseph Pilling as the Identity Commissioner. Do the Conservatives plan to scrap that role?</li>

  <li>The Conservative policy document refers to 'ad hoc powers of inspection and financial penalties for the deliberate, reckless or grossly negligent management of data.' I can't really see the point of such punishments within the public sector, since the citizen loses once when their data is misused, and again when the department is fined and left with less money to fulfil its duties. The public sector needs to face up to the current reality of commercial practices - such an offence would be considered a gross breach of contract of employment, and result in dismissal for the responsible individuals.</li>
</ul>
<p>These are just a few of the points that spring to mind, and if the Conservative policies are to come to fruition, then they need to be resolved before next May. Much of the policy document has been drawn up in partnership with pressure groups and selected experts, and the right move now would be to open it up to public consultation.</p>
<p>If we're serious about handing the balance of power back from the State to the individual, then it's time for individuals and companies to define what - if anything - they want from identity technologies; what a proper and proportionate role for government would be; and how we play Surveillance State 'Kerplunk' without bringing the whole information infrastructure crashing down around it.</p>]]>
   </content>
</entry>

<entry>
   <title>Conservatives Reverse the Rise of the Surveillance State</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/the-data-trust-blog/2009/09/conservatives-reverse-the-rise.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/the-data-trust-blog//158.68236</id>
   
   <published>2009-09-16T09:00:55Z</published>
   <updated>2009-09-16T09:01:06Z</updated>
   
   <summary>The Conservatives will this morning describe their plans to reverse the rise of the surveillance state, espousing three principles: that individuals, not the state, own personal information; that when government holds personal information, it is on trust; and that government...</summary>
   <author>
      <name>Toby Stevens</name>
      <uri>http://www.privacygroup.org/</uri>
   </author>
   
      <category term="News" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="identitycards" label="identity cards" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="politics" label="politics" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="surveillance" label="surveillance" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/the-data-trust-blog/">
      <![CDATA[<p>The Conservatives will this morning describe their plans to reverse the rise of the surveillance state, espousing three principles: that individuals, not the state, own personal information; that when government holds personal information, it is on trust; and that government must be accountable to its citizens.</p>
<p>These principles give rise to a number of policies that include:</p>
<ul>
  <li>scrapping the National Identity Register and ContactPoint databases;</li>

  <li>resolving the ongoing illegality over government use of the DNA Database;</li>

  <li>restricting local government access to personal communications data;</li>

  <li>establishing a Bill of Rights to protect privacy from the surveillance state.</li>
</ul>
<p>I'll be providing a full analysis of the policy statement shortly.</p>
]]>
      
   </content>
</entry>

<entry>
   <title>Happy birthday, DNA fingerprinting</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/the-data-trust-blog/2009/09/happy-birthday-dna-fingerprint.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/the-data-trust-blog//158.67899</id>
   
   <published>2009-09-10T12:10:38Z</published>
   <updated>2009-09-10T12:10:46Z</updated>
   
   <summary>DNA fingerprinting is 25 years old today. Speaking to the BBC, Professor Sir Alec Jeffreys, who pioneered the technique, called for the scrapping of innocent people&apos;s entries on the National DNA Database: Innocent people do not belong on that database...</summary>
   <author>
      <name>Toby Stevens</name>
      <uri>http://www.privacygroup.org/</uri>
   </author>
   
      <category term="News" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="biometrics" label="biometrics" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="surveillance" label="surveillance" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/the-data-trust-blog/">
      <![CDATA[<p>DNA fingerprinting is 25 years old today. <a href="http://news.bbc.co.uk/1/hi/uk/8247641.stm">Speaking to the BBC</a>, Professor Sir Alec Jeffreys, who pioneered the technique, called for the scrapping of innocent people's entries on the National DNA Database:</p>
<blockquote>
  <p>Innocent people do not belong on that database - branding them as future criminals is not proportionate response in the fight against crime.</p>
</blockquote>
<p>Quite agreed.</p>
]]>
      
   </content>
</entry>

<entry>
   <title>Wonderful 419 Fraud Email</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/the-data-trust-blog/2009/09/wonderful-419-fraud-email.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/the-data-trust-blog//158.67758</id>
   
   <published>2009-09-08T19:32:05Z</published>
   <updated>2009-09-08T19:32:15Z</updated>
   
   <summary>Once in a while, a spam hits your inbox that raises a smile - which this one did. I&apos;ve always rather liked Radisson hotels, but was particularly impressed with the list of jobs available in this one. I&apos;m considering a...</summary>
   <author>
      <name>Toby Stevens</name>
      <uri>http://www.privacygroup.org/</uri>
   </author>
   
      <category term="Comment" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="spam" label="spam" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/the-data-trust-blog/">
      <![CDATA[<p>Once in a while, a spam hits your inbox that raises a smile - which this one did. I've always rather liked Radisson hotels, but was particularly impressed with the list of jobs available in this one. I'm considering a job as a busier, yoga doctor, <a href="http://en.wikipedia.org/wiki/Chef#Sous_chef">soup chef</a> (that's wonderful), but might miss out the one listed between Security Officers and Concierge...</p>
<p>Enjoy.<br /></p>
<blockquote>
  <p><font face="Courier">RADISSON HOTEL</font></p>

  <p><font face="Courier">&nbsp;&nbsp; 22 POTMAN SQUARE,UB3 5AN United Kingdom</font></p>

  <p><font face="Courier">&nbsp;&nbsp;</font></p>

  <p><font face="Courier">HELLO DEAR</font></p>

  <p><font face="Courier">THE MANAGEMENT AND STAFF OF RADISSON HOTEL LONDON WISHES TO INFORM YOU ON JOB VACANCIES AT THE HOTEL FROM 15-08-2009 READ CAREFULLY FOR BETTER UNDERSTANDING. THE HOTELS NEED MEN AND WOMEN WHO CAN WORK AND LIVE IN OUR HOTEL HERE IN UK.</font></p>

  <p><font face="Courier">Employment decisions are made solely on the basis of qualifications to perform the work for which you are applying. Qualifications include education, training, work experience and other factors which are relevant in determining job performance. Credentials and experience will be verified through schools, former associates and licensing/certification agencies, if applicable. Heathrow hotel decision to hire and promote are made without regard to race, religion, colour sex, nationality, origin, age, disability, or any other classification as proscribed by federal, state or local law.</font></p>

  <p><font face="Courier">Would you like to be a part of the Radisson Hotels team? Experienced managerial candidates, as well as entry-level applicants, are invited to apply for positions in rooms operations, food and beverage, sales and marketing, finance, human resources, culinary arts, Director Of Catering and Conference Services, Guest Services Manager, Restaurant Manager, Engineers, Guest Ambassador, Guest Services Driver, Operator, Room Service Server, Director of Food &amp; Beverages, Doormen, Housekeepers, Security Officers, Real sex workers, Concierge, Assistant Controller, Restaurant Manager, Banquet Cook, Banquet Steward, Cold Station Attendant, Convention Service Floor Supervisor, Bell Person, Clerk Attendant, Loss Prevention, Storeroom Manager, Various Restaurant Positions, Various Spa Positions, Potman Express Meeting Sales Manager, Director of Rooms, Bartender/Pool Attendant, Assistant Executive Steward, Yoga doctors ,Director of Purchasing, Soup Chef, Director Of Banquets, , Group reservation Coordinator, Leader in Development in F&amp;B, Utility Steward, Front Desk Agent, Night Manager, Night Auditor, Leader In Development Rooms Division, Housekeeping Supervisor/Dispatcher, Busier, Valet - Parking Attendant, Steward Supervisor</font></p>

  <p><font face="Courier">Salary very attractive, excluding family allowance, road allowance,medical allowance, housing allowance transport allowance,miscellaneous allowance etc</font></p>

  <p><font face="Courier">Section B Professionals Medical/engineering fields. We implore the services of Doctors/Nurses in Fair Mont outfits also the services of engineers in our engineering department, electrical,mechanical, xerographic technicians, and computer. If you interested, send your CV/Resume Via this mail:radissonhotel_joboffer@hotmail.com Hotel Management offer every selected candidate free Air Ticket, free accommodation, and feeding. Candidates will only responsible for his/her Visa charges in his/her respective Country.</font></p>

  <p><font face="Courier">Thanks.</font></p>

  <p><font face="Courier">MANAGEMENT</font></p>
</blockquote>
]]>
      
   </content>
</entry>

<entry>
   <title>Banning the &apos;I&apos; word</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/the-data-trust-blog/2009/09/banning-the-i-word.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/the-data-trust-blog//158.67267</id>
   
   <published>2009-09-01T08:16:27Z</published>
   <updated>2009-09-01T12:28:06Z</updated>
   
   <summary>In the excellent Datonomy blog, Roger provides an interesting overview of the definition of &apos;Identity&apos;. Arguing that it is about the autonomy of the data subject to control their personal data, he points out that inadequacies in the EU Directive...</summary>
   <author>
      <name>Toby Stevens</name>
      <uri>http://www.privacygroup.org/</uri>
   </author>
   
      <category term="Comment" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="identity" label="identity" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="identitycards" label="identity cards" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="privacy" label="privacy" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="technologies" label="technologies" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/the-data-trust-blog/">
      <![CDATA[<p><a href="http://datonomy.blogspot.com/2009/08/autonomy-cultural-identity-and.html">In the excellent Datonomy blog</a>, Roger provides an interesting overview of the definition of 'Identity'. Arguing that it is about the autonomy of the data subject to control their personal data, he points out that inadequacies in the EU Directive and its local implementation allow many data controllers to ride roughshod over subjects' wishes when it comes to the handling of sensitive personal data.</p>
<p>'Identity' has become one of the most misused and misunderstood concepts in modern government and modern technology. Several years ago we seemed to collectively forget the word's connections with totalitarian regimes throughout history, and the use of identity systems to police the population in times of crisis - or maybe we felt that we had a new and enduring crisis on our hands - and instead decided that 'identity' is aspirational, desirable and achievable. The word has entered common parlance in Whitehall and Westminster, forms part of the functional specification for who-knows-how-many systems, processes and initiatives, has spawned a new marketing approach for companies selling access control systems, and is fast becoming 'part of the way we do things round here'.</p>
<p>This has to stop. We're sleepwalking towards the precipice (insert scary metaphor of your choice here) simply because we've decided that the 'I' word - Identity - is what we aspire to. I don't object to proving my identity, or owning identification credentials, it's just that <i>we so rarely ever need to identify ourselves</i>. When does identity become an issue? Solely in establishing a trust relationship between two parties where there is a claim to entitlement and an imbalance of risk: for example, when claiming entitlement to enter the country, and there is so much for the individual to gain that they may make false claims about their identity or submit false credentials; or when opening a bank account or credit card that will allow them to borrow money. In such circumstances where the individual's assertions about their identity might reasonably be expected to be fraudulent, it is proportionate to use other means to prove who they are - to <i>identify</i> them.</p>
<p>Once that initial identification has taken place, there is no further need for identity. Credentials are issued - a credit card, a digital certificate, a library card etc. - and thereafter the individual simply has to authenticate themselves as the legitimate bearer of the credential in order to obtain their entitlement. Identity processes only kick in again where there are grounds to doubt the legitimacy of the credential or the bearer. Of course there are other circumstances where the need to identify an individual is justifiable, normally in law enforcement and border control if a person can provide no credentials or refuses to disclose any details about themselves. I'm assuming that situation doesn't arise for most of us on a day-to-day basis.</p>
<p>So why does the word <i>identity</i> get me so riled? Our problem is that policymakers lack the technological vocabulary to accurately describe what is required of a system or process. Under pressure to deliver, they demand a new system or process to <i>identify</i> benefits claimants, to <i>identify</i> underage drinkers, to <i>identify</i> passing cars, when in fact what they want is to check an existing credential, to confirm an attribute, or to bill an individual. Through these poor specifications we are unwittingly building a disproportionate and dystopian database state that in the short term strips autonomy from data subjects, but in the longer term will undermine the state itself: when the identity infrastructure becomes pervasive, errors and failures will become so punitive on the data subjects concerned that life will be unbearable for them.</p>
<p>Take the tragic example of Skhumbuzo Mhlongo, a 22-year-old <a href="http://www.bbc.co.uk/1/hi/world/africa/8230369.stm">South African who was refused an ID Card</a> because of a bureaucratic error that resulted in officials believing he was not a South African national. Unable to work or claim any form of entitlement, and effectively denied any sort of 'official' existence, he ultimately took his life. It would take very few such tragedies to collapse confidence in an identity infrastructure and turn individuals against the State.</p>
<p>My proposal is that we ban the use of the 'I' word in any situation where 'authentication,' 'verification,' 'binding,' or similar terms would more accurately describe what needs to be achieved without creating a panopticon to achieve the outcome. In fact, if anyone feels like setting up a website to monitor inappropriate uses of the 'I' word by government ministers, that might help to raise awareness - much in the same vein as Private Eye's monitoring of the word 'solutions' (perhaps we could name it after their Colemanballs column - 'Blunkettballs?'). It is our duty to stamp out inappropriate use of the 'I' word, to educate policymakers in a more balanced and descriptive language, and to 'I' and publicly ridicule those who believe that 'I' is a proportionate and necessary goal for the greater public good.</p>
<p><i>(Here ends a somewhat grumpy 'back to school' rant. Normal slightly irritable service will be resumed tomorrow)</i></p>
]]>
      
   </content>
</entry>

<entry>
   <title>Don&apos;t talk to us about security</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/the-data-trust-blog/2009/08/dont-talk-to-us-about-security.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/the-data-trust-blog//158.66265</id>
   
   <published>2009-08-16T10:33:41Z</published>
   <updated>2009-08-16T10:33:52Z</updated>
   
   <summary>The Home Office has refused to meet with Adam Laurie, the researcher who demonstrated an attack on the Foreign National ID Card last week. &quot;...the Home Office again refused to see the demonstration, according to investigative journalist Steve Boggan, who...</summary>
   <author>
      <name>Toby Stevens</name>
      <uri>http://www.privacygroup.org/</uri>
   </author>
   
      <category term="News" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="idcrime" label="ID crime" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="security" label="security" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/the-data-trust-blog/">
      <![CDATA[<p>The Home Office has <a href="http://news.zdnet.co.uk/security/0,1000000189,39716619,00.htm">refused to meet with Adam Laurie</a>, the researcher who demonstrated an attack on the Foreign National ID Card last week.</p>
<blockquote>
  <p>"...the Home Office again refused to see the demonstration, according to investigative journalist Steve Boggan, who has been trying to broker a meeting between Laurie and the government department.</p>

  <p>The Home Office said it had declined on the grounds that it did not want to be overwhelmed by individuals wishing to demonstrate ID card cracks."</p>
</blockquote>
<p><i>[Thanks to <a href="http://www.fipr.org/">FIPR</a> for this one]</i></p>
]]>
      
   </content>
</entry>

<entry>
   <title>The business case for privacy</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/the-data-trust-blog/2009/08/the-business-case-for-privacy.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/the-data-trust-blog//158.66247</id>
   
   <published>2009-08-14T20:56:41Z</published>
   <updated>2009-08-15T06:19:21Z</updated>
   
   <summary>The Information Commissioner&apos;s Office has commissioned a study into the business case for privacy. Building on the Privacy by Design report, this project seeks to research and develop an easily understandable and compelling business case that will help organisations to...</summary>
   <author>
      <name>Toby Stevens</name>
      <uri>http://www.privacygroup.org/</uri>
   </author>
   
      <category term="News" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="ico" label="ICO" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="privacy" label="privacy" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/the-data-trust-blog/">
      <![CDATA[<p>The Information Commissioner's Office <a href="http://www.ico.gov.uk/upload/documents/pressreleases/2009/dp_tender_appointment_final.pdf">has commissioned a study into the business case for privacy</a>. Building on the <a href="http://www.ico.gov.uk/about_us/news_and_views/current_topics/privacy_by_design.aspx">Privacy by Design</a> report, this project seeks to research and develop an easily understandable and compelling business case that will help organisations to justify and implement privacy protection within their business processes and systems. This is a very important piece of work - for the majority of organisations, the challenge is understanding <i>why</i> they should provide protection of personal information when there are so many competing calls on their budgets. If we can provide a simple, meaningful business case, then we can correctly prioritise privacy needs against others.</p>
<p>The project team, led by Dr John Leach and Colin Watson, is now soliciting input, and <a href="http://www.watsonhall.com/resources/downloads/pp-discussion-document-10.pdf">their discussion document can be found here</a>.</p>
]]>
      
   </content>
</entry>

<entry>
   <title>Palm Pre Phone Home</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/the-data-trust-blog/2009/08/palm-pre-phone-home.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/the-data-trust-blog//158.66200</id>
   
   <published>2009-08-14T08:35:27Z</published>
   <updated>2009-08-14T09:47:33Z</updated>
   
   <summary>The BBC reports that Palm&apos;s long-awaited next-generation handset, the Pre, has been returning system and location data to Palm without users being aware or giving consent. Developer Joey Hess noticed some odd traffic going out from the handset and investigated...</summary>
   <author>
      <name>Toby Stevens</name>
      <uri>http://www.privacygroup.org/</uri>
   </author>
   
      <category term="News" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="privacy" label="privacy" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/the-data-trust-blog/">
      <![CDATA[<p>The <a href="http://news.bbc.co.uk/1/hi/technology/8198921.stm">BBC reports</a> that Palm's long-awaited next-generation handset, the Pre, has been returning system and location data to Palm without users being aware or giving consent. Developer <a href="http://kitenet.net/~joey/">Joey Hess</a> noticed some odd traffic going out from the handset and investigated further, only to find that the device was returning daily details of its location, installed applications, usage and crashes.</p>
<p>Palm have responded by saying that they take privacy seriously, and that this service is mentioned in the small print of their Ts &amp; Cs, but it does appear to be unnecessarily invasive. If the iPhone is anything to go by, installed apps can reveal a lot about the users' interests, sexuality, religion, finances and other potentially sensitive information. Couple those with a home location, and you've got a good personal profile.<br /></p>
<p>Palm don't appear to have addressed the issue at the time of writing, but they have a couple of months to do so before the UK launch of the handset.<br /></p>
]]>
      
   </content>
</entry>

<entry>
   <title>Has the ID Card been hacked?</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/the-data-trust-blog/2009/08/has-the-id-card-been-hacked.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/the-data-trust-blog//158.66127</id>
   
   <published>2009-08-13T08:37:42Z</published>
   <updated>2009-08-13T08:40:14Z</updated>
   
   <summary>Last week the Daily Mail published a feature piece in which it claimed that security expert Adam Laurie had managed to hack an ID Card in 12 minutes. The Home Office rubbished the article and claims that no hack has...</summary>
   <author>
      <name>Toby Stevens</name>
      <uri>http://www.privacygroup.org/</uri>
   </author>
   
      <category term="Comment" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="idcrime" label="ID crime" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="identitycards" label="identity cards" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="security" label="security" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="technologies" label="technologies" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/the-data-trust-blog/">
      <![CDATA[<p>Last week the Daily Mail <a href="http://www.dailymail.co.uk/news/article-1204641/New-ID-cards-supposed-unforgeable--took-expert-12-minutes-clone-programme-false-data.html">published a feature piece</a> in which it claimed that security expert Adam Laurie had managed to hack an ID Card in 12 minutes. The Home Office <a href="http://www.computerweekly.com/Articles/2009/08/07/237247/id-card-cannot-be-hacked-uk-government-claims-encryption-secrets.htm">rubbished the article</a> and claims that no hack has taken place. Which version of events should we believe?</p>
]]>
      <![CDATA[<p>The Mail's somewhat sensationalist article on the ID Cards hack describes how Laurie used a standard smartcard toolkit to clone a Foreign National ID Card (which incidentally isn't an ID card - it's a biometric visa document issued under the UK Borders Act). He then modified the cloned card to change the details of the holder and add another message.</p>
<p>In its rebuttal, the Home Office pointed out that the card is subject to cryptographic controls that prevent modification or cloning, and that the Mail's hack is therefore not valid since the cloned card would be rejected by any reader. In his blog, <a href="http://futureidentity.blogspot.com/2009/08/home-office-riposte-on-id-card-hack.html">Robin reflects upon the challenge of reprogramming a card</a>, and a key point is that without valid signatures the card can't be cloned or modified: that is, unless the attacker has copies of the private keys, or has managed to subvert the cryptographic algorithm, the integrity of the card remains absolute. It would, for practical purposes, be impossible to create a modified or cloned National ID Card - far simpler to try to create a false identity during the enrolment process, or subvert an official to tamper with the National Identity Register.</p>
<p>So all's well and good with the ID Card's security then? Not so. The 'hack' highlights a fundamental flaw in the architecture of the National Identity Service: the fact that for any 'high assurance' authentication to take place, the relying party must be able to verify not only the content of the ID Card, but its signatures as well. To do so requires a card reader that has access to the National Identity Register and associated databases so that the validity of the card and its data can be checked. But the Home Office has yet to discuss plans for putting in readers in any environment outside of border and immigration controls and law enforcement - in other words, the only time a high assurance check will be achievable in the near future will be at an immigration desk or a police station. That suits the Home Office's needs, but leaves the bit of plastic worthless for the rest of us, since creating a clone that looks like an ID Card and even scans like an ID Card will be trivially simple. <a href="http://news.bbc.co.uk/1/hi/uk_politics/7925779.stm">'Flash and dash' will become commonplace</a> - individuals using fake cards to establish a false identity or false entitlements in the absence of any way to confirm the validity of the card. The only way to avoid that problem will be to build a huge and expensive network of card readers in every location where the card might be needed.</p>
<p>A better approach would be to make the card itself 'unimportant' in the authentication process: to issue digital certificates that can be embedded in mobile phones and computers so that individuals can assert their identity without having to produce a piece of plastic. This would open up online use of the scheme, and create a secondary market for ID, whereby commercial providers that have verified the individual's ID against the NIR can then issue further digital credentials: for example, underwriting m-commerce transactions using bank certificates to confirm the account-holder's ID and credit status. Furthermore, if certificates complied with relevant open standards then they could be embedded into OpenID, SAML etc. to nurture the growth of a peer-to-peer ID infrastructure that would build trust between individuals, industry and the public sector without the need to issue card readers at all. It worked in Sweden, where very few people actually have a plastic ID card, but most of the population use the associated digital certificates - so why can't it happen here?</p>]]>
   </content>
</entry>

<entry>
   <title>So much for the rule of law?</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/the-data-trust-blog/2009/08/so-much-for-the-rule-of-law.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/the-data-trust-blog//158.66010</id>
   
   <published>2009-08-11T18:16:48Z</published>
   <updated>2009-08-11T18:16:57Z</updated>
   
   <summary>I was very disturbed to read the Guardian&apos;s claim that the police have been instructed by the Home Office to ignore the European Court&apos;s ruling that the UK DNA Database breaches human rights law, and instead continue to add information...</summary>
   <author>
      <name>Toby Stevens</name>
      <uri>http://www.privacygroup.org/</uri>
   </author>
   
      <category term="Comment" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="biometrics" label="biometrics" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="data" label="data" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/the-data-trust-blog/">
      <![CDATA[<p>I was very disturbed to read the <a href="http://www.guardian.co.uk/politics/2009/aug/07/dna-database-police-advice">Guardian's claim</a> that the police have been instructed by the Home Office to ignore the European Court's ruling that the UK DNA Database breaches human rights law, and instead continue to add information on arrestees to the database:</p>
<blockquote>
  <p>Senior police officers have also been "strongly advised" that it is "vitally important" that they resist individual requests based on the Strasbourg ruling to remove DNA profiles from the national database in cases such as wrongful arrest, mistaken identity, or where no crime has been committed.</p>
</blockquote>
<p>Approximately 10% of the UK population is already recorded in the DNA Database, and that number continues to rise rapidly. <a href="http://www.computerweekly.com/blogs/the-data-trust-blog/2008/03/last-in-line-for-the-dna-datab.html">I've talked in the past about why this disturbs me</a> - it's not the DNA data itself, but the ability to track familial links, coupled with the inevitable failure of the forensic process for using that data, that will lead to injustice. This latest development is even more worrying, since allegedly senior police officers are obeying Home Office officials rather than the rule of law. If a member of the armed forces is issued an order which they believe to be unlawful, it is their duty to disregard the order and escalate their grievance up the chain of command. Does that not apply to the police in the UK? Or are they now above the law?</p>
<p><i>[Apologies for going all Daily Express letters page on you all, it's one of those weeks...]</i></p>
]]>
      
   </content>
</entry>

<entry>
   <title>A week when databases go bad</title>
   <link rel="alternate" type="text/html" href="http://www.computerweekly.com/blogs/the-data-trust-blog/2009/08/a-week-when-databases-go-bad.html" />
   <id>tag:www.computerweekly.com,2009:/blogs/the-data-trust-blog//158.65657</id>
   
   <published>2009-08-06T10:15:04Z</published>
   <updated>2009-08-06T11:23:58Z</updated>
   
   <summary>Apologies for the lack of blogging over the past few weeks, I&apos;ve been taking a break that included cycling to Paris and living in the woods for 10 days. In reviewing the mountain of news items that were waiting in my inbox when I returned, I noticed four examples of incidents that blow away the old lie &quot;if you have nothing to hide, you have nothing to fear&quot;.</summary>
   <author>
      <name>Toby Stevens</name>
      <uri>http://www.privacygroup.org/</uri>
   </author>
   
      <category term="Comment" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="crime" label="crime" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="idcrime" label="ID crime" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="identity" label="identity" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.computerweekly.com/blogs/the-data-trust-blog/">
      <![CDATA[<p>Apologies for the lack of blogging over the past few weeks, I've been taking a break that included cycling to Paris and living in the woods for 10 days. In reviewing the mountain of news items that were waiting in my inbox when I returned, I noticed four examples of incidents that blow away the old lie "<a href="http://www.computerweekly.com/blogs/the-data-trust-blog/2009/02/debunking-a-myth-if-you-have-n.html">if you have nothing to hide, you have nothing to fear</a>".</p>]]>
      <![CDATA[<p>On Monday the Telegraph ran a <a href="http://www.telegraph.co.uk/news/newstopics/politics/5966278/ContactPoint-database-could-put-11-million-children-at-risk.html">feature piece on security risks in ContactPoint</a> (aka the Children's Index), the 'junior National Identity Register' that will hold details of England's 11 million children in a single register. The design flaw is simple: by the time it goes live it will have 390,000 authorised users. No system administrator could ever hope to keep track of staff movements and actions across the thousands of schools, hospitals, GPs, councils and other bodies that will inevitably forget to notify the government of staff changes. The <a href="http://www.theregister.co.uk/2009/04/23/contactpoint_security/">government has been keen to reassure everyone about security levels</a>, but the fact remains that it has designed a system that fundamentally depends upon management of an unmanageable user population and assumes endpoint security across a vast population of machines over which it has no control. Criticising ContactPoint's security is a little like shooting very large fish in a very small barrel, but we have to keep doing it so that we can say "we told you so" when the whole thing unravels horribly in the near future.<br /></p>
<p>On Tuesday we saw the revelation that nine individuals have been sacked from local authority service for misuse of the Customer Information Scheme database, which will form part of the National Identity Scheme. If we assume that security managers have only detected a small proportion of misuse (34 incidents were detected), that means that there is a significant population of <i>authorised</i> users digging around in the database that the government expects to underwrite the <a href="http://www.cabinetoffice.gov.uk/media/cabinetoffice/corp/assets/publications/delivery_council/pdf/cust_insight_forum_tor.pdf">deep truth</a> about all of us. Of course some will be benign idiots looking up their own records for fun, but others will most probably be a lot less benevolent.</p>
<p>Wednesday brought a <a href="http://www.idealgovernment.com/index.php/blog/blair_2_experian_in_toxic_soup_shocker/">fascinating tale of an error in Southend County Court's database of debtors</a>. Instead of registering a debtor as having settled a £5,000 debt, a clerk updated the record to show £254,000 still owing, with a County Court Judgement to that effect. That's quite shocking - a CCJ effectively instantly shuts down an individual or business' access to credit regardless of the accuracy or cause, and just a typo can effectively circumvent a local magistrate's decision. The individual concerned tried to sue for damages after his business failed, but the judge (Mr Justice Bill Blair QC - for it is he, brother of former PM - an irony that I hope isn't lost on New Labour but probably will be) ruled that the civil service cannot be found liable for damage caused by its own record-keeping mistakes. Yes, if you lose your benefits, your job, your house or your clean criminal record because of an administrative cockup, you have no recourse to compensation. For some reason the government seems to believe that it can still use computers with impunity whilst <a href="http://www.cityam.com/news-and-analysis/yddqpqj7g3.html">punishing private sector organisations that get it wrong</a>.</p>
<p>On Wednesday we also had the (not really news because we knew it anyway) <a href="http://news.bbc.co.uk/1/hi/business/8186509.stm">revelation that organised criminals are subverting HMRC's online tax return systems</a> to submit fraudulent claims and claim refunds. This has been a problem for as long as the systems have been in use, and has nothing to do with hacking, but rather interception of passwords and impersonation of legitimate taxpayers. Under its previous management team, HMRC became the gold standard for data loss and shoddy systems, and there are still years of work ahead to put those problems straight. Some of the issues are ridiculously simple - an accountant friend informs me that if a company submits an online tax return that shows a refund owing from HMRC, the system issues a receipt for the return then promptly ditches the record because it can't recognise the 'negative' balance. Any queries to HMRC result in an assertion that the tax return was never submitted in the first place, despite the issued receipt.</p>
<p>So, rant over. Public sector data incidents are as bad as ever, but the official approach seems to be to ignore the issues, and when they can't be ignored, to deny any liability whatsoever. In an environment where neither the facts nor the accountability for mistakes are accepted, can anyone really feel they have nothing to fear?</p>
]]>
   </content>
</entry>

</feed>
