When IT Meets Politics

"Who do you trust? The Government, Marmite, Michael Fish .. Tesco .. ? So begins Matthew Gwyther, in a Management Today editorial on corporate trust. Debate over on-line trust is even more surreal.

Much will be written about the loss of a couple of CDs of personal data by HMRC. But it is those organisations which track their data and report such losses that are publicly crucified. Those that keep quiet and cover up...

Those who believe in the benefits of the on-line world must act rapidly and effectively to turn the current backlash against its perceived insecurity into well-informed votes of customer confidence in those who practice, not just preach, secure information sharing.

Until last week, HMG information assurance policy assumed that hundred of thousands of public servants would follow security procedures better than the Wermacht, Luftwaffe and Gestapo whose codes were broken by Bletchley Park.

The petition calls on 'the Prime Minister to give the formation of a police central e-crime unit, as proposed by the Metropolitan Police and ACPO, urgent priority' including to help limit the damage from recent data leaks.

The petition on the No 10 calling for urgent action on an NHTCU replacement has been signed by two of the House of Lords Committee on Personal Internet Safety, many leading lights of the ICT world and not a few journalists

I have just received the letter asking for inputs to the independent review requested by the Prime Minister. Inputs to this review will be discussed at most of my meetings tomorrow. What will you be doing to help?

The announcements this week of further data losses result from a flurry of overdue reviews across Whitehall. But attention is still focussed on "data protection" rather than "information risk management". It therefore risks doing more harm than good.

The National Audit Office has just reported on the quality of the data systems used to measure progress against the hundred or so public service agreements that were set in the 2004 spending review.

The growing flood of data leak stories means that few, if any, large UK public sector ICT programmes will be progressed until political confidence is rebuilt. That is a major challenge for an industry that has lost touch with reality

From puberty to senility we are urged to put intimate details on-line via services like Bebo, MySpace, Facebook, Linked-In and Friends Re-United to be trawled by friends, predators, on-line marketeers, anti-piracy lawyers and information aggregators.

This evening the Number 10 Website had 8,245 petitions, on all sorts of subject from the serious to the frivolous. That on e-Crime has now climbed out of the noise. It may have only 348 signatures: but what quality!

External directors have the opposite problem to journalists. Under "fin de siecle capitalism" and in public sector "quangoland" they are sacrificial goats: little or no power to effect change but expected to share responsibility for failure. The time has come to butt back.

The debate over the ID cards and register took new turns this week with leaks over the nature of the "incremental approach" and reports of major suppliers losing interest in bidding for a big centralised scheme.

Today is "Internet Safety Day" - it also sees the launch of the "Information Security Awareness Forum" - the UK ICT professional bodies coming together to present common and compatible messages to employers and consumers

Across the UK we can see unholy alliances of data protection and security consultants, technology salesmen and regulatory lawyers bureaucrats queuing up to "help" Sir Humphrey "protect" our privacy.

The authors of the House of Lords Select Committee report on Personal Internet Safety are seeking comment on the Government Response with a view to doing a follow up exercise. The Earl of Erroll, explains why, in this “guest blog”.

I have just received an e-mail from "The Excellent Network" on "10 Thinks you didn't know last week" inviting me to click for actions in the coming week. If arrived just after a reference to another data breach at US supermarket chain; I decided not to trust it. I also concluded that my wife was not irrational when she declined to trust the security of our local supermarket.

I have agreed to chair the session on "Ethical aspects related to the use of government on-line services" at the European Commission workshop on "Ethics and e-Inclusion" in early May. In parallel I am mapping "issues and players" for the new UK Internet Governance Forum. As with climate change it looks as though we are walking backwards into a most uncertain future.

Yesterday at Infosec the Information Commisioner said that the Cabinet Secretary's Review was expected to be focussed on "issues of accountability and governance", indicating that the heads of departments would be personally responsible in the event of serious data breaches. But where is the guidance on how to share information securily going to come from?

There in no excuse for permanent secretaries and senior responsible owners to ignore "The Directors' Guides to Managing Information Risk" published yesterday. Each of the eight guides follows the format a Churchillian "prayer": "pray let me know on one sheet of paper ..."

How ethical is it to try to persuade the socially-excluded and digitally naive to go on-line when you are not going to provide them with easy to use and secure access or keep the data they enter secure from predators, fraudsters or those who would use it to enforce the "honour" of the family, clan, school, gang or other community?

This week the Economist publishes an excellent article describing the ambivalent attitude of the British Public towards Civil Liberties and the Surveillance Society. It could be, but is not, summarised as: "We want to be looked after but do not trust the systems".

The loss of the Home Office prisoner mash-up on an unencrypted USB appears to have triggered a long overdue "review" of the national children's database ("the honeypot for pederasts"). Meanwhile the inflexibility of current contracts and the drop in the value of sterling have triggered similarly fundamental reviews of private sector ICT strategies..

A strong response to the consultation on the "Additional Uses of Patient Data" (e.g. to help planning, research, audit etc) could change the nature of UK debate on data protection and information security . Respond as a patient. Ensure responses from all organisations with which you are involved. Get them to distribute to their employers and members to also reply as patients.

The shut down of the Government Gateway after an apparent compromise may influence your response to the NHS consultation on other uses of oatient data, on which I blogged on Friday. It should not. There is whole array of privacy enhancing technologies that can be used to prevent such failures. The problem is not hardware or software. "Its the wetware stupid".

"A Fine Balance", the joint conference of four Knowledge Transfer Networks in Thursday provided an excellent update on the current state of "privacy enhancing technologies". When I introduced the Earl of  Erroll I made the point that the Lord High Constable of Scotland was not only the sole cybersecurity professional in either House of Parliament, he is also the only person genetically cleared to draw a sword in the presence of the monarch

At a meeting of the steering committee of the Information Security Awareness Forum on tuesday I suggested we do a note on the Twelve Scams of Christmas and what to do about them. Below is the collective wisdom to date.

Twelve Phishers phishing
Eleven Spammers spamming
Ten Bots a' herding
Nine Virus writers coding
Eight Snoopers snooping
Seven Worms a' spreading
Six Crackers cracking
Five Tro-jan Horses
Four Logic bombs
Three Software patches
Two Denials of Service
And a hacker at your back door!

I will not name and shame the authors of the draft but thought it worthy of a wider audience - rather than wait on perfection - comments welcome - especially regarding additional links on how to address the scams. The links given are to Get Safe Online.

Do visit the ISAF website, especially the blog, for updates as the feedback comes in.  

What is the difference between the Larry Page's claim that making Google wipe data after six months would hit Flu Protection and a Ministerial claim that spending umpty £billion on data retention and Interception Modenrisation would help the War Against Terror"? This morning I also received an eloquent lawyer plea "Please kill this cookie monster to save Europe's websites".