This week’s Downtime has called for an end to discussion about the attack on Jeremy Clarkson’s bank account, but the incident does a lot to demonstrate the difference between privacy and security.
We all know the story now – outspoken motoring journalist and Top Gear presenter Clarkson wanted to dismiss the fuss about last year’s HMRC data loss incident, so he published his personal bank account details in his column in the Sun. Some enterprising individual used those details to set up a £500 direct debit to charity Diabetes UK, leading Clarkson to state that “contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy.”
The problem here is that Clarkson was right in the first place. Bank account details are not secret, otherwise they wouldn’t be embossed on debit cards and statements would be securely printed in the manner of PIN mailers. Clearly there is a systemic failure when those public details alone are sufficient to remove funds from an account, and one assumes that the banks already recognise this weakness, since there are established mechanisms to return the funds to source when something goes wrong. The system therefore serves the needs of the banks very well indeed. They have calculated the anticipated losses and taken a risk decision that this is more cost-effective than incorporating tighter security controls.
Unfortunately, things aren’t so simple for the customer who’s had funds removed from their account without authorisation. Bills don’t get paid, fees accrue and the customer’s credit record can be adversely affected. The impact on the customer is proportionally far greater than that on the institution, and this means that the customer needs to reduce their vulnerability to attack by keeping their details private – something the bank isn’t prepared to do on their behalf. It’s probably safe to assume that Clarkson has now changed his bank account number (and if my bank were to feed me hogwash they couldn’t reveal the perpetrator’s details because of the Data Protection Act, I’d be changing bank as well).
Those folks whose details were lost by HMRC (of whom I’m one) shouldn’t have anything to worry about unless they’ve been daft enough to use dates of birth as PIN numbers, but because that institution failed to live up to a public expectation of trustworthy processing, the onus falls on us to protect ourselves. Information that should be public will be treated by us as private, even if some private companies and public authorities are not prepared to do so. And our sense of outrage at future data loss incidents will be all the greater.
So what’s the difference between privacy and security? Just like security, privacy is about controlling who has access to what information about you. But privacy brings in a critical factor of context: the value of a piece of information depends upon what it is, who the data controller and data subject are, and why that data is being disclosed. What’s more, the data controller and data subject are unlikely to have a shared view of either the value or the context of the data, and the value and context change all the time. Context is everything.
Until we have a practical mechanism to express our privacy wishes to the institutions that process our data, these problems will continue to dog us. And only when those institutions show some respect for our data will we be in a position to be a little less private in our dealings with them. After all, to use one of Clarkson’s catchphrases, how hard can it be?