Security and verification concerns dog debate over Data (Use & Access) Bill

One bill to rule them all

As the report describes, the Data Bill is the “one bill to rule them all”. Many other acts of Parliament passed recently rely almost entirely on the data provisions within the new bill to optimise their performance.

The Economic Crime & Corporate Transparency Act, for example, relies on the “recognised legitimate interest” to allow it to scale, and the Companies House reforms require the verification of directors to be defined. Unfortunately, this is where the standards envisaged and signposted to are a dramatic fail, opening up not only to future abuse but baking in existing fraudulent activity.

Regular readers of Computer Weekly over the last few decades may well recall the ongoing debate as to whether British Gas bills (other utility documents are available) were really the international gold standard for identity security, an issue on which the financial services sector has consistently opined to be counter to effective security.

Yet the current “trust” framework - which you can’t trust as there is no liability model behind it - is still harking back to the Gov.uk Verify era Good Practice Guidelines (GPGs).

For those uninitiated with the GPGs, they are so called because they provide good practice for slightly disorganised criminals to follow the guide so they can more readily circumvent controls.

For those of you who follow the excellent Dark Money Files, we can all agree that even the disorganised criminals need no more help in practicing their online filing. However, reference to GPGs in the Data (Use & Access) Bill would cement these flaws into the system.

Given that the bill now builds on open banking it is somewhat counter-intuitive that the addition of all other smart datasets onto open banking should weaken security controls across the board just because the other datasets do not currently have to meet financial services security controls.

Security vulnerabilities

Outside financial crime, failure to address cyber security vulnerabilities risks the general public’s trust in the handling of their data. Some will recall the collapse of the NHS National Programme for IT in 2012, in large part due to the public’s justified concerns about the lack of security over how their data was being handled.

Secretary of state for health and social care Wes Streeting has recently made some excellent points about the need to optimise application of the huge national asset that is NHS data, but this is highly unlikely to be realised without bringing public trust and confidence with it.

With the majority of the population having been a victim of financial crime, it is scarcely reassuring to then inform them that a lower security standard is being adopted for their medical records should they consent to use such services, and this urgently needs to be amended.

Meanwhile, we heard from the Office for National Statistics last month that fraud - already the largest form of crime, responsible for 41% of all crime - is still accelerating. Moreover, this is despite the stronger sector-specific security standards that exempted financial services from the Network Infrastructure Systems Directive (NIS) a decade ago.

The juxtaposition of NIS2 and the Digital Operational Resilience Act (DORA), coming through from the European Union, with a watering down of already lax financial services controls does not bode well for a UK “trust framework”.

The forthcoming Cyber Security & Business Resilience Bill is to be welcomed in aiming to address the vulnerabilities in UK critical national infrastructure, a concern highlighted recently by Heathrow Airport’s closure and the switch-off of Spanish and Portuguese power grids.

Even here, however, strong authentication is critical, as shown in the analysis of the Colonial Pipeline shutdown, discovered to be a basic failure of multi-factor authentication.

Know your customer (KYC) and anti-money laundering (AML) controls ought to be set at a bare minimum, but even beyond that financial services really ought to be implementing the guidance that UK Finance adopted back in 2018 as part of its commitment to the Payment Systems Regulator’s payment strategy forum’s financial crime working group.

Regulatory guidelines

While British standards were adopted at the time as meeting the need for regulatory guidelines, these security measures have yet to be effectively implemented in any organisation, with disparate elements merely being patched together in disjointed fashion.

If that were to actually manifest then the UK could have a true Dreadnought moment, providing actual identity security, potentially offered internationally, for a robust, resilient, secure and actually trusted framework. But until then, we have a lowest common denominator which will ensure that organised crime flourishes on the back of photoshopped driving licences and gas bills.

And for those who are heartened by the inclusion of international biometric chip passports, a quick note that many of our key adversaries are state-sponsored organised crime gangs.

While access to corrupt officials in certain nations has always been a concern, we now have multiple states actively attacking UK services. For those of you who follow Dark Money Files, you will be aware of the scourge of innocent members of the public having their home addresses utilised for fraud.

The Economic Crime and Corporate Transparency Act is supposed to tackle this, but the currently envisaged verification “solution” will simply allow Adolf Hitler to verify that he does indeed live at your address. Having done so this will likely make it even more difficult for you to have his companies that are registered at your home to be taken down.

Ill-fated fiasco

In conclusion, the Data (Use & Access) Bill has much in it which could prove to be a gamechanger both in combatting financial crime and cyber security flaws, but also in allowing a new swathe of smart data applications to transform the UK economy and drive growth.

But if trust in the verification of individuals and organisations is fundamentally undermined by inappropriate and provably vulnerable processes then we risk the ill-fated Gov.uk Verify fiasco dragging on for yet another decade.

Andrew Churchill is policy director at the Cyber Security & Business Resilience Policy Centre and author of the British Standard in Digital Identification & Strong Customer Authentication (BSI PAS499).