Thursday, August 31, 2006

Secure? Come off it!

This article in the Spectator (free registration required, will disappear behind subscription wall at some point) points to the Information Commissioner's report on "blagging" for personal data.

Basically, you can buy non-sensitive (but nevertheless confidential) data like ex-directory phone numbers for less than a hundred quid, and highly sensitive data like police records for at most a few hundred. As well as stalkers and estranged spouses, customers for these services include debt collectors, insurance companies, and journalists.

Frankly, I'm not surprised. An organisation like DVLA is about bureaucratic efficiency, not keeping personal data confidential. So it doesn't keep data very confidential. To do that, you need a culture that takes data protection seriously - I am a lot less worried about MI5 keeping a file on me than the local council doing the same thing, because MI5 isn't going to sell the file to a muckraking journalist without direct orders from Downing Street. Doctors and banks also understand this kind of thing.

This makes the governments plans to share information across the government very dangerous indeed. There are three reasons why information-sharing makes this kind of crime more dangerous.

1) Any given breach of security will yield more information. I can get a non-public address, a date of birth, and a national insurance number from a single hit on the national ID register, rather than having to blag three different government agencies.

2) A culture which believes that data sharing is the right thing to do is not one which values data protection. When "Mr Wooley from the Department of Administrative Affairs" phones up the Child Support Agency to ask them how much child support John Major is paying Edwina Currie, then telling him what he wants to know is a shining example of joined up government. Except that "Mr Wooley" is actually working for the Daily Mirror. (He could still be working for the Daily Mirror even as a real DAA employee - junior civil servants are badly paid and therefor easy to bribe.)

3) If data is shared between government officials, then it is only as secure as the lowest common denominator. This is particularly worrying with children's medical records - which Ruth Kelly wants to be shared with other government bodies dealing with children as part of her super-duper child protection database. A database which more than 300,000 petty officials will have access to.

Basically, if the government can't keep sensitive personal data secure - and they can't if everyone in the government has access to it - they shouldn't store it in such vast quantities. But this takes the biscuit. The government knows that the press can (and does) pay crooks to dig dirt on celebrities. They know that the child database will be about as secure as all the other databases that the crooks get their data from. They are even prepared to do something about it. And yet they still think that children of mere mortals should have sensitive personal information conveniently aggregated for the crooks' viewing pleasure.

When you have your fifteen minutes of fame, expect the journalist who contacts you to know your full name, national insurance number, and daughter's favourite icecream flavour. It doesn't mean that they are working for the mafia - it just means that they paid £500 or so for extra background on the story.

Or we could scrap ID cards, scrap 1984-for-kids, and get the Information Commissioner to explain the principles of data protection to Tony Blair and Ruth Kelly.

Labels: ,


Post a Comment

Subscribe to Post Comments [Atom]

<< Home