baldysblog.co.uk

The loss of data on 600,000 recruits or potential recruits to the Armed Forces from a car owned by a Naval Officer in Birmingham, on top of all the other data losses, the most spectacular being 25 million names on two DVDs is staggering in it’s total incompetence. As a Liberal Democrat MP observed, there cannot be anyone in the country who can now believe in Identity Cards and entrusting such data to one source.

I have always been opposed to ID Cards on purely technical grounds rather than the question of Civil Liberties, it is always bad practice to concentrate information in one place where hackers can focus their attention until they crack the database, it is something that you just don’t do in the real world.

Credit and Bank Cards

Consider debit and credit cards as an example, there is the physical card on which information is stored, separately the user has a PIN number and in addition, there is a code on the back of the card for Internet purchases backed up by additional web based security verification requiring a password. For on-line banking, “PIN Sentry” card readers have been issued to customers to generate additional “session pin numbers”. Put simply both the Banks and Credit Card Clearing Houses, who are dealing just with money accounts, take security seriously, Government departments don’t.

However, this latest incident is all the more shocking because it echoes a potentially disastrous incident that took place just prior to the opening of the First Gulf War in 1991. A British Officer stopped off on the A40 to look in a second hand car showroom leaving in his car a laptop PC which was stolen. On that PC it later turned out were all the Allied positions and order of battle for Desert Storm, the point today is that some people just never learn.

The problem is clearly one of “culture” and to be exact, the lack of a culture of data security as is clearly demonstrated by this Naval Officer. Let’s be frank, if a member of our Armed Forces just doesn’t understand the concept of “security”, we have precious little chance of getting a bunch of clerks in Work & Pensions to even start to behave responsibly when dealing with data whether “sensitive” in nature or not. In fact, any data that exists in any government agency should be always be presumed to be “highly sensitive” by default and if it isn’t, they shouldn’t be collecting it.

This Loss

Coming back to this Naval Officer, there are two immediate questions that arise:

No.1. Just why did he have a copy of this database on his laptop ? What on earth was the purpose of carrying around the details of 600,000 people the majority of whom were just names of people who had requested information but also on the same database there were people who had actually enlisted and lots of personal details such as bank accounts, doctors and so on.

No.2. Was that database encrypted so that it would be intelligible to anybody without the appropriate key and security ?

The reality in the commercial world as any IT Department will tell you, if you have a large mobile work force with laptops, in the course of a year there will be a steady stream of breakages and thefts to be dealt with so securing company data becomes a major issue. Quite apart from encryption, what is actually stored on a laptop is restricted to the employees immediate requirements and access to fuller information restricted to the user “being securely connected” to the company’s data centres.

The Real Problem

As written above, the basic problem is one of there not being the right “culture” within Government agencies and the solution is not to tighten up the Data Protection Act so that people can be severely punished after the event, we need to prevent data loss happening in the first place and to do that, we need to start with Parliament and the Government itself.

If we look at the current “credit crunch” where far too many people have over extended themselves financially because they seemed to imagine that the “good times” would last forever, we can see that they have been just mirroring a profligate government who has been doing exactly the same with the public purse.

In other words, the government has created a “culture” of profligacy in its own affairs that has become reflected in the wider economy by all and sundry. And for any who would dispute with me over this, we only have to look at that financial Albatross, Northern Rock to see this in action in a supposed commercial sphere. Just when did any Banker imagine that borrowing short and lending long was a really “ace idea” ?

Start Education from the Top

The point of this slight detour is to demonstrate why change must start at the top. This Government insists that an Identity Card scheme is a good idea, now whilst they are wrong, the reason that they are wrong is far more important than the technicalities. They are wrong because they don’t understand the issues properly. Someone sold them the idea of biometric cards as a wonderful thing and they have since been off with the Fairies singing “Nymphs and Shepard s…” The real crunch factor lies in the database behind this and who has access to what, it’s called a security model.

If a Policeman wants to verify that someone is who he or she says they are, all he needs is a Yes/No answer – Yes they are or No they aren’t. He doesn’t need to be able to read the details held on the database because it is none of his business plus it isn’t efficient or what it is supposed to be about.

Now you may observe that knowing that someone is supposed to be male or female, black, white, brown or yellow and their age group is important under these circumstances but is it ? If you are security checking mass transit, whether the Underground or Heathrow, or people entering a stadium, concert hall or shopping centre, the system needs to be just Yes or No with the “No s” being held for further enquires.

Front line people must never and, the system be designed so that they cannot ever, access the underlying database because if for example they were using a hand-held device to read ID cards and through that, they could access the database, if they lose that device or have it stolen then a thief could also access that data.

There is no way that this Recruitment Officer or any equivalent person in government service should have had a copy of a database on the hard drive of a laptop – it’s total nuts !