[personal profile] fivemack
This is a classic example of a story the reporting of which is itself the problem. The data has been lost; with reasonably high probability it's been lost to people unable to do anything with it, in which case nothing has actually happened. If it is lost to people able to do things with it, it increases the background risk of identity theft, but there is nothing whatsoever that any given individual can do given this information - it's even less useful than the 'avian flu exists; refrain from handling dead wild birds if at all possible' news items of the start of the year. The useful mitigation has to be done at the level of large-scale identity users, essentially the banks.

But the information has been presented in a way that clearly has worried people; and to worry twenty-five million people about something which ought to be giving sleepless nights to two dozen teams in the back offices of major banks doesn't seem a publicly valuable act ... raising blood-pressures by on average one quarter-micron of mercury will statistically cause some number of heart attacks, which will statistically cause some number of deaths that would be considered front-page, questions-in-the-House bad news if caused by men with knives.

I'm not sure this particular large data-leak can't be spun as a strong argument for ID cards. It means that it can be argued that bad-guys-unspecified have the NI numbers, dates of birth and bank information for near enough everybody, at which point any organisation prepared to let somebody do something to my detriment given only my NI number, date of birth and bank information is presumptively negligent.

I don't think this troubles me too much - I am fairly happy to open bank accounts by appearing in person with a cheque, a passport and a gas bill - but it's clearly troublesome for people for whom getting to the bank is hard, or for whom the cost of getting a passport is significant.

There's certainly an argument that I can imagine being made, of the shape 'previous proof-of-identity systems which we believed adequate are compromised; requiring time-consuming authentication processes from everybody is expensive; what we need to do is to move to some other method of authentication, for example these beautiful high-tech public-key-authentication-on-secure-processor ID-cards what the selfless people at EDS have prepared for us'.

Date: 2007-11-21 12:05 pm (UTC)
From: [identity profile] bugshaw.livejournal.com
Hmm. Blow security-by-obscurity out of the water by making all data public. There must be a flaw...

Date: 2007-11-21 12:41 pm (UTC)
From: [identity profile] shimgray.livejournal.com
My colleague was wondering this morning if she was on it - her youngest son turned 18 in May, so he might or might not have been young enough to be caught by it.

"You know," I said "this would be so much simpler if they published a list of all 25 million names just so we check. You'd need some kind of unique identifier with them, too, to help tell all the John Smiths apart..."

:-)

Date: 2007-11-21 12:10 pm (UTC)
From: [personal profile] diffrentcolours
We've already had Darling say that if we had the National Identity Register, the data would be "protected by biometrics". Either he's an idiot who doesn't understand the technology, or he's lying to save face.

Assuming that biometric technology is good enough, we could have (at vast expense) a system whereby everybody is authenticated by biometrics. The known issues with biometric security will come to the fore, and once biometrics become more commonly faked, loss of biometric data which can't be altered will be a large problem. However, we can only authenticate biometric identities in person, so we'd have to do away with phone / Internet / postal banking and purchases.

I agree entirely that it needs to be harder to do bad things with personal information like NI numbers; unfortunately it's a fairly hard problem in practice (Schneier has a few good things to say on the issue). Until that's the case however, I'm going to continue to campaign against large-scale databases which will only make these leaks bigger, more frequent and more damaging.

Date: 2007-11-21 01:56 pm (UTC)
From: [identity profile] fivemack.livejournal.com
Obviously you have to be in the same place as the biometrics reader to be able to authenticate yourself biometrically, but there's no reason that the biometrics reader isn't a little box with a display, a keypad, an iris-camera and a fingerprint reader which you keep by the side of your computer: put in the ID-card, enter your PIN to wake up the box, enter a sixteen-digit challenge which the remote requestor gives which encodes your ID number and some entropy, scan your finger, and tell the remote requestor the number that appears on the display.

You need a bit of intelligence, of the wolverine-on-PCP paranoid kind, in the chip on the ID-card, but since the current claim is that ID cards will cost twice as much as an iPod Shuffle, a few megabytes of flash memory and an ARM7 core could easily be put on the card, and a Bunnie Huang or Markus Kuhn would happily for a few hundred thousand dollars design you a security system that they couldn't break.

You could get the little boxes made by Inventec in Taiwan for about thirty pounds now.
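
The exchange sketched in the comment above (PIN, sixteen-digit challenge carrying the ID number plus entropy, finger scan, short number read back), as an added example that is not part of the original thread. It assumes a per-card secret shared with the requestor and an HMAC-derived eight-digit response instead of the public-key scheme the post mentions; the class names, digit split and the boolean stand-in for the fingerprint match are all hypothetical.

```python
import hashlib
import hmac
import secrets

def _code(key: bytes, challenge: str) -> str:
    """HOTP-style dynamic truncation of HMAC-SHA256 to an 8-digit code."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    off = mac[-1] & 0x0F
    num = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{num % 10**8:08d}"

class Card:
    """Constructed stand-in for the card chip; the finger check is a stub."""
    def __init__(self, card_id: int, key: bytes, pin: str):
        self.card_id, self._key, self._pin, self._tries = card_id, key, pin, 3

    def respond(self, pin: str, finger_ok: bool, challenge: str) -> str:
        if self._tries == 0:
            raise PermissionError("card locked")
        if not hmac.compare_digest(pin, self._pin):
            self._tries -= 1            # lock after three bad PINs
            raise PermissionError("wrong PIN")
        self._tries = 3
        if not finger_ok:
            raise PermissionError("fingerprint mismatch")
        if len(challenge) != 16 or not challenge.isdigit():
            raise ValueError("malformed challenge")
        if int(challenge[:8]) != self.card_id:
            raise ValueError("challenge is for a different card")
        return _code(self._key, challenge)

class Requestor:
    """Remote party: issues single-use challenges and checks the read-back code."""
    def __init__(self, keys: dict):
        self._keys, self._open = keys, set()

    def challenge(self, card_id: int) -> str:
        # 8-digit card ID followed by 8 digits of fresh entropy
        c = f"{card_id:08d}{secrets.randbelow(10**8):08d}"
        self._open.add(c)
        return c

    def verify(self, challenge: str, response: str) -> bool:
        if challenge not in self._open:
            return False                # unknown or already-used challenge
        self._open.discard(challenge)
        key = self._keys[int(challenge[:8])]
        return hmac.compare_digest(_code(key, challenge), response)
```

Because each challenge is discarded after one verification, a code overheard on the phone is useless for any later request, unlike a date of birth or mother's maiden name.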

Date: 2007-11-21 10:21 pm (UTC)
From: [personal profile] diffrentcolours
OK, let's assume you can do that, that it's sufficiently reliable (very very low rate false negatives) and less importantly from the user's perspective, sufficiently secure (low rate false positives, protected from the various known forms of biometric forging). There are plenty of people who say this is impossible, but we'll accept it for now.

You're talking about 30 quid for every household computer in the country, plus those at libraries etc., to install these. It's a drop in the ocean compared to the National Identity Register (but the cost of setting up that scheme, dragging people in for interviews etc. still has to be met). Still, compared to the £450m cost of card fraud, it's quite a lot.

And it only protects against problems where people are misrepresenting their identity, rather than their circumstances. I don't have figures to hand, but that seems to be the minority (this is almost certainly covered in the DWP investigation into ID cards which the Government is currently being sued to publish).

(this all being said, I would really like to see some kind of centrally-designed, locally-managed PKI-infrastructure-type biometric ID, without some big database behind it)

Date: 2007-11-21 12:11 pm (UTC)
From: [personal profile] diffrentcolours
I agree that people shouldn't be panicking too much in the light of this leak, but I also think it's important to highlight yet another, record-setting leak of sensitive personal data by the Government. If these things weren't reported, there'd be less pressure on the Government to be accountable for what they do with our information.

Date: 2007-11-21 12:18 pm (UTC)
From: [identity profile] ewx.livejournal.com

If you know that such leaks will be front page news, and have high-profile resignations associated with them, then you have greater incentive to prevent them in the first place. Didn't work in this case, but we don't know how many other leaks didn't or won't happen.

Publicizing the leak also means that you actually know about it and are able to use the fact if your bank does turn out to be negligent (and there's the same sort of incentive effect here too).

Date: 2007-11-21 12:43 pm (UTC)
From: [identity profile] shimgray.livejournal.com
Quite. There were good arguments (as made above) for not telling people, and they still chose to tell people about it...

I don't know. Publicising it worries people, probably more than they needed to, but it's a sign that someone might actually understand "We Fucked Up Real Bad", and that's reassuring!

(Are they under a statutory duty to disclose such breaches? Should they be, if not?)

Date: 2007-11-21 02:09 pm (UTC)
From: [identity profile] fivemack.livejournal.com
Making things embarrassing when they're found out is a recipe for having people hide them, rather than for having them not happen, and is also a recipe for the classic Yes Minister problem of having people behave so as not to be embarrassed rather than in the interests of the public they serve. The correct goal must be to make them either impossible or inconsequential.

I can certainly see an argument for running government offices on encrypted networks without connection to the global internet and in a model in which no data-containing media leaves the site - why anyone apart from the group responsible for backing up the SAN at the HMRC datacentre had access to the whole dataset that got mislaid is not clear to me. But an isolated disconnected network in a building with entry and exit searches is not an optimal work environment.

Date: 2007-11-21 12:28 pm (UTC)
From: [identity profile] martin-wisse.livejournal.com
Considering that yer average bank has a call centre staffed by low-paid, not very motivated people who are not really judged on whether or not they prevent identity theft, but on how many products they can sell, and considering that the information in those files seems to be of the kind that is routinely used to i.d. someone over the phone (birthdates and such), I would worry somewhat about this.

Date: 2007-11-21 02:14 pm (UTC)
From: [identity profile] fivemack.livejournal.com
I've just rung TSB to get them to stop sending me credit-card cheques.

They asked for my credit-card number, date of birth, mother's maiden name, amount of last transaction on the credit card, other accounts that I hold at TSB, and a password that they promised I would never be asked to give in full. I would be much happier if they'd asked me to perform some simple interaction with a PIN-protected SecurID-type device; it'd have been six times quicker, too.

On the whole, I do not care whether a random Ukrainian hacker can impersonate me to TSB and get them to stop sending me credit-card cheques; I would thank Hrihoriy for saving some wear and tear on my employer's shredder.

Date: 2007-11-21 01:30 pm (UTC)
From: [identity profile] annafdd.livejournal.com
I agree with you, and I hadn't even realized it before you said it. I did blink when I heard Darling speak and think, you are just giving people _ideas_, you know?

Date: 2007-11-21 04:47 pm (UTC)
From: [identity profile] del-c.livejournal.com
I disagree with your model, because it lacks a real-world level of feedback between alarmism and alarmingness. It assumes that if the government and press together had succeeded in not alarming people, the lack of alarm would not encourage truly alarming security breaches to occur at approximately the rate that falsely alarming ones occur in the present situation. Whereas in my model, the equilibrium outcome of dialling down the alarmism is the same number of heart attacks per decade, but now they're justified heart attacks, by reason of being actually scary situations. That doesn't seem like an improvement somehow.

In politics, I'm in favour of being unreasonably alarmist about government blunders, because it's better than waiting until it's right to be reasonably alarmist.
