Monday, December 17, 2007

Poynter Report on UK HMRC Data Chernobyl

Today Kieron Poynter of PriceWaterhouseCoopers will publish his report into the failures that led to HM Revenue and Customs (HMRC) losing 25 million confidential records about UK citizens claiming child benefit and there will be a ministerial statement on the review this afternoon.

I wrote to my MP about this (not something I make a habit of but probably should do more often) with more than a little help from ORG. Thanks for the prompt, Glyn. Extract:

"For technologists (amongst whom I count myself, as a senior lecturer in technology and author of 'Digital Decision Making: Back to the Future' published earlier this year by Springer-Verlag), one of the most worrying developments since this crisis has been ministers’ using it as an excuse to push for solutions based around biometrics, solutions that would actually increase the privacy risks we are exposed to. Six leading academics recently wrote to the Parliamentary Joint Committee on Human Rights to express their dismay at how biometrics are seen as a magic fix for improving security. These experts, Professor Ross Anderson, Security Engineering, University of Cambridge, Dr Richard Clayton, University of Cambridge Computer Laboratory, Dr Ian Brown, Oxford Internet Institute, University of Oxford, Dr Brian Gladman, Ministry of Defence and NATO (retired), Professor Angela Sasse, Department of Computer Science, University College London, Professor Martyn Thomas, CBE FREng, Software Engineering, University of Oxford,

“These assertions are based on a fairy-tale view of the capabilities of the technology and in addition, only deal with one aspect of the problems that this type of data breach causes. … Furthermore, biometric checks at the time of usage do not of themselves make any difference whatsoever to the possibility of the type of disaster that has just occurred at HMRC. This type of data leakage, which occurs regularly across Government, will continue to occur until there is a radical change in the culture both of system designer and system users. The safety, security and privacy of personal data has to become the primary requirement in the design, implementation, operation and auditing of systems of this kind.”

These technologies are unproven and will not be ready for commercial deployment for another 15 years. I know it is tough to get through to them but please encourage the Government to listen to the facts on biometrics, as experts like Ross Anderson have been doing for years (sadly with little success)...

Professor Anderson has stated repeatedly

“Again and again and again these warnings have been made in different contexts by expert groups and the Government has not been interested.”

And it is not just Professor Anderson who has been saying this. It is whole armies of respected experts who really understand the technologies the government are deploying in such an expensive and dangerous fashion. Kim Cameron (Microsoft’s Chief Architect of
Identity) has described the HMRC 25 million data loss as "Britain’s HMRC Identity Chernobyl". He also says:

'We are living in an age where systems dealing with our identity must be designed from the bottom up not to leak information in spite of being breached. Perhaps I should say, “redesigned from the bottom up”, because today’s systems rarely meet the bar. … There is no need to store all of society’s dynamite in one place, and no need to run the risk of the collosal explosion that an error in procedure might produce.' is essential that you and your many colleagues in parliament encourage the Government to heed the warnings of these and other experts. This privacy timebomb cannot be allowed to be forgotten to tick away merrily once the media frenzy has moved on to some other government failure or failures, as it inevitably will. It is important that we begin to call a halt to the government's deployment of technological systems they don't understand, in contexts and environments to which they are ill suited, and constructed in ways which if suggested by an entry level computer science student would cause him/her to receive a fail grade. The government are not merely failing with these systems, however, they are doing untold damage to the fabric of our society."

Computers are terrifically useful, flexible and fun. We should be using them to solve problems rather than create them.

No comments: