Tag Archives: identity

ID card can’t prove ID

There is a revealing article in the Telegraph today with the headline: ‘Man can’t prove ID with ID card’

Darren McTeggart tried to use the £30 card to pick up a replacement credit card from a branch of Santander – formerly Abbey – in Manchester, where the scheme was rolled out on a voluntary basis last year.

Mr McTeggart, one of the first people to get the card, said: “They said it was not on their list of approved ID.”

Admittedly, it was an oversight on the part of the bank, but still…

Via No2ID

Data Loss

Up until Monday, we hadn’t had any of our data lost by the government (as far as we knew). We shouldn’t have been one of the 25 million lost due to being child benefit claimants, or one of the many other breaches.

Some of the breaches are potentially very serious should the data fall into the wrong hands, for example, the list of military applicants, of prison officers, or (and think of the children!) families with young kids.

However, Monica may have been among the three million lost on Monday.

It does annoy me slightly that they always call it ‘lost’; this can imply that the issue is that the government no longer has the information. This isn’t the problem – it’s ‘duplicated, then lost’. The issue is that people who shouldn’t have the information ultimately acquire it.

Having the entire population on one big database is not a way to improve security. It’s a big target for identity theft, and recent history shows that it cannot be kept totally secure.

Having said that, the ‘losses’ that have happened have been rather silly. Lots of data transported without strong encryption, often when there was no need to transport it. It shows a general carelessness that is not befitting anyone claiming to be worthy of trust with this data.

You can take this survey to find out how likely it is that the government has treated your information shoddily.

For more on the proposed ID card database, see the No2ID website, including this rundown of the issues.

The ORG data loss questionnaire

You hand over your personal details to councils, hospitals, employers and businesses all the time. But these institutions don’t always keep that data safe. In fact, since HMRC lost its entire database of child benefit claimants last year, high profile data losses have hit the headlines with worrying regularity. But how does this affect you and your family? Click here to find out how likely it is that a government department or corporate entity has been losing your data recently.

Industry and Government want to aggregate and share more and more of your personal data. Schemes like the National Identity Register, ContactPoint and the Intercept Modernisation Programme are just the tip of the iceberg. But data insecurity is inevitable if large datasets are stored centrally and accessed by hundreds of different people. Data loss can lead to identity fraud and harassment for anyone affected. It is also likely to further complicate or even threaten the lives of those who are fleeing abusive relationships or on witness protection schemes. And that’s without even getting into the debate about how data sharing and aggregation can change the relationship between citizen and state [.pdf].

Once you’ve taken the test, please share the link – http://www.openrightsgroup.org/dataloss/ – with friends. And if you learn of other incidents that should be added to the questionnaire, then please add them to our list of UK privacy debacles, which feeds into the questionnaire.

Thanks to Sam, Glyn, Casey and Rowan, the Open Rights Group volunteers who conceived and realised this project. Finally, please note that the application does not record users’ responses or IP address. In fact we don’t store any user data, which means there is no danger of us losing or leaking anyone’s personal information.

More Data Loss

So, the Government has managed to lose a USB stick containing the details of tens of thousands of criminals.

We should not focus on the fact that this is the data of criminals – that will be of little concern to many – but instead look at what’s happened here in terms of data protection. Once again it has been possible to copy records en masse, save them to removable media unencrypted and walk out with them.


This time it was a USB key, but in the past it has been CD-ROMs. Discs have been lost containing the data of 4 million people, of 25 million people and there have been many other cases.

This does not breed confidence in the future security of the ID database – a massive bonanza for identity theft if it got into the wrong hands.

It simply should not be possible to export large amounts of data without a high clearance… and such clearance should only be given to people who have been drilled until their ears bleed about safeguarding that data. In particular, if the data is on a USB stick, the stick is attached to a lanyard and doesn’t leave your neck until it is wiped. Even then, the data should not be on any removable media unless encrypted (and this should be automatic to prevent the human-error factor).

More to the point, if the data has to be moved from A to B, what is the problem with an encrypted SSH tunnel from one system straight to the other? What’s wrong with ‘dropping’ fields which are not needed at the receiving end before sending?

NO2ID - Stop ID cards and the database state

These data losses indicate a massive systemic failure in the design of government systems, a carelessness with the data with which they’re entrusted, and a laissez-faire attitude at the highest levels. Just as the loss of the child benefit discs was not the fault of one low-level civil servant, this should not be pinned on the unfortunate who dropped the USB stick (though they should know better). This should be viewed as a failure of design – people should not have been able to do this, even if they were trying to be malicious.

It’s just another case which demonstrates the flaws behind the concept of an ID card database, which if ever compromised would be the biggest boon to identity theft ever seen.

The Nasty Party

‘The Nasty Party’ used to be a term applied to the Tories. This is most emphatically no longer the case.

Putting aside historical issues for a moment and looking at recent weeks:

Kathz wrote about an issue (mirror) which I noted, but did not post about until now. That is of Labour playing nasty in Crewe.

The Labour Party is putting out an official leaflet which carries a picture of the Conservative candidate and the question, “Do you oppose making foreign nationals carry an ID card?”

Maybe the Conservative party policy isn’t clear on the issue. But Labour (government) policy isn’t just about foreign (non-EEC, by the way) nationals. Soon we shall all have to carry ID cards. The government is preparing to collect our biometric details so that it can store them on a database. The ID scheme targeting foreign nationals is simply starting with a soft target – people who don’t have votes.

The Labour leaflet in Crewe hasn’t been published to open up a debate on ID cards. The government has made it very clear that the introduction of ID cards is not open to debate. This leaflet is about race. It’s about fuelling fear and race hatred to hold a vulnerable seat in a parliamentary by-election. The implication of the leaflet is that foreigners are dangerous and only the Labour Party will keep them under surveillance.

Spreading suspicion is dangerous. Mistrust is often a two-way process.

(Another source)

In other news, Labour want to institute a database recording the internet activity and phone calls of everyone in the country ‘just in case’. (source)

Jonathan Bamford, the assistant Information Commissioner, said: “This would give us serious concerns and may well be a step too far. We are not aware of any justification for the State to hold every UK citizen’s phone and internet records. We have real doubts that such a measure can be justified, or is proportionate or desirable. We have warned before that we are sleepwalking into a surveillance society. Holding large collections of data is always risky – the more data that is collected and stored, the bigger the problem when the data is lost, traded or stolen.”

Let us all recall that Government doesn’t have a good track record with large databases, with multiple leaks over the past year – including the one leak of the records of some 25 million families.

As an interesting aside, Guido notices that the number of stress-related sick days at the Treasury has dramatically reduced since Brown became PM.

Get your German interior minister’s fingerprint here

A fundamental flaw with biometric ID cards has been demonstrated in a very high profile way.

In the most recent issue of Die Datenschleuder, the Chaos Computer Club printed the image [of the fingerprint of Wolfgang Schauble, Germany’s interior minister] on a plastic foil that leaves fingerprints when it is pressed against biometric readers. (my emphasis)

“The whole research has always been inspired by showing how insecure biometrics are, especially a biometric that you leave all over the place,” said Karsten Nohl, a colleague of an amateur researcher going by the moniker Starbug, who engineered the hack. “It’s basically like leaving the password to your computer everywhere you go without you being able to control it anymore.”

Schauble’s fingerprint was captured off a water glass he used last summer while participating in a discussion celebrating the opening of a religious studies department at the University of Humboldt in Berlin. The print came from an index finger, most likely the right one, Starbug believes, because Schauble is right-handed.

Whoops.
