Wednesday, November 21, 2007

Whoops - there goes your identity. Mass hysteria in the UK

I spoke at the high-brow but fun Digital Identity Forum at London's Clink yesterday - on the subject of Reed's Law and the Demand Curve. It was an interesting place to be when news broke of The UK Government's rather careless loss of the personal records of somewhere around half of the entire population.

For those not familiar with the story a Government department was asked for sensitive data records by another - and it chose to send them in the post on a couple of discs - unsecured. Not even recorded delivery. And they didn't arrive.


A story Dr Ian Brown told at Digital Identity (you might have seen him talking on the subject on Newsnight last night) reveals how/why this kind of thing will inevitably happen.
Apparently it was the case in the National Health Service that access to computer terminals involved a swipe card. This card revealed your personal level of clearance. The higher your rank, the greater your access - essentially. Great in theory. Trouble was, each day the most senior person in the department would swipe to log in and then leave the terminal open for all to use - probably because this was expediant.

And in the same way, you could make the data the Government has lost as secure as you like when you control the process, but the moment you introduce human beings, things can go wildly wrong. In this case a human took the expedient course of sticking them in the post. Not wise; But not beyond the realms of reason either.

Even so, I'm not sure there is quite the cause for all this hysteria. The kind of information about me currently available on those missing discs include bank account names and numbers, home address, my child's name etc. Sounds scary. But it's only scary if someone can do something scary with it.

Aren't our security conventions just a little screwed up when they rely on us NOT sharing the name of our child, or our home address. Isn't that just a bit inhuman? Anti-social?

It's time we changed the locking mechanisms, rather than making it the responsibility of users to be less social - to be less like, well, human beings.

It's in our nature. Technologists - design for it!

In any event - isn't my address and other details available publicly on the electoral roll? Sharing the name and number of our bank account gives no one access to remove anything from it. So what's the big deal?

The issue is for other people's security systems. For example - someone could apply for a credit card or some such with 'my' details. Great. They could apply for it. Not me. They are responsible for any bill racked up on it. Not me. So the problem is for the system which makes knowledge of a few social details about me its dirty big key. They are making a few social details equivalent to my identity. Mistake.

Those guys have the problem - get on with making better locks. Leave me to enjoy being human.


  1. Totally agree. The same problem and solution has been highlighted with the Facebook fraud fears which have been blown way out of proportion.

    If banks etc were more proactive and had better security systems, then I wouldn't have to question them when one call centre operative phoned me and asked for account details without any security check and presumed I'd hand them straight over. Then got snotty when I didn't.

    I'd say the first bank which cared enough to get to knowit's customers and was able to give them decent security and reassurance would be onto a winner.

  2. You should have seen the headline in the Standard: "Millions rush to change bank accounts". Ludicrous. Still, every cloud has a silver lining, the media hysteria ended up getting some additional coverage for the Digital Identity Forum!


The rate of change is so rapid it's difficult for one person to keep up to speed. Let's pool our thoughts, share our reactions and, who knows, even reach some shared conclusions worth arriving at?