Sunday, November 25, 2007

UK Child Data Missing: Mother of all data cock-ups?

First let me say that the choice of words in not mine. Apparently it is okay--in the UK--to use the term "cock-up" in a daily newspaper, as in "the mother of all cock-ups that has left half of Britain vulnerable to identity theft." (The Daily Telegraph)

The quote is from an opinion column that summarizes the situation so far. The basic facts are this: Two unecrypted CDs have gone missing, handed to a courier service and never delivered, potentially exposing the names, addresses, dates of birth and National Insurance [Social Security] numbers of the entire UK government child benefit database (this includes the bank account details of more than seven million parents, guardians and carers). As the Washington Post and others point out, that means it could affect more than 40 percent of the British population.

Please note the word "could" because, despite an array of armagedon-style prognostications from pundits, this incident, which is the talk of the nation in the UK at the moment, is not...

the end of the world, at least not yet. As of right now, I'm not aware of any indication that the discs were stolen with the intent to abuse their contents. The discs in question--and they are discs and not disks--may be in a rubbish tip somewhere. They may be stuck behind a counter in a sorting office. They may turn up tomorrow, or not. None of which is much comfort to people whose personal information in on those discs, but it does mean that the major impact of this incident, so far, is to alert the British public and the government as to how sloppy current data handling practices are. This is likely to have a knock-on effect on the debate over National ID cards in the UK (for the record, I don't object to National ID cards per se, just the way that most nations plan to implement them).

The point being, mass abuse of this misplaced personal data is unlikely. If these discs end up in the hands of someone of low morals, someone who decides to try and exploit them for gain rather than earn a nation's gratitude by handing them over to the authorities, there is actually a limit to what can go wrong, as I will explain in a moment. In the mean time there is the usual shortage of common sense in the public debate surrounding data privacy.

I did find some sanity at Steve Bowbricks's blog where he notes "Hysteria about the lost data is practically universal. On the TV last night a 'computer security expert' told the world the data would be of use to paedophiles." As Bowbrick observed with justified sarcasm "Paedophiles, you see, will now be able to confirm that there are children all over Britain." The point being that making alarmist comments about the problem does nothing to aid efforts to rid society of the blight of paedophilia, in fact, it makes things worse.

To exploit this misplaced data for gain would actually take a not inconsequential amount of effort and intelligence, particularly given the high left of alert upon which every institution in the country has been placed by universal media coverage of the incident. The smart thing to do if you plan to abuse this data is sit on it until things cool down, and then use data sparingly rather than en masse. Even trying to fence the data to a third party would be risky in the current climate (a bit like the dilemma you'd face with the Koh-i-Noor diamond in your pocket after a highly publicized break-in at the Tower of London.

I am increasingly tempted to think that, at times like this, we need to think of three things:

  • how to improve the general standard of human behavior and thereby reduce the probability someone in possession of private data will attempt abuse it,

  • how to minimize the extent to which private data can be abused,

  • how to improve security measures and implementation so it doesn't happen again.


Hand-wringing and fear-mongering should not be on the list.

No comments:

Post a Comment