Feeds

ContactPoint goes live despite security fears

Thinking of the children - but is that all?

The Power of One Infographic

Striking a difficult balance

A difficult balance between useability and security needs to be struck, Okin argued.

"A database of this nature is very sensitive, and even more so in this case as the content concerns children. The security of such a database is critical to ensure the safety of the children's personal data. It needs to be ensured that the proper security controls around such data are in place before deploying this system.

"While it is important to facilitate the quick response and handling of these cases and streamline the processes involved with ensuring their safety, this cannot be done at the expense of their security."

Peter Houppermans, an independent security consultant who designed the UK's government GSI intranet while working for Cable & Wireless, said that contrary to what the minister claims, there are "no real security implications in talking about an overall result" of a penetration test.

"If there are issues I think it is worth mentioning that 'further work is required' in the interest of transparency and the taxpayer knowing if value for money is delivered," Houppermans told El Reg.

Houppermans added that questions remain over the minster's assurance that "remote access is impossible from unsecured broadband and public locations".

"If ContactPoint is not part of the GSI or another closed network I would be concerned that the reality differs from what the minister presently understands to be the case. There is no denial that access can take place over wireless, just that this access would be 'secured'."

Houppermans is doubtful about the insistence that data from the database can't be downloaded.

"That would be a challenge unless every single system having access is subject to the same, stringently enforced rules and security policies (such as USB and CD drive lockdown). Not that it's needed - do they have email? How is that secured? And what about that favourite train deposit format, printed paper?"

Like Okin, Houppermans stressed the importance of security awareness training for ContactPoint users if there's to be any hope that the system will be secure.

Tories ready to 'pull the plug'

Of course, the developing and the worrying, may be in vain, as the Conservatives have promised to scrap the system, if elected.

The Conservatives are interested in both the financial and privacy implications of the proposed database. The Tories are calling for the publication of a government-commissioned security report from Deloitte, an executive summary of which was published by the government back in February. The Conservatives also intend to closely monitor the progress of the project ahead of the next readiness assessment, which is due out in June.

Tim Loughton, Shadow Minister for Children and Young People, commented: 'The expert verdict is clear - ContactPoint will not be safe. The Government needs to publish urgently the full security report so that everyone can know just how insecure the database is. The Government have a terrible track record of keeping our data safe - it needs to pull the plug on this unnecessary and potentially dangerous database."

Critics of the system are united in their belief that security has been designed as an afterthought. The presence of sensitive data with no effective opt-out, and questionable security controls, exercising researchers, opposition and other critics such as the Joseph Rowntree Reform Trust (paper of Database State here).

Many are concerned about how the proposed shielding mechanism will work in practice and whether the functions covered by the database will expand over time, so called mission-creep. Because the database provides a mechanism for registering all children that complements the National Identity Register its evolution and progress has become a political hot potato that New Labour government may find difficult to handle, even if the next phase of its roll-out runs smoothly.

Implementation of the system has already been repeatedly delayed by privacy concerns. Despite the ministry's superficially impressive security policy many privacy issues remain and could yet prove the undoing of ContactPoint, leaving a policy vacuum in how to co-ordinate the actions of care agencies that could prove difficult to plug. ®

Maximizing your infrastructure through virtualization

More from The Register

next story
Sit back down, Julian Assange™, you're not going anywhere just yet
Swedish court refuses to withdraw arrest warrant
UK Parliament rubber-stamps EMERGENCY data grab 'n' keep bill
Just 49 MPs oppose Drip's rushed timetable
MPs wave through Blighty's 'EMERGENCY' surveillance laws
Only 49 politcos voted against DRIP bill
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
Delaware pair nabbed for getting saucy atop Mexican eatery
Burrito meets soft taco in alleged rooftop romp outrage
British cops cuff 660 suspected paedophiles
Arrests people allegedly accessing child abuse images online
LightSquared backer sues FCC over spectrum shindy
Why, we might as well have been buying AIR
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.