Feeds

ContactPoint goes live despite security fears

Thinking of the children - but is that all?

Boost IT visibility and business value

Striking a difficult balance

A difficult balance between useability and security needs to be struck, Okin argued.

"A database of this nature is very sensitive, and even more so in this case as the content concerns children. The security of such a database is critical to ensure the safety of the children's personal data. It needs to be ensured that the proper security controls around such data are in place before deploying this system.

"While it is important to facilitate the quick response and handling of these cases and streamline the processes involved with ensuring their safety, this cannot be done at the expense of their security."

Peter Houppermans, an independent security consultant who designed the UK's government GSI intranet while working for Cable & Wireless, said that contrary to what the minister claims, there are "no real security implications in talking about an overall result" of a penetration test.

"If there are issues I think it is worth mentioning that 'further work is required' in the interest of transparency and the taxpayer knowing if value for money is delivered," Houppermans told El Reg.

Houppermans added that questions remain over the minster's assurance that "remote access is impossible from unsecured broadband and public locations".

"If ContactPoint is not part of the GSI or another closed network I would be concerned that the reality differs from what the minister presently understands to be the case. There is no denial that access can take place over wireless, just that this access would be 'secured'."

Houppermans is doubtful about the insistence that data from the database can't be downloaded.

"That would be a challenge unless every single system having access is subject to the same, stringently enforced rules and security policies (such as USB and CD drive lockdown). Not that it's needed - do they have email? How is that secured? And what about that favourite train deposit format, printed paper?"

Like Okin, Houppermans stressed the importance of security awareness training for ContactPoint users if there's to be any hope that the system will be secure.

Tories ready to 'pull the plug'

Of course, the developing and the worrying, may be in vain, as the Conservatives have promised to scrap the system, if elected.

The Conservatives are interested in both the financial and privacy implications of the proposed database. The Tories are calling for the publication of a government-commissioned security report from Deloitte, an executive summary of which was published by the government back in February. The Conservatives also intend to closely monitor the progress of the project ahead of the next readiness assessment, which is due out in June.

Tim Loughton, Shadow Minister for Children and Young People, commented: 'The expert verdict is clear - ContactPoint will not be safe. The Government needs to publish urgently the full security report so that everyone can know just how insecure the database is. The Government have a terrible track record of keeping our data safe - it needs to pull the plug on this unnecessary and potentially dangerous database."

Critics of the system are united in their belief that security has been designed as an afterthought. The presence of sensitive data with no effective opt-out, and questionable security controls, exercising researchers, opposition and other critics such as the Joseph Rowntree Reform Trust (paper of Database State here).

Many are concerned about how the proposed shielding mechanism will work in practice and whether the functions covered by the database will expand over time, so called mission-creep. Because the database provides a mechanism for registering all children that complements the National Identity Register its evolution and progress has become a political hot potato that New Labour government may find difficult to handle, even if the next phase of its roll-out runs smoothly.

Implementation of the system has already been repeatedly delayed by privacy concerns. Despite the ministry's superficially impressive security policy many privacy issues remain and could yet prove the undoing of ContactPoint, leaving a policy vacuum in how to co-ordinate the actions of care agencies that could prove difficult to plug. ®

Boost IT visibility and business value

More from The Register

next story
Just TWO climate committee MPs contradict IPCC: The two with SCIENCE degrees
'Greenhouse effect is real, but as for the rest of it ...'
Adam Afriyie MP: Smart meters are NOT so smart
Mega-costly gas 'n' 'leccy totting-up tech not worth it - Tory MP
'Blow it up': Plods pop round for chat with Commonwealth Games tweeter
You'd better not be talking about the council's housing plans
Arrr: Freetard-bothering Digital Economy Act tied up, thrown in the hold
Ministry of Fun confirms: Yes, we're busy doing nothing
Help yourself to anyone's photos FOR FREE, suggests UK.gov
Copyright law reforms will keep m'learned friends busy
Apple smacked with privacy sueball over Location Services
Class action launched on behalf of 100 million iPhone owners
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.