Feeds

UK Gov, and privacy invasion without a safety net

Your data, their hands, that button

Maximizing your infrastructure through virtualization

Comment It’s scarcely unusual. You’re preparing an email, you start typing an email address, autocomplete fills one in from you, and then you may or may not notice as the email speeds off that it’s going to someone entirely different from the intended recipient. If the email includes personal details of 10,000 people and the person you’ve just sent it to is a journalist, well…

In the case of the autocomplete disaster that’s just happened to Gwent Police, the original error wasn’t spotted until The Register reported it, and was even compounded by a second email alerting a baffled Chris Williams to an updating of the internal phone directory (but no, at least they didn’t send us the directory as well). As we understand it, Gwent has an officer with a similar name, so unbeknownst to himself our Chris Williams had blundered onto a distribution list, and presumably would have continued to receive Gwent bulletins, perhaps even slowly moving up the distribution pecking order.

That’s if The Register hadn’t informed them, and Gwent’s techies hadn’t spent last weekend ripping autocomplete out of their systems. We are slightly wistful over the loss of a bizarre but potentially useful information conduit that we didn’t know we had until the other day, but we do take people’s privacy seriously, and regard it as having been our responsibility not to use the data, to destroy it, and to give whatever help we can to Gwent in order to stop this kind of leak happening again.

However… Although we accept that Gwent also takes this matter very seriously and will make honest and strenuous efforts to control the data it handles, it is the nature of the beast — the Criminal Records Bureau checking regime — that this kind of leak will happen again and again. Autocomplete errors, poor list management and (we suspect) excessive use of the cc field aside, the elephant in the room is that file — why was it even possible for someone to have that volume of sensitive data in a single file, far less to email it out unencrypted?

Is your data transfer really necessary?

And did six people really need a copy of what appears to have been only a part of the force’s CRB check database? There are two aspects to the real problem here. First, in common with much of government and other organisations in the public and private sector, the force’s systems are not set up to just prohibit the bulk transfer of personal data. It’s conceivable that systems could be built in this way, and in the long run we feel it inevitable that they will be built in this way. But a lot of people’s personal information is going to go walkabout on lost notebooks and USB sticks before that happens.

And quite a lot of it is going to go walkabout because the data has to be bulked up to be sent to an external organisation without the existence of an adequate secure channel. The mother of all leaks was perpetrated by HMRC, which in 2007 contrived to lose 25 million personal records in the post. One could (and one did) question why anybody needed that amount of data in the first place, but granted somebody needed some HMRC data, the only way to actually get it to them was what we used to call sneakernet.

No amount of huffing and puffing about security and encryption, and dumping on the poor saps who pressed the buttons is going to change anything — if data needs to be transferred and there isn’t a secure channel, then it’s going to leak.

Now consider what’s happening with the criminal records checking. Millions of people now have to undergo a CRB check in order to get a job, undertake voluntary work or do anything involving children. Records of the personal data of tens of thousands, maybe even hundreds of thousands of people will be collated and exchanged between organisations.

Industrialising privacy invasion

Some of these organisations will be police forces — who obviously have to be involved although they didn’t exactly ask to have to collate big piles of CRB check results, others will be government and others private sector. The CRB will take in lots of money because of the regime, while at the same time industrialising the process by farming it out to the private sector.

We’re not suggesting the private sector’s data handling will be any worse than the public sector’s (au contraire…), but there’s a monster here that won’t be tamed without a revolution/revelation in government IT planning, design, security and privacy awareness. They’re invading our privacy industrially, systemically and on the cheap via ill-conceived and ineffectual checking regimes, then blaming operator error and carrying on regardless. They should stop building this stuff until they’ve learned how to control it. Or preferably, they should stop building this stuff. ®

Application security programs and practises

More from The Register

next story
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
Major problems beset UK ISP filth filters: But it's OK, nobody uses them
It's almost as though pr0n was actually rather popular
HP, Microsoft prove it again: Big Business doesn't create jobs
SMEs get lip service - what they need is dinner at the Club
ITC: Seagate and LSI can infringe Realtek patents because Realtek isn't in the US
Land of the (get off scot) free, when it's a foreign owner
MPs wave through Blighty's 'EMERGENCY' surveillance laws
Only 49 politcos voted against DRIP bill
Help yourself to anyone's photos FOR FREE, suggests UK.gov
Copyright law reforms will keep m'learned friends busy
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.