Original URL: http://www.theregister.co.uk/2007/05/17/register_mtas/
Will bloggers get the blame for DoH mess?
Criminal charges for who?
Opinion Health Secretary Patricia Hewitt said the mess made of online applications for doctors could lead to criminal charges. But did she mean the people responsible for such a shoddy system or did she mean the bloggers who brought the problems to light are likely to be charged?
A touch surprising to find the Secretary of State for Health, Patricia Hewitt, stating the truth in a written ministerial statement to the Commons on Tuesday:
"Because the investigation has made it clear that criminal offences may have been committed, the MWR analysis and report have been given to the police."
That "may" is a little mild, as it is quite clear that criminal offences have been committed during the wonderful little saga of the medical training application service (MTAS) and its computer system. Over and above the usual political porkies that is, such as this line from the statement:
"There had been two security breaches of the medical training application service (MTAS) that arose on 25 and 26 April."
There was no security breach that arose on 26 April. There was one that was revealed on that date, yes, but the breach went back to the beginnings of the system and was inherent in the design.
The breach itself was one that would ashame the most neophyte of script kiddies. There was no attempt to create a login session when someone entered the system, nor was there any checking of the IP of the machine being used to prevent session hijacking.
As David Gillies has pointed out: "There is NO WAY that this was anything other than gross incompetence. It is inconceivable that MTAS had a working login session mechanism that was then replaced by the brain-dead version it had when the security breaches came to light."
He then goes on to say that this is a level of stupidity likely actionable under the Data Protection Act. "Implementers of systems containing personal information have a statutory duty, I believe, to ensure only authorised persons have access to that data."
So there's our first criminal offence, among those who planned, built, and implemented this system.
Then there are those who brought the problem to light, such as the NHSBlogDoctor. Distressed at being informed of such a gaping loophole in the system he went to have a look for himself. This is a criminal offence - hacking a computer system. Unable to believe what he saw, he asked a few trusties to have a look themselves - another offence, incitement to hack a computer system.
Having committed these offences, what did the Good Doctor do then? He informed the Department of Health and the system was taken down within a few minutes, thus preventing said department from continuing in their own breach of the law.
Only the excessively cynical would believe that Ms Hewitt was referring only to the second set of breaches, rather than the first, or that the police will concentrate on the whistleblower(s) rather than the original problem.
The realists among us though, will note that there is still something of a problem. When alerted to a possible breach of the law by the authorities, it would seem that investigating such breach is in itself a criminal offence. That's certainly the way to bring about some accountability to the system don't you think? A way of preventing the more obvious lunacies, of improving the system?
But, of course, this is paranoia. No one is going to interpret the law that way, are they? In a world where adding ../../../ to a URL is worth £400 plus costs and the loss of your job and career. No, of course not, it's just paranoia. ®
Tim Worstall is a freelance and blogs at www.timworstall.com.