ContactPoint goes live despite security fears
Thinking of the children - but is that all?
Analysis The Government has announced plans to push ahead with the next phase in launch of a controversial child protection database, despite ongoing concerns about the security of data held on the system.
The delayed ContactPoint system, which is due to include names and addresses on every child under 18 in England, will be accessed by frontline care workers in real-life trials for the first time from this Monday.
Security experts contacted by El Reg remain concerned that information housed on the database might leak out despite ministerial assurances on security provisions that will accompany the roll-out of the directory system.
From Monday onwards social workers, police, schools and health officials will have access to data held on the ContactPoint database. The start of frontline trials, announced in the House of Commons last week by Children's Secretary Ed Balls (Hansard extract below), follows repeated delays in the development of the system.
Since January, important progress has been made. Seventeen early adopter local authorities in the north west of England, along with leading national charities, Barnardo’s and KIDS, now have trained management teams in preparation for practitioners to start to use the system. At the same time, as part of the extensive ContactPoint security arrangements, local authorities have shielded the records of children who are potentially at greater risk if their whereabouts were to become known, to provide an additional layer of security, (for example, if a child is fleeing domestic violence or is under witness protection, or in some cases where children have been adopted). Approximately 52,000 records have now been shielded on ContactPoint.
Building on this work, we will continue to take an incremental and steady approach to delivery. We are now moving ahead with the second phase of delivery. From 18 May, and over a period of several weeks, ContactPoint early adopters will train around 800 practitioners to use ContactPoint. They have been hand-picked to ensure they reflect the broad range of professionals working for children’s services organisations who will use ContactPoint when the directory is fully rolled out. We will carefully monitor the activity of those practitioners considering what further improvements may be required in the light of their experience of using the system.
From June to August, we will train management teams in the other local authorities and national partners. This will allow them to prepare for deployment of ContactPoint more widely in due course.
Throughout this second phase, we will continue to evaluate the experience of early adopters. This will ensure that the deployment of ContactPoint continues to take account of the experience of new users in the next stages of delivery.
Creation of the multi-million pound database - which will hold information on an estimated 11m children in England in a form of online directory - was proposed in the wake of Victoria Climbié's killing by her abusive guardians in 2000. Police, social services and health agencies all noted signs of abuse in the run-up to her death, but each agency acted in isolation.
The database is designed to give social workers, police and hospital with common access to contact details on children and other professionals working with them, so that care professionals can more easily contact each other and exchange information. Case history files will not be housed on the system.
The database will include details such name, address, date of birth, gender, and contact details for parents or carers for each child in England. Contact details for the child’s school, family doctor and other careers working with the child will also be included within the same cross-reference entry.
ContactPoint will cost an estimated £224m to set up, followed by annual running costing of around £44m a year. Contact details on an estimated 52,000 at-risk children will be shielded.
Won't someone think of the malware?
During trials due to begin next week, 800 frontline workers in 17 local authorities' areas (largely in North West England) will be trained in using the system. Officials with two childrens' charities - Barnardo's and KIDS - will also be involved in phase two of the roll-out of the system.
Earlier trials of the system have already uncovered problems. For example, adopted children included on the systems were filed by both their original and adopted surnames, creating a greater risk that these potentially troubled kids might be tracked down, the Daily Telegraph reports/a>.
Security researchers have expressed doubts about ministerial assurances on the security of the proposed ContactPoint child protection database.
Such comforting statements are at best incomplete, according to three experts. Concerns about the security of the database expressed by malware expert Chris Boyd of IM security firm FaceTime and Stuart Okin, UK managing director of security consulting Comsec, follow those first raised by confidential Reg sources in the IT testing community last month. Peter Houppermans, architect of the high-profile GSI project, is similarly unconvinced.
Boyd's concerns focus on the possibility that malware-infected laptops might allow access into the system, which will become an attractive target for hackers. Okin highlights issues over the huge number of professionals who will be authorised to access the system.
Answering questions in the House of Commons last month, Beverley Hughes, minister of state at the Department of Children, Schools and Families, brushed away concerns that the system might be vulnerable to unauthorised access or leaks. As well as saying the systems had been subjected to penetration tests, Hughes also responded to questions about remote access to the system.
Practitioners will be able to access ContactPoint remotely (i.e. from locations other than local authority, health service or national partner organisations premises) only via secure remote access solutions authorised and provided by those organisations and compliant with the ContactPoint security policy. Technical security measures prevent access from unsecured wireless broadband or public locations such as internet cafes and wireless "hotspots".
The minister told the House that even authorised users would be unable to download information obtained from the database, either onto a computer or removable media.
Chris Boyd of FaceTime is sceptical on this.
"How can they stop that?"
"The minister states the data cannot be 'downloaded', but what about Trojans that take pictures of your desktop and send those images back to base? If their security precautions don't account for that then there will be lots of people using infected laptops sending data galore on these children to malicious third parties. Not to mention the issue of simply writing the data down. How can they stop that?"
Boyd added that once the system goes live there'll be no shortage of people willing to have a crack at it.
"Two things will likely happen when the database goes live - the first is that hackers will target it simply for the challenge of accessing such supposedly 'unobtainable' data.
"Secondly, desperate ex-partners (the kind that will happily use so-called 'family keyloggers' to monitor their spouse's actions on a PC) could try to jump on this kind of technology in an effort to grab information regarding their estranged family's whereabouts, perhaps by paying blackhats to do the dirty work for them.
"Based on anecdotal tales from groups who help women abused by partners who use such tech, the husbands tend to have a good grasp of malicious programs, so it's not unreasonable to assume they'll easily find a blackhat who can help them out.
"I doubt the creators of this database have prepared for every attack vector imaginative people will come up with - it's just not possible."
Stuart Okin, UK managing director of security consulting Comsec and a foster parent for four years with knowledge of how the system works, also expressed concerns about how to prevent the leak of sensitive information in both the input and output process.
"As data is going to come from multiple sources and a variety of different systems there will be a temptation to use the lowest common transport method, such as non secure channels (e.g. CDs, unencrypted USB sticks etc.) Every input and output channel needs to be as secure as possible. In addition, data leaving the system will need to be examined. There is little that can be done to prevent a legitimate user screen printing - except to educate them in the need to securely dispose of information."
Some data may be hidden or shielded, for example the address and telephone information for those children who have been subject to physical or sexual abuse. Furthermore the database will not store case information, Okin noted.
Okin added that the sheer number of professionals allowed access to the system will become its greatest security challenge over time. Authorised users will include those working in health, education, youth justice, social care and voluntary organisations.
"Commentators have estimated that around 330,000 users could claim legitimate access to the database (upon Criminal Records Bureau check and training)," Okin told El Reg.
"With this large user base, the problem will not be the hacker or malware attack, but more potentially accidental loss or worse intentional data stealing. In addition, if ContactPoint decides to trust the authentication systems with the current local authority Case Management Systems, then the user population could be even larger and audit trails within ContactPoint would be insufficient to help with preventative abuse."
Layered security controls may limit, while not eliminating, the potential risk; but this may itself have drawbacks, Okin explained.
"The only way to secure a system like this, will be to either dramatically reduce the user population or partition the data and access to it (by role) - both of which could affect the usefulness of the system."
Striking a difficult balance
A difficult balance between useability and security needs to be struck, Okin argued.
"A database of this nature is very sensitive, and even more so in this case as the content concerns children. The security of such a database is critical to ensure the safety of the children's personal data. It needs to be ensured that the proper security controls around such data are in place before deploying this system.
"While it is important to facilitate the quick response and handling of these cases and streamline the processes involved with ensuring their safety, this cannot be done at the expense of their security."
Peter Houppermans, an independent security consultant who designed the UK's government GSI intranet while working for Cable & Wireless, said that contrary to what the minister claims, there are "no real security implications in talking about an overall result" of a penetration test.
"If there are issues I think it is worth mentioning that 'further work is required' in the interest of transparency and the taxpayer knowing if value for money is delivered," Houppermans told El Reg.
Houppermans added that questions remain over the minster's assurance that "remote access is impossible from unsecured broadband and public locations".
"If ContactPoint is not part of the GSI or another closed network I would be concerned that the reality differs from what the minister presently understands to be the case. There is no denial that access can take place over wireless, just that this access would be 'secured'."
Houppermans is doubtful about the insistence that data from the database can't be downloaded.
"That would be a challenge unless every single system having access is subject to the same, stringently enforced rules and security policies (such as USB and CD drive lockdown). Not that it's needed - do they have email? How is that secured? And what about that favourite train deposit format, printed paper?"
Like Okin, Houppermans stressed the importance of security awareness training for ContactPoint users if there's to be any hope that the system will be secure.
Tories ready to 'pull the plug'
Of course, the developing and the worrying, may be in vain, as the Conservatives have promised to scrap the system, if elected.
The Conservatives are interested in both the financial and privacy implications of the proposed database. The Tories are calling for the publication of a government-commissioned security report from Deloitte, an executive summary of which was published by the government back in February. The Conservatives also intend to closely monitor the progress of the project ahead of the next readiness assessment, which is due out in June.
Tim Loughton, Shadow Minister for Children and Young People, commented: 'The expert verdict is clear - ContactPoint will not be safe. The Government needs to publish urgently the full security report so that everyone can know just how insecure the database is. The Government have a terrible track record of keeping our data safe - it needs to pull the plug on this unnecessary and potentially dangerous database."
Critics of the system are united in their belief that security has been designed as an afterthought. The presence of sensitive data with no effective opt-out, and questionable security controls, exercising researchers, opposition and other critics such as the Joseph Rowntree Reform Trust (paper of Database State here).
Many are concerned about how the proposed shielding mechanism will work in practice and whether the functions covered by the database will expand over time, so called mission-creep. Because the database provides a mechanism for registering all children that complements the National Identity Register its evolution and progress has become a political hot potato that New Labour government may find difficult to handle, even if the next phase of its roll-out runs smoothly.
Implementation of the system has already been repeatedly delayed by privacy concerns. Despite the ministry's superficially impressive security policy many privacy issues remain and could yet prove the undoing of ContactPoint, leaving a policy vacuum in how to co-ordinate the actions of care agencies that could prove difficult to plug. ®