EUIST


CyTRAP Labs disaster monitor – 25m child benefit records are lost – a case against large scale ID card systems

November 27th, 2007

In April 2005 we reported in several stories on the problems with fingerprinting, RFID technology, national identity card systems and so on. In fact, we criticised the UK government’s ID card proposal as too risky and lacking the trust of the public, and provided research evidence suggesting that the approach was too insecure to justify the public’s trust in the scheme:

A) Spotlight on Privacy, Security and Identity Cards

Last week’s security blunder by HM Revenue and Customs affects around 25 million people. This massive security breach has left millions of Britons vulnerable to fraud and identity theft, as we reported here:

CyTRAP Labs disaster monitor – 25m child benefit records are lost – 7 questions that must be answered to learn from this disaster

But already in April and May 2005 some privacy advocates were hoping that research being released about the ID Card bill in the UK would result in its stillbirth. The research set out the intellectual and moral foundation for a defensible position AGAINST ID cards. Unfortunately, neither the UK government nor other countries’ governments appear to have dropped electronic identification cards. In fact, the UK will begin issuing these cards to foreign nationals next year and to its own citizens during 2009.

This means that all EU citizens resident in the UK for more than 3 months must get such an ID card. This requirement arguably conflicts with the EU freedom of movement principles and, in particular, with the enacted EU Directive on the Free Movement of Persons, Directive 2004/38/EC. The directive’s Article 27 states that derogations can only be used on a case-by-case basis and not against an entire class of individuals, as these ‘shall not be accepted.’ Hence relying on general claims of public security does not resolve the conflict between the ID card scheme and Article 27. We reported these details a while back here:

B) Spotlight on Privacy, Security and Identity Cards – UK and France – Vive la Difference – RFID YES but

Besides the legal issues that still must be resolved, more damning evidence has been produced about the risks and dangers of such identification schemes. See the table about biometrics and their security problems; links to various research reports and white papers are provided as well.

biometric passports and ID cards – problems all over Europe

Do you really know who updates what on your PC? – how to check – KISS
e-passports cracked 1 – safety is non-existent
e-passports cracked 2 – German, Dutch and UK citizens beware and take care
e-passports cracked 3 – Budapest Declaration raises concerns about e-passports, privacy and citizens’ rights
e-passports cracked 4 – will more biometrics make a difference?
Belgium – RFID technology fails to protect data stored in e-passports
past performance does not suggest that we can trust this technology

Her Majesty’s Revenue and Customs (HMRC) roundly breached procedures in losing the 25 million child benefit records. In fact, a series of errors culminated in two computer discs containing the details of every child benefit recipient going missing, and the saga continues.

For instance, it is interesting that TNT (the courier handling the UK government’s internal mail system) has received proof neither from HMRC nor from the police that these discs ever entered the TNT system, let alone that they were lost by the courier service.

As well, the revelation on 2007-11-24 that more discs went missing on October 30 is drawing more attention to the UK’s efforts regarding the national ID database.

Critics of the controversial ID card scheme say HMRC’s failure to properly manage data is proof the government cannot be trusted with a large volume of highly personal data.

WHAT SHOULD BE DONE TO PROTECT PRIVACY AND AVOID IDENTITY FRAUD

Some important points about the problems with any large scale ID card system are provided by Brian Randell in a paper that was published this July, using the NHS Connecting for Health’s National Programme for IT (NPfIT), and in particular its Care Records Service, as the point of departure. With succinct reasoning, the author shows why using large schemes and databases, as required for national electronic ID cards or biometric passports:

– puts people’s privacy at risk,

– increases the likelihood of a substantial surge in the number of cases of identity fraud compared to today, AND

– makes adequate protection to assure data confidentiality and integrity a nearly insurmountable challenge, owing to the complexity of such huge databases.

Check it out:

Randell, Brian (July 2007). A computer scientist’s reactions to NPfIT. Journal of Information Technology 22, 222–234. doi:10.1057/palgrave.jit.2000106 Article published online

Also of interest

ChoicePoint and other mishaps – chronology of security breaches
