Protect your data

Compulsory ID cards are instruments of evil. They will not make protect you from crime and will not make you safer, unless they end up produced out of bomb proof kevlar and big enough to wear. They serve no purpose for any member of the public but will cost you money. The only conceivable reason why the government is so keen to force the British public into paying for them is to allow the intelligence and security agencies unparalleled access to personal data and activity.

This is actually the only bones to the “make you safer” argument, in that by allowing the Police / Security services access to your ID card data (which would, one assumes, include all the locations where your ID has been checked and what purposes it was checked for) it will increase their ability to find criminals and terrorists. If you have read any of my previous posts you will be well aware that I think this is very, very, wrong. But this is an argument for another day. Today’s ironic turn of events is that even if MI5 have all your data and are watching your every move it wont help – because al-Qaida are actually working for MI5 in the first place.

From today’s Guardian:

A senior Tory MP today called for an investigation into whether MI5 mistakenly recruited al-Qaida sympathisers.

Patrick Mercer, the chairman of the counter-terrorism subcommittee, said six Muslim recruits had been thrown out of the service because of serious concerns over their pasts.

The MP said he was writing to the home secretary, Alan Johnson, to call for an investigation into the matter.

Two of the six men allegedly attended al-Qaida training camps in Pakistan while the others had unexplained gaps of up to three months in their CVs.

The irony here is really not lost on me and points to two issues.

First off, and possibly most importantly, no matter how much vetting takes place BADPEOPLE™ will get into the police or government. This has been the case since the dawn of secrecy. By their very nature spies are people who are able to infiltrate the highest levels of an organisation by appearing trustworthy. Equally, as the police and intelligence/security services well know, agents are people who are currently trusted by an organisation but are vulnerable to being expolited by hostile groups. This is done all the time against “enemies” (criminal or political), and it is even done in the “civilian” business world. I am sure this is stating the obvious but it is important background.

Knowing this, do you think that having all your identity data in one central location is a good idea? For ID cards to work, huge swathes of people need to be able to access the database – which causes errors. The data has to be entered and maintained, which causes errors. These are accidental problems which would be bad enough. Criminals and terrorists have the funding and will to deliberately corrupt the data. The concept of an ID card moves the burden of proof from the government to the “innocent until proven otherwise” citizen. Do you have the resources and will power of an organised crime gang or terrorist group?

If a criminal can compromise one aspect of your ID data that is a BADTHING©™® but you can take steps to rectify it, knowing that it shouldn’t lead to a cascade of ID failures. Stealing your National Insurance number, for example, shouldn’t lead to them getting access to your bank account details or your drivers licence. Crucially, should a criminal use your NI Number – and nothing else –  in the process of a crime (odd but possible) then it is unlikely that you would be the suspect. However, with a central ID card that is not the case.

Now back to MI5 and the other police and security agencies. Given the number of people involved, and recent large scale recruitment campaigns, it is unfathomable that some bad eggs haven’t slipped through the net. In the case of MI5 the pay is so pitiful by London terms that it is equally certain that there are some members of the organisation who would be open to financial corruption – not to mention the ones who could be co-opted in a million different ways. Do you trust them with all your data? Do you trust them to treat you fairly at all times?

Secondly: what sort of crazy world is it where an “unexplained gaps of up to three months” in your CV means you are a terrorist? I hope they never see my CV otherwise its Gitmo for me. Or is it just 3+ month gaps in the CV of people of middle-eastern descent? What is happening?

I’d say the world had gone mad but it seems an understatement. What really worries me is an old saying that keeps going round my head about when everyone else in the world seems mad its probably you…

Blame the Cold War

Yet another “downside” of the thawing tensions between East and West was announced on the BBC today. Sir Edmund Burton was investigating the MOD’s woeful inability to prevent laptops going missing, and one of his conclusions was reported as:

Armed forces recruits from the “Facebook generation” do not take data security seriously enough, a Ministry of Defence security probe has found. (…)
In a highly critical report, he says the MoD had lost its Cold War discipline for data security and there was “little awareness” of its importance among staff. As a result a major security incident had been “inevitable”.

I sort of agree in that such a loss was (and still is) inevitable. However, I am not convinced it is as clear cut as the “facebook” generation or the end of the cold war.

First off, most of these breaches are not made by inexperienced recruits – they are not the sort of person who carries a laptop around with huge amounts of classified material. The people who do this are senior members of staff (even MPs…), I doubt Hazel Blears is part of the “facebook” generation – she simply had material on her machine that shouldn’t have been there and it got stolen. The MOD losses are similar.

Portable IT equipment is a high value target for theives, by its very nature it lends itself to being carted away easily. Of course people will try to steal things like this so any security plan must take that as an assumption and build from there (such as not putting unnecessary data there in the first place…). It is not the cold war’s fault for having the barefaced cheek to end.

The larger “issue” of all this, is despite the poor record, our government is continually trying to record and store more and more data on its citizens. Imagine the security compromise possible when a laptop containing 25,000,000 (not a made up number) people’s ID card details goes missing…

Remind me again why ID cards are good?

ID Cards for your own good…

Well, Orwell is still spinning in his grave. Despite some apparently premature optimism, it seems that ID cards are very much on the government’s agenda. Today’s news headlines have been very much about the “ID Card Rethink [bbc as example]” and how we are all going to end up with one.

This is all despite the House of Lords “setback” and the massive online YouGov poll that showed a significant percentage of the population were against the idea. To me, in addition to the hateful ideas of forced identity documents, the fact the government is able and willing to completely ignore over a million of the electorate’s opinions speaks volumes for how modern democracy works…

In a token gesture to people’s opinions, the government is planning to bring ID card by stealth in a phased manner. I assume the thinking is target the least popular / most vulnerable parts of society then, in a few years everyone will have come round to the idea and we will all carry one. Distasteful is an understatement.

In her speech announcing the new Identity Card plans, the Home Secretary, Jacqui Smith made the following statements:

I start from the premise that the National Identity Scheme is a public good.

Starting from a false premise is never going to lead to anything of value… This is largely, Smith saying the assumption was always we were going to have Identity Cards, like it or not.

As citizens, it will offer us a new, secure and convenient way to protect and prove our identity.

What is new about it? How is it more secure than, say, a passport or driving licence? Equally, how the **** does the existence of an ID card protect your identity?

And it will provide us with the reassurance we need that others who occupy positions of trust in our society are who they say they are as well.

This is odd, and the radio news made a big deal about this. What people who occupy positions of trust don’t already carry a form of ID? Lots of news sources go on about how Airport staff will be early ones to get them – oddly, you already need to have an ID card to get airside at an airport. What will have actually changed? Are the current procedures flawed?

Now, at this point I was going to do a line by line rebuttal of her claims but as they are all insane it will take much too long. Nearly every sentence she utters in her speech contains falsehoods and spin to trick people into thinking ID Cards will solve the worlds problems. They wont.

In an effort to be brief, I will try to address her main points.

Surveillance is everywhereFirstly, ID cards are supposed to be brought in to prevent crime and terrorism. Wow. If having to carry an ID card would prevent someone from being a terrorist, why are there still terrorists in the world? Same with crime. Neither activity will be deterred simply by the existence of a voluntary ID scheme. The best that could possibly be hoped for would be for a compulsory ID card, with fingerprint data, that may enable the police to catch people after a crime(*). In years gone by crazy ideas were often supported with a “wont anyone think of the children” (as parodied by the Simpsons), now we have Prevent Terrorism as the buzzword. If the government want to pass laws people will hate it is always linked to prevention of terrorism. Didn’t anyone watch “In the Name of the Father?”

Secondly they are supposed to prevent Identity Fraud. How this happens is never, ever, mentioned and, frankly, defies even the most cursory examination. Again reading through Ms Smith’s speech is an exercise in logical fallacies, there are more appeals to fear than I care to count. The phrases basically go along the lines of criminals steal identities so get an ID card. This sounds good and there is a half-hearted example of one person who defrauded the state out of £2.5m over five years. Compare this to Northern Rock who have taken over £100billion from the state in as many months. Who is the worse criminal? On a more personal level, ID theft is a terrible thing and I genuinely feel for anyone it happens to. Would the national ID card prevent it? Ninety nine times out of a hundred the answer is no, and in the other one is it a maybe.

CCTV Cameras Cover the CountryFor example, if some one hacks your Ebay account and runs up charges would an ID card have protected you? Same with anything online (where most ID theft apparently takes place) and in the offline world it only works when it interacts with the government. Someone can steal your ID and apply for credit cards, loans etc., and unless the issuing authority has access to the central database there is no way to find out.

This leads to the other problem. The database itself becomes a single point of failure. All a person needs to do is attack that to gain a legitimate, but false, identity. As recent months (and years) have shown, the Government is a largely inept organisation when it comes to protecting the data it holds. The news has covered dozens of “accidents” where huge amounts of personal data have been lost into the public domain. Do you feel safe thinking that a group with this track record will hold the gold standard of data about your identity?

Ms Smith has considered this and some reassurance is given:

Private firms will be encouraged to set-up “biometric enrolment centres” where passport and ID card applicants will be fingerprinted. [BBC news]

WTF! To make matters worse, this personal and private data will be collected by non-accountable organisations who have, by definition, their primary goal of making profit. By Toutatis this is madness. Here we will have the situation where staff on a minimum wage will be responsible for inputting your ID details and making sure no one else can get access to them. People who can be bribed with the price of a pint down the pub. Terrifying.

When Ms Smith talks about how they will protect the data the ID system will store, she manages to confuse me as to how it will work:

 The way in which we are designing the National Identity Register, with separate databases holding personal biographic details physically and technologically separately from biometric fingerprints and photographs, will greatly reduce the risk of unauthorised disclosures of information being used to damaging effect. …(followed by)…  I should make it clear that none of the databases will be online, so it won’t be possible to hack into them. [BBC transcript]

Now call me an old fashioned security professional, but there is a bit here that makes sense. By preventing people from getting access to the data you really do reduce the risk of unauthorised disclosure. However, and this shows more madness, if huge segments of society can’t access the data it is useless. The idea as I see it is that you go into the bank to open an account and show them your ID card. They scan it and compare it to the record of you. If it matches you get account. Seems easy, except now it looks like the bank wont have access and even if they did there is an air gap between the two technologies.

How is it supposed to work?

Lastly (phew, I hear you cry), the introduction by stealth. This shows the government KNOW this is an unpopular idea and it would never get off the ground if they tried to roll it out now. Instead they are going to play on the “white working class fear” of the Evil Immigrants by making them carry ID cards (why not force them to carry a sign round…(**)). What effect this will have is beyond me because if I was an immigrant and challenged by “authority” I would simply say I wasn’t an immigrant. Prove me wrong. Next come the “UK citizens and EU nationals who work in ‘sensitive’ airport jobs” who already carry ID cards and aren’t likely to complain, but again the question is “why?” Finally in 2011 it will be an opt-out option on passport renewals. Passports already have biometric data and are acceptable as proof of ID the world over. Why do we need another form of ID?

That is it in a nutshell, though. Why on Earth do we need another form of ID?

(*) remembering to account for the error bars of partial fingerprint matches when you have a database of 60+ million entries, and hoping the criminals are too stupid to wear gloves…

(**) Hmm. This seems familiar. I wonder why…

“Web 2.0, or just Stasi?”

The title is quoted from the Register, in a post entitled “UK ID card service mounts birth, marriage, death landgrab” (The clue is in the title. )

The UK Identity & Passport Service (IPS) has staged an identity landgrab on birth, marriage and death records. From April 2008 the General Register Office, which is responsible for recording these matters and is currently a directorate of the Office of National Statistics, is to become part of IPS, meaning that IPS will be logging you from the moment you’re born until the moment you die.

Not only is the previously respected General Register office about to disappear into the gaping maw of the Orwellian Identity ministry, but its data will now feed

into the somewhat more chilling notion of of a continually updated life record. So was that Web 2.0, or just Stasi?
Considering the new owners, it’s now pretty clear which it is. (The Register, 11th October 2007)

Today, the Treasury announced its plan for cutting out all “avoidable contact” between the public and government services. Partly this consists of shutting down government websites and merging their information into one uber-website for citizens and one for businesses. It also involves minimising the chances that you might get to speak to a human being in the dole office or tax office. It’s supposed to be based on “customer journey mapping” which is supposed to be so successful in the private sector.

I assume that the government ministers and senior civil servants have other people to do their shopping for them. Otherwise they might know what a “customer journey” is like in the real world. There are few activities more infuriating than trying to get an answer to a nonstandard question from a phone-line that tells you how important your call is. Unless you count a call-centre operator with a preset script and limited understanding of any regional accent. Or a website that throws away all the details you have laboriously typed in after hours of searching through pages that were delivered over the Internet at a speed that would embarrass a partly squashed slug.

What does this whole new world of applying customer service principles mean for the UK citizen then? Well basically, yes, you’ve guessed it, extending their data sharing between departments. More ID.

Making better use of the customer information the public sector already holds. The types of transformation covered by this Agreement will simply not be possible unless the public sector can establish the identity of the customer it is dealing with simply and with certainty, and be able to pass relevant information between different parts of government. (The Treasury paper, 11th October 2007)

Bull.

Page 19 of the Treasury document says

MAKING BETTER USE OF THE CUSTOMER INFORMATION THE PUBLIC SECTOR ALREADY HOLDS
3.34 This is a highly complex challenge which will not be entirely solved within the CSR07 period. The public sector can, however, make progress:
• at a strategic level; with the work being lead by the Home Office (on identity management) and by the Ministry of Justice (on information sharing). …
• at a tactical level by tackling these issues within the context of specific projects, most importantly “Tell Us Once”. ….. In addition to “Tell Us Once” the Government will also sponsor and facilitate other specific projects including the Free School Meals pilot which is already
underway …………

This is all boring stuff. The social consequences of applying mad business models to delivering public services makes your eyes start to droop. I know. I feel just the same.

The writers know that peppering documents with enough empty phrases like “the context of specific projects” and “strategic” and “tactical” and “facilitate pilots” will switch us off. This stops us seeing the content.

The No2ID campaign makes the same point as the Register, mentioning “Stasi files. ”

In your face, bungling amateurs in the Stasi. The UK government can teach you a thing or two.

Another reason to say NO to ID cards

Now, of late, the Guardian Money’s obsession with demonising “buy to let” landlords has been more than a little annoying. However in Saturday’s paper, the Capital Letters section had a bit which was quite interesting. Capital Letters is a sort of consumer rights thing, where people write in following problems with various companies and Tony Levene sorts things out for them. Very interesting reading most of the time.

Basically, this week, some one wrote in saying that HM Customs and Excise (Now properly known as HM Revenue and Customs) was threatening to take them to court over non-payment of taxes. The person was complaining because they did not owe any tax and they were on the PAYE scheme where tax is deducted from wages at source. The unfortunate correspondent had tried to convince HMRC about this but was unsuccessful. Continue reading

National ID database

For this, go to the source and read it. No more secrets by Steve Boggan is a very very disturbing account of how “joined-up government” and national ID documents will mean the end of anything resembling privacy.

The blurb on the printed page says:

“Tony Blair insists his government is not building a Big Brother-style super-database. But all the talk of ‘perfectly sensible’ reforms and ‘transformational government’ masks a chilling assault on our privacy”

Brilliant article. It’s almost too much to take in and it might leave you feeling very depressed. But, really, if you live in the UK, you should read it.

Blairspam

This was going to get ignored but, the BBC having beaten us to it by featuring two Downing Street mass spams in a couple of days, it will have to be said. The government response to e-petitions is to fire off a patronising spam telling you that your concern was noted but Tony is now going to explain patronisingly and irritatingly why you are wrong and the government will pay no attention.

The UK government is experimenting with online petitions. Two had massive numbers of people taking part, to express opposition to road-pricing and/or the national ID card. There were over a million against road pricing and around 800,00 against ID. (You can see where people’s priorities lie…)

Now, clearly the only people who sign one of these are those who care strongly enough an issue to sit at at a PC, find the site, find the right petition and send their name, get an email and reply to it. Which requires knowledge of the whole process, plus the will to go through it. You’d imagine that you could multiply these numbers by at least 50 to get a true idea of the strength of feeling.

It’s like cheap MORI poll for the government. It requires an address and postcode. The government can get plenty of very detailed information about which issues people find important and where they live, which could be very useful in an election campaign.

How sane is then, to reply to everyone with emails that set the teeth on edge? I was shown a copy of the ID mail and it basically said

“Thanks for the e-petition. However, the government is not interested. You obviously don’t understand the issues or you wouldn’t have ventured your opinion. ID will fight crime, let you go to America and will hardly cost you anything. in any case it’s inevitable”

Ok, I admit to some exaggeration in the precis here. But it was way too long and boring to read (Yeah, yeah, people who live in glass houses…)

In fact, yesterdays’ blairspam alerted the Opposition to the fact that the ID was to be used as the basis for a national registry of fingerpints. Funny, you didn’t really mention this before, HM Government.

Today’s news item is the road pricing one. This was worded slightly more cagily – over a million opponents, remember – but the impression I got from the BBC was that the government was saying a slight more appeasing version of exactly the same thing “Tough, it’s inevitable but it will be out of our hands and private companies will run it. Nothing we can do mate”

Here’s my response:
**********************
Hi Tony

I welcome your move into the technological world of email spam, Tony. It’s an exciting new contribution to the democratic process.

However, I’m sorry to have to explain to you that there may be some misunderstanding here about the nature of consultation. This is for your own good and it was inevitable that someone would have to do it.

Consultation is not really achieved by hearing contrary views then telling the electorate that they don’t understand the issues and that process x is inevitable and is for our own good really.

It is actually not inevitable that the government carries detailed ID information on those citizens who aren’t engaged in organised crime deeply enough to escape the system.

It’s not inevitable that intrusive technology takes over from competent policework or that the data that we provide the government is dictated by the requirements of the US immigration service or that we even have to stump up our own cash so Big Brother can keep an even closer track of us(probably private sector) These seem a lot like political decisions, Tony.

I will just take this opportunity to explain what a “political decision” is . I have to admit I’m surprised that this is necessary for someone who’s worked his way to the job of Prime Minister, but that’s one of the drawbacks of our tragically underfunded private education sector….
*******************

And what a lucky coincidence that the announcement about partial troop withdrawal from Iraq (for once, slightly better than normal war news) was leaked on ID Emailspam day and released on the Road-price Emailspam day.