Misguided Security Managers

In the July / August edition of Infosecurity Magazine, there is a fairly interesting article on security matters, and differences, in the public and private sectors. I can't find this article online so you will have to trust me.

There is a quote in the article, from an “anonymous” security manager which sadly echoes comments I have heard right across the public sector, when public servants discuss the need to protect public privacy:

One senior manager at a local council – who asked not to be named – told Infosecurity that he would rather be brought before the courts for an information security charge, than because a child or other vulnerable person has been harmed as a result of data not being shared.

(Here, I get visions of Reverend Lovejoy’s wife crying out “won't anyone think of the children”)

In the article this is presented as a dilemma public sector information security professionals face on a regular basis. My experience of said individuals supports this. It is very tabloid friendly. It is also complete nonsense that infuriates me to the point of wanting to choke the life out of the idiots who say it. (Note for any future court action – this is purely imaginary, I am not really planning to kill anyone now or in the future.)

There are so many things wrong with this it is hard to know where to start.

This person is paid to be a security manager. They are not a child protection professional. They are there to manage the security of the information that the public have entrusted to the council. Nothing else. If their job description means they have to ensure that vulnerable persons are safe in their homes, then I suspect there is something seriously wrong going on.

As a public servant, this “senior manager” is paid by the public, who you would rightly assume should have some expectation of his behaviour. Unless we’ve moved into some weird world where the vulnerable pay more for their services he has no right to unilaterally assume what laws he will follow and what laws he will break. He has no right or authority to compromise my privacy and personal data because he thinks that doing so 100,000 times might save one vulnerable person.

Equally this “manager” (sneer quotes intended) has no way of knowing if he is placing the safety of vulnerable people in further danger. Privacy laws and restrictions on how your personal data can be handled are there to protect everyone. Yes this includes criminals but it also includes vulnerable people. If this senior manager feels sending a copy of the addresses of everyone “at risk” to an agency across town would be helpful sharing of their data, what would he do if it got lost? What is his defence if his information security failures allow a predator to get the details of the vulnerable people he seeks to protect?

Equally importantly, what about those who only become vulnerable because of his lackadaisical attitude? This idea that passing private information and personal data is inherently a GOODTHING™© is insane. An otherwise fine person who has their home address details passed into the hands of a criminal becomes a vulnerable person. They have, through no fault of their own, become open to a vastly different threat – one they may not be prepared for. Is this acceptable behaviour for public servants? Imagine a serial rapist who gets hold of modified electoral roll data indicating addresses (and telephone numbers) of every house in the area where a single female lives. Would you be happy with the response that he would rather be in court over an Infosec case?

I suspect the real problem is that privacy and information security statutes don’t have enough teeth. If this senior manager was facing 20 years in jail for an infosec compromise, I am sure he would think differently. As it stands, nothing he does will get him properly punished in a court of law, so he must be talking about the court of public opinion. This is, sadly, so seriously misled by the tabloids that it is easy to see he would be hounded to the brink of suicide if it turned out he had withheld data that might have possibly prevented the death of a child. In a similar manner, if it turned out he had lost a disk containing the personal details of 250,000 people it would get, maybe, a few column inches.

To an extent this is our fault. We want easy to digest news. We ignore the mights and possibilities in the first instance, so we can get to the meat of saving the child. In the second case, it's too technical, too distant and probably doesn’t affect “us” so we don’t really care about it. We, the public, are stupid.

Bad science of the day – minority report

There’s a new contender for the Holy Grail object: The Magic Machine that Can Tell Truth from Lies.

On the face of it, this one seems even more useless than the old-style polygraph. It can be beaten by the simple expedient of “answeringquicklywithouthesitation”.

The Times reported that psychologist Aiden Gregg has developed:

A new lie detector test shows that it takes on average 30% longer to tell a fib than to be honest.

That sounds an impressive test for truth – objective, quantifiable, replicable, easy to measure, and so on.

Gregg said he built the test because he suspected that criminals were finding increasing ways to hide their dishonesty. …
… The psychologist warned that existing lie detectors such as polygraphs – which monitor physiological changes such as blood pressure and body temperature – implicate too many innocent people. (from the Times)

Government funding for security is so reliable in these cash-strapped times for universities. So, in one way, it’s a great idea, from an academic’s perspective.

But I can’t see anything in this report that backs up its claims as a Holy Grail Machine.

The experiments were done in an environment which was not pressured. Completely unlike a real-world instance, subjects would have no reason to be anxious about telling either lies or truth. However, thinking up experimental “lies” would mean subjects had to take more time than they took to tell non-lies.

If you were an innocent suspect sitting in front of one of these machines, for real, you would be worried about your answers. You might hesitate before saying anything, as you pondered possible implications. On the other hand, if you were guilty but had practised a good story, you could just reel it out. Quickly.

This machine might work for finding out which of a group of scared twelve-year-olds had graffitied the bus stop. (Although elementary, normal investigation skills would surely achieve that more time-effectively and actually produce valid evidence.)

Practised liars are convincing. They can smile and wail and even sob convincingly, witness Karen Matthews’ performances. The time-delay counting machine would never have uncovered what was true or false in what she said. Any innocent mother, in the position that Karen Matthews pretended to be, would not answer normally. She would fail the test, while the sort of person who could lie about such an event to their closest family and friends would probably come across as being truthful.

Flawed as this whole lie-detector machine concept is, you can pretty well guarantee that politicians will NOT welcome it unless they are confident that they can beat it easily.

So, if it does get the government go-ahead after its trials, you can at least be confident that it doesn’t work at all.

I blame teh skoolz

On the Radio 1 news today there was a snippet (I am not going to look it up but it will be on the BBC website) about some truly stupid youngsters. Apparently, Police in Scotland have become the first in the UK to target people who admit to crimes on social networking sites such as Bebo and Facebook. (*)

Now, for me, I think this is a good idea. If people (mostly “yoofs” according to the news) are stupid enough to commit a crime and then boast about it online they need to be taken out of the gene pool urgently. One of the young lads interviewed had apparently put up pictures of himself in a balaclava carrying a knife. Why he went to these lengths to remain anonymous, then outed himself online is beyond me.

The most frustrating part, and a good example of how taking away the “classical” education has failed children was a young retard complaining about the police scouring social networking sites to find offenders. He actually had the gall to say it was an invasion of his privacy for the police to look over his Bebo page to find out what crimes he has committed. Flabbergasting.

For me, it weakens the real destruction of our privacy when people think things like this are an invasion of privacy. It is like putting a full page advert in a newspaper and then complaining that people reading it are invading your privacy. Idiocy reigns.

* Oddly I can't find this on the real BBC news so I may have dreamed it – but I hope not as I was driving at the time…

Another reason to say NO to ID cards

Now, of late, the Guardian Money’s obsession with demonising “buy to let” landlords has been more than a little annoying. However in Saturday’s paper, the Capital Letters section had a bit which was quite interesting. Capital Letters is a sort of consumer rights thing, where people write in following problems with various companies and Tony Levene sorts things out for them. Very interesting reading most of the time.

Basically, this week, someone wrote in saying that HM Customs and Excise (now properly known as HM Revenue and Customs) was threatening to take them to court over non-payment of taxes. The person was complaining because they did not owe any tax and they were on the PAYE scheme where tax is deducted from wages at source. The unfortunate correspondent had tried to convince HMRC about this but was unsuccessful.

Juking the stats

The Wire (official “best tv series ever”) shows how the need to mess about with statistics distorts the nature of policing. It’s called something impenetrable like “juking the stats” (duking? jooking? dooking? On the basis of a brief Googling, I went with juking as it seems to mean “being deceptive”.)

The drive to constantly improve crime figures – numbers of crimes and clear-up rates – leads to several wrong-headed initiatives, such as harassing large numbers of people for petty misdemeanours in pointless swoops and attempting to ignore the existence of large numbers of bodies left by Stansfield’s crew.

As in art, so in life, to add yet another cliché to the “crimes against cliché use” tally in this blog’s statistics. British police are now protesting about the distortions created by the drive to improve statistics.