Misguided Security Managers

In the July / August edition of Infosecurity Magazine, there is a fairly interesting article on security matters, and differences, in the public and private sectors. I can't find this article online so you will have to trust me.

There is a quote in the article, from an “anonymous” security manager which sadly echoes comments I have heard right across the public sector, when public servants discuss the need to protect public privacy:

One senior manager at a local council – who asked not to be named – told infosecurity that he would rather be brought before the courts for an information security charge than because a child or other vulnerable person has been harmed as a result of data not being shared.

(Here, I get visions of Reverend Lovejoy’s wife crying out “won't anyone think of the children”)

In the article this is presented as a dilemma public sector information security professionals face on a regular basis. My experience of said individuals supports this. It is very tabloid friendly. It is also complete nonsense that infuriates me to the point of wanting to choke the life out of the idiots who say it. (note for any future court action – this is purely imaginary, I am not really planning to kill anyone now or in the future)

There are so many things wrong with this it is hard to know where to start.

This person is paid to be a security manager. They are not a child protection professional. They are there to manage the security of the information that the public have entrusted to the council. Nothing else. If their job description means they have to ensure that vulnerable persons are safe in their homes, then I suspect there is something seriously wrong going on.

As a public servant, this “senior manager” is paid by the public, who you would rightly assume should have some expectation of his behaviour. Unless we’ve moved into some weird world where the vulnerable pay more for their services he has no right to unilaterally assume what laws he will follow and what laws he will break. He has no right or authority to compromise my privacy and personal data because he thinks that doing so 100,000 times might save one vulnerable person.

Equally this “manager” (sneer quotes intended) has no way of knowing if he is placing the safety of vulnerable people in further danger. Privacy laws and restrictions on how your personal data can be handled are there to protect everyone. Yes this includes criminals but it also includes vulnerable people. If this senior manager feels sending a copy of the addresses of everyone “at risk” to an agency across town would be helpful sharing of their data, what would he do if it got lost? What is his defence if his information security failures allow a predator to get the details of the vulnerable people he seeks to protect?

Equally importantly, what about those who only become vulnerable because of his lackadaisical attitude? This idea that passing private information and personal data is inherently a GOODTHING™© is insane. An otherwise fine person who has their home address details passed into the hands of a criminal becomes a vulnerable person. They have, through no fault of their own, become open to a vastly different threat – one they may not be prepared for. Is this acceptable behaviour for public servants? Imagine a serial rapist who gets hold of modified electoral roll data indicating addresses (and telephone numbers) of every house in the area where a single female lives. Would you be happy with the response that he would rather be in court over an Infosec case?

I suspect the real problem is that privacy and information security statutes don’t have enough teeth. If this senior manager was facing 20 years in jail for an infosec compromise, I am sure he would think differently. As it stands, nothing he does will get him properly punished in a court of law, so he must be talking about the court of public opinion. This is, sadly, so seriously misled by the tabloids that it is easy to see he would be hounded to the brink of suicide if it turned out he had withheld data that might have possibly prevented the death of a child. In a similar manner, if it turned out he had lost a disk containing the personal details of 250,000 people it would get, maybe, a few column inches.

To an extent this is our fault. We want easy-to-digest news. We ignore the mights and possibilities in the first instance, so we can get to the meat of saving the child. In the second case, it's too technical, too distant and probably doesn’t affect “us”, so we don’t really care about it. We, the public, are stupid.

More MOD data goes AWOL

This week’s data-loss story is a Ministry of Defence hard drive that’s gone AWOL. Another example of the UK government’s seemingly bottomless commitment to freeing up access to its data, by distributing it at random around the globe.

Ministry of Defence, that was.

An investigation is under way into the disappearance of a computer hard drive which could contain the details of about 100,000 Armed Forces personnel.

And when it says detail, it means unencrypted detail:

There may also be some personal information including bank and driving licence details, passport numbers, addresses, dates of birth and telephone numbers.

Of serving members of the Armed Forces. Does information get much more personal? It’s not as if that sort of data would be any use to enemies in the ongoing TWAT. (*heavy sarcasm*)

How much confidence does that inspire in the security of the information they’ll have on us mere civilians, when the ID-card scheme includes us all? (*Rhetorical question*)

A commenter said in the Independent

The MoD didn’t lose this data, EDS did. Nobody cares about data that isn’t their own. If this data had been handled in house and the work not outsourced it wouldn't have been lost.

EDS is the MOD’s main IT contractor. Here’s their web page.

… as an HP business group, EDS delivers one of the industry’s broadest portfolios of information technology and business process outsourcing services to customers in the manufacturing, financial services, healthcare, communications, energy, transportation, and consumer and retail industries, and to governments around the world.

The About us page has US contact numbers. It seems to have been written by someone from a Dilbert cartoon. Everything they do is “innovative” and their

high-quality, cost-competitive services are provided from the optimal mix of onshore, nearshore and offshore locations.

This determinedly shore-heavy focus may refer to their “related companies” (part-owned companies), which include companies based in the UAE, India (workforce: 28,000+), the USA and other unspecified locations. One provides “Benefits, Payroll and other HR Administration services to more than 34 million active and retired employees from its client organizations.”

On 8 September 2008, prison officers were disturbed about EDS’s loss of their personal data, to the point of threatening a strike.

At that time, Computer Weekly pointed out that EDS already had something of a track record in the data-loss area. The Burton Review Report, published in April 2008, looked into an earlier loss of MOD personnel data, in which EDS were involved.

One of the themes emerging from the Strategy for Transformational Government (2005) was the increased emphasis on sharing services, particularly in information and infrastructure. The Armed Forces have been early pioneers of this approach, through a range of Private Finance Initiative (PFI) and Public Private Partnership (PPP) contracts. (from page 4, Burton Report)

Hmm. No need to look further for the culprit, methinks: the whole process for giving out PFI and PPP contracts.

You might assume that the UK must be desperately short of cash, if it’s prepared to hand over its most crucial information to any company that offers to undercut government employees, while providing a better service and still making a profit. (Well, it must sound convincing to UK governments.) But it seems that the UK government has a bottomless pit of money for bailing out banks, so shortage of cash can’t be the reason.

If you are interested in looking up the track record of other private companies that keep public data, datalossdb.org could fill in an obsessive hour. Type the name of your chosen PFI company and see what turns up.

Don’t make me keep saying this

It’s rare to find good sense in an editorial in the Daily/Sunday Telegraph, but here goes. The Sunday Telegraph investigated how often local councils used the surveillance powers in RIPA (Regulation of Investigatory Powers Act).

As you might guess, they got back a wide list of uses such as spying on noisy children that were never suggested to MPs as likely outcomes of their voting for a supposed anti-terrorism law, a few years ago.

Car boot sales, pizza shops open late, underage kids buying cigarettes and alcohol, fly-tipping, the list of threats to the fabric of British society goes on and on.

Littering and the unauthorised selling of pizzas can be irritating, as can dog fouling and car boot sales (two other activities which RIPA has been used to clamp down on). But no sane person thinks they pose the same threat to public safety as terrorism, or require the same response. (From the Telegraph)

Phew, what a relief. The slightly more ideologically acceptable Observer has an article making some related points on the expansion of policing powers into the realm of non-police bodies. It focuses on the story of the family who put up lamppost notices about their lost dog and were threatened with an “£80 on-the-spot fine for antisocial behaviour.”

Keith Porter says:

As the police retreat from the streets, we are prey to every type of snoop, informant, busybody and vindictive martinet, all of them licensed by the government’s accreditation scheme so that they may demand our names and addresses, photograph us, check car tax discs and seize alcohol, issue fines for truancy, rowdiness, graffiti and dog fouling…
…Even police officers have doubts about the blurring of lines between uniformed officers of the law, whom we know to have received standard training, and these upstarts and busybodies wearing red-and-white prefect’s badges. (from the Observer)

I blame teh skoolz

On the Radio 1 news today there was a snippet (I am not going to look it up but it will be on the BBC website) about some truly stupid youngsters. Apparently, Police in Scotland have become the first in the UK to target people who admit to crimes on social networking sites such as Bebo and Facebook. (*)

Now, for me, I think this is a good idea. If people (mostly “yoofs” according to the news) are stupid enough to commit a crime and then boast about it online they need to be taken out of the gene pool urgently. One of the young lads interviewed had apparently put up pictures of himself in a balaclava carrying a knife. Why he went to these lengths to remain anonymous, then outed himself online is beyond me.

The most frustrating part, and a good example of how taking away the “classical” education has failed children was a young retard complaining about the police scouring social networking sites to find offenders. He actually had the gall to say it was an invasion of his privacy for the police to look over his Bebo page to find out what crimes he has committed. Flabbergasting.

For me, it weakens the real destruction of our privacy when people think things like this are an invasion of privacy. It is like putting a full page advert in a newspaper and then complaining that people reading it are invading your privacy. Idiocy reigns.

* Oddly I can't find this on the real BBC news so I may have dreamed it – but I hope not as I was driving at the time…

01706713200 – BMS – Still Scum

Almost a week ago, I mentioned the problems I have been having with BMS and how they keep phoning me every day from 01706713200. In a nutshell, Bury Marketing Sales (BMS) operate a call centre which basically tries to wear down customers of 3 (telephone provider) until they take up the “Offers.”

Reading round various websites (Google helps), it seemed that the call centre staff had a tendency to be talkative, which was something I had never experienced. Every single time I answered the phone, all I heard was silence (with call centre background chat) and every time I missed the call, they left me a voice mail which was also about 10 – 20 seconds of silence. I found it quite strange.

On Monday, I had my daily call from 01706713200. I wasn’t too busy, so I answered it. Instead of saying “hello” though, I just accepted the call and waited for about five seconds. Instead of the normal silence, a call centre operator started talking and trying to sell me a new contract. Even when I pointed out my contract was pretty new and had 12 months left to run, he didn’t care. He basically wanted me to take out a second contract with them – when I said it made no sense to have two contracts on one phone with one sim card, he started talking about how different calls would be “routed automatically.” In the end, I tried to be as politely firm as possible but said no thanks. He finished with a “we will call you back to see if you’ve changed your mind.” Blimey.

They certainly kept to their word on this. I now get three or four calls a day. Normally about every two hours between 10am and 3pm. This time it is back to the silent treatment. When I answer there is no one there and when I don’t answer I get silent voice mails. It is like having my own pet stalker (without the fear).

Anyway, on the off chance that there is someone reading this who is in any way related to marketing or sales: This is NOT the way to do it. At the moment, even if they were offering me the best deal in the world I would turn them down. It has soured my opinion of 3 (who have apparently sold my details to BMS despite me explicitly saying “no” on the forms) beyond repair and there is no way I will renew my 3 contract when it runs out in two months. (I lied about the 12 months).

For those who are interested (and we get a lot of traffic here on this subject), the registered details of BMS (with Companies House) are:

Bury Marketing and Sales Ltd
47 Sefton Street
Bury
LANCASHIRE BL9 6PR
Company No. 05802107

Their contact emails are (sales) sales@bmsltd.org and (Customer Services) info@bmsltd.org – feel free to sell these addresses on…

If you are feeling aggrieved by their behaviour, you can also fax them on 0845 299 1672, but as this is not a free (or cheap rate) number, I would advise against my initial idea of faxing them mountains of crap.

I have read a few places online where people are suggesting legal action against either BMS (harassment) or 3 (breach of contract), so if you are trying either of these I would love to hear how you get on.


Social scrutiny dept

Great concept, with some really funny pages on the Department of Social Scrutiny, with such gems as the ID Application Forms pages. You can click on each form to get the full detail.

Just go there. Don’t make me quote whole pages from it, please.

Privacy statement zzzzz

The very words “privacy statement” have a hypnotic effect. You see them, click “Yes, OK, I’ve read it” to get to the next bit… There may be some inbuilt mental process that protects the brain from damage by shutting it off in the presence of the small print on things like loan agreements, the introductory bits of software and so on.

I happen to have read one by accident trying to find out if there was a (potentially illusory) Microsoft product named WI. Googling just took me to the Wisconsin Microsoft Developer’s network, which wouldn’t let me go any further without agreeing to the privacy statement.

Props to Microsoft here, because you can actually read the provisions – indeed you would have to if you decide to go through the gateway. Not having any reason to join the Wisconsin Developer Network – apart from sheer nosiness and apparently a temporary failure of my low boredom threshold – I obviously didn't.

However, the contents come as a bit of a shock. Here’s an extract:

Collection of your Personal Information
WI Microsoft Technical Community collects personally identifiable information, such as your e-mail address, name, home or work address or telephone number. WI Microsoft Technical Community also collects anonymous demographic information, which is not unique to you, such as your ZIP code, age, gender, preferences, interests and favorites.
There is also information about your computer hardware and software that is automatically collected by WI Microsoft Technical Community. This information can include: your IP address, browser type, domain names, access times and referring Web site addresses. …

So, to join that particular developer community you just hand over information so far beyond the expected IP and referrer as to be on another level.

You might think “so what”? I hope the BBC article about the private detective agency crackers gives you a little pause.

In which case it may be a good idea to read the privacy statements now and again. ZZZZZZ ZZZZZ