The House of Commons Justice Committee has today released a report into the protection of public data. The report is a good summary of the state of play and, in particular, of developments since the Chancellor announced to Parliament in November last year that HMRC had lost confidential records affecting 25 million UK citizens.

The report recommends a data breach notification law, criminal penalties for data controllers who are responsible for reckless or repeated security breaches and greater powers and resources for the Information Commissioner’s Office. Currently, the Information Commissioner receives roughly £10 million each year to conduct all of his data protection activities.

These recommendations echo those made by the House of Lords Science and Technology Committee in August 2007, recommendations that the Government rejected almost entirely. Perhaps the public outcry following the HMRC data security breach will help Government think again.

Today’s report is explicit about the real risks associated with big databases containing personal data that are open to large numbers of licensed users, and mentions the children’s database ContactPoint, as well as the planned National Identity Register. It also notes further risks associated with obligations to share data with EU member states:

“If data held by the Government is available for inspection outside the jurisdiction, then the importance of restricting the amount of data held, as well as proper policing of who had access to it, takes on even greater importance.”

On Monday next week Kieron Poynter of PricewaterhouseCoopers will publish his report into the failures that led to HM Revenue and Customs (HMRC) losing 25 million confidential records about UK citizens claiming child benefit. The HMRC fiasco, and privacy debacles before and since, demonstrate a public sector culture of complete disregard for the privacy and security of individuals in the UK.

There will be a Ministerial statement about the Poynter Review in the House of Commons on Monday afternoon. If you haven’t already, please write to your MP today and ask her or him to put your concerns to policy-makers during this session. This culture of disregard for personal privacy combined with the Government’s continued belief in the aggregation and sharing of vast amounts of personal data across agencies is a privacy timebomb.

If you’re unsure how to write an effective missive to your MP, then read the ORG wiki’s handy guide. What follow are some key points and requests to put to your MP for you to choose from - click on the links for further ideas and resources.

• How does Government propose to tackle what is clearly a culture of disregard for citizens’ personal and confidential data?
• Why does Government persist in telling the “fairytale of biometrics”
• Shouldn’t Government be ashamed that it has consistently brushed aside the advice of computer security experts?

You could also ask your MP to sign the Early Day Motion proposed by Annette Brooke MP which calls upon the Government to reconsider its decision to proceed with the children’s database ContactPoint.

A culture of disregard

Discgate was not an isolated incident. Seven months before the DVDs went missing, HMRC had already established a practice of recording sensitive data onto DVDs, secured only with a password and dispatched via internal mail. Emails sent back and forth about this debacle, the largest ever data breach to hit the UK, cite cost as the reason given for not filtering personal details out of the data. But how much is your privacy worth to you?

This is not just about the HMRC. The ORG wiki’s log of UK privacy debacles has been struggling to keep up with the public sector bodies who have been queuing up to admit data breaches since the HMRC announcement. The HMRC data breach may be the biggest but it was not the first and it will not be the last.

If you’re MP is wondering why a junior employee was able to download the information to CDs in the first place, then they’re in good company:

“I would question whether anybody should be allowed to download an entire database of this scale without going through the most rigorous pre-authorisation checks.”

“It was a really shocking example of loss of security.”

Information Commissioner Richard Thomas

“How you can have a system which allows you to copy a whole database onto a disk is of concern,”

“Clearly there are issues about when the data was accessed and by whom. They should have had access controls and authorisation levels to make it physically impossible to burn a disc off the database without the say-so of the chairman of HMRC. Why isn’t the technology there to do that? It isn’t rocket science.”

Assistant Information Commissioner Jonathan Bamford

The Information Commissioner described the HMRC breach as “the worst the ICO has encountered” and said it called into question the security of the entire system of data sharing in government. He called for a review of the national identity register, a call which echoes a marked shift in public opinion on ID cards, and a recommendation for more debate about ID cards from thinktank Demos, who concluded a year-long study of data-sharing last week. The Government’s data minister, Michael Wills MP, has said that plans for the national ID register need looking at again. Ask that your MP pressures the government to re-examine the flawed National Identity Register.

On 27 November, children’s Minister Kevin Brennan announced an independent assessment of the security procedures surrounding ContactPoint, to be conducted by Deloitte. An Early Day Motion asking Government to go further, and consider recommendations to scrap the idea, is currently collecting signatures: please encourage your MP to sign.

The fairytale of biometrics

For people in technology, one of the most worrying developments since this crisis has been ministers’ using it as an excuse to push for solutions based around biometrics, solutions that would actually increase the privacy risks we are exposed to. Six leading academics (including two Open Rights Group Advisory Council members) recently wrote to the Parliamentary Joint Committee on Human Rights to express their dismay at how biometrics are seen as a magic fix for improving security:

“These assertions are based on a fairy-tale view of the capabilities of the technology and in addition, only deal with one aspect of the problems that this type of data breach causes. … Furthermore, biometric checks at the time of usage do not of themselves make any difference whatsoever to the possibility of the type of disaster that has just occurred at HMRC. This type of data leakage, which occurs regularly across Government, will continue to occur until there is a radical change in the culture both of system designer and system users. The safety, security and privacy of personal data has to become the primary requirement in the design, implementation, operation and auditing of systems of this kind.”

Professor Ross Anderson, Security Engineering, University of Cambridge
Dr Richard Clayton, University of Cambridge Computer Laboratory
Dr Ian Brown, Oxford Internet Institute, University of Oxford
Dr Brian Gladman, Ministry of Defence and NATO (retired)
Professor Angela Sasse, Department of Computer Science, University College London
Professor Martyn Thomas, CBE FREng, Software Engineering, University of Oxford

These technologies are unproven and will not be ready for commercial deployment for another 15 years. Ask your MP to encourage the Government to listen to the facts on biometrics.

Brushing aside expert advice

Unfortunately, the skills and knowledge necessary for successfully procuring, managing and securing computer systems are not commonly possessed by Government Ministers or senior managers in the civil service. This might not be such a problem, were the Government to listen to the advice that has been readily offered by expert groups during the quest towards Transformational Government, and their warnings about giving thousands of people access to large, centralised databases. But then, why should it, when apparently it doesn’t even listen to warnings from its own internal auditors?

“Again and again and again these warnings have been made in different contexts by expert groups and the Government has not been interested.”

Professor Ross Anderson

We are living in an age where systems dealing with our identity must be designed from the bottom up not to leak information in spite of being breached. Perhaps I should say, “redesigned from the bottom up”, because today’s systems rarely meet the bar. … There is no need to store all of society’s dynamite in one place, and no need to run the risk of the collosal explosion that an error in procedure might produce.

Britain’s HMRC Identity Chernobyl - Kim Cameron (Microsoft’s Chief Architect of Identity)

Ask your MP to encourage the Government to heed the warnings of these and other experts.

Together, we can stop the Government’s privacy timebomb. If you haven’t got time to write to your MP today, please write on the weekend. The more missives MPs receive on Monday morning, the more they will recognise the public mood on this issue, and the more likely they will be to raise their objections in Parliament on Monday afternoon.

Professor Ross Anderson, UK computer security expert and Chair of the Foundation for Information Policy Research, appeared on Newsnight last night, to discuss the HMRC data loss fiasco. He labelled the fiasco “an accident waiting to happen”, and calmly, methodically, indicted the Government for brushing aside the advice of security experts who have been warning them against the centralised, top-down approach they have been taking to electronic government.

I hope Professor Anderson will not object to my transcribing his words in full, and linking to the reports he mentioned and the government responses that have brushed aside expert concerns.

“But if we return to the matter in hand, I’m afraid that there is a policy issue here not an operational issue because the government has repeatedly, over the last few years brushed aside one lot of advice after another about the growing problems of privacy and safety with aggregating more and more data.

We wrote a report for the Information Commissioner in November last year pointing out that the proposed children’s databases were both unsafe and illegal. That was brushed aside.

Lord Broers’ House of Lords Science and Technology Committee reported earlier this year saying that the government needed to get its act together on personal internet security. A large part of that was Treasury responsibility, better regulation of online banking. That was brushed aside.

The Health Committee reported in September saying that people needed a right to opt out of the large central databases of personal medical information that the NHS is collecting. That was brushed aside.

Again and again and again these warnings have been made in different contexts by expert groups and the Government has not been interested.”

Today, the Nuffield Council on Bioethics launched their report on the regulation of the National DNA Database. The authors emphasised balancing ethical values, such as liberty, autonomy and privacy, against the database’s benefits to law-enforcement. The headlines echo our own submission to the review:

• Only people convicted of a crime should be permanently recorded, except those charged with serious violent or sexual offences.

• Police should not be given powers to sample and store DNA, without consent, from people arrested for ‘non-recordable’ offences.

• Those who volunteer their DNA (e.g. witnesses) should be able to request - without providing a reason - the removal of their DNA.

• Unless there is a good reason to preserve it, children’s DNA should be removed from the NDNAD on request.

• Lawyers and juries should be given more help to understand the meaning of DNA evidence.

• Familial searching should not be practiced unless it is necessary and proportionate.

• Ethnic inferences should not be part of routine procedure.

• The NDNAD should have an independent ethics and governance framework.

• The regulation of all forensic databases, including oversight of research and other access requests, should be given statutory basis.

Concerns were expressed at this morning’s launch event that Nuffield’s recommendations do not go far enough. Terri Dowty (ARCH) argued that children must be given the right to exclude their own DNA from the register, rather than depending on their - not always reliable - guardians and the courts to aid in the removal of their genetic make-up. Helen Wallace (Genewatch) argued, in line with the Human Genetics Commission, against costly preservation of samples once the necessary profiles are extracted.

Despite these concerns, implementing these recommendations would significantly improve the current position. The Home Office is currently evaluating the aged statutory foundation of this database (the PACE Review) and is due to pronounce on the issue in December 2007.

This morning, the news media are reporting a startling recommendation by one of the UK’s most senior judges: that the Police National DNA Database (NDNAD) should cover every citizen in the UK, and every person who visits the UK. You can listen to Lord Justice Sedley talking with the Information Commissioner on the BBC’s Today programme here.

Bioinformation can reveal extremely private information about an individual’s family relationships and physical health. As we wrote in our submission to the Nuffield Council of Bioethics consultation on the forensic use of bioinformation, the Open Rights Group opposes the DNA sampling of the entire population, and can see no circumstances under which it should be considered.

However, Lord Justice Sedley’s recommendation does highlight the urgent need to address the regulations governing the NDNAD. Currently, DNA records of innocent people, including thousands of children, are kept indefinitely. There is no clear process for getting your DNA records off the database once you have given them to police, even if you only did so as a witness to a crime. Ethnic minorities and young males are disproportionately represented on the database, which is already the largest of its kind in the world. Lord Justice Sedley is right to call the current state of the NDNAD “indefensible”.

If you want to find out more about the NDNAD, visit Genewatch UK’s excellent information and action page, which has lots of suggestions about how to get your voice heard on this issue, as well as information about how to get your records off the database.

Trustguide reports on our views, beliefs and needs regarding trust, security and privacy in relation to new technologies. We like it very much - It should be required reading for politicians! Over the last 15 months HP and BT, in conjunction with the DTI, hosted workshops across the UK on a broad range of topics (detailed below). The document is full of participant-responses and is a treasure trove of quotes for journalists.

Topics under consideration:

• Trust versus risk
• E-Commerce: Risk and Responsibility
• Factors that impact on risk taking
• Mitigated risk
• ID cards: An aid to security?
• Use of Biometric data
• Privacy and health information
• E-Government and Public Sector IT
• Awareness and education
• Use of public access terminals

Read the rest of this entry >

Yesterday’s Guardian ran the story of the wrongful arrest of David Mery on its front page, a story he’s written up in a lot more detail on his site.

‘LONDON (Reuters): - A London underground train station was evacuated and part of a main east-west line closed in a security alert on Thursday, three weeks after suicide bombers killed 52 people on the transport network, police said. A Transport Police spokeswoman said Southwark station was closed and Jubilee Line services suspended between Waterloo and Canary Wharf in the east London business district.’

This Reuters story was written while the police were detaining me in Southwark tube station and the bomb squad was checking my rucksack. When they were through, the two explosive specialists walked out of the tube station smiling and commenting ‘nice laptop’. The officers offered apologies on behalf of the Metropolitan Police. Then they arrested me.

At first glance, this doesn’t seem like a digital rights story, but a civil liberties story. And up to a point, it is. It’s an absolute disgrace that someone can be arrested in the UK on the basis of having a rucksack, wearing a rain coat, and behaving in an entirely normal way on the London Underground system. It’s imperative that we protest such kneejerk reactions by the police in the strongest possible terms, and that we let our MPs know that we do not accept that this sort of regime is necessary for the safety and welfare of the nation.

But this isn’t an ORG matter, right?

Wrong.

This becomes a digital rights matter because the data collected by the police about David Mery is now sitting in the police database - his DNA, interview recordings, photograph, fingerprints, name, address, and whatever other details they take. Let’s get this straight. David was arrested for no discernible reason, having committed no crime and, in fact, without there having been a crime for him to have been arrested on suspicion of. The charge of ’suspicious behaviour and public nuisance’ is a ludicrous accusation, considering that he was doing what the rest of us do every day: waiting for a train.

David was released without charge, but his data wasn’t. (Neither was some of the stuff that the police took from his flat.)

2005-08-31 Wednesday
09:00 I arrive at police station to surrender to custody as required by bail, and am joined by solicitor five minutes later. We are invited into a small room by a plainclothes police officer a further few minutes later. The officer tells us that it’s ‘NFA’ (no further action), explains that this means that they are dropping the charges, and briefly apologises. The officer (DS) in charge of the case is away from the station so the process of clearing up my case is suspended until he signs the papers cancelling the bail and authorising the release of my possessions. The meeting lasts about five minutes.

I send letters to the Data Protection Registrars of the London Underground, Transport for London (replied on 2005-09-05 that the ‘retention period for recording of stations is fourteen days’), the British Transport Police and the Metropolitan Police. The first three letters ask for any data, including CCTV footage, related to the incident on July 28, while the final one is much more generic asking for any data they have on me. They all have forty days to respond.

2005-09-08 Thursday
I talk to my solicitor about ensuring the Police return all my possessions, give us all the inquiry documents (which they may or may not do) and expunge police records (apparently unlikely to happen).

The solicitor sends a letter to the officer in charge of my case asking him to authorise the release of my possessions and forward us a copy of the custody record, and conveying to him how upset I am.

[...]

Under the current laws the Police are not only entitled to keep my fingerprints and DNA samples, but apparently, according to my solicitor, they are also entitled to hold on to what they gathered during their investigation: notepads of the arresting officers, photographs, interviewing tapes and any other documents they collected and entered in the Police National Computer (PNC).

The police have absolutely no reason to retain any data on David, but I fear that the chances of him being able to get his police records deleted are nil. Other than recording that he was wrongfully arrested, I see no good reason why they should retain his DNA, fingerprints, photographs etc., but reason seems to be increasingly absent from the way that security is handled in this country.

We will be keeping in touch with David to see what happens.