ID Database Breached Before It’s Even Begun

The National Identity Register, the database underpinning the government’s continuing plans for ID cards, may not have been instituted yet, but one of the three systems which will comprise its core has already been breached:

Nine local authority workers have been sacked after illegally accessing personal details of the public held on the government’s national identity database.

In total, 34 council workers were found to have illegally accessed the Customer Information System (CIS) database, which is currently earmarked to form part of a linked-up network of three systems constituting the government’s national identity database.

The Identity and Passport Service (IPS) has countered, saying:

“IPS will make the systems supporting the national identity service as secure as possible, building on an excellent track record with the current passport database.

“Our proposals for the development of the national identity service seek to incorporate the use of technology supporting CIS to store biographical information. However, such information would be stored separately from any information held on CIS by the Department for Work and Pensions (DWP) and protected by strict audit and access controls.

“It will be a criminal offence to make any unauthorised disclosure of information and our security arrangements will also be subject to the independent scrutiny of both the information commissioner and a new identity commissioner.”

In order for our very identities to be protected from abuse by the government or simply its employees (and these 34 will be just the tip of the iceberg) we’ll need a government ‘identity commissioner’? How’s about no ID cards (no need/easily forged)? How’s about no National Identity Register? How’s about no National Identity Service? Henry Porter looks at the larger question of database security and how our identities will remain under greater threat because of the ID scheme:

A DWP spokesman suggested that the small number of breaches recorded indicated that unauthorised access by officials was spotted quickly. He did not, of course, acknowledge that these cases came from sample checks generated by the system.

This is absolutely critical. For years Professor Ross Anderson of Cambridge university and NO2ID have been arguing that by their nature large databases will never be free of such abuse. Anderson’s Rule means you cannot construct a database with scale, functionality and security because if you design a large system for ease of access it becomes insecure, while if you make it watertight it becomes impossible to use.

And yet government presses ahead with the grand scheme of linking database together and allowing access to hundreds of thousands of officials

This addiction to databases and the bureaucracies which underpin them is at the heart of most of our problems. Computers and software may make for an efficient way of handling vast amounts of data, but a total reliance on predictability, standardisation and methods of control are destroying the society they’re supposed to be protecting. As a people we resist being overly rational – the system will keep being breached because idiots in the civil service (or contracted out agencies), not to mention organised crime will simply want to. All the ‘identity commisioners’ in the world won’t be able to stop that. To bureaucratise identity itself is to court absolute disaster.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s