Relying on Identity

Yesterday’s news: Government agency loses sensitive data on 25 million people. Not encrypted. Head of agency resigns. El Reg reports something interesting has popped up on ebay.

Meeja gasp in astonishment: how could they? That’s half the country exposed to identity theft and fraud in a single incident. Shock, horror!

But the reality is that this kind of ‘accident’ is becoming a regular event. OK, 25 million at once is not the norm, but losses of six-figure numbers of such records are being reported every few weeks. The culprits are household names, like banks and government agencies. How many such incidents go unreported is unknown. Nor do we know whether this is anything new: what has changed recently is that such losses suddenly became sensitive.

Furthermore, a lot of personal information can be obtained legitimately and cheaply. There are companies who make a business of tracing holders of assets. I’ve recently been contacted by one such about some bonus-shares from one of the Thatcher privatisations, and registered to me at an address I’ve had no connection with since about 1990. My shares are apparently worth about £200, and their finders fee – if I choose to use their service – would be about £20. The fact they can run a business based on that kind of thing demonstrates just how easy it is to trace people!

Conclusion: this is something we’re going to have to live with.

So, how do we live with it? Indeed, why is it a problem in the first place? The idea that we should carefully guard our own personal information is new to those of us with nothing to hide: for example, it’s not so long ago I published my home address on my homepage on the ‘net. Some countries have different attitudes to privacy, and consider some of the information we jealously guard to be public.

The basic problem, as we hear it reported, is one of fraud:

Ring, Ring.

“Hello, this is Gordon Brown, of 10, Downing Street, SW1. I’d like a £50K loan for a flashy new car.”

“Yes Mr Brown. Your credit rating says that’ll be fine. We’ll need you to answer a couple of personal questions so we know it’s really you. What is your mother’s maiden name?”

[… cut …]

“OK, that’s all in order. When do you need the money?”

“Immediately, please. And since I’m away from home until the end of next week, can you send it to me c/o the Mended Drum, Ankh Morpork?”

“Yes sir, that will be fine.”

Apparently that kind of thing really does happen. Enumerating the problems with it is left as an exercise for the reader.

It seems to me that the fundamental problem is not really who has access to information, but rather why do we allow basic, widely available or low-security information to be so profitable? It all smells of the race to the bottom, wherein companies put generating new business and market share above the quality, and in this case security, of that business.

The exception to that is tokens such as passwords and PIN numbers, and how to use strong ones, use them securely, remember them, and not re-use the same tokens for multiple different purposes. Public-key technology can indeed solve that (and without the need for a massive central identity database), but that’s another topic.

Posted on November 21, 2007, in identity, identity theft, rants, uk. Bookmark the permalink. 2 Comments.

  1. Nice article Nick. It’s the first sensible thing I’ve heard on the subject. Given the ease with which data can be stored, copied and transferred these days, this sort of thing will happen. Humans are always the weakest part of any system, but life would be rather boring without them!

    You’re right to acknowledge that big data security mishaps happen in the private sector too. There’s been a lot of “incompetent civil servant” bashing over this, but having been on both sides of the fence, I’ve seen some pretty stupid things done in private sector land as well.

  1. Pingback: Missing HMRC CDs « niq’s soapbox

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: