Britain's HMRC Identity Chernobyl

The recent British Identity Chernobyl demands our close examination.

Consider:

  • the size of the breach – loss of one person's identity information is cause for concern, but HMRC lost the information on 25 million people (7.5 million families)
  • the actual information “lost” – unencrypted records containing not only personal but also banking and national insurance details (a three-for-one…)
  • the narrative – every British family with a child under sixteen years of age made vulnerable to fraud and identity theft

According to Bloomberg News,

Political analysts said the data loss, which prompted the resignation of the head of the tax authority, could badly damage the government.

“I think it’s just a colossal error that I think could really rebound on the government’s popularity”, said Lancaster University politics Professor David Denver.

“What people think about governments these days is not so much about ideology, but about competence, and here we have truly massive incompetence.”

Even British Chancellor Alistair Darling said,

“Of course it shakes confidence, because you have a situation where millions of people give you information and expect it to be protected.”

Systemic Failure

Meanwhile, in parliament, Prime Minister Gordon Brown explained that security measures had been breached when the information was downloaded and sent by courier to the National Audit Office, although there had been no “systemic failure”.

This is really the crux of the matter. Because, from a technology point of view, the failure was systemic. 

We are living in an age where systems dealing with our identity must be designed from the bottom up not to leak information in spite of being breached.  Perhaps I should say, “redesigned from the bottom up”, because today's systems rarely meet the bar.  It's not that data protection wasn't considered when devising them.  It is simply that the profound risks were not yet evident, and guaranteeing protection was not seen to be as fundamental as meeting other design goals – like making sure the transactions balanced or abusers were caught.

Isn't it incredible that “a junior official” could simply “download” detailed personal and financial information on 25 million people?  Why would a system be designed this way? 

To me this is the equivalent of assembling a vast pile of dynamite in the middle of a city on the assumption that excellent procedures would therefore be put in place, so no one would ever set it off.  

There is no need to store all of society's dynamite in one place, and no need to run the risk of the colossal explosion that an error in procedure might produce.

Similarly, the information that is the subject of HMRC's identity catastrophe should have been partitioned – broken up both in terms of the number of records and the information components.

In addition, it should have been encrypted – even rights protected from beginning to end.  And no official (a.k.a. insider) should ever have been able to get at enough of it that a significant breach could occur.
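To make the partitioning and least-privilege point concrete, here is an added example of mine – not HMRC's system and not code from this post – of a record store in which the population is sharded, every export is bound to a declared purpose that fixes the fields it may contain, and each principal has both a per-request cap and a cumulative volume budget.  There is deliberately no call that hands back a whole shard, let alone the whole store.  The purposes, field lists, caps, principal name and sample records are all assumptions; encryption at rest, which belongs underneath this layer, is not shown.

```python
"""Partitioned, purpose-bound export of personal records.

Constructed illustration (not HMRC's system): the population is sharded,
each export is tied to a declared purpose that fixes the permitted fields,
and a per-principal volume budget bounds what one insider can ever pull.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List

# Assumed policy table: purpose -> the only fields that purpose may receive.
PURPOSE_FIELDS: Dict[str, FrozenSet[str]] = {
    "audit_sample": frozenset({"record_id", "benefit_amount"}),
    "payment_run": frozenset({"record_id", "sort_code", "account_no", "benefit_amount"}),
}


class ExportRefused(Exception):
    """Raised, and logged, whenever a request breaches policy."""


@dataclass(frozen=True)
class ExportPolicy:
    partitions: int         # number of shards the population is split into
    max_per_request: int    # records a single export may name
    max_per_principal: int  # cumulative records one principal may ever request


def partition_of(record_id: str, partitions: int) -> int:
    """Stable shard assignment by hashing the record id."""
    digest = hashlib.sha256(record_id.encode()).digest()
    return int.from_bytes(digest[:8], "big") % partitions


@dataclass
class PartitionedStore:
    policy: ExportPolicy
    grants: Dict[str, FrozenSet[int]]   # principal -> shards they may read
    shards: Dict[int, Dict[str, dict]] = field(default_factory=dict)
    issued: Dict[str, int] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def load(self, records: Iterable[dict]) -> None:
        for rec in records:
            shard = partition_of(rec["record_id"], self.policy.partitions)
            self.shards.setdefault(shard, {})[rec["record_id"]] = rec

    def export(self, principal: str, purpose: str, record_ids: Iterable[str]) -> List[dict]:
        """Return only the purpose's fields for the named records, or refuse.
        Callers must enumerate ids; every id named is charged to their budget."""
        ids = list(dict.fromkeys(record_ids))          # de-duplicate, keep order
        if purpose not in PURPOSE_FIELDS:
            self._refuse(principal, purpose, "unknown purpose")
        if len(ids) > self.policy.max_per_request:
            self._refuse(principal, purpose, f"{len(ids)} ids exceeds per-request cap")
        used = self.issued.get(principal, 0)
        if used + len(ids) > self.policy.max_per_principal:
            self._refuse(principal, purpose, "cumulative volume budget exhausted")
        allowed = self.grants.get(principal, frozenset())
        for rid in ids:
            if partition_of(rid, self.policy.partitions) not in allowed:
                self._refuse(principal, purpose, f"no grant for shard holding {rid}")
        self.issued[principal] = used + len(ids)        # charged even for misses
        wanted = PURPOSE_FIELDS[purpose]
        rows = []
        for rid in ids:
            rec = self.shards.get(partition_of(rid, self.policy.partitions), {}).get(rid)
            if rec is not None:
                rows.append({k: v for k, v in rec.items() if k in wanted})
        self.audit_log.append(f"OK {principal} purpose={purpose} records={len(rows)}")
        return rows

    def _refuse(self, principal: str, purpose: str, why: str) -> None:
        self.audit_log.append(f"REFUSED {principal} purpose={purpose}: {why}")
        raise ExportRefused(why)


# Constructed sample population; no real people, NI numbers or accounts.
SAMPLE_RECORDS = [
    {"record_id": f"CB{i:05d}", "name": f"Family {i}", "ni_number": f"QQ{i:06d}C",
     "sort_code": "00-00-00", "account_no": f"{10000000 + i}", "benefit_amount": 1000 + i}
    for i in range(40)
]


def demo() -> List[str]:
    """A 'junior official' holding one shard can take a bounded audit sample
    and nothing more; every refusal lands in the audit log."""
    policy = ExportPolicy(partitions=4, max_per_request=8, max_per_principal=8)
    home = partition_of("CB00000", policy.partitions)
    store = PartitionedStore(policy, grants={"junior": frozenset({home})})
    store.load(SAMPLE_RECORDS)
    home_ids = sorted(store.shards[home])
    store.export("junior", "audit_sample", home_ids[:5])       # permitted; fields projected
    for attempt in ([f"X{i}" for i in range(9)],               # too many in one go
                    [f"X{i}" for i in range(8)]):              # blows the lifetime budget
        try:
            store.export("junior", "payment_run", attempt)
        except ExportRefused:
            pass
    return store.audit_log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of the checks matters: purpose and size are rejected before anything is charged, the budget is debited for every id named whether or not it exists (so probing does not come free), and bank details never leave the store under a purpose that does not need them.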

Gordon Brown, like other political leaders, deserves technical advisors savvy enough to explain the advantages of adopting new approaches to these problems.  Information technology is important enough to the lives of citizens that political leaders really ought to understand the implications of different technology strategies.  Governments need CTOs that are responsible for national technical systems in much the same ways that chancellors and the like are responsible for finances.

Rather than being advised to apologize for systems that are fundamentally flawed, leaders should be advised to inform the population that the government has inherited antiquated systems that are not up to the privacy requirements of the digital age, and put in place solutions based on breach-resistance and privacy-enhancing technologies. 

The British information commissioner, Richard Thomas, is conducting a broad inquiry on government data privacy.  He is quoted by the Guardian as saying he was demanding more powers to enter government offices without warning for spot-checks.

He said he wanted new criminal penalties for reckless disregard of procedures. He also disclosed that only last week he had sought assurances from the Home Office on limiting information to be stored on ID cards.

“This could not be more serious and has to be a serious wake-up call to the whole of government. We have been warning about these dangers for more than a year.”

I have never understood why any politician in his (or her) right mind wouldn't want to be on the privacy-enhancing and future-facing side of this problem.

Guess what? Rahodeb is not his “real” name

A riveting “natural” story of pseudonymity has risen to prime time in America's financial press – partly because government prosecutors have entered the fray. We're not talking here about a teenager, novelist, or garret inhabitant. This involves a corporate executive – John P. Mackey, co-founder of Whole Foods Market, who we have just found out goes by the name of “Rahodeb”.

Kafka would have been proud

Here, via MSNBC, is a message in a bottle from some dimension I would not otherwise believe existed: 

VIENNA, Va. – A rule against physical contact at a Fairfax County middle school is so strict that students can be sent to the principal's office for hugging, holding hands or even high-fiving.

Unlike some schools in the Washington area, which ban fighting or inappropriate touching, Kilmer Middle School in Vienna bans all touching — and that has some parents lobbying for a change.

Hugging was Hal Beaulieu's crime when he sat next to his girlfriend at lunch a few months ago and put his arm around her shoulder. He was given a warning, but told that repeat missteps could lead to detention.

“I think hugging is a good thing,” said Hal, a seventh-grader. “I put my arm around her. It was like for 15 seconds. I didn't think it would be a big deal.”

But at a school of 1,100 students that was meant to accommodate 850, school officials think some touching can turn into a big deal. They've seen pokes lead to fights, gang signs in the form of handshakes or girls who are uncomfortable being hugged but embarrassed to say anything.

“You get into shades of gray,” Kilmer Principal Deborah Hernandez said. “The kids say, ‘If he can high-five, then I can do this.’ ”

Hernandez said the no-touching rule is meant to ensure that all students are comfortable and crowded hallways and lunchrooms stay safe. She said school officials are allowed to use their judgment in enforcing the rule. Typically, only repeat offenders are reprimanded.

‘Making out goes too far’

But such a strict policy doesn't seem necessary to 13-year-old Hal and his parents, who have written a letter to the county school board asking for a review of the rule. Hugging is encouraged in their home, and their son has been taught to greet someone with a handshake.

Hal said he feels he knows what's appropriate and what's not.

“I think you should be able to shake hands, high-five and maybe a quick hug,” he said. “Making out goes too far.”

His parents said they agree that teenagers need to have clear limits but don't want their son to be taught that physical contact is bad.

“How do kids learn what's right and what's wrong?” Henri Beaulieu asked. “They are all smart kids, and they can draw lines. If they cross them, they can get in trouble. But I don't think it would happen too often.”

I can't help thinking of Kafka's ironic question, “If judges are putting to death the mentally retarded, why is this judge still alive?” 

For the person who has everything

Whenever a patent is granted, the first sign of it is a flurry of weird mail emanating from a well-oiled spam machine that never seems to fail.  It is delivered right to your home address, presumably because the government releases information without setting any conditions on its use.  Beyond having to sort through more garbage, the whole premise of the marketing campaign is creepy.  Here's an example courtesy of Patent Awards:

Your patent commemorative is more than metal and wood – it is tangible evidence that you have made a contribution to this world and future generations.  One of our customers, Mr. Hank Cutler, said it best:

It is always rewarding to have tangible evidence of one's work, apart from publications.  [Gee!  I didn't know that my father/grandfather/great grandfather did that, but here's a plaque to prove it.  Guess I'll have to do better than that.]  Their presence, in family history, fuels future generations to do better things.”

What better reason is there to buy a patent commemorative plaque or frame?  Create your lasting memory so that your “presence, in family history, fuels future generations to do better things” by placing an order for your patent plaque or frame today!

Funny, I think of the tangible evidence as being the success of some technology.  The patent is just a necessity for protecting your business in 2007.

The family history stuff is stupefying.  The last thing I would want is to consciously drive my own children to compete with me.  I'm just glad that they are out of beta.

But hey.  The plaques are so reasonable – anywhere between $128 and $525.  Let's get a bunch. 

6 year old installs keylogger

Here is a strange one via Pamela Dingle's eternal optimist:

How girl, 6, hacked into MP’s Commons computer

I assume a physical keyboard logger like this could still be used to steal an IdP username & password, even with all the secure desktop stuff that the CardSpace client has built in…

This kind of dongle plugs in between the keyboard and the computer.  So there is one simple solution:  don't type in secrets that could allow someone to gain access to your accounts. 

My view:

  1. CardSpace self-issued cards (based on public key technology) and managed cards backed by a self-issued card or certificate would both be immune to this attack – assuming no physical access to the computer itself.
  2. Normal Kerberos login would be vulnerable.
  3. Username / password IdPs could be protected from this attack through use of the additional per-card secret described here – assuming non-InfoCard password access was not supported.
  4. One time password (OTP) systems would be unaffected.

BTW, I now have OTP integrated with my own managed card demo code.  When used with CardSpace it has very nice security properties because the channel from CardSpace to the IdP is encrypted using information in the managed card and the password can never be reused.
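The four cases above, as an added simulation of mine (not the post's CardSpace or managed card demo code): a logger that records every keystroke, then a static password, an RFC 4226 HOTP code and a key-based challenge-response, each attacked by replaying whatever the logger captured.  Assumptions: HMAC over a nonce stands in for the self-issued card's key pair, the password server's storage is simplified, and all secrets and the password are made up.

```python
"""Hardware keylogger against three login mechanisms (constructed simulation).

The logger sits between keyboard and host and sees plaintext keystrokes only.
A static password is replayable; an RFC 4226 HOTP code is burnt on first use;
a key-based challenge-response (HMAC here, standing in for a CardSpace card's
key pair) never puts a secret on the keyboard at all.
"""
import hashlib
import hmac
import secrets
import struct
from typing import List, Optional


class Keylogger:
    """Sees exactly what is typed, nothing more."""
    def __init__(self) -> None:
        self.captured: List[str] = []

    def tap(self, keystrokes: str) -> str:
        self.captured.append(keystrokes)
        return keystrokes


class PasswordServer:
    """Static secret: a captured copy is as good as the original."""
    def __init__(self, password: str) -> None:
        self._digest = hashlib.sha256(password.encode()).digest()  # simplified; use a real KDF

    def login(self, typed: str) -> bool:
        return hmac.compare_digest(hashlib.sha256(typed.encode()).digest(), self._digest)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class HotpServer:
    """Accepts each counter value once; a replayed code is dead on arrival."""
    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def login(self, typed: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), typed):
                self.counter = c + 1          # this code and any skipped ones are burnt
                return True
        return False


class ChallengeServer:
    """Fresh nonce per login; the device answers with a keyed MAC, nothing is typed."""
    def __init__(self, device_key: bytes) -> None:
        self.device_key = device_key
        self.pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def login(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = hmac.new(self.device_key, self.pending, hashlib.sha256).digest()
        self.pending = None                   # one answer per challenge
        return hmac.compare_digest(expected, response)


def device_answer(device_key: bytes, challenge: bytes) -> bytes:
    """Computed locally by the card/device; the key never crosses the keyboard."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


def run_scenarios() -> dict:
    """Legitimate login first, then the attacker replays whatever was captured."""
    logger = Keylogger()
    results = {}

    pw = PasswordServer("correct horse battery staple")     # made-up password
    pw.login(logger.tap("correct horse battery staple"))
    results["password_replay"] = pw.login(logger.captured[-1])

    otp_secret = b"12345678901234567890"                    # RFC 4226 test-vector secret
    otp = HotpServer(otp_secret)
    otp.login(logger.tap(hotp(otp_secret, 0)))              # token at counter 0
    results["otp_replay"] = otp.login(logger.captured[-1])

    key = secrets.token_bytes(32)
    cr = ChallengeServer(key)
    answer = device_answer(key, cr.challenge())
    cr.login(answer)
    results["challenge_keystrokes_seen"] = len(logger.captured)   # still 2: nothing typed
    results["challenge_replay"] = cr.login(answer)                # stale answer rejected
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Two caveats the list above glosses over.  HOTP defeats replay, not relay: an attacker who submits the captured code before the user's own login completes still gets in, and time-based codes (TOTP) stay valid for the rest of their window unless the server records every accepted code.  And the challenge-response case is only as good as the assumption that the device key never leaves the device, which is exactly the "no physical access" proviso in point 1.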

A sweep of their tiny fingers

My research into the state of child fingerprinting has led me to this extreme video – you will want to download it.  Then let's look further at the technical issues behind fingerprinting.

Here is a diagram showing how “templates” are created from biometric information in conventional fingerprint systems.  It shows the level of informed discourse that is emerging on activist sites such as LeaveThemKidsAlone.com – dedicated to explaining and opposing child fingerprinting in Britain.

Except in the most invasive systems, the fingerprint image is not stored – rather, a “function” of the fingerprint is used: in most products a list of minutiae (ridge endings and bifurcations, each with a position and an orientation).  The function is normally described as “one-way”, meaning you can create the template from the fingerprint by using the correct algorithm, but cannot reconstitute the fingerprint from the template.  That description deserves a caveat: a minutiae template is not one-way in the cryptographic sense.  Researchers have shown that a fingerprint image good enough to be accepted by a matcher can be regenerated from a standard minutiae template, so a template should be handled as biometric data in its own right, not as a hash.

The template is associated with some real-world individual (Criminal?  Student?).  During matching, the fingerprint reader again applies the function to a fresh fingerprint image and produces a blob of data that matches the template – within some tolerance.  Because of that tolerance, in most systems the template doesn't behave like a “key” that can simply be looked up in a table.  Instead, the matching software is run against a series of templates and a similarity score is computed for each in search of a match.

If the raw image of the fingerprint were stored rather than a template, and someone were to gain access to the database, the raw image could be harnessed to create a “gummy bear” finger that could potentially leave fake prints at the scene of a crime – or be applied to fingerprint sensors.

Further, authorities with access to the data could also apply new algorithms to the image, and thus locate matches against emerging template systems not in use at the time the database was created.  For both these reasons, it is considered safer to store a template than the actual biometric data.

But by applying the algorithm, matching of a print to a person remains possible as long as the data is present and the algorithm is known.  With the negligible cost of storage, this could clearly extend throughout the whole lifetime of a child.  LeaveThemKidsAlone quotes Brian Drury, an IT security consultant who makes a nice point about the potential tyranny of the algorithm:

“If a child has never touched a fingerprint scanner, there is zero probability of being incorrectly investigated for a crime. Once a child has touched a scanner they will be at the mercy of the matching algorithm for the rest of their lives.” (12th March 2007 – read more from Brian Drury)

So it is disturbing to read statements like the following by Mitch Johns, President and Founder of Food Service Solutions – whose company sells the system featured in the full Fox news video referenced above:

When school lunch biometric systems like FSS’s are numerically-based and discard the actual fingerprint image, they cannot be used for any purpose other than recognizing a student within a registered group of students. Since there’s no stored fingerprint image, the data is useless to law enforcement, which requires actual fingerprint images.

Mitch, this just isn't true.  I hope your statement is the product of not having thought through the potential uses that could be made of templates.  I can understand the mistake – as technologists, we often don't think of the evil usages.  But I hope you'll start explaining what the risks really are.  Or, better still, consider replacing this product with one based on more mature technology, exposing children and schools to less long-term danger and liability.
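To show what a stored “number stream” still permits, here is an added illustration of mine – not the post's code and not any vendor's – of minutiae-style template matching.  A template is a list of (x, y, angle) minutiae; matching counts the minutiae that fall within a positional and angular tolerance; identification is a 1:N search because no two captures are byte-identical; and two template databases built with the same algorithm can be cross-matched to link identities without any image ever being stored.  All prints are random, the alignment step a real matcher performs first is omitted, and the tolerances and thresholds are assumed.

```python
"""What a minutiae template still allows once it is on disk.

Constructed illustration: templates are lists of (x, y, angle) minutiae,
matching is tolerance-based, identification is a 1:N search, and two stores
built with the same algorithm are linkable by template alone. Synthetic data
only; real matchers also align the two sets before scoring.
"""
import math
import random
from typing import Dict, List, Optional, Tuple

Minutia = Tuple[float, float, float]   # x, y in pixels; angle in radians
Template = List[Minutia]


def angle_diff(a: float, b: float) -> float:
    """Signed difference wrapped into [-pi, pi)."""
    return (a - b + math.pi) % (2 * math.pi) - math.pi


def match_score(probe: Template, candidate: Template,
                dist_tol: float = 8.0, angle_tol: float = math.radians(15)) -> float:
    """Fraction of probe minutiae with an unused partner in candidate within tolerance."""
    used = set()
    hits = 0
    for x, y, a in probe:
        for j, (cx, cy, ca) in enumerate(candidate):
            if j in used:
                continue
            if math.hypot(x - cx, y - cy) <= dist_tol and abs(angle_diff(a, ca)) <= angle_tol:
                used.add(j)
                hits += 1
                break
    return hits / max(len(probe), 1)


def identify(probe: Template, database: Dict[str, Template],
             threshold: float = 0.5) -> Tuple[Optional[str], float]:
    """1:N search: a template is not a key, so every record gets scored."""
    best_id, best = None, 0.0
    for ident, tmpl in database.items():
        score = match_score(probe, tmpl)
        if score > best:
            best_id, best = ident, score
    return (best_id, best) if best >= threshold else (None, best)


def random_template(rng: random.Random, n: int = 30) -> Template:
    """Stand-in for a fresh finger (synthetic, no real biometric data)."""
    return [(rng.uniform(0, 256), rng.uniform(0, 256), rng.uniform(-math.pi, math.pi))
            for _ in range(n)]


def capture(template: Template, rng: random.Random,
            jitter: float = 2.0, drop: float = 0.1) -> Template:
    """A later reading of the same finger: jittered positions, some minutiae missed."""
    out = []
    for x, y, a in template:
        if rng.random() < drop:
            continue
        out.append((x + rng.gauss(0, jitter), y + rng.gauss(0, jitter),
                    a + rng.gauss(0, math.radians(3))))
    return out


def link_databases(db_a: Dict[str, Template], db_b: Dict[str, Template]) -> Dict[str, str]:
    """Cross-match two template stores built with the same algorithm: whoever
    holds both can map identities across them without any fingerprint image."""
    links = {}
    for ida, tmpl in db_a.items():
        idb, _ = identify(tmpl, db_b)
        if idb is not None:
            links[ida] = idb
    return links


def demo(seed: int = 7) -> Tuple[Tuple[Optional[str], float], Dict[str, str]]:
    rng = random.Random(seed)
    fingers = {f"pupil{i}": random_template(rng) for i in range(40)}
    school_db = {name: capture(t, rng) for name, t in fingers.items()}             # canteen enrolment
    later_db = {f"case{i}": capture(fingers[f"pupil{i}"], rng) for i in range(40)}  # years later, elsewhere
    who = identify(capture(fingers["pupil17"], rng), school_db)                      # 1:N lookup
    return who, link_databases(school_db, later_db)


if __name__ == "__main__":
    who, links = demo()
    print("probe identified as", who)
    print("pupil17 in the later database is", links.get("pupil17"))
```

The second database stands for any later enrolment of the same fingers – another school, an employer, a police system – and the mapping it yields is the “tyranny of the algorithm” Drury describes: retention of the template plus knowledge of the algorithm is all that is needed, for as long as the data is kept.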

U.K. wants beerdrinkers’ fingerprints

More news from the U.K. biometrics front.  Here is a piece by Rogier van Bakel from his site – Nobody's business:

All 12 million kids in the country will have to be fingerprinted. Actually, that's not news — I wrote about it here. What's news (to me) is that parents will likely have no way to opt out on behalf of their children. They can't tell Little Nigel to tell the government's data-miners to shove it.

See if you can follow the logic here without gasping.

David Smith, deputy Information Commissioner, said it was a complex issue that was still being worked out, but it was likely that parents did not have an automatic right to decide whether their children's biometrics could be taken by a school.

“The Data Protection Act talks of consent of the individual — essentially that's consent of the child,” he said. “Now there's a requirement that consent is informed and freely given. That will depend on the age of the child,” he said. “The idea is that as long as children can understand the implications of what they are being asked to do, they can give consent without deferring to their parents. The Data Protection Act is about the pupil's rights, not the parents’ rights over the children's information,” said Smith.

Can a six-year-old understand the implications? A ten-year-old? A thirteen-year-old? It's doubtful, but somehow, the government is fully prepared to consider these pupils — and itself — to be more competent in such matters than the children's own parents.

Also note Mr. Smith's up-is-down government-speak when he spins the ominous legal requirement for children to surrender their biometric data as if it were really a right — one that must be protected from the ignorant stubbornness of Mum and Dad.

Meanwhile, in the name of crime prevention, U.K. authorities are ordering citizens who visit clubs and pubs to get fingerprinted, too. No joke.

The government is funding the roll-out of fingerprint security at the doors of pubs and clubs in major English cities. Funding is being offered to councils that want to have their pubs keep a regional black list of known trouble makers. The fingerprint network installed in February by South Somerset District Council in Yeovil drinking holes is being used as the showcase. “The Home Office have looked at our system and are looking at trials in other towns including Coventry, Hull & Sheffield,” said Julia Bradburn, principal licensing manager at South Somerset District Council. Gwent and Nottingham police have also shown an interest, while Taunton, a town neighbouring Yeovil, is discussing the installation of fingerprint systems in 10 pubs and clubs with the systems supplier CreativeCode.

In order to qualify for a new license, a pub owner or club manager will have to promise to install a fingerprinting system. If, after the system is in place, customers fail to display a “considerable” reduction in alcohol-related violence, the drinking establishments could have their licenses revoked.

I'll make just a brief comment about both these issues.

I think the student should be able to refuse consent if she doesn't want to be fingerprinted, and the parent should be able to refuse it on her behalf as well.  After all, the child should learn how to protect herself, though ultimate responsibility lies with the parent.  Further, as shown by Joy's “No scan, no eat” report, we need some way to prevent the bullying of children (and parents) into submission.

As for fingerprinting people on their way into pubs, all I can say is:  Britain, get a grip!  As a Canadian, it's like watching a loved one losing her mind.

If they don't scan, they don't eat

The more I look into this story, the worse it gets.  We don't have to go to Britain for examples of child fingerprinting – just take a look at this email from a lady in Illinois:

Kim,

My name is Joy and I am continuing to get the word out & tell this true story.

In August 2005, our public school district with less than 500 students decided to start using biometric equipment for “accounting purposes”.  We were told at registration to take our children over and have them scanned.  (There was not an opt out or opt in policy).

I objected and said no – our children are not to use this equipment -especially when there is not a policy to look over.

We were told, “if they don't scan, they don't eat.”

I explained I believed that to be against the law and the rights of the children as well as parental rights.  I was then told that this equipment would put Earlville, Illinois on the map (not like they thought).  A few days later I gave birth to our youngest daughter, on Aug 20, 2005, and explained to my husband that when I recovered I was going to discuss this matter with the district administration again.

Meanwhile my eldest children Brooke & Gunner were still brown bagging it.  Well, Sept 21, 2005 my 7 year old son was scanned anyway – even though he reminded the “tech director” that he was not to scan.

I of course called the school and started receiving excuses from the administrative staff.  I went to the local paper, the school board and still did not feel as if we were getting very far with our objection.  I then decided to write to Illinois legislators and the media.

Senator Miguel Del Valle introduced SB 2549 in Jan, 2006. CBN came to our town and interviewed us (as well as Senator Miguel Del Valle on a different date.)  The story aired Nov 7, 2006.  Then Senator Miguel Del Valle stepped down and took another position in Chicago. SB 2549-session sine die.

There I was again writing and calling the media and legislators.  In Jan,  2007 I was invited to speak with some privacy advocates and share this almost unbelievable story.  In Feb, 2007 two bills were introduced and are passing:  HB 1559,  introduced by State Rep Bob Pritchard; and SB 1702, introduced by Senator Kim Lightford.

I have several newspaper articles as well as letters from the Superintendent stating that my 7 year old son willingly gave up his finger.  Info about this story can also be found on EFF's deeplinks, the Cato Institute, The End Times and of course the CBN website.   As soon as I get updated on the bills I can notify you.   In the meantime I will continue to get the word out and search for advice on this matter.

I had my finger impression scanned for an Illinois licensure requirement, however I am a mother of five, over 30 and a private detective.

Not a minor child trying to buy hot lunch at school.  We know that the data on these children can be sold, given away and anyone who knows how to write a FOIA can have access to this info.

Joy Robinson-Van Gilder

Make sure children are calm

Continuing to explore the new specialty of child fingerprinting, I came across a nice piece on this phantasmagorical teaching aid:

Not surprisingly, people are responding to this preposterous misuse of identity with sites like leavethemkidsalone.  These people know how to communicate.  Take a look at this little video

Amazingly, those caught up in child fingerprinting have broken the first four laws of identity all in one go.  This will come back to haunt them – and much worse, may stalk some of their little victims.

First, both the parents and the children should have been asked for consent – and given the opportunity to opt out (law 1).  Second, far more information is being collected than is required by what the schools are using it for (law 2).  Third, this information is in the hands of unwarranted parties (law 3).  Fourth, a non-revocable omnidirectional identifier (you can't change fingerprints) is being used in an interaction where a unidirectional (context-specific) identifier would do just fine, paving the way for many attacks on the individuals’ privacy and security (law 4).
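What a unidirectional identifier looks like for the school case, as an added illustration of mine rather than anything from the post or the products it discusses: a school-held secret derives, for each pupil and each system that needs to recognise them (library, canteen), an identifier that means nothing in any other context, and rotating the secret retires every identifier at once.  The contrast with a fingerprint is the point: one value for every context, for life, that nobody can rotate.  Pupil names, contexts and the secrets are made up.

```python
"""Per-context (unidirectional) identifiers in place of a fingerprint.

Added illustration: a school-held secret derives one identifier per pupil per
system; holders of two leaked context databases cannot correlate them, only
the secret holder can resolve an id, and rotating the secret retires all ids.
Pupil names, contexts and secrets are made up.
"""
import hashlib
import hmac
from typing import Dict, List, Optional


def context_id(secret: bytes, pupil: str, context: str) -> str:
    """HMAC over (context, pupil): same pupil, different context -> unrelated value."""
    msg = context.encode() + b"\x00" + pupil.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20]


def enrol_context(secret: bytes, roster: List[str], context: str) -> Dict[str, dict]:
    """What the supplier's system for one context holds: its ids and its own data, nothing else."""
    return {context_id(secret, p, context): {"context": context, "credit": 0} for p in roster}


def resolve(secret: bytes, ident: str, context: str, roster: List[str]) -> Optional[str]:
    """Only the secret holder (the school) can map an id back to a pupil, and it
    does so by recomputation over the roster, so no reverse table has to exist."""
    for p in roster:
        if hmac.compare_digest(context_id(secret, p, context), ident):
            return p
    return None


def link_attempt(db_a: Dict[str, dict], db_b: Dict[str, dict]) -> set:
    """What someone holding two leaked context databases can correlate by identifier."""
    return set(db_a) & set(db_b)


def demo() -> dict:
    roster = [f"pupil{i}" for i in range(30)]
    secret_2007 = b"\x11" * 32               # made up; in practice from a key store
    library = enrol_context(secret_2007, roster, "library")
    canteen = enrol_context(secret_2007, roster, "canteen")
    pupil3_canteen = context_id(secret_2007, "pupil3", "canteen")
    secret_2008 = b"\x22" * 32               # rotation: every old id dies at once
    canteen_next = enrol_context(secret_2008, roster, "canteen")
    return {
        "linkable_across_contexts": len(link_attempt(library, canteen)),
        "school_resolves_to": resolve(secret_2007, pupil3_canteen, "canteen", roster),
        "old_id_still_valid": pupil3_canteen in canteen_next,
    }


if __name__ == "__main__":
    print(demo())
```

A leak of the canteen supplier's database under this scheme exposes meal credits against opaque identifiers; a leak of the template database exposes something the child carries to every future context.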

Strangest of all, though we can predict with near certainty that the information being collected will leak over time, the schools and government seem to have no concern for the unnecessary liability they are assuming.  Strange.  Perhaps, in Britain, they are immune to law suits?

Already we see the first repercussions.  In fact the Dudley school system teaching aid shown above was taken down in response to a leavethemkidsalone story.

3,500 British schools fingerprinting their children

Greg Mulholland, a British MP, has drawn my attention to a misuse of identity technology that not only concerns me, but saddens me. 

I'm a pretty hard-bitten technologist.  I long ago observed that one of the unfortunate characteristics of computers is that they allow people to do stupid things thousands of times more quickly than they did before. 

But this one goes beyond silly to abusive.  It involves inflicting a technology that is not yet ready for use in the real world, on young children.  An analogy might be a decision, by people who don't realize testing is necessary, to inject students with an untested vaccine.  And worse, the parents have no opportunity to opt out. 

This is one of those cases where ignorance breeds Sorcerer's Apprentices who act without the slightest knowledge that there will be consequences to what they do.

On a personal note, I can't help responding as one who has taught – albeit, not to children.  I wonder what has happened to our teachers, whose job must be to know their students intimately and respond, with open hearts, to their needs and abilities?  What macabre pathways led them to introduce impersonal and mechanized technologies like RFID and – the mind boggles – fingerprinting, as a substitute for personal interaction?  I see a tear in Socrates’ eye.

In Britain, not only do an estimated 3,500 schools already use fingerprinting, but, in astonishing ignorance of the first law of identity, parental consent is not required.  If it had been, the technical and security issues now coming to light would have been raised earlier, and the money which has been poured down this pathetic technology drain could have been used to better ends.

The following is a story on the BBC web site about the growing controversy and the government's new “guidelines” on fingerprinting in schools:

The guidelines, published next month, will “encourage” schools to seek consent before taking biometric data.

The move comes after it emerged some primary schools stored children's thumb prints for computerised class registers and libraries without parental consent.

The Department for Education and Skills (DfES) says it does not have figures for how many schools are already using biometric data.

However, a web poll by lobby group Leave Them Kids Alone, estimated that 3,500 schools had bought equipment from two DfES-approved suppliers.

Under the Data Protection Act, schools do not have to seek parental consent to take and store children's fingerprints.

‘Sensitive area’

But privacy watchdog the Information Commissioner will urge them to do so from next month after pressure from parents and campaign groups.

“Because this is a fairly sensitive area – because young people are going to be sharing their personal information – we are encouraging schools to adopt best practice and seek the consent of both pupil and parent,” a spokesman for the Information Commissioner said.

Schools will also be reminded that they must not share the data with other organisations.

They have also been told they should only hold fingerprint and other information “as long as it is necessary for the purpose for which it is being processed”.

But the moves are unlikely to satisfy campaigners, who have been calling for a change in the law to ban fingerprint scanners from school premises.

‘Social conditioning’

The director of lobby group Action on Rights for Children, Terri Dowty, said having fingerprint technology in schools – allowing students to register, use the library and buy canteen food – was “encouraging children to be casual about their biometric data”.

Her views were echoed by Phil Booth from the anti-identity card campaign group No2ID.

He said: “We're talking about social conditioning. In a school environment it will make kids less concerned about their biometric data.”

But he also raised concerns about storing such information on “relatively insecure databases”.

Parent activist David Clouter said a lack of guidance from the DfES and the Information Commissioner had “produced a juggernaut of companies wanting to jump on the bandwagon” to sell equipment to schools.

‘Stolen identities’

He had been told that having biometric data in school libraries “would encourage people to read”.

“Given that children have been reading for centuries I find that hard to believe”.

A technology expert, Andrew Clymer, who has campaigned to keep biometrics out of the school attended by his children, aged six and eight, said that no IT system was guaranteed to last beyond a few years.

However, a fingerprint taken from a 4-year-old child would last a lifetime.

“Security is always developed with a timeframe, but biometric data is for a lifetime.

“We would potentially be opening up the possibility that in the future kids will have their identities stolen,” Mr Clymer said.

Guidance

Forty-seven MPs have signed a Commons motion tabled by Liberal Democrat MP Greg Mulholland calling for consent to be required for the collection of biometric data.

Shadow schools minister Nick Gibb has also asked schools minister Jim Knight about guidance.

Mr Knight responded that biometric information about pupils should be handled in the same way as other personal data about pupils, and said it was subject to the Data Protection Act 1998.

Under the Act, schools are not obliged to seek consent from parents, but they should provide notification of their use of data to individuals involved.

‘Common sense’

The DfES said fingerprints were used to help make school libraries, lunches and “management systems” run more smoothly and the information was stored as a “digital number stream” rather than individual prints.

Schools are also required by the Data Protection Act to tell parents about any information being held on their children and what it is being used for.

A DfES spokesman said: “It is important to remember that schools have always collected personal information, such as registers and home addresses, on pupils for their own smooth running.

“They are well used to handling all kinds of sensitive information to comply with data protection and confidentiality laws.

“Parents should be engaged in all aspects of school life and it is common sense for schools to talk to them about this and all issues relating to their children.”

The new guidance for schools will be available from the end of March on the website of Becta, the British Educational and Communications Technology Agency.