Do You Know Who Your Children Are? Gordon Brown Does.

One of the ironies that popped up on the Today Programme this morning was a press release from the UK data protection commissioner, warning teenagers about the dangers of exposing personal data online and announcing a probe of Facebook (which also has other issues elsewhere., more on that later).

Wahaha. You have to laugh. In a week when the government lost the personal details of millions of Britain’s children, that’s a bit rich.

There might be worse to come though,. HM Reveniue and Customs’ (former proprietor Gordon Brown) current problems with IT could pale into insignificance when it comes to some of the cockups over children’s private data that’re waiting in the wings.

Take the government’s long planned child information policy for instance. Called ContactPoint, it’s touted as an integrated information sytem that will enable schools and other oganisations to work together to protect at-risk children. No more Victoria Climbies – who could be against that?

ContactPoint was previously known by the working title of the ‘information sharing index’. It is a key element of the Every Child Matters programme to transform children’s services by supporting more effective prevention and early intervention.

ContactPoint is one of a range of tools that will help services work together more effectively on the frontline to meet the needs of children, young people and their families.

It sounds innocuous enough, if well-meaningly vague. So what is it and what does it do? It’s it a massive database of every single child in Britain, containing:

  • Basic identifying information for all children in England (aged up to 18): name, address, gender, date of birth and a unique identifying number.
  • Basic identifying information about the child’s parent or carer.
  • Contact details for services involved with the child: as a minimum, educational setting and GP practice, but also other services where appropriate.
  • A means to indicate whether a practitioner is a lead professional and if they have undertaken an assessment under the Common Assessment Framework.

[My emphasis.]

This database includes fingerprints, already being taken from children nationwide,encouraged and subisdised by the central government, and is to be accessible only to ‘practitioners’:

Access will be restricted to authorised users who need it as part of their work. This will include those working in education, health, social care, youth offending and some voluntary organisations

Some voluntary organisations? Who? Where? Why? And who the hell is an authorised user? A doctor? a nurse? Someone who helps at the local playgroup? Some anonymous, low-paid clerk in your local council’s social services department? The one who lives down the road fron you and gossips with the bloke in the newsagents on the way to work?

From the text it seems a ‘practitioner’ is an ‘authorised user’ – but I note the government is careful not to specify what an ‘authorised user’ actually is.

Who are they? Who authorises them? The document promises criminal records checks – but remember what a dog’s breakfast they made of the crimnal records database? It does not inspire confidence.

When you start to think through just how many people could potentially access this information you realise just how many potential points of leakage there are (and although it does not contain casefiles files still will be flagged) the heart sinks. It’s an accident just waiting, no, itching to happen:

Authorised users will be able to access ContactPoint in three ways – through:

  • A secure web link
  • Some existing case management systems
  • Another authorised user (where appropriate IT is unavailable)

Wherever possible ContactPoint will be automatically updated from existing systems, avoiding the need for practitioners to enter information on a separate system. It will not be possible for an authorised user to access case management systems or to see case data held by another agency on ContactPoint.

[My emphasis again]

That hardly matters when the minor functionaries of local authorities and a range of unaccountable quasi-autonomous agancies have been given the power to snoop into our bank acoounts, email traffic, car and electoral registrations, credit cards, medical records, library use and all manner of other personal data virtually at will.

ADDITIONAL RELEVANT PUBLIC AUTHORITIES FOR THE PURPOSES OF SECTION
25(1) OF THE REGULATION OF INVESTIGATORY POWERS ACT 2000

Government departments
1. The Department for Environment, Food and Rural Affairs.
2. The Department of Health.
3. The Home Office.
4. The Department of Trade and Industry.
5. The Department for Transport, Local Government and the Regions.
6. The Department for Work and Pensions.
7. The Department of Enterprise, Trade and Investment for Northern Ireland.

Local authorities

8. Any local authority within the meaning of section 1 of the Local Government Act 1999.
9. Any fire authority as defined in the Local Government (Best Value) Performance Indicators Order 2000.
10. A council constituted under section 2 of the Local Government etc. (Scotland) Act 1994.
11. A district council within the meaning of the Local Government Act (Northern Ireland) 1972.

NHS bodies in Scotland and Northern Ireland

12. The Common Services Agency of the Scottish Health Service.
13. The Northern Ireland Central Services Agency for the Health and Social Services.

Other bodies

14. The Environment Agency.
15. The Financial Services Authority.
16. The Food Standards Agency.
17. The Health and Safety Executive.
18. The Information Commissioner.
19. The Office of Fair Trading.
20. The Postal Services Commission.
21. The Scottish Drug Enforcement Agency.
22. The Scottish Environment Protection Agency.
23. The United Kingdom Atomic Energy Authority Constabulary.
24. A Universal Service Provider within the meaning of the Postal Services Act 2000.

RIPA 2000 allows for authorisations (as distinct from warrants for telephone-tapping) and the serving of notices by “a person designated” include the following grounds:

a) “in the interests of national security”
b) “for the purpose of preventing or detecting crime or of preventing disorder”
c) “in the interests of public safety”

It wouldnt take much to marry up the data. Think of what an abusive ex-husband or stalker would give to get their hands on that.

But apparently Gordo doesn’t think that the safety of the natiion’s children is worth its own secure stand-alone system, built from the ground up and inaccessible to all but those most closely involved directly with the child.

No, that would cost money more usefully spent pursuing pointless wars, so what we’re getting is another cobbled-together mongrel of a thing, full of bugs and holes.

The blithe assertion that they can successfully integrate and update a patchwork of different systens in national and local government, independent trusts and charities would be have been laughable even without this week’s events, given the government’s abysmal record with IT projects and data security. The thing that really worries me about ContactPoint is off in the future, though: this system is supposed to track and protect children, defined as those under 18. But what happens to their data when they’re 19? Does it get destroyed? Somehow I doubt it…

It’s too easy to get sucked into looking at just the nuts and bolts of the project, though those are interesting and shocking enough. The real question is what is ContactPoint actually for, and why?

All this past week, despite having had the evidence of their own incompetence staring them in the face, the government has still insisted that it’s not the end for the ID card scheme. Why are they so sanguine?

There’s a reason: they know damned well that it doesn’t matter a jot if Brown has to shelve current plans, because our children are having an ID card sytem imposed upon them by stealth, under the guise of their own protection.

When viewed in that light, it’s difficult not see the loss of the CDs containing the personal details of 25 million parents and children as less of a bureaucratic bungle and more of a policy decision, a deliberate and cynical softening up exercise. Those with little trust in New Labour might even see it as an act of information terrorism against its own electorate.

The HMRC debacle could actually work in Gordon Brown’s favour. If their childrens’ current identity details are compromised, how much more likely are parents, perfectly understandably wanting to protect their children from fuure fraud or personal harm, to turn to a verified fingerprinted government ID as the defintive proof of their children’s identity? There, conveniently, is ContactPoint, ready to fill the void.

No, surely not. Surely a British government wouldn’t be so cynical as to make all curent forms of identification worthless so it could bring in ID cards by the back door, would it? Would it?

Comment of the Day: Alex on “The Biggest Data Fart In The World Ever”

Alex is driven round the bend by New Labour’s excuses for not depersonalising the data on the discs what they lost:

You what? Too costly? How? Oh, right, it’s the old standby – “there’s a contract“. We can’t find you the plates for your flak jacket/diagnose your cancer within less than three months/type SELECT (names, addresses) FROM families WHERE child=Yes rather than SELECT * FROM families because there’s a contract.

So how does it work? Do they have a little taxi meter on their desks that increments every time they issue a database query? How much is Crapita or Siemens or whoever charging them per SQL statement?

So it looks like it wasn’t some junior consultant doing a dump of the entire database and bunging it on a cd on their own initiative, but semi-official policy to do so whenever an e-mail that looks like it’s from the National Audit Office arrives. It may have been against official guidelines, but when the system allows you to do this and it’s seemingly impossible to even do anything but dump the entire database because it would cost too much otherwise, guidelines are just lies on paper.

So anyway, looking at it from an IT security point of view, we see a fair few weak spots that cannot be solved by “spot checks” or “guidelines”. Just the fact that it’s possible to get a dump from the entire database and that even junior employees can do it is bad enough, but worse is the fact that the NAO thinks it’s a good idea to audit databases by requesting such a dump rather than inspecting them directly.

In Blogo Veritas

Funny how it’s the most off-the-cuff remarks that can sometimes be the most revealing.

I just took a quick look at BBC politics correspondent Nick Robinson’s blog, where he said something about the data loss scandal that sheds a light on his own bourgeois concerns:

UPDATE, 12:30 PM: It is indeed, as I mentioned above, data loss on a huge scale. I understand that the data of over a million people has been lost by HMRC. It relates, I’m told, to benefit claimants, and not the income tax system or tax credits

Shorter Robinson: “That’s all right then, it’s just scroungers. No worries, we middle-class journos people aren’t affected.”

Hah. He was soon disabused of that notion.

But it raises an interesting point: there are clear class differences in the treatment of the victims of financial and data scandals.

Compare the treatment given to Northern Rock shareholders: Northern Rock was promised a virtually uinlmited amount of taxpayers’ money to keep it afloat (and with it thousands of nmiddle class savers and mortgagees) to the lack of assistance given to the Farepack Christmas Club savers when that company was made insolvent and thousands of poor people lost all their meagre Christmas savings.

Compare it also to the murky scandal of the failed money transfer business in which thousands of British Asians lost enormous amounts of money that they trustingly wired home to their families in the subcontinent and which never arrived. Millions are still misssing.

(Yes there is a difference in scale and in subject matter: but all of these scandals were enabled by sloppy information management.)

The poor people who make up the majority of the victims of the latter two affairs, unlike the Northern Rock savers, had no Treasury protection: they’ll be lucky to get 5 pence in the pound of their money back, if anything at all. Not for them the unlimited guarantee given by Chancellor Alistair Darling to keep the likes of Nick Robinson and his fellow Pooters cosily confortable in countless suburbian villas countrywide.

No, they’re poor, they don’t matter. Ditto with the treasury data scandal – when it’s only claimants affected, it’s an irrelevance.

The attitude displayed by Robinson is incredibly common amongst the media and a commentariat as well as government – as long as something bad happens only to poor people, it doesn’t really happen.

But as with that well-known aphorism about a liberal being a conservative who’s been arrested, something as big as this latest Treasury scandal, which affects 7 million families of all income levels from rich to poor, might make the complacent middlle classes wake up, get off their well-fed rumps and finally get shut of this pisspoor excuse for a government.

Maybe if the Nick Robinsons of this world are forced to personally deal with the sloppily built, managed and policed edifice of data collection and electronic transfer that the government and the banks, in unholy alliance with accountants, PFI consultants and IT companies (sucking up taxpayers’ money in sweetheart deals all the way), have constructed, like poor people have to every day, they’ll wake up.

Maybe it’ll take something as serious as this to make the complacent media bourgeoisie realise that they are as vulnerable to government and financial data mishandling, fraud, incompetence and theft as anyone else, rich or poor, no matter how secure their Heals’ sofas and 4 by 4’s in the drive make them feel.

Maybe monkeys might fly out of my butt.

Speaking of IT clusterfscks…

Somebody tipped me off to the innocent sounding “Interception Modernisation Programme”, but what is this exactly? It’s mentioned in this “Security and Counter-Terrorism Science and Innovation Strategy” document (PDF) from the Home Office, which seems to be some sort of happy face p.r.-minded strategy overview to show how on the ball the government is in combatting terrorism through innovation and science . In this context, the “Interception Modernisation Programme” is only mentioned in an aside and it sounds like it could be anything:

Intercepting terrorist communications

Knowing the content of terrorist communications is vital to the UK’s ability to respond to terrorism. The cutting-edge interception technology required is therefore critical to building up our intelligence and to understanding the nature of the threat.

The Interception Modernisation Programme is a cross-Government programme which aims to maintain the UK’s world-class capability in obtaining and exploiting terrorist communications data. It is a key example of how Government is using innovative and ground-breaking technology to stay well ahead of the terrorists.

Knowing the UK government, this may very well be some wild scheme comparable to Echelon, to have an uptodate capability in place to intercept the internet/mobile phone traffic of anyone in the UK at a moment’s notice, or worse, to go trolling for terrorist plots by searching all internet/mobile phone data for certain keywords, a technique many governments seem enamoured of. A Google search didn’t show more than just the above document plus several job descriptions on recruitment websites that mention the programme. Seems they’re still looking for a commercial analyst and a procurement project manager…

Does anybody know anything more?