Archive for November, 2007

Is This Good or Bad News?

Posted by Tom Fuller in Blindside project, Humanity nature and activity, data mining, fraud at November 30th, 2007

How easy would it be to find this information for UK and continental Europe?

“An estimated 8.3 million Americans over the age of 18 were victims of identity theft in 2005, according to an analysis of a phone survey released Tuesday by the FTC. That represented a decline of about 16 percent from an estimated 9.9 million victims in 2003, when the agency last conducted its survey.”

“Identity theft cost U.S. businesses $55.7 billion in 2006, according to Javelin Strategy & Research. The FTC estimates that in 2006 the cost to consumers was $1.2 billion.

But experts say complaints filed with the FTC offer only a glimpse of the actual damage. “Most people don’t even think about calling the government because they are not going to help them get their money back,” Litan said.

The FTC estimates that 1.8 million Americans discovered some type of fraud committed using their personal information, 3.2 million had their credit card accounts misused and 3.3 million experienced misuse of other financial accounts.

Javelin’s estimates back the FTC’s findings. It said 8.4 million people were victims of identity theft in 2007, down from 8.9 million in 2006 and 9.3 million in 2005.”

How blogs, wikis and Web 2.x can help keep us safe

Posted by William Heath in Blindside project at November 29th, 2007

How can the endless array of people transforming government use social networking to get faster to good outcomes?

That’s a big question we considered when we conceived “Blindside”. If only government knew what it knew about technology, customers, and social evidence and if only the good people doing good things could connect better horizontally, based on ability and ideas regardless of hierarchy, who knows how liberating and effective it would be. This applied especially to how we keep our society and our systems safe. Much of that is based on secrecy, but far more is surely based on openness and what we share.

Note for example progress on the US intelligence blog Intellipedia. It’s not itself open, but there is a blog about its progress and issues here, with links to intelligent discussion about the strengths and weaknesses of webs and wikis in this culture.

And there’s A-Space (a classified version of MySpace or the CIA-backed Facebook) - see description here (there may be better links).

The point is: are we using these things safely and to good effect here in the UK to understand information assurance and the role of good IT in creating the e-enabled society we want? It’s essential this should be a cross-disciplinary conversation. It doesn’t do anyone any good if we put very secure IT procedures onto a fundamentally ill-conceived project, but the IA people may end up carrying the can. We saw what happened at HMRC. Do we really think good IT security procedures will make ContactPoint/eCAF, Connecting for Health, and the ID System/eBorders acceptable and safe socially? The point is that effective, broad, respectful engagement ACROSS disciplines is essential up front. Social networking is a great way to support this.

You don’t need a £multi-m investment with some hungry, old-fashioned IT supplier or rancid old consultancy to do this. Technically we don’t need anything more than the tools we use for Blindside (a blog and a wiki hosted on our mate Chris’s server). It needs some moderation and commitment to participate. We need to learn two things better: to express ourselves, and to listen. Web 2.x can help; that’s what it does.

Top Down IA

Posted by Tom Fuller in Blindside project, Humanity nature and activity, culture, human error, standards at November 28th, 2007

Information Assurance almost by definition starts from the top of an organisation and works down. (Well, at least by my definition, which involves a board-level commitment to risk management, smooth flow of information to appropriate resources, and protection of information from those not explicitly authorised to view it).

But can this work in the public sector? Obviously, it currently does not, but is it feasible? I guess what I would like feedback on is if there is an Information Assurance briefing for those who move into senior levels of public service, get elected, change organisations, etc. Is there a Book? (a movie…?) Is there an IA Seminar 101 for those who move into positions of responsibility?

Then moving down, is there appropriate training for mid-level management? Should cover most of the same issues, but in greater depth as they will have to execute the broad strategies developed up above, right? And then, of course, the front lines. What dedicated training do they receive in information security, good data hygiene, etc.?

If it’s all there and up and running, I’d like to know.

Afterthought: On a Toyota assembly line, any production worker can stop the line if s/he suspects something is going wrong. I would wager that similar devolved authority to front line workers in government would stop a lot of these problems, especially if accompanied by appropriate training beforehand.

The Politics of Information Assurance

Posted by Tom Fuller in Blindside project at November 27th, 2007

If people lose faith in either the technology enabling next generation public services or the ability of public servants to effectively administer these systems, it becomes an information assurance issue. We can abandon discussion of biometrics, encryption, passwords and identity management. This is strategic corporate governance and risk management, and needs to be analysed at Board (read Cabinet) level.

If the Conservative Party says that it will disassemble the National Identity Card project if elected, this affects tenders and contracts as well as elections. While no government can bind the hands of its successors, and certainly government tenders are less important than treaties, recent events have added unwanted risk to the government’s transformation and shared services agenda and should, in all honesty, cause a rethink of much-discussed initiatives such as the National ID Card project.

If the ID Card project becomes a political football, it could come down to either being continued or abandoned based on public opinion polls. It is recent government experience that has made this a possibility. Should the government of the day wish to defuse this as a possible issue, it needs to have a pretty long period without negative incident to let memories fade and new issues arise.

Does anyone feel confident that government can go through any significant period of time without an IA disaster?

Chris Smith of Vega rather succinctly encapsulates the problem by saying that good health and safety practices are the result of clear lines of responsibility including personal contracts with employees, and that no such regulatory framework exists for information assurance issues–Chris posts here from time to time, and I hope he takes time to elaborate on this here.

What happened at HMRC is an information assurance issue and it affects the future of information assurance in the public sector. To think otherwise is daft, frankly. While we here at Blindside normally look through the other end of the telescope at these issues, to ignore the political reality of recent events does no-one any good.

Somebody cc Those Working on NHS Databases

Posted by Tom Fuller in AnonymitY, Blindside project, Data breaches, e-ID, people and passwords at November 27th, 2007

“A security breach affecting an unknown number of Canadian citizens came to light last week in the Canadian province of Newfoundland and Labrador when a consultant for the Provincial Public Health Laboratory took a laptop containing patient health information home. The consultant was contacted by a person who identified himself as a representative of a computer security company and who claimed that he was able to access data on the laptop through the consultant’s home Internet connection.”

… “The exposed information includes names, Medical Care Plan numbers, age, sex, physician and test results for infectious diseases, including HIV and hepatitis.”

In a related news story…. “Trust is fundamental to the effective management of security and privacy in the public realm. Surprised? “Results from a ground-breaking pan-European study show that when it comes to security and identity in electronic public services, trust is a critical issue for European eGovernment. Given recent negative press stories about the security risks associated with personal data on social networking sites such as Facebook, and recent events in the UK where the personal details of some 25 million citizens appear to have been lost, this paper comes as a timely reminder about the need to manage trust and security effectively.” … “The cc:eGov study has identified exceptional good practice in Europe, for example in Estonia where an integrated ID card provides access to public and private services. However, the Estonian Government is rigorous and thorough in its protection of citizens’ data, to the extent where sustained cyber attacks on their systems earlier this year did not result in a breach of security. The trust of citizens was therefore reinforced.”

Qui Custodet Ipsos Custodiet?

Posted by Tom Fuller in Blindside project, IT failures, Malware, Murphy's Law, cracking stuff, threats at November 26th, 2007

Well, hope I got the Latin right. This is a bit unnerving (not this part–no application is perfect): “Antivirus software must open and inspect data in hundreds, if not thousands, of file formats. One bug in the software that does this can lead to a serious security breach. Zoller and his colleague Sergio Alvarez have been looking into this issue for the past two years and they’ve found more than 80 parser bugs in antivirus software, most of which have not yet been patched.”

“The flaws they’ve found affect every major antivirus vendor, and many of them could allow attackers to run unauthorized code on a victim’s system, Zoller said.”

It’s this part that is scary–the type of denial that has been the prelude to IT disasters for 20 years:

“Zoller says he has been criticized by his peers in the security industry for “questioning the very glue that holds IT security all together,” but he believes that by bringing this issue to the forefront, the industry will be forced to address a very real security problem. Between 2002 and 2005, nearly half of the vulnerabilities that were discovered in antivirus software were remotely exploitable, meaning that attackers could launch their attacks from anywhere on the Internet. Nowadays, that percentage is close to 80 percent, he said.”

Russ Cooper, a senior scientist with Verizon Business, had some criticism for the work of n.runs. “The research almost appears to be goading criminals into ‘getting better’ at attacking vulnerabilities… hardly helpful,” he said via instant message. “There’s no doubt that the list of vulnerabilities they have already published in security products looks daunting. However, historically, we have not seen this type of vulnerability exploited.”

And if I read this right, I do not want to do business with this company at all–he seems to be saying that there’s no need to fix it until it gets hacked: “Though Cooper agrees that antivirus file parsing vulnerabilities do pose a risk, he said there are several reasons they have not yet been the focus of widespread criminal attacks. For one, criminals are already being effective enough with their current tactics, such as sending malicious e-mail attachments. A second reason is that security software tends to get more scrutiny, meaning that any vulnerability that was being exploited would be quickly patched, and that any criminal involved in an exploit would be more likely to be caught.”

Coda

Security vendors have long known about vulnerabilities in their software, said Marc Maiffret, chief technology officer with eEye digital security. “Security software is just as vulnerable as any other software,” he said via instant message. “We all hire the same developers that went to the same colleges as Microsoft and learned the same bad habits.”

A Moveable Feast

Posted by Tom Fuller in Blindside project, Faster/smaller/better... at November 25th, 2007

(From Popular Mechanics) “It looks like the latest smartphone-on-steroids, teeming with everything from GPS and wireless to a touchscreen and a stylus. Throw in an SD memory slot, fingerprint authentication and Windows Mobile 5.0, and you’ve got a powerful, easy-to-use PDA in your hands. Trouble is (besides being clunky at nearly twice the size of BlackBerry), once inefficient bureaucrats will be the only ones allowed to use it come 2010.”

(First reaction–why a device that is department specific? Why not a flexible device programmable for different department needs? Nonetheless, the time, cost and (human) energy savings seem real and visible.)

“It’s the U.S. Census Bureau’s first handheld computer (HHC), and it’s coming to survey a home near you. Developed as part of a federal mandate to make census data collection more secure, officials hope the HHC will cut down on time, paper and human error during the next census. “We’re expected to save a billion dollars,” says Mike Murray, the HHC project leader for Harris Corp., the government contractor working on the device, more than 500,000 of which are being manufactured by mobile giant HTC.”

(Does it really take 500,000 people to count 300 million? How many will it take using this device?)

“When census takers get their hands on them, the HHCs will come with 10 hours of battery life to get through a day’s worth of door knocking—plus a built-in GPS unit to them to those doors in the first place. After collecting data with a stylus and step-by-step touchscreen interface, they can simply upload the information to U.S. Census headquarters via Sprint’s encrypted data network. (A dial-up modem comes embedded for remote areas without wireless.) It’s all secured by a biometric fingerprint reader that keeps non-authorized users off the device—and the authorized ones off the phone with the bureau for forgetting passwords (21st-century bureaucracy wasn’t built in a day).”

(Ticking the right boxes so far–encrypted data network, biometric gummy print reader–what happens when it’s lost or stolen?)

“Now U.S. Census officials say the HHC should cut the number of printed forms from 130 million to about 90 million, and save $525 million in workforce reprioritization. And you thought cutting red tape only came for the holidays.”

Big question is, what happens to all 500,000 for the ten-year period between censuses? (censi? What’s the plural of census?)

The Backlash Begins, and Begins With Biometrics

Posted by Tom Fuller in Blindside project, Data breaches, databases, e-ID at November 24th, 2007

The iconoclastic Tim Worstall starts the ball rolling here, and refers us to Ben Goldacre’s Guardian column here: “But it’s not. The leak last week wasn’t because of unauthorised access, it couldn’t have been stopped with biometrics; it happened because of authorised access which was managed with a contemptible, cavalier incompetence. The damaging repercussions for 25 million people will not be ameliorated by biometrics.

So will biometrics prevent ID theft? Well, it might make it more difficult for you to prove your innocence. And once your fingerprints are stolen, they are harder to replace than your pin number. But here’s the final nail in the coffin. Your fingerprint data will be stored in your passport or ID card as a series of numbers, called the “minutiae template”. In the new biometric passport with its wireless chip, remember, all your data can be read and decrypted with a device near you, but not touching you.”

Ben Goldacre also has a piece here that refers to an academic paper enchantingly titled “Impact of Artificial “Gummy” Fingers on Fingerprint Systems” by Tsutomu Matsumoto, Hiroyuki Matsumoto, Koji Yamada, and Satoshi Hoshino of the University of Yokohama. “This paper reports that gummy fingers, namely artificial fingers that are easily made of cheap and readily available gelatin, were accepted by extremely high rates by 11 particular fingerprint devices with optical or capacitive sensors. We have used the molds, which we made by pressing our live fingers against them or by processing fingerprint images from prints on glass surfaces, etc. We describe how to make the molds, and then show that the gummy fingers, which are made with these molds, can fool the fingerprint devices.”

Redirect for HMRC Discussion

Posted by Tom Fuller in Uncategorized at November 23rd, 2007

We believe it important that a free and open discussion takes place on the HMRC incident and related issues. For a variety of reasons, we think the best place for this is at Ideal Government. We look forward to engaging with you there.

Wireless Networking Devices in Healthcare

Posted by Tom Fuller in Blindside project, Faster/smaller/better..., people and passwords at November 22nd, 2007

Maybe we all need something to take our minds off the debacle at HMRC, so here’s a bit more about wireless networking devices in hospitals.

Last week we published a post about medical clinical assistants, mobile devices for use by hospital professionals. We profiled one that is coming to market soon. We received two comments which I’m dragging out of the comments box and putting in a post of their own, as I think they deserve a bit more exposure:

Responses to “Information Security and Healthcare”
David French Says:
November 7th, 2007 at 8:22 pm
… I suspect that the subject of healthcare privacy needs a shake up from top to bottom. A few questions …

* Is it clear what the customer (that’s us, not the health managers) wants?
* What ‘need’ do these ‘wants’ reflect?
* Do the legislation and ethical requirements reflect this underlying need?
* Is there suitable compliance and enforcement of the legislation and ethical requirements?
* Should we get anaesthetists and paediatric cancer specialists before worrying about privacy and security?

When we have a good answer to those, we may be able to evaluate the technical questions about encrypting data at point of entry; securing information over wifi; ensuring that laptops and tablet devices are not attractive to thieves of information, identity or property (because they certainly will be available to all of those). …

Louise Ferguson Says:
November 19th, 2007 at 7:45 pm
A tablet device is too large and heavy for any kind of pocket (and hospital staff don’t have anything other than pockets), so tends to get treated much as a paper file would: left around on top of drug or record trolleys, unattended in corridors, on patient beds, or just plugged into a base unit for recharging in an often unattended clerk’s area of the ward. At one hospital I was told they had for years had a serious problem with theft of equipment, drugs and so on, reportedly by local junkies, and I understand the same problem exists elsewhere. Ward drug trolleys had to be chained to immovable objects, so tablet devices might suffer similar problems.

If devices are shared, there is no device owner so nobody really takes responsibility for the device (security, recharging and so on). And until costs really come down, I don’t see such devices becoming personal (each ward would require dozens). (Of course many doctors already use their own PDAs, which do fit comfortably in the pocket and are very much personal devices. They don’t get talked about as they are often not hospital equipment or part of a procurement strategy.)

I think hacking and malware come a little way down the list of problems, which tend to be pretty mundane. For example, it’s actually difficult getting a reliable wi-fi connection throughout a hospital ward (partly owing to the built environment in healthcare I guess). If a single set of paper notes is missing, things can be rejigged while they are located, but if you can’t access any patient records at all for several hours across an entire ward (and I’ve seen that happen), the problem is a little more serious.

Picking up a tablet PC from the clerk’s desk and popping into the toilets with it would, in my view, not be a problem in the average hospital ward. Data is stored remotely, but password-sharing is widespread and indeed passwords may be available in the clerk’s area. Many people do not always logout anyway, so as long as the machine has not already auto logged out, you’re in.

It has to be said that data privacy never seems to have been much of a concern in the paper era: files lie around everywhere for anyone to pick up and read, white boards display sometimes quite personal info to any ward visitor, and telephone conversations about patients take place in the hearing of any passer by. But the difference is in the volume of data to be had for so little effort.

I don’t see any online systems doing away with the traditional informal records that every patient has - handwritten notes tucked into the nurse’s pocket, prepared at shift handover. Or on the SHO’s PDA. Wireless tablet devices promise data input and data availability at the bedside, but I don’t see tablets being used for any serious volume of input. Which may mean people are going to continue writing things down in paper files…