Archive for the 'AnonymitY' Category



European Data Protection Supervisor has (False?) Teeth

Posted by chrissmith in AnonymitY, Humanity nature and activity, Uncategorized, threats at October 8th, 2007

It’s good to see that Peter Hustinx EDPS (here and here) is following in the footsteps of our own Richard Thomas, Information Commissioner, (here) by biting at the heels of government, reminding them of their privacy obligations. Balancing the security of the citizen vs the privacy rights of the citizen is not an easy one, but it seems to me that it’s healthy to have advocates in both corners of the debate, particularly when one corner has Uncle Sam as a strong proponent. Mr Hustinx has again reminded the EU not to let political expediency dilute the aims of data protection (here and here). However I do wonder what recourse Mr Hustinx has to ensure the EU institutions do pay due regard to his warnings.

Any views on the security of the citizen vs the privacy rights of the citizen are very welcome.

Keys to the Kingdom?

Posted by Tom Fuller in AnonymitY, Blindside project, Cyberwar, security services at October 6th, 2007

The Register reports that you can now be forced to reveal decryption keys when required by British authorities. Perhaps more ominously, they can require that you not tell anyone they have told you to do so (except your lawyer). I don’t really think I like the second part of this…

Good Net, Bad Net

Posted by wendyg in AnonymitY, Data breaches, culture, security services, threats at September 29th, 2007

Three stories this week that I think together highlight both the good and bad sides of having the Internet around and the challenge it poses.

The good, user vigilance division: I saw a posting a few days ago on a community board I frequent that eBay was in the middle of being hacked. This eBay forum thread discusses the hack, though I don’t know how long the link will be valid. The story also got Slashdotted and YouTubed (someone made a video of the hack in progress, which involved posting user IDs along with contact and cc information, though eBay said the latter was not associated with the IDs). Someone else logged a list of posted IDs. It’s worth pointing out that this community effort warned people before eBay made an official response - by all accounts it took eBay an hour to an hour and a half to realise what was going on and shut down the Trust and Safety forum, where the information was being posted. How long would it take a government department on a weekend? eBay is, of course, a very big target; large government projects will be even bigger ones.

The good, keeping companies honest division: the comments, here on this week’s Excel bug were, I thought, rather interesting. The MS guy was trying to reassure them by saying that the underlying calculations are correct even though Excel is displaying the wrong values in the spreadsheet. But as the comments point out, this isn’t much comfort. People copy and paste values, and they read aloud and copy from printouts of spreadsheets - an error like this can find its way into all sorts of places. The machines are fine as long as they only talk to each other - it’s crossing the machine/human barrier that’s dangerous. Through the lens of the nanotech conference one might ask whether at some point the machines might decide we’re too risky to talk to. Interesting to speculate what the surfaces of computer programs would look like without the need for human display. (eg, Internet addresses would all be numbers, and there would be no domain name system).

The bad, enabling anonymous distribution of performance-enhancing drugs. This week saw a huge DEA action in the US that took out more than 50 labs churning out steroid pills from powders sourced from China and more than 120 arrests. The pills, which the DEA says were made up in bathtubs and sinks in unsanitary conditions (as much like scare tactics as that sounds - it’s probably true, but it’s not clear how big a risk it is compared to ingesting the steroids themselves), were largely sold over the Internet through Web sites and chat boards to folks like amateur bodybuilders and high school kids, if I’m reading this right. Illegal drug smuggling is of course nothing new, but as much as we make fun of the oft-invoked Four Horsemen of the Infocalypse (organised crime, drug dealers, terrorists, and pedophiles) a DEA report from 2003 talks about the setup they’ve since spent two years investigating, and one of the points they make is the difficulty posed to them by services like Hushmail. It dismays me quite a lot that the general answer to this problem overall (and I think if kids are taking steroids to make the football team it *is* a problem) is rampant drug testing with all the privacy invasiveness and presumption of guilt that involves. Going after the distribution network seems to me a better idea, though I doubt long-term it will make much odds. Since WADA’s testing regime began drug use has done little but escalate among athletes at all levels, AFAICT. The Net didn’t make this happen, and correct enforcement is not to shut down privacy-enhancing services or Web forums but to investigate in the physical world. I don’t think, though, that morality plays like last week’s sententious posturing over Floyd Landis’s suspension from cycling, help at all. If anything, they serve to highlight the notion that winners take drugs…

wg

Bullet Points

Posted by Tom Fuller in AnonymitY, Blindside project, e-ID, people and passwords, security services, threats at September 26th, 2007

I’m referring to the format, hopefully not the effect.

* The US Department of Homeland Security, which sets the benchmark for IT security practice in America, suffered more than 840 IT security lapses in 2005 and 2006, despite spending $332m on IT security this year.

* Unisys has dismissed reports in the Washington Post that it was to blame for data breaches at the US Department for Homeland Security last year. Unisys said, “The allegation that Unisys did not properly install essential security systems is incorrect. In addition, we routinely follow prescribed security protocols and have properly reported incidents to the customer in accordance with those protocols.”

* Attackers have set their sights on two Microsoft flaws — an unpatched DirectX Media vulnerability and the XML Core Services flaw the software maker patched last week in its MS07-042 security update. Antivirus company Symantec has issued alerts for both exploits in emails to customers of its DeepSight threat management service. The security company said it had raised its ThreatCon to level 2 in response to the threats.

* Hackers managed to steal information from the US Department of Transportation and several firms by using fake job listings for employees, reports Reuters. It is believed information was stolen from around 1,000 corporate PCs. The FBI is now investigating the reported breaches.

* Newham Borough Council has delayed a major desktop roll-out after hitting a barrier in its 10-year strategic relationship with Microsoft and Hewlett-Packard. The council has put back the deployment of Windows Vista in its new 1,500-desktop corporate head office by 12 months, because of a lack of Vista-certified applications from its third-party suppliers. As a result, Newham will incur the cost of deploying XP in the new office, only to have to upgrade the machines to Vista at a later date. The council will now roll out Windows XP in March 2008 instead of Vista as originally planned.

* Reliance on ID systems can take you to some strange places (via Ideal Government): “Supermarket staff refused to sell alcohol to a white-haired 72-year-old man - because he would not confirm he was over 21.”

* (Via Light Blue Touchpaper): “When it rains, it pours. Following the fuss over the Storm worm impersonating Tor, today Wired and The Register are covering the story of a Dan Egerstad, who intercepted embassy email account passwords by setting up 5 Tor exit nodes, then published the results online. People have been sniffing passwords on Tor before, and one even published a live feed. However, the sensitivity of embassies as targets and initial mystery over how the passwords were snooped, helped drum up media interest.”

* (Via Bruce Schneier) “Copper cable has been known as the easily tapped physical transmission medium for years. Conscientious network and security managers either provided tight physical security for cabling or used fiber as an alternative. Many network managers considered fiber relatively safe due to the perceived challenges associated with tapping into an optical cable run. However, fiber is no safer than copper. For less than $1,000, an attacker can purchase the hardware necessary to tap into a fiber run. The tap consists of bending the fiber to the point that it leaks light.”

Could Be Very Good

Posted by Tom Fuller in AnonymitY, Blindside project, data mining, databases, psychology at September 23rd, 2007

Via Computer Weekly, we see that “The London Borough of Brent is working on a project to provide a single view of residents’ data which will allow the council to improve customer service and the overall accuracy of council records. When complete in November, the project will allow Brent to conduct customer profiling in order to improve council services and offer additional services to residents. It will also help Brent comply with the Data Protection Act, which requires that information stored on an individual should be accurate.”

This could be very good. “The project has involved mapping out which systems hold the most accurate information. Customer data is extracted from the nine core council systems each night. The Initiate tool then matches customer records from each of these systems and links them together to form a master index of all customer information called the Client Index. Aside from building the master customer record the project also includes identifying change of circumstances eg change of address that have been recorded on council systems. All changes are passed back to council departments to ensure their systems are kept up to date.”

Does anyone else notice that UK local governments have been leading the way for a couple of years?

Other Places To Express Your Opinion

Posted by Tom Fuller in AnonymitY, Blindside project, Murphy's Law, fraud, human error at September 20th, 2007

Via Kable: The Office of Public Sector Information has launched an online forum on the commercial use of government data.

Go here. Register. Comment.

“Our users have posted a total of 0 articles
We have 1 registered users
The newest registered user is admin
In total there are 4 users online : 0 Registered and 4 Guests”

If those numbers stay the same, I don’t ever want anyone to complain about how the UK government doesn’t listen, isn’t responsive, blah and yet again blah.

Here is your chance.

Should Everyone Be On The DNA Database?

The reaction from (I think) almost everyone who contributes to the Blindside project would be no. However, after hearing our impassioned arguments, many in Government still believe it is in the UK’s best interests to order everyone in the UK to submit DNA to government for inclusion in a national database.

Instead of starting off with my reasons why I think this is a seriously flawed idea, I want to focus on the reasons why some think it is good–or at least necessary. I don’t believe that all who support a comprehensive DNA database are either evil or fools, and some clearly have given thought to this.

A national registry of DNA would help government perform some things more efficiently without requiring structural change. Currently, the national media keeps attention focused on certain major issues–crime, and to a lesser extent (this year at least), immigration. Government supporters of a DNA database evidently believe that it would help deal with those issues.

My argument (FWIW) against this is that a DNA database would help in solving crime and identifying current illegal immigrants, but would do much less in preventing crime and future illegal immigration. Similar arguments were advanced regarding CCTV’s potential for deterrence of crime, and these arguments proved invalid. CCTV has not deterred crime, but has helped identify criminals after the fact. I don’t think DNA DB would play out much differently. Hence, to me it seems a major sacrifice of personal liberty for a false hope. If a DNA database proves ineffective in dealing with crime and immigration, they will not throw away the DB in disgust.

But the current structure of police forces, with fewer cops on the beat actually deterring crime, has shifted its focus to high tech resolution of crime instead. A DNA database would allow them to keep the same structure, beefing it up and increasing their powers. A DNA DB would allow the judicial system, currently fighting a backlog at the same time it resists internal technological change, to be (it hopes) more efficient without, again, undergoing structural change.

The persistence of the desire for such a database in the face of all the problems that have been noted in the concept means to me that government feels besieged, not just by crime and immigration (which aren’t nearly as bad as the effects of media coverage of same), but by all the effects of the 20th and 21st centuries, and are searching for a silver bullet that will allow them to do things the way they want to do them.

There has been considerable reorganisation of government departments over the past 5 years, but it’s hard to avoid the impression that much of that has been name changing and seat shuffling. I think the most passionate advocates of a DNA database are really defending their way of life more than anything else.

I do think every discussion of a national DNA registry should include a brief summary of some of the most important objections to it:

1. Data will be entered incorrectly, lost or sold illegally. As the system gets used for more purposes, the effects will be fatal to some. Lives will be lost.

2. People will learn how to defeat the system, reducing its reliability. The most common means will be via corruption of civil servants.

3. The money spent on such a system, if redirected towards a more visible police presence in city centres on Saturday nights and at the principal points of entry into the UK, would actually reduce crime and illegal immigration to the extent that the DNA registry would not be necessary.

4. As currently constituted, the UK government is incapable of holding this information securely. It will be stolen. It will be sold.

5. Maintaining border security by identifying ‘legitimate’ citizens and assuming anyone not on the list is illegitimate will result in wide-scale violations of human rights and crimes against those who do not appear on the list.

I almost got through that list without mentioning human rights, and I didn’t talk about liberty either. They evidently are not a major consideration in this argument, so why beat a dead horse?

Let me just mention what I would support. A database for the NHS with voluntary contributions of DNA to assist in patient care. Mandatory DNA sampling of criminals convicted of a serious crime. That’s it.

And by the way, it should be obvious that arguments against a national DNA registry transfer without much modification to a National Identity Card Programme. As with a DNA registry, it is being proposed to benefit government, and the burden of proof needs to be placed squarely on the shoulders of its proponents.

Monster Ball

Via the BBC: “US job website Monster.com has suffered an online attack with the personal data of hundreds of thousands of users stolen, says a security firm.
A computer program was used to access the employers’ section of the website using stolen log-in credentials. Symantec said the log-ins were used to harvest user names, e-mail addresses, home addresses and phone numbers, which were uploaded to a remote web server.”

Oops. Is anybody keeping score on these things? It’d be great to be a journalist covering this subject. Write the story once, use search and replace on the company name, hit submit.

If this is happening to companies that live or die based on their security, what do we expect to happen in situations (such as some government applications) where security is a ‘tick the box’ annoyance? Don’t get me wrong, a lot of people in government are passionate about information security–but by no means is it universal.

What are the possible consequences? Well, the story continues: “The program used to access Monster.com user data was a Trojan, which are commonly used to gain access to bank details, usernames and passwords. More than 8,000 new variants of Trojans are found each month, according to internet security specialists Sophos.

Last year, a British nurse was blackmailed by hackers who had used a Trojan to access her personal e-mails. They threatened to reveal personal details unless she paid them.”

I Am At A Loss For Words

From Computer Weekly,

“Kent Police are pursuing a number of leads following a burglary at Sevenoaks-based Forensic Telecommunications Services (FTS) in which a server containing data on suspicious telephone calls over the past two years was stolen.

A police spokeswoman said, “The computer equipment contained evidence relating to telephone use linked to around 250 cases from police forces and law enforcement agencies across the UK, covering the last two years.”

She declined to say whether the data was encrypted.

…A spokesman for FTS declined to provide any details beyond a prepared statement.

However, a Mail on Sunday report said the cases were related to counter-terrorism investigations.”

Is the UK Ready for an Identity Card Programme?

Posted by Tom Fuller in AnonymitY, Blindside project, Data breaches, databases, e-ID at August 14th, 2007

Well, they’ve published the tender for the Identity and Passport Service to set up a framework of suppliers to develop the National Identity Card Programme.

Preface: We at Blindside are independent researchers and writers. We don’t speak for HM Government, or for any department therein. We’ve been asked to help government where we can by independently identifying areas where government can be blindsided by technology. Please assimilate that before continuing.

I cannot in all honesty say I believe that the UK Government is ready to begin this work. I do not believe they will invite the right people to the party, nor will they write the correct tender specifications, nor will they police the conversations of those they do (and do not) invite into the framework. As shown below, I don’t believe UK Government has widely published or absorbed internally commonly accepted best practice in the set-up and administration of information gathering and dissemination. This is not about philosophy. It is about basic hygiene.

See here. “Millions of homeowners are being left wide open to identity theft because their personal details are being made available on a Government website, campaigners warned yesterday. Details of their mortgage lender, mortgage value and even a copy of their signature can be found on the Land Registry site for just £3.”

See here. Key quote: “As a result, as Channel 4 revealed earlier this evening, all the details of final year medical students applying for hospital jobs were accessible by the general public. We are not just talking names and address. We are talking everything.”

And then see here. Again, key quote: “Given that Sanjib did the right thing, a year ago, and reported the problem to VFS as well as the British High Commission, why am I bothering to write about it now?

Mainly, it has to be said, because after a year that security hole was gaping as wide open as ever. Although I will refrain from posting precise details here, yesterday afternoon I was able to manipulate the data URL simply by changing what appears to be the date on which the application was made along with a sequence number. Doing this, entirely at random, brings up the visa application details of people ranging from someone who applied yesterday through to some who applied a year ago and I have the screenshots to prove it.”

But there’s more:

“Well after a year of being told about the thing privately and ignoring it the FCO and its outsourcers did, sort of, fix the issue by closing the website and an independent inquiry was launched. The investigator’s report has now been produced and no punches are pulled. Here are some of the relevant paragraphs:

108. UKvisas recently obtained an expert assessment of the basic data security provided by the VFS online website. The findings were that the site had many security weaknesses, and that many of these weaknesses were amongst the most understood and documented security concerns in the computing industry. The expert view was that none should be present within a securely designed website.

109. I note that during the technical investigations, several screenshots provided by VFS highlighted wider security concerns. These screenshots of the management console used to access and configure the firewalls also showed users actively engaged in Skype conversations and logged onto webmail packages. These entities are considered to have poor security when used in isolation. Using them whilst accessing security device management consoles shows that standard acceptable usage policies are either not in place or not followed.”

I cannot in all honesty say I believe that the UK Government is ready to commission a framework agreement to begin work on the National Identity Programme.
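
The flaw in the visa-site report quoted above (records reachable by editing a date and sequence number in the URL) comes down to a lookup with no ownership check. An added example, not from the original post or the site concerned, with constructed records and an assumed reference format, showing that lookup beside a hardened one that also counts refused requests:

```python
import secrets
from collections import defaultdict

# Constructed sample records. The reference format (date + sequence number)
# is an assumption modelled on the quoted description, not the real site's.
APPLICATIONS = {
    "20070514-0001": {"owner": "alice", "name": "A. Example"},
    "20070514-0002": {"owner": "bob", "name": "B. Example"},
    "20070515-0001": {"owner": "carol", "name": "C. Example"},
}


def fetch_weak(reference):
    """Flawed pattern: whoever supplies a valid reference gets the record."""
    return APPLICATIONS.get(reference)


class ApplicationStore:
    """Hardened pattern: random public handles plus an ownership check."""

    def __init__(self, records):
        self._by_token = {}
        self.tokens = {}  # internal reference -> public token
        for ref, rec in records.items():
            token = secrets.token_urlsafe(16)  # 128 random bits, not guessable
            self._by_token[token] = rec
            self.tokens[ref] = token
        self.denied = defaultdict(int)  # user -> number of refused requests

    def fetch(self, session_user, token):
        rec = self._by_token.get(token)
        # Same answer for "no such record" and "not yours", so the endpoint
        # cannot be used to confirm which handles exist.
        if rec is None or rec["owner"] != session_user:
            self.denied[session_user] += 1
            return None
        return rec

    def suspected_enumeration(self, threshold=3):
        """Users whose refused requests reach the threshold (for alerting)."""
        return sorted(u for u, n in self.denied.items() if n >= threshold)


def demo():
    store = ApplicationStore(APPLICATIONS)
    own = store.fetch("alice", store.tokens["20070514-0001"])
    # Even a leaked handle for someone else's record is refused.
    other = store.fetch("alice", store.tokens["20070514-0002"])
    # Old-style references are no longer valid handles at all.
    for guess in ("20070514-0002", "20070514-0003", "20070515-0001"):
        store.fetch("alice", guess)
    return own, other, store.suspected_enumeration()


if __name__ == "__main__":
    print(fetch_weak("20070514-0002"))  # the weak lookup returns bob's record
    print(demo())
```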