The HMRC is wrong to suggest that it could not handle the encryption of this data since PGP or GPG (the public domain version of PGP) could do this easily if they put their mind to it. More than this – a dedicated solution based on the HMRC issuing certificates to those it shares this data with would have been quite easy to implement and not that expensive from an HMRC viewpoint (probably less than £1m)

CESG has constantly fought to keep public sector bodies either (a) away from crypto use all together, or (b) use of UK government solutions that are both expensive and cumbersome. They wanted secret government algorithms to be used at a time when their US counterpart NSA was delivering AES as a strong public algoirithm for widespread use in Federal and State Agencies.

An amusing side issue here is that of HMRC and ZIP since it seems that the data was compressed and password protected with ZIP. They have been widely criticised for using ZIP since most people think that ZIP password protection is rubbish, as it was before version 9! But from version 9.0 onwards a new format was introduced that uses AES. And if they used this format with a reasonable password (e.g. 10
characters) the data on the discs would be very safe because the protection is ‘state of the art’. How do I know? I did the design (see http://www.winzip.com/aes_tips.htm)! And it has been reviewed by other experts and no major security flaws have been discovered. So all HMRC had to do was to use a modern version of ZIP _properly_ and they would have had a rock solid defence for the lost discs.

Of course, encryption would not have excused the lax controls on access with HMRC but it would have given some defence. But I would find it ironic if after all of this it turns out that the discs were effectively protected and I had to speak up in HMRC’s defence!

http://www.guardian.co.uk/uklatest/story/0,,-7119897,00.html

Better now? (-: