21 Nov 2007
Four immediate thoughts about the catastrophic HMRC data loss
Four thoughts about the HMRC data loss: about responsibility, the value of the information and the temptation that creates; restitution and the new risk for the taxpayer; and lessons for the ID System.
CIO responsibility
Paul Gray who chairs the Board of HMRC assumed responsibility and has gone, but this is fairly and squarely a CIO responsibility. We need CIOs to run reliable systems that prespect people’s personal data, and to educate their Boards about the political and business risks of what they are being asked to do in creating e-enabled “transformed” public services. I dont believe thay have. I wonder how HMRC’s CIO and the HMG CIO see this today.
It is pretty clear that all the operational aspects, procedures, culture etc reside within the HMRC CIO function. But the failure to do more than pay lip service to the value of personal data, lack o interest in PETs, , the “trust us” culture, and the wilful blindness to the risk from corrupt and incompetent insiders is characteristic over years of mainstream Cabinet Office CIO policy.
People like Ross Anderson are dismissed as “having an agenda” and vilified behind their backs (or in the case of Simon Davies, publicly).
I’ve presented face-to-face and in writing the key points arising from this IdealGov conversation about the characteristics of a foundation of trust in e-enabled public services. We know what it’s like to be politely ignored. It creates ill-feeling in which the tone of our conversation degenerates.
Value of the data
What were those disks worth? The FT tells us a person’s full bank account details sell for £15-200 on the black market. We’re dealing here with a fuller profile also including NI number and dates of birth for the whole family. And there are 25m records, and 7.25m families. Assuming the families have one bank account each that values the data at £100m-£1.5bn. Maybe there’s a bulk discount, or maybe there’s a premium for “total control” of the market for reputation-based financial fraud. Perhaps the wholesale leak floods the market and depresses the price. We need to understand the economics of traded personal data.
Now, it is implied this data was lost by a nitwit, and doubtless there are some honest incompetents still working in the ever-leaner HMRC. But plenty of people working there will be smart. And if it’s possible to create disks of this sort of value, which can easily be copied before they’re posted, we can see there has been an irresistible temptation for some time now. It would be extraordinary, an unbelievable tribute to the universal integrity of human nature (and an insult to the energy and ingenuity of the contempory British crook) if this data had not been stolen already, perhaps many times.
Restitution
After rightly resisting for about six hours the shrill Paxman/Peter (thingy from Radio Five-Live) calls for the government to recompense any financial loss we read in today’s FT that Darling says the government WILL cover losses. This means that banks (who are now the only people able to manage this greatly increased risk) can pay out money to the wrong place confident that the taxpayer will pick up the bill.
People work in banks because they like money. Not every single person working in a bank is entirely honest. Personally and corporately they are drifting into difficult, perhaps desperate times. They now have a huge temptation to arrange financial scams in their own favour. If they can blame the HMRC leak (and who is to disprove that?) the bank gets recompensed by the taxpayer. This risk stretches forward for years. There is no way of predicting what it will cost. As with Northern Rock, this is weak defence of the taxpayers’ interests for short-term popularity.
Lessons for the ID System
The Chancellor seems to think this episode strengthens the case for ID cards. I disagree.
It may underline the case for good ID management now and in future, but underlines that
- government is not the right place to do it (remember the Home Office is way below HMRC on the scale for competence, quality and morale of staff etc)
- such data should not be centralised
- it’s bad enough losing our NI numbers and account details but worse still to put our biometrics into wide circulation
- and that government is clueless about restitution when it all goes wrong (which is the only thing we want - we all know nothing is secure).
The more we control and manage our own data the less likely this sort of thing is to happen. And we are the ones who care about it most.
- Posted by William Heath on 21/11/07 at 10:27am
- Categories · "What do we want?" · Foundation of Trust · Identity · Data nitwittery · "Transformational Government" Permalink
Ideal Government
Let's say what we want from e-enabled government. Let's observe government first-hand. Let's say "Wouldn't It Be Better If" (WIBBI). Become an ethnographer of bureaucracy today! It beats getting frustrated with public services.
Categories
Comment
Anyone is free to comment. Or mail with an article if you want to be an author. I'll post it up and send you a password. This whole thing is supported by Kable.
Sponsor
Authors with password: click here to postBLOGS & CRITICAL FRIENDS
Action on Rights for Children
Big Opt-Out
Dave's public sector blogs
David Osimo
David Milliband
DFID bloggers
FIPR
FutureGov
Ian Brown
Jeff Jonas, IBM
Jerry Fishenden
Kim Cameron, MS
Light blue touchpaper
Matthew Somerville
NHS23
No2ID
Obama team blog
Patient opinion blog
Public strategist
Richard Allan
Robin Wilton, Sun
Sam Smith
Schneier
Spy blog
Toby Stevens/CW
Verified Voting
Whitehall Webby
PERTINENT ART
ACLU privacy pizza
Very model of a notional identity
Swizz of the cards
Handelsman: NSA wiretaps
Handelsman: US spying
Wearcam
Googlezon
Three dead trolls
Stefanos Pantagis
ESSENTIALS
Cluetrain Manifesto
RAE Dilemmas of Privacy
NCC Playlist for public services
Sousveillance
Stefan Brands' book summary
Ross Anderson book
Engelbart Mother of all demos
OTHER ID/SECURITY
ID theft spy
Planet Identity
Pledgebank for refuseniks
Home Office ID cards
Ann Cavoukian, Ontario
MYSOCIETY & SAM'S STUFF
MySociety/
They work for you
Fax your MP
DirectionlessGov
Comment on This
Place-O-Pedia
...and the original
Stand ID card campaign
OUR 2005 MAPS MASHUPS WINNERS
Plymouth Schools
Ben's UK speed cameras
5-day weather forecast
House sale prices
g-Traffic info
More Google maps mashups:
Googlemapsmania blog
Old stuff
RSS in government blog
Stefan Brands old blog
Authors
Member ListSign up for new articles
Copyright
Designed by...
Statistics
This page has been viewed 2107497 times
Entries: 1822 | Comments: 2913 | Trackbacks: 212
Most Recent Entry: 07/03/2009 05:43 pm
Most Recent Comment: 07/02/2009 11:12 am
Members: 185 | Logged in: 0 | Guests: 38
Most recent visitor: 07/04/2009 05:25 pm
Most visitors ever: 443 on 10/12/2005 02:21 pm