29 August 2008

Responding to the announcement of yet another delay to the launch of ContactPoint [1] the projected government database containing personal details of every family with children in the UK, NO2ID this morning called for the immediate scrapping of the entire programme.

Government auditors Deloitte and Touche have already said that ContactPoint can “never be made secure” [2]. (This in an investigation following on the HMRC child benefit data disaster last year.) Indeed, the risk of compromise is so self-evident that the system, which will have an estimated 300,000 official users, has been designed for ‘two tier privacy’ – some details of public figures’ children and families will be obscured, but not those of the general public [3].

The excuse for the latest delay is a design problem with the screens that social workers will see. The government insists it is not having second thoughts about the project itself.

Phil Booth [4], NO2ID National Coordinator said:

Worrying about the drop-down menus is outrageous triviality. This system is about to expose the details of every child in the country, with special flags to indicate the most vulnerable. ContactPoint is a child protection disaster waiting to happen.

The government apparently values administrative convenience more than it does the privacy and security of our children. ContactPoint should be scrapped forthwith. The hundreds of millions in the budget would go a long way towards training more professionals to do actual child protection.

-ENDS-

Notes for editors:

1) http://www.telegraph.co.uk/news/2640147/ContactPoint-child-database-launch-delayed-following-security-fears.html – The Daily Telegraph, 29/8/08

2) The executive summary of Deloitte and Touche report (link below) states that “there will always be a risk of data security incidents occurring” (p4)
and goes on to identify “a significant risk” (p5) from the self-certified security procedures of local councils and other organisations accessing the
database. The government has to date refused to release a copy of the full report, claiming that to do so would ‘undermine’ the public’s confidence in
the system:

http://www.everychildmatters.gov.uk/_files/ED36DA697EF4466123B737C09234D747.pdf

3) NO2ID is the UK-wide non-partisan campaign against ID cards and the database state. See http://www.no2id.net/dbstate.php for a list of ‘database
state’ initiatives that NO2ID is actively opposing.

4) Before joining NO2ID, Phil Booth helped children’s charity The Who Cares? Trust design and develop a secure online system for looked-after children.

22 August 2008

Responding to yet another disastrous data breach [1, 2], NO2ID this morning condemned the casual trafficking of highly sensitive data by the Home Office’s as an “utter disgrace”. Months after the biggest data breach in UK history, and despite ministerial promises and a stream of official reports, it is clear that government policy and culture remains unchanged.

Phil Booth, NO2ID National Coordinator said:

The question is not why was this data lost – it was lost because they had it – but why anyone got hold of individually identifiable mass data from the supposedly secure Police National Computer at all. No more excuses, no more buck-passing. When is this going to stop?

The Home Office’s policy of casual data trafficking, and the Ministry of Justice’s stated goal to ‘remove barriers to data sharing’ [3], are arrogant beyond belief [4]. If they did this with PNC data, what will they do with your personal identity details?

-ENDS-

Notes for editors:

1) http://www.timesonline.co.uk/tol/news/uk/crime/article4583747.ece

2) http://news.bbc.co.uk/1/hi/uk/7575989.stm

3) The Ministry of Justice’s upcoming legislative programme explicitly states the government’s intention “to overcome current barriers to
information sharing within the public sector” (paragraph A.5, p19):

http://www.hm-treasury.gov.uk/media/B/9/pbr_csr07_service.pdf

4) Expect ministers and officials to trot out the line about personal information on the proposed National Identity Register being ‘protected by biometrics’. This is a lie. Adding biometric data to a record will not protect or ‘lock’ it, unless the person is asked to swipe their finger or eye every time *anyone* wants to access the record – which clearly won’t happen.

5) NO2ID is the UK-wide non-partisan campaign against ID cards and the database state. See http://www.no2id.net/dbstate.php for a list of ‘database
state’ initiatives that NO2ID is actively opposing.

6 August 2008

Following a Times report explaining in detail how the “security” of the e-Passport is fatally flawed, privacy campaign NO2ID [1] this morning called for an immediate halt to all government-run biometric ID programmes – which are intended to be based on the same concepts. That the chip in UK passports can be ‘cloned’ was bad enough [2], but the revelation that data on the chip such as the photograph or biometrics can be undetectably replaced [3] has devastating consequences for the government’s entire approach to ID.

Phil Booth, NO2ID National Coordinator, said:

By putting your private information on a chip on a passport or ID card, designed to let it be skimmed-off for official purposes, the whole centralised approach to ID makes it easier for your life to be perfectly stolen.

The government cannot be trusted to look after your identity. Measures it calls ’secure’ are only securing official convenience. With an ID card or chipped passport, you’ll never know who’s walking around pretending to be you.

The ePassports fiasco clearly illustrates why the National Identity Scheme must be scrapped now, before millions more people’s personal security is put at risk.

-ENDS-

Notes for editors:

1) NO2ID is the UK-wide non-partisan campaign against ID cards and the database state. See http://www.no2id.net/dbstate.php for a list of ‘database state’ initiatives that NO2ID is actively opposing.

2) Working with security expert Adam Laurie, NO2ID previously demonstrated serious insecurities in the ePassport, as reported in the Guardian G2 in “Cracked it!”, November 2006:
http://www.guardian.co.uk/idcards/story/0,,1950226,00.html
Shows how scanners built in hours from cheap components can pick up, translate and copy the contents of an e-Passport.

And “‘Safest ever’ passport is not fit for purpose”, Daily Mail, March 2007:
http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=440069&in_page_id=1770
NO2ID demonstrated how the encryption can be cracked and the data read from an e-Passport without even opening the envelope it is sent out from the Passport Office in.

3) “Passports: This isn’t supposed to happen: how a baby became bin Laden” The Times, 6/8/08:
http://www.timesonline.co.uk/tol/news/uk/crime/article4467098.ece