Politics and privacy engineering

Dr Ian BrownOxford Internet Institute

University of Oxford

Revenue & Customs lose 25m records

Two discs containing names, addresses, DoB, NI no. and bank details of 25m people lost in the post

Chairman of HMRC immediately resigned

QuickTime and aﾪTIFF (Uncompressed) decompressor

are needed to see this picture.

Prime Minister’s Questions 21/11/07

QuickTimeﾪ and aH.264 decompressor

are needed to see this picture.

Impact on public opinion

15%

20%

25%

30%

35%

40%

45%

Jul-07

Aug-07

Sep-07

Oct-07

Nov-07

Dec-07

Jan-08

Feb-08

Mar-08

Approve govt record

Vote for tomorrow

Data: YouGov tracker poll for Daily Telegraph, 28/3/2008

Simple audit protocol

NAO: “I do not need address, bank or parent details in the download – are these removable to keep the file smaller?”

HMRC: “I must stress we must make use of [existing] data we hold and not overburden the business by asking them to run additional data scans/filters that may incur a cost to the department.”

£5,000 of code

SELECT Recipient_ID, Date, Amount

FROM Child_Benefit_Paymentsgpg -er NAO benefitdata.csv

Privacy-enhanced audit

§ For each recipient, send to auditor (Recipient_ID, hash(shared_random, recipient data))

§ Auditor requests sample of x records § Only those records are sent, and can be

checked against bit commitments

Individuals affected by UK data breaches since July 2006

1

10

100

1000

10000

100000

1000000

10000000

100000000

Leeds Building Society

DVLA

Scottish Funding CouncilSefton Primary Care TrustCardiff and Vale NHS TrustStockport Primary Care Trust

Russells Hall Hospital

DVLA

HM Revenue and Customs

King's Mill Hospital

Halifax Building SocietySkipton Financial Services

Metropolitan Police

HM Revenue and CustomsWorcestershire County Council

Haringey councilMarks and Spencer

Dept for Work and Pensions

Newcastle City Council

City and Hackney NHS Trust

HSBC

Royal Navy

DVLA

Nationwide Building SocietyHM Revenue and Customs

Basic security needed

Encrypted stored and in-transit data Access control Need-to-know

Measuring system security requirements

1. Scale and complexity2. Number of users3. Sensitivity of data4. Connections to other systems, particularly

untrusted5. Connectivity to the Internet6. Attractiveness as target

Source: B. R. Gladman and I. Brown (2007) Security, Safety and the National Identity Register. In S. G. Davies & I. Hosein (eds), The Identity Project: an assessment of the UK Identity Cards Bill and its implications,

London School of Economics pp.187-200.

Software quality is key

Prof. Martyn Thomas: “almost every IT supplier in the world today is incompetent… the typical rate of delivered faults after full user acceptance testing from the main suppliers in the industry over many years has been steady at around 20 faults per thousand lines of code. We know how to deliver software with a fault rate that is down around 0.1 faults per thousand lines of code and the industry does not adopt these techniques.” Evidence to Home Affairs Select Committee, 24/2/2004

Insider fraudInformation required Price paid to

ￔblaggerￕ Price charged to customer

Occupant search/Electoral roll check (obtaining or checking an address)

not known ﾣ17.50

Telephone reverse trace ﾣ40 ﾣ75 Telephone conversion (mobile) not known ﾣ75 Friends and Fami ly ﾣ60 ﾣ80 not known Vehicle check at DVLA ﾣ70 ﾣ150 ﾣ200 Criminal records check not known ﾣ500 Area search (locating a named person across a wide area)

not known ﾣ60

Company/Director search not known ﾣ40 Ex-directory search ﾣ40 ﾣ65 ﾣ75 Mobile t elephone account enquiries not known ﾣ750 Licence check not known ﾣ250 Source: “What price privacy?”, Information Commissioner, May 2006

Key privacy engineering steps

§ Understand your problem§ Design system to minimise collection,

storage and access to personally identifiable information

§ Engineer security system to enforce privacy policies

§ Enforce controls and audit remaining accesses

Source: S. Marsh, I. Brown and F. Khaki (2008) Privacy Engineering. Cybersecurity KTN white paper

NHS Connecting for Health £20bn programme Patient Summary

Care Records stored on centralised database (“Spine”) with pointers to Detailed Care Records in regional databases

Emergency treatment and research

QuickTime and aﾪTIFF (Uncompressed) decompressor

are needed to see this picture.

Efficacy of NPfIT

Emergency clinicians’ treatment styles Public opposition to unconsented research

Source: The Use of Personal Health Information in Medical Research, Medical Research Council,

June 2007 pp.54-55

Confidentiality problems

“Sealed envelope” limits access to especially sensitive records… but can be opened by the NHS and police and doesn’t actually exist yet!

Pretexting found in N. Yorkshire HA to be occurring 30 times per week (Anderson 1996)

Leeds Teaching Hospitals NHS Trust found 70,000 cases of "inappropriate access" to systems in 1 month

South Warwickshire General Hospitals NHS Trust allows A&E clinicians to share smartcards due to 60-90s login times

General Practitioners’ worries

50% of GPs will refuse to upload medical records to central "Spine" without patients' permission

80% think Spine puts patient confidentiality at risk

79% think new system will be less secure

Source: Medix poll of 1,026 representative GPs, Nov. 2006

ContactPoint & eCAF

Database storing details of 11m UK children’s contact with social services, police, health and education

330,000 users 50% children will have

detailed seven-page assessment

QuickTime and aﾪTIFF (Uncompressed) decompressor

are needed to see this picture.

Cornwall County Council

Purposes of ContactPoint

“[P]rotecting children from abuse or neglect, preventing impairment of their health and development, and ensuring that they are growing up in circumstances consistent with the provision of safe and effective care which is undertaken so as to enable children to have optimum life chances and enter adulthood successfully.”

Victoria Climbie case Crime prevention

Source: R. Anderson, I. Brown, R. Clayton, T. Dowty, D. Korff and E. Munro (2006) Children’s Databases - Safety and Privacy. Information Commissioner’s Office

Efficacy of ContactPoint

“The practitioners in contact with Victoria knew of each other’s involvement and shared considerable amounts of information. The crucial errors arose from individuals either not paying attention to the information, or giving it a benign interpretation so that the risk to Victoria from abuse was not seen.” -Anderson et al.

Wood for trees Dr Liz Davies Resources and evidence base for interventions

Source: R. Anderson, I. Brown, R. Clayton, T. Dowty, D. Korff and E. Munro (2006) Children’s Databases - Safety and Privacy. Information Commissioner’s Office

Efficacy of ContactPoint

“[A]ny notion that better screening can enable policy makers to identify young children destined to join the 5 per cent of offenders responsible for 50-60 per cent of crime is fanciful. Even if there were no ethical objections to putting ‘potential delinquent’ labels round the necks of young children, there would continue to be statistical barriers.” -Prof. David Farrington

Impact upon family autonomy

Source: R. Anderson, I. Brown, R. Clayton, T. Dowty, D. Korff and E. Munro (2006) Children’s Databases - Safety and Privacy. Information Commissioner’s Office

UK National Identity Scheme

S. G. Davies & I. Hosein (eds), The Identity Project: an assessment of the UK Identity Cards Bill and its implications, London School of Economics p.25

Purposes of NIS

Anti-terrorism Social security fraud Identity fraud (£1.7bn pa) Illegal immigration Sense of community

Efficacy of NIS

“If you ask me whether ID cards or any other measure would have stopped [the London bombings], I can't identify any measure which would have just stopped it like that.” -Charles Clarke MP, former Home Secretary

“Benefit fraud that relies on false identity was, at most, 1 or 2 per cent of the total.” -Peter Lilley MP, former Social Security Secretary

“The Home Office's definition of ID fraud doesn't match our definition. We class it as a more serious crime that involves a great deal more hassle than just having your card stolen and having to phone up the bank to cancel it” -APACS

QuickTime and aﾪTIFF (Uncompressed) decompressor

are needed to see this picture.

QuickTime and aﾪTIFF (Uncompressed) decompressor

are needed to see this picture.

QuickTime and aﾪTIFF (Uncompressed) decompressor

are needed to see this picture.

Efficacy of Identity Scheme

"If stop and search is anything to go by, for Black people our ID card is really the colour of our skin.” Karen Chouhan, 1990 Trust

“Terrorists rarely conceal their identity, only their intention - as was apparent in the case of those involved in the 9/11 tragedy, and in Madrid and in Constantinople.” -Peter Lilley MP

QuickTimeﾪ and aTIFF (Uncompressed) decompressor

are needed to see this picture.

IT and the smaller state

"Never again could there be projects like Labour's hubristic NHS supercomputer … The basic reason for these problems is Labour's addiction to the mainframe model - large, centralised systems for the management of information. -David ”Cameron MP

“As chancellor, Brown relentlessly pursued his forlorn vision of a ‘joined-up identity management regime’ across public services. As prime minister, he continues this vain search, like an obsessed alchemist, for a giant database that his closest advisers ominously refer to as a ‘single source of truth’.” -David Davis MP

QuickTimeﾪ and aTIFF (Uncompressed) decompressorare needed to see this picture.

QuickTime and aﾪTIFF (Uncompressed) decompressor

are needed to see this picture.

Conclusion

Privacy engineering is key to making privacy meaningful in information societies

“Collect then protect” is a fundamentally broken model

Understanding problem domain is critical Privacy has become a key element in UK

politics - central to debate over effective checks on state power