Robin Wilton's esoterica

Data custody - where from here?


[Apologies - this should have gone up on the blog yesterday, but thanks to a combination of technical reasons and user error didn't quite make it...]

This started out as a reply to William Heath's comment on my previous post, but it grew to the extent that it only made sense as a post in its own right. William was wondering whether the current rash of data breach admissions signals an endemic problem in the UK.

Well, looking across at the US, it seems to me that as more states enact Breach Notification legislation, the initial reaction of data subjects tends to be one of shock, as they are presented with evidence of the unexpected ubiquity and frequency of data breaches. Then, as everyone you speak to has either had their own notification letter or knows someone else who has, a certain anaesthesia sets in.

In large part, this is attributable to some characteristics of identity theft which distinguish it from the theft of physical objects. If someone steals your car, the absence of the car (and the resulting inconvenience) is immediately apparent. If someone inappropriately discloses your identity data, there may be no sign that it has happened. It can be similarly difficult to associate any subsequent identity-related fraud with a specific data breach. Indeed, thinking of the recent HMRC breach, several commenters have recently noted that a competent identity thief would be likely to sit on the data until it is cool enough to risk exploiting it.

The looseness of that link between cause and effect can make for some strange decision-making; as long as it is 'better' for a civil servant to disclose massive amounts of PII than to spend £5,000 on a database query, we can only realistically expect further breaches. There is, incidentally, a whole essay to be written on that equation - another time, perhaps.

This aspect seems to have escaped the Chancellor, Alistair Darling, who continues to make reassuring noises to the effect that 'there is no evidence that the data has fallen into the wrong hands'.

In fact, if one looks at the tone of the public statements made about the data breaches, there's a fairly consistent theme of trying to beat that empirical axiom that you can't prove a negative. There's 'no indication of criminal intent'; the disks 'weren't necessarily stolen - they just weren't found where they were expected to be'; it was probably 'a simple case of data room maladministration'... a 'dreadful accident that shouldn't have happened'... 'just one of those things'. The minister in charge at the time of the initial Driving Standards Agency (DSA) loss assumed that 'the subcontractors would get back to his successor with the results of their investigation' - but after being reshuffled, didn't take any positive steps to check that that was the case. According to the Iowa City police spokesman it was "probably unlikely" that the missing disk would be found "but one never knows". Indeed.

Our CPO, Michelle Dennedy, has a short but indispensable rule of thumb: PII is toxic.

Let's use that as the basis for a short logical argument:

P1: A great deal of today's consumer activity and e-government activity is predicated on the exchange of PII (sometimes in mass quantities);

P2: There is currently often no provable link between a given fraud and a specific prior disclosure;

P3: A single data breach can irrevocably nullify any number of other instances of good data custody;

P4: Taken together, P1-P3 can undermine economic activity on a national scale.

C1: The cost-risk analysis for the handling of PII is ripe for a radical review;

C2: It looks increasingly appropriate to treat PII as a 'controlled substance' - much like a Class A drug, fissile material, or the kinds of materiel covered by arms limitation agreements during the Cold War... storage, transfer and destruction would be events subject to positive verification, their release (disclosure) controlled, and limited by design rather than only discretion.

That looks substantially different from today's common practice, culturally, technically and procedurally. It also seems to imply a degree of improvement which will require more than the default 'evolutionary' rate of change.

Now, a mini-rant about something which is increasingly irritating me. It is simply impossible to draw sensible conclusions from the public statements made so far about the protection applied (or not) to the various sets of compromised data. It's also impossible to tell whether those statements reflect a basic ignorance about the technical principles involved or a determination not to reveal the facts (which would have its own involuted irony).

For instance, in the HMRC case, we were told that the data was 'password-protected but not encrypted'. Dave Walker has explained, with his usual thoroughness, why that statement is nonsensical. Dave also links to the evidence submitted to the House of Commons Treasury Select Committee looking into the breach. This includes the assertion that the inter-departmental transfer of files like this is secured by passwords which are 20-30 characters in length. The Committee will have been left with the impression that the system uses passwords substantially longer than any average user would choose. Anecdotally, though, that is far from the whole story. It was not made clear, for instance, whether the passwords are unique to each data transfer, or chosen from a shared list... and if the latter, whether that list is unique to each pair of sharing departments, or widely shared among public sector bodies. Any of those factors could reduce the effective security of the transfers far below what the Committee might assume to be in place.

In the DSA case, Transport Secretary Ruth Kelly is reported as saying that the lost data was 'formatted specifically to meet the security requirements of the private contractor' and would not be "readily accessible or usable by third parties". With all the respect that statement merits - I haven't smelled so much fudge since I went on the Willy Wonka ride at Alton Towers.

- First, why is it being left to the sub-contractor to specify the security applied to the data, rather than the requirements being determined by the original data controller, which remains legally responsible for ensuring that the data are adequately protected once shipped off-shore?

- Second, what kind of 'specific formatting' renders data 'not readily accessible or usable'? If it's encrypted, say so. If it's not encrypted, its security will not be materially affected by saying so at this stage. Weasel-worded obfuscation does nothing but damage the credibility of the speaker.
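To make the two points above concrete (that 'password-protected but not encrypted' offers no protection to a file at rest, and that a 20-30 character password drawn from a shared list is far weaker than its length suggests), here is an added illustration in Python. It is not code from the original post or from any of the departments mentioned: the two container formats, the sample record and the passwords are all constructed for the example. The encrypted container uses an HMAC-SHA256 keystream over a PBKDF2-derived key, which is enough to show the distinction but is not a recommended construction; a real system should use an authenticated cipher such as AES-GCM from a vetted library.

```python
"""Constructed example: 'password-protected' vs. encrypted containers, and the
effective strength of a long password chosen from a shared list."""

import hashlib
import hmac
import math
import os
from typing import Optional

# Constructed sample record standing in for one row of a bulk PII transfer.
RECORD = b"Ann Example,NI QQ123456C,DOB 1970-01-01,Sort 12-34-56,Acct 12345678\n"

PBKDF2_ROUNDS = 100_000


def password_protected(data: bytes, password: str) -> bytes:
    """'Password-protected' container: the password only gates the *reader*.
    The payload is stored verbatim, so anything that ignores the header sees it."""
    tag = hashlib.sha256(password.encode()).hexdigest().encode()
    return b"PWPROT:" + tag + b"\n" + data


def open_password_protected(blob: bytes, password: str) -> bytes:
    """The well-behaved reader refuses to show the payload without the password."""
    header, _, payload = blob.partition(b"\n")
    tag = hashlib.sha256(password.encode()).hexdigest().encode()
    if header != b"PWPROT:" + tag:
        raise PermissionError("wrong password")
    return payload


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from an HMAC PRF (illustrative; unauthenticated)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypted(data: bytes, password: str, salt: Optional[bytes] = None) -> bytes:
    """Encrypted container: the key is derived from the password and the payload
    is transformed, so the bytes at rest reveal nothing without it."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, salt, len(data))))
    return b"ENC:" + salt + ct


def decrypt(blob: bytes, password: str) -> bytes:
    """Without authentication a wrong password yields garbage rather than an error;
    an AEAD mode would reject it outright."""
    if not blob.startswith(b"ENC:"):
        raise ValueError("not an ENC container")
    salt, ct = blob[4:20], blob[20:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, salt, len(ct))))


def effective_bits(length: int, alphabet: int, shared_list_size: Optional[int] = None) -> float:
    """Bits of guessing work a password presents. A 29-character password over a
    72-symbol alphabet is ~179 bits only if chosen uniformly; if it is one of,
    say, 50 entries on a list circulated between departments, the space to be
    searched is 50 items, about 5.6 bits, regardless of its length."""
    per_char = length * math.log2(alphabet)
    if shared_list_size is None:
        return per_char
    return min(per_char, math.log2(shared_list_size))


def demo(password: str = "Tr@nsf3r-Pa55word-2007-dept-x") -> dict:
    """Constructed 29-character transfer password; returns the comparison."""
    prot = password_protected(RECORD, password)
    enc = encrypted(RECORD, password)
    return {
        "plaintext_visible_in_protected": RECORD in prot,
        "plaintext_visible_in_encrypted": RECORD in enc,
        "decrypts_with_password": decrypt(enc, password) == RECORD,
        "bits_if_unique": effective_bits(len(password), 72),
        "bits_if_from_shared_list_of_50": effective_bits(len(password), 72, 50),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The first container is what a 'password-protected' file often amounts to: the check lives in the viewing application, not in the data, so the record is readable by anything that opens the file as raw bytes. The second is what 'encrypted' means. The last two figures show why the Committee's 20-30 character assurance says little on its own: the guessing work is bounded by how the password was chosen, not by how long it is.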

Stop Press:

I had hoped to finish writing this post before news broke of another public sector data breach, but alas, it was not to be. Today's story about an HMRC data breach concerns the loss of the personal details of 6,500 customers of a pension provider after the data cartridge in question had been received and signed for at the tax office.

An HMRC spokesman said: "It is very unlikely that any unauthorised person would be able to access the customer information due to the nature of the medium on which the data is held", neatly glossing over the notion that the cartridge dropped out of any system of control in a building which contains exactly the device/s which are capable of reading it, and some number of people with legitimate access to those machines.

I'd be willing to bet that neither that spokesman nor Ms Kelly have read Bruce Schneier's paper on "security through obscurity", but it would be an admirable investment of a few minutes of their time.

Comments:

Everything is fine, Robin. According to the Beeb, Gordon is being unerringly positive about it all. Or at least is scoring top marks for wishful thinking:

"Gordon Brown said recent scandals to have hit the government, such as data loss and proxy donations, will be "quickly forgotten". He pledged to concentrate in the New Year on long-term goals, and issues that really mattered to people..."

So that's that problem fixed. Next!

[http://news.bbc.co.uk/1/hi/uk_politics/7151634.stm]

Posted by John Sandell on December 19, 2007 at 02:14 PM GMT+00:00

Your point C2 put a wry grin on my face; while controls on its movement are usually sufficient for purpose, cases of fissile nuclear material going missing or being misdirected have occurred as matters of public record. I'm not going to cite particular examples, but Google is your friend, here. A good term to narrow a search is "MUF", short for "Material Unaccounted For".

Posted by Dave Walker on December 19, 2007 at 05:20 PM GMT+00:00

John - ye Gods.

Dave - true; and the sooner there is a greater perceived equivalence between one kind of MUF and the other, the better. If 25m depleted-uranium rounds went missing, do you think anyone would notice? ;^)

Posted by Robin Wilton on December 19, 2007 at 10:50 PM GMT+00:00
