Thursday 4 July 2013

The on-line safety of the mooncalves

You are being asked to take risks for no known return

Dr Jekyll
You already know about the risks of on-line fraud. Everyone does. The media are full of stories about the dangers.

The UK government is alert to the problem:
  • There's a £650 million budget for cybersecurity.
  • Last September, the Department for Business Innovation and Skills (BIS) – together with the Foreign Office, the Home Office, the Cabinet Office and GCHQ – called in the chief execs and chairmen of the FTSE 100 companies to get them to spruce up their on-line act.
  • The Director of GCHQ is quoted as follows: "Every day, all around the world, thousands of IT systems are compromised. Some are attacked purely for the kudos of doing so, others for political motives, but most commonly they are attacked to steal money or commercial secrets. Are you confident that your cyber security governance regime minimises the risks of this happening to your business? My experience suggests that in practice, few companies have got this right".
The government's Get Safe Online campaign is backed by every responsible organisation you've ever heard of, including BIS, and its website is packed with sensible advice on how to protect yourself on-line, e.g. this ...
Looking After Your Passwords
  • Never disclose your passwords to anyone else. If you think that someone else knows your password, change it immediately.
  • Don't enter your password when others can see what you are typing.
  • Change your passwords regularly.
  • Use a different password for every website. If you have only one password, a criminal simply has to break it to gain access to everything.
  • Don’t recycle passwords (for example password2, password3).
  • If you must write passwords down in order to remember them, make sure they are meaningless to, and unusable by other people by writing them in code (substituting the characters in your password with others that you can remember, or easily work out).
  • Do not send your password by email. No reputable firm will ask you to do this.
... and this:
Maintaining Your Privacy
  • Ensure you always have effective and updated antivirus/antispyware software running.
  • In a public or work environment, check your computer physically for any unusual devices that may be plugged in, especially on the keyboard cable.
  • Use secure websites when shopping or banking online.
  • Use strong passwords, change your passwords regularly and never reveal them to other people.
  • Avoid using a work email address for personal use. Instead, have a separate, private email address for private business.
  • Make sure your home/office WiFi network is secured.
  • Store personal and financial documents securely.
  • Shred unwanted personal or financial documents.
  • Be careful to whom you disclose personal information.
  • Where possible, avoid using your real name online.
  • Be cautious about who is trying to befriend you online including via email and social networks/dating sites.
  • Be wary of disclosing personal information on a work or personal web site.
  • Use a disposable, anonymous webmail account for websites that demand an email address to register.
  • Set clear guidelines for children about when and how they can reveal information.
Mr Hyde
Now consider another BIS initiative: midata, and in particular the midata Innovation Lab (mIL).

mIL is the jovial centre of midata whose task it is to fan the flames of innovation with a view to "empowering" you and to "boosting" the UK economy.

How does that work?

Let mIL tell you themselves. The four pages of terms and conditions for taking part in their laboratory experiments include this:
We ask that you bring along all your personal identity documentation, login user names and passwords for all your accounts, including banking and finances, utilities, telecommunications, loyalty cards, automotive and property rental or mortgage information. Time will be allocated during the event to capture your personal data in a secure way, this will not include your passwords and usernames which will remain confidential to you. Where you are giving access to data from jointly held accounts, please make sure that the other party is happy for you to do so. Agreeing to participate as a consumer volunteertly [sic] held accounts, please make sure that the other party is happy for you to do so.
Dr Jekyll would not approve.

How will mIL capture your data?
Secure internet access via wifi will be provided, please bring a laptop computer if you have one that you can use for this task, however, several desktop computers will also be made available if needed.
Dr Jekyll would not approve.

Where will your data be stored?
Data will be held in a secure personal data store (PDS), which companies exploring the data will access ... Participating companies will access and analyse the data to develop new consumer focused applications and services.
Do you know what a PDS is? Do you know in what way it is "secure"? How will midata succeed where the FTSE 100 companies have failed? What are "consumer focussed applications and services"? How would your PDS be maintained in practice – would it regularly log on to your bank accounts automatically? In that case, your PDS supplier may not know your user ID and password, but that's no comfort: the credentials would still have to be stored somewhere in the system, where anyone who compromises it can reach them.

Dr Jekyll would not approve.

What will happen to your PDS?
Participating companies have agreed to ... delete your data after 31st October [and to] ensure that at least 20% of innovations will be designed to benefit society at large ...
How long after 31 October? Which 31 October? Who are the other 80% of innovations "designed to benefit"?

Dr Jekyll would not approve.

Why do mIL want all your personal data?
Imagine a world where you have easy access to the data that companies have about you, so that you can use digital tools like apps and personal analytics that will help you to make choices, save money and manage your life more efficiently. For instance, how about helping to manage your money by sharing your credit card transaction data with an app that can alert you to when you’re spending more than usual on particular types of products or services? Or tapping into a service that joins up information about your travel plans with your health records to check and plan your vaccination and prescription needs while you’re on holiday?
Is it worth running the risks of on-line fraud just to have Mary Poppins tell you you're spending too much on food, as though you didn't know that anyway?

How does midata know about your prescriptions? Is it linked to your health records? Do you want unknown app-writers to have access to your health records? And to your travel records?

midata promise that they will help us to get the best deals on mobile phone contracts and gas and electricity contracts and current accounts and credit cards. We already have account-switching applications. Why do we need midata as well?

We already have expensive regulators like Ofcom and Ofgem. If, like the wretched FSA, they have failed to run an orderly market, why should midata succeed? Will you simply end up paying for both the existing regulators and midata in addition, while the tariff problems persist?

The objectives of midata are unclear and have been for years. You are being asked to take risks for no known return. Dr Jekyll would not approve.

Whatever the stated objectives, you are clearly being asked to enrol in an identity management scheme. Why doesn't Mr Hyde say so explicitly?

On the one hand, Dr Jekyll is warning you about the dangers of on-line fraud and the loss of privacy. On the other hand, Mr Hyde is luring you into danger. He's confused. Don't you be.

"The initial mIL will run from 4th July [today] to 31st October 201 [sic]". You might be best advised to let it run without you.
