Sunday, 8 September 2013

Edward Snowden – the penny drops 1

The Edward Snowden revelations began here in the UK on 6 June 2013.

The public response and the response of the national media has been muted. Spies spy. What do you expect? They have to. Surveillance is legal. You'd have to be naïve to think otherwise. It's for our own good.

It's a case of move along, there's nothing to see here, as far as Whitehall is concerned. And in that case the plans to make public services digital by default can proceed. We can carry on saying that it is safe to store our data in the cloud. We can carry on saying that trusted third parties – "identity providers" – can supply us with personal data stores, maintained on "secure websites", which will give us "control" over what happens to our personal data.

There's nothing to see here. Our personal data will be encrypted. The security of the websites is provided by encryption. Encryption works. That's why the third parties can be trusted.

When the cartoon character runs off the edge of a cliff his legs keep going and he keeps moving forwards as long as he doesn't look down.

On 6 September 2013, three months after running off the cliff, the revelation that the US National Security Agency (NSA) and GCHQ can get round some/many/most forms of encryption has finally made the cartoon character look down. His legs stop. A look of doubt appears on his face, the penny drops and he starts to fall.

Mydex is in pole position to provide the personal data stores for midata, the Department for Business Innovation and Skills initiative to "empower the consumer". Mydex is also one of the UK's appointed "identity providers" and recently signed a contract to supply identity assurance services.

William Heath is the chairman of Mydex. Here, faithfully recorded by Twitter, is what he saw when he looked down:


Updated 29.9.15

"Mydex is in pole position to provide the personal data stores [PDSs] for midata". Written two years ago. Please see above.

It looked then as though Mydex relied on a package called "TrueCrypt" to make their PDSs secure.

If they relied on TrueCrypt then, or rather if they rely on it now, there's a problem. Support for TrueCrypt was withdrawn in May 2014.

"Mydex provides the individual with a hyper-secure storage area to enable them to manage their personal data, including text, numbers, images, video, certificates and sound. No-one but the individual can access or see the data". That's what it says, to this day, at the bottom of Mydex's webpage – "hyper-secure".

Where does this "hyper-security" come from? Not from TrueCrypt. So where?

If your PDS is hacked, that's your fault. That's Mydex's stance and that's why, unlike the banks, they offer no compensation.

Before entering into a no-compensation deal which requires you to store all your personal information in a PDS, you might be wise to check just how secure that PDS is. Wiser still, whoever you get your PDSs from, to assume that hyper-security is impossible and insist on the provision for compensation in the contract.
