Questions have been raised about the advisability of creating population registers on the web.
The Department for Business Innovation and Skills (BIS) have an initiative called "midata" which would require us to enrol in identity registers in the cloud, please see for example Cybersecurity – good news at last, from midata.
(Reuters) - Greek police have arrested a man on suspicion of stealing the personal data of roughly two thirds of the country's population, police officials in Athens said on Tuesday.
The 35-year old computer programmer was also suspected of attempting to sell the 9 million files containing identification card data, addresses, tax ID numbers and license plate numbers. Some files contained duplicate entries, police said.
Greece's population is 11 million ...
BIS and DWP promise us, of course, that the midata and Universal Credit registers will be held in secure websites. No doubt. But then the Greek population register was supposed to be secure, too. Not much help, is it?
Surely this must be a one-off, you object? No. You're forgetting last year's Jerusalem Post, 24 October 2011:
Information was used to create searchable database; computer technician put the database on Internet for anyone worldwide to access.
A contract worker from the Labor and Welfare Ministry was charged with stealing the personal information of over nine million Israelis from the Population Registry, the Justice Ministry announced Monday after a media ban was lifted.
The worker electronically copied identification numbers, full names, addresses, dates of birth, information on family connections and other information in order to sell it to a private buyer ...
Questions have been raised about the advisability of creating population registers on the web.
The Department for Business Innovation and Skills (BIS) have an initiative called "midata" which would require us to enrol in identity registers in the cloud, please see for example Cybersecurity – good news at last, from midata.
What are the policy objectives and the intended effects? Giving consumers access to their transaction data will enable consumers to make better informed decisions and choose products which offer them the best value. This in turn will reward firms offering the best value because they will be able to win more customers, increasing competition and leading to lower prices, improved efficiency and greater innovation. It will allow consumers to analyse and then improve their consumption patterns, particularly by enabling third party ‘choice engines’ to process transactional data on behalf of consumers and advise them on their consumption habits and potential switching options. We expect the release of information to stimulate innovation in and expansion of third party choice engines.
"Choice engines". What a phrase. Who won the office sweepstake last week for that one?*
The idea behind midata is that you should store all your transaction data in a personal data store (PDS) hosted in the cloud, on the web, by a trusted third party like, say, Mydex. Some innovative juvenile writes an app which, given the evidence of your consumption patterns, recommends the best play to go to see in London. You give Mydex permission to share your data with WhatsOnApp® and a stream of unwanted phone calls ensues, trying to get you to see Chicago. Ditto health apps – eat more broccoli. And financial apps – earn more interest, save with Bear Sterns.
You've got to be a bit stupid anyway to open a midata account in the first place and store all your personal data in the worldwide wild West of the web with a third party you've never met and have no reason to trust. Even more stupid to go on to share your personal data with unknown third party apps.
Advocates of midata are forever promising an "ecosystem" of apps developers. That's not the answer to the question. They're more likely to create a natural habitat of the stupid.
The choices made, the preferences expressed, are a function of my personality, if you like, of my character. That's using your language. In my language, personality or character is a choice engine. And choices are made to maximise rewards.
What are the policy objectives and the intended effects?
Giving consumers access to their transaction data will enable consumers to make better informed decisions and choose products which offer them the best value. This in turn will reward firms offering the best value because they will be able to win more customers, increasing competition and leading to lower prices, improved efficiency and greater innovation. It will allow consumers to analyse and then improve their consumption patterns, particularly by enabling third party ‘choice engines’ to process transactional data on behalf of consumers and advise them on their consumption habits and potential switching options. We expect the release of information to stimulate innovation in and expansion of third party choice engines.
"Choice engines". What a phrase. Who won the office sweepstake last week for that one?*
13 November 2012 – Providers announced for online identity scheme
The Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon are the successful providers chosen to design and deliver a secure online identity registration service for the Department for Work and Pensions.
The identity registration service will enable benefit claimants to choose who will validate their identity by automatically checking their authenticity with the provider before processing online benefit claims.
The Minister for Welfare Reform Lord Freud said:
"We are working with cyber security experts to ensure we are clear about the threats to the online process and we are confident that the providers announced today will offer an effective, safe and free to use identity service for future online benefit claims."
As well as offering a safe and secure system, providers will be required to offer a simplified registration process, minimise the number of usernames and passwords a customer will need to remember and reduce the costs incurred across Government for the management of Identity Assurance.
The online Identity Assurance model will be incorporated into Universal Credit as it’s developed and rolled-out. Over time Identity Assurance will become available to all UK citizens who need to access online public services.
"... providers will be required to ... minimise the number of usernames and passwords a customer will need to remember ..." – what's that all about?
At the moment, you have to know separate user IDs and passwords for logging onto Facebook, for example, Twitter, Amazon, eBay, PayPal, your bank, HMRC (self-assessment), HMRC (VAT returns), etc ... That is very inconvenient.
GDS, the Government Digital Service, the people behind identity assurance – remember, ex-Guardian man Mike Bracken is not only chief executive of GDS but also the senior responsible officer owner for the government's identity assurance programme – want to make your life more convenient.
So what they propose is that you give all those user IDs and passwords to your chosen IDP and let them log on for you. You still have to remember the user ID and password you use to log onto your IDP. But as long as you can do that, you're fine, your IDP will remember all other user IDs and passwords and log on for you.
That's obviously convenient. But is it wise?
Take a look at the seven IDPs. Which one would you trust with the user ID and password for your bank accounts? And why? You've never heard of them, have you? Apart from the Post Office. They may all be eminently trustworthy. But suppose some ne'er-do-well teenager with Asperger's hacks into them and just steals all the user IDs and passwords?
Remembering all those user IDs and passwords ourselves may be unavoidable. It may be the price we pay for security. It might be convenient to have someone do our remembering for us but, if we lose our security as a result, it wouldn't be wise.
Have DWP and GDS taken leave of their senses suggesting that we should trust unknown third parties with our user IDs and passwords?
Your only option is to minimise your inevitable losses. Make sure that if one set of defences is breached they aren't all breached. Maintain distinct logon ID-and-password combinations for each on-line service you use.
The Government Digital Service continue to try to breathe life into the corpse of their Identity Assurance programme (IDA). The service is now known as "GOV.UK Verify". GDS continue to ask us to believe against all the evidence that it is secure.
And they continue to advocate having as few logon ID-password combinations as possible on the grounds that that is convenient and the Devil take the risks. No bank would recommend that. But then the banks are liable to compensate you if your bank account is emptied by hackers. GDS aren't. If you're hacked as a result of using GOV.UK Verify, you pay.
The BBC have been drafted in to promote GOV.UK Verify. Here's an extract from BBC Radio 4's World At One news programme, 23 January 2015:
David Alexander, the CEO of Mydex, is interviewed. Mydex is one of the five "identity providers" left at GDS's identity assurance funeral. Use a Mydex personal data store (PDS), says Mr Alexander towards the end of the extract, and let that log on to all your other services for you. That will be much more convenient.
Take him, for example. Currently, he says, he has 705 logon ID-password combinations for on-line services he uses. That's awfully inconvenient. How much better to store them all in his PDS and let Mydex log on to these 705 services for him.
But hang on a minute. If one of those 705 services is hacked at the moment, he's left with 704 services that haven't been hacked. Follow his recommendation, use a Mydex PDS, and one security breach opens the door to all 705 services.
You don't need to be a genius at risk assessment to recognise the disproportionate danger of the PDS idea.
Mr Alexander is in 705 times more danger if he uses GDS's GOV.UK Verify than if he doesn't.
If someone offers you the convenience of a single logon ID-password combination, run a mile.
13 November 2012 – Providers announced for online identity scheme
The Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon are the successful providers chosen to design and deliver a secure online identity registration service for the Department for Work and Pensions.
The identity registration service will enable benefit claimants to choose who will validate their identity by automatically checking their authenticity with the provider before processing online benefit claims.
The Minister for Welfare Reform Lord Freud said:
"We are working with cyber security experts to ensure we are clear about the threats to the online process and we are confident that the providers announced today will offer an effective, safe and free to use identity service for future online benefit claims."
As well as offering a safe and secure system, providers will be required to offer a simplified registration process, minimise the number of usernames and passwords a customer will need to remember and reduce the costs incurred across Government for the management of Identity Assurance.
The online Identity Assurance model will be incorporated into Universal Credit as it’s developed and rolled-out. Over time Identity Assurance will become available to all UK citizens who need to access online public services.
"... providers will be required to ... minimise the number of usernames and passwords a customer will need to remember ..." – what's that all about?
Cybercrime The magnificent power of the web is a double-edged sword. It makes it easy for us all to do our banking on-line. And it makes it easy for cybercriminals to defraud us. Huge brains are working on the side of law-abiding web users and they're holding the line. Thanks to them, fraud is held down, just, to acceptable levels. That could change. Huge brains are working on committing fraud and if they make any serious progress, eBanking and eCommerce in general could have to stop – there is no law of nature that says that eCommerce must be feasible. The web is a dangerous place to do business.
midata Nevertheless, the Department for Business Innovation and Skills (BIS) want to "empower" consumers by getting us all to store all our transactions on-line, on the web, in the cloud, on the servers of unknown so-called "trusted" third parties or their sub-contractors. Is that a good idea? Given the incidence of cybercrime, aren't BIS behaving irresponsibly? With midata, they're inciting their parishioners to take serious and unnecessary risks. They're trying to take powers to force banks, phone companies, energy companies, retailers and others to put all our transaction data on the web.
"Oi, you two, Tesco, Sainsbury's, get over 'ere",
BIS are effectively saying, pointing at the flames,
"and bring the petrol".
Impact assessment Luckily, this proposed legislation requires an impact assessment, listing the putative benefits and the associated risks, please see Impact Assessment for midata – in case of any enquiries, ring Craig Belsham or David Miller.
You remember David Miller. He's the BIS economist who said at the 9 August 2012 open forum that it's very difficult to say if midata would boost the economy. It might. It might not.
Anyway, they're onto it. Under Key assumptions/sensitivities/risks on p.4 it says:
Consumer transaction data held by firms can be valuable commercial information. There is a risk that the existence of a power to compel firms to release this data to consumers may reduce their incentive to collect the information. To minimise this risk the power will only refer to ‘raw’ factual information. Any extension of the sectors beyond energy, mobile telecoms and personal banking/ credit cards will be subject to criteria aimed at promoting price transparency. Consumers will have more of their information in an easily accessible format this could pose a risk of an increase in identity theft or fraud.
"Consumers will have more of their information in an easily accessible format this could pose a risk of an increase in identity theft or fraud" – quite. So, is midata off the menu? Too risky?
Not a bit of it.
Solved Turn to para.123 on p.48:
123. Consumers will increasingly have more of their information in an easily accessible format. With increasing amounts of this data held on home computers or with third party intermediaries, it may increase the likelihood of identity theft or fraud. This may lead to consumers increasing their own cyber security to mitigate this risk. The Government and members of the midata Interoperability Board are undertaking a programme of work to identify and address these issues, which will conclude before any secondary legislation is brought forward.
"The Government and members of the midata Interoperability Board are undertaking a programme of work to identify and address these issues" – sorted. It's hard to think of any sizeable organisation in the world from the Pentagon on down who won't be ringing Craig and David.
Cybercrime
The magnificent power of the web is a double-edged sword. It makes it easy for us all to do our banking on-line. And it makes it easy for cybercriminals to defraud us. Huge brains are working on the side of law-abiding web users and they're holding the line. Thanks to them, fraud is held down, just, to acceptable levels. That could change. Huge brains are working on committing fraud and if they make any serious progress, eBanking and eCommerce in general could have to stop – there is no law of nature that says that eCommerce must be feasible. The web is a dangerous place to do business.
midata
Nevertheless, the Department for Business Innovation and Skills (BIS) want to "empower" consumers by getting us all to store all our transactions on-line, on the web, in the cloud, on the servers of unknown so-called "trusted" third parties or their sub-contractors. Is that a good idea? Given the incidence of cybercrime, aren't BIS behaving irresponsibly? With midata, they're inciting their parishioners to take serious and unnecessary risks. They're trying to take powers to force banks, phone companies, energy companies, retailers and others to put all our transaction data on the web.
"Oi, you two, Tesco, Sainsbury's, get over 'ere",
BIS are effectively saying, pointing at the flames,
When midata was announced a year ago Rory Cellan-Jones, the BBC’s Technology Correspondent, asked “what's the catch for consumers and why is the government getting involved”? Good questions.
Lifestyle choices
... individual users were not yet being allowed to exploit all the information relating to them to make their lives easier. Armed with the information that social networks and other web giants hold about us, he said, computers will be able to "help me run my life, to guess what I need next, to guess what I should read in the morning, because it will know not only what's happening out there but also what I've read already, and also what my mood is, and who I'm meeting later on".
Thus Tim Berners-Lee, inventor of the web, interviewed by the Guardian in April.
Slightly dotty, of course – your computer will know what mood you’re in? But the Department for Business Innovation and Skills (BIS) are trying to promote their midata initiative and it suits their purpose to say, in a press release the other day, that midata will allow consumers to “make better lifestyle choices”.
Even if it was true, what business would it be of the government’s?
None. If there’s a demand for lifestyle software, let the private sector provide it.
Economic growth
BIS also claim that midata would be “good for growth in the economy”. Strange, because at the 9 August 2012 midata open forum David Miller, a BIS economist, was asked how much midata would make the economy grow by and answered, it’s very difficult to say what the macro-economic effects of midata would be.
Banks, phone companies and energy companies already provide us with detailed statements, on-line and on paper, they have done for decades, and the economy isn’t growing. So what’s new about midata?
Personal data stores (PDSs)
Answer – PDSs, please see para.2.19, p.24 of BIS's midata 2012 review and consultation. BIS want us all to have PDSs, databases storing all of our transaction data, which can be processed to make our lifestyle choices for us and which identify us uniquely.
We wouldn’t be expected to maintain the PDSs ourselves. That would be the job of so-called “trusted third parties”, who would store all our personal data on the web, where it would be continuously updated by permanent links with all our suppliers.
What personal data? The BIS press release refers us to a document of theirs, A midata future: 10 ways it could shape your choices. The answer seems to be any contracts you have entered into, any warranties you have taken out, your driving licence, your educational qualifications, your CRB report, your bank accounts, the clothes you buy, your gas and electricity usage and your neighbours’ usage, too, your health records, entertainment preferences and favourite restaurants.
It’s an extensive set of data about you. midata may not help the economy to grow but, in the PDSs which it relies on, it would provide you with an on-line ID card.
Trusted third parties
Who are the third parties you’re meant to trust with all this personal data? Only one is regularly mentioned and most people will never have heard of it – Mydex – so what reason is there to trust it?
Actually, you may have heard of Mydex. You may have read the Department for Work and Pensions (DWP) press release about the Identity Assurance Programme last week, Providers announced for online identity scheme. Mydex is one of the seven “identity providers” appointed for the UK last week by DWP. The idea is that in Whitehall’s new digital-by-default world, if you want to register for benefits, you need an identity provider to vouch for you, to say that you are you – a PDS is an ID card.
----------
They couldn’t answer them last year. Let’s see if BIS can answer Mr Cellan-Jones’s questions now.
About David Moss David Moss has worked as an IT consultant since 1981. The past 9 years have been spent campaigning against the Home Office's plans to introduce government ID cards into the UK. It must now be admitted that the Home Office are much better at convincing people that these plans are a bad idea than anyone else, including David Moss.
When midata was announced a
year ago Rory
Cellan-Jones, the BBC’s Technology Correspondent, asked “what's
the catch for consumers and why is the government getting involved”? Good
questions.
