The Land Registry has attempted to dampen accusations that its online register leaves home owners open to ID fraud. It has denied claims by the NO2ID group that it has not paid sufficient attention to security in making mortgage deeds and leases available online, and that they could reveal information which could be used to …
...that fraud has resulted from the availability of this information from Land Registry
Unfortunately such a statement while necessary is not sufficient.
The entire response from the LR is typical of the communications style adopted by government bodies and is designed to avoid subsequent accusations of misinforming rather than to provide reassurance.
Top much work
Remember it's faaarrrr to much work to blank out the signature and Account number.
I love the attitude, though, got to be admired. "When someone commits a fruad that can be proved back to us, we may do something about it.'
So how about banks saying, "We'll leave the vaults open and the doors unlocked at night. Then if someone knicks all the money, then we'll think about locking up, but only if you can prove it was stolen and not just misplaced"
Not JUST £3 a search
As someone who works at a company who makes serious usage of the Land Registry website I'd make one quibble with this ongoing story of how insecure it is. Both here and in other media (including the BBC's morning scare-a-thon) a big deal is made about "for just £3 you can search someone's details"...
Except before being able to do this you need to be a registered user and that really isn't easy. The hoops they make you jump through to become registered would deter the simply curious and the Land Registry do keep tabs on all the searches. I think NO2ID (who I respect in their campaign to make sure we don't get ID cards, even if they aren't doing so well) should be focussing on making sure the Land Registry vet all applicants for registration thoroughly than trying to scare us with this 'just £3'... i was going to say something rude but i'm too polite for that.
Anyway, just my 2 penneth.
data protection act
isn't the data protection act there to make sure that personal details aren't made public against our wishes? i don't remember agreeing to let my signature be visible to anyone.
or is there some subtle clause in the small print of the mortgage agreement contracts that says all my details including my signature will be made available like this?
Land Registry techies - 66 hours a week for maintenance!
Below is a real email exchange between me and the Land Registry when I questioned why they "shut" their online service (i.e don't process search results) all day Sunday and every evening. I stupidly tried to use their service at a time when I wasn't at work.....
I almost fell off my chair when I saw the reply.
Like hello, internet, 2007 - 66 hours downtime a week for maintenance. These guys must be tech ninjas! ;-)
Dear Ian Tester
Thank you for your email.
I am sorry that you are unable to use Land Register Online during this period.
The reason we shut down the website during these periods is specifically so that we have the ability to carry out essential maintenance.
At the Land Registry we are responsible for maintaining the largest property data base in the world, please note that we need the essential downtime to insure that the data is correct and accessible when most needed.
Sorry for any inconvenience caused.
e-Services Delivery Group
Land Registry Head Office at Peterborough
From: LROnline [mailto:LROnline]
Posted At: 12 August 2007 11:02
Posted To: Ed
Conversation: 1 : Ian Tester
Subject: 1 : Ian Tester
The utter stupidity of not allowing 24 hour record access on the internet: Discuss.
"Our service is currently unavailable. Operating hours are between 7 am and 12 midnight, Monday to Saturday (excluding bank holidays)"
The Land Registry system is not public and its VERY secure as anybody that uses it will know.
And if your going to start worrying about this, then remember that it simply digitalises the processes that were in place before it! Before this system came along you still got exactly the same information by ringing HMLR telephone services. The only difference now is that its cheaper and in an electronic format instead of a hard copy DX'd out.
Not open to the public?
Not sure I understand why people think this is a "private" system, I have recently been looking for a piece of land to buy and have therefore used this quite lot,
Last time I looked I was member of the public....
The anti-ID spokesman quoth: "as signatures are used less and less as a form of authentication, ", what you mean like, er, ID Cards perchance?
Re: Not JUST £3 a search
I don't know what you're talking about. Just this minute I went to the website, entered a postcode, selected a house number, entered credit card details for £3 payment and received a copy of the current title plan of the property I was interested in.
Useful service and simply provides an easier way to get publicly available information.
"Just this minute I went to the website, entered a postcode, selected a house number, entered credit card details for £3 payment and received a copy of the current title plan of the property I was interested in."
And now Her Majesty's Land Registry (and by extension, anyone who successfully hacks into their computers -- not at all unreasonable, since the site seems to be running on IIS) have your name, address and credit card details -- as well as the address of the property you were looking up.
Someone could have a lot of phun with those little nuggets of information.
Hmm, I can go down to the Travis county courthouse look up anybody's records. Mortgage and deed filing. Tax assessments. Reported sales prices. Plans. Plat maps. Liens. All for the amazingly low price of FREE.
Or I can wait about a year and do it online. They don't have a solid price on it, yet, but they are looking at offering a one time charge and an annual user charge. The one real pain is that there is no requirement that sales prices be recorded. Which is a pain when it comes to determining FMV for tax assessments, especially on the pricier houses.
@A J Stiles
Worldpay deals with the payment.
for just £3
Not a lot to ask of well organised cyber criminal gangs.
Not even loose change.
"Worldpay deals with the payment."
-- great, so now Worldpay (and anyone who hacks them) know you've been looking up property details. H.M.L.R. still get your name and address anyway (they're entitled to know that, you're their customer). Even without the credit card details (which would have been massively boosted in utility by the knowledge of an address which might well be vacant), this could be useful information.
Oh, and if they also farm out the postcode lookups to a third party (it's a massive database with just shy of 30 million records), they get to know what postcodes are being looked up and by whom. And if both ends happen to be using *the same* online postcode lookup service, then it may be even possible to work out (by the timing of the requests from Worldpay and H.M.L.R.) who is paying to look up what address.
There's got to be a scam in there somewhere, I'm sure.
someone seeing your signature is not "identity theft", you reveal it every time you sign a letter or cheque!
Your protection is that it is a criminal offence to forge your signature, and that you are not bound by a forged document.
imho the whole concept of "identity theft" is being hyped by financial institutions that don't want to be bothered to take simple precautions (like your photo on bank/ credit cards) and do want to carry out legally dubious transactions (like cardholder not present sales and automated cheque clearance systems that don't compare signatures).
How many real identity theft cases have there been - cases that couldn't be more accurately described as bank fraud?
- there, I feel much better now <bg>
Identity theft is a real problem ... but a public Land Registry isn't ...
Solving identity theft isn't just about taking simple precautions.
Minimising the times when we disclose personal identifiers including account numbers and signatures helps (i.e. self-help).
Institutions such as the Land Registry protecting access to our records by implementing the essential 3 AAA's of IT security (Authentication, Access Control and Auditing) also helps to prevent identity theft (and helps to keep them compliant with the DPA
Aside: incidentally the DPA doesn't prevent disclosure of personal data but merely requires that data should be lawfully processed for the stated purposes including 'sources' (who data comes from) and 'disclosures' (who data goes to).
However in the long run, governments and companies alike need to get to grips with more subtle aspects of identity. Here are just a few ideas of areas that need further exploration:
1. enabling individual control of how their identity is recorded (identity personalisation). Everyone doesn't have to register the same data. The more people are allowed to do this the more distinguishable they will be (this is a win-win both for the individual and the institutions).
2. enabling individual control of what aspects of their identity are not recorded (identity protection). Everyone should be allowed to selectively retain some identifiers so that if there's an identity fraud they can bring these to bear. Clearly the range and number of identifiers that can reasonably be witheld may vary from situation to situation. We can't all expect to fly under 'Donald Duck' aliases, whereas in open internet chatrooms very little of our real identity should be visible to other users (albeit the system operator may need more information to protect the integrity of the system).
3. enabling individual control of what aspects of their identity are shared (identity sharing profiles). We should all be able to impose reasonable constraints on how our identity is shared. We can't do this at present. The DPA doesn't give any such rights. Again this should be personalisable. Individuals should be able to control which disclosures (as listed in the DPA notification) they consent to and ideally which data items they approve to be disclosed.
Putting this all together in a practical example, if I only want to register the 2nd fingerprint of my left hand and the 3rd fingerprint of my righthand then, in combination with one ore more shared secrets that I've chosen and control (probably a pass word/phrase) and one or more shared secrets issued to me by the institution concerned (probably an account ID number or PIN), that should be sufficient to identify me uniquely in a global scale population. Uniqueness comes from the combinations. It should not be necessary for everyone to register the same identifiers!