back to article UK pushes token security line on child database

The British government is bending over backwards to try and calm fears that a new database of every child in the country will inevitably go the way of HMRC's child benefit database when it goes live next year. ContactPoint will feature name, address, gender, date of birth, and a unique number for every child in the country, as …

COMMENTS

This topic is closed for new posts.
Alert

Urgent publicity required

Why don't the GBP know about this honeypot?

Quick, someone tell the Daily Mail.

0
0

Think of the Children

When do they become adults and get removed from this database.

And what happens to the pour kid who ends up with ID number 666?

0
0
Coat

Plus side...

If they ever screwed up and released all those kids details by royal mail, think of the head lines... "Balls up" and other related comments spring to mind...

0
0

How much for a token and a PIN

How many tokens will be current? How are the leavers and role-changers across dozens of different agencies to be managed? What's to stop sharing/borrowing tokens? Who will run the spot check recalls (and report on the outcomes)?

These things will be sold, to PIs and worse. This isn't security theatre -- it doesn't even have that internal consistency. It's just security fluff.

0
0
Coat

Wait for it...

I think they will encrypt it - with ROT13...

thats about our governments level of competency.

0
0
Pirate

Exception is policy

don't know how many times i've tried to explain this to management.

any exception made for anyone, for any reason, becomes policy, as everyone will expect the same exception to happen in the future.

a policy should be developed with this in mind, and required access should be made available within the scope of the policy.

the sad fact is that management is usually too short-sighted, apathetic, or just plain stupid to address this.

0
0
Unhappy

Users, maybe...

"...Users would only be allowed to view the records of children they are working with..."

But DBAs and admin monkeys will need access to the whole thing because they'll need to send data sets to NAO... or KPMG... or into the wide blue yonder.

0
0
Anonymous Coward

I wish they'd shut up

"In the wake of the HMRC debacle, the LibDems have called for the database to be encrypted."

They haven't got a bloody clue. I wish they'd shut the fk up and stop trying to score points with technology about which they know nothing. The call for encryption is meaningless in the context of a centralised repository which will have various methods of access. They've heard the word "encryption", and of a thing called "the database", and are trying to strike a chord with the uninformed masses.

What next - "In the wake of the HMRC debacle the LibDems have called for the database not to be stored on anything circular."

I cannot seem to locate the utter wankers icon.

0
0
Thumb Up

@Users, maybe...

... and the DBAs / admins will be the ones requested to download data (as in the Child Benefit fiasco).

So, each DBA / admin should be accompanied by another person with each request signed and authorised by a Civil Servant at the level of Sir Humphrey. Oh, and breaches of policy are regarded as breaching the official secrets act with a 2 year jail term as punishment...

0
0

Nobody bad will have access to it!

I'm sure there will be no bad people allowed to see this. Doctors, teachers, etc, will all need vetting ... of course, if we had a database of all them then we could really make sure!

As for the script monkeys, they will be put in their own database and we will check them with other databases to make sure they're not in any of them (of course, if a Database manager did find they were in one - they could always delete it!, or I don't know, send it in the post).

Now that I think of it, this database is so secure that no paedophiles will ever get near it ... we should therefore make more of them.

A database of all the old people in the country, with special tags marking their competence, I'm sure pesky scammers who prey on old people would not find them!

Now, isn't it kind of funny with all these databases of perfect victims like children or old people, with so much regard for security, a database of all the padeophiles will probably never get made in the off chance some Sun readers got hold of it and went around to their house ... odd, huh?

0
0

transparency

It's counterintuitive, so they won't do it, but the only way to keep our personal data safe is to make the infrastructure completely open to scrutiny. The proprietary, closed solutions which are favoured by governments are attractive because they are reassuringly expensive and provide somewhere to pass the buck, but they have been shown time and again to be less secure because of their secretive nature. Internet Explorer versus Firefox is a prime example. Make it all open source and the holes are spotted quickly and fixed. Keep it secret and the holes are hushed up or only ever spotted by blackhats.

0
0

@ think of the children

Not until they are 31 in some cases deemed to have diminished capacity or increased vulnerability. It is just that everyone will be on it till they are 18. By which time their notional identity will be nationally managed, or something.

0
0

Transparency

I note that Opera is actually more secure than Firefox despite being closed source and made by a company ... maybe the problem isn't open or closed but complacency that Microsoft and governments have ...

I'm not sure open would be better because its giving it away to the people, they can find a problem and instantly hack ... a bit more of a problem when its a database full of peoples information.

0
0

Transparency

I note that Opera is actually more secure than Firefox despite being closed source and made by a company ... maybe the problem isn't open or closed but complacency that Microsoft and governments have ...

I'm not sure open would be better because its giving it away to the people, they can find a problem and instantly hack ... a bit more of a problem when its a database full of peoples information.

0
0

It's not the technology stupid...

All these calls for encryption and passcodes and tokens...all rubbish.

It is ALL about the HR policies of the internal staff, including their salaries, vettment of training, and especially incentivization to make data loss finanically painful (if not ruinous for senior people involved) - and potential criminal liabilities. "Taking shortcuts" when handling or transmitting data looks a lot less attractive when you may loose half your yearly salary if you get caught not following procedure, or if the data is lost. And if you were a senior exec who WOULD face criminal charges if any of your staff lost or sold data, you would watch it like a hawk - and them.

Sadly, we cannot expect this, as our public servants will not use negative re-inforcement to ensure that our pain is their pain. Instead, we will be told that "they will of course do all that they CAN do" without the need for any punitive threats or penalties. So that manager WILL leave work at 5PM when he can, entrusting that a critical data operation will be handled by "his trusted staff" without oversight...something that I doubt would happen if he knew he would face real pain if security was breached. And PIs and such WILL crack the human element of security, bribing and blackmailing staff to gain access - because if the worst that can happen is they lose that job, well, the bribe will keep them under a roof until they find a new one. And probably for more money.

Unless we as people ourselves demand it, nothing will change. Our lives will become laughably transparent to anyone that cares to see. People with negatively-perceived illnesses will stop getting treatment, just to ensure that a future boss cannot find out that they were undergoing treatment for (HIV/depression/fertility/hepatitis-C/take your pick). Parents will not enroll their children up for needed help, because they will have to fear for their own details and familiy situation being broadcast to any and all that can afford to gain illegal access, or worse, knows someone with access.

it is time to demand punitive measures for our civil servants that mishandle secured information, with both financial and legal measures applied depending upon the nature of the breach, the severity, and the cause (i.e., accidental or intentional). And with these measures, defined responsibilities for PUBLICALLY investigating and documenting such breaches, to ensure that coverups will be difficult. Until such measures are in place, these new databases should be mothballed.

0
0
RW
Alien

The Brain Behind the Curtain

One thing I wonder about all these police-state database proposals: who is proposing them, and doing it so well that Brown et cie stick to demonstrably flawed proposals like glue, through thick and thin?

It's reminiscent of the problems we have here in Canada with Customs: they are always on the warpath against gay porn (porn, I might add, that is perfectly legal to originate and to possess in Canada - it's only in passing through Customs that there's censorship). It's as though some unelected eminence grise in Ottawa or Toronto has so much power that his overt homophobia must be catered to.

So who's the dick who wants a British police state so badly, and where does he get his power from? Maybe it's time to name and shame.

0
0
Unhappy

Hypocrisy

The real scandal is that the general public are going to be enrolled onto this system without any concern for our consent, but celebrities and politicians etc will be able to opt out.

When it's your kids or mine, then the security is perfectly adequate (after all, proles are easily replaced), but the important people obviously deserve a higher standard of protection for their children.

0
0
Anonymous Coward

The other way of looking at this is...

...that all of this information is currently held anyway, just on smaller databases by individual local governmental bodies and schools etc. Would a larger, centrally managed database be any less secure than data that is held by a myriad of other bodies with varying degrees of security?

A lot of the criticism of this scheme, is stuff that could be levelled at any collection of data, anywhere, on any scale.

A proper national database should be *by definition* more secure than dozens of smaller databases dotted all over the place.

Of course, ensuring it is managed competently is an issue...

0
0

transparency

"I note that Opera is actually more secure than Firefox"

That may be a function of having a small userbase (oe perhaps being written by right-minded Scandinavians!). But we're not really talking about the security of IT systems so much as of the way these are used by people. The problem of having a securely encrypted database is largely solved, it's when people get involved that the holes emerge. And I think these procedures should be open to my scrutiny - they've got data on most aspects of my life after all. It's the panopticon principle, but in reverse.

0
0
Silver badge
Coat

@AC

It won't be ROT13, the government is more sophisticated than that. It will probably be double-ROT13,far more secure.

0
0
Unhappy

I despair....

....of this control obsessed (fuckwitted) goverment.

This database of the UK's children exempts, curiously enough, the details of politicians and celebs....on 'security' grounds.

So let me get this straight...the system is 'secure' and staff will be subjected to the highest level of criminal checks, BUT we still think unscrupulous people will manage to circumvent the controls and sell the details relating to the above, to equally unscrupulous malefactors?

So why wouldn't this unscrupulous person sell details about vulnerable and / or ordinary kids (i.e. yours and mine) to pedarists?

Once you centralise this information, you make it a key target for criminals. Just look at how the HMRC was infiltrated and the working tax system ripped off.

For fuck's sake, when will this stop!

0
0
Thumb Down

They think we can trust them with our children's details do they?

You cannot trust this government on IT PERIOD. They do not understand the concept of data security, they try to cut cost, they do not know what they require from a database or IT implementation, all IT projects are subject to mission creep, where the original purpose is forgotten in the desire to do more with the system, thus rendering the original purpose null & void. The net result is they are inept, out of their depth; & should never be trusted with anything involving children's details.

That should rule out ID cards then... shouldn't it........ Don't hold your breath; this corrupt morally bankrupt shower called a government know best, so turn up to give your biometrics there's a good citizen. Oh hell they can get our childrens DNA at birth

if they wish

0
0
Flame

Simple

If there is no reason to store this info - It shouldn't be stored - plain and simple. At most it should store 'child' - yes (not gender specific), age at start of term, (not DOB), what else do they bloody well need for planning? Anything else is just asking for trouble. Statisticians can just f*** off.

0
0
Thumb Down

Data quality

John Imrie: "what happens to the pour kid..."

Robert Hill: "when you may loose half your yearly salary"

Don't worry, you can both sleep soundly: if the data entry clerks pay half as much attention to their accuracy as you do, the data will be so bad even the criminals won't want it.

0
0

Proportionality and consent

This proposed database is disproportionate to an almost unbelievable degree; ContactPoint's own literature says that "at any one time, 3-4 million children in the UK have additional needs which must be addressed if they are to achieve the Every Child Matters outcomes" (whatever that means)...

So, among the UK's under-18s there is a set of about 3-4 million, of which some subset will have needs which can only be met by the combined intervention of more than one agency or service provider (which is why ContactPoint is needed, apparently); of that subset, some proportion will not have a parent, guardian or carer who can be relied on to ensure that each such agency has the correct information about the child; and in order to satisfy this use-case, registration in the database will be universal and compulsory.

It will also record associated data from (at least) the NHS, DWP, DCSF and, presumably, local government social services and education departments.

Do the words "informed consent" and "proportionality" mean nothing to our glorious leaders?

Where's the icon for "OK, I give up in despair/disgust... beam me up..."?

0
0

ContactPoint

> Every Child Matters outcomes" (whatever that means).

This has a very specific meaning. GFE: http://www.everychildmatters.gov.uk/aims/

But these laudable aims have quite intrusive implications.

The real problem is not ContactPoint, which is reduced in scope so far as to be relatively bland. Still pointless, and objectionable, but not the worst part.

The worst part is eCAF. That's the dark horse (just as eBorders is worse than passports).

William www.idealgovernment.com

0
0
This topic is closed for new posts.

Forums