UK pushes token security line on child database

Think of the Children

When do they become adults and get removed from this database.

And what happens to the pour kid who ends up with ID number 666?

How much for a token and a PIN

How many tokens will be current? How are the leavers and role-changers across dozens of different agencies to be managed? What's to stop sharing/borrowing tokens? Who will run the spot check recalls (and report on the outcomes)?

These things will be sold, to PIs and worse. This isn't security theatre -- it doesn't even have that internal consistency. It's just security fluff.

I wish they'd shut up

"In the wake of the HMRC debacle, the LibDems have called for the database to be encrypted."

They haven't got a bloody clue. I wish they'd shut the fk up and stop trying to score points with technology about which they know nothing. The call for encryption is meaningless in the context of a centralised repository which will have various methods of access. They've heard the word "encryption", and of a thing called "the database", and are trying to strike a chord with the uninformed masses.

What next - "In the wake of the HMRC debacle the LibDems have called for the database not to be stored on anything circular."

I cannot seem to locate the utter wankers icon.

Nobody bad will have access to it!

I'm sure there will be no bad people allowed to see this. Doctors, teachers, etc, will all need vetting ... of course, if we had a database of all them then we could really make sure!

As for the script monkeys, they will be put in their own database and we will check them with other databases to make sure they're not in any of them (of course, if a Database manager did find they were in one - they could always delete it!, or I don't know, send it in the post).

Now that I think of it, this database is so secure that no paedophiles will ever get near it ... we should therefore make more of them.

A database of all the old people in the country, with special tags marking their competence, I'm sure pesky scammers who prey on old people would not find them!

Now, isn't it kind of funny with all these databases of perfect victims like children or old people, with so much regard for security, a database of all the padeophiles will probably never get made in the off chance some Sun readers got hold of it and went around to their house ... odd, huh?

transparency

It's counterintuitive, so they won't do it, but the only way to keep our personal data safe is to make the infrastructure completely open to scrutiny. The proprietary, closed solutions which are favoured by governments are attractive because they are reassuringly expensive and provide somewhere to pass the buck, but they have been shown time and again to be less secure because of their secretive nature. Internet Explorer versus Firefox is a prime example. Make it all open source and the holes are spotted quickly and fixed. Keep it secret and the holes are hushed up or only ever spotted by blackhats.

@ think of the children

Not until they are 31 in some cases deemed to have diminished capacity or increased vulnerability. It is just that everyone will be on it till they are 18. By which time their notional identity will be nationally managed, or something.

Transparency

I note that Opera is actually more secure than Firefox despite being closed source and made by a company ... maybe the problem isn't open or closed but complacency that Microsoft and governments have ...

I'm not sure open would be better because its giving it away to the people, they can find a problem and instantly hack ... a bit more of a problem when its a database full of peoples information.

Transparency

I note that Opera is actually more secure than Firefox despite being closed source and made by a company ... maybe the problem isn't open or closed but complacency that Microsoft and governments have ...

I'm not sure open would be better because its giving it away to the people, they can find a problem and instantly hack ... a bit more of a problem when its a database full of peoples information.

It's not the technology stupid...

All these calls for encryption and passcodes and tokens...all rubbish.

It is ALL about the HR policies of the internal staff, including their salaries, vettment of training, and especially incentivization to make data loss finanically painful (if not ruinous for senior people involved) - and potential criminal liabilities. "Taking shortcuts" when handling or transmitting data looks a lot less attractive when you may loose half your yearly salary if you get caught not following procedure, or if the data is lost. And if you were a senior exec who WOULD face criminal charges if any of your staff lost or sold data, you would watch it like a hawk - and them.

Sadly, we cannot expect this, as our public servants will not use negative re-inforcement to ensure that our pain is their pain. Instead, we will be told that "they will of course do all that they CAN do" without the need for any punitive threats or penalties. So that manager WILL leave work at 5PM when he can, entrusting that a critical data operation will be handled by "his trusted staff" without oversight...something that I doubt would happen if he knew he would face real pain if security was breached. And PIs and such WILL crack the human element of security, bribing and blackmailing staff to gain access - because if the worst that can happen is they lose that job, well, the bribe will keep them under a roof until they find a new one. And probably for more money.

Unless we as people ourselves demand it, nothing will change. Our lives will become laughably transparent to anyone that cares to see. People with negatively-perceived illnesses will stop getting treatment, just to ensure that a future boss cannot find out that they were undergoing treatment for (HIV/depression/fertility/hepatitis-C/take your pick). Parents will not enroll their children up for needed help, because they will have to fear for their own details and familiy situation being broadcast to any and all that can afford to gain illegal access, or worse, knows someone with access.

it is time to demand punitive measures for our civil servants that mishandle secured information, with both financial and legal measures applied depending upon the nature of the breach, the severity, and the cause (i.e., accidental or intentional). And with these measures, defined responsibilities for PUBLICALLY investigating and documenting such breaches, to ensure that coverups will be difficult. Until such measures are in place, these new databases should be mothballed.

The other way of looking at this is...

...that all of this information is currently held anyway, just on smaller databases by individual local governmental bodies and schools etc. Would a larger, centrally managed database be any less secure than data that is held by a myriad of other bodies with varying degrees of security?

A lot of the criticism of this scheme, is stuff that could be levelled at any collection of data, anywhere, on any scale.

A proper national database should be *by definition* more secure than dozens of smaller databases dotted all over the place.

Of course, ensuring it is managed competently is an issue...

transparency

"I note that Opera is actually more secure than Firefox"

That may be a function of having a small userbase (oe perhaps being written by right-minded Scandinavians!). But we're not really talking about the security of IT systems so much as of the way these are used by people. The problem of having a securely encrypted database is largely solved, it's when people get involved that the holes emerge. And I think these procedures should be open to my scrutiny - they've got data on most aspects of my life after all. It's the panopticon principle, but in reverse.

Proportionality and consent

This proposed database is disproportionate to an almost unbelievable degree; ContactPoint's own literature says that "at any one time, 3-4 million children in the UK have additional needs which must be addressed if they are to achieve the Every Child Matters outcomes" (whatever that means)...

So, among the UK's under-18s there is a set of about 3-4 million, of which some subset will have needs which can only be met by the combined intervention of more than one agency or service provider (which is why ContactPoint is needed, apparently); of that subset, some proportion will not have a parent, guardian or carer who can be relied on to ensure that each such agency has the correct information about the child; and in order to satisfy this use-case, registration in the database will be universal and compulsory.

It will also record associated data from (at least) the NHS, DWP, DCSF and, presumably, local government social services and education departments.

Do the words "informed consent" and "proportionality" mean nothing to our glorious leaders?

Where's the icon for "OK, I give up in despair/disgust... beam me up..."?

ContactPoint

> Every Child Matters outcomes" (whatever that means).

This has a very specific meaning. GFE: http://www.everychildmatters.gov.uk/aims/

But these laudable aims have quite intrusive implications.

The real problem is not ContactPoint, which is reduced in scope so far as to be relatively bland. Still pointless, and objectionable, but not the worst part.

The worst part is eCAF. That's the dark horse (just as eBorders is worse than passports).

William www.idealgovernment.com