Key issues concerning the massive loss of data by British MoD.
I'd suggest there are a number of key issues to keep in mind when considering the massive loss of data by British MoD. Here's a few to begin with:
1. The data/security paradigm changes when data are moved from hard/paper copy to a machine-readable form. Most people still think of security and access in paper-based terms, not that of electronic data which is a very different animal. Had the records been stored on traditional paper-based record systems then there would have been no breach of security.
2. Data in electronic form acquires a range of new and powerful properties when compared with that of the same records stored on hardcopy/paper. For example, stealing 600,000 plus paper-based records would be nigh on impossible, but this electronic 'loss' is not even theft as far as we know--just incompetence and mishandling. Those handling or using this data do not understand this differences between the electronic data and hard copy paradigms (especially a problem in government bureaucracies). Ipso facto, if they did then this data security breach would not have happened. Unfortunately, this lack of understanding is not unique; even those in the data processing/security game have a very poorly understanding of the problem: for they usually concentrate on specific security issues and technicalities, not why or whether certain facts or information should or should not be committed to electronic storage, or what the implications are if the data falls into unwanted hands.
3. It is questionable whether certain forms of sensitive data should actually be transferred into an electronic format, especially if bound into fully collated databases (as here). If electronic records are absolutely essential then the data can be held in multiple parts in distributed databases--one part alone being useless without others. (The fact that this data is not secured and managed in such a way that its loss would be trivial ought to be of great concern. Computer science just hasn't evolved sufficiently to always guarantee security and simultaneously make it easy and foolproof to implement: only electronic encode that which is essential.)
4. Governments, control freaks and penny-pinching accountants etc.--those with a police state mentality--want all records conveniently to hand, often for very questionable reasons including very little practical justification or need. In this instance, not only have they collected and collated vast amounts of sensitive personal data and stored it in an easily 'losable' form but the very act of doing so is one of utter irresponsibility. The loss of such important data (and on such a grand scale) together with security systems that are so weak and in such disarray--to the extent that they permit such losses--has to be an act of malfeasance.
4.1 Essentially, what has happened here is that an act of treason has been committed against the 'collective of citizens' [who constitute part of the state]--those who gave their personal data on the understanding that their government would keep it secure but who failed though negligence, inter alia.
4.2 There's little doubt that this incident will be hushed up, and there will be an scapegoat or two or possibly not even that. Moreover, I'll bet it happens again sometime soon, remember this is not the first of such incidents. With Britain going to a universal ID card what would happen if Al-Qaeda or similar organization were to ever get such a file? Even a friendly power such as the USA would be only too happy to snap up such valuable data, no questions asked.
5. Whether relevant or not, Governments, bureaucrats and security services have a Nazi-like obsession in collecting vast amounts of data on citizens, and there is no obligation on those collecting it to even tell citizens that they are doing so let alone let the citizen see or review the data. Whether storing so much detail about citizens in vulnerable electronic format (such as in single but comprehensive databases) is warranted or not ought to be publicly debated, especially by those whose data it is. Again, this incident only highlights the privacy debate which isn't happening!
6. It's questionable whether sensitive data of this kind really needs to be fully collated in one location, but if it is then there should be no reason for it to ever move from that location (except to another of the same status/security for backup purposes).
7. There is NO need for any other person or entity to have this data, and--in human rights terms--NOR does anyone else have the right to the data (just on basic privacy grounds alone let alone other reasons). If contractors require data to test systems etc. then non-identifying aggregated data should be supplied. Duplicating such data without the full consent of the citizens involved should be seen as a breach of not only their privacy but also their human rights. Remember, these are no ordinary records, an enemy could use them to annihilate soldiers before they're engaged on a battlefield--the lost records could perhaps put the very security of the country at risk. Even if this loss is not a high risk then the modus operandi that let it happen will inevitably repeat itself sooner or later, and most likely when the stakes are higher.
8. Computers, through their vastly increasing processing capability, are availing governments with new and unprecedented powers by stealth, and we citizens need question and scrutinize them--if but for no other reason than our own safety. Surveillance and monitoring of the citizenry is at an all-time high and justified, as always, in the hoary old name of 'security'--an emotive word whose very use 'justifies' the excuse to quell any in-depth public debate on the subject.
8.1 This incident, and others similar, should never have been allowed to happen. Again, it proves beyond reasonable doubt that governments can and do act irresponsibly towards their citizens whilst knowing better; moreover, they continue to get away with it without necessary scrutiny and public accountability because we continue to let them do so.
Events such as this data 'loss' enable us the citizenry to gain a small insight into the creeping and inextricably increasing powers of governments and we should use every such opportunity to reign in these abuses. If we ignore them then we do so at our own peril.
In the interests of Democracy and good governance, when our governments act so deplorably it is the duty of we citizens to ensure that those responsible be held accountable, and we must insist the issues be widely and publicly debated, and not hidden and whitewashed in the name of security.
Biting the hand that feeds IT
