Politics and privacy engineering. Dr Ian Brown, Oxford Internet Institute, University of Oxford

Dec 20, 2015

Transcript
Page 1: Politics and privacy engineering

Dr Ian Brown
Oxford Internet Institute, University of Oxford

Page 2: Revenue & Customs lose 25m records

- Two discs containing names, addresses, DoB, NI no. and bank details of 25m people lost in the post
- Chairman of HMRC immediately resigned

Page 3: Prime Minister’s Questions 21/11/07

[Video clip]

Page 4: Impact on public opinion

[Chart: two monthly series, "Approve govt record" and "Vote for tomorrow", Jul-07 to Mar-08, vertical axis 15% to 45%]

Data: YouGov tracker poll for Daily Telegraph, 28/3/2008

Page 5: Simple audit protocol

NAO: “I do not need address, bank or parent details in the download – are these removable to keep the file smaller?”

HMRC: “I must stress we must make use of [existing] data we hold and not overburden the business by asking them to run additional data scans/filters that may incur a cost to the department.”

Page 6: £5,000 of code

-- Export only the columns the auditor asked for; address, bank and parent details stay in the database
SELECT Recipient_ID, Date, Amount
FROM Child_Benefit_Payments;

# Encrypt the export to the auditor's public key (-e encrypt, -r recipient) before it leaves the department
gpg -er NAO benefitdata.csv

Page 7: Privacy-enhanced audit

1. For each recipient, send to auditor (Recipient_ID, hash(shared_random, recipient data))
2. Auditor requests sample of x records
3. Only those records are sent, and can be checked against bit commitments

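As an added example (not code from the talk), the three-step protocol on this slide combined with the column minimisation of the page 6 SELECT, in Python. It assumes a constructed set of Child_Benefit_Payments rows and takes the slide's shared_random to be a per-record random nonce that the department generates and reveals only for the sampled records: a single random value already known to the auditor would let the low-entropy fields of unopened records be guessed by recomputing the hash.

```python
import hashlib
import hmac
import json
import random
import secrets

# Constructed sample of Child_Benefit_Payments rows (hypothetical data, not a real extract).
RECORDS = {
    "R1001": {"Date": "2007-10-01", "Amount": "72.20", "Address": "1 High St", "Bank": "11-22-33 01234567"},
    "R1002": {"Date": "2007-10-01", "Amount": "72.20", "Address": "2 Mill Ln", "Bank": "44-55-66 07654321"},
    "R1003": {"Date": "2007-10-08", "Amount": "108.30", "Address": "3 Elm Rd", "Bank": "77-88-99 01112222"},
}
AUDIT_FIELDS = ("Date", "Amount")  # the SELECT list from the "£5,000 of code" slide


def minimise(record):
    """Project a row to the audit-relevant fields only; address and bank details never leave."""
    return {k: record[k] for k in AUDIT_FIELDS}


def canonical(record):
    """Deterministic byte encoding so both sides hash exactly the same input."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def commit(nonce, record):
    """hash(random, recipient data): HMAC-SHA256 keyed with the nonce both hides and binds the data."""
    return hmac.new(nonce, canonical(record), hashlib.sha256).hexdigest()


def department_commit(records):
    """Step 1: the department keeps the nonces; only (Recipient_ID, commitment) pairs go to the auditor."""
    nonces = {rid: secrets.token_bytes(32) for rid in records}
    commitments = {rid: commit(nonces[rid], minimise(rec)) for rid, rec in records.items()}
    return nonces, commitments


def auditor_sample(commitments, x, rng=random):
    """Step 2: the auditor chooses x recipient IDs only after holding all the commitments."""
    return sorted(rng.sample(sorted(commitments), x))


def department_open(records, nonces, sample):
    """Step 3: only the sampled records are released, each with the nonce that opens its commitment."""
    return {rid: (nonces[rid], minimise(records[rid])) for rid in sample}


def auditor_verify(commitments, opened):
    """Recompute each opened commitment; a mismatch means the record differs from what was committed to."""
    return {rid: hmac.compare_digest(commit(nonce, rec), commitments[rid])
            for rid, (nonce, rec) in opened.items()}


def run_audit(records, x, seed=None):
    """The whole exchange: returns the sampled IDs and the per-record verification results."""
    nonces, commitments = department_commit(records)
    sample = auditor_sample(commitments, x, random.Random(seed))
    opened = department_open(records, nonces, sample)
    return sample, auditor_verify(commitments, opened)


if __name__ == "__main__":
    sample, results = run_audit(RECORDS, 2, seed=1)
    print("sampled:", sample, "verified:", results)
```

Records outside the sample are never transmitted in clear, and any record altered after step 1 (a changed amount, or a substituted nonce) fails verification.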
Page 8: Individuals affected by UK data breaches since July 2006

[Chart: one bar per breach, log scale from 1 to 100,000,000 individuals affected. Organisations shown: Leeds Building Society; DVLA; Scottish Funding Council; Sefton Primary Care Trust; Cardiff and Vale NHS Trust; Stockport Primary Care Trust; Russells Hall Hospital; DVLA; HM Revenue and Customs; King's Mill Hospital; Halifax Building Society; Skipton Financial Services; Metropolitan Police; HM Revenue and Customs; Worcestershire County Council; Haringey council; Marks and Spencer; Dept for Work and Pensions; Newcastle City Council; City and Hackney NHS Trust; HSBC; Royal Navy; DVLA; Nationwide Building Society; HM Revenue and Customs]

Page 9: Basic security needed

- Encrypted stored and in-transit data
- Access control
- Need-to-know

Page 10: Measuring system security requirements

1. Scale and complexity
2. Number of users
3. Sensitivity of data
4. Connections to other systems, particularly untrusted
5. Connectivity to the Internet
6. Attractiveness as target

Source: B. R. Gladman and I. Brown (2007) Security, Safety and the National Identity Register. In S. G. Davies & I. Hosein (eds), The Identity Project: an assessment of the UK Identity Cards Bill and its implications, London School of Economics, pp. 187-200.

Page 11: Software quality is key

Prof. Martyn Thomas: “almost every IT supplier in the world today is incompetent… the typical rate of delivered faults after full user acceptance testing from the main suppliers in the industry over many years has been steady at around 20 faults per thousand lines of code. We know how to deliver software with a fault rate that is down around 0.1 faults per thousand lines of code and the industry does not adopt these techniques.” Evidence to Home Affairs Select Committee, 24/2/2004

Page 12: Insider fraud

Information required | Price paid to ‘blagger’ | Price charged to customer
Occupant search/Electoral roll check (obtaining or checking an address) | not known | £17.50
Telephone reverse trace | £40 | £75
Telephone conversion (mobile) | not known | £75
Friends and Family | £60 – £80 | not known
Vehicle check at DVLA | £70 | £150 – £200
Criminal records check | not known | £500
Area search (locating a named person across a wide area) | not known | £60
Company/Director search | not known | £40
Ex-directory search | £40 | £65 – £75
Mobile telephone account enquiries | not known | £750
Licence check | not known | £250

Source: “What price privacy?”, Information Commissioner, May 2006

Page 13: Key privacy engineering steps

1. Understand your problem
2. Design system to minimise collection, storage and access to personally identifiable information
3. Engineer security system to enforce privacy policies
4. Enforce controls and audit remaining accesses

Source: S. Marsh, I. Brown and F. Khaki (2008) Privacy Engineering. Cybersecurity KTN white paper

Page 14: NHS Connecting for Health

- £20bn programme
- Patient Summary Care Records stored on centralised database (“Spine”) with pointers to Detailed Care Records in regional databases
- Emergency treatment and research

Page 15: Efficacy of NPfIT

- Emergency clinicians’ treatment styles
- Public opposition to unconsented research - paper last year blog?

Page 16: Confidentiality problems

- “Sealed envelope” limits access to especially sensitive records… but can be opened by the NHS and police and doesn’t actually exist yet!
- Pretexting found in N. Yorkshire HA to be occurring 30 times per week (Anderson 1996)
- Leeds Teaching Hospitals NHS Trust found 70,000 cases of "inappropriate access" to systems in 1 month
- South Warwickshire General Hospitals NHS Trust allows A&E clinicians to share smartcards due to 60-90s login times

Page 17: General Practitioners’ worries

- 50% of GPs will refuse to upload medical records to central "Spine" without patients' permission
- 80% think Spine puts patient confidentiality at risk
- 79% think new system will be less secure

Source: Medix poll of 1,026 representative GPs, Nov. 2006

Page 18: ContactPoint & eCAF

- Database storing details of 11m UK children’s contact with social services, police, health and education
- 330,000 users
- 50% of children will have detailed seven-page assessment

[Picture: Cornwall County Council]

Page 19: Purposes of ContactPoint

“[P]rotecting children from abuse or neglect, preventing impairment of their health and development, and ensuring that they are growing up in circumstances consistent with the provision of safe and effective care which is undertaken so as to enable children to have optimum life chances and enter adulthood successfully.”

- Victoria Climbie case
- Crime prevention

Source: R. Anderson, I. Brown, R. Clayton, T. Dowty, D. Korff and E. Munro (2006) Children’s Databases - Safety and Privacy. Information Commissioner’s Office

Page 20: Efficacy of ContactPoint

“The practitioners in contact with Victoria knew of each other’s involvement and shared considerable amounts of information. The crucial errors arose from individuals either not paying attention to the information, or giving it a benign interpretation so that the risk to Victoria from abuse was not seen.” -Anderson et al.

- Wood for trees
- Dr Liz Davies
- Resources and evidence base for interventions

Source: R. Anderson, I. Brown, R. Clayton, T. Dowty, D. Korff and E. Munro (2006) Children’s Databases - Safety and Privacy. Information Commissioner’s Office

Page 21: Efficacy of ContactPoint

“[A]ny notion that better screening can enable policy makers to identify young children destined to join the 5 per cent of offenders responsible for 50-60 per cent of crime is fanciful. Even if there were no ethical objections to putting ‘potential delinquent’ labels round the necks of young children, there would continue to be statistical barriers.” -Prof. David Farrington

- Impact upon family autonomy

Source: R. Anderson, I. Brown, R. Clayton, T. Dowty, D. Korff and E. Munro (2006) Children’s Databases - Safety and Privacy. Information Commissioner’s Office

Page 22: UK National Identity Scheme

[Figure] Source: S. G. Davies & I. Hosein (eds), The Identity Project: an assessment of the UK Identity Cards Bill and its implications, London School of Economics, p. 25

Page 23: Purposes of NIS

- Anti-terrorism
- Social security fraud
- Identity fraud (£1.7bn pa)
- Illegal immigration
- Sense of community

Page 24: Efficacy of NIS

“If you ask me whether ID cards or any other measure would have stopped [the London bombings], I can't identify any measure which would have just stopped it like that.” -Charles Clarke MP, former Home Secretary

“Benefit fraud that relies on false identity was, at most, 1 or 2 per cent of the total.” -Peter Lilley MP, former Social Security Secretary

“The Home Office's definition of ID fraud doesn't match our definition. We class it as a more serious crime that involves a great deal more hassle than just having your card stolen and having to phone up the bank to cancel it.” -APACS

Page 25: Efficacy of Identity Scheme

“If stop and search is anything to go by, for Black people our ID card is really the colour of our skin.” -Karen Chouhan, 1990 Trust

“Terrorists rarely conceal their identity, only their intention - as was apparent in the case of those involved in the 9/11 tragedy, and in Madrid and in Constantinople.” -Peter Lilley MP

Page 26: IT and the smaller state

“Never again could there be projects like Labour's hubristic NHS supercomputer… The basic reason for these problems is Labour's addiction to the mainframe model - large, centralised systems for the management of information.” -David Cameron MP

“As chancellor, Brown relentlessly pursued his forlorn vision of a ‘joined-up identity management regime’ across public services. As prime minister, he continues this vain search, like an obsessed alchemist, for a giant database that his closest advisers ominously refer to as a ‘single source of truth’.” -David Davis MP

Page 27: Conclusion

- Privacy engineering is key to making privacy meaningful in information societies
- “Collect then protect” is a fundamentally broken model
- Understanding problem domain is critical
- Privacy has become a key element in UK politics - central to debate over effective checks on state power