Politics and privacy engineeringPolitics and privacy engineering
Dr Ian Brown
Oxford Internet Institute University of Oxford
Dr Ian Brown
Oxford Internet Institute University of Oxford
Revenue & Customs lose 25m recordsRevenue & Customs lose 25m records
Two discs containing names, addresses, DoB, NI no. and bank details of 25m people lost in the post
Chairman of HMRC immediately resigned
Two discs containing names, addresses, DoB, NI no. and bank details of 25m people lost in the post
Chairman of HMRC immediately resigned
QuickTime™ and aTIFF (Uncompressed) decompressor
are needed to see this picture.
Prime Minister’s Questions 21/11/07Prime Minister’s Questions 21/11/07
QuickTime™ and aH.264 decompressor
are needed to see this picture.
Impact on public opinionImpact on public opinion
15%
20%
25%
30%
35%
40%
45%
Jul-07
Aug-07
Sep-07
Oct-07
Nov-07
Dec-07
Jan-08
Feb-08
Mar-08
Approve govt record
Vote for tomorrow
Data: YouGov tracker poll for Daily Telegraph, 28/3/2008
Simple audit protocolSimple audit protocol
NAO: “I do not need address, bank or parent details in the download – are these removable to keep the file smaller?”
HMRC: “I must stress we must make use of [existing] data we hold and not overburden the business by asking them to run additional data scans/filters that may incur a cost to the department.”
NAO: “I do not need address, bank or parent details in the download – are these removable to keep the file smaller?”
HMRC: “I must stress we must make use of [existing] data we hold and not overburden the business by asking them to run additional data scans/filters that may incur a cost to the department.”
£5,000 of code£5,000 of code
SELECT Recipient_ID, Date, Amount
FROM Child_Benefit_Payments
gpg -er NAO benefitdata.csv
SELECT Recipient_ID, Date, Amount
FROM Child_Benefit_Payments
gpg -er NAO benefitdata.csv
Privacy-enhanced auditPrivacy-enhanced audit
1. For each recipient, send to auditor (Recipient_ID, hash(shared_random, recipient data))
2. Auditor requests sample of x records
3. Only those records are sent, and can be checked against bit commitments
1. For each recipient, send to auditor (Recipient_ID, hash(shared_random, recipient data))
2. Auditor requests sample of x records
3. Only those records are sent, and can be checked against bit commitments
Individuals affected by UK data breaches since July 2006
Individuals affected by UK data breaches since July 2006
1
10
100
1000
10000
100000
1000000
10000000
100000000
Leeds Building Society
DVLA
Scottish Funding CouncilSefton Primary Care TrustCardiff and Vale NHS TrustStockport Primary Care Trust
Russells Hall Hospital
DVLA
HM Revenue and Customs
King's Mill Hospital
Halifax Building SocietySkipton Financial Services
Metropolitan Police
HM Revenue and CustomsWorcestershire County Council
Haringey councilMarks and Spencer
Dept for Work and Pensions
Newcastle City Council
City and Hackney NHS Trust
HSBC
Royal Navy
DVLA
Nationwide Building SocietyHM Revenue and Customs
Basic security neededBasic security needed
Encrypted stored and in-transit data Access control Need-to-know
Encrypted stored and in-transit data Access control Need-to-know
Measuring system security requirementsMeasuring system security requirements
1. Scale and complexity
2. Number of users
3. Sensitivity of data
4. Connections to other systems, particularly untrusted
5. Connectivity to the Internet
6. Attractiveness as target
1. Scale and complexity
2. Number of users
3. Sensitivity of data
4. Connections to other systems, particularly untrusted
5. Connectivity to the Internet
6. Attractiveness as target
Source: B. R. Gladman and I. Brown (2007) Security, Safety and the National Identity Register. In S. G. Davies & I. Hosein (eds), The Identity Project: an assessment of the UK Identity Cards Bill and its implications,
London School of Economics pp.187-200.
Software quality is keySoftware quality is key
Prof. Martyn Thomas: “almost every IT supplier in the world today is incompetent… the typical rate of delivered faults after full user acceptance testing from the main suppliers in the industry over many years has been steady at around 20 faults per thousand lines of code. We know how to deliver software with a fault rate that is down around 0.1 faults per thousand lines of code and the industry does not adopt these techniques.” Evidence to Home Affairs Select Committee, 24/2/2004
Prof. Martyn Thomas: “almost every IT supplier in the world today is incompetent… the typical rate of delivered faults after full user acceptance testing from the main suppliers in the industry over many years has been steady at around 20 faults per thousand lines of code. We know how to deliver software with a fault rate that is down around 0.1 faults per thousand lines of code and the industry does not adopt these techniques.” Evidence to Home Affairs Select Committee, 24/2/2004
Insider fraudInsider fraudInformation required Price paid to
‘blagger’ Price charged to customer
Occupant search/Electoral roll check (obtaining or checking an address)
not known £17.50
Telephone reverse trace £40 £75 Telephone conversion (mobile) not known £75 Friends and Fami ly £60 – £80 not known Vehicle check at DVLA £70 £150 – £200 Criminal records check not known £500 Area search (locating a named person across a wide area)
not known £60
Company/Director search not known £40 Ex-directory search £40 £65 – £75 Mobile t elephone account enquiries not known £750 Licence check not known £250 Source: “What price privacy?”, Information Commissioner, May 2006
Key privacy engineering stepsKey privacy engineering steps
1. Understand your problem2. Design system to minimise collection,
storage and access to personally identifiable information
3. Engineer security system to enforce privacy policies
4. Enforce controls and audit remaining accesses
1. Understand your problem2. Design system to minimise collection,
storage and access to personally identifiable information
3. Engineer security system to enforce privacy policies
4. Enforce controls and audit remaining accesses
Source: S. Marsh, I. Brown and F. Khaki (2008) Privacy Engineering. Cybersecurity KTN white paper
NHS Connecting for HealthNHS Connecting for Health £20bn programme Patient Summary
Care Records stored on centralised database (“Spine”) with pointers to Detailed Care Records in regional databases
Emergency treatment and research
£20bn programme Patient Summary
Care Records stored on centralised database (“Spine”) with pointers to Detailed Care Records in regional databases
Emergency treatment and research
QuickTime™ and aTIFF (Uncompressed) decompressor
are needed to see this picture.
Efficacy of NPfITEfficacy of NPfIT
Emergency clinicians treatment styles Public opposition to unconsented research -
paper last year blog?
Emergency clinicians treatment styles Public opposition to unconsented research -
paper last year blog?
Confidentiality problemsConfidentiality problems
“Sealed envelope” limits access to especially sensitive records… but can be opened by the NHS and police and doesn’t actually exist yet!
Pretexting found in N. Yorkshire HA to be occurring 30 times per week (Anderson 1996)
Leeds Teaching Hospitals NHS Trust found 70,000 cases of "inappropriate access" to systems in 1 month
South Warwickshire General Hospitals NHS Trust allows A&E clinicians to share smartcards due to 60-90s login times
“Sealed envelope” limits access to especially sensitive records… but can be opened by the NHS and police and doesn’t actually exist yet!
Pretexting found in N. Yorkshire HA to be occurring 30 times per week (Anderson 1996)
Leeds Teaching Hospitals NHS Trust found 70,000 cases of "inappropriate access" to systems in 1 month
South Warwickshire General Hospitals NHS Trust allows A&E clinicians to share smartcards due to 60-90s login times
General Practitioners’ worriesGeneral Practitioners’ worries
50% of GPs will refuse to upload medical records to central "Spine" without patients' permission
80% think Spine puts patient confidentiality at risk
79% think new system will be less secure
50% of GPs will refuse to upload medical records to central "Spine" without patients' permission
80% think Spine puts patient confidentiality at risk
79% think new system will be less secure
Source: Medix poll of 1,026 representative GPs, Nov. 2006
ContactPoint & eCAFContactPoint & eCAF
Database storing details of 11m UK children’s contact with social services, police, health and education
330,000 users 50% children will have
detailed seven-page assessment
Database storing details of 11m UK children’s contact with social services, police, health and education
330,000 users 50% children will have
detailed seven-page assessment
QuickTime™ and aTIFF (Uncompressed) decompressor
are needed to see this picture.
Cornwall County Council
Purposes of ContactPointPurposes of ContactPoint
“[P]rotecting children from abuse or neglect, preventing impairment of their health and development, and ensuring that they are growing up in circumstances consistent with the provision of safe and effective care which is undertaken so as to enable children to have optimum life chances and enter adulthood successfully.”
Victoria Climbie case Crime prevention
“[P]rotecting children from abuse or neglect, preventing impairment of their health and development, and ensuring that they are growing up in circumstances consistent with the provision of safe and effective care which is undertaken so as to enable children to have optimum life chances and enter adulthood successfully.”
Victoria Climbie case Crime prevention
Source: R. Anderson, I. Brown, R. Clayton, T. Dowty, D. Korff and E. Munro (2006) Children’s Databases - Safety and Privacy. Information Commissioner’s Office
Efficacy of ContactPointEfficacy of ContactPoint
“The practitioners in contact with Victoria knew of each other’s involvement and shared considerable amounts of information. The crucial errors arose from individuals either not paying attention to the information, or giving it a benign interpretation so that the risk to Victoria from abuse was not seen.” -Anderson et al.
Wood for trees Dr Liz Davies Resources and evidence base for interventions
“The practitioners in contact with Victoria knew of each other’s involvement and shared considerable amounts of information. The crucial errors arose from individuals either not paying attention to the information, or giving it a benign interpretation so that the risk to Victoria from abuse was not seen.” -Anderson et al.
Wood for trees Dr Liz Davies Resources and evidence base for interventions
Source: R. Anderson, I. Brown, R. Clayton, T. Dowty, D. Korff and E. Munro (2006) Children’s Databases - Safety and Privacy. Information Commissioner’s Office
Efficacy of ContactPointEfficacy of ContactPoint
“[A]ny notion that better screening can enable policy makers to identify young children destined to join the 5 per cent of offenders responsible for 50-60 per cent of crime is fanciful. Even if there were no ethical objections to putting ‘potential delinquent’ labels round the necks of young children, there would continue to be statistical barriers.” -Prof. David Farrington
“The practitioners in contact with Victoria knew of each other’s involvement and shared considerable amounts of information. The crucial errors arose from individuals either not paying attention to the information, or giving it a benign interpretation so that the risk to Victoria from abuse was not seen.” -Anderson et al.
Impact upon family autonomy
“[A]ny notion that better screening can enable policy makers to identify young children destined to join the 5 per cent of offenders responsible for 50-60 per cent of crime is fanciful. Even if there were no ethical objections to putting ‘potential delinquent’ labels round the necks of young children, there would continue to be statistical barriers.” -Prof. David Farrington
“The practitioners in contact with Victoria knew of each other’s involvement and shared considerable amounts of information. The crucial errors arose from individuals either not paying attention to the information, or giving it a benign interpretation so that the risk to Victoria from abuse was not seen.” -Anderson et al.
Impact upon family autonomy
Source: R. Anderson, I. Brown, R. Clayton, T. Dowty, D. Korff and E. Munro (2006) Children’s Databases - Safety and Privacy. Information Commissioner’s Office
UK National Identity SchemeUK National Identity Scheme
S. G. Davies & I. Hosein (eds), The Identity Project: an assessment of the UK Identity Cards Bill and its implications, London School of Economics p.25
Purposes of NISPurposes of NIS
Anti-terrorism Social security fraud Identity fraud (£1.7bn pa) Illegal immigration Sense of community
Anti-terrorism Social security fraud Identity fraud (£1.7bn pa) Illegal immigration Sense of community
Efficacy of NISEfficacy of NIS “If you ask me whether ID cards or any other
measure would have stopped [the London bombings], I can't identify any measure which would have just stopped it like that.” -Charles Clarke MP, former Home Secretary
“Benefit fraud that relies on false identity was, at most, 1 or 2 per cent of the total.” -Peter Lilley MP, former Social Security Secretary
“The Home Office's definition of ID fraud doesn't match our definition. We class it as a more serious crime that involves a great deal more hassle than just having your card stolen and having to phone up the bank to cancel it” -APACS
“If you ask me whether ID cards or any other measure would have stopped [the London bombings], I can't identify any measure which would have just stopped it like that.” -Charles Clarke MP, former Home Secretary
“Benefit fraud that relies on false identity was, at most, 1 or 2 per cent of the total.” -Peter Lilley MP, former Social Security Secretary
“The Home Office's definition of ID fraud doesn't match our definition. We class it as a more serious crime that involves a great deal more hassle than just having your card stolen and having to phone up the bank to cancel it” -APACS
QuickTime™ and aTIFF (Uncompressed) decompressor
are needed to see this picture.
QuickTime™ and aTIFF (Uncompressed) decompressor
are needed to see this picture.
QuickTime™ and aTIFF (Uncompressed) decompressor
are needed to see this picture.
Efficacy of Identity SchemeEfficacy of Identity Scheme
"If stop and search is anything to go by, for Black people our ID card is really the colour of our skin.” Karen Chouhan, 1990 Trust
“Terrorists rarely conceal their identity, only their intention - as was apparent in the case of those involved in the 9/11 tragedy, and in Madrid and in Constantinople.” -Peter Lilley MP
"If stop and search is anything to go by, for Black people our ID card is really the colour of our skin.” Karen Chouhan, 1990 Trust
“Terrorists rarely conceal their identity, only their intention - as was apparent in the case of those involved in the 9/11 tragedy, and in Madrid and in Constantinople.” -Peter Lilley MP
QuickTime™ and aTIFF (Uncompressed) decompressor
are needed to see this picture.
IT and the smaller stateIT and the smaller state
"Never again could there be projects like Labour's hubristic NHS supercomputer… The basic reason for these problems is Labour's addiction to the mainframe model - large, centralised systems for the management of information.” -David Cameron MP
“As chancellor, Brown relentlessly pursued his forlorn vision of a ‘joined-up identity management regime’ across public services. As prime minister, he continues this vain search, like an obsessed alchemist, for a giant database that his closest advisers ominously refer to as a ‘single source of truth’.” -David Davis MP
"Never again could there be projects like Labour's hubristic NHS supercomputer… The basic reason for these problems is Labour's addiction to the mainframe model - large, centralised systems for the management of information.” -David Cameron MP
“As chancellor, Brown relentlessly pursued his forlorn vision of a ‘joined-up identity management regime’ across public services. As prime minister, he continues this vain search, like an obsessed alchemist, for a giant database that his closest advisers ominously refer to as a ‘single source of truth’.” -David Davis MP
QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.
QuickTime™ and aTIFF (Uncompressed) decompressor
are needed to see this picture.
ConclusionConclusion
Privacy engineering is key to making privacy meaningful in information societies
“Collect then protect” is a fundamentally broken model
Understanding problem domain is critical Privacy has become a key element in UK
politics - central to debate over effective checks on state power
Privacy engineering is key to making privacy meaningful in information societies
“Collect then protect” is a fundamentally broken model
Understanding problem domain is critical Privacy has become a key element in UK
politics - central to debate over effective checks on state power