WRITTEN ON November 6th, 2008 BY William Heath AND STORED IN Data nitwittery, Foundation of Trust, Identity, Transformational Government, What do we want?
Jerry “The Thunderer” Fishenden has another important opinion piece in The Scotsman. Honorary Scot Jerry is Microsoft’s NTO, former head of IT in Parliament, and sits on this new Scottish privacy advisers council. He’s additional evidence that while not everything Microsoft does is good, it has for some years fallen into the happy habit of hiring good people who do their best to stay good in the machine. He’s the very opposite of a great clunking fist: soft-spoken, a musician and reflective. And he loves technology: it’s his hobby, interest and day job.
His last big Scotsman article broke ranks with the conniving-rentseeking Intellect tendency by questioning the wisdom of the ID System. It sent the Home Office and half the Cabinet Office into an unseemly sulk. The mindguards moved in to try to prevent that conversation going any further and protect the perfect state of groupthink.
His new article is carefully reasoned, proportionate and quietly passionate. He explains the wider risks of government’s recent data losses and argues that large centralised databases of personal information are not such a good idea. The point is, of course, these are the very building blocks of this hybrid Transformational Government 1.0/War on Terror non-Ideal government IT strategy we’re pursuing.
The most forceful words he uses come from Gordon Brown and Richard Thomas:
The more databases set up and the more information exchanged from one place to another, the greater the risk of things going wrong. The more you centralise data collection, the greater the risk of multiple records going missing or wrong decisions about real people being made. The more you lose the trust and confidence of customers and the public, the more your prosperity and standing will suffer. Put simply, holding huge collections of personal data brings significant risks.
Wibbi those i/c planning next stages in government IT policy listened carefully and respectfully to Jerry and to other voices of reason.
Wibbi if the government-Intellect dialogue which has driven the TransformationalGov 1.0/War on Terror government IT strategy evolved into a proper and respectful debate which embraced taxpayers, customers, citizens and generally the perspective of those on the receiving end that all this is intended to help.
PS the full article is something called premium content so if you want to read it on the web you need to drive to Scotland, get into a time machine, go back to 6 November 2008, buy a copy of the newspaper, type the article into your McBook, upload it, access it via a web browser, and then read it. Or see below:
Why information leaks are a danger to everyone
Published Date: 06 November 2008
By Jerry Fishenden
BARELY a day passes it seems without a new headline appearing about how our personal information has been lost from yet another database. Last week, the Information Commissioner, Richard Thomas, revealed that the number of reported data breaches in the UK has soared to 277 since HMRC lost 25 million child benefit records nearly a year ago. “Information can be a toxic liability,” he commented.
Such data losses are bad news on many fronts. Not just for us, when it’s our personal information that is lost or misplaced, but because it also undermines trust in modern technology. Personal information in digital form is the very lifeblood of the internet age and the relentless rise in data breaches is eroding public trust. Such trust, once lost, is very hard to regain.
Earlier this year, Sir James Crosby conducted an independent review of identity-related issues for Gordon Brown. It included an important underlying point: that it’s our personal data, nobody else’s. Any organisation, private or public sector, needs to remember that. All too often the loss of our personal information is caused not by technical failures, but by lackadaisical processes and people.
These widely-publicised security and data breaches threaten to undermine online services. Any organisations, including governments, which inadequately manage and protect users’ personal information, face considerable risks – among them damage to reputation, penalties and sanctions, lost citizen confidence and needless expense.
Of course, problems with leaks of our personal information from existing public-sector systems are one thing. But significant additional problems could arise if yet more of our personal information is acquired and stored in new central databases. In light of projects such as the proposed identity cards programme, ContactPoint (storing details of all children in the UK), and the Communications Data Bill (storing details of our phone records, e-mails and websites we have visited), some of Richard Thomas’s other comments are particularly prescient: “The more databases set up and the more information exchanged from one place to another, the greater the risk of things going wrong. The more you centralise data collection, the greater the risk of multiple records going missing or wrong decisions about real people being made. The more you lose the trust and confidence of customers and the public, the more your prosperity and standing will suffer. Put simply, holding huge collections of personal data brings significant risks.”
The Information Commissioner’s comments highlight problems that arise when many different pieces of information are brought together. Aggregating our personal information in this way can indeed prove “toxic”, producing the exact opposite consequences of those originally intended. We know, for example, that most intentional breaches and leaks of information from computer systems are actually a result of insider abuse, where some of those looking after these highly sensitive systems are corrupted in order to persuade them to access or even change records. Any plans to build yet more centralised databases will raise profound questions about how information stored in such systems can be appropriately secured.
The Prime Minister acknowledges these problems: “It is important to recognise that we cannot promise that every single item of information will always be safe, because mistakes are made by human beings. Mistakes are made in the transportation, if you like – the communication of information”.
This is an honest recognition of reality. No system can ever be 100 per cent secure. To help minimise risks, the technology industry has suggested adopting proposals such as “data minimisation” – acquiring as little data as required for the task at hand and holding it in systems no longer than absolutely necessary. And it’s essential that only the minimum amount of our personal information needed for the specific purpose at hand is released, and then only to those who really need it.
Unless we want to risk a domino effect that will compromise our personal information in its entirety, it is also critical that it should not be possible automatically to link up everything we do in all aspects of how we use the internet. A single identifying number, for example, that stitches all of our personal information together would have many unintended, deeply negative consequences.
There is much that governments can do to help protect citizens better. This includes adopting effective standards and policies on data governance, reducing the risk to users’ privacy that comes with unneeded and long-term storage of personal information, and taking appropriate action when breaches do occur. Comprehensive data breach notification legislation is another important step that can help keep citizens informed of serious risks to their online identity and personal information, as well as helping rebuild trust and confidence in online services.
Our politicians are often caught between a rock and a very hard place in these challenging times. But the stream of data breaches and the scope of recent proposals to capture and hold even more of our personal information does suggest that we are failing to ensure an adequate dialogue between policymakers and technologists in the formulation of UK public policy.
This is a major problem that we can, and must, fix. We cannot let our personal information in digital form, as the essential lifeblood of the internet age, be allowed to drain away under this withering onslaught of damaging data breaches. It is time for a rethink, and to take advantage of the best lessons that the technology industry has learned over the past 30 or so years. It is, after all, our data, nobody else’s.
• Jerry Fishenden is lead technology adviser for Microsoft in the UK