VSJ – March 2008 – Sounding Board

Robin Jones surveys the data privacy scene.

Much has been written recently on the allied topics of privacy and data security as they affect the individual citizen. There is a natural tension between the two. On the one hand, I keep my credit card details private against the possibility of their being used fraudulently. On the other, I necessarily expose them whenever I use it to make a purchase and, in doing so, I lose control of them, potentially for ever. The recipient has only to be less than fastidious in securing the data – however briefly it holds them – for me to be seriously inconvenienced or worse.

The data breach at TJX (TK Maxx in the UK) reported last Spring is an excellent case in point. The number of cards exposed worldwide ran into tens of millions and over 400 000 customers had further identification data, such as driving licences, compromised.

So it would hardly be surprising if people were unwilling to provide personal information to any large organisation. That’s especially true of branches of Government which are often seen as less customer-focussed than the commercial sector. And given the string of recent reports of the apparently cavalier attitude to data security practised in at least some Government departments, one would hardly need to be paranoid to be worried.

Now of course networks should be perfectly secured and sensitive data should always be encrypted and shouldn’t be entrusted to a postal service (public or private) and shouldn’t be removed without authorisation from a secure environment and so on and so on. But the more rules you make and the more people you employ, the more likely it is that someone will break one (rule not person) sooner or later.

Perhaps we should take a step back and ask why the problem is arising now. After all, governments have been keeping data on us since the 11th Century and most people have had dealings with financial institutions of one kind or another for a hundred years or so. However, two independent but parallel contributory developments have taken place over the last forty years.

The first is a loss of personal recognition. When I first held a bank account, in the 1960s, my bank manager recognised me on sight. If I needed a bank service, I went to him. Today, I do not even know where my bank is. Oh, I have its address. It’s in London somewhere but not in an area I know. So, in principle, anyone can now say they are me in a way that simply wasn’t imaginable then.

The second is the extraordinary collapse in the cost of storing and – more importantly – copying data. In the mid-1960s a megabyte of disk storage cost around an average annual salary. Today, the average worker can buy about 6 MB for every second he or she works. And he can easily slip twenty or thirty thousand times that into his shirt pocket, not to mention connect it, without any remarkable expertise, to most computers in the known universe.

Today, the two parallel strands intertwine disastrously. If I still knew my bank manager, cheap data metaphorically falling off the back of a questionable lorry would be relatively unimportant because a fraudster would still have to present himself physically as me. If data storage were expensive, nobody would copy any without thinking very hard first and, probably, getting written permission in triplicate. But I don’t and it isn’t and we can’t put either genie back in its bottle.

There seem to me to be three golden rules, relating directly to the above issues, to minimise future problems.

1. Identify data sources directly

The problem is to create a modern equivalent of being recognised by your bank manager. That should be fairly easy. For example, an application for a credit card could be accompanied by a DNA sample to act as a comparator later.

2. Provide feedback

In the ’60s, banks monitored their customers individually. Now the process is automated. And it’s done pretty well. Transactions in unlikely places or for suspiciously large amounts are reported. But if you want macro-information about accounts being opened or altered, you have to subscribe to one of the credit reference agencies. Why not bundle such memberships with accounts?

3. Keep data as close as possible to its source

Here, the issue is that the more massive the central database, the more potentially disastrous an accidental breach becomes. So distribute it. Take, for example, the planned NHS patient record system. One of its aims is to ensure that, should I walk under a bus in Newcastle with my records in Nuneaton, the medical staff could know if I am allergic to penicillin whether or not I was conscious. There’s an assumption here, namely that I’m carrying a uniquely identifying document at the time of the accident. Well, if that’s the case, why shouldn’t it hold my entire medical record? A number of health care companies in the US are already marketing so-called ‘portable health records’ using credit card format USB devices. “Ah,” I hear you cry, “but what happens when people lose their USB cards?” Well, I can’t answer for you, but I’d rather be responsible for my own data than hand it over and trust a conglomerate – private or public – with it.

There are other things we can do. Learn from the military. When they move dangerous stuff around (and data is dangerous stuff) they binarise it. That is, two inert components are created, which only become a weapon when brought together. The loss of Child Benefit data is (as reported) a case of this rule being stood on its head. The NAO asked for the data to be anonymised before being sent to them but were told this would be ‘too expensive’. If, as a matter of course, databases were designed as sets of semi-anonymous tables, these could be transmitted independently at no extra cost.
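As an added illustration of the ‘binarising’ idea above (this is example code written for this column, not anything from the NAO, HMRC or any real system), the script below splits a table of benefit records into two halves: an identity table and an attribute table, linked only by a random surrogate key. The attribute half can be sent off for audit or analysis on its own; without the identity half it names nobody, and the identity half without the attributes is just an address book. The field names and sample rows are invented for the example.

```python
"""Split personal records into two 'inert' halves linked by a surrogate key.

Added example of pseudonymised table splitting. Record layout, field names
and the sample rows are constructed for illustration only.
"""
import secrets

# Fields that identify a person directly (assumed layout). Everything else is
# payload that an auditor can work on without learning who the person is.
IDENTITY_FIELDS = ("name", "ni_number", "address")

# Constructed sample rows; the values are invented.
SAMPLE_RECORDS = [
    {"name": "A. Person", "ni_number": "QQ123456A", "address": "1 High St",
     "children": 2, "weekly_benefit": 35.60, "claim_year": 2007},
    {"name": "B. Other", "ni_number": "QQ654321B", "address": "2 Low Rd",
     "children": 1, "weekly_benefit": 18.10, "claim_year": 2006},
    {"name": "C. Third", "ni_number": "QQ111111C", "address": "3 Mid Ave",
     "children": 3, "weekly_benefit": 52.40, "claim_year": 2007},
]


def split_records(records):
    """Return (identity_table, attribute_table), each keyed by a surrogate.

    The surrogate is a fresh random token, NOT a hash of the NI number or
    name: a hash of a low-entropy identifier can be brute-forced, which
    would silently re-link the two halves for anyone holding just one.
    """
    identity_table = {}
    attribute_table = {}
    for rec in records:
        key = secrets.token_hex(16)
        identity_table[key] = {f: rec[f] for f in IDENTITY_FIELDS}
        attribute_table[key] = {
            f: v for f, v in rec.items() if f not in IDENTITY_FIELDS
        }
    return identity_table, attribute_table


def leaks_identity(attribute_table):
    """Check before transmission: True if an identifying field slipped through."""
    return any(
        f in row for row in attribute_table.values() for f in IDENTITY_FIELDS
    )


def recombine(identity_table, attribute_table):
    """Rebuild full records; only possible when both halves are to hand."""
    return [
        {**identity_table[k], **attribute_table[k]} for k in attribute_table
    ]


if __name__ == "__main__":
    ident, attrs = split_records(SAMPLE_RECORDS)
    print("attribute half safe to send:", not leaks_identity(attrs))
    print("rows recovered with both halves:", len(recombine(ident, attrs)))
```

The check in `leaks_identity` is the one worth wiring into whatever actually does the sending: it is cheap, and it is the step the ‘too expensive’ answer skipped. Keeping the identity table on a separate system, with its own access controls, is what makes the split worth anything.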

The previous paragraph contains a statement that should become our mantra: Data is Dangerous Stuff. Collectively, we demonstrate every day that we don’t really believe this. The Government, quite apart from its data loss problems, has made it more difficult for us to report e-crime by limiting who can talk to SOCA. Insurance company call centre staff have provided customer information to fraudulent callers. Individuals upload masses of their personal data on to social networking Web sites. Most of us don’t secure our mobile phone address books. And so on and so on.

So there’s a massive educational job to be done throughout our entire society. But if you think that’ll be expensive, try ignorance.

[Something you’d like to get off your chest? Email me (Robin Jones) at eo@iap.org.uk.]
