Politics and privacy engineering

Dr Ian Brown
Oxford Internet Institute
University of Oxford
Revenue & Customs lose 25m records

- Two discs containing names, addresses, DoB, NI no. and bank details of 25m people lost in the post
- Chairman of HMRC immediately resigned

Prime Minister's Questions 21/11/07
Impact on public opinion

[Chart] Data: YouGov tracker poll for Daily Telegraph, 28/3/2008
Simple audit protocol

NAO: "I do not need address, bank or parent details in the download – are these removable to keep the file smaller?"

HMRC: "I must stress we must make use of [existing] data we hold and not overburden the business by asking them to run additional data scans/filters that may incur a cost to the department."
£5,000 of code

-- Extract only the three fields the auditor asked for; names, addresses and bank details never leave the database
SELECT Recipient_ID, Date, Amount
FROM Child_Benefit_Payments

# Encrypt the extract to the NAO's public key before it is sent (-e encrypt, -r recipient)
gpg -er NAO benefitdata.csv
Privacy-enhanced audit

1. For each recipient, send to auditor (Recipient_ID, hash(shared_random, recipient data))
2. Auditor requests sample of x records
3. Only those records are sent, and can be checked against bit commitments
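The three-step protocol above, as an added worked example in Python (not code from the slides): the data holder commits to every record, the auditor chooses its sample only after seeing the commitments, and the holder opens just the sampled records, projected to the fields the auditor asked for. The record set, the field names and the use of a fresh random nonce per record in place of the slide's single shared random value are assumptions of this example.

```python
"""Privacy-enhanced audit: commit to every record, reveal only the sampled ones.

Added example, not from the slides. Step 1: data holder sends (Recipient_ID,
commitment) pairs. Step 2: auditor picks x IDs. Step 3: holder opens only
those records and the auditor checks them against the stored commitments.
"""
import hashlib
import hmac
import random
import secrets

# Fields the auditor actually needs; name, address and bank details stay with the holder.
AUDIT_FIELDS = ("Recipient_ID", "Date", "Amount")

# Constructed sample records (made up for this example, not real data).
RECORDS = [
    {"Recipient_ID": "R1001", "Date": "2007-10-01", "Amount": "72.40",
     "Name": "A. Example", "Address": "1 Any St", "Bank": "00-00-00 00000001"},
    {"Recipient_ID": "R1002", "Date": "2007-10-01", "Amount": "48.10",
     "Name": "B. Example", "Address": "2 Any St", "Bank": "00-00-00 00000002"},
    {"Recipient_ID": "R1003", "Date": "2007-10-08", "Amount": "72.40",
     "Name": "C. Example", "Address": "3 Any St", "Bank": "00-00-00 00000003"},
    {"Recipient_ID": "R1004", "Date": "2007-10-08", "Amount": "96.80",
     "Name": "D. Example", "Address": "4 Any St", "Bank": "00-00-00 00000004"},
    {"Recipient_ID": "R1005", "Date": "2007-10-15", "Amount": "72.40",
     "Name": "E. Example", "Address": "5 Any St", "Bank": "00-00-00 00000005"},
]


def commit(record, nonce):
    """Keyed-hash commitment over the audit fields of one record.

    The slide writes hash(shared_random, recipient data). This example (an
    assumption) uses a fresh 128-bit nonce per record as the key, so that the
    low-entropy Date/Amount values cannot be recovered by guessing, and
    length-prefixes each field so two different records cannot encode alike.
    """
    data = b""
    for key in AUDIT_FIELDS:
        value = str(record[key]).encode()
        data += len(value).to_bytes(2, "big") + value
    return hmac.new(nonce, data, hashlib.sha256).hexdigest()


class DataHolder:
    """HMRC side: holds the full records and the nonces used to commit to them."""

    def __init__(self, records):
        self.records = {r["Recipient_ID"]: dict(r) for r in records}
        self.nonces = {}

    def send_commitments(self):
        """Step 1: one (Recipient_ID, commitment) pair per record; no personal data is sent."""
        pairs = []
        for rid, rec in self.records.items():
            nonce = secrets.token_bytes(16)
            self.nonces[rid] = nonce
            pairs.append((rid, commit(rec, nonce)))
        return pairs

    def open_records(self, sample_ids):
        """Step 3: reveal only the sampled records, projected to AUDIT_FIELDS, with their nonces."""
        return [({k: self.records[rid][k] for k in AUDIT_FIELDS}, self.nonces[rid])
                for rid in sample_ids]


class Auditor:
    """NAO side: stores the commitments, chooses the sample, verifies the openings."""

    def __init__(self, commitments):
        self.commitments = dict(commitments)

    def choose_sample(self, x, rng=random):
        """Step 2: pick x IDs after the commitments arrive, so the holder cannot pre-select records."""
        return rng.sample(sorted(self.commitments), x)

    def verify(self, openings):
        """Step 3: every opened record must match the commitment stored for its ID."""
        for rec, nonce in openings:
            expected = self.commitments.get(rec["Recipient_ID"])
            if expected is None or not hmac.compare_digest(commit(rec, nonce), expected):
                return False
        return True


def run_audit(records, x, seed=None, tamper=False):
    """Run the protocol end to end; return (verified, sampled_ids, fields_revealed).

    With tamper=True the holder alters a sampled amount after committing, which
    the auditor's check must catch.
    """
    holder = DataHolder(records)
    auditor = Auditor(holder.send_commitments())
    sample = auditor.choose_sample(x, random.Random(seed))
    if tamper:
        holder.records[sample[0]]["Amount"] = "0.00"
    openings = holder.open_records(sample)
    revealed = {k for rec, _ in openings for k in rec}
    return auditor.verify(openings), sample, revealed


if __name__ == "__main__":
    ok, sample, revealed = run_audit(RECORDS, 2, seed=1)
    print("verified:", ok, "sample:", sample, "fields revealed:", sorted(revealed))
    print("tampered run verified:", run_audit(RECORDS, 2, seed=1, tamper=True)[0])
```

The commitment list received in step 1 also fixes the population: the auditor knows how many records exist and which IDs, so the holder cannot quietly drop or add records between sampling and opening. What the protocol does not give the auditor is any field outside AUDIT_FIELDS for the unsampled 25m-odd recipients, which is the point of the slide.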
Individuals affected by UK data breaches since July 2006
Basic security needed

- Encrypted stored and in-transit data
- Access control
- Need-to-know
Measuring system security requirements

1. Scale and complexity
2. Number of users
3. Sensitivity of data
4. Connections to other systems, particularly untrusted
5. Connectivity to the Internet
6. Attractiveness as target

Source: B. R. Gladman and I. Brown (2007) Security, Safety and the National Identity Register. In S. G. Davies & I. Hosein (eds), The Identity Project: an assessment of the UK Identity Cards Bill and its implications, London School of Economics pp.187-200.
Software quality is key

Prof. Martyn Thomas: "almost every IT supplier in the world today is incompetent… the typical rate of delivered faults after full user acceptance testing from the main suppliers in the industry over many years has been steady at around 20 faults per thousand lines of code. We know how to deliver software with a fault rate that is down around 0.1 faults per thousand lines of code and the industry does not adopt these techniques." Evidence to Home Affairs Select Committee, 24/2/2004
Insider fraud

[Chart] Source: "What price privacy?", Information Commissioner, May 2006
Key privacy engineering steps

1. Understand your problem
2. Design system to minimise collection, storage and access to personally identifiable information
3. Engineer security system to enforce privacy policies
4. Enforce controls and audit remaining accesses

Source: S. Marsh, I. Brown and F. Khaki (2008) Privacy Engineering. Cybersecurity KTN white paper
NHS Connecting for Health

- £20bn programme
- Patient Summary Care Records stored on centralised database ("Spine") with pointers to Detailed Care Records in regional databases
- Emergency treatment and research
Efficacy of NPfIT

- Emergency clinicians' treatment styles
- Public opposition to unconsented research (paper last year, blog?)
Confidentiality problems

- "Sealed envelope" limits access to especially sensitive records… but can be opened by the NHS and police and doesn't actually exist yet!
- Pretexting found in N. Yorkshire HA to be occurring 30 times per week (Anderson 1996)
- Leeds Teaching Hospitals NHS Trust found 70,000 cases of "inappropriate access" to systems in 1 month
- South Warwickshire General Hospitals NHS Trust allows A&E clinicians to share smartcards due to 60-90s login times
General Practitioners' worries

- 50% of GPs will refuse to upload medical records to central "Spine" without patients' permission
- 80% think Spine puts patient confidentiality at risk
- 79% think new system will be less secure

Source: Medix poll of 1,026 representative GPs, Nov. 2006
ContactPoint & eCAF

- Database storing details of 11m UK children's contact with social services, police, health and education
- 330,000 users
- 50% of children will have detailed seven-page assessment

Cornwall County Council
Purposes of ContactPoint

- "[P]rotecting children from abuse or neglect, preventing impairment of their health and development, and ensuring that they are growing up in circumstances consistent with the provision of safe and effective care which is undertaken so as to enable children to have optimum life chances and enter adulthood successfully."
- Victoria Climbie case
- Crime prevention

Source: R. Anderson, I. Brown, R. Clayton, T. Dowty, D. Korff and E. Munro (2006) Children's Databases - Safety and Privacy. Information Commissioner's Office
Efficacy of ContactPoint

- "The practitioners in contact with Victoria knew of each other's involvement and shared considerable amounts of information. The crucial errors arose from individuals either not paying attention to the information, or giving it a benign interpretation so that the risk to Victoria from abuse was not seen." - Anderson et al.
- Wood for trees (Dr Liz Davies)
- Resources and evidence base for interventions

[Chart] Source: R. Anderson, I. Brown, R. Clayton, T. Dowty, D. Korff and E. Munro (2006) Children's Databases - Safety and Privacy. Information Commissioner's Office
Efficacy of ContactPoint

- "[A]ny notion that better screening can enable policy makers to identify young children destined to join the 5 per cent of offenders responsible for 50-60 per cent of crime is fanciful. Even if there were no ethical objections to putting 'potential delinquent' labels round the necks of young children, there would continue to be statistical barriers." - Prof. David Farrington
- "The practitioners in contact with Victoria knew of each other's involvement and shared considerable amounts of information. The crucial errors arose from individuals either not paying attention to the information, or giving it a benign interpretation so that the risk to Victoria from abuse was not seen." - Anderson et al.
- Impact upon family autonomy

Source: R. Anderson, I. Brown, R. Clayton, T. Dowty, D. Korff and E. Munro (2006) Children's Databases - Safety and Privacy. Information Commissioner's Office
UK National Identity Scheme

[Chart] S. G. Davies & I. Hosein (eds), The Identity Project: an assessment of the UK Identity Cards Bill and its implications, London School of Economics p.25
Purposes of NIS

- Anti-terrorism
- Social security fraud
- Identity fraud (£1.7bn pa)
- Illegal immigration
- Sense of community
Efficacy of NIS

- "If you ask me whether ID cards or any other measure would have stopped [the London bombings], I can't identify any measure which would have just stopped it like that." - Charles Clarke MP, former Home Secretary
- "Benefit fraud that relies on false identity was, at most, 1 or 2 per cent of the total." - Peter Lilley MP, former Social Security Secretary
- "The Home Office's definition of ID fraud doesn't match our definition. We class it as a more serious crime that involves a great deal more hassle than just having your card stolen and having to phone up the bank to cancel it" - APACS
Efficacy of Identity Scheme

- "If stop and search is anything to go by, for Black people our ID card is really the colour of our skin." - Karen Chouhan, 1990 Trust
- "Terrorists rarely conceal their identity, only their intention - as was apparent in the case of those involved in the 9/11 tragedy, and in Madrid and in Constantinople." - Peter Lilley MP
IT and the smaller state

- "Never again could there be projects like Labour's hubristic NHS supercomputer… The basic reason for these problems is Labour's addiction to the mainframe model - large, centralised systems for the management of information." - David Cameron MP
- "As chancellor, Brown relentlessly pursued his forlorn vision of a 'joined-up identity management regime' across public services. As prime minister, he continues this vain search, like an obsessed alchemist, for a giant database that his closest advisers ominously refer to as a 'single source of truth'." - David Davis MP
Conclusion

- Privacy engineering is key to making privacy meaningful in information societies
- "Collect then protect" is a fundamentally broken model
- Understanding the problem domain is critical
- Privacy has become a key element in UK politics - central to debate over effective checks on state power

				