Politics and privacy engineering - PowerPoint PPT Presentation

About This Presentation
Title:

Politics and privacy engineering

Description:

Two discs containing names, addresses, DoB, NI no. and bank details of 25m ... better screening can enable policy makers to identify young children destined ... – PowerPoint PPT presentation

Slides: 28
Provided by: IanB66

Transcript and Presenter's Notes

Title: Politics and privacy engineering


1
Politics and privacy engineering
  • Dr Ian Brown
  • Oxford Internet Institute University of Oxford

2
Revenue & Customs lose 25m records
  • Two discs containing names, addresses, DoB, NI
    no. and bank details of 25m people lost in the
    post
  • Chairman of HMRC immediately resigned

3
Prime Minister's Questions 21/11/07
4
Impact on public opinion
Data: YouGov tracker poll for Daily Telegraph,
28/3/2008
5
Simple audit protocol
  • NAO: "I do not need address, bank or parent
    details in the download. Are these removable to
    keep the file smaller?"
  • HMRC: "I must stress we must make use of
    existing data we hold and not overburden the
    business by asking them to run additional data
    scans/filters that may incur a cost to the
    department."

6
£5,000 of code
  • SELECT Recipient_ID, Date, Amount
    FROM Child_Benefit_Payments;
  • gpg -e -r NAO benefitdata.csv

7
Privacy-enhanced audit
  • For each recipient, send to auditor
    (Recipient_ID, hash(shared_random, recipient
    data))
  • Auditor requests sample of x records
  • Only those records are sent, and can be checked
    against bit commitments
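The two slides above describe a data-minimised extract (select only the columns the auditor asked for) and a commitment-based audit (send the auditor only record IDs and commitments, open a sample on request, check each opened record against its commitment). The following is an added worked example of that protocol, not code from the presentation; the table columns, recipient IDs and amounts are constructed sample data, and the "shared_random" of slide 7 is modelled as a per-record random nonce that the data owner keeps and reveals only when that record is opened.

```python
"""Data minimisation plus privacy-enhanced audit (added example, constructed data).

Data owner (HMRC in the slides) keeps the full payments table, sends the
auditor (NAO) only (Recipient_ID, commitment) pairs, then opens the x
records the auditor samples. The auditor verifies every opened record
against the commitment it already holds, so the owner cannot alter a
record after the fact, and the auditor never sees the unsampled records.
"""
import hashlib
import hmac
import random
import secrets

# Constructed sample of the full table (column names are hypothetical).
FULL_RECORDS = [
    {"Recipient_ID": "R001", "Date": "2007-10-01", "Amount": "72.50",
     "Address": "1 Example St", "Bank": "00-00-00 00000001", "Parent": "A. Example"},
    {"Recipient_ID": "R002", "Date": "2007-10-01", "Amount": "145.00",
     "Address": "2 Example St", "Bank": "00-00-00 00000002", "Parent": "B. Example"},
    {"Recipient_ID": "R003", "Date": "2007-10-08", "Amount": "72.50",
     "Address": "3 Example St", "Bank": "00-00-00 00000003", "Parent": "C. Example"},
    {"Recipient_ID": "R004", "Date": "2007-10-08", "Amount": "18.10",
     "Address": "4 Example St", "Bank": "00-00-00 00000004", "Parent": "D. Example"},
]
AUDIT_COLUMNS = ("Recipient_ID", "Date", "Amount")   # what the NAO actually asked for


def minimise(records, columns=AUDIT_COLUMNS):
    """Slide 6: keep only the columns the audit needs (SELECT Recipient_ID, Date, Amount)."""
    return [{c: r[c] for c in columns} for r in records]


def canonical(record):
    """Deterministic byte encoding so owner and auditor hash exactly the same thing."""
    return "|".join(f"{k}={record[k]}" for k in sorted(record)).encode()


def commit(record, nonce):
    """Commitment = HMAC-SHA256(nonce, canonical record): hiding and binding.

    This stands in for the slide's hash(shared_random, recipient data); the
    nonce is 32 random bytes per record, never sent until the record is opened.
    """
    return hmac.new(nonce, canonical(record), hashlib.sha256).hexdigest()


def prepare_commitments(records):
    """Data owner: (list sent to auditor, private table of nonces and records)."""
    sent, private = [], {}
    for r in records:
        nonce = secrets.token_bytes(32)
        sent.append((r["Recipient_ID"], commit(r, nonce)))
        private[r["Recipient_ID"]] = (nonce, r)
    return sent, private


def choose_sample(commitments, x, rng=random):
    """Auditor: pick x record IDs to open (the owner does not choose the sample)."""
    ids = [rid for rid, _ in commitments]
    return rng.sample(ids, x)


def open_records(private, sample_ids):
    """Data owner: reveal only the sampled records together with their nonces."""
    return [(rid, private[rid][0], private[rid][1]) for rid in sample_ids]


def verify_opening(commitments, opened):
    """Auditor: return the IDs whose opened record does not match its commitment."""
    table = dict(commitments)
    bad = []
    for rid, nonce, record in opened:
        if rid not in table or not hmac.compare_digest(commit(record, nonce), table[rid]):
            bad.append(rid)
    return bad


def audit_demo(x=2, tamper=False, seed=1):
    """Run the whole exchange; with tamper=True the owner alters one opened amount."""
    sent, private = prepare_commitments(minimise(FULL_RECORDS))
    sample = choose_sample(sent, x, random.Random(seed))
    opened = open_records(private, sample)
    if tamper:
        rid, nonce, rec = opened[0]
        opened[0] = (rid, nonce, dict(rec, Amount="999.99"))
    return verify_opening(sent, opened)


if __name__ == "__main__":
    print("honest opening, mismatches:", audit_demo())
    print("tampered opening, mismatches:", audit_demo(tamper=True))
```

The auditor holds the commitments before the sample is drawn, so the owner cannot tailor the opened records to the sample; the HMAC nonce keeps the unsampled records hidden even though their commitments were sent.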

8
Individuals affected by UK data breaches since
July 2006
9
Basic security needed
  • Encrypted stored and in-transit data
  • Access control
  • Need-to-know

10
Measuring system security requirements
  • Scale and complexity
  • Number of users
  • Sensitivity of data
  • Connections to other systems, particularly
    untrusted
  • Connectivity to the Internet
  • Attractiveness as target

Source: B. R. Gladman and I. Brown (2007)
Security, Safety and the National Identity
Register. In S. G. Davies & I. Hosein (eds), The
Identity Project: an assessment of the UK
Identity Cards Bill and its implications, London
School of Economics, pp. 187-200.
11
Software quality is key
  • Prof. Martyn Thomas: "…almost every IT supplier in
    the world today is incompetent… the typical rate
    of delivered faults after full user acceptance
    testing from the main suppliers in the industry
    over many years has been steady at around 20
    faults per thousand lines of code. We know how to
    deliver software with a fault rate that is down
    around 0.1 faults per thousand lines of code and
    the industry does not adopt these techniques."
    Evidence to Home Affairs Select Committee,
    24/2/2004

12
Insider fraud
Source: What price privacy?, Information
Commissioner, May 2006
13
Key privacy engineering steps
  • Understand your problem
  • Design system to minimise collection, storage and
    access to personally identifiable information
  • Engineer security system to enforce privacy
    policies
  • Enforce controls and audit remaining accesses

Source: S. Marsh, I. Brown and F. Khaki (2008)
Privacy Engineering. Cybersecurity KTN white
paper
14
NHS Connecting for Health
  • £20bn programme
  • Patient Summary Care Records stored on
    centralised database (Spine) with pointers to
    Detailed Care Records in regional databases
  • Emergency treatment and research

15
Efficacy of NPfIT
  • Emergency clinicians' treatment styles
  • Public opposition to unconsented research

Source: The Use of Personal Health Information in
Medical Research, Medical Research Council, June
2007, pp. 54-55
16
Confidentiality problems
  • "Sealed envelope" limits access to especially
    sensitive records, but can be opened by the NHS
    and police, and doesn't actually exist yet!
  • Pretexting found in N. Yorkshire HA to be
    occurring 30 times per week (Anderson 1996)
  • Leeds Teaching Hospitals NHS Trust found 70,000
    cases of "inappropriate access" to systems in 1
    month
  • South Warwickshire General Hospitals NHS Trust
    allows A&E clinicians to share smartcards due to
    60-90s login times
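Slides 9, 13 and 16 make the same point from three directions: encryption and access control are the baseline, but authorised users can still read records they have no need to see, so the remaining accesses must be audited. Below is an added example of that audit step; it is not code from the presentation or from any NHS system. It runs two checks over a constructed access log: a need-to-know check (was the user on the patient's care team?) and a smartcard-sharing check (the same card active on two different workstations within a short window, the pattern that slide 16's shared-smartcard practice would produce). The user IDs, patient IDs, care-team table and log lines are all constructed.

```python
"""Audit of patient-record accesses (added example, constructed data).

Two detections over a record-access log:
  1. need_to_know_violations: access to a patient by a user who is not on
     that patient's care team (slide 9's "need-to-know" enforced after the
     fact, as slide 13's "audit remaining accesses" step);
  2. shared_card_alerts: one smartcard used on two different workstations
     within a short window, the footprint left by clinicians sharing cards
     to avoid slow logins (slide 16).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: which users legitimately treat which patients (hypothetical IDs).
CARE_TEAM = {
    "P100": {"dr_a", "nurse_b"},
    "P200": {"dr_c"},
    "P300": {"dr_a"},
}

# Constructed log lines: timestamp  smartcard  workstation  patient  action
LOG = """\
2008-03-10T09:00:00 card-dr_a ws-01 P100 view
2008-03-10T09:02:00 card-dr_a ws-07 P200 view
2008-03-10T09:03:00 card-nurse_b ws-02 P300 view
2008-03-10T09:45:00 card-dr_c ws-03 P200 view
2008-03-10T10:30:00 card-dr_a ws-04 P100 view
"""

CARD_PREFIX = "card-"


def parse_log(text):
    """Parse the whitespace-separated log format defined above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, ws, patient, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "card": card,
            "user": card[len(CARD_PREFIX):] if card.startswith(CARD_PREFIX) else card,
            "ws": ws,
            "patient": patient,
            "action": action,
        })
    return events


def need_to_know_violations(events, care_team=CARE_TEAM):
    """Accesses by a user who is not on the patient's care team.

    Returns (timestamp, user, patient) tuples; in a real deployment these
    would be reviewed rather than blocked, so emergency access still works.
    """
    return [
        (e["ts"].isoformat(), e["user"], e["patient"])
        for e in events
        if e["user"] not in care_team.get(e["patient"], set())
    ]


def shared_card_alerts(events, window=timedelta(minutes=15)):
    """Same smartcard seen on two different workstations within `window`.

    A single clinician cannot plausibly move between workstations that fast
    for every session, so repeated hits point to card sharing.
    """
    by_card = defaultdict(list)
    for e in events:
        by_card[e["card"]].append(e)
    alerts = []
    for card, evs in by_card.items():
        evs.sort(key=lambda e: e["ts"])
        for earlier, later in zip(evs, evs[1:]):
            if earlier["ws"] != later["ws"] and later["ts"] - earlier["ts"] <= window:
                alerts.append((card, earlier["ws"], later["ws"]))
    return alerts


def audit_report(text=LOG):
    """Run both checks over a log and return the findings as a dict."""
    events = parse_log(text)
    return {
        "need_to_know": need_to_know_violations(events),
        "shared_cards": shared_card_alerts(events),
    }


if __name__ == "__main__":
    for kind, findings in audit_report().items():
        print(kind, findings)
```

The care-team table is the control that makes the first check possible; without a recorded treating relationship, "inappropriate access" cannot be distinguished from legitimate access, which is why slide 13 puts minimising access and engineering the policy into the system before auditing it.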

17
General Practitioners' worries
  • 50% of GPs will refuse to upload medical records
    to central "Spine" without patients' permission
  • 80% think Spine puts patient confidentiality at
    risk
  • 79% think new system will be less secure

Source: Medix poll of 1,026 representative GPs,
Nov. 2006
18
ContactPoint & eCAF
  • Database storing details of 11m UK children's
    contact with social services, police, health and
    education
  • 330,000 users
  • 50% of children will have detailed seven-page
    assessment

Cornwall County Council
19
Purposes of ContactPoint
  • "Protecting children from abuse or neglect,
    preventing impairment of their health and
    development, and ensuring that they are growing
    up in circumstances consistent with the provision
    of safe and effective care which is undertaken so
    as to enable children to have optimum life
    chances and enter adulthood successfully."
  • Victoria Climbié case
  • Crime prevention

Source: R. Anderson, I. Brown, R. Clayton, T.
Dowty, D. Korff and E. Munro (2006) Children's
Databases: Safety and Privacy. Information
Commissioner's Office
20
Efficacy of ContactPoint
  • "The practitioners in contact with Victoria knew
    of each other's involvement and shared
    considerable amounts of information. The crucial
    errors arose from individuals either not paying
    attention to the information, or giving it a
    benign interpretation so that the risk to
    Victoria from abuse was not seen." -Anderson et
    al.
  • Wood for trees: Dr Liz Davies
  • Resources and evidence base for interventions

Source: R. Anderson, I. Brown, R. Clayton, T.
Dowty, D. Korff and E. Munro (2006) Children's
Databases: Safety and Privacy. Information
Commissioner's Office
21
Efficacy of ContactPoint
  • "Any notion that better screening can enable
    policy makers to identify young children destined
    to join the 5 per cent of offenders responsible
    for 50-60 per cent of crime is fanciful. Even if
    there were no ethical objections to putting
    potential delinquent labels round the necks of
    young children, there would continue to be
    statistical barriers." -Prof. David Farrington
  • Impact upon family autonomy

Source: R. Anderson, I. Brown, R. Clayton, T.
Dowty, D. Korff and E. Munro (2006) Children's
Databases: Safety and Privacy. Information
Commissioner's Office
22
UK National Identity Scheme
Source: S. G. Davies & I. Hosein (eds), The Identity
Project: an assessment of the UK Identity Cards
Bill and its implications, London School of
Economics, p. 25
23
Purposes of NIS
  • Anti-terrorism
  • Social security fraud
  • Identity fraud (£1.7bn pa)
  • Illegal immigration
  • Sense of community

24
Efficacy of NIS
  • "If you ask me whether ID cards or any other
    measure would have stopped the London bombings,
    I can't identify any measure which would have
    just stopped it like that." -Charles Clarke MP,
    former Home Secretary
  • "Benefit fraud that relies on false identity was,
    at most, 1 or 2 per cent of the total." -Peter
    Lilley MP, former Social Security Secretary
  • "The Home Office's definition of ID fraud doesn't
    match our definition. We class it as a more
    serious crime that involves a great deal more
    hassle than just having your card stolen and
    having to phone up the bank to cancel it." -APACS

25
Efficacy of Identity Scheme
  • "If stop and search is anything to go by, for
    Black people our ID card is really the colour of
    our skin." -Karen Chouhan, 1990 Trust
  • "Terrorists rarely conceal their identity, only
    their intention - as was apparent in the case of
    those involved in the 9/11 tragedy, and in Madrid
    and in Constantinople." -Peter Lilley MP

26
IT and the smaller state
  • "Never again could there be projects like
    Labour's hubristic NHS supercomputer… The basic
    reason for these problems is Labour's addiction
    to the mainframe model - large, centralised
    systems for the management of information."
    -David Cameron MP
  • "As chancellor, Brown relentlessly pursued his
    forlorn vision of a joined-up identity
    management regime across public services. As
    prime minister, he continues this vain search,
    like an obsessed alchemist, for a giant database
    that his closest advisers ominously refer to as a
    'single source of truth'." -David Davis MP

27
Conclusion
  • Privacy engineering is key to making privacy
    meaningful in information societies
  • Collect then protect is a fundamentally broken
    model
  • Understanding problem domain is critical
  • Privacy has become a key element in UK politics -
    central to debate over effective checks on state
    power