As people much cleverer than me have repeatedly pointed out, you cannot have a secure system if you are going to give hundreds of thousands of people access to it. A rather obvious case study is the UK government’s database of all children in the UK. It’s called ContactPoint (or the Children’s Index, as was) and will contain the details of every child in the UK. According to the Department for Education and Skills (DfES), the information that will be “visible to users” includes name, address, gender, date of birth, name and contact details of parents, schools, GP, health visitors and other practitioners. There’s some serious thought gone into privacy, though, since when I previously looked at the DfES web site it clearly stated that the Index will not store “fruit and vegetable consumption” (I did not make this up: local authority web sites confirm it). The privacy problem is obvious: child abusers, violent partners, criminals and others could use the Index to obtain, as Eileen Munro of the LSE puts it, “interesting information”.
The database won’t give you the address and phone number of every child: the government has said that people who are rich and/or famous will not have their children’s addresses and phone numbers stored in the index, so that only the offspring of the peasantry can be contacted. They weren’t specific as to the metrics though, and I’m curious to know: how rich do you have to be, for example, or what constitutes sufficient fame (do you have to be inside Heat magazine, or actually on the cover)? I imagine that the Home Office will have to set up some sort of commission to sift through forms from members of parliament, pop singers and Big Brother contestants to determine who qualifies for family privacy. And there’ll have to be an appeals process, which I hope will be televised: I’d love to see minor celebrities pleading their case in front of a panel (perhaps Simon Cowell could chair). With text message voting, of course.
So why the rich and/or famous exception clause? Clearly, the government have (correctly) concluded that there’s not the slightest possibility of keeping the database contents secure when it has 400,000 users. Government databases that are meant to be as secure as this one, and with many fewer users, have already been compromised. The DVLA, for example. And it has already happened at the new Identity & Passport Service, where three staff have been sacked and a fourth resigned before disciplinary procedures were concluded.
This isn’t a UK problem: it’s not because the UK government is especially insecure or because UK IT suppliers don’t know how to implement secure systems. Look at Australia, to choose a random example, where government employees were caught rummaging through the welfare records of friends, family, neighbours and ex-lovers: 19 staff were sacked and 92 resigned after 790 cases of inappropriate access were uncovered. In the most serious cases, staff members changed people’s details without authorisation as they spied on sensitive information.
When Lord Adonis, the education minister, told the House of Lords that the details of children with “celebrity status” would be concealed in some way, he was simply being realistic about the inevitable consequence of building giant databases with widespread access. Any digital identity expert would have predicted this, wouldn’t they? We need a new approach: one that isn’t founded on building big databases and putting everything in them.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.