Inevitable, Really…

Via Bookdrunk writing at the Devil’s Kitchen, this story:

An internal investigation at the Department for Work and Pensions (DWP) has found that civil servants are colluding with organised criminals to steal personal identities on “an industrial scale”.

Ministers have been privately warned that the investigation will show that hundreds of thousands of stolen personal details have been ripped off from official databases, often with inside help.

Those of us opposed to the Identity Cards Act (2006) with its all-encompassing database and audit trail, realised early on that inside corruption would be an issue. Indeed, if anything we underplayed the argument. I recall very early on discussing on a forum that only a 1% level of corruption would be sufficient weakness to undermine confidence and that no system is 100% secure. To be presented with this story rather underlines our concerns. I wonder if the newspaper reading public will make the connection? Certainly the Independent doesn’t overtly do so. Yet it is obvious. Or, is it more obvious that with the NIR being a gold standard database, this ID theft would not only have not happened, but the ID cards and their database would have prevented it from happening? Ah, such is the power of Newspeak.

6 Comments

  1. Longrider wrote: “Or, is it more obvious that with the NIR being a gold standard database, this ID theft would not only have not happened, but the ID cards and their database would have prevented it from happening? Ah, such is the power of Newspeak.”

    I don’t think I do Newspeak, but feel free to argue I am mistaken.

    I could argue, I think correctly, that the National Identity Scheme would have beneficial effect in preventing identity fraud. That might also include in the circumstances that might just prevail here (see ‘iii’ below).

    However, in the current case, I have some different observations:

    (i) What has (or is alleged to have) happened is very bad. It is/would certainly be a breach of privacy laws and of the general obligation to keep private such things as are private. In particular, someone’s status in terms of (un)employment or receipt of social security benefit is their business to disclose as they choose, and not anyone else’s business unless they do choose to disclose it to them.

    (ii) It’s not clear from the Indy article exactly what has been disclosed, and to whom. Thus it is rather difficult to be certain what risk the disclosure imposes, concerning identity fraud (and other identity misuse).

    (iii) I would expect the disclosure to include: name, address, date of birth, National Insurance Number. It does seem to be the case that knowledge of such information is incredibly helpful in identity fraud. However, I would ask why?

    Consider the following. Late at night, some chap approaches you with a hard luck story of losing his wallet, etc. He asks you for a loan of £30 for a taxi home (his wife is away, no money in the house), and of course for your name and address to return the money. Are you more inclined to “loan” him the £30 (and disclose your personal info) if he tells you his name, date of birth, address and NI Number? Also, how much more inclined are you to be separated from your £30 if you just happen to have on-line access to a database that confirms the consistency of those 4 bits of information?

    Best regards

  2. The issue (while my tone was mildly facetious) is that any system is as weak as those entrusted with its operation. This case merely highlights what is likely to happen with the NIR. My reference to Newspeak was that the government will try to spin this one out of all recognition and make impossible claims for the NIR.

    Your example falls down I’m afraid – I wouldn’t lend the money under any circumstances. Firstly, it is highly unlikely that I would be carrying that much cash (you’ll be lucky to find me carrying as much as a tenner) and secondly, I never respond to hard luck stories of this kind. People who stop me in the street and ask for money receive a polite refusal that is non-negotiable. So, no, I would not want to know his name, address, NI number or worse, be able to access it on-line. Nor would I have a need to part with my personal details. Being a deeply private person, the very thought sends shivers down my spine.

    As to why this information is so useful; surely with that, it is a relatively simple matter to build a new identity and run up bank loans, credit card debts and so on, with the original owner of the identity taking the hit for the unpaid losses.

  3. Longrider writes: “As to why this information is so useful; surely with that, it is a relatively simple matter to build a new identity and run up bank loans, credit card debts and so on, with the original owner of the identity taking the hit for the unpaid losses.”

    But why accept knowledge of this information, which is fairly readily available, as proof that some person is person A (their claim), and not some other person B?

    All this information is available to HR staff at your employer, and probably to several staff at anywhere you apply for a job, and every employment agency you deal with. That is in addition to thousands of Inland Revenue and DWP staff. Also most, if not all, utility companies that I deal with know much of this information.

    It’s time to move forward to some better means of confirming our identities.

    Best regards

  4. “But why accept knowledge of this information, which is fairly readily available, as proof that some person is person A (their claim), and not some other person B?”

    Indeed – but I’m not saying that we should, necessarily. This is a question best posed to the home office as it is they who wish to use such information to “prove” identity. Given that the NIR will use all the readily available low level “unreliable” information we already use, surely the “gold standard proof” is a paradox before it starts. The biometrics will, at best, confirm that the person providing the information is the person providing the information, not necessarily that they are who they say they are.

    However, as this case spells out rather graphically, inside corruption, whether sale of data or a means of bypassing the security, is a weak link. Having all our eggs in one basket with such a weak link is a dangerous move. Despite this, the home office seems unperturbed, but, I guess, it’s us, not they, who will suffer, so why should they care?

  5. Longrider writes: “The biometrics will, at best, confirm that the person providing the information is the person providing the information, not necessarily that they are who they say they are.”

    That’s what they do (if and when they work well enough): confirmation of continuity of identity.

    Most of what is required for identity is continuity, rather than absolute identity. If you have provably been (the same) Longrider for decades, you ARE Longrider.

    And he writes: “However, as this case spells out rather graphically, inside corruption, whether sale of data or a means of bypassing the security, is a weak link. Having all our eggs in one basket with such a weak link is a dangerous move. Despite this, the home office seems unperturbed, but, I guess, it’s us, not they, who will suffer, so why should they care?”

    I do agree, really, that this security breach is pretty horrendous. I also agree that the reaction of the Government as a whole means that it does not bode well for any private data kept by the Government, including the NIR.

    Best regards
