Government department selling YOUR details to criminals
The Scotsman reveals that the DVLA have been selling drivers’ personal details to firms, some of which are run by convicted criminals. At a cost of only £3,000 a year, firms including a clamping company found guilty of extorting thousands of pounds from individuals have been able to directly access the DVLA’s database, finding home addresses for people using only their car’s number plate. The Information Commissioner is set to investigate claims that the DVLA have breached data protection laws. They have certainly betrayed the trust of millions of drivers.
Of course, those with nothing to hide have nothing to fear. However, in the case of criminals accessing your data and potentially discovering that your car and you are hundreds of miles away from your probably empty home, we all have something to fear. The National Identity Register will only open more security holes such as this in all our lives. We have no guarantee that our data will not be sold on at bargain prices to whoever comes asking. Indeed, it seems likely that to maintain an “affordable” scheme our data will have to become such a commodity.
November 30th, 2005 at 08:58
The equivalence is not strong, between this problem and any with the proposed National Identity Register (NIR).
The issue with the DVLC is that it is fulfilling its correct and necessary function, of providing the addresses of Registered Keepers for dealing with parking, speeding and other traffic violations, where the perpetrator is no longer present (or is not co-operative). However, it is also creating a risk of providing this information to less desirable people and organisations.
Use of the NIR (excepting that for police and national security purposes) could and should be just to confirm (or deny) correctness of information provided by the registered person (or someone claiming to be them). Thus no information need be extracted from the NIR, beyond a YES/NO decision.
The only exception to this that I see, and it is possibly a useful one, is provision of a digitised photograph of someone who has forgotten to bring their ID card. If that is thought “too risky” then such a service need not be made available.
While this is not the only way that the NIR could be operated, in providing identify verification services, it strikes me as the best thing, to avoid nearly all concerns over infringement of personal privacy.
Further thoughts on the operation of the NIR (and whole NIdS) can be found at: http://www.camalg.co.uk/tk051116a/TK051116A_bcs_02.pdf
Parts of this are too technical to be to everyones’ taste; however bits at the beginning and end are of more general interest.
It is also the case, for both the DVLC and NIR, that all accesses must be by previously authorised organisations and they could and should be logged. Thus there would be evidence, in the case of suspected improper access.
Best regards
December 1st, 2005 at 21:05
I don’t share Nigel’s apparent confidence that the NIR will be operated in a way that will offer any better protection for those whose data it holds than the DVLC database.
Nigel correctly points out that the NIR could, and should, offer better protection. But in my view the important question is not what it could or should offer, but rather what we can reasonably expect it to offer based on our experience of how the government protects data on which our safety and security might depend.
For the most part this is a political question, not a technical one, since even a highly secure system cannot offer any protection if the government willingly provides access to any data it holds to all and sundry without careful scrutiny.
And we now KNOW, based on what the DVLA is doing, that the government is more than willing to give out information that can create very serious risks to our safety and security provided only that the party involved is willing to pay. Moreover, if, as widely reported, the government has been giving out our data to companies being run by people with criminal convictions, then I think we can reasonably conclude that the government doesn’t have the slightest interest in our safety.
In safety and security work, the basic principle is that, in the absense of evidence to the contrary, we must assume the worst. We now know what the worst is and we have no evidence to show that it will not happen.
December 2nd, 2005 at 12:23
As is usually the case, Brian and I agree on the technology.
The pertinent technological issue here is that, if the NIR were designed and implemented to provide only CONFIRM/DENY information to any enquiries (except those for police and national security purposes), then it would impossible for NIR information to leak out through wrongful enquiry by those outside government.
Furthermore, if Parliament were to pass a National Identity Bill that only authorised the Government to build an NIR on the CONFIRM/DENY principle, then the private information of citizens/residents would be better protected.
Brian’s “political” case, if expanded to the general, seems to be that, as government is not perfect in its use of technology, we should assume that they are 100% incompetent. Accordingly, we should not require them to do better and have Parliament license them accordingly, but should ban them from any use of technology. As the Government will clearly continue using technology, Brian’s political approach means we will have to put up with what the Government does to us, rather than look to Parliament to constrain them more appropriately.
If the proposed National Identity Scheme (NIdS) goes ahead (which, of course NO2ID hopes will not happen), surely it would be better than not to reduce the downside risks of misuse of private information. This is especially the case where such limits do not impinge (at all or much) on any benefit of the NIdS to citizens/residents.
Best regards
December 2nd, 2005 at 13:49
Nigel has reasonably responded to my previously expressed views on government incompetence in the exploitation of technology. But in this case my concern has nothing to do with technology.
The DVLA situation is a very real and practical indication of a much more serious issue – one which most certainly does reflect on the true loyalties of those in Parliament who might vote to allow the government to proceed with the NIR.
This is the now demonstrated, appalling mindset within government when it comes to protecting data on which the safety and security of invididual UK citizens might depend.
with best regards