The state, encryption and data loss.
By now, most Britons will be aware of at least some of the numerous cases of data loss by the government and public bodies that seem to be occurring on a regular basis (for example, see UK Liberty’s data loss page). It seems the most frequent means by which the data goes missing involve one of the following:
- Someone loses laptops, CDs or memory sticks in the course of their activities.
- CDs or memory sticks go missing in the post.
- Laptops, memory sticks or CDs get stolen.
With modern technology, devices that store huge volumes of data can be carried around in our pockets. E.g. I have a 4 GB memory stick that’s only a few centimetres in length, about 1.5 cm wide and about 0.75 cm thick. Modern mobile phones, PDAs and laptops will also store large amounts of data. It is inevitable that large organisations will lose these devices, and that some of them will suffer from the theft of such devices.
The loss or theft of these devices would not matter so much, though, if it weren’t for the fact that the data is not encrypted.
For example, when the child benefits database, containing personal information about every family with a child in Britain (at the time), went missing in the post, had the data been properly encrypted, the risk of it being misused by someone who found the CDs would have been minimal: without the password to decrypt the data, they simply would not have been able to read the information. Of course, doing this does not make the data 100% secure, but it does greatly reduce the risks from the loss of such devices.
The advice for any organisation that needs to transfer data in a secure manner is simple: do not download it onto a CD, laptop, memory stick or any other portable device without encrypting it. But is this advice being followed by the government? Well, with regard to the Home Office, it appears the answer is “no”. Their policy is that they do not always encrypt data before transferring it by disk.
What this means is that we cannot trust the Home Office to take adequate precautions to protect our personal data.
There is no excuse for this. There are numerous encryption packages available, including free open source products such as the GNU Privacy Guard, and for that matter the government itself has helped to develop encryption techniques, e.g. GCHQ pioneered public key encryption. And this bunch of jokers propose to create a national identity scheme that will record who we do business with throughout our lives, whilst enabling the linking together of disparate databases of personal information and widespread sharing of such data, whilst claiming it will be secure. And that’s just one of their mass surveillance schemes.
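The advice above (never copy data to a portable device without encrypting it) can be enforced with a check run before anything is written to disc or memory stick. The following is an added example, not part of the original post: it lists the files in a staging directory that do not begin with an OpenPGP encrypted-message header, such as GnuPG produces. The directory layout, file names and function names are assumptions, the sample files are constructed, and the header test is a heuristic: it shows a file is wrapped as an OpenPGP message, not that its passphrase or key is strong.

```python
import tempfile
from pathlib import Path

ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"
# OpenPGP packet tags that can begin an encrypted message (RFC 4880, section 4.3):
# 1 = public-key encrypted session key, 3 = symmetric-key encrypted session key,
# 9 = symmetrically encrypted data, 18 = encrypted and integrity-protected data.
ENCRYPTED_TAGS = {1, 3, 9, 18}


def first_packet_tag(head: bytes):
    """Return the tag of the first OpenPGP packet, or None if this is no packet header."""
    if not head or not head[0] & 0x80:   # bit 7 is always set in a packet header
        return None
    if head[0] & 0x40:                   # new-format header: tag in bits 5-0
        return head[0] & 0x3F
    return (head[0] >> 2) & 0x0F         # old-format header: tag in bits 5-2


def looks_encrypted(path: Path) -> bool:
    """Heuristic: does the file start like an OpenPGP encrypted message?"""
    with path.open("rb") as fh:
        head = fh.read(64)
    if head.lstrip().startswith(ARMOR_HEADER):   # ASCII-armoured output
        return True
    return first_packet_tag(head) in ENCRYPTED_TAGS


def unencrypted_files(staging_dir):
    """List files (relative paths) that must not be copied to portable media as they are."""
    root = Path(staging_dir)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and not looks_encrypted(p))


def demo():
    # Constructed staging area: one plaintext export and two OpenPGP-looking files.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "claimants.csv").write_bytes(b"name,dob\nA N Other,1970-01-01\n")
        (root / "claimants.csv.gpg").write_bytes(b"\x8c\x0d\x04\x09\x03\x02" + b"\x00" * 32)
        (root / "notes.txt.asc").write_bytes(ARMOR_HEADER + b"\n\n(constructed body)\n")
        return unencrypted_files(root)


if __name__ == "__main__":
    blocked = demo()
    print("Refuse transfer, unencrypted:" if blocked else "All files encrypted.", blocked)
```

A transfer script would call `unencrypted_files()` on the staging directory and refuse to write to the device while the list is non-empty.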
