“Nothing to hide, nothing to fear”, database security and Britain’s national identity scheme
A common slogan used by many of those who support measures that put the general population under surveillance, such as CCTV and the British national identity scheme, is “if you’ve got nothing to hide, there’s nothing to fear”. I’ve criticised this slogan before, as have Samizdata (e.g. here, at their sister blog White Rose and here), UKLiberty and the No2ID weblog.
However a particularly compelling illustration of why the slogan “nothing to hide, nothing to fear” is so wrong-headed, and how law abiding people can be put at risk by those who gather information about them is provided by the spate of recent stories involving large (often governmental) organisations losing, or otherwise publicly exposing, personal details of the people who deal with them:
- Organisations who are reported to have exposed personal details on the internet include the pharmaceuticals giant Roche, whose systems exposed people’s medical details, RyanAir whose online check-in facility sent confidential information across the internet unencrypted, the Foreign Office, whose system for online application for Visas exposed the details of Indian applicants and Britain’s NHS whose (now scrapped) MTAS system exposed the full personal details of medical students applying for posts as junior doctors.
- Organisations reported to have lost personal data, unwittingly given it away or to have had it stolen include the US Transport and Security Administration who have lost a hard drive containing the details of 100,000 employees and former employees, Southend Borough Council who had a computer containing sensitive files about vulnerable children that ended up being sold on eBay for £1.70 after a mishap in their computer recycling program and UK retailer Marks and Spencer, who had a laptop stolen containing the details of 26,000 members of staff.
The above are just a handful of recent stories, and I’m aware of other examples going back years. For example numerous cases of organisations losing, public exposing or abusing the personal information they store are also documented in UK Liberty’s article on data abuse.
In each of these cases, the personal details of law abiding citizens, often numbered in thousands or tens of thousands, have been compromised and may have fallen into the hands of those who might try and impersonate them or otherwise use the information against them. So much for “nothing to hide, nothing to fear”.
The British government claims its national identity scheme will help combat identity theft, but it seems to me that it is more likely to enable identity theft because not only will it store all all the information needed for someone to pretend to be you in one place, but its National Identity Registration Number will end up indexing both your national identity register entry and your entries in other databases both private and public. The NIRN and much of your personal information on the NIR will be shared with many public and private sector organisations and be accessible by thousand and thousands of officials.
It beggars belief that lapses in security similar to those reported above would be minimised by such a system or that the opportunities for stealing the information would be minimised either. And, unlike the systems above, your participation (if you’re a permanent resident of Britain) in the scheme will not be voluntary if the government gets its way.