IT-Analysis.com
IT-Analysis.com Logo
Business Issues Security & Risk
Enterprise SME Business Issues Technology Services Channels
Compliance Regulation Employment Innovation Security & Risk Costs Change Quality padlock  Login | Free Registration 
Archive  | Papers  | Events  | Newswire  | Blogs  | Find a Technology Supplier  Contact IT-Analysis.com 
Module Header
Philip HowardBloor IM Blog
Philip Howard
8th February - Bribery
Nigel StanleyBloor Security Blog
Nigel Stanley
8th February - Conficker grounds police checks
David NorfolkThe Norfolk Punt
David Norfolk
3rd February - What's wrong with "security"
Laurie McCabeLaurie McCabe
Laurie McCabe
2nd February - What is Total Cost of Ownership, and Why Should You Care?
Philip HowardBloor IM Blog
Philip Howard
2nd February - Calpont finally comes to market
Laurie McCabeLaurie McCabe
Laurie McCabe
29th January - Does IBM Lotus Really Want to Get Small? My Take on Brent Leary's Podcast
Module Header
Q. What features do you want to see on this site?
 
Opinion
Security: Is Technology Saint or Sinner?
Clive Longbottom By: Clive Longbottom, Head of Research, Quocirca
Published: 27th November 2006
Copyright Quocirca © 2006
 Logo for Quocirca

The latest problem to be thrown at us, on top of war, global warming, disease etc, is that we are ‘sleepwalking into a surveillance society’.

The worry is that, owing to all the data being collected these days, we no longer have any real privacy.

We are covered by cameras, the ‘powers that be’ have oodles of information on everyone of us, and the private sector has got in on the act with the likes of loyalty cards.

Yet, the vocal groups (and who knows if these are the minority or the majority) want it all ways.

They want their privacy, while trying to make sure that all these Johnny Foreigners don't come over uninvited, that the ‘man next door’ doesn't claim sickness benefit while on a mountaineering holiday in Tibet and that when needed, the emergency services will have everything at their fingertips to know exactly what drugs can and can't be given to you while you're lying in the road, and/or have access to high-definition CCTV footage to identify who it was who kicked seven shades of the proverbial out of you.

I think that we need to look at pragmatism and try to put ‘privacy’ into context. What do we mean by privacy here?

Do we really think that all of the 13 million CCTV cameras in the UK are being watched by forces which are just waiting for us to inadvertently drop a paper hankie on the street?

Do we really believe that hordes of people are sitting in some dusty basement in Cheltenham reading the email that you sent with that particularly non-PC joke in it?

Are we worried that we might just get caught after we've mugged some poor unfortunate?

Could this be it? We're not really bothered about ‘privacy’ as such, but we're worried that we might get caught? Speed cameras would seem to be a prime example of this ‘privacy’ argument.

There are many groups and individuals whose worries are more pragmatic: the security, integrity and accuracy of the information being held on us. This has less to do with privacy, and more to do with reality.

For example, if I'm the person lying in the middle of the road, I do want the paramedics, police and fire brigade to know that I am allergic to penicillin, that I have epilepsy, and that I am already on a collection of prescription drugs for a range of problems.

This knowledge could save my life and, as I am a simple soul, I don't care who knows all of this. Now, let's say that I was the chief executive of a major company that is just going through a sensitive acquisition.

My medical records could say that I have only a few months to live. This is very important for the medical profession to know, but probably not what I'd want splashed over the financial pages of the papers.

There's also the problem of what the ‘powers that be’ will do with information. All we have to do is look at the likes of Hoover, Beria, Trotsky and Hitler as to what can happen when too much information is given to someone who is a little on the unstable side.

But, the majority of these despots did their dirty work without technology. So is it technology that is to blame? Yes, technology means that we can gather and analyse a lot more information.

Yes, technology means that people thousands of miles away are just like the risks of having cleaners in the office 50 years ago: if you don't take careful steps, you're leaving everything available to them. Yes, the black hats (bad hackers) are cleverer than ever and there are relatively more of them.

But does this mean that we should ban any database of information held on us? Does it mean that all information should be kept in isolation from other information?

If we continue in this way, we'll see more headlines where a child dies owing to information from one group not being available to another, to people who should be being tracked being lost due to insufficient data being available, to the continued billions of pounds being wasted in fraudulent claiming of benefits, of insurance claims, the booming black market economy and so on.

ID theft will continue to rise without any means of being able to prove irrevocably who we are, and that ID can be taken from us.

And for anyone who has had full ID theft occasioned against them, then all of a sudden, you really wish that you'd backed the implementation of ID cards, at least in a correct way.

(Please note that I am not backing the government's half-hearted, half-baked way of providing government-backed false IDs.)

To my mind, it's technology which can help us by ensuring sophisticated controls over access to data. We can design, say, a DNA database that is just that: a genetic fingerprint that is held against an identifier.

We could do the same for iris recognition and/or fingerprinting. Three different databases, none of which actually provides any information against named people.

To get onto these databases, you have to go through three different groups. Why? So that any chance of using insiders to create false IDs is minimised.

Any check against these databases would use full auditing. Any access to any field within the database is time stamped and stamped with an access code showing which user or body nominally accessed that field.

Security profiles then begin to take over; having verified that the DNA, iris and/or fingerprint are in each of the databases, what else do we need to do?

Do we need to be able to carry out another match to ensure that this person is who they are saying they are? Maybe a PIN or something similar? OK, a fourth database, maybe within the private sector.

Again, all that this has is the PIN against a unique identifier. We now have up to four pieces of unique data against four unique identifiers. In comes database number five: a correlation database of unique identifiers.

If all of these unique identifiers correlate as being from the same person, we can pretty much assume that we have a match. And at no stage have we had to go to a database that has any names or other personally identifiable information held within it.

However, if this is the police, ambulance or fire brigade, they may then need to go to a different database where such personal information is held.

Again, all fully audited against access type, named ID and, where necessary, correlated against biometric information of the accessing individual.

For the highest levels of information being held on us, we need the same sort of approach that we have for nuclear warheads being set off: a dual key system.

No single person should be able to access every last item about another without some balance being available.

For me, we have to look at data pragmatism. I want to be able to walk the streets without too much fear of aggravated assault against me, I want to be able to see my insurance premiums go down because thieves find it harder to get away with misdemeanors, I'd like to see my tax go down due to fraud being eradicated.

This won't happen unless we make the most of technology, but also use appropriate technology as the controls against inappropriate usage.

Reader Comments

Sorry, we are no longer accepting comments on this item. We suggest trying to contact the author directly.

28th November 2006: 'adair' said:

Clive makes some very worthwhile points. UNfortunately he seems to use them as a smokescreen or an excuse to avoid looking at the genuine problems on the other side of the 'total surveillance' coin. The problems arise under the boring headings of management, scope, and ownership (or control). The present chaotic and patchy system of 'identity management' still allows individuals to make choices about who hold what about them and how it is used. Under the Govt's proposals ownership and control of personal identity will largley be sold into their hands, and to those contracted in to do the day to day running of things. This is all obviously fine in an ideal world where nothing ever goes wrong and where Govt's. and their sub-contractors can be relied upon to act with total integrity, honesty, and justice at the service of the people---you and I. Unfortunately that is not the world we live in. Clive, if you want to sell you identity down the river at the behest of a snake oil selling Govt. go ahead, it's still a 'free' country. Others of us aim to try and keep the freedom and ditch the snake oil; with properly thought through legislation and projects that genuinely protect and manage people's 'identities' in a digital world. As for scaring people into accepting whatever is chucked at them with stories of 'dying in the street' because X couldn't speak to Y. In this context that is just trash tabloid journalism---a red herring. You should be ashamed of yourself! ;-)

Reply to adair?

28th November 2006: 'JRush' said:

Freedom is risky. I doubt whether this generation is willing to take any personal responsibility for anything. Government needs limits. We've had plenty of historical precedents to underscore this fact. But, "We love Big Brother."

Reply to JRush?

30th November 2006: 'Clive Longbottom' said:

Re: Comments by Adair. Sorry if you find the area of information need for those with certain disabilities "trashy tabloid journalism". As a sufferer from epilepsy, I know what can happen when there is insufficient information - I know of someone who did die, as people stepped over her, thinking that she was a druggie, and even when the ambulance did appear to help her, that was how she was treated - as a person suffering self-inflicted harm, rather than someone who could have been saved by a single injection of the correct anti-epileptic drug. On the greater overall subject, I think that we are in overall agreement. I do not want to have a government which collects as much information on me as possible, and then sells the information, or access to the information, to anyone who has sufficient cash to do so. What I do want is a set of controls that make all people who are accesing the data accountable - and a means of ensuring that the information that makes us "us" is not easily counterfeitable. The use of "worthless vaults" of information, where there is no means of putting together any level of profile of a person through the information held in one place moves us towards this capability. Sure, certain groups will always put together special profiles on certain people (a growing number, and I would be surprised if there isn't a file on me). We can't stop this, but I would hope that we can use technology to make our overall data security better - rather than trying to be like the followers of King Cnut, hoping that some greater mortal power will stop the wave of data misuse from engulfing us just by shouting at it.

Reply to Clive Longbottom?
Advertisement


Analysts
Bloor Research Hurwitz & Associates Hydrasight Interarbor Solutions MWD Advisors Quocirca Sageza Group, Inc. The Information Difference
Advertising | Contact | Site Map | Terms of Use | Privacy | Accessibility
Copyright © IT Analysis Communications Ltd., unless stated otherwise		 Tel: +44 (0)190 888 0760
Fax: +44 (0)190 888 0761

Published by: IT Analysis Communications Ltd.
T: +44 (0)190 888 0760 | F: +44 (0)190 888 0761
Email: