Prof. I. Brown

Politics and privacy engineering
Dr Ian Brown
Oxford Internet Institute
University of Oxford
Revenue & Customs lose 25m records
- Two discs containing names, addresses, DoB, NI no. and bank details of 25m people lost in the post
- Chairman of HMRC immediately resigned
Prime Minister’s Questions 21/11/07
Impact on public opinion
[Chart: YouGov tracker poll, July 2007 to March 2008, two series plotted on a 15% to 45% scale: “Approve govt record” and “Vote for tomorrow”]
Data: YouGov tracker poll for Daily Telegraph, 28/3/2008
Simple audit protocol
NAO: “I do not need address, bank or parent
details in the download – are these
removable to keep the file smaller?”
HMRC: “I must stress we must make use of
[existing] data we hold and not overburden
the business by asking them to run
additional data scans/filters that may incur a
cost to the department.”
£5,000 of code
SELECT Recipient_ID, Date, Amount FROM Child_Benefit_Payments;
(only the three fields the auditor asked for leave the database)
gpg -er NAO benefitdata.csv
(the extract is encrypted to the NAO's public key before it is sent)
Privacy-enhanced audit
1. For each recipient, send to auditor
(Recipient_ID, hash(shared_random,
recipient data))
2. Auditor requests sample of x records
3. Only those records are sent, and can be
checked against bit commitments
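The three-step protocol above, carried through in working code, serving both the minimised extract on the previous slide and the commitment-based audit on this one. This is an added example and is not code from the talk; the concrete choices are assumptions: SHA-256 as the hash, a fresh 32-byte random value per recipient that the department keeps and reveals only for sampled records (rather than a single value shared with the auditor, which would let the auditor test guesses against low-entropy fields such as names and dates of birth), JSON as the canonical record encoding, and constructed sample records that describe nobody real. Function and record names are hypothetical.

```python
"""Privacy-enhanced audit with hash commitments (added example, not from the talk).

Assumed design: SHA-256 over a per-record 256-bit nonce plus a canonical JSON
encoding of the record; the department keeps the nonces and reveals them only
for the records the auditor samples.
"""
import hashlib
import json
import os
import random

# Constructed sample data for the demonstration; these are not real payments.
RECORDS = {
    "R001": {"name": "A. Example", "address": "1 High Street", "dob": "1975-01-02",
             "ni": "QQ123456A", "bank": "00-00-00 12345678",
             "date": "2007-10-01", "amount": "72.40"},
    "R002": {"name": "B. Example", "address": "2 High Street", "dob": "1980-03-04",
             "ni": "QQ234567B", "bank": "00-00-00 23456789",
             "date": "2007-10-01", "amount": "72.40"},
    "R003": {"name": "C. Example", "address": "3 High Street", "dob": "1968-05-06",
             "ni": "QQ345678C", "bank": "00-00-00 34567890",
             "date": "2007-10-01", "amount": "125.90"},
    "R004": {"name": "D. Example", "address": "4 High Street", "dob": "1990-07-08",
             "ni": "QQ456789D", "bank": "00-00-00 45678901",
             "date": "2007-10-01", "amount": "18.10"},
}


def canonical(record):
    """Deterministic encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def commit(nonce, record):
    """hash(shared_random, recipient data) with a per-record nonce.

    Hiding: without the nonce the auditor cannot test guesses for the record.
    Binding: changing one byte of the record afterwards changes the digest.
    """
    return hashlib.sha256(nonce + canonical(record)).hexdigest()


def build_commitments(records):
    """Step 1 (department): one fresh nonce per recipient; only the
    (Recipient_ID, commitment) pairs are sent to the auditor."""
    nonces = {rid: os.urandom(32) for rid in records}
    commitments = {rid: commit(nonces[rid], rec) for rid, rec in records.items()}
    return nonces, commitments


def auditor_sample(commitments, x, rng=None):
    """Step 2 (auditor): choose x recipients after the commitments are fixed,
    so the department cannot tailor which records will be inspected."""
    rng = rng or random.SystemRandom()
    return rng.sample(sorted(commitments), x)


def open_records(records, nonces, sample):
    """Step 3 (department): reveal nonce and full record for the sample only."""
    return {rid: (nonces[rid], records[rid]) for rid in sample}


def verify_openings(commitments, openings):
    """Step 3 (auditor): IDs whose opened record does not match its commitment."""
    return {rid for rid, (nonce, rec) in openings.items()
            if commit(nonce, rec) != commitments[rid]}


def run_audit(records, x):
    """Whole exchange; returns (number of records disclosed, mismatching IDs)."""
    nonces, commitments = build_commitments(records)
    sample = auditor_sample(commitments, x)
    openings = open_records(records, nonces, sample)
    return len(openings), verify_openings(commitments, openings)


def tamper_detected():
    """Failure mode: the department alters a sampled record after committing."""
    nonces, commitments = build_commitments(RECORDS)
    altered = {rid: dict(rec) for rid, rec in RECORDS.items()}
    altered["R002"]["amount"] = "7240.00"
    openings = open_records(altered, nonces, ["R001", "R002"])
    return verify_openings(commitments, openings) == {"R002"}


if __name__ == "__main__":
    disclosed, bad = run_audit(RECORDS, 2)
    print(f"disclosed {disclosed} of {len(RECORDS)} records, mismatches: {bad}")
    print("tampering detected:", tamper_detected())
```

The auditor ends up holding a commitment for every recipient but the personal data of only x of them, which is the point of the smaller extract on the previous slide; and because the department committed before learning the sample, it cannot substitute records for the ones inspected, which tamper_detected shows being caught.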
Individuals affected by UK data breaches since July 2006
[Bar chart: one bar per breached organisation, individuals affected on a logarithmic scale from 1 to 100,000,000]
Basic security needed
- Encrypted stored and in-transit data
- Access control
- Need-to-know
Measuring system security requirements
1. Scale and complexity
2. Number of users
3. Sensitivity of data
4. Connections to other systems, particularly untrusted
5. Connectivity to the Internet
6. Attractiveness as target
Source: B. R. Gladman and I. Brown (2007) Security, Safety and the
National Identity Register. In S. G. Davies & I. Hosein (eds), The Identity
Project: an assessment of the UK Identity Cards Bill and its implications,
London School of Economics pp.187-200.
Software quality is key
Prof. Martyn Thomas: “almost every IT supplier in
the world today is incompetent… the typical rate
of delivered faults after full user acceptance testing
from the main suppliers in the industry over many
years has been steady at around 20 faults per
thousand lines of code. We know how to deliver
software with a fault rate that is down around 0.1
faults per thousand lines of code and the industry
does not adopt these techniques.” Evidence to Home
Affairs Select Committee, 24/2/2004
Insider fraud

Information required | Price paid to ‘blagger’ | Price charged to customer
Occupant search/Electoral roll check (obtaining or checking an address) | not known | £17.50
Telephone reverse trace | £40 | £75
Telephone conversion (mobile) | not known | £75
Friends and Family | £60 – £80 | not known
Vehicle check at DVLA | £70 | £150 – £200
Criminal records check | not known | £500
Area search (locating a named person across a wide area) | not known | £60
Company/Director search | not known | £40
Ex-directory search | not known | £65 – £75
Mobile telephone account enquiries | not known | £750
Licence check | £40 | £250

Source: “What price privacy?”, Information Commissioner, May 2006
Key privacy engineering steps
1. Understand your problem
2. Design system to minimise collection,
storage and access to personally
identifiable information
3. Engineer security system to enforce
privacy policies
4. Enforce controls and audit remaining
accesses
Source: S. Marsh, I. Brown and F. Khaki (2008)
Privacy Engineering. Cybersecurity KTN white paper
NHS Connecting for Health
- £20bn programme
- Patient Summary Care Records stored on centralised database (“Spine”) with pointers to Detailed Care Records in regional databases
- Emergency treatment and research
Efficacy of NPfIT
- Emergency clinicians’ treatment styles
- Public opposition to unconsented research (paper last year, blog?)
Confidentiality problems
- “Sealed envelope” limits access to especially sensitive records… but can be opened by the NHS and police and doesn’t actually exist yet!
- Pretexting found in N. Yorkshire HA to be occurring 30 times per week (Anderson 1996)
- Leeds Teaching Hospitals NHS Trust found 70,000 cases of "inappropriate access" to systems in 1 month
- South Warwickshire General Hospitals NHS Trust allows A&E clinicians to share smartcards due to 60-90s login times
General Practitioners’ worries
- 50% of GPs will refuse to upload medical records to central "Spine" without patients' permission
- 80% think Spine puts patient confidentiality at risk
- 79% think new system will be less secure
Source: Medix poll of 1,026 representative GPs, Nov. 2006
ContactPoint & eCAF
Cornwall County Council
- Database storing details of 11m UK children’s contact with social services, police, health and education
- 330,000 users
- 50% of children will have detailed seven-page assessment
Purposes of ContactPoint
- “[P]rotecting children from abuse or neglect, preventing impairment of their health and development, and ensuring that they are growing up in circumstances consistent with the provision of safe and effective care which is undertaken so as to enable children to have optimum life chances and enter adulthood successfully.”
- Victoria Climbie case
- Crime prevention
Source: R. Anderson, I. Brown, R. Clayton, T. Dowty, D. Korff and E. Munro (2006) Children’s Databases - Safety and Privacy. Information Commissioner’s Office
Efficacy of ContactPoint
- “The practitioners in contact with Victoria knew of each other’s involvement and shared considerable amounts of information. The crucial errors arose from individuals either not paying attention to the information, or giving it a benign interpretation so that the risk to Victoria from abuse was not seen.” -Anderson et al.
- Wood for trees (Dr Liz Davies)
- Resources and evidence base for interventions
Source: R. Anderson, I. Brown, R. Clayton, T. Dowty, D. Korff and E. Munro (2006) Children’s Databases - Safety and Privacy. Information Commissioner’s Office
Efficacy of ContactPoint
- “[A]ny notion that better screening can enable policy makers to identify young children destined to join the 5 per cent of offenders responsible for 50-60 per cent of crime is fanciful. Even if there were no ethical objections to putting ‘potential delinquent’ labels round the necks of young children, there would continue to be statistical barriers.” -Prof. David Farrington
- “The practitioners in contact with Victoria knew of each other’s involvement and shared considerable amounts of information. The crucial errors arose from individuals either not paying attention to the information, or giving it a benign interpretation so that the risk to Victoria from abuse was not seen.” -Anderson et al.
- Impact upon family autonomy
Source: R. Anderson, I. Brown, R. Clayton, T. Dowty, D. Korff and E. Munro (2006) Children’s Databases - Safety and Privacy. Information Commissioner’s Office
UK National Identity Scheme
S. G. Davies & I. Hosein (eds), The Identity Project: an assessment of the UK
Identity Cards Bill and its implications, London School of Economics p.25
Purposes of NIS
- Anti-terrorism
- Social security fraud
- Identity fraud (£1.7bn pa)
- Illegal immigration
- Sense of community
Efficacy of NIS
- “If you ask me whether ID cards or any other measure would have stopped [the London bombings], I can't identify any measure which would have just stopped it like that.” -Charles Clarke MP, former Home Secretary
- “Benefit fraud that relies on false identity was, at most, 1 or 2 per cent of the total.” -Peter Lilley MP, former Social Security Secretary
- “The Home Office's definition of ID fraud doesn't match our definition. We class it as a more serious crime that involves a great deal more hassle than just having your card stolen and having to phone up the bank to cancel it” -APACS
Efficacy of Identity Scheme
 "If stop and search is anything to go
by, for Black people our ID card is
really the colour of our skin.” Karen
Chouhan, 1990 Trust
 “Terrorists rarely conceal their
identity, only their intention - as was
apparent in the case of those involved
in the 9/11 tragedy, and in Madrid and
in Constantinople.” -Peter Lilley MP
IT and the smaller state
 "Never again could there be projects like
Labour's hubristic NHS supercomputer… The
basic reason for these problems is Labour's
addiction to the mainframe model - large,
centralised systems for the management of
information.” -David Cameron MP
 “As chancellor, Brown relentlessly pursued his
forlorn vision of a ‘joined-up identity
management regime’ across public services. As
prime minister, he continues this vain search,
like an obsessed alchemist, for a giant database
that his closest advisers ominously refer to as a
‘single source of truth’.” -David Davis MP
Conclusion
- Privacy engineering is key to making privacy meaningful in information societies
- “Collect then protect” is a fundamentally broken model
- Understanding the problem domain is critical
- Privacy has become a key element in UK politics - central to debate over effective checks on state power