
27 January 2011

HMRC's Latest IT Fail - and What to Do About It

On Monday, I called the HMRC to give them some information they wanted from me. After being placed on hold for about 10 minutes, I finally got through, and was rightly “taken through security”. After all, it's vitally important that HMRC and similar organisations establish that the person they are talking to is indeed that person. Unfortunately, security had been “upgraded”, so you probably know what is coming next....

On Open Enterprise blog.

27 November 2007

Of Lost IDs, ID Cards and Biometric IDiocy

One of the many outrageous aspects of the recent loss by HMRC of crucial data about half the UK population is how the UK government immediately tried to spin this as a reason why we needed ID cards. This follows in a long and dishonourable tradition in this country whereby every failure by the police to catch terrorists/criminals using their extensive powers of surveillance is turned into a justification for giving them even more such powers, when it ought to mean the opposite.

Fortunately a crushing refutation of the faulty logic behind the ID card argument has now been provided by some top academic security experts, who write:

biometric checks at the time of usage do not of themselves make any difference whatsoever to the possibility of the type of disaster that has just occurred at HMRC. This type of data leakage, which occurs regularly across Government, will continue to occur until there is a radical change in the culture both of system designer and system users. The safety, security and privacy of personal data has to become the primary requirement in the design, implementation, operation and auditing of systems of this kind.

The inclusion of biometric data in one's NIR record would make such a record even more valuable to fraudsters and thieves as it would - if leaked or stolen - provide the 'key' to all uses of that individual's biometrics (e.g. accessing personal or business information on a laptop, biometric access to bank accounts, etc.) for the rest of his or her life. Once lost, it would be impossible to issue a person with new fingerprints. One cannot change one's fingers as one can a bank account.

(Via The Reg.)

21 November 2007

Decentralise Your Data - Or Lose It

Aside from the obvious one of not trusting the UK government with personal data, the other lesson to be learned from the catastrophic failure of "security" by the HMG is the obverse to one of free software's key strengths, decentralisation. When you do centralise, you make it easy for some twerp - or criminal - to download all your information onto a couple of discs and then lose them. A decentralised approach is not without its problems, but at least it puts a few barriers in the way of fools and knaves.