About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion

License

  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


A new law

By Dave Birch posted Jan 23 2008 at 1:50 PM

[Dave Birch] I propose a new law, to go alongside Moore's Law and Reed's Law and all of our other useful tools for doing back-of-the-envelope projections of where things will be going in the short- to medium-term. I propose Stokes' Law, which is that

as the amount of data that the government collects grows, so will the number of people who are victims of crimes that were made possible by unauthorised access to government databases.

[From Analysis: Metcalfe's Law + Real ID = more crime, less safety]

We all know it to be intuitively true, but the question is "what is the shape of the curve"? Jon Stokes links it to Metcalfe's (i.e., square) curve, but I wonder if it mightn't be steeper than that because of the variety of criminal interests that might want to exploit different subsets of my personal data. To take a simple case, there might be criminals that want to access my national identity register record because they want to pretend to be me in order to allow an illegal immigrant to get a job, but they are different from the terrorist interests that want to access my DVLA record because they need to track down people who have cars that use a particular stretch of road every day.

Paranoid? Not really. This figure is almost certainly completely made-up, but nevertheless

A record 37 million items of personal data went missing last year, new research reveals. Most of the data was lost by government officials but councils, NHS trusts, banks, insurance companies and chain stores also mislaid or published personal information about staff or members of the public.

[From Government's record year of data loss - Telegraph]

The biggest chunk of the supposed 37 million "items" that went missing was, of course, the CDs that are down the back of the sofa at HMRC...

The acting chairman of HM Revenue and Customs has revealed that there have been seven incidents of data loss in the last two and a half years. David Hartnett was giving evidence to MPs in place of the former chairman Paul Gray who resigned over the loss of two CDs containing the personal details of 25 million people. When asked if the loss of so much information meant a "systemic failure", Mr Hartnett replied: "It may well do."

[From HM Revenue And Customs: Seven Data Losses |Sky News|UK News]

And in the last couple of days....

The Government is under fire for yet another data breach after revealing a Royal Navy officer's laptop containing the details of 600,000 people has been stolen.

[From Royal Navy Laptop Stolen With 600,000 People's Details |Sky News|UK News]

Now, I'm not highlighting these problems just to indulge in pointless sneering but to emphasise the fact that we have to develop digital identity infrastructure in the real world, where technology doesn't work properly, where people (including government employees) are fallible and where politicians and legislators are making choices founded on Hollywood movies, outdated legal principles and kneejerk newspaper reactions. People are going to lose laptops, so let's design an infrastructure that can live with that fact.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]

Comments

The problem with calling for more stuff comes down to "interests." The people who have an interest in protecting their individual data, being the "everyone" of us, have no control over the data nor the process.

The people with the control have no interest. It is possible to connect the two with laws, contracts, suits, customs, baseball bats, prison or any number of other things ... but these all suffer from one flaw: they are all blunt weapons.

About the best solution that I have seen is the "class-action-for-damages-on-duty-of-care-tort" path. (you can tell I am not a lawyer...) That is, allow the 25 million children to file a class action suit against the loser of the data. Even if the award is only $1 per child, it is a ruling that is repeatable, verifiable, governed and measured.
