Today I have been explaining that I am not against CCTV- but if it is going to be used the cameras should be able to provide clear images and all of the evidence should be usable in court. Currently only 20% is usable. At the moment we just have a placebo effect for Citizen UK.

Many of the Samizdata comments focus on Davis’ support for CCTV as evidence of a less-than-liberal outlook, however I think he makes a partially valid point. I agree that the quality of images from CCTV systems needs to be sufficient to identify individuals: the evidence they collect is useless otherwise. Likewise, cameras should be installed so they are actually capable of capturing images of faces. Lenses on 10m posts look down on nothing but the tops of heads (and blouses, apparently). However, as I have previously noted, calling for better CCTV doesn’t imply support for more CCTV. This is where I too part company with Davis.

I fear the CCTV genie cannot be persuaded back into its bottle by rational argument, as public perception and the psychology of security theatre have significant bearing on the current situation, however I think we should be pressing for a massive reduction in CCTV covareage; effective regulation and licensing of schemes that can be proven useful; and improved installation- and technical standards all round.

Thousands of ‘ultra-secure’ computers costing £6m are to be bought by the NI executive following a series of embarrassing losses of personal data. About 4,000 high-security laptops and 10,000 new desktop computers are being bought. The BBC has also learned the Civil Service is to launch a secure system which may do away with sending people’s details through the post. Discs containing the details of 6,000 NI drivers went missing in December.

The NI executive has apparantly failed to realise that they can’t just buy security - it’s a process not a product. Despite the contrary pleadings of the industry, you can’t just sprinkle security products on your business (or government) like magic fairy dust and expect it to work - a holistic approach is required. How much are they planning to spend on threat analysis, risk assessment, data classification and protective marking, policy, processes and operating procedures, user training, admin training, testing, audits, etc? The report doesn’t say.

“We are not being complacent - the genie is out of the bottle and we have to be seen to be doing something”

Translation: “We have been complacent and we’re spending £6m to buy a better reputation for security than we probably deserve”.

Wouldn’t it be better if public bodies pro-actively secured our data as a matter of course, rather than papering over systemic failures only when forced to “do something” by embarassing headlines?

I predict another BBC article two years from now saying that the NI executive has lost another large batch of citizens’ private information despite having spent £6m on ‘ultra secure’ hardware.

Hat tip: Glyn

The news article is priceless too!

Schneier is a security and cryptography luminary who regularly blogs about silly security-related goings on in order to highlight how ludicrous the actions of many authorities have become in recent years.

I set off the alarm on the way out of my local supermarket at the weekend. The security guard came over and asked whether I’d bought any electronic items. I hadn’t, but I did have a CD in my pocket that I’d bought elsewhere earlier, and its security tag had triggered the system. The guard gave me a knowing look and said that this particular brand of RFID chip is notorious for causing false positives in a number of other stores. He enthusiastically demonstrated the problem by using my CD to set off the alarm a couple more times, and then cheerfully waved me on my way. He also unwittingly revealed a vulnerability in the supermarket’s security procedures.

At no time did the guard examine the content of my shopping bags, which I had left on the street side of the sensors during our entire conversation. In other words, the existence of a false positive was enough of an explanation to convince him I wasn’t a thief.

Luckily for the supermarket, he was right.

Now I know what you’re thinking: surely at this point the guard should eliminate the CD as a possibility and then ask you to push the trolley through the sensor again, right? This is where the social engineering comes in. If you appear to be well dressed, articulate, polite and helpful, chances are you’ll fail to raise any suspicion, and the explanation for the alarm that you’re presenting will be accepted - especially if the guard has seen it happen before. The odds are good that you’ll get away with it.

It’s very difficult to defend against this sort of trickery with minimum wage security guards and a system that is prone to false positives. I’m sure that if you asked any shop with one these alarms, they would say their procedures should prevent this kind of con, but in the real world it’s often possible to get round systems that rely on humans to be effective: people are usually the weakest link in any security system.

Something to think about next time you go through an airport security checkpoint.

This week we learnt that HM Revenue and Customs finally misplaced the 25 million database records they’ve been trying so hard to lose all year through negligence and gross misconduct. I am shocked, but not surprised, at the revelation that the Government has put millions of people at risk of fraud. I’m sure this is just one example of a situation in which public bodies have shown contempt for personal privacy and security.

Why am I not surprised? Because this outcome is the inevitable result of centralising such a large amount of data, then making it available to thousands of authorised users from hundreds of access points. Such databases are IMPOSSIBLE to secure. The Government has been told this many times by eminent security experts, so why does it persist in putting forward ever grander (and riskier) data aggregation and sharing schemes?

The Government wants to take control of our identities, but this incident shows it’s not fit to look after them. The only reason some of the population hasn’t had their security compromised this week is that they don’t have children!

The way to protect sensitive data about individuals is to segregate it, to decentralise it and to empower the individuals to whom it refers to control its use. After all, they’re the ones with the best incentive to take care of it, as it is they who are affected if it falls into malicious hands.

I invite you to join me in rejecting and resisting the data kleptomania of the Government of which you are a member. Rebel! Don’t let these ill-conceived, dangerous policies trample our rights. Help save us all from the tyranny of the database state.

I would be interested to hear your views on the matter of ID cards in particular, and Government’s use of information on citizens in general, in the light of this week’s events.

Yours sincerely

Richard King.