« Spy Blog interview on Radio 5 Live - on the "Wilson Doctrine" | Main | Prime Minister's Questions on ID Cards, IMPACT system delays , Wilson Doctrine »

Charles Clarke absolutely guarantees the security of the National Identity Register and of all other databases which link to it - will he resign when, not if, any of them are breached ?

Home Secretary Charles Clarke has been at it again, when answering an Oral Question on Identity Cards on Monday, He uttered some soundbites which show the NuLabour obsession with grasping at technological "magic fixes" to social and political problems.

Stupidly, in our opinion, he made an absolute promise , to Parliament and to the British public, about the security of the National Identity Register database, and of all other database systems to which it is linked, in all circumstances !

Charles Clarke must resign as Home Secretary, when, not if, the security of any of the databases to which he has alluded to is either breached or put at risk through poor design or day to day management practices.

Identity Cards

8. Miss Anne Begg (Aberdeen, South) (Lab): How the introduction of identity cards will prevent identity theft and fraud. [41776]

The Secretary of State for the Home Department (Mr. Charles Clarke): Identity fraud costs the economy at least £1.3 billion every year, and all the evidence shows that the threat is rising.

Why is he still promulgating this utter lie ?

Charles Clarke's Identity Cards Bill Third Reading speech - repeated lies

Evening Standard: Andrew Gilligan demolishes the £1.3 billion identity fraud hype

"Identity Fraud" does NOT "cost the UK £1.3 billion a year"

The figures do not add up !

The ID cards scheme will tackle the problem by recording biometric information so that we are able to detect people who try to register multiple identities to commit fraud, or for other, worse, purposes. The scheme will also allow individuals and organisations to verify identity to a much greater degree of certainty than at present.

Miss Begg: I thank the Secretary of State for that reply. I have constituents who look forward to the introduction of ID cards because they have had their identities stolen and found it very difficult to prove exactly who they are. However, other constituents who write to me are concerned that the very introduction of ID cards will not be safe and that the data will not be secure because the national database will be susceptible to fraud or to being hacked into so that the data on it are corrupted. What assurances can the Secretary of State give to those constituents that that will not happen?

Mr. Clarke: I hear absolute assurances—[Interruption.] I apologise, Mr. Speaker. I give assurances that the security of the database will be our absolute priority in all circumstances. Perhaps I can go even further. All of the many databases that are held about all of us in this House—whether they concern finances, health or passports, or are in the private or the public sector—are insecure to a degree while we do not have an ID cards system. The ID cards system will

16 Jan 2006 : Column 560

provide security not only for the identity database itself but for all the other databases that hold data about the whole of this country.

These words will come back to haunt him:

"I give assurances that the security of the database will be our absolute priority in all circumstances"

We fear for the health and safety of any computer security experts who have read his words: there is every chance that they could injure themselves whilst they splutter into their coffee cups or risk a hernia when they double up with laughter. 8-)

Charles Clarke then went further than giving an absoute promise !

"Perhaps I can go even further. All of the many databases that are held about all of us in this House—whether they concern finances, health or passports, or are in the private or the public sector—are insecure to a degree while we do not have an ID cards system. The ID cards system will provide security not only for the identity database itself but for all the other databases that hold data about the whole of this country."

Would Charles Clarke care to explain, to simple people like ourselves, how precisely bolting on a massively complicated and untested centralised computer system, to which hundreds of thousands of people will have varying degrees of access, and which will be at risk of "man-in-the-middle" attacks, "will provide security" "for all the other databases that hold data about the whole of this country" ?

Providing "security" cannot be done like this, any more than painting consumer goods packaging green, can somehow magically "save the environment".

This absolute promise means that the controversial Clause 31 Tampering with the Register etc.of the Identity Cards Bill will be interpreted in the most draconian way bythe Home Office, thereby criminalising innocent Civil Servants and IT contractors who are foolish enough to be involved witht the NIR system e.g. up to 10 years in prison and a fine, for either gping on strike, or for installing a faulty software patch or upgrade over which you have no personal control.

We repeat: Charles Clarke must resign as Home Secretary, when, not if, the security of any of the databases to which he has alluded to is either breached or put at risk through poor design or day to day management practices.

Comments

With all due respect Charles Clarke is just a "here today, gone tomorrow" politician, and he's really in no position to guarantee the security of databases or any other kind of IT security. Actually if you read the above text he doesn't give any absolute guarantee (such things are never done in politics), only an "assurance" that security will be a "priority".

As usual with politicians Clarke is just indulging in his own combination of fantasy and technological ignorance (the technical details are always left to others to fill in). No sensible IT contractor would be able to guarantee the security of their databases against being hacked or used for fraudulent purposes. If you read the licence agreements for database software carefully you'll find that even companies like Microsoft can't make any such guarantees.


@ Bob - His predecessor David Blunkett claimed that somehow the magic of biometrics "will make identity theft and multiple identity impossible, not nearly impossible, impossible"

With Clause 31 Tampering with the Register etc. of the Identity Cards Bill, as currently worded, no sane IT Contractor should have anything to do with the proposed National Identity Register or any system which connects to it.

Why risk up to 10 years in prison and an unlimited fine, bearing in mind that you cannot exclude criminal penalties in the small print of a contract or licence agreement ?

If you do anything (i.e. your job) which might, even by an act of omission or if you are "reckless as to wether or not" your activity , anywhere in the UK or anywhere abroad, whether you are a UK citizen or not, has an effect then you will fall foul of

"where it makes it more difficult or impossible for such information to be retrieved in a legible form from a computer on which it is stored by the Secretary of State, or contributes to making that more difficult or impossible."


Charles Clarke did not, it is true, use the word "guarantee", but he did say:

"I give assurances that the security of the database will be our absolute priority in all circumstances."

So if there are any circumstances where the security of the systems can be questioned, circumstances which are all too common with existing large Government IT systems e.g. the latest security patches have not yet been applied, or one or more authorised insiders is corrupt or under duress, then Charles Clarke should resign.


The security of IT systems is constantly in question, whether you apply all the latest patches or not. The trouble is that politicians, and no doubt the expensive consultants who advise them, don't dirty their hands with technical details.

It's technical ignorance of this kind which leads to statements like "will make identity theft and multiple identity impossible". I bet no reputable IT contractor or anyone who has detailed knowledge of biometrics would be able to make such a claim.

Such systems may, if well implemented, make identity theft harder. However, if badly implemented they may make it trivially easy for a hacker to carry out identity fraud on a nationwide scale.


Post a comment