DNA DATABASE DEBATE

In the wake of the convictions of Stephen Wright, Mark Dixie and Levi Bellfield it was perhaps inevitable - if not predictable - that the thorny issue of a national DNA database would crop up, not just on the back of Det Supt Stuart Cundy's (personal) insistence that: "It is my opinion that a national DNA register - with all its appropriate safeguards - could have identified Sally Anne's murderer within 24 hours. Instead it took nearly nine months before Mark Dixie was identified, and almost two-and-a-half years for justice to be done." It is an assertion that is at once emotive (pandering to the earnest wish of us all that the the perpetrators of such vile crimes be brought to justice as speedily as possible), persuasive (on the face of it, 24 hours versus 9 months is an absolute no-brainer) and brave (especially for an individual who may well not be possessed of a great deal of expertise in the design and management of data systems).

Now I wouldn't want to be misunderstood here. No-one, least of all me, disputes that DNA analysis is a hugely important investigative tool for law enforcement agencies (although we should hold in our minds that it is a crime-solving rather than a crime prevention resource). But I cannot help feeling that Det Supt Cundy's assertion is at best moot and may even be both misleading and inaccurate (not least when, for example, it is measured against the 100 or so occasions on which the criminal activities of Levi Bellfield were reported to the police). Here the most important point to be aware of is that database systems are a technological resource, subject to certain innate physical properties and intractable rules. And one of the most fundamental of these, as Ross Anderson has sought to make abundantly clear for a very long time now, is that “You can have security, or functionality, or scale—you can even have any two of these. But you can’t have all three." Therefore, as sure as eggs is eggs, scaling up the DNA database to a national/universal level would have the inevitable effect of compromising either functionality or (more 'preferable' from the Government's point of view?) security.

On top of this we have to factor in not only the fact that the existing DNA database is populated with a fair degree of error already (from memory, something like half a million of the 4.5 or so million samples retained are estimated to have been mis-recorded on entry) but also that, like fingerprints, DNA analysis is not infallible. The point here is that, if the database were to be scaled up, these in-built errors would be magnified, perhaps even to the extent of undermining the value of the resource. In sum it doesn't necessarily follow that a whole-of-population database would, of itself, guarantee speedier investigative results. (Manifestly I have rather less hesitancy about this than that felt by Iain Dale in this post.)

Now, to be scrupulously fair, as Philip Johnston says in this article in the Daily Telegraph "Tony McNulty, the Home Office minister, was commendably quick to reject the calls for a universal DNA database," something which we need not necessarily have anticipated given the witlessness of some of his previous comments about ID cards and the NIR. Against that background, it is perhaps even more surprising that he has demonstrated an uncharacteristic degree of common sense in a number of his comments. He is spot on in maintaining that a national DNA database would not be a "silver bullet". He is spot on in identifying that it "would raise significant practical and ethical issues". He is spot on in saying that (as I imply above) "How to maintain the security of a database with 4.5m people on it is one thing, doing that for 60m people is another." In other words the Home Office wholly reject the idea of a national DNA database.

So far so good - and, honestly, like Philip Johnston, I commend and congratulate him for having put the Home Office's policy in this area into the public domain so concisely and so quickly. But, whilst I have no difficulty in giving him plaudits when they are due, I can't help feeling that he's managed to create a huge intellectual inconsistency for himself and the Government. You see, if we take these policy constraints on a national DNA database at face value, they in turn beg a hugely important question: what is the difference, qualitatively and quantitively between a national DNA database and the NIR or the NPfIT, &c?

The answer (a la Paul Daniels) is "Not a lot!" In fact, under the umbrella of the "Transformational Government" agenda (the proposition whereby the minutiae of every scrap of information held about an individual should be shared seamlessly across the whole of government), these databases are even more intrusive because, as a generality, they do not rely upon onward analysis for required data to be extracted from them. It would therefore be wholly legitimate to assume that, in the interests of consistency, the same policy constraints that the Government has identified in respect of a national DNA database (presumably this is what Tony McNulty's comments were intended to convey rather than a personal opinion) should be applied equally to their grandiose and misguided plans for ID cards, NPfIT, ContactPoint, &c. So, viewed logically, the Government's attitude about a national DNA database damns to hell and back their adherence to other national databases they have in the pipeline. To quote Tony McNulty's own words, the stark reality is that none of these would be a "silver bullet" to address the problems at which they are aimed, all of them "raise significant practical and ethical issues", and all of them fall foul of what could be called Anderson's Law, namely, "How to maintain the security of a database with 4.5m people on it is one thing, doing that for 60m people is another".

I know it's too much to hope for but the prospect of a little bit of joined-up government thinking here (i.e. Ministers being capable of recognising the equivalence between a national DNA database and other databases (both existing and proposed) within the Government's purview) wouldn't go amiss. Well, dreams are free. But I fear it ain't going to happen soon.

HMRC ONLINE SYSTEM CRASH

OK, so this is no big surprise - especially given the Government's record for (in)competence over IT systems. And at least they have had the wit to extend the deadline for filing - no doubt thinking about the horrendous publicity they would receive on the back of the double standard revealed a few days ago.

In advance of any announcement as to what has caused the problem, current speculation (and conventional wisdom) is arguing in favour of a failure to build in to the system adequate capacity/scalability to cope with (inevitable) traffic peaks as the deadline approaches. No doubt this has been a contributory factor - it is a not uncommon problem with the Government's IT systems. But - call me an old softie or maybe I'm just being too optimistic - I'd like to believe it also has something to do with data security improvements to the site/system on the back of the HMRC fiasco. This may be just too incredible - and probably wouldn't be admitted to by Treasury spokjesmen in any event - but, if such an analysis is correct, it would imply that ad hoc attempts to retrieve an irretrievably 'broke' system are likely to cause more problems than they solve. In effect what may be necessary is a root-and-branch re-design/re-build of IT systems to guarantee that proper data security and capacity is built in from the get-go.

I don't doubt that this is an especially scary thought - in policy/financial/&c terms - for the Great Bottler and his team!!!

BREAKDOWN OF TRUST (re DATA SECURITY)

Hot on the heels of their excellent "2007 International Privacy Rankings", those good people at Privacy International have published figures showing a huge collapse of public trust in the Government's ability to hold our personal data securely.

Of course, of itself, this isn't particularly surprising or startling news. In the wake of the HMRC fiasco and the steady and recurring drip of revelations about the failure of individual Departments to protect our data - following on from the scandalous breach of the loss/theft of an RN laptop, this from the Ministry of Justice is merely the latest cock-up that has come to light - I am surprised that anyone has any faith whatsoever in a presumption that the Government can demonstrate even a smidgeon of competence in this field. No, what makes PI's report interesting are two associated consequences/repercussions.

First, it would be naive to assume that this breakdown of trust will confine itself to our interactions with Government. As PI's text points out, it will inevitably leech into the broader context of e-commerce generally - that is to say in both the public and private sectors (something confirmed, at least in part, by the FSA's recent Financial Risk Outlook): "At this stage it is not a simple matter to predict the potential financial impact of such a trend, but it is quite possible that the economy's growth could be inhibited if trust in data security continues to erode. The cost could easily run into billions of pounds per year". With the UK/world economy looking ever-more flaky (post N.Rock, the credit crunch, et al), the timing of this could not be worse, especially in terms of the direction of the psychology of the market (as per recent stock market volatility being a function of a lack of confidence). As Simon Davies says, this makes it a matter of considerable urgency that the Government should get a grip on the means to re-establish trust as soon as possible - although, as this piece from Rosemary Jay at out-law.com makes plain, the prospect of this looks exceedingly remote. Failure to do so could have the unintended consequence of entrenching the downturn in the economy more deeply.

This leads to my second point. I would guess that, whatever their public utterances, the various Government Ministers who have some measure of responsibility in this field are in a blind panic - if not worse, much worse - as to how to retrieve the position. In fact I have it on good authority that they have even resorted to approaching various privacy advocates with whom they have been conducting something akin to open warfare vis a vis ID cards for suggestions/advice. This would be laughable if it wasn't so serious! But their blind adherence to the Government's perceived wisdom about data management/Transformational Government/&c (all that tripe) means that their minds are closed to any sensible suggestions that may come their way. In their current mindset, all that is left to them is to shift the deck-chairs on the Great Bottler's good ship Titanic.

So, dear reader, whoop-de-do, things are going to get worse before they get better, not only in terms of data security/management but also the economy. And I reckon that, in the current climate, the best thing to do is to hold on to that distrust for a while as the best way of riding out the twin storms of Government incompetence over data security and the economic downturn.

GOVERNMENT'S DATA SECURITY WOES

Notwithstanding my previous post, this is by way of a small spot of house-keeping. I can't really let the latest batch of the Government's data security breaches (as per here, here and here) pass without some sort of comment.

Happily others have made appropriate noises about them already - notably Dizzy (who else?)(here and here) who makes the eminently sensible and intelligent suggestion of "a proper technology ministry responsibile for all IT and security". Personally I reckon it needs to go a little further than this. There should be a Cabinet-rank Minister, ideally with some level of technological expertise/knowledge (chance would be a fine thing from our current bunch of politicos!!!), with full responsibility and accountability for IT across the whole of Government not just cross-departmentally. The problem here isn't just about data security but about the whole bundle of IT issues (procurement, project development, infrastructure, &c, &c) which suffer from the dread disease of departmental turf ways and unjoined-up Government. As Dizzy rightly says: "As long as we have a disconnected system of IT development and systems in Government then there will always be someone else to blame".

The other part of the problem is that Government's 'wants and needs' from our data, notwithstanding data protection legislation, are (generally) antipathetic to our own. Worse, there is a cultural malaise within policy development in this area that assumes too readily that our interests should be subsumed to an airy-fairy perception of the 'greater good'. In other words, our data 'wants and needs' for our data play second fiddle to those of Government. The vexed issue of who 'owns' data is inextricably wrapped up in this and gives rise to an extremely persuasive argument that this matter - the rights to privacy of and for data - should be addressed legislatively as a matter of urgency. Quite rightly Dizzy also maintains: "Under no circumstances should any personal data be sent out of the country by Government". Again I favour going further than this. We should revert to a principle that has been floating around for some time, trusted third party "info-mediaries". Responsibility for all data administration and management should be stripped away from the government machine and passed to a sensibly funded, independent (of both the public and commercial sectors) organisation (or organisations) (perhaps akin to the ICO) which would be statutorily charged with all data management, ideally on a federated basis, on behalf of the citizen and the government (in that order).

And finally I slightly disagree with Dizzy when he says: "The Government's proposal for jail time for anyone breaching data security is a misdirected solution". He is of course correct in saying that this is "putting a Band-Aid over a gaping gash". Nevertheless, it seems to me that the complete absence of any effective sanction for "reckless" data security breaches is a major contributory factor to the cavalier/indifferent culture that exists on data security within Government. It therefore follows that some form of deterrent could have the beneficial effect of focussing minds on being rather more assiduous about data security. I can't help thinking that this is a necessary part of the solution.

I have one final point to make. Evidently, the Great Bottler is hoping that the scandals surrounding data security breaches will disappear over the coming weeks - which attitude, incidentally, is itself a manifestation of the cultural malaise of which I speak. If I was in his big tent, I wouldn't have all that much confidence in this expectation. What we know is that the Information Commissioner has made it plain that there is a whole bunch of government-held data has gone 'walkabout' - although none as serious as the HMRC scandal (given the scale of that disaster, we shouldn't be surprised by that). Thus far we've only really been told about the DSA breach. So it is reasonable to suppose that news of others will continue to dribble out for quite some time. Quite apart from that, the whole matter will be revisted by the media and Parliament relatively early in the New Year when the various Reports are published. The issue just isn't going to go away. Additionally, all it would take for the whole issue to flare up again in spades - and for the skids to be put almost terminally under tthe Great Bottler's administration - would be a single instance of fraud or identity theft perpetrated as a result of a loss/breach of government-held data. And that, dear friend, continues to be a seriously viable possibility!!!

(Sorry about that.) But still have a happy Christmas.

UNDERSTATEMENT OF THE YEAR? (CENTURY EVEN?)

So the Great Bottler's (ever-so-gentle) grilling by the Liaison Committee throws up this pearl of wisdom from him: "We've got a long way to go" [to develop a coherent Government IT strategy] (reports here and here; interesting to note that the BBC headline uses an 'edited' version of the phrase, "way to go" rather than "a long way to go"!?!). Talk about stating the bleeding obvious.

One other thing is nagging me about the Government's current focus on data security and trying to do something about it. It is all so much closing the stable door after the horse has bolted. And what really worries me is that I'm wholly unconvinced that the Government (or even Parliament) have the wit/capacity/expertise/inclination to (mixing my metaphors) put the genie back in the bottle. There is a very real and chilling prospect that, as of the current situation, we will just have to live with the simple fact that any rights we may once have had to privacy and the security of our data have been irretrievably compromised by the utter incompetence and complacency of those whom were charged with protecting them!!! Scary stuff!

PRIVACY IMPACT ASSESSMENTS

Once again those splendid chaps over at Ideal Government bring us welcome news, this time about the launch of Privacy Impact Assessments by the Information Commissioner (relevant press release available here). As William Heath suggests, ID cards/ContactPoint/eCAF/Connecting for Health/ eBorders/Scottish bus pass scheme for the elderly/&c would almost certainly have fallen foul of the criteria for assessment. And wouldn't we be in a much better situation if PIAs had been prepared for all these things (and more) so that the necessary and appropriate adjustments/amendments to secure our data and protect our privacy could have been made?

What I'm less certain about is what level of compulsion, if any, the ICO can impose so far as the preparation of PIAs is concerned. So let us hope that some bright spark(s) in Parliament and/or Government (I don't hold out much hope that the latter will) manages to get their head round this and has a go at legislating to make it a statutory duty for Government in all its incarnations to prepare PIAs. Were this to happen it might - just might - limit the almost unrestrained opportunities that our lords and masters have of making a complete and utter horlicks of all their IT schemes and creating hugely expensive 'white elephant' projects all over the place.

"WEB PAGES LOST IN THE POST?" OR STOLEN?

As an addendum to Dizzy's post here about his infuriation with mis-addressed html links/dead addresses/&c in Hansard's reports, I offer you this from John Lettice at The Register. As he says, the Government using URLs "that it hasn't even bothered to buy is possibly a new low" even for them.