We are developing the social individualist meta-context for the future. From the very serious to the extremely frivolous... lets see what is on the mind of the Samizdata people.
Samizdata, derived from Samizdat /n. - a system of clandestine publication of banned literature in the USSR [Russ.,= self-publishing house]
|
Samizdata quote of the day
NHS North Central London operates under strict data protection guidance and is taking the matter extremely seriously. We have started an investigation into the issues raised by the loss. We are liaising with the office of the Information Commissioner.
– A spokesman from NHS North Central London, responding ineffectually to questions from The Register about having recently lost a laptop containing 8.6 million health records. The laptop was “password protected”, apparently, so everything is okay.
|
Who Are We? The Samizdata people are a bunch of sinister and heavily armed globalist illuminati who seek to infect the entire world with the values of personal liberty and several property. Amongst our many crimes is a sense of humour and the intermittent use of British spelling.
We are also a varied group made up of social individualists, classical liberals, whigs, libertarians, extropians, futurists, ‘Porcupines’, Karl Popper fetishists, recovering neo-conservatives, crazed Ayn Rand worshipers, over-caffeinated Virginia Postrel devotees, witty Frédéric Bastiat wannabes, cypherpunks, minarchists, kritarchists and wild-eyed anarcho-capitalists from Britain, North America, Australia and Europe.
|
Which part are they taking extremely seriously, the protection or the guidance?
From the Register story:
1) How many password attempts does the user get before they are (ostensibly) locked out? And why do I not see the word “encrypted” anywhere in that story?
2) Anyone how their “manual deletion” process works? I have a feeling it’s not quite as complete/irreversible as they think it is.
3) What in the
matrimonial bloody helldevil are 8.63 million records doing on a single laptop?According to the story, the laptop was being used for:
Well, if the postcode information is the full postcode (which usually identifies a street uniquely, and sometimes a building uniquely), and you combine that with information on age and gender, then match that against other readily available databases of personal information and you are going to be able to identify the individual a lot of the time, particularly if information about multiple people living in the same household is grouped together. If the postcode information is only the first part of the postcode (SW18 or whatever) then it may not be quite so bad.
It does sound very bad, though.
I would have thought that after the HMRC debacle, (I mean, it wasn’t that long ago) everyone in the various bureaucracies would have wised up and Bought a Clue. I guess there really isn’t a patch for human stupidity after all.
I did want to thank you for the information on the postcodes. I wasn’t aware they were so detailed.
I hope for the sake of some of the politicians there that a few clever lads from, say, Private Eye don’t get hold of the information and start cross-referencing things. The fact that mental health records were among the information lost might not bode well for a politician or two.
I suppose “password protected” could mean full disk encryption, in which case this is probably a non-story. If it means anything else, though…
Yes, if they had full disk encryption, one could chide them a small amount for losing the laptop and still wonder a little exactly why they needed that many records on a laptop, praise them a larger amount for good security practice, and that would be more or less the end of it.
However, one tends to think that if they did have full disk encryption, they would say this immediately when news of the loss got out and the press asked them about it. That they have nowhere actually used the word “encryption” suggests that they have neither encrypted the data nor understood the need for it. One fears that the actual situation is that all that is needed to get around the password protection is to pull the hard drive out and connect it to another computer. This would not be good.
Anyone care to bet that the password used was “password” or “1234” or something similar?
I have the same combination on my luggage!
Melchett: So, it’s maximum security, is that clear?
Blackadder: Quite so, sir, only myself and the rest of the English-speaking world is to know.
Something tells me that if you hang around ebay.co.uk long enough, you might get a chance to try out your theory firsthand. : /
I couldn’t help but notice that the particular laptop that all the fuss is about is actually only one of twelve that are unaccounted for. However, I’m sure there are only 2.3 million patient records on each of the other eleven machines, so no worries there.
The good news is that this amount of data exceeds the capacity of a single instance of Excel, so a person would need to have several functioning brain cels in order to be able to access all of it.
I will wager good cash money that the data was entirely unencrypted, and that the laptop was ‘password-protected’ in the sense that a password is required, but that said password is written on a smiley-face sticky-note stuck on the screen.
I will further wager that the ‘other identifying information’ is more than enough to identify more than 50% of the patients with better than 99% confidence, using only other public records.
When this sort of thing happens to private enterprises, you can’t keep the lawmakers and the politicians off the TV, talking about more regulations and demanding that the victims be protected in ever-more-expensive ways from the possible consequences. What consequences will anybody associated with this c**k-up suffer?
(Clue – the answer is ‘none whatosever’)
llater,
llamas
Long ago and far away, when ‘portable computers’ morphed into laptops that could truly be pickup up and taken anywhere EASILY ( as opposed to the earlier models which were similar to putting and handle on your refrigerator and calling it ‘portable !! ) an old, now departed, dear friend said that one of the biggest problems with these things was going to be theft !!
That they would vanish FAR too easily and frequently !!
This is just the beginning !
A friend of mine recently came to me with a machine running Windows on which he’d forgotten the password. He asked me if there was anything I could do. I booted up an Ophcrack live CD, which cracked it in three seconds. (It tells you how long it took when it’s finished.)
Just saying.
I expect the governmental response will be to ban such software. ‘Cos that always works: look at guns and heroin. You never hear about those any more, do you?
BART PE does the job quite nicely… takes a bit longer though!
I wonder why data is stored on the laptop in the first place, nowadays, with the advent of mobile internet and cloud computing, a laptop is only used to connect via a VPN to a virtual machine somewhere which has all the data, you don’t actually need either the data or the applications on the laptop, just an internet connection.
This is not a new concept either.
Small organizations can only make small mistakes.
Huge organizations make every mistake huge.