Monday, August 25, 2008

Data Loss and ID Cards

Over at Sadie's place, a post on the government data loss story has spawned something of an argument (no surprise there). As a Labour blogger who does go on about the virtues of ID cards I'd like to explain why government data loss scandals are not proof that the government should not implement ID cards (above and beyond the simple reason that the NIR contains virtually nothing that isn't held elsewhere). I would like to point out that I work as a software developer in the private sector, so what I write is from professional experience and is more than mere party hackery.

First I'd like to talk about data loss, and my views on the matter. I regard data loss as inevitable, our personal data is held by numerous government agencies and often to an even greater extent by commercial companies. One of my previous employers was in the business of selling on personal data (with permission) to third parties for marketing purposes. And let's not even mention the publicly available data on the electoral register (although this is going to be tightened up). Given the huge number of agencies holding data, the number of staff who have access to it, the frequent transmission of the data. Given also the ease with which data can be stolen undetected (for example, a poorly built e-commerce website can have data stolen from it without it's owners realising, an employee with a spreadsheet of customer data could quite easily copy it onto memory stick or send it through webmail undetected) I think there is a good deal of justification for this opinion.

The obvious worry of leaky data is that it could be used to impersonate someone's identity, say to apply for a passport in their name or to open a bank account, obtain credit or apply for benefits. One of the cunning parts of the ID card scheme is the biometric signature. The idea behind this, is that if an agency, say a bank, wants to be really sure you are who you say you are it can perform an biometric ID check. This works like this.

Customer: I'd like to take a out a loan for £5,000
Bank Staff: Could you give me your details please
C: May name is James Somebody, I live at 6 Some Street, London, E6 3ZZ
BS: Put your ID card here, and swipe your finger

Such a check could yield several results, an initial background check could reveal the details as completely fake. Alternatively if the applicant is an ID thief and has done the legwork, then the details would check out, at this point it would compare the fingerprints, the fraud would be detected at this point because they wouldn't match. The point of ID cards is to make neutralise the danger of data loss by strengthening the actual ID check, it would mean that data loss would not matter nearly as much, because the data itself would be insufficient to actually use for ID fraud.

PS: I'm sure someone will point me to Ben Goldacre's article on Biometrics, or the mythbusters video so I would like to point out the following, In order to fool a biometric scanner, you would need to first obtain or clone your target's ID card. You would then need to obtain their fingerprints, it's difficult to get both. A scan could ask for a combination of fingers and this would effectively neutralise the use of fingerprints picked up of the card itself. Storing the prints on the card itself would be a bad idea for this reason. Also, the bank staff might notice that you're using gummi fingers.

Friday, August 22, 2008

Count the If's

This latest data loss scandal, the prisoner's data stick is another storm in a teacup. It's the media giving undue priority to what actually a minor problem.

In order for the data to be misused, first the memory stick needs to be found, in addition the finder will have to be aware of what the data is. If they get this far they can set themselves up to sell the data top people seeking retribution against criminals. In order to do this they will need to have contacts, or find contacts among the private detective world in order to sell this information on.

So, IF the stick is found and IF the finder realises what it is and IF they then decide to try and sell it and IF they can then find an outlet for if THEN there is the possibility that it could cause problems.

Further to this, the main implication of this data loss is that it could be used for retribution, this I would suggest is a very small number of people. I would also suggest that those who would go as far as wanting retribution, then there are plenty of other sources to obtain this information and that the lost data would do little to make the job of finding someone any easier.

Thursday, August 21, 2008

Liberalising Da Kapital Markit

Tim Worstall, often likes to talk about us lefties just don't get da markit, but for all this arrogance this post about liberalising capital market flows is somewhat lacking, he quotes a paper mentioned on Cafe Hayek about how liberalisation of capital markets brings foreign investment and encourages economic growth. Curious, because it's the complete opposite of what I've read about it.

Foreign investment in markets tends to follow a herd behavior moving in when prospects are good and creating a bubble then moving out with equal alacrity in a downturn exacerbating worsening the downturn. For a developing nation that could do with a steady flow of capital this kind of behavoir is deeply harmful. This was demonstrated very clearly in 1997 in the Asian crises. The stock markets of developing nations are especially vunerable to this because of their small size relative to those in the developed world, the largest, in India is 1/30th of the size of the US stockmarket.

The main effect of capital market liberalisation is to cause volatile money flows in and out of a country to no real good effect. There are policies to encourage growth in developing nations, and they do involve opening up the economy to the rest of the world, but this one should be way down the list of priorities.

Tuesday, August 19, 2008

When Projects Go Wrong

Don Paskini has linked an excellent article on IT projects and management consultants explaining just why there seem to be quite so many lurking in the corridors of power. It's a should serve as a very sobering read for any Tory who imagines that as they take control of their department they'll be able to go "consultants, out, now!".

As someone with a fair amount of experience working on IT projects, I agree wholeheartedly with the article and much of the sentiment. The general impression of large government projects (IT and otherwise) in the media is that they frequently go vastly over budget and take forever to deliver. Often the changes in delivery time and cost can often be explained. So, I thought I'd have a crack at explaining why projects sometimes appear to go wrong.

Changing Costs, Changing Deadlines
What most people don't realise is that when an IT system is initially designed, the customers are not totally aware of what it will do. They will have a rough outline, but the fact is that it's very difficult to envisage the final shape of the project at it's inception. If this sounds strange, consider the following example.

A NHS Trust has developed a system that automatically schedules home visits for nurses, every day a nurse with home visits to perform recieves a list of patients, the nurse them gets the appropriate records and goes off to visit the patents. As the system takes shape a number of additional requests get thrown into the mix.

  • Managers suggest that it would be good if visits were grouped together by distance so that nurses completed their visits more quickly.
  • Doctors suggest that rather than have nurses take the patient record, the patient list should include a list of what checks and treatments are required, with the results then recorded afterwards.
  • Accounts suggest that it would save form filling if the travel distances were automatically sent to them for calculating mileage payments.
So what we have is a simple idea that has grown larger over the course of the project. Modern development methodologies recognise that this kind of occurence is not uncommon, meaning that changes can be accomodated without the need to rewrite the system. This project may have been happily recieved by it's users and have delivered a number of efficiency improvements, but on paper looks like it was delayed and over budget.

Another good (although non IT related) example of bad reporting on the subject is the 2012 Olympics, although very little building work has taken place, we get reports of spiralling costs. Whether the costs have overrun or not will not be known until 2012 when everything is built. Most of the cost announcements so far have related to spending plans rather than costs.

Constantly Changing Justifications
Opposition politicians like to bash ID cards because apparently the government is constantly changing it's reasoning for it. One week it's terrorism, the next week it's identity theft. The truth is rather different.

Most government agencies have problems verifying identities, when someone gives them their details they simply have to take that person's word of it. Some checks might be made, but this is often a long and complicated process and in a lot of cases, not worth the hassle. A national identity register, creates a single identity record that is checked in detail when it is created. This gives government agencies far more accurate identity verification, it also gives them the ability to better check their own data against that held by other agencies.

The upshot of this is that government agencies have far more accurate data and much greater ability to act in a more joined up fashion. The result is benefits accross a very large number of departments. To sum up, it's not that the government keeps changing the justification, it's that there are many different justifications.

Sunday, August 17, 2008

Ivan Lewis: Tax the rich not the middle classes

I'm liking Ivan Lewis, he seemed very angry about the Tories "Vermin" press release a few weeks ago. He called it gutter politics and I'd say that was a 100% accurate view on things. In the Times today, he says "Tax the Rich not the Middle Classes", another sentiment I totally agree with.

Often, the suggestion of taxing the rich has long been greeted with the suggestion that such a move is a return to 70's style socialism. The truth is that a minor hike in the top income tax band is nothing of the sort. We already have a progressive taxation system, the principle is sound, what's wrong with making it a little more progressive?

The other major argument against this kind of move is that the rich are good for the economy, they are the wealth creators, the geese laying golden eggs. I disagree with this in that I believe that only a limited subset of the rich are actually these fabled "wealth creators", most contribute no more to society than any ordinary person. Additionally, the tax regime can be structured so that entrepreneurs still see the benefits, entrepreneurs derive much of their income from dividends and capital gains and these are taxed differently to income tax.

Further to the argument that the rich aren't all that good for the economy, I would suggest that some of the consequences are actually destructive. High private sector salaries have had a knock on effect on the top public sector jobs, leading to additional expense for the taxpayer. Wealthy individuals also tend to invest far more of their money, meaning that the price of assets such as houses and shares become inflated, often leading to a squeeze on incomes for everyone.

In conclusion then, I think Ivan Lewis was right to say what he said and the Labour party should be looking to implement policy along these lines.

Crossposted on LabourHome

Thursday, August 07, 2008

Sensible thoughts on housing...

Cliff D'Arcy at the Motley Fool reckons that messing around with Stamp Duty is akin to blowing into a storm and for that reason really a bit pointless, I'm tending to agree. Also worth noting is the that he discloses that he will gain from a housing price crash, I doubt his doom mongering will change anything, but I admire it on principle. Especially since none of the endless property porn shows and estate agent puff piece articles were ever as open.

An interview with Garvis Snook, scaffolders son turned property firm boss who criticises the way the building industry treats it's workers, arguing in favour of health and safety training, directly employing workers (rather than the more common self employed arrangement) and the rights that entails. He's also very critical of the trend towards property ownership arguing for more social housing (Cap Doff: Labour left forum)

Wednesday, August 06, 2008

The Media is Clueless on Identity Theft

Making the news today was a story about identity theft on a gigantic scale. A possible 45 million credit card numbers could have been stolen from US retailers TJX. Obviously a bad thing, but what really annoys me is the level of ignorance in the reporting.

While "identity theft" may be what this is being reported as, a far better term would be "credit card fraud" because that's basically what this was. The diference is that credit card fraud involves using someone's card details to commit fraudulent purchases, it's quite a simple crime. Identity theft is more involved and complicated, it generally involves applying for credit in someone else's name, it's a process that's riskier and involves a lot more legwork.

The important thing to realise is the difference. If your credit card is stolen, a fraudster simply has to do a bit of online shopping, If your personal details are lost, a thief will have to go through a complicated process involving the search for sufficient personal data and obtaining false documents in order convince to convince a financial institution that they are in fact you.

Most data loss scandals (including those by the government) such as lost laptops and similar data loss have generally contained personal details rather than financial information that can be used to commit direct fraud. The media often acts as if the loss of personal data could lead to some terrible occurance, the truth is that the danger in many data loss stories is often seriously overstated.

Friday, August 01, 2008

I Just Don't Get It

One of the few sensible things David Davis said shortly after he stepped down was that sometimes Westminster does seem to exist inside it's own little bubble of reality. At this time, I'm seriously noticing it. I'm not a bag carrier or a policy wond, I'm an outsider, someone who writes programming code for a living who also happens to support Labour.

The way I see it is this, David Milliband writes an article suggesting that Labour ought to be holding it's head high and laying into the Tories. Now I can understand how this could be setting out your stall for the leadership in the current climate of low poll ratings and bad by elections. Perhaps we'll get answers at the press conference.

The way I saw the press conference was that David said that the article was not intended to be the opening salvo in a leadership battle. The press seemed to think that because he did not rictually disembowell himself for his affront to the supreme leader that clearly it was a leadership bid. If that was the case, why did Milliband issue such a clear denial?

Fast forward and number 10 is apparently furious (so say "sources close to the Prime minister"), Marshall-Andrews is calling for Milliband's sacking, the world inside the Westminster bubble has gone mad and on the outside this activist is wondering what on earth is going on.