aargh!

Forgive me, because I need to rant about something…

I am getting sick of the complete fucking incompetence of our government when it comes to matters of technology. Two contemporary issues highlight this for me.

Firstly we have the new Police and Justice Bill, which contains a handful of clauses amending the Computer Misuse Act of 1990. I have concerns over clause 35 of the new bill:

A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article—
(a) knowing that it is designed or adapted for use in the course of or in connection with an offence under section 1 or 3; or
(b) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.

This clause is designed to outlaw so-called “hacking tools”: tools that can be used to probe systems for vulnerabilities or to break into computer systems.

The problem is that in practice there is no clear distinction between hacking tools and legitimate tools. For example, a packet sniffer can be used to snoop on network traffic for the purpose of capturing passwords and other vital system information. Or it can be used to debug problems with an HTTP-based application. Tools I’d use to stress test a system could also be used to launch a denial of service attack.

There are tools out there with a distinctly murky history that are nonetheless damned useful to those of us responsible for the security of internet facing systems. The hacker and the system administrator will often use the same tools for different purposes. Some tools were originally developed for legitimate purposes, but can be used illegitimately. Some tools were originally designed by people wanting to break into systems, or they sit within a very grey area, but can be and are used for good, authorised reasons.

This clause completely fails to capture the complexity of the situation. I get a strong impression it was written by someone with scarcely any understanding of the area they are legislating within.

I wrote a letter to my MP about this when the bill was published, nearly two months ago. He hasn’t yet had the grace to reply.

The second annoying factor is the Identity Cards bill currently bouncing back and forth between Commons and Lords. Specifically, the provision for a National Identity Register. This register will be a centrally held database ultimately containing the personal information of everyone in the country.

The reasons for the National Identity Register are somewhat obscure. If you can find anything published by the government explaining exactly why they need this huge database then you are a better man than I. The bill itself says the register will provide:

… a secure and reliable method for registrable facts about such individuals to be ascertained, recorded, stored and verified wherever that is necessary in the public interest. [Clause 1, 3(b)]

So that’s nice and vague. The closest I can get to a concrete reason is a few references suggesting the database is needed to prevent duplicate applications for cards.

In essence, my new application for a card is checked against the database to make sure that I (identified by my biometric data) haven’t made two applications with differing personal information. Thus we prevent miscreants applying for multiple cards under different identities.

However, to achieve this you don’t need to store personal data centrally. Instead, you store two cryptographic hashes: one a hash of your personal details, the other a hash of your biometric data. When a new application is made, two new hashes are generated and compared to the stored hashes. Any match found will clearly demonstrate that you have a duplicate application. But, importantly, the stored hashes cannot be reversed to retrieve the original data. Ta da! A system safeguarding against duplicate submissions without any need for central storage of personal data.

My card would store all the necessary information to authenticate me on the card itself, rather than in a separate database. The information could be signed using a private key known only to the government office issuing the cards. This would allow us to verify that the information remained unchanged since the card was issued. Furthermore, each individual would be in complete control of their own personal information. The only people with access to your personal details would be those to whom you chose to show your card.

This would be a far simpler underlying system, thus easier and cheaper to roll out.
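As an added illustration of the scheme sketched in the last three paragraphs (example code, not from the original post): a register that holds only the two digests and flags a second application from the same biometric under differing details, plus the signed record held on the card. It assumes the biometric template is a stable byte string and uses Ed25519 for the issuing office’s signature; all names and sample data are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Register holds only digests (biometric digest -> details digest); no personal data.
type Register struct{ byBiometric map[[32]byte][32]byte }
func NewRegister() *Register { return &Register{byBiometric: map[[32]byte][32]byte{}} }

// HashDetails canonicalises case and whitespace before hashing; a digest of a few guessable fields resists reversal only as well as the fields resist guessing.
func HashDetails(fields ...string) [32]byte {
	norm := make([]string, len(fields))
	for i, f := range fields {
		norm[i] = strings.ToLower(strings.Join(strings.Fields(f), " "))
	}
	return sha256.Sum256([]byte(strings.Join(norm, "\x1f")))
}

// HashBiometric assumes a stable template; real biometric matching is fuzzy, which a plain hash ignores.
func HashBiometric(template []byte) [32]byte { return sha256.Sum256(template) }

// Apply reports "new", "resubmission" (same person and details) or "duplicate" (same person, differing details).
func (r *Register) Apply(bio, details [32]byte) string {
	prev, seen := r.byBiometric[bio]
	switch {
	case !seen:
		r.byBiometric[bio] = details
		return "new"
	case prev == details:
		return "resubmission"
	}
	return "duplicate"
}

// IssueCard signs the card's record with the issuing office's private key; VerifyCard needs only the public key to detect any change since issue.
func IssueCard(priv ed25519.PrivateKey, record []byte) []byte { return ed25519.Sign(priv, record) }
func VerifyCard(pub ed25519.PublicKey, record, sig []byte) bool { return ed25519.Verify(pub, record, sig) }

func main() {
	reg, bio := NewRegister(), HashBiometric([]byte("constructed fingerprint template"))
	fmt.Println(reg.Apply(bio, HashDetails("Jane Doe", "1970-01-01")), reg.Apply(bio, HashDetails("J. Bloggs", "1975-05-05"))) // new duplicate
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := IssueCard(priv, []byte("Jane Doe|1970-01-01"))
	fmt.Println(VerifyCard(pub, []byte("Jane Doe|1970-01-01"), sig), VerifyCard(pub, []byte("Jane Doe|1960-01-01"), sig)) // true false
}
```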

So why aren’t the government doing this? Either they don’t understand the concept and power of cryptographic hashes, or they have other unstated intentions for the identity register. I generally follow the principle of “never ascribe to malice that which can be explained through incompetence”. So I’m inclined to think they are just bloody incompetent.

Given that Tony Blair can’t even figure out how to work his own iPod, I fear there is little chance he would understand the concept of a cryptographic hashing algorithm. As our glorious leader himself admits:

“I’m not very good with the technology, I’m not very good with any aspect of it.”

Where’s a revolution when you need one?