Wednesday, November 19, 2008

Ethical leaking?

Just as we have long had a debate in digicircles about ethical hacking, do we now have to start having it about ethical online leaking?

Thought inspired by the much bally hooed leak of the entire BNP membership list in breach of court injunction.

WikiLeaks has of course been in this business for a long time - but I suspect rather more of the UK population than before has just begun to wake up to the world in which court gagging orders are simply a waste of time. (I just went there to get the URL, and surprise, it's slashdotted. I don't know if they do have the BNP list.) I could go and torrent that list now anyway, with no danger of the re publisher being tracked(though of course I won't). This is possibly the most effective counter-injunction leak in the UK since people discovered they could get illicit copies of Spycatcher online.

Someone I know has already to her shock found an old family friend on the list. People are scared of losing their jobs. Some of them , like police officers, arguably should. There are children on it enrolled as part of a family membership package -how may they feel? Now or in the future when they have their own views?

Is this really, finally, the transparent society, and if so, do we like it?

2 comments:

Judith said...

As a good privacy and data protection lawyer I must view this as unauthorised processing of sensitive personal data which should be dealt with in the same way as any other data security breach. But I can't help smiling at the prospect of the BNP invoking the Human Rights Act 1998 and at reports that the ICO may also be looking at whether or not the amount of data the BNP holds on its members can be seen as excessive.

Ken Brown said...

Well, there are certainly people I know on that list. And at least one I know very well (though their presence is no surprise to me)

Nick Griffin is talking about the HRA. But it seems that this is something that the BNP did to themselves. IANAL but I'd have guessed that the most relevant field of law is Data Protection. The members have a right to expect the BNP to keep their personal details private, and the BNP failed to do that. Certainly by not taking adequate security precautions, possibly by deliberately leaking it. So if there is a court case Nick Griffin will be the one defending the actions of his own organisation, not the other way round. That's probably why he is bleating so much. This is part of the backlash from a failed coup within the BNP and the losers are trying to take revenge.

The interesting thing about this for the rest of us is that it is evidence, if any were needed, that NO database is safe from public exposure. Whether its leaks like this, or drunk officers leaving their laptops in the taxi home from the pub, or pickpockets snaffling up a memory stick, stuff will get out sooner or later. And these days when it gets out it becomes immortal. Lots of people I know downloaded this list within a few minute of hearing about it on the first evening it became public knowledge (both my daughter and myself did, quite separately - she has obviously been well educated). By the next day people were emailing spreadsheets around. There must be literally millions of copies by now. As long as our civilisation survives, no-one will ever be able to get rid of this stuff. Any more than they will be able to get rid of my 1980s-self's opinions on hemp, crypto, or anti-semitism, as they were expressed on newsgroups or Cix.

Why am I writing this here? You've all known this for decades. You aren't the people who need to learn it. I wish the British government would.

Big centralised databases of personal information are to identity theft what brothels are to sexually transmitted diseases.

The bigger the database, the bigger the risk. I mean in terms of access and links to it, not the amount of data. The bigger the organisation, the larger the group with legitimate access, the more likely it is that somethig will go wrong. Whether it is a political party, a private business, or a government, if someone keeps a record of your details a computer, and if they employ other people to keep it safe, then it only takes ONE of those other people to be pissed off with their boss, or to be bribed, or to make a stupid mistake, or just to be having a really bad day.

I mean a really bad day. Think of the worst day of your life. If there is a database to which 20,000 people have access (tax records maybe? DVLC?) the chances are that, just at random, at least one of them is right now having at least as bad a day as that baddest day ever of yours. These are real human beings. One of them just broke up with the love of their life, one of them has just learned that they have terminal lung cancer, one of them has dead babies. Some of them are insane, some of them are fascists, some of them are wannabe celebrities. Probably more than one is suicidally depressed, quite a lot of them are junkies, hundreds of them haven't yet really recovered from whatever they ate, drank, or snorted last night. Just ordinary folks, who happen to work for the government. And the more of them there are the more likely it is that one of them will do something stupid today.

When we kept personal date on paper files, the most they could nick was probably a few dozen. (Heck - twenty-five years ago I used to have access to the actual tax forms of about half of the richest 10,000 people in Britain, from rock stars to cabinet ministers. Though most of them seemed to be dentists. I could just walk into the room and take them off the shelves and read them. And yes R***** D***** was the highest paid person in the country and L***** C****** did seem to own about half of Northumbria). Nowadays I could load our entire student database here onto the chip I put in my camera. And I have complete access of course, being one of the blokes that runs the computers the stuff is on. So if I met a student I fancied and if I was an Evil Stalker (which I am not) or just Smitten with True Love (which I suppose I could imaginably be, it sounds like fun) and if I wasn't very ethical I could look up her age, place of birth, home address, home phone number, and marital status in a few seconds. Aren't computers fun?

If you want to keep it a secret, don't write it down.