Monday, June 27, 2005

ID cards back on the agenda in the UK

In the United Kingdom, the issue of ID cards is back on the political agenda now. Prior to the general election of May 2005, the previous bill had to be abandoned when parliament was dissolved (see previous blog entry).

Now the government is bringing it back, and tomorrow (28 June) the bill will have its second reading in the House of Commons. This will be very interesting for a number of reasons:
  • The government will for the first time face a vote on a contentious issue with its now reduced majority of 67 in the House – since both Conservatives and Liberal Democrats have pledged to vote against it, and in the face of an as yet unknown number of Labour MPs who may rebel against it (19 did the last time around).
  • The UK's largest trade union, Unison, has joined seven other unions such as the Transport and General Workers Union, in opposition to the ID cards scheme. This is important for two reasons: on the one hand, many Labour MPs are union members, and the unions will lobby these MPs to vote against the bill; on the other hand, implementation of the bill may be threatened if key public sector workers may not cooperate (see the report in The Observer).
  • The London School of Economics and Political Science today published a report assessing the government's plans and finding that the scheme will cost much more than the figure given by the Home Office, which is some £ 6 bn. over ten years. The LSE report (downloadable here) estimates the costs to be more likely in the region of £ 15 bn. Since the main concern in the UK with regard to the ID cards bill has so far been costs and especially how much every citizen would be charged, this may turn out to be a crucial controversy. Accordingly, the government have tried to refute the claims (listen to the Home Office minister Tony McNulty and the LSE's Patrick Dunleavy on the Today program of BBC radio 4).
  • Since all ID card data will also be entered into a nationwide database, rumours about government plans to sell these data to help pay for the costs of the scheme (see the report in the Independent on Sunday) will not be helpful for the government's plans either.
It should be noted that opposition to the bill so far largely centres on the costs, not least to the individual citizen (for which figures varying between £ 100 and £ 200 are mentioned by the government and its opponents). Civil liberties concerns play a minor role compared to that, at least in public discourse so far.

Thursday, June 23, 2005

U.S. Social Security Administration gives FBI access to data post 9/11

The Social Security Administration in the United States has relaxed its privacy restrictions and turned over information on thousands of people to the FBI as part of terrorism investigations since the Sept. 11 attacks, newly disclosed records and interviews show (see reports on the New York Times and International Herald Tribune websites).

As documents obtained by the Electronic Privacy Information Center (EPIC) under a freedom-of-information request show (pdf accessible here), Social Security officials authorized a policy allowing the FBI to gain access in some cases to the documents, including earnings and employer information. Normally, Social Security's privacy rules prohibit the agency from disclosing information to law enforcement officials unless the crime involves Social Security or similar government benefit program, or the individual had been indicted or convicted of a violent crime.

Apparently the rules were changed through the exercise of “ad hoc” authority by the agency's commissioner.

As EPIC put it on their website: “The new policy undermines the Privacy Act and permits disclosure of personal information held by a federal agency with little accountability.”

Saturday, June 18, 2005

Huge security breach of credit card user data

As MasterCard International reported in a press release yesterday, a huge breach of security was detected at a third-party processor of payment card data. According to this, as many as 40 mio credit cards were potentially exposed to fraud, of which about 14 mio are MasterCard branded cards. (See further reports by CNN here and BusinessWeek here). Apparently the data potentially compromised include names of cardholders and banks, and account numbers, but no addresses or Social Security numbers. American Express card holders are also affected, Visa did not yet comment.
The company that processed the data, CardSystems Solutions, Inc., sounded very apologetic in a press release (pdf):
“We understand and fully appreciate the seriousness of the situation. Our customers and their customers are our lifeblood. We are sparing no effort to get to the bottom of this matter. Our goal is to cooperate fully with the FBI to complete the investigation and ensure that we do nothing that might compromise the investigation.”
Apparently the data were compromised through a virus-like computer script that infiltrated the company's network and captured customer data.

This is only the latest incident in a series of similar breaches of data security to take place in financial institutions such as ChoicePoint, Bank of America, LexisNexis, and Retail Ventures. And that are only the ones this blog reported about in the last four months… I will this time not repeat my musings about whether this will trigger legislative reactions. Let's just say: watch this space!