The sheer scale of this Data Disaster is beyond precedent. I don't think there has been such a major breach of personal data protection anywhere in the world. Britain is now, officially, the most incompetent protector of sensitive personal data on the planet.
Well, it's always good to be number one at something.
The good news, of course, is that this has completely scuppered their naive and dangerous plans for massive centralised databases filled with even more sensitive and valuable personal data than that which they have owned up to losing today - their "National Identity Database".
The polls will, no doubt, reflect that immediately. Asked the question: "Do you trust the government to protect the masses of personal data they wish to store about you?" I would now bet that the "Yes" vote would be somewhat less than 10%. And they'll be made up largely of those who don't yet know about the Datastrophe.
Jane Kennedy had the miserable duty of appearing before the Jeremy to defend the indefensible on behalf of the Government. Obviously the mistress of understatement, she accepted that "we need to demonstrate that we can be trusted".
The very first thing they will have to do in order to have even a 1% chance of rebuilding trust is to listen to the 'king experts who have been warning them for YEARS that this kind of disaster is inevitable once you hold massive centralised databases filled with sensitive and valuable personal data to which thousands of people require regular access.
This, as I've said elsewhere, is what (probably) the world's best known expert in this field - Bruce Schneier - tells us about how we can protect massive centralised databases filled with sensitive and valuable personal data to which thousands of people require regular access.
As they obviously didn't hear me last time, you'll pardon me if I shout:
"AS COMPUTER SCIENTISTS, WE DO NOT KNOW HOW TO KEEP A DATABASE OF THIS MAGNITUDE SECURE, WHETHER FROM OUTSIDE HACKERS OR THE THOUSANDS OF INSIDERS AUTHORIZED TO ACCESS IT" (EMPHASIS ADDED - sorry - emphasis added)
Got that? WE DO NOT KNOW.
We might think about starting to trust you ever again when you stop pretending you are capable of doing something that the world's leading experts tell us cannot be done. It makes you sound as ridiculous as Thabo Mbeki telling his South African AIDS-riddled citizens that their illness has nothing to do with HIV.
And let me make this plain. The consensus on this issue, amongst those experts who qualify and are taken seriously by the global Crypto and Security community, is much greater than the alleged consensus on Global Warming. It's even greater than the consensus on the link between HIV and AIDS. It is a true consensus. There is zero dissent.
Only those with political or commercial interests claim that such protection is possible.
Got that? Only those with political or commercial interests claim that such protection is possible.
So, if you're genuinely not heading down the American Police State path, and you REALLY want to begin to rebuild our trust, you will have to begin by apologising for your previous intransigence and publicly accepting what the recognised independent experts have been consistently telling us for a very long time. Meanwhile...
You are not Tesco's.
Yes, they can tell us our shopping habits and put them together with our name and address (if we're a card holder, or pay regularly by credit card) and even that relatively trivial level of detail can provide a lot of personal information people probably wouldn't be at all comfortable with if they understood it. For example - Ladies - you do realise that they know when most of you are having your period? You might not care, but if they were inclined, and if they were allowed to, which fortunately, to date, they are not, they could sell that information to the highest bidder. A Tampon manufacturer is likely to win. If and when you start getting relevant monthly SPAM, you might wanna start thinking about that.
Fortunately, though even Tesco's limited dataset is valuable to someone somewhere, it is not, yet at least, so valuable that it is likely to become a magnet to those who know how to exploit data for commercial purposes and are prepared to exercise "unconventional" means to get at it. Do you know what a single "clean" set of bank account details was fetching on the black market yesterday? (Before this disclosure) £400 quid.
Boy are they going to be pissed at you. You assholes have just flooded the market with about £10 BILLION POUNDS WORTH of virginal bank details - which is bound to depress the market price considerably. It might already - given the fuss and high profile - have reduced in value to only a Billion or two. And you really don't think it's going to get into the wrong hands??
If you are thinking like that you still don't get it. There are no right hands for such data to be sitting in. You've just proved - if anyone still doubted it - that this most certainly includes you.
Let me ram the point firmly home. You're stuffed mate. There is no conceivable "happy ending" to this for you. This is your CJD moment. All you can hope for now is that the long term effects are minimal. Even if the disks are found tomorrow morning, and even if they are apparently in a safe place, still on government "controlled" premises, you will still be stuffed, because, like the rest of the world, you cannot prove a negative. You cannot prove that - in the 3 weeks they've already been missing - the disks have not been removed by a skilled attacker, copied, and returned as though innocently mislaid. Your security chappies do this kind of thing all the time. They're not alone.
So even if Darling can rush into the House tomorrow afternoon clutching the disks in his sweaty hands (which would be a bloody stupid thing to do - but within the range of political grandstanding tradition) we will not know for years whether or not this data has been released into the wild. Partly this is because the clever attackers will not try the smash and grab that everybody seems to expect.
Nobody's going to find hundreds or thousands of pounds has gone missing from their accounts. Too obvious. Too traceable. Too easily spotted. Even by the banks. No. They'll set up small random withdrawals from their millions of hijacked accounts to hundreds or thousands of different recipient accounts. These withdrawals will be typical of the account (to whose records they have gained access for computerised analysis). How many victims are ever going to notice £3.72 this month, £2.18 next month and so on? How many are going to do anything about it? (In fact the only evidence we might ever get to see is that fall in the black market price.)
Tesco's data - and even the 25 Million sets of personal data you've just lost - is not a patch on what you bumbling amateurs are storing elsewhere. Tesco's can't connect their information with any other of our personal data because they don't have access to it. This limits, significantly, the risk we run by letting Tesco hold a small amount of our personal data - but it's still non zero as hinted above.
You, on the other hand, CAN connect THEIR data to all the other data sets you have access to, because you've recently given yourself the authority to do that kind of thing without, as I recall, the permission of the British People; but then, as the law stands, you don't actually need our permission, do you? So that's alright then.
So if the limited details...
"children's names, addresses, dates of birth, NI numbers and where relevant bank and building society account details"
are worth a few hundred quid per set, what's the market value of a set including tax details, medical history, criminal record, credit records, child benefit records, telephone records, known associations, club memberships, mobile phone records and internet surfing history, to mention but a few? £1,000? £10,000? Pick a number. Now multiply it by the 60 Million sets you retards are talking about storing and you'll realise we're talking figures in excess of American Defence Spending.
Do you understand what that means? It means that it's worth someone spending something close to what the Americans spend on their super inflated military budget in order to get access to data of that quantity and quality. The Americans, of course, will probably be your first customer. And - if you hadn't guessed - we don't trust you to resist the sale.
We may not need to match the attacker's budget in full, because, like we do with military defence, we share some of the costs with our allies, but think of it like this: If America ever became our sworn enemy, how much would we have to spend to defend ourselves against them?
Neither can we afford what it would cost - in either economic terms or those of civil liberties and privacy - to defend your proposed massive centralised databases filled with sensitive and valuable personal data to which thousands of people will require regular access. It's a non starter. Learn that lesson, and there is a small chance that your citizens might stop laughing in disbelief at your ludicrous posturing.
And, if you still want an ID card after that, you're going to have to adopt one WITHOUT A MASSIVE CENTRALISED DATABASE FILLED WITH SENSITIVE AND VALUABLE PERSONAL DATA TO WHICH THOUSANDS OF PEOPLE REQUIRE REGULAR ACCESS.
Such as the one I've been trying to tell you about, since 2002, here.
Is that clear?
Good. Now don't do it again!