I was going to title this post, "the Wizard of Id" but decided against it.
It hasn't been a great week for the UK government's HMRC (Revenue & Customs) department, who admitted losing a couple of CDs which had an unencrypted export of the name, address, national insurance number and, in some cases, bank account details of some 25m UK citizens, including every child registered for Child Benefit.
The media has gone to town on the department, decrying "how could this possibly happen?" and demanding the head of whoever is responsible. The chairman of HMRC has already resigned, and it wouldn't surprise anyone if others follow.
The public consciousness
There are many questions about the whole sorry affair - such as why on earth the National Audit Office needed the information in the first place, why HMRC decided to send it on CD rather than using the Government Secure Intranet (GSI) to transfer it, and why it would have been such a big job to filter out bank account information, as had been suggested at one point. The Telegraph seems to think it would cost £5,000 to clean the data up, and take a software engineer a week. I'd be surprised if the content isn't just a giant CSV file or similar; it should be a matter of loading it into Excel 2007, deleting the columns to do with bank accounts, then saving again. If HMRC (or anyone else) wants to pay me 5 grand for doing that, I'm at your service.
What is interesting is the raising of the threat of identity theft in the public's mind, from the sudden over-reaction of many to the casual indifference of most, at least until the story broke. Some newspapers have reported large numbers of customers resetting their bank account PINs, and even wondering if they should move banks...
I personally shred every piece of correspondence which has my name and address in it, unless I need to keep it, and am generally pretty careful about identity. If someone did get hold of my name, address, date of birth, mother's maiden name, bank account details, etc., then it's always possible they could mount a serious attempt to compromise my online banking - so the passwords and PINs are always unlinked to anything surrounding them... I wonder how many parents have bank cards with the PIN formed from their child's date of birth?
I remember reading Kim Cameron's Laws of Identity a couple of years ago and being impressed with the clarity, succinctness and yet completeness of what he said. If you've never read Kim's work, go and check out the paper now or just check out the laws as bullet points.
It turns out the UK government breaks every single one of those laws at some level. And the press were saying that the HMRC crisis is a nail in the coffin for national ID cards... at least implementing an ID card system might give the government the opportunity to sort out how it deals with users' data...