ContactPoint access, according to the Draft Contact Point Guidance – Version 1 (65 pages – PDF 388kb), is going to be granted to authorized users by ‘secure token’, username and password.
They define it as:
Security token – an item or device which provides one of the elements of information required for authentication. Examples include a frequently changing numerical code generator or a single-use numerical sent to your phone.
I have seen one of these random number tokens in use by a director of Chase as he accessed his work account over a dialup telephone line while using his laptop.
They work by using time to synchronize a random pin number on this token, to an authentication server on the system where your account sits. You have to use your user name, password and the random number displayed on your token to gain access. This part of the authentication keeps out people who write scripts to try and brute force accounts.
This is the most expensive version. Obviously if you are going to roll this out to 330,000 people, HMG will be loathe to order all of those tokens at, say $69.50 per user. And since they expire every three years they will all have to be replaced regularly.
See below for what this means. Meanwhile, lets look at the ‘Security Principles’ part of the document:
Keeping the information on ContactPoint safe and secure and ensuring that it is only accessed by people who have a right to access it is of paramount importance, this too is a requirement of the Data Protection Act. Everyone who uses, administers and manages ContactPoint must act in ways that preserve the security of ContactPoint.
What this actually means is that the 330,000 people who will be given access to ContactPoint will be given the responsibility of keeping the data safe and secure. Since all of these people will be able to access all of the ContactPoint data, it effectively means they all have superuser status to look at everyone’s accounts no matter who they are or where they live. On a UNIX system, only the superuser can look into everyone’s files; individual users can only look at their own files, and in the case of a Local Authority (for example) they should really only be able to look at the details of people who live in their catchment area, if we were to agree to the principle of ContactPoint in the first place. It is insane that all 330,000 users can see every record.
2.1 Security Principles
Security of ContactPoint and the information held on it is of critical importance. Everyone who uses ContactPoint must take all practicable steps to ensure that their actions do not compromise security in any way.
This is crazy. Imagine if your bank allowed its all of its users to access bank details from any computer at any time over the internets. That would be a recipe for disaster, just like ContactPoint is. Banks that take security seriously, only allow access to their network from terminals inside branches, which are private networks. Of course, even if the architects of contact point specified that terminals must be inside secure buildings, that would not make ContactPoint OK because it is a compulsory system that violates your rights.
Some might say that being on this database is no different to being on the database of people who own passports. The difference is that having a passport allows you to travel, entitles you to consular services when you are abroad, and the database is used only to administer the issuing of passwords, etc etc; in other words, you get something out of it. Everyone on ContactPoint gets nothing out of it, in fact, you LOSE your privacy in return for absolutely nothing.
2.2 To ensure that only legitimate users access ContactPoint, a password and a physical security token (see Glossary), are both required to authenticate identity. This is known as 2 factor authentication.
This is better than a username and password, but it does not eliminate the problems associate with databases and the nature of data. The ‘things you must not do with ContactPoint’ bears this out:
2.3 A number of key principles should be observed, as a minimum, by everyone with access to ContactPoint. These are:
• Adhere to any local organisation policy/guidance on IT security;
What does this mean exactly? If you can access it from anywhere, it doesn’t matter WHAT guidelines are given; you are free to break them whenever you like.
• Never share user accounts, passwords or security tokens with others;
This is going to happen. We KNOW it is going to happen. ContactPoint tokens are going to have a monetary value, multiplied by the number of searches you want to do. There cannot be a single person who does not believe that ContactPoint will not be abused from the first day that it goes online…if it goes online.
• Do not write down your password and take care when entering it to ensure your keyboard is not overlooked;
We all know that shoulder surfing is done all the time. If someone is accessing ContactPoint from their laptop, their home computer or anywhere where there are people around, shoulder surfing will happen. As for writing down passwords, if they are going to use secure tokens, writing down a password will not be useful, since the token number changes every minute. Do they really understand what all of this means?
• Keep security token with you or securely locked up;
People are going to keep their ContactPoint security tokens on the keychain that they use for their house. Many of them are sold with metal rings to facilitate this. No one is going to keep their token in a safe or some other such place. Secondly, they have to deliver 330,000 of these tokens to the users. If even one of them goes astray in this distribution process then copies of the entries can be made. It is well known that identity theft and credit card fraud happens because post is stolen in transit.
• Never leave ContactPoint logged in when you leave your desk;
So, if someone has accessed 100 ContactPoint records on their laptop, and it is stolen, and these records are kept in the browsers cache, then those 100 children are compromised. This will happen.
• Ensure any reports or information you print from ContactPoint are stored securely and destroyed when no longer required;
On the first day that ContactPoint goes online, and all the 330,000 tokens have been distributed, a minimum of 330,000 children will have their records accessed. If these are printed out, they have escaped the database and are in the wild. Unless they are going to supply 330,000 secure shredders to all the ContactPoint users, you can guarantee that these printouts will be lost, sold and misused.
• Do not let others read ContactPoint information from your computer screen, particularly if working within a public environment; and
This will happen. Also, machines that are compromised will be turned into copying stations where ContactPoint information leaks into the hands of bad guys. By the way, every time I use the phrase ‘ContactPoint information’, or ‘ContactPoint entries’ or any other such phrase, remember we are talking about the private and sensitive information of children.
• Do not use public terminals (e.g. internet cafes, public reception areas) to access ContactPoint.
This will happen. For sure. And there is no way for ContactPoint admin to know when this has taken place.
2.4 Users It is your responsibility to prevent others from gaining access to, or making use of, your account. You must not share your password or security token with others. If you intentionally facilitate unauthorised access to ContactPoint, it is likely you are committing an offence under the Computer Misuse Act 1990 (see A10). You are likely to be committing an offence under this act if you make unauthorised or inappropriate use of ContactPoint yourself.
None of this will stop abuse of ContactPoint. No sanction will put the data back in the database, or repair the harm done to a child after the fact.
You must keep your password secret and look after your security token. Failure to do so may result in suspension or closure of your ContactPoint account. You may also be subject to your organisation’s disciplinary procedures. If you forget your password or cannot gain access to the system, contact your user account administrator – they will reset your password if appropriate.
If the token is the password, then this is not correct. Is this three factor authentication (username, password and token) or two factor authentication? see the comment below for the precise reason why this paragraph is here, and how it makes ContactPoint and this method of authentication even more insane.
If you think your password may be known to others, or you have lost your security token then you must inform your user account administrator immediately to enable them to take appropriate action. Any access using your password or security token, will register in the audit trail as activity carried out by you.
So all you have to say is that your stuff was stolen for 48 hours as your account is used to trawl through thousands of records. This is unacceptable by any standards, and of course, once the data is out there, it is out there for good. Or evil, as in this case.
2.5 Staff Managers You should ensure that all users you manage are aware of the importance of security, understand good security practice and act in a way which will not compromise ContactPoint. If you suspect a staff member is breaching security, you should contact the ContactPoint Management Team to discuss necessary steps, which may include disciplinary action.
Horse. Stable door. Bolted. Get me?
2.6 ContactPoint Management Team LA and partner organisation user account administrators – You are responsible for administering user accounts and the security arrangement related to user accounts. User accounts and security tokens must only be issued to individuals who meet ContactPoint access requirements (See 2.7).
so the distribution of the tokens is not going to be centralized, but farmed out to LAs and ‘partner organisations’ whatever that means. This gets worse by the line.
Where a user reports the loss of their security token or the possibility that their password may be known by others, you must suspend the user account immediately to prevent any unauthorised access. You can only reactivate a user account after the user has been provided with a new, secure password and/or token as required.
And the data returned to the database.
2.9 The requirement to have an enhanced CRB disclosure which is renewed every three years is specific to ContactPoint and does not replace existing organisational policies for non-ContactPoint users. Individuals who do not have an enhanced CRB disclosure or have one which is more than 3 years old will have to apply for a new disclosure to become ContactPoint user. Applications for enhanced CRB disclosures should be made in sufficient time to receive it before access is needed (or a previous disclosure reaches 3 years). If evidence of a renewal is not received before the 3 year period the user account may be suspended.
MAY be suspended?
3.9 Misuse of ContactPoint
Using ContactPoint for other purposes than to support practitioners in fulfilling specific duties (see 1.6) or in a manner contrary to this guidance is likely to be misuse (see flowchart at B13). For instance, it would not be appropriate for ContactPoint to be used to assess applications for school places, or to pinpoint an adult suspected of tax-evasion. Nor is it appropriate for ContactPoint users to access records of their own children, or those of their colleagues, friends and neighbours, unless they have a legitimate professional relationship as a provider of services to that child.
There is no way for ContactPoint admin to know why a record on a child is being accessed. They are basically trusting that the 330,000 who will have access will not disobey the guidelines. This database is going to be used for everything and you can guarantee that there will be a special class of account that has no audit trail, for use of the ‘security services’ and the police. If anyone thinks that ContactPoint users will not access the records of their own children, they are COMPLETELY INSANE; that is the first thing that every new user will do. They will check to see that their children’s records are not incorrect, then they will check on all of their relatives and friends. This is a perfectly natural reflex reaction to being in front of a system like this, and there is no way that any admin will be able to sift through the tens of millions of log entries to find these ‘abuses’. This system, because it is accessible by 330,000 people will rack up audit trails into the tens of millions within the first two weeks of it being online. It will be impossible to police, and even if they do catch someone looking at the records for their own children, then what? are they going to gaol them for doing so? kick them off of the system? suspend them? fire them? I don’t think so, and of course, once the violation has happened, it cannot be undone.
These are some of the things that will go wrong are wrong with ContactPoint:
Stolen token access
People will have their tokens and usernames and passwords stolen. All it will take is a few minutes to compromise the system and put children in danger.
No matter what arrangements you have to secure access, if the data is on a screen it can be copied and printed. This means that ContactPoint can never be secure, and any child in it is in danger.
Insiders will leak information from ContactPoint. This has happened in every other government database, and ContactPoint will be no different.
Rich still able to opt out
This proves that ContactPoint is not and cannot ever be secure, and that its users are not trustworthy and can never be trusted. The rich and famous will be able to opt out of ContactPoint. If ContactPoint were secure, there would be no need for this opt out option for the rich.
One insider mega breach is all it takes
All it takes is for one person to leak the database and then it will be out there forever. No matter how secure the access arrangements are, this will always be true.
Tokens for sale: the new money
As I said above, the tokens to access ContactPoint will become a sort of currency. People will sell and rent them to gain access.
Tokens shared over phone in the one minute window
Depending on how it is set up, people will be able to share the random number on the token over the phone. When the session expires, the person selling access can sell a new random number to the scumbag who wants to get access to the data. In this way, the ContactPoint user can keep her token, limit access to her black market data clients and still remain in the system on a long term basis.
Finally, all of this is VERY expensive (expiring tokens needing to be replaced etc), and will not solve the any of the problems associated with child protection; it will in fact cause more problems, and the worst thing about it is, once they decide that ContactPoint is a bad idea, it will be too late; the data will be out there circulating on the black market forever. It will be impossible to shut down or erase. This is the main problem with this idea; it cannot ever be taken back.
Philosophically ContactPoint is indefensible. It usurps the role of the parent, and replaces the parent with the state. No parent should be denied the right to opt out of this system, especially since children of rich will be out of it.
You have every right to remove yourself from this Database, and you should do everything in your power to make sure that you are not put into it.