22 November 2007

The Data Leak

I haven't got round to making a big deal of the loss of Child Benefit data. Like the Samizdatists, I see it as a hopeful development in terms of public recognition of what large-scale government data collection actually means. I'm not disturbed by it for two reasons: first, because I'm not surprised. I have years of professional experience developing and supporting systems using large amounts of data, and I know how difficult it is to keep stuff confidential. I also have a generally low opinion of the competence of government. It's more surprising that this got out than that it happened.

The other reason I'm not disturbed is that in general I'm more worried by what the government will deliberately do with the data than by what it will accidentally do with it. The copies of the data still in government hands may be used to decide, for instance, who can and cannot be allowed to learn basic science. Nothing so unpleasant is likely to develop from the copies that have gone astray.

And, to justify that point, I don't believe in identity theft. It is not that I don't believe that fraudsters use the names of other people in their frauds, but that I don't believe that the person whose name is used is the victim of that crime. The actual victim is the party that the fraudster transacts with, and I do not accept the position often taken by the real victims, that their losses are in fact to be borne by an uninvolved third party.

If, for example, a credit card issuer believes that I owe them money, they should have to prove to a very high degree of certainty that they I actually borrowed it from them. That they have at some point in the past received a piece of paper in the post with my name on should not be enough for them to even go to court on, let alone stand any chance of winning. Some kind of human witness to my being their customer should be the minimum to even start.

If this makes life too difficult for financial services providers that do without local branches, so be it. There are considerable savings made by such remote operation, which are shared with customers, but there is no justification for imposing the resulting costs and risks of fraud on uninvolved third parties. Either they find some way of reconciling their cheap business model with reasonable standards of proof, or we can all go back to visiting our local bank branch for a credit card or personal loan.

Back to the government, I do think the incompetence shown here is significant, like the case a few years ago of the non-deported released prisoners (which resulted in the whole "home office not fit for purpose" furore), because it gives me the impression that attention is not being paid to government simply doing its various jobs properly.

To expand: government departments are answerable to ministers, and through them to parliament, but both sets of politicians are obsessed with changing policy and passing laws. The actual day-to-day implementation of existing policy only ever gets any attention when it spectacularly fails. The few spectacular failures (which are not successfully covered up) are necessarily the tip of a very large iceberg of general incompetence, which will not change for as long as it does not get attention. For the electorate to give it attention is barely possible, because of the difficulty, common to all organisations, of practically measuring performance.

I have no solution to this problem. My familiar answer is "government should do less", which I stand by, but it's not really a solution, because it is a change of policy in its own right. All I can say is that it's up to those who oppose my policy to explain how their policies can be carried through competently by a government.

No comments: