There is a much bigger threat to your children than even the current furore over the fingerprinting of children at school, as highlighted by the Leave Them Kids Alone campaign, and picked up by Guido Fawkes and some of the mainstream media.
How safe will your children's personal details and sensitive educational, medical, social services, criminal and other records be in the hands of the bureaucracy under the forthcoming "E-enablement of the Common Assessment Framework"?
See Action on Rights for Children's Database Masterclass blog for details of #9 The Common Assessment Framework (CAF) and the numerous other Child Databases (plural) currently under development.
This published document:
is fundamentally flawed.
Some obvious weaknesses:
- This may only be version 1.0 of the document, but there are huge fundamental mistakes or deliberate distortions, and it is nowhere nearly detailed enough.
- Even this document is not mandatory, so it does not impose a minimal set of standards on all the users and systems which will be connected to the scheme. That is a huge weakness in itself.
- It seems to give the impression that the existing Athens system is the preferred solution, even before any proper risk assessment has been done.
- All security measures need to be in response to a particular threat model, of which there is no mention in this document.
- Everything seems to be either at "Level 3" or at zero.
- Requiring no identification for "developers" is utterly wrong. They should at least be identified to the level of a Basic Check security clearance (not much more than the HR department of an approved Government contractor vouching for their name, address and employment status), but it should not be "zero". Is this part of a plan to allow the outsourcing of all this development to, say, India, like Capital plc tend to do?
- "Level 3" is meant to correspond with the lowest level of UK Government Protectively Marked Material classification of "RESTRICTED", which is what the Government Secure Intranet (GSI) is accredited to work at.
This specifically means no unencrypted (using Government approved cryptographic systems only) internet access, so that blows away the "public" access via the internet handwaving, for a start.
- Conversely, the ban on any Mobile or Working from Home access is insane and unworkable in the 21st Century: there are ways of doing this as securely as in a Government office, but they cost money.
- The Department for Education is wrong to think that this highest level of classification in their scheme is appropriate for "sensitive names and addresses". Even the Department for Work and Pensions and the discredited Child Support Agency, for all their other incompetence, recognise that names and addresses of battered wives and sexually molested children cannot simply whizz around their systems at RESTRICTED. Such data needs to be at the stricter and more expensive CONFIDENTIAL level or above.
- Even if it were true that RESTRICTED applies to most of the data on an individual record basis, it does not do so where there is the risk of bulk snooping or data copying of millions of records e.g. via a lost or stolen laptop computer. This bumps up the security requirements at least by a couple of levels.
- The reliance on "hardware tokens" is a myth: these do not encrypt data, they only add another level of (ever changing) password. If there is a packet sniffer on the network (whether run by curious or corrupt systems administrators as part of their standard network monitoring tools) or systems are infected with viruses or trojan horse software which also sniffs out sensitive details, then the bulk of the data being transferred as plaintext will still be at risk.
- The number of people mentioned in this document who will be given access to this sensitive data is truly frightening. Relying on "audit trails" has never prevented sensitive data held by the Government from being stolen, or copied, or leaked, or sold to newspapers or private investigators, or from being handed over to terrorists or to foreign intelligence agencies.
Would you trust the safety, security and privacy of your children and your family to a Database Scheme like this?
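
The hardware token point above, as an added example (not from the original post or from the document it criticises): a minimal HOTP (RFC 4226) check on an unencrypted request, showing that the one-time code authenticates the user and resists replay while the record fields stay readable on the wire. The `Server` class, the form field names and the sample record are constructed for illustration.

```python
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlencode

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the 'ever changing password' a hardware token displays."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Server:
    """Hypothetical server: checks the token code, then accepts the record."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def handle(self, wire: bytes) -> bool:
        otp = parse_qs(wire.decode()).get("otp", [""])[0]
        expected = hotp(self.secret, self.counter)
        if not hmac.compare_digest(otp.encode(), expected.encode()):
            return False
        self.counter += 1  # each code is accepted once only
        return True

def build_request(secret: bytes, counter: int, record: dict) -> bytes:
    """Bytes the client sends when no encryption layer sits under the login."""
    return urlencode({"otp": hotp(secret, counter), **record}).encode()

def passive_view(wire: bytes) -> dict:
    """What a sniffer on the path recovers; no secret or token is needed."""
    form = parse_qs(wire.decode())
    return {k: v[0] for k, v in form.items() if k != "otp"}

# Constructed sample data, not taken from any real system.
SECRET = b"12345678901234567890"  # test secret published in RFC 4226
RECORD = {"child_name": "Example Child", "address": "1 Example Street"}

if __name__ == "__main__":
    server = Server(SECRET)
    wire = build_request(SECRET, 0, RECORD)
    print("server accepts:", server.handle(wire))    # token does its job
    print("replay accepted:", server.handle(wire))   # old code is rejected
    print("observer reads:", passive_view(wire))     # record is still plaintext
```

The token gives authentication only; confidentiality of the record has to come from encrypting the transport or the data itself.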