New to the job?
"said Adnan Malik, Barings Law's head of data breach"
Why do I get a feeling that that role didn't exist two months ago :-)
Capita is facing its first legal claim over the high profile digital burglary in late March that exposed some customer data to intruders and will cost the outsourcing biz around £20 million ($26 million) to clean up. Barings Law, based in England's northwest, says it dispatched a Letter of Claim to Capita last week to outline …
... we should not be submitting the sort of data we really don't want stolen, such as passports etc, for online ID. Governments and local councils are particularly bad at this, demanding every piece of ID you have. The more they have, the more they lose. Biometrics are worse - you can get a new debit card, but you can't get a new eye. Banks demand more online because they are closing branches. There is an opening for high street hubs/POs to offer an in-person ID confirmation service. You pop down there, they check your papers, you pay for a dozen encrypted USB dongles, each can be used with a single specific service - HMRC, Passport Office, Bank. It's not perfect, but with ID, we need to keep unencrypted data from travelling and being stored away from us.
It's definitely a bad advert for centralising all the important data
The problem with things like pensions is that's generated a lot of the sensitive data I would want protected. It goes beyond what I hand over: I want my pension fund to keep a good handle on my entire file
"It's definitely a bad advert for centralising all the important data"
On a similar note, I have various "clearances" from EDBS up to things I can't say I have for various government organisations, pretty much all of which require the exact same data from me. Most of the lower level ones are subsets of the higher ones, but having the higher ones doesn't excuse me from having to go through the palaver of the lower ones. They may or may not need to store the data I provide once it's been checked; they really only need to retain the result, which really ought to then be accessible to the other agencies. But much of it is farmed out to commercial vetting agencies and "because competition", none of it is joined up. It's annoying and there are more points of failure.
While I'm sick of the 'Did you buy or own a diesel vehicle between 1000 B.C. and today? Sign up with us to claim a rebate because the pollution data debacle means you might have been misled' adverts - going after Crapita (or any business that exposes people's ID) seems like a damn good idea. I can't easily replace my identification - and the effects of a loss could well last for many, many years.
Tarring and feathering all their policy-makers and execs or putting them in the stocks with a sign saying 'unclean' might be a little unsophisticated but, for everyone's sake, something needs to make this kind of problem get the attention it deserves.
In the method we all should have an officially registered* email address, so that any contract above a certain financial threshold signed with our name would require a copy sent to this address. Meaning, we will always get informed when our data is used for illegal purposes and could take action immediately. All contracts signed without reference and copy to the official email are void. Optimally such email boxes should not allow message deletion within a year or so, to help with stolen access credentials to the inbox. Also there should be an international standard, to simplify international transactions.
*An email registered with our physical presence in some governmental office. Several official addresses could be allowed. It does not have to be an email service, as email delivery is not always guaranteed. Some better alternative could be created to make sure a message has been delivered.
Email is "best effort", so you'd never be able to prove that they didn't actually send it - and conversely, they would not be able to prove you received it.
Aside from that, the details of every registered address would need to be public knowledge, as otherwise it would be impossible for (eg) your landlord to send a copy of the contract.
They couldn't simply believe you, because for such a thing to exist there would be legal consequences for them not sending it - eg sending it to the wrong one or one that doesn't exist.
So it would instantly become so full of spam that you'd literally never be able to find anything whatsoever.
There's a very good reason nobody wants to be in the "Phone Book" anymore.
But what if replying to it was required as a kind of digital signature? And PRECISELY replying, not clicking on links or buttons, to avoid malware. The official inbox can even intentionally remove or disable all URLs in the body = lots of spam cases solved.
There is one important reason why social security numbers are so popular for doing business: they uniquely identify a person and compress their legal name, birth date, birth place, and so on. There is no reason why official emails cannot be used this way instead. Such email has a huge advantage compared to a social security number: the email/id gets a message when used in a transaction. Nowadays you will not know if someone used it on your behalf until it is too late.
Yours are valid points against email, but there is one big pro: it is a commonly available and accepted messaging platform. It has been successfully used and proven for legal and trade.
As for spam, the only emails of mine getting spam are the non-public ones leaked as customer data from my service providers. My public email never gets any spam. Anyway, how is spam to existing leaked email addresses different from spam to the official email?
Ideally official emails should be all digits with delimiters and a checksum: firstname.lastname@example.org. The reason for digits only is that they are easy to pass over the phone.
"Yours are valid points against email, but there is one big pro: it is a commonly available and accepted messaging platform. It has been successfully used and proven for legal and trade"
Another downside is that once government gets involved in something like that, it will get blown up out of all proportion and be put out to tender to be run by a commercial company at great expense, and the email will only be a notification telling you to log in to a "secure" website to access your "secure" email. I'm sure most of us have had to use systems like that at some stage, possibly for opening our payslip "email", which kinda makes the "secure" email itself pointless.