The Eye Of The Storm

I want to clear up a small misunderstanding

Yesterday, I Tweeted:

#PICONF12 Andy Smith says "never use your real details online" - Martin Hewitt not looking best pleased. Nor the other MP in the room.

— Terence Eden is on Mastodon (@edent) October 25, 2012

In the space of a few hours, the story was on the BBC:

And Slashdot:

I was at the Parliament and Internet Conference yesterday. It was a smallish affair - maybe 200 people. A mixture of MPs, industry analysts, lobbyists, citizens, consumer groups, and journalists. I'll be writing up some more detailed note but, if you can't wait, Paul Bernal has an excellent summary.

Andy Smith is the PSTSA Security Manager - basically, he's in charge of the security of the UK government's Intranet.

He was asked a question from a member of the audience who wanted to know how 192.com had got hold of her real name and address. She claimed that she only used it on a few sites which demanded it - how, therefore, had it leaked out?

Andy, I think, answered the question sensibly; if you don't trust a site, don't give them your real information. I don't have a problem with that. It was ironic that his comments were made after the Metropolitan Police's Martin Hewitt had bemoaned how anonymity made the job of catching criminals harder.

Andy then went on to say that we should trust the government's website with our real details. While I agree that they should be trustworthy, it's hard to believe that they are. Given the number of times laptops and USB sticks have been lost by government employees it would dangerous to assume they had perfect security.

The Earl of Erroll (who is the sole argument for keeping an unelected House of Lords) pointed out that he always sets his birthday to be the first of April 1900. I suspect that an analysis of a few public sites would show unusual clustering around 25th December and other "memorable" dates.

This was, in no way official government advice. It was an (admittedly senior) civil servant describing what most security professionals know to be best practice. Giving away your real data to untrustworthy third parties is not sensible.

The story appears to have been pushed to the BBC by Helen Goodman MP. I know nothing about Helen other than the question she had asked earlier in the conference which was along the lines of "If I need a driving licence in order to buy a car, why can I buy a domain name anonymously? Why doesn't Nominet ask for proof of ID to stop cyber bullying?"

Or, as I said at the time

#piconf12 some crazy MP wants people to have a driving licence to register a domain name. Because that will stop cyber bullying.
WAT?

— Terence Eden is on Mastodon (@edent) October 25, 2012

I appreciate that she is the shadow minister to Ed Vaizey - and so was quite right to attend the conference - but either she needs to get a much better understanding of her brief, or Labour need to find a better candidate. Her lack of knowledge in this area is dangerous.

Finally, I agree with what Alec Muffett told the conference. We have conflated personal information for secret information. Anyone who went to school with you - or works in the same office as you - probably knows your birthday. We need to ensure that such trivially discoverable data is not used as the cornerstone of security.

As Tom Scott pointed out, anyone who is friends with their mum on Facebook is probably revealing their mother's maiden name.

So, to conclude. Expressing fairly good Internet security advice will get you castigated by MPs who don't understand the digital age.

Incidentally, the password for the WiFi in Portcullis House was "123456789012".