NATO Crypto
Ross Anderson
Ross.Anderson at cl.cam.ac.uk
Mon, 18 Mar 2002 17:12:36 +0000
> Have you applied this process to the question of why the NHS doesn't
> have encryption, and when it does will have a single central PKI
> rather than the quick local implementation that seems relatively
> straightforward between people all of whom are occasionally in the
> same room as each of the others?
The explanation is simple enough. The NHS asked management consultants
how to fix its problems, as that's how civil servants were expected to
behave in the 1980s. The management consultants cynically sold all
sorts of huge centralised information systems projects, as that's the
way to maximise your billing. The classic reference on this is Lewis
Pinault's book, `Consulting Demons' - a whistleblowing book by a
former partner of Coopers who repented, resigned and `went straight'.
Centralised recordkeeping has an aspect which is a bug, from the
patient's viewpoint, but a feature from almost everyone else's - that
the records are available for all sorts of other purposes. However,
when the BMA realised this (in mid 1995) the civil servants were not
prepared to have a debate on whether records should be centralised.
They preferred to divert the debate into what sort of crypto the NHS
should have. This meant, firstly, that the issue would be kicked into
touch until after the (1997) election; secondly, that GCHQ would take
a lot of the heat for having a no-decent-crypto-for-you policy, and
third, if the worst came to the worst they could always just give you
doctors decent crypto. Even GCHQ would eventually have agreed to the
strong encipherment of records in an architecture where one of the
principals in every conversation is a machine owned by the government.
Encryption in the NHS is a red herring. Given that essentially all
privacy compromises result from abuse of authorised access by
insiders, SMTP and DNS are enough to secure most communications. I
would be quite happy to rely on them myself, if (for example) my GP
would do a repeat prescription by email. But his policy is not even to
do repeats over the phone, but to make me drive five miles to ask at
his reception desk, then drive again two days later to collect.
The name of the game in the NHS is demand suppression, not
efficiency. That's one reason most NHS computing projects founder:
they would cause at least one critical participant to do more work, so
they get sabotaged. It's also perhaps the most powerful institutional
dynamic that still protects privacy.
Ross