Data Sharing Review
Ian Batten
ukcrypto at chiark.greenend.org.uk
Thu, 17 Jul 2008 13:22:51 +0100
>>
>> How? Just because I need to use my fingerprint to access a system tells me
>> nothing about who else has access to it. It just provides a false sense of
>> security. It's like those fingerprint reader laptops: all I need to do is
>> open the drive bay with the handy plastic lugs, remove the hard drive with
>> the handy pull-off connector (SATA, now, so fewer pins to bend) and I've got
>> all the data.
>>
>
> Really.
> Good luck trying to decrypt the data on my laptop's hard drive without
> access to a working quantum computer (probably).
Well done. Congratulations. Now, remind me, what proportion of
machines with fingerprint readers have taken those precautions? 1%?
So for the other 99%, it's just smoke and mirrors.
If you believe that the mere existence of a fingerprint reader means
that the Infosec governance issues behind it have been considered, I
have a bridge to sell you.
>
> fingerprint hash is passphrase for large key hence without it (except
> for specific emergent situation) no data
So after you die, how is the data recovered? Key Escrow? Good: now I
don't need your fingerprint: I just social engineer the key escrow
mechanism. As Ross has shown, phoning up a doctor and saying ``I'm a
doctor, give my XXX's records'' is about 90% successful: similarly
your key escrow mechanism.
>
> GP as data controller (they act as gatekeepers for all other bits of
> NHS after all)
See above.
>>
>> Except the senior A&E docs would delegate their authority to junior
>> staff,
>> who would delegate it to the receptionists.
>
> How, by giving them their finger or eye?
No, by logging onto the machine and then leaving it to the junior
staff. Or are you proposing a system where I have to keep my finger
on the pad continuously? That's going to be a pain to use.
> I believe that there are
> fingerprint devices with pulse oximeters built in to stop this.
You appear to believe that social problems can be solved with technical
measures. Good luck with that. Most crypto / security systems fail
because the users believe they are doing an overall good by `solving'
the `problems' the security imposes.
>
> Make it a clinical governance issue and tell them that each time they
> do delegate it they will lose a discretionary point.
How will you catch them?
> My point is that the patients need to be in control
> of where their data is used or I for one will absolutely refuse to
> have any of my personal data placed anywhere near the system.
And a finger print reader has what relevance to that?
>
> <preaching to the choir>
>
> Cryptography is the ideal solution where there are trust issues
People who think their problem can be solved with cryptography don't
understand their problem and don't understand cryptography. Trust has
nothing to do with cryptography: that you have encrypted my records
AES256 is of no value unless you can prove that only I hold the key.
You can't. End of.
ian