Memorandum by Alexander Thompson, PhD
1. ContactPoint is a digital service, and as such is subject to the same rules that every other digital service is subject to. This makes the service critically vulnerable and impossible to secure adequately. My evidence below gives the reasons why this is the case, and why the development and deployment of ContactPoint must be delayed until such time as these critical issues can be addressed.
2. ContactPoint is designed to be delivered over the internet, via standard internet browsers. It will be accessible to authorized users who will be provided with a username, password and URL in order to gain access to the system. This means that anyone, including unauthorized users, with the ContactPoint URL, a username and a password can get into the system, and then begin to copy the entries one by one.
3. A malicious person with limited programming skills could write a simple computer programme to copy the ContactPoint entries one by one over a long period of time and from a variety of different internet locations. All the malicious user needs in order to do this is a working username and password. Since this system is to be widely available (to hundreds of thousands of users) there will be widespread trafficking of usernames and passwords, and it will be impossible to monitor all the users all of the time to make sure that they are all legitimate all of the time.
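As an added illustration of the monitoring problem raised above (example code, not part of this memorandum or of the ContactPoint programme), two simple checks over a constructed audit log: one flags an account used from several network locations, the other an account retrieving records far faster than a human user would. The log format, field names and account names are assumptions.

```python
"""Added example: heuristics over a constructed access log for a web-delivered
record system, flagging traded credentials and scripted record copying."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, account, source address, record id.
# "shared42" behaves like a traded credential; "hsmith" like a human user.
SAMPLE_LOG = """\
2007-06-29T09:00:00 hsmith 10.1.1.5 record=1183
2007-06-29T09:06:00 hsmith 10.1.1.5 record=1184
2007-06-29T09:01:00 shared42 198.51.100.7 record=1
2007-06-29T09:01:02 shared42 203.0.113.9 record=2
2007-06-29T09:01:04 shared42 192.0.2.14 record=3
2007-06-29T09:01:06 shared42 198.51.100.7 record=4
2007-06-29T09:01:08 shared42 203.0.113.9 record=5
2007-06-29T09:01:10 shared42 192.0.2.14 record=6
"""

def parse_log(text):
    """Parse one access per line into (timestamp, account, source, record_id)."""
    events = []
    for line in text.splitlines():
        ts, account, source, rec = line.split()
        events.append((datetime.fromisoformat(ts), account, source,
                       int(rec.split("=", 1)[1])))
    return sorted(events)  # chronological order, timestamp is the first field

def accounts_from_many_sources(events, min_sources=3):
    """Accounts seen from at least min_sources distinct addresses: a sign the
    credential is being used by more than the one person it was issued to."""
    sources = defaultdict(set)
    for _, account, source, _ in events:
        sources[account].add(source)
    return sorted(a for a, s in sources.items() if len(s) >= min_sources)

def accounts_enumerating(events, window=timedelta(minutes=1), max_records=5):
    """Accounts that fetch more than max_records distinct records within any
    sliding window: a scripted copy-out rather than one-at-a-time lookups."""
    by_account = defaultdict(list)
    for ts, account, _, rec in events:
        by_account[account].append((ts, rec))
    flagged = []
    for account, accesses in by_account.items():
        for i, (start, _) in enumerate(accesses):
            recs = {r for t, r in accesses[i:] if t - start <= window}
            if len(recs) > max_records:
                flagged.append(account)
                break
    return sorted(flagged)
```

Thresholds such as `min_sources` and `max_records` are assumed values; in a real deployment they would be tuned to the legitimate working pattern of the user population.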
4. I direct you to look at the service known as 'Bugmenot'[38]. This service supplies the public with working usernames and passwords to sites on the internet that require authentication for access. The process of using Bugmenot is partially automated via a browser add-on; users need only click inside their browser to obtain a shared username and password to any one of millions of websites, and then they are allowed unauthorized access. Should the current shared username and password be disabled, Bugmenot provides alternatives until a username and password combination works. If no username and password combination succeeds, then Bugmenot prompts the person who wants access to enter their own username and password should they obtain one, so that others may use it. Bugmenot demonstrates not only that it is easy to share usernames and passwords, but that it is possible to automate the collection and distribution of usernames and passwords.
5. Once ContactPoint data is released,
it can never be returned. The ContactPoint policy statement says:
"A range of sanctions are available to manage
inappropriate use, and can include disciplinary action, fines
and custodial sentences."
This statement betrays a fundamental
misunderstanding of the nature of data, and the inherent problems
that aggregating sensitive information in this way presents. Inappropriate
use of databases cannot be 'managed'. The fundamental nature of
data is that it is infinitely replicable. Once a copy of data
leaves a storage device and is outside of a secure system, it
is able to be copied without detection an infinite number of times
with almost no effort. This is true of all data. There is no way
to secure data so that it cannot be copied, and all databases
are subject to this fundamental nature of data. The disciplinary
actions, fines and custodial sentences that the ContactPoint policy
statement suggests will not return the illegally copied ContactPoint
data to the database, nor will they erase the unauthorized copies
spreading in the wild. Once the ContactPoint data is released,
it is released forever. When we consider that the data in the
case of ContactPoint is the intimate details of every child in
Britain, the whole exercise is thrown into a very different light;
it becomes instantly clear that ContactPoint is more of a potential
threat to children than it is a potential benefit.
6. Security breaches on the ContactPoint system as outlined below will permanently compromise the safety of every child whose information is leaked. This is clearly an unacceptable risk, especially when there are other ways in which the requirements of 'Every Child Matters' can be met in this respect. By assembling this system, all the children of the UK are put at risk. ContactPoint is being created because a statistically small number of children are being mistreated. By creating this system, Her Majesty's government is putting at risk all the children of the UK, who were not in such a vulnerable position before.
Types of security breach
Shared usernames and passwords
7. Usernames and passwords are routinely shared in offices and IT departments all over the world. Many are displayed on Post-it® notes attached to the computers used to gain access to systems. In a system as large as ContactPoint, accessible over the internet with hundreds of thousands of authorized user accounts, it is absolutely inevitable that people will share usernames and passwords, and that this sharing will extend beyond the offices of the personnel that have authorized access to the system.
Hackers
8. Since ContactPoint is going to be delivered over the internet via browsers, it will be possible to attack the database from any computer anywhere, by a number of different methods, ranging from a Distributed Denial of Service attack (DDoS) to a direct breach of the database in which its entire contents are copied. If ContactPoint is deployed to its present specifications, it will be one of the most valuable databases ever created, and as such will be a highly sought-after prize to hackers, who are motivated mainly by the status of their targets. This is why hackers attempt to penetrate fortress networks and databases such as those held at The Pentagon and NASA on a daily basis, since to gain unauthorized access to them earns them the admiration of other hackers.
9. ContactPoint will be delivered
via the internet, and will be accessible by any computer. This
means that it will be possible to compromise the database by delivering
a virus or Trojan horse programme onto the PCs of ContactPoint
users that will allow remote access to hackers. The hacker achieves
this by tricking the ContactPoint user into looking at a malicious
web page that compromises the user system. The hacker then controls
the ContactPoint user's computer remotely, as if he were the authorized
user sitting at the computer inside the authorized location. In
this scenario, there is no shared username and password required,
because the hacker is impersonating an authorized user on their
own computer. This attack is very difficult to detect, because
every indication is that this is an authorized user. This method
can also be used to steal the usernames and passwords of multiple
users who access ContactPoint through a particular PC, if it sits
in an office.
Piecemeal Duplication
10. The extraordinarily valuable data in ContactPoint will be accessed many millions of times by the hundreds of thousands of authorized users who browse the system. As this routine use takes place, people will be making copies of the entries and the unique numbers associated with each child. In time (perhaps over a small number of years) every entry in the ContactPoint database will have been accessed and copied at least once. This means that every database entry will be outside the ContactPoint system. It will then be possible to re-create the ContactPoint database in privately held secret databases. This is the best-case scenario, in which it takes years for the data to be replicated.
Authorized user abuse
11. The ContactPoint policy statement says that users given access to the system will be subject to 'enhanced criminal records checks'. These criminal record checks can only determine whether or not the person in question has ever previously been convicted of a crime. These checks cannot predict if the user's character will change in the future. Given that hundreds of thousands of people are going to be granted access to ContactPoint, it is guaranteed that some of them will leak details to unauthorized persons, and once the leak has occurred, the child's security is permanently compromised. There are many instances of insider abuse in every other government-controlled database[39]. The police have experienced many instances of such breaches, as have Whitehall and every other Government department, and once again, no sanction, no matter how severe, can put the data back in the database. ContactPoint will not only be of interest to paedophiles. It will be a resource worth billions of pounds to marketers of products targeted at children. These commercial entities will be willing to pay for unauthorized access to ContactPoint's database of names, ages, genders and addresses of all the children in the UK, enabling them to use the demographic data to accurately target children and parents. ContactPoint is a business opportunity without precedent. There will be unimaginable pressure to gain both authorized and unauthorized access to it, and this will greatly accelerate the creation of illegal copies of the database.
Conclusion
12. The idea behind ContactPoint
is fundamentally flawed. It puts the children of the UK at risk
as never before by aggregating their information into a single,
easily accessible and inherently insecure system, where the details
of where they live, who their parents are and other information
about them can be copied and abused. The creators of ContactPoint
have not taken into consideration the nature of data; that it
can never be secured and that it can always be copied. They have
also failed to understand that a system with hundreds of thousands
of users cannot ever be free from insider abuse, and they have
failed to learn from the lessons of previous insider abuses that
have taken place in other government database systems.
13. ContactPoint is guaranteed
to cause real harm to many more children than are presently harmed
by criminal predators. It will cause the numbers of children subjected
to abuse to increase, the exact opposite of the intentions of
its creators.
14. Finally, by denying the right of parents to opt out of ContactPoint, Her Majesty's Government is usurping the natural role of the parent as the ultimate guardian of children by dictating what is and is not of benefit to them. The children of the UK are being reduced to the level of numbered chattel by this system, which is unacceptable, no matter how good the intentions of those behind this ill-conceived initiative.
Recommendations
15. If the flaws in the current ContactPoint design and implementation plan cannot be addressed in full, it is my professional opinion that it should not be deployed until such a time as all of its problems are addressed and solved. Parents must be allowed to opt out of ContactPoint: since the children of the rich and famous will be allowed to do so for their own protection, this protection must be extended to all children equally. The fact that this option is going to be given to certain families proves that ContactPoint is a threat to all children.
29 June 2007
38 http://www.bugmenot.com
39 http://news.bbc.co.uk/1/hi/england/staffordshire/3951945.stm; http://tinyurl.com/32kbjj