Sep 03 2008
No one should be surprised that I find any governmental database to be suspect. All too often little or no thought is given to the information contained in the database and what it would mean if the wrong person got their hands on it, or if the right person got into sections they shouldn’t. The clients usually assume that the developers already thought of these problems and developers often think of it as someone else’s problem. So no one should be surprised when the UK government is ready to release their ContactPoint database and suddenly someone raises the security and privacy flags.
ContactPoint is basically a database of ‘at risk’ children in the UK, children who’ve been abused or otherwise threatened. The information contained in the database can be used to help the children and let police know they have a family that might need special attention. But it also gives the police and social workers access to information that could make a family’s life hell if a person has a vendetta or just misinterprets the data. The fact that the database may also contain a lot of information about celebrity children is just icing on the cake and something that sensationalizes the story for the masses.
I’m just glad that someone is raising awareness of the security problems with this database before it goes live. This is much more serious information than something as trivial as a person’s credit; good, bad or otherwise, the information contained in ContactPoint can easily be used to ruin a life, whether it’s the child’s or the adult accused of abuse. And let’s not forget the fact that it’s a database organized by humans and therefore subject to errors and misinformation.
I’m all for information sharing in situations like this, but security has to be a primary concern, not something that’s bolted on after the fact. This isn’t a new problem or one that’s unique to ContactPoint; it’s a fundamental problem with developers and database development. As much as the UK government can be faulted for not including security in the requirements, the company that’s developing ContactPoint should know how sensitive the information is and treat it accordingly.