UK ID Card Scheme Data Deleted For £400K
DaveNJ1987 writes "It will cost the British government only £400,000 to destroy the data for its failed ID card initiative. The data compiled by the National Identity Register, which was scrapped last year by the coalition government, will be disposed of for the relatively small sum — in government figures — Home Office minister Damian Green confirmed."
I'll show them how to destroy it for half the price.
I see they've hired some 3rd party firm to do it. That stuff, both kit and data will turn up in a year or so's time. Guaranteed. Laptops on eBay and the data sold to ID thieves.
I want a list of atrocities done in your name - Recoil
Personally as a UK citizen I'd much rather they paid someone who knew what they were doing to do it properly than just "wiped the disks".
For a start, you do realise that for data like this destruction of the physical storage medium is a requirement, right? (It's right there in the article)
It's official. Most of you are morons.
Select All > Delete!
JUST PRESS CTRL+A, then mash the delete key. Press enter to confirm. DONE.
$20 please.
If you read TFA you'll see Labour pissed away £330m on ID cards, so 400K is peanuts by comparison. Also, the same "friends in the city" were the people Labour spent that money with.
What they call coalition government we call bipartisanship, right?
As opposed to Labour, who'd set up an organisation for it overseen by a committee with 3 layers of management, and then lose it on a train later? The Tories are arses, but they're nowhere near as putrid as the last lot. This thing was designed to scale up to the whole UK population of 60 million. It's likely they've got to close down an entire data centre.
I will be happy to light a large bonfire for half of the £400k quoted.
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
They need private contractors. Government officials are not capable of wiping their own arses, let alone data.
I'm pretty certain there are those in the Conservative party that would love to outsource most of the NHS. The thing stopping them is that the NHS is a sacred cow.
They're effectively working on that right now. GPs are being given the "choice" to do their own admin, so they'll outsource their admin to private companies. Rawnsley said on the radio only this week that there's "no reason why NHS GPs should be civil servants".
1. Pick up servers
2. Drop in industrial shredder
3. ???
4. Profit 400.000 pounds
Personally as a UK citizen I'd much rather they paid someone who knew what they were doing to do it properly than just "wiped the disks".
For a start, you do realise that for data like this destruction of the physical storage medium is a requirement, right? (It's right there in the article)
Obviously, reliable destruction of data costs 400,000 GBP, right? Please, don't be silly. It's really amusing how people are trying to justify silly things politicians are obviously doing to set up cash for their cronies.
Do you know how seized drugs are often destroyed?
Blast furnace.
Please tell me which data storage medium will survive blast furnace?
And then tell me what can possibly cost 400,000 GBP.
For 400,000 GBP I can build a whole damn system which will reliably destroy data.
Obviously, reliable destruction of data costs 400,000 GBP, right? Please, don't be silly. It's really amusing how people are trying to justify silly things politicians are obviously doing to set up cash for their cronies.
Do you know how seized drugs are often destroyed?
Blast furnace.
And old tampons are flushed down the toilet. Chalk and cheese.
I put my books on Amazon, Smashwords, Demonoid, ISOHunt and Pirate Bay. Search for 'Michael Cargill'
And old tampons are flushed down the toilet. Chalk and cheese.
So, you are implying that data storage medium should not be destroyed reliably in blast furnace because... they're not the same as drugs?
Thus, it's wiser to spend 400,000 GBP to destroy them by doing exactly what?
"Having IT wipe the disks" is not the way to do this.
And since you seem to know all about data destruction, please tell us what is the right way to do it.
Thanks.
I can see why. Many European countries have independent GPs. None have the crazy health costs that the US has. Overall health isn't that much worse than they're in the UK, and when you focus on the neighborhood (France, Denmark, Belgium, Netherlands) they do better than the UK in fact.
One of the reasons for this is that GPs treat a large number of patients, with common afflictions. Statistics ensures that this has predictable volumes, and also predictable costs. In a sense, they're like band-aids. You can manage on numbers alone. Specialized rare health care is harder to manage on an economic base, which is why closer government oversight could be desired.
£400k is still expensive. Why don't they do what they usually do? Just stick it all on a laptop and leave it at a train station...
So, you are implying that data storage medium should not be destroyed reliably in blast furnace because... they're not the same as drugs?
Thus, it's wiser to spend 400,000 GBP to destroy them by doing exactly what?
No, I am implying that drugs and this data are vastly different things with completely and utterly different consequences attached to them. Therefore saying that because destroying drugs has X cost destroying this data properly should cost X.
I put my books on Amazon, Smashwords, Demonoid, ISOHunt and Pirate Bay. Search for 'Michael Cargill'
You have to physically unrack every server, remove all of the drives in every server and then securely transport them to a disposal site where they are thrown into a giant shredder. Every batch of drives is tracked during the entire process and a certificate of secure disposal is produced for every batch which is destroyed.
The physical removal will be a team of between five and ten guys working for a couple of days (there's a lot of kit), at multiple sites around the UK. Add transport from those sites to the disposal site, which is multiple trips even if you're only destroying just the drives (& they're planning to destroy the servers, too), plus the cost of actually destroying all of the physical kit in a controlled manner.
This sort of stuff is done by specialised companies, because your mate Dave doesn't know how to handle a secure disposal to UK Government standards and isn't certified to do it anyway. For once the UK Government is actually doing things right and doing it at a reasonable price, believe it or not.
And since you seem to know all about data destruction, please tell us what is the right way to do it.
It isn't simply about destroying the data, it's about making sure it is documented and verified. Same way that a small screw on an aeroplane will cost far more than the one you get in the shop even though they are same thing.
I put my books on Amazon, Smashwords, Demonoid, ISOHunt and Pirate Bay. Search for 'Michael Cargill'
Ok, I spot someone that's never dealt with systems at the high end.
There's a lot of prep work to unpicking things, and removing servers from secure areas, auditing them, planning to have them securely transferred and held in areas that are inaccessible with heavy physical security.
Logged/scanned to provide proof of transit, vetting everyone who handles the data volumes. Ensuring you have all sources of the data, auditing the backups, and pulling all of those, so on, so forth.
Everyone involved in this process will have to be security audited (most likely taken from an existing group of vetted people), and their services carry a premium.
There is a huge difference between destroying the data on your home gaming machine, and the sheer detail involved in transport and destruction of sensitive governmental machines.
£400k is actually a pretty lean number for dismantling the structure of this old project, considering that the infrastructure was sufficient to handle the predicted scale out to cover the entire UK population.
You clearly do not grasp the sheer idiocy, incompetence and utter lack of any skills whatsoever which characterises the British civil service. These days there IS no IT department apart from the outsourced PFI numpties who charge for each and every action performed. This is why whole database dumps get transferred all over the place; there isn't anyone who has the handy database skills to run a quick SQL query and put out only the required data into a twin-key encrypted package, because the way the PFI deal was written every such action costs the Government money.
Add to this the last Government had a number of highly embarrassing incidents of data loss, where USB sticks were left on trains, and in one case CD-ROMs of sensitive data were encrypted, but the password for the encryption was written onto the media disks themselves. The civil servants were complying with the regulations, but doing so in such a way that no hassle over passwords would occur. The same civil servants that did this are still employed, and the UK Home Office (which is dealing with this data) has the reputation of being the dumping ground for all the most incompetent, most useless and most stupid civil servants in Government.
Outsourcing data disposal like this is the safest way to ensure complete destruction without any little unofficial backups being taken and sold on, or people "forgetting" to wipe the disks before ebaying them, and so on. 400K is peanuts compared to the cost of cleanup after a data leak.
Interesting. So you're an expert on Public sector software.
Some of it is a travesty, yes. An awful lot of it is actually pretty decent. And some of the internally developed stuff is absolutely top notch.
I work in the NHS, and the amount of stuff I've had to turn down from commercial vendors because they frankly don't have a clue is astonishing. Stuff written by places like medical physics departments go into the devices that actually get used front line in medical equipment.
Interesting to see you're so sure that the software will get written anyway. Where did you hear that? With sources? Or are you merely posting hot air?
With the current cuts in the UK, if something isn't actually proven necessary, it's in great danger of vanishing (and speaking of someone on the inside of that, it's not always a bad thing). This project is as dead as the dodo. The work to date is a writeoff, with no new investment.
If you really want to gripe about something, complain about the idiots who started the whole venture, despite being told by everyone who really knew about these things that the whole thing was unworkable, ineffective, costly and a complete waste of money. Every thing it was ever justified as fixing was debunked in a thoroughly methodical manner. Yet still they insisted on starting it up.
Idiots.
In line with some of the posters below: Presumably this mythical IT department has other stuff to do. I know governments are inefficient, but still I reckon you'd be taking a bunch of people away from other necessary work. Secondly, which IT department? I'd guess there are many IT departments that operate for the different parts of the government, you think anyone is going to give their people over to a project outside their remit for free? Do you take on staff to do the job, leaving yourself the difficulty of getting rid of them afterwards?
I think the government wastes money as much as the next guy, but in this case it looks like a reasonable figure (contrasted with the projected - and undoubtedly massively underestimated - costs of the ID card scheme) for the work required, and the most efficient way to do it is to hire some people who have the equipment, experience and expertise to do the job. So long as the contracts are written properly (e.g. fixed time and money, some reasonable method of ensuring that the company doesn't walk off with the cash having done no work etc. etc) then what's the problem. That's the only area that should be under scrutiny, but the only people that ever seem to look at that side of things are Private Eye...
And then tell me what can possibly cost 400,000 GBP.
What costs this much? A few months of a couple of "security consultants" off the approved suppliers list, for a start. Billed at the usual rate for government jobs. It will take them at least that amount of time to attend the meetings, write the proposals, agree the process, appoint the auditors, find all the copies (except for a few which will later leak out), benchmark some data destruction methodologies and finally outsource the whole mess to the lowest bidder who will take the data and fly-tip it somewhere close-by.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
I like the circular notion of documenting the disposal of someone's personal information.
"No Mr. Smith, your data was fully deleted. I have the document right here to prove it: 'Mr. A. R. Smith, born 17th Feb 1963, married to Mrs. C. J. Smith, degree from Cambridge, DNA sample number 0900303093029298992,' etc., etc. and here at the bottom, 'Deleted' and it's stamped by three separate officers. Yes sir, your data has definitely been destroyed."
No you didn't. The NIR had nothing to do with the passport service.
They don't have the right equipment, nor hold the appropriate certification, to perform secure data destruction.
The right way to go about a *specialist* task is to hire the appropriate *specialists* in their field. Not general IT staff who have neither the time, qualification or equipment to do the job properly.
So the secure transport is free?
The time to derack the servers is free? Oh, and the accredited, SC level people just appear on a whim?
You appear to be dense enough to assume it is all about the final step. It isn't.
Shredding them - as is supposed to be done with all old public computer storage devices in the UK - and that is just part of the process.
I'll see your Constitution and raise you a Queen.
Chuck the disks in the ocean to a depth of say 17,000 feet. Should cost 5 grand tops.
I get reimbursed by the customer for the data anyway.
C'mon, you don't think that whoever does it for these peanuts isn't gonna do that too, do you?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Wasn't there another way to destroy the data?
(Taking it out to a field and sledgehammering it?)
I'm not a lawyer, but I play one on the Internet. Blog
Not really, all you need is a certificate that the data cannot be recovered. DBAN it and resell it on e-bay. Even if they physically destroyed the disks, they're probably getting the whole set of computers, laptops, network equipment etc. from those offices - remove the hard drive, plug a new one in, sell on e-bay. There are services out there that do physical data destruction for free if you donate the computers.
Custom electronics and digital signage for your business: www.evcircuits.com
Did anyone think of just taking a couple of 50-gallon oil drums, filling them with gas and shredded old tires, putting the drives in them and letting these burn for a while? I realize that this does not sit well with many people due to the fact that it's bad for the environment. The other solution: just melt all the data drives down along with a bunch of steel.
??? isn't quite good enough, since you missed more than one required step. And a "we did something" isn't good enough. Sure you could likely destroy it for less money if you removed all the red tape.
But do you want the government to have requirements and standards and documentation for such things? Or do you want them to just say "yeah, we deleted it. Trust us"?
If you think that adds up to nearly half a million pounds, you're a cretin.
There's those specialist industrial shredders designed just for disk drives that reduce them to a small heap of granules.
A cheaper alternative would be a flowerpot and some charcoal. Or they could send them to a commercial aluminium recycler to make it look more professional.
£100 to destroy the data, £399,900 to hunt down all the backup tapes, memory sticks, cloud storage, DVDs and laptop copies made by low-level functionaries.
Prove anything by multiplying Huge Number times Tiny Number
Heh... I would do it for next to nothing. Just buy me a ticket over the pond, give me a week in a nice hotel with food paid for then get me back home. Can't be more than a few thousand. And I could guarantee destruction too :-D
Or possibly Walter Mitty.
Paperwork is all routine and doesn't actually cost all that much. The actual physical work is done by minimum wage employees after some basic training.
It isn't simply about destroying the data, it's about making sure it is documented and verified. Same way that a small screw on an aeroplane will cost far more than the one you get in the shop even though they are same thing.
Ah, I see. So, the procedures used for destruction of drugs are not good enough? I mean, it doesn't get documented and drugs are obviously not destroyed good enough.
But I am sure that private crony company is much better in documentation and following strict procedures than a law enforcement agency.
I see. Your logic is flawless.
You still didn't answer me - how is the data then supposed to be destroyed "correctly", according to you?
Ok, I spot someone that's never dealt with systems at the high end.
There's a lot of prep work to unpicking things, and removing servers from secure areas, auditing them, planning to have them securely transferred and held in areas that are inaccessible with heavy physical security.
Logged/scanned to provide proof of transit, vetting everyone who handles the data volumes. Ensuring you have all sources of the data, auditing the backups, and pulling all of those, so on, so forth.
Everyone involved in this process will have to be security audited (most likely taken from an existing group of vetted people), and their services carry a premium.
There is a huge difference between destroying the data on your home gaming machine, and the sheer detail involved in transport and destruction of sensitive governmental machines.
£400k is actually a pretty lean number for dismantling the structure of this old project, considering that the infrastructure was sufficient to handle the predicted scale out to cover the entire UK population.
Oh my goodness! This sounds just like a job for a fucking law-enforcement agency, and not a crony private company.
I am shocked!
Blast furnace may be used some of the time, but often it's a simple bonfire. Cheaper for sure. Less safe for those tending it as well, but a budget is a budget.
Saying Android is a family of phones is akin to saying Linux is a family of PCs.
Yours sincerely
Mr A. Hitman, 003.5
Sent from my ASR33 using ASCII
If I destroy equipment NOT only do I have to pay for the destruction but for the write-off for the equipment.
If I blow up your car the cost to you is NOT 1 stick of dynamite. It is the stick of dynamite, the cost of your car, the bill for the fire department and the kick up your arse for failing so badly at cost calculation.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
After 13 months of Tory rule, you have forgotten the Labour party's previous practices.
Sent from my ASR33 using ASCII
Rubbish. Data destruction is a standard task for most IT departments. What company doesn't want its data wiped when disposing of PCs?
It is also fairly easy, easier in fact for the IT department than an external company. The IT department should know where the data has been saved, where the backups are etc. Ideally it should be encrypted too in which case destroying the key is the first step. After that the usual multi-pass wiping and optionally a degauss and physical media destruction for HDDs. Optical discs can be shredded, or you can get special drives with an erase capability.
The IT department should already be doing this. If they are not then they are inadequate data security.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
The underpants gnomes stare at you in disgust.
And yet there probably will be a leak anyways. Makes you wonder whether all that trouble is actually worth it...
May I?
How to destroy data correctly:
1. announce that your web access filters will be disabled for a few days due to upgrade.
2. give the HDs to destroy to your staff as "old drives for backup purposes"
3. wait two days.
The drives will be by then filled with porn and malware. Of course this is nowhere near a multi pass wiping but the staff will guard their new hd closely, so...
4. profit!!!
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
The rankling thing about the ID card project (apart from the masses of irrelevant and intrusive data it was to collect) was that the outgoing Labour government said it was "self financing". So, does the financing fairy come along and sprinkle some pixie dust around, and as if by magic the hundreds of millions needed show up?
No, what they mean is ID cards were to be paid for by those who hold them. Given that the cards were to eventually be compulsory, how is this different from having cards given out for "free" but paid by general taxation? It doesn't (in fact it makes it worse since now they would have needed a completely new payment infrastructure to handle the payments from 60 million people who are compelled by law to buy a card).
Oolite: Elite-like game. For Mac, Linux and Windows
Licensing fees usually aren't so trivial, inspections usually aren't so trivial. Liability probably isn't so trivial.
If it was then someone would have bid less, surely?
The TFA mentions the sum of 400k GBP only for the destruction of the data. I would expect the equipment write-off to be a separate sum, probably bigger.
Nah, somebody bidding less than 400k would be considered unreliable.
I don't have the breakdown but (and I may be giving too much benefit of the doubt) the £400k should cover far more than pressing delete on a database. There's destroying the storage medium, security to make sure nobody's walking out with data... Not forgetting the costs of actually dismantling equipment, and I wouldn't be surprised if there are significant figures for an early property lease termination penalty, dilapidations and staff redundancies.
To digress a little, no it is not uncommon for staff employed at one governmental organisation to be paid a tax-free redundancy even when immediately re-employed at another.
Anyway, the main reason £400k is considered surprisingly small is because what frequently happens when a UK governmental project is scrapped is that there is a contractor somewhere due to be paid a fortune in "lost profits". While such arrangements are common in business, the level of compensation usually seems grossly inflated for government contracts, even allowing for the large scale. It's generally thought this is due to a combination of politicians/civil servants behaving rather less cautiously when committing public money; supplier companies being all-too aware of the probability of cancellations of government projects and/or what everybody really thinks: because it becomes that much less likely the politician's pet project will be scrapped no matter how hated. That's not to forget fraud and under-the-table deals, but habit in the UK is not to attribute politicians with true malice what can be explained by arrogance and incompetence.
This'd work: Paper shredder for hard drives
In post Patriot Act America, the library books scan you.
Blast furnace or massive industrial shredder doesn't make much difference (the shredder may be cheaper). The expensive part is hiring well vetted people to remove the drives from the machines and inventory them accurately, secure transport to the destruction facility and maintaining the audit trail that shows each removed drive ended up in the shredder AND that the drives removed and shredded were all of the drives that contained that data. It would be a shame to do all of that and then have the un-audited replicated storage go up on ebay.
The big un-necessary cost is the lost prorated value of the drives.
i) Pressing 'delete' key - £1.00
ii) Knowing where to find delete key - £399,999.00
No. Labour were bad. Tories are ten times worse.
Chances are because they held onto it, someone has already sold that data to the highest bidder. Thieves love that stuff.
/s
Or someone will screw up and throw it in a garbage can. Meanwhile... Thieves will get it.
Or! They already have a copy of all of those IDS stashed, and a few years from now, they find the copies, and someone will be asking this same question all over again. It will cost them $1,000,000.00 extra to get rid of it. Meanwhile... Thieves will still get it.
They are so screwed.