At a time when warnings of breaches in data security are becoming ever more prevalent, it is now that IT security in businesses should be of highest priority (UK firms are warned to tighten up on security, www.computing.co.uk/2220313).

I agree that security is about managing the risk of people and their interactions with information
systems. However, it must be recognised that technology can play a big role in managing this. A good example of this is the use of intelligence tools that can prevent and detect employee/internal fraud by highlighting irregular patterns in employee behaviour.

Using this type of cutting-edge technology, small businesses will have real-time capability to detect and stop internal fraud and security breaches, while pinpointing where fraud is likely to happen in the future.
Not only will UK customer data be kept safe, but the prevention of fraud could potentially benefit small businesses financially.

Mark Elkins

Data privacy should be a higher priority (Data privacy a low priority for IT chiefs www.computing.co.uk/2220132).

The findings of this survey are interesting, especially as they seem to conflict with previous research, from the likes of Gartner and IDC, where security is positioned in the top three priorities.

It seems to me the priority should not only be the protection of data, but also the correct use of, and the safeguarding against, misuse of that data. One of the biggest challenges is inappropriate behaviour by employees  because you have to give  employees access to both customer and company data to do their jobs, but that same data can represent significant business risk if used for criminal purposes.

A top priority for chief information officers should be the monitoring and analysis of employee behaviour if they want to ensure policies are being followed - otherwise they could be the next company splashed across the headlines.

This, ultimately, will affect their bottom line, something which I'm sure is at the top of their priorities.

Richard Kellett

I'm sorry that Mr Cordrey does not understand the nature of security (Payment data rules criticised, www.computing.co.uk/2221187). Since the attack landscape changes almost every day with every new attack, security must change to address these new risks.

The Payment Card Industry Data Security Standard (PCI DSS) is a fluid document based on the fact that the PCI Security Standards Council and the card brands understand that the security landscape does change.

Maybe Mr Cordrey would prefer his company to suffer a breach while he waits to take his time to address his organisation's compliance with the DSS.

Jeff Hall

Laptop computers are so convenient. Until you lose one (Unencrypted NHS laptop lost, www.computing.co.uk/2220345). But a laptop is like a personal organiser - personal. People think: "It's mine - how dare you tell me what I can and cannot do with it."

Think about how many times each day your personal data is entered on a computer. If government departments are incapable of enforcing data security then the battle to secure our privacy is already lost.
For every high-profile event reported there must be thousands less newsworthy that are not reported.

Peter Ridgers

The latest security gaffe at the Cabinet Office poses two key questions: Why were the documents printed and why did they leave the building? If national security is at stake, the opportunity for error simply cannot exist.

The repeated data losses prove the government still underestimates the consequences of human error.
Allowing staff to print confidential material means IT departments are unnecessarily fighting a battle on two fronts: internal and external.

Has it come to the stage where printers should be banned from the public  sector completely and a paperless office enforced? Were this to happen, IT could focus its efforts solely on
protecting electronic files.

Saying "this will never happen again" is not good enough. Unless the public sector takes dramatic steps to change its data protection policies, the risk of human error will continue to  threaten national security.

Robert Chapman,  Firebrand Training

The easy availability of cheap, simple technology to commit phishing and denial of service attacks is a red herring and misses the bigger picture (More villains turn to e-crime, www.computing.co.uk/2218840).

While some criminals may be intent on committing e-crime via the web, many more will relish the opportunity to carry out crimes which more directly affect all of us, safe in the knowledge that data volume and complexity affords them an extra degree of protection.

As the world becomes   increasingly enveloped by  cyberspace it may soon be impossible to find criminals because they will hide in the complexity of the virtual world and only appear in the real world when
absolutely necessary.

Add the phenomenal growth in data volumes and the explosion in global social connectivity, and it
becomes clear that we need to turn our intelligence paradigm on its head.

We must get smarter and formulate the right hypotheses at the outset to guide our search. Otherwise the data volumes will beat us.

David Porter, Detica

The reason diligent school IT staff must think about issues such as security and compatibility is because they are both responsible and accountable for the network (Vice-like grip, letters.computing.co.uk).

If we simply act like robots and do as we are told, do you imagine the staff who asked us to carry out the task will take responsibility for its failure? Of course not. They will point the finger of blame in our direction.

Many schools have very good IT staff because they have large and complex networks. With the abuse they receive from people who know nothing, they should expect better from those who profess to know it all.

Tony Forder

Those of a certain age may remember a television programme called It's A Knockout, in which teams representing their home towns competed against each other in comically outlandish games.

Typically, a milkman from Bradford dressed as a chef would attempt to run along a greased slope to deliver pizzas to his cartoon oven, while attached to a bungee cord that threatened to pull him back to a watery fate.

Today, personal privacy is on that slippery slope and unlike the super-fit milkman of yesteryear, the nation has become rather overweight, myopic and totally unaware of the fate that it will inevitably endure. Things are not funny any more; in fact, everything is getting rather serious.

In my previous letter on this subject (Private life drama - leave me out, letters.computing.co.uk), I attempted to highlight that combining all the various databases that contain our personal information could lead to a situation where criminal investigation is reduced to a data-mining exercise.

Safeguards on the use of personal information need to be put in place, or a fully-fledged Big Brother-style police state will be the inevitable outcome.

Your computerised personal information is just too tempting for criminals to ignore, not to mention post-9/11 governments.

Determining how different pieces of information held on separate databases should be allowed to be combined, cross-referenced and analysed is not going to be an easy job.

But sometimes such onerous work must be squarely shouldered, and the easy way out - ignoring it - will just not do.

We often see depicted in police dramas on TV that evidence is inadmissible unless gathered legitimately. In such dramas, the police are not allowed to pursue their hunches and go on "fishing trips" to see what they can uncover. Mining personal data in the real world should require similar sanctions, with genuinely effective protection against any such mavericks.

Unless strict controls are placed on all personal data and how it is used, it will be  abused. The nation, just like the plucky milkman from Bradford, needs to get back into shape and fight its way back up that slippery slope. What lies at the bottom is too terrible to contemplate.

Concerned of Liverpool

Business continuity planning and testing is obviously a cost to any business (Join the business continuity debate, www.computing.co.uk/2210713).

This being the case, there will always be a challenge to justify costs and approach to these activities. While challenge is a good thing and can prompt a rethink of any proposed solution, there comes a point at which the question must be: "Do we want to pay for this?"

Communication in companies needs to be good to gain commitment to the financial impact and potential risks of an effective business continuity plan.

One approach for obtaining commitment would be to produce mock news articles tracking the demise of the company following a critical incident.

Effective communication of the importance of business continuity is key.

David Creigh

Further to my letter last month (In referendums we must trust, letters.computing.co.uk), I am dismayed to see how little subsequent comment there has been on the ever-increasing powers of the surveillance society.

Computing has attempted to bring these concerns to public attention, but it is a voice that is being lost in a storm of indifference.

While the people of Britain are concerned about their jobs, mortgages, excessive immigration, youths carrying knives, and the price of food and petrol, their civil liberties are under a comprehensive and sustained attack.

Unless the nation voices some sort of opinion on this subject it will suddenly discover that it has no privacy whatsoever, and the act of criminal discovery will become based on a monumental mash-up of disparate data held in what would appear to be innocuous and legitimate locations.

Just because data can be cross-referenced and combined in new and exciting ways, allowing for a detailed picture of an individual's life, does not mean that it should. There should be real limits in place, backed up by the most stringent laws to prevent this.

Computers have empowered a new age and made products and services cost-effective, but they can be used wrongly, in ways that are not immediately apparent.

People have shared many facets of their personal lives through the use of web sites such as Facebook, MySpace, and YouTube. Coupling that information with data held in government databases can paint a picture that many individuals would  not want seen.

People need to develop an awareness of the surveillance society in which they now live, and start to define concrete boundaries. Sometimes the hardest thing to  do is exercise restraint,  but that is exactly what is  required of those in charge of the surveillance of  British society.

Some things are just meant to be hard; investigating a person's private life should be one of them.

Concerned of Liverpool

Where has John Rees been for the past four years? (A good VoIP application is worth paying for). From the Jericho Forum to everyone else - they will all say there is no such thing as a "secure" corporate wide area network.

The future for most businesses lies in the need to collaborate outside their not-secure perimeter. To base your notion of security on a false premise is like building a house on quicksand.

Paul Simmonds

There is no need to have a passport, driving licence and identity card (New approach to ID card scheme). There must be a way to incorporate all three on to one card, which would save taxpayers' money in the long term.

I have an old-style driving licence and did not renew my passport when it expired some years ago. I can no longer do simple tasks, such as putting my property on the market with an estate agent, as they want proof of identity because of money-laundering laws.

Ian Severs

All monitoring by ID cards, biometrics and CCTV cameras is technology-driven (The surveillance society).

The technology exists to capture and preserve our lives and actions on silicon chips, hard disks and CCTV.

The information - or if you like, knowledge - thus recorded is power. And power is a buzz, especially
if government reserves this power for itself and its various agencies. So, of course governments are interested.

Bob McMurray

With US regulatory requirements for multi-factor authentication not providing the protection from online financial fraud that was expected, tokens such as that provided by Verisign will quickly take hold in the financial sector (Are we really so scared when online shopping?, newsdesk.computing.co.uk).

Just one significant fraud can equal the cost of implementing tokens. While banks and customers may hate it, tokens will be here soon - guaranteed.

Name withheld on request

I don't get it. All too often do short-sighted executives think they "know" what their customers want (Abbey wary of two-factor authentication).

If this is true, however, and people find two-factor authentication a hassle, then these people deserve everything they get should they be unfortunate to become victims of identity theft and have their money stolen.I don't like forcing things on the consumer, but in this case it's for their protection.

Scott, submitted on the web

The seventh principle of the Data Protection Act is: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data" (Lose data and you go to jail).

IT professionals are already finding it tough to implement and maintain IT solutions to address evolving data security threats.

Vital projects are frequently competing for IT budget and resources.

In my experience, organisational measures - such as the effective communication of policies and procedures and training of employees - have a greater potential to  affect people's behaviour.

Therefore, better habits are acquired and risks truly minimised. Automated solutions which ensure the timely distribution of new and   revised policies and procedures, so that they are read, accepted and proved to be understood, make policy compliance affordable for all organisations, however large and dispersed its workforce.

It is high time that all departments within every organisation recognise  that data security is a
shared responsibility, which demands a collective  response and, dare I say, shared budget.

In this way, simple yet effective cross-function interventions are less likely to be overlooked, as large IT project rollouts take precedence.

Dominic Saunders

It is wrong to report that people will face jail for reckless data breaches, (Lose data and you go to jail).

The Criminal Justice and Immigration Act, which gained royal assent earlier this month, does introduce tough new sanctions for breaches of the Data Protection Act, granting the Information Commissioner's Office (ICO) the power to fine organisations for serious and reckless breaches of the Act.

This change in the law sends a very clear signal that data protection must be a priority and that it is completely unacceptable to be cavalier with people's   personal information.

Another clause in the new Act allows the Justice Secretary to introduce prison sentences for the separate offence of illegally buying and selling personal information if the black market exposed by the ICO continues.

This threat creates a  powerful deterrent to those tempted to engage in this  illegal practice.

The ICO has repeatedly called for more effective sanctions against organisations that fail to live up to their responsibilities under the Data Protection Act, and we welcome the tougher sanctions.

David Smith, Information  Commissioner's Office

John Jones appears to have all the answers with regard to Building Schools for the Future (BSF) and seems to be putting the blame squarely on IT support staff (Vice-like grip, letters.computing.co.uk).

Maybe if the education system employed teachers who were actually IT-competent, and did more to check on what the pupils are really trying to do with their computers in lessons rather than concentrate on their work, we wouldn't have to block such "innovation".

The only things we have to block is YouTube - because there is little related to education on there - social networking, proxy-bypass and games sites because the pupils cannot control themselves enough to not play games or chat when they should be working.

It gets to the point that we're having to manage behaviour because a teacher cannot.

I've never had to turn a teacher's idea down because of "firewall issues", but I have had to disappoint them when they purchase outdated software designed for Windows 95 or NT or is not designed to be run on a  network because they didn't speak to us first.

Perhaps John has watched far too many TV commercials for teacher training where all the little darlings are polite, friendly and willing to learn.

Instead of "advising",  perhaps he should spend some time in real schools and see the problems we face on a daily basis - threats, abuse, blatant attempts to bypass security, theft and damage.

If the pupils and staff don't respect the equipment we manage, they can hardly expect any respect from us.

Andy Davis

Producing a network security policy is the easy part. The hard part is actually enforcing it and managing the constant review process. Security threats never stand still and neither should a company's security policy (Case study: Leeds Teaching Hospital NHS Trust).

A trusted security adviser can help organisations identify and manage the risks, as well as design, implement, monitor, review and amend the corporate security policy in the light of changing threats. But before outsourcing network security can be contemplated, a company and its chosen security
partner have to build up those high levels of trust.

Staff should never feel the impact of a good security policy; all they should ever experience are the benefits.

Scott Nursten

What patients think about others having access to their medical records depends on what they have been told about who will have access (NHS must learn lessons on centralised patient records).

For example, what if men were told that if they are  prescribed Viagra it would be known by administrative staff for up to six months  after being issued? It is not just current medications that will be on the system.

What if they were told about the NHS secondary uses service, pharmacists,  researchers and so on - would that affect their view on access?

When I contacted a primary care trust about drugs such as anti-depressants, Viagra and medications used in a termination, they seemed to imply that this data would be uploaded. Would all women who had an abortion be happy about uploading anything that implied they have had such an operation?

Dave, submitted on the web

Last July, the Information Commissioner explicitly stressed to UK executives the need for more stringent protection of customer data. Yet a large number of UK public sector organisations are still being extremely remiss when using sensitive customer information  (Data losses revealed at
London councils).

Carelessly leaving information about vulnerable children in a pub - as happened twice last year at Kensington and Chelsea Borough Council - only exacerbates the public's concern.

Public sector bodies need to understand and address internal data infrastructures to prevent data being misused. Furthermore, they need to encourage an organisational culture that realises the vulnerability of  customer information and understands the importance of protecting it.

There are already enough threats to customer data from the criminal community, without organisations adding to them through an array of careless activities.

Jason Goodwin

Mark Surguy suggests that technology is both the problem and the solution when it comes to the issue of data protection and its legal implications (Do you know where your data is?).

However, closer consideration would suggest that technology is not the main concern.

Data is an incredibly valuable commodity. No one would ever consider stuffing a Jiffy bag full of £50 notes and sending it through the post to someone in the hope it arrives intact, if, in fact, it arrives at all. So why does the attitude persist that it is OK to do this with a few  million people's bank details, or the personal information concerning victims of crime, and then begin to worry when the data is lost?
The key to improving data security is changing this  attitude. Technology such as RFID or encryption can offer plenty of solutions to help prevent unauthorised access or corruption in the event of a breach.

However, if the right policies and procedures are already in place to foster a culture of prudence and forethought, these technology solutions should only ever have to offer the comfort of a backup plan.

George Purrio

You ask: are ID cards, CCTV and data sharing acceptable prices to pay for the benefits of improved services and better security? (The surveillance society).

Unless the benefit of surveillance systems is clearly understood by the masses it will never be popular.
However, the foundation of trust in such systems has not been nurtured. Such  need to start slowly and demonstrate that they cannot be abused by anyone.

Access should be severely restricted to those of the highest calibre for only the most important of reasons.

Protecting civil liberties must come first if such systems are to be tolerated, and the adage of "just because we can build it does not mean that we should" must be  revisited regularly.

Such systems can be abused, and that abuse can be directed at any segment of society with an ease that defies belief.

It seems wrong that access to such technology and power is being put into the hands of local councils or debt collection agencies.

The general population needs to wake up to the very real threat of the worst kind of sci-fi future - a dystopia - and that process starts with understanding.

A national referendum seems the only way.

Name withheld on request

Mike Byrne said in his letter that he is concerned he might one day have to present his ID card when buying petrol (Who picks up the ID trail? letters.computing.co.uk).

He need not worry – this is not necessary. At Birchhanger Green services on the M11 I observed a notice that all registration numbers are checked against the Police National Computer before the pump is enabled – and that this information will be retained. I suspect the “Time to next junction” signs on the M25 and others are also recording your number plate as you pass – it is the easiest way to produce the estimate.

Andy Champ

Johan Rock is absolutely right that backups are still one of the least appreciated aspects of IT until, in many cases, it is too late (Back up or face the consequences, letters.computing.co.uk).

I still come across businesses that are so cavalier with their data it is a wonder that they stay in business - unfortunately, many fail after a serious event such as a fire or flood.

What I find even more amazing are the companies that spend large amounts of money on exotic backup architectures, but never find time to test a restore of their backups. Many home PC users are just as much in the dark, which is surprising when just about every PC has a read-write device and with free backup software available on the internet it could not be easier.

It is even more incredible when you think that 8GB memory sticks are now available for less than £50 - less than it costs to fill the average family car with petrol.

Mike McNamara

Mike Byrne raises some interesting questions in his letter (Who picks up the ID trail? letters.computing.co.uk).

If this government's track record on protecting our personal data is an example of the future, Mike will be in for a shock. His scenario of being tracked when buying petrol and using cash machines is already a reality.

From 2009 anyone leaving the UK will need to supply 53 pieces of personal information - see www.tinyurl.com/2ww86f - this could and probably will be linked to the  national identity register database. The government already allows commercial companies to access the  driver and vehicle licensing database.

Bringing all these together worries me a great deal. Mike is right that no real  debate has taken place as
to who controls all this data, and who allows whom to  access it.

Mike McNamara

The best way for government to make ID cards widespread is to do the following (New approach to ID card scheme).

Make it a criminal offence for anyone, government or commercial, to ask for further proof of identity when an ID card has been presented and an identity confirmation received.

Take responsibility for losses incurred when a properly executed identity check using an ID card returns a false result, whether the losses are the commercial organisation's for a false positive or the individual's for a false negative.

Make it a criminal offence to refuse other identity verification offerings, but leave the organisation freedom to set reasonable rules.

This would still allow the paranoid and the refuseniks to stay out of the system and possibly to stay out of it for only some activities.

Jim Blair

One of the major South African banks has a system in place for certain types of internet banking transactions, where a system-defined password that is continually changed is sent in real time to the client's registered mobile number. This number must then be inputted for the transaction to be authorised (Abbey wary of two-factor authentication).

The system has a number of safeguards in that the user requires the banking account user name and password, along with the mobile phone registered on the client's bank profile.

Trevor Grantham

Businesses are quick to blame government, but the UK is just like the US in that businesses do not want to do what is necessary to protect themselves if they are key to the economy and the critical infrastructure (Cyber attack threat is ignored).

Yet they would protest if government set standards for securing their information assets. This is a classic case of "damned if you do and damned if you don't".

Name withheld on request

Having a disaster recovery (DR) plan is a great idea for any business, but many take it too far or do not look at all the options (Join the business continuity debate).

For example, does the business need to provide off-site working facilities for all its staff, or just a subset? Could sufficient infrastructure be put in place to allow users to work remotely during a disaster? It is about balancing the need to keep the business running with the cost of implementing DR.

Without a well-documented and tested DR plan, forget it. A DR plan can become obsolete remarkably quickly if documentation is not updated and IT staff are not made responsible for keeping the plan current.

George Mason

You published a letter from me last month in which I pointed out the dangers of linkage between ID cards and various government databases (The thin end of a scary wedge, letters.computing.co.uk).

In that issue you also published an interview with James Hall, chief executive of the Identity and Passport Service (New approach to ID card scheme), in which he states: "We want to make it cheaper for the bank to secure identity and cheaper for the young person to set up that account."

So either the bank will have a device to check the ID card against an individual's biometrics or it will be able to access the national ID database to verify the ID card. It could be the case that both are required.
It is likely that the cards will be susceptible to fraud a short time after they are issued, so checking cards against physical persons will be unlikely to be accepted. That means banks will be allowed access to the ID database, if IDs are to be used in the way Hall suggests.

Will the government be allowed instant access to bank records? Where will it stop? Will they get supermarkets to check buying habits recorded by store cards? Will you be refused NHS treatment because you bought too many packets of butter?

Several of the original IT suppliers are now shying away from the project. I hope more will follow and that staff will have more regard to infringement of their rights than their employer's profits by refusing to work on this disastrous scheme.

Philip Kellingley

We have reached a point where if an online store's branding and reputation conveys a sense of trust, the brand and its web site displays the key authentication symbols/certificates, we should shop, shop, shop (Are we really so scared when online shopping? newsdesk.computing.co.uk).

The banks cover fraudulent transactions and getting something back from banks these days is a triumph in  itself. Perhaps this is why banks are pushing these highly annoying secondary security systems. It is beginning to defeat the purpose of the exercise, which is speed and convenience.

Having to carry tokens  is impractical and having  to create number/letter combination passwords just forces us to write all our numerous passwords down, again defeating the purpose of the security measures in the first place. Let  technology do its job.

Bryan Hunter

Of course the two convictions on the basis of DNA forensics was good news and just one of many lines of  enquiry that can secure the evidence for conviction (Hysteria clouds database debate, comment.computing.co.uk).

When we have a DNA  profile but no culprit, we only have the means to  identify them when they are known. Consequently, there is a respectable and growing body of opinion that believes routine blood tests should populate the DNA database.

It makes perfect sense to know the "owner" of DNA  beforehand so a match can be made. I have little doubt the time is not far away when routine sampling will be used to populate DNA databases. Then we can   reflect about the benefits of a society that determines  citizenship on the premise that if someone commits a criminal act we will know about it. While I agree databases are simply a way to store information, the  people who design and use them are a different matter.

Richard Mills

The government has spent six years trying to find a plausible reason to force everyone to have an ID card - it cannot (Roll up, roll up, get your voluntary ID cards here, editor.computing.co.uk). There are no good reasons.

This is a piece of control freakery by Whitehall civil servants who want to compile a national population register because it would be convenient for them, with no regard for the  monetary or constitutional costs to the country.

They are hypnotised by the prospect of the Home Office becoming the pre-eminent government department - eclipsing even the Treasury - by interposing itself in every transaction between the
citizen and government,  and many transactions  between the citizen and  private industry.

It is every Home Office mandarin's dream - we would all have to have civil service permission to access healthcare, banking services or even pick up a parcel at the post office.

Think I'm exaggerating? Read examples on the Home Office web site at www.identitycards.gov.uk. Centralising this level of control over our everyday lives is pure folly. The ID scheme must be scrapped, immediately.

Andrew Watson

We have been using SMS for dynamic password sign-on over the internet for more than a year for similar systems to that mentioned in your article without any problems, including SMS ordering (Message in a bottleneck, letters.computing.co.uk).

Are the problems experienced by your correspondent, Andrew, confined to his mobile phone company, or are the delays at one or more particular SMS-originating mobile phone companies? It would be very
interesting to know.

Name withheld on request

The banks introduced chip-and-PIN for increased secur-ity and to cut down on fraud (PINheads, letters.computing.co.uk). The system was supposed to be “good for consumers”. However, we now seem to be in a position where banks have issued a flawed PIN system and we have no redress if, through no fault of our own, someone gets hold of our PIN number and/or card.

We must enter all four numbers of our PIN and in the correct order. But it would be better if banks asked for say, the third and first number, and then two random numbers. That way, even if we were overlooked and someone stole our card, the thief would not know which were the authentic numbers and which were the random numbers. The card could then be locked after three unsuccessful attempts.

According to some  reports, it is now possible to hack chip-and-PIN devices with a paperclip and a
needle. Cards can also be cloned  and the card owner would never know.

Another security flaw is that, once a PIN number is entered, the Barclays PinSentry device announces that it is correct by confirming it. No signature on paper is required, so card owners cannot even prove that the signature is theirs.

Cheques are being refused by some shops and the trend will grow – this means more use of chip-and-PIN by  people who may not be  so careful about who is watching them.

I welcome the idea of  chip-and-PIN and increased security. But the current system seems to have been dumbed down and as a  consequence security has been compromised.

Steve, submitted on the web

Your statement: “to suggest that use of technology is inimically linked to control freakery and surveillance is facile” beggars belief (Hysteria clouds database debate, comment.computing.co.uk).

Go to countries that have had such control freakery in place and ask the local population before you sound off.

Two examples spring to mind – Brazil and Russia. There is no question that the setting up of databases, such as the proposed national ID database here, would have enabled even greater oppression in both countries during periods in which they were run by oppressive regimes.

How easy would it be to develop a system to interrogate, say, your identity data and cross-reference that with your health data, tax records, driver’s licence and car tax records, land registry records, police databases, and so on? The next step would be to allow a two-way transfer of information. And that would mean people accessing data to which they should have no right of access.

Let us be quite clear. The current government is moving, by stealth or otherwise, to the point at which all national databases holding personal details will be linked. Whether or not the government is benign in its intentions is irrelevant. Any future government may not be. And any government with a majority can do what it likes.

It is precisely because the government can use technology to link such systems that we should be worried.

Because once it is all in place it will never be removed.

Philip Kellingley

The biggest privacy problem I have with ID cards – and I have seen precious little debate on this detail – is who has access to the audit trail and under what circumstances? (Roll up, roll up, get your voluntary ID cards here, editor.computing.co.uk).

There is massive scope for the ID card to turn into a people-tracker device by the government increasingly mandating circumstances for which ID card use is mandatory.

Perhaps in the future people will be forced to use their cards when spending more than £50, or buying petrol or visiting their local gym, to the point where it is impossible to live day-by-day without leaving a trail.

What is needed is a serious debate on who will have  access to the audit trail and under what circumstances, and whether or not the government will ever mandate the use of a person’s ID card.

Mike Byrne

It is true that data loss is becoming far too prevalent and the need to back up data is not only applicable to businesses, but also private consumers (It is best to plan for the worst, letters.computing .co.uk).

Our reliance on the numerous forms of technology we use every day means we are unwittingly exposing ourselves to losing valuable personal and private information as never before.

Take mobiles, for example. We store so much information on our phones, yet we do not see the need to make sure these are safe should the phone be lost or stolen.

The prevalence of this issue explains the emergence of numerous services that allow users to back up
mobile content, such as pictures, videos and texts, with ease. Data backup will soon become the norm as consumers and businesses begin to understand the   inconvenience associated with data loss. It is simple, yet so many people do not even consider it.

Johan Rock

The concept of information-sharing platforms that allow vast quantities of sensitive and personal data to be shared across state departments and between caring professions appears to strike an obvious appeal for the government (Calls to scrap youth database).

But it is evidently not possible to secure networked information. In the past, we have relied on sensitive data being protected by keeping it in silos in GP surgeries, and shared by professionals on a need-to-know basis.

The idea of medical data being shared unnecessarily with social workers is disturbing and endangers patient/doctor confidentiality.

The potential value of the information to the shadow economy of such an integrated database should it be hacked, stolen or lost in the post might stimulate interest in attacking the system, and such a breach would compromise citizens' rights more than every other scandal that has broken to date.

Large, networked databases comprising huge quantities of diverse confidential data are therefore unethical, unsafe and must be abandoned for all citizens, not just children.

David E Bennett

It is very sad that the whole story about access and data sharing was missing from this article (NHS database must go ahead, say MPs).

It failed to mention the secondary uses service (SUS), which has staff with access to identifiable data, and it left out others, such as NHS staff at primary care trusts having access to identifiable data held by SUS and researchers.

My medical records are not held on computer because it is the only way my GP can stop others reading them. Patients can already access their full records, they do not need to be stored on a PC to be accessible.

Dave, submitted on the web

It seems that some copyright owners get a very good deal (Legislation plans to tackle piracy and protect creativity).

I do not expect my employer to keep paying me after my retirement, or even my death, for the programs I have written during my working life, no matter how good or useful they might be. The rules need to be evened up in favour of the consumer.

And by the way, if copying is prevented, performers will not receive all the money they like to believe. Most users will simply do without what they consider to be unnecessary.

Neil Harvey

Reports on fraud show that the government and banks should realise that their data protection and chip-and-PIN systems are failing to deter fraudsters (Two UK companies make the top technology pioneers list).

Fake documents have made signature systems unreliable, while skimmers and pinhole cameras have rendered PIN technologies untrustworthy.

We have the option to make signatures reliable by personalising them with ID stickers and by using card key code to make PIN systems reliable, hopefully making the use of stolen and skimmed cards meaningless.

Roger, submitted on the web

Data loss may well be viewed as inevitable, but it would appear that many companies still do not budget for the necessity of data recovery or even include it as part of their contingency plans.

Our research has found that three-quarters of UK firms have no contingency plans for data loss. Clearly the attitude of “it will never happen to me” is still prevalent – or worse still – “it will happen, but I will deal with it when it does.”

This is a risky strategy, and a costly one too, because when a company’s data is destroyed, knowing how to respond quickly can significantly improve the chances of a full recovery as well as minimising financial loss.

Data must be protected at all stages – from creation, through sharing, to deletion.

The sooner IT departments realise and budget accordingly, the sooner we can move away from contingency management and towards true data protection.

Phil Bridge, Kroll Ontrack UK

The £1bn lost by fraud and error through HMRC systems indicates a series of issues (HMRC should threaten EDS with court). It is remarkable that we continue to see such high figures, but there might be light at the end of the tunnel.

For years, private companies have used technology such as voice analysis to minimise the threat of fraud. Some firms are already moving to more effective techniques, such as predictive analytics.

The insurance sector in particular has been innovative in its anti-fraud crusade. By analysing customer behaviour, insurance companies have been able to reduce fraud dramatically, speeding up legitimate claims and improving customer service in the process.

Data breaches and fraud cases continue to hit the headlines, and it is clear that the government faces an uphill struggle.

But by taking a more innovative approach, government departments can improve transparency and efficiency.

Rachel Clinton, SPSS UK

If new laws target downloaders, I think a lot of internet companies will lose a lot of custom (Government to attack download pirates).

Most people have the internet so they can download whatever interests them. I know for a fact that I will cancel my broadband subscription if this is made law.

Perhaps if cinema tickets and DVD hire were cheaper, people would not download as much.
Most of the films being made these days are such rubbish that I cannot see why anyone would want to pay to watch them anyway.

Tony, submitted on the web

There are far more important things surrounding the misuse of the internet that the government should be dealing with before it even thinks about media piracy (Government to attack download pirates).

The government does not seem to care as much when the little people are wronged, but any injustice to industry makes it pulls its finger out.

I doubt the entertainment industry is going to have a lean Christmas because of media piracy.

Dylan, submitted on the web

In his letter, Steve wrote: “One might think that banks had introduced chip-and-PIN merely so they can refuse all refunds on disputed transactions because they can always say: ‘How did they know your PIN?’" (Suspicious minds, Letters blog, letters.computing.co.uk).

Was this not precisely the reason chip-and-PIN was invented? Credit card fraud cost banks more than £150m per year, because the rules said that users would be protected from fraud that was not the user’s fault.

Chip-and-PIN was designed as a way of proving blame. If you can prove it was the card user’s fault, for example they gave away their PIN, you can deny liability.

Phil, submitted on the web

In his letter, Steve wrote: “One might think that banks had introduced chip-and-PIN merely so they can refuse all refunds on disputed transactions because they can always say: ‘How did they know your PIN?’" (Suspicious minds, Letters blog).

Was this not precisely the reason chip-and-PIN was invented? Credit card fraud cost banks more than £150m per year, because the rules said that users would be protected from fraud that was not the user’s fault. Chip-and-PIN was designed as a way of proving blame. If you can prove it was the card user’s fault, for example they gave away their PIN, you can deny liability.

Phil, submitted on the web

I was pleased to read of the launch of a Web 2.0 security forum in Computing (Web 2.0 security forum launches), as our view has been that more and more companies are adopting Web 2.0 technologies without implementing sufficient security policies and practices.

Web 2.0 within the workplace is not a fad that is going to disappear; the technology and applications make a whole new mode of working possible that will lead to increased productivity and profitability. However, it will be necessary for businesses to face up to the accompanying security issues to reap the benefits Web 2.0 promises.

Businesses need to educate staff on best practice and their individual responsibility in helping secure new web applications.

IT departments must also take responsibility for the security below this surface level, which involves keeping a close eye on the network and bandwidth rhythms and professionally auditing applications.
Organisations that work to raise awareness of these issues can only help the overall progress of new, powerful applications in the enterprise, as secure best practice here will enable whole new ways of working.

Simon Haighton-Williams
Web Technology Group

I would like to hear from anyone who has had problems with their bank account showing someone has used their PIN code and card, and what the bank has done about it (Needling over PINs, Letters blog, letters.computing.co.uk).

For example, if someone has your PIN code and stole your card, do you get your money back? How many occurrences have there been? Every day I see people entering their PIN number in shops and I can easily see what they have entered.

One might think that banks had introduced chip-and-PIN merely so they can refuse all refunds on disputed transactions because they can always say: "How did they know your PIN?"

Getting someone's PIN is fairly easy from what I have seen in shops and garage. Do banks publish any numbers on debit card fraud?

Steve, submitted on the web

More than two months after the initial child benefit data fiasco, HM Revenue & Customs (HMRC) is only able to accept self-decrypting files, which rather defeats the object.

I am trying to send a Statutory Return to HMRC which contains details including name, address, postcode, date of birth, place of birth and National Insurance number - great for identity theft or getting hold of a birth certificate, which then also provides your mother's maiden name.

The Information Commissioner recently issued Marks & Spencer with an Enforcement Notice giving the
retailer until 1 April 2008 - only two months - to complete encryption of all its laptops (M&S breached Data Protection Act).

Why does the commissioner not give HMRC 60 days' notice as well?

Keith Appleyard

I understand there are many claims that compulsory identity cards are effectively a universal panacea - an answer to virtually all the evils in the world - among which is the prevention and solution of crime (Card times, Letters blog, letters.computing.co.uk). The reality is far from this Utopian view of the world.

May I draw your readers' attention to an authoritative source, and highlight a rather pertinent quote? It suggests that compulsory ID cards and their underlying databases show no correlation with low crime - whether prevented or solved:

"The crime rate in Belgium is in the high range of industrialised countries. According to the United Nations' sixth annual survey on crime, crime recorded in police statistics showed the crime rate for the grand total of recorded crimes in Belgium to be 8,034.93 per 100,000 inhabitants in 1997. This compares with 1,506.5 for Japan - a country with a low crime rate - and 9,622.1 for the US - a country with high crime rate."

This is taken from Crime and Society, a comparative criminology tour of the world by  Dr Robert Winslow of San Diego State University. For more details click here.

Dominic Pinto

Bill from Belgium is missing the point (Card times, Letters blog, letters.computing.co.uk).

If we all lived in Belgium we would probably not have a problem with ID cards. However, we live in the UK.
The UK is a place where the government does not have a great record for either delivering complex IT projects on time or on budget, or ensuring that personal data is kept secure.

Keith Lyall

Perhaps in Belgium the government is a bit more careful with its citizens'  personal data (Card times, Letters blog, letters.computing.co.uk).

The UK government seems to keep leaving our sensitive data lying around in all sorts of unsuitable places.

Gordon Ansell

There is a policy to force encryption on government communications (Whitehall looks to encryption).

At the same time a number of police forces are putting out tenders for body-worn video camera/recorders for police officers. One of the requirements - which is perhaps not particularly intelligent - is that the video recorded must be capable of being played on any PC with Windows Media Player.

That provides an open opportunity for anyone with a media card or USB drive to obtain a video made by one of these body-worn units and easily play it. How does this fit in the encryption scare?

Lee Tracey

On the security of Barclays' PINsentry home banking security device, some of your correspondents are missing the point (Safety not in PIN numbers, Letters blog, letters.computing.co.uk).

If someone is looking over your shoulder as you enter your PIN in a store or garage, they could later lift your wallet and have three guesses at your PIN without needing any special equipment and in complete privacy. For example, they could pretend to be fiddling with their mobile phone while using its camera to record your key presses as you enter your PIN.

Banks will not give you a refund if someone uses your PIN with your card because they insist that no one knows your PIN except you.

The PIN is the only key to your bank account and Barclays has just distributed thousands of portable, free devices that allow anyone to have three attempts at cracking a PIN with no penalty for trying, other than locking the card after three unsuccessful attempts.

The point was that they had no need to display a "PIN correct" message at all. In doing so they have created a big security hole.

Steve, submitted on the web

I agree with Mike Howse from the BCS that personal data loss must not be tolerated, and that automated enforcement may be required to address part of the problem.

But we should be careful not to underestimate the institutionalised behaviour and cultural issues associated with change in government departments.

The vision of the cost savings and productivity gains of a paperless office has caused many government agencies driven by regulation to concentrate their efforts on electronic records management, and neglect the management of physical information carriers such as paper records or discs.

In fact, under Tony Blair, the government put a mandate on the whole of central government stating that by 2004 all newly-created public records will be electronically stored and retrieved.

It is telling that the resulting approval scheme for records management systems run by the UK National Archives included the management of paper records and markers for physical data carriers as an optional module.

Now, five years after the main hiatus to implement electronic records management systems, we see important data being lost because physical data carriers were not managed as a corporate competency.
So are we really that shocked at the spate of government data losses?

David Oates, Tower Software

What is up with people in the UK - why are some so precious about ID cards? (The surveillance society).

Here in Belgium people have to carry ID cards by law, and I have never heard anyone have an issue with them. If ID cards help prevent and solve serious crime, what is the problem?

Bill, submitted on the web

If I reported all the e-crime I encounter, the Welsh Hi-Tech Crime Unit would be overwhelmed (UK divided on e-crime strategy).

Each day I receive attempted frauds claiming to be from all the well-known banks; Nigerian scams; illegal prescription-only drugs; and a few lame-brained attacks on my system.

Occasionally I fill in their forms with false data or sometimes I paste in code and try to exploit buffer overruns. Sometimes I send them my terms of access to my email address which allows excessive counter-attacks without further warnings. Mostly, though, I ignore them.

Michael Mordechai

It is typical of the government to think that more law reduces crime, the same flawed logic that would suggest taking  cops off the beat and promoting them to chief inspector will solve crime (Too many cooks will spoil ID fraud broth).

What is needed is fewer people pontificating about what we should do about IT crime and more people actually tackling it.

From the few comments I have read on the subject of "low level" IT crime, such as not paying for something on eBay, it is not taken seriously by the police and in this particular example eBay itself would be expected to chase down the villain. Similarly, if you walk into a local police, station the response that you get will tend to be better if the sergeant at the desk happens to be a computer hobbyist, as far as I can deduce.

Until the police are properly resourced and trained to take IT crime as seriously as "normal" crime then not much progress will be made. This probably means at least one properly IT-trained computer crime officer in every major