This week (19 November 2007) must mark the lowest point in trust between UK citizens and their government.  In what can, at best, be described as a stunning situation, the British Prime Minister was compelled to issue a personal apology both to the British Parliament, and to the 25 million people whose personal data had been casually sent, unprotected, from one government department to another, simply, if we are to believe Press reports, because EDS would have made an extra charge to depersonalize the information.

Now I should tell you that we do not subscribe to the typical conspiracy theory type of approach.  For one thing, conspiracy theory assumes that there is positive planning at the heart of what goes on.  But if we are to learn anything from real conspiracies such as Watergate, then we should conclude that they were mainly incompetent, and suffered more from the laws of unintended consequences than ever they did from any real or realistic planning.

No, we take the view, however unpopular, that what happened in Her Majesty’s Revenue and Customs (HMRC) was nothing more than a massive attack of indifference and incompetence.  Indifference, because it is utterly clear that the officials concerned did nothing more than password protect personal financial information relating to 25 million people (even though such methods are so comprehensively discredited that it is actually beyond belief that such a trivial, and, quite frankly, stupid method were chosen), and incompetence, because if you were to choose such a flawed method of protection you would take every possible step to ensure that the information could not possibly be lost or stolen.

It seems that although they could have purchased simple encryption software from ArticSoft Technologies or PGP Corporation (if they were more comfortable buying US products just as they have the US supplier EDS for their systems) they chose not to use simple and very powerful encryption products that can be acquired trivially over the Internet for as little as $65.

So that is what it comes down to.  The agencies of UK government have been publicly shown to equate the importance of protecting the personal data of 25 million citizens as less that 30 quid (I apologize, I actually mean about GBP 32.50).  So that is less than (well, actually it is off the bottom of my calculator) highly close to sod all per person.  But to top it all, HMRC are expecting the banking sector to police the accounts of the people that may have been compromised. 

Now that really must just take the biscuit.  Having disclosed the social security numbers, personal details, addresses, bank account details for 25 million people to person or persons unknown, these same UK government departments then tell the UK banks exactly who are the people drawing government benefit (enabling the banks to knowingly target them as a specific sector of the population, and pass that information to all their internal departments, tame credit card and insurance companies and – please insert the deity or persuasion of our choice here – forbid, any company they choose to declare as being appropriate without asking anyone at any time or for any reason) thus enabling the very same banks to alter credit ratings and plunge the already disadvantaged into greater jeopardy than before.

What has this to do with DRM?

Well, if HMRC had even the slightest glimmer of professionalism (or their suppliers, come to that) then they would have implemented an encryption system that ensure that only those authorized would be able to access controlled information, and that their authority to use could be carefully controlled.

Because that is what DRM systems actually do.  DRM does not merely determine who is an authorized user, but it determines what that specific authorized user is actually entitled to do with the information that they have received. 

Now had a DRM system been in place, none of the political disaster that has already caused the resignation of the head of HMRC, (but may yet claim one or more political scalps) would have happened, simply because the thief (or thieves) would not have been able to trivially access the personal records.

And that is what is so depressingly wrong with what happened in the UK.

There is no shortage of technologies and products available that could have prevented, beyond all reasonable doubt, the disaster that has happened.  DRM technologies that are widely implemented, had they been used, would have made this episode a non-event.  So why was nothing done?

We must leave you to draw your own conclusions on this one.  Spend GBP 32.50 and not have even the potential for a problem, or do not and get comprehensively exposed as being incompetent.  It appears that the lemmings have voted.

Make sure that you don’t leave your own business exposed.  It may be almost impossible to sue a government for the kind of massive and studied indifference that the UK HMRC appear to have demonstrated over the last couple of months, but you can be certain that those self-same organizations will not hesitate to persecute (sorry, did I mean prosecute?) companies that fail to follow the higher standard.