Looks like the British Government is not very good at protecting its citizens identity.

In case you didn’t follow the recent news, HM Revenue & Customs (British equivalent for IRS) has lost CDs with over 25 million names along with their personal and banking details. You can read the full story here and here.

This is causing a CDgate on the other side of the pond. This data is the basis for opening a bank account, and also for getting more information from many government agencies. So if this data falls into the wrong hands, it will be used in ways that will adversely impact those same citizens that the British Government is supposed to protect.

What’s funny (so to speak) is that at the same time there is a study, in UK too, that presents an interesting perspective on what people do reveal on their online profile. I saw this initially on Wikinomics blog, but for whatever reason there is no direct link to this post. So, click here and scroll down until you see the post named “What’s on your profile?”

For your convenience, here is what it says:

A recent survey of 2000 14-21 year olds in the UK reveals some interesting statistics about young people’s not-so-smart behavior online. (The research was done to help promote an online safety website run by the Information Commissioner’s Office) The findings show that most youngsters do very little to safeguard even some of the most sensitive information, freely posting private details on their social network profiles. The survey also shows that most are concerned when they become aware of what can be done with their publicly available information.

A few stats on social networking behavior:

• 60% post date of birth
• 10% post their address
• 33% never read privacy policies
• 66% of girls accept people they don’t know as friends
• 60% have never considered that what they put online might be permanent
• 70% don’t care that their personal profiles can be publicly viewed

Attitudes towards use of online information:

• 95% are concerned with their personal details being used for advertising (Lookout Facebook)
• 71% would not want educational institutions or potential employers to conduct an internet search on them unless they can remove some content from their profiles

The ICO’s new website is a commendable attempt at educating young people about their online behavior. It might also take a few hard lessons to get the point across. For instance a canceled job offer due to an appearance in one of the 5000 or so photos posted on the “30 Reasons Girls Should Call It A Night” Facebook group. (170 254 members)

There are inconsistencies in the answers: 70% don’t care about the public aspect of their personal profile while 71% would not want companies using some or all of that information. This goes along the same vein as a poll recently done on Techcrunch (see image below) where a majority of respondents seemed concerned about new Facebook privacy policies.

For one of the best comments on Facebook privacy concerns, read this post.

So what is all this telling us?

Obviously we know we should be concerned. But we are not (at least collectively).

When asked specific question most (60% for Techcrunch, 71 to 95% for the UK study) respondents will give the “right” answer: I feel concerned. But when you look at their behavior, it is shouting “I don’t care”. And that’s probably not an awareness issue as we are hearing here and there. If people were not aware, they wouldn’t all say that they feel concerned.

So what do we do from here?

Let’s stop worrying about information being exposed. As the Web 2.0 saying goes “Information wants to be free”. So let’s assume that all information, public or private, business or personal, encrypted or free, will ends up, one way or another, being exposed somewhere on the Web.

Let’s stop worrying about information being exposed AND let’s start focusing on better ways and tools to protect one’s identity. The UK problem is not so much that information leaked, but much more what this information can be used for. Indeed my identity has been reduced to a combination of few fields in a database: first name, last name, SSN (or NAS or whatever national ID), date of birth…. and the maiden name of my mother, of course. If you have that data, you can do about whatever on behalf of any individual.

Since history has proven (on many, many occasions) that governments, corporations, associations, and individuals themselves cannot be trusted to protect this data, let’s work on providing individuals with better tools to fight back the villains who try to use their identities!

Well, that doesn’t seem to be the path taken by everyone, so I’ll wait a little bit…

To close on that topic for today, on the other side of the other wider pond, Michael Specht gives some thoughts on what the UK “incident” means for HR. Basically some standard security measures that are too often overlooked.

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.