Tag Archives: e-government

gov.uk security stupidity nothing new

Those of you who have been following the comments to my earlier blog posting (Please Use Firefox 2 or IE 6) or my Twitter tweets might be interested in an item I wrote for my newsletter Tales from the Terminal Room, July 2002. Entitled “Inland Revenue’s Cookies Fail Crunch Test” – sorry about the awful pun – it suggests that gov.uk seems to have learned little about security over the last 7 years:

In the UK, it is that time of year when we suddenly realise that we have only a few weeks to complete our tax forms and deliver them to the Inland Revenue. I, says she rather smugly, have already done mine but not online as the UK government continually exhorts us to do. I did have a go last year but the Web site kept crashing and after four attempts I reverted to the good old-fashioned paper form. This year I did not even consider the online route, which is just as well because the service had to be temporarily withdrawn following a security breach.

A problem with cookies allowed users of Inland Revenue’s online self-assessment tax form to see other people’s tax details. An official statement explained: “The way in which the ‘session cookie’ identifying the user was managed meant that it could, in certain rare circumstances, be presented to another user.”

It seems that Inland Revenue’s site allocated the same cookie to more than one user because they were using IP addresses to identify users. Many Internet users, and especially those accessing the Internet from home, use ISPs with dynamic IP addressing: that is the ISP allocates a different IP address to a user each time they access the Net, which means that the same IP address may be assigned to several different users in quick succession.

The Inland Revenue said that examination of activity logs suggested that the web site had compromised the privacy of 47 of the site’s 28,679 users and there were 665 for whom the possibility could not be eliminated.

The problem has now been fixed and the site is back up and running, but I for one am not reassured.

For the Inland Revenue’s side of the story see: http://www.inlandrevenue.gov.uk/news/sa_online.htm

Inevitably, the URL in the final sentence no longer works but you can still view a copy at http://www.archive.org/.  Copy and paste the whole URL into the Waybackmachine Take Me Back box, and on the list of results click on August 2002.  Alternatively, http://web.archive.org/web/20020804140436/http://www.inlandrevenue.gov.uk/news/sa_online.htm should take you straight there.

Please use Firefox 2 or IE 6

This would normally fall into the “I don’t belieeeeve it” category had I not already heard of the problems endured by UK central and local government departments in trying to move on from Internet Explorer 6.

Out of curiosity I decided to see what pittance I might receive from the state when I retire so tried the advertised http://www.thepensionservice.gov.uk/. First of all I could not just use my existing username and password for the government gateway service to use the pension forecasting service. That’s fair enough. I appreciate the additional security level but then I had to wait two weeks for an activation code. This morning it arrived, I “activated” my account and attempted to log in. In a flash, a “Technical Error” page popped up with error and error ID codes, and instructions to phone them for help.

What followed has left me stunned.

“Are you using Firefox or Internet Explorer?” the nice lady asked.

“Firefox”

“Which version?”

“3.5.2” I replied

“If you want to use Firefox, you’ll have to go back to version 2”

A few seconds of silence followed and then I asked if I could use IE 8. No, was the answer, it had to be IE6 or possibly IE7. Google Chrome? Not compatible. Opera? She wasn’t sure but if it was the latest version then no. Safari? Er..probably not. She explained that they haven’t security tested the latest versions of the browsers and Chrome is definitely out.

It is pathetic, stupid and irresponsible. We are all exhorted to keep our browsers up to date as part of our online security measures but the UK government is encouraging us to do the opposite. We are encouraged to file our tax returns online and use the government web sites to obtain information about our entitlements, but to do so we have to use browsers from the stone age. It does not fill me with confidence. Quite the opposite, I am beginning to feel seriously paranoid regarding the security of gov.uk sites.

So have I got my pension forecast? Once I had stopped haranguing the poor lady on the help desk I was transferred to another department, my personal details were taken, and I was told my forecast would be in the post in about 10 days. So much for fast, efficient e-government!

I am still sitting here gobsmacked and wondering if I dreamed the whole thing. I think, after all, that this has to be filed as a Victor Meldrew moment.