Technology Exploration Project – M591
Benefiting from new advancements
Given how much more complex people’s lives are today than in the past, it is no surprise that identification systems have developed as they have. The developments take shape in many different ways, but above all with the objective of making people’s lives easier and more orderly, with due respect for everyone’s beliefs and rights. This paper will look at two organisations, the Police Authority and the Citizens Advice Bureau (CAB). Its goal is to discuss the authentication systems of both organisations and how they compare. Both organisations are at the very heart of the law, so a certain level of security in how they handle information is very much in the public’s interest. Input from representatives of both organisations is included to show first-hand experience of how information is dealt with day to day.
Before exploring the systems used within each organisation we need to clarify the terms surrounding the role of authentication and authorisation systems and how they correspond to the information collated within the information systems of the chosen industries. As the paper will also be investigating the effects of the identification systems, it is necessary to clarify the meanings of the processes involved. Authentication is about obtaining the level of confidence in a claim (Kent, Stephen T, 2003, Who Goes There?: Authentication Through the Lens of Privacy). The claim can vary from one situation to another; it could be a claim to resources when logging in to a computer system to use a company network, or something like a university account. This then leads to authentication, which is the process of establishing confidence in the truth of some claim. The data that the police authority and the CAB collect from clients, suspects or other individuals will be referred to as identifiers, attributes or authenticators. Each organisation clearly has its own means of system authorisation, further detail of which will be revealed through the paper. An identifier points to an individual or entity being identified; this could be a person’s name or National Insurance number. An attribute is a property associated with an individual; this may be such things as height, employer or university. Where individuals have to show further proof when making a claim of some type, this is referred to as an authenticator. This is evidence that is presented to support the authentication of a claim, which increases confidence in the truth of the claim (Kent, Stephen T, 2003, Who Goes There?: Authentication Through the Lens of Privacy).
Citizens Advice Bureau
The Citizens Advice Bureau is a registered charity, which was originally set up by the government in 1939. It was set up to offer freely available advice in community areas to those without the financial means to afford a private solicitor. Advice ranges from debt advice to divorce proceedings. Cases range from simple to complicated, but because of the information that is exchanged and the laws on keeping such information private and confidential, it is necessary to avoid revealing personal information to unwanted parties. This is where security comes in as the primary reason for deploying authentication systems. With the CAB working in this field and dealing with people’s personal data, security plays a role in ensuring the privacy of the information held on the bureau’s computer systems about each client that visits. With this in mind the paper will look at the information the CAB collects from every client that visits the bureau, looking closely at the attributes used to identify individuals and how these are incorporated in the authentication system used at the CAB.
Due to the nature of the work at the bureau, verification of identity on the first visit is not always necessary, seeing as you would not be calling on their services unless needed. Identification such as proof of eligibility to stay in the country or immigration status is not necessary, nor is it asked for. This is because, as a charity, they would like to appear not to discriminate against anybody on any grounds. Such details are asked for only when deemed necessary in order to help the client with a case that requires that sort of information. When a client or individual visits the CAB office, the representative collects various identifiers as well as attributes and, if necessary, an authenticator. An authenticator would be something like proof of address; this can be a home address or work address, as you will only be seen at a specific CAB office if you fall within the same borough as the one where the CAB is located. Data collected includes the name, home address, date of birth, telephone number and reasons for the visit. This information is all collected and stored in an electronic cabinet called CASE. CASE is a new system that enables Citizens Advice Bureaux to record client details quickly in an electronic ‘filing cabinet’ and retrieve them instantly throughout the Citizens Advice service (Citizens Advice Bureau, 2007, The Role of the CASE). CASE is protected by strong electronic and physical security measures to ensure that no one outside the CAB service gains access to it. The representative, who preferred not to be named, stated that the representatives at the bureau are all sworn to secrecy due to the sensitivity of the information they handle on a daily basis. With the system expected to be secure and to allow as much information as possible to be taken about the client, the representative said: “When we get a client, and once all their information is inputted into the system, the system generates a unique identifier”.
For security reasons and to protect the client, this number is never given to the clients. If it were used as an authenticator, anyone with the details could possibly call in, in an attempt to gather more information about the case the client had visited for. For this very reason the CAB also does not send letters to clients’ addresses, to ensure privacy and confidentiality. With the cases they deal with, if a client was seeking advice about, say, an abusive partner, sending a letter to the home address regarding a visit would compromise the client’s safety should the abusive partner find such information. These are just some of the measures or safeguards put in place to ensure the security of clients visiting the bureau. Security refers to the collection of safeguards that ensure the confidentiality of information, protect the integrity of the information system and protect the system and/or network used to process information (Kent, Stephen T, 2003, Who Goes There?: Authentication Through the Lens of Privacy). In order to be able to offer appropriate advice, or should a referral be necessary, it is therefore imperative that the data taken down about the client is accurate. When asked about authentication when clients visit again, the representative replied: “When a client comes back to the bureau, their name is taken and then when their details are brought up on the screen they are asked about their previous visit. This is because the computer-generated number is not given to them so we need to ask further questions to make sure that the details on the screen relate to the right person”. This acts as an authentication process, with the correct answers acting as authenticators. The system also aids in monitoring visitors, ensuring that suspicious individuals are identified and that further discussion of a particular case does not continue with the wrong person.
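The return-visit check described above can be sketched in code. This is an added example, not the CAB’s software or part of the original paper; the `CaseStore` class, its field names and the lockout threshold are hypothetical, and the client data is constructed. It shows the name acting as a non-unique identifier, facts about the previous visit acting as authenticators, and the system-generated number staying on the advisor’s side.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold, not a figure from the CAB


def _norm(text: str) -> bytes:
    """Case- and whitespace-insensitive form used when comparing answers."""
    return " ".join(text.lower().split()).encode()


@dataclass
class ClientRecord:
    case_id: str          # system-generated identifier; never shown to the client
    name: str             # identifier (several clients may share it)
    date_of_birth: str    # attribute
    previous_visit: dict  # facts about the last visit, used as authenticators
    failed_attempts: int = 0


class CaseStore:
    """Hypothetical stand-in for a client record system such as CASE."""

    def __init__(self):
        self._records = []
        self.audit_log = []  # (event, claimed name) pairs; never holds answers

    def register(self, name, date_of_birth, previous_visit):
        record = ClientRecord(secrets.token_hex(8), name, date_of_birth,
                              dict(previous_visit))
        self._records.append(record)
        return record  # handed to advisor-side code only

    def _answers_match(self, record, answers):
        # Every stored fact must be answered; an empty fact list never matches.
        ok = bool(record.previous_visit)
        for question, expected in record.previous_visit.items():
            given = answers.get(question, "")
            ok &= hmac.compare_digest(_norm(given), _norm(expected))
        return ok

    def verify_returning_client(self, name, answers):
        """Return the one record the answers support, or None."""
        live = [r for r in self._records
                if _norm(r.name) == _norm(name)
                and r.failed_attempts < MAX_FAILED_ATTEMPTS]
        matches = [r for r in live if self._answers_match(r, answers)]
        if len(matches) == 1:
            matches[0].failed_attempts = 0
            self.audit_log.append(("verified", name))
            return matches[0]
        if not matches:
            for record in live:  # count the failure against each namesake
                record.failed_attempts += 1
        # Unknown name, wrong answers, lockout and ambiguity all look the same,
        # so a caller cannot learn whether a person has ever visited.
        self.audit_log.append(("rejected", name))
        return None


if __name__ == "__main__":
    store = CaseStore()  # constructed sample clients, not real data
    store.register("Sam Taylor", "1980-02-01",
                   {"reason": "Debt advice", "month": "March"})
    store.register("Sam Taylor", "1975-07-09",
                   {"reason": "Housing", "month": "June"})
    found = store.verify_returning_client(
        "sam taylor", {"reason": "housing", "month": "june"})
    print("verified" if found else "not verified")
```
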
Police Authority
The police, just like the CAB, deal with many different types of cases, ranging from fraud to murder. The police authority’s objective is to keep peace and order and, in doing so, to help a community rid itself of those committing crime and those doing, or likely to bring, harm to society. Rather than going into too much detail about the role the police play in solving crimes, what will be considered here are the details the police take about individuals when they are booked or arrested. The focus is on what happens to these details once they are in the hands of the police, and how the police authenticate the data collected about individuals, whether taken in as a victim or a criminal.
When an individual has been booked the police take down their name, date of birth, address and reason for arrest, a fingerprint and a DNA sample through swabbing of the mouth, and they may also be photographed. These identifiers are taken down whether or not the individual is officially arrested and sent off with a caution. The details remain on file and can be used to compare with evidence found at a future crime scene. So does this mean people lose the right to privacy in keeping their information confidential? There is no right or wrong answer to that question when it comes to this organisation. Confidentiality is kept in that your information will not be available to the public, but it is still available to any sector connected to the police force agencies and may be used by any means to solve crimes without compromising your human rights. An individual’s details are added to various databases, which may include the criminal record database and eGallery Facial Imaging software Packages (Hampshire Police, 2005, E-Gallery Facial Imaging), which enable the captured image (at a crime scene or when being booked), written description or e-fit to be digitally compared with suspects who have been photographed in custody by means of the Prison Management System (PMS).
With the many identifiers and attributes taken down by the police, there is no doubt that they have to be authenticated through the use of identification, and this can be done in several ways. These methods can range from having another human witness confirm the identity of a suspect or a victim, and under certain circumstances this may be the only way to verify an ID. Human witnesses can, of course, authenticate other individuals; this requires establishing the authority and veracity of the witness (Kent, Stephen T, 2003, Who Goes There?: Authentication Through the Lens of Privacy). With the police being aware of the vast number of fake identity cards available at a price, when verifying someone’s identity it is fairly common to accept only government-issued identity documents such as birth certificates, as these can be relied upon a lot more than credit cards or cards issued by an employer. Also, if the individual refuses to verify their own identity, the police can then take their fingerprint and check it against their own database. This can be viewed as the “something you are” class of authentication, as it is based on biometrics. This applies if you are not in possession of a driving licence or something like an NI card, which are both based on the “something you have” class of authentication, as each is a form of physical token that is presumed to be hard to forge or alter (Kent, Stephen T, 2003, Who Goes There?: Authentication Through the Lens of Privacy). Previously the police would have discarded any information about an individual who was not arrested, was acquitted or had charges dropped. With the changes in the law the police now have more power to hold information about an individual, whether victim or criminal: once you commit a crime or are involved in any incident, your details will remain on the system.
This is due to the Police and Criminal Evidence Act 1984 (PACE), under which the police have wide powers to take photographs, fingerprints and body samples of persons without their consent where they have been charged with, or convicted of, a recordable offence. These powers have been considerably extended by amendments contained in the Criminal Justice Act 2003. Under the new powers (Your Rights, 2004, Fingerprints and photos), the police may also take fingerprints and body samples without consent where a person has been detained in consequence of an arrest for a recordable offence.
Similarities and differences
Both organisations deal with attacks and threats from many angles and in turn have countermeasures in place. Both have networks with set permissions to resources through the use of login accounts and passwords. This is part of a system for accounting for users’ actions, and in particular it acts as an audit trail for all work carried out using the system, for integrity purposes. It can be argued, though, that login details and a correct password do not prove that the person assigned that network account was actually the one logging on to the system at a particular time. So apart from setting up user accounts, both organisations must endeavour to make sure that those using network computers have the right to do so, or should even be on the employee side of the offices. This is to avoid creating an opportunity for anyone in possession of stolen or lost network account details to look at confidential information. As for the right to privacy, one can argue whether or not people still have it, although one can claim it as part of one’s human rights. In the case of the CAB, should an individual even confess to a crime, or to the likelihood of committing one, they are not in a position to call the police, said the CAB representative: “In order for us to call the police authorisation would have to be sought from the Scotland headquarters”. The same applies to the police: they are out of bounds when it comes to entering any CAB office, and to do so would need authorisation and at times a court order. This may ensure that people feel free to visit the CAB offices without fear that the police would be on to them with regard to the problems they are seeking advice for, but in turn it means the CAB cannot reveal information or call the police even if a client has just confessed to murder. Is this the price we pay as a society in order to preserve confidentiality?
When a member of the police was asked to comment about this, she said: “I cannot really comment too much about that but if a crime is not reported then we won’t know about it and in terms of the CAB their offices and any information we may need from, due to the nature of the line of work they are in, we need various authorisations and court orders in order to get information on a particular individual if those details are held with the bureau.”
Under the Human Rights Act the CAB have to abide by a client and solicitor type of relationship, in that revealing any details about anyone that visits would be a breach of confidence, which is covered by the part of the Human Rights Act protecting confidential information (Your Rights, 2004, Confidential Information). This is where part of the Human Rights Act conflicts with the new powers of the police under this law and under the Anti-terrorism, Crime and Security Act 2001, and where, in the UK, the Regulation of Investigatory Powers (RIP) Act of 2000 allows a limited group of government authorities to demand private information about people's Internet and mobile phone habits from the companies that provide connections (BBC, n.d, Article 12: Right to privacy in home, family and correspondence). With the laws changing this way, privacy is slowly becoming a thing of the past, and some may also argue that we may soon become a police state, as the laws change to allow information we consider to be confidential and private to be freely available should the police feel the need to possess it.
Who is held accountable?
So can the two organisations be held accountable in relation to the topics discussed in this paper, in terms of authentication of identification? Accountability is the ability to associate a consequence with a past action of an individual (Kent, Stephen T, 2003, Who Goes There?: Authentication Through the Lens of Privacy). Both organisations are accountable for their actions and for how they provide a service to the public, as both have systems in place that provide an audit trail should an investigation be required if an individual’s rights were abused. In the case of the police authority this may take the form of wrongly accusing an individual, where authentication methods wrongly identified them as a suspect or criminal; in both the police and CAB services it may be that an individual was harmed or put at risk due to a leak of confidential information that could lead to someone harming a person who sought help from the police or the CAB. With both being at the very heart of the law, mistakes do happen, but if an individual can prove wrongdoing on an organisation’s part they can be held accountable. Ann Rutter, a police officer, said: “although the public may see it as a breach of confidentiality about their information being shared with other agencies, the police are within their rights to do so as these agencies do come within the same departments of the police force.” The representative at the bureau said: “Under no circumstances do clients’ details leave the CAB’s CASE network system unless a trained representative is escorting a client to a tribunal with their case file, otherwise if a representative is found to be sharing confidential information which may compromise privacy they may be up for a disciplinary or even dismissal.”
Historical context and potential effects
Both organisations are constantly changing, and the police force, formed in 1829 (Metropolitan Police, n.d, Time Line 1829-1849), has come a long way. The police have changed in many ways and have moved on from the previous paper-based methods of recording information about the incidents they encountered. This has been due to technological advances, which aid quicker investigation of crimes and make information easily accessible across the board to various departments. With technology helping in so many ways to make the job of investigation easier, the police have also helped bring about change in identification and authentication methods, through bids to have laws changed that allow them to retain information, or to help pass laws that create identity-specific methods that can be uniquely linked to an individual. This can all be attributed to the claim that the police are working in the interest of the public, as in to serve and protect. Although as a unit they are always changing, there is still a paper trail when it comes to police officers detailing incidents when out on the streets. This looks set to change from 2008 as the National Policing Improvement Agency (NPIA) investigates the possibility of using Airwave - the police radio system - to gather information on an officer's daily activities, which they claim will eliminate the need to fill out paper forms (PC Pro, 2007, Police Computer Systems Slammed), and which may also aid in loss of confidential information. In the case of the CAB, the change came with the introduction of the CASE system, which they have claimed was introduced to reduce the paper trail, to provide easier access to information about their clients and to allow their representatives to have the information ready in one place so they can provide a quicker service.
The system in place has been shown to be used in many ways, but most noticeably, should a client choose to go to another bureau, they would not have to explain their problems twice: they would only need to be authenticated through questioning by an advisor, and their details would be available on screen through a centralised network system.
The potential effects of the data collected by the police mean that, should the information held about you match the evidence found at an incident scene, you would be located and brought in for questioning. Citizens Advice co-ordinates social policy, media and publicity, and is involved in the process of policy making (Citizens Advice Bureau, 2007, CAB History). Although collected data about clients is stored on their system, when it comes to the potential effects of its collection, the information is only used in order to help government change policy to better serve the public. An example of this would be when the CAB helped put in place the new tenant deposit protection scheme. This came about when the CAB noticed an increase in disputes over rent deposits. When information about clients is used in this way, it is not anything specific about an individual but about the public as a whole, in light of the problem trends coming to light.
System fit for purpose
Both organisations have proved to put the public first, but how do their chosen systems affect the public’s privacy? With the police appearing to go by the “if you are innocent then you should have nothing to hide” type of principle, one can possibly come to the conclusion that privacy, when it comes to law enforcement, is vanishing. This raises the question of whether, should the slightest suspicion about you arise, all information about you would be revealed as long as your “human rights” are not trampled on. With personal identification being authenticated by both, it is said that authentication is the first step in authorization (Kent, Stephen T, 2003, Who Goes There?: Authentication Through the Lens of Privacy). For the CAB, this process happens when it needs to evaluate whether a person is entitled to benefits, by checking whether they are allowed certain benefits; in the case of the police it can come about when an individual seeks police advice before taking the law “in their own hands”. The police have also recently been criticised with regard to the computer system they have in place. “It remains frustrating how much 'double-keying' still goes on in forces, whose multiple systems still do not interact effectively within one force area, let alone between different forces.” (PC Pro, 2007, Police Computer Systems Slammed). This interactivity problem with other enforcement agencies, together with their radio system, may be prone to eavesdropping, in which privacy may be lost for both the police and those whose information is being exchanged, as the current system seems to have problems in collating data so that it is centralised between agencies.
Who benefits from all of this?
For the most part the public benefits from the identification methods used by both organisations. The CAB chooses to limit the information it requires and only takes down what is considered necessary, so the individual can feel more in control of the amount of information the CAB has about them. They do not have to give information they do not feel the need to disclose, unless it may affect the level of help they receive with their query. From observation, this is put in place so as not to deter people from feeling welcome to visit the bureau for advice. Where the police are concerned, even though the public benefits in that crimes may be solved more quickly because information about all of us will soon be on their databases, it still worries some how much information the police will have on an individual, whether innocent or guilty. Also, where does it end: is there a limit to the information they can hold about you and how it may be used? With laws changing to address current social issues, the Human Rights Act may appear to be getting shorter as the police’s powers are accommodated to address the public issues of today. Although we may have the right to access personal information held by organisations via the Data Protection Act 1998 (Metropolitan Police, n.d, Requesting access to personal information), this still does not stop certain organisations retaining information about us, and it leaves open whether the methods involved in authenticating the information held actually prove it to be true. Both the CAB and the police are similar in that they take the same basic identifiers and attributes before getting into more detail about an individual case. In conclusion, although the two industries chosen are different and yet so similar in many ways, it is still clear that we may feel that we have control over the information we provide to the CAB and not so much with the police.
There are still methods of verifying the details provided to both organisations that are hidden, and it is this that keeps people feeling anxious about the possible loss of privacy in the process of authentication, whether through information being processed on an external server or through information exchange with another organisation in order to verify or authenticate the details presented to them.
Reference list
1. BBC. (2007). Article 12: Right to privacy in home, family and correspondence [Electronic version]. Retrieved October 19th, 2007, from
http://www.bbc.co.uk/worldservice/people/features/ihavearightto/four_b/casestudy_art12.shtml
2. Citizens Advice Bureau. (2007). CAB history [Electronic version]. Retrieved October 19th, 2007, from
http://www.citizensadvice.org.uk/index/aboutus/factsheets/ourhistory.htm
3. Citizens Advice Bureau. (2007). The role of CASE. [Electronic version]. Retrieved October 19th, 2007, from
http://www.citizensadvice.org.uk/index/aboutus/citizensconnect/case.htm
4. Hampshire Police. (2005). 25102 Procedure E-Gallery Facial Imaging [Electronic version]. Retrieved October 19th, 2007, from
http://www.hampshire.police.uk/NR/rdonlyres/4048DFF4-932D-4BF6-A9B5-8BF212C32FC2/0/25102.pdf
5. Kent, Stephen T. (2003). Who Goes There?: Authentication Through the Lens of Privacy. [Electronic version]. Retrieved October 19th, 2007, from
http://site.ebrary.com/lib/portsmouth/Doc?id=10046903&ppg;
6. Metropolitan Police. (n.d). Requesting access to personal information [Electronic version]. Retrieved October 19th, 2007, from
http://www.met.police.uk/information/
7. Metropolitan Police. (n.d). Time Line 1829 - 1849 [Electronic version]. Retrieved October 19th, 2007, from
http://www.met.police.uk/history/timeline1829-1849.htm
8. PC Pro. (2007). Police computer systems slammed [Electronic version]. Retrieved October 19th, 2007, from
http://www.pcpro.co.uk/news/124847/police-computer-systems-slammed.html
9. Your Rights. (2004). Confidential information [Electronic version]. Retrieved October 19th, 2007, from
http://www.yourrights.org.uk/your-rights/chapters/privacy/confidential-information/confidential-information.shtml
10. Your Rights (2004). Fingerprints and Photos [Electronic version]. Retrieved October 19th, 2007, from
http://www.yourrights.org.uk/your-rights/chapters/privacy/fingerprints-and-photos/fingerprints-and-photos.shtml