UPDATE: It may have already happened, with maximum damage: Experts believe Trump-supporters hacked electronic votes in 2016-election
As more of our government’s data is moved online, the risk of digital intrusion grows. We need a good digital fence for our data, and although it might never be perfect, it ought to be pretty close. I hope e-voting will never happen and hopefully, after reading this blog, you will understand why. Let me tell you a story:
Altinn.no is the official platform of Norway’s financial authorities. Every year in March, in this case on the 20th of March, citizens can log in with their secure ID and see the preliminary tax result. This is extremely popular, as you can see whether you will have to pay more tax for the previous year, or whether the government owes you some money. The pressure on the servers during these first few days is quite heavy, and the infrastructure company has technical staff ready at all hours.
The first problem arose around 4pm. The servers had to be taken down temporarily but were soon back up again. Something was not quite right when they came back up: after logging in with PIN codes and birth certificate numbers, all users saw the same name and financial details, those of a man named “Kenneth”. As the phone lines glowed hot with people calling in about this, the system was taken down and a full investigation launched. It would take 64 hours until the system was back up and working. The error was public for only 17 minutes, but by then poor Kenneth and his wife’s finances were known to the land.
BIG-IP is caching software from the American company F5. It caches static pages, such as the login pages or the front page, in order to minimize network traffic. By some error, Kenneth’s personal page was treated as a standard cacheable page and was displayed when other users logged in. Hence, they would see his tax report and all communication from the government of financial interest. The quick fix was to remove the whole cache function, which resulted in slower page loading but at least gave Kenneth a break. (Zachariassen, 2012a; Zachariassen, 2012b)
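A simplified model of the failure described above, as an added example that is not taken from the original sources or from Altinn or F5: a shared cache that stores a personalised page under its URL alone serves the first visitor's data to everyone, while a cache that honours the origin's `Cache-Control` header does not. The paths, class names and user names are constructed for illustration, and the code makes no claim about the actual misconfiguration in Altinn's setup.

```python
# Simplified model of a shared cache in front of a web application.
# All names (origin, NaiveCache, SafeCache, the paths) are hypothetical.

def origin(path, user):
    """Constructed origin server: returns (headers, body) for a request."""
    if path == "/login":
        # Identical for everyone, safe to share.
        return {"Cache-Control": "public, max-age=300"}, "login form"
    if path == "/my/tax":
        # Personalised, must never be stored in a shared cache.
        return {"Cache-Control": "private, no-store"}, f"tax report for {user}"
    return {}, "not found"


class NaiveCache:
    """Stores every response under its path alone: the failure mode."""
    def __init__(self):
        self.store = {}

    def get(self, path, user):
        if path not in self.store:
            _, body = origin(path, user)
            self.store[path] = body  # the first visitor's page is kept
        return self.store[path]


class SafeCache(NaiveCache):
    """Stores a response only when the origin marks it as shareable."""
    def get(self, path, user):
        if path in self.store:
            return self.store[path]
        headers, body = origin(path, user)
        directives = {d.strip().lower()
                      for d in headers.get("Cache-Control", "").split(",")}
        if "public" in directives and not directives & {"private", "no-store"}:
            self.store[path] = body
        return body


def demo(cache):
    """Two users request their own tax page through the same cache."""
    return [cache.get("/my/tax", u) for u in ("kenneth", "other-user")]
```

With `NaiveCache` both requests return the first user's report; with `SafeCache` each user gets their own page and only `/login` is ever stored.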
This is naturally a clear breach of data privacy by a government site that you trusted. Not only that, a question that arose was: who is to pay for the overtime that all the IT personnel worked in order to fix this? Should the government pay this with taxpayers’ money, or will the company that was responsible for the error pay it? The result of this is not known, but Kenneth and his wife sued the party responsible for the web platform and were given compensation of 2150 euros.
For Altinn.no, trust has most likely been damaged. A study done after the Altinn.no incident showed that 29% had lost trust in the platform, although only 1% had lost all trust in it. (Hole, 2016, pp.66-74) The platform does, however, have a bad reputation now, and people joke about “being a Kenneth” (being a public clown, without consent!)
E-government services should tread carefully, as problems affecting only a few will quickly become publicly known, and the distrust that ensues can sabotage a whole system. (Hole, 2016, pp.66-74)
Hole, K. J. (2016) ‘Building Trust in E-Government Services’, Computer, 49 (1), pp.66-74.
Zachariassen, E. (2012a) The Altinn error is found – Tu.no (own translation from Norwegian) [Online] Available from: http://www.tu.no/artikler/altinn-feilen-er-funnet/240523 (Accessed: 12.10.2016).
Zachariassen, E. (2012b) Altinn stopped here – Tu.no (own translation from Norwegian) [Online] Available from: http://www.tu.no/artikler/her-stoppet-altinn/237360 (Accessed: 12.10.2016).
Image source: Didgeman, Pixabay. CC public domain licence. https://pixabay.com/en/barbed-wire-fence-wire-pasture-1512001/