My religious community, numbering approximately one million worldwide, has a centralised system for almost everything (both religious and non-religious). One of the non-religious centralised systems that has really irked me over the last couple of years has been the eJamaat system which is maintained by the religious administration.
The eJamaat system (update: now called ITS or Idaratut Ta’reef al Shakhsi) contains personal biodata (name, DOB, address, education, business details, levels of religious learning, blood type, family trees/relationships) of almost all community members worldwide. This system is mainly used to gather data about the community and also to perform registration for attendance of religious events or sermons. Now – the administration seeks to make entering passport information mandatory as well.
Why does it irk me? It’s not because the system is not needed or because it performs no useful functions. In reality, there is a real need for this system and it is effectively used to manage registration for events. It irks me because of the administration’s compulsion for collecting data that is not required just for the sake of collecting it. Further, there is no disclosure as to how the information is used and no information about what steps are being taken to secure our personal data. For starters, communication is unencrypted because SSL is not used to secure HTTP conversations so any data entry is inherently insecure, especially if you do so over a public wifi signal.
I am genuinely concerned that if this data was to fall into the wrong hands, it would be a treasure trove for individuals seeking to engage in identity theft. With information including full name, father’s name, mother’s name (including maiden name), DOB, passport information, photographs, address, blood type, information about health conditions, business details, educational qualifications it is frankly quite scary to imagine what could happen if this information was stolen by a third party or misused by those with access to the data. Identity theft would be the tip of the iceberg.
It would be reassuring to the community if important information was disclosed (and more importantly followed) regarding what steps are taken to secure the data, under what circumstances data will be shared with other parties, if users will be informed in the case of a data breach, and also why data like passport information is required (personally, I can’t see a legitimate reason for this).
I think it would be naive to think that feeding all this information into a black box with no accountability is a good idea and that there will never be a major breach of confidentiality. With the scope of data contained, it is quite plausible that someone could call a bank and successfully obtain account information and effect transfers, or apply for a library card by post in someone else’s name.
I hope someone can demonstrate that my concerns are unfounded, but I doubt that will happen.
For those who are interested, the Data Protection Act 1998 is the most relevant piece of legislation in the United Kingdom to this discussion (and other countries may have their own equivalents). According to the ICO, there are eight basic principles, which are to make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Not transferred to other countries without adequate protection
[Source: Personal data, Personal rights – Data Protection Act (DPA) – ICO]
The page on legal obligations imposed on data controllers is also interesting:
- Do I really need this information about an individual? Do I know what I’m going to use it for?
- Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for?
- If I’m asked to pass on personal information, would the people about whom I hold information expect me to do this?
- Am I satisfied the information is being held securely, whether it’s on paper or on computer? And what about my website? Is it secure?
- Is access to personal information limited to those with a strict need to know?
- Am I sure the personal information is accurate and up to date?
- Do I delete or destroy personal information as soon as I have no more need for it?
- Have I trained my staff in their duties and responsibilities under the Data Protection Act, and are they putting them into practice?
- Do I need to notify the Information Commissioner and if so is my notification up to date?
[Source: Personal privacy, legal obligations – Data Protection Act (DPA) – ICO]
Update 16 November 2008: I have been requested by a legal advisor to Dawat to temporarily remove this post while some issues are being worked on. Certain representations have been made which paint a positive picture of what is going on behind the scenes and if this is followed through it will be a very positive development for all eJamaat users.
For example, the site Malumaat.com requires users to register with an eJamaat number and says that if incorrect information is entered then an account is liable to deactivation. This is interesting because it means that any one of the following cases must be true:
- Malumaat is not able to access eJamaat records in which case Malumaat is purporting to collect eJamaat numbers for a purpose otherwise than what they state and users have no guarantee about the privacy of their data provided (and in any case should be wary of providing unique personal identifiers to a site which has not issued them in the first instance).
One more easy improvement that could be made is to encrypt all website transactions using SSL (preferably EV SSL). At the moment all information entered by users on the eJamaat website is not encrypted and in this day and age there is no legitimate justification for this.