The Irish government closed its genealogy website on Friday after Billy Hawkes, the Data Protection Commissioner, said that the availability of citizens’ data on the site presented “obvious risks”, including the potential for identity theft.
The site – IrishGenealogy.ie – created by the Department of Arts, Heritage and the Gaeltacht, gave people who had been either born or married in Ireland the opportunity to search for civil records, such as birth certificates, in order to aid their investigations of their ancestry.
Unfortunately, and perhaps far too obviously, those same records contain a huge pile of passwords under the guise of mothers’ maiden names and dates of birth (sarcasm intended).
[Dr Jessica Barker: “There are different classes of social norms and my talk explained the pitfalls of descriptive norms. If you only use descriptions to explain a problem / solution then people tend to average out their behaviour to match those being described. So if we tell users that most people use their mother’s maiden name as their password, it will have a good effect on those people using their own surname (as they will likely start using their mother’s maiden name!) but research suggests it will lower the behaviour of everyone else.”]
Such data isn’t defined as being sensitive under Irish data protection legislation, despite the fact that far too many people use it either as a password or as the answer to the all-too-common security questions we see all across the web today. Nonetheless, Mr Hawkes stepped in, saying that:
“I assume it comes under the heading of ‘cock-up’ because anyone with a moment’s thought would have seen this.
Obviously nobody thought about this and it’s a particularly shocking example, frankly, of the public service falling down on the job.”
Hawkes explained that his office had been consulted about the civil records search facility in advance of its Thursday launch but was under the impression that the information available would be historical and solely in reference to people who were already dead.
Hawkes said that it was a “total shock” to discover that the site actually offered “live information” which, he said, could have made it a “treasure trove for people of evil intent.”
The ability to access the information offered by IrishGenealogy.ie is nothing new as it has always been available to the public, though a fee had always been required in order to access an individual record. The problem in this instance was the fact that bulk searches could be performed without cost, which is obviously an appealing proposition for would-be identity thieves, as well as some potential employers who may wish to find answers to questions they are not permitted to ask under Irish employment law.
The search function, which is still unavailable, simply notes that a “further update will be provided.”