Examination of Witnesses (Questions 340
WEDNESDAY 10 JANUARY 2007
Q340 Lord Mitchell:
What is an RFID?
Mr Laurie: Radio frequency identification, so
for example in your new passport if you have a passport that is
issued since October it will have a chip in it and the chip contains
some biometric information. At the moment it is just the photograph
and the data that is printed on the inside of your passport, but
in the future the plans are to also have fingerprints, iris scans,
possibly a scan of your birth certificate that was used to prove
your identity in the first place. This is the same technology
that is going to be used in the ID card. It has already been demonstrated
that those chips in the passports can be cloned, so part of the
reason for putting them in the passport in the first place was
to improve the security of the passport and yet here we are, they
have only been deployed since October and there are already people
making copies of them.
Q341 Lord Harris of Haringey:
Yes, but you would still have to be in possession of the right
fingerprints when you appeared at the point of entry.
Mr Laurie: If the passport has an image of that
fingerprint in it and I can skim the passport from your pocket.
The point about an ID card is that you can read the data on it
without physically having it in your hand. You have to be within
a couple of inches.
It is like an Oyster card?
Mr Laurie: Exactly, that is RFID.
It is like a ski card, they have had them for years.
Mr Laurie: Exactly.
Q344 Lord O'Neill of Clackmannan:
Can I get this right, what is the point of having any security
at all if you are going to be able to rip it off at every turn?
You guys are great at telling us what is wrong but you never give
us any solutions because it seems that one of your other colleagues
is trying to work out how to rip off the next generation. I am
not associating you with them but people in your line of country.
What do we do then, just give up?
Mr Laurie: No, not at all. I think the problem
is appropriate use of technologies.
Q345 Lord Sutherland of Houndwood:
On that can I ask you a) do you have a mobile phone (and
you clearly do because you were scanning at Victoria Station) and
b) do you have protocols that you operate yourself to ensure that
this thing is not vulnerable in the way that you are scaring the
wits out of us?
Mr Laurie: Most of us in the open source security
industry apply our own level of security over and above that which
would be deployed in the normal systems.
Q346 Lord Sutherland of Houndwood:
Are these technical or behavioural?
Mr Laurie: Both.
Q347 Lord O'Neill of Clackmannan:
Do they derive from paranoia? All paranoia is based to an extent
on persecution of a genuine character, but is life maybe not too
Mr Laurie: I think healthy paranoia is good.
As I said, it is putting too much reliance on a new technology.
It is fine if you treat it in the appropriate manner. If you think
these chips are going to be out there for 10 years, what system
have we got currently that was invented 10 years ago, was issued
over a secure system and is still secure now?
You still have to produce your finger and put it on a fingerprint
scanner. I do not agree with you.
Mr Cox: Unfortunately, remember we said earlier
you can make copies of fingerprints. The fingerprint is also on
the chip. I assume the Passport Office use very high quality ones
but to fool a fingerprint scanner all I end up needing to make
is a small piece of plastic that fits over the end of my finger
which is almost invisible.
Mr Laurie: It all sounds very James Bond but
it is actually very easily doable and demonstrably so.
Mr Cox: You can make it with a laser printer,
PVA glue and a couple of printer's tools. That is all it needs.
There would be ways around that, would there not, if you could inspect
people's fingers! Let me go on to the last question and that is
addressed to you, Mr Laurie, again because you have drawn attention
in the past to the fact that discarded aeroplane boarding card
stubs do contain frequent flyer data which could result in identity
theft. You also note in your evidence that airline websites can
leak personal data to hackers. What can be done to ensure that
businesses take their responsibility for the security of our personal
data seriously? Should businesses such as airlines be legally
liable for individual losses in such circumstances?
Mr Laurie: I guess first of all I should say
that airlines were merely a case in point here and they are no
more likely to leak data than any other website that collects
data. It just happened to be the case that I was looking at that
particular scenario. However of course, the data that they are
collecting is particularly sensitive because it is things like
date of birth and passport number and so on. They already have
a duty of care under the Data Protection Act to look after that
data so I think we already have regulation that should be compelling
them to look after it properly. The question I guess is when there
is a breach and when the data is leaked how one gets to know that
one's data has been leaked or what penalties there are against
them if it does not end up going to court and they are being prosecuted.
Potentially one of the things we could look at is the system that
they have adopted in California (quite a few states have adopted
it now but California was the first) which is that if a company
loses personal data they have to disclose publicly that they have
done so, they have to notify the person affected that their data
has been lost. When I say disclosed publicly they have to inform
the state press; here it would obviously be the national press.
So you are using PR as a tool against them, they get bad publicity
for having bad security and they are then much more likely to
take the next case much more seriously.
Is it your opinion that we should have the same laws here?
Mr Laurie: I think we should.
Chairman: Thank you both very much. I
don't think you have cheered us up, but you have informed us a
great deal, so thank you very much, we appreciate your time.