WEDNESDAY 10 JANUARY 2007

MR ALAN COX AND MR ADAM LAURIE

  Q340  Lord Mitchell: What is an RFID?

  Mr Laurie: Radio frequency identification, so for example in your new passport if you have a passport that is issued since October it will have a chip in it and the chip contains some biometric information. At the moment it is just the photograph and the data that is printed on the inside of your passport, but in the future the plans are to also have fingerprints, iris scans, possibly a scan of your birth certificate that was used to prove your identity in the first place. This is the same technology that is going to be used in the ID card. It has already been demonstrated that those chips in the passports can be cloned, so part of the reason for putting them in the passport in the first place was to improve the security of the passport and yet here we are, they have only been deployed since October and there are already people making copies of them.

  Q341  Lord Harris of Haringey: Yes, but you would still have to be in possession of the right fingerprints when you appeared at the point of entry.

  Mr Laurie: If the passport has an image of that fingerprint in it and I can skim the passport from your pocket. The point about an ID card is that you can read the data on it without physically having it on your hand. You have to be within a couple of inches.

  Q342  Chairman: It is like an Oyster card?

  Mr Laurie: Exactly, that is RFID.

  Q343  Chairman: It is like a ski card, they have had them for years.

  Mr Laurie: Exactly.

  Q344  Lord O'Neill of Clackmannan: Can I get this right, what is the point of having any security at all if you are going to be able to rip it off at every turn? You guys are great at telling us what is wrong but you never give us any solutions because it seems that one of your other colleagues is trying to work out how to rip off the next generation. I am not associating you with them but people in your line of country. What do we do then, just give up?

  Mr Laurie: No, not at all. I think the problem is appropriate use of technologies.

  Q345  Lord Sutherland of Houndwood: On that can I ask you a) do you have a mobile phone—and you clearly do because you were scanning at Victoria Station—and b) do you have protocols that you operate yourself to ensure that this thing is not vulnerable in the way that you are scaring the wits out of us?

  Mr Laurie: Most of us in the open source security industry apply our own level of security over and above that which would be deployed in the normal systems.

  Q346  Lord Sutherland of Houndwood: Are these technical or behavioural?

  Mr Laurie: Both.

  Q347  Lord O'Neill of Clackmannan: Do they derive from paranoia? All paranoia is based to an extent on persecution of a genuine character, but is life maybe not too short?

  Mr Laurie: I think healthy paranoia is good. As I said, it is putting too much reliance on a new technology. It is fine if you treat it in the appropriate manner. If you think these chips are going to be out there for 10 years, what system have we got currently that was invented 10 years ago, was issued over a secure system and is still secure now?

  Q348  Chairman: You still have to produce your finger and put it on a fingerprint scanner. I do not agree with you.

  Mr Cox: Unfortunately, remember we said earlier you can make copies of fingerprints. The fingerprint is also on the chip. I assume the Passport Office use very high quality ones but to fool a fingerprint scanner all I end up needing to make is a small piece of plastic that fits over the end of my finger which is almost invisible.

  Mr Laurie: It all sounds very James Bond but it is actually very easily doable and demonstrably so.

  Mr Cox: You can make it with a laser printer, PVA glue and a couple of printer's tools. That is all it needs.

  Q349  Chairman: There would be ways around that would there not if you could inspect people's fingers! Let me go on to the last question and that is addressed to you Mr Laurie again because you have drawn attention in the past to the fact that discarding aeroplane boarding card stubs does contain frequent flier data which could result in identity theft. You also note in your evidence that airline websites can leak personal data to hackers. What can be done to ensure that businesses take their responsibility for the security of our personal data seriously? Should businesses such as airlines be legally liable for individual losses in such circumstances?

  Mr Laurie: I guess first of all I should say that airlines were merely a case in point here and they are no more likely to leak data than any other website that collects data. It just happened to be the case that I was looking at that particular scenario. However of course, the data that they are collecting is particularly sensitive because it is things like date of birth and passport number and so on. They already have a duty of care under the Data Protection Act to look after that data so I think we already have regulation that should be compelling them to look after it properly. The question I guess is when there is a breach and when the data is leaked how one gets to know that one's data has been leaked or what penalties there are against them if it does not end up going to court and they are being prosecuted. Potentially one of the things we could look at is the system that they have adopted in California (quite a few states have adopted it now but California was the first) which is that if a company loses personal data they have to disclose publicly that they have done so, they have to notify the person affected that their data has been lost. When I say disclosed publicly they have to inform the state press; here it would obviously be the national press. So you are using PR as a tool against them, they get bad publicity for having bad security and they are then much more likely to take the next case much more seriously.

  Q350  Chairman: Is it your opinion that we should have the same laws here?

  Mr Laurie: I think we should.

  Chairman: Thank you both very much. I don't think you have cheered us up, but you have informed us a great deal, so thank you very much, we appreciate your time.