What about the Children?

July 29th, 2007

The visa applications of more than 100,000 people applying to enter the UK were left unprotected and open to manipulation, according to an official report into one of the biggest privacy breaches in recent history.

There are so many things we could do with this article, the first one being substitution for ContactPoint. But I think you get the message.

There are fears that some of the applications may have been doctored to allow terrorists and criminals to enter the UK. GCHQ, the government intelligence agency charged with tracing the applications, is finding it difficult to investigate the claims because of poor quality records.

This is bullshit. There are already enough ‘terrorists’ in the UK by their own reckoning they do not have to enter here by stealth to cause havoc. This logic is completely flawed. It could also have been used to get people in here who simply want to go to the pub.

Last night, politicians described the security failure as ‘shocking’ and said it fatally undermined the government’s claims that electronic ID systems could protect the UK from the heightened terrorist threat.

And yet these are the same people who voted for ID cards, and ContactPoint. THAT is what is shocking.

The findings of the three-month independent investigation into serious breaches of the the visa application process – focusing on system abuses in India, Nigeria and Russia – were slipped out on the last day of Parliament in an apparent attempt to bury bad news.

They always do this.

Its conclusions raise disturbing questions about Britain’s ability to police its borders.


What it DOES raise questions about, questions that you do not have the intelligence to pose, is how are they going to police ContactPoint and the proposed NIR if they cannot protect the integrity of a mere 100,000 Visa applications.

Once again, it is astonishing that they are not using cryptography to solve these problems. It is astonishing that the Visa system is so badly designed. It is astonishing that they are using contractors to do this job when it should be done ‘in house’ by civil servants.

The report focuses on a private company, VFS, contracted by the Home Office and the Foreign and Commonwealth Office to process the online visa applications of Indians wanting to visit Britain. It later won similar contracts in Russia and Nigera.

This is too important, hysteria over immigration and false fear over ‘terrorism’ or not, to be in the hands of a private contractor.

But in 2005 it became apparent that the system was chronically flawed. An applicant informed VFS and UK Visas, the government agency in charge of visa processing, that he was able to obtain confidential information – including passport numbers, criminal convictions, ethnic origin and travel details – about other users of the service. He also showed how he could amend other people’s visa applications online. But despite the warning, the system wasn’t shut down until May 2007.

This is very interesting.

When they say ‘an applicant’ they mean a Nigerian or an Indian or a Russian volunteered this information. I guess all the people trying to get Visas for the UK are not all bad after all!

What this bad article also does not say is that ContactPoint is going to be delivered online also, and that this means that people are going to get in there from anywhere also, and the records of children are going to be accessed.

These Guardian articles routinely fail to connect the dots and make the connections. They really do fail it over and over again.

The official report into the security lapse concludes that the government’s National Infrastructure Security Coordination Centre – the former body charged with evaluating the security of IT projects – would have not approved the scheme if it had been asked.

This is irrelevant. The system of issuing Visas can be made infallible and secure and much more simple than it is now. If you have ever seen the absurd spectacle of Immigration officers with loupes inspecting Visas for forgeries at Heathrow you know what I am talking about.

This is how you might do it.

Firstly, Visas must be issued correctly. They must be issued with all the checks that they have been using historically to good effect.

Then, when the Visa is issued the visa number and an image of the Visa and its ‘owner’ are hashed together with GPG an this package is put on an immigration server that is accessible over the internets. When the person who has the visa arrives at Heathrow, all the operator has to do is check that the visa on the system is the one stuck in the passport. He checks to see if the entry has been tampered by checking the signature on the file. If someone got in there and swapped information or altered it, the signature will fail. This means that even if someone gets into the system, they cannot change entries because changing them breaks them; they become tamper proof.

After this, you will never again see people inspecting Visas for forgeries because they will be impossible to make. The only forged Visas in the system will be the ones put there by the ‘security services’…but that is another story.

This is a similar process to the Meau2 named ISLAND decentralized passport authentication system. It is inexpensive, fool proof (even when it is being operated by fools) and can be done right now.

The report notes that FCO IT security advisers were not asked their opinion about the project and that no third party tests were carried out on the system. The Conservative shadow Foreign Office Minister, David Lidington, said he feared the system may have been exploited by terrorists and criminals.



David Liddington is clearly a moron.

One Response to “What about the Children?”

  1. BLOGDIAL » Blog Archive » Incomplete excision! Says:

    […] What about the Children? […]

Leave a Reply

You must be logged in to post a comment.