
Have your say at computerweekly.com
On the view that ID cards are a waste of money
In response to an interview with security expert Bruce Schneier
in which he said UK plans for biometric ID cards could do more harm
than good (Computer Weekly, 8 March)
Bruce Schneier is way off base with his comments. He obviously does
not understand the true problems facing governments around the
world.
However, on the subject of UK "biometric registration of citizenry"
I think it is a very good idea, as long as it is controlled with a
system of privacy checks and balances. In the US you will soon see
all 50 states enact protection laws covering collected individual
biometric information. Texas, New Jersey and New York have already
passed laws.
Schneier does not seem to realise just how vulnerable the current
worldwide electronic "number" database systems are to fraud and
theft. He sounds like someone that would have kept the common door
lock from being used centuries ago because a thief could break in
through a window.
Darrell E Smith, Biometric homeland security specialist, US
Bruce Schneier makes an interesting point with his conclusion that
the only way to solve fraud is to make it the banks' problem.
Here in the UK the banks have very cleverly moved the problem to
the merchants with the introduction of chip and Pin technology
under the pretence that somehow this is going to help prevent a
wide range of fraudulent practices.
It seems to me that the likelihood of the banks taking back
responsibility for the £1.4m daily losses in credit card fraud is
about the same as ID cards solving illegal immigration -
zero.
Clearly eradicating identity theft and the associated fraud cannot
and should not be left to just one side or the other and the answer
lies in a concerted, joined-up approach involving banks,
individuals and the IT security industry working together and
seriously addressing the weaknesses in the system.
Stephen Meredith, Swivel Secure
Bruce Schneier comes out with the standard liberal cry of,
"Governments are looking for measures that increase control. It is
being sold as security but it is really control." Like all others
who make this claim he brings no supporting evidence. This is not
surprising as there is none. Any advanced technology can be misused
by any government. This is not the same as it actually being
misused.
Schneier's remarks about US airport security are similarly flawed.
I would far prefer to go through the security procedures than be
blown up in the interests of protecting this mythical privacy he is
so concerned about.
He then makes the statement that, "ID theft will only be solved
when the banks are given the responsibility to prevent it."
However, many credit cards - and virtually all chip and Pin
replacement cards - are sent out pre-activated because it is too
expensive to handle millions of customers calling in to activate
their cards.
Incidentally, who dreamt up the nonsense of chip & Pin? It is
not used for "absent" transactions, such as over the phone or
internet. And many people change all their Pin numbers to the same
one. Once somebody knows that, they can use the cards with impunity
and without the risk of a bright assistant realising they are
forging a signature.
Roger Tilbury, Tilbury Computer Consultancy, Worthing
On the amount spam costs UK businesses
In response to research which calculated that junk e-mail costs
UK businesses £1.3bn, or £22 per user, a year (Computer Weekly, 8
March)
So spam is costing UK businesses the equivalent of £22 per user per
year, and putting in a server-based anti-spam product costs £69 per
user per year. Sounds like a pretty lousy return on investment to
me.
John Richards, University of Bristol
All grist to the mill for improved policing
Interest by police forces in England and Wales in adopting Scottish
police intelligence technology (Computer Weekly, 8 March) does not
raise questions about the provision of a national police
intelligence capability.
The Police IT Organisation's work with the police service to
deliver a national intelligence capability under Programme Impact
is not compromised by forces' interest in Scottish technology. Both
approaches are complementary and any effort by forces to explore
local methods of intelligence sharing will feed into the national
programme.
Programme Impact will deliver improved information sharing to
forces incrementally. Pito is already piloting the National Nominal
Index - technology that flags up locally-held police information on
individuals, and we intend to start rolling this out from April to
child abuse intelligence units.
Stephen Dines, head of intelligence business process, Police IT Organisation
Recognise the limits of your safety net
The news that Chevron Texaco has implemented smartcard access to
its IT systems (Computer Weekly, 22 February) is one step towards
the impossible ideal of a totally secure system. However,
smartcards are not the final answer, but only part of the solution.
True security can never be attained due to the most important
variable in the equation - people.
Although passwords, smartcards and biometrics are all excellent
ways to secure systems, they do not take account of the nefarious
individual. What would happen if one of these cards fell into the
hands of a fraudster? What if an employee needs a replacement card
for one they lost; do they get given default access to the entire
infrastructure? What happens when an employee abuses access
rights?
We must not be lulled into a false sense of security and use
technology as a safety blanket against the cruelties of the real
world.
Peter Dorrington, head of fraud solutions, SAS UK and Ireland
Workforce is facing 'password panic'
It astounds me that we still allow the mismanagement of passwords
by employees (Computer Weekly, 22 February). You would not buy a
sports car and then leave the keys in the ignition, so why do
businesses tolerate this digital apathy to such an extent?
From recent research, almost 50% of us now have up to 10 passwords
to remember. Inevitably, 50% of workers either write down their
passwords, or forget them, costing business more than £20 each time
they have to reset an individual code.
A password is worthless as soon as it is on paper, so apathy in
terms of keeping them secret is unacceptable. However, long,
complex passwords for multiple systems are just as pointless if
people cannot remember them.
Companies must act now to address this password panic and retain
high levels of security without giving their staff a headache.
Businesses are taking a reactive approach when what is needed is a
radical rethink of the process.
Gary Clark, vice-president, SafeNet
National Projects can still get local promotion
Socitm is right to raise concerns about the end of central control
of the National Projects (Computer Weekly, 1 March). However, local
authorities have a wealth of support available to them to ensure
long-term success for the initiatives.
Both Socitm and the projects' private sector partners can offer
expert guidance on how to make the most of project outcomes, and
more importantly, how to communicate the results of the projects to
the citizen. We know that more than 50% of adults are prepared to
use online services but do not know what is on offer from their
local authority.
This lack of education needs to be addressed now, before control is
handed over. A united front needs to be shown to the wider public
to ensure their buy-in. If the government appears jittery over the
future of the projects, the whole initiative will fail.
Geoff Neville, group managing director, Sx3
When it comes to truth we are on our own
I would welcome the backing of the Conservative Party for an audit
of the national programme for IT in the NHS (Computer Weekly, 8
March) if I thought there was any substance to it. Time and time
again we see the opposition promising more openness during the
election campaign but failing to deliver once it has been
elected.
Openness suits the opposition but secrecy suits government better.
The recent spate of data destruction in Whitehall is testimony to
their need to conceal the facts; information made public is
occasionally interesting but never relevant to any recent or extant
issue.
In short, the government will tell us and the opposition only what
it wants us to know. We have to work out the truth for
ourselves.
Mark Steele, Northolt
Was Swanwick project really a success?
In your call for an audit of the national programme for IT in the
NHS (Computer Weekly, 8 March), you said that an audit helped to
make the troubled Swanwick air traffic control centre project a
success.
Swanwick was intended to be a completely new en-route air traffic
control centre for England and Wales, replacing West Drayton,
offering a 40% increase in air traffic capacity. It currently only
covers upper airspace and some of its sectors are now handled by
the Scottish centre.
Some of Swanwick's functionality, as revealed by the November 2002
incident over Swansea, reported by Computer Weekly, gives cause for
concern. It relies for its data on legacy systems at West Drayton,
which is still operational.
Indeed, the new air traffic control centre was five years late and
its cost doubled.
If the current NHS projects are similarly "successful" one shudders
for the medical and financial health of the UK.
Stan Price, Price Project Services, Manchester