Feeds

Trial for T5 mandatory biometrics kicks off at Heathrow

Terminal 1 passengers get to be lab rats

Build a business case: developing custom apps

Quietly on Friday, Heathrow Airport recruited quantities of involuntary lab rats to test fingerprint-based security/traffic control system planned for Terminal 5. The luckless pioneers were selected at Terminal 1, where biometrics are now being deducted from any domestic passengers wishing to visit the international lounge.

Unconvincingly, BAA claims that the security system is being used to identify passengers in order to stop them swapping tickets once they're in the departure lounge. Terminal 5, due to open later this year, will mix domestic and international passengers in a single lounge, while although Terminal 1 has two lounges, domestic passengers are allowed to use the international one. So they need separating too - how they've managed previously, we've really no idea.

The system being used was described by The Register a little over a year ago. When fully operational it will take biometrics from all passengers as they pass into the departure lounge, and match them up as they board the aircraft. The biometrics being taken are fingerprints and a digital photograph - not, as incorrectly reported elsewhere, iris scans.

According to BAA the biometrics data will not be passed on to other authorities and will be destroyed at the end of each day. This goes some way to making the system relatively harmless (although 'destroyed on boarding' would be better), so long as we believe them, and for as long as it takes before the government starts saying 'retention of records' and 'access for the security services.'

But let's just rewind to that bit about stopping passengers swapping tickets, and try to figure out how biometric ID could help. The basic pre-biometric system used at Heathrow and most other UK international airports is approximately as follows. Passengers check in, showing their tickets and passports. They pass through the security barriers, and on their way the bar code on their ticket is scanned. In the vicinity of the security barriers their passport may be checked, but recent Register observations indicate that this isn't always the case.

It's therefore perfectly possible that both passport checks, at check-in and boarding, are carried out by the airline's staff, and if online check-in is used, then the only check of the physical passport may be at the gate. It's also perfectly feasible that the passport is never checked for forgery, never has its barcode scanned, nor (for the new ones) has its chip read at any point in the process. Which may strike you as something other than progress towards the government's goal of counting everybody in and out, but no matter.

Whether or not you'd count the personal details filled in during online check-in as an ID check is perhaps debatable, but there is at least one ID check in the process, at the point of departure. So yes, you could get into the departure lounge on a domestic ticket and then switch to an international one, but you'd still need a passport (real or fake) to match the name on the ticket, and someone pretending to be you would have had to get them past security. Granted, future security systems may turn out to be tougher for international passengers and therefore there might be an advantage in ducking through the domestic departures gate, but the process of evasion seems sufficiently logistically challenging for one to doubt that an actual vulnerability exists, at least for passengers starting their journey at Heathrow.

BAA however explains that the actual vulnerability is solely a borders and immigration matter, and goes like this. International passenger arrives at Heathrow as a transit passenger, then switches tickets to a domestic flight, thus evading UK immigration at Heathrow and arriving elsewhere in the UK as a domestic passengers. Which strikes us as one hell of a vulnerability in the routing of transit passengers (sheesh, don't they have security at Heathrow?), but one that could possibly be fixed by some means other than fingerprinting absolutely everybody who uses the place. Or the country, which is the longer-term goal.

Nor are other 'benefits' of the system particularly obvious. It allows you to know who has passed into the lounge, but you know that already from the barcode scan. It tells you when they've got onto the aircraft and who didn't make it, but you know that from the passenger list. And as you're not sharing the data with anybody else and torching it at the end of the day, there's no benefit there either. There might be a benefit if you were proposing to dispense with the ID check at the gate, because that might be faster - but what new vulnerabilities might you introduce there? ®

The essential guide to IT transformation

More from The Register

next story
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Know what Ferguson city needs right now? It's not Anonymous doxing random people
U-turn on vow to identify killer cop after fingering wrong bloke
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.