Feeds

ICO queries Heathrow T5's huge fingerprint scam scan

National security now wholly funded by shopping

Top three mobile application threats

The government, the British Airports Authority and the Information Commissioner's Office are arguing over fingerprinting at Heathrow's new Terminal 5, which is due to open on Thursday. T5 is to use a 'count them all in, count them all out' biometric system to log entry and exit to the departure lounge, but the ICO thinks the move may breach the Data Protection Act, and has demanded an explanation from BAA.

Fingerprints are to be taken because T5 will use a single departure lounge for international and domestic passengers, and there is therefore a need to tie the passengers to their tickets. Otherwise, it is claimed, passengers could swap tickets in the lounge, and incoming terror suspects could slip into the UK via a regional airport without going through immigration. Instead of, one assumes, continuing their transit unhindered to Schiphol or whatever. It is not immediately obvious why someone who's going to be ID'd as a dangerous terrorist by the Borders & Immigration Agency at the immigration desk is not going to be similarly ID'd on the passenger manifest, but this is by no means the only thing that isn't immediately obvious.

The ICO wants the BAA to explain why fingerprinting is needed at all, pointing out that photographs are less intrusive, and are used at other BAA airports which have a single lounge for all passengers. BAA blames the government, and says in a statement: "When BAA announced plans for common departure lounges, the BIA was keen on a reliable biometric element to border control. Fingerprinting was selected as the most robust method by BAA, the BIA and other government departments."

The government, meanwhile, blames BAA. According to the Home Office: "We requested that they take measures to ensure the integrity of the UK border. We are content that the measures they have taken ensure the security of the UK border. The design of the system is a matter for BAA."*

And it's being done at Heathrow, but not at other airports, because Heathrow is special, "because there was a higher risk at Heathrow." Right... Except that it's only being done at Heathrow so far.

The system being deployed at Heathrow has in fact been running, without fingerprinting, at Gatwick for over three years. The Gatwick Common User Lounge System (CULS) was developed by Advantage System Solutions, and "is designed to allow domestic passengers to use CUL facilities (shops, restaurants etc.) at a London airport – which would otherwise only be available to international passengers." From BAA's point of view having all of the passengers in one huge retail complex is good for business, and we should be clear here that single departure lounges are a part of BAA's broad strategic plan, not just some weird design feature of Heathrow Terminal 5.

The Gatwick deployment involves taking a digital photograph on entry to the lounge, and attaching a barcode label to the boarding pass. Scanning this at the departure gate brings the photo up on screen, and security compares it with the live item. The system ought to be fairly reliable provided security is paying attention, and the addition of a facial recognition facility (as anticipated by Advantage), would tighten the system up further.

For Heathrow, however, this system has morphed into PASS, Passenger Authentication Scanning System. PASS consists of three components - ICISS (Integrated Communication Information and Security System), which is used in conjunction with Internet check-in; CULS; and fingerprinting. This last is the only real 'new' feature of PASS, which otherwise seems a repackaging of CULS and ICISS, both of which have been running together for several years. And as they've been doing so at Gatwick without fingerprints, the new feature (the technology is supplied by Germany's Dermalog) is clearly optional, probably disproportionate, and unnecessarily invasive.

* We shouldn't let the Home Office's apparent denial of responsibility for "the integrity of the UK border" pass unnoticed. Aside from the people at the immigration desks, these days Home Office employees can be pretty scarce at UK airports. You check in online or with an airline employee, contract security people scan your ticket, and scan you for weaponry, and airline and contract staff check your ID at the departure gate. The Home Office certainly isn't paying money for very much of that already, and if it's got BAA stumping up for digital photography, fingerprint scanners and watch-list look-ups (which it has), and airlines supplying passenger lists and quaking at the prospect of being fined for shipping in illegal immigrants (which they are), then yes, you begin to see what it means. And to wonder what it's for. ®

3 Big data security analytics techniques

More from The Register

next story
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.