An Airline Ticket to Fraud

Data systems that merge air passenger data make identity theft easier to come by


At the time, Kip Hawley, Transportation Security Administrator, said: 'While the Secure Flight regulation is being developed, this is the time to ensure that the Secure Flight security, operational and privacy foundation is solid.' He said the TSA would continue its passenger pre-screening programme in yet another guise after it had been audited and added that it had plans to introduce more security, privacy and redress for errors - confirming critics' suspicions that no such systems were yet in place.

To the consternation of privacy activists in Europe, the TSA also spelled out plans for its desire for various U.S. government departments to share information, including yours and mine.

Dr Gus Hosein, a visiting fellow at the London School of Economics specialising in privacy and terrorism, is concerned about where the project will go next.

'They want to extend APIS to include data on where passengers are going and where they are staying because of concerns over plagues,' he says. 'If bird flu breaks out, they want to know where all the foreign travellers are.

'The airlines hate this. It is a security nightmare. Soon the U.S. will demand biometric information [fingerprints, retina scans etc] and they will share that around, too.

'But what the BA lapse shows is that companies cannot be trusted to gather this information without it reaching criminals who would abuse it. The potential for identity theft is huge, but the number of agencies among which it will be shared is rapidly growing.' And that is where concern comes in over the UK's proposed ID card, which may one day be needed to travel to the U.S. According to the Home Office, the identity cards bill going through Parliament allows for up to 40 pieces of personal information to be held on the proposed ID card, including biometric details of your fingerprints, your irises and your face, all of which can be transmitted to electronic readers.

The cards will contain a microchip the size of a grain of sand linked to a tiny embedded antenna that transmits all the information when contacted by an electronic reader.

This readable system, known as Radio Frequency Identification, has been installed in new British passports. The Home Office says the information can be transmitted across a distance of only a couple of centimetres because the chips have no power of their own - they simply bounce back a response to a weak signal sent from passport readers at immigration points.

However, the suspicion is that the distance over which the signal can be read relates only to the weakness of the signal sent out by the readers. What if the readers sent out much stronger signals?

Potentially, criminals with powerful readers could suck out your information as you passed by. The Government denies this scenario is viable, but in January, Dutch security specialists Riscure read and de-encrypted information from its country's new biometric passports from a distance of about 30ft.

'The Home Office says British passport information is encrypted, but it's a pretty basic form of encryption,' says Hosein. 'Everyone expects ID cards to be equally insecure. If the Government insists they won't be cracked, read or copied, it's kidding itself and us.' BA has now closed its security loophole after being contacted in March by the Guardian newspaper, but that particular lapse is beside the point. Because of the pressure being applied to airlines by the U.S., breaches will happen again elsewhere as our personal data whizzes around the globe, often without our knowledge or consent.

Meanwhile, accountability remains lamentable. Several calls to the U.S.

Transportation Security Administration were not returned.

Perhaps the last word should go to Mark Broer, the man whose boarding-pass stub started off this virtual paper chase. He is 41 and a successful executive with a pharmaceutical recruitment company. When I told him what we had done with his boarding-pass stub, he was appalled.

'I travel regularly and, because I go to the U.S., I submitted my personal information and passport number - it is required if you are a frequent flyer and want to check yourself in,' he says.

'Experienced travellers today know they have to give up information for ease of travel and to fight terrorism. It is an exchange of information in return for convenience. But as far as I'm concerned, having that information leaked out to people who could steal my identity wasn't part of the deal.'

<<Daily Mail -- 05/08/06>>