[Infowarrior] - UK terror alert system dubbed a 'shambles'

[Richard Forno]

 Alert system dubbed a 'shambles'
By Mark Ward
Technology Correspondent, BBC News website
http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/2/hi/technol
ogy/6262719.stm

MI5 has overhauled an e-mail terror alert system for the public following
detective work by privacy activists.

Digital detective work by campaigners revealed that the alerting system did
little to protect the identities of anyone signing up.

They found that data gathered was being stored in the US leading to
questions about who would have access to the list of names and e-mail
addresses.

THe Cabinet Office denies the changes were a response to the investigation.

Data scramble

The public e-mail alert system was announced on 9 January and will send
messages to subscribers when threat levels change. The move followed the
success of similar public information systems started by MI5 and the Home
Office in August.

Despite the announcement no sign-up form for the service was available on
the MI5 website at the time of the unveiling. This was despite claims from
the Home Office that the system had been under development for some time.

This changed on the evening of 9 January when a web form appeared and this
kicked off an investigation by activists behind the SpyBlog to see how it
worked.

What they found led the group to describe the e-mail alert list as a
"shambles" and drove them to suggest that the system had been put together
in a hurry.

The activists discovered that the whole system had been contracted and some
of it was being run by a company called Mailtrack that specialises in
handling large e-mail mailing lists.

More worryingly when people signed up to use the alert system, the standard
encryption software had been disabled. This would have scrambled personal
data, such as name and e-mail address, to stop others eavesdropping.

Also the computer system to manage the list was based in the US on a server
run by Seattle-based firm What Counts. SpyBlog researchers suggested that
this put it at risk of being snooped on or inspected by US law enforcement
authorities.

"We would not release data to anyone without a subpoena," David Geller,
managing director of What Counts, told the BBC News website.

He said the information being collected for the mailing list was similar to
that collected by many organisations, such as newspapers, to keep customers
informed about updates or special offers.

"It's such a benign use of e-mail," he said, "but we would always encourage
people to move it to their own country."

Following its digital detective work, SpyBlog monitored the MI5 website to
see if any changes were made. On the evening of 12 January, changes were
made that ended the connection with What Counts and started the use of an
encryption system to scramble data.

A spokeswoman for the Cabinet Office said the changes made to the service,
including bringing the data to the UK, were due to happen before SpyBlog
investigated. This was to help cope with the large numbers of people signing
up.

"Moving the data to the UK will enable faster e-mail delivery to
subscribers, most of whom are in the UK and will enable the Security Service
to use Mailtrack's latest technology." said a statement issued by the
Cabinet Office.

SpyBlog noticed that one of the digital security certificates used in the
scrambling process between the MI5 site and a user's browser while they sign
up was only issued two days after the mailing list was unveiled.

SpyBlog said it would be contacting the Information Commissioner over the
way the alert system has been set up.

The Cabinet Office said: "We are confident that the technical arrangements
for this service are entirely compliant with the Data Protection Act".
Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/6262719.stm

Published: 2007/01/15 13:19:43 GMT

© BBC MMVII