Wednesday, February 01, 2006

Mobile, Ubiquitous and Continuing Paranoia

Rupert White of the Law Society Gazette points out that an even easier way to stalk someone rather than "borrowing" their mobile phone (see last entry)is to "borrow" their London Oyster card (should they be a Londoner, of course :-) This gives a full printout of everywhere the card carrier has been for the last n months. The Oyster card can be replaced in the stalkee's jacket, with them none the wiser.

The intersting question about this is what if any crime has been committed? My instinct is that this is (yet again) unauthorised access under s 1 of the CMA 1990.

"1.—(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case."

The big issue, of course, is is an Oyster card a "computer"? The 1990 Act, deliberately, has no definition. Ian Lloyd, an expert on computer crime, suggested in his IT Law textbook a while back that given the ubiquity of smart-chip enabled white goods these days, a dishwasher or a smart fridge might be considered a "computer". I myself think it is not stretching the definition to call a smart-chipped Oyster card a computer.

If not, though, where are we? The Law Commissions tied themselves in knots a few years back over whether an offence of "theft of information" other than in well recognised categories like trade secrets, existed. (This was , in fact, one of the reasons the CMA was enacted in the first place.) Data protection law forbids the unfair processing of personal data, which in this case would include processing (or viewing) without consent. "Processing" includes "use" and display. Data subjects whose rights are violated have rights to sue the processor. But I am not convinced there is a criminal offence here. And, of course, there's always the murky waters of simple fraud - especially in Scotland where the offence of fraud can be charged at common law, not under statute. But again, I am not convinced this is actually a case of fraud as the victim is simply stolen from, not lied to or in any way deluded. The English law of fraud is currently being amended to more comprehensively cover "phishing" - where personal data is stolen by deception. But this does not quite fall under that head either. Interesting problem..

Rupert also points out that the Information Commissioner has expressed worries about the transparency and security of data collection via Oyster cards before - but this is more in relation to what London Transport might do with the information than the accessibility of the card itself as a key to access to personal information by strangers. (But I too have pointed out to my students that the public register entry with the ICO for Transport for London represents no barrier whatsoever to aggressive data mining.)

I am not a Londoner so I am not sure just how easy it is to extract data from an Oyster card. Do you need to give a password or other ID to extract the details of stations passed through, or do you just stick it in a smartcard reader? The Oyster web site merely tells you that details of the last 8 weeks' journeys can be extracted. Help appreciated!

3 comments:

Ian Brown said...

As a reluctant pre-pay Oyster owner, I believe anyone in physical possession of a card can check its history. I'll make sure next time I travel!

We need to start Oyster swap-meets, where pre-pay owners can exchange cards and the appropriate cash, to foil the evil Livingstone ;) And/or -- as I saw at the last No2ID meeting -- wrap our cards in tin foil!!

Ian Brown said...

Yep, I was able to obtain a printout of all journeys and value add operations from a ticket office without any authentication beyond posessing the card. Will check at some point if you can do the same at a ticket machine.

Lilian Edwards said...

Hah, thanks Ian. That's pretty much what I picked up from the article in today's Indy (19th feb)