The Home Office Identity Cards Programme has now published a Supplier Form on their website:
"Market Sounding Information. Thank you for your interest in the Identity Cards programme. Currently the programme is undertaking "market sounding". This is the process of assessing the reaction of all potential suppliers to a proposed requirement and procurement approach, and is recognised as best practice in Government procurement.
This form has been designed to receive views regarding market capability and capacity and provides suppliers with a means of communicating this information to the programme in an efficient and structured manner. Structuring information in this way will optimise dissemination and use of the information within the programme. Therefore, please make sure that you highlight any vital information by completing the relevant sections provided."
This online form is, of course, potentially insecure: the email confirmation of your personal details, and of any confidential information you have chosen to fill in, appears to be protected by no username/password, nor even by cookie-based session authentication.
Presumably anybody can therefore use the "Update existing entry" form to submit new email contact details against an existing registration. By brute-forcing or dictionary-attacking the identifiers of existing registrants' entries, an attacker would have a confirmation copy of all of their registered details emailed to an arbitrary address of the attacker's choosing.
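The weakness described above, modelled in code. This is an added illustration, not the Home Office's form or any code from their site: the sequential "registrant number", the field names and the mail handling are all assumptions made so that the two designs can be compared side by side. The insecure class applies an email change from anyone and mails the whole record to the new address; the hardened class mails a one-time token only to the address already on file, applies the change only when that token comes back, and never puts the record itself in an email.

```python
"""Toy model of an unauthenticated 'update existing entry' form (added example,
not the Home Office's code). Identifiers, fields and mail flow are assumptions."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Registrant:
    email: str
    details: dict


class Outbox:
    """Stand-in for the mail server: records every message instead of sending it."""

    def __init__(self):
        self.sent = []

    def send(self, to, subject, body):
        self.sent.append((to, subject, body))

    def inbox(self, address):
        return [(s, b) for (t, s, b) in self.sent if t == address]


class InsecureRegistry:
    """The flaw: no authentication, a short sequential lookup key (assumed), and the
    confirmation mail carrying the full record goes to whatever address was just supplied."""

    FIRST_ID = 1000  # assumption: small sequential registrant numbers

    def __init__(self, outbox):
        self.outbox = outbox
        self.entries = {}
        self._next = self.FIRST_ID

    def register(self, email, details):
        rid = self._next
        self._next += 1
        self.entries[rid] = Registrant(email, details)
        return rid

    def change_email(self, rid, new_email):
        reg = self.entries.get(rid)
        if reg is None:
            return
        reg.email = new_email
        self.outbox.send(new_email, "Your registration", f"DETAILS:{reg.details}")


class VerifiedRegistry(InsecureRegistry):
    """Hardened variant: a change must be confirmed with a one-time token that is
    mailed only to the address already on file, and no mail ever carries the record."""

    def __init__(self, outbox):
        super().__init__(outbox)
        self._pending = {}  # sha256(token) -> (rid, new_email); only the hash is stored

    def change_email(self, rid, new_email):
        reg = self.entries.get(rid)
        if reg is None:
            return  # same silent response as for a hit, so IDs cannot be enumerated
        token = secrets.token_urlsafe(32)
        self._pending[hashlib.sha256(token.encode()).hexdigest()] = (rid, new_email)
        # The token goes to the CURRENT address, so only its owner can finish the change.
        self.outbox.send(reg.email, "Confirm change", f"TOKEN:{token} NEW:{new_email}")

    def confirm(self, token):
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)  # single use
        if entry is None:
            return False
        rid, new_email = entry
        old = self.entries[rid].email
        self.entries[rid].email = new_email
        for addr in (old, new_email):  # notify both sides, but without the record
            self.outbox.send(addr, "Address changed", "Contact address updated.")
        return True


def harvest(registry, outbox, attacker, id_range):
    """Attacker's loop: push their own address at every candidate ID, then read
    whatever record details land in their mailbox. Returns the leaked bodies."""
    for rid in id_range:
        registry.change_email(rid, attacker)
    return [b[len("DETAILS:"):] for (_, b) in outbox.inbox(attacker) if b.startswith("DETAILS:")]


if __name__ == "__main__":
    for cls in (InsecureRegistry, VerifiedRegistry):
        box = Outbox()
        reg = cls(box)
        reg.register("alice@example.org", {"company": "A Supplier Ltd"})  # constructed sample
        leaked = harvest(reg, box, "attacker@example.net", range(1000, 1010))
        print(cls.__name__, "records leaked:", len(leaked))
```

Note that in the hardened flow the legitimate registrant also receives a "Confirm change" mail for every attempt made against their entry, which is exactly the warning signal the insecure design never gives them.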
The email confirmation also gives an https:// URL, but since that URL resolves to an Akamai load-balancing cache farm, the web server's SSL/TLS certificate does not match the Home Office hostname. The browser therefore cannot verify that it has reached the Home Office at all, and the concept of online "trust" on which the form relies is fatally flawed. In fact the Akamai servers do not appear to be able to process the form correctly either, presumably due to loss of session state.
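The check a browser (and Python's default TLS context) performs in that situation is hostname matching of the URL's host against the names in the server's certificate. The code below is an added example, not anything from the Home Office site or from Akamai: it implements that matching for the dictionary shape `ssl.SSLSocket.getpeercert()` returns and runs it over a constructed certificate for a hypothetical CDN domain (`example-cdn.test`) and a hypothetical department hostname (`forms.department.example`), showing why a certificate issued to the cache farm cannot validate the Home Office URL. `check_live` is the same test against a real host and needs network access; everything else runs offline.

```python
"""Certificate hostname matching in the style of RFC 6125 (added example, not the
page's code). The certificate below is constructed; the hostnames are hypothetical."""
import socket
import ssl


def san_dns_names(peercert):
    """dNSName entries from the dict shape ssl.SSLSocket.getpeercert() returns."""
    return [v for (k, v) in peercert.get("subjectAltName", ()) if k == "DNS"]


def hostname_matches(cert_name, host):
    """Case-insensitive match; a single '*' is allowed only as the entire leftmost
    label and matches exactly one label ('*.a.b' matches 'x.a.b', not 'a.b' or 'y.x.a.b')."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == host
    first, _, rest = cert_name.partition(".")
    if first != "*" or "*" in rest or not rest:
        return False  # partial ('f*.example') or non-leftmost wildcards are rejected
    host_first, _, host_rest = host.partition(".")
    return bool(host_first) and host_rest == rest


def cert_matches_host(peercert, host):
    """True if the certificate is valid for `host`. The subject CN is consulted only
    when the certificate carries no subjectAltName DNS entries at all."""
    names = san_dns_names(peercert)
    if not names:
        for rdn in peercert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(hostname_matches(n, host) for n in names)


def check_live(host, port=443, timeout=5):
    """Network check: the default context verifies chain and hostname, so a cache
    farm answering with its own certificate surfaces as the error string."""
    ctx = ssl.create_default_context()  # check_hostname=True, verify_mode=CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("ok", san_dns_names(tls.getpeercert()))
    except ssl.SSLCertVerificationError as exc:
        return ("mismatch", exc.verify_message)


# Constructed certificate as getpeercert() would present it: issued to the CDN's
# own domain (hypothetical), not to the department's hostname.
CDN_CERT = {
    "subject": ((("commonName", "*.example-cdn.test"),),),
    "subjectAltName": (("DNS", "*.example-cdn.test"), ("DNS", "example-cdn.test")),
}


if __name__ == "__main__":
    for host in ("forms.department.example", "edge1.example-cdn.test"):
        print(host, "->", "valid" if cert_matches_host(CDN_CERT, host) else "NOT valid")
```

The user in the blog's scenario is in the `forms.department.example` position: the name in the address bar is the Home Office's, the certificate's names are the CDN's, and no amount of padlock iconography can bridge that gap without a certificate (or a SAN entry) for the real hostname being deployed at the edge.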
Apart from the dubious mandatory-field "validation", the two drop-down lists of countries (for the contact address and for the company HQ address) are not limited to the UK, or even to the European Union, but include various oceans, small island nations and territories, the Holy See (Vatican City), disputed territories such as the West Bank and the Gaza Strip, and countries subject to various trade sanctions and embargoes, e.g. North Korea and Zimbabwe.
Just to show how geo-politically aware the Home Office appears to be, they have allowed an official UK Government website to include the words "Falkland Islands (Islas Malvinas)"!
Presumably this will be taken as a signal by the Argentinians that, so far as the Home Office is concerned, the UK Government is now willing to share sovereignty of the Falkland Islands with Argentina. Have they forgotten the war fought over this issue in 1982?
This does not augur well for the security and privacy management expertise being displayed by the Identity Cards Programme team. Surely they should have had their own website properly security-audited before letting it go live?
How are the Home Office ever going to convince sceptics like us that they will not be putting our privacy and security at risk with their ID Card / centralised biometric database scheme, if they start off the pre-procurement programme in this way?
If the Home Office Identity Cards Programme team had been more open and transparent, we would have contacted them privately about these problems with their web form. However, their attitude of refusing to respond positively even to Freedom of Information Act requests, and their media spin and disinformation attempting to discredit the London School of Economics reports, seem to imply that they think they know best. We beg to differ.