Security on websites used to apply for UK visas is utter crap, an independent investigator looking into the matter has concluded - in so many words. They should remain shuttered until a list of improvements are completed by the governmental agency responsible for processing applications and the India-based private contractor …
Geez. I read the report, and yes, screwups all around by non-IT people. But what an awful report. Look at the chapter headings, for example. What did the govt. pay for this report?
Couldn't agree more with you Michael... this sort of report wouldn't get past a partner in a big 4 / consulting / law firm.
I mean come on:
"What happened when the technical loophole was first raised in December 2005,
what steps were taken to rectify the problem, and the circumstances surrounding
the closure of the online visa application facility following the communication by
Mr Winder in May 2007"
As a heading....
Surely "Steps taken to rectify initial problem" would have been better! We have the magic of paragraphs for detail!
I think he was trying to win a prize for the world's longest section headings.
The report seems to have a comprehensive account of what went wrong, and how it should be fixed - and the best criticism the first comment can come up with is that the chapter headings explain what the chapters are about?
It occurs to me that Nigeria is not the best place to deploy an untested, insecure system. I await the emails... "My husband made millions from fraudulent visa applications, and I need your help to get the money out of the country".
Think the UK visa system is grot? Try the USA.
None, or nearly none, of the legislators or functionaries who dream-up these automated processes can write code. Most lack any true understanding of the underlying technologies. Which means that 3rd party contractors usually do all of the actual development work. For the lowest bid.
Since an original contract supplier usually receives "preferred supplier" status w/r to any follow-on work, many of these 3rd parties try to deliver the very minimum acceptable performance. So to encourage the need for additional corrective/enhancement work.
In brief, there is no good reason why problems of this nature should ever go away.
- The Garret
CSC Outsourced Biometrics & the Olympics
See my other post. CSC has been given the job of digitizing the biometrics & fingerprints for visa applications to the UK.
So CSC has created 3 offices in France to handle applications from Luxembourg, Monaco and France. A resident of those countries who needs a UK visa has to travel to a CSC office in Paris, Marseille or Bordeaux and get their fingerprints taken and their photograph biometricized. Only then are they allowed to apply for a visa.
So soon lots of EU residents information will be on that visa system too. It looks like you'll upload it with your visa application and booking for the Interview. Although it's bad enough that collection of fingerprints has been outsourced to a USA company!
With the Olympics coming to the UK in 2012, it means that all across the world, athletes and VIPs and visitors wanting to see the olympics, will have to travel to the designated CSC office for their country, and get their fingerprints taken and their photograph biometric taken so the UK can build up a nice database of all this info.
I wonder how happy they are about that?
The matter of 'wordy' contents headings is a minor gripe with what seems to be a reasonably well written report. The main point of the article is how UK Government messes up IT projects and the associated security and development oversight issues.
It occurs to me that government departments cannot 'fail' when they instigate development and roll out of any system. If a commercial organisation tries to develop an application that is to be used by many people, in order to increase and/or maintain its revenue and profits, they run the risk of failure and loss of money. The senior staff involved run the risk of career block or even loss, so the organisation will try to place known good people in charge and those people will work hard to make it a success.
In a government department, no one loses money, no one is fired because they are no good. Everything can be explained away by the 'fact' that the contractors were 'regrettably' not up to it, despite 'best efforts' to ensure that the contractors were suitable.
This has always happened and will continue to happen until senior government functionaries are held responsible for their decisions and are given a financial kick in the wallet or the career path when they foul up in this way.
quality of the investigation report
Your correspondents who are critical of the "chapter" headings in my report may not have read the Terms of Reference for the investigation, which are annexed to the report. I was required by the UK Foreign Secretary to report on the facts and circumstances and on the specific topics identified in the Terms, which, therefore, form the chapters.
As for costs - I was not paid separately for this 5 week investigation, nor was my admin assistant; we continued to be paid salaries whilst on leave of absence from our normal roles. I instructed 2 expert reports and travelled to India - total costs less than £20K.
L M Costelloe Baker
@quality of the investigation report
Investigators critical of criticism for exceedingly poor grammar may not have read the Guides to Etiquette in Public Commentary for online communications, which are not annexed anywhere. Punters are expected to capitalize the first word in the title of their comment.
$40k sounds like an awful lot for 5 weeks expenses, even for two people in India, the land of exotic delights and dynamic expense reporting http://www.theregister.com/2005/09/22/intel_india_sackings/
Don't learn from the rest, learn from the Best - Visit India
A good report. However, the root cause of the sorry saga is yet another woeful govt contract. Even in 2004/5 any customer authority that signed a contract that could involve a web application dealing in sensitive personal information and did not require independent security testing by a competent body was guilty of gross negligence.
In my view the 'finding' that nobody in the UK govt was to blame is a whitewash. The finger points fairly and squarely at whoever from UKvisas put their mark on the contract with VFS, it was their duty to ensure the contract was appropriate and they should have sought expert advice if they did not fully understand the issues involved.
Business as usual
How about an article telling us about a government IT project that was on-time, on-budget and on-spec. Now *that* would be news.
Why is this a surprise?
From the original specification this 'debacle' appears to have been the intended outcome.
Then they waste a load of money on a report. Explaining what went 'wrong'.
Yet, nothing did go wrong because the outcome was what was intended from the outset.
IIRC, they did a similar thing to the Doctors: set up a website, specify that security should be more than lax, gather loads of personal information, wait for the identity thieves to harvest as much as possible, and then shut the stable door. If the outcry is loud enough commission a report, or in extremis put up some doe-eyed PR bunny to say what a terrible thing has happened and it's all the contractors fault.
What I find annoying is that these reports never put this in very large type on the front page. In effect these reports are not just throwing good money after bad, but actually part of the 'modus operandi'.
Why are non-IT companies doing IT?
"I also note that VFS has accepted that it is not an IT company and that it needs to outsource its software writing."
At face value, this appears to be the biggest WTF (though I haven't read the report). If they don't do IT, why were they involved? Since outsourcing is generally confined to non-core activities, that comment indicates that the supplier does not consider "software writing" to be a core activity in delivering online software. What are the core activities? Graphic design? Making tea?
angry about this? do something - make your view known
If you are a subject in the UK (all this Government talk of 'citizen' is incorrect - read the words in your passport!) and you personally experience a security flaw in an official Information System, you lodge a report with 'GovCert'.
It is a matter of standing UK Government policy that all Information Systems procured for 'official' use are subject to a process of independent scrutiny by an 'Accreditor'. It is the Accreditor who should decide whether the security behaviour of IS meets the appropriate level of performance.
If you are as angry about this particular story as I am please consider doing what I am doing:
1. contact your MP to express your displeasure at an agency of a UK Government department failing in its duty to the centre (be polite - not the MP's fault!)
URL: http://www.upmystreet.com/commons/l/ [to find your MP]
2. ask the MP to consider asking a parliamentary question of the appropriate Minister; this is Ed Miliband at the Cabinet Office
He is responsible for the Central Sponsor for Information Assurance.
[It may be that Ukvisas is considered part of the 'Critical National Infrastructure' (but I don't think it is), if it is, then they should have talked to these people:
Regardless, ask your MP to ask Minister the following:
a. Was the Ukvisas information system procurement Accredited in accordance with the Manual of Protective Security and what was the accreditation decision?
b. If not Accredited, why not? Will an Accreditor now be appointed retrospectively to ensure that the obviously necessary improvements to this IS are implemented satisfactorily? If not, why not?
c. What steps is he (Minister) taking to ensure that ALL IS that is procured for official purposes, regardless of whether this is directly by a HMG department or by some agency on behalf of a department, now and in the future, will be Accredited in accordance with policy set by his Office and recorded in the Manual of Protective Security, and what regime of reporting back to his Office is in place to ensure that his Office is aware of the Information Assurance status of every such procurement (including those for the Olympics that also come under his control)?
No, we've been citizens for decades now
First subjects, then last century the official description became citizen-subject and later on citizen.
Better than being denizens I suppose.
we've been citizens for decades now
well surprise! - my passport (red) says 'British Citizen'
last time I checked (blue passport but not *decades* ago) I was 'British Subject, Citizen of the United Kingdom and Colonies'.
sadly afaik HM still owns my house (and all Real estate in the UK)