BBC BLOGS - Newsnight: Susan Watts

Archives for February 2010

Time running out for haemophiliacs' bill

Susan Watts | 17:52 UK time, Friday, 26 February 2010

Health Minister Gillian Merron has offered to meet the sponsor of a private members' bill on contaminated blood as the bill ran out of parliamentary time for a second time this afternoon.

The bill aims to help haemophiliacs infected with fatal viruses such as HIV and Hepatitis through the NHS products used to treat them.

With the Conservatives and Liberal Democrats making supportive noises for this community, this could even become an election issue.

The bill was introduced in the House of Lords by Lord Morris, veteran champion of disability rights.

But problems began three Fridays ago when the 2.30pm cut-off for private bills approached and the whip on duty, Kerry McCarthy, stood up and shouted "object".

Ms McCarthy said this was a simple matter of procedure, and seemed surprised at the angry reaction of the haemophilia community.

Ms McCarthy tried to explain: "The government's view was that it was not appropriate for the Bill to go through without a proper debate in the Commons, ie the objection was to it going through 'on the nod', rather than to the Bill itself.

"I was the duty whip that Friday, so it was my responsibility to announce the government's decision on that occasion."

So the government says it couldn't allow the bill through "on the nod" because it thinks it should be debated. Lord Morris, who fought for compensation for the victims of Thalidomide, and knows a thing or two about parliamentary procedure, knows the tricks a government can use to thwart a bill it dislikes.

He told me: "If she had not shouted object to the bill it would now be in committee, debated line by line. What took place prevented any further debate on the bill. But this bill is not dead, and it remains no less than the haemophilia community deserve."

The bill is back on the books again for next week, and again in March.

None of this is new for haemophiliacs. This month Gordon Brown brought together his two worlds - the personal tragedies of family life and the day-to-day hustle of politics and government - when he chose to talk about his children.

Britain's haemophilia community has had no such choice. For decades, the mundane practicalities of their daily lives have brushed up against politics and government.

It was NHS treatment that meant they became infected with fatal viruses, such as HIV and Hepatitis. They have fought government departments, threatened court action and lobbied politicians to secure payments that they say go only a small way to recognising what has happened to them, and meet their financial needs.

Successive governments have refused to hold a public inquiry into what went wrong. And when Lord Archer held a privately-funded, independent inquiry it took months for this government to reply to its findings.

Lord Archer wanted decent pay-outs for those affected and their families. The government responded with revised payments close to the minimum wage, and only a fraction of those paid out in other countries - most obviously Ireland.

Lord Archer wanted more for widows, many of whom are excluded from financial help, and assistance with things the rest of us take for granted, like life insurance - which haemophiliacs find hard to obtain.

This week saw the first anniversary of the Archer report, yet most of these recommendations have been left unanswered. And there has not been a debate in the House of Commons in government time - as the Archer team was led to expect.

That is when Lord Morris, a supporter of the Archer Inquiry, stepped in with the private members' bill instead.

The haemophiliacs themselves will certainly not let this rest. In fact, next month haemophiliac Andrew March is taking the Department of Health to Judicial Review.

His case challenges the government's decision not to implement Lord Archer's recommendation of compensation at least at the level of that awarded in Ireland.

In the meantime, his haemophiliac friend Haydn Lewis has a tragic family story of his own. Haydn was infected with HIV in the early 1980s via the NHS blood products used to treat him. He inadvertently infected his wife Gaynor with HIV before he knew. He also contracted Hepatitis B and C from the same NHS treatment, and has been told he is at risk of having contracted vCJD.

You can see Haydn here in one of Newsnight's many reports on this issue - this one from February last year:


In 2008, Haydn was diagnosed with liver cancer - almost certainly as a result of the Hepatitis C virus. Despite chemotherapy, the cancer progressed and eventually he qualified for a liver transplant, though only one known to be infected with Hepatitis C. Doctors operated. Haydn seemed to be doing well.

Then, six months ago cancer re-occurred in the new liver. Haydn underwent aggressive chemotherapy and the tumour responded.

Then last week, he was told he has a new tumour. This one has grown to 7cm in just six weeks - that's fast. Haydn now has to come to terms with knowing that in a worst case he has six months to live... at best, a year.

Haydn used to delight in following the twists and turns of the latest government move. Now friends note that his famous sense of humour is harder to tease out.

Political niceties over debating time seem pretty unimportant as he waits for the latest hospital report. He says he wants to die without the anxiety that Gaynor will struggle financially.

Even the usually mild mannered Haemophilia Society has written to Mr Brown after his show of emotion, seeking a meeting.

The society says that of the 4,670 haemophiliacs infected with viruses from NHS treatments close to 2,000 have already died. Those left alive want to tell the prime minister their personal, tragic stories, and why they're not happy with the government's response to the Archer report.

They believe they are in this position because of a series of blunders and misjudgements within the NHS, by successive governments and their officials - for whatever reason.

Haemophiliacs like Haydn don't have much energy left to campaign, nor the time to wait on parliamentary procedure.

Extraordinary developments in 'Climategate' affair

Susan Watts | 14:33 UK time, Friday, 12 February 2010

There were extraordinary developments last night (Thursday) over the inquiry set up to look into the global controversy sparked by the release last December of hundreds of emails and documents on climate science. Within hours of the inquiry team being unveiled to the media, yesterday morning, one of the six-strong panel had resigned.

This was Dr Philip Campbell, editor-in-chief of Nature magazine - a prestigious journal in which scientists publish research results. There had been questions over the appropriateness of his selection as soon as the panel was named.

First, one of the most widely quoted of the leaked emails referred to "Mike's Nature trick". The "Nature" in that case is Nature magazine.

Then, later in the day critics including Lord Lawson, the former chancellor who called for this inquiry, began to raise concerns - in particular about an editorial in Nature magazine which he claimed accused critics of the scientists of paranoia, and was supportive of the scientists under investigation.

Last night it emerged on a sceptical website that in an interview with China Radio International last December, Dr Campbell appeared to have pre-judged the very issues the inquiry is supposed to examine.

He said: "The scientists have not hidden the data. If you look at the emails there is one or two bits of language that are jargon used between professionals that suggest something to outsiders that is wrong."

He went on: "In fact the only problem there has been is on some official restrictions on their ability to disseminate data otherwise they have behaved as researchers should."

Then in a statement yesterday evening, Dr Campbell announced that he had stepped down.

"I made the remarks in good faith on the basis of media reports of the leaks. As I have made clear subsequently, I support the need for a full review of the facts behind the leaked emails. There must be nothing that calls into question the ability of the independent Review to complete this task, and therefore I have decided to withdraw from the team."

After the press conference yesterday morning I had suggested to Dr Campbell that there might be raised eyebrows over his appointment. I suggested that he may not be best placed to judge the evidence before the inquiry since his own publication is part of that picture.

He said: "Where there's any conflict of interest that I perceive or anybody else perceives it right for me to leave the room then I will... And if it becomes so severe a conflict of interest that my continued presence becomes a problem, then I would step down from the whole thing - I don't envisage that..."

So where does this leave the inquiry? Apart from being one panel member short, it is still the subject of continuing questions from critics.

Last night Lord Lawson told Newsnight: "I am very concerned, and I wrote to Sir Muir about this but they're not going to do it, that the inquiry is not going to be held in public... the hearings will be held in private, and the evidence given at the hearings and the interrogation, the transcripts of that are not going to be is singularly lacking in transparency".

The chairman of the panel, Sir Muir Russell, had said that morning that he would be publishing written submissions on a website, saying there will be "no concealment".

He also set out what the panel will, and will not do. They will examine the way science was carried out at the Climatic Research Unit at the University of East Anglia (UEA), but not the quality of that science or its conclusions.

In fact, in a separate and rather overlooked announcement yesterday, UEA said that it is now going to reassess the science involved, science at the heart of the whole climate change debate. And yes, they'll be using yet another independent team.

New flaws in chip and pin system revealed

Susan Watts | 16:56 UK time, Thursday, 11 February 2010


Most of us do not think twice about paying for something in a high street shop by keying in our pin. It is easy, fast and in most cases it works.

But scratch a little under the surface and there are persistent reports of people who say they have been the subject of fraud of one kind or another on their credit or debit card.

Now a team of computer scientists at Cambridge University has found a flaw in chip and pin so serious they think it shows that the whole system needs a re-write.

Over the past few years, the Cambridge team has uncovered a series of weaknesses in the system, which has been running since 2004.

Shockingly simple

Two years ago, we featured one on Newsnight showing that criminals could tap into the communications between a pin terminal and a customer's card, and read off sufficient information to create a cloned card.

Now, the same team has found a way round the chip and pin system that is so simple it has shocked even them:


"We think this is one of the biggest flaws that we've uncovered - that has ever been uncovered - against payment systems, and I've been in this business for 25 years," Professor Ross Anderson from the Cambridge University Computer Laboratory said.

"This is a flaw in a system that's used by hundreds of millions of people, by tens of thousands of banks, by millions of merchants," he added.

In essence the Cambridge researchers have discovered a way to carry out transactions without needing to know a card's pin.

Small kit

So how does the attack work?

We obviously do not want to give out too much detail, but in simple terms, a stolen card sits in an off-the-shelf card reader, inside a backpack.

This allows it to communicate with a chip, running software written by the team and controlled from a laptop.

All of this is hooked up to a fake card, which slots into the actual shop terminal.

The kit would not have to be big - the Cambridge team is already working on miniaturising it all into a unit the size of a remote control.

It is called a "man in the middle" attack because the software is tricking the terminal into thinking the pin has been verified.

"Essentially what it does is to exploit a flaw in the chip and pin system. It makes the terminal think the correct pin has been entered, and the card think the transaction was authorised with a signature," Dr Saar Drimer, one of the Cambridge team, explained.

"At the end the receipt says 'verified by pin' so the bank is going to think the pin is entered directly, but the criminal actually did not know the pin."

Credit and debit cards attacked

We got permission from Cambridge University to try out the attack in one of their cafeterias.

The team tried out four common cards - two credit cards, issued by HSBC and John Lewis, and two debit cards, issued by Barclays and the Co-operative Bank.

There was no particular reason for choosing these cards, they just happened to be the ones in the Newsnight team's wallets.

Using the cards, Dr Drimer keyed in 0000 as the pin. Since there is no need for the criminal to know the actual pin associated with the card, any combination should work.

It did work, and the printout stated that the purchase had been "verified by pin".

Following the attack we approached the Co-Operative Bank, Barclays and HSBC - which also administers the John Lewis card - for comment.

All three stressed that this was an industry-wide issue, not specific to any particular provider, that their cards were no different to those offered by any other provider or bank, and each referred us to the banking trade association for further comment.

Low sophistication

The Cambridge researchers have a standard approach when they uncover this kind of flaw. They tell the authorities straight away, suggest fixes, and then publish.

In the last few weeks, they have told the relevant official bodies.

In reality, though, how easy would it be for someone without a PhD in computer science to carry out this attack?

"Even small scale criminal systems have better equipment than what we have. The amount of technical sophistication needed to carry out this attack is really quite low," Dr Steven Murdoch, one of the team, told Newsnight.

"In practice how this attack would work is that one reasonably technically skilled person would build a device that carries out the attack and then sell this equipment on the internet just like criminals already do," he added.

So is this kind of attack already happening in the real world?

According to Phil Jones of the Consumers Association, chip and pin has helped to bring down instances of card crime, but many cases remain unexplained.

"It's very difficult to quantify exactly how big this problem is," he said. "What we do know from our investigations is that say around 14% of consumers on a representative basis have said they have suffered some kind of financial loss which they believe is through fraud.

"The percentage of that which is actually from this type of potential problem with chip and pin is something that is a lot less clear. What we do know is that we do have cases that are brought forward from individuals which seem quite persuasive."

Onus on banks

So whose job is it to sort this out?

In November last year the law changed, placing the onus firmly on the banks to prove that a customer has been negligent in any dispute.

In the UK, it is the Financial Services Authority (FSA) which has responsibility for overseeing how that new law works in practice, though they say it is up to the industry itself to decide how best to comply.

Newsnight understands that behind the scenes some of the banks are already working on fixing this flaw.

But they obviously have not all fixed it yet, because the banks did not alert any of us to the purchases we made using the Cambridge attack, our cards and a PIN of 0000.

Data trail

Every time you use a card, data on the transaction is generated along the way.

The Cambridge team thinks that customers would be better protected if banks were forced to produce this entire audit trail in disputed transactions.

However, in practice, banks often ask customers to destroy their card, and therefore its chip, as soon as they report a problem.

Stephen Mason, a lawyer who has represented consumers in cases involving banks and disputed card transactions, told Newsnight that digital evidence is increasingly important:

"Just because 'verified by pin' is printed on a piece of paper that comes out of a machine, it proves nothing.

"It's for the bank to prove that it was verified by pin - and that statement is actually totally irrelevant."

The chip and pin system has a 700-odd page manual, but the Cambridge team says it has so many holes in it, the whole thing should be re-written.

"The first thing that banks should do is fix this vulnerability. There are ways they could upgrade the chip and pin system that would prevent this attack working for most of all the transactions that happen in the UK, not all but most," Dr Murdoch said.

"They should also look back at previous transactions where the customer said their pin had not been used and the bank record showed it has, and consider refunding these customers because it could be they are victim of this type of fraud," he added.

Watch Susan Watts' full report on Newsnight on Thursday at 10.30pm on BBC Two, then afterwards on the BBC iPlayer and Newsnight website.
