It feels as if everyone has told bankers where to get off in the past couple of years. That’s certainly the case with a letter written by Cambridge University, though this time it’s not a criticism of irresponsible lending and investment. Instead Britain’s banks have been told to go whistle after demanding that a student’s thesis be censored.
The thesis, by Omar Choudary of Darwin College, studying for a Master’s degree in Advanced Computer Science, built on work publicized earlier this year involving “chip and pin” security systems for debit and credit cards.
Choudary and colleagues discovered that it was possible to carry a card reader and stolen card in a bag, then present a dummy card for payment. By exploiting a loophole in the system and using a wireless connection to a laptop outside the store, someone could go around the new security measures.
At the time, the UK Cards Association dismissed the loophole as being too complicated in practice and maintained such misuse would trigger fraud alerts. Now it seems more concerned, writing to the college. The letter, which argues that Choudary’s thesis “breaches the boundary of responsible disclosure”, says that even though genuine fraudsters wouldn’t use the method, it could encourage “nuisance” attacks.
More fundamentally, the banks say they are concerned “that this type of research was ever considered suitable for publication by the University. It gives us cause to worry that future research, which may potentially be more damaging, may also be published in this level of detail.” The letter concluded with a request for the thesis to be removed from public access immediately.
To say the University’s reply was dismissive would be an understatement. After pointing out that technically it was Choudary rather than the university that published the thesis, and that it actually contained less detail than was previously made public, security professor Ross Anderson unleashed a blistering attack (PDF) on the entire principle of the banks’ request:
You seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material.
It’s fair to say the banks’ request has backfired spectacularly. Not only has the dispute drawn further media attention to the entire matter, but Anderson has responded by republishing the thesis as a report from the university, meaning it will be permanently available online in a high-profile fashion even if and when Choudary removes his own copy.