March 21, 2008
Human Rights on the Buses
Public transport doesn’t often provide pointers for the humanitarian community. The recent cracking of the London OysterCard (following hot on the heels of the earlier crack of the Dutch transit card system) came as no surprise to digital security experts, but it should teach us fundamental lessons about information security and personal privacy issues.
Security researchers say they’ve found a way to crack the encryption used to protect a widely-used smartcard in a matter of minutes, making it possible for them to quickly and cheaply clone the cards that are used to secure office buildings and automate the collection of mass transportation fares.
No electronic identification scheme is secure. It doesn’t matter how good your technology is, any system which is built by humans can be cracked, and the only defense is to make the cost of cracking it as prohibitive as possible. (The kicker is that you never know if you’ve successfully achieved that - until somebody cracks it and it becomes embarrassingly obvious that you haven’t.) On top of that, the more complex and expensive a system is, the more difficult it is to fix it when something like this happens.
In themselves, these obstacles aren’t insurmountable - largely because they’re technical in nature - but you see the real issues when you look at how these schemes are implemented. Governmental (and intergovernmental) organisations are notorious for a) thinking that technology can fix problems which are not technical in nature (for example, running a public transport system) and b) frequently mismanaging technology projects, often with the assistance of the vendor.
In a public transport system, this is not a life-and-death issue. What if this was a tracking system for food aid, though, where RFID has begun to be introduced as the solution to our logistics inefficiencies? Or a refugee registration database in a country where human rights abuses are endemic? Or an employee identity card scheme in a country where terrorists are targeting UN and NGO offices? You start to see where this might be going…
There was also related news that MI5 have requested “full automated access” to the OysterCard database. In a liberal democracy where the rule of law holds, that might not be too worrying - but there are a number of countries in the world that don’t fit that description, and where giving access to this sort of information to the government might not be in the best interests of the beneficiaries.
The fear of cyber-warfare has climbed Whitehall’s agenda since last year’s attack on the Baltic nation of Estonia, in which Russian hackers swamped state servers with millions of electronic messages until they collapsed. The Estonian defence and foreign ministries and major banks were paralysed, while even its emergency services call system was temporarily knocked out: the attack was seen as a warning that battles once fought by invading armies or aerial bombardment could soon be replaced by virtual, but equally deadly, wars in cyberspace.
It’s only a matter of time before humanitarian organisations come under similar attack - and we’re not prepared for it in the least. None of this means that this technology shouldn’t be used - it absolutely should be. What it means is that we need to be a lot more savvy not just about the technology issues but about the entire range of processes - procurement of the system, implementation within the organisation, sensitivity to the situation (including security concerns), and so forth - in order to make sure that we’re prepared to address these situations when they arise.
Filed under Data Collection, Databases, Human Rights, Logistics, Private Sector, Security, Software by Paul Currion
Comments on Human Rights on the Buses »
humanitarian.info » In which I am insecure about biometrics @ 7:58 pm
[…] well as the recent problems with public transport schemes, there’s been no small concern about whether biometrics are as secure as our governments tell […]