12.09.2025, C205 - IFG Arena
Language: English
In 2024, we each separately submitted Freedom of Information requests to our country’s railway operators, asking for specifications of how their barcodes worked. This has made a lot of people very angry and has been widely regarded as a bad move.
This talk details the drama, lies, and nonsense that ensued as seemingly every part of the UK’s and Slovenia’s rail industries set out to stop us from getting access to the documents we requested.
Train tickets in the UK can be issued in two formats: on security card stock, or as a barcode on a mobile phone. Being the curious beings we are, we were curious about what was in those barcodes. What information on us is processed in them? How do they encode our journeys? Can we do anything interesting with their contents?
We were aware of the reverse engineering work done by eta, but this didn’t give the complete specification, and there were still some bits missing. Additionally, since that work, new keys had been introduced, making it impossible to read some newer tickets.
Railways in the UK are these days primarily operated by publicly owned companies, and are thus subject to the Freedom of Information Act, or the Freedom of Information (Scotland) Act. Q therefore went to the publicly owned operating companies in November 2024, and submitted FOI requests for these specifications. This has made a lot of people very angry and has been widely regarded as a bad move.
In spite of knowledge from the reverse engineering work about these tickets’ use of public/private key cryptography, and the absolute non-issue of making public keys, well, public, seemingly every part of the UK rail industry put Q’s picture on their office dartboard and vowed to never let them have these documents.
What followed was a months-long process, still ongoing at the time of writing, of internal reviews, appeals, and some very stupid arguments from all parties involved. This talk aims to give an overview of the FOI process in the UK in the context of my requests, and how you can fight a public authority being unreasonable in their arguments against your requests.
Before any of this started with the UK, CraftByte submitted a similar request in February 2024 to the Slovenian Railways, which is subject to the Slovenian Freedom of Information Act (ZDIJZ). Already used to the shenanigans that Slovenian Railways had pulled on their previous FoI requests, they came prepared but were still met with resistance from every direction. The process reached an apex when, in October 2024, the Information Commissioner named an expert witness in the process. The process is currently still ongoing and has already resulted in breaking the record for the longest FoI appeal since the act was introduced.
Q is a researcher at the Max-Planck Institut für Informatik in Saarbrücken, focusing its work on Internet architecture and security. In its spare time, it runs Glauca Digital, a domain registrar and web host. It's also a massive train nerd 🚄.
Fedi: @q@glauca.space
Website: magicalcodewit.ch
CraftByte is a Security Researcher and Software Developer by day, Freedom of Information Enthusiast and Problem Causer by night. Also a massive train (ticketing) nerd.
Fedi: @anze@treehouse.systems
Website: anze.dev