Dear Network Rail Limited,

There has been many requests for Train Describer configuration files in the past. These files essentially give a meaning to "S-class" messages that are available through your open data platform. Initially these requests have been succesful, but lately requests have been refused. You have explained that the change of policy is because of an increased security risk. I understand there are security concerns that Network Rail and other parties need to be aware of. But the scope of the data and individual files that Network Rail cannot disclose is still not quite clear to me. These are highly complex technical topics.

One of your responses revealed concern about cyber attacks. That is an intresting point of view. By design, the data shall be provided through a secure communication channel that is read-only. This means that no changes to the underlying logic can be made from outside. It would require access inside an interlocking. Most likely it is an insider threat. Therefore, the risk of a cyber attack on the railway itself is low but can affect third-party applications.

In my professional opinion the information contained within the previously released files has been useful to a handful of developers, including myself. We could see new development in areas such as customer information, research and data-analytics. This could lead into new innovative ways to see how efficiently the railway is being used and where it could improve. But the users of open data also need wealth of knowledge to interpret that information. I would also say that most users never get deep into the specifics because of the steep learning curve there is.

My questions are:

1) What is the scope of information in this area of interest that could be disclosed to the public at large?

2) Are we allowed to have any kind of public documentation on individual signalling items that the data in "S-class" messages provides?

3) Should we remove the already released files we have on our computers?

4) Have you carried out a security review of your systems (TD.net)? Is it safe?

5) Would this kind of information be available to a professional developer?

Yours faithfully,

Juhani Pirttilahti

Dear FOI,

I would like to amend my request FOI2018/00673

Question 1 is quite broad and I want to explain it further. I'm looking for advice whether you hold any records covering the publicly available Train Describer data that can be released under FOIA or other legislation. This may be for example in the form of file lists or indexes.

Answering questions 2 and 3 would mean giving out opinions rather than records and I concede that it's not generally good practice to ask for opinions through FOIA. As the documents have public domain status, the situation is clear. Therefore, I would like to withdraw questions 2 and 3.

Question 4 remains as is.

With question 5, I'm looking for information on how a developer could have secure access to the Train Describer files that have been released in the past.

Yours sincerely,

Juhani Pirttilahti