
UK ID scheme complex, costly, won't work, says expert

Biometric bog-up ahoy...


UK home secretary and serial control freak David Blunkett's national ID card scheme has come under fire from an unlikely source - the company currently deploying Belgium's national ID card scheme. This has a certain piquancy, given that Blunkett thinks the UK is "out of kilter" with Europe on ID cards, yet here we have an outfit that knows what it's talking about reckoning that he is out of kilter with ID card thinking.

Bart Vansevenant, director of European security strategies for Ubizen, says Blunkett is too ambitious in planning to use biometrics in the scheme. "The point of an ID card is to prove that a person is who they say they are. In order to prove one's identity, name, home address, date of birth and ultimately signature will suffice for most 'authorities'. If not, you are probably using the cards to close your million-dollar bank account and further authentication may be needed. Today, if asked to prove your identity, when are you ever asked to leave your fingerprint or to have the iris of your eye scanned? I would think not even once a year."

Vansevenant also notes that biometrics on a piece of ID does not necessarily prove you are who you say you are - it merely proves that you are the person whose biometrics are on the ID. So if there are security holes in the issuing process (or if forgery turns out to be feasible), the authorities merely end up replacing one potentially compromised piece of ID with a more expensive potentially compromised one. A simple example of this relates to the US plans to require biometrics on passports at entry points - countries with corrupt and/or deficient issuing systems will act as sources of false passports, and it will remain extremely difficult for the US immigration services to detect these. On a national scale, as planned in the UK, it will prove extremely expensive to police the issuing of ID. Particularly as it is not entirely unknown for British government agencies to - woops - issue false passports and driving licences.

The ability to check validity with a central database is seen by the Home Office as one of the biggest advantages of the ID card scheme. Vansevenant however points to the privacy implications of this, the difficulties associated with the control of entry points to the database and the large number of false positives that will be thrown up by such checking. If you are simply checking that the fingerprint, face or whatever of the person with the piece of ID matches both the ID and the central record, then it's just about technically feasible because the data should be a very close match. If however you're checking the face against centrally held pictures of Saddam Hussein, then you will end up wrongfully detaining many, many people, because that does not yet work.

In summary, Vansevenant feels that the UK will be creating many new problems in attempting to solve one. Compared to Blunkett's plans, the Belgian system seems almost cuddly. In common with most of Europe, Belgium has a compulsory ID card system and its new digital ID system is the next generation of this. Cards are issued via a town hall registration process, and then a root key is used to create a PKI signature on the card. Information on the card is legally limited to your national number, name, address and picture.

Basically the card functions in the same way as the old version did, but the PKI aspect is intended to be used in conjunction with a PIN in order to facilitate electronic transactions with government. Compulsory ID cards are traditional and accepted in Belgium, so the government is able to build the authentication necessary for e-government onto this, and it's probably acceptable in a culture that already accepts compulsory ID cards.

The UK, however, is doing it backwards as usual. Belgium is deploying a system that includes, effectively, the universal "entitlement" card of Blunkett's previous dreams, and it's probably secure enough for that purpose. Blunkett has however switched horses on ID, from entitlement to security, and the over-ambitious objectives of the scheme will make it costly to build, vulnerable to security breaches, threatening to privacy and dubious in value. Vansevenant says when designing such a scheme you first have to ask yourself what it is you want to do, and then work out how to do it as reliably and securely as the purpose warrants. It would seem to us that Blunkett is not entirely clear as to what it is he wants to do, but has nevertheless become entranced by a misconceived notion that biometric technology will provide a bulletproof mechanism for him to do it with.

Authentication, says Vansevenant, is something you have, something you know, or something you are, the latter being obviously the strongest, so he feels biometrics will eventually provide the "are". But it won't do it now, nor will it do it when (or if) the US goes ahead with its biometrics requirements, currently planned for next year. Privacy issues aside, until such time as it is workable the pro-ID authorities would do well to consider the 'what do you want to do' question and answer it with levels of security that are both achievable and commensurate with the job in hand. ®
