UK ID scheme complex, costly, won't work, says expert

Biometric bog-up ahoy...

UK home secretary and serial control freak David Blunkett's national ID card scheme has come under fire from an unlikely source - the company currently deploying Belgium's national ID card scheme. This has a certain piquancy, given that Blunkett thinks the UK is "out of kilter" with Europe on ID cards, yet here we have an outfit that knows what it's talking about reckoning that he is out of kilter with ID card thinking.

Bart Vansevenant, director of European security strategies for Ubizen, says Blunkett is too ambitious in planning to use biometrics in the scheme. "The point of an ID card is to prove that a person is who they say they are. In order to prove one's identity, name, home address, date of birth and ultimately signature will suffice for most 'authorities'. If not, you are probably using the cards to close your million-dollar bank account and further authentication may be needed. Today, if asked to prove your identity, when are you ever asked to leave your fingerprint or to have the iris of your eye scanned? I would think not even once a year."

Vansevenant also notes that biometrics on a piece of ID does not necessarily prove you are who you say you are - it merely proves that you are the person whose biometrics are on the ID. So if there are security holes in the issuing process (or if forgery turns out to be feasible), the authorities merely end up replacing one potentially compromised piece of ID with a more expensive potentially compromised one. A simple example of this relates to the US plans to require biometrics on passports at entry points - countries with corrupt and/or deficient issuing systems will act as sources of false passports, and it will remain extremely difficult for the US immigration services to detect these. On a national scale, as planned in the UK, it will prove extremely expensive to police the issuing of ID. Particularly as it is not entirely unknown for British government agencies to - woops - issue false passports and driving licences.

The ability to check validity with a central database is seen by the Home Office as one of the biggest advantages of the ID card scheme. Vansevenant however points to the privacy implications of this, the difficulties associated with the control of entry points to the database and the large number of false positives that will be thrown up by such checking. If you are simply checking that the fingerprint, face or whatever of the person with the piece of ID matches both the ID and the central record, then it's just about technically feasible because the data should be a very close match. If however you're checking the face against centrally held pictures of Saddam Hussein, then you will end up wrongfully detaining many, many people, because that does not yet work.

In summary, Vansevenant feels that the UK will be creating many new problems in attempting to solve one. Compared to Blunkett's plans, the Belgian system seems almost cuddly. In common with most of Europe, Belgium has a compulsory ID card system and its new digital ID system is the next generation of this. Cards are issued via a town hall registration process, and then a root key is used to create a PKI signature on the card. Information on the card is legally limited to your national number, name, address and picture.

Basically the card functions in the same way as the old version did, but the PKI aspect is intended to be used in conjunction with a PIN in order to facilitate electronic transactions with government. Compulsory ID cards are traditional and accepted in Belgium, so the government is able to build the authentication necessary for e-government onto this, and it's probably acceptable in a culture that already accepts compulsory ID cards.

The UK, however, is doing it backwards as usual. Belgium is deploying a system that includes, effectively, the universal "entitlement" card of Blunkett's previous dreams, and it's probably secure enough for that purpose. Blunkett has however switched horses on ID, from entitlement to security, and the over-ambitious objectives of the scheme will make it costly to build, vulnerable to security breaches, threatening to privacy and dubious in value. Vansevenant says when designing such a scheme you first have to ask yourself what it is you want to do, and then work out how to do it as reliably and securely as the purpose warrants. It would seem to us that Blunkett is not entirely clear as to what it is he wants to do, but has nevertheless become entranced by a misconceived notion that biometric technology will provide a bulletproof mechanism for him to do it with.

Authentication, says Vansevenant, is something you have, something you know, or something you are, the latter being obviously the strongest, so he feels biometrics will eventually provide the "are". But it won't do it now, nor will it do it when (or if) the US goes ahead with its biometrics requirements, currently planned for next year. Privacy issues aside, until such time as it is workable the pro-ID authorities would do well to consider the 'what do you want to do' question and answer it with levels of security that are both achievable and commensurate with the job in hand. ®
