Mission impossible? Blunkett's big biometric ID adventure

Why it can't, won't work

  • alert
  • submit to reddit

Intelligent flash storage arrays

Today UK home secretary David Blunkett rolled out his plans for national ID cards. They will cost "£35" over a ten year period for individuals, but will be free for "all those who do not want or need a driving licence or passport" (which means they're already compulsory for these two groups), and the add-on cost, based on the assumption that passport and driving licence will go biometric anyway, will only be £4. Blunkett claimed support of 80 per cent of the public for this £4 bargain, which will nevertheless look remarkably like an extra £35 on passports and driving licences.

In his statement to parliament he also seemed to suggest that costs might be offset by "benefits in the commercial world". Which could be both a worry and a script for disaster, depending on what he means.

But earlier Blunkett put his personal ID card stake in the ground. Biometric identifiers on ID "will make identity theft and multiple identity impossible, not nearly impossible, impossible." That one's tougher to stand up than you think, David, and we're going to hold you to it.

Blunkett was speaking to BBC Radio 4's Today programme, where we believe he has a camp bed, prior to making the statement to parliament on his ID card rollout plans. After what have been described as "brutal" meetings on the subject, Blunkett has secured cabinet approval in principle for a compulsory national ID card, but the final green light for this is contingent on a number of criteria being fulfilled (more details of these here).

Blunkett's championship of biometric identifiers has become increasingly evident as discussion of ID cards has proceeded ('progressed' would we feel be the entirely wrong word), and this morning he has nailed his colours to the biometric mast even more emphatically. Which is appropriate, because successful implementation of biometric identifiers would prove his case, while on the other hand that very successful implementation is going to be hardest of the criteria to fulfill, by a long chalk. Will it be impossible? Read on, then you decide. Note also that Blunkett and the government (and indeed many other governments) are proceeding on the assumption that biometrics are going to be introduced for passport and driving licence anyway, so even if a national ID card scheme were abandoned forever, now, the challenges, and the costs of meeting those challenges, would still exist.

And when the government's deciding a few years down the line, remember what he said: "not nearly impossible, impossible." 'Good enough', 'near enough' will not do.

The first rollouts of biometrics for the general UK population will be in passports, then in driving licences. These are currently the two most reliable pieces of government-issued identity in the UK, but in both cases genuine documents exist which support false identities. It appears that it's even still possible to use the birth certificate loophole exposed by author Frederick Forsyth in the Day of the Jackal in 1972, and fake driving licences are readily available.

These 'relatively reliable' documents are currently used to provide proof of identity in order to obtain one another; a driving licence helps you get a passport, a passport helps you get a driving licence, and once you've got both you're pretty nearly real. National insurance number? No, there's a very good reason why the Home Office is not mooting the use of the current generation of national insurance number as a reliable basis for a unique ID system. The point here is false identities on real documents are already in the system, and that for Blunkett to achieve his "impossible" goal these will have to be shaken out. If the next generation renewal turns out to be simply adding bearer's biometrics onto an existing ID, then it will merely strengthen existing false IDs.

So far so easy, we're only talking about the UK, where the problems may be difficult, but not insuperable. We'll move out into the European Union as a whole now, and consider how you tackle multiple ID while we're about it. States within the EU need to be able to issue ID documents that use documents from other EU states, and the records of other EU states, for their verification. So Blunkett's confidence in the integrity of UK-issued documents can only be as high as his confidence in the reliability of the least reliable documents from any other EU state. No name-calling necessary here, obviously it varies, obviously the speed of implementation of relevant EU rules and directives varies, and obviously newer entrants to the EU will be less likely initially to be in the top ten.

Overcoming difficulties of this sort is again not impossible, but quite clearly high levels of standardisation in documentation and the integrity of issuing authorities throughout the EU will be necessary to achieve "impossible." And, when you consider multiple identity, high levels of data sharing.

How do you use biometric identifiers to make the issuing of multiple identity documents impossible? The biometric database, of course, which is why Blunkett is so keen on getting this set up. But you can only check that the individual in front of you is not in fact several other individuals as well if you do a look-up. At which point you arrive at an upward scale of hardness. For UK issued documents you can compare what you have locally (two pieces, mind, document and actual person have to match) with what you have on file. Determining that you do have something on file means the document is genuinely issued, determining that you (and the rest of Europe) don't have several different IDs with the same biometrics means you don't have multiple IDs present, at least at this level.

Obvious questions dealing with how you do the matching and how reliable the matching can be arise. Obviously you don't do it all every time a document is presented, but the system does require that it's all done sufficiently frequently to catch frauds. Against what would effectively have to be the giant database of the biometric identifiers of everybody in Europe, with each single identifier absolutely verified, no mistakes or frauds in issue. And with all of this shared by every authority in Europe.

The word "impossible" does start to spring to one's lips at this juncture, but not quite in the sense that Blunkett meant it.

Do we need to move out into the rest of the world? Probably not. For the sake of argument we might as well presume that the US is capable of setting up systems that are just as effective as Europe's, and will participate in the biometrics data-sharing arrangements (N.B, 'for the sake of argument' is not the same as 'lay odds on'). And the rest of the world? How confident can you be that documents from anywhere in the world have not been issued fraudulently? How effectively can you match what purports to be a genuine document with a record which may (or may not) be held anywhere else in the world? How effectively can you ring-fence issuing authorities you don't have confidence in? How do you set the boundaries?

How, indeed, do you achieve "not nearly impossible, impossible"? Mission impossible? Note also that all of these difficulties exist before you even consider whether or not it will be possible to forge the new class of ID document. Will this too be impossible? ®

Internet Security Threat Report 2014

More from The Register

next story
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Lords take revenge on REVENGE PORN publishers
Jilted Johns and Jennies with busy fingers face two years inside
Yes, yes, Steve Jobs. Look what I'VE done for you lately – Tim Cook
New iPhone biz baron points to Apple's (his) greatest successes
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Facebook pays INFINITELY MORE UK corp tax than in 2012
Thanks for the £3k, Zuck. Doh! you're IN CREDIT. Guess not
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
prev story


Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.