Feeds

ID cards: a guide for technically-challenged PMs

Save us all billions - don't do it, Tone...

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Polluted inputs

We've already looked at several examples of polluted inputs that could undermine the system's integrity - false US ID, inadequate, arbitrary or cursory UK checking systems, and input systems from many other parts of the world whose reliability is debatable. These can clearly provide routes for the people you wish to intercept to pass through your control points and swim happily in your system. But what about the broader issue of what you do about those individuals who do not have ID that can be processed by your systems? Most of the world's population currently falls into this category, and that will likely remain the case for many years - so what do you do about them?

Well, in order to process them you need to give them some form of ID that your system can process, and on a small scale we're already doing this. Most people visiting the US will now, one way or the other, have their biometrics on the US database, and the UK can been phasing in fingerprinting of travellers coming from areas with a high incidence of asylum seekers. But what are we actually doing in these cases? Effectively, we're creating an ID that is valid within our system for the individual, and as always that ID is only as good as the inputs on which we base our decision.

The US or British consular official who grants the ID will make the decision on the basis of interview and supporting documentation, but how sure can we be about the validity of the information presented? And the more applications we have to process, the less likely we are to conduct examinations of the detail necessary for us to have confidence in that information. To avoid either being overwhelmed or ending up presiding over a rubber-stamping system, we therefore have to pressure countries to introduce ID systems which we can then presume provide a valid and accurate statement of an individual's identity. But will be really be confident in these, or will we simply be making that presumption in order to stop our own systems breaking down?

So who the hell do you think you are?

We shouldn't get too sniffy about the reliability of identity systems in the developing world, because when it comes down to it we in the west have precious little justification in being so damned sure about identity. Try this little parlour game, which I promise you has a moral to it. Ask yourself who you are, how you know this, and how far back in your life you can get before you start to get a little doubtful. You won't get anything like so far back if you perform the exercise on friends and family, but stick with yourself for the moment. Your family can vouch for you up to a point - but are they telling the truth? You have a birth certificate, but is this really you? Is the information on it correct? How do you know?

Fingerprints don't work when you're born (even David Blunkett doesn't fingerprint newborn babes yet, anyway), and general DNA testing at birth doesn't exist yet either. But say it did, and you were then able to point out that your DNA matched the DNA on the birth record, therefore you were definitely you... Er, who? Of itself this simply means your DNA matches the birth record, which is just as close to establishing ID as your fingerprint matching your passport (we covered this, right?). But it also provides proof that you are related to the people in your immediate family (or not - hey, mom...), and various things about your broader ancestry.

Effectively, what it's doing is establishing an identity for you in relation to the identities of a number of people surrounding and preceding you. But your identity, or what you think of as your identity, is something that has been assumed, generally, and by the accepted systems, as genuine at some point. This is probably around time of birth, but not necessarily, and not entirely - Fergusson, for example, suggests a Fergus as parent (allegedly...) at some point in the past, while Smith suggests an ancestral occupation and Pasteur a dairyman (joke - don't write in).

Identity is actually something that is established through a series of factors, history, occupation, location, parentage, and the whereabouts and circumstances of you or your ancestors when state systems began to require fixed and recorded tagging systems. The existence of these fixed systems does not however mean that you do not have multiple identities or identifiers (more people in my street, for example, will know me as the bloke at the top of the road with the dodgy old motor than will know me by name), nor does it mean that what they regard as fixed is what you personally regard as your identity.

But they've got something they're happy to think of as your unique identity, and we think of what's happening now as a successor to the processes that defined that ID for them. In developed countries at some point in the past couple of centuries the music stopped, censuses were taken and identity standards were defined. Now governments are pushing for a similar, global exercise that will result in everybody having what government will view as a standard identity, and where there is no pre-existing reliable identifier (as in the instances where people who didn't use surnames were assigned them), a new, relatively arbitrary one will be created.

As we've seen, this doesn't get us very far, because what we're interested in is the things that are associated with this identity, rather than the identity itself. Granted that false identities will inevitably be imported into the new systems, we'll need to wait at least a generation for these to work through, and granted that the systems' efficacy in fighting crime is dependent on accurate input of new associations, we'll need to wait a lot longer than that. But we will be able to say who everybody was saying they were when they first entered the system. Cool - but is it helpful, or worth the money? ®

Related stories

Blunkett ready to force through compulsory ID for UK
Draft ID card bill makes it to Queen's speech
Mission impossible? Blunkett's big biometric ID adventure

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.