Feeds

Everything you never wanted to know about the UK ID card

Name, rank, serial number...

  • alert
  • submit to reddit

Security for virtualized datacentres

A pub bore's guide Do you know how the UK's projected compulsory ID card will work, and what it will entail? If you do, you're significantly in advance of David Blunkett and the Home Office, because although a draft bill and consultation document was published at the end of April, these really only provide signposts to what the powers that be would like it to be able to do, and a little bit of evidence as to how they might propose to get it to do these things. But we're considerably further on in terms of information than we were before the draft, and it's not likely to get much better by the time the consultation period ends. So, as our small contribution to the democratic process, we present The Register Idiot's Guide to the UK ID Card.

What do you get, when?

There will be a "family" of ID documents that will be phased in, beginning with passports. These will start to appear in three years, at which point it will not be possible to get an old style non-biometric passport. The system's non-compulsory nature therefore hinges on your not actually wanting a passport any more - otherwise you have to give the Passport Office the £73 for the new one. Rollout periods for other members of the family are not covered in the draft bill, but as these are introduced, the old version will similarly cease to exist. Proud owners of old-style perpetual paper UK driving licences, already smug because they don't have to cough up to renew the existing picture licence, can be even smugger. Until such time as Blunkett hunts us all down. The new ten year biometric driving licence will cost around £69, says the Home Office (what do they mean "around"? £68.99?) and the new ten year ID card £35. Which, if they don't get feature-consolidated pretty quickly, is an impressive outlay every ten years. 80 per cent penetration for the new ID is intended to be achieved by 2013. The draft bill includes power to set a date for the card becoming compulsory, but this will not happen until after "the initial stage of the identity card scheme was in place and following a vote in both Houses of Parliament on a detailed report which sets out all the reasons for the proposed move to compulsion." Correct - that does not specify a date.

The ID document will contain a picture, one or more pieces of biometric ID, and a unique number which will identity you on the central database. The documentation at the moment only talks about what is likely to be visible on the document, with name and date of birth being put forward as the bare minimum. But it is more specific about the information that will be recorded in the database (see below). The Home Office suggests more visible information: "name, age, validity dates, whether a person has a right to work, and an unique number". There you go, feature-creep already. The biometric can be used to tie a specific individual to the ID document, and to look up an individual and identity them from the database. In that case, you theoretically don't need the document to identify someone in the first place, and the Home Office (and Blunkett) do airily suggest that people might want to have a database check performed on themselves in order to establish their identity. But as we explain below, this really is not something it's smart for them to be pinning too much hope on.

Which biometric?

For reasons explained here, previous Home Office studies fix on fingerprint as the best combination of identifier and practicality, but recommend a second biometric to be used as a decider in order to bring false alarms down to a more acceptable level (using fingerprint alone with a reasonable trade-off between false alarms and failed matches, Heathrow would generate in excess of 1,000 false alarms a week). The choice of the second biometric isn't so obvious. Iris is in principle a more effective ID biometric than fingerprint, but you need optimum positioning, lighting etc, so it's not so good for widespread deployment or fast throughput in an immigration queue.

Facial recognition currently doesn't cut it for mass ID purposes, but might just work as a 50:50 'decider throw' secondary biometric for use at entry points. But the big thing it has going for it is that it's been adopted by ICAO (the International Civil Aviation Authority) as the next step for machine-readable passports. So unless ICAO is persuaded to change its mind, it's coming in passports anyway. ICAO's decision, by the way, seems to have been made on the basis that face had a higher "compatibility" rating than fingerprint or iris. By this, they appear to mean that because passport-based identity currently leans heavily on the picture, it makes sense to carry on using the picture (Yes, we know - don't tell us, tell ICAO).

So although the Home Office has kicked off a 10,000 volunteer trial of the three technologies, fingerprint seems the racing certainty for primary biometric, with facial a strong contender for the secondary. The Home Office no doubt has its own reasons for thinking the trial will tell it something useful, but as the target population is over 60m (us, plus all the people we're looking for and have data on), and the British Airport Authority airports processed 134m passengers last year (Heathrow 60m, Gatwick 30m), you could reasonably doubt that it will learn much of value applicable to very large throughputs and databases.

Issues associated with the deployment of the secondary biometric readers (cost, location, environment) could well lead to their not being used outside of entry points and major installations, which might mean non-passport ID would use only the fingerprint. Other differences are likely to creep in; for example, the Home Office appears to be willing to allow veiled pictures for moslem women in ID, but the draft documentation reiterates current passport office guidelines, which amount to 'headscarf OK, veil bad'. So unless somebody's got it wrong, different strengths of ID are already creeping in, and any dreams you had about a single, do-anything document are way, way in the future. The Home Office's suggestion of three different levels of checking (see below), by the way, makes it clear that it in some senses accepts the view that you should use different strengths of security in different situations. But philosophically this doesn't entirely match with its pitching the cards as a single, high-strength security device.

How will it work?

That depends. The basic link is between you and the document, and this can be readily established by using a machine that checks you against the biometrics in the document. This is essentially a local check which depends on the document being valid and untampered with in the first place, but the introduction of biometrics in the document should make it significantly harder to produce forgeries, so we can expect a substantial initial increase in confidence in the piece of ID produced, even if we are simply looking at the picture and not bothering with the biometrics.

Which is A Good Thing, because it's difficult to conceive of biometric readers being either welcome or likely to stay in usable nick for long at point of sale, doctor's surgery, council offices, etc. The Home Office suggests three likely levels of check for non-government purposes. Retailers would check the photo, banks etc would check the biometric and verify it against the database, and employers would check immigration status "via an automated telephone check." These suggestions most likely derive from the Home Office's doomed quest to make us love and demand ID cards, and on a voluntary basis are unlikely to become widespread.

How often do you get asked for ID to back up your credit card? So why should shops want the new passport when they don't want the old passport? Banks do need to make pretty strict checks covering identity and place of residence when you open a bank account, but their existing systems work, and they won't jump into a new and unproven system which, from their point of view, brings little to the table, lightly. Plus they're already reading entirely different kinds of cards. And employee checks? Here comes the stick. Employers don't at the moment have to check immigration status when they hire someone, so why would they? Indeed, why would they care? But under the provisions of the Asylum and Immigration Act 1996 the secretary of state can make orders requiring eligibility checks by employers. This will be considered "closer to the date of implementation" of the ID card scheme.

The Home Office, bless 'em, pitches ID cards as the "key to the UK's future", and witters (in the press release) that "crucially, the cards will help people to live their lives more easily, giving them a watertight proof of identity for use in daily transactions and travel." So it's clear they want all of your personal transactions to be underpinned by the national unique ID, but we've already seen that the private sector is unlikely to be keen. Not only that, it's more likely to be actively hostile. Banks and credit card companies do not want to make their systems dependent on a database they're not in control of, and no matter how much you want all of your credit cards on one piece of plastic (which is a bad idea anyway, trust us), they ain't going to give you it. They really are not going to help the government in its efforts to make the ID card popular. Really.

Moving on from low level and relatively rare operation in the private sector, we get to the government and public sector. There will, as we've already suggested, be considerable resistance to the use of readers and the checking of cards in areas of the public sector, but this will be neither here nor there from the point of view of you, the user. Think about it: not that many of the public services you're likely to be using will be available if you don't establish an ID as part of the process, and you go onto a record as a part of that process. So doctors can be as precious as they like about not checking your ID card, but will still put you onto a list which can and will be checked against the ID register, and if it's not on there, consequences will ensue. As the system matures and increasingly interacts with other public sector ID systems, it will inevitably engulf the whole of the public sector, and it doesn't need support for this to happen.

The arms of government that obviously do want to embrace the system are passports and immigration, and the police. It will most obviously sing and dance at the arrivals terminal, so it's worth at this point taking a small detour so that we understand that the singing and the dancing here will by no means be automatic.

Business security measures using SSL

Next page: Passport Control

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Murdoch to Europe: Inflict MORE PAIN on Google, please
'Platform for piracy' must be punished, or it'll kill us in FIVE YEARS
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
Show us your Five-Eyes SECRETS says Privacy International
Refusal to disclose GCHQ canteen menus and prices triggers Euro Human Rights Court action
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.