
'RFID the lot of them!' UK ID card to use ICAO reader standard

Hello, the National Tagging Register...


Because of the nature of the technology, there will be a risk whenever the card is being used for identification, rather than solely when it is being 'officially' read via its contactless capability. For most purposes this capability is unlikely to be needed.

Burnham says that the forms of verification currently being considered are "card, PIN and biometric identification", i.e. whether the picture matches the face, whether the bearer can enter the PIN and whether the biometrics of the person match either those on the card (local check) or the National Identity Register (online check). These forms of verification are being discussed with "various organisations who would be potential users", and the discussions cover "what performance is acceptable".

The discussions have not yet reached a conclusion, but it seems perfectly possible that the Home Office's vaunted scheme, protected by magic biometric technology, will in most cases operate as picture ID or a PIN-protected card, which are the options least likely to add to cost and inconvenience to interested organisations.

In those cases where a biometric check is used, the Home Office has been considering measures that could be employed to combat spoofed biometrics. Burnham didn't give an answer on the use of contact lenses to fool iris recognition, but said that methods to deal with faked fingerprints could include "selecting a random finger for verification, from those available, rather than using only one fingerprint on all occasions. This also gives flexibility around issues arising from short term damage to fingers, such as a cut." This interesting idea, one notes, would inevitably add greatly to delays, confusion and failure rates at border checkpoints, and prove discouraging to commercial organisations considering using the more secure (allegedly...) biometric check.

One of the bodies the Home Office is consulting on biometric security issues is GCHQ's Communications and Electronic Security Group. We note that this organisation's FAQ currently includes this categorical statement: "There are currently no approved biometrics applications, and we do not expect any to be available in the near future as none of the technologies have yet, in our view, reached the stage where we would be happy with them as the sole access control mechanism." Have they told the Home Office?

While they're about it, they might care to discuss the use of single identification numbers, where the Home Office's views seem somewhat underdeveloped. Asked what assessment of the risks posed by the use of a single national identity number had been made, Burnham replied that an "extensive risk assessment of the use of a single identifying number has been conducted by experienced fraud and security experts. This has resulted in the selection of a new single identifying number that is unrelated to any number issued by the Government at the present time." So, the Government has assessed that existing identity number systems are too broken to use, and decided to invent a new, universal one instead.

It's worth noting that the Home Office's answers on issues of verification and security almost all lead to "the integrity of the National Identity Register" as a backstop. Thus, the "performance of one particular identifier or technology [which might be used in verification] is not the key determinant" because during enrolment a false match on one particular biometric "would be resolved by other biometric matches or by inconsistencies with the information held about the applicant and the record against which it had been matched." Which appears to indicate that the primary concern is for the data held by the Government to be solid, with the security offered to the user (which is surely the user's primary concern) coming a distant second or third. Similarly, supervision of enrolment would "reduce" (sic) the likelihood of fake biometrics being successful, and details of how the Government proposes to stop this becoming a simple key to ID fraud cannot be provided "in order to protect the integrity of the National Identity Register."

Effectively, it's a system which by design puts all of its eggs in one basket, and is dependent on that basket being made impregnable via measures which the Government will never reveal or discuss. Trust us...

Costings update

On which subject, the Home Office has published its promised rebuttal of the London School of Economics' report on ID cards. The Home Office document (available here) has a very brief section on costings, which largely boils down to claims that the LSE used the wrong figures, and that the Home Office has access to other figures (which it still won't share with us) that justify its own costings entirely.

As William Heath points out at Ideal Government, "How the assumptions work comes down to whether you trust the Home Office, its intentions, and its manner of doing business. Of course the Home Office has a self-image of itself as the good guys being hampered by a tedious liberties lobby in its fight against evil. It trusts itself. But it hasn't won many friends during all this process. The cause did seem to win Tony Blair as a convert. And there's a cluster of businesses hoping for patronage. But I've yet to hear of anyone won over by the arguments as put by the Home Office."

It's doubtful whether the Home Office rebuttal merits a rebuttal rebuttal, but now the wretched thing exists we face the tedious prospect of Ministers confidently claiming that the LSE study has now been thoroughly discredited. The LSE is preparing its response, but has told Kable that the Home Office document contains substantial material errors and appears to contain false assumptions about the LSE's alternative blueprint. ®
