Feeds

'RFID the lot of them!' UK ID card to use ICAO reader standard

Hello, the National Tagging Register...

  • alert
  • submit to reddit

Security for virtualized datacentres

Because of the nature of the technology, there will be a risk whenever the card is being used for identification, rather than solely when it is being 'officially' read via its contactless capability. For most purposes this capability is unlikely to be needed.

Burnham says that the forms of verification currently being considered are "card, PIN and biometric identification", i.e. whether the picture matches the face, whether the bearer can enter the PIN and whether the biometrics of the person match either those on the card (local check) or the National Identity Register (online check). These forms of verification are being discussed with "various organisations who would be potential users", and the discussions cover "what performance is acceptable".

The discussions have not yet reached a conclusion, but it seems perfectly possible that the Home Office's vaunted scheme, protected by magic biometric technology, will in most cases operate as picture ID or a pin-protected card, which are the options least likely to add to cost and inconvenience to interested organisations.

In those cases where a biometric check is used, the Home Office has been considering measures that could be employed to combat spoofed biometrics. Burnham didn't give an answer on the use of contact lenses to fool iris recognition, but said that methods to deal with faked fingerprints could include "selecting a random finger for verification, from those available, rather than using only one fingerprint on all occasions. This also gives flexibility around issues arising from short term damage to fingers, such as a cut." This interesting idea, one notes, would inevitably add greatly to delays, confusion and failure rates at border checkpoints, and prove discouraging to commercial organisations considering using the more secure (allegedly...) biometric check.

One of the bodies the Home Office is consulting on biometric security issues is GCHQ's Communications and Electronic Security Group. We note that this organisation's FAQ currently includes this categorical statement: "There are currently no approved biometrics applications, and we do not expect any to be available in the near future as none of the technologies have yet, in our view, reached the stage where we would be happy with them as the sole access control mechanism." Have they told the Home Office?

While they're about it, they might care to discuss the use of single identification numbers, where the Home Office's views seem somewhat underdeveloped. Asked what assessment of the risks posed by the use of a single national identity number had been made, Burnham replied that an "extensive risk assessment of the use of a single identifying number has been conducted by experienced fraud and security experts. This has resulted in the selection of a new single identifying number that is unrelated to any number issued by the Government at the present time." So, the Government has assessed that existing identity number systems are too broken to use, and decided to invent a new, universal one instead.

It's worth noting that the Home Office's answers on issues of verification and security almost all lead to "the integrity of the National Identity Register" as a backstop. Thus, the "performance of one particular identifier or technology [which might be used in verification] is not the key determinant" because during enrolment a false match on one particular biometric "would be resolved by other biometric matches or by inconsistencies with the information held about the applicant and the record against which it had been matched." Which appears to indicate that the primary concern is for the data held by the Government to be solid, with the security offered to the user (which is surely the user's primary concern) coming a distant second or third. Similarly, supervision of enrolment would "reduce" (sic) the likelihood of fake biometrics being successful, and details of how the Government proposes to stop this becoming a simple key to ID fraud cannot be provided "in order to protect the integrity of the National Identity Register."

Effectively, it's a system which by design puts all of its eggs in one basket, and is dependent on that basket being made impregnable via measures which the Government will never reveal or discuss. Trust us...

Costings update

On which subject, the Home Office has published its promised rebuttal of the London School of Economics' report on ID cards. The Home Office document (available here) has a very brief section on costings, which largely boils down to claims that the LSE used the wrong figures, and that the Home Office has access to other figures (which it still won't share with us) that justify its own costings entirely.

As William Heath points out at Ideal Government, "How the assumptions work comes down to whether you trust the Home Office, its intentions, and its manner of doing business. Of course the Home Office has a self-image of itself as the good guys being hampered by a tedious liberties lobby in its fight against evil. It trusts itself. But it hasn't won many friends during all this process. The cause did seem to win Tony Blair as a convert. And there's a cluster of businesses hoping for patronage. But I've yet to hear of anyone won over by the arguments as put by the Home Office."

It's doubtful whether the Home Office rebuttal merits a rebuttal rebuttal, but now the wretched thing exists we face the tedious prospect of Ministers confidently claiming that the LSE study has now been thoroughly discredited. The LSE is preparing its response, but has told Kable that the Home Office document contains substantial material errors and appears ot contain false assumptions about the LSE's alternative blueprint. ®

Related stories:

Make ID cards foolproof pleads Met chief
Clarke's ID card cost laundry starts to break surface
Privacy groups slam US passport technology

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Murdoch to Europe: Inflict MORE PAIN on Google, please
'Platform for piracy' must be punished, or it'll kill us in FIVE YEARS
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.