Feeds

'RFID the lot of them!' UK ID card to use ICAO reader standard

Hello, the National Tagging Register...

  • alert
  • submit to reddit

Security for virtualized datacentres

Because of the nature of the technology, there will be a risk whenever the card is being used for identification, rather than solely when it is being 'officially' read via its contactless capability. For most purposes this capability is unlikely to be needed.

Burnham says that the forms of verification currently being considered are "card, PIN and biometric identification", i.e. whether the picture matches the face, whether the bearer can enter the PIN and whether the biometrics of the person match either those on the card (local check) or the National Identity Register (online check). These forms of verification are being discussed with "various organisations who would be potential users", and the discussions cover "what performance is acceptable".

The discussions have not yet reached a conclusion, but it seems perfectly possible that the Home Office's vaunted scheme, protected by magic biometric technology, will in most cases operate as picture ID or a pin-protected card, which are the options least likely to add to cost and inconvenience to interested organisations.

In those cases where a biometric check is used, the Home Office has been considering measures that could be employed to combat spoofed biometrics. Burnham didn't give an answer on the use of contact lenses to fool iris recognition, but said that methods to deal with faked fingerprints could include "selecting a random finger for verification, from those available, rather than using only one fingerprint on all occasions. This also gives flexibility around issues arising from short term damage to fingers, such as a cut." This interesting idea, one notes, would inevitably add greatly to delays, confusion and failure rates at border checkpoints, and prove discouraging to commercial organisations considering using the more secure (allegedly...) biometric check.

One of the bodies the Home Office is consulting on biometric security issues is GCHQ's Communications and Electronic Security Group. We note that this organisation's FAQ currently includes this categorical statement: "There are currently no approved biometrics applications, and we do not expect any to be available in the near future as none of the technologies have yet, in our view, reached the stage where we would be happy with them as the sole access control mechanism." Have they told the Home Office?

While they're about it, they might care to discuss the use of single identification numbers, where the Home Office's views seem somewhat underdeveloped. Asked what assessment of the risks posed by the use of a single national identity number had been made, Burnham replied that an "extensive risk assessment of the use of a single identifying number has been conducted by experienced fraud and security experts. This has resulted in the selection of a new single identifying number that is unrelated to any number issued by the Government at the present time." So, the Government has assessed that existing identity number systems are too broken to use, and decided to invent a new, universal one instead.

It's worth noting that the Home Office's answers on issues of verification and security almost all lead to "the integrity of the National Identity Register" as a backstop. Thus, the "performance of one particular identifier or technology [which might be used in verification] is not the key determinant" because during enrolment a false match on one particular biometric "would be resolved by other biometric matches or by inconsistencies with the information held about the applicant and the record against which it had been matched." Which appears to indicate that the primary concern is for the data held by the Government to be solid, with the security offered to the user (which is surely the user's primary concern) coming a distant second or third. Similarly, supervision of enrolment would "reduce" (sic) the likelihood of fake biometrics being successful, and details of how the Government proposes to stop this becoming a simple key to ID fraud cannot be provided "in order to protect the integrity of the National Identity Register."

Effectively, it's a system which by design puts all of its eggs in one basket, and is dependent on that basket being made impregnable via measures which the Government will never reveal or discuss. Trust us...

Costings update

On which subject, the Home Office has published its promised rebuttal of the London School of Economics' report on ID cards. The Home Office document (available here) has a very brief section on costings, which largely boils down to claims that the LSE used the wrong figures, and that the Home Office has access to other figures (which it still won't share with us) that justify its own costings entirely.

As William Heath points out at Ideal Government, "How the assumptions work comes down to whether you trust the Home Office, its intentions, and its manner of doing business. Of course the Home Office has a self-image of itself as the good guys being hampered by a tedious liberties lobby in its fight against evil. It trusts itself. But it hasn't won many friends during all this process. The cause did seem to win Tony Blair as a convert. And there's a cluster of businesses hoping for patronage. But I've yet to hear of anyone won over by the arguments as put by the Home Office."

It's doubtful whether the Home Office rebuttal merits a rebuttal rebuttal, but now the wretched thing exists we face the tedious prospect of Ministers confidently claiming that the LSE study has now been thoroughly discredited. The LSE is preparing its response, but has told Kable that the Home Office document contains substantial material errors and appears ot contain false assumptions about the LSE's alternative blueprint. ®

Related stories:

Make ID cards foolproof pleads Met chief
Clarke's ID card cost laundry starts to break surface
Privacy groups slam US passport technology

Choosing a cloud hosting partner with confidence

More from The Register

next story
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.