Feeds

KIlling ID cards and the NIR - the Tory and LibDem plans

This week the parties opened up on how they'll go about it

Combat fraud and increase customer satisfaction

Just throw it all away?

LibDem spokesman Chris Huhne's stance is rather more radical, and has a certain appeal for security techies. He'd dump ID cards and the NIR, but he would not be storing biometric data (hence his question to Grayling). He points out that "the document would have the biometric data and it is an additional guarantee of veracity. Why is it necessary to go one step further and store it centrally?"

Huhne's argument here is that so long as one has confidence in the integrity of the document (passport) itself, one can have confidence in the biometric data on the chip. So comparing the bearer's biometric data with the data stored on the chip can be used to provide an accurate identification of the bearer. You don't need a central store or an online lookup, so you don't need to keep the biometric data. Online, or at all? It seems the LibDems are proposing to go for the 'not at all' option, which we think is one of those decisions civil servants would describe as 'courageous'.

But it's a perfectly rational approach, its main defect being that you've no ready mechanism for stopping the same person getting more than one passport, in different names. It assumes that no ID system is invulnerable, and that you're prepared to accept a trade-off between cost and fraud. Which is true - and a 'courageous' admission.

Huhne does however lose points on biometric identification: "During questions today, the Home Secretary was asked about the point of biometric data if they were not on the database, and on that issue we have an important point of difference with Chris Grayling. The answer is easy: biometrics enable the authorities to check that the holder of a passport — or, indeed, a card — is who they say they are. Biometric data such as fingerprints are much less easy to forge and equipment enables them to be checked; we do not need to put the data back on a database to make them useful. A central database is another logical step — a disproportionate one, in our view — in achieving higher security against identity fraud."

Now, how does this work under the proposed LibDem regime? Absent facial recognition software at the border that actually performs better than an attentive human and version one biometric passports are no better and no worse at identifying the bearer than picture ID - because that's what they are. So long as you have a mechanism at the border for determining with a reasonable degree of certainty that the chip hasn't been tampered with, then you can also be reasonably certain that the picture hasn't been tampered with. So if it's not the person pictured in the passport it's somebody who looks a bit like that person, right? This isn't quite the same thing as Huhne is saying (see tedious footnote**).

He is right, however, that fingerprints are much less easy to forge, and can be more readily checked by machine (theoretically - that is reportedly not the case if the machines are part of a Home Office trial). Fingerprint biometrics do tie the bearer to the document more securely than facial ones. But, erm, there's a slight problem here. Although Huhne here appears to be an enthusiast for fingerprints, and in some senses his 'we don't need to keep the data' pitch would be strengthened by their presence in passports, this isn't actually LibDem policy - or at least it wasn't in March, when a LibDem position paper said "The International Civil Aviation Organization (ICAO) only requires that passports are machine readable and contain a facial image. Liberal Democrats would... adhere to the ICAO standards."

Huhne's office actually sent us the policy paper, and we've asked them for clarification of what the policy is now. We'll update as and when they get back to us.

Overall, though, the picture is fairly positive. Both major opposition parties clearly are going to kill the NIR project in addition to dropping ID cards, and what they're saying makes it clear that they're going to have to rein-in IPS as well in order to deliver. IPS' quest to become the UK's standard identity services broker will, unless Labour gets back in, be over. Neither party seems yet to be fully on top of the technicalities of 'biometric' passports, but they both seem to be in the right ballpark, and with the right advice they'll surely get there. ®

** There is a widely - near-universally - held belief that the ICAO biometric passport standard is about identifying people. But it really would be a help if politicians could grasp the more subtle truth when they're considering ID systems. ICAO is about the document, and defending the integrity of the document. It does not issue passports, QED it has neither responsibility for or control over the identity of the person carrying the document, right?

So, the point of the 'biometric' in the passport is that it is one of a number of visible pieces of data in the passport book which are duplicated on the chip in the passport. Changing the visible data has always been and always will be achievable, but changing the data on the chip to match, without it being evident, is a lot harder (some of the reasons why here.) So in rev one, the 'biometric' in the chip is there mainly for document protection purposes, and for identification purposes it's no better and no worse than a picture. By adding fingerprints you do - assuming the widespread deployment of fast and accurate fingerprint readers - tie the document more securely to the individual, hence you have the makings of an ID system. But this isn't really a whole lot to do with ICAO, and it's not an ID system that came 'free' (as Labour would have it) with biometric passports. It's one you bolted onto biometric passports, and there's a whole bunch of other stuff you need to build out in order to make it much use. As a 20th Century ID system, that is. See here for why that's not a good idea.

SANS - Survey on application security programs

More from The Register

next story
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
Banks slap Olympus with £160 MEEELLION lawsuit
Scandal hit camera maker just can't shake off its past
France bans managers from contacting workers outside business hours
«Email? Mais non ... il est plus tard que six heures du soir!»
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.