Government pitches ID cards as fix for online ID fraud

The Home Office is considering pitching the UK identity card scheme as a fix for online and 'card not present' fraud, according to answers given to parliamentary questions by Home Office Minister Andy Burnham earlier this week. The Home Office has previously indicated that it foresees the possibility of ID cards being used to support financial transactions at some point in the future (for example, when the deployment of future generations of ATMs might allow the ID card to 'piggy back' on the banking networks), but it now seems that it anticipates more immediate financial uses for the ID cards.

According to Burnham, there is "an opportunity for the identity card scheme to combat online fraud", and the Home Office is looking at possible mechanisms for secure remote authentication, "including use of one-time password technology." In recent debates on the ID card scheme, Home Office Ministers suggested that a PIN could be used to allow people to check information held on them in the National Identity Register via the Internet; however, PIN alone is clearly not an adequate gatekeeper for general Internet access to something in the region of 60 million records, and the latest statements suggest that perhaps the Government is beginning to grasp this.

But the Home Office's difficulties here will stem from its belated discovery of the need to bolt aspects of the right kind of ID system onto the wrong one. The UK ID scheme as originally envisaged and currently advertised hinges on the magic of 'biometric security' protecting your identity, but this security is worthless in transactions where the card isn't checked by a card reader or where the bearer's biometrics aren't checked online. It turns out that this will likely be the case with most transactions, and obviously in the case of online ones the basic ID scheme has no mechanism for determining whether the card or the user is actually present (wherever 'present' might be, online).

So the Home Office first considers PINs then, er, moves on to "one-time password technology" and makes aspirational statements about "secure remote authentication", which is a hell of a lot easier to say than to do. Government IT chief Ian Watmore put it rather better by outlining the right kind of ID system in his recent Transformational Government document: "Government will create an holistic approach to identity management, based on a suite of identity management solutions that enable the public and private sectors to manage risk and provide cost-effective services trusted by customers and stakeholders. These will rationalise electronic gateways and citizen and business record numbers. They will converge towards biometric identity cards and the National Identity Register."

That is, Watmore's plans for a radical, citizen-centric approach to Government services and IT will require highly sophisticated identity management systems, and these will (so long as they actually work) be able to underpin transactions in both the public and the private sectors. Watmore needs the right kind of ID systems for this, and we can perhaps allow ourselves a chuckle as we observe them 'converging' towards the wrong one, the national ID scheme - which, as it's a Government policy-totem, we're going to get, and Watmore is going to have to cater for, anyway.

According to Burnham the security technologies the Home Office is currently considering with the help of "representative groups from both private and public sectors" could give "greater assurance of the identity of credit card or account holders when conducting transactions over the internet, telephone or post in the future". But at what point will the Home Office's plans meet Watmore coming in the other direction?

The difficulty here lies in the fact that the Home Office's needs are more immediate than Watmore's. It definitely needs to do something about validating ID when there isn't a card reader available, so effectively it's going to have to add 'good enough' verification systems well in advance of any kind of national identity management systems being ready for deployment. And although representatives from the financial sector will undoubtedly be among the private sector bodies it's consulting, there seems little chance of the banks and credit card companies viewing the ID scheme in its first iteration as able to secure anything other than major transactions (where it might well be viable to check biometrics). So what is it about the forthcoming ID scheme security systems that will provide "greater assurance of identity" than the banks and credit card companies have already got online? We look forward to finding out, and we're also particularly interested in how they will protect, as Burnham suggests, postal transactions.

How the other half represses: Amusingly, David Blunkett's notions of the ID card as a mechanism for building community, a sense of belonging, and general inclusiveness flew like a brick in Home Office focus groups. In Egypt, however, we have ways of making inclusiveness work, and people are demanding (presumably, given the nature of the regime, quietly and politely) ID cards. According to Foreign & Commonwealth Office Minister Kim Howells, the new computerised Egyptian ID card requires citizens to be Moslem, Christian or Jewish, and "Egyptian citizens of other religions will not be entitled to an identity card, and may therefore suffer from lack of access to public services". Among other things, Kim... A resolution in the US House of Representatives earlier this year said that, according to the US Commission on International Religious Freedom's 2005 report on Egypt, "discrimination, intolerance, and other human rights violations committed by Egyptian authorities affect a broad spectrum of Egyptian society, including Muslims, Coptic Christians, Jews, Baha'is and members of other religious communities." So would you rather be suspect because you haven't got an ID card, or suspect because of what your ID card says you are? Decisions, decisions... ®