ID cards: a guide for technically-challenged PMs

Save us all billions - don't do it, Tone...

By John Lettice

Posted in Security, 5th April 2004 13:55 GMT

Special Report: Think about it - it wouldn't be compulsory if you had a choice, would it? David Blunkett's national ID card scheme has had more spikings than Dracula, yet each time has plucked the stake from its heart and continued its purposeful stride towards the statute book.

In early November the British Cabinet opted for voluntary schemes to build a base, with a compulsory scheme coming "when the conditions for moving to a compulsory card are met." Days later, there was Blunkett before Parliament making what sounded like a victory speech. With or without a green light for national ID cards the bulk of the cost is to be incurred anyway, he made it clear. The system is to be brought in for passports, driving licences and a series of special cases (overseas residents, asylum seekers...) anyway, so as Blunkett spun it there's only an extra £4 each to be incurred for the full scheme, so, what the hell, we might as well go ahead.

And just last week Tony Blair gave cards his seal of approval, claiming that civil liberties objections had been largely overcome, and that the main challenges now were technical. Indeed they are, Tony, but we fear you have little grasp of how big they are.

So how the blazes did this happen? Why is the UK sleepwalking into an ID scheme that has not been discussed, but that is nevertheless somehow moving ahead at full steam? And, for that matter, why is Europe doing so? The United States? The world?

We might as well do it, anyway

One of the other major components of Blunkett's standard 'we might as well do it anyway' presentation is the incontrovertible fact that Europe has standardised biometrics for ID roadmapped, and that the US will be requiring biometrics on passports shortly. These two having moved, there does seem a certain inevitability to the rest of the world moving as well. So, if biometrics are to become the global standard for ID, we're obviously going to have to invest in biometric systems for our ID documentation, which is why there's no point in asking people whether or not they want biometrics on their passports and driving licences.

Which is all perfectly logical, except that there's one little nagging question - how did biometrics become the accepted, logical, inevitable international standard for ID in the first place?

Well, it's obvious, isn't it? If your fingerprints are found at the scene of the crime, then you almost certainly did it, didn't you? And similarly, other apparently unique characteristics such as your iris, your DNA and so on can prove conclusively who you are, where you are, and where you've been.

This obviousness clearly drives David Blunkett. He is unshakably convinced that, as biometrics identify the individual with a high degree of certainty, it stands to reason that biometrics provide a sound foundation, probably the only sound foundation, for ID systems. On the one hand we shouldn't be too hard on him for this, because it's a conviction shared by much of the population, but on the other he is part of the team that's supposed to be running the country, so it seems to us he has a certain responsibility to think it through. Just a bit.

Given that the alleged free world is already barreling down this route with little or no sign that anybody has paused to think it through, we don't hold out a great deal of hope that they'll do so now, meaning they're all going to have to learn the hard and expensive way. But just in case there is the odd politician out there still prepared to consider the possibility that it does not stand to reason, we here propose a short, readily-understood Register explication of why it does not, and why, if we don't wake up very soon, we will end up spending several billion on proving to ourselves it does not.

Biometrics work

Did we ever say they didn't? In the shape of fingerprints, biometrics have provided a highly accurate mechanism for identifying criminals for many years now. In this role they clearly work, and their accuracy has contributed heavily to the general viewpoint that fingerprinting must therefore surely be a kind of gold standard for identity. But think - what mechanisms are used and what data is required in order to match a suspect up with the scene of the crime? Well, first of all, you need a crime at which a fingerprint is left - note that this will in most cases be absent when a fingerprint is being used to check identity, but a databank containing the relevant fingerprint alongside hundreds of millions of others will exist.

In the case of the scene of the crime fingerprint, the matching is done against a database of known suspects and criminals, and may also be compared with the fingerprints of specific suspects. The matching process can be time-consuming and can involve a considerable amount of manual effort, but this is acceptable on the basis that the search being conducted is limited and relatively targeted. But on a wider, a far, far wider basis, this all gets complicated.

The fingerprints you leave vary to an extent, and although this won't save you if you left them at the murder scene, it can most certainly confuse automated systems. Obviously, the checking of fingerprints that are being used as the standard to validate ID documents has to be automated. You could leave a different print depending on the surface you touch, what you've been touching recently, how clean your hands are, or what you've been working with.

Bricklayers, apparently, tend to have rather faint fingerprints. So you can maybe think of fingerprints as being a little bit analogue, variable enough to confuse machines, although still static enough to be readily-identifiable by human experts. It may be significant that already, just a few months into its introduction of fingerprint checking, the US government has started trying to define standards of compatibility for fingerprint reading equipment. This may be entirely because it's simply concerned about incompatibility, but could also be flagging growing matching problems.

Ultimately these can probably be licked by the application of computing power, but this is not the only difficulty. Let's assume we have a passport or a driving licence with a fingerprint on it, and a bearer we wish to match up. The simplest way to do this is as a local transaction. You have what ought to be a clear and standard print on the passport, you have what ought to be a pretty effective machine for reading fingerprints (sole purpose of machine - if it is ineffective, you have a big problem with your supplier), and you have a finger. Should be easy, right?

Whose identity is it anyway?

Well it is, because all you're doing is checking two things. First you're checking that the finger of the bearer is the finger that left the print in the passport, which ought to be easy, and second, you're checking that the passport is genuine. Which is maybe harder. Virtually all countries have some level of problem with forged and falsely obtained passports. In the case of forgery it's a continual battle to make it harder (and actually, biometrics are a pretty good addition to the armoury in this area, because at this level they're relatively cheap and effective). Falsely obtained passports are however a lot trickier.

Biometrics on a document can by themselves only provide conclusive proof that the person presenting the document is the person whose biometrics are on the document, not who that person is. If you wish to be absolutely certain of this, then you need to be absolutely certain of the integrity of the issuing authority.

In the UK at the moment, we can really only go as far as saying there is a high probability that the integrity of the Passport Office has not been compromised in the case of a particular document, and that there is a fairly high probability that the integrity of the DVLA has not been compromised with respect to a drivers licence. But it happens in both cases, and while steps are slowly (very slowly) being taken to increase the confidence we can have in these documents, only a fool would say fraud can be absolutely eliminated.

It's no accident that passport and drivers licence are being used as the cornerstones of the UK's universal identity card scheme, but beyond that we have a significant percentage of the population which will need to be added, without the creation of new false identities, and the integrity of the system as a whole will only be as good as the integrity of the authorisation used for this part of the population. Although most of these people will have some other kind of identifier, such as a national health or national insurance number, these are already too compromised to provide a solid basis for identity.

The current controversy in the UK over the entry of economic migrants also provides us with an example of how the overall integrity of a national ID system can be compromised. The numbers involved are apparently small in this case, but nevertheless a system which is designed to make decisions on the basis of validated data (in this case, concerning the subject's identity, resources and business plans) has been compromised by the rubber-stamping of applications based on fraudulent data.

This route could have been used to convert false ID into legitimate UK ID. In this case the loophole appears to have been created by the operators (it's not yet clear at what level) overriding control systems in order to deal with backlogs. All large-scale data processing operations are vulnerable to this, and it would be reasonable to presume that large-scale ID data processing systems will at least initially introduce many vulnerabilities of this kind.

Do not worship false identities

Overall in the UK, however, we're sitting comparatively pretty. Our issuing authorities are honest and reasonably efficient, so we can be reasonably confident that the bearer is who the document says they are. This is not the case elsewhere. In the home of the war on terror, the drivers licence is used as a form of universal identity card, has historically been obtainable under assumed names with ease, and has therefore (well after 9/11) provided a ready basis for the creation of false identity. A massive and immediate tightening up of the issuing systems in the US would simply choke off one major source of new false identity, while the elimination of existing ones would be a far more daunting task.

You can slowly reduce, maybe almost eliminate, false identity in the developed world, but what of the rest? There are plenty of countries whose documents, because of fraud, incompetence, inadequate systems or plain old political collapse, you would reasonably suspect. But in between the documents you're fairly sure of and the documents you're reasonably sceptical of you have a fairly large area that will surely be targeted by the sensible terrorist in search of false identity. If one can bribe an issuing officer in a country whose passports nevertheless provide a reasonably high level of confidence (a close ally of the United States would be good), then who needs to mess around with forgeries?

So, back at the desk with the passport and the finger, we can be reasonably sure that a local check will be sufficient in the case of quite a number of documents we're fairly sure we can rely on, but not in the case of large numbers of other documents, which are those most likely to be carried by the people we would like to suspect - illegal immigrants, drug smugglers, terrorists - if we had the means to suspect them. So we need to check more.

I know, let's do the show online!

As the US, with the enthusiastic support of Europe, is to all intents and purposes compelling the world to adopt biometrics as the ID standard, we will have an ever-growing, ever more global, database first of fingerprints, then of faceprints. 60 million for the UK, say 300 million plus for the US (they're already collecting), 4-500 million for Europe, and so it goes on. The arrival of modern standards of biometrics in passports will result in the production of matching (perhaps...) databases in the countries of the issuing authorities, and in an increasing exchange of these databases between countries.

The challenges here are obvious, and the data you're most likely to want to run an online check on (we've already established we'll trust most UK ID) is precisely the data you're going to be least sure of, and have most trouble in keeping up to date. You're not just going to have to check that a usually static data combination of biometrics and name/ID is valid, but all sorts of other stuff as well.

Do the biometrics associated with the ID you're currently checking also apply to a previously used, different, ID? You can only be confident that they don't if you're prepared to crunch through the lot looking for duplicates. Also, you are going to need to be sure that matters that should be associated with the ID (outstanding warrants, recent atrocities, the deep suspicions of the CIA or the Humberside police) have been. So you're really talking about pouring vast amounts of data from many diverse (and unreliable) sources into the global database very, very frequently.

That's clearly a Big Brother nightmare, but it probably needs worrying about more on the grounds of the amount of money we're going to spend on it than because it's actually going to work. The problem for the authorities here, however, is that they're going to have to try to make it work if it is going to deliver what they say it's going to deliver. If you do not check for duplicates, for example, then the system is not going to tell you that Fred Bloggs of Solihull is in fact Osama bin Laden. A silly example? Yes and no - obviously, it is not very likely that our current entry systems are going to let someone called Fred Bloggs walk through when they look strangely like Osama bin Laden. However, if he checks out as Fred Bloggs, UK citizen, with no record under our future automated systems, then general appearance is rather less likely to be challenged, or even noticed. So the assumed reliability of the systems could actually increase the security of fugitives in the event of their having successfully obtained clean, genuine ID.
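The gap between the local check and the duplicate search can be shown with a toy matcher. This is an added example, not part of the original article: the 256-bit templates, the noise level, the match threshold and the record names are all constructed for illustration, and real biometric matchers are far more elaborate.

```python
import random

BITS = 256
THRESHOLD = 0.25  # assumed: largest fraction of differing bits still called a match


def new_template(rng):
    """A constructed stand-in for one person's true fingerprint features."""
    return [rng.randint(0, 1) for _ in range(BITS)]


def capture(template, rng, noise=0.05):
    """One reading of a finger: prints are 'a little bit analogue', so bits flip."""
    return [bit ^ (rng.random() < noise) for bit in template]


def distance(a, b):
    """Fraction of positions at which two readings disagree."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def local_check(document, live_sample):
    """1:1 check: is the bearer the person whose print is on the document?"""
    return distance(document["template"], live_sample) <= THRESHOLD


def duplicate_search(register, live_sample, claimed_name):
    """1:N check: other enrolled names whose stored print matches this bearer."""
    return [rec["name"] for rec in register
            if rec["name"] != claimed_name
            and distance(rec["template"], live_sample) <= THRESHOLD]


def run_scenario(population=500, seed=2004):
    rng = random.Random(seed)
    fingers = [new_template(rng) for _ in range(population)]
    register = [{"name": f"citizen-{i}", "template": capture(f, rng)}
                for i, f in enumerate(fingers)]
    # Person 0 is issued a second, genuine document under another name
    # (the issuing authority was deceived or compromised).
    second = {"name": "fred-bloggs", "template": capture(fingers[0], rng)}
    register.append(second)
    live = capture(fingers[0], rng)       # reading taken at the desk
    stranger = capture(fingers[1], rng)   # someone else holding the document
    return {
        "local_check": local_check(second, live),
        "impostor_rejected": not local_check(second, stranger),
        "duplicates": duplicate_search(register, live, second["name"]),
        "comparisons_for_search": len(register) - 1,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The local check binds the bearer to the document and rejects a stranger, but only the search across every other record reveals that the same finger is already enrolled under a different name, and its cost grows with the size of the register.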

If you take a rational and realistic view of the current capabilities of the technology, and of what it will be capable of in the foreseeable future, then you'll realise that in almost all cases the system will default to the local check, and we'll be running on the current procedures (visual, customs officer's suspicions, watch-lists) to determine when further checking is required. This realistic view is however not necessarily shared by the people commissioning the systems. Some months back Fiona Mactaggart, a Home Office Minister (at time of writing anyway) wrote in a self-exculpatory piece in The Guardian that in the future we wouldn't actually need passports and documentation.

Which is absolutely true, if you're checking biometrics against a central database every time, for every individual, whenever identification is required. Under these circumstances documentation, plastic, even clothing is entirely unnecessary, because you are your identity. Fiona did not say at what point in the future this scenario would be technically achievable, but it's all too likely that the Home Office thinks it's a lot closer than it really is, and that it will be developing accordingly.

Polluted inputs

We've already looked at several examples of polluted inputs that could undermine the system's integrity - false US ID, inadequate, arbitrary or cursory UK checking systems, and input systems from many other parts of the world whose reliability is debatable. These can clearly provide routes for the people you wish to intercept to pass through your control points and swim happily in your system. But what about the broader issue of what you do about those individuals who do not have ID that can be processed by your systems? Most of the world's population currently falls into this category, and that will likely remain the case for many years - so what do you do about them?

Well, in order to process them you need to give them some form of ID that your system can process, and on a small scale we're already doing this. Most people visiting the US will now, one way or the other, have their biometrics on the US database, and the UK has been phasing in fingerprinting of travellers coming from areas with a high incidence of asylum seekers. But what are we actually doing in these cases? Effectively, we're creating an ID that is valid within our system for the individual, and as always that ID is only as good as the inputs on which we base our decision.

The US or British consular official who grants the ID will make the decision on the basis of interview and supporting documentation, but how sure can we be about the validity of the information presented? And the more applications we have to process, the less likely we are to conduct examinations of the detail necessary for us to have confidence in that information. To avoid either being overwhelmed or ending up presiding over a rubber-stamping system, we therefore have to pressure countries to introduce ID systems which we can then presume provide a valid and accurate statement of an individual's identity. But will we really be confident in these, or will we simply be making that presumption in order to stop our own systems breaking down?

So who the hell do you think you are?

We shouldn't get too sniffy about the reliability of identity systems in the developing world, because when it comes down to it we in the west have precious little justification in being so damned sure about identity. Try this little parlour game, which I promise you has a moral to it. Ask yourself who you are, how you know this, and how far back in your life you can get before you start to get a little doubtful. You won't get anything like so far back if you perform the exercise on friends and family, but stick with yourself for the moment. Your family can vouch for you up to a point - but are they telling the truth? You have a birth certificate, but is this really you? Is the information on it correct? How do you know?

Fingerprints don't work when you're born (even David Blunkett doesn't fingerprint newborn babes yet, anyway), and general DNA testing at birth doesn't exist yet either. But say it did, and you were then able to point out that your DNA matched the DNA on the birth record, therefore you were definitely you... Er, who? Of itself this simply means your DNA matches the birth record, which is just as close to establishing ID as your fingerprint matching your passport (we covered this, right?). But it also provides proof that you are related to the people in your immediate family (or not - hey, mom...), and various things about your broader ancestry.

Effectively, what it's doing is establishing an identity for you in relation to the identities of a number of people surrounding and preceding you. But your identity, or what you think of as your identity, is something that has been assumed, generally, and by the accepted systems, as genuine at some point. This is probably around time of birth, but not necessarily, and not entirely - Fergusson, for example, suggests a Fergus as parent (allegedly...) at some point in the past, while Smith suggests an ancestral occupation and Pasteur a dairyman (joke - don't write in).

Identity is actually something that is established through a series of factors, history, occupation, location, parentage, and the whereabouts and circumstances of you or your ancestors when state systems began to require fixed and recorded tagging systems. The existence of these fixed systems does not however mean that you do not have multiple identities or identifiers (more people in my street, for example, will know me as the bloke at the top of the road with the dodgy old motor than will know me by name), nor does it mean that what they regard as fixed is what you personally regard as your identity.

But they've got something they're happy to think of as your unique identity, and we think of what's happening now as a successor to the processes that defined that ID for them. In developed countries at some point in the past couple of centuries the music stopped, censuses were taken and identity standards were defined. Now governments are pushing for a similar, global exercise that will result in everybody having what government will view as a standard identity, and where there is no pre-existing reliable identifier (as in the instances where people who didn't use surnames were assigned them), a new, relatively arbitrary one will be created.

As we've seen, this doesn't get us very far, because what we're interested in is the things that are associated with this identity, rather than the identity itself. Granted that false identities will inevitably be imported into the new systems, we'll need to wait at least a generation for these to work through, and granted that the systems' efficacy in fighting crime is dependent on accurate input of new associations, we'll need to wait a lot longer than that. But we will be able to say who everybody was saying they were when they first entered the system. Cool - but is it helpful, or worth the money? ®

