Saturday, April 09, 2005

More on ID cards

Kim Cameron does a speedy summary of the main points in a recent paper on the perils of the ID card initiative, published by the London School of Economics. Kim notes too that, whilst we are all busy, we should make time to read it. I'd encourage the same, but to give you a clue on what you'll come across when you flip through its 117 pages, here's a line from the summary
[ID cards] are too complex, tehnically unsafe, overly prescriptive [and] lack a foundation of public trust and confidence.
You can deduce, then, that they're not fans. They go on to say that the scheme is a "potential danger to the public interest." When I posted on ID cards a couple of weeks ago, I drew a couple of comments. One said that there was no reason that a new Prime Minister would want such a project on his CV. Perhaps the mystery commenter knows something that I don't, or has contacts in Birmingham who are experts in postal voting, but I wasn't expecting a change in PM this time round. The ID card bill may have been shelved for a while, but I don't suppose that the delay will be used to rework it into a new shape that might address the concerns raised in the LSE (or any other report). I know several folks working on the ID card project. I knew one more until yesterday, but they've moved on. The ones I know are at the very top end of my list of clever, practical people. They're not Tefal foreheads who will cover only the conceptual stuff, but folks filled with common sense and high competence in delivery. They are, though, only a minority in the whole team perhaps. Dan also wondered, in response to my question on how a search for any given biometric would be presented, that perhaps there'd be a PIN number to go with the card - you put the card in, type the PIN number, it scans your biometric, goes to the main system, fetches the biometric linked to that PIN number and then checks yours against the master record. Nice and simple I supposed. Of course, the PIN number is actually the ID number, so there'd be no need to type it in (assuming that there is space for 100 million plus variations, it will be a big number, and it will be printed on the card) - so inserting the card would automatically send a message to the big server in the sky to download the scan to compare yours with. Alternatively, the scan could be stored in the card and then compared with your own. Either approach would mean that the search for uniquess would have to be carried out when the card was issued - something that lengthens the issuance process but at least means that later interactions with the card would be quick. Having the scan on the card doesn't deal with the possibility of someone cracking how to produce cards, or alter the data on them. So perhaps Dan's approach is a good way of doing it? I'm still not convinced that I want to spend £5.5bn on it though.

9 comments:

  1. Damn, so he isn't going to retire after all in the third term?

    ReplyDelete
  2. Nope, he's going to go on and on and on. You think Mugabe has been around a long time, wait until you see Blair's record!

    ReplyDelete
  3. Hi Alan -

    I too have been interested to follow Kim's blog and read the LSE report.

    What I could not tell was whether the authors had also read the very interesting Home Office research report of late last year:

    http://www.parliament.uk/commons/lib/research/rp2004/rp04-093.pdf

    Best wishes,
    Robin

    ReplyDelete
  4. I don't know - do you think it helps or hinders the case?

    When I see things in that report like "Can ID cards be forged? invariably yes" I tend to start worrying.

    when I see that fingerprint is secondary to facial recognition and I think how hard it is to match finger prints let alone a large scale facial match database, I worry more.

    And then they go on to say that they doubt the ID database could be secured against hackers, I worry still more.

    A fascinating read, you're right. But it makes me want to spend £5.5bn even less!

    ReplyDelete
  5. I think it helps build the case that a national ID card is an expensive and complex proposition... at this stage, probably more expensive and complex than any benefit would offset.

    Still, at least it's *only* £5.5bn. Bush has already blown $4.5bn on border controls which appear to be useless, and is about to spend $82bn on "Real ID" cards...

    I'll post the links on my blog:
    http://blogs.sun.com/racingsnake

    ReplyDelete
  6. Hi again - here's the first link in the chain...

    http://blogs.sun.com/roller/page/racingsnake/20050510

    That will take you to my blog about Bush's budget for a splurge on technology with questionable cost/benefit prospects...!

    All the best,
    Robin

    ReplyDelete
  7. I thought it was worth leaving another comment, as today sees the re-introduction of the Identity Card Bill, and I suspect most of my original gripes are still valid....
    I've blogged about it here:

    http://blogs.sun.com/roller/page/racingsnake/20050525

    Best wishes,
    Robin

    ReplyDelete
  8. Anonymous2:31 pm

    ID Cards can be forged. Of course they can, but this isn't the issue, as I said to you by EMail a couple of years ago.

    What's special about a modern design of ID card, is that the interaction would be loggable, a chapess uses her ID card to pass through customs at Heathrow and only two minutes later it's used to rent a video at Blockbuster, Mosside. This clearly isn't possible without teleportation.

    It's kid's play to determine this has happened using modern technology, because we know the distances between everything. It's also kid's play to be waiting for the person to come back to drop off the video.

    What cards can and cannot do on their own isn't important anyway, since it's an enabler for lots of other clever things;

    for instance two people both turn up with an ID card at an hotel, and are photographed on the (previously unmentioned) corporate card reader. Bang, the government has the photo of the forger;

    or twenty chinese turn up for their salaries at Morecambe Bay, and bang the employer has to use their card to pay them, or somebody's at any rate, thus the black economy disappears in a puff of smoke.

    It's like credit card validation backed up by the police.

    My guess is the first step after introduction will be a blanket ban on companies and the self-employed paying for casual labour without logging the amount to an ID card. This way the company can't pay illegals (immigrantwise,) and no company can support tax evasion for the little people.

    That said, I wouldn't spend 5.5 billion on it either.

    ReplyDelete
  9. Anonymous1:59 pm

    Actually, I've thought of an enhancement already.

    If ID Cards, when used, had a 16 digit number that was updated from the government server, which was random (ie, not incremental,) and meaningless, but never repeating, then if someone did steal someone's identity, we'd know which of the two cards was the correct one almost immediately.

    At that point, the old bill could see what the dodgy one was being used for.

    ReplyDelete