Schneier on Security
A blog covering security and security technology.
« Sandia on Terrorism Security |
| Finding Nuclear Power Plants »
April 5, 2005
UK National IDs
The London School of Economics recently published a report on the UK government's national ID proposals. Definitely worth reading.
From the summary:
The Report concludes that the establishment of a secure national identity system has the potential to create significant, though limited, benefits for society. However, the proposals currently being considered by Parliament are neither safe nor appropriate. There was an overwhelming view expressed by stakeholders involved in this Report that the proposals are too complex, technically unsafe, overly prescriptive and lack a foundation of public trust and confidence. The current proposals miss key opportunities to establish a secure, trusted and cost-effective identity system and the Report therefore considers alternative models for an identity card scheme that may achieve the goals of
the legislation more effectively. The concept of a national identity system is supportable, but the current proposals are not feasible.
Posted on April 5, 2005 at 12:14 PM
• 21 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"The Report concludes that the establishment of a secure national identity system has the potential to create significant, though limited, benefits for society."
The idea of a NID would be to give limitless benefits to society. Some examples would be ease of use, convenience, levels of trust... etc. Why pursue a project that has concluded it will only provide "limited" benefits? Certainly not off to a good start.
"the potential to create significant, though limited, benefits for society"
Well, which is it? Significant or limited?
I thought this was the most quote-worthy, as it proposed a feasible approach to national security:
"Many of the public interest objectives of the Bill would be more effectively achieved by
other means. For example, preventing identity theft may be better addressed by giving
individuals greater control over the disclosure of their own personal information, while
prevention of terrorism may be more effectively managed through strengthened border
patrols and increased presence at borders, or allocating adequate resources for
conventional police intelligence work."
X must be stopped
Y will help stop X
therefore we must implement Y
ignore the fact that Y also has loads of sideeffects, and that Z would be much better at stopping X
X = identity theft, communism, terrorism, ...
Y = RFID, CCTV, National ID card or some other technological marvel
Z = trained professionals on the ground (police, customs etc.)
I think I would state it slightly differently:
1) Whereas we must control X, and
2) Whereas Y is an effective control for X
3) Therefore be it resolved by the pro-Z business leaders that the government should reduce spending on Y and instead lobby for as much research money and time as possible to develop Z...
Hey, at least after all the Industrial Military largesse of the 1980s the US ended up with a public version of GPS. Funny thing about these giant private industry-led leap-of-faith (e.g. research money) projects -- sometimes you do not know what the public is really going to adopt until the inventor has already sold the rights and retired to an airfield in Arizona.
> Well, which is it? Significant or limited?
Why can't something be significant _and_ limited? Seems logical to me.
The only way the ID card will avoid becoming a white elephant is if citizens directly benefit from easier access to govt AND commercial services. The normal citizen does not interact enough with just the govt to see real benefit over existing ID methods in that domain only.
But for real commercial services to use an ID card, the liability issues have to be fully resolved.
Has anyone heard about european clubs using implanted RFID chips in peoples hands for buying stuff in the clubs?
Think it was in Southern Spain
Unfortunatly it will not give the individual any benifits that are worth while or that they cannot just as easily obtain in different ways at considerably less expense to the individual.
The first problem is that the card only identifies the card, it does not identify an idividual (which is an extreamly difficult task). Basically there are three obvious ways to have a card that identifies you but with somebody elses ID,
1, Tamper with an ID card
2, Find another ID card that you
3, Put false information into the
system that generates the card.
All of the above have been done in the past with other ID systems (passports etc) the assumption by the UK Government (and it's a bad one) is that if the card is High Tech enough then it won't happen (no chance there is always an exploitable weekness in all systems).
THe real reasons behind the cards is two fold,
1, There are a group of UK Civil Servents who have brought ID cards to the attention of the every elected governement in the UK since they where abolished after the second world war. Each time they try a different tack and up untill now every elected government has quite rightly on balance rejected the idea.
2, Money, put quite simply the UK Government has a large number of disparate databases and this costs them money in a number of ways. Primarily it is for fraud reduction, if you have one national ID number then it is easy to check all the DBs for your entries and profile you to find out if you are hiding anything (unpaid tax, double claiming on benifit etc).
The Government also want to bring other non governmental databases into line such as bank system records for the same reason. It is adopting a carrot and stick type approach to this (there is banking legislation comming in in a year or so for mandatory reporting on transactions) part of it is that you will have to provide identification at the bank counter to take out your money. This ID is over and above that supplied by the bank for your account.
The banks cried foul about the expense of checking the ID's used etc, so guess what the National ID card has been touted as the solution, this will soon be the only way you will be able to open an account in the UK and it will be effectivly embeded in your account details in the computer systems (makes life easy for the UK government).
The banks love the idea of the ID cards, it exonerates them from ID theft and other legal niceties (such as the consumer credit act). It provides a single document to check which reduces their costs and it will also enable them to clean up all those old accounts into their profitable suspense system (ie you have to provide the ID to get the money).
Also the banks either part own or have a significant stake holding in a number of the companies bidding for the system. Each UK citizen is going to have to stump up between 50-200USD equivalent for a card, each and every time they need one. So with 50 million UK citizens and an expected 20% loss rate each year with 10% to 40% of people needing to get new cards (moving house etc) it's going to be a nice little earner...
If somebody invents a foolproof system then somebody smarter will manage to come up with a way round it. Just a fact of life.
With regard to identity theft I hear that it is more difficult to assume a false identity when you have to use multiple documents (drivig licence, passport etc) rather than just having to forge a single card.
The idea that somehow they will increase security is just a farce. Even at the height of the 1970-80's there was no ID card system introduced despite the fact that there were real bombs going off on a regular basis. But now, because of some sort of vague threat of international terrorism we all have to go and get our fingerprints taken!?!?!
They are having big problems in Northern Ireland about the cards - as half the population there are not really going to accept being classified as a British citizen! The only alternative for that is for the Irish to introduce an identical system so that people could use either form of card whether or not they live in the North or in the Republic. But for that to work, then there would have to be a sharing of data between the UK and Ireland abou their citizens - which lets face it is not going to happen smoothly, if at all! However Ireland is not exactly keen on the idea of ID cards even though they are being put under a lot of pressure to adopt it.
We'll see what happens.
I object to being biometrically tagged in some sort of livestock management programme where we are all told that it is being done for our own good.
There is a book by Kevin Warrick, Prof of Cybernetics at Reading University (UK), called "I, Cyborg" about his self implantation of a 'chip'.
I agree that chipping club-goers is of no real use in the ID world, but it does illustrate a fixation for high tech solutions instead of KISS. All the clubs need to do is to ensure that membership tickets are not transferable. - OK....Use a Photo! Does it REALLY matter if someone goes to great lengths to forge a ticket - NO!
Its different with national ID, because the risk/liability is far greater. Forgetting the spurious and ridiculous security arguments, a national ID card will always carry a risk of fraudulent enrollment. This risk, however small, will influence its use. The largest potential users of the national ID card are the banks. (in fact in Sweden, the banks issue the ID cards). The banks NEED to know the risk profile so that they can quantify their liabilities for the regulatory authorities. These risks can then be insured against, as HMG is unlikely to carry the liability itself. (An up-to-date Crown Immunity!)
It is always down to cost and risk;
* HMG wants to reduce costs.
* Application providers want to reduce risk
Finally, whilst almost all people will object to being tagged, it does not stop 99% of people acting like sheep!
The Brits ought to read their own BBC more often. Saddam Hussein used national IDs to track, torture, and kill people. From TFA ( http://news.bbc.co.uk/1/hi/world/middle_east/... ):
"Their faces stared up at me in black and white, snap shots of individual lives frozen in time.
Dozens and dozens of Iraqi national identity cards were spread across the chief of police's abandoned large oak desk.
All of them were men, aged between around 20 and 50 - people's sons, husbands, brothers, or fathers.
In Saddam Hussein's Iraq, it is a crime not to carry these identity cards wherever you go, a crime punishable by imprisonment.
We stopped to think why these dozens of men did not need their ID cards anymore."
And, of course, Iraq isn't the only example. The USSR, East Germany, and China did it too (and at least in China's case, continue to do so).
Who's to say the British government -- or U.S. government, or any other government in the world -- can be trusted not to do the same thing?
So that's it. Saddam Hussain became a murderous dictator because (amoungst a few other similarly important things) the existance of ID cards either allowed him to, or tempted him.
Would you accept the single counterexample of Belgium? That is of, equally illogically, proving that ID cards do not cause the occurrence of murderous dictatorships.
Just to amplify the point about Northern Ireland.
If you are born in NI you are allowed under the Anglo Irish Accorde to hold dual nationality, both UK and Eire (Southern Ireland). So as a UK citizen you will be required to carry your bio-metric ID card whilst on UK soil, as a citizen of another country you are not even required to carry your passport or other identifying documents.
Now imagine your are stopped on the UK streets by a policeman you just claim to be "Paddy O'Dontcare" from Eire staying with your mate Fred Smith. The Policeman currently has no way of checking what you say is true (other than by arresting you or phoning Fred).
As I understand it under current UK law it is not an offence to go about your "lawfal occasions" using an assumed name unless it is to be used for the purpose of a crime (such as fraud). Or more oddly for checking into a hotel (belive it or not this is from the original Official Secrets Act).
David Blunkett was actually mad aware of this problem by civil service officials prior to him making any anouncments about UK ID cards. He was also made aware that the French Banks also use the ID cards, and there level of bank fraud is higher than the UK per head of population.
I aslo seem to remember that Eire has some interesting data protection laws that effectivly prevent ID information being handed out to anybody outside of Eire except under court order.
So if it covers passport and other citizen information and a request from non Eire law enforcment then it is not going to happen. Therefore I susspect there is going to have to be some substantial changes to the law in the EU, or the whole ID card businness will be dropped.
Probably stating the obvious...
One of the interesting traits of many of the broad ID schemes is the usually unstated desire by the authorities to have some back doors. An absolute "one identity per person" system would be deadly for undercover investigators, relocated witnesses, and other people allowed legally sanctioned false identities. Only if, in a utopian vision, there is no crime requiring undercover investigations, no possibility of retaliation against witnesses, etc. might this absolute scheme work. So the ID systems need to have an override or a "back door".
Recently, an interesting example was mentioned in a Federal Computer Week article on the new US federal employee ID system being developed:
"A National Treasury Employees Union representative said new policies should permit employees who use authorized pseudonyms for their personal safety to have their cards issued under their pseudonyms. IRS employees, for example, many of whom have been threatened or assaulted, have a statutory right to use a pseudonym."
("Critics wary about biometric smart cards" 24 Jan 2005 )
Although the Bill has been dropped, the UK government does not see this as an obstacle to enforced fingerprinting of the population according to an April 12, 2005 report in The Guardian.
"Ministers are to press ahead with the mandatory fingerprinting of new passport applicants using royal prerogative powers to sidestep the loss of their identity card legislation last week."
I'm not sure whether the UK Government's thinking goes down that deep! You can apply the fingerprinting argument to ANY biometric. Of course, fingerprinting does not work well for the entire population anyway. Some groups' have a higher percentage of false readings than others.
If I wanted to catalog a population, I would use iris scans. - far more reliable.
There is a very important role for the 'Freedom and Liberty' campaigners in the whole National ID proposition. - and I think that Anony Mous has highlighted it. That is, to ensure that the processes, procedures and technologies that will be implemented (There is a momentum that cannot be stopped) are regulated and have enough protection, in law and in design, to ensure that this data is not abused.
At a practical level, if any authoritarian government *really* wanted to 'tag' each citizen, either by biometric-linked ID card or by chip or by tattoo, then they would just force the population to accept it - probably at the end of a gun-barrel.
"If I wanted to catalog a population, I would use iris scans. - far more reliable"
Better than fingerprints but not infallible. All implementations I'm aware of to date to date have been on relatively small and disparate groups.
Its all based on Daugmann's research, which is certainly quite clever. But if you do a bit of sensitivity analysis on the statistics you will see that its not infallible on large populations. If you read through it you will see he has intentionally ignored the last century's research into iris observation, as it was losely associated with homeopathy which he discredits. In so doing he benefits by ignoring some highly inconvenient observation data, including how irises can change, and how some ethnic/racial groups tend to have similar iris types...
Even though it has a cunning algorithm for dealing with obscurations and relections its very dependant on good photography conditions.
Its probably more reliable in some circumstances for matching purposes than a fingerprint, but I'd be deeply unhappy seeing it used as a "catalog"
Although this is not my field of speciality, you could well be right.
The answer is to have a combination of biometrics - the probable choice of the UK govt.
Its got to balance ease of verification 'in the field'. You could always catalog DNA at birth, but then the time it takes to check a match, makes it very impractical at the moment. (Unlike the film 'Gattaca' which is all about ID falsification in a near-future world secured by DNA biometrics)
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.