Identity theft without identification infrastructure

Recent comments to my last post about biometric passports have raised wider questions about the general purpose, risks and benefits of new government-supplied identification mechanisms (the wider “ID card debate” in the UK). So here is a quick summary of my basic views on this.

For some years now, the UK government has planned to catch up with other European countries in providing a purpose-designed identification infrastructure in order to make life simpler and reduce the risk of identity fraud (impersonation). The most visible of these plans center around a high-integrity identity register that keeps an append-only lifetime record of who exists and how they can be recognized biometrically. People will be able to get security-printed individual copies of their current record in this register (ID card, passport, biometric certificate), which they can easily present for offline verification. (What exact support is planned for remote identification over the telephone or Internet is not quite clear yet, so I’ll exclude that aspect for the moment, although the citizen PKIs already used in Finland, Belgium, etc., and under preparation elsewhere, probably give a good first idea.)

However, such plans have faced vocal opposition in the UK from “privacy advocates”, who have shown great talent in raising continuous media attention to a rather biased view of the subject. Their main refrain is that rather than prevent identity fraud, an identification infrastructure will help identity thieves by making it easier to access the very data that is today used by business to verify identity. I disagree. And I put “privacy advocates” into quotation marks here, because I believe that the existing practice whose continuation they advocate restricts both my privacy and my freedom.

What the critics neglect to see is that the introduction of a purpose-built identification infrastructure must, of course, go hand in hand with rapidly phasing out relying entirely on the existing weak and vulnerable substitute methods that currently cause so much trouble. None of this is speculation, because purpose-built identification infrastructures have been in place for several decades in most European countries, where the systematic “identity fraud” (professional utility-bill-faking gangs, etc.) that plagues a non-trivial number of UK customers today is practically unknown. In other countries, purpose-designed identification infrastructures are widely perceived by their users as effective means to protect their privacy and freedom, rather than as a threat, and many visitors to the UK consider the ID practices they encounter here more as a matter of ridicule.

There are two big classes of mechanisms in use for quickly establishing the identity of someone in a business transaction:

a) proper identification mechanisms, which were carefully designed and reviewed by security engineers for the very purpose of making impersonation as difficult as we can (including but not limited to passwords, PINs, TANs, biometric records and certificates, passports, ID cards, PKIs, security tokens, keys, etc.)

b) “identification circus”, the use of weak and trivial-to-break ad-hoc methods of identification that businesses have come up with in countries or situations where proper purpose-designed identification mechanisms are unavailable (e.g., utility bills in the UK, SSN in the US, handwritten signatures, etc.).

From what I hear from various financial industry representatives, identity fraud in the UK is today primarily caused by the prevalent use of “identification circus”, and the only advice I can give on how to combat identity fraud is to phase out the use of mechanisms that were never designed to be reliable forms of identification. This could be easily achieved in three steps:

a) government first must provide high-quality, easily available and easy to use identification mechanisms that were designed for the purpose;

b) legislator must quickly discourage any form of relying on “identification circus” by legally putting the full liability for any damage caused by impersonation fraud on the party who allowed the fraud to happen by not verifying appropriate means of identification;

c) government could finally even take steps to further discredit any use of culturally established “weak secrets” (e.g., the SSN in the US, the passport serial number in some other places) as means of identification by making such data easily publicly available, especially where such a weak secret does not constitute really “private data”, but is nothing but a meaningless random number.

Example: Say someone commits fraud that involves opening a bank account in my name after presenting two recent utility bills of mine (or more likely colour laser prints that look convincingly similar) plus my mother’s maiden name (found in a genealogy database, already known to the bank from past transactions with me). In the legal framework that I would like to see, any bank that accepted these weak not-designed-for identification credentials would have to immediately cover the entire damage caused to me by the fraud and not cause me the slightest hassle.

The advice currently given to protect myself against identity fraud in the age of “identification circus” only leads to restrictions of my personal freedom:

  • I loathe any suggestion that I have to buy a paper shredder to protect myself from identity fraud. They cost money, require space, time and energy and jam or break down easily, and most of all destroy information and evidence that might be useful to me in the future.
  • I hate suggestions that I have to treat trivial personal attributes (such as my mother’s maiden name, my first dog’s name, my favourite food, my date of birth, etc.) as secret as a password and that I am advised to keep such trivial details from my web site.
  • I do not want to have to destroy each and every utility bill or bank statement that I receive the minute that I have read it just because any business would sadly accept these as a valid security token for identifying me. I’d rather have the assurance that only a very small number of purpose-designed security documents will be accepted, which are (a) far easier for me to protect from theft, (b) far easier to verify, (c) far more difficult to fake, and (d) issued only after much more detailed checks.
  • I do not want to have to carry two recent gas or water bills with me at all times or risk being arrested by police for not being able to prove my identity or residence (which almost happened to someone I know last weekend in Cambridge).

I want to have a strong purpose-built identification infrastructure in place, because this protects me from both the hassles of “identification circus” and from the risks of impersonation.

In the end, I am convinced that such an infrastructure is orders of magnitude cheaper to set up and maintain and far more effective than if everyone had to buy a paper shredder and be trained to use and maintain it with appropriate levels of paranoia.

I dream of a time where I finally can tell you all my mother’s maiden name and my passport serial number without fear …

About Markus Kuhn

I'm an Associate Professor at the Department of Computer Science and Technology, working on hardware and signal-processing aspects of computer security.

35 thoughts on “Identity theft without identification infrastructure”

  1. If you think that ID cards would stop banks dumping transaction risk on customers, you’re mistaken. Exactly the same kind of abuses happen in Germany as here – I have been an expert in cases in both countries. If you want to argue that ID cards reduce crime, let’s see some figures. There are many countries where ID cards are universal, and many where they aren’t. Gather the statistics. If you can show a correlation, you will become famous. You will get to appear on TV with lots of politicians. You will get fat consulting contracts from smartcard companies. The incentive is there. So, I wonder, why has no-one come out with a study which shows that ID cards work?

    I do agree with you that legislation should put the liability for impersonation fraud on the relying party, rather than on the person who was impersonated. I also think it might be a good idea to publish all SSNs, mothers’ maiden names and so on so that no-one can shift liability by relying on them. For the rest, let’s see some evidence.

    Ross

  2. You make some good arguments, and it’s good to see some balance applied to the debate, but I wonder if there is a more basic concern with identity cards that you don’t address.

    I think this is exemplified by the confusion between government identity cards and benefits entitlement cards. I don’t have a problem with a reliable and effective identity card per se, but I do have a problem with what it’s likely to be used for; if some organisation needs to check my entitlement to something (or authorisation, in more classic security terms) I’d rather they could do that without knowing everything else about me (which, given a reliable and unique identifier they can then discover by data mining).

  3. Do you think Government is the best provider of this kind of identification system?

    Couldn’t the problems of assuring your identity for banking and business transactions be solved by a trusted third party that would provide these services on a voluntary basis, i.e. one or more companies?

    Would such a system be illegal under current law, and if not, why is no one providing such a service?

    Do we need legislation to prevent banks from accepting these weak sources of identity, and insist that they see a passport?

  4. These are all good points. The difficulty of identity-fraud is more difficult under this scheme.

    Unfortunately, the analysis fails to take into account the impact that a large-scale identity infrastructure has on increasing the value of individual identities and hence, the value of identity theft. While the difficulty of identity theft might be decreased (depending on the actual mechanics of the system — ie. its weak points — in practice of course), the value of identity-theft is definitely increased.

    The profit from the crime of identity theft is proportional to the value of the identity being stolen. Allowing your identity to be used for any and every purpose necessarily increases its value. Further, the presence of an infrastructure that supports your identity being used for every and any decision / purpose encourages its use for any and every purpose because it’s cheaper for any new purpose to employ the pre-existing infrastructure rather than build its own.

    One might therefore expect to see the number of services and businesses requiring access to such an infrastructure to increase following the deployment of that infrastructure.

    (pre-existing evidence of this trend is the number of services/businesses/whatever that now require you to show your driver’s license, despite the fact that often your driver’s license has nothing to do with the service being offered)

    This of course only helps to increase the value of your identity, thereby making it more profitable to steal it. While the difficulty of the crime might be increased, its value is certainly increased, thereby possibly mitigating the positive effects of trying to increase the difficulty in the first place.

  5. Ross, correct me if I am wrong, but the cases you talk about here are exclusively (a) phantom withdrawals at ATMs or (b) disputed debit card transactions. You are talking here about implementation weaknesses in particular types of (not very well engineered) automated routine payment transactions, while I am talking here more about general impersonation attacks, where someone begins an entire new relationship under a false identity (the many “I never opened such an account”, “I did honestly not take out this mortgage”, “No, my long dead sister surely did not apply for this credit card” cases).

    You have heard yourself from industry experts in our past Security Seminars at what substantial scale the latter type of fraud is routinely committed by professional gangs in the UK, and how much time and energy it costs the victims to clean up the damage, while this type of fraud is at the same time practically unknown on the continent.

    There is no TV sensation in the fact that there are no professional utility-bill-faking gangs operating in say Germany or Finland, simply because there is absolutely nothing you can accomplish with a copy of someone’s utility bill or knowing someone’s mother’s maiden name in Germany or Finland. There are no studies to quote on fraud involving fake utility bills in Germany, simply because there is no such type of fraud that could be studied. Zero.

    In spite of regularly following the relevant literature, I am not aware of even a single case where the very existence of an identity register in Germany has helped anyone to commit fraud, and I have great difficulties to see how this could possibly work. The NO2ID folks make wild predictions of what big damage an ID infrastructure could do without being able to point to any evidence of such damage in the countries that have done this for decades. The burden of proof is not mine here, because I can point to multiple perfectly happy implementations across Europe where the wild predictions have not come true.

    I perfectly agree that a government-provided identity register is not in any way relevant to your particular cases of ATM and Chip&PIN authentication attacks, just like it will not protect, for example, Unix hosts from false logins or keep car thieves from reflashing the firmware in immobilizers.

    Such specific technical weaknesses in particular systems must not distract us from the underlying worry that simply because this government has not yet got its act together to support businesses in easily and securely identifying new customers, UK residents have to guard all their many utility bills and personal details like high-security passwords. I’d rather not have to.

  6. Markus,

    Most of your points are based on the idea of a “free and open society” in which (think) you live, and would appear to be the main focus of your argument, in that you say,

    “I believe that the existing practice whose continuation they advocate restricts both my privacy and my freedom.”

    I would disagree with you for a significant reason you avoided mentioning. Most ID schemes that have been introduced have either not worked (Old Europe) or have been used by those in authority one way or another to persecute people (large number of “third world” countries).

    Since 9/11 and the Dept of Homeland Security in the U.S. and other not dissimilar legislation in the U.K. we are coming to accept that Governments are not benign and will seek any and all information for their own supposed protection (several African Nations have been in the news about this sort of thing in very recent times).

    Also it was not so long ago in the U.K. where personal information has been used to try and discredit other people in several ways.

    Therefore if you allow any Government to accumulate data on people they will eventually use it to somebody’s disadvantage in one way or another. Likewise any system that helps the process of information accumulation.

    It was not so long ago that the U.K. Gov let it be known that they were going to buy Credit / Loyalty / store card data to be used in working out the affluence of an area. I guess that will be used to raise more property tax etc. in the short term.

    But how long before they say “you bought too much booze / fags / fast food / stodge in the past 3 years so no you cannot have an operation”?

    It sounds far fetched until you realise that in the U.S. a retail outlet tried to use just such information to try and discredit somebody who was trying to get compensation for slipping on a wet floor. The retail outlet’s legal bods effectively accused the person of being a drunkard just because they bought beer on a regular basis, and therefore they argued was probably not in a totally sober state at the time of the accident…

    In actual fact any universal ID system makes the problems of protecting your privacy and freedom considerably worse, and adds little or no real benefit to you.

    If you look at the mess that is the U.S. SSN and its use as a universal identifier, it tells you that the minute you as an individual have a “unique tag / number” then all data that is known about you good or bad will sooner rather than later be amalgamated about you. History has shown that in the long term it can really only be to your detriment.

    The U.S. no fly list for instance contains a lot of bad data but nobody is going to clean it up. Why? Because from the individual bureaucrat’s point of view there is no risk to adding somebody and a small risk to them personally to removing somebody. So the bad data stays simply because a person on the list might just go bad in the future….

    The “tag and amalgamate” idea appears to be one of the fundamental concepts behind having a central repository of data that the U.K. Gov appears to want more desperately than the ID card itself, you have to ask yourself why?

    Also, from reading your posting you appear to be under the belief that in some way you control your data and that you can release it or not at your whim, or that its release cannot harm you.

    “I believe that the existing practice whose continuation they advocate restricts both my privacy and my freedom.”

    “I dream of a time where I finally can tell you all my mother’s maiden name and my passport serial number without fear …”

    “I do not want to have to destroy each and every utility bill or bank statement that I receive the minute that I have read”

    Going back to the U.S., your personal data only belongs to you as long as you keep it private; if you release it for whatever reason it becomes the property of the data collector, and from that point on you have no control over it whatsoever. So if you have a minor medical problem in the U.S. and it is paid for on Insurance (majority of population) then under the rules the data becomes effectively available to whomsoever thinks they have a right to know.

    Likewise in the U.K. if you sign up for private health care in most cases you give a blanket permission for the insurance company, their agents or associates to trawl through not just your medical records but your financial and any other records they believe might be relevant to them.

    Previous legislation the U.K. Gov tried to bring in (David Blunkett) would allow just about any civil servant to get access to your phone / bank / medical records with little or no impediment. You have to ask yourself why a sixteen year old clerk in your local council tax office would need to access this data etc?

    The current Gov desperately wants to amalgamate all data on its citizens at an obscenely fast rate, opposition to the idea is treated by trying to discredit those who advise caution and careful consideration, when this does not work “bully boy” tactics are used (NHS Spine and medical records debacle being the most public example).

    So no, your freedom is definitely under threat from a universal Identity System, no matter how good or limited you might want to make it.

    Also you say,

    “In the end, I am convinced that such an infrastructure is orders of magnitude cheaper to set up and maintain and far more effective than if everyone had to buy a paper shredder and be trained to use and maintain it with appropriate levels of paranoia.”

    Why? As far as I can tell a shredder is going to cost you less than 20GBP but the cost of an ID card is going to be as high as 300GBP, even though you might only pay “directly” the first 80GBP or so, the rest is going to be taken by taxation which means that one way or another it is going to come from your pocket.

    I think that you have chosen for whatever reason to take a very narrow “rose tinted” view on ID. From your comments simply for an “easy life”. You have then painted your picture within that view only (like Lord Hutton etc). So no I do not believe that your arguments hold water in any way shape or form and are at best more than a little naive.

  7. Why should the government provide this? What makes the government more capable?

    The core arguments against the National Identity Register are not to do with the technology, but to do with the change this effects in an individual’s relationship with the government.

    Rather than being a free individual, this is a move to becoming dependent upon the state for your existence. You cannot be a real person without sanction from the state. This is against all the liberal tradition in Britain.

    The government must be treated as a threat in all considerations, it is made up of people just as corruptible and flawed as everyone else (if not more), with the added problem that they are in the business of government to gain power.

    This is also a hugely coercive measure. We are being forced, with threat of violence and detention, to accept this scheme.

  8. The most characteristic attribute of an “identity” is that everyone can have only exactly one. (If you use several names, we normally call these pseudonyms or aliases, not “identities”.)

    This implies that there is only a single such registry of unique identities, which is regularly searched for duplicating entries. I don’t see how such an identity register is a service that the free market could provide, unless what you really want is not identity but broken “cheap identities, buy one get one free!” services.

    My definition of government is basically the provider of all services for which it is only practical to have one single service provider. Other examples are the judiciary (“cheap judges, buy one get one free”), military (“cheap wars, buy one get one free”) and law enforcement (you get the idea).

    That, to me, leaves the government as the natural entity responsible for an identity infrastructure. Besides, they run already several precursor services, including passports and birth certificates.

  9. It is interesting to see that most of the comments in this discussion are not really at all about how to design and run an identification infrastructure that benefits everyone best. This is not really about security engineering, the sort of technical topic that I am naturally most eager to chat about. The focus is much more about the fundamental question whether “the government” can be treated as a trustworthy “service provider”, or rather as some kind of “enemy” that is in constant battle with us as individuals. And the repercussions of that question go far beyond the identity card issue!

    The UK is the third country in which I have spent a substantial part of my life, and I find that a quite frightening proportion of people here see their government much more as an “enemy” than as a “service provider”. That seems a rather undesirable state to me and perhaps the engineering question we really should ask then is: can we fix this?

    What changes in the way that the government works (elections, monitoring, reporting, changing, military, judiciary, legislation, constitution) would help to persuade you to go from the enemy to the service-provider view? Perhaps even to the point that you would feel quite comfortable that your government is benign and competent enough to run an identification infrastructure for you?

    I have a few ideas, but I’d like to hear yours first.

  10. I don’t think that people who have commented necessarily view their governments as enemies, but rather just with sensible suspicion. Anyone who wields a lot of power must be viewed with suspicion if you believe the wisdom that power corrupts.

    From this point of view, no change would alter this perspective. It’s a precondition for liberty and cannot be dispensed with if liberty is to be ensured.

    The price of freedom is eternal vigilance.

  11. I feel that many different issues are being muddled up in this debate – to me having an ID document is not synonymous to massive aggregation of my personal data. To me an ID document is something issued by a trusted third party that contains just enough personal information to identify me to another person. Technology also cannot be rejected just because it is somehow connected to an entity that some feel has too much power. Why do we people use credit cards and cellular phones, that could also be tracked, everyday but resist a simple ID document? Are company executives more trustworthy, do they run their business for the good of mankind and a warm fuzzy feeling? If there are privacy laws that make us trust large banks and cellular providers more why doesn’t the government subscribe to them?

    I have heard theories about personal databases and how ID cards will make this a reality, how will it be easier than in the current system? So the theory is that I go to the bank, the hospital, the job centre and my ISP and present my unique ID document, hence linking everything together. Currently I go to the bank, the hospital, the job centre and my ISP and I give them my utility bill/or address and my dog’s name. So instead of big brother building a database around my ID no 12345 they build it around Mr Hancke, British Gas, Address X owning dog named ‘Sausage’. To me that is the same thing, except when I have to present an ID not everyone who looks in my letter box and hears me calling my dog can go and open bank accounts in my name.

    To me an ID document has its benefits over the current state of affairs. Issuing a unique ID document simply requires some good security engineering, if the proposed UK system requires mass enrollment of private data beyond what is required for personal identification the problem lies not with ID documents but with the specific implementation. Why does one of the privacy lobby groups not come up with an alternative ID document solution? Unfortunately it seems as if one party is stodgily maintaining the system is perfect while the other side is coming up with wild scenarios to draw attention and an acceptable solution is lost somewhere in the middle. Maybe voluntary enrollment in a private third-party service is the way to go – a company issuing personal authentication tokens acting as trusted third party to your bank etc. After one or two years it can serve as a case study of failure or success.

  12. It is good, especially for objectors to ID cards, to see a typically vigorous and lucid argument from Markus.

    He proposes an antithesis between “proper identification mechanisms” and the current UK “identification circus”, and argues that the former would be better.

    But the current UK identification circus is a new phenomenon, largely created by Government anti-money-laundering rules, which have caused banks and others affected to replace traditional mechanisms with new box-ticking paper-trail production.

    The traditional mechanisms were based on personal references, and while they were never immune to fraud, they avoided the obvious weaknesses to which Markus draws attention.

    It is also important to notice that even within the EU, let alone the wider world, attitudes to what invades freedom or privacy are strongly culturally determined and vary widely. Dutch and Belgian friends have expressed amazement that in the UK one can start a company without official permission, or move house without informing the police. These differences may reflect sharply varying degrees to which the citizens of different countries are willing to trust their own governments.

  13. Just a few experiences from Belgium, which is leading the way in the field of e-id cards.

    The first issue is that Belgium has to issue these documents, not only to its nationals but also all residents. If you work in Belgium you will soon have to have an e-id card. Making working in a country (for registering insurance, opening a bank account, etc) relying on a high-tech unique id is a problem for mobility since it takes a few good months to acquire one. If you work in Belgium with a 1 year contract (as I am) this is cumbersome, and rather expensive for the Belgian tax payer.

    The second issue is that you still require a utility bill, not to prove your identity but to prove your address! The address is not on the ID card (since it changes too often) and you therefore are required to prove it in another manner: contract or utility bill are the usual ways. (Note that registering in your ‘commune’ is often not a quick option, since a police officer has to come around and check your address: a secure process that takes again a few months.)

    Finally *despite* strong identification being available the police is allowed, not only to check IDs in the street at their discretion, but to also detain you for 11 hours to check it is correct. This is called an ‘administrative detention’ which has as its own purpose to make sure of the authenticity of your ID. I agree with Markus that this is not a bug of ID system, but of good governance, but it is important to put in the picture the context in which ID systems are used.

  14. Ten years ago, in a typical piece of Dutch legislation, having some form of ID was only compulsory if you were caught breaking the law and couldn’t pay the on-the-spot fine (“It is illegal to break the law without carrying at least 1 of the following…”). Everyone smiled for their passport photograph, and fingerprints were only kept for those convicted of serious offences.

    Now all that has changed: being able to show ID is required at all times from the age of 14, and smiling for the new biometric passport is not allowed (indeed, the rules on the facial image are so strict that many people have to have several go’s before it is accepted). For the next version, everyone will have to give their fingerprints, and in a recently passed law compelling criminals to co-operate in the setting-up of a database of DNA profiles, a little known clause extends the measures to innocent people who are mentally ill. Nurses in psychiatric hospitals are having to hold down their patients and scratch tissue from intimate parts of their body against their will, causing distress and destroying any trust they have painstakingly built up, in order to produce the required input for the latest government database.

    So yes, on the theory and engineering aspects that your piece was originally about, you no doubt have a point, but the practical application in Holland has become rather sickening.

  15. Markus,

    You say,

    “It is interesting to see that most of the comments in this discussion are not really at all about how to design and run an identification infrastructure that benefits everyone best”

    My point is that giving people a serial number (for that is what your ID certificate will be) will be too easily abused if not now but in the future.

    The question is not “who provides the service” but if there should be one at all.

    My vote based on history is not now and not ever.

    The technical matters are therefore really quite unimportant.

    You go on to say,

    “I find that a quite frightening proportion of people here see their government much more as an “enemy” than as a “service provider”. ”

    In the U.K. we used to have a series of checks and balances on our elected representatives, the first was the “House of Lords” they tended to act as a moderating influence on the passing of laws. The members of the Lords tended to be “life long” and would therefore see what they did as a duty not as a quick step up to a lucrative series of company directorships and speaking tours. Also the hereditary Lords tended to be fairly immune to intimidation from the elected representatives. Guess what? Our current elected representatives are trying to replace it with their own “house of favour” as quickly as possible.

    Then there was the Judiciary who are/were supposadly independant of the elected representatives and who would interpret the laws as voted for by Parliment and approved by the Lords into actual working practice. They therefore tempered the laws by the experiance of years of insite. Our current elected representatives appear to be trying to undo this fairly sensible system almost as quickly.

    Also untill recently there was an assumption in the legal process that the state had virtualy unlimited powers, the individual had little or none. Therefor the legal process had certain constraints built in (full disclosure of evidence prior to trial / no double jepody / beyond reasonable doubt etc and most importantly the right to be judged by your peers) the current elected Government in the U.K. has systematicaly stripped these rights away supposedly for “efficiency and cost savings”. Most of these rights have been in existance for more than a thousand years and have proven to have served the people of England well and have kept miscaragies of justice down to (almost) acceptable levels.

    There are a whole load of other things such as John Reid’s 90 days to question terorists. Yet most of those currently arrested for terorisum are released within a week or so and do not see trial. Those that are not are usually formaly charged well within three weeks, so why is 90 days even being considered?

    I could go on and on but I won’t I will simply say,

    I find it quite frightening how few people in the U.K. want to hold our elected representatives to account, and ask if they can actually be trusted. I find those people who do question quickly come to the conclusion that the elected representatives cannot be trusted and therefor do start to see them as the “enemy”.

  16. Markus,

    The question is not about ‘whether “the government” can be treated as a trustworthy “service provider”, or rather as some kind of “enemy” that is in constant battle with us as individuals.’ This is a false choice.

    You can find the government not to be trustworthy. You can also find this government to have demonstrably been repressive and too often reacted in a kneejerk fashion with for instance more than fifty Home Office bills enacted since it came to power. That still doesn’t make it an “enemy” in constant battle. There’s likely at least as much if not more incompetence than conspiracy at play!

    As for practical ways to ‘fix this’, we have to act to ensure our civil liberties are not further eroded. I’ve published a short list of practical suggestions at gizmonaut.net/act. The much longer article that precedes these bullet points details some of the actions that I’ve tried and their outcomes. See which ones you consider efficient and among these which ones you’re interested to follow. Feel free to suggest others.

    Back to the Id cards. I would have no problem with an Id card that I control, ie a card that I can decide who I show the information it contains to and when. However, I share many of the same concerns about the NIR as expressed in other replies.

    The unique id will also implicitly include data that has been explicitly excluded from the NIR. DNA profiles are not to be recorded in the NIR, but due to current legislation the number of innocents with DNA samples taken and retained and DNA profiles ending in the NDNAD is growing (already a third of the NDNAD). With all this data available to the government, it is inevitable that these two databases (among others) will be cross linked when the NDNAD has enough of the population’s DNA profile.

    In France, even though Id cards are common, they’re not compulsory and you also have to show bills as proof of residence. What is rather surprising, compared to the British plan, is that it is free to get an Id card – there isn’t even a token admin cost.

    br -d

  17. Markus,

    I find it interesting that you think that we each only have a single identity. (Comment 8.) Important psychological work, such as “The Presentation of Self in Everyday Life” argues that we all have a number of identities, and that such an approach to life is psychologically healthy.

    “Adam”

  18. Adam, terminology varies a lot between disciplines and “identity” clearly means something very different in mathematics, law, security engineering and biometrics than it does in the social sciences (“cultural identity”, “gender identity”, etc.). The psychological “identity” that you probably refer to, I personally prefer to call “personality”. How healthy having multiple personalities is depends probably on how far you go (see also multiple personality disorder).

  19. Markus

    You think the world would be a better place if only we Brits trusted the government, like you Germans do. Let’s turn the question round. As you know, ‘trust’ can be defined as a ‘warm fuzzy feeling’, and also in that ‘a trusted system or component is one that can break my security policy’. This latter definition, which we got from the NSA, is much better for the security engineer as we know how to reason about it.

    So from the security engineering perspective ‘trusting the government more’ amounts to ‘putting the government in a better position to break my security’. That’s undesirable, but it’s clearly what’s happening. Governments try to centralise; people who devote their lives to seeking elected office tend to be bossy; both Thatcher and Blair swept away large parts of our old way of doing things, in the process creating huge swathes of patronage with which they could reward their supporters. On the global scale, government officials have recovered from the events of 1989 – which seemed at the time to herald a fundamental shift towards low taxes and smaller bureaucracies. This happens even in the USA; Bush is not a small-government guy. Everywhere, officials grow their empires by finding more and more processes in which government can intercalate itself.

    The ID project is a classic case. In the old days, banks knew their customers because (as Nick points out) they insisted on personal references. Now government has regulated that process – and badly, creating the ‘identity circus’ we all despise. But do they learn their lesson and go back to the rules of 1989? No, they meddle further. A couple of years ago the banks were prodded by government to start demanding passports for cash withdrawals over a thousand pounds (contrary to the law established in Swiss Bank vs Robinson). In future, it’s proposed that all sorts of transactions will involve the taking of fingerprints. Hundreds of thousands of shops, doctors’ surgeries and other organisations will have to buy fingerprint readers from government contractors and pay 60p a time to ‘identify’ their customers. Will the government be ready to pass laws curbing the inevitable abuses – for example by shifting the liability back where it belongs? It’s not likely, because civil servants now have a direct stake in the game.

    This rapid regrowth of the state should be opposed by liberals and conservatives on principle; socialists should push for the available tax money to be spent instead on fixing real problems – on child welfare, mental health services etc.

    Ross

  20. I’m new to this blog, but I’ve been researching the risk that widespread use of biometrics will lead to social exclusion for three years – just writing up now.

    There are several points to consider here. The first that I’m going to tackle is the assertion that a person has only one identity. As has been pointed out by Adam, above, no-one actually has only one identity. We all compartmentalise our lives – we have different identities at home from those at work, for instance – and it is arguable that ID cards, with the data-trail that is a result, affect people’s sense of security negatively. The ability to compartmentalise is necessary for healthy life. However, that may be a bit metaphysical, so I think a killer argument is that there are situations where people need separate identities. Whilst I would like to cite examples like transgender, this is still more of a social/psychological issue, so instead I cite security and law enforcement personnel. The police are not going to be happy about all their personal details being on a database – look at the number of officers that do not have their DNA on the national database. Secondly, undercover personnel need cast-iron proof that they are someone else – a national database undermines this, putting security at risk. Big criminals and those who are a threat to security will be able to hack the database (unless we’re imagining some kind of “Men in Black” deletion of a person’s history).

    Identity is only safe when YOU have control over it, and it should never be aggregated. Sure, if we need secure ID, there should be a way of proving it, but ID is required so rarely. In most cases, mere authorisation is enough – look at how the Marijuana clubs in San Francisco work – no-one is identifiable, but they are authorised to have the weed by a deep initial proof. Authorisation (not identity) cards can and should be administered by third parties, chosen by the individual, who therefore keeps control of the data. The third party can be held to a contract, and needs to keep customers on their side. Government is exactly the wrong body to do this – expediency gets in the way too often. If a government needs information from a data-source, let them go to court and prove it to a judge.

    So, to answer the questions posed by Markus: IF government is to be seen as a service provider, it needs to move away from involvement in all areas of the individual’s life. It should produce a set of standards for Authorisation Cards which third parties can then produce, so that identifying data is controlled by the individual. For more on this, see “Identity Crisis”, by Jim Harper of the Cato Institute.

  21. Markus,

    In comment 8 you indicate only a single personality, and Adam in comment 17 refers to what you call the “psychological identity” in your reply 19.

    However you have both missed the very real problem of multiple identities due to work and other activities.

    Although it is true I only have one body I do have multiple activities where I have different personas such as,

    1, Partner
    2, Father
    3, Employee for company A
    4, Employee for company B
    5, Member of board of governors
    6, Committee member of association A
    7, Committee member of association B

    Although some of these (1&2) do not require a separate identity for normal activities the others do.

    If for instance one of the companies I work for should get into financial or other difficulties, unless I had a responsibility (ie executive post) towards the problem then it should not be of concern to any of the other parties.

    Having a single unique ID / Serial No means that I cannot maintain this separation (nor can other people if the only identifier they effectively see is my ID number). Obviously there are very many situations where this could have a detrimental effect on me or others associated with me simply due to the use of a Unique Identifier.

    And please do not say “we can build safeguards in”; you cannot. As Donald Rumsfeld put it,

    There are known knowns,
    Known unknowns and
    Unknown unknowns.

    The last two of these potentially negate any safeguards you can currently think of…

  22. I come from a country that uses ID cards for quite a long time – Czech Republic. I am not in the position to compare the amount of fraud but there are certainly organised gangs in the Czech Republic exploiting the ID-card based system. They collect found/stolen ID cards and use them as a proof of identity for founding companies that are used only for money laundering or for other kinds of fraud, they use them to get loans that are then obviously left unpaid, or for any other unlawful activity you may find it useful to prove “wrong” identity.

    In one of the latest cases, a guy had his ID card stolen, he reported this to police and even then, he was charged with fraud as his ID card was used to obtain a bank loan afterwards.

    I cannot see a qualitative difference from a citizen’s point of view but there is definitely the difference from the government’s point of view. When I read a letter by Tony Blair when he mentioned, among other things, that the database of fingerprints will be used against the database of fingerprints from unsolved criminal cases, I was seriously shaken. It may sound great but it also may be just the first of many applications that we cannot anticipate now. My immediate question was – what are the ID cards supposed to be used for?

    I’d have nothing against ID cards if there was no central database behind them. It is a good idea to have a reasonably good proof of identity but I do not think there is any need for a database of issued cards (from citizen’s point of view). However, it would be much more beneficial to have a central database of stolen/lost ID cards so that e.g. banks could check whether a particular ID card is still valid.

    And I also do not see anything bad in people possessing several ID cards if the personal data are correct – the companies will just write down a number – pseudonym that I could freely change.

    We can start talking about system engineering, but I’m afraid we do not know what ID cards should be used for. Or do we…?

  23. Clive, thanks for your comments (21). They cover what I was going to cover, and so I’ll simply add that there are legitimate, legal activities, such as going to the pub, which I might not want linked to my other activities. And, so Markus, while you may wish that our definitions could be different, our technologies get deployed and have effects in the real world.

    So thank you for admitting that your requirements statement is insufficient to meet the real needs previously identified by the social scientists.

  24. “I loathe any suggestion that I have to buy a paper shredder to protect myself from identity fraud. ”

    … because it’s proved insecure, shredded paper is reversible.

    I am almost sure this was proved in the Enron scandal; either way it doesn’t take a day’s work to write a program that can take thousands of pieces of shredded paper and match them up to form the original documents.

    Maybe egg and teabag stains make it harder.

  25. @Samh

    “… because it’s proved insecure, shredded paper is reversible.”

    Only those that use largish strip sizes ie => 0.25 font size.

    You should always use a cross cut shredder that produces 5mm size quarrels / diamonds (not the silly 5mm by 30mm ones you get at most stationers).

    That said you should not use one on its own; you should always burn or liquidise afterwards.

    Some years ago I was involved with using KeyMat which was either punch paper tape or on (what felt like) blotting paper, the SOP was after use to tear it up and put it in a 1950’s looking kitchen blender with a liquid that was flammable, then it was burnt, the resulting grey ash was then guess what mixed with water and then disposed of by the usual waste facilities you find in most buildings…

  26. @Clive

    “Only those that use largish strip sizes ie => 0.25 font size.

    You should always use a cross cut shredder that produces 5mm size quarrels / diamonds (not the silly 5mm by 30mm ones you get at most stationers).”

    Is that true?

    I’ll have a think about that.

  27. I only have to prove my identity a couple of times a year – most recently for jury service – so I don’t see any benefit in an expensive ID card.

    Logon name-passwords and PINs are just digital keys and nothing to do with any of my identities.

  28. @Samh,

    The U.S. Gov has a series of recommendations for equipment like shredders and safes; they have been posted on the Internet a couple of times (No I cannot remember where).

    The German Institute for Standardization (Deutsches Institut für Normung) DIN has a standard for paper shredders DIN 32757, which classifies shredders into six security levels for commercial and personal use. For confidential level information (the lowest classification in Europe) they recommend 2mm strip cut. For Secret they recommend either 0.8mm strips in either 12mm or 4mm lengths.

    The big trouble with all strip cuts is that you can easily by eye determine the orientation of a page by the printing and the way the cut edge folds. So much so that forensic identification of individual cut wheels is fairly easily possible.

    Needless to say even the DIN standard is not considered suitable for governmental use, so if you have the money and want a higher level of destruction then you need to get a granulator or hammermill shredder; their output can go straight on the compost heap without worry.

    But if all you can afford is the 20GBP ones from your local stationery supplier get one of those garden “Spanish” barbecue / heater and burn the shredder output quickly and conveniently (just make sure unburned chads don’t go up the chimney and into your neighbours gardens).

    Once upon a time if you did not like nosy people then you could use a 2mm strip cut and work it in to some nice fresh farm yard muck (pig / cow) which will make the unsorters job somewhat malodorous. However the E.U. have regulations about the storage of farm yard waste these days and you need a permit to store / move it which kind of spoils the fun…

  29. Mr Kuhn, you wrote:

    “…I find that a quite frightening proportion of people here see their government much more as an “enemy” than as a “service provider”. That seems a rather undesirable state to me and perhaps the engineering question we really should ask then is: can we fix this?”

    “What changes in the way that the government works (elections, monitoring, reporting, changing, military, judiciary, legislation, constitution) would help to persuade you to go from the enemy to the service-provider view? Perhaps even to the point that you would feel quite comfortable that your government is benign and competent enough to run an identification infrastructure for you?”

    A substantial proportion of the general public distrust government – this isn’t just about security engineers, anti-ID card types and ‘privacy advocates’. Regardless of whether or not the perception of mendacity is justified – in my opinion it is at least partially justified – politicians need to do a lot of work themselves in order to fix this.

    In addition there is plenty of historical precedent to show that employees of the government (and indeed the private sector) will misuse or abuse our personal data for government ends and their private ends. There seems to be a case for rational distrust.

    So how can abuse be prevented, the effects mitigated, and what remedies will be available to the abused?

    This doesn’t seem to have been publicly discussed.

    A major problem with this scheme is how the Government initiated and how it has been managed since. The Government has been secretive, vague, derisive of criticism, and in my opinion it has misled the public particularly with regard to costs.

    It has also moved the goalposts. For example, the National Identity Register, rather than it being one brand new sparkly database, will now be based on two or more pre-existing databases – one of which is already faulty at peak times (the DWP’s CIS). There has been no public discussion about what this means to the scheme.

    Another example: we were assured that the police would not be allowed to go on fishing expeditions, of course this assurance didn’t make it to legislation, and now we have Blair saying that the police will attempt to match 900,000 marks found at crime scenes with records in the database, and the opposition parties are whinging about it.

    With regard to your friend who could not prove his identity. I would hope that this was an isolated case – as (I hope) as Sabbir Ahmed’s – and therefore not something that can be used to substantially support the scheme.

    But I believe the real issue here is this.

    Earlier you wrote:

    “For some years now, the UK government has planned to catch up with other European countries in providing a purpose-designed identification infrastructure in order to make life simpler and reduce the risk of identity fraud (impersonation).”

    However the Identity Cards Act and the proposals go much further than that.

    It seems to me this could be a reason for the difference of opinion between yourself and the critics – they are not seeing the same scheme.

    With respect it seems to me you have too narrow a view of it. I apologise if I misunderstand your position.

    Regards

  30. Can a 14 year old work as a security guard or even younger? Is there such as a security guard as in the US in British England? Or is this just a scam on the internet?

  31. I read with interest today (in the London Metro) that the Treasury has issued an edict to all civil servants receiving reports about (negative) effects of Gov IT projects to “securely destroy” after reading…

    Has anybody any further info on it?
