Over on sticks and carrots Garry Smith was suggesting that this might be a conspiracy to promote ID cards on the back of the inevitable rise in identity theft. (But then changed his mind and decided it had to be incompetence.) (Again.)

Nope, that’s another 25 million “families”. Please multiply by your statistic of choice to get the number of humans afflicted by this latest example of government care.

Unfortunately, I doubt that many will make the connection.

Obviously ID Cards would represent a cataclysmic single point of failure (once they are trusted, they are all you need to steal, or fake, to have someone’s complete identity). But their existence or non-existence doesn’t really have any bearing on this case; except that, if they did exist now, the people affected would have lost (presumably) their card details — the key to their database record — as well as everything else that they have lost.

But that may not be obvious to everyone.

I must say I’m surprised by the relative lack of comments on this. If there was ever an issue that separates the liberal-left from the authoritarian left, this is it.

Martin, no they wouldn’t, one of the big pluses of ID cards is the biometrics. The idea being that when you have to prove your identity you hand over your identity card and then verify that the card is yours by providing a fingerprint.

The idea behind identity theft is that people use your data, your name and address to apply for loans, credit cards or benefits. Once the thieves have got their money the bailiffs come to your house to collect. The idea with an identity card is that when applying for such things you use the ID card as a more conclusive proof of identity. The effort required to fake a fingerprint is of far greater magnitude than the effort required to fill in a loan application with false details.

Let’s be clear here, the HMRC are not the only agency who have your personal details and are not the only agency at risk of losing them. Hundreds of private companies have the records of millions of people on file, some might be encrypted, some might not. Most will have backups, some might store those backups in archives provided by separate companies. There are plenty of points of weakness within system that identity thieves can exploit.

Wow… that is incompetence on a huge scale indeed.

Muddled headed thinking from Andreas Paterson I am afraid.

I know who I am. My friends and family know who I am. My work colleagues, associates and many others know me too. Even my local PCSO and the town’s mayor knows me by sight. There is nothing in our relationships that another could possibly use to impersonate me.

The following don’t know me from Adam: banks, building societies, the Post Office, central Government, the Inland Revenue, ISPs, phone companies, airlines etc. They are all clamouring for ways to check who I am. But whatever I supply, someone will eventually figure out a way of nicking it.

Figure this one out. If your bank manager had meet you face to face, do you think it’s easier or more difficult for someone to walk into your bank branch and walk away with your savings?

“Hundreds of private companies have the records of millions of people on file, some might be encrypted, some might not.”

No, it’s the aggregation of the data that’s the problem. No system can be secure when information is centralised in this way and hundreds of thousands of people need access to the databases to do their jobs. Private companies don’t aggregate information to this degree.

We must keep open the idea that this appalling situation has rendered ones NI number pretty much useless for confirming ID, to join its use as a way of confirming citizenship or proof of even a valid ID (which is not the same as theft) that has been thrown away by the dishing out of NI numbers to all and sundry. As such was it, as Paul @1 suggests, almost allowed? I do not think so, but I do think the HO is rubbing its hands with glee at the “opportunity” this has now presented.

What is important is that the database was accessible by a junior staffer and that the staffer was able to burn a disk or two of the entire database without any real controls at all (it seems). I suppose he just did an SQL query…

I have posted an idea about a possible least worst option for ID here:

http://neuearbeitmachtfrei.blogspot.com/2007/05/identity-private-plural-and-voluntary.html

which at least makes sure the entity that makes such a bungle as we have seen today highly likely to be totally obliterated instead of a few sacrificial lambs slaughtered.

p.s. Tom @4 “I must say I’m surprised by the relative lack of comments on this. If there was ever an issue that separates the liberal-left from the authoritarian left, this is it.”

That might be because many who say that they are liberal are in fact quite the reverse!

re Andreas #5

Shuggy’s is the key point here. There’s nothing wrong with a secure biometric card to identify yourself. The problem is the great big central database that stores and aggregates every aspect of your life, and sits at the heart of government.

Crack that, and a thief could almost be you, or your kids, never mind just borrow your identity to get a 5k loan. Way, way scarier.

Lobster, most people don’t develop face to face relationships with their bank manager, most people I would venture have not even seen their bank manager. Unless you are proposing some major overhaul of the banking business, depending on face to face relationships is simply not a viable option.

I don’t buy “someone will eventually find a way of nicking it” line of reasoning on an identity checking method. Chip and PIN works well as a method for verifying identity for payment, it’s a system that has been around for a few years now and still hasn’t been broken. The effort required to break a biometric ID card system would be far greater and the potential rewards far harder to realise.

Shuggy, in terms of identity theft what’s needed is enough information to pretend that you are someone else, the source of such information or whether that information is centralised is irrelevant. Further aspects of the NIR, are separate issues warranting separate discussion.

Donald, the point here is the biometric that will essentially work like a PIN. You could pretend to be someone else and provide all their details, but unless you could mimic their fingerprints your proof would be invalidated. An identity thief would have to find a way of mimicing fingerprints based on biometric data, not a particularly easy task.

Good point.

But, I feel that a reminder is needed that it’s not the National Identity Register is not the only great big central database that poses this kind of threat to privacy, it’s a host of other schemes – two of the most worrying of which are the NHS Spine (see http://www.nhsconfidentiality.org) and the Children’s Database (see archrights.wordpress.com/).

That should be http://archrights.wordpress.com

Andreas (are you the pro-IDer behind the ‘Citizen Andreas’ blog?): Fingerprint recognition technology is far from failsafe, even for people with normal fingerprints – see http://www.no2id.net/news/newsblog/?p=457.

11. What you’re saying is only true if every transaction in our daily lives has to be through our biometric ID card. Am I not going to be able to do internet banking or apply for a credit card without my ID card?

In complete honesty I have no idea as to the level that ID cards will be forced upon us to be used, but anything less than complete use in all financial transactions and situations susceptible to fraud means that a repeat of this debacle from the centralised database that the ID card system is meant to accompany will be even worse for the residents of the UK than the last couple of days have been. (and the next few months will be)

Do you think that every opportunity will truly be pinned down, and if so are we going to be forced to buy the technology to access internet banking in our own homes as we’re going to be forced to purchase these ID cards?

What are we going to do about data protection?

Turning the poor b***** micromanaged surf into fish food can not be the answer.

I would like to see his direct boss go to prison for a bit, one hour for every man day this has cost might be a good deterrent.

If you can send your boss to prison by just putting a CD in the post security might just be tightened a bit.

Andreas, in comment 11 you said:

in terms of identity theft what’s needed is enough information to pretend that you are someone else

Which I think contains the seed of your downfall Or rather, that of the ID Card and Database scheme.

See, the real problem with the system (apart from the obvious fact that it inherently treats us all like potential criminals or parts in a manufacturing system) is that it introduces a Single Point of Failure, as I suggested above.

What that means is that, instead of having to gather many pieces of information about you to steal your identity, terrorists, organised criminals, or any other horseman of the infocalypse, will only have to steal one. And that one item will, in time, provide access to everything.

Now I know you say that the biometrics provide a degree of security; that may be so, though others above have suggested that they may not be all that reliable. But the whole system is only as secure as its weakest part. And that will be either the government-specced and probably privately-run computer system; or the people who work with it.

All you (where “you” equals the criminal) need to do is to have a corrupt or compromised insider, and you will be able to get, for example, an ID card in my name, with my details, but with your biometrics. To all intents and purposes, to anyone who doesn’t know me personally, you will “be” me.

Combine that with the disabling of my card for a real nightmare scenario.

Here’s a thought that just occurred to me. Some of the new academies are giving the kids swipe cards to get in and out, to get lunch, and so on. But imaging you couldn’t collect your kids from primary school because your ID card was lost, stolen or compromised, and so you couldn’t “prove” that you were their parent?

Yep, the Kafkaesque potential of this is mind boggling. Which is why, in part, it appeals to me. I think too many people have been getting away with various crimes, (frying grilling rather grilling bacon, failing to recycle properly, eating ready salted crisps, smoking in their cars and fishing without a license for example), for far too long, and we should all be treated with far more suspicion by the state.
The existential angst of trying to prove that “you are you” to the government could also have a cathartic and grounding effect on some of the more troublesome members of the populance too, leading them to an exquisite moment of self actualisation when they will discover that they really do love big brother.
Seriously, the left only have themselves to blame for this, tolerating a government that dictates the unimportant makes this sort of totalitarian measure, inevitable. The more information you feed the machine, the more it wants, and the more it gets the less it trusts any of us.

Ian, yes that is my blog, although I find myself lacking the time to do much of the blogging thing these days. On the fake fingers story, I’d like to make the following points, first the story you link to is a 2002 study I think it’s safe to assume that five years on the technology is somewhat better. The second would be to ask whether the fake fingers were created using an image of a biometric or created from an imprint, an identity criminal would need to create these fingers from an image. The third point to make is that any fake finger tricks would need to fool not only the scanner, but also anyone supervising the scanner.

Martin, the problem I have with your reasoning is that you go for what is theoretically possible rather than realistically possible. I you want a cast iron guarantee against identity theft, forget it, if you want to compare odds I’d say ID cards are the safer bet.

Let us take your example of the stolen ID card, if a thief had stolen my ID card they may want to try and take out a loan in my name. In order to to do this the thief would need to fake my biometrics for the scanner when asked to verify their identity. To do this they would need to know what my fingerprints look like, how exactly would they do this?

Compare this to the current situation where all that’s really needed to commit identity theft is someone’s name, address and date of birth.

As for the compromised insider idea, I could apply the same arguments to banking. All the information to steal millions of pounds could quite easily be leaked by an insider. But that’s no reason to keep your money under the bed.

Andreas @19 “To do this they would need to know what my fingerprints look like, how exactly would they do this?”

I may be out of date now, but at some stage the imbeciles putting forward their “solutions” were intending to store the biometrics on the card. If they were not, we could use our driving licenses for that is all the uniqueness we would need on a card. For those who cannot drive, just issue a “no classes” license.

To me, storing on the card is absurd, but that does not mean it will not be done that way.

Andreas, Certainly I was thinking of theoretical possibility: indeed, I was thinking about worst-case scenarios, which you have to do if you’re planning safety-critical systems.

I may have poorly stated my example. Loss or theft of the card should (thought it’s a big “should”) only be a relatively minor inconvenience if, as you suggest, biometrics are used as well. (I don’t doubt that it’s possibly to fake fingerprints, but I don’t think it’s likely to become a big thing.) You lose it, you cancel it, you get a replacement.

Though as a serious question: how do you prove that you are entitled to cancel your card?

No, my real fear is the cracked database, the “hacked” card. If this system were to go live next month, I would fully expect that by, say, February next year, there would be kits available that would allow the criminal to do one or both of: update a stolen card to have a new user’s biometrics (easy enough if the biometrics are stored on the card, as Roger fears, above; very hard — maybe impossible — otherwise); or update the user’s card to access a different user’s details.

Look at how quickly people managed to unlock the iPhone; and they were only doing it for fun.

As to the “compromised insider” attack on the existing banking infrastructure. True: indeed, I believe that’s the main route of banks’ losses to fraud, though they don’t publicise it. But that’s no reason to give the compromised insider access to all your accounts, your medical records, your tax returns…

But all of this only touches on actual or potential technological flaws. We haven’t even started on the civil liberties issues, the change in the relationship between government and citizen, the general wrongness of it all.

Roger, you are correct that there the idea of storing biometrics on the card was mentioned, I also think biometrics are held on the current e-passport. The purpose, I believe was to provide the function for an off line check. For the passport this was a standard compiled by ICAO so that passports could be checked as genuine internationally. For the ID card, this would mean that the biometrics could be checked when disconnected, it would also have the advantage that such a check would be unaudited. It would not be a problem provided that only one or two fingerprints were stored, meaning that the other fingers could be required for stronger security checks. The ideal situation would be if there was a way of storing biometrics so that it was not possible to translate the data back into an image of a fingerprint, I’m not sure whether this is possible, I am nut a humble Labour supporting techie.

Martin, obviously it’s important to consider every possibility of what could go wrong. But it’s important to take into account the amount of effort required for each of the possibilities and the rewards gained from success. If attempting to hack the NIR becomes a difficult task involving a man on the inside, a stolen ID card and a bunch of rubber fingers all for the possibility of accessing one man’s bank account I can see a large number of cyber criminals giving up and trying their hand at hacking badly written online stores for credit card numbers.

As far as creating hacked cards, my guess is that they will be digitally signed, cloning will be a possibility but finding out the private key will take serious amounts of time and computing power.

On the civil liberties issues, Ii’d love to discuss them further, but not tonight, I’m tired.

Andreas,

Just because storing the biometrics makes it easier to check offline does not mean we can waive the obvious flaw in the concept!

Last time I heard, I was able to access any computer from any part of the world via the internet, so we can crosscheck. The new passports are standardized into a global format for international use. If the format can be read internationally offline, then there is no reason to say that arrangements for biometric cross checking cannot also be done internationally on format issues – if you think about it, each check for a UK passport will happen in the UK on departure, in the destination country on arrival, on departure and then back on arrival in the UK. The checks to the database will, roughly, double (slightly higher due to multi-leg trips). The UK database should reject any cross check request that is not being done when the passport has not already checked out of the UK!

The very nature of an offline check opens up the possibility and, I am afraid, probability and almost certainty that we will see offline theft. The issue of security is very very hard to perform. If you have a device that must read a fingerprint and compare it to the data either in a passport or sent form the wire, the need to decrypt it is necessary and this mechanism WILL get out. Further, it is not necessary to accurately reproduce anybody’s fingerprint exactly, all it needs to do is be able to enable the fraudsters to produce a fingerprint that appears to resemble the print as far as a scanner is concerned, so it needs to have the various key points, swirls etc. by which a print is identified, coded and compared. Iris matching is far harder, but the technology was developed in the West and it is less reliable on African and Asian eyeballs which have far less contrast (duh!).

What can be ensured, is that no check for a biometric can be made when the UK passport is not “checked out” of the UK, so this stops fishing by foreign governments building their own database of all the UK population biometrics, but neither will it prevent accumulation incrementally by stealth over time – DO NOT THINK FOR A MOMENT THAT ANY GOVERNMENT WILL NOT DO THAT. I would say that the UK State IT noggins are unlikely to protect us from fishing or keep records to prevent duplicate or fake re-entry by foreign nationals carrying biometric passports. I say this as I have no faith on the State IT procurement process outside of the Military and security services.

What I want, and I make it very clear in my post on this matter at my blog back in early May, is that I want to see whenever ANY agency makes a check on my ID, beit Tesco, the HMRC, a foreign customs checkpoint or whatever. This is simple to do, but again I do not think the either the State wants that, nor that the noggins they hire for IT projects will sort it.

What is a concern is that the UK government will then know where I am at all times without my consent. It again makes out that somehow the UK government “owns” me. THAT IS UNACCEPTABLE.

Andreas,

Your confidence in all this is far greater than mine. I hope it’s justified.

I hope even more that we never have to find out.