Sunday, December 31, 2006

Wishing you all a Happy New Year

This evening, Citizen Andreas will be visiting a reasonably wealthy friend of his in Cambridge.

Citizen Andreas will be enjoying his hospitality and has been guaranteed a prime place on the floor in one of the bedrooms of his rather comfortable abode. Citizen Andreas will not be paying a penny for the privilege.

In the past, Citizen Andreas and his friend have had disagreements on the subject of copyright; he therefore fully expects to be lobbied on the subject.

Citizen Andreas is dreading the Daily Mail headlines in the new year, but would like to wish everyone a happy new year.

citizenandreas [at] slick47 [dot] co [dot] uk

Saturday, December 30, 2006

On Renewal

PragueTory wrote a rather good post on the subject of renewal of the Labour party: whether the Labour party will be able to renew itself and once again capture the hearts and minds of the voters in the way it did in 1997. He suggests that at the moment Brown is very much associated with the status quo, and that if Brown gets to be PM without a fight renewal is an impossibility and Labour will be launched on the road to electoral defeat. I think he might be right.

I admire Brown, his handling of the economy has been very good (not perfect IMO) but he has presided over years of steady growth in the economy, and left a trail of shadow chancellors in his wake. The problem with Brown I feel is the way that most people view him, the view I get from people is that he is not that likable and not that trustworthy. Brown has his virtues, but they have been very much overshadowed by the more general perception of him as a dour accountant.

What I feel that Gordon will need is a fight, he needs to have his ideas challenged and he needs to reaffirm his passion for his beliefs and he needs to convince the electorate that he is the right person to take the country into the future. A leadership contest is, I feel, the perfect platform for this. The Tory (the less said about the Lib Dems' affair the better) leadership contest was a brilliant example of this, as the candidates debated the issues they gained a newfound respect for each other, the whole affair really reinvigorated the Tory party.

While the nature of the Labour party's renewal will have to be different, the electorate will be much more willing to accept a Gordon Brown who has had to fight for his position as leader. To that end I would like to see John McDonnell (I would like to see another candidate as well*, but I'm not sure if anyone else will stand) get enough signatures to stand for the leadership, if he gets his signatures, he is far more of a threat since in a leadership contest the vote is divided between trade union members, grassroots members and Labour MPs. McDonnell has good support among the grassroots members and is likely to get a good deal of support from the unions. Although I feel Brown would win, I don't think he could afford to be complacent.

*although not Michael Meacher


Thursday, December 28, 2006

Take away the executive pay...

Top bosses' salaries 'race away' according to the TUC. While us citizens are apparently 6% better off since 2000 when taking inflation into account, top bosses' salaries have doubled in the same period.

I'm sure the usual cadre of right wing bloggers will point out that in fact taking x, y or z into account the actual figures are 6.74% for the citizens and that bosses have merely had an 89.7% increase. They'll then no doubt start arguing about restrictions on entrepreneurs and how people should be free to earn as much as they like.

I don't believe that British business has become twice as productive in the last 6 years, so how exactly is it justified? This is abuse of power, and in this citizen's opinion the explanation for it lies not in economics but in sociology.

In a large FTSE company, remuneration for a small group of people is not limited by real world factors, there is no actual market pressure on wages. Executive pay is judged according to what other executives earn, as this has risen, it has resulted in what seems to be a competition to keep up. It is this psychological competition that has driven wages up, rather than any demand for the skills that our executives possess. It is this sociological effect that the government will need to counteract in order to put a lid on executive pay.


Wednesday, December 27, 2006

Today's word is "Draconian"

After Draco, the Greek scribe who made some really harsh laws, a bit hackneyed in my opinion but a favourite for describing state imposed restriction? My favourite use of the term has to be...

"Repeal of the ban on full automatics -- ownership of which requires some of the most draconian screening procedures on the federal books"

From the site of the Constitution Party's 2004 Presidential Campaign.

On Christmas eve, the Daily Telegraph chose to use the word to describe the potential £1,000 fine that could be levied for failing to inform the NIR of a change of details.

The article is creating a fair deal of alarm about it, and is accompanied by an even more disapproving leading article. Perhaps they should be a little more shocked about the fact that another government agency has been getting away with a similarly "draconian" policy for years.

Can anyone tell me how is this dramatically different to the set of fines imposed by the DVLA? The one potential difference I can think of is if there is a charge for doing this. Since forcing people to pay each time they move house, or in the situation of a death or marriage will be quite restrictive (although the charge for making an update will determine how restrictive).

I would hope that this cost has been factored in to the initial cost, I've submitted a question on the government site about it since it's not something they answer on the site itself. I hope that if there is an associated cost, it is quite small but I'll have to wait to find out.


Sunday, December 24, 2006

Merry Christmas Citizens

This citizen is signing off for the Christmas period, hope you all have a good one.


Thursday, December 21, 2006

Back on the Subject of ID cards (ish)

The subject of the new UK passport with its RFID chip has got some people quite worked up. It also encouraged a lot of discussion by security experts. I made the point earlier on that these security vulnerabilities would not necessarily apply to the ID card when it was created. In addition to this, I feel that there are a few other myths that need to be addressed.

Initial Points
The first point to make is that the chip on the passport is intended to be read all around the world, the information about how to access the passport has been published by the ICAO. The chip is designed to be readable. So this quote...

“The Home Office has adopted a very high encryption technology called 3DES - that is, to a military-level data-encryption standard times three. So they are using strong cryptography to prevent conversations between the passport and the reader being eavesdropped, but they are then breaking one of the fundamental principles of encryption by using non-secret information actually published in the passport to create a ’secret key’. That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat.” is deeply misleading; it is that way by design (ICAO's design, not the Home Office's). The protections are in place so that anyone attempting to access the chip needs to open and look at the passport to be able to access the information on the chip.

Accessing the Information
Oft confused are the subjects of encryption, access control and digital signing, this is something that needs clarifying. Encryption is the encoding of data in such a way that it can only be read by someone who has the encryption key. At its simplest:

"Hello World" -> "Ifmmp Xpsme"

Unreadable unless you can work out the pattern used to encrypt the data. The UK passport encrypts its conversation with the RFID scanner, but the data held on the passport itself is not encrypted. The purpose of this security feature is to prevent "conversations" between a chip and a scanner being eavesdropped.

Authentication is a method of obtaining access to a system, a username and password, or simply a password. The passport is protected by a simple access control system. What the Guardian article refers to is the authentication system that uses a password based on data contained on the last page of the passport.

Digital signing is a method of ensuring a document is authentic, it is in essence a unique stamp on a document. A digital signature scheme uses two keys: a private key and a public key. The private key is kept by the issuing authority and used to sign the document, the public key is distributed and can be used to verify a document's authenticity. If a document is altered in any way, the digital signature is invalidated. The UK passport is digitally signed to prevent forgery.

Why All This Matters
The article puts forward the scenario where a postman is able to steal your passport letter, initiate a brute force attack against the RFID chip and return it a day late having stolen the data on the passport. This sounds plausible but would be very hit and miss, passports are not renewed that often so the number of cloneable passports a single postie could obtain would be very low.

Having stolen this data, it may be theoretically possible to clone a passport, but the data on the chip could not be altered in any way due to the digital signature. This would mean that the ID criminals would need to find someone who looked like you to use the passport. It also means that this method could not be used to clone passports for sale on the black market. Additionally, once biometrics were added to the passport, an identity thief would also need to find a method to mimic these biometrics.
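The distinction drawn above between copying signed chip data and altering it, as an added example that is not part of the original post: a toy RSA signature over constructed passport fields. The key (two small Mersenne primes), the field names and the helper functions are illustrative assumptions, not the passport's actual data format or key sizes.

```python
import copy
import hashlib

# Toy issuer key built from two Mersenne primes (assumption for illustration).
# Far too small and too structured for real use; real issuers use vetted
# crypto libraries and much larger keys.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held by the issuer only


def _digest(fields):
    """Hash every field name and value, length-prefixed, in a fixed order."""
    h = hashlib.sha256()
    for name in sorted(fields):
        for part in (name.encode(), fields[name]):
            h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % N


def issue_chip(fields):
    """Issuer side: sign the chip data with the private key."""
    return {"fields": dict(fields), "signature": pow(_digest(fields), D, N)}


def verify_chip(chip):
    """Reader side: needs only the public values N and E."""
    return pow(chip["signature"], E, N) == _digest(chip["fields"])


def clone_chip(chip):
    """A bit-for-bit copy, which is all a cloned chip can hold."""
    return copy.deepcopy(chip)


def demo():
    genuine = issue_chip({
        "name": b"CITIZEN ANDREAS",            # constructed sample data
        "date_of_birth": b"1970-01-01",
        "photo": b"<holder photo bytes>",
    })
    clone = clone_chip(genuine)
    altered = clone_chip(genuine)
    altered["fields"]["photo"] = b"<someone else's photo bytes>"
    return {
        "genuine": verify_chip(genuine),
        "exact clone": verify_chip(clone),
        "clone with swapped photo": verify_chip(altered),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'signature valid' if ok else 'signature INVALID'}")
```

The exact copy still verifies, because a signature proves who issued the data and not which chip carries it; the copy with a different photo does not.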

And the dangers...
Traditionally, criminals have obtained fake passports by posing as someone else and applying for either a new passport or a replacement passport, using their photos. Compare the two methods:

  • Obtain detailed background documentation on a person
  • Send off for a passport application

EPassport Cloning
  • Bribe a postie
  • Research the people in the postman's area
  • Obtain passport letters, brute force attack the RFID chip
  • Construct a replica passport with a cloned ID chip
  • Find someone who looks similar to the passport user to use the passport

Passport cloning is far too difficult a process, involving far too much effort for it to be worthwhile to ID criminals.


Monday, December 18, 2006

Protectionism Anyone?

I'm an avid reader of the Guardian's economics correspondent Larry Elliott. I like his hard headed matter of fact kind of tone, in this case on the subject of BAe systems and the Saudis.

There is little point in defending what the government has done, the best I can say is that it's realpolitik in action and that I doubt the Tories or the Lib Dems would have behaved any differently had they been in power.

The point that Larry makes is that blocking the SFO enquiry is essentially protectionism, something that is considered a bad thing pretty much universally among the main parties. He then makes the point that since the government sees fit to support arms dealers, perhaps it might consider providing support for less controversial industries.

For me, this is one area where my opinions part ways with those of the Labour leadership. Like Larry, I view protectionism as a potentially useful policy option. I'll admit sometimes you can't stand in the way of the market, but I question the current PROTECTIONISM=BAD mantra and put it to people that it's not quite as clear cut as that.


Sunday, December 17, 2006

The "Shambles" memo

Today's Daily Mail has the wonderful story about a leaked Downing Street memo, basically suggesting that Labour is slowly losing ground to the Tories. It pulls no punches in allocating the blame for this to Gordon Brown.

The key point in the story for me is the line "The memo, written in the past few weeks"; this line, heavily buried in the story, indicates that the memo itself is a few weeks old. Removing the memo from its original context makes it hard to really judge why it was originally written.

Curiously absent from the news and the blogosphere are:

  • The full text of the memo
  • The confirmed identity of the author (Citizen Dale reckons Philip Gould, commenters on his blog suggest that he does use the kind of hysterical language found in the memo)
  • When it was written (A few weeks is more than just a tad vague)
  • When it was leaked
  • Who leaked it
Sadly not absent are the shouts of glee from right wing bloggers. Let them shout I say, if a Tory paper publishing some outdated government memo really rocks their boat. Who am I to stand in their way? Let's save our big clunking fists for stories that actually matter.


Monday, December 11, 2006

Database Usage and the Meta Database

NO2ID mention the idea of a meta database on their site, it seems something appropriate to bring up while discussing how private companies might use services provided by the national identity register. Before going on, I'll try to go over one of the key concepts of the ID card database.

In any IT system that keeps track of people's names and addresses, a common practice is to assign each one a unique number. This ensures that a record can be guaranteed as absolutely unique and be kept track of over its lifetime in a system.

The IRN (Identity Reference Number) is the unique identifier that is assigned to a person when they are first entered on to the system. The idea being that by performing a Detection of Multiple Identities Check you will be able to ensure that a person is only recorded once on a system and can be told apart from people who may have lived at the same address or have similar names.

Uses and Abuses
The IT systems of government departments would be able to make use of the IRN to better identify someone. For example, by recording the IRN of a benefit claimant they would be able to check if this IRN is already on the system to see if the person is already claiming benefit. Someone convicted of child abuse could have their IRN recorded, meaning that by making a background check requiring an ID card you could instantly know if someone was safe to employ.

This cartoon (originally posted by Citizen Dale) demonstrates the potential danger posed by misuse of the IRN. A company could acquire a lot of information based around someone's IRN.

For example, companies like Experian currently use a combination of name and address to identify people for credit reference checks. By using the IRN they would be able to keep much better track of people. Marketing companies could potentially consolidate data based around this IRN and know a huge amount about someone (what kind of car you drive, whether you've just had a child, what you tend to buy at the supermarket). If not kept in check, there is a very great danger to people's privacy.

My thoughts
I don't advocate the kind of usage that I've highlighted above, but I don't believe that ID cards will lead to this kind of usage provided it is taken into consideration. I'm not sure exactly what the Home Office has in mind for making private data available but I would propose the following.

  • No private company should be able to use the NIR to extract data, they may only check data they have been given against it. (e.g. Rather than being able to ask "this is ID Card number 4612787295, this is their biometric, what are their details?" they can ask "This person claims to be Citizen Andreas of 26 Loyal Citizen street, their ID number is 4612787295 and this is their biometric, are these details correct?")

  • Only a very limited set of companies (I'm mainly thinking banks and financial institutions) should be permitted to make use of the IRN (this would prevent the kind of privacy abuse noted above).

I'm currently in two minds as to whether companies should be allowed to check data they have without a card number and biometric. This would allow marketing companies who send out large mailings to eliminate out of date addresses. I'm open to opinions on the subject.

If these kinds of concerns are taken aboard I think it is possible to have an ID card system that addresses many of the legitimate privacy concerns.

Thursday, December 07, 2006

I've not heard this one in a while, but thanks to anyonebutblair for bringing it up.

"We will introduce ID cards including biometric data like fingerprints, backed up by a national register and rolling out initially on a voluntary basis as people renew their passports"

My opinion on this particular argument is that it is a bit of a mess up by whoever wrote this bit of the manifesto. Voluntary in this case meant "it will not be compulsory for everyone to have an ID card initially". Most people I suspect would not interpret it to mean this, but I would put it to you that this kind of wording is open to interpretation.

A manifesto is a statement of a party's intent, but I don't think that its wording should be interpreted in the same way as one might interpret a tightly worded legal document. I'm of the opinion that an ID card scheme will be of maximum benefit when they cover 100% of the population. This delay, I feel would have been one of the first nails in its coffin.

The issue remains whether the manifesto could be interpreted as misleading the public. On this issue, I would say that anyone who objected to ID cards would simply not have voted Labour and would unlikely have been swayed by the idea that for a short while the scheme would be voluntary.

Common Hacking and Data Theft Tactics, a Spotters Guide #1, Brute Force Attacks

If I were to limit the blog entirely to ID cards it's probably going to get a bit dull, so I'll intersperse it with a few posts on computer and data security. I wouldn't count myself as an expert on the subject, but I've written a few authentication systems in my time and know some of the common tactics hackers use.

Brute Force Attacks
I remember an episode of The New Adventures of Superman where, when confronted with a password screen, Superman keeps typing words at super speed until he gets the right password; this is essentially a brute force attack. An automated computer program fires off login attempts using a dictionary to provide potential passwords.

As an example, assuming it takes about 30,000 attempts to arrive at a password and you can make 5 attempts a second, you should arrive at a password in about 100 minutes.

Prevention Tactics
Ambiguous Error Messages
In most situations when trying to gain access to a system you need to supply a username and a password. Often the error message will be something in the form of "Your username or password was incorrect"; it does not say which is wrong, since this could provide additional feedback to a hacker, as in the following example.

Username: johnsmith
Password: aardvark
Your username is incorrect

Username: johnjones
Password: aardvark
Your username is incorrect

Username: johnanderson
Password: aardvark
Your password is incorrect

Username: johnanderson
Password: abacus
Your password is incorrect

A simple tactic is to pad out the time it takes to make a login attempt: force the computer to wait, say, 2 seconds before performing the actual check. In the example above this would increase the amount of time to gain access to 16 hours and 20 minutes.

Strong Passwords
A common tactic is to make a password a combination of letters and numbers, this drastically increases the number of potential combinations.

Another tactic is to only allow a limited number of access attempts before locking the user out of the system. After 10 failed access attempts to an account the system might disable any further attempts for a period of time (say 3 hours), or until a system administrator is called in to re-enable the account.
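The three prevention tactics described in this post (one generic error message, a fixed delay before each check, and a lockout after repeated failures), combined in one login guard as an added example that is not part of the original post. The class and function names are hypothetical; the 2 second delay, 10 attempt limit and 3 hour lockout are the figures suggested above.

```python
import hashlib
import hmac
import os
import time

GENERIC_ERROR = "Your username or password was incorrect"
DELAY_SECONDS = 2               # figure from the post: wait 2 seconds per attempt
MAX_FAILURES = 10               # figure from the post: 10 failed attempts
LOCKOUT_SECONDS = 3 * 60 * 60   # figure from the post: 3 hour lockout


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Hypothetical login check; clock and sleep are injectable for testing."""

    def __init__(self, clock=time.monotonic, sleep=time.sleep):
        self._clock = clock
        self._sleep = sleep
        self._users = {}          # username -> (salt, password hash)
        self._failures = {}       # username -> consecutive failed attempts
        self._locked_until = {}   # username -> clock value when lock expires
        # Dummy record so an unknown username costs the same hashing work.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash("placeholder", self._dummy_salt)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def login(self, username, password):
        self._sleep(DELAY_SECONDS)            # pad out every attempt
        now = self._clock()
        locked = self._locked_until.get(username, 0) > now
        salt, expected = self._users.get(
            username, (self._dummy_salt, self._dummy_hash))
        matches = hmac.compare_digest(_hash(password, salt), expected)
        if matches and username in self._users and not locked:
            self._failures.pop(username, None)
            return True, "Welcome"
        if not locked:
            # Unknown usernames are counted too, so the lockout behaviour
            # does not reveal which usernames exist.
            count = self._failures.get(username, 0) + 1
            self._failures[username] = count
            if count >= MAX_FAILURES:
                self._locked_until[username] = now + LOCKOUT_SECONDS
                self._failures[username] = 0
        # Same message for wrong username, wrong password and locked account.
        return False, GENERIC_ERROR


def seconds_to_make_attempts(attempts):
    """Minimum time for `attempts` failed guesses against one account:
    the delay on every guess plus a full lockout after each batch of 10."""
    lockouts_waited = (attempts - 1) // MAX_FAILURES
    return attempts * DELAY_SECONDS + lockouts_waited * LOCKOUT_SECONDS


if __name__ == "__main__":
    guard = LoginGuard(sleep=lambda seconds: None)   # skip real waiting in demo
    guard.add_user("johnanderson", "correct horse 42")   # constructed account
    for user, pw in [("johnsmith", "aardvark"), ("johnanderson", "aardvark"),
                     ("johnanderson", "correct horse 42")]:
        print(user, pw, "->", guard.login(user, pw)[1])
    days = seconds_to_make_attempts(30_000) / 86_400
    print(f"30,000 guesses against one account: about {days:.0f} days")
```

With all three tactics in place, the 30,000 guesses from the earlier example take roughly a year against a single account, and the responses never reveal whether the username exists.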

Sunday, December 03, 2006

Response to an Earlier comment

In one of my earlier posts, I received the following comment, I've reproduced it in italics, with my responses as appropriate.

Every one of us will effectively have to apply to the government for permission to exist, or at least exist in any way which involves using public services. And even if the principle does not trouble you, the practical effect will be to create an entirely new layer of hassle.

As you might guess, the principle really doesn't trouble me. I don't believe the remit of the ID card will extend much beyond what existing documentation does. What hassle is caused would seem to be fairly minor.

The innocent, we are told, have nothing to fear. But the lesson of the Family Tax Credit and Child Support Agency fiascos is that no government computer scheme ever avoided massive inconvenience to the innocent. Those schemes were a fraction of this one's complexity and size. Even if the technology works, what if some bureaucrat enters your data wrongly -- as in the case of the 2700 innocent people falsely accused by the Criminal Records Bureau, many of whom were consequently turned down by universities and employers? If your card is lost, damaged or stolen, how many hours of Greensleeves on the call-centre hotline will it take to replace it?

The government has thousands of computer schemes all over the country, a number of high profile ones have had problems but the complexity of the ID cards scheme is overstated. In terms of size and complexity, it is still well behind a number of private sector systems.

The chances of a bureaucrat entering data incorrectly are low, in a previous job I held in the marketing industry, our data entry pool achieved over 99% accuracy despite the fact that they were aiming for volume over accuracy. Even when mistakes were made, they were generally simply typos rather than incorrect addresses. The entry of data in the case of the ID card scheme will focus heavily on accuracy and is likely to have an extremely low level of mistakes.

When your card is lost, it will take time to replace, granted but I don't believe that it will cause any more problems than with the loss of any other official document.

As for the Criminal Records Bureau, the 2700 people who were falsely accused were accused because of inaccurate identity data, something the ID card scheme is designed to fix.

In an age when everyone agrees on the need to reduce red tape, ID cards will require an enormous and expensive new bureaucracy, complete with a dozen new crimes and offences for the citizen. Did you know that you will be required to tell (and pay) the police every time you move house -- with a £1000 fine if you forget? Did you know that your friends and neighbours can be forced to give information about you? Do you think the constabulary and courts have better things to do? The justification for all this needs to be very strong, but it is not. ID cards are a solution looking for a problem.

I accept that there will be new crimes and some new bureaucracy, but I will already be fined £1,000 if I fail to do the same with my car's V5 Log Book or my driving licence. This just seems to be the standard fines associated with not keeping ID information up to date. As for the bureaucracy, it will be judged on the benefits it gives.

In all the years of debate and argument, no one has yet explained how exactly the cards will reduce terrorism or crime. Will muggers be obliged to show you their ID before they hit you over the head? Did Spain's compulsory ID system prevent the Madrid bombings? French and Japanese identity cards do not stop illegal immigration to those countries, nor have Italian ones defeated the Mafia.

The government claimed that 35% of terrorists use false or multiple identities: which means, by my reckoning, that 65% of terrorists use their own identities. They do so because they are not known to the authorities as terrorists, a factor which can only increase. ID cards may be able to reduce the use of false and multiple identity among British citizens; but the vast majority of Islamic terrorists are not British citizens.

I don't want to address this in too much detail here, since I've covered it earlier in my blog. ID cards are no panacea for terrorism, but they will be a valuable tool in the identification and detection of terrorists.

ID cards might, it is true, help reduce certain types of fraud. But even by the government's own reckoning, identity-related benefit fraud amounts to no more than £50 million a year; NHS tourism to "a few hundred million"; and all identity-related fraud, public and private sector, to a total of £1.3 billion. An ID card scheme would cost at least £6 billion.

The cost of £5.4 billion is described as the set up and running of the scheme over 5 years. If we factor in £50m from ID fraud, and say £200m from health tourism we're halfway there. If we add a little of the total £1.3bn to the mix we're not far off.

"If you've nothing to hide, you've nothing to fear," the government insists -- but why then is it hiding its estimate of the true budget despite the orders of the Freedom of Information Commissioner?

Identity cards may seem popular now -- but the more people learn more about it, the more resentment will build. Making law-abiding citizens pay £100 to take a day off work and report to the police station to be fingerprinted like common criminals will not be quite the vote-winner that Labour thinks.

I believe the information has been withheld since media scrutiny might affect the results of the review. The £100 cost is pricey, but it's not miles above the existing cost of renewing a passport. Being fingerprinted is cause for a little trepidation, personally I think that any police access to these fingerprints will have to be very strictly limited.

Wednesday, November 29, 2006


Obviously, a fledgeling blog like mine is unlikely to receive too many comments at this early stage, although I've had a few bits and pieces. Surprisingly, I've had a fair bit of pro ID cards feedback, interesting because I was expecting very little of that nature.

I value all feedback on the subject, I'm particularly interested in exploring some of the civil liberties issues that are one of the major fears about ID cards.

Any feedback, comments, stuff you want me to cover to citizenandreas [at] slick47[dot]co[dot]uk

Sunday, November 26, 2006

Key Benefits of ID Cards Part #1

Security, Combating of Terrorism
A few frequent soundbites are often heard on this subject. So we all know that Spanish ID cards didn't stop the Madrid bombings. We also know that if we had ID cards in this country, the 7/7 bombers would have had them legitimately. However, from here it is implied that ID cards will not fight terror. I don't believe this to be correct.

Consider the following examples:
Terrorist A has been watched by the security services for some time, it is suspected that he plans to perform an aircraft based terror attack. He has ordered his ticket using a credit card in a false name from a public terminal, therefore it is not known exactly which airport he intends to use, or which flight. When he gets to the airport he intends to use a false passport.

In this case, ID cards would have several benefits, firstly, the credit card in a false name would have been far harder to obtain. The false passport would not have been accepted, so Terrorist A would have to use their genuine ID. In this case, the security services could have marked up Terrorist A's ID record to ensure that the airport searched him before he was allowed through.

Terrorist A and Terrorist B travelled to Afghanistan via Pakistan in order to receive terrorist training, several years later Terrorist A commits an act of terror. On investigating the matter, the security services look at the audit trail of his ID card usage, this reveals the original flight to Pakistan. By cross referencing the people on that flight against people of a similar age from the same area they uncover the identity of Terrorist B.

What I hope I've shown here is that there are hypothetical situations where the proposed ID card scheme will have its uses in combating terrorism.

Prevention of Benefit Fraud
The majority of losses through the benefits system occur through benefits fraud and mistakes. The ID card could offer potential benefits since it provides government departments with a more robust form of identification. This would allow government departments to keep better track of individuals and reduce the amount of time spent by government employees checking up on identities.

Identity theft based fraud such as the Tax credit fiasco forms a minor part of the overall benefit fraud at the moment, although this kind of crime is expected to become more common. ID cards would prevent this kind of occurrence. By insisting that any bank account to receive benefits would have to have a known identity associated with it, any attempt to send the money to a fraudulent account would fail.

Friday, November 17, 2006

In response to the Guardian's "Cracked It" story

While I'm putting together my list of benefits, I was interrupted by this article in the Guardian.

Cracked it!
- The new hi-tech biometric passport is protected by military-level encryption. We cracked it in just 48 hours.

I wanted to make a quick point clarifying the differences between the way the ID card is intended to work and the RFID passport.

The cloning method suggested in the article for creating a biometric passport is a viable technique. The idea being that you read the data off the passport, decrypt it, alter the biometric data to your own and make a new clone of the chip, with someone else's, or for that matter some completely imaginary details.

The ID card would not necessarily be vulnerable in the same way.

What all this hinges on is whether there is access to the National ID Register (NIR) where the biometric passport is being scanned. When scanning takes place, a biometric sample is taken (finger print or iris probably). If there is access to NIR, the sample can be checked against the biometrics held on the NIR. If not, the sample will have to be checked against the biometrics held on the passport itself, in this case, a cloned passport would be valid.

The point is that although biometric passports can be forged, it does not necessarily follow that the same will be true for ID cards, provided that in situations where the card is used the check is made against the NIR and not information held on the card itself.

On the other subject covered, that of RFID tags I would suggest that these are a case of technology for technology's sake, it seems like it has left these passports unnecessarily exposed. I would hope that they are not used in any potential ID card scheme.

Thursday, November 16, 2006

Alternatives to ID cards, a £5.4 billion shopping list

Recently, on the Guardian CiF, someone suggested to me that the cost of the ID cards scheme would be better spent on improving the existing resources available to the police and security services. I was going to post suggesting alternatives, but I considered it a little pointless before I'd investigated the actual benefits the ID card is supposed to provide.

My gut feeling suggests that the benefits of ID cards are numerous and varied, and therefore hard to pin down to a single succinct answer.

To answer my critic on CiF, I feel it should be made clear the benefits of IT in other areas, one man with a word processor is far more productive than one man with a typewriter. If the ID card scheme does everything the government says it will, it could offer benefits of a similar magnitude.

Next post Citizens, I'll start investigating the benefits.

Sunday, November 12, 2006

Debate on the Reliability of Biometrics

Comment From Jeremy Wickins:
Firstly, an iris or fingerprint is actually not that hard to fake. As security guru Bruce Schneier has famously said, "Biometrics are not secrets". Fingerprints can be lifted very easily from any surface, including a credit/debit card. A piece of sellotape can lift a fingerprint sufficiently to fool a fingerprint scanner. Iris scans can equally be spoofed, but it requires a reasonably high-res picture to do so.

On the second point, one of the problems with facial biometrics is exactly that they are so sensitive to changes that the human eye would not be fooled by. In the only large scale test of biometrics in the UK, a woman brushed back her hair from her face between enrolling the facial biometric and verifying it - the system did not recognise her. Hats, beards and spectacles also baffled the system, and we should all become familiar soon with the fact that any facial expression other than the bland one required will result in a refusal of recognition. At the very least these things are denying us the humanity of self-expression.

At the bottom of this article I've added some references to tests performed on biometric equipment and how it was fooled. From looking at the tests, you can see that every single one of the biometric devices was eventually fooled. However, I don't see this as a suitable reason to pack up and join the anti ID card camp, for the following reasons:

First, looking at the tests in the references below, the best fingerprint scanner needed a silicon mould constructed from the impression of a fingerprint. Since these tests were performed in 2002, it's safe to say that any scanners used by the time the system comes into play will take at least this level of effort to fool.

Next, we need to examine where these devices will be used. A few guesses of mine are:
  • Getting medical treatment at a Hospital
  • Signing on/ applying for benefit
  • A security check when travelling abroad
  • Applying for a bank account/loan/mortgage
This is a far from extensive list, so please suggest additions, but a common point about them is that there will always be someone present, meaning that using the bit of sellotape or silicon mould technique would not really be an option unless whoever was supervising this were to look the other way.

The combination of these factors means that in order to pass yourself off as someone else, you would need:
  • Someone's ID card (or alternatively a forgery)
  • Suitable copies of someone's fingerprints
  • Help on the inside
The difficulty in achieving a combination of these factors means that cheating the system is not as easy as you might think.

Stay out of trouble Citizens

Biometric Sensors Beaten Senseless: article on The Register, a quick outline of the tests used to fool biometric scanners.
Test by c't Magazine: the full details of the tests.

Thursday, November 09, 2006

The purpose of Biometrics

Many people wonder exactly why the biometric element of current ID cards is so important. As I see it, the purpose of the biometric element of the ID card is as follows. If anyone wants to challenge anything I've written, stick in a comment and I'll edit as appropriate.

PIN style Validation
When you use your bank card, the card holds the details of who you are, and you confirm who you are by using a PIN. Someone could potentially make a copy of your bank card, but without the PIN they can't get at your money. With a biometric ID card, your fingerprint is the PIN, so you make the confirmation with a fingerprint swipe.

The benefit of this is that a fingerprint swipe (or iris scan) is very hard to fake, far harder than a PIN.

Detection of Multiple Identities
Currently, proving your identity is a case of digging out household bills, tenancy agreements, passports etc. The problem with this is that some documents can be quite easily faked; with the right combination of documents it is not particularly difficult to obtain more than one driving licence or passport. More thorough checks can be performed, but often there is simply not the capacity available to perform such checks.

Biometric data is recorded to a common standard. This means that unlike a photo, where you can change your hairstyle, grow a beard or use a little subtle makeup, a biometric image is very hard to change. This means that checks can be put in place to prevent people from registering twice.

The mission statement...

A favourite subject for discussion today is the Government's new ID cards program. Like most things the government decides to do, it is viewed with a fair degree of suspicion.

To hear some people talk, you might think that we'll become some kind of dystopian police state on their introduction.

Personally, this strikes me as misleading and hysterical. Having read quite a lot of the arguments against ID cards, it strikes me that a lot of commonly held beliefs about ID cards and their associated technologies are incorrect.

I'm a Labour party member, so I tend to be reflexively defensive of the current government. I don't blindly agree with every single policy, but I'll stand by them when I think they're in the right.

On the subject of ID cards I'm not convinced that the government is particularly in the wrong. My main intention with this blog is to investigate whether I'm right or wrong, to put the subject under the microscope a little more and to try and expand people's understanding of the subject.

My professional background is in IT, so I think I should be able to examine the arguments from a fairly thorough and professional point of view.

Go in peace citizen.