Wednesday, November 29, 2006

Feedback?

Obviously, a fledgeling blog like mine is unlikely to recive too many comments at this early stage, although I've had a few and pieces. Surprisingly, I've had a fair bit of pro ID cards feedback, interesting because I was expecting very little of that nature.

I value all feedback on the subject, I'm particularly interested in exploring some of the civil liberties issues that are one of the major fears about ID cards.

Any feedback, comments, stuff you want me to cover to citizenandreas [at] slick47[dot]co[dot]uk

Sunday, November 26, 2006

Key Benefits of ID Cards Part #1

Security, Combating of Terrorism
A few frequent soundbytes are often heard on this subject. So we all know that spanish ID cards didn't stop the Madrid bomings. We also know that if we had ID card in this country, the 7/7 bombers would have had them legitimately. However, from here it is implied that ID cards will not fight terror. I don't believe this to be correct.

Consider the following examples:
Terrorist A has been being watched by the security services for some time, it is suspected that he plans to perform an aircraft based terror attack. He has ordered his ticket using a credit card in a false name from a public terminal, therfore it is not known exactly which airport he intends to use, or which flight. When he gets to the airport he intends to use a false passport.

In this case, ID cards would have several benefits, firstly, the credit card in a false name would have been far harder to obtain. The false passport would have not have been accepted, so Terrorist A would have to use their genuine ID. In this case, the security services could have marked up Terrorist A's ID record to ensure that airport searched him before he was allowed through.

Terrorist A and Terrorist B travelled to Afganistan via Pakistan in order to receive terrorist training, several years later Terrorist A commits an act of terror. On investigating the matter, the security services look at the audit trail of his ID card usage, this reveals the original flight to Pakistan. By cross referencing the people on that flight against people of a similar age from the same area they uncover the identity of Terrorist B

What I hope I've show here is that there are hypothetical situations where the proposed ID card scheme will have it's uses in combating terrorism.

Prevention of Benefit Fraud
The majority of losses through the benefits system occur through benefits fraud and mistakes. The ID card could offer potential benefits since it provides goverment departments with a more robust form of identification. This would allow government departments to keep better track of individuals and reduce the amount of time spent by government employees checking up on identities.

Identity theft based fraud such as the Tax credit fiasco form a minor part of the overall benefit fraud at the moment, although this kind of crime is expected to become more common. ID cards would prevent this kind of occurence. By insisting that any bank account to be recieve benefits would have to have a known identity associated with it, any attempt to send the money to a fraudulent account would fail.

Friday, November 17, 2006

In response to the Guardian's "Cracked It" story

While I'm putting together my list of benefits, I was interrupted by this article in the Guardian.


Cracked it!
- The new hi-tech biometric passport is protected by military-level encryption. We cracked it in just 48 hours.

I wanted to make a quick point clarifying the differences between the way the ID card is intended to work and the RFID passport.

The cloning method suggested in the article for creating a biometric passport is a viable technique. The idea being that you read the data off the passport decrypt it, alter the biometric data to your own and make a new clone of the chip, width someone elses, or for that matter some completely imaginary details.

The ID card would not necessarily be vunerable in the same way.

What all this hinges on is whether there is access to the National ID Register (NIR) where the biometric passport is being scanned. When scanning takes place, a biometric sample is taken (finger print or iris probably). If there is access to NIR, the sample can be checked against the biometrics held on the NIR. If not, the sample will have to be checked against the biometrics held on the passport itself, in this case, a cloned passport would be valid.

The point is that although biometric passports can be forged, it does not necessarily follow that the same will be true for ID cards, provided that in situations where the card is used the check is made against the NIR and not information held on the card itself.

On the other subject covered, that of RFID tags I would suggest that these are a case of technology for technology's sake, it seems like it has left these passports uncessarily exposed. I would hope that they are not used in any potential ID card scheme.

Thursday, November 16, 2006

Alternatives to ID cards, a £5.4 billion shopping list

Recently, on the Guardian CiF, someone suggested to me that the cost of the ID cards scheme would be better spend on improving the existing resouces available to the police and security services. I was going to post suggesting alternatives, but I considered it a little pointless before I'd investigated the actual benefits the ID card is supposed to provide.

My gut feeling suggests that with the benefits of ID cards are numerous and varied, and therefore hard to pin down to single succinct answer.

To answer my critic on CiF, I feel it should be made clear the benefits of IT in other areas, one man with a word processor is far more productive than one man with a typewriter. If the ID card scheme does everything the government says it will, it could offer benefits of a similar magnitude.

Next post Citizens, I'll start investigating the benefits.

Sunday, November 12, 2006

Debate on the Reliability of Biometrics

Comment From Jeremy Wickins:
Firstly, an iris or fingerprint is actually not that hard to fake. as security guru Bruce Schneier has famously said "Biometrics are not secrets". Fingerprints can be lifted very easily from any surface, including a credit/debit card. A piece of sellotape can lift a fingerprint sufficiently to fool a fingerprint scanner. Iris scans can equally be spoofed, but it requires a reasonably high-res picture to do so.

On the second point, one of the problems with facial biometrics is exactly that they are so sensitive to changes that the human eye would not be fooled by. In the only large scale test of biometrics in the UK, a woman brushed back her hair from her face between enrolling the facial biometric and verifying it - the system did not recognise her. Hats, beards and spectacles also baffled the system, and we should all become familiar soon with the fact that any facial expression other than the bland one required will result in a refusal of recognition. At the very least these things are denying us the humanity of self-expression.

At the bottom of this article I've added some references to tests performed on Biometric equipment and how it was fooled. From looking at the tests, you can see that every single one of the Biometric devices was eventually fooled. However, I don't see this as suitable reason to pack up and join the anti ID card camp for the following reasons:

First, looking at the tests performed from the references below, the best fingerprint scanner needed a silicon mould constructed from the impression of a fingerprint. Since these tests were performed in 2002 it's safte to say that any scanners used by the time the system comes into play will take at least this level of effort to fool.

Next, we need to examine where these devices will be used. A few guesses of mine are:
  • Getting medical treatment at a Hospital
  • Signing on/ applying for benefit
  • A security check when travelling abroad
  • Applying for a bank account/loan/mortgage
This is a far from extensive list, so please suggest additions, but a common point about them is that there will always be someone present, meaning that using the bit of sellotape or silicon mould technique would not really be an option unless whoever was supervising this were to look the other way.

The combination of these factors mean that in order to pass yourself off as someone els, you would need:
  • Someones ID card (or alternatively a forgery)
  • Suitable copies of someones fingerprints
  • Help on the inside
The difficulty in achieving a combination of these factors means that cheating the system is not as easy as you might think.

Stay out of trouble Citizens

References
Biometric Sensors Beaten Senseless Article on The Register, a quick outline of the test used to fool biometric scanners.
Test by c't Magazine The full details of the tests

Thursday, November 09, 2006

The purpose of Biometrics

Many people wonder exactly why the biometric element of current ID cards is so important, as I see it the purpose of the biometric element of id card is as follows. If anyone wants to challenge anything I've written, stick in a comment and I'll edit as appropriate.

PIN style Validation
When you use you bank card, the card holds the details of who you are, you confirm who you are by using a PIN. Someone could potentially make a copy of your bank card, but without the PIN they can't get at your money. With a biometric ID card, your fingerprint is the pin, so you make the confirmation with a fingerprint swipe.

The benefit of this is that a fingerprint swipe (or iris scan) is very hard to fake, far harder than a PIN.

Detection of Multiple Identities
Currently, proving your identity is a case of digging out household bills, tennancy agreements, passports etc. The problem with this is that some documents can be quite easily faked, with the right combination of documents it is not particularly difficult to obtain more than one driving licence, or passport. More thorough checks can be performed, but often, there is simply not the capacity available to perform such checks.

Biometric data is recorded to a common standard. This means that unlike a photo, where you can change your hairstyle, grow a beard or use a little subtle makeup a biometric image is very hard to change. This means that that checks can be put in place to prevent people from registering twice.

The mission statement...

A favourite subject for discussion today is the subject of the Governments new ID cards program. Like most things the government decides to do it is viewed with a fair degree of suspicion.

To hear some people talk you might think that we'll become some kind of distopian police state on their introduction.

Personally, this strikes me as misleding and hysterical. Having read quite a lot of the arguments against ID cards, it strikes me that a lot of commonly held beliefs about ID cards and its associated technologies are incorrect.

I'm a Labour party member, so I tend to be reflexively defensive of the current government I don't blindly agree with every single policy, but I'll stand by them when I think they're in the right.

On the subject of ID cards I'm not convinced that the government is particularly in the wrong. My main intention with this blog is to investigate whether I'm right or wrong, to put the subject under a the microscope a little more and to try and expand peoples understanding of the subject.

My professional background is in IT, so I think I should be able to examine the arguments from a fairly thorough and professional point of view.

Go in peace citizen.