Risks of poor design mean huge potential security problems

Jerry Fishenden, who is Microsoft's National Technology Officer for the UK, just contributed this first-rate piece to the Scotsman:

A well-designed UK national identity card could help tackle many problems, including the upward trend in identity fraud and theft. But important technical, security and privacy issues need to be tackled to ensure its success.

One major challenge is that no computer system is 100 per cent secure. We've seen various prosecutions arising from unauthorised access to computer systems such as the Police National Computer and DVLA. Putting a comprehensive set of personal data in one place produces a “honeypot” effect – a highly attractive and richly rewarding target for criminals. Forty million users’ personal credit card records were compromised recently in the US – highlighting the very real risks such systems face.

We should not be building systems that allow hackers to mine information so easily. Putting all of our personal identity information in a single place is something that no technologist would ever recommend: it leads to increased and unnecessary risk. And it is poor security and poor privacy practice. Inappropriate technology design could provide new hi-tech ways of perpetrating massive identity fraud on a scale beyond anything we have seen before: the very problem the system was intended to prevent.

The UK identity card also intends to exploit advanced biometrics – technology for measuring and analysing human body characteristics (such as scans of your face, fingerprints and retina). Correctly used, biometrics can provide a useful additional technology to assist with identification – acting as a cross-reference when you need to authenticate yourself.

But as the British Computer Society has commented: “No scheme on this scale has been undertaken anywhere in the world and the technology envisioned is to a large extent untested and unreliable on such a scale. Smaller and less ambitious systems have hit technological and operational problems that are likely to be amplified in a large-scale national system.”

The security and privacy implications of storing biometrics centrally are enormous. Unlike other forms of information such as credit card details, if core biometric details such as your fingerprints are compromised, it is not going to be possible to provide you with new ones.

The ID card itself also needs to be carefully designed to ensure it doesn't add to identity fraud problems by carelessly “broadcasting” personal information every time it's used. Using the same identifiers wherever we present the ID card is a highly risky technical design. Would you be happy if online auction sites, casinos or car rental company employees are given the same identity information that provides you with access to your medical records? It's unnecessary: we can already design systems that ensure the disclosure of personal information is restricted only to the minimum information required (a pub landlord, for example, needs only to know that you are over 18). Keeping identity information relevant to the context in which it is used is both good privacy and good security practice.

The US government has already started to re-think the way it approaches some of their large-scale government IT systems: for example, they actively encourage IT privacy and security experts to attempt to find flaws in their new electronic passport system so that it can be improved.

This is proving a successful model that should be more widely adopted, to the benefit of the UK identity card.

A well-designed identity card could help simplify our interactions with public services, provide additional protection from identity fraud and improve public service delivery. But we need to ensure technology industry expertise and successful models, such as that being adopted for the US e-Passport programme, become an integral part of projects such as the UK identity card. There is no need to contemplate designing a system embodying so much risk when the same results can be achieved without any risk at all.

After all, if someone were proposing to build the most ambitious bridge the world had ever seen and engineers could see that it would fail, and suggest ways in which it could be improved, we would expect their views to be taken into account.

This is a great article and I hope it will get discussion going about other ways to approach the problems the card is meant to address. Jerry speaks for most of us when he points out the unnecessary and troubling risks of the proposed system. And his analogy with a misdesigned bridge could not be more apt.
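To make the "minimum information for the context" point concrete, here is an added illustration that is not part of Fishenden's article or of this post: a single issuer secret, a citizen record, a disclosure policy per relying party and the HMAC construction are all assumed, constructed values. It contrasts a card that broadcasts one global identifier and the whole record with one that hands each context a directed (per-party) identifier plus only the attributes or yes/no predicates that context needs.

```python
import hashlib
import hmac

# Constructed sample data: a made-up issuer secret and one citizen record.
ISSUER_SECRET = b"constructed-issuer-secret-do-not-reuse"
CITIZEN_ID = "citizen-0001"
CITIZEN = {"name": "A. Person", "birth_year": 1980, "nhs_number": "000 000 0000"}

# Assumed disclosure policy: which attributes and predicates each context may receive.
POLICY = {
    "pub":           {"attributes": [], "predicates": ["over_18"]},
    "car_rental":    {"attributes": ["name"], "predicates": ["over_18"]},
    "health_record": {"attributes": ["name", "nhs_number"], "predicates": []},
}

def broadcast_everything(citizen_id, citizen):
    """The risky design the article warns about: one global identifier and the
    full record handed to every relying party, so all uses can be correlated."""
    return {"global_id": citizen_id, **citizen}

def directed_identifier(citizen_id, relying_party):
    """Per-relying-party identifier: HMAC over (citizen, party) under the issuer's
    secret, so the pub's view and the hospital's view cannot be joined on it."""
    msg = f"{citizen_id}|{relying_party}".encode()
    return hmac.new(ISSUER_SECRET, msg, hashlib.sha256).hexdigest()[:16]

def minimal_claims(citizen_id, citizen, relying_party, current_year):
    """Release only what the context's policy allows, keyed by a directed identifier."""
    policy = POLICY[relying_party]
    claims = {"subject": directed_identifier(citizen_id, relying_party)}
    for attr in policy["attributes"]:
        claims[attr] = citizen[attr]
    if "over_18" in policy["predicates"]:
        # A yes/no predicate is released instead of the birth date itself.
        claims["over_18"] = current_year - citizen["birth_year"] >= 18
    return claims

if __name__ == "__main__":
    print("broadcast:", broadcast_everything(CITIZEN_ID, CITIZEN))
    for party in POLICY:
        print(party, minimal_claims(CITIZEN_ID, CITIZEN, party, 2005))
```

The pub ends up with nothing but an unlinkable subject handle and a boolean, while the health-record context still receives the identifying attributes its policy permits.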

Published by Kim Cameron