From, here is piece on a leading IBM researcher who has reached the same conclusions I have in evaluating the design of the current proposal for UK identity cards.  Putting privacy issues aside for a moment – as important as they no doubt are – he is repulsed by the design from a security point of view. 

He couldn't be more right.  My central “aha” in studying the British government's proposal was that the natural contextual specialization of everyday life is healthy and protective of the structure of our social systems, and this should be reflected in our technical systems.  A technology proposal that aims to eliminate compartmentalization rejects one of the fundamental protective mechanisms society has evolved.  The resulting central database, where everything is connected and visible to everything else, is as vulnerable as a steel ship with no compartments – one perforation, and the whole thing goes down.

The starting point for a security thinker is that there will be perforations.  In low value systems, the breach will come from neglect.  In a high value system, there will be conscious attacks mounted both from without and within, and one must assume that one of these will succeed.

Our art consists in reducing the frequency of such perforations, and – once a breach occurs – minimizing the damage that is done.  The current British proposal masterfully maximizes such damage, like a fire extinguisher full of gasoline.   

IBM researcher Michael Osborne, whose job is research into secure ID cards, slated the UK government's ID cards scheme on the grounds of cost, over-centralisation, and being the wrong tool for the job.

Based in Big Blue's Zurich research labs, where the scanning tunnelling microscope was invented and won its inventors a Nobel Prize, Osborne said that the problem is neither the cards nor the fact that the scheme is intended to use biometric technology.

The big issue is that the UK government, plans to set up a central database containing volumes of data about its citizens. Unlike other European governments, most of whom already use some form of ID card, the central database will allow connections between different identity contexts – such as driver, taxpayer, or healthcare recipient – which compromises security. Centrally-stored biometric data would be attractive to hackers, he said, adding that such data could be made anonymous but that the UK Government's plans do not include such an implementation.

Osborne added that biometric technology is still immature. “It's not an exact science”, he said. In real world trials, some 10 per cent of people identified using iris recognition failed to enrol – which means the system didn't recognise them. Even fingerprinting is no panacea, as four per cent failed to enrol. Scale that up to a whole population – the UK contains nearly 60 million people – and the problem of biometric identification becomes huge, he said.

Osborne also criticised the government for the potential cost of the system. He said that it will cost a lot more than anyone thinks, pointing out that a project of this size hasn't been tried before, so the government's projected costs are not necessarily accurate.

Finally, Osborne also used a dozen criteria, including whether or not such as system is mandatory or time-limited , to show that on all but two, the UK Government's scheme fails – even before controversial civil liberties issues are considered.

And as for whether ID cards are the right tool to defeat terrorists in the first place, security expert Osborne said: “ID cards won't solve the problem because terrorists don't care about identification – and they'll have valid IDs anyway. The issue is the central database.

“But no-one knows if it'll work, or if it'll be accurate enough – it's more about perceived security than actual security.”

Osborne suggested an alternative, which involved keeping the data on the card. With such a system, only the template is downloaded and identity processing happens on the card using Java and local data rather using centralised storage and processing.

He added that since terrorists wanted to be identified, having an ID card was unlikely to be a deterrent. “However, in some previous studies, some criminals were found to be deterred by the need to possess an ID card.”

Osborne's remarks were made in a personal capacity during a visit to the Zurich labs, and did not reflect IBM's corporate viewpoint.

Just by the way, I always have trouble with the “in a personal capacity” disclaimer.  Michael Osborne presumably says the same things about the matters in which he is expert whether at work or not.  IBM should just let him speak freely as the researcher that he is – and learn, as should we all, from what he says.


Published by

Kim Cameron

Work on identity.


  1. Great article! Just a quick comment: The attacks are already succeeding, and we have few defences against identity theft. Systems designs that reduce compartmentalization of identity need to explain why they won't make ID theft that much harder to avoid and recover from.

  2. Pingback: Emergent Chaos

Comments are closed.