Monday, January 24, 2005

Barriers to ID card suppliers

The draft legislation for the national ID card is being rushed through the committee stage in parliament, despite there being nearly 200 amendments already proposed. And Spyblog has pointed out a potentially interesting disincentive to organisations tempted to supply the technical infrastructure. They are stretching a point, but Section 31, "Tampering with the Register etc", could be interpreted to mean that anyone who supplies technology for the system which does not work perfectly could go to jail for 10 years.

Maybe someone should point that out to the many vendors scrambling for a piece of the ID card action.

On ID cards, the No2ID campaign have issued their latest newsletter, which as usual is very informative. The campaign are particularly vexed about the government's response to their 3230-signature petition against ID cards.

Though I guess it is necessary, I'm not sure an irritated response to a re-hashed empty public relations statement is going to help progress their cause, which I wholeheartedly agree with.

Essentially they need to get the newspapers, all the established civil liberties groups (who essentially agree with them anyway) and commerce and industry on their side to build up a head of steam. Pointing out the clear negative technical and economic effects of the ID card scheme and the industries which are going to be affected (all of them) would help get the trade associations and multinational companies on board. If major commerce were convinced to start rallying against the cards then New Labour would fold on the scheme overnight (probably to Gordon Brown's relief and Tony Blair's chagrin).

As to the government's notion that the ID card will help prevent ID fraud as a basis for making us more secure, any security specialist who knows their job will tell you that either the government are being economical with the truth or they really don't understand what they are dealing with. As Bruce Schneier says, in the context of a possible ID card scheme in the US:

"In fact, everything I've learned about security over the last 20 years tells me that once it is put in place, a national ID card program will actually make us less secure.

My argument may not be obvious, but it's not hard to follow, either. It centers around the notion that security must be evaluated not based on how it works, but on how it fails.

It doesn't really matter how well an ID card works when used by the hundreds of millions of honest people that would carry it. What matters is how the system might fail when used by someone intent on subverting that system: how it fails naturally, how it can be made to fail, and how failures might be exploited.

The first problem is the card itself. No matter how unforgeable we make it, it will be forged. And even worse, people will get legitimate cards in fraudulent names.

Two of the 9/11 terrorists had valid Virginia driver's licenses in fake names. And even if we could guarantee that everyone who issued national ID cards couldn't be bribed, initial cardholder identity would be determined by other identity documents ... all of which would be easier to forge.

Not that there would ever be such thing as a single ID card. Currently about 20 percent of all identity documents are lost per year. An entirely separate security system would have to be developed for people who lost their card, a system that itself is capable of abuse.

Additionally, any ID system involves people... people who regularly make mistakes. We all have stories of bartenders falling for obviously fake IDs, or sloppy ID checks at airports and government buildings. It's not simply a matter of training; checking IDs is a mind-numbingly boring task, one that is guaranteed to have failures. Biometrics such as thumbprints show some promise here, but bring with them their own set of exploitable failure modes.

But the main problem with any ID system is that it requires the existence of a database. In this case it would have to be an immense database of private and sensitive information on every American -- one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.

The security risks are enormous. Such a database would be a kludge of existing databases; databases that are incompatible, full of erroneous data, and unreliable. As computer scientists, we do not know how to keep a database of this magnitude secure, whether from outside hackers or the thousands of insiders authorized to access it.

And when the inevitable worms, viruses, or random failures happen and the database goes down, what then? Is America supposed to shut down until it's restored?

Proponents of national ID cards want us to assume all these problems, and the tens of billions of dollars such a system would cost -- for what? For the promise of being able to identify someone?

What good would it have been to know the names of Timothy McVeigh, the Unabomber, or the DC snipers before they were arrested? Palestinian suicide bombers generally have no history of terrorism. The goal here is to know someone's intentions, and their identity has very little to do with that.

And there are security benefits in having a variety of different ID documents. A single national ID is an exceedingly valuable document, and accordingly there's greater incentive to forge it. There is more security in alert guards paying attention to subtle social cues than bored minimum-wage guards blindly checking IDs.

That's why, when someone asks me to rate the security of a national ID card on a scale of one to 10, I can't give an answer. It doesn't even belong on a scale."
