Tuesday, October 25, 2005

UK ID Card Pie in the Sky

Niels J Bjergstrom, the editor of Information Security Bulletin has been writing again about the UK proposals for a national ID card.

"If you still haven't gotten around to reading LSE's report into the UK government's Identity Project you can fetch it here: http://is.lse.ac.uk/idcard/identityreport.pdf

It's a bit over 300 pages long and fascinating reading. It concludes - like earlier editorials in ISB - that the proposed project is not feasible, saying that the proposals are too complex, technically unsafe, overly prescriptive and lack a foundation of public trust and confidence. LSE's report also concludes that the risk of failure in the current proposal is therefore magnified to the point where the scheme should be regarded as a potential danger to the public interest and to the legal rights of individuals.

I will add to this that the proposals are particularly unimaginative. Given a blank slate for such a fascinating potentially future-shaping project, is this really the best vision politicians and government employees can come up with?

The whole approach to this project is reactive rather than forward-looking and proactive. The justifications for introducing a national identity system in the Bill include 'the interest of national security', 'the enforcement of prohibitions on unauthorised working', 'enforcement of immigration controls' and 'prevention and detection of crime'.

These goals seem to be missing: 'enabling and facilitating a society based on e-commerce', 'increasing individual freedom by enhancing anonymity and privacy', 'enabling irrefutable authentication of humans to machines' and 'providing individuals with transactional security'. These are some of the positive drivers of an eID system, some of the drivers that will actually be able to underpin the acceptance by the public and justify the huge expenses initially associated with establishing and not least running an eID system...

With regard to the UK bill I am not going to argue with it here although - technical issues aside - it certainly is an obnoxious piece of legislation, moving the relationship between state and citizen several hundred years back, introducing important components of a totalitarian state by stealth - the ID card part is in a way the least important. It is a piece of legislation that does not belong in a democratic country (which of course, given the role of the unelected House of Lords, the UK isn't anyway).

Technically, it builds on a range of false assumptions, including the pie-in-the-sky idea that technologies to solve these issues exist and can be deployed. This is not the type of project you can simply give to a vendor or two and expect them to be able to deliver. More than anything I can recall ever seeing, this project requires a top-down architectural design process. It is not a vendor-problem that you can throw existing components at. This problem is so complex that it requires close co-operation between scientists, government and vendors. It will take a small extremely competent work group at least a year to identify possible solutions and consequences.

Unfortunately the current bill is so poorly drafted that it can't form the basis for discussion and amendment - back to square one. Normally that would make me complain bitterly over waste of my tax money but in this case there are only a handful of people in the world competent to do it right. Those are the individuals the UK government needs to find."

No comments: