Saturday, November 18, 2006

IDentity Rant

No swearing this time, I promise.

I am not a "No2ID" purist, although I am a member. I think that the Identity Cards Act 2006 was an awful, regressive piece of legislation. But please consider an analogy.

Let us take some awful waste of public money - say, for one of many examples, Jonathan Ross's current BBC contract. Now, this is appalling (at least for people who consider Woss to be essentially pointless) but it is not actually evil. To consider true evil, no matter how cheap, look at the ministerial component of John Reid's salary (the poor, benighted souls of Airdrie and Shotts did vote for this repressive Stalinist, so no matter how much I loathe him, I can't quite bring myself to resent the Parliamentary salary component quite so much). Now, that is evil.

In the same vein, we have the ID Card itself - expensive and pointless (if it ever worked) - versus the National Identity Register - truly evil.

So, what do I believe? Cards first:
  • There is nothing fundamentally evil about a National Identity Card. It does change the relationship between state and citizen a bit, although not too much, provided there is no compulsion to carry - I have eight pieces of government-issued ID that I normally carry on a working day (and no, I don't work for them, but I am counting the new driving licence as two pieces).
  • The card should only be used where you are proving who you are in a government mandated way - i.e. to the government itself or one of its agencies, or where the government sets the rules for how you identify yourself - e.g. bank "Know Your Customer" rules for opening new accounts.
  • It would be reasonable to expect a smart card containing simple biometrics, to demonstrate that I am probably the person to whom it was issued (including a high-resolution picture that can be displayed on a simple user terminal or a PC with a reader), some clever crypto stuff to prove it was issued through the proper process, and a unique reference number, backed up by a register. This would be a readily available register of card numbers and card status, so that anybody can check whether a card is valid - i.e. properly issued and not revoked (lost, stolen or issued incorrectly - whether in error or malice). It would not contain any personally identifiable data of the card holder. (I can see where including some record of where and how the card was issued might make a degree of sense, but I am not sure that it would not add sufficient additional complexity to make the whole project even less feasible.)
  • The government (not just this current bunch of turkeys, but any likely bunch thereof, while the civil service, particularly the Treasury, work the way they currently do) has very little chance of making a project of this size and technical nature work - its record is appalling and getting worse.

Now, the Register is just such a bad, bad thing. The sheer amount of personal data in there would make it "Uncle Target", if there was any way that any government contractor is ever going to make this heffalump fly. Multiple points of write access to the database, including for the commercial sector (and we see how easy the credit reference industry make it for people to apply their rights under Principle 4 of the Data Protection Act) will make it inherently insecure - I am not aware of any way to engineer such a data structure for the necessary level of integrity. Actually, isn't the whole thing just a massive breach of Principles 3 & 5 of DPA98? Sorry, if I keep on at this I am just going to start swearing again. I'll try to continue tomorrow.


HTTP Error 403: You are not authorised to access the file "\real_name_and_address.html" on this server.

