Oct 18 2005, the UK National Identity Card
The text below is the full version of my article that appears in today's "The Scotsman".
A well-designed UK National Identity Card could help tackle many problems, including the upward trend in identity fraud and theft. But important technical, security and privacy issues need to be tackled to ensure its success.
One major challenge is that no computer system is 100% secure. We’ve seen various prosecutions arising from unauthorised access to computer systems such as the Police National Computer and DVLA. Putting a comprehensive set of personal data in one place produces a ‘honeypot’ effect – a highly attractive and richly rewarding target for criminals. 40 million users’ personal credit card records were compromised recently in the US – highlighting the very real risks such systems face.
We should not be building systems that allow hackers to mine information so easily. Putting all of our personal identity information in a single place is something that no technologist would ever recommend: it leads to increased and unnecessary risk. And it’s poor security and poor privacy practice. Inappropriate technology design could provide new hi-tech ways of perpetrating massive identity fraud on a scale beyond anything we have seen before: the very problem the system was intended to prevent.
The UK Identity Card also intends to exploit advanced biometrics – technology for measuring and analysing human body characteristics (such as scans of your face, fingerprints and retina). Correctly used, biometrics can provide a useful additional technology to assist with identification – acting as a cross-reference when you need to authenticate yourself.
But as the British Computer Society has commented, “No scheme on this scale has been undertaken anywhere in the world and the technology envisioned is to a large extent untested and unreliable on such a scale. Smaller and less ambitious systems have hit technological and operational problems that are likely to be amplified in a large-scale national system.”
Your biometric scans could be stored on your Identity Card, or on a central database. But the security and privacy implications of storing biometrics centrally are enormous. Unlike other forms of information such as credit card details, if core biometric details such as your fingerprints are compromised, it is not going to be possible to provide you with new ones.
The ID Card itself also needs to be carefully designed to ensure it doesn’t add to identity fraud problems by carelessly “broadcasting” personal information every time it’s used. Using the same identifiers wherever we present the ID Card is a highly risky technical design. Would you be happy if online auction sites, casinos or car rental company employees are given the same identity information that provides you with access to your medical records? It’s unnecessary: we can already design systems that ensure the disclosure of personal information is restricted only to the minimum information required (a pub landlord for example needs only to know that you are over 18). Keeping identity information relevant to the context in which it is used is both good privacy and good security practice.
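The two design principles in the paragraph above, context-specific identifiers and minimum disclosure, can be shown concretely in code. The following is an added illustration written for this page, not code from the article or from any ID Card scheme; the record, the relying-party names, the disclosure policy and the issuer secret are all constructed for the example. Each relying party receives a pairwise identifier derived with an HMAC (so a pub and a car-hire firm cannot link their records to the same person), and a derived claim such as "over 18" is released in place of the date of birth it was computed from.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample record held by a hypothetical central identity provider.
# Every value here is invented for illustration; the NHS number is a placeholder.
FULL_RECORD = {
    "subject_id": "subject-0001",
    "name": "A. Example",
    "date_of_birth": date(1990, 6, 15),
    "nhs_number": "000-000-0000",
    "driving_licence_valid": True,
}

# Per-context disclosure policy (assumed for this example): the set of claims
# each kind of relying party is allowed to see. The pub gets an age predicate
# only; it never sees the date of birth the predicate was derived from.
DISCLOSURE_POLICY = {
    "pub": {"over_18"},
    "car_rental": {"name", "driving_licence_valid"},
    "gp_surgery": {"name", "nhs_number", "date_of_birth"},
}

# Issuer-side secret for deriving per-relying-party identifiers (constructed).
ISSUER_SECRET = b"example-issuer-secret-do-not-reuse"


def pairwise_identifier(subject_id: str, relying_party: str,
                        secret: bytes = ISSUER_SECRET) -> str:
    """Derive a stable identifier that is different for every relying party.

    Because the identifier is an HMAC over (subject, relying party), two
    relying parties comparing their records cannot tell they hold the same
    person without the issuer's secret, unlike a single number reused everywhere.
    """
    message = f"{subject_id}|{relying_party}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def derive_claims(record: dict, today: date) -> dict:
    """Add derived predicates (here: over_18) to the raw record."""
    dob = record["date_of_birth"]
    # Subtract one year if the birthday has not yet occurred this year.
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    claims = dict(record)
    claims["over_18"] = age >= 18
    return claims


def disclose(record: dict, relying_party: str, context: str, today: date) -> dict:
    """Return the pairwise identifier plus only the claims the context permits.

    Unknown contexts are refused rather than defaulting to full disclosure.
    """
    allowed = DISCLOSURE_POLICY.get(context)
    if allowed is None:
        raise ValueError(f"no disclosure policy for context {context!r}")
    claims = derive_claims(record, today)
    released = {name: claims[name] for name in allowed}
    released["id"] = pairwise_identifier(record["subject_id"], relying_party)
    return released


if __name__ == "__main__":
    # Usage: the same person presents the card at a pub and at a car-hire desk.
    print(disclose(FULL_RECORD, "the-red-lion", "pub", date(2010, 1, 1)))
    print(disclose(FULL_RECORD, "hire-cars-ltd", "car_rental", date(2010, 1, 1)))
```

The point of the policy table is that the set of released claims is decided by the issuer per context, not by whatever the relying party asks for; a context that has no policy gets nothing. The pairwise identifier is what stops the "same identifiers wherever we present the card" problem: the pub's and the hire firm's records carry different, unlinkable values for the same person.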
The US Government has already started to re-think the way it approaches some of its large-scale government IT systems: for example, it actively encourages IT, privacy and security experts to attempt to find flaws and problems in its new electronic passport system so that it can be improved. Frank Moss, Deputy Assistant Secretary for Passport Services at the US Department of State, has acknowledged the benefits of tapping into existing industry expertise – and that privacy experts’ feedback has helped produce a much better e-Passport. This is proving a successful model that should be more widely adopted, to the benefit of projects such as the UK National Identity Card.
To help reduce the risks traditionally associated with the delivery of identity systems, Kim Cameron – one of the world’s leading identity technologists – has evolved a set of ‘laws’ that provide an important benchmark against which projects can be assessed.
“These ‘laws’ of identity,” explains Kim, “embody everything we’ve learned since the early 1970s. It is possible to achieve good outcomes from projects such as this and deliver systems that are beneficial to the individual and to society. Systems that are safe against attack over very long periods of time. And systems that are likely to leak as little as possible despite all the conspiring forces of time, overconfidence, incompetence and evil.”
A well-designed Identity Card could help simplify our interactions with public services, provide additional protection from identity fraud and improve public service delivery. But we need to ensure that technology industry expertise and successful models such as that being adopted for the US e-Passport programme become an integral part of projects such as the UK National Identity Card. There is no need to contemplate designing a system embodying so much potential risk – when the same results can be achieved without any risk at all. After all, if someone were proposing to build the most ambitious bridge the world had ever seen, and engineers could see both that it would fail and ways in which it could be improved, we would expect their views to be taken into account.
(C) 2004/2005 J Fishenden