What is an ID voucher scheme?
If someone you have never met says to you "I am Person A", you have only his word to go on. The point of an ID voucher scheme is that something else, other than his word, perhaps his ID card, vouches for his identity.

ID cards cannot do this alone. They are just lumps of metal and plastic and silicon. The card provides a medium, on which to store the voucher.

The smart ID cards proposed by the UK's Identity Cards Act 2006 will display the bearer's name and a picture of him and some other details visible to the naked eye. And they will store various machine-readable bits of information, such as his fingerprints.

In situations where his identity doesn't actually matter all that much, the fact that he looks a bit like the picture on the card – roughly the right age, roughly the right sex – and that he answers to the name on the card, may be sufficient to establish his identity as Person A.

That is not a very powerful check. In other situations, where more confidence is required, it may be deemed important to check that his fingerprints match the fingerprints stored on the card. This check is entirely local. It involves only the person's finger(s), a nearby fingerprint reader, his card, a nearby card reader, and some sort of a monitor. The monitor may be a screen that displays the message "yes, this is Person A" or just a speaker that emits an affirmative sound.

Of course this is only feasible as long as there isn't a power-cut. If there is, then it is not clear how you verify someone's identity in the new order, where we will rely on smart cards.

And of course it is only feasible if this person is not one of the 20% of people whose identity cannot be verified using the new style of fingerprinting technology. It is not clear what you do if he is one of those people.

And it is only feasible if the format in which the fingerprints have been stored on the card is compatible with the formats the software in your fingerprint reader knows how to read.

Further, fingerprint readers have to be calibrated. Make the check too strict, and the machine will reject everyone, saying that their fingerprints do not match those stored on the card, they are not Person A. Too lenient, and the machine will let anyone through, even Person B.

So one problem is to choose the level at which you feel confident in the verdict of the fingerprint reader. What is the correct calibration? How are you, who are perhaps not an expert in dermatoglyphics, supposed to know? The answers are not clear.

Various people have tested fingerprint reading devices and found that they can be fooled with an artificial finger, which has the matching prints etched into it. Or with stick-on false fingertips. Or with nothing more than a photocopy of the right person's fingers.

Knowing this, you may want to ask the person in front of you if you can inspect his fingers carefully and maybe feel them. Are you allowed to ask that? Do you want to? Is he bound to agree? It is not clear. None of this is clear.

It's one thing when you're there to watch the person using the fingerprint reader, but what about unattended verification? A man letting himself into the office late at night, for example. Does unattended verification have any value?

Suppose all these problems have been overcome in this case, and the monitor says that the person in front of you is Person A. Can you be confident that he really is? Perhaps. But in a case where it is really important to be sure, you have to be very suspicious.

Suppose the card is a forgery. Suppose the person in front of you made it half an hour ago. Of course the fingerprints match. That doesn't prove that he is Person A. He could be anyone.

In this case, the check must be made against records stored by a trusted third party, the Identity and Passport Service (IPS), who operate the National Identity Register (NIR). This is a remote check, involving some sort of quick and reliable telecommunications link, connecting the fingerprint reader and/or the card reader and the monitor at your end, with the NIR at the other.

If you have already checked the person's finger against the biometric stored on the card, you now need to check the card against the NIR. The question does arise, of course, why bother to have a card at all? Why not check the finger against the NIR and do away with cards altogether?

If the answer is that we need the card for the less important identity verifications, then we have a new question – how do you decide what is and what isn't an important verification? This distinction between low and high importance may turn out to be nugatory. It's not clear. If a job's worth doing, it's worth doing properly. Local checks may not be worth doing. Perhaps all identity verifications should be performed on-line to the NIR.

Perhaps.

For the moment, let's go back to checking the card against the NIR. There are three questions you want answers to. Is this a card that was issued by IPS? Has it been tampered with since? And was it issued to the person in front of you?

You put the card in the card reader, press the button, pay your £25 or whatever, and wait for the NIR's response. After some time, back comes the response, and in the opinion of the NIR, this is, indeed, Person A.

Now are you confident? Possibly.

But suppose that Person A has an accomplice outside the building who is eavesdropping on the telecommunications link between your office and the NIR. The response from the NIR was actually "no, this is not Person A", but the accomplice intercepted it and changed it to a confirmation.

Or suppose that, thanks to the same accomplice, your machine is not connected to the NIR at all but, instead, to a spoof database pretending to be the NIR.

Come to that, how does the NIR know that you are a legitimate person to be submitting identity verification enquiries? Perhaps you should first identify yourself by submitting your fingerprints? The NIR needs to check that you are properly authorised. Otherwise, you could be some villain, trawling for information.

This is all very far-fetched but we are, ex hypothesi, in a situation where extreme caution is called for. You are on the look-out for attempts to fool the identity verification system. And if someone sets out to fool it, then this is precisely the sort of way in which he would do it and he will rely precisely on your natural diffidence, your feeling that this is all too far-fetched.

We are basically in the world of espionage. And the world of espionage solved these authentication problems decades ago with a raft of technologies and procedures known collectively as "PKI", the public key infrastructure.

Is IPS going to use PKI in the ID cards scheme? We don't know*. BCSL asked them in 2003 and they wouldn't answer. (What they actually said was "the British public are not ready for PKI".) PKI is the standard solution to authentication problems. Everyone even remotely connected to the security business knows that. It is almost unimaginable that IPS would not use PKI.

* In fact, it was confirmed on 19 December 2006 that PKI will be used, but not very well.

And if they don't, then the ID card is not a secure document and you cannot be confident that that is the NIR on the other end of the line, you cannot be confident that no-one is eavesdropping and tampering with the messages, you cannot be confident that this card was issued by IPS, you cannot be confident that it hasn't been tampered with since it was issued and, finally, you cannot be confident that this is Person A in front of you.
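The properties listed above, as an added example in Go that is not part of the original page and not IPS's own design: the issuer signs the card record, and the register signs its verdict over a nonce the verifier chose, so a card made half an hour ago, an answer flipped from "no" to "yes" in transit, and a spoof database posing as the NIR all fail to verify. The record layout, key names and fingerprint template are constructed assumptions; the example does not cover the register checking who is asking.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// cardMessage: what the issuer signs, the name plus a hash of the fingerprint template (constructed layout).
func cardMessage(name string, template []byte) []byte {
	h := sha256.Sum256(template)
	return append([]byte(name+"|"), h[:]...)
}
// IssueCard: the issuer's signature is stored on the card alongside the record.
func IssueCard(issuerPriv ed25519.PrivateKey, name string, tmpl []byte) []byte {
	return ed25519.Sign(issuerPriv, cardMessage(name, tmpl))
}
// CheckCard answers "issued by IPS?" and "tampered with since?" in one step: only an unchanged record signed by the IPS key verifies.
func CheckCard(ipsPub ed25519.PublicKey, name string, tmpl, sig []byte) bool {
	return ed25519.Verify(ipsPub, cardMessage(name, tmpl), sig)
}
// nirMessage binds the verdict to the verifier's fresh nonce and the card's signature, so a replayed, altered or spoofed answer fails.
func nirMessage(nonce, cardSig []byte, verdict string) []byte {
	return append(append(append([]byte{}, nonce...), cardSig...), verdict...)
}
func SignVerdict(priv ed25519.PrivateKey, nonce, cardSig []byte, verdict string) []byte {
	return ed25519.Sign(priv, nirMessage(nonce, cardSig, verdict))
}
func CheckVerdict(nirPub ed25519.PublicKey, nonce, cardSig []byte, verdict string, sig []byte) bool {
	return ed25519.Verify(nirPub, nirMessage(nonce, cardSig, verdict), sig)
}

// Scenarios plays out the cases from the text and reports whether each comes out right.
func Scenarios() map[string]bool {
	ipsPub, ipsPriv, _ := ed25519.GenerateKey(rand.Reader)
	nirPub, nirPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, forgerPriv, _ := ed25519.GenerateKey(rand.Reader) // card made half an hour ago
	_, spoofPriv, _ := ed25519.GenerateKey(rand.Reader)  // spoof database posing as the NIR
	name, tmpl, nonce := "Person A", []byte("constructed fingerprint template"), make([]byte, 16)
	rand.Read(nonce) // the verifier's fresh challenge for this enquiry
	genuine, forged := IssueCard(ipsPriv, name, tmpl), IssueCard(forgerPriv, name, tmpl)
	sigNo := SignVerdict(nirPriv, nonce, genuine, "no") // the NIR's real answer
	r := map[string]bool{"genuine card accepted": CheckCard(ipsPub, name, tmpl, genuine)}
	r["forged card rejected"] = !CheckCard(ipsPub, name, tmpl, forged)
	r["genuine NIR answer accepted"] = CheckVerdict(nirPub, nonce, genuine, "no", sigNo)
	r["accomplice flipping no to yes rejected"] = !CheckVerdict(nirPub, nonce, genuine, "yes", sigNo)
	r["spoof NIR rejected"] = !CheckVerdict(nirPub, nonce, genuine, "yes", SignVerdict(spoofPriv, nonce, genuine, "yes"))
	return r
}
```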

Even with PKI, can you be confident that this person in front of you is Person A? You can if the procedures followed by IPS are good enough. Are they? What procedures are they meant to follow to check people's identity, before issuing them with an ID card? Will they follow the procedures? What if some of the registration staff are tired or dim or lazy or crooked? Suppose their target is to issue 20 ID cards a day and the only way to do that is to cut corners.

As long as the IPS registration staff are being trained in an environment where it is held that the chosen biometrics are 100% reliable, they may believe that nothing else matters. They may be quite happy to register this person in front of you as George VI or Che Guevara, even though they know he isn't, because at least they've got his biometrics. But these biometrics are not 100% reliable. They are not even reliable enough to be admissible as evidence in court. What are you going to do if Person A sues you, for withholding some entitlement of his, on the basis of his fingerprints? It is, as ever, not clear.

(Not admissible as evidence in court? That's right. DNA evidence is admissible in court. But our new biometric passports and ID cards do not use DNA as a biometric. Traditional fingerprint evidence is admissible in court, i.e. "rolled prints", taken by a police fingerprint expert, using ink. But our new biometric passports and ID cards do not use "rolled prints". They use "flat prints", basically just glorified photocopies of your fingers. And flat prints are not admissible as evidence in court.)

PKI has been around for a long time. Long enough for there to be international standards for trusted third parties, i.e. organisations like IPS: registration, certification and revocation authorities, as they are known. Will IPS submit themselves to examination by the various bodies which measure security assurance? If not, are they a trusted third party?

If IPS won't submit themselves to security assurance testing, but private sector organisations do, will we see private sector identity growing up alongside national identity, mirroring BUPA and the National Health Service?

Maybe, by this stage, you feel that it is no longer your responsibility. In the end, it is IPS who are vouching for this person's identity; they are underwriting it. That is the answer to our opening question, what is an ID voucher scheme? Ultimately the voucher is the word of the Home Secretary. By a legal fiction, the person in front of you is Person A because the Home Secretary says so.

But are the government underwriting the ID cards scheme? The Finnish government do, as a matter of pub quiz fact, but there is no provision in the UK legislation to pay compensation to any of the parties involved, in the case of a mistake. In what sense are IPS underwriting the scheme? None. Even if they did pay compensation, whose money would they be paying it with? Yours. Your tax money. Person A's tax money. The two of you would be compensating yourselves, for someone else's mistake, while at the same time continuing to pay that someone else's salary, to do a job that he hasn't done.

That much, at least, is clear.


© 2002-2007 Business Consultancy Services Ltd
on behalf of Dematerialised ID Ltd