Dematerialised ID — Table of contents

Anonymity/identity

Capture

Dematerialisation

Campaign

Newcomers and returning visitors, please note that you are welcome to talk to the hermit using this new invention, email.

* "IDNet" is BCSL's name for the new national network of ID card readers and biometric verification equipment which would be required for the government's ID cards scheme

Dematerialised ID

The voluntary alternative

to material ID cards

A Proposal by David Moss

of Business Consultancy Services Ltd (BCSL)

Table of contents

Introduction
	Any national ID voucher scheme should be based on mobile phones, not smart cards. It is premature to rely on biometrics. That applies to passports as much as to ID cards. There is no need to create a new National Identity Register. The objectives of the scheme need to be broadened. And choices need to be made logically, on the basis of the evidence.
Mobile phones are today's ID cards
	So we do not need to waste billions on IDNet*, we can avoid the unnecessary risks the government are taking with it and we do not need to wait six years for a working ID voucher scheme.
	Dematerialised ID is at least as universal as the government's scheme. On its own terms – universality – the government's scheme cannot help but fail. There will have to be additional schemes if the government are to achieve universality, which is a political problem of their own making, but it is just not sensible to aim for a single scheme.
	Dematerialised ID has more chance of achieving the government's limited crime-fighting objectives. It helps to identify suspects, it helps to locate suspects and it helps to reduce more crimes – the big prize would come from reducing the various street crimes.
	Dematerialised ID avoids the punitive feel of the government's scheme, it avoids some of the civil liberties problems of that scheme and thus reduces the political risks and it provides clear ways to manage civil liberties.
	The mobile phone is an infinitely better device than the smart card for locating criminals and terrorists. Dematerialised ID avoids wasting money on smart cards, which are inflexible and which will stifle the growth of eCommerce.
	Dematerialised ID can provide strong circumstantial evidence when it is needed to build a case. It has teeth.
	Is there nothing to be said against dematerialised ID? Yes, the high incidence of the loss and theft of mobile phones will inhibit the adoption of mobile eCommerce. Note that ID cards would face the same problems if they ever succeeded.
	Is there nothing to recommend smart cards over mobile phones? Biometrics? No, you can store those just as well, arguably better, on mobile phones. Photographs? No, you can store those just as well, arguably better, on mobile phones. Distribution? No, that is cheaper and quicker with mobile phones. Monitoring? No, that is better done with mobile phones. Payments? No, ID cards would multiply the authentication problems, not reduce them.
	Other countries are deploying ID card schemes based on smart cards. That is no reason for the UK to follow suit.
	The proposed fixed location terminals would be inconvenient. The mobile phone is the ideal device for the mass depolyment of IT systems. Dematerialised ID will empower people, including the disabled, instead of shackling them.
There are many hopes for biometrics
	They could bring to politics all the precision of Marks & Spencer's stock control systems and they have important objectives.
	DNA and traditional fingerprints seem to be reliable biometrics but they are not the biometrics on offer.
	The bar for the biometrics which are on offer has arguably been set too low.
	In theory, irisprints and the new-style fingerprints should work. Facial geometry does not work even in theory. In practice, the results are embarrassing and they confirm that the new-style fingerprints and traditional fingerprints are not the same thing.
	It would be imprudent and unbusinesslike therefore to deploy biometrics now. The biometrics project is a major risk, a risk that the government are taking unnecessarily. The government themselves question how accurately people can be registered. Biometrics do not offer certainty, they do not act as a deterrent and even the Home Office's own consultants do not believe that biometrics are reliable.
	We can learn from the experience of biometrics in the US and from the absence of any success stories for biometrics in the media.
	The ICAO do not provide cover for the introduction of ID cards, nor does EC 2252/2004, nor do the other precedents cited by the Home Office.
	The Home Office make questionable use of their budget figures and the cost of biometrics remains unknown.
	The fact that other countries have deployed biometrics does not make them reliable, nor does the fact that the private sector is introducing biometrics. The private sector can quite legitimately ignore 20% of the population, the government can't. There is a case for prudence here and the banks, prudently, show no sign of ignoring the unreliability of biometrics.
	One implication of all this optimism in the UK? 8,000 detentions per day.
PKI exists
	... but the media do not seem to know about it. So – time to learn.
	PKI is needed for authentication, it is an established technology and it works, sometimes not so well and sometimes too well.
	The Home Office do not seem to know about PKI either, biometrics do not even in theory provide authentication, PKI does, and yet the UK government have not mentioned it. Do the UK government propose to use PKI, yes or no? Finally we know the answer – yes. But will they use it properly? And what are the implications?
	The implementation of PKI for biometric passports seems to fall short of CESG's authentication principle. The same would be true for ID cards. IPS may well authenticate the identity of people undertaking online identity checks but they can't do the same for offline checks. Offline identity checks stretch the PKI paradigm too far. The implementation ends up breaking PKI's most basic rule – IPS are not even encrypting the message. Which leads inescapably to the conclusion that there should be no offline identity checks. Which leads to a further conclusion – there is no need to have ID cards.
	The implementation of PKI for biometric passports seems to fall short of CESG's confidentiality principle. The same would be true for ID cards. Which will prove very useful to ID thieves. What, then, is the government's stance on confidentiality? They are considering whether it might be appropriate to make money by selling the personal data they require us by law to give them in confidence. Why would the government consider selling our personal data? It cannot be to "ensure secure identity". Selling it impugns security by spreading our personal identity details around. There must be some other reason. There is. The government are trying to give themselves a rôle in the UK payments systems.
	There are doubts as to whether the implementation of PKI for biometric passports can meet CESG's integrity principle. The same would be true for ID cards, which suggests another benefit of basing ID voucher schemes on mobile phones rather than smart cards.
	There is no reassurance on the matter of the availability of the biometric passport and ID card scheme computer systems. If the government has its way, when the computers fail, the UK payments systems could grind to a halt.
	The non-repudiation feature of PKI should be regarded with scepticism.
	I s IPS a trusted third party? And will we see the development of a two-tier system of identity – public sector and private sector?
We do not need a new National Identity Register (NIR)
	... which is just as well, the government record with IT systems is lamentable. New project management techniques are introduced but when they are, they are cloaked in secrecy and the only way the public can find out what is happening is through leaks. Leaks which suggest that the Home Office would be unwise to try to build the NIR from scratch.
	They don't have to build a new one anyway – we already have plenty of NIRs and they already include all the personal data required for the purposes of the Identity Cards Act, apart from people's biometrics. Making use of the existing databases would reduce costs, risks and delays.
	What we need is a portal which can search the existing databases. Any new database should concentrate on criminal/terrorist investigations.
The government seem to be the victims of producer capture ...
	… by producers of limited capability – Atos Origin, Identix, Visionics, Viisage, Accenture, PA Consulting – who have captured several very important jobs.
Dematerialisation ...
	... could result in many of us having hundreds of digital certificates instead of our present material vouchers – far too much for smart cards to cope with.
	It can be cheaper to produce digital certificates than material ones. Digital certificates have many other potential advantages. Take, for example, visas, UK tax on overseas income, academic qualifications, tickets to the FA Cup Final and other events, and credit cards, cheques and the clearing system, banknotes, GP prescriptions and credit card fraud.
	Dematerialised ID could expand the economy. It could have attractive benefits and not be just an imposition, and it could give the government an important rôle.
	Digital certificates could be issued to organisations as well as to individuals, thus improving the chances of reducing identity theft and money laundering.
	If this sort of mobile eCommerce with mass authentication by PKI (mCommerce) is ever to take off, then there are certain implications. We shall need better backup and restore facilities and efficient revoke and reissue facilities. mCommerce has not taken off yet and it may never take off, but the government's ID cards scheme certainly wouldn't help.
Blogging
Visitors
References
Evidence
Submissions to parliamentary enquiries
	10 May 2004 – Home Affairs Committee, Identity Cards
	16 May 2004 – Home Affairs Committee, Identity Cards
	19 April 2007 – Home Affairs Committee, Surveillance Society
	4 June 2007 – Constitution Committee, Citizens and their Relationship with the State
Press releases
	28 January 2007 – After a week like that, what does John Reid do about ID cards?
	8 March 2007 – Is the Identity and Passport Service (IPS) out of control?
	29 March 2007 – Increase your vocabulary
	21 May 2007 – Small train crash in London. One party dead
	14 January 2008 – Off the hook
	22 January 2008 – Off the hook (re-release)
	27 January 2008 – Off the hook (re-re-release)
	9 March 2008 – The Crosby Report
	11 April 2008 – What sensible supplier will bid for work on the ID cards scheme?
	4 July 2008 – In a fantasy league of their own
	24 September 2008 – Manchester, China
	6 February 2009 – Home Office press release misleads the public
	26 February 2009 – Read the salvo – the database state is fantastic
	13 April 2009 – UK Border Control by Bertholt Brecht
	16 April 2009 – Interpol and bottled water – are UKBA fit for purpose?
	10 August 2009 – Logic and the Home Office
	11 August 2009 – Confusion and the Home Office
	11 August 2009 – Danger and the Home Office
	12 August 2009 – Fantasy and the Home Office
	12 August 2009 – Tulipmania and the Home Office
	31 October 2009 – The FBI give Alan Johnson some expert scientific advice. Will he fire them?
	29 January 2010 – ID cards, so what's the score?
	5 February 2010 – ID cards in London? Be still my beating heart, at least until Monday
	5 April 2010 – Surely not, Shirley
	17 August 2010 – The case for a £23 ten-year adult passport
	4 October 2010 – Is Francis Maude an idiot?
	22 October 2010 – The £23 passport – medicine for the sick man of Whitehall
	30 October 2010 – The UK Passport Validation Service – whose income is it anyway?
	15 March 2011 – India's ID card scheme – drowning in a sea of false positives
	19 May 2011 – The impulse purchase of biometrics systems