Identity theft without identification infrastructure

Recent comments to my last post about biometric passports have raised wider questions about the general purpose, risks and benefits of new government-supplied identification mechanisms (the wider “ID card debate” in the UK). So here is a quick summary of my basic views on this.

For some years now, the UK government has planned to catch up with other European countries in providing a purpose-designed identification infrastructure in order to make life simpler and reduce the risk of identity fraud (impersonation). The most visible of these plans center around a high-integrity identity register that keeps an append-only lifetime record of who exists and how they can be recognized biometrically. People will be able to get security-printed individual copies of their current record in this register (ID card, passport, biometric certificate), which they can easily present for offline verification. (What exact support is planned for remote identification over the telephone or Internet is not quite clear yet, so I’ll exclude that aspect for the moment, although the citizen PKIs already used in Finland, Belgium, etc., and under preparation elsewhere, probably give a good first idea.)

However, such plans have faced vocal opposition in the UK from “privacy advocates”, who have shown great talent in attracting continuous media attention to a rather biased view of the subject. Their main refrain is that rather than preventing identity fraud, an identification infrastructure will help identity thieves by making it easier to access the very data that businesses use today to verify identity. I disagree. And I put “privacy advocates” in quotation marks here, because I believe that the existing practice whose continuation they advocate restricts both my privacy and my freedom.

What the critics neglect to see is that the introduction of a purpose-built identification infrastructure must, of course, go hand in hand with rapidly phasing out reliance on the existing weak and vulnerable substitute methods that currently cause so much trouble. None of this is speculation, because purpose-built identification infrastructures have been in place for several decades in most European countries, where the systematic “identity fraud” (professional utility-bill-faking gangs, etc.) that plagues a non-trivial number of UK customers today is practically unknown. In those countries, purpose-designed identification infrastructures are widely perceived by their users as an effective means of protecting their privacy and freedom, rather than as a threat, and many visitors to the UK regard the ID practices they encounter here more as a matter for ridicule.

There are two big classes of mechanisms in use for quickly establishing the identity of someone in a business transaction:

a) proper identification mechanisms, which were carefully designed and reviewed by security engineers for the very purpose of making impersonation as difficult as we can (including but not limited to passwords, PINs, TANs, biometric records and certificates, passports, ID cards, PKIs, security tokens, keys, etc.);

b) “identification circus”, the use of weak and trivial-to-break ad-hoc methods of identification that businesses have come up with in countries or situations where proper purpose-designed identification mechanisms are unavailable (e.g., utility bills in the UK, the SSN in the US, handwritten signatures, etc.).

From what I hear from various financial industry representatives, identity fraud in the UK is today primarily caused by the prevalent use of “identification circus”, and the only advice I can give on how to combat identity fraud is to phase out the use of mechanisms that were never designed to be reliable forms of identification. This could easily be achieved in three steps:

a) the government must first provide high-quality, easily available and easy-to-use identification mechanisms that were designed for the purpose;

b) the legislator must quickly discourage any form of reliance on “identification circus” by legally placing the full liability for any damage caused by impersonation fraud on the party who allowed the fraud to happen by not verifying appropriate means of identification;

c) the government could finally even take steps to further discredit any use of culturally established “weak secrets” (e.g., the SSN in the US, the passport serial number in some other places) as means of identification by making such data easily and publicly available, especially where such a weak secret does not constitute really “private data”, but is nothing more than a meaningless random number.

Example: Say someone commits a fraud that involves opening a bank account in my name after presenting two recent utility bills of mine (or, more likely, colour laser prints that look convincingly similar) plus my mother’s maiden name (found in a genealogy database, and already known to the bank from past transactions with me). In the legal framework that I would like to see, any bank that accepted these weak, not-designed-for-identification credentials would have to cover immediately the entire damage caused to me by the fraud, without causing me the slightest hassle.

The advice currently given on how to protect myself against identity fraud in the age of “identification circus” only leads to restrictions on my personal freedom:

  • I loathe any suggestion that I have to buy a paper shredder to protect myself from identity fraud. Shredders cost money, require space, time and energy, jam or break down easily, and above all destroy information and evidence that might be useful to me in the future.
  • I hate suggestions that I have to treat trivial personal attributes (such as my mother’s maiden name, my first dog’s name, my favourite food, my date of birth, etc.) as secretly as a password, and that I am advised to keep such trivial details off my web site.
  • I do not want to have to destroy each and every utility bill or bank statement that I receive the minute I have read it, just because some business would sadly accept it as a valid security token for identifying me. I’d rather have the assurance that only a very small number of purpose-designed security documents will be accepted, which are (a) far easier for me to protect from theft, (b) far easier to verify, (c) far more difficult to fake, and (d) issued only after much more detailed checks.
  • I do not want to have to carry two recent gas or water bills with me at all times or risk being arrested by police for not being able to prove my identity or residence (which almost happened to someone I know last weekend in Cambridge).

I want to have a strong purpose-built identification infrastructure in place, because this protects me both from the hassles of “identification circus” and from the risks of impersonation.

In the end, I am convinced that such an infrastructure is orders of magnitude cheaper to set up and maintain, and far more effective, than requiring everyone to buy a paper shredder and be trained to use and maintain it with the appropriate level of paranoia.

I dream of a time where I finally can tell you all my mother’s maiden name and my passport serial number without fear …