Politech mailing list archives

FC: U.K. plan to create huge biometric database, from RISKS Digest


From: Declan McCullagh <declan () well com>
Date: Tue, 07 Jan 2003 09:34:28 -0800


---

Date: Sun, 05 Jan 2003 01:09:40 +0000
From: Markus Kuhn <Markus.Kuhn () cl cam ac uk>
Subject: Risks of diverse identification documents

The Home Office is currently running a consultation exercise on the
introduction of an identity infrastructure for Britain. This would consist
of a biometric database with basic records of the entire population. Anyone
in the database would be able to get an identity card, which would
essentially enable the holder to grant easily read access to his or her
record to any peer who needs some form of assurance about one's
identity. Details on the consultation are on

  http://www.homeoffice.gov.uk/dob/ecu.htm

The system proposed is nothing unusual and quite similar to what most
European and many Asian countries have used successfully for several
decades.

Such identity infrastructures are generally widely accepted in these
countries, where most people consider them today to be a desirable and
effective protection against what has become known in some countries that
still lack them as "identity theft".

Nevertheless, there is fierce opposition to the proposals from various
British privacy advocacy groups. Similar discussions can be observed at the
moment in the US and Japan.

While much of the opposition is of a somewhat religious/tinfoil-hat nature
and therefore difficult to address, some of it has been voiced by notable
computer-security experts and therefore deserves some serious response.

Probably the most commonly recurring theme is that the introduction of a
national identity card would lead to over-reliance on a single document. The
need to corrupt only the issuing procedures of a single mechanism -- so the
often expressed concern -- would ultimately make identity theft easier
rather than harder. This is probably based on the implicit assumption that
independent identity systems perform independent checks with statistically
independent failure probabilities. Therefore their security should increase
exponentially with the number of verification systems and more would be
better.

Defense-in-depth and its use of multiple diverse security mechanisms is in
general a feature of sound security engineering. However, applying this
general idea in the context of government infrastructures against identity
theft this way is in my opinion horribly wrong and naive for a number of
reasons, which I'd like to address very briefly.

The most obvious problem is that the UK's present alternative --
identification based on multiple documents and issuing procedures -- adds
very little as none of the currently widely available documents is protected
by controls of desirable strength. This is just illustrated again by recent
media demonstrations of how easy it is to abuse UK birth certificates:

  http://news.bbc.co.uk/1/hi/programmes/kenyon_confronts/2625395.stm

In practice, anyone wishing to verify an identity gets only the *minimal*
protection of all the ID schemes in common use, because as soon as you break
one of them, you can quite easily proliferate your fake identity into
several other systems. Get a fake UK birth certificate (fairly easy) and
apply with it for a fake UK driver's license (therefore also not much more
difficult), use both to get a fake UK passport and all three to comfortably
get fake account access, education degrees, travel documents, security
clearances, etc. etc.  Most of the existing systems depend on each other,
which leads easily to circular verification (A thinks B knows I and B thinks
A knows I).  They all lack the somewhat more expensive direct checks of
non-document evidence that for example a properly protected distributed
add-only database of the biometric long-term history of those registered
could support economically and effectively.

Multiple documents? Unfortunately, the world of fake ID documents currently
works more like "Buy one, get three more free!" The number of systems
doesn't count much after all.

But this is not the only reason why it is so crucial to have at least one
identification scheme that is seriously difficult to break, while having
more than one of these is unlikely to be worth the cost and hassle.

There is first of all also the problem that within a single infrastructure,
it is far easier for those in charge of its integrity to verify and ensure
that the overall policies such as the separation of duties for critical
checks really lead to checks that are independent by design, and not by
chance.

Another reason is that the costs for the training/equipment/time/etc.
necessary for the adequate verification of security documents increase at
least linearly with the number of different document types accepted. And the
risk of fraudsters finding by brute-force search one accepted type of
identification for which a particular verifier is not well prepared to
recognize comparatively simple fakes increases even exponentially with the
overall number of different identification forms accepted.

Hence I am not surprised by the desire in the UK government to finally also
offer its taxpayers one single simple cheap properly engineered and run
identity infrastructure. It is needed to replace all the existing often
ridiculously weak alternatives (including old birth certificates, old
driving licenses, magstripe-cards, knowing mother's maiden name or showing a
laser-printed utility bill) that are all currently used by especially the UK
financial industry as acceptable means for gaining access to critical
personal information and property.

Perhaps the discussion should first of all be driven by comparing actual
practical identity-theft versus privacy-violation statistics in countries
with and without proper government-provided identification infrastructures,
instead of naively applying generic security recipes such as
more-mechanisms-are-better to an application area with far more specific
properties.

Markus Kuhn, Computer Lab, Univ of Cambridge, GB
http://www.cl.cam.ac.uk/~mgk25/
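The "buy one, get three more free" argument above can be made concrete with a small probability model. The following is an added illustration, not part of Kuhn's message or the RISKS Digest: the document names, forgery probabilities and issuance dependencies are constructed sample values. It contrasts the implicit assumption that separately issued documents fail independently (so a verifier demanding several of them enjoys multiplied protection) with a model in which a fraudulent copy of any document accepted by an issuing procedure yields the document it issues, so the attacker only needs to defeat the weakest link in the chain.

```python
from itertools import product
from math import prod

# Constructed sample data (not from the original post): probability that an
# attacker can obtain a fraudulent copy of each document by attacking its
# issuing procedure directly. Lower means better protected.
DIRECT_FORGERY_PROB = {
    "birth_certificate": 0.5,   # weakly protected paper document
    "driving_licence": 0.1,
    "passport": 0.02,
}

# Constructed: documents each issuing procedure accepts as proof of identity.
# Holding a fraudulent copy of any one accepted document yields this document,
# which is the "proliferation" effect described in the message.
ISSUANCE_ACCEPTS = {
    "birth_certificate": (),
    "driving_licence": ("birth_certificate",),
    "passport": ("birth_certificate", "driving_licence"),
}


def closure(obtained, accepts):
    """Documents reachable from the directly obtained ones by repeatedly
    presenting anything already held to an issuing procedure that accepts it."""
    have = set(obtained)
    changed = True
    while changed:
        changed = False
        for doc, evidence in accepts.items():
            if doc not in have and any(e in have for e in evidence):
                have.add(doc)
                changed = True
    return have


def fraud_prob(required, direct, accepts, require_all=False):
    """Probability that the attacker ends up holding what a verifier asks for.

    Enumerates every combination of direct forgery outcomes (assumed
    independent) and propagates each through the issuance dependencies.
    require_all=False: presenting any one of `required` suffices;
    require_all=True: the verifier insists on all of `required`.
    """
    docs = list(direct)
    total = 0.0
    for outcome in product([False, True], repeat=len(docs)):
        p = prod(direct[d] if got else 1 - direct[d]
                 for d, got in zip(docs, outcome))
        have = closure([d for d, got in zip(docs, outcome) if got], accepts)
        ok = set(required) <= have if require_all else bool(set(required) & have)
        if ok:
            total += p
    return total


def naive_independent_prob(required, direct):
    """What 'more documents are better' implicitly assumes: each required
    document must be forged on its own, so the probabilities multiply."""
    return prod(direct[d] for d in required)


def with_standalone(direct, accepts, doc, p):
    """Hypothetical single well-engineered infrastructure: `doc` is issued
    only after a direct (e.g. biometric register) check with failure
    probability p and accepts no other document as evidence."""
    new_direct = dict(direct, **{doc: p})
    new_accepts = dict(accepts, **{doc: ()})
    return new_direct, new_accepts


if __name__ == "__main__":
    d, a = DIRECT_FORGERY_PROB, ISSUANCE_ACCEPTS
    print("passport, naive independent view :", naive_independent_prob(["passport"], d))
    print("passport, with proliferation     :", fraud_prob(["passport"], d, a))
    both = ["driving_licence", "passport"]
    print("licence+passport, naive          :", naive_independent_prob(both, d))
    print("licence+passport, proliferation  :", fraud_prob(both, d, a, require_all=True))
    d2, a2 = with_standalone(d, a, "passport", 0.01)
    print("passport issued on direct check  :", fraud_prob(["passport"], d2, a2))
```

In the constructed data the best-protected document (passport, 2% direct forgery chance) is obtained fraudulently about 56% of the time once the birth certificate and driving licence are accepted as evidence for it, and demanding both licence and passport barely helps (55%) because the same weak root document feeds both. Cutting the dependency so the passport is issued only on a direct check brings the figure back to that check's own failure rate, which is the point of having at least one scheme that is seriously difficult to break.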



-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
Recent CNET News.com articles: http://news.search.com/search?q=declan
-------------------------------------------------------------------------

