So, the Obscurer snagged an interview with Gordon Brown. And what did he have to say? Well, he spoke of identity cards. And the news is not good at all. It seems that Brown is ill-informed about his own proposals (something which we have seen already from past ministers), is still committed to the most imperially grandiose fantasies about biometrics, and is not being honest about the Government’s declared policy.
Further, he is barely coherent:
“And I think we’ve got to get the level of debate about, if you like the management, the identity management to a reasonable level.”
That’s almost the level, if you like, Bush-league syntax of mangling. Cheap, I know, but there’s a war on. More seriously, Brown’s actual arguments in favour of ID cards and the NIR are risible:
As far as the individual is concerned, the danger for me and you in the modern world is that our identity is easily stolen.
Yes, for use in non-present transactions, which identity cards will do nothing to prevent because a) they will probably not be required, b) their use would only be meaningful if everyone had a reader, vastly increasing the costs, and c) such readers would by definition be no more secure, because you cannot trust equipment that is in the hands of the potential attacker. This is very basic information security theory; you can’t trust the enemy to play by the rules.
And people feel worried when information that is personal to them is lost, and rightly so.
Clearly the obvious solution to this is to let the same organisations that have demonstrated their utter and total incompetence have even more of it. Biometric ID cards authenticate a person to a card (this card belongs to this person). The unique identifier on the card is a database primary key in the planned NIR. The card biometric says absolutely nothing at all about the security of NIR. It’s as if I was to lock up all my credit cards in a safe to prevent HSBC employees interfering with my account; the two questions do not intersect.
And I think if we were giving a better means by which people could protect their identity, then in the private as well as the public sector people are looking at biometrics. I mean maybe in a few years’ time on your computer you will need biometrics rather than a password.
Well, no. What private sector organisation is trying to market a mass ID scheme? Surely if it was so great there might be profit in it? What some private (and public) organisations do with biometrics is use them to authenticate small numbers of people to get in and out of highly secure installations; rather than having a monster database of everyone’s dabs at IBM worldwide, they have a little one with biometrics for the dozen or so engineers who need to get into a major data centre at night. Because the likelihood of someone in the set of possible burglars in that area also being in the set of possible false positives is incredibly tiny, this works. But the maths is very different when the whole population is the lookup table.
Further, Brown may be surprised to know that actually you’ve been able to buy laptops with fingerprint readers for years; but again, there is no ThinkPad Identity Register. They check the print from someone attempting to log in against that of the authorised user; again, the pools of error are so small that this is safe. Not that it’s necessarily very useful, though, as if you have physical access to the computer you can always physically steal the hard disk and use one of many possible methods to get at its contents, as it cannot check the biometric itself. But it gets worse; much worse.
Maybe when you go to a supermarket, as happens in some parts of the States and Europe, you are going to be safer, instead of carrying a credit card which can easily be stolen, to use your biometrics to shop.
This has to be some kind of record for biometric scienciness; the Government has historically always handwaved reality-based objections to ID cards away by claiming that we wouldn’t need them very often, whilst also floating insanely grandiose visions of biometric imperialism. Charles Clarke, we may recall, advertised them as “making it easier to rent videos”; as well as offering horrific new possibilities for total surveillance, this would have blasted the Government’s hazy costings down to nothing, demanding vast numbers of readers and numbers of transactions per second that even telecoms engineers would consider ambitious. To say nothing of insulting our intelligence.
It’s worth digging into what Brown means here; it can’t be the ID card itself, which could be stolen just as much as a credit card. He is obviously still addicted to the vision of doing direct identification from biometric readings to the NIR; this went out of fashion in the Safety Elephant’s time at the Home Office, on the grounds that the failure rate would just be too high. Consider; even looking at the Government’s own trial of 10,000 volunteers – which, incredibly, is still the only data they are willing to divulge – the failure rate varied between one-third for fingerprinting and 4% for iris recognition. But 4% of a really big number is a lot. 4% of literally billions of transactions is a hell of a lot. I have to keep making this point; it’s just a wall of cretinous innumeracy. And this takes no account at all of the difference between laboratory and field conditions; none of the 10,000 volunteers was trying to resist, drunk, confused and elderly, they could all speak English, etc, the equipment was in perfect condition, it was set up as the manufacturers intended, the operators were specialists, rather than minimum wage teenagers with a target ring-up rate to hit.
And the numbers from that trial, crucially, are not available on the vital all-defining issue of false positive and false negative rates.
Maybe in relation to banking to use biometrics or fingerprint biometrics, you might find that you are safer in your banking transaction than if you carried a card and a number. But the very fact that you’ve got biometrics now in a way that you didn’t have two centuries ago gives you opportunities to protect people’s identity and I don’t think we should rule out the use of that.
Right; if you are stupid enough to carry a card and a number, no security measures will help. Unfortunately, however, the British banks have been historically unwilling to give us real two factor authentication, as (for example) France’s chip-and-PIN system has done for years. PINs are still, in the year of our Lord 2008, stored on the card; as the card is inactive, this means that the enemy has infinite leisure to work out how to read them, at which point there is absolutely no security whatsoever.
Because biometrics have already been hacked – follow the link to find out how!, this proposal is worse than useless. Direct biometrics defeat the object of two-factor authentication; all this tells you is that someone somehow produced a matching hash, or subverted the reader. Unless there is a second factor of authentication independent of the biometric – like a card! or a PIN! – this is actually a significant reduction in security. If Brown was at all interested in this, he’d been bullying the banks into moving away from their not-quite two factor authentication to the real thing and forcing them to take responsibility for the security of their systems.
Incredibly, years after Professor Ross Anderson’s successful war with the banks forced them to admit first that card fraud existed, secondly that it was a problem, and thirdly that one major bank’s IT department was implicated, and finally to replace the system, one of his PhD students is having to refight the war all over again – this time, because the banks are trying to deny that it is possible to breach Chip-and-PIN. Despite the existence of multiple security breaches, notably the failover attack in which readers are sabotaged so that the chip cannot be read, and the reader instead reads data off the back-up magnetic stripe, which is then used to make withdrawals in a non-PIN country, the yes card attack, in which a fake card is prepared whose chip responds “yes” to any given PIN, and the possibility of large-scale reader subversion (at least one type of card reader uses a small linux OS which can be remotely managed over a wide-area network; if the administrator security is compromised, an online attacker could do anything they liked with them. These are the ones involved in the Shell security breach), they are still trying to claim infallibility.
Here’s something Gordon could be doing; his Chancellor is already refashioning the law regarding banks, the reputation of the bankers is in the toilet, but it appears that the Government is just not serious about information security. All we get is village biometrics faith, funny figures, and managerialist crapspeak about how the fact biometrics exist means we must use them. Strange, hovercraft, nuclear rockets, and giant blimps are available; but we don’t use them. I wonder why?
And finally, some actual dishonesty, or else ignorance:
Q:So would it be that British citizens and non-British citizens would need them?
A:Yes, but under our proposals there is no compulsion for existing British citizens.
Wrong. There is a promise of no compulsion within the next parliament; but this is a promise, and worse, a promise from a prime minister who is no longer prime minister. No parliament may bind its successor. There is a requirement in the ID Cards Act for a vote in parliament, but that’s it. The Government policy papers on the issue back to 2004 have repeatedly stated that compulsion is eventually intended. Taken the pledge?