The government is pitching ID cards as a solution for
identity theft. But industry needs to recognise that the current
approach represents a much greater risk of identity theft liability
for businesses, who will be left to pick up the costs if frauds
occur.
If the ID Cards programme is to succeed, then the government
must ensure that the card is the most trusted identity mechanism in
use in Britain, and can be used as the sole means to identify an
individual in any environment.
After all, the cards will carry little credibility if they can’t
be used to open a bank account, take out a loan or obtain a
passport. For this reason, the government will, sooner or later,
have to mandate that businesses accept the ID card as a fail-safe
proof of identity, without reference to other credentials.
Society will quickly come to depend on the integrity of the
scheme.
When it is reduced to its base functions, the purposes of any
identifying scheme are two-fold: to establish the eligibility of
each party to conduct a transaction, and to assign the limitations
of liability in the event of a failure.
A credit card, for example, uses a chip and PIN to prove
eligibility of its holder, and there are very clearly defined
contracts to determine limits of liability in the event of a
fraud.
Passports are designed to prove the eligibility of the holder to
travel, and to identify the jurisdiction that has accepted
liability for that travel document. Clearly liability is at the
heart of any identity system.
The previous Home Secretary promised us that the ID cards system
will be 100% secure. The Home Office has also clearly stated that
it will not accept liability for the financial impacts that may
arise from fraud within the system. In combination, these two
assertions are very dangerous for British business.
As with all IT systems, it is only a matter of time before the
security of the ID cards scheme is compromised by external
attackers, internal fraud, or most likely a combination of the two.
False identities and multiple identities will be issued; legitimate
identities will be stolen or modified; citizens will fail to report
changes in their identity records.
Businesses will be obliged to enter into transactions with only
these compromised credentials to prove the identity of the other
party.
This represents a transfer of liability for the integrity of the
National Identification Register away from the government and on to
businesses. Financial services companies, utility providers and video
libraries will all be obliged to accept a single credential, rather
than being able to choose for themselves what constitutes
acceptable identity.
They will be obliged to pay for the infrastructure to check the
validity of an ID card. And when a fraud occurs, they will also be
obliged to pick up the bill. This is unlikely to engender
commercial support for the scheme.
Clearly it is time to rethink the issue of liability. If
businesses are to trust and support the ID card, then the
government must be prepared to provide limited financial assurance
against fraud, and compensate companies that have fallen victim to
identity crimes.
Industry bodies must make their voices heard before they become
the unwitting insurance underwriters of the ID cards scheme.
Toby Stevens is director of the Enterprise Privacy Group.
His opinions do not necessarily reflect those of the Group or its
Member organisations.
toby.stevens@privacygroup.org