The Identity and Passport Service has announced the award of the first two contracts under the National Identity Scheme. CSC has been awarded the £385m contract for Application and Enrolment, whilst IBM got the £265m contract to build the National Identity Register. These are the first in a series of components being procured under the framework agreement, which also includes EDS (HP), Fujitsu and Thales.
The more interesting bit of news was the quotes from James Hall, Chief Executive of IPS, although I don’t yet know whether these were at a conference or in a one-to-one interview with the BBC. In the article he confirms the long-standing assertion that the primary form of binding between cardholder and card will be Chip and PIN. That’s no surprise, and in the majority of ID Card use scenarios will be the only cost-effective binding mechanism available, since biometric checking will not be practical.
What’s more confusing is his use scenario:
“One of the reasons for the format of the card is we have the opportunity to put it into card readers and potentially use it in existing networks such as the ATM network.
“We are in discussions with the financial services industry and, if they come forward with a compelling view of the rationale for chip and pin for them, that’s definitely something we’ll take extremely seriously.
“If we conclude that chip and pin is a key part of making it useful, there’s no technical reason why we couldn’t do it.”
I’m lost at what’s being achieved here. So, to prove my identity, I put my ID Card in an ATM and enter a PIN to provide a relatively weak binding: but seeing as nearly every member of the economically active adult population has an ATM card, why would I want to do that? To what purpose?
There’s more sense in the idea of Chip and PIN in, say, a proof of age situation at a nightclub: the individual shows the card to the doorman to provide a visual inspection, then provides Chip and PIN to prove that the card is legitimate and that they are the holder. That I can see. I can also see that working when applying for a financial product rather than having to go through the mess of utilities bills that characterises current ‘know your customer’ procedures (but note that the current EMV network would only confirm the card and its binding, not my home address). Whether these justify the cost and civil liberties implications of an ID Card scheme is, of course, a different matter.
There are some really good reasons for having a population-scale authentication mechanism, but we need to have them enunciated much more clearly from IPS if they’re going to make a business case for expenditure. ATM machines for ID? I’m not convinced.