It’s nearly Christmas so I’m going to get my soapbox out again and comment on the news that for the national ID system information “will be held on three existing, separate databases” as reported by the BBC in an article that you can read here.
Hands up all of you who are not slightly worried, a little bit cynical, or very concerned about this. I know that David Lacey is: he commented on this story yesterday.
As all of us who have ever worked on developing systems of any sort know, trying to shoe-horn new solutions into an existing product and infrastructure is nearly always an exercise in futility. It won’t work, and the consultant who has suggested this as a low-risk solution should go and actually sit in a development environment for a few days.
The original database and systems were developed for a specific purpose. Modifying them for the national ID card system will be a security nightmare because that is not what the systems were made for. And if a politician tells me that this is not the case then I won’t believe him anyway because, let’s face it, the government does not exactly have a good record when it comes to the development and execution of software systems.
Here are a couple of examples just to push home my point:
For a system such as an ID database, security must be an integral part of the design from the outset. Jury-rigging it up so that it uses existing resources means that security services are bolted on, and, here is my message to the product managers and government in my loudest and most arrogant voice – the security will break!
As to the actual question of whether or not we should have and support a national ID scheme, well, I’m agnostic on the matter. But if we must have this new intrusion on our privacy dictated onto us (ok, maybe not quite so agnostic) then the least the government should do is spend a few quid over and above the cheapest tender on making sure that it is done properly!
Soapbox now safely away. Have a good Christmas.