In asking whether the government has got the business case for ID cards right, we need to understand precisely what that business case is, writes Geraint Price of Information Security Group, Royal Holloway, University of London.
Plenty has been written on how the government has changed its mind on the benefits provided by ID cards since the inception of the programme. If we look at the speech made by Home Secretary Jacqui Smith to Demos in March giving an update on the identity card scheme, the justifications are broadly split into two areas.
First, there are a number of preventative measures which have been previously touted as reasons for the scheme's implementation: illegal immigration, illegal working, benefit fraud, fighting terrorism. Second, and what seems to be particularly emphasised this time around, is the perceived "added convenience" to the citizen.
This change of tack would appear to tie in directly with the change to the roll-out plans by the government. In these revised plans only foreign nationals and those working in "sensitive" positions will, initially, be required to register. UK nationals will then be "encouraged" to register from 2010, and all new passport details entered on the National Identity Register from 2011/12.
The government anticipates that the perceived benefits will convince individuals to register for the scheme leading to a "market driven" uptake of the cards. Many people feel this would appear to be a reaction to the embarrassing rash of data losses by various government departments over the past six months.
Given that there are a number of ways in which the estimated £5.4bn cost of the scheme could be spent to act preventatively (in tackling illegal working, terrorism, etc), we focus our attention here on how the perceived benefits for the average citizen measure up.
The Home Secretary's speech contains a number of facts and figures intended to provide evidential weight to strengthen the argument for the benefits to the individual of ID cards. However some of these reasons - a reduction in identity fraud and ease of identity verification in particular - are difficult to justify.
In terms of reduction of identify fraud, a figure of £1.7bn is quoted as being lost every year in the UK. However, this includes all frauds where existing accounts are misused. ID cards would do very little to help in this scenario. In addition, many instances of opening an account these days happen remotely. As was shown by the BBC television programme The Real Hustle, tens of thousands of pounds worth of debt can be racked up against an individual without the perpetrator having ever to transact with the financial institution face-to-face. Again, ID Cards would do nothing to prevent this type of fraud.
In terms of ease of identity verification, the government's argument that the citizen will benefit relies strongly on the ability of a third party to be able to verify the citizen's identity based on their fingerprints. To quote the Home Secretary from her recent speech: "Because your name will be linked by your fingerprints to a unique entry on the National Identity Register, you will have much greater protection from identity theft - no-one will be able to impersonate you, like they can now, just by finding out your name and address and personal details."
In which case, how many institutions are going to have the wherewithal to implement a robust and reliable mechanism for verifying a user's fingerprint? This requires additional equipment, training for staff, increased transaction cost, physical presence of the customer, etc.
How will a third party be able to securely query the National Identity Register? If, as stated by the Home Secretary, the database will not be online, how will organisations of all sizes and types get access to this information?
How many types of transactions can have their security augmented in this way? Not those transactions which can happen remotely. Even for those where the citizen is physically present, it is unclear how many would be suitable for a fingerprint to be used as part of the authentication process.
In addition, the known failure-rates for biometric technology are not insignificant. The non-match rates, where an authentic user cannot be verified, are of the order of 1-2%. When these percentages are applied to a user population the size of a country, the numbers of errors expected are huge. What happens when someone tries to verify their fingerprint and the match is rejected? These are going to be very real concerns when someone comes to open a bank account or start a new job. And there are significant knock-on effects from this. Firstly, there will need to be processes to deal with these errors, which themselves open up the system to new weaknesses. Secondly, if people frequently encounter errors in the system, the perception of its benefit and reliability are likely to drop significantly.
In addition, the arguments put forward to support the practicality of the scheme - using the examples of how encryption is used on the new biometric passports and how more than one million biometric visas have been issued - have weaknesses in their assumptions.
In terms of the encryption of information used on passports, the Basic Access Control implemented under the International Civil Aviation Organization regulations is known to have existing weaknesses in it. In addition, from the consumer's perspective, it is ultimately the integrity of the data (both in terms of the verifiability of the data by a third party, and how that data is verified at registration) which is key.
In our view, the comparison to the biometric visa system is not valid because the visas are only processed in a small number of dedicated, government-run centres, with carefully vetted and trained members of staff. It is unclear how a similar system would scale to the population of the UK where the verifying party is likely to be any one of a disparate and large number of commercial entities.
Further issues which appear to have been given little attention, but which will play a large part in the effectiveness of the resulting scheme include: reliability of the registration process liability the insider threat how to deal with errors in the database.
All in all, it would appear that the government is determined to pursue the implementation of the ID card scheme. In fact the Home Secretary herself has, on a number of occasions, identified how the government see this as a necessity in achieving their stated goals.
We do not disagree with the premise that a more robust way of asserting identity would be useful for the citizen. However, a person's belief that a given course of action provides a particular benefit should be backed up by reasoned argument. If we leave the questions related to immigration and national security aside (and how the money might be better spent there), we are still to be convinced that the proposal, as it stands, can deliver the perceived benefit to the consumer in a cost-effective manner, and without introducing a number of new threats and vulnerabilities.Read more expert advice from the Computer Weekly Security Think Tank >>