Who will foot the bill for ID card fraud?

Government looks set to push liability on business

The government is pitching ID cards as a solution to identity theft. But industry needs to recognise that the current approach represents a much greater risk of identity theft liability for businesses, which will be left to pick up the costs if fraud occurs.

For ID cards to succeed, the government needs to ensure they are the most trusted identity mechanism and can be used as the sole means of identifying an individual.

The cards will carry little credibility if they cannot be used to open a bank account, take out a loan, or obtain a passport.

So the government will, sooner or later, have to mandate that businesses accept the ID card as a failsafe proof of identity, without reference to other credentials. Society will quickly come to depend on the integrity of the scheme.

When there’s a problem

The two basic purposes of any identifying scheme are to establish the eligibility of each party to conduct a transaction, and to assign the limitations of liability in the event of a problem.

A credit card, for example, uses a chip and Pin to prove eligibility of its holder, and there are very clearly defined contracts to determine limits of liability in the event of a fraud.

Passports are designed to prove the eligibility of the holder to travel, and to identify the jurisdiction that has accepted liability for that travel document. Clearly ¬liability is at the heart of any identity system.

The last home secretary promised that the ID cards system will be 100% secure. The Home Office has also stated that it will not accept liability for the financial impacts that may arise from fraud within the system. In combination, these two assertions are very dangerous for business.

Theft and falsehood

It is only a matter of time before the security of the ID cards scheme is compromised by external attackers, internal fraud, or both.

False identities and
multiple identities will be issued; legitimate identities will be stolen or modified; citizens will fail to report changes in their records. Businesses will be obliged to enter into transactions with only these compromised credentials to prove the identity of the other party.

This represents a transfer of liability for the integrity of the National Identification Register away from the government and on to businesses, which will be obliged to accept a single credential, rather than choosing for themselves what constitutes acceptable identity.

They will be obliged to pay for the infrastructure to check the validity of an ID card. And when a fraud occurs, they will also be obliged to pick up the bill.

Clearly it is time to rethink the issue of liability. If businesses are to trust and support the ID card, then the government must be prepared to provide limited financial assurance against fraud, and compensate companies that have fallen victim to identity crimes.

Toby Stevens is director of industry body the Enterprise Privacy Group

More on the ID cards scheme


Have your say

Do you agree with Toby Stevens’ views? If you have an opinion about this or any article in Computer Weekly, e-mail

Comment on this article: [email protected]

Read more on Identity and access management products