Who's liable for ID cards?

The government is pitching ID cards as a solution for identity theft. But industry needs to recognise that the current approach represents a much greater risk of identity theft liability for businesses, who will be left to pick up the costs if frauds occur.

If the ID Cards programme is to succeed, then the government must ensure that the card is the most trusted identity mechanism in use in Britain, and can be used as the sole means to identify an individual in any environment.

After all, the cards will carry little credibility if they can’t be used to open a bank account, take out a loan or obtain a passport. For this reason, the government will, sooner or later, have to mandate that businesses accept the ID card as a fail-safe proof of identity, without reference to other credentials.

Society will quickly come to depend on the integrity of the scheme.

When it is reduced to its base functions, the purposes of any identifying scheme are two-fold: to establish the eligibility of each party to conduct a transaction, and to assign the limitations of liability in the event of a failure.

A credit card, for example, uses chip and PIN to prove the eligibility of its holder, and there are very clearly defined contracts to determine limits of liability in the event of a fraud.

Passports are designed to prove the eligibility of the holder to travel, and to identify the jurisdiction that has accepted liability for that travel document. Clearly liability is at the heart of any identity system.

The previous Home Secretary promised us that the ID cards system will be 100% secure. The Home Office has also clearly stated that it will not accept liability for the financial impacts that may arise from fraud within the system. In combination, these two assertions are very dangerous for British business.

Like all IT systems, it is only a matter of time before the security of the ID cards scheme is compromised by external attackers, internal fraud, or most likely a combination of the two. False identities and multiple identities will be issued; legitimate identities will be stolen or modified; citizens will fail to report changes in their identity records.

Businesses will be obliged to enter into transactions with only these compromised credentials to prove the identity of the other party.

This represents a transfer of liability for the integrity of the National Identification Register away from the government and on to businesses. Financial services companies, utility providers and video libraries will all be obliged to accept a single credential, rather than being able to choose for themselves what constitutes acceptable identity.

They will be obliged to pay for the infrastructure to check the validity of an ID card. And when a fraud occurs, they will also be obliged to pick up the bill. This is unlikely to engender commercial support for the scheme.

Clearly it is time to rethink the issue of liability. If businesses are to trust and support the ID card, then the government must be prepared to provide limited financial assurance against fraud, and compensate companies that have fallen victim to identity crimes.

Industry bodies must make their voices heard before they become the unwitting insurance underwriters of the ID cards scheme.

Toby Stevens is director of the Enterprise Privacy Group. His opinions do not necessarily reflect those of the Group or its Member organisations.

 toby.stevens@privacygroup.org


Comment on this article: computer.weekly@rbi.co.uk
