Dave's Bit Bucket

Dave Walker's jottings - mostly pertaining to security


Wednesday November 08, 2006

"Dear Tony..."

I know it's fairly obvious from the press that you no longer consider - or even acknowledge - the opinions of your electorate, but given your recent outbursts on national ID cards, you might like to have a look at the following.

Disclaimer: These are the words of one well-to-do reasonably-savvy computer security geek, who is never likely to vote Labour.

Said words do not necessarily reflect the opinions of my employer, even though I wish they did.

Anyway, Identity cards do not - and cannot - solve the problems you claim they will. Here's why, along with some further thoughts.

The Main Problem

Gathering the data is not the main problem (although that data gathering has its own issues, such as people not having precisely-gatherable biometrics); the main problem is mediating who is allowed to access the data, from where, when, in what manner (readonly / read-write, whether censored / elided or not), on whose behalf, and for what purpose. Managing metadata associated with data sensitivity and access control is the definitive problem which may sink the whole proposal for end-to-end surveillance. There is also the matter of whether the data as gathered is itself reliable; see http://www.antipope.org/charlie/blog-old/2006/05/17/ about the all-too-plausible failure of the NIR from a data integrity perspective (although the dates probably need updating). Such a scenario would spell out the pointlessness of the whole exercise. Labelling of data and accessing entities, as can be done with Trusted Solaris 8 and Solaris 10 (labels comprising a tuple of a hierarchical sensitivity (eg CONFIDENTIAL, SECRET) and a non-hierarchical compartment (eg SECURITY SERVICES, NHS)), is a solid foundation upon which to build, but the means to sufficiently express fine-grained access criteria - in terms of delegation, subject duress, etc - are still, AFAIK, being developed or onerous to deploy. See also commentary on the re-emerging proposal for the US equivalent at http://www.schneier.com/blog/archives/2006/10/total_informati.html.
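To make the label tuple concrete, here is an added example (mine, not from the post and not Trusted Solaris code) of the dominance check that such labels are built on: a subject may read a record only if its level is at least the record's and its compartments include all of the record's. The level names are the post's; their ordering, the compartment strings and the subject roles are assumed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Sensitivity is the hierarchical half of a label. The level names are the
// post's own examples; their ordering and numeric values are assumed here.
type Sensitivity int

const (
	Unclassified Sensitivity = iota
	Confidential
	Secret
)

// Label is the (sensitivity, compartments) tuple the post describes:
// one hierarchical level plus a set of non-hierarchical compartments.
type Label struct {
	Level        Sensitivity
	Compartments map[string]bool
}

// NewLabel builds a label from a level and any number of compartment names.
func NewLabel(level Sensitivity, compartments ...string) Label {
	l := Label{Level: level, Compartments: map[string]bool{}}
	for _, c := range compartments {
		l.Compartments[c] = true
	}
	return l
}

// Dominates reports whether a dominates b: a's level is at least b's and
// a's compartment set is a superset of b's. Levels alone never decide
// access; a SECRET label with the wrong compartment still fails.
func (a Label) Dominates(b Label) bool {
	if a.Level < b.Level {
		return false
	}
	for c := range b.Compartments {
		if !a.Compartments[c] {
			return false
		}
	}
	return true
}

// CanRead is the mandatory "no read up" rule: a subject may read an object
// only if the subject's label dominates the object's label.
func CanRead(subject, object Label) bool {
	return subject.Dominates(object)
}

// CanWrite is the matching "no write down" rule: a subject may write to an
// object only if the object's label dominates the subject's, so labelled
// data cannot leak into a lower or differently compartmented store.
func CanWrite(subject, object Label) bool {
	return object.Dominates(subject)
}

// String renders a label as LEVEL[COMP1,COMP2] for log output.
func (l Label) String() string {
	names := []string{"UNCLASSIFIED", "CONFIDENTIAL", "SECRET"}
	comps := make([]string, 0, len(l.Compartments))
	for c := range l.Compartments {
		comps = append(comps, c)
	}
	sort.Strings(comps)
	return fmt.Sprintf("%s[%s]", names[l.Level], strings.Join(comps, ","))
}

func main() {
	// Constructed subjects and one constructed NHS record.
	nhsRecord := NewLabel(Confidential, "NHS")
	nhsClerk := NewLabel(Confidential, "NHS")
	ssOfficer := NewLabel(Secret, "SECURITY SERVICES")
	liaison := NewLabel(Secret, "SECURITY SERVICES", "NHS")

	for _, subj := range []Label{nhsClerk, ssOfficer, liaison} {
		fmt.Printf("%-32s read %s: %v  write: %v\n", subj, nhsRecord,
			CanRead(subj, nhsRecord), CanWrite(subj, nhsRecord))
	}
}
```

The point the run makes is the one in the paragraph: the SECRET officer without the NHS compartment cannot read a CONFIDENTIAL NHS record, and the liaison who can read it cannot write back into it, because that would move SECURITY SERVICES data into an NHS-only store.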

Terrorism

In a world where many terrorists are now "single use" entities - individuals who have no recorded history of terrorist activities, and are frequently required to die in the execution of their single act of terrorism - being able to verify an individual's identity gives little benefit. The September 11th terrorists travelled under their own names using valid passports and visas (and in some cases, genuine Virginia driving licenses obtained fraudulently), and there is no evidence that the Madrid bombers used forged ID. National ID cards would not have prevented the 7/7 attacks, either; the attackers were registered and, until that point, law-abiding British citizens.

If an ID card is to be able to contribute to reducing the threat of terrorism by this kind of terrorist, not only would it need to be produced and verified in order to obtain any ticket for travel on any means of public transport, or when making any vehicle purchase or lease, but all communications associated with all individuals would need to be recorded, analysed for content, sources and destinations, and tied to individuals' identities. US Adm. Poindexter's Total Information Awareness study, which proposes this kind of pervasive communications interception and analysis, fell out of favour but now appears to be re-emerging in the form of Tangram; nonetheless, the Regulation of Investigatory Powers Act 2001 prevents such systems arising here (unless some further excessive blanket characterisation of data happens, to the effect that everyone's movements, transactions and communications are considered to be "matters of national security").

Identity Theft

While an identity card which can be provably associated with a subject (see requirements on "what should be stored on the card" below) reduces the risk of identity theft when the subject and the inspecting officer are physically co-located, the officer has requested the card and the subject has it on their person and is willing to present it rather than lie about it being elsewhere, it has limited effect when the subject is not present in person. If synchronisation and maintenance of synchronisation of data across various departments' databases could be performed under the auspices of the ID card project, however, the ability to masquerade as deceased subjects or subjects who have permanently left the country could be significantly reduced.

However, the principal milieu in which stolen identities are used today is that of credit / debit cards and their use to purchase goods and services. If this area is to be addressed, elements of Government-held identity databases would need to be opened up for read access by credit card companies and vendors of goods and services - alternatively, the identity card, if suitably compartmentalised, could also potentially be used by banks as a replacement for current credit and debit cards provided the Government and the finance industry can put mutually acceptable collaboration and data sharing agreements in place.

Invasive and semi-invasive attacks which can read information stored on a card (cf Skorobogatov's and Anderson's paper at http://www.cl.cam.ac.uk/ftp/users/rja14/faultpap3.pdf) mean that the electronically-stored component of ID cards could almost certainly be "cloned".

"Identity fraud" needs to be re-investigated as a legal concept; see Ross Anderson's security group's blog. There is also the matter of what constitutes "identity" anyway - I suspect cheques are falling out of favour as a payment mechanism as a result of excessive duplication of personal names (http://www.yournotme.com/ tells me that there are another 3590 David Walkers known to be resident in the UK; for your information, it also says that there are 39 Anthony Blairs and 4 Cherie Booths, so at least you are at lower risk of unexpected name collisions).

Benefit Fraud

From a mitigation perspective, this can be considered as a functional equivalent to identity theft, above - the principal difference being that the DWP replaces the vendor of goods or services.

Illegal Immigration

Illegal immigration is unlikely to be significantly reduced by a National ID card scheme, as it has no way of impinging on "people smuggling" activities. Illegal working by illegal immigrants once they are in Britain, however, could possibly be reduced using such a scheme - provided the organisation the would-be worker attempts to gain employment with is itself legitimate and registered, and that all such organisations are mandated to perform identity checks on their workers on pain of serious fines. However it must be borne in mind that such illegal working cannot be eliminated until it becomes impossible to transfer funds in a manner which is not audited and where the transaction is nonrepudiable - ie until banknotes, coins and other unauthenticated promissory instruments are phased out or otherwise made traceable at legitimate point of use (eg by putting barcodes on all of them, and requiring that they be scanned at point of transaction). Even then, some illegal working is likely to continue, by dint of workers being paid in kind, in terms of food and lodging (cf the modus operandi of some gang masters, as revealed after the Morecambe Bay disaster).

Organised crime

As with illegal working above, the ability to transfer ownership of goods or promissory instruments in a manner where the transaction is not subject to Government audit means that organised crime will continue despite the introduction of an ID card.

It recently came to light, for example, that fully 75% of all 500-Euro notes in circulation were issued in Spain; when the Euro was adopted there was some discussion as to whether a note of such high denomination should be printed, as it would make money laundering easier. The Spanish banks do not know where these notes now are. Spain has an ID card scheme where cards are issued to everyone at or above the age of 14, and carrying of the card at all times is compulsory. Go figure.

The Nature of Identity

"Identity" is a complex subject. A person's identity can be considered as being some subset of all the information which is known about them and the items, organisations and other people to whom they are connected. For example, the following information comprises a subset of the information that HM Government already possesses today, in different departments, about a typical British citizen born and resident in the UK:
  • Name (and maiden name(s), where appropriate)
  • Home address(es)
  • Telephone number(s)
  • Date of birth
  • Place of birth
  • Gender
  • Parents' names
  • Marital status (and spouse's name, if married)
  • Children's names (where applicable)
  • Driving licence number, endorsements, photograph (for licences issued since 2001)
  • Passport number (and photograph without hat or veil)
  • Foreign travel history
  • Car and motorcycle registration(s)
  • NHS number
  • Medical history
  • National Insurance number
  • Tax history, savings information, bank accounts, share dealings, other financial assets
  • Employment history
  • Social Security benefits claimed
  • Signature specimen
Other information, such as criminal record, Government vetting details (whether for Government security clearance or licensing to work with children and vulnerable adults), etc is also held - as are court appearance details, Probate records and many others - however most of these are applicable only to a small subset of citizens.

For the most part, only the person to whom the identity parameters refer is ever likely to need to know about the whole set of parameters (eg under the Freedom of Information Act).

Arbitrary subsets of this information can be considered as an appropriate identity for a subject by various Government departments, and also by private-sector industry.

Biometric information - other than a photograph and signature specimen - is not currently gathered. The proposed National ID Card is intended to change this, for reasons which are debatable.

While this information is known to HM Government for British nationals, "bootstrapping" identity (ie the act of verifying identity and compiling data to a point where a UK National ID card can be issued) is more difficult for foreign nationals who may be resident in the UK. Many citizens of EU member states already have a national ID card or a passport which could be considered as sufficient proof of identity to facilitate issue of a UK identity card, and American citizens resident in the UK will similarly have a passport and (most probably) a US driving licence (although this could have been obtained fraudulently). However, asylum seekers and citizens of other countries who may need a UK national ID card to go about their daily business while resident here will often not have sufficient documentation to constitute proof of their identity, based on records from their nation of origin. While I've seen stories recently regarding how would-be immigrants are to be subject to "deep background checks" when entering the EU, this presupposes that the governments of their home nations will be willing to cooperate - or even that their home nations have a government. Would-be arrivals from Somalia would definitely have problems in this regard.

Further, if an address is considered to be a mandatory datum within an identity, the homeless or travellers will not be able to acquire National ID cards. This may have adverse interactions with the Human Rights Act, if access to services is mediated on the ability to produce a card. Travellers of Romany descent may even feel provoked to raise the issue of Racial Discrimination.

Biometrics

As Bruce Schneier famously wrote in his book "Beyond Fear", "biometrics are not secrets".

The meaning behind this statement is that biometric data cannot be managed with the same efficacy as alternative authentication mechanisms such as passwords or PKIX certificates. Biometric information can be readily captured via innocuous real-world interactions, and cannot readily be revoked or renewed. For example, if a subject leaves their fingerprints on an object, they can be captured and, provided human supervision is not mandated at a biometric authentication point, replayed (see, for example, http://www.schneier.com/crypto-gram-0205.html#5).

The biometric mechanisms understood to be proposed for the National ID Card comprise:

  • a photograph - which can be compared with the face of a subject standing in front of a sighted officer suitably authorised to request and examine an ID card, without recourse to a computer. Such a photograph could be laminated into a card equipped with suitable tamper-evident / holographic laminations such that forgery would be extremely difficult.
  • digital characterisation of a set of fingerprints - which would need to be stored on the ID card in a tamper-proof manner (eg signed with a Home Office private key), so that they can be examined by a suitably authorised officer without having to connect to a central database of such information. Such an officer would need to be equipped with a device to read the information as stored on the card and verify the integrity of the signature (eg by holding a Home Office public key), and also to scan the fingerprints of the subject stood in front of him. It should be borne in mind that the pads of the fingers are easily damaged in accidents - burns while cooking, cuts and grazes while gardening, etc, even wrinkling after an hour's immersion in water - so the ability to match records to the biological entities presented may vary with circumstances.
  • digital characterisation of the pattern of blood vessels on the iris - which would need to be stored on the card in the same tamper-proof manner as fingerprint data, and for the same reasons. Scanning irises requires more sophisticated equipment than scanning fingerprints - to the point where it would be difficult and very expensive to equip an officer's portable verification device with such a capability - and is not efficacious in cases where the subject has significantly reduced blood pressure to the eyes (ie has suffered significant injury or is deceased).
Ultimately, an issue of bootstrapping arises. Even for a subject born in the UK, there is no mapping between their identity as described in current national records (such as a birth certificate) and a biometric. I have had personal experience of this:

I was born in the same hospital as another David (no middle names) Walker, on the same day. Granted, our mothers were different women. However, our births were also registered on the same day by the same registrar. Therefore, there is somewhere another David Walker who has a short-form UK birth certificate exactly the same as mine (other than serial number), and which is also completely legitimate.

The long forms of our birth certificates are different, as the long form also contains the mother's signature (it's worth noting that blood groups, other biometrics, etc are not included even on the long form). However there is nothing on paper which could potentially have stopped him masquerading as me or vice-versa based on the short form, as the short form is accepted in legal circles. The only difference between our short forms would be the serial number, and as the hospital and its associated registrar's office closed over 30 years ago, I have no idea where the long forms ended up.

I still don't have the long form of my birth certificate - ie, I can't produce a piece of paper to show that I'm my mother's son - yet this didn't stop me being able to obtain probate and therefore inherit my mother's (not exactly trivial) estate when she died. The other David Walker could conceivably have tried to contest the probate decision on the grounds that I wasn't me, and he was. Fortunately for me, he didn't.

If biometric information is to be gathered and recorded, it therefore needs to be gathered and recorded at birth, rather than the proposed age of 16, if it is to serve to disambiguate individuals reliably. Therefore, full introduction of a properly-bootstrapped, biometrically trackable ID card will take a century to permeate the population pervasively.

Returning to biometrics, the pattern and size of the biometrics proposed changes as the subject ages. If a need is identified to be able to unequivocally match a subject with an identity, regardless of the physical condition of the subject, then the only biometric currently known which does not change over time - DNA base sequence - needs to be encoded into the documents which are required in order to obtain an ID card (such as the birth certificate), and verified before an ID card can be issued.

The issue of bootstrapping applies to even greater effect for foreign nationals, as discussed above.

What should be Stored on the Card?

Given the proposed physical format of the ID card and the circumstances under which its integrity would need to be verified (ie detecting whether a card is a forgery, and the examining officer not being in a situation where network connectivity was feasible), it is expected that a number of items would need to be encoded onto the card itself. The proposed items to be encoded are:
  • a photograph (without hat, dark or mirrored sunglasses, or veil), printed on and laminated into the card in such a manner that it could not be easily replaced or forged
  • the subject's name, printed on and laminated into the card in such a manner that it could not be easily replaced or forged
  • Home Office imagery and seals / holograms printed onto the card using anti-forgery techniques such as those described in the Secure Printing chapter of Ross Anderson, "Security Engineering"
  • digital representation of a set of fingerprints, signed with a Home Office private key
  • digital representation of the subject's name and any maiden or previous name(s), signed with a Home Office private key
  • an index into the identity database, signed with a Home Office private key

Where an officer does not have network connectivity and therefore cannot connect to the identity database, it will nonetheless be possible to unequivocally verify the integrity of the card, provided the officer has a device able to read the digital representation of the subject's name and verify the associated digital signature by virtue of carrying a copy of the appropriate Home Office public key. Even if the officer were unable to examine the fingers of the subject, it will be possible to readily verify the subject as the rightful custodian of the card provided the subject is facially identifiable (ie, any such officer must be empowered to require a veiled woman to remove her veil for facial identification).

Other biometric information which is not expected to be readily gatherable and analysable by a portable device - such as iris prints and DNA base sequence (which really should be stored, if we're going to go about this reliably) - can be stored in an online identity database instead. Authorised officers' centres of operation will need to be equipped with more sophisticated equipment able to gather and analyse such biometric data against an online identity database.

The manner in which digital information is stored on an identity card is also a subject for discussion. If a subject is eventually to be expected to carry their ID card at all times, the card must be able to retain the digitally stored data with full integrity in a variety of hostile environments - for example in temperatures between -20 and +40 degrees Celsius, and following immersion in fresh, salt or chlorinated water for up to 24 hours.

It is therefore suggested that, if possible, digital data should be stored on the card not only in silicon-based storage (eg a smartcard with contact pads) but also printed on the card as a 2D barcode. RFID is likely to be deprecated as a means of communicating data stored on a National ID Card, owing to the likelihood of interference with other RFID devices in proximity, and also the threat of interception or unauthorised reading of the data as stored - in fact, there is an interesting US Dept of Homeland Security draft doc which deprecates RFID for the purposes of people-tracking at http://www.dhs.gov/xlibrary/assets/privacy/privacy_advcom_rpt_rfid_draft.pdf.

Further, the electronically stored contents of the card should be resistant to attack. Skorobogatov's and Anderson's paper not only expounds on a novel optical method of attacking a chip's contents, but also provides a useful overview of, and references to, other out of band attacks of varying degrees of invasiveness. It is with these attacks in mind that the importance of signing all data stored electronically within the card is emphasised.

To reduce the possibility of card content forgery which the paper above reveals, the parameters stored electronically on the card should be signed both individually and as an overall tuple - so, for example, an apparently-valid card could not be created which contained the fingerprint data for person A and the name of person B.
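The following is an added example (mine, not the post's and not any Home Office design) of the per-field plus whole-tuple signing just described, together with the offline check a reader holding only the public key can perform. It assumes Ed25519 as the signature scheme (the post names no algorithm), uses constructed names, register indices and placeholder fingerprint bytes, and builds the "A's fingerprints with B's name" card to show that the individual field signatures still pass while the tuple signature does not.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// CardData is the digitally stored content the post lists for the card.
// Fingerprint is a placeholder for a real template; it is constructed here.
type CardData struct {
	Name        string
	Fingerprint []byte
	RegisterIdx uint64 // index into the identity register
}

// SignedCard carries one signature per field plus one over the whole tuple.
type SignedCard struct {
	Data                              CardData
	NameSig, FingerprintSig, IndexSig []byte
	TupleSig                          []byte
}

// fieldMessage encodes tag || len(value) || value, so a signature over one
// field cannot be replayed as a signature over a different field and the
// tuple encoding below is unambiguous.
func fieldMessage(tag string, value []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(value)))
	msg := append([]byte(tag), n[:]...)
	return append(msg, value...)
}

func indexBytes(i uint64) []byte {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], i)
	return b[:]
}

// tupleMessage concatenates all three field messages; signing it binds
// the fields to each other, which the per-field signatures alone do not.
func tupleMessage(d CardData) []byte {
	var buf bytes.Buffer
	buf.Write(fieldMessage("name", []byte(d.Name)))
	buf.Write(fieldMessage("fingerprint", d.Fingerprint))
	buf.Write(fieldMessage("index", indexBytes(d.RegisterIdx)))
	return buf.Bytes()
}

// IssueCard is what the issuer, holding the private key, does once per card.
func IssueCard(priv ed25519.PrivateKey, d CardData) SignedCard {
	return SignedCard{
		Data:           d,
		NameSig:        ed25519.Sign(priv, fieldMessage("name", []byte(d.Name))),
		FingerprintSig: ed25519.Sign(priv, fieldMessage("fingerprint", d.Fingerprint)),
		IndexSig:       ed25519.Sign(priv, fieldMessage("index", indexBytes(d.RegisterIdx))),
		TupleSig:       ed25519.Sign(priv, tupleMessage(d)),
	}
}

// VerifyCard is the offline check a reader holding only the public key can
// perform. Field and tuple results are reported separately so that the gap
// between them is visible; a real reader would require both.
func VerifyCard(pub ed25519.PublicKey, c SignedCard) (fieldsOK, tupleOK bool) {
	d := c.Data
	fieldsOK = ed25519.Verify(pub, fieldMessage("name", []byte(d.Name)), c.NameSig) &&
		ed25519.Verify(pub, fieldMessage("fingerprint", d.Fingerprint), c.FingerprintSig) &&
		ed25519.Verify(pub, fieldMessage("index", indexBytes(d.RegisterIdx)), c.IndexSig)
	tupleOK = ed25519.Verify(pub, tupleMessage(d), c.TupleSig)
	return fieldsOK, tupleOK
}

// SpliceDemo issues cards for two constructed subjects, then assembles a
// card with B's name and index but A's fingerprint field and A's own field
// signature. Every field still verifies on its own; the tuple does not.
func SpliceDemo() (genuineFields, genuineTuple, splicedFields, splicedTuple bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the issuer's key pair
	if err != nil {
		panic(err)
	}
	a := IssueCard(priv, CardData{Name: "Person A", Fingerprint: []byte("fp-template-A"), RegisterIdx: 1001})
	b := IssueCard(priv, CardData{Name: "Person B", Fingerprint: []byte("fp-template-B"), RegisterIdx: 1002})

	spliced := b
	spliced.Data.Fingerprint = a.Data.Fingerprint
	spliced.FingerprintSig = a.FingerprintSig

	genuineFields, genuineTuple = VerifyCard(pub, b)
	splicedFields, splicedTuple = VerifyCard(pub, spliced)
	return
}

func main() {
	gf, gt, sf, st := SpliceDemo()
	fmt.Printf("genuine card: fields %v, tuple %v\n", gf, gt)
	fmt.Printf("spliced card: fields %v, tuple %v\n", sf, st)
}
```

The tag and length prefix in fieldMessage matters as much as the tuple signature: without it, a signature over a name could be presented as a signature over a fingerprint of the same bytes, and two different (name, fingerprint) splits of one byte string would share a tuple encoding.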

If the card itself were to potentially be used as more than a store of identity information - eg if an ID card was also to be used as a bank ATM card - the storage within the card can be segregated and managed by multiple entities, each authorised to only have write access (and potentially also read access) to their specific area of storage. Such mechanisms were developed some years ago as part of the Multos initiative, and have since reached maturity as part of the JavaCard framework. However, research from Skorobogatov and Anderson, among others, suggests that careful management of the data via encryption and signing is also to be strongly recommended.

The Identity Register

HM Government currently stores the information above in disparate, disjoint sets of databases within "stovepipe" infrastructures owned by, and dedicated to the service of, individual Government bodies (eg DVLA, NHS, Home Office). If the identity database which will be required to support the Identity Card scheme is to be constructed as a further isolated "stovepipe", much duplication of data - and growth in inconsistency of data across the stovepipe databases, over time - will result.

Alternatively, identity federation technologies could be employed to enable the national identity database to synchronise with the existing infrastructures. Provided a common network infrastructure (GSI, xGSI) exists which connects all these stovepipes, the national identity database and its infrastructure could be configured with appropriate workflow to make reference to data stored in the existing stovepipes, and apply synchronisation across stovepipes when existing citizen data needs to be changed. As version 2 of the Liberty protocols enables configurability of the subset of identity information exposed as part of any transaction, and identity provider software provides transforms between identity sets, it would be feasible for this to be done.

Applying a workflow synchronisation mechanism across multiple databases in this way would itself act to reduce some of the threats the ID card is intended to mitigate - for example, it would no longer be possible to conduct benefit fraud by stealing the identity of someone who has died, since issue of a death certificate and revocation of the deceased's ID card would also remove entitlement to benefits from the benefits databases.

Another possibility might be to obtain an appropriate aggregative view of data stored on repositories using data repository integration products.

The database itself is likely to require a significant amount of storage, especially if multiple biometrics need to be stored for each individual - it is expected that, given the current proposals, biometric data will constitute the largest volume of data in the system. Appropriate data for storage for each individual might comprise:

  • 16-point correlation tables for 10 fingers (where each point is stored as a pair of 8-bit coordinates)
  • 16K JPEG image of a photograph (higher quality, requiring more storage, is recommended)
  • correlation images for 2 retinas (400 points each, where each point is stored as a pair of 8-bit coordinates)
  • DNA base sequence (10,000 base pairs)

Data Security and Privacy

Clearly, data stored in an identity database must be protected from unauthorised access. Unauthorised access to such a database would constitute a breach of not only the Data Protection Act, but probably the Human Rights Act. If, rather than having a single "stovepipe" database, an identity database is established which aggregates existing data stored in current "stovepipe" Government databases, the fact that the data is not stored in one place means that, even if one database was to be compromised, not all of the information necessary to steal sufficient data to masquerade as another person could potentially be gathered.

Also, tight control needs to be kept regarding who is permitted to access which aspects of citizens' identity information. While this could be segregated within a unified "stovepipe" identity database using role-based access control, compromise of the overall system would still result in an attacker having access to the entire set of data.

Having separate databases under separate administration - as is the status quo - not only makes an attacker's task more difficult in gathering a sufficient body of data to be usable for fraudulent activity, it also makes such an attack more obvious when it happens. Attempting to gather data on many citizens at once from the databases would produce a marked increase in network activity between the various databases, which could be trapped as an anomaly by suitably configured anomaly detection systems.
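As an added illustration of the anomaly the previous paragraph relies on (my example, not from the post and not any real NIR tooling), here is a small detector run over a constructed cross-database lookup log: it tracks, per requesting source, how many distinct citizen records were read inside a sliding window and raises an alert the first time that count exceeds a threshold. The log format, the source names, the record identifiers and the thresholds are all assumptions made for the example; a normal trickle of lookups from one source passes, while a host walking through many records in quick succession is flagged.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Query is one parsed cross-database lookup record.
type Query struct {
	When    time.Time
	Source  string // the department or host that issued the lookup
	Subject string // the citizen record that was read
}

// Alert is raised the first time a source reads more distinct subjects
// within one window than the threshold allows.
type Alert struct {
	Source   string
	At       time.Time
	Subjects int
}

// ParseLine parses the constructed log format used in this example:
// <RFC3339 time> src=<source> dst=<database> subject=<record id> op=<read|write>
func ParseLine(line string) (Query, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Query{}, fmt.Errorf("malformed line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Query{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	q := Query{When: when}
	for _, kv := range fields[1:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return Query{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		switch parts[0] {
		case "src":
			q.Source = parts[1]
		case "subject":
			q.Subject = parts[1]
		}
	}
	if q.Source == "" || q.Subject == "" {
		return Query{}, fmt.Errorf("missing src or subject in %q", line)
	}
	return q, nil
}

// DetectBursts keeps, per source, the lookups that fall inside the trailing
// window (the log is assumed to be in time order) and alerts once per source
// when the number of distinct subjects in that window exceeds maxSubjects.
func DetectBursts(lines []string, window time.Duration, maxSubjects int) ([]Alert, error) {
	recent := map[string][]Query{}
	alerted := map[string]bool{}
	var alerts []Alert
	for _, line := range lines {
		q, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		qs := append(recent[q.Source], q)
		cut := 0 // drop entries that have fallen out of the window
		for cut < len(qs) && q.When.Sub(qs[cut].When) > window {
			cut++
		}
		qs = qs[cut:]
		recent[q.Source] = qs

		distinct := map[string]struct{}{}
		for _, r := range qs {
			distinct[r.Subject] = struct{}{}
		}
		if len(distinct) > maxSubjects && !alerted[q.Source] {
			alerted[q.Source] = true
			alerts = append(alerts, Alert{Source: q.Source, At: q.When, Subjects: len(distinct)})
		}
	}
	return alerts, nil
}

// ConstructedLog builds sample input: a gateway reading one record every
// 20 seconds for five minutes, then a host reading 40 different records
// one second apart. All names and identifiers are invented.
func ConstructedLog() []string {
	start := time.Date(2006, 11, 8, 10, 0, 0, 0, time.UTC)
	var lines []string
	for i := 0; i < 15; i++ {
		t := start.Add(time.Duration(i) * 20 * time.Second)
		lines = append(lines, fmt.Sprintf("%s src=dwp-gateway dst=nir subject=ID-%06d op=read",
			t.Format(time.RFC3339), 100000+i))
	}
	for i := 0; i < 40; i++ {
		t := start.Add(5*time.Minute + time.Duration(i)*time.Second)
		lines = append(lines, fmt.Sprintf("%s src=batch-host-7 dst=nir subject=ID-%06d op=read",
			t.Format(time.RFC3339), 200000+i))
	}
	return lines
}

func main() {
	alerts, err := DetectBursts(ConstructedLog(), time.Minute, 10)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("ALERT %s: %s read %d distinct records within one minute\n",
			a.At.Format(time.RFC3339), a.Source, a.Subjects)
	}
}
```

Counting distinct subjects rather than raw requests is deliberate: a legitimate service re-reading one citizen's record many times (a retry loop, say) does not look like enumeration, whereas a modest request rate spread over many different citizens does. The threshold and window are the parameters a deployment would tune per source from its observed baseline.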

However, if the data or subsets of the data are to be made available to appropriate organisations both inside and outside Government, then auditing of access to the data will constitute a significant issue. Not only will tens of millions of user accounts need to be created - especially if each citizen is to be granted access to their own records, and prevented from accessing another individual's records - but several thousands of roles and privileges will need to be created and mapped to these users. The audit records themselves will need to be managed securely, and will constitute a very large set of data to be mined for anomalous activity.

What is the visible benefit to the Citizen?

Finally, while a small majority of British citizens were in favour of a National ID card for a while, it is not particularly clear what additional benefit the citizen would receive as a result of having one - in addition to having an "incentive by imposition of fines and denial of access to currently available services" to obtain a card, it would be useful to make clear cases for "incentive by easier interaction with Government".

In some circumstances, such as moving house, a traditional "stovepipe" database would mean that having an ID card would result in a citizen having yet another required transaction with Government to complete, at further personal expense, if a record of home address is mandated as part of the identity information stored within the identity database.

However, if identity federation was used to join up the databases of different government departments, a citizen could see practical benefit from having a national ID card - changing home address would require a single notification to the Home Office, at which point the citizen's identity card, driving licence, medical records, council tax details, the V5 vehicle registration document(s) of their vehicle(s), etc could all be updated in synchrony. Similarly, many of the various forms of identification which have to be carried today (driving licence, etc) could be integrated into the one ID card - although passports are likely to remain separate entities, owing to the fact that their nature must be agreed upon with the ICAO.

If the National ID Card also functions as a smartcard for the purpose of authentication to computers equipped with smartcard readers within a multi-factor authentication scheme, a citizen with a National ID card could potentially use the card to access a Government portal to change their personal details. Alternatively, even if the Government rather than the citizen is considered to have ownership and exclusive change rights to the citizen's identity data, such a portal could be used by a citizen to verify that the details held about them are correct, making compliance with the Freedom of Information Act easier in many cases.

(2006-11-08 06:51:09.0)

Comments:

"The database itself is likely to require a significant amount of storage, especially if multiple biometrics need to be stored for each individual" If the database stores ONLY the biometrics, then it is much much less expensive. Storage is cheap, registration isn't. Since there's no good reason to store anything other than the biometrics, surely the government must eventually begin to explore this possibility.

Posted by Dave Birch on February 01, 2007 at 11:08 PM GMT #

The short form birth certificate has, for most new applicants, not been acceptable for Passport applications since May 2004.

Passport Security Stepped Up – New Rules On Birth Certificates

It is not hard to imagine only the long form birth certificate being acceptable as part of the alleged "biographical footprint" checking at the planned National Identity Register interrogation centres.

What about the NIR audit trail, to which you as a citizen will not have full access to see who has apparently been accessing your NIR records or apparently using your ID Card ?

Although, say, medical data is not to be directly stored on the NIR, any use of it to, say, register at a specialist health clinic e.g. for an abortion, for cancer treatment, for sexually transmitted diseases etc., could reveal this highly sensitive data, by inference, to anyone with access to this audit trail.

What about the requirement to initially register not just your current address, but your recent history of addresses (Ministers have hand waved vaguely about a prescribed period of "the last 6 years"), both in the UK and abroad? As the scheme goes forward, everyone's address change history will be on the system from the age of 16. However, the most useful potential uses of the scheme to the individual, such as a "one stop" change of address across Government services only require your current address.

What if one of your previous addresses was as in a mental hospital or in prison ? This might be relevant when applying for a security clearance, but what business is it of the hundreds of thousands of bureaucrats who will have access to this ?

If the Government is serious about preventing the use of dead people's identities by fraudsters or serious criminals or terrorists or spies, will they demand fingerprints and iris scan biometrics to be taken from your recently deceased relatives, to officially de-register them from the NIR ?

Posted by Watching Them, Watching Us on February 01, 2007 at 11:08 PM GMT #

Overall I think we're all far better off living in glorious humane semi-chaos. It may mean we have to work a bit harder to re-organise our affairs when we move, etc. but so what! In the end most people, I believe, would rather live in an environment where the 'state' serves them rather than the other way round.

Posted by adair on February 01, 2007 at 11:08 PM GMT #
