Robin Wilton's esoterica

MPs leave 28-day detention in place


MPs have approved the continuation of 28-day detention without charge, as provided for by the Terrorism Act 2006. The requirement to take this review decision was added to the original Bill as an amendment, to answer some of the concerns raised at the time.

I really wish I could tell you what the future of this bill holds:

- will there come a point where that 28-day limit can be rolled back?

- will it only ratchet upwards, towards the 3 months originally aimed for by the legislators? (To date, the Home Office reports that 6 people have been held for the maximum 28 days. Three of them were released without being charged.)

- will there be a further review point in twelve months' time?

That last question sounds as though it ought to be pretty easy to answer: just go back to the Bill and look at that amendment.

Well, I tried that and I'm none the wiser. You're welcome to have a go - let me know if you can figure it out. Here's the passage in question:

(1) The Secretary of State must appoint a person to review the operation of the provisions of the Terrorism Act 2000 and of Part 1 of this Act.

(2) That person may, from time to time, carry out a review of those provisions and, where he does so, must send a report on the outcome of his review to the Secretary of State as soon as reasonably practicable after completing the review.

(3) That person must carry out and report on his first review under this section before the end of the period of 12 months after the laying before Parliament of the last report to be so laid under section 126 of the Terrorism Act 2000 before the commencement of this section.

(4) That person must carry out and report on a review under this section at least once in every twelve month period ending with an anniversary of the end of the twelve month period mentioned in subsection (3).

Clear?

The biometrics monopoly


And no, I don't mean Park Lane and Mayfair with a hotel on each (Park Place and Boardwalk if you adhere to the Atlantic City sect...).

I'm referring to a very interesting point raised by Caspar Bowden at yesterday's workshop. His question to one of the IPS (Identity and Passport Service) representatives was, roughly, this: "Why do you insist on capturing all 10 fingerprint biometrics at enrolment - particularly when only two of them are actually stored on the ID card. Shouldn't there be provision for users to have at least some of their biometrics for their own exclusive use?"

There are a couple of very interesting principles there.

First, 'who owns my biometrics'? (And on that basis, who has the right to compel me to disclose which of them and why?)

Second, aside from the question of ownership, is it reasonable for the government to insist on capturing all the practically-usable biometric identifiers for each individual (fingerprint, palm, iris, face and so on)?

As things stand now, the assumption seems to be that the government may insist on capturing and storing any and all biometric indicators as it sees fit. I think that if it is unchallenged now, that is an assumption which we may well live to regret within the next 5-10 years.

The implication is this: every biometric means you have of proving your identity is also shared by the government. In automated authentication systems, that means there is always the theoretical possibility that your biometric identifier may be electronically introduced into an authentication process whether or not you are present. Not necessarily maliciously, and not necessarily by the government; but conceivably by someone who has obtained the electronic representation of your biometric identifier from a government-operated system.

Isn't it very odd to envisage a world in which there is no biometric over which I alone exercise sovereignty?

Getting to the point...


Hmm. That last post was actually supposed to be about something completely different, but the 'preamble' just grew and grew until it was pretty much a post in its own right. So here's what I was going to ask you about in the first place: fingerprint biometrics.

Whatever the scepticism about iris, palm, ear and/or DNA-based biometric systems, fingerprint biometrics feature prominently in the ID Cards programme, which calls for all 10 of an applicant's fingerprints to be captured at enrolment.

One of yesterday's participants was Andy Smith, Chief Security Architect for the ID Cards programme. When asked, he confirmed that the ID card will hold encrypted images of two of the holder's fingerprints. They will be actual pictorial images, he said, not templates (i.e. abstract representations derived from the pictorial image). Let me say right at the outset that I do not know much about the details of fingerprint biometrics, so this is a genuine request for information, and certainly not intended as an implied criticism of any sort. (For instance, I don't know whether the encryption in question is symmetric or public key, and that makes a difference to some of the risk profile.)

It seems to me, first, that there is an inherent risk in encrypting the fingerprint images themselves and storing them on the card for its lifetime. The security of that encryption must be measured on the assumption that the encrypted data could be copied off the card and then subjected to an exhaustive attack at the attacker's leisure. The initial, relatively crude "jelly finger" attacks on fingerprint biometric systems have been countered, but who knows what tricks and technology the attackers will apply to the problem next, to spoof metrics such as pulse and body heat. Also, once cracked, possession of the keys in question might enable an attacker to replace the original images with apparently validly-encrypted images of their own choosing.

Second, depending on whether symmetric or public key encryption is in use, there are issues with distributing the keys in question to all those parties who need to be able to verify the fingerprints. If symmetric, there's a risk that a malicious recipient could generate spurious validly-encrypted images. If PKI-based, that risk is lower, but there's an implied key-management burden in the distribution and management of certified public keys from each issuing authority.

For all I know, the IPS, Foreign Office, Consular Services and so on may have long since cracked the problem of key management in distributed cross-border systems - but these days things probably need to move a little faster and more frequently than a Queen's Messenger on a commercial airliner.

Third, I asked why store the fingerprint images themselves, rather than capturing the biometric, hashing it or a template, and then signing that and writing it to the card. The answer (and here's where I'd be grateful for your comments) was that cryptographic hashes are too sensitive to bit-level discrepancies between the image capture at enrolment and the subsequent image capture at verification time.

My problem with that assertion is that if it is really true, I can't see how non-human fingerprint matching could ever work in the first place.
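To make that third point concrete, here is an added example (my own illustration, not code from the original post and not the IPS design) of one standard way round the bit-level problem: the card stores a canonical minutiae template signed by the issuer; the verifier checks that signature exactly, because the stored bytes never change, and only the comparison between the stored template and the live capture is done with a tolerance. The minutiae coordinates are constructed sample data, and the HMAC issuer key is a stand-in for a real public-key signature.

```python
import hashlib
import hmac
import math

# Constructed sample: an enrolment capture reduced to minutiae (x, y, angle in degrees).
ENROL_CAPTURE = [(12, 40, 30), (55, 22, 95), (80, 61, 170), (33, 77, 250), (64, 90, 300)]
# A later live capture of the same finger: pixels and angles shifted slightly, one minutia missed.
LIVE_CAPTURE = [(13, 41, 32), (54, 22, 93), (81, 60, 172), (33, 78, 249)]
ISSUER_KEY = b"hypothetical-issuer-key"  # stand-in for an issuing authority's signing key


def template_bytes(minutiae):
    """Canonical serialisation of a minutiae template so it hashes reproducibly."""
    return ";".join(f"{x},{y},{a}" for x, y, a in sorted(minutiae)).encode()


def exact_hash(minutiae):
    """A plain hash of the capture: any bit-level difference gives a different digest."""
    return hashlib.sha256(template_bytes(minutiae)).hexdigest()


def sign_template(minutiae):
    """Issuer signs the stored template (HMAC stands in for a public-key signature)."""
    return hmac.new(ISSUER_KEY, template_bytes(minutiae), hashlib.sha256).digest()


def signature_valid(minutiae, tag):
    return hmac.compare_digest(sign_template(minutiae), tag)


def minutiae_match(reference, live, pos_tol=3, angle_tol=10):
    """Fraction of reference minutiae that have a live minutia within tolerance."""
    hits = 0
    for rx, ry, ra in reference:
        for lx, ly, la in live:
            if math.hypot(rx - lx, ry - ly) <= pos_tol and abs(ra - la) <= angle_tol:
                hits += 1
                break
    return hits / len(reference)


def verify_card(card, live, threshold=0.7):
    """Exact check of the issuer signature, then a tolerant match of the live finger."""
    if not signature_valid(card["template"], card["signature"]):
        return False  # template on the card has been altered or was never issued
    return minutiae_match(card["template"], live) >= threshold


# What the card holds: the signed template, never the live capture.
CARD = {"template": ENROL_CAPTURE, "signature": sign_template(ENROL_CAPTURE)}
```

The exact hash of the two captures differs while the tolerant match still passes, which is the distinction the answer at the workshop appears to turn on.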

Any ideas?

DTI/Kable event yesterday


I went to a very interesting event yesterday; a workshop hosted by the DTI (now the Department for Business, Enterprise and Regulatory Reform), and jointly run by the hugely capable team from Kable.

Among other things, it reinforced the fact that there is a healthy, well-informed and experienced UK community of interest around identity and privacy; at the risk of offending someone (whether by inclusion or omission!), my list of the 'usual suspects' would include Dave Birch, Caspar Bowden, Stephen Crane, Conn Crawford, John Harrison, William Heath, Mark Lizar, John Madelin, Luke Razzell and Toby Stevens.


There was also a lot of participation from the academic community, which I found very encouraging; Royal Holloway was represented by Fred Piper, and I also met people from UCL and the Universities of Reading, Edinburgh, Hertfordshire, Newcastle and elsewhere (apologies if I have left you off the list!).


The purpose of the workshop was to help the DBERR's Technical Strategy Board (TSB) air its plans for the Network Security Innovation Platform's programme of work - and as such it represented an extremely welcome opportunity for open and constructive dialogue between stakeholders such as the TSB itself, the Identity and Passport Service, the Information Commissioner's Office, and the academic and vendor communities. Specifically, we were looking at the issues of Privacy and Consent in Identity Management Infrastructures, which is a topic close to my heart.

We also had a series of breakout sessions to consider a list of 17 challenges (only 17, I hear you cry... what lightweights!). I'll cut & paste them here (so apologies if the formatting is crummy - I'll try and tidy it up if so). Answers, naturally, on a postcard, please...

Challenge 1 - Do the public care about Privacy? How do they define Privacy and Identity Information and measure the value or loss? Are people too trusting, ill informed or just complacent?
Challenge 2 - Can technology help to replicate the risk based decision making seen between two parties in a face to face scenario, in remote online scenarios and what privacy enhancing technologies are available ‘before the fact’ versus ‘after the fact’?
Challenge 3 - Can technology and process really reduce harm (and risk) to an acceptable level and what inconvenience would individuals be prepared to bear to re-gain control and trust?
Challenge 4 - What human interface options could assist the individual to understand the difference between being informed versus participative consent?
Challenge 5 - What consent and technology models exist to allow an individual to consent and understand how his data is collected, stored and disseminated?
Challenge 6 - How can technology aid an individual to revoke his consent such that he has confidence and assurance that no further use or dissemination can occur?
Challenge 7 - If the advance of technology has been a catalyst for the privacy debate, which technologies when combined can answer the range of privacy concerns? (Privacy of what, from whom and at what cost)
Challenge 8 - What harms (risks) exist to an individual’s privacy in the differing identity management approaches and what technology options might mitigate such harms?
Challenge 9 - How can privacy enhancing technologies applied to one identity management architecture be inter-operable with another? (i.e. Centralised non shared translated to Federated)
Challenge 10 - What technologies are privacy protecting, and what ones can detect and respond to breaches in policy including alerting the individual to a breach?
Challenge 11 - If the individual has corroborating evidence of their identity or entitlement how can technology support exposure of only that information specifically required to complete the transaction?
Challenge 12 - If trust and consent models are technically possible, what is the market failure in developing commercial applications, or are there other influencing criteria? (What are the barriers to practical implementation?)
Challenge 13 - What are the limits of technology in privacy and consent schemes being discussed? Beyond those limitations what else would be required to bring realisable solutions? (Can you design technologies which are non discriminatory?)
Challenge 14 - How can technical functionality be supported by legislation to meet the range of privacy needs now and in the next 5 years?
Challenge 15 - Can we and how do we come together to provide more technology enabled services which people want to use because they feel their privacy and consent is foremost?
Challenge 16 - What extra measures/role for the Information Commissioner's Office and what required governance would engender and build trust by the public in any scheme and why?
Challenge 17 - How can privacy policies be both realised and inter-operable across the range of Identity Management approaches and national boundaries?


Such views as I express in this blog are based on my own opinions, experience and judgements. They do not necessarily represent the policy or views of my employer. It is not my intention to offend readers in any way. If you find anything on this blog offensive, please contact me in the first instance.
Robin Wilton
© racingsnake