Subject: UK Plan For Biometric Database
Date sent: Tue, 07 Jan 2003 09:34:28 -0800
To: politech{at}politechbot.com
From: Declan McCullagh
Subject: FC: U.K. plan to create huge biometric database, from RISKS Digest
Send reply to: declan{at}well.com
---
Date: Sun, 05 Jan 2003 01:09:40 +0000
From: Markus Kuhn
Subject: Risks of diverse identification documents

The Home Office is currently running a consultation exercise on the
introduction of an identity infrastructure for Britain. This would
consist of a biometric database with basic records of the entire
population. Anyone in the database would be able to get an identity
card, which would essentially enable the holder to grant easily read
access to his or her record to any peer who needs some form of assurance
about one's identity. Details on the consultation are on
http://www.homeoffice.gov.uk/dob/ecu.htm

The system proposed is nothing unusual and quite similar to what most
European and many Asian countries have used successfully for several
decades.
Such identity infrastructures are generally widely accepted in these
countries, where most people consider them today to be a desirable
and effective protection against what has become known in some countries
that still lack them as "identity theft".

Nevertheless, there is fierce opposition to the proposals from various
British privacy advocacy groups. Similar discussions can be observed at
the moment in the US and Japan.

While much of the opposition is of a somewhat religious/tinfoil-hat nature
and therefore difficult to address, some of it has been voiced by notable
computer-security experts and therefore deserves some serious response.

The probably most commonly recurring theme is that the introduction of a
national identity card would lead to over-reliance on a single document.
The need to corrupt only the issuing procedures of a single mechanism
-- so the often expressed concern -- would ultimately make identity theft
easier rather than harder. This is probably based on the implicit assumption
that independent identity systems perform independent checks with statistically
independent failure probabilities. Therefore their security should increase
exponentially with the number of verification systems and more would be
better.

Defense-in-depth and its use of multiple diverse security mechanisms is
in general a feature of sound security engineering. However, applying this
general idea in the context of government infrastructures against identity
theft this way is in my opinion horribly wrong and naive for a number of
reasons, which I'd like to address very briefly.

The most obvious problem is that the UK's present alternative
-- identification based on multiple documents and issuing procedures
-- adds very little as none of the currently widely available documents
is protected by controls of desirable strength. This is just illustrated
again by recent media demonstrations on how easy it is to abuse UK birth
certificates:
http://news.bbc.co.uk/1/hi/programmes/kenyon_confronts/2625395.stm

In practice, anyone wishing to verify an identity gets only the *minimal*
protection of all the ID schemes in common use, because as soon as you
break one of them, you can quite easily proliferate your fake identity
into several other systems. Get a fake UK birth certificate (fairly easy)
and apply with it for a fake UK drivers license (therefore also not much
more difficult), use both to get a fake UK passport and all three to
comfortably get fake account access, education degrees, travel documents,
security clearances, etc. etc. Most of the existing systems depend on
each other, which leads easily to circular verification (A thinks B knows
I and B thinks A knows I). They all lack the somewhat more expensive
direct checks of non-document evidence that for example a properly
protected distributed add-only database of the biometric long-term
history of those registered could support economically and effectively.

Multiple documents? Unfortunately, the world of fake ID documents currently
works more like "Buy one, get three more free!" The number of systems
doesn't count much after all.

But this is not the only reason why it is so crucial to have at least one
identification scheme that is seriously difficult to break, while having
more than one of these is unlikely to be worth the cost and hassle.

There is first of all also the problem that within a single infrastructure,
it is far easier for those in charge of its integrity to verify and ensure
that the overall policies such as the separation of duties for critical
checks really lead to checks that are independent by design, and not by
chance.

Another reason is that the costs for the training/equipment/time/etc.
necessary for the adequate verification of security documents increase
at least linearly with the number of different document types accepted.
And the risk of fraudsters finding by brute-force search one accepted
type of identification for which a particular verifier is not well
prepared to recognize comparatively simple fakes increases even
exponentially with the overall number of different identification
forms accepted.

Hence I am not surprised by the desire in the UK government to finally
also offer its taxpayers one single simple cheap properly engineered
and run identity infrastructure. It is needed to replace all the existing
often ridiculously weak alternatives (including old birth certificates,
old driving licenses, magstripe-cards, knowing mother's maiden name or
showing a laser-printed utility bill) that are all currently used by
especially the UK financial industry as acceptable means for gaining
access to critical personal information and property.

Perhaps the discussion should first of all be driven by comparing
actual practical identity-theft versus privacy-violation statistics
in countries with and without proper government-provided identification
infrastructures, instead of naively applying generic security recipes
such as more-mechanisms-are-better to an application area with far
more specific properties.

Markus Kuhn, Computer Lab, Univ of Cambridge, GB
http://www.cl.cam.ac.uk/~mgk25/
-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Cheers, Steve..
---
* Origin: < Adelaide, South Oz. (08) 8351-7637 (3:800/432)