---
Date: Sun, 05 Jan 2003 01:09:40 +0000
From: Markus Kuhn <Markus.Kuhnat_private>
Subject: Risks of diverse identification documents

The Home Office is currently running a consultation exercise on the introduction of an identity infrastructure for Britain. This would consist of a biometric database with basic records of the entire population. Anyone in the database would be able to get an identity card, which would essentially enable the holder to grant easily read access to his or her record to any peer who needs some form of assurance about one's identity. Details on the consultation are on

  http://www.homeoffice.gov.uk/dob/ecu.htm

The system proposed is nothing unusual and quite similar to what most European and many Asian countries have used successfully for several decades. Such identity infrastructures are generally widely accepted in these countries, where most people consider them today to be a desirable and effective protection against what has become known, in some countries that still lack them, as "identity theft".

Nevertheless, there is fierce opposition to the proposals from various British privacy advocacy groups. Similar discussions can be observed at the moment in the US and Japan. While much of the opposition is of a somewhat religious/tinfoil-hat nature and therefore difficult to address, some of it has been voiced by notable computer-security experts and therefore deserves some serious response.

Probably the most commonly recurring theme is that the introduction of a national identity card would lead to over-reliance on a single document. The need to corrupt only the issuing procedures of a single mechanism -- so the often-expressed concern goes -- would ultimately make identity theft easier rather than harder. This is probably based on the implicit assumption that independent identity systems perform independent checks with statistically independent failure probabilities.
Therefore their security should increase exponentially with the number of verification systems, and more would be better. Defense-in-depth and its use of multiple diverse security mechanisms is in general a feature of sound security engineering. However, applying this general idea in the context of government infrastructures against identity theft this way is in my opinion horribly wrong and naive for a number of reasons, which I'd like to address very briefly.

The most obvious problem is that the UK's present alternative -- identification based on multiple documents and issuing procedures -- adds very little, as none of the currently widely available documents is protected by controls of desirable strength. This is just illustrated again by recent media demonstrations of how easy it is to abuse UK birth certificates:

  http://news.bbc.co.uk/1/hi/programmes/kenyon_confronts/2625395.stm

In practice, anyone wishing to verify an identity gets only the *minimal* protection of all the ID schemes in common use, because as soon as you break one of them, you can quite easily proliferate your fake identity into several other systems. Get a fake UK birth certificate (fairly easy) and apply with it for a fake UK driver's license (therefore also not much more difficult), use both to get a fake UK passport, and use all three to comfortably get fake account access, education degrees, travel documents, security clearances, etc. etc. Most of the existing systems depend on each other, which leads easily to circular verification (A thinks B knows I, and B thinks A knows I). They all lack the somewhat more expensive direct checks of non-document evidence that, for example, a properly protected distributed add-only database of the biometric long-term history of those registered could support economically and effectively.

Multiple documents? Unfortunately, the world of fake ID documents currently works more like "Buy one, get three more free!" The number of systems doesn't count for much after all.
But this is not the only reason why it is so crucial to have at least one identification scheme that is seriously difficult to break, while having more than one of these is unlikely to be worth the cost and hassle. There is first of all also the problem that within a single infrastructure, it is far easier for those in charge of its integrity to verify and ensure that the overall policies, such as the separation of duties for critical checks, really lead to checks that are independent by design, and not by chance. Another reason is that the costs for the training/equipment/time/etc. necessary for the adequate verification of security documents increase at least linearly with the number of different document types accepted. And the risk of fraudsters finding by brute-force search one accepted type of identification for which a particular verifier is not well prepared to recognize comparatively simple fakes increases even exponentially with the overall number of different identification forms accepted.

Hence I am not surprised by the desire in the UK government to finally also offer its taxpayers one single, simple, cheap, properly engineered and run identity infrastructure. It is needed to replace all the existing, often ridiculously weak alternatives (including old birth certificates, old driving licenses, magstripe cards, knowing mother's maiden name or showing a laser-printed utility bill) that are all currently used, by the UK financial industry especially, as acceptable means for gaining access to critical personal information and property.

Perhaps the discussion should first of all be driven by comparing actual practical identity-theft versus privacy-violation statistics in countries with and without proper government-provided identification infrastructures, instead of naively applying generic security recipes such as "more mechanisms are better" to an application area with far more specific properties.
Markus Kuhn, Computer Lab, Univ of Cambridge, GB
http://www.cl.cam.ac.uk/~mgk25/

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
Recent CNET News.com articles: http://news.search.com/search?q=declan
-------------------------------------------------------------------------
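The "buy one, get three more free" argument above can be made quantitative with a small model. The following is an added example, not code from Markus Kuhn or from the Politech list: document names, effort figures and issuance rules are all constructed for illustration and carry no claim about real UK procedures. It treats each document as either counterfeitable at some standalone effort, or obtainable genuinely (in the fake identity's name) at near-zero effort once the documents on one of its issuance routes are in hand, and searches for the cheapest set of documents a fraudster can end up holding. It also models the second point made above, that a verifier accepting any one of several document types gets only the detection rate of the type it checks worst, since the attacker chooses which to present.

```python
"""Toy model of chained ID-document issuance (constructed example).

Not from the original post. Documents, effort figures and issuance rules
are invented to illustrate why the effective strength of a set of mutually
dependent documents is the strength of the weakest root document, not the
sum or product of their individual strengths.
"""
import heapq
import itertools
import math

# Constructed data. "forge": effort (arbitrary units) to counterfeit the
# document from scratch. "issued_on": lists of document sets which, when
# presented, get a *genuine* document issued in the fake identity's name.
DOCUMENTS = {
    "birth_certificate": {"forge": 10, "issued_on": []},
    "utility_bill": {"forge": 5, "issued_on": []},
    "driving_licence": {"forge": 60,
                        "issued_on": [["birth_certificate", "utility_bill"]]},
    "passport": {"forge": 400,
                 "issued_on": [["birth_certificate", "driving_licence"]]},
    "bank_account": {"forge": math.inf,  # cannot be counterfeited, only opened
                     "issued_on": [["passport", "utility_bill"],
                                   ["driving_licence", "utility_bill"]]},
}
APPLICATION_EFFORT = 2  # filling in a form with the required documents in hand


def cheapest_holdings(docs=DOCUMENTS, application_effort=APPLICATION_EFFORT):
    """Dijkstra over the power set of documents held.

    A state is the frozenset of documents the fraudster already holds. From a
    state you may forge any missing document at its 'forge' cost, or apply for
    it at application_effort if you hold every document on one of its routes.
    Returns {frozenset_of_documents: minimal total effort to reach it}.
    """
    start = frozenset()
    best = {start: 0}
    tick = itertools.count()  # heap tie-breaker; frozensets are not orderable
    heap = [(0, next(tick), start)]
    while heap:
        effort, _, held = heapq.heappop(heap)
        if effort > best[held]:
            continue  # stale entry superseded by a cheaper path
        for name, spec in docs.items():
            if name in held:
                continue
            step = spec["forge"]
            if any(all(r in held for r in route) for route in spec["issued_on"]):
                step = min(step, application_effort)
            if step == math.inf:
                continue  # neither forgeable nor obtainable from this state
            new_held = held | {name}
            if effort + step < best.get(new_held, math.inf):
                best[new_held] = effort + step
                heapq.heappush(heap, (effort + step, next(tick), new_held))
    return best


def cost_to_obtain(target, docs=DOCUMENTS):
    """Minimal effort to end up holding `target`, by any chain of documents."""
    holdings = cheapest_holdings(docs)
    return min(e for held, e in holdings.items() if target in held)


def cost_to_obtain_all(docs=DOCUMENTS):
    """Effort to hold every document in the system at once."""
    return cheapest_holdings(docs)[frozenset(docs)]


def naive_independent_cost(required, docs=DOCUMENTS):
    """What the 'more documents are better' intuition assumes: every required
    document has to be counterfeited on its own, so the efforts add up."""
    return sum(docs[r]["forge"] for r in required)


def detection_when_attacker_chooses(detection_rates, accepted):
    """A verifier that accepts any one of `accepted` types only ever achieves
    the detection rate of the type it checks worst: the attacker picks it."""
    return min(detection_rates[t] for t in accepted)


if __name__ == "__main__":
    for doc, spec in DOCUMENTS.items():
        print(f"{doc:18s} forge alone: {spec['forge']:>5}  via chain: {cost_to_obtain(doc):>3}")
    print("all five documents via chain:", cost_to_obtain_all())
    print("naive cost of a bank account via passport + utility bill:",
          naive_independent_cost(["passport", "utility_bill"]))
    rates = {"passport": 0.9, "driving_licence": 0.6, "utility_bill": 0.1}
    print("detection rate when any of the three is accepted:",
          detection_when_attacker_chooses(rates, rates))
```

With these constructed figures, counterfeiting a passport alone costs 400 units, but the chain birth certificate (10) + utility bill (5) + driving licence application (2) + passport application (2) yields a genuine passport for 19, and holding all five documents costs 21: the whole system is only as strong as the cheapest root document plus a few application fees. The naive additive model puts a bank account behind passport and utility bill at 405. The second function shows the other effect: the more document types a verifier accepts, the lower the minimum detection rate the attacker can search for.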
This archive was generated by hypermail 2b30 : Wed Jan 08 2003 - 13:24:13 PST