WRITTEN ON July 25th, 2005 BY William Heath AND STORED IN Identity

Chris emailed me this comment on the LSE ID scheme a month ago, and I think I looked at it and thought “great” then never got back to publishing it.

Well, if I were forced to choose this scheme or the Home
Office’s scheme, I’d go for this scheme — it’s much less
offensive. Specifically, I like the procedure for
authenticating people on application, and though the
particular way in which the application is processed looks
over-complicated to me, the general principle of storing
the data locally removes a lot of the risks of the
centralised Register. The biometric aspect at application
looks like a reasonable use of the technology, though it’s
not made clear whether the applicant’s biometric data will
be held anywhere or whether the lookup-person-by-biometric
functionality in the government’s scheme is retained — I
imagine not, but the Telegraph isn’t clear.

But the proposal still has unique identifying numbers for
people (though held on the card and by the third parties,
rather than centrally), rather than just document numbers,
which is dangerous. It’s not clear what elements of
compulsion the system would have, either.

If you asked me to design a scheme (unaccountably, nobody
has) it would look something like this:

– issue cards having a unique document number bearing
name and other personal details (extent decided by
purchaser, and perhaps authenticated by a trust
mechanism something like the LSE’s) and, at the
purchaser’s option, a biometric;

– encrypt data on the card so that it can only be
read with the user’s permission (via a PIN or password
or whatever), and do not store any other copy of it
except with the user’s permission;

– have the data signed by some issuing authority (as in
the ICAO passports scheme), so that, with the user’s
permission, the authenticity of the card can be
determined;

– publish the specifications for all the technical bits
for free and ensure that there are no IP issues
protecting any of it, and get it all subject to public
scrutiny for a year or two before issuing the first
cards;

– legislate to have government and the private sector
recognise the cards as an optional ‘proof of identity’
(quotes to avoid the philosophical issue here), enable
private industry to sell them to punters at whatever
cost they want, and to prevent likely abuses of the
system, such as: requiring that people have a card, or
that they present it under any particular
circumstances, or that they accept data — most
importantly the biometric — being copied from the
card to another database, etc. etc.

Now stand back and see whether people want the things or
not. Personally, I’d probably be happy to own one for
occasional use — for instance, if you could check in more
quickly at the airport if you presented one, it might be
worth doing so.

So far as I can see this scheme enables all of the
supposed benefits of ID cards to the *user*, which have to
do with convenience. It does create privacy risks but they
are controlled by the user. And it doesn’t have the
built-in surveillance risks of a scheme with a central
register, though obviously if the cards become widespread
then they would make surveillance easier. Also, the scheme
relies in part on the issuing institutions, government
bodies and so forth understanding and obeying the law,
which may be a bit of a leap where (e.g.) the security
services are concerned.

On the technical side there will obviously be cock-ups in
design and implementation, but hopefully the design is
simple enough that these won’t be so numerous or serious
as to make the thing unworkable, and since the only
intelligence is in the cards and anyone can easily get a
new card by the same means they got the first one, it
should be possible to fix any serious security holes as
they arise. This could be assisted by making the issuers
bear the costs arising (presumably by raising the price of
the card to cover insuring themselves).

The costs would obviously be substantial, but should be
smaller than those of the LSE’s scheme (because the
issuing process is simpler). And those costs would be borne
only by those who perceive that the cards have some
benefit to them.


“The second thing Gorbachev did was to introduce Russia to the market.
The problem was that Russia did not have bourgeois civility, so after it
was introduced to the market it did not know what to say to it.”
(Ken Macleod)
