Web Design Brisbane - Raycon Web Design Brisbane - Raycon

Articles

View full article list

Identity Cards and Security

Mark Edwards
18-09-2005

Recently, there has been talk of introducing a national identity card as a response to the "terrorist threat". This is in an effort to increase the ability of our national and international agencies to positively identify who we are.



Currently, such cards include a description of us plus some uniquely identifying biometric data like fingerprints. Fingerprints have a long history in criminology and are a mature identification technology. They are not without their problems though.



For example, the problem of false negatives. This is where a fingerprint you provide does not match the one on your identity card. This may be because the original print was badly taken. You may be a manual labourer and have worn off parts of your prints through working. Your finger may be dirty or oily spoiling the sample print. You would have to resort to other means of verifying your identity.



The other, more worrying example, is that of false positives. The reason for an identity card in our current global climate is to prove you are not a terrorist or known associate thereof or someone who speaks in support of those who foster terrorist groups or other person on the ever growing list of undesirables. The way to do that is when you arrive at your checkpoint and present your card, a computer takes your fingerprint and compares it to its database of many millions of known prints. It is certainly possible for your print to "match" one of those prints even though the print is not yours. Should that match be to a person on the undesirables list you might find yourself in some serious hot water.



The answer to the problem of fingerprint reliability is to employ some of the emerging biometric technologies like retinal scans, or facial features, or DNA. The "uniqueness" of a retinal scan is far higher than a fingerprint. When both eyes are used, the chances of a false positive is, to all intents and purposes, zero.



In combination, biometric data is extremely effective at identifying us.



However, does this really make for a secure system of identification? The answer is, no, it does not.



The fundamental weakness of this system is that whilst it is very good at ensuring that the person holding the card matches the biometric data stored in the card, it is no better than any other system at ensuring that the person holding the card is really the person whose name appears on the card.



In fact, the more infallible the card is from a technical standpoint, the more powerful a weapon it is to those intent on circumventing it. If a computer identifies you as John Smith via your ID card, it is extremely unlikely that anyone will question the fact that you are John Smith. The system can never be wrong can it?



There are many ways a system like this can be broken.



One is by simple errors in data entry. When people change address or any other details that the card stores, the database will need updating. There will be instances where the wrong data is entered or the wrong person's data is changed.



The other is by malicious intent. A recent test by Treasury Department inspectors posing as computer technicians found that 35% of IRS (the US tax office) employees would provide their username and password when asked. Do you think the people manning this all knowing ID card database will be any different?



Even more disturbing in the IRS case was that the previous security audit found that 71% of the employees could be duped in this way.



High tech solutions are sold to governments with the notion that all the thinking is done centrally. It removes the mistakes made by people on the "front line".



The reality is that it makes those on the front line reliant on these systems and reduces their need or authority to think. The security provided by such systems is a political mirage.

View full article list