13. Memorandum submitted by Mark Dziecielewski
1. INTRODUCTION
I am an IT Security Consultant and I have advised
UK Government Departments including the Cabinet Office and the
Department for Work and Pensions, on IT Security and the practicalities
of Smart Card technology.
The Home Affairs Committee Oral Evidence session
on 11 December 2003 raised some questions which require deeper
scrutiny by the Committee.
2. BIOMETRIC IDENTIFIERS
Copyright and ownership of Biometric Identifiers
No ID Card legislation can be compatible with the Human Rights Act if it attempts to steal an individual's Biometric Identifiers. They must belong to the individual and not the state, and are definitely Personal Data which need to be protected as such under the Data Protection Act. Informed consent is required each time they are used for purposes other than those for which they were collected.
UK Biometrics Working Group
These are the UK Government experts on Biometric
technology.
http://www.cesg.gov.uk/site/ast/index.cfm?menuSelected=4&displayPage=4
Their current state of the art advice simply screams "not suitable for large scale deployment":
eg "Biometric Security Concerns V1.0, September 2003"
http://www.cesg.gov.uk/site/ast/biometrics/media/BiometricSecurityConcerns.pdf
These experts on Biometrics are very careful
never to say that Biometrics are either "unique" or
"unforgeable", unlike Home Office ministers and civil
servants.
Multiple Biometric Identifier Policy
If multiple Biometric Identifiers are used in an ID Card, what is the policy going to be if one Biometric check passes OK but the other does not? Will people be harassed and fall under suspicion as a result?
Racial Discrimination with Biometric Identifiers
Different Biometric Identifiers have different error/acceptance rates depending on, say, skin colour, colour of the iris, age or gender.
Does the Government plan to allow different levels of acceptance for different racial or age related groups? Will a particular ethnic group end up being discriminated against by "failing" the Biometric Identifier tests more frequently than other groups, and therefore be subjected to more delays and suspicion of fraud?
Biometric Identifier Threshold Settings
In small scale Biometric systems, there is a temptation for the systems administrators to fiddle with the individual threshold settings which determine the level of acceptance or rejection of the Biometric Identifiers of a particular individual.
If such an override facility is permitted at a local Government Office level, then it will be open to abuse and fraud, ie it will be possible to reduce the thresholds so as to allow any photo or fingerprint or iris scan to be accepted by the system.
If reduced threshold levels are stored centrally, then this is a policy of discrimination and should be illegal. Why should one set of people have to pass a more or less stringent test, using secret criteria, than others are forced to?
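As an added illustration, not part of this memorandum and not code from any Government system, the following Go program models the two policy questions raised above: how a multi-identifier check is decided when one identifier passes and another fails, and how a per-subject threshold override set by a local office turns a failing score into a pass. The policy values, subject IDs, office name and the 0 to 1 score scale are all constructed assumptions; the one control it adds, a listing of every override that sits below a published policy floor, is the kind of check a central audit would run against such overrides.

```go
package main

import (
	"fmt"
	"sort"
)

// Policy is the published, scheme-wide matching policy. MinThreshold is the floor
// below which no effective threshold may ever be set, whatever local overrides say.
// Scores and thresholds are assumed to be normalised to the range 0 to 1.
type Policy struct {
	Thresholds   map[string]float64 // per modality, e.g. "face", "finger", "iris"
	MinThreshold float64
	RequireAll   bool // true: all presented modalities must pass; false: any one suffices
}

// Override is a per-subject, per-modality threshold change of the kind a local
// office might be allowed to make. SetBy records who made it, for the audit trail.
type Override struct {
	SubjectID string
	Modality  string
	Threshold float64
	SetBy     string
}

// effectiveThreshold applies the last matching override on top of the policy.
// A modality the policy does not know about gets a threshold above any possible
// score, so it can never pass by accident.
func effectiveThreshold(p Policy, overrides []Override, subjectID, modality string) float64 {
	t, known := p.Thresholds[modality]
	if !known {
		return 2.0
	}
	for _, o := range overrides {
		if o.SubjectID == subjectID && o.Modality == modality {
			t = o.Threshold
		}
	}
	return t
}

// Verify decides a multi-modality check and returns the per-modality outcome,
// so a "one passed, one failed" case stays visible rather than being collapsed.
func Verify(p Policy, overrides []Override, subjectID string, scores map[string]float64) (bool, map[string]bool) {
	perModality := make(map[string]bool, len(scores))
	passed, failed := 0, 0
	for modality, score := range scores {
		ok := score >= effectiveThreshold(p, overrides, subjectID, modality)
		perModality[modality] = ok
		if ok {
			passed++
		} else {
			failed++
		}
	}
	if p.RequireAll {
		return failed == 0 && passed > 0, perModality
	}
	return passed > 0, perModality
}

// WeakenedOverrides is the audit control: every override whose threshold sits
// below the published floor, so that it can be reviewed centrally.
func WeakenedOverrides(p Policy, overrides []Override) []Override {
	var weak []Override
	for _, o := range overrides {
		if o.Threshold < p.MinThreshold {
			weak = append(weak, o)
		}
	}
	sort.Slice(weak, func(i, j int) bool { return weak[i].SubjectID < weak[j].SubjectID })
	return weak
}

func main() {
	policy := Policy{Thresholds: map[string]float64{"face": 0.80, "finger": 0.85}, MinThreshold: 0.75, RequireAll: true}
	mixed := map[string]float64{"face": 0.91, "finger": 0.40} // constructed: face passes, finger fails
	ok, detail := Verify(policy, nil, "S1", mixed)
	fmt.Println("all-of rule, no override:", ok, detail)
	local := []Override{{SubjectID: "S1", Modality: "finger", Threshold: 0.10, SetBy: "office-7"}}
	ok, _ = Verify(policy, local, "S1", mixed)
	fmt.Println("all-of rule, local override:", ok)
	fmt.Println("overrides below policy floor:", WeakenedOverrides(policy, local))
}
```

The design point is that the fusion rule (all-of versus any-of) and the threshold floor are explicit policy inputs rather than settings buried in a terminal, and that any override is a recorded object with an author, which is what makes the central review possible.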
Suggestion: Call witnesses from the UK Biometrics Working Group
Why has no Biometric technology achieved Memorandum 28 status, ie been signed off by the Communications Electronics Security Group (CESG) as being suitable for UK Government use and deployment?
"Intelligence experts question maturity
of biometrics technology" By Peter Warren [10-12-2003], Computing
http://www.computing.co.uk/News/1151462
Suggestion: Call witnesses from the Communications Electronics Security Group
3. ICAO BIOMETRIC PASSPORT PKI INCOMPATIBILITY
The International Civil Aviation Organisation (http://www.icao.int/mrtd/Home/Index.cfm) have published their plans for Biometric Smart Card Machine Readable Travel Documents (ie Passports and Residence Documents).
"Biometrics deployment of MRTD"
http://www.icao.int/mrtd/download/documents/Biometrics%20deployment%20of%20Machine%20Readable%20Travel%20Documents.pdf
However, they recognise that such a system would be open to forgery and fraud unless the Biometric Identifiers stored on the Smart Card are cryptographically protected and assured through a Digital Signature Public Key Infrastructure (PKI).
"PKI Digital Signatures Tech Report"
http://www.icao.int/mrtd/download/documents/PKI%20Digital%20Signatures.PDF
The ICAO recognise that making their system compatible with other Commercial or Government Public Key Infrastructures in over 120 countries is too difficult a problem, especially as even "advanced" countries like the UK do not have a working Government PKI with which to be compatible.
The technical problems include Cross Certification and Revocation.
Therefore this ICAO Biometric Machine Readable Travel Document Public Key Infrastructure will be a customised, non-standard system which will deliberately not interoperate with the UK ID Card or any other multiple use system which is meant to facilitate access to Government services.
This completely negates any chance of a combined United Kingdom ID Card + Driving Licence + Biometric Passport, unless the ICAO system is the dominant one, thereby surrendering UK Sovereignty.
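As an added example, not part of this memorandum and not ICAO's actual certificate profile, the Go program below shows in miniature what the ICAO report is asking for and where the Cross Certification and Revocation problems bite: an issuing authority signs the biometric data stored on the chip, and a relying party can only verify that data if the issuer's key is in its own trust store and has not been revoked. A record from an issuer the relying party has no certification path to is rejected even though its signature is perfectly valid. The issuer names, key fingerprints and template bytes are constructed, and Ed25519 stands in for whatever signature algorithm a real scheme would mandate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Issuer models one signing authority (hypothetical: an issuing state's document
// signing key). Only the issuer holds the private half.
type Issuer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIssuer(name string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{Name: name, Pub: pub, priv: priv}, nil
}

// KeyID is a short fingerprint of a public key, used to look it up in a trust store.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// SignedRecord is the biometric data written to the chip together with the
// issuer's signature over the data's digest.
type SignedRecord struct {
	Issuer    string
	KeyID     string
	Data      []byte
	Signature []byte
}

func (is *Issuer) Sign(data []byte) SignedRecord {
	digest := sha256.Sum256(data)
	return SignedRecord{Issuer: is.Name, KeyID: KeyID(is.Pub), Data: data, Signature: ed25519.Sign(is.priv, digest[:])}
}

// Tamper returns a copy of r with one bit of the biometric data flipped, to show
// that an altered record no longer verifies.
func Tamper(r SignedRecord) SignedRecord {
	r.Data = append([]byte(nil), r.Data...)
	r.Data[0] ^= 0x01
	return r
}

var (
	ErrUnknownIssuer = errors.New("issuer key not in trust store: no certification path")
	ErrRevoked       = errors.New("issuer key has been revoked")
	ErrBadSignature  = errors.New("signature does not verify: record altered or forged")
)

// TrustStore is the relying party's view: the issuer keys it trusts and the key
// IDs it has been told are revoked. Getting these lists to every reader is the
// cross-certification and revocation distribution problem.
type TrustStore struct {
	Trusted map[string]ed25519.PublicKey
	Revoked map[string]bool
}

func NewTrustStore(issuers ...*Issuer) TrustStore {
	ts := TrustStore{Trusted: map[string]ed25519.PublicKey{}, Revoked: map[string]bool{}}
	for _, is := range issuers {
		ts.Trusted[KeyID(is.Pub)] = is.Pub
	}
	return ts
}

func (ts TrustStore) Revoke(keyID string) { ts.Revoked[keyID] = true }

// Verify checks revocation first, then the trust path, then the signature itself.
func (ts TrustStore) Verify(r SignedRecord) error {
	if ts.Revoked[r.KeyID] {
		return ErrRevoked
	}
	pub, ok := ts.Trusted[r.KeyID]
	if !ok {
		return ErrUnknownIssuer
	}
	digest := sha256.Sum256(r.Data)
	if !ed25519.Verify(pub, digest[:], r.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	uk, err := NewIssuer("UK issuing authority (hypothetical)")
	if err != nil {
		panic(err)
	}
	other, _ := NewIssuer("Other state (hypothetical)")
	ts := NewTrustStore(uk) // relying party only trusts the UK issuer
	rec := uk.Sign([]byte("constructed biometric template bytes"))
	fmt.Println("genuine record:", ts.Verify(rec))
	fmt.Println("tampered record:", ts.Verify(Tamper(rec)))
	fmt.Println("foreign issuer:", ts.Verify(other.Sign(rec.Data)))
	ts.Revoke(rec.KeyID)
	fmt.Println("after revocation:", ts.Verify(rec))
}
```

The order of checks in Verify matters: a revoked key must be rejected even if it is still present in the trusted set, and an unknown issuer is reported as a trust-path failure rather than a bad signature, since the two need different remedies (distributing certificates versus re-issuing the document).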
4. ENTITLEMENT TO GOVERNMENT SERVICES
How will the ID Card help to authenticate anybody who is trying to access the increasing number of Government Services via the internet or via a telephone call centre? eg someone trying to pay their taxes to the Inland Revenue via the Government Gateway
https://www.gateway.gov.uk
Other countries eg Belgium, Sweden, Singapore,
Hong Kong etc. either have, or are in the process of creating
a Public Key Infrastructure using Digital Certificates which allow
electronic authentication to online Government and Private Sector
services.
How does the Home Office ID card scheme, which barely acknowledges the need for a PKI at all, fit in with e-Government plans? Or would it, as it stands, actually hinder the delivery of e-Government services?
Suggestion: Call Andrew Pinder CBE, the outgoing e-Envoy, as a witness.
http://www.e-envoy.gov.uk/ContactUs/ContactUs/fs/en
5. NATIONAL IDENTITY REGISTER
The Oral Evidence session on 11th December 2003
touched upon, but did not pursue the question of Addresses and
the National Register:
"Stephen Harrison: There will be one record
of identity established in the National Identity Register, along
which those documents then hang off. Each of those agencies continue
to need their own database so that, for example, specific medical
information the DVLA might hold about you which might affect your
entitlement to drive stays only with DVLA and is owned by DVLA.
The basic core identity information like name, address and date
of birth sits once on the shared National Register."
Even the Home Office's own focus group research
highlighted the public's distrust of having one's address on
the face of the ID card or on a central ID Register:
"Public perceptions of identity/entitlement
cards"
http://www.homeoffice.gov.uk/docs2/qualitativeresearch031111.pdf
"When it became clear that there would
be a database containing information relating to the card, the
tendency was to prefer only limited information on the card, and
more detail on the database, with caveats about the security of
the database. The general feeling was that information on the
card should be restricted to name, date of birth and a photograph.
Some respondents also felt a personal ID number would be useful;
most rejected the idea of addresses being included, primarily
for security reasons. The inclusion of signatures was acceptable
to most, but was thought vulnerable to forgery."
With a Biometric ID Card, there is no actual need for your address to appear on an ID Card. If you have satisfied the Entitlement to reside or work in the UK criteria, and have the supporting primary documentation to prove it during the Enrolment and Registration process, then it is irrelevant where in the UK you currently reside. Given that people move address on average every seven years, and far more often than that in cities, your initial address on registering for your ID card is likely to be out of date by the time it expires.
What are the Government plans for Change of
Address Notification? Will this be Compulsory? Will there be criminal
penalties if the central database address does not coincide with
your current actual address? What about people with multiple addresses?
Commons Hansard 11 November 2003: Column 172:
http://www.publications.parliament.uk/pa/cm200203/cmhansrd/cm031111/debtext/31111-04.htm
"Mr. Blunkett:
Parliament would determine under strict criteria
what identifiers were necessary on the chip contained in the card
and, therefore, what should be held on the database itself. It
would not be necessary, for instance, to hold the address of the
individual on the face of the card, as with current driving licences,
therefore reducing rather than increasing risk."
"ID Cards the next steps" Page 12
http://www.official-documents.co.uk/document/cm60/6020/6020.pdf
"24. Data held on the National Identity
Register will be basic identity information such as name, address,
date of birth, gender, immigration status and a confirmed biometric
and this will be set out in statute. Organisations using the National
Register to verify identity will not be able to get to other personal
information, for instance health or tax records, via the Register."
This Address policy needs to be clear at the
outset of even the Voluntary scheme, as any change in this policy
will cause massive cost and logistical problems to the ID Card
scheme.
There are excellent reasons why publishing your address (even a potentially out of date one) on the human readable ID Card is a bad idea. Racial and religious discrimination has not been eradicated in the UK, and having to show that you are "from the wrong part of town" (eg an address on the Shankill Road or the Crumlin Road in Belfast) when all you are trying to do is prove your age entitlement to get a drink in a pub etc. is wrong and potentially dangerous.
If you lose your ID Card or it is stolen when you are on holiday, then burglars will know that your home is empty: there have been warnings about this sort of thing on airport luggage labels for many years now.
There should be nothing extra stored on the
central database which is not available for inspection by the
owner of the ID Card, without the need for specialised equipment.
Keeping "hidden" data fields on this system creates
the infrastructure for police state repression or apartheid etc.
What exactly are the ID Card scheme requirements for Change of Address Notification, if any?
"Compulsory ID Cards equivalent to being
on a Sex Offender Register ?"
http://www.spy.org.uk/spyblog/archives/000064.html
Home Office Press release, Reference: 274/2003, Date: 6 Oct 2003
"SEXUAL OFFENCES BILL TO FURTHER TIGHTEN
SEX OFFENDER MONITORING"
http://www.homeoffice.gov.uk/nstory.asp?itemid=634
If the intention is to use the ID Card to somehow catch terrorists, who move about much more secretly than Sex Offenders do, then the Change of Address Regulations for the whole population are going to have to be at least as harsh as those for the Sex Offenders Register.
6. PRIVACY AUDIT TRAILS
The Oral Evidence session on 11 December 2003
touched upon, but did not pursue the question of Privacy Audit
trails.
The main warning indicator against abuse of, say, Credit Cards or Bank Accounts or Telephones is the regular statements or itemised bills which such systems produce for their customers. It is usually up to the individual concerned to spot anomalous transactions or errors, and then to query the bill or the statement.
Under the Data Protection Act and the Freedom
of Information Act, an individual should be able to see the full
audit trail of who uses his identity records, when, where, and
under what authority, so that the individual can determine if
there is abuse of their credentials through, perhaps, a replay
attack via a crooked ID Card terminal.
Such audit trails will need to be built into
the system in order to spot unusually active or inactive ID Card
credentials, which may point to errors or to actual ID fraud.
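As an added example, not part of this memorandum, the Go program below treats a constructed terminal log as the "itemised bill" argued for above: it produces the statement for one card holder and runs the operator-side checks described, flagging a repeated transaction nonce (the signature of a replayed exchange from a crooked terminal), an unusually active card, and a registered card that is never used at all. The log format, card and terminal identifiers, authority names, window and count thresholds are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Entry is one ID Card authentication as a relying-party terminal would log it.
// Nonce is the per-transaction challenge; seeing the same one twice means a replayed exchange.
type Entry struct {
	At                                        time.Time
	Card, Terminal, Authority, Purpose, Nonce string
}

// sampleLog is constructed sample data for this example, not real records.
const sampleLog = `
2004-01-12T09:14:00Z card=UK-000123 terminal=T-LEEDS-04 authority=DWP purpose=benefit-claim nonce=a1f3
2004-01-12T09:20:00Z card=UK-000123 terminal=T-LEEDS-04 authority=DWP purpose=benefit-claim nonce=a1f3
2004-01-12T11:02:00Z card=UK-000777 terminal=T-LONDON-12 authority=NHS purpose=gp-registration nonce=9c0e
2004-01-12T11:03:00Z card=UK-000777 terminal=T-LONDON-12 authority=NHS purpose=gp-registration nonce=9c0f
2004-01-12T11:04:00Z card=UK-000777 terminal=T-LONDON-13 authority=DVLA purpose=licence-renewal nonce=9c10
2004-01-12T11:05:00Z card=UK-000777 terminal=T-LONDON-13 authority=DVLA purpose=licence-renewal nonce=9c11
2004-01-13T15:30:00Z card=UK-000123 terminal=T-YORK-01 authority=IR purpose=tax-return nonce=b7d2
`

// ParseLog turns "timestamp key=value ..." lines into entries, rejecting malformed ones.
func ParseLog(text string) ([]Entry, error) {
	var out []Entry
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 6 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		kv := map[string]string{}
		for _, field := range f[1:] {
			parts := strings.SplitN(field, "=", 2)
			if len(parts) != 2 {
				return nil, fmt.Errorf("bad field %q in %q", field, line)
			}
			kv[parts[0]] = parts[1]
		}
		out = append(out, Entry{at, kv["card"], kv["terminal"], kv["authority"], kv["purpose"], kv["nonce"]})
	}
	return out, nil
}

// Statement is the card holder's view: every use of their card, oldest first.
func Statement(entries []Entry, card string) []Entry {
	var out []Entry
	for _, e := range entries {
		if e.Card == card {
			out = append(out, e)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].At.Before(out[j].At) })
	return out
}

// Anomaly is one finding; Kind is "replay", "burst" or "dormant".
type Anomaly struct{ Card, Kind, Detail string }

// FindAnomalies runs the operator-side checks: a repeated nonce, more than maxUses
// authentications of one card inside any window, and a registered card with no activity.
func FindAnomalies(entries []Entry, registered []string, window time.Duration, maxUses int) []Anomaly {
	var out []Anomaly
	seen := map[string]Entry{}
	byCard := map[string][]Entry{}
	for _, e := range entries {
		if first, dup := seen[e.Nonce]; dup {
			out = append(out, Anomaly{e.Card, "replay", fmt.Sprintf("nonce %s first seen at %s on %s, repeated at %s on %s",
				e.Nonce, first.At.Format(time.RFC3339), first.Terminal, e.At.Format(time.RFC3339), e.Terminal)})
		} else {
			seen[e.Nonce] = e
		}
		byCard[e.Card] = append(byCard[e.Card], e)
	}
	for card, es := range byCard {
		sort.Slice(es, func(i, j int) bool { return es[i].At.Before(es[j].At) })
		for i := range es {
			n := 0
			for j := i; j < len(es) && es[j].At.Sub(es[i].At) <= window; j++ {
				n++
			}
			if n > maxUses {
				out = append(out, Anomaly{card, "burst", fmt.Sprintf("%d uses within %s from %s", n, window, es[i].At.Format(time.RFC3339))})
				break // one burst finding per card is enough for review
			}
		}
	}
	for _, card := range registered {
		if len(byCard[card]) == 0 {
			out = append(out, Anomaly{card, "dormant", "registered but never authenticated in this period"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Card+out[i].Kind < out[j].Card+out[j].Kind })
	return out
}

func main() {
	entries, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, e := range Statement(entries, "UK-000123") {
		fmt.Println(e.At.Format(time.RFC3339), e.Terminal, e.Authority, e.Purpose)
	}
	for _, a := range FindAnomalies(entries, []string{"UK-000123", "UK-000777", "UK-000999"}, 10*time.Minute, 3) {
		fmt.Println(a.Card, a.Kind, a.Detail)
	}
}
```

The same log serves two audiences: Statement is what a Data Subject Access request would return to the card holder, while FindAnomalies is what the scheme operator would run. Both depend on each authentication being recorded with its time, terminal, authority and purpose, which is exactly the data whose access the questions below ask about.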
Has the Home Office costed this Data Subject Access infrastructure into their cost estimates?
What policy safeguards will there be to prevent such audit trails from being used as a backdoor Big Brother tracking system? ie who will have access to the log files showing which ID Card was used at which ID Card terminal, thereby recording the time, date, location and probably the purpose of each ID Card authentication?
January 2004