Report - Guardian

More documents

Recommendations

Info

190 The LSE Identity Project <strong>Report</strong>: June 2005EnrolmentThe enrolment stage, in which people's biometrics are recorded and their details enteredinto the National Identity Register, is critical if the authenticity of each identity record isto be ensured. The immediate problem is that of balancing convenience of enrolmentagainst the necessary quality of the result.For example, to make enrolment easy, there will need to be many locations whereenrolment is possible. But if there are many locations, the staff costs will be very largeand the ability of systems managers to maintain control over the integrity of operationswill be degraded. Since enrolment is critical to the integrity of the whole system, it willbe important that staff members are well trained, with at least two people present at anytime so that no single person acting alone can subvert an enrolment operation. Sincethere have to be more staff to cover leave and sickness, the usual assumption for asecure system is that three staff members are needed for every individual role that needsto be performed. This figure increases when management and backroom staff needs aretaken into account.The integrity of the National Identity Register will be compromised even if only a smallnumber of these thousands of staff act improperly. With smaller centres, in particular, itwill become feasible for those who see value in attacking the system to plan aninfiltration strategy based on subverting a single enrolment centre. This will add to therequirements for vetting, auditing and other measures designed to ensure that suchstrategies cannot succeed. This will further increase both the initial and the operatingcosts.If four staff members are needed per enrolment line, then with ten-minute enrolmentinterviews it is unlikely that more than ten interviews can be conducted per staff-day, or2000 interviews per staff-year. With proper interviews and careful checks of foundationdocuments, productivity is likely to be even lower. 5,000,000 enrolments per yearwould thus require an establishment of several thousand staff. This is certainly what willbe needed to maintain the quality of enrolment processes, but experience suggests that itwill soon be seen as an unacceptably low throughput and will thus provoke ‘cornercutting’ to achieve savings, leading to the compromises that so often undermine securityin the real world.It also seems likely that such pressures will promote other enrolment strategiesinvolving fewer centres. However, this is unlikely to make significant cost savings sinceit will simply shift costs onto those who now have to travel some distance in order toenrol. This will also make enrolment much less convenient, adding significantly to thedifficulties faced by those who have to register for ID cards. We may expect particularproblems for the elderly, for people with physical and mental disabilities, and for peopleliving in remote communities.Another issue is that of how citizens will be able to have confidence in enrolmentcentres and those who work in them.
The LSE Identity Project <strong>Report</strong>: June 2005 191Multiple RegistrationsA key aspect of government claims about ID cards is the assertion that it will not bepossible for the same person to register more than once with different details, sincebiometrics will expose attempts to achieve this. However, this assertion should betreated cautiously because it depends on several assumptions that have yet to be proven.Firstly, this assumes a perfect biometric system, whereas it is far from clear thatbiometrics can meet this challenge for a population of over 50 million people.Secondly, this also assumes that the system as a whole is perfect and will not containsecurity weaknesses that can be exploited to create multiple registrations containing thesame biometrics.Of course, this might not be seen as a major problem, as anyone seeking to makemultiple registrations with the same biometrics would presumably have to be lucky tofind themselves with biometrics that are problematic. However, it is possible that waysof creating such situations will be discovered. We can expect technical attacks, wherebypeople try to create false identities using rubber finger covers, printed contact lenses andso on. But it is not ‘normal cases’ that are the source of most problems in securesystems; rather, it is usually one of the many ‘special cases’ that is exploited to subvertsecurity.There will, for example, be people whose biometrics are not fully satisfactory, and forwhom the National Identity Register will have to make special provisions, such asholding data on known false matches. There are certain to be many such special cases,all of which have to be very carefully considered and implemented in a way thatprevents their exploitation. The problem with this situation is that those who are seekingto defend the system only succeed if they find and eliminate all vulnerabilities, whereasan attacker succeeds if he can find just one that has been overlooked. In practice, thisimbalance greatly increases the cost of maintaining security, because each minor changeto the system has to be extensively analysed in order to ensure that it does notinadvertently introduce any exploitable security weaknesses. This is one of the reasonswhy maintenance and support costs for secure systems are enormous when comparedwith those of their insecure counterparts.Of course, insiders will quickly get to know the ‘special cases’ and will be sufficientlyresourceful to recognise how they can be exploited. It is inevitable that this sort ofinformation will filter out to those who want to subvert the system.Banks go to enormous lengths to protect the privacy of their customers’ account details,but they face exactly this dilemma in that the banking system can only operateeffectively if there is widespread sharing of account data. It is thus inevitable that, nomatter how much the banks spend on security, it will still be possible for outsiders toobtain unauthorised access to account details.The basic problem here is easy to understand: the greater the number of people whoknow a secret, the less secret it is. A system such as the National Identity Register,involving thousands of staff, stands little chance of being highly secure.
Page 1:
The Identity Projectan assessment o
Page 5 and 6:
The LSE Identity Project Report: Ju
Page 7:
Page 11 and 12:
Page 13 and 14:
Page 15:
Page 19:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33:
Page 36 and 37:
22 The LSE Identity Project Report:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Page 114 and 115:
100 The LSE Identity Project Report
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154: The LSE Identity Project Report: Ju
Page 157: The LSE Identity Project Report: Ju
Page 160 and 161: 146 The LSE Identity Project Report
Page 199: The LSE Identity Project Report: Ju
Page 255 and 256:
Page 257 and 258:
Page 259:
Page 262 and 263:
Page 264 and 265:
Page 266 and 267:
Page 268 and 269:
Page 270 and 271:
Page 272 and 273:
Page 274 and 275:
Page 276 and 277:
Page 278 and 279:
Page 280 and 281:
Page 282 and 283:
Page 284 and 285:
Page 286 and 287:
Page 288 and 289:
Page 290 and 291:
Page 292 and 293:
Page 294 and 295:
Page 296 and 297:
Page 299 and 300:
Page 301 and 302:
Page 303 and 304:
Page 305 and 306:
Page 307 and 308:
Page 309 and 310:
Page 311 and 312:
Page 313 and 314:
Page 315 and 316:
Page 317:
show all

Report - Guardian

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?