Report - Guardian

More documents

Recommendations

Info

192 The LSE Identity Project <strong>Report</strong>: June 2005Identity VerificationIf ID cards are to be more reliable than ‘photo ID’ cards, it is essential that theirbiometric features are widely used with frequent checks against the National IdentityRegister. Additionally, since the government proposes to hold identity-related data inthe National Identity Register, on-line identity checks will be essential in keycircumstances when access to this data is needed.This puts the National Identity Register at the heart of the system, which in turn makesthe security of National Identity Register data and control of access to it absolutelycritical for the safety and security of all who are identified in its records.Subject Consent for Access by Verifier to Data Held in theNational Identity RegisterIn recent months, Government Ministers, including the Prime Minister, have claimedthat data held in the National Identity Register will be safe and secure, and yet theIdentity Cards Bill contains no explicit security requirements that provide a basis forsuch assurances.Clauses 14(1)(a) and 14(1)(b) provide for verifier access with the consent of the subjectbut offer no indication of how this consent will be obtained nor how it will beauthenticated.Clauses 14(5) and 14(6) indicate that the Secretary of State may impose conditions onhow consent is given, but it contains no obligation to do this in a way that provides ahigh level of confidence that the identity of the person seeking access (or giving consentfor access by another party) matches the identity of the person whose National IdentityRegister record is being requested.It is particularly puzzling that the government should seek to introduce a supposedlyhigh-quality system for verifying people’s identity, and yet fail to invoke explicitly thismechanism for authenticating subject access and subject access consent.At very least, a new provision is needed to the effect that:The Secretary of State shall ensure that access under clauses 14(1)(a)and 14(1)(b) will only be granted if both the identity of the subject andtheir consent have been fully authenticated in a way that does not relyon a presumption that the subject trusts the person seeking to obtainsuch access.The Bill should also make it an explicit requirement that access to data held in anNational Identity Register record, other than the biometrics, is conditional onconfirmation that the biometrics of the person purporting to give consent match thebiometrics held in the National Identity Register record to which access is being sought.It would be hypocritical to advocate such services for use by others, yet fail to mandatetheir use in controlling access to the National Identity Register.
The LSE Identity Project <strong>Report</strong>: June 2005 193Although the Secretary of State may accredit those who seek to verify the identity ofothers using the National Identity Register, he is again under no obligation to do so.Given the safety and security risks of allowing unidentified individuals to access dataheld in the National Identity Register, it is again important to make access conditionalon National Identity Register based identity checks upon those who are seeking toverify the identity of others.Although the National Identity Register contains biometric data for verifying a person’sidentity, it also contains alternative provisions based on passwords and securityquestions. It appears that this mechanism has been included to cover situations in whichbiometrics cannot be recorded, measured, or used for a particular reason.The circumstances in which this alternative means of identity verification can beemployed are not specified. In particular it is not clear whether it can only be used whenan entry in the National Identity Register does not contain biometric data, or when asubject is consenting to access by telephone or via the Internet. In consequence, it mightbe possible for those seeking access to the National Identity Register to use this lowquality means of identification instead of high quality biometrics and thereby gainaccess to data in the entry without a strong check on the identity of the person givingconsent.Although it seems that clause 14(2) contains a provision that prevents security-criticaldata such as passwords and the answers to security questions being revealed, in practicethis is not a significant constraint: a verifier can infer this information after a successfulidentity check because he is told if the values he supplies match those in the NationalIdentity Register. This is an example of a well-known class of attacks known as‘inference attacks’, in which an attacker can deduce information that he is notauthorised to obtain from other information that he is given.After one successful access request, a verifier will know the password and other securityanswers and can subsequently use this information to gain access to the NationalIdentity Register without seeking further consent from the subject. Moreover, there isnothing in this Bill that imposes constraints or sanctions on verifiers who misuse data oreven reveal it to others (we will return to this issue later). In addition, there appears tobe no provision whereby a subject can give consent for access only to a subset of theidentity-related data held in the National Identity Register. The recent spate of online“phishing” attacks (where hackers gain access to banking customers’ passwords) showshow easily these security mechanisms can be abused, and how difficult it can be for thepolice to prevent such activities and track down the perpetrators.A worrying aspect of this legislation is that the minimal security provision that it doescontain – passwords and security answers – is seriously flawed, since it has been knownfor many years that information of this character should never be handled in the waythat the Bill proposes. When such obvious errors are made in elementary aspects ofsecurity provision, there is no basis for confidence in the overall security of the NationalIdentity Register.These weaknesses in the proposed system undermine the Government’s claim that dataheld in the National Identity Register will be safe and secure.
Page 1:
The Identity Projectan assessment o
Page 5 and 6:
The LSE Identity Project Report: Ju
Page 7:
Page 11 and 12:
Page 13 and 14:
Page 15:
Page 19:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33:
Page 36 and 37:
22 The LSE Identity Project Report:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Page 114 and 115:
100 The LSE Identity Project Report
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156: The LSE Identity Project Report: Ju
Page 157: The LSE Identity Project Report: Ju
Page 160 and 161: 146 The LSE Identity Project Report
Page 199: The LSE Identity Project Report: Ju
Page 257 and 258:
Page 259:
Page 262 and 263:
Page 264 and 265:
Page 266 and 267:
Page 268 and 269:
Page 270 and 271:
Page 272 and 273:
Page 274 and 275:
Page 276 and 277:
Page 278 and 279:
Page 280 and 281:
Page 282 and 283:
Page 284 and 285:
Page 286 and 287:
Page 288 and 289:
Page 290 and 291:
Page 292 and 293:
Page 294 and 295:
Page 296 and 297:
Page 299 and 300:
Page 301 and 302:
Page 303 and 304:
Page 305 and 306:
Page 307 and 308:
Page 309 and 310:
Page 311 and 312:
Page 313 and 314:
Page 315 and 316:
Page 317:
show all

Report - Guardian

Create successful ePaper yourself

Delete template?

Save as template?