Report - Guardian

The LSE Identity Project Report: June 2005 193Although the Secretary of State may accredit those who seek to verify the identity ofothers using the National Identity Register, he is again under no obligation to do so.Given the safety and security risks of allowing unidentified individuals to access dataheld in the National Identity Register, it is again important to make access conditionalon National Identity Register based identity checks upon those who are seeking toverify the identity of others.Although the National Identity Register contains biometric data for verifying a person’sidentity, it also contains alternative provisions based on passwords and securityquestions. It appears that this mechanism has been included to cover situations in whichbiometrics cannot be recorded, measured, or used for a particular reason.The circumstances in which this alternative means of identity verification can beemployed are not specified. In particular it is not clear whether it can only be used whenan entry in the National Identity Register does not contain biometric data, or when asubject is consenting to access by telephone or via the Internet. In consequence, it mightbe possible for those seeking access to the National Identity Register to use this lowquality means of identification instead of high quality biometrics and thereby gainaccess to data in the entry without a strong check on the identity of the person givingconsent.Although it seems that clause 14(2) contains a provision that prevents security-criticaldata such as passwords and the answers to security questions being revealed, in practicethis is not a significant constraint: a verifier can infer this information after a successfulidentity check because he is told if the values he supplies match those in the NationalIdentity Register. This is an example of a well-known class of attacks known as‘inference attacks’, in which an attacker can deduce information that he is notauthorised to obtain from other information that he is given.After one successful access request, a verifier will know the password and other securityanswers and can subsequently use this information to gain access to the NationalIdentity Register without seeking further consent from the subject. Moreover, there isnothing in this Bill that imposes constraints or sanctions on verifiers who misuse data oreven reveal it to others (we will return to this issue later). In addition, there appears tobe no provision whereby a subject can give consent for access only to a subset of theidentity-related data held in the National Identity Register. The recent spate of online“phishing” attacks (where hackers gain access to banking customers’ passwords) showshow easily these security mechanisms can be abused, and how difficult it can be for thepolice to prevent such activities and track down the perpetrators.A worrying aspect of this legislation is that the minimal security provision that it doescontain – passwords and security answers – is seriously flawed, since it has been knownfor many years that information of this character should never be handled in the waythat the Bill proposes. When such obvious errors are made in elementary aspects ofsecurity provision, there is no basis for confidence in the overall security of the NationalIdentity Register.These weaknesses in the proposed system undermine the Government’s claim that dataheld in the National Identity Register will be safe and secure.