Report - Guardian

More documents

Recommendations

Info

196 The LSE Identity Project <strong>Report</strong>: June 2005that the police, the intelligence agencies, and any criminal organisations who havemanaged to penetrate or infiltrate the National Identity Register, will be able toimpersonate not just subjects but also verifiers (assuming they are also identified usingthe National Identity Register mechanisms).These National Identity Register ‘insiders’ will be able to frame citizens – and also tocreate alibis for crooks – by making people appear to have undergone identity checks inlocations that they never in fact visited (verifiers may also be crooked, and try to createfalse identification records using rubber finger impressions or photographs of irises:current biometric equipment mostly assumes honest attendants, rather than operatorstrying to deceive it). It is perhaps fortunate, therefore, that what the Bill actuallyspecifies is inept in security terms, in that it needlessly exposes these items and therebyundermines their evidential value for authenticating the person identified by the NIRrecord in question. Ministers should recall the thinking behind the ElectronicCommunications Act of 2000, which rightly prohibited the mandatory escrow ofsignature keys, as this would have undermined the evidential value of signatures madewith them.Lack of Constraints on the Use of NIR derived Data OnceObtainedAlthough those operating the National Identity Register face criminal sanctions if theymisuse or reveal National Identity Register data without authorisation, the IdentityCards Bill imposes no such sanctions on those who obtain data from the NationalIdentity Register. Hence it seems that the police and intelligence agencies, and eventhose who do no more than use the National Identity Register for identity verification,do not face any meaningful penalties for data misuse.Although those who access and subsequently misuse National Identity Register dataface penalties under the Data Protection Act, in practice these sanctions are weak intheir impact as they are limited to a fine. A specific and serious criminal offence mightgenerate more confidence.The lack of constraints on the misuse of National Identity Register-derived data once ithas been obtained has serious implications. As long as the National Identity Registeroperates alongside the traditional means of identity verification, anyone who obtainsNational Identity Register data is in an ideal position to produce false documents thatcan then be used as a starting point for ‘identity theft’. Far from undermining identitybasedcrime, the National Identity Register could easily facilitate it.Weak National Identity Register access controls could also have a devastating impact onthose who have good reasons for avoiding the existence of easy means of identification.This would include, for example, those in senior government or military positions whomay be terrorist targets, those who might be subject to harassment or attack from‘animal rights’ activists or from other extremist groups. Those who wish to hide fromstalkers or from those who wish to harm them will also be at increased risk. Terroristgroups, in particular, would have an ideal starting point for identifying and locatingtheir targets if they are able to gain easy access to data held in the National IdentityRegister.
The LSE Identity Project <strong>Report</strong>: June 2005 197In the light of these examples of the high risks that the availability of identity data willbring to some, it is worth reflecting on a statement made by David Blunkett, speaking ina debate on the earlier Identity Cards Bill:“Let me make it clear: no one has anything to fear from beingcorrectly identified …” 467It is our view that those who understand the nature of identity would never pursue thetype of centralised approach embodied in the National Identity Register because manyof the security risks identified here are inherent in such an approach.Insider Attacks and AuditingOne of the most difficult and challenging aspects of secure systems design andimplementation is that of providing effective auditing that is capable of detecting andrevealing malign behaviour on the part of system operators or users.The difficulties inherent in the audit requirement can be illustrated by considering theaudit load that will be generated by the National Identity Register. The system will haveto handle (depending on the time of day or hour) up to 100 transactions per secondcontinuously, each of which has to be recorded for audit. This will generate around 1Gigabyte of data per day.Although auditing can generate large quantities of data, the real problem is not thevolume as such, but rather the ‘needle in a haystack’ problem of analysing this data todetect suspicious behaviour by users or system operators. Proactive audit analysis isimportant for the early detection and removal of subverted users and operators, but thevolume of data forces the use of some form of automated or semi-automated auditanalysis, or the random or targeted analysis of the audit records for specific users andoperators.However, although automated audit analysis will often catch ‘amateur’ insider attacks,long term subverted insiders will go to considerable lengths to ensure that their actionsappear unremarkable. As a result, they are only likely to be discovered by manual auditanalysis, meaning that that they can operate as subverted insiders for a considerabletime without fear of detection, unless a high proportion of operators are subject toregular manual audits.The regular manual audit of a high proportion of system operators for a system as largeas the National Identity Register will be an extremely expensive process. Again, it islikely that corner-cutting to reduce costs will curtail effective auditing and exacerbatethe risks of security compromises in the operation of the National Identity Register.467 Commons Hansard, Identity Cards, November 11, 2003.
Page 1:
The Identity Projectan assessment o
Page 5 and 6:
The LSE Identity Project Report: Ju
Page 7:
Page 11 and 12:
Page 13 and 14:
Page 15:
Page 19:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33:
Page 36 and 37:
22 The LSE Identity Project Report:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Page 114 and 115:
100 The LSE Identity Project Report
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157:
Page 160 and 161: 146 The LSE Identity Project Report
Page 183 and 184: The LSE Identity Project Report: Ju
Page 199: The LSE Identity Project Report: Ju
Page 259: The LSE Identity Project Report: Ju
Page 262 and 263:
Page 264 and 265:
Page 266 and 267:
Page 268 and 269:
Page 270 and 271:
Page 272 and 273:
Page 274 and 275:
Page 276 and 277:
Page 278 and 279:
Page 280 and 281:
Page 282 and 283:
Page 284 and 285:
Page 286 and 287:
Page 288 and 289:
Page 290 and 291:
Page 292 and 293:
Page 294 and 295:
Page 296 and 297:
Page 299 and 300:
Page 301 and 302:
Page 303 and 304:
Page 305 and 306:
Page 307 and 308:
Page 309 and 310:
Page 311 and 312:
Page 313 and 314:
Page 315 and 316:
Page 317:
show all

Report - Guardian

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?