Tom Womack ([personal profile] fivemack) wrote 2007-11-21 11:52 am

That massive HMRC leak of data

This is a classic example of a story the reporting of which is itself the problem. The data has been lost; with reasonably high probability it's been lost to people unable to do anything with it, in which case nothing has actually happened. If it is lost to people able to do things with it, it increases the background risk of identity theft, but there is nothing whatsoever that any given individual can do given this information - it's even less useful than the 'avian flu exists; refrain from handling dead wild birds if at all possible' news items of the start of the year. The useful mitigation has to be done at the level of large-scale identity users, essentially the banks.

But the information has been presented in a way that clearly has worried people; and to worry twenty-five million people about something which ought to be giving sleepless nights to two dozen teams in the back offices of major banks doesn't seem a publicly valuable act ... raising blood-pressures by on average one quarter-micron of mercury will statistically cause some number of heart attacks, which will statistically cause some number of deaths that would be considered front-page, questions-in-the-House bad news if caused by men with knives.

I'm not sure this particular large data-leak can't be spun as a strong argument for ID cards. It means that it can be argued that bad-guys-unspecified have the NI numbers, dates of birth and bank information for near enough everybody, at which point any organisation prepared to let somebody do something to my detriment given only my NI number, date of birth and bank information is presumptively negligent.

I don't think this troubles me too much - I am fairly happy to open bank accounts by appearing in person with a cheque, a passport and a gas bill - but it's clearly troublesome for people for whom getting to the bank is hard, or for whom the cost of getting a passport is significant.

There's certainly an argument that I can imagine being made, of the shape 'previous proof-of-identity systems which we believed adequate are compromised; requiring time-consuming authentication processes from everybody is expensive; what we need to do is to move to some other method of authentication, for example these beautiful high-tech public-key-authentication-on-secure-processor ID-cards what the selfless people at EDS have prepared for us'.

[personal profile] diffrentcolours 2007-11-21 12:10 pm (UTC)
We've already had Darling say that if we had the National Identity Register, the data would be "protected by biometrics". Either he's an idiot who doesn't understand the technology, or he's lying to save face.

Assuming that biometric technology is good enough, we could have (at vast expense) a system whereby everybody is authenticated by biometrics. The known issues with biometric security will come to the fore, and once biometrics become more commonly faked, loss of biometric data which can't be altered will be a large problem. However, we can only authenticate biometric identities in person, so we'd have to do away with phone / Internet / postal banking and purchases.

I agree entirely that it needs to be harder to do bad things with personal information like NI numbers; unfortunately it's a fairly hard problem in practice (Schneier has a few good things to say on the issue). Until that's the case however, I'm going to continue to campaign against large-scale databases which will only make these leaks bigger, more frequent and more damaging.

[identity profile] fivemack.livejournal.com 2007-11-21 01:56 pm (UTC)
Obviously you have to be in the same place as the biometrics reader to be able to authenticate yourself biometrically, but there's no reason that the biometrics reader isn't a little box with a display, a keypad, an iris-camera and a fingerprint reader which you keep by the side of your computer: put in the ID-card, enter your PIN to wake up the box, enter a sixteen-digit challenge which the remote requestor gives which encodes your ID number and some entropy, scan your finger, and tell the remote requestor the number that appears on the display.

You need a bit of intelligence, of the wolverine-on-PCP paranoid kind, in the chip on the ID-card, but since the current claim is that ID cards will cost twice as much as an iPod Shuffle, a few megabytes of flash memory and an ARM7 core could easily be put on the card, and a Bunnie Huang or Markus Kuhn would happily for a few hundred thousand dollars design you a security system that they couldn't break.

You could get the little boxes made by Inventec in Taiwan for about thirty pounds now.
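
The exchange described in the comment above, sketched as an added example that is not part of the original thread: the requestor issues a 16-digit challenge (ID number plus entropy), the card checks PIN and fingerprint, and the box displays a short number derived from the challenge. The shared per-card key, HMAC-SHA256 with decimal truncation, the 8+8 digit split, the retry limit and all class names are assumptions; the comment does not specify any of them.

```python
import hashlib
import hmac
import secrets

ID_DIGITS = 8    # assumed split: 8-digit ID number + 8 digits of entropy
CODE_DIGITS = 8  # assumed length of the number shown on the box's display

def _code(key: bytes, challenge: str) -> str:
    # HMAC-SHA256 over the challenge, truncated to decimal digits (HOTP-style).
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    off = mac[-1] & 0x0F
    value = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**CODE_DIGITS:0{CODE_DIGITS}d}"

class Card:
    """Constructed model of the card plus reader box; the key never leaves it."""
    def __init__(self, id_number: str, key: bytes, pin: str):
        self.id_number, self._key, self._pin = id_number, key, pin
        self._tries_left = 3  # assumed PIN retry limit

    def respond(self, pin: str, challenge: str, finger_ok: bool):
        if self._tries_left == 0:
            return None                      # card locked
        if not hmac.compare_digest(pin, self._pin):
            self._tries_left -= 1
            return None
        self._tries_left = 3
        # Refuse challenges naming another ID, and require the fingerprint match.
        if not finger_ok or challenge[:ID_DIGITS] != self.id_number:
            return None
        return _code(self._key, challenge)

class Requestor:
    """Remote party; holds a per-card key (symmetric scheme is an assumption)."""
    def __init__(self, keys: dict):
        self._keys, self._pending = keys, set()

    def challenge(self, id_number: str) -> str:
        c = id_number + f"{secrets.randbelow(10**8):08d}"
        self._pending.add(c)
        return c

    def verify(self, challenge: str, response: str) -> bool:
        if challenge not in self._pending:
            return False                     # unknown or already-used challenge
        self._pending.discard(challenge)     # one shot: a replay fails
        key = self._keys.get(challenge[:ID_DIGITS])
        return key is not None and hmac.compare_digest(_code(key, challenge), response)
```

Because each challenge is accepted once, a response overheard on the phone or typed into a fake site cannot be replayed against a later challenge.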

[personal profile] diffrentcolours 2007-11-21 10:21 pm (UTC)
OK, let's assume you can do that, that it's sufficiently reliable (very very low rate false negatives) and less importantly from the user's perspective, sufficiently secure (low rate false positives, protected from the various known forms of biometric forging). There are plenty of people who say this is impossible, but we'll accept it for now.

You're talking about 30 quid for every household computer in the country, plus those at libraries etc., to install these. It's a drop in the ocean compared to the National Identity Register (but the cost of setting up that scheme, dragging people in for interviews etc. still has to be met). Still, compared to the £450m cost of card fraud, it's quite a lot.

And it only protects against problems where people are misrepresenting their identity, rather than their circumstances. I don't have figures to hand, but that seems to be the minority (this is almost certainly covered in the DWP investigation into ID cards which the Government is currently being sued to publish).

(this all being said, I would really like to see some kind of centrally-designed, locally-managed PKI-infrastructure-type biometric ID, without some big database behind it)