About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion



  • Add to
Technorati Favorites


  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

« Personal development | Main | Mobile eye-D »

The numbers game

By Dave Birch posted Nov 6 2008 at 10:15 PM

[Dave Birch] I was privileged to be invited along to the Home Secretary's talk on the roll-out of ID cards (not, sadly, because she reads this blog but because I'm a member of the IPS advisory forum). It was basically an update on the development plan outlined earlier in the year, explaining where the procurement is and what happens next. I imagine the focus of the media coverage will be the announcement that the original plan for all airport "airside" workers to get ID cards in the near future has been revised to an experimental 18-month trial of ID cards at two airports (London City and Manchester) and the confirmation that cards for foreign nationals will start on 25th of this month.

She also talked a little about a potential competitive market for enrollment services, which I think is management consulting fantasy (there's no reason to do anything other than enroll at certain post offices, which would provide a convenient income -- Jacqui estimated £200m per annum -- for a network threatened with politically unpopular closures and go with the grain of public expectation), and mentioned that a trial enrollment of 15,000 people had successfully detected duplicates and had no failed enrollments at all.

There was one element of the revised roll-out plan that I want to focus attention on though. it's a small thing, but I think important. Jacqui announced that the National Identity Registration Number (the NIRN) will no longer appear on the card. This is something that a great many people (including me) had asked for some years ago at the earliest phase of the consultation process (in fact it predates the scheme, since we made the same comment concerning the originally-proposed Entitlement Card). Why is this such a big deal? Well, the problem is that if the NIRN were on the card, then organisations would be tempted to use it as an identification number and it would start cropping up in databases, making cross-referencing, abuse and identity theft worse but virtue of its presence. Hence the objections. It may not be a particularly noticeable change to the public or politicians. But it is, to my mind, a very encouraging sign that the government is prepared to listen and act on informed criticism.

How does an identity scheme make life easy if it doesn't have an identity number? After all, if you are the local council and you are trying to stop housing benefit fraud, knowing that I am definitely called "Dave Birch" doesn't really help, since you want to distinguish me from any other Dave Birch. You will still want to have some number to identify me by, and it would clearly be a convenience if my ID card could give it to you. The long-term solution is not to have no identifying numbers, but to have cryptographically-produced sector-, organisation- or application-specific numbers that are the result of "one-way" mathematical functions. In others words, your Health Number, your Barclays Bank Identifier and your World of Warcraft Login might all depend on the NIRN, but you cannot determine either the NIRN or other numbers from any of them. This stops unscrupulous journalists, misguided public servants or identity thieves from trawling databases looking for your ID number: if an identity thief gets hold of my local authority number, it doesn't tell him my financial services number. Likewise, if the police have my law enforcement number, that doesn't give them my health number. If they want to trawl health databases looking for me, then they'll have to get a warrant to search for me by name or obtain my health number from some authorised source.

This "sector-specific number" (SSN) approach -- already adopted in other European countries -- may seem less efficient than simply giving everyone a number and using that number in all circumstances, but I think it is a relatively simple way to increase the net privacy and security of the system simultaneously for relatively little expense.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto


TrackBack URL for this entry:

Listed below are links to weblogs that reference The numbers game:


The comments to this entry are closed.