About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion



  • Add to
Technorati Favorites


  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

« No, wait, Titanic isn't the right metaphor | Main | Time for a National Privacy Card scheme »

Government interface

By Dave Birch posted Mar 24 2009 at 10:54 AM

[Dave Birch] Government identity is so important that the vigilance of the "issuers" must be unwavering. Thus, the rest of the identity management value network can function. It's so important that one might even go so far as to say that a key role of government should be to test it's own vigilance in an open and transparent way. In other words, shouldn't parts of the government be checking up on other parts of the government and telling us what happened. This would be a really interesting experiment to try here in the UK, now that the government has started issuing identity cards. It would be great to have some reassurance that the process is indeed protecting us from international terrorists, dole scroungers and health tourists. The National Audit Office (NAO) could try and obtain bogus identity documents from the Identity and Passport Service (IPS) and see what happens. Just like the recent experiment in the US.

To do so, GAO designed four test scenarios that simulated the actions of a malicious individual who had access to an American citizen’s personal identity information. GAO created counterfeit documents for four fictitious or deceased individuals using off-the-shelf, commercially available hardware, software, and materials. An undercover GAO investigator then applied for passports at three United States Postal Service (USPS) locations and a State-run passport office.

[From Security Document World]

And the results? Did the ever-vigilant staff, the best IT that money can buy and the process designed by top management consultants come together to defeat these almost trivial attempts to deceive?

In its four tests simulating this approach it was successful in obtaining a genuine U.S. passport in each case.

[From Security Document World]

Uh oh.

Perhaps biometrics might help. I was in Dubai a couple of weeks ago, and there's no messing about letting people get false passports there I'm sure...

About 54,000 people were arrested at Dubai International Airport last year after failing iris scan, a senior official from the Ministry of Interior said on Monday. Brigadier Bin Surour said border security is one of the biggest challenges all countries face in maintaining national security. "We will soon use an individual's DNA as a means to verify people's identity at borders," he said.

[From Gulfnews: Dubai's iris scan helps arrest 54,000 suspects last year]

As anyone familiar with the problem understands, the issues are orthogonal. Using bogus "feeder" documents to obtain a virtual identity (such as an entry in a passport database) is not affected in any way by the use of biometrics to match a physical person to that virtual identity. If anything, biometrics make for a bigger problem: once the bogus identity is in the system, then the use of biometrics means that the identity will never be questioned. Computer says yes, so to speak. If there is going to be a "gold standard" government identity, then anyone able to breach the security of the database on which it rests is then inside the wire and can do what they like, since from then on the biometrics will confirm whatever identity the miscreant has planted.

I quite like the idea of using DNA tests at the borders, though. Anything that works better than IRIS would be great (although to be fair when I came through T5 last week, I was standing in a long line for passport control and I saw three people using the IRIS line, and two of them got through, which is pretty good).

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]


TrackBack URL for this entry:

Listed below are links to weblogs that reference Government interface:


Oh Lord. Presumably the groupthinkers wont try it here because everyone in government will assume it's 100% safe. And if an external body tries to do the test (eg LSE, JRRT, No2ID) they'll be breaking endless incomprehensible laws and will be pursued by vengeful harpies.

Don't we have some sort of audit body that can do this? I'm sure I heard just a body moaning about the council dunces who invested in Icelandic banks not ten minutes ago on the Today programme.

The comments to this entry are closed.