About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


Extracting the P

By Dave Birch posted Sep 18 2009 at 2:47 PM

[Dave Birch] Forum friend Toby Stevens of EPG started something of a discussion by putting forward a few conjectures about what might happen to the UK identity card and passport schemes, systems and structures come the expected opposition victory in the forthcoming general election. I don't want to say anything about the rights or wrongs of the current schemes, systems and structures but I want to comment on an observation about the current situation. There is no engineering, technical or security reason for the "I" and "P" to be together in the Identity & Passport Service (IPS). As far as I am concerned, the ID card and the Passport are conceptually distinct. The British government might in time issue ID numbers to everyone on the planet, all six or seven billion of them, because the purpose of the ID scheme is to record that you are known, uniquely, to the British government. That's all. It's a mistake to mix a jumble of biographical details, pointers to government records and other things into the same records. There may be some credentials attached to it that you may want to demonstrate to third parties (e.g., you have the right to work in the UK, you are over 18, you are registered in the government's new Independent Safeguarding Authority database -- the IS_NOT_PAEDOPHILE attribute) but these are not part of the database. On the other hand, a passport means that you are a British citizen and can travel overseas (and other countries might want to put visas in it, which is another distinguishing characteristic). There will be people who have ID cards but not passports and vice versa. But they both have to be unique. So what to do?

Here's a back of the envelope suggestion. Suppose there were a single biometric database that contains a unique identifying number (the meaningless but unique number, or MBUN). This biometric database contains a facial picture, iris scans and 10 fingerprints. Put aside how they get there for a moment, let's just pretend there's a biometric uniqueness machine (BUM) that can register these biometrics.

Now consider a person applying for a passport. They go to a Post Office claiming to be Dave Birch. They look into the biometric machine and the machine sends off the iris scans, picture and fingerprints to the biometric database. Either these match in the biometric database, in which case the database returns P(MBUN), the unique passport identifying number, or they are not matched in the database, in which case they are stored in the database and the database returns P(MBUN). Let's not delve into what P(x) is, it's just a one-way cryptographic mapping such that given x then P(x) is easy to compute, but given P(x) it's impossible to compute x. Now the passport database can have an entry created for P(x) and the face and fingerprints sent from the BUM to the passport database, and the passport processes continue, and the person provides supporting documentation to label P(x) as indexing Dave Birch.

Now suppose the same person decides they want an ID card so that they can log on to eBay securely. They go to the Post Office to apply for an ID card. They look into the BUM, and the biometric database finds a match for record x and returns I(x). Note that you cannot compute I(x) from P(x) or vice versa. If hackers, or the police, have P(x), they cannot find x no matter what. The police can submit crime scene fingerprints (for example) under warrant and ask the biometric database to return P(x) or I(x) -- if it finds a match -- but not x. Now the identity register can have an entry created for I(x) and the face sent from the BUM to the ID card database. A card pops out of the slot in the Post Office (and for reasons not relevant here, the card might well know x but never disclose it). Now you can prove it is your card, and the cleverest of hackers cannot pretend it is theirs.

We have a passport system, we have an identity register, and we have a biometric database that powers them solely by ensuring that the index numbers are unique.
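A sketch of the scheme above, added here as an illustration and not taken from the post: P and I are modelled as HMAC-SHA256 under two separate secret keys held only by the biometric database, and biometric matching is replaced by an exact digest match. All class and function names are hypothetical. It goes one step beyond the text by showing why the mapping needs a secret key: a bare hash over a number space of a few billion can simply be enumerated.

```python
import hashlib
import hmac
import secrets


class BiometricDatabase:
    """Toy model: holds x (the MBUN) and only ever releases P(x) or I(x)."""

    def __init__(self):
        # Assumption: one secret key per scheme, known only to this database.
        self._keys = {"P": secrets.token_bytes(32), "I": secrets.token_bytes(32)}
        self._mbun = {}  # template digest -> x

    def _find(self, template: bytes, enrol: bool):
        # Stand-in for fuzzy biometric matching: exact match on a digest.
        tag = hashlib.sha256(template).digest()
        if tag not in self._mbun and enrol:
            self._mbun[tag] = secrets.token_bytes(16)  # random, meaningless x
        return self._mbun.get(tag)

    def apply(self, scheme: str, template: bytes) -> str:
        """Post Office application: match or enrol, return P(x) or I(x)."""
        x = self._find(template, enrol=True)
        return hmac.new(self._keys[scheme], x, hashlib.sha256).hexdigest()

    def warrant_query(self, scheme: str, template: bytes):
        """Match only: returns the scheme index or None, never x, never enrols."""
        x = self._find(template, enrol=False)
        if x is None:
            return None
        return hmac.new(self._keys[scheme], x, hashlib.sha256).hexdigest()


def enumerate_unkeyed(target_hex: str, population: int):
    """Why the mapping must be keyed: a bare hash of a small sequential
    MBUN space can be walked until the target index is hit."""
    for n in range(population):
        if hashlib.sha256(str(n).encode()).hexdigest() == target_hex:
            return n
    return None


if __name__ == "__main__":
    db = BiometricDatabase()
    dave = b"constructed-template-dave"  # constructed sample input
    p, i = db.apply("P", dave), db.apply("I", dave)
    print("P(x) stable:", p == db.apply("P", dave), "| P(x) != I(x):", p != i)
    print("unenrolled match:", db.warrant_query("P", b"constructed-template-other"))
    weak = hashlib.sha256(b"4242").hexdigest()
    print("bare hash recovered x =", enumerate_unkeyed(weak, 10_000))
```

The passport and identity registers each see only their own index, so joining them requires the biometric database's keys; protecting and separating those two keys is where the unlinkability actually lives.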

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]




And there's a further problem with linking the I and P together. According to the IPS website there are currently three types of card: an identity card for British citizens (lilac and salmon in colour), an identification card for EU or EEA citizens living in the UK (turquoise and green) and the identity card for foreign nationals.

The UK Identity card "can be used for travel within the EU/EEA and Switzerland". However, in certain circumstances, e.g. football hooligans, travel is not permitted and their passport is revoked. Does this mean that these people will also have their identity card (and all the benefits it provides) revoked?

Or will they be issued with a UK identity card with "Not valid for travel" stamped all over it, allowing everyone who sees it to guess if the holder is a convicted football hooligan or has committed some other offence that prevents them from travelling?

The comments to this entry are closed.