[Dave Birch] According to a letter I saw a while ago in The Daily Telegraph, British supermarkets won't accept a British armed forces ID cards as a proof of age, but they will accept foreign ID cards that they cannot read. Or not. It depends what for.

The student's French ID card was not deemed to be sufficient proof of her age for the staff at Sainsbury's, even though the chain does accpet the card from foreign workers who wish to work in the UK.

[From Sainsbury's denies French student]

So you can use your foreign ID card to get a job at Sainsbury's but not to buy a bottle of champagne. Bizarre, but predictable: this is what happens when we jumble up credentials and identification, absent any well-formed rules for understanding or verifying them. It reminded me of the discussion from a few weeks back concerning the distinction between actual security and security theatre. Here's a simple example: you go to open bank account and the bank asks to see identity, so you show them a passport. If it is a British passport, they can phone a Home Office hotline to see if it is real, whether it has been reported stolen and so forth. If it is, say, a Bulgarian passport, they cannot possibly tell whether it is real or not, so they just photocopy it and file the copy away somewhere, just as the British Attorney General should have done with her maid's work permit (since it is an offence is to not to keep a copy of such documentation). Thus, if you are a criminal then you will always choose to use a Bulgarian passport. Honest citizens are inconvenienced, criminals aren't. This isn't so much security theatre as security pantomime, as the BBC have highlighted.

The banks are worried it is still too easy to use a counterfeit passport from abroad to open a bank account, or to get an overdraft or credit card.

[From BBC NEWS | Business | Fake passports prompt fraud fear]

Well, I suppose they could always not open the account unless they can understand and verify the identification documents. The fact is, it's really, really hard for anyone to understand foreign credentials of any kind. Remember the amusing story of the mystery Polish serial traffic offender being tracked by the Irish police?

It was discovered that the man every member of the Irish police's rank and file had been looking for - a Mr Prawo Jazdy - wasn't exactly the sort of prized villain whose apprehension leads to an officer winning an award... Prawo Jazdy is actually the Polish for driving licence and not the first and surname on the licence.

[From BBC NEWS | Northern Ireland | The mystery of Ireland's worst driver]

This does nicely illustrate a key advantage of digital identity over physical identity: this would never happen. If my reader can't understand your card, that's the end of the discussion. There's a nice binary outcome. Where the results depend on human interpretation of shades of grey, surely the system will always throw up crazy outcomes.

An innocent South Tyneside man was arrested because his MoT certificate was a paler shade of green. Michael Cook, from South Shields, had gone to the Driver and Vehicle Licensing Agency (DVLA) centre in Newcastle to renew his car tax. Staff thought his two-week-old MOT certificate was a forgery because it was a lighter shade than his previous one, and the police were called.

[From BBC NEWS | England | Tyne | Arrest over wrong colour MoT form]

Essential to a functional identity system, then, is a cheap and simple "box" for checking whether the card is valid. You put your French ID card, British Forces ID card or Tesco Clubcard into the box at the checkout and the light goes green or red. That's it.

Unfortunately, the proposed UK national identity scheme has no provision for rolling out terminals and, as far as I can see, no plans to do so. This might well make crime easier, since no one can tell whether a card they are presented with is real or not. In a way, you have to admit that this is actually sort of depressing. Even if you against the idea of a national ID card (which I'm not) then surely you'd still want it to be useful.

The Home Office advises calling the UK Border Agency Card Verification Helpline. So I did just that. It took 19 minutes for someone to answer the phone. Posing as a businessman, I said I had recently been shown a new ID card by a customer as proof of his identity and was uncertain whether I could rely on it. I was told to ask my customer for a 'second proof of identity'. In other words, even the official ID card helpline says it's best to rely on other forms of identity. In which case, why bother having the cards at all?

[From New ID cards are supposed to be 'unforgeable' - but it took our expert 12 minutes to clone one, and programme it with false data | Mail Online]

Quite. That's a good question, and not one to be dismissed. If there is no way to quickly and simply check whether a card is real, then it makes the situation worse, not better. The current situation is untenable. The Attorney General might be able to determine whether an employees card is real or not, but most people won't. And the checkout person at Sainsbury's, the nightclub bouncer and the job centre clerk are not going to spend 20 minutes on the phone.

According to Booth, employers have been told to flick the card and listen for a distinctive sound, if they doubt the card's authenticity.

[From First ID cards issued - ZDNet.co.uk]

As I pointed out a couple of years ago, one plausible means of obtaining the required reader density in an ID system designed for the 21st century might be to use mobile phones. If my mobile phone could read your ID card -- or, more to the point, ask your ID card to prove things about you (like that you are over 18) -- then there would be no need for me to buy an expensive reader at all.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]

government, health, privacy, security, smart cards

Comments

I think I disagree with the sense that a digital Id just plugs in and works. Either it works, or we stop the conversation!

One of the biggest problems with this sort of technology is that when it denies a conversation, this is also a training opportunity for the marketplace to bypass the tech. To address this, I generally suggest to simply radically, and that there be only one mode, and it be secure.

But this is just tech talk. Given the politics surrounding such a project as a British National ID card, I don't see it is likely to create anything but one that is simply superficial.

I think you're spot on that such a thing will more likely emerge in the market place. Now that there are phones coming out with open OS and application environments (Android) this clears the last barrier to "difficult" apps like money and ID. IMHO at least.

Posted by: Iang (response post over at CAcert.org) | 16/10/2009 at 04:09 PM