L'Ombre de l'Olivier

The Shadow of the Olive Tree

being the maunderings of an Englishman on the Côte d'Azur

17 August 2007 Blog Home : August 2007 : Permalink

ID Cards. Designed for Mission Creep

This post inspired in part by this CNN article.

Basic Requirements

Some basic rules:
  1. An ID card should be a token that is hard to fake, has a unique identifier that can be used to look up a record in a database and has some information (e.g. a picture) that lets those that need to check, verify that the holder is the person they should be.
  2. In order to make ID cards worth protecting they need to be used infrequently. Because the more they are used the easier it becomes for bad guys to subvert the system somewhere because there will be more readers and more groups permitted to access records etc.
  3. Also the more they are used the more casual we become about tolerating abuse of them because we all instinctively understand that having Big Brother tracking us is an invasion of privacy. More to the point governments have historically proven to be really really bad at protecting data (see here and here for examples) so the more records get tied to the ID card the more dangerous it is if there is a leak.

Nowhere does it say you need to have your name printed on the ID card. In fact as a security measure it may be advisable to omit the name because a simple verbal interrogation obtains that information from the genuine holder but not from someone who has nicked it. Nowhere does it say you should not have duplicates.

Nowhere does it say that ID cards should only link to one database. In fact there are benefits from having multiple databases that are not connected so that if hackers break into one they don't get all your data. Furthermore some details (your age for example, or blood type or serious medical conditions) are things that you may be happy to have anyone read. Others (name, address, driving license records) you may find acceptable for low level security/law enforcement personnel to read, and still others you may not want anyone to read unless its some sort of national emergency*

Nowhere does it say that we should not have a PIN or other password to go along with the ID card to permit access to certain records. And tying in with the multiple databases, nowhere does it say that we should have the same PIN for all government departments.

The people identified by the ID card must know when their ID card is being queried so that they can decide whether to permit it or not.

Put it together and you'd have an ID card system where people would show their ID card occasionally, where they would be validated by both a biomentric (picture) and a PIN (so they would KNOW they had shown their card), and where if the ID card were stolen it wouldn't do much good. Of course it is unclear what such a system would be good for which is why

Mission Creep Means Ignore the Above

Unfortunately all the above corrollories assume that the governments who are ramming ID cards down our throats (or up some other oriface if you prefer) are actually interested in creating a secure identity scheme. The first thing to note is that ID cards have been pushed as the solution to 1001 different problems from (illegal) immigration to terrorism to benefit fraud. And just as laws such as the American RICO statutes were intended merely to be used against organized (drug) criminals, it is sure that once an ID card is introduced to "solve" one problem it will then be extended to "solve" other ones.

Charlis Stross writiing in the comments here, makes the point that once you have invoked 'security' then there is almost ne way to reverse the mission creep:

Let's remember that the global security-industrial complex focussed on anti-terrorism turns over roughly US $90Bn per year, and it's grown to that scale in only six and a half years. This is effectively an industry that depends on a single class of customer -- governments -- and so it focusses its marketing tightly on persuading them to buy more produce. It is also an industry that depends on a negative. If no terrorist incidents occur, then it can point to the absence and claim a victory. If terrorist incidents do occur, then obviously the government didn't buy enough Security™ and needs to cough up more money. Value for money is thus not demonstrated by achieving anything measurable, but by conducting ostentatious displays of Security-Mindedness, as exemplified by all the uniformed flunkies making work for each other (and the flying public) at airports.

This is a pathological condition, because it has no well-defined exit state. For any conceivable movie-plot terrorist outrage, a business case can be made (and presented to terrified politicians) for conducting a security initiative to prevent it. Failure to cough up the money will be a career-limiting move if the threat actually materializes, while publicizing its existence without actually doing something to block it makes any such materialization more likely. Thus, failure to fund any random piece of nonsense dreamed up to deter a non-existent threat may turn it into a self-fulfilling prophecy. (Hence: terrified politicians.)

The problem is that ID cards don't do a good job of stopping terrorism. If you want to stop people hijacking (or blowing up) airliners then screening baggage and people is the way to go and that doesn't require an ID card. In fact all the ID card does is add a pointless hurdle in the process that occasionally catches out a member of the public who has forgotten or lost his 'picture ID'.

Also was noted after the 7/7 bombings in London, ID cards would have made no difference what so ever to the prevention of the attack. The peope concerned were British citizens living and workign quite legally but just building bombs to kill themselves on the side. When terrorists go to training camps in Pakistan/Afghanista etc. they have to show a passport. Except for the occasional embarrassing goof where political correctness means that a person weaing a burkha doesn't get properly checked, passports are checked on entry and exit, so an ID card is a pointless extra.

The only conceivable way that ID cards can catch terrorists is if we have to show them all the time and all these showings are tracked by some gienormous computer which can extract trends from it. There are however problems with this with the biggest being false positives. Say you have to show your ID every time you get on a train/bus, buy petrol etc. Chances are high that people will have odd journeys where they appear to check in but not out, where they are seen on the train from Bradford to Luton on Monday and Wednesday but no record of a return in between, where they buy petrol in Aberdeen and then in London a few hours later and so on. All of these will turn out to have innocent explanations (private jets, lifts in cars, the swipe machine not working) but trend analysis is going to point them out and someone will have to sift through the millions of these false positives to find the one possible real positive. And probably that real positive won't be a terrorist anyway it will be a drug-runner or other criminal. And the same goes for using ID cards to track financial payments, purchasing dangerous goods and anything else, travel is just a simple example.

The second problem is that the smart terrorists (and yes you can laugh at the way the doctors failed to blow themselves up recently but they were clearly intelligent) will figure out they need two or three IDs. They will be helped in obtaining these by the smart criminals, of which there will be many more, who also have a need for fake IDs to conduct their 'business'. The crooks will subvert the ID card system for their advantage but they'll not be averse to a nice little earner selling fake IDs to others who want them, whether they are husbands with mistresses they need to visit secretly or terrorists determined to blow us all up. And because most of us will know teenagers who want to buy booze, plumbers who want to dodge paying income tax, husbands with mistresses, wives who have secret abortions or people who have gay sex with prostitutes or other misdemenours that ID cards will make harder to hide we'll all ignore the one person who has got the fake ID card that we should have reported because we're going to assume that the bad guy was just one of the usual harmless suspects.

And of course the existence of crooks means that there wil have to be security measures to try and stop ID theft and the creation of false IDs. And we know these security measures are going to have holes in them. And we know that the bad guys are going to explit the holes while the good guys are going to end up trapped in the cogs of all the additional security chacks and verifications that have been added on top of each other in order to stop the bad guys. Which leads us to my Zombie story. And so on.

Charlie's comment omits the empire building desires of bureaucrats. ID cards are loved by bureaucrats both because they give them the illusion of control and because they allow them to build empires with large budgets. And this is why governments keep on buying stupid security systems (ID cards are just one). The bureaucrats love the concepts when the security salesman makes his pitch and the bureaucrat then makes the pitch to the politician. The politician has, at this point, also been lobbied (i.e. wined, dined and possibly blown) by the security company or trade association so he agrees. It isn't his money after all so what does he care about the cost, and for that matter, because he's a VIP he mostly doesn't get to experience the impact it has on regular lives.

[Aside: if you want government to fix airport screening queues simply mandate that all MPs and senior civil servants get to go in the 'special' queue where all searches are performed by a couple of arthritic midgets only, and where asking 'don't you know who I am?' leads to an immediate full body cavity search.]

So ID cards in summary: great for IT salesmen, great for empire building bureaucrats, not bad for politicians. Not actually any good at solving a problem. It is obvious why the world is investing heavily into such technology.

* Yes I know the definition of an emergency is in the eye of the petty tyrant who declares it, but in theory we trust the government not to abuse things.