27 November 2007

Of Lost IDs, ID Cards and Biometric IDiocy

One of the many outrageous aspects of the recent loss by HMRC of crucial data about half the UK population is how the UK government immediately tried to spin this as a reason why we needed ID cards. This follows in a long and dishonourable tradition in this country whereby every failure by the police to catch terrorists/criminals using their extensive powers of surveillance is turned into a justification for giving them even more such powers, when it ought to mean the opposite.

Fortunately a crushing refutation of the faulty logic behind the ID card argument has now been provided by some top academic security expects, who write:

biometric checks at the time of usage do not of themselves make any difference whatsoever to the possibility of the type of disaster that has just occurred at HMRC. This type of data leakage, which occurs regularly across Government, will continue to occur until there is a radical change in the culture both of system designer and system users. The safety, security and privacy of personal data has to become the primary requirement in the design, implementation, operation and auditing of systems of this kind.

The inclusion of biometric data in one's NIR record would make such a record even more valuable to fraudsters and thieves as it would - if leaked or stolen - provide the 'key' to all uses of that individual's biometrics (e.g. accessing personal or business information on a laptop, biometric access to bank accounts, etc.) for the rest of his or her life. Once lost, it would be impossible to issue a person with new fingerprints. One cannot change one's fingers as one can a bank account.

(Via The Reg.)

No comments: