Following the government's acceptance on Monday of the Lords' opposition to plans to make ID cards compulsory, we are a step closer to ID cards incorporating biometrics. These are designed to prevent forgery, but British ID specialist TSSI casts doubt on this today.
“The main concern with ID cards is forgery. The government has chosen biometrics to prevent this, but this needs careful implementation. Biometrics alone will not prevent forgery, and with it, fraud,” said Stewart Hefferman, COO, TSSI Systems Ltd.
“Despite strong encryption, the Dutch biometric passports have already been hacked. What if someone hacks the UK system and uses this to forge cards? Obviously this would make a mockery of the whole ID card system. The government needs to tread carefully with the implementation of these cards, or the seeds of disaster will be there from the making.”
There is a simple solution to this particular problem: a belt and braces approach. Storing the data as an algorithmic encryption will make it impossible for even the most sophisticated fraudster to read or substitute.
“A second major concern is – why on earth does individual information need to be stored on both card and central database?”
“We do not understand why they need to do this – unless they are planning to extend the usage of the cards in future, which is a major concern for the civil liberty groups. Other countries such as France and Italy have stipulated that biometric information is stored only on the cards themselves – thus still within the possession of the individual. So why has the UK decided to include a central database as well?
“We can understand that from a security point of view, central storage makes the most sense in an online world. But if you're also storing this on the cards themselves, that invalidates the security argument. Obviously this also raises questions about the government's long-term intentions for libertarians to tackle.
“We strongly advise that the back-end system enables an audit trail of those personnel who have accessed individual records on the back-end systems. This is crucial to enable the government to identify if individual details were breached and thus make it easy to identify fraudsters and trace them.”
“In addition, although the algorithmic approach would not address their primary concern: that the government has this information at all – it would at least prevent its access by non-authorised personnel, and even those authorised would only be able to view binary code, and not the finger, iris and facial data itself.
“The final concern of course is – will the project work? The LSE has raised concerns about this and the government does not have a strong track record here. Will we see the likes of Microsoft or EDS rolling out a proprietary system that will leave the government no avenue for escape? We would strongly advise the use of interoperable biometric standards.”