WRITTEN ON May 5th, 2006 BY William Heath AND STORED IN Uncategorized

Away from the Punch & Judy sagas of the week, in a quiet corner of the Commons heard evidence about how well government listens to scientific evidence. Jerry Fishenden spoke about ID cards. As he says

the ID cards consultation to date has been focused more on the procurement process than the business requirements and technology issues. The Home Office team expressed a desire not to stifle innovation by getting into the specifics of potential architectures. But I think it would be really useful to see a UK government study into the risks, feasibility and comparative merits of centralised versus decentralised identity systems in terms of systems reliability theory, or modern computer security concepts (including the widespread contemporary experience of large scale data breaches, social engineering and phishing attacks).

- given the fastest growth in ID fraud is online (through for example phishing attacks), it was unclear how the ID card would work in online scenarios (would it default for example to just chip and PIN?). And given that the delivery of online public services is a key part of the Transformational Government agenda, this is clearly an area in which a well-designed ID card could yield major benefits and tie in well with other identity initiatives including across health, local and central government and the private sector

- some concerns arose from the limited number of publicly available scenarios of how the ID card could be used in practice. And of those available, there are potential issues with their descriptions of the card’s usage in practice. For example, the scenario here indicates that the ID card will disclose your date of birth to any third party that needs proof of age entitlement (eg to buy alcohol or to get an old age pensioner discount). However, I believe this is not good practice based on our experiences with ID fraud. All that needs to be revealed in such a situation is that the person is over 18 or over 60/65. Neither their date of birth or age needs to be revealed. In fact, handing over personal information such as date of birth to anyone who requests sight of an ID card could generate vulnerabilities elsewhere: for example, telephone banking uses date of birth as one of the ‘secrets’ to prove who you are when you phone up. We need to be very careful that the ID card does not add to any potential identity fraud issues when there is a great opportunity for it to help enhance our privacy, as Dave Birch indicated in his evidence.

Let’s hope the new Home Secretary listens to scientific evidence and is not prone to groupthink.