WRITTEN ON May 22nd, 2006 BY William Heath AND STORED IN Uncategorized

Has IBM joined Microsoft, Sun and Qinetiq and “come out” against the UK ID card scheme?

IBM researcher Michael Osborne has, and is immediately added to our “Speak your mind roll of honour“. Thus he drags his normally taciturn employers IBM into the zone of the intellectually honest – those for whom obeying orders will not be an adequate excuse. Presumably that’s with IBM’s consent and blessing; if not I hope we get invited to his leaving do, because the good guys always throw the best parties. As Techworld.com put it

Osborne said…the big issue is that the UK government, plans to set up a central database containing volumes of data about its citizens…the central database will allow connections between different identity contexts – such as driver, taxpayer, or healthcare recipient – which compromises security. Centrally-stored biometric data would be attractive to hackers, he said, adding that such data could be made anonymous but that the UK Government’s plans do not include such an implementation.

Osborne added that biometric technology is still immature. “It’s not an exact science”, he said. In real world trials, some 10 per cent of people identified using iris recognition failed to enrol – which means the system didn’t recognise them. Even fingerprinting is no panacea, as four per cent failed to enrol. Scale that up to a whole population – the UK contains nearly 60 million people – and the problem of biometric identification becomes huge, he said.

Osborne also criticised the government for the potential cost of the system. He said that it will cost a lot more than anyone thinks, pointing out that a project of this size hasn’t been tried before, so the government’s projected costs are not necessarily accurate.

Finally, Osborne also used a dozen criteria, including whether or not such as system is mandatory or time-limited , to show that on all but two, the UK Government’s scheme fails – even before controversial civil liberties issues are considered.

And as for whether ID cards are the right tool to defeat terrorists in the first place, security expert Osborne said: “ID cards won’t solve the problem because terrorists don’t care about identification – and they’ll have valid IDs anyway.

What are the 12 Osborne criteria I wonder? Not clear from the Techworld article.

Kim’s comment:

My central ‘aha’ in studying the British government’s proposal was that the natural contextual specialization of everyday life is healthy and protective of the structure of our social systems, and this should be reflected in our technical systems. A technology proposal that aims to eliminate compartmentalization rejects one of the fundamental protective mechanisms society has evolved. The resulting central database, where everything is connected and visible to everything else, is as vulnerable as a steel ship with no compartments – one perforation, and the whole thing goes down.

The starting point for a security thinker is that there will be perforations. In low value systems, the breach will come from neglect. In a high value system, there will be conscious attacks mounted both from without and within, and one must assume that one of these will succeed.

Our art consists in reducing the frequency of such perforations, and – once a breach occurs – minimizing the damage that is done. The current British proposal masterfully maximizes such damage, like a fire extinguisher full of gasoline.

Thanks to Luke for pointing out Kim’s post about the Techworld article. RSS may be great but there’s nothing like a human network.