27 October 2005

ID card debate: Summary so far.

There has been a lot of points made by Martin at NO2ID, Spyblog, Chris Lightfoot, Pedant-General and others, in the comments, here and here. I will refute a sample of these points. But the general refutation is that the govt will obviously only support a scheme that works. The govt would be utterly stupid to foist an over budget, technically flawed system that is open to abuse, on the public just before an election in 2009. It just won't happen.

The current govt proposals are not set in stone, whether there is a scaling back of the biometrics or an advance in technology, by the time the scheme is voluntarily rolled out in 2008, it will work or the voters will hit Labour hard. The govt know this, they are not stupid.

First, a list of points in favour of ID cards..

1. ID cards are good in principle. NO2ID have no objections in principle to a ID card scheme, indeed they admit there are potential benefits to an ID scheme. Maybe they should change their name to 'NO to the govt's current proposals for ID' to reflect their position more accurately.

2. ID cards work in practise. Sweden has a compulsory NIR which brings many benefits. NO2ID oppose a compulsory NIR but cannot answer the question; if it works in Sweden, why not here?

3. All opinion polls that ask the neutral question; 'Do you want ID cards or not?', have more in favour than against. Of course if you feed them negative statements about the cost and technology and tell them none of the benefits, you will lower the number in favour, but that hardly makes it an unbiased survey, does it?

4. ID cards will not become compulsory until 2013. Before this date the system will have been running for 5 years, any problems will be ironed out. There will also be a general election before this date, so the public will have plenty of time to voice their objections if they are not happy.

5. In 2003, 101,000 people had their identity stolen in the UK, this has risen from just 20,000 in 1999, a 500% increase over 4 years. It is one of the fastest growing crimes. It is undeniable (even opponents agree) that ID cards and a NIR will make it much more difficult to have a false identity.

6. Even opponents of ID cards admit identity fraud cost (latest figure 2002) at least £150 million a year (they also admit this is likely to be an underestimate). The annual running costs of ID cards will be £85 million. So this alone, means ID cards pay for themselves, without all the other benefits in streamlining efficiency, controlling immigration, stopping electoral fraud, proof of age and general convenience. When we consider how fast identity crime is growing, it becomes apparent how important ID cards will be. At the present rate of growth, 1.1 million people in the UK could be affected by identity theft by 2008 when ID cards will be introduced.

7. Biometrics can be encrypted or distorted in such a way that they are almost totally secure and also changeable in the unlikely event of theft by hackers. As this article on 'bio payment' in the US explains;

"Representatives from Pay By Touch and BioPay said when it comes to security, users of biometric payment services can relax because both companies don't store pictures of fingerprints. Instead, tiny measurements unique to each finger are recorded as an algorithm. If a hacker breaks into the system, all he or she would find is a number rather than a usable image of a fingerprint, they said."

Now for some answers to specific points raised

1. Martin, asks about the safety of battered wives, spies, police officers etc. Wouldn't the system be open because all over the country, there are hundreds of thousands of people who can use a photograph to garner iris, face biometrics and gain access to the name and address?

See point 7 above, their biometrics characteristics can be changed so they are untraceable. Also anybody who abused the database machines and gave out any information would be easily caught and prosecuted unless they could hack the NIR from within.

2. Private companies hold a lot of our personal information, but it is with our consent and regulated by the data protection act.

Yes technically, but how much choice do we really have over having a bank account, ISP, mobile phone, credit/debit card etc? Everyone has one or more of these and these companies hold very personal information about us, that is totally open to hackers and relies on the integrity of staff not to abuse it. These are private companies that are only interested in making money out of us, yet we generally trust them. Personally I would trust the govt even more than say, Tesco.

3. I don't see how anybody's civil liberties are affected by false identities.

This is where we totally disagree. 101,000 people in 2003 had their personal information stolen. This would mean contacting police and being under suspicion of fraud and having to argue your innocence with banks, government agencies, loan companies etc. to ensure recompense for stolen money and have records corrected.

I know two people who have been victims, one had £600 stolen from his Barclays account, it took 3 months and much haggling to be re-paid. The other had her medical records changed, because a heroin addict had used her identity to gain extra methodone. This nearly lost her a job she was applying for, she only noticed something was wrong because on a visit to the doctor she just happened to notice on the card the receptionist handed her to give to the doctor, that she apparently had had a child (which was news to her). She later found out the same woman had been signing on in her name and had opened store cards in her name, luckily this was over 100 miles away, so it was easier to prove her innocence but it was very worrying. It took over a year to correct the records and it is still not totally expunged from her credit history. So I think this is a threat to people's civil liberties which ID cards would help stop.

4. You don't say how ID cards would help with so-called "identity fraud". I can't see how a biometric ID card would help with, say, Cardholder Not Present fraud.

The example 3 above provides perfect examples of how ID cards would help stop fraud. My friends had had falsified cards in their names that were used in shops. If the thief had had to produce biometric details at the same time, it would make it impossible for them to do. Ok they could still use the cards over the internet or phone, but this would make it a little more complicated for them and more likely to be caught by having to come up with an address where they could collect the goods.

5. A proportion, which the Government refuses to disclose, of seventy percent of the cost of the ID cards scheme, is money we'd have to spend anyway. The govt refuse to give a breakdown of individual costs.

You rightly point this out and I agree that it may not be the case that 70% of the cost of introducing ID cards is taken up by the cost of the new biometrics in passports, but it will still be a significant amount of the £5.8 billion cost that we will have to spend anyway to comply with the new EU and US regulations. The govt have refused to immediately release this information on the grounds that negotiations are still in progress and it would be commercially sensitive at the present time.

6. As to Germany and Sweden, I don't know what counts as liberal for you if you believe they're liberal countries in some sense.

I really don't understand this comment. Liberal for me, are countries that have a constitution that protects citizen's rights including protecting local democracy. Both are protected in Sweden and Germany and both have local govt that is extremely healthy. Compare that to how our rights and local accountability have been taken away in this country.

7. You're holding up Sweden as an example of a country we should imitate, which I would decry. Sweden was one of the very last countries to abolish compulsory eugenic sterilisation.

To cite Sweden's eugenics scandal as a reason against ID cards is ridiculous. This has nothing to do with ID cards and you know that.

You could find an example of wrong doing in any country. What relevance has that to the ID card debate? The point is ID cards work very well in Sweden, and you have not provided any answer to why that couldn't be the case here.

8. The scheme will not be voluntary for passport applicants. Please read the legislation before making false claims to the effect that the scheme will be voluntary.

Nobody has to have a passport, so it is a voluntary scheme. I know this is a bit of a cop out, but it is the same argument you use when you suggest it is voluntary to have credit cards or debit cards, bank accounts, use supermarket loyalty cards, the internet, the library etc. etc.

9. I'm pretty sure the pre-war Dutch government were a liberal bunch and would never have dreamt of using their system for such evil purposes, but the fact is that it could be and was used by people less liberal than the scheme's architects, when the Nazis used it in 1940.

If you are going to assume a Nazi invasion in the future, maybe we should get rid of all our govt's records about us, just in case. Its a bit of an exceptional thing to do. Lets make everyone's lives worse for an indefinite period just in case the worst case scenario ever happens. We wouldn't do anything if we thought like this. I just don't accept your accusation that this govt is fascist, you are being ridiculous. I don't actually think you believe it either, if the truth be known.

10. You keep arguing that (roughly) the NIR won't make problems of privacy, data-sharing and identity fraud any worse than they are now, because private companies already hold lots of data on us, and this is no more "voluntary" than the government's ID card proposals would be...but as a piece of evidence it argues for strengthening data-protection legislation, not weakening it as the Identity Cards Bill would.

I agree. But that is not an argument against ID cards. I think people are right to take the govt to task over their proposals. They should get them to make improvements, which I think they inevitably will have to make. But I think it is wrong to try and bring the whole ID card system down with it, because this system will bring us many benefits.

11. The private databases are much less intrusive than the NIR would be: for instance, your credit reference file doesn't record when you go to the doctor, as the NIR would.

The NIR would be much more secure than private databases and it doesn't have to record medical information. There are ways around this. I'm sure the govt has stated that medical records would be separate. I would be in favour of no linkage on these aspects, but even if there were, I think the dangers of hacking are wildly exagerated.

44 comments:

  1. One point, Neil, on the battered wives scenario. Of course I have other points, but this one deserves it own post.

    You have misunderstood or ignored the point I made earlier about hashing of biometrics, or "distorting" as you put it. Look around for "DVD" in my comments and you'll find it. You also seem to have misunderstood the article you linked to about biometric payment systems.

    Distorting biometrics stops people from impersonating others by taking information off the NIR (or the cards) to produce imitation iris contact lenses, imitation fingerprints or imitation ID cards. It does not impede searching for the Register record associated with a particular biometric.

    What this "distorting" does is generate a "hash", which is a piece of information from which the original biometric information cannot be mathemetically derived (it would take billions of years of guessing to produce a biometric which generated the same hash value). You store this hash instead of the real biometric. Whenever a biometric check needs to be done, you make a new biometric measurement, and apply the same hashing formula, and you compare the result with the hash you stored earlier. If they are identical, then the biometrics they were based on must be identical as well, and we have a match.

    In the battered wives / IRA informers case, when the subject is registered onto the system, an image is taken of the iris, and hashed, and the hash is registered on the DB and/or the card. Future biometric checks will involve an image being taken and hashed and the hash compared with the registered one. A future biometric search will involve taking an image (either from the real face or a photograph), hashing it, and looking for the hash in the database.

    The hashing really does not make the difference you are claiming it does. What it does is stop people with access to the biometric-derived info on someone's card or their register entry from impersonating them, not stop people with access to the register from finding out who they are.

    ReplyDelete
  2. Neil,from your recent summary"

    "4. You don't say how ID cards would help with so-called "identity fraud". I can't see how a biometric ID card would help with, say, Cardholder Not Present fraud.
    The example 3 above provides perfect examples of how ID cards would help stop fraud. My friends had had falsified cards in their names that were used in shops. If the thief had had to produce biometric details at the same time, it would make it impossible for them to do. Ok they could still use the cards over the internet or phone..."

    So,in fact ID cards won't do anything to address "cardholder not present" fraud. Which do you think is the bigger growth area - use in shops or cardholder not present?

    In any case, if credit card companies have a problem with fraud, why should I pay for ID cards?
    Shouldn't the private sector address its own issues? I thought that was called running a business.

    ReplyDelete
  3. Neil: You keep asserting that the ID card scheme will 'bring many benefits' without specifying in any further detail what they are. Would you care to elaborate on this point with a few specific examples?

    ReplyDelete
  4. Anon, you pay for it through higher prices. So its best we have a system that can reduce it drastically. Like I said not-present fraud is more difficult to do anyway. Crims prefer the real thing, no messing around with false addresses risking being caught.

    Martin, How does the biopay system work then? They say they have no records of fingerprints. Why can't the NIR just store the hash like this system does?

    ReplyDelete
  5. "it will work or the voters will hit Labour hard" At the risk of sparking a great long debate about the slim manadate for ID cards in the first place, this presupposes a single-issue election. If it were true, governments should have fallen over the CSA, the DVLA, the Passport service and various other fiascos with "IT" and "Government" in them. Incidentally - I'm long term supporter and Labour Party member who will be giving up my membership later this week bescause of this awful scheme.

    ReplyDelete
  6. Andrew, I mention that ID fraud at a conservative estimate (that NO2ID accepts) is £150 million per year, the cost of the ID system is £85 million per year. Theres £65 million of benefits straight away. Then there is all the time and worry that thousands of people will save with ID cards protecting their ID. Then there are the efficiency savings for the public, employers, retail and government in an easy method of identifying someone. It will make censuses easier and more accurate. We will have a much better idea how many illegal immigrants are in the country and a much better chance of tracking them. We will have much more effective border controls. etc. etc.

    ReplyDelete
  7. Neil, of course the NIR can have the hash instead of the original biometric. (As can the cards: you can forward-cache the information on the cards and this can be used where less confidence is necessary, just like we allow some people to use their debit cards even when the phoneline to the bank is down).

    But whether the biometric is stored in plaintext or hashed, that doesn't stop someone with the plaintext (derived from a photograph) from searching for the record. If the record only contains the hashed value, the person with the plaintext generates the hash first and searches for that instead. That's what the system in the US article is doing.

    ReplyDelete
  8. Obviously, the "that's what the US system is doing" line should have gone after the first paragraph, not the second.

    ReplyDelete
  9. Neil,

    are you claiming that ID cards would reduce "identity fraud" to zero from 150 million? Even once you accept that cardholder not present fraud will not be decreased (and take into account any increase incurred as a result of making other types of fraud harder), where's the evidence showing that CNP fraud is currently costing zero million pounds, and that all other forms of ID fraud can be solved completely by ID cards?

    You don't make any discount whatsoever when you deduct the cost of the scheme from the cost of ID fraud, to account for such proportion of ID fraud as won't be stopped by the scheme. Why on earth not?

    ReplyDelete
  10. Right, so people might have a fingerprint somehow or a facial biometric off a photograph, but how would they get an iris reading? Surely you can't get an iris reading off a photo?

    ReplyDelete
  11. Like I say £150 million is a very conservative figure, it is likely much higher than this. This is using figures provided by spyblog who oppose ID cards.

    £65 million seems a reasonable guestimate. That is all we can do in these circumstances. It is very likely there would be significant savings. This is just one benefit, there are all the other benefits as well.

    ReplyDelete
  12. "Crims prefer the real thing, no messing around with false addresses risking being caught"

    And you know this - how?

    ReplyDelete
  13. "ID cards are good in principle" Er...no. Things like ID cards need to have a point - some logical justification. There aren't any. They will not bring any of the benefits being touted.

    ReplyDelete
  14. Neil: Nice try, but even if the scheme makes savings of 65mn a year by totally obliterating identity fraud (which it won't), and assuming that the government's estimate for the start-up costs of 6bn are correct (which they aren't), it would take over 900 years to recover the costs of the scheme. After all that time, I'd guess we'll have bigger fish to fry.

    Then there is all the time and worry that thousands of people will save with ID cards protecting their ID.

    ID cards will not protect people's identity. If anything, people's identities will become less secure because all of this data will be both widely accessible, and centrally stored. A honeypot for high-tech thieves. The ID card scheme is transferring the responsibility for safeguarding a person's identity from the person themselves to the government. And I thought you were in favour of localisation?

    Then there are the efficiency savings for the public, employers, retail and government in an easy method of identifying someone.

    which can already be adequately accomplished using a passport, utility bill, driving license, or other personal document. Or are you suggesting that ID cards should be compulsory to carry? You're still very vague about these 'efficiency savings'. I thought that the public sector couldn't sustain any? Wasn't that what your election campaign was based around?

    Censuses, I'll grant you. Except that there will be problems when people don't update their details in a timely manner, or when refuseniks or illegals don't register at all. Problems we have now, in fact. And it seems an expensive way to catalogue the citizenry once every ten years...

    We will have a much better idea how many illegal immigrants are in the country and a much better chance of tracking them.

    How? By their very definition, these people won't be carrying or registering for ID cards. Do you think that having an ID card should be a pre-requisite for getting employment? Do you think that every employer in the country is scrupulous enough to uphold and enforce this?

    We will have much more effective border controls.

    Again, how? Foreign visitors won't be obliged to hold UK ID cards.

    So far, no benefits, or at least, none worth the cost of implementation. Want to try again?

    ReplyDelete
  15. Neil, please don't tell me you've come all this way on the assumption that you can't get an iris scan off a photo. They're both just what happens when you bounce light off someone's eye and record the patterns permanently.

    An iris scan is very much like a photo, when you think about it.

    here go you; this is from the main man behind iris biometrics, who gave the world the technology to do this stuff cheaply.

    ReplyDelete
  16. Oh, on Martin's comment that:

    "Distorting biometrics stops people from impersonating others by taking information off the NIR (or the cards) to produce imitation iris contact lenses, imitation fingerprints or imitation ID cards."

    The Home Office are making a big thing of the compatibility between ID cards and new biometric passports. There are two parts to this claim: the first is to conflate the costs of establishing the Register with the costs of issuing the passports (thereby increasing the cost of a passport by about £30 more than necessary, not to mention the cost to general taxation).

    The second is the implication that ID cards will be functionally compatible with ICAO biometric passports, so that they may be used as travel documents.

    As you will be aware, the biometric passports standard does not specify any hashed biometric formats, because no such formats have been standardised. Instead it will store an image of your face, an image of your irises, and an image of your fingerprints -- exactly the information that a crook would need to produce a forgery of your biometric details.

    Therefore, the claims made by the Government about compatibility between the cards and ICAO biometric passports are incompatible with any claim about using hashed / distorted / noninvertible biometrics on the cards.

    (This doesn't alter any aspect of the problem Martin is discussing, of course, since that depends only on being able to look up data in the NIR by biometric, not invertibility of that biometric; and the Home Office are very keen on lookup by biometric. While one can imagine a system which uses encrypted biometric data in such a way as to prohibit lookup or prohibit lookup without user consent, the Home Office would reject such a scheme, as they did with the LSE "alternative blueprint" which had similar properties.)

    Elsewhere you have written,

    "The govt would be utterly stupid to foist an over budget, technically flawed system that is open to abuse, on the public just before an election in 2009. It just won't happen."

    This is argument from authority; paraphrasing, your argument is, "the government are not stupid, and therefore they wouldn't do anything expensive stupid, because it would annoy people".

    Perhaps you have not heard of the Millenium Dome, the war against Iraq, etc. etc.?

    "The NIR would be much more secure than private databases...."

    Perhaps it would be as secure as the DVLA database? Or as secure as the Police National Computer? Or maybe as secure as a Ministry of Defence laptop?

    Now, in fairness, the security of a lot of databases in the private sector is laughable too. But even if the security of the NIR -- which, remember, is going to have to be accessible to hundreds of thousands of people from tens of thousands of locations, both within and without the public sector -- comes up to the same level as other smaller government databases, it still won't be good enough.

    If you're going to honestly advocate the government obtaining and storing all this information for its own use, you must admit that the information will also be available to others who are unauthorised. Now, you can argue that that doesn't matter much, and that whatever benefits you claim the scheme will have will outweigh the identity fraud, invasion of privacy and other problems it will cause. But you can't just wave your hands and say, "It'll be secure [unlike any other comparable large government or private-sector database]".

    ReplyDelete
  17. On civil Liberties - Freedom not to have my most personal details recorded on a Governemtn database is NOT the same as me asking for a licence to commit fraud and pretend to be someone else. I knwo who I am and I'l happily tell anyone who I THINK needs to know. This scheme changes that into "you're a liar and a cheat if you don't get one" and I object to that profoundly.

    ReplyDelete
  18. Agreed.

    Why are we arguing with this moron? It doesn't do any good: ID Cards are a dogma for him, and the Labour government are his Gods.

    DK

    ReplyDelete
  19. There's no need to be offensive. Moreover, whatever the matter of principle, there are tactical reasons not to be: such behaviour serves as an excuse for the pro-ID side to shut down debate.

    ReplyDelete
  20. Neil, I am puzzled - if as you claim, there is such widespread support for the Government's ID Card database plans, where are all your New Labour friends and supporters leaping to the defence of the Identity Cards Bill scheme ?

    The sad thing is, that by actually having read and written as little about ID Cards as you have, you are now, by the standards of New Labour politicians, an "expert" .

    You are still harbouring some misconceptions:

    Biometric hashes are not as secure as you appear to think. There has already been academic research demonstrating
    how fingerprint hashes can be reveresed back, not to the original fingerprint image, but to a synthetic image which is sufficiently similar to the original to be within the tolerance limits which would allow them to be used to fool the system.

    Why is it that the Government's own Biometric Security experts from GCHQ and the CESG etc. have consistently refused to certify any biometric technology as being sufficiently robust or secure enough for use by Government Departments, i.e. on a much smaller scale than the National Identity Register ?

    By the way, your suggestion that the tolerance settings on a biometric system can be changed for individual , is of course true, and this is done in several commercial systems for small scale use such as door entry systems.

    However to permit this to happen for a national scheme would be tantamount to institutionalised racial discrimination , which is both morally wrong and illegal.

    The mechanism for allowing such settings to be altered on a biometric scanner, would also potentially allow the thresholds to be set so low, that any biometrics presented would be acceptable, thereby effectively nullifying this form of "security".

    You still have not addressed the "35%" or "over one third" of terrorists/criminals etc. use false British identities nonsense.

    Others have already pointed out your selective misreading of the debunking of the Labour politicians' often repeated lies about "£1.3 billion of identity theft" a year.

    There is no way that the extra security of biometrics can be taken advantage of in online web or phone transactions , since there is no way to
    authenticate that your Windows internet connected PC and USB biometric scanner has not been compromised by a computer virus or trojan horse software, or by other man-in-the-middle replay attacks.
    This affects both credit card Customer Not Present fraud, and , increasingly access to e-Government services.

    You are still confusing Sweden's "birth to death" population register with their ID Card scheme. They are not the same, and certainly not the same as what the Identity Cards Bill is proposing.

    It is not necessary to have the bloated Identity Cards Bill scheme in order to have more efficient "joined up e-government", as Gordon Brown's Treasury acknowledges with its "Plan B" Citizien Information Project
    which may eventually get around to biting the bullet and standardising things like the myriad of different Name and Address field formats used by different Government computer systems which have been implented in isolation over the years, and sorting out the scandal of the National Insurance Number (there are about 85 million "legal" NINOs on the system for a working population of less than 40 million people in the UK).

    ReplyDelete
  21. 11. The private databases are much less intrusive than the NIR would be: for instance, your credit reference file doesn't record when you go to the doctor, as the NIR would.

    The NIR would be much more secure than private databases and it doesn't have to record medical information

    You missed the point, Neil. The point was that the NIR audit will record each time your identity is verified. If you wish to prevent health tourism, you will have to present (and have verified) your card at each visit to a medic. The audit records that your ID was verified by the NHS - hence a trail of your visits to a medic (although with no medical data). I don't see why the government needs to hlod a central audit of my every visit to the docs. - can you please say why that is?

    ReplyDelete
  22. There's another reason beyond technical and financial matters. Some of us simply don't want government invading our life at every level and then selling access to that data to "trustworthy" organisations in both public and private sectors.

    I'm afraid the potential for abuse, leaks and other information disasters seems to be beyond Neil's comprehension. Two words, Neil; Pandora's Box.

    ReplyDelete
  23. Oh dear, it looks like the Party has told Neil to stop responding. Well, it was a good debate while it lasted.

    ReplyDelete
  24. Sorry for the delay. Ive been having problems with the server, it has meant a few comments I've tried to post have disappeared. Hope this hasn't affected anyone else?

    Anon, I can assure you I've not had anyone from the party telling me not to respond.

    I am a member of the party, but I argue for what I believe, whether its Labour policy or not. I have criticised govt policy on here a few times and I advocate policies that are not Labour policy many times. Labour are the closest to my views, doesn't mean I agree with everything they do.

    Just check this is posted then I'll answer questions one by one.

    ReplyDelete
  25. "I don't see why the government needs to hold a central audit of my every visit to the docs. - can you please say why that is?"

    A lot is made of the govt having access to all this information about us. I don't think we should flatter ourselves.

    There will be millions and millions of records pouring in every day on all sort of things, do you seriously think the govt or anyone else is going to be that interested to trawl through these records.

    ISPs have got millions of records of people looking at porn and other sensitive stuff, and only when it is really dodgy stuff would the authorities be notified, otherwise it is turned a blind eye to.

    Nobody is bothered, and people trust these private companies with all this personal information. There are all sorts of personal information that are readily available today without ID cards. Nobody gives a toss.

    We all trust doctors, clinic staff and pharmacy staff, (some of whom are on very low wages) with the most detailed personal information and it is extremely rarely divulged. It would be no more risky trusting govt staff with NIR information, probably in fact much less risky.

    ReplyDelete
  26. Neil,

    When authorities gain extra powers they tend to use them whether they need to or not. I'm on holiday in Australia at the moment and there was a report on the telly about pepper spray. The police were issued with the stuff a while ago to help subdue people that were being aggressive during arrest. It appears that it is now becoming almost a routine procedure for anyone that questions why they are being pulled.

    Another thing, I'd suggest you do some research on the phrase "fishing expeditions" with respect to data searches.

    Sorry, but you are being incredibly naive about the use and abuse of power.

    ReplyDelete
  27. But the information is already out there. ID cards won't make it any worse but they will make it more difficult to have your identity stolen.

    If by some reason, I got hold of your phone number. With a little search on the internet, I could soon get your name and address and all of your previous addresses. A little look in your bin, I could get statements, utility bills etc, take out a few loans, credit cards, bank accounts, claim benefits etc.

    I could find a lowly paid someone who works at the clinic, bribe them to get your medical records, get some methodone prescribed.

    ID cards will not make this any easier, but it will make it more difficult, because I will have to present an ID card and better still some biometrics that I can't fake. I wouldn't be able to put my finger on a scanner and give your fingerprint or fake my iris or facial measurements. Bingo, end of false identities.

    ReplyDelete
  28. And how, exactly, will it make it harder to steal my identity? The only way it will protect my identity is during transactions that require it and plenty won't. The latter will still be as vulnerable as they are now.

    There is no doubt much data about me and every facet of my life stored in many places. Any data thief that wants a full picture of me will have to steal it all from multiple locations. Once it's all stored in a central government location it will all be available to the first person that manages to break in. You think that this doesn't happen? Do some more research.

    Even if it manages to stay safe from crooks, what guarantee is there that it won't get passed on to "friendly" governments in other countries under the pretext of helping out in the war on terror? None whatsoever.

    By the way, you won't find any information in my dustbin as all my paper data gets either filed or securely shredded. My digital data is kept encrypted in case my computers get stolen. It's also backed up daily. Yes, I have a clue about data privacy and security and a large one at that as it is how I make my living. I suggest you get a similar clue too before spouting off any more about this subject.

    ReplyDelete
  29. Anon, I'm sure you write off to Experian and Equifax every six months with your £2 cheques as well.

    Like I've said before, cardholder-not-present fraud is easier to catch because crims need to arrange a collect address, which makes their activity more traceable.

    When ID cards are introduced it can be tightened further. It is obviously easier to be able to use cards in person, ID cards will make this extremely difficult, if not impossible.

    ID cards will make it far harder to have a false identity. Do you deny this?

    "The UK has the worst record in Europe,” says Peter Hurst, chief executive of Cifas, the fraud prevention service funded by the financial services industry. “I was at a meeting recently and a European Commission official described Britain as the country of choice in Europe for organised crime.”"

    "In the EU, by contrast, it is less of an issue. Besides the region’s long-standing tradition of identity cards, in much of Europe financial services transactions are more likely to be conducted face-to-face in branches, which deters criminals."

    On the question of the govt having some secret fascist agenda, we just aren't going to agree are we?

    ReplyDelete
  30. "By the way, you won't find any information in my dustbin as all my paper data gets either filed or securely shredded. My digital data is kept encrypted in case my computers get stolen. It's also backed up daily. Yes, I have a clue about data privacy and security and a large one at that as it is how I make my living. I suggest you get a similar clue too before spouting off any more about this subject."

    Anon, I have your IP address, from this I can get a physical address. I'll sit outside your address one morning, wait for the post to arrive and fish out your utility and bank statements with a wire. (NOT REALLY!!)

    This is just to show you how easy it would be to get someone's information if you really wanted it. (As it happens I don't!)

    ReplyDelete
  31. Anon, I have your IP address, from this I can get a physical address.

    Perhaps you'd like to explain how, exactly, you'd do that.

    ReplyDelete
  32. "I don't see why the government needs to hold a central audit of my every visit to the docs. - can you please say why that is?"

    "A lot is made of the govt having access to all this information about us. I don't think we should flatter ourselves.

    There will be millions and millions of records pouring in every day on all sort of things, do you seriously think the govt or anyone else is going to be that interested to trawl through these records."

    So, where is the answer to my question? If they aren't going to do anything with the audit data about my visits to the doctor why do they need it? - would you please answer the qusetion I asked? I have to say i find a faint whiff of the patronising in the "I don't think we should flatter ourselves" - I do flatter myself that I care about not disclosing stuff like this for no good reason - and until you answer the quesiton I'm not sure you know what good reason you think the government has for holding it either. I also can't wait to see your answer about the IP address :-)

    ReplyDelete
  33. Chris, I was just trying to wind the guy up, for being so cocky.

    ReplyDelete
  34. "So, where is the answer to my question? If they aren't going to do anything with the audit data about my visits to the doctor why do they need it?"

    The govt already have this info. The NIR will just be a more efficient and secure place to keep it.

    This information is obviously useful in all sorts of ways, such as determining what services are needed in an area, and how services are used. Sometimes this might be useful to know on an individual basis.

    ReplyDelete
  35. Urko, by the way, here's how you get someone's name and address from their IP address.

    ReplyDelete
  36. Urko, by the way, here's how you get someone's name and address from their IP address.

    Wow - I never knew that - aren't computers great eh? and you are so clever. Now back to the originla point - tell me what my address is - I give you permission to publish it here for anyone to see.

    Seriously though, you aren't making much of a case for ID cards by making claims like that on here. Most people on here probably know much more about IT and stuff like IP addresses than you do (I now know I do) - when you start making macho claims like that you're hurting your case because you can't back it up.

    ReplyDelete
  37. re.

    Chris, I was just trying to wind the guy up, for being so cocky.

    and

    Urko, by the way, here's how you get someone's name and address from their IP address.

    For the avoidance of doubt (and perhaps to save the stupid from forking out $7.98 for the service linked to from the latter comment) the "find address from IP address" service works from WHOIS data. So, for instance, from my current IP address, 212.69.37.114, you can obtain the address,

    IDNet
    The Spirella Building
    Letchworth
    Herts

    Now, that's an address, but it's not my address: it's my ISP's address. You could sit outside their offices for a week and none of my bank statements would fall into your lap (or even a nearby rubbish bin). Similarly, you could find the address associated with the PTR record for that hostname (caesious.beasts.org), then put that into WHOIS. That would give you,

    Mythic Beasts Ltd
    433 Newmarket Road
    Cambridge

    which is (by coincidence) in the right town, but it's not my address: it's the office address of Mythic Beasts Ltd, the company who hold the beasts.org domain name.

    In general it is not possible to infer a person's street address from their IP address, and for good (and obvious!) reasons.

    The lesson here is that if you're going to be cocky, it's best to start on slightly firmer ground.

    ReplyDelete
  38. Hi Neil - thanks for the answer at last - the first part - demand, stats etc could be done with anonymised data - i.e. no-one would need to relate it back to me individually so there's no need to know who I am. The second bit's interesting though - "Sometimes this might be useful to know on an individual basis. " I'd like to know what times - are you talking about criminal investigations or something else?

    ReplyDelete
  39. Cheers for clearing that up Chris, Ok I would struggle to find an address- teach me for being cocky in response, but it MUST be possible. How do they find out addresses of all these guys writing internet viruses?

    Urko, yes I'd would say it was useful for criminal investigations.

    Sorry it took me so long to come back, lots of comments to work through both here and on the NO2ID forum. I'm a bit knackered!

    ReplyDelete
  40. Just to clear things up.

    I admit I was unwise to make the IP address claim. However I have heard it is possible. How do they find these guys who write internet viruses? The ISP must know our addresses, so it must be possible to hack into their database at the very least.

    ReplyDelete
  41. As you infer, you'd need the cooperation (willing or unwilling) of the ISP, who typically has the information for billing purposes. Even that mightn't be enough in the case of a customer using a free dialup service; typically there the originating phone number is logged, and would have to be checked with BT. You might be able to get somewhere with other information -- e.g., from an online shop at which somebody has bought something for delivery from a particular IP -- but most internet users have dynamically-allocated IP addresses, so what you need to know is the address for a particular (IP address, time) combination; generally you can't get this reliably without the cooperation of other parties.

    Getting a little off-topic, I'm always a bit surprised that any virus writers are caught, and I suspect the ones we hear about are inept ones, who do not put enough effort into evading detection.

    ReplyDelete
  42. That German guy they caught was clever enough to write the sasser worm, but not clever enough to avoid detection, suggests you have to be very clever to avoid detection.

    ReplyDelete
  43. Maybe. I understand that (I haven't studied this area specifically) that there are a lot of viruses / worms / whatever which are used for relaying spam, proxying web traffic for spamvertised websites onto legitimate web servers, and even dodgier things like intercepting users' online banking authentication information. Now, these things propagate (there are hundreds of thousands of PCs on broadband connections running these things) and, unlike worms like Sasser, which had no payload, actually do something which is making somebody money.

    Therefore, we infer, somebody is paying to produce and disseminate them. But I don't recall seeing any prosecutions of people involved in this sort of activity -- the typical virus writer who is caught and prosecuted is a bored teenager who didn't cover their tracks properly.

    Now, it's possible that I'm wrong and just haven't noticed news stories on this stuff, but I'd be a bit surprised. Further, it doesn't seem to me all that difficult to cover your tracks in diseminating a virus, if you really put your mind (and some money) towards it.

    ReplyDelete
  44. A lot of these dodgy sites are run from dodgy countries like Belarus, etc, where there are authrorities turning a blind eye. If they run them from the EU or US they would be caught quite easily. ID cards would be run for the UK, there would be no dodgy country to use to avoid prosecution.

    This is a good example of how people who want to remain anononymous can be found using the technology and information already out there.

    ReplyDelete