If you can’t prove how old you are, your days of shopping on the internet may be numbered. Fears that young people could be getting hold of knives, adult DVDs and alcohol are all fuelling a campaign by Margaret Moran, MP for Luton South, to make online age verification compulsory in the UK.[From Online ID checks to limit teen booze and knife purchases | The Register]
I assumed that selling alcohol to someone under 18 was illegal whether you do it in a shop or on the web and so merchants would want to carry out age verification to avoid prosecution. As the reporter says, “Does anyone feel yet another justification for compulsory ID coming on?”
Now, as it happens, I’m concerned about youngsters accessing inappropriate material on the web, just as any concerned citizen or parent would be. The real difference between me and Margaret on this is that I understand a little bit about how the web works, how identity works and how the two intersect. She doesn’t, so this will end up with us having to enter our national ID numbers online every time we want to log in to sites that carry material that may be unsuitable for children (eg, the BBC). So let’s see how this plan has been working elsewhere…
Korea has long required extensive identity information, even to post a comment on a web site. This includes information such as a person’s National ID, address, phone number, mobile phone number, etc.
Web sites turn around and sell this information to telemarketers and, to make matters worse, Korean sites are hacked and this data is then extracted for more malicious use. [Dave’s emphasis]
Korea’s Broadcasting and Communications Commission (BCC) is apparently moving to mandate 8 character passwords that must be changed every three months and an alternate ID system to replace National IDs for online identity.[From Korea’s Online Identity System – Good Security or Privacy Nightmare – PlayNoEvil Game Security News & Analysis]
I can just see us being in this same position, well before 2017 when we’re all supposed to have ID cards. Doesn’t anyone sit and try and think any of this through? Anyway, back to Korea…
The BCC said it will make Web sites adopt complex personal verification systems called iPIN and gPIN, instead of identifying users with their resident registration numbers. The presidential commission is also to make Internet users to use at least eight-digit passwords on sites and to change them every three months to thwart hackers, said Cho Young-hoon, the BCC’s manager of private information protection. The BCC has come up with these measures in response to several massive customer information leaks from the databases of several Internet and telecom firms this month…[From Internet Users Forced to Use 8-Digit Passwords(The Korea Times)]
I note one key point of cultural similarity between pointless Korean bureaucrats and pointless British bureaucrats, however, because the piece goes on to say…
Even the BCC’s own Web site demands resident registration number, address, home phone number, mobile phone number and e-mail address from visitors before allowing them access. “I believe our Web site is collecting this information because it is needed for administrative purposes,” Cho, the BCC manager, said. “I don’t think that identifying Internet users conflicts with the issue of privacy protection.”[From Internet Users Forced to Use 8-Digit Passwords(The Korea Times)]
Well I do, and Margaret Moran should too. In Korea, as in the U.K., organisations just cannot resist collecting personal information for no good reason, and thereby make the management of identity infinitely more complicated. So a well-meaning, if misguided, attempt to “do something” about identity has ended making the problem worse (just as it did in China, remember, where the government created a market in ID numbers that kids “rented” in order to go online).
It could never happen here? Bizarre as all this sounds, the rather toxic combination of well-meaning but ill-informed lobbyists, ignorant headline-seeking MPs, management consultants and media could yet visit this devastation on our green and pleasant interweb. Join me down at Paddy Power and we’ll be put a tenner on the British government requiring identity card numbers for Facebook log-ons within two years.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]
I am reminded of the “On the Internet nobody knows you’re a dog” cartoon. How does the government propose to address the issue that the merchant can’t know who’s at the other end of the pipe entering the information requested? Biometric readers for all? It’s not going to be beyond the wit of a thirst teenage to purloin their parent’s ID card number, credit card to make a purchase. Is the government suggesting that we are all issued with biometric scanners of one form or another?
“How does the government propose to address the issue that the merchant can’t know who’s at the other end of the pipe entering the information requested?”
That’s easy. You type your ID card number into the off-licence web site, they pass it to IPS, IPS generate an automated callback to the phone number listed for that number on the register. You answer and answer a randomly-generated question and the system matches your voiceprint against the voiceprint on the register. It’a doddle!