[Dave Birch] Government identity is so important that the vigilance of the “issuers” must be unwavering. Thus, the rest of the identity management value network can function. It’s so important that one might even go so far as to say that a key role of government should be to test it’s own vigilance in an open and transparent way. In other words, shouldn’t parts of the government be checking up on other parts of the government and telling us what happened. This would be a really interesting experiment to try here in the UK, now that the government has started issuing identity cards. It would be great to have some reassurance that the process is indeed protecting us from international terrorists, dole scroungers and health tourists. The National Audit Office (NAO) could try and obtain bogus identity documents from the Identity and Passport Service (IPS) and see what happens. Just like the recent experiment in the US.

To do so, GAO designed four test scenarios that simulated the actions of a malicious individual who had access to an American citizen’s personal identity information. GAO created counterfeit documents for four fictitious or deceased individuals using off-the-shelf, commercially available hardware, software, and materials. An undercover GAO investigator then applied for passports at three United States Postal Service (USPS) locations and a State-run passport office.

[From Security Document World]

And the results? Did the ever-vigilant staff, the best IT that money can buy and the process designed by top management consultants come together to defeat these almost trivial attempts to deceive?

In its four tests simulating this approach it was successful in obtaining a genuine U.S. passport in each case.

[From Security Document World]

Uh oh.

Perhaps biometrics might help. I was in Dubai a couple of weeks ago, and there’s no messing about letting people get false passports there I’m sure…

About 54,000 people were arrested at Dubai International Airport last year after failing iris scan, a senior official from the Ministry of Interior said on Monday. Brigadier Bin Surour said border security is one of the biggest challenges all countries face in maintaining national security. “We will soon use an individual’s DNA as a means to verify people’s identity at borders,” he said.

[From Gulfnews: Dubai’s iris scan helps arrest 54,000 suspects last year]

As anyone familiar with the problem understands, the issues are orthogonal. Using bogus “feeder” documents to obtain a virtual identity (such as an entry in a passport database) is not affected in any way by the use of biometrics to match a physical person to that virtual identity. If anything, biometrics make for a bigger problem: once the bogus identity is in the system, then the use of biometrics means that the identity will never be questioned. Computer says yes, so to speak. If there is going to be a “gold standard” government identity, then anyone able to breach the security of the database on which it rests is then inside the wire and can do what they like, since from then on the biometrics will confirm whatever identity the miscreant has planted.

I quite like the idea of using DNA tests at the borders, though. Anything that works better than IRIS would be great (although to be fair when I came through T5 last week, I was standing in a long line for passport control and I saw three people using the IRIS line, and two of them got through, which is pretty good).

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]

2 comments

  1. Oh Lord. Presumably the groupthinkers wont try it here because everyone in government will assume it’s 100% safe. And if an external body tries to do the test (eg LSE, JRRT, No2ID) they’ll be breaking endless incomprehensible laws and will be pursued by vengeful harpies.

  2. Don’t we have some sort of audit body that can do this? I’m sure I heard just a body moaning about the council dunces who invested in Icelandic banks not ten minutes ago on the Today programme.

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: