[ Home page | Web log ]
... with careful planning, it can last for the whole of the rest of your life. As a break from bloody ID cards, I'll draw your attention to yet more dreadful stuff in the media about Chip and PIN. Yesterday's Telegraph reported Ross Anderson's refusal to use a PIN for credit card transactions, on the familiar grounds that doing so doesn't offer the customer any protection from credit card fraud and leaves them more vulnerable to cash machine fraud. In the Telegraph piece he also notes an elegant attack which can be used by criminals to avoid having to use the (difficult-to-copy) smart chips on the cards to steal money from banks:
... He said that smart cards from Britain would end up in America, which does not use them, while stolen American cards without smart chips would appear in Britain, where readers would still be able to process old-fashioned cards.
Ross was interviewed on PM yesterday evening on this topic, and the BBC, as ever using balance as a proxy for impartiality, followed this interview with an opportunity for response by Chip and PIN, a propaganda outfit set up by the banks. The spokesperson, one Sandra Quinn, was interviewed (confusingly) by the BBC's Carolyn Quinn: (errors in transcription are mine, but I've tried faithfully to reproduce the errors of diction, grammar, logic etc. of the interviewee)
CQ: Well, let's hear now from Sandra Quinn, who's spokesperson for Chip and PIN, that's an organisation that's acting for the retail and banking industries. Um, Sandra Quinn, what about those concerns raised by Professor Anderson? People are already feeling a bit wary of having to tap in their PIN numbers in front of other people; isn't this just going to increase their concerns?
SQ: The equipment that we're using for chip and PIN has gone through a... a very severe accreditation process. It's extremely robust. The equipment that has been used in supermarkets; the equipments [sic.] that have been made at... used at small independent retailers... all those independent retailers are getting their equipment direct from their banks....
CQ: Well, weren't the same things said about cashpoint machines, and, err... we hear tales now about how they can be defrauded: cameras, and pictures taken, and people slotting things in. So, the, uh, professor's point was that smaller retailers, perhaps, could... could use fake machines or could find some way of getting hold of PIN numbers.
SQ: No, we don't think they can use fake machines, because the machines themselves are engineered to read the chip, so they... must be reading the chip very carefully, and that's... makes the... transaction itself extremely secure. What you will find is that this is an additional level of security to what we already have. As you said in the report yourself earlier, this is much safer than signature, because at the moment all somebody needs to do is to find our... card, learn our signature a couple of times, and start using it. You're not going to be able to have that in the new Chip and PIN environment at all.
Possibly what she was trying to say was that only certified equipment may be used with the Chip and PIN cards and that (presumably) a thief's fake machine would not be so certified. Even if true this would be irrelevant, of course, because certified equipment can always be modified; or a dishonest employee could surreptitiously swipe your card through a separate reader -- to copy the magnetic stripe -- while watching what you type into the keypad, with no fakes or modifications required.
Sandra Quinn's answer here is an illustration of a useful technique. While Carolyn Quinn asked about vulnerabilities of the PIN-entry process in general, she also made the mistake of naming a specific example against which her interviewee was able to argue in detail -- perhaps not convincingly, but more easily than arguing against the proposition that crooks might find, ``some way of getting hold of PIN numbers.''
You can see something similar at work in the second part of her statement. It is true that a thief who takes a Chip and PIN card is unlikely to know the PIN for it and therefore would not be able to use it as easily as they would a card with a signature. (As I've remarked before, this isn't what matters from the cardholder's point of view, since they are insured against loss by the issuing bank. But obviously the bank cares how much it has to pay out, and it can limit this amount either by reducing the number of frauds which occur, or by refusing to pay out the compensation.) What I don't know is how much card fraud follows this pattern. It's certainly not the only way that a crook can steal money using a stolen credit card, and I'd be surprised if it were the predominant way. Yes, Chip and PIN does stop this attack. But there are lots of others it doesn't stop, and new ones it creates. Ms. Quinn mentions this case only because it is easy to argue.
SQ: They will still be able to do that, there's in moderation. [sic. -- I have no idea what that bit was supposed to mean, actually] But what countries who are not going to be using Chip and PIN in the first moment are saying, well, they don't have card fraud.... [ cut various like waffle ]
I'm not really sure whether Sandra Quinn is really claiming that the countries which have not yet adopted Chip and PIN do not suffer from card fraud, but obviously they do. (The rest of the piece was so feeble I couldn't face transcribing it, so you'll have to trust that I haven't quoted the above out of context.)
Actually the whole interview was extremely poor; Carolyn Quinn made a good stab at asking the right questions, but as ever the interviewee wriggles off the hook, though is made to look rather silly. If you listen to the Today Programme you'll hear much the same thing from Cabinet ministers, and I suppose spokesperson for an industry lobby group is much the same sort of job. (As an aside, the interviewee's full glorious incoherence was only made fully obvious once her words were transcribed and written out in full; doing so is a little time-consuming, but a useful exercise. Mark often does much the same on his Spy Blog. No doubt your or my conversation would look just as ill-structured if written down and presented in this format, but hey, I'm not paid to be spokesperson for the government or for a cartel of financial institutions -- and neither, I suspect, are you.)
Of course, media idiocy on this subject isn't confined to interviews. Consider this absurd press release reprinted by Silcon.com, in which we are reassured that there is no risk of robbers `shoulder-surfing' (that is, watching customers typing in their PINs and memorising them) and then mugging those same customers to obtain their cards:
``Someone who sits in their bedroom counterfeiting cards is not going to go out into the streets mugging old ladies,'' [Gary Hocking, `director of chip and PIN implementation at APACS'] said.
I think all I can do here is to express surprise that the credit-card-fraudster demographic has been so exactly characterised. Probably next week they'll be hailed as the new hope for a Tory revival.
Back to ID cards yet again. (Sorry.) In the comments to my last piece, Colin Teubner asks, among others, the question,
First, is it the mere idea of having a National Identity Register at all, complete with some sort of scheme for matching people to it, that worries you, or is it the inevitably poor implementation of it, or both?
The ID cards scheme is likely to be a disaster on financial and systems-integration grounds, but even if it worked as intended -- I admit that I am inferring its intention from clues left in the Bill, consultation documents and various utterances of David Blunkett and ministerial cronies, since its purpose is as yet unexplained -- I would oppose it.
At root, I don't think that it's the government's business to tell me who I am. The government are our servants, not our masters, and we oughtn't to let them forget that. Just as -- see Saki stories passim -- the Edwardian upper classes assigned names of convenience to their servants, David Blunkett intends to assign names of convenience to us. There's no good reason to let him do that, and I don't see why we should.
In more detail: the conceit of the ID cards scheme is that each person should have only one identity; that that identity is given them by the state and recorded authoritatively in the National Identity Register; that each person must notify the state of any changes to it, and such changes will be accepted at the discretion of the government; and that that failure to comply as prescribed by the law will result in various and novel penalties intended to result in compliance with these rules.
I should digress here to say that there is a reasonable question as to what I -- and the Home Office -- mean by a `person' and an `identity' in this context. This question may seem semantic, pretentious and woolly, but it touches on a difficult philosophical point. I try where possible to avoid difficult philosophical points and now is no exception. So: in the context of the current scheme, a `person' means whoever can produce a given set of `biometric' identifiers (probably fingerprints and an iris scan; it is expected that if any of these biometrics change -- for instance, if you scar your finger -- you will obediently report that change to the government); and an `identity' means a name, address, and other personal details which appear on documents (such as passports, identity cards, etc.) issued by the government and recorded in a database (namely, the National Identity Register).
The next step in the scheme is, of course, to require that services provided by the government (the government, being our servant, are compelled to provide services to us) and services provided by private individuals and corporations, are provided only to people who can prove that the government has given them an identity, and that those services are provided only for that identity (so that, for instance, you would not be able to hire a car or open a bank account in a name different from the identity you have been given). (The Home Office's laughable Regulatory Impact Assessment suggests that shops will want to check customers' ID cards using their `Chip and PIN' terminals for almost any transaction....)
The proposed scheme will also record each such check of identity in its database, so that a record of when and where your identity was checked -- whenever you go to the doctor, or your bank, or a shop -- is built up.
Well, 35% of terrorists do, apparently, as Home Office ministers and officials are fond of repeating when asked the purpose of their brainchild. (I think we are expected not to mind being blown up by the other 65% who do not play by their rules.) Other people who sometimes go by more than one identity or change their identity include criminals laundering money, adulterers, benefit fraudsters, informants in high-profile criminal cases, victims of domestic violence, released convicts notorious enough to require protection from a vengeful public, persons of multiple nationality, refugees, married women who wish to take their husband's name but not lose their professional one, persons with nicknames, travellers and other people who live itinerant lifestyles, expatriates, people who run businesses as sole traders, investigative journalists, undercover detectives, spies, celebrities wary of the public eye, sufferers from embarrassing medical conditions, people who need to travel regularly to mutually antagonistic countries (such as Israel and Muslim countries, or, in days gone by, South Africa and many other African nations) and so on and so forth. You can probably think of similar categories.
Obviously not all of these people will be tremendously inconvenienced by the ID cards scheme -- I don't expect people to necessarily give up their nicknames because they differ from the names on their cards, though woe betide you if you are addressed by another name in the presence of a Police officer who knows only your official name -- but many will. And some of these categories are obvious and legitimate targets of law enforcement (though there's no evidence that ID cards will actually make it any easier to detect and prosecute them). Most, however, are not. The National Identity Register is an attempt to impose a simple and unbending set of rules on something which is fluid and anything but simple: how people are known and know themselves.
Now, in a modern state we must exchange measures of freedom for measures of safety, convenience, material wealth or other desirable things. So we are not permitted to drive our cars too fast, bicycle without lights during the hours of darkness, swindle the ill-informed with prohibitively expensive loans, own guns, pollute the atmosphere, etc. etc. The principle is fair enough, though everyone argues about the details.
In this case we are being asked to accept an enormous amount of regulation -- regulation which will intrude into every aspect of our lives -- for no demonstrable benefit and a variety of costs and risks. None of the arguments made for ID cards and a population register are really credible: they won't stop crime, they won't stop terrorism, they won't stop benefit fraud, they won't stop illegal immigration, they won't stop identity theft, ...; and they bring numerous risks, which I have written about more-or-less interminably before.
(Another digression: one other argument which is sometimes made -- often by people who work or have worked in government, after they have trotted out the preceding arguments -- is that a population register will make government `more efficient'. This vague and comforting notion -- really code for `sacking civil servants' -- seems to ignore the fact that those government services which deal with individual, identified people, such as doctors' surgeries, benefits offices, etc., already have databases of their `customers'. Making records in these databases correspond to records in the National Identity Register is likely to be expensive and basically purposeless. There are excellent arguments for, for instance, connecting different hospitals' patient records systems together, but those databases already exist. The National Identity Register is not relevant to this problem, except that it might make solving it more expensive. A further claim is that the Register will make it easier to plan for the future provision of services by providing accurate information about the distribution of the population; it's true that the government can be rubbish at planning for future service provision, but again the National Identity Register is unlikely to help much. It won't be a good way to get population estimates -- even the census missed millions of people -- and anyway most planning of services needs more information than just how many people there are in an area, what they're called, how old they are, and what their fingerprints look like. For instance, if you want to know what facilities a new hospital needs, you need to know about individuals' health -- not planned to be recorded in the Register; if you want to know where to put new roads, you need to know where people travel -- not capable of being recorded in the Register; etc.)
Now, many people will not accept the whole of my reason for objecting to ID cards. You might argue, for instance, that my notions of personal identity are too libertarian (or even, dare I say it, libertoonian) for the Dangerous World In Which We Live Today (as Fox News might put it). Or you might argue that the government waste money on foolish and expensive boondoggles such as the Millenium Dome or the war against Iraq all the time, and while this one does appear to be a very foolish and very expensive boondoggle, why not let them have their fun? They have to spend our money on something, after all -- it's not like they're going to give it back, is it?
That's all fair enough; I'm only making my own case. But I would characterise the pro-ID-cards position as either being unthinking; or, worse, unconcerned by a loss of liberty, or by a massive waste of public money, or by the new material risks which the scheme will bring. Surely there's something there for everyone to oppose?
Just to dispose of one point, David Blunkett has been in the news a lot lately for other reasons. For instance, I happened to see a copy of the godawful bloody Express the other day, which had a headline reading something like,
... to which the answer is, ``no, but not for the reason you think.'' The stock answer to questions about the Home Secretary's private life is, of course, ``it's none of our business; I just wish he'd think the same about ours'', and I'm going to stick to that formula. It's one that the Prime Minister's Official Spokesman endorses, after all:
The Prime Minister said that senior Ministers were entitled to a private life, so long as they continued to do their job.
You can read the Bill on-line; it's substantially the same as the draft. If you haven't looked at either, it's probably worth your while to do so to find out what you'll be made to do before you're summoned to appear at some Capita office to have your irises scanned and all that jazz.
First, to dispel some myths. The government claim that the scheme is voluntary; that you will not be forced to produce an ID card to gain access to a public service to which you are entitled (e.g., to see your GP); and that you will not be forced to carry an ID card nor be required to present it to a police officer or other official on demand.
The first two claims are false. Section 6 of the Bill permits the Home Secretary to force anyone he wants to register for a card (subject to a vote in Parliament, but those wankers will vote for anything, as the passage of various panicked acts after September 11th 2001 shows); section 15 is advertised as preventing the government from making access to services conditional upon presentation of a card, but doesn't apply to people who have been forced to register. So the Home Office can say, ``right, time for everyone to get an ID card'', and suddenly you can be forced to produce one every time you go to the doctor.
Every time you the card is checked, the occasion will be recorded in the Register, for perusal by an extensive list of government bodies (see s.19 of the Bill).
The third statement -- that you will not be forced to carry a card nor to present it on demand -- is true, but according to the Home Office irrelevant. They believe that the `biometric' which will be used on the card is perfect; that is, that each individual can be reliably looked up in the database by scanning their irises or their fingerprints or whatever. They believe that the effect of carrying a card for presentation on demand can be achieved by giving police officers biometric scanners. (As I've remarked before, I expect this to be a godawful cock-up. The Home Office will hand out copies of the National Identity Register on DVDs or something, since they probably won't be able to make a wireless data network that's actually reliable enough for use in this application. Expect to download your copy of the NIR via the peer-to-peer network of your choice about as soon as the thing is implemented in 2008.)
Even more bonkers, the government's Regulatory Impact Assessment suggests that you're quite likely to be asked for a card when you go to the shops, so unless you're a total ascetic you may have to carry the fucking thing at all times anyway.
(It's also worth remarking that the Impact Assessment doesn't consider anything other than direct, monetary costs in its cost/benefit analysis. It doesn't, for instance, measure the effect upon civil liberties. It also -- as usual -- makes the mistake of assuming that the programme will reduce identity fraud. I guess writing these things isn't taken very seriously.)
(1) The Secretary of State may by order impose an obligation on individuals of a description specified in the order to be entered in the Register.
The idea here is that the Home Secretary can require, for instance, anybody who is an eeeeevil foreigner, or a fox-hunter, or Jewish, or whatever, to register for an ID card if he wants them to. Neither the Bill nor the notes explain what the fuck this is for -- to me, it looks as if they're not even trying to not look like crazed authoritarian fucknuts -- but the implication is that this power would be used only to make everyone register. So that's OK then. Because, after all, governments never use powers they're given for any but the originally-stated purpose.
(For the avoidance of doubt: David Blunkett clearly isn't a Nazi, and neither are any of the rest of the present government, so far as I know. But as they keep saying, nothing they do can bind any future Parliament.)
-- this is the same as in the draft, and they haven't even bothered to add `reasonable' as many responses to the consultation suggested. Presumably if some bored Crapita employee does send out a notice of the form,
You are required to attend the summit of Mt. Snowdon at 0300h tomorrow morning so that we can take your fingerprints; failure to attend will be punished by a civil penalty of £1,000. Do not pass `go'.
2(5) is even better -- here, the Home Secretary is given the power to correct errors in the Register, but is freed from the duty to do so. I'm not really sure why the Home Secretary -- who, it should be said, seems awfully keen on putting all our personal information in his database -- wants to be able to keep wrong information in there, but he's giving himself the power to for some reason.
(No but seriously.... One effect of the National Identity Register is to make it impossible to -- for instance -- give new identities to informants who are threatened by the criminals or terrorists against whom they have given evidence, since if everyone in the country is identified on the Register by an iris scan, and the criminals in question have a photograph of the informant, it will be trivial for them to locate him and kill him. It is possible that the Home Office believe that this is undesirable and that 2(5) is a loophole that they've inserted to try to make such false identities practical again. It won't work, of course -- if they get their way, having an inaccurate ID card will be so fucking inconvenient that informants will probably accept the risk of being murdered simply to avoid the hassle -- but it would be nice to think that they're making an effort.)
Elsewhere we have been reassured that the information stored in the Register will be of a limited nature and that, for instance, you will not be required to give a sample of your DNA for recording there. This too is a lie; while the current -- and hardly inextensive -- list of things to be recorded does not include genetic information, s.3(5) allows the Home Secretary to, without giving a reason or requiring the approval of Parliament,
Elsewhere, the government have avoided the temptation to add safeguards to the legislation to in any way soften the trainwreck about to engulf us. I (and presumably many others) pointed out in consultation responses that the existence of a unique identifying number in the National Identity Register will make identity theft much easier and more dangerous (the government lie that their scheme will make identity theft harder!). I wrote,
Frankly I have no idea how you would go about fixing this. If you insist on having a single Register with a single primary key, theres probably nothing that can be done; you just have to put up with increased identity fraud. An alternative would be to issue cards locally (as in many European countries) and ensure that any number assigned to an individual identifies the card, not the person. The card numbers won't be a lot of use to third parties (as they will change when new cards are issued every few years) and so third parties will not be attracted to using them; this removes this particular opportunity for fraud. (It would also make the scheme cheaper and more reliable, since it remove the single point of failure which the national Register constitutes.)
An alternative would be to try to keep the identity numbers secret. I donbt really see how this could be managed, though, unless there are no unique numbers on the card at all. Since the draft Bill isn't tied to any technical solution, I doubt it would be possible to incorporate this safeguard, so we're back to square one.
But while you're still here, please take a moment to read the Bill and NO2ID's useful FAQ; you can still register your support on their petition; and if you're in Cambridge this Monday (6th December) please come to the meeting of the Cambridge group in the Old Spring on Chesterton Road at eight o'clock.
This is all done with wwwitter.
Copyright (c) Chris Lightfoot; available under a Creative Commons License. Comments, if any, copyright (c) contributors and available under the same license.
Hosted and supported by