back to article IPS leak suggests ID card fingerprint chop

A key component of the UK ID card scheme, the central database of fingerprints, may be abandoned, according to a leaked Home Office document obtained by the Observer. The document doesn't suggest entirely scrapping fingerprints, but instead suggests that their value should be assessed for each group of the population enrolled …

COMMENTS

This topic is closed for new posts.
  1. Nomen Publicus
    Boffin

    Why take two forms of ID into the shower?

    Didn't I predict almost exactly this situation last month? Even the government has noticed that there is no rational argument for having both a passport and an ID card. If a passport doesn't uniquely identify a person, exactly what is it useful for; and what then is the point of an ID card if it is _not_ universally usable for identification?

    Combining the passport, driving license and the "id card" into a single object would have resulted in a cost saving, but the government has already rejected this idea.

    As for fingerprints, the government can always get copies from US customs (not by mail obviously.)

    [Can we have a man-in-black icon?]

  2. Anonymous Coward
    Anonymous Coward

    At the risk of...

    ...invoking Godwin in the first post (though someone will almost certainly have beaten me to it by the time I've finished typing), it looks like they're going to make a scheme which already has unhealthy resonances with the Nazi population register share even more characteristics. What's the betting that immigrants who start off having a "foreigner" card with their fingerprint won't have their prints deleted from the database even if they succeed in gaining UK citizenship?

    And can anyone explain the function of fingerprints on a foreigner's card in an environment where fingerprints aren't routinely used as an authentication factor?

  3. TeeCee Gold badge
    Coat

    I feel sorry for the Home Office.

    Ah well, maybe some day their prints will come...

    (Okay, okay, I'm gone..........)

  4. william

    A simple ID System is whats really needed

    The main problem with current government based ID systems (Passports, Driving Licenses etc...) is there is no way to identify stolen or fake ID's - which seems to be the biggest issue these days.

    Why can't we have a simple ID card with a large photo (Whole size of a credit card) a card number, a imbedded chip (only holds the owners private key of verification and digital signatures purposes)

    The card cost would be small, under £1. and as an added services the government could offer verification services via SMS for a small fee, service that could be included are:

    a) Verify if the card is O.K.

    b) card holder is old enough to drink,

    c) card holder can work in the U.K.

    d) card holder has a valid driving license.

    e) Verify a picture of the person against a centrally held copy (the photo's do not need to be held on a online System as the operator could have two systems one online to receive the verification request and another off-net to access the stored photo's.

    e) etc.....

  5. JohnG

    Why not just start with a photo?

    This is what most Western european countries use for their ID cards. A simple photo ID with your name and address is adequate for most situations where you have to provide proof of identity. National identity cards from EU member states or EU photocard driving licenses are deemed to be adequate proof of identity to enter the UK.

    They could always add the other biometric nonsense as and when (or if) they get their act together.

  6. John Mangan
    Thumb Up

    It's a cliche but . . .

    . . . you really couldn't make this stuff up. There's probably a lost 'Yes, Prime Minister' episode on this subject but they just couldn't make it believable.

  7. Damian Gabriel Moran
    Coat

    why not just abandon the whole thing altogether?

    It has never and will never provide the 'security' that the government have been desperately trying to tell us it would. Pour the money that will be wasted on this into something that needs it, heck I would vote labour if they said we are abandoning ID cards, ilegal wars etc and all that money is going to go into education and the health service.

    I do not want to live in a country where I am forced to carry an ID card and if I refuse to do so I become a non-citizen and instantly looked upon with suspicion. Besides I imagine the criminal element are probably able to forge cards already, it happened when we were told Chip and Pin was the answer to card fraud

    anyway I am done ranting. My hat, my coat, my gloves and my phoney dog poo

  8. This post has been deleted by its author

  9. Anonymous Coward
    Anonymous Coward

    Nobody has tied up the EU distate of our electoral system with ID yet

    I was listening to radio 4 the other evening on my way home from work as someone from the EU was twittering about how insecure our elections are because of our lack of ID.

    It sounded to me like an ideal reason for our useless shower of cnuts to continue with the discredited ID card scheme - just the sort of thing they like... 'europe made us do it'.

    Of course, the actual requirement is that the person who registers is the person who voted. This can be accomplished without identifying the person - you only need to ensure it's the *same* person as last time. There are any number of secure systems you can do this with - none of which necessarily require you to actually know who anyone is.

  10. Anonymous Coward
    Anonymous Coward

    I have NO sympathy ....

    ... well, well, well. The whole ID card fiasco was predicted before it had been specced, and anyone who knew a passable bit about IT said it wouldn't work, whilst politicians sat in their chair by the sea and commanded the tide to go back ...

    The worrying thing, is unlike Canute (and was there *ever* a better suited quasi-anagram ?) the politicians appear to believe their own hype ...

    Well, now the real work has to start (if the ludicrous target dates have any chance of being overshot by usual government standards) the house of cards is starting to topple ... scope being narrowed, timescales being "clarified", vendors dropping out (does anyone remember the Inland revenue fiasco when they had to pay rival companies to put together bids they knew they'd never win ?).

    I do hope that eventually the papers realise the truth of the situation, and start asking the *really* awkward questions.

    Could you not have an "Amy Winehouse" icon for when things are in the crapper ?

  11. Anonymous Coward
    Anonymous Coward

    @Damian

    Abandon it?

    Abandon a flagship policy of the last New Labour manifesto? Don't you understand the ID card scheme is the 21st Century version of the 5-year tractor production plan? Just as it didn't matter if the proletariats glorious tractors only had three wheels; it won't matter if the people of Britain don't have working ID cards - they will have ID cards. And isn't that what the late, great David Blunkett would have wanted?

    Give up now, just when unreformed science is saying the whole scheme won't work? You might as well say the Dear Leader before the current Great Helmsman showed signs of human fallibility. And we're not quite ready for Gordon's secret speech to the 20th Party Congress on the topic of 'the Personality Cult and its Consequences.'

    http://en.wikipedia.org/wiki/On_the_Personality_Cult_and_its_Consequences#Excerpts

  12. Billy Goat Gruff

    @Simple ID system

    An excellent idea, but it achieves nothing and should you ever make it useful, it will become redundant...

    'Old enough to drink' - well someone is only old enough if they have proof (a passport or one of those pub-approved schemes) or the seller makes a judgement call. No need for a card. Most of us would never be asked to show the card!

    'Can drive' - drive what? A motorbike? Geared or auto? What CC/HP (you get different license for both of these). A car and a van and a tractor? Or just an auto car? By the time you put all this onto a card you have a drivers license.

    'Cardholder can work in UK' - Useful for employers and govt security agencies, but seems a bit overkill for everyone I know to hold a card. I guess an NI number might do the same thing or how can the employer pay your NI?

    'Verify the card is OK' - well, without issuing card readers everywhere or relying on bouncers to type your card number into a phone and wait for an SMS, it's pretty impossible.

    I can't see the point of this card if you can legally work without it, legally drink without it and legally drive without it.

    To make it cost £1 you'd need to outsource it to, say, Tesco who would love to know the ID of their chosen markets. But as soon as it became useful to, say, underage drinkers they'd be fake ID cards. Same photo, reprogrammed info. Or you get a card from some polish friend who's leaving the UK and skilfully swap the photo so you are now eligible to drink vodka, drive buses and work anywhere in the EU.

    What would be the penalty for not showing the card when requested to do so? Would annoyed barstewards refuse to serve a 40 year old because they didn't show their ID card to prove they were old enough to drink?

    I *like* the idea of a cheap, simple ID card, I just don't think it'd serve any useful purpose :(

  13. Spleen

    Why indeed have a passport?

    Our passport says "Her Britannic Majesty's Secretary of State requests and requires in the Name of Her Majesty all those it may concern to allow the bearer to pass freely without let or hindrance, and to afford the bearer such assistance and protection as may be necessary." Once upon a time this meant something. Nowadays the only force it carries is if you slap someone with it and give them a paper cut. If you happen to be, say, kidnapped by CIA perverts to be used as a torture whore in some godforsaken prison, Her Majesty's government will do exactly f*** all. A passport, like the ID card, is now just a certificate of ownership (of you, by the government).

  14. John Lettice (Written by Reg staff)

    Re: So, who exactly did the feasibilty study? Can the Home Office get their money back?

    We haven't actually had a feasibility study as part of this project. We've had the original 'entitlements cards' consultation that was repurposed to serve as the ID card one. The submissions for this were inaccurately precised by Home Office droids for the report (you can verify this by checking the published response document against those submissions that are still available elsewhere in full). The response report was also backed up by pre-spun focus groups which were intended not to measure public opinion on ID cards, but to identify applications that were likely to be popular with the public. That is, they were asking how they could best sell it, as opposed to whether or not people wanted it. AFAIK practically all subsequent work has been undertaken on the basis that ID cards are non-negotiable, and that the task is therefore to figure out the purposes the public are going to be most OK about. The flaw in this approach is of course obvious... (-:

  15. Charlie

    Crucial difference

    While I agree that the European ID card system seems to be a useful streamlined process, there is (at least) one crucial difference between the English and Continental approach to IDs that people should be aware of - generally, on the continent, you have an obligation to carry identifying card at all times. The police have the right to stop and check that you are who you say you are.

    This isn't the case in England (one of the main reasons we're not in the Schengen zone), and I for one hope it stays that way.

  16. Tom Chiverton Silver badge
    Boffin

    @Mike Richards

    "Abandon a flagship policy of the last New Labour manifesto"

    Election reform (for instance) was in there two, and you'll notice that's not got anywhere...

  17. Anonymous Coward
    Thumb Down

    Why a card at all?

    Although I am 100% opposed to the notion of ID cards I'm always puzzled by why, if we are forced down the biometric route, we would need cards at all.

    If everyone is on some (obviously super-secure) government database somewhere and assuming that they remember to take their fingers with them when leaving the house, then surely all that is needed is for every tinpot local official to have access to a fingerprint scanner linked to the database. Carrying a card which duplicates the data already present on the ends of your fingers seems a bit odd...

  18. Jonathan Richards
    Stop

    Parse error

    > the one single factor that makes it entirely certain (in their view) that you are who you say you are.

    Whereas an infallible biometric measure (supposing there was such a thing) would merely make it entirely certain that you are the biological entity which said it was you when it applied to be registered with your identity.

    How do you prove infallibly who you are at the point in time that you apply for one of these things? Certainty can't be spirited out of thin air!

  19. william

    @Simple ID system

    For many activity's we already require an ID - some of the ID's used today include credit cards, driving licenses etc... for example:

    obtaining credit

    renting a property/car

    getting a Job

    getting your pension

    Entry into some clubs requires an ID.

    You can currently be refused liquor or cigarette's if you do not show proof of age.

    So most people in Britain today need ID. All I'm suggesting is that simple system can provide most of the requirements:

    Cutting and pasting photo's on to ID cards only works if you not sending a picture of the card holder to a central source to be verified.

    Each card has a unique ID, so it maybe possible to copy cards but this does not help as many people will be sending in a photo of the card holder.

    ITV manage to get the SMS network to respond fast enough for voting on "Dancing on ICE", that show's it could work the application does not require sub second response the first four requirements would be happy with day's as a response time and clubs and pub and shops already verify visa cards sub second so verifying an ID cards could also be done sub second.

    NB: The issue with chip & pin is that by closing one hole in the U.K. they opened up another, the rest of the world. Until chip and pin is used by all outlets around the world and a better way of authorising Internet based transactions is used (say some form of secure ID may be the answer) these holes will not be closed.

    So in summary we already need ID's for many functions, lets have some that works and is cheap. Nothing I've seen from the government to date works not even chips in passports they keep looking at the wrong problems.

  20. Anonymous Coward
    Alert

    There *WAS* a "Yes Minister" episode on this ...

    IIRC the whole problem had been doing the rounds at Westminster, until the luckless Hacker got lumbered with it because it was "essentially an administrative task". .....

  21. Anonymous Coward
    Anonymous Coward

    @Why a card at all?

    ... because clearly the government have no faith in the ability to verify a persons prints on-demand, in real-time 24/7 ...

  22. Mark

    "stop and check"

    Oddly you have the absolute right to require any police officer to identify themselves (name, rank, number) to you for any reason whatsoever.

    However, exercising this right will see you done for resisting arrest.

    When you are phoned by the bank, they ask some security questions. When I ask them to prove they are my bank, I get told they can't. I ask what it is about (since there may be a reason why they are talking to me and if I KNOW it's nothing to do with me, I'm being scammed) I'm told they can't until they verify who I am. I tell them that unless I know what it's about I can't tell if I want to let them know it's me. They hang up.

    If you need to prove yourself to vote, won't the people running the place have to prove themselves?

    Can you require full proofs of the board and executive directors to check that your putative employer hasn't been done for fraud (under a different name, even)? Or will asking get you shown the door?

    Now when all this proof is centrally stored and verified, doesn't that mean that I will now have to go to a public office with their ID credentials? Will they let me take them?

  23. Billy Goat Gruff

    @Simple ID system

    "So most people in Britain today need ID. All I'm suggesting is that simple system can provide most of the requirements:"

    All your suggestions are already adequately provided for - Passport, NI, driving license. I know you want a solution that does them all but it will be useless until it becomes useful, in which case it will become useless again.

    "Cutting and pasting photo's on to ID cards only works if you not sending a picture of the card holder to a central source to be verified."

    OK, so when the card itself isn't sufficient they take a picture of you and someone compares it to the central database. And this is easy? This is biometrics my friend, where key pointers of the face, or fingerprint, or iris, are compared to the stored key pointers.

    "Each card has a unique ID, so it maybe possible to copy cards but this does not help as many people will be sending in a photo of the card holder."

    So, to buy a drink, someone would need to take photos and swipe cards (to get the unique number) or perhaps you'd prefer RFID? Wouldn't it be cheaper for a pub to use a passport for the odd customer that looks underage?

    "ITV manage to get the SMS network to respond fast enough for voting on "Dancing on ICE", that show's it could work the application does not require sub second response the first four requirements would be happy with day's as a response time and clubs and pub and shops already verify visa cards sub second so verifying an ID cards could also be done sub second."

    Hmmm I think this is a little wishful thinking. Put your thinking cap on and look at how many ways *you* could bypass such a system. A GSM network blocker holds up the queue to a nightclub before they decide to stop checking with SMS? Flood the bouncers SMS gear with SMS messages?

    As soon as it enabled you to obtain credit then think of the number of ways you could buy a way to bypass it and you get free money under a false ID.

    "NB: The issue with chip & pin is that by closing one hole in the U.K. they opened up another, the rest of the world. Until chip and pin is used by all outlets around the world and a better way of authorising Internet based transactions is used (say some form of secure ID may be the answer) these holes will not be closed."

    Chip&Pin was never meant to stop fraud, in fact it's well known that us citizens are less protected. The difference is that it comes under ATM law and not Cheque law - which means the bank no longer has to automatically refund your money, you have to prove you didn't give someone your card and PIN. A bit hard to prove a negative. Fraud losses have gone down simply because the banks have to pay out less when fraud happens. Which is why they now call it ID theft, because whilst they are responsible for your money, you are responsible for your personal ID number and if anyone steals from your account it is assumed, under ATM law, that you must have given away your pIDn.

    "So in summary we already need ID's for many functions, lets have some that works and is cheap. Nothing I've seen from the government to date works not even chips in passports they keep looking at the wrong problems."

    Unfortunately, so do you... find a problem that doesn't have a solution. Decide whether the cards will be compulsory. Decide who will pay for all the card readers, cameras, etc. Decide if financial transactions will be more secure because of it, and then realise someone will exploit it and mass-produce it. Just as they do with Visa cards, and Visa reacted by making Chip/Pin compulsory where *we* suffer.

    Sorry. I *like* the idea of a cheap ID card but I can't see where it'd be useful.

  24. Anonymous Coward
    Anonymous Coward

    meh

    They should all go back to North Korea.

    All the pro ID/Database people would obviously be happier there where their government know exactly where each of them are, what each of them has been doing and what each of them is expected to do.

    We ran a quarter of the world without even a pocket calculator. Now we can't run England with all the toys modern technology brings.

  25. Anonymous Coward
    Black Helicopters

    Re: @Why a card

    "... because clearly the government have no faith in the ability to verify a persons prints on-demand, in real-time 24/7 ..."

    But without 24/7/52 access to the database, you can't confirm the authenticity of the card (other than the fact that it belongs to the holder - not who the holder really is).

    So if you're trusting the card, you don't need the database at all. Program the card with the users biometrics at one of the interrogation centres.

    The card has never been the *real* issue - the National Identity Register has.

  26. Jeremy Wickins
    Alert

    @william...

    There is no problem with proving your identity - it is what humans (and most other animal species) do. The security in the current system is that there are a number of different systems, not connected to each other. This is security in diversity. If one system breaks (or is broken), the others will - hopefully - not have the same problem. Uniform ID systems allow too much information to be gathered so that any beach is the same as just publishing all your life's details on the internet. Jeremy Clarkson learned how painful that can be!!

  27. Damian Gabriel Moran

    @ mike richards

    huh? ;-)

  28. RW
    Dead Vulture

    @ Mark

    Statistics Canada phoned with questions about my census return. I asked them to provide me with a telephone number listed in the phone book under "Statistics Canada" that I could call to verify the credentials of the caller. (They used to be careful about this but evidently no longer.)

    He couldn't. He offered one number but it wasn't in the phone book. Too bad.

    I refused to answer on the grounds that he had not properly identified himself, that I believed he was a phisher, and that was that.

  29. jimbarter
    Thumb Up

    I already have

    A passport, A driving licence and an NI number, the govt can go for a very long walk on a short pier...

    ...oh - they have - can you hear them drowning?

    glub, glub...

    ...and they prepare to go under for the third time...

  30. Fred
    Thumb Down

    RFID

    Just implant an RFID chip at birth in the back of the skull and be done

  31. Anonymous Coward
    Joke

    Remember, if you have nothing to hide

    you don't know who is watching.

    As someone with the kind of skills they're likely to be seeking for this kind of scheme I have to say that it's not Gordon Brown you need to worry about, it's me. And when I say you need to worry I do of course mean your mum. She's cute, I programmed the citywide cctv to track her when she's wearing that blue number, you know the one? Yummy. Thanks to the tracking systems I also know she shops at Sainsbury's on tuesdays. Guess where I'm going tomorrow?

    Mine's the dirty mac, please.

  32. Gilbert Wham
    IT Angle

    ITV????

    "ITV manage to get the SMS network to respond fast enough for voting on "Dancing on ICE""

    The fact that ITV can do this*, in no way means that the government can. Do be serious.

    *Unless they just pretended to and made the numbers up, of course*

    *which I'm sure the government CAN do...

  33. Mark
    Alien

    @Mycho

    Not as much a joke as it should be.

    In US malls, the guards watching the CCTV spend most of the time checking out the cute women.

    And when people say "I want my child/wife/sister/granny to feel safe" or similar tosh, I ask would they be OK with a pervert watching their daughter go to school *by CCTV*! I mean, they aren't going to pay much, are they. There's no way you're going to see them watching her either. And if they haven't yet been caught, who's going to find out?

    Haven't yet had an answer.

  34. Nomen Publicus
    Black Helicopters

    Vague Requirements

    One of the fundamental problems with identity that the government doesn't seem to understand is the difference between government and commercial needs. In the commercial world all that is really wanted is proof of the ability to service a debt. This is why a passport is not acceptable proof of identity in the video rental shop; it may "prove" identity (in some limited sense) but it doesn't demonstrate an ability to pay bills. Thus a recent gas or electricity bill is far more acceptable even though it is a very weak form of proof of identity.

    The government is more concerned with benefit fraud but confuses it with identity theft. Even then, the government seems more concerned with multiple claims rather than fraudulent claims. To solve the multiple claim problem, all you need are finger prints on the claim form and a means to compare them with other claimants OF THE SAME benefit. You don't need some huge centralized database of all 60 million residents to prevent multiple claims but that is the solution we will be paying 10 to 20 billion for.

  35. Cappendell

    @Why a card

    I am aware that this point has already, at least partially, been made, but, a card/document based system is infinitely preferable to a central database because it is much harder to abuse.

    Anyone discovering a way of manipulating/abusing a central database, or being in a position to manipulate/abuse it, can cause far more damage for far less effort than someone able to create counterfeit cards.

    Experience here in Germany has shown that, with a little personnel training, only a vanishingly small percentage of counterfeit ID Cards cannot be identified as counterfeit.

    Public Key Cryptography does allow the "Signing" of digital documents in such a way that it can be verified that the signing party was in fact the government and this requires no direct "online" access.

    I do not think that ID Systems are useless, indeed having a reliable way of identifying people for important transactions is very useful indeed, for all parties in a transaction. What is needed is a decentralized system that allows no third party to track what is being done - as would be the case with a central database.

    I agree that it is very silly indeed to have two systems that should prove identity - a single system is really the only way to go.

    A decentralized card based system, with no central database, where biometric data, cryptographically signed at time of issue as correct, is only available on the card, would be the way to go, in my opinion.

    As not all transactions require the biometric data, and humans can't read the data without an electronic reader anyway, I would plead for a document that is as difficult to forge physically as it is electronically.

  36. Anonymous Coward
    Paris Hilton

    @Mark

    Believe me the joke alert was only because it's not really my own plan. I have worked with cctv, have found snapshots of people shagging in carparks who I couldn't testify were over 16, have logged in to check cameras to find them pointing at windows across the road. Of course nobody gets dealt with for this the hard drives are routinely cleaned and staff turn over quickly enough that whoever did it is long gone by now.

    Paris because she reminds me of your mum.

  37. Andy Davies

    Why not just start with a photo?

    I have, quite seriously always thought that this was because David Blunkett was blind. The human brain has an amazingly accurate facial recognition system, much better than any software, but DB would not *know* this and all his hangers on would be too PC to tell him. A photo card offers a very quick and easy 'first fence' id check, add a public key encrypted version of the photo to the card then provided that HMG can keep *one* secret the card becomes unforgeable.

    AndyD 8-)#

  38. Jeremy Wickins
    Thumb Up

    @ Andy Davies

    Brilliant!!! I'd never actually thought of that. It has the ring of truth that cannot be denied...

This topic is closed for new posts.