Thursday, February 28, 2008

UK ID card strong points

The centralised UK identity card proposals are pretty stupid in every dimension. The strongest bits are probably the IT security measures:

Minister defends National ID Register security | The Register: "Meg Hillier"

... but IT security is the smallest part of the problem. Look at the recent security leaks and personal data losses and you'll see hardly any cracked systems. Mostly the problem is people being asked to look after highly valuable data and either being corrupted or making a stupid mistake.

So the fact that great care is being taken to make the IT parts of the proposed system secure just makes the most secure bit more secure (perhaps). The gaping holes are elsewhere.

If there is an ID card system (and I hope there is not) then it should be distributed to minimise the value of the data in any one place. All the personal data should be under the control of the individual subject (e.g. on the card itself) and it should be digitally signed, so that if a duly authorised person wishes to see the data they can ask the subject, get the data from the card and verify that the data is good.
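A sketch of the signed-card check described above, as an added example that is not part of the original post. The choice of Ed25519, the record fields, the sorted-key JSON encoding and the function names are all assumptions made for illustration.

```javascript
// Added example: names, fields and key handling are assumptions for illustration.
const crypto = require("node:crypto");

// Deterministic encoding of a flat record: keys sorted so that the issuer
// and the verifier sign and check exactly the same bytes.
function canonical(record) {
  return Buffer.from(JSON.stringify(record, Object.keys(record).sort()), "utf8");
}

// Issuer side: sign the record once; the result is what the card stores.
function issueCard(record, issuerPrivateKey) {
  const sig = crypto.sign(null, canonical(record), issuerPrivateKey);
  return { record, signature: sig.toString("base64") };
}

// Verifier side: needs only the issuer's public key and the card contents.
// The signature is checked first; `expires` is trusted only after that.
function verifyCard(card, issuerPublicKey, today) {
  let ok = false;
  try {
    ok = crypto.verify(null, canonical(card.record), issuerPublicKey,
                       Buffer.from(card.signature, "base64"));
  } catch {
    ok = false; // malformed card or signature
  }
  if (!ok) return { valid: false, reason: "bad signature" };
  if (card.record.expires < today) return { valid: false, reason: "expired" };
  return { valid: true, reason: "ok" };
}

// Constructed sample data (not real card contents).
const issuer = crypto.generateKeyPairSync("ed25519");
const card = issueCard(
  { name: "A. Sample", born: "1970-01-01", expires: "2030-01-01" },
  issuer.privateKey
);
// Same signature, one field changed after issue.
const altered = { ...card, record: { ...card.record, born: "1990-01-01" } };

console.log(verifyCard(card, issuer.publicKey, "2025-06-01"));
console.log(verifyCard(altered, issuer.publicKey, "2025-06-01"));
console.log(verifyCard(card, issuer.publicKey, "2031-01-01"));
```

The verifier never contacts a central register: the only thing it has to hold is the issuer's public key, which is not secret.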
