ID cards already play a significant role in our working and social lives, yet at a national level we have no recognised single scheme for proving age, identity, entitlement or address.
We also lack any kind of uniform ID system that could be used in the workplace, unifying entry to a building with access to the network, servers or your desktop PC.
Successive governments have toyed with introducing a state ID card, but have always scrapped plans amid accusations of Big Brother behaviour and compromising civil liberties.
According to John Newton, a government consultant with Fujitsu Consulting, part of the problem with a government-sponsored ID lies in the letter of the law rather than just in culture.
"There's a long-held view in English law that you don't have to prove who you are. It's up to anyone who disputes your identity to disprove it," he explained.
"Although this may have been useful in some Victorian past, the modern world can only exist if services and facilities are used only by those entitled to do so.
"However, once you build processes around proof of identity, people will try to exploit these dishonestly."
Government IDs
But government-sanctioned ID cards are not completely unthinkable. In the UK, a photo driving licence was successfully introduced three years ago. Although it is already serving as an ID card for many people, it is not a catch-all mechanism.
The Home Office is also looking at an entitlement card, with the following broad objectives:
- Making it easier for you to prove your identity
- Countering illegal immigration and employment
- Combating identity fraud
- Allowing access to services
He foresees a model where you'll have a 'secure' driving licence if you drive, a 'secure' passport if you travel, and an ID card if you do neither. In short, multiple cards with one unifying platform.
This raises a lot of questions about processes to acquire information and ensure the integrity of that identity at the time of issue: to create and maintain secure information stores for validation that can't be copied; to make the scheme as counterfeit-proof as possible; and to make it acceptable to the public at large.
One example on trial is the Privium ID system, developed by Schiphol airport in Amsterdam in conjunction with the Dutch Ministry of Justice, as well as various police agencies around the world. It checks passenger details against criminal records prior to the card being issued.
Registration for the service takes 15 minutes and involves both eyes being scanned. Privium members are then given a smartcard which holds the 256 unique characteristics by which an individual iris can be recognised.
When passing through border controls, Privium members simply pass their smartcard through a checkpoint and these details are verified at another iris-recognition point.
Business and holiday travellers can save enormous amounts of time by not having to queue at passport control. The Privium service has more than 6,000 users, of which about 800 are from the UK.
Applications for ID cards
The everyday role of ID cards and card technology in the workplace is growing, as companies turn to authentication either to secure access to data, or simply automate the process of monitoring employee movements to ensure that their activities within the building are legitimate.
The problem with staff ID technologies is that, in many cases, they are not suited to all environments. Indeed, there are some workplaces where ID card technology could seriously hamper productivity, such as the health service.
"User authentication is a big, albeit tricky, issue in the health service," explained Nick Collett, Bluerose division manager at Xograph Imaging Systems, a UK supplier of medical imaging equipment.
"The dilemma is getting the balance right between security of systems, staff ease of use and protection of patient confidentiality."
The NHS presents an interesting test environment for applying security. Many records are still in paper form, and people from several different departments of a hospital or clinic will need contact with patient records, equipment and drugs during the course of a day.
ID card systems can be hard to implement in such a busy and often open-plan environment, but they can provide audit trails and secure access to certain parts of a hospital, such as the pharmacy.
"A hospital has many different systems inside it that often require multiple log-ins before staff reach the information required," said Collett.
"Smartcards and user ID swipe cards have been used for some time as methods of security that bridge all the log-ins.
"Thumbprints are a more sophisticated method of security being considered for the future that will ensure instant access to medical systems.
"However, in some areas of hospitals, where gloves are necessary and patients are in a critical condition, this route would not provide rapid enough access.
"The protection of patient data from unauthorised entry is a prime consideration within the health service.
"But this needs to be traded off against ease of use when caring for patients in a health-critical environment. It may be that there will always be a need for more than one approach to security in some areas of healthcare."
The legality of ID card schemes
According to Rupert Battcock, of law firm Nabarro Nathanson, there are three considerations any organisation must address before deploying an ID scheme in either purely digital or card form:
- Contractual issues: make sure that your smartcard provider is signed up to relevant service commitments, accepts appropriate liability, and meets appropriate security and other obligations.
- Data protection issues: ensure that the smartcard scheme operates within data protection laws. Many bodies will find it important not just to scrape by in terms of legal compliance, but to reach a high standard of best practice compliance under the Data Protection Act.
- Authentication requirements: there are several legal issues over authentication requirements and reliability.
Despite the various technical, social and cultural barriers to localised or national ID schemes, it appears likely that localised schemes will continue to grow in use, particularly as people try to consolidate the number of cards and official documents they have to carry.
"Identity is already being declared by the average person many times each day," said Fraser Thomas, chief executive at authentication technology developer Swivel.
"People don't mind having their right to be authenticated brought into play. The problem for the future seems to be about declaring your identity rather than just proving that you are entitled to do something or be in a particular place."
With that in mind, it would appear likely that we will move closer to a government-sponsored national ID card soon.
Given its role in provision and access to online services, it would have to either link in with an existing digital platform, such as Microsoft Passport or that proposed by digital ID consortium the Liberty Alliance, or use its own platform unique to the government and administered by a central independent body - an equivalent of the Bank of England and the Royal Mint, but for IDs.
"My guess would be that the government will make its case and we'll be having to get used to a national ID card within the next five years or so," said Newton.
Transport for London prepares to crack an oyster One of two schemes being introduced in the UK with government backing is the Oyster card, a Transport for London smartcard that forms part of an overhaul of ticketing systems used on trains, tubes and buses in the capital.
The body responsible for London's transport has adopted a contact-less smartcard system. Instead of inserting the card into a reader, data is read wirelessly by yellow proximity detectors fitted to buses and security barriers at underground stations.
The system is not too different to that used by many companies for ID and access cards, although it can hold more detailed information rather than basic flags for access.
Oyster cards don't need to be removed from purses or wallets to pass through tube gates or to board bus, DLR and Tramlink services. They cannot be de-magnetised and will last longer than card or paper tickets.
While not intended as a national ID card at launch, it provides a useful model that could be used in such a way, or at least built upon.
The platform being used for Oyster supports integration with online systems (in this case, the purchase of tickets and travelcards online in advance) and can contain far more information than existing magnetic tickets and travelcards. It is also far harder to forge or tamper with than a conventional laminated photocard.
As far as Transport for London and London Underground are concerned, the objectives of the Oyster scheme are to:
- Improve customer service.
- Provide better information about customers' travel patterns.
- Reduce opportunities for fraud.
- Offer greater flexibility for adapting or introducing fares and ticketing policies.
The Belgians are famous for something at last Use of government-issued and government-sponsored ID cards are already in limited use in mainland Europe.
Countries such as Greece and Belgium have used them as their main form of identification and authentication for access to government services and for international travel for several decades.
The Belgian government plans to overhaul its system, with the announcement of a new smart ID card, making it the first country in Europe to adopt digital technology for a mass-population document.
The card, which is the same size as a credit card, will include a picture of the user and a digital scan of their signature.
It will also feature a smart chip with an embedded digital certificate to allow citizens to communicate online with the government.
This not only involves the issue of a physical card, but ties in with a government-sponsored digital identity system. This has the potential to be used for single sign-on and single point of authentication by online services such as retail, banking and credit services, and by corporate ID systems.
The signature, based on public key infrastructure (PKI) technology, is robust enough to be used as an authentication method for a whole range of transactions online, including e-banking, paying taxes and even e-voting.
Belgium's ID card has already been absorbed into everyday life, as it is the key personal document needed to access government services such as social security payments and healthcare, as well as being necessary to get a job.
The project has been entrusted to security vendor Ubizen, with certification from Globalsign.
Ubizen is responsible for managing the complex infrastructure of the public key infrastructure system, something a government is not best placed to do because of the lack of skill and knowledge of technology and logistics.
"The PKI market has not delivered on its promise because the implementation and maintenance of an in-house PKI requires highly specialised internal staff," explained Ubizen chief executive Stijn Bijnens.
"What customers such as the Belgian government want are digital certificates to secure their applications. They don't want the hassle of implementing and maintaining a complex PKI environment."
Quelle: Vnunet
