Pin-up

16 March 2006

Apparently, national identity cards are going to be equipped with PINs. Unlike Justin, I don’t think this is as bad an idea as he makes out; in fact it serves one very useful purpose, namely that it correctly sets apart the separate concepts of identitifcation and verification – the former being who you are, the latter how you prove it. With a purely biometric system, relying on your fingerprint, iris scan, face scan etc., if something goes wrong and the system starts getting false positives – i.e. someone else is being mistaken for you, either by accident or by malice, you can’t get a new eyeball or set of fingers. But if you or the card issuer think your PIN has been compromised, then you can change it or have a new one reissued (This seem familiar? It’s because I have gone on about this before).

Of course, Justin points out the many problems of PINs which I’m sure we all know or love – they can be forgotten, snooped upon – either via a hacked device or from an insider, or even the good old-fashioned “look over your shoulder while you enter your PIN, then nick your wallet” approach. What really matters is what the mechanism is when fraudulent or mistaken transactions are made, and who is liable for the error; it isn’t just the PIN that matters, but it combined with all the supporting systems around it. With credit cards (at least for purchases, though not for ATM transactions), liability lies with the issuer for not correctly verifying your identity (I bet they really hate that). With identity cards, the liability as the Bill currently lays out is with… you. The Bill puts all liability for possible errors or mistakes with the cardholder*, not the government nor the technology provider, assuming that the system will be perfect and any error is entirely down to the individual concerned.

Still, I keep on reminding myself that the cards themselves are only a small part of the matter; while the technical problems with them are important, particularly as many citizens’ own experience of the system (and any problems) will be from direct use of the card; possibly more pernicious is the possibility of errors in and malicious use of the National Identity Register itself. Which leads me onto a vaguely related note, which is that the police have cottoned on to using Oystercard data in their investigations; which is fine if used for criminal investigations and requests are made and judged on a case-by-case basis. Give it a few years and some function creep, and it could be quite possible it will be used for pre-surveillance as well. All the other components for an automated Big Brother system are in place – your name and address are held by TfL (as most Oystercards are registered), and they have access to 1,400 or so CCTV cameras; hook them up together (with some route prediction software too, maybe) and you’ve got a way of tracking people in a near-real time basis. Maybe. I could just be paranoid.

Right, enough about ID cards. Next up: Kanye West. No, really.

* Actually, the Bill is mainly concerned with mistakes on the register, rather than mistakes with the biometric stored on the card; but given the government’s reluctance to accept responsibility for the former I doubt it will take much responsibility for the latter either.


5 Responses

The BBC report on Oyster Card data says:

“A Transport for London spokesman said: “Very few authorised individuals can access this data and there is no bulk disclosure of personal data to third parties for any commercial purposes.”"

This does not8,500 or so currently installed still mostly analogue CCTV cameras is the antiquated nature and lack of modern high speed data networks , a situation which is changing daily, and their collective incompetence.

This does not preclude the use of Oyster card centralised database trawling under the “national security” and “for the prevention or detction of crime” loopholes in the Data protection Act and the Human Rights Act.

There are now around 8.500 CCTV cameras installed by Transport for London

(apologies for the errror above, but there is no preview option)

Niels Rakhorst

I take your pointabout being able to change your PIN, where you can’t change your eyeball, but I think you’ve missed a point. You mention credit cards as an example, which is what most people will use PINs for, but credit cards exist to prove you (whoever you are) have access to money to pay for stuff, regardless of who you are. The PIN verifies that you are the account holder, near enough.
However ID cards are being introduced as a form of ID. The government has quietly dropped the anti-terror pitch, and has focussed on the use of these cards to fight identity theft, benefits fraud, that sort of thing.
Putting a PIN on and ID card is like having to use a second PIN with your credit card. In doing so the government has quietly admitted that they will do no such thing, in themselves. The system will be vulnerable to forgery and/or error, only mitigated through the PIN system.

By not admitting this outright, they do not allow us to choose meaningfully. In fact, it makes them look a bit suspicious, since the scheme is even less valuable than advertised.

Using PINs for ID cards has been mooted for a while, and every time it’s mentioned it’s made to seem like a big climb-down; now, obviously from the point of view of somebody who wants to see the scheme fail, preferably before implementation, that’s not a bad thing, but it is slightly misleading.

The previously-advertised fantasy was that all checks against the cards would be biometric, so that (e.g.) if you go to the doctor, or a job interview, or want to withdraw some money from your bank, you have to present your card and have your fingerprints read or whatever. Now, even supposing that every site where readers are deployed also has a fingerprint scanner, there will still be a significant number of cases where people’s fingerprints don’t read correctly right then — the reader may be dirty, or broken, or the subject’s fingers may have been injured, or maybe they don’t have fingers, or their fingerprints didn’t read correctly when they were originally enrolled. At the moment the biometric technology is pretty unreliable (especially at the level of cheap off-the-shelf devices, which these will have to be if there’s to be significant take-up); now, presumably it’ll improve over time, but there’s always going to be some error rate at time of reading.

So whatever happens you need to have a fallback from the biometric “authentication” for the cases where it doesn’t work. PINs are no worse a choice than some other alternatives. Of course, if a PIN is good enough — and since there are some people for whom and locations at which the biometric technology will never work, so PINs will have to be — why bother with the biometrics for authentication at all? (This is separate from the argument about preventing multiple enrollment.)

Another question to ask here is, what is the cardholder being protected from by being made to enter their PIN or supply their fingerprints or whatever? Typically the argument is something about your card being stolen and used to impersonate you. But — and in fairness, this is something that almost all institutions which care about identity spend a lot of effort trying to obfuscate — in that case it’s not your problem, but the problem of the organisation which has let itself be fooled by a stolen ID card. From the point of view of the cardholder, one-factor authentication (show the card) is no more or less “secure” than two-factor authentication (show card and type PIN / present fingerprint).

Robin Of Loxley

PINS, fingerprints, eye scanners, don’t need any of ‘em…If, when ID cards become compulsory, and I am asked to prove who I am, I will simply point the askee to the nearest Tesco supermarket, because it seems that Lady Porter’s chums know more about me than I do, being as how they are busy collecting info. about us all…So who needs ID cards?

If you think that this comment is rubbish, you should read my blog…It’s worse!