Apparently, national identity cards are going to be equipped with PINs. Unlike Justin, I don’t think this is as bad an idea as he makes out; in fact it serves one very useful purpose, namely that it correctly sets apart the separate concepts of identitifcation and verification – the former being who you are, the latter how you prove it. With a purely biometric system, relying on your fingerprint, iris scan, face scan etc., if something goes wrong and the system starts getting false positives – i.e. someone else is being mistaken for you, either by accident or by malice, you can’t get a new eyeball or set of fingers. But if you or the card issuer think your PIN has been compromised, then you can change it or have a new one reissued (This seem familiar? It’s because I have gone on about this before).
Of course, Justin points out the many problems of PINs which I’m sure we all know or love – they can be forgotten, snooped upon – either via a hacked device or from an insider, or even the good old-fashioned “look over your shoulder while you enter your PIN, then nick your wallet” approach. What really matters is what the mechanism is when fraudulent or mistaken transactions are made, and who is liable for the error; it isn’t just the PIN that matters, but it combined with all the supporting systems around it. With credit cards (at least for purchases, though not for ATM transactions), liability lies with the issuer for not correctly verifying your identity (I bet they really hate that). With identity cards, the liability as the Bill currently lays out is with… you. The Bill puts all liability for possible errors or mistakes with the cardholder*, not the government nor the technology provider, assuming that the system will be perfect and any error is entirely down to the individual concerned.
Still, I keep on reminding myself that the cards themselves are only a small part of the matter; while the technical problems with them are important, particularly as many citizens’ own experience of the system (and any problems) will be from direct use of the card; possibly more pernicious is the possibility of errors in and malicious use of the National Identity Register itself. Which leads me onto a vaguely related note, which is that the police have cottoned on to using Oystercard data in their investigations; which is fine if used for criminal investigations and requests are made and judged on a case-by-case basis. Give it a few years and some function creep, and it could be quite possible it will be used for pre-surveillance as well. All the other components for an automated Big Brother system are in place – your name and address are held by TfL (as most Oystercards are registered), and they have access to 1,400 or so CCTV cameras; hook them up together (with some route prediction software too, maybe) and you’ve got a way of tracking people in a near-real time basis. Maybe. I could just be paranoid.
Right, enough about ID cards. Next up: Kanye West. No, really.
* Actually, the Bill is mainly concerned with mistakes on the register, rather than mistakes with the biometric stored on the card; but given the government’s reluctance to accept responsibility for the former I doubt it will take much responsibility for the latter either.