Let's get the design out in the open.
Following on from my last posting on ID cards (and the National Identity Register), one of the points in our consultation response (and made in comments as well) is that 'security by obscurity' is a bad idea. From the official consultation response:
"In particular, the BCS view is that commercial confidentiality and project expediency are not sufficient reasons for a lack of public scrutiny. Whilst hidden design elements may be of some limited benefit to security, highly-effective secure architectures can be openly published without compromising security. The reverse may be true, in that wide scrutiny with benign intent and effect is only possible in an open environment, while malicious scrutiny may not be overly-hindered by attempts to conceal designs."
Security guru Bruce Schneier makes a similar point, rather more forcefully, in a Guardian article on the cracking of the technology behind Oyster cards. He points out that the company relied in part on the secrecy of its design, and that once the design became public it was clear that it was in fact cryptographically weak. In his words:
"The security of Mifare Classic is terrible. This is not an exaggeration; it's kindergarten cryptography. Anyone with any security experience would be embarrassed to put his name to the design."
The idea of a design being more secure if it is in the public domain is somewhat counterintuitive - at least to those of us outside the rarefied world of information security. Putting it bluntly, if the design of the national identity scheme is out in the open, then it can be scrutinised, tested and refined, and so made highly secure. Not perfect, but better. If it is secret, and a flaw is discovered (as with the Oyster system), then the entire system could collapse. In the case of the ID card system, what will it take with it?
Therefore, it is vitally important that the fundamental design is in the public domain.
Comments (7)
"Therefore, it is vitally important that the fundamental design is in the public domain." I couldn't agree more. Perhaps the BCS could ask the Home Office's "Development Partner", PA Consulting, to share the design with some of their technical experts? Having spent several years and tens of millions of pounds, I'm sure the design must be in pretty good shape by now.
Whilst I am principally against ID cards in their current form, I do share this article's point of view. If we are going to be forced into some form of central ID card, it is important that there can be scrutiny of the system before it is implemented. Not just from UK professionals but from international professionals. If we go down this road I would go further; I would like to see it created under a GPL, after all we are paying for it and the system could become a national resource. I do wonder how this concept relates to current ID systems such as Passports and the DVLA. Should the same principles not be applied retrospectively to these systems, as the ID system is only as strong as its weakest link. What is the Author's opinion? -p
For those involved in engineering open standards, the huge benefits are obvious. For those concerned with contract negotiations and, let's face it, politics, the benefits of openness are obscured and set against more pressing and complex issues. Fundamentally, what is required is not a simple decision to open up designs, but a restructuring of the approach to public sector IT procurement. Interestingly, I think this new paradigm is deeply embedded in the www.showusabetterway.com project.
David, I am a long-time BCS member and am deeply dissatisfied with the Society's "politically correct" stance on ID Cards. The issue is not to do with the technology, but rather who controls the technology -- in a word, 'trust'. For example, would you be happy for your 9-year-old daughter to have her DNA registered against her national ID? After all it might mean she gets quicker/better medical treatment. However it might also mean the same data is used years later to discriminate against her when she is 19 and looking to gain work, or 29 and looking to take out a mortgage. Unfortunately when you give data away you can never get it back. Not without a time machine. For many, the issue boils down to 'Is it wise or even ethical to trust all future governments with our most personal information'. This fundamental aspect is not being brought to the debate. I feel that the BCS is in a unique position to do so and make a stand, even if it is unpopular with the Government of the day. To not do so is a serious failing, with the consequence that the Society is unfortunately seen as increasingly irrelevant to this issue. Sadly, if ID Cards are forced through, and liberties lost (inevitable problems) then the day will come when people will ask, what was the BCS doing about this? regards, Nemo
Thanks for the comment, Nemo, and I certainly do sympathise with your position. To some extent, you're right that there is no barrier to BCS commenting on an issue except that which we apply to ourselves. Yet we do have to draw a line, and won't satisfy everyone over where we do so. The question you put is a good one - "Is it wise or even ethical to trust all future governments with our most personal information". But is it a question within the domain of expertise of IT professionals? Perhaps to some extent, but only peripherally. This is a question more for philosophers, political scientists, politicians and lawyers. If none of them were publicly discussing the topic, then maybe there would be an onus on BCS to raise it. But they are, and loudly. What do we add to that? We add our view as IT professionals on the areas where we have collective expertise, which is the intention behind that consultation response. I can certainly understand why that looks like political correctness or even cowardice, but what I believe it to be is actually ethical behaviour on our part! I stand to be corrected, however...
Am I the only one just a little bit worried that PA Consulting, responsible for the ID card security and national database, is the same company that has just lost a memory stick with UK prisoners' data unencrypted? They should have known that it was totally inappropriate to hold such sensitive personal data in plain text form. If that can go missing and their ID design relies in any way on security through obscurity then we are already sunk. The design and in particular the cryptography behind it needs to be scrutinised by the world's best academic experts if it is to stand any chance of holding up against determined attack. If they ever manage to get it working I think the national database will fail by a much simpler human factors insecurity - an unencrypted database copy lost by contractors.
Martin - you're not the only person that's worried, I'm sure. Fundamentally, this is about a failure to appreciate one of the points made in the BCS 'Trustworthy e-Government' project, which is that when you concentrate such large amounts of information you generate huge levels of risk. To some extent that's fine, but you have to protect it to a level commensurate with the risk. If you do that, it may well be so expensive as to not be worthwhile. In other words, do it properly or not at all!