IDiot Cards
Saturday, November 24th, 2007One of my pet topics has bubbled to the forefront of media attention in Britain over the past week. The reason for this was a howling blunder on behalf of the HMRC governmental department (Her Majesty’s Revenue and Cockups) who managed to mislay personal details of 25 million UK citizens including their names, addresses, date of births, National Insurance numbers and bank account details. A junior official at HMRC was able to download this information onto a couple of CDs and pop them in the regular post, where of course they subsequently disappeared. Oops.
This is the same government advocating compulsory ID cards for all UK citizens, that will contain substantially more information than was on these CDs. But this argument is well trodden, and I am against ID cards for reasons more fundamental than of potential fraud: it is the wrong relationship between the citizen and the state: they do not own us – they work for us.
Ethics aside, it is also doomed to failure. As long as humans are humans, we will always be susceptible to error – an asset for evolution, but not so hot for super-sized security logistics. It only takes a single error for any national identity scheme to be compromised. Once the data is out there, it can never ever be retrieved.
Human error within the “system” is only one potential fallibility, the other is the system itself. Ministers are touting biometric data as the silver bullet to fraud prevention. They point towards finger print data (pardon the pun) as a means of secure authentication. The fact that you can replicate someone’s fingerprints using encoded data on a biometric chip, some cryptographic know-how and a £12.50 trip to Maplin’s seems to have been conveniently ignored. If we rely solely on this kind of technology in the future then we’re in for Trouble.
And don’t expect the banks to look after you either, they care as much about security as turkeys do for Christmas. For example, when I phone my bank I am asked a series of “security” questions for authentication. Fine, no problem. But whenever the bank phones me, they still ask for the same authentication! This is so utterly, utterly stupid. I could phone up anyone pretending to be from a bank and demand all sorts of personal information. Banks fail to understand that authentication is a 2-way process.
Not that authentication seems to bother HSBC too much either. About a month ago I received a letter, addressed to “Ms X” at my address. As Ms X has never lived here I phoned the bank to see what was going on and to suggest that someone was using my address for potentially fraudulent purposes. Next week I received 2 statements and a paying-in book. Another phone call to the “fraud” department, in New Delhi. A few days later, a cheque book arrived. Another phone call. The following week, a PIN number arrived in the post as did a note from a courier attempting to deliver a credit card. Another phone call to HSBC. There has been nothing for a few days now so perhaps they’ve got the message, but I wouldn’t trust this bunch of fools with my money if that’s the way they treat fraud.
I fear that the ID cards issue has now become too politicised to be debated rationally. Yes we need an alternative to using utility bills for authentication, and there are many things we can all do to achieve this – using a little common sense for a start – but investing in billions for a system that could be outwitted by bowl of bananas certainly isn’t the answer.