Vehicle Identity

There have been a couple of identity related stories in the media over the past couple of days that grabbed my attention. First was the (long awaited, on my part) “identity” connection with John Darwin, in which it’s finally been revealed that he used a “Day of the Jackal” style identity switch to get a new passport.

For those that don’t know, this method is simply one of getting a replacement birth certificate for someone born at roughly the same time as yourself (so your physical age appears right for your new identity), preferably one who doesn’t have too many other formal records attached to them (Darwin managed to get a certificate for someone who died at a few months of age). All one needs to apply for a passport is, essentially, a birth certificate (which is a public record). What I find amusing is that this sort of “attack” was supposed to have been stopped – the BBC has a story on it from over four years ago… (although I confess that I’ve not checked exactly when Darwin got his new passport).

Darwin’s exploits were only secondary in my thoughts in comparison to the latest scandal involving UK Government departments and data leakage. This time round it’s the DVLA (Driver and Vehicle Licensing Agency) in Northern Ireland who sent unencrypted disks, via public courier to the agency’s head office (Swansea), which have gone missing.

Whilst there was a huge outcry over the recent events involving child benefit data, this seems to have attracted less attention, but it still may result in some major problems. I concede that events involving people directly, especially bank account details, and even more so when it involves children’s details, are more emotive, but much of the data leaked there was public record anyway (for anyone who thinks handing your bank details to a stranger is a bad idea I suggest you look at your chequebook sometime).

This case of data leakage contains car information – makes, models, colours, registration plates, chassis numbers &c – all of which is incredibly useful to someone wishing to clone a vehicle. Vehicle cloning is, apparently, on the increase, and the way that our systems handle this needs to be looked at. With the right information it wouldn’t be too difficult to make any car of the same model look like another – a quick respray and plate change should do it. The victim wouldn’t know until the fines start rolling in (or worse – the cloned vehicle is used for a more serious crime and the police come knocking at the door). Aside from the stupidity of sending unencrypted, critical data through public networks (whatever the channel), there are two things that come to mind about this situation.

Firstly, this highlights the problems caused by having an automated justice system with a reliance on cameras, IT systems and “business logic”. It’s something I’ve commented on before, but we’ve lost the human touch in security and law enforcement – a well trained, experienced (and well paid) policeman with the ability to make decisions and trust their own judgement is far better than a computer – when something is “wrong” they can tell and take action, and when someone innocent is “bending” the law they can take action without over-penalising them. If a vehicle is being used illegally there may be other ways to tell it’s cloned – most likely by cross-referencing the driver and car. This would require a stop and search, but with appropriately targeted action I don’t see the issue – and we take a far more scattergun approach to drink driving…

The second point is related to a comment I made previously about biometric identifiers in humans. Once an identifier has been cloned these are very difficult to correct for the victim – unenrollment is simply not possible. If someone uses my fingerprints for regular nefarious activity I can’t just change mine to avoid being arrested every few days – likewise, if my car is cloned I can’t (easily) change the major identifiers for it.

Essentially, in almost all areas of life, it is the reliance on automated systems, computers and oversight that creates the environment where identity fraud, car cloning (and worse crimes like human trafficking) can thrive. The presence of a human touch is the best deterrent to these crimes. I realise that modern life means a return to the days of seeing your bank manager to get a loan is unlikely – we have to deal with processes that scale well, but there has to be some element of humanity in every system – preferably close to where it interfaces with the people that really matter. Like everything else in security, it’s a trade-off.

UK DNA Database

This morning’s news sees a call from Lord Justice Sedley for all people in the UK including visitors to be required to submit DNA to the national database that is currently being populated. Sedley’s reasons for saying this are not primarily political, but more about fairness and removing the bias that exists in these systems, but regardless, I think this marks a dangerous move for the judiciary.

There are a number of potential problems with a DNA database, which will start to become more apparent as the number of records increases and technology moves on. A comment from Sedley demonstrates my biggest concern with any such database:

It also means that a great many people who are walking the streets and whose DNA would show them guilty of crimes, go free 

This displays the very real public opinion that DNA (along with fingerprints, for that matter) is infallible proof of guilt of a crime when, in fact, errors can be made at any stage of the process. DNA gets around – look in my car, for example: there are DNA samples from me, my family, my colleagues, the guy who changed a tyre recently and probably many more. If my car becomes a crime scene, just how many people will be under suspicion?

Taking this a step further, it’s already possible to plant DNA evidence (it’s easy enough to collect, as my car demonstrates) and at some point in the future it will be a trivial task to synthesise it, and no doubt to mask it as well. What needs to happen is that the police perform robust investigation, collecting real evidence and determining motive; DNA samples can never be anything other than circumstantial and should certainly not be used as prima facie evidence of guilt.

One of the biggest issues with any biometric identifier is that it is impossible to change – once my DNA (or my fingerprint) has been used for some nefarious purpose then I can never change it – and there could be someone who (within the bounds of scanning accuracy) is my genetic “twin”, to whom I am permanently linked. Every crime he commits would result in my arrest! We’ve seen this situation with the no-fly lists using names (which admittedly are certainly not as unique as DNA).

As with many of these discussions, it’s not the database itself that’s the problem, but the purposes to which it can be put. Unfortunately no legal restraints can be put in place that will guarantee such a system will not be abused and therefore I have little choice but to criticise the initial implementation – as I’ve done already with other systems in our “database state”. I do have nothing to hide, but there is still plenty to fear from this.

Fingerprinting Children

Over the past week the use of biometrics in schools (in particular) has received a lot of media attention – one of the key uses being to “pay” for school meals. Such a system has some big advantages – the reduction in bullying and the loss of stigma for those children who receive subsidised meals are two key benefits (the social inclusion element was a matter actually mentioned at this event).

The usual arguments for both sides were bandied around the media. My own initial thought on the matter was that it probably isn’t such a bad thing – after all, the full fingerprint isn’t stored in the system, and as long as data isn’t shared with other systems (the criminal justice IDENT1 programme, for instance) and is deleted at the appropriate time, then the privacy of the child can be maintained and the benefits realised (not that I have any faith at all in our Government not to actively encourage such data leakage).

It seems I wasn’t alone in this belief – Kim Cameron has written a series of posts on the topic (starting here) in which some of the myths about conventional biometrics are dealt with. This post in particular is instructive and shows how current biometric systems work – producing a template of the biometric with a known algorithm, against which a result is matched. For some reason I’d assumed that these systems worked more in the way of what I now know to be Biometric Encryption (link to PDF by Ann Cavoukian and Alex Stoianov), but this is obviously not the case!

Kim follows this up with a further explanation from Cavoukian and Stoianov which describes how easily standard biometric templates can be matched across discrete databases – even when there is no explicit link between them!

“The linking of the databases can be done offline using template-to-template matching, in a very efficient one-to-many mode.”

Kim concludes with the statement

I had not understood that you can so easily correlate conventional biometric templates across databases. I had thought the “fuzziness” of the problem would make it harder than it apparently is. This raises even more red flags about the use of conventional biometrics.

This is where my provisos on when this is acceptable come in – identity data, and biometrics in particular, need to be handled with sensitivity (even more so when it concerns children), but even with the right political and economic safeguards the technology has to be correct. As things stand we have a scenario where inadequate technology is being used for unsuitable purposes under the umbrella of a “higher goal” that is ill advised at best.
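The correlation Cavoukian and Stoianov describe above is straightforward to reproduce. The following is an added example, not code from the original post nor from any of the authors, products or programmes it mentions. It simulates two unrelated systems that enrol the same people using a conventional binary template (iris-code style), gives each system its own opaque record IDs with no field in common, and then links the two databases offline by one-to-many template-to-template matching. The template length, capture noise and match threshold are assumed values chosen so the simulation is deterministic; the record ID formats and the “meals” system name are constructed for the example.

```python
import hashlib
import random

TEMPLATE_BITS = 256    # length of the binary template (assumed, iris-code style)
CAPTURE_NOISE = 0.10   # fraction of bits that differ between two captures of one person (assumed)
LINK_THRESHOLD = 0.30  # normalised Hamming distance below which two templates are called a match


def capture_template(true_features, rng):
    """Simulate one enrolment capture: the person's underlying feature bits plus independent
    per-capture noise, so two enrolments of the same person are similar but not identical."""
    return [bit ^ int(rng.random() < CAPTURE_NOISE) for bit in true_features]


def normalised_hamming(a, b):
    """Fraction of template bits that differ; the matcher used inside a conventional system."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def build_databases(n_people, rng):
    """Two unrelated systems (a school meals system and some other enrolment, both constructed)
    capture the same people and assign their own opaque record IDs in their own order.
    Nothing but the template itself is shared between the two databases."""
    people = [[rng.randint(0, 1) for _ in range(TEMPLATE_BITS)] for _ in range(n_people)]
    order = list(range(n_people))
    rng.shuffle(order)
    db_a = {f"meals-{i:03d}": capture_template(p, rng) for i, p in enumerate(people)}
    db_b = {f"rec-{order[i]:04d}": capture_template(p, rng) for i, p in enumerate(people)}
    truth = {f"meals-{i:03d}": f"rec-{order[i]:04d}" for i in range(n_people)}
    return db_a, db_b, truth


def link_databases(db_a, db_b, threshold=LINK_THRESHOLD):
    """Offline template-to-template matching in one-to-many mode: every record in A is compared
    with every record in B and the nearest one is kept when it falls under the threshold."""
    links = {}
    for id_a, template_a in db_a.items():
        id_b, distance = min(
            ((id_b, normalised_hamming(template_a, template_b)) for id_b, template_b in db_b.items()),
            key=lambda pair: pair[1],
        )
        if distance < threshold:
            links[id_a] = id_b
    return links


def linkage_accuracy(links, truth):
    """Share of records in A correctly re-identified in B."""
    correct = sum(1 for id_a, id_b in links.items() if truth.get(id_a) == id_b)
    return correct / len(truth)


def hashed_templates_match(template_1, template_2):
    """Why simply hashing the stored template does not help: two captures of one person differ in
    a few bits, so their hashes differ and the system can no longer match them at all. A template
    that stays matchable within one database therefore stays linkable across two."""
    digest_1 = hashlib.sha256(bytes(template_1)).hexdigest()
    digest_2 = hashlib.sha256(bytes(template_2)).hexdigest()
    return digest_1 == digest_2


def run_demo(n_people=50, seed=2007):
    """Build the two databases, link them, and return everything for inspection."""
    rng = random.Random(seed)
    db_a, db_b, truth = build_databases(n_people, rng)
    links = link_databases(db_a, db_b)
    return {"links": links, "truth": truth, "db_a": db_a, "db_b": db_b}


if __name__ == "__main__":
    result = run_demo()
    print(f"linked {len(result['links'])} of {len(result['truth'])} records, "
          f"accuracy {linkage_accuracy(result['links'], result['truth']):.0%}")
```

The point the simulation makes is structural rather than a property of one vendor’s algorithm: a system has to tolerate the fuzziness between two captures of the same finger, so the stored template must remain matchable, and whatever is matchable within one database is matchable across two. `hashed_templates_match` shows why a plain hash of the template is not an answer, which is the gap the Biometric Encryption work linked above sets out to close.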

Identity Discussion

On Thursday evening I attended an event hosted by Oracle in London – “Information Security and ID Management Strategies” – as part of their architect’s club (the first I’d attended).

Apart from being an excellent networking opportunity (to which I stupidly forgot to take business cards!) there were a couple of excellent speeches from John Madelin (formerly of RSA, but who now works for BT) and Des Powley (of Oracle), before a rigorous Q&A session. Madelin’s presentation was a very “blue skies” look at identity federations and how that will change with the increasing connectedness of our world – one thing that was very significant was the use of the word fragments to describe the separate parts of one’s identity. We increasingly find that those fragments are being pieced together to allow others to see a whole that in many cases the owner of an identity themselves cannot view.

The Q&A session introduced Toby Stevens (along with the other speakers) and the questions came forth from a surprisingly willing audience! First and foremost on people’s minds when the word identity is used seems to be that of ID cards, but what I think becomes very clear is that these are merely representational of the process of de-fragmenting identity, but on a large scale, in the current guise. Identity on a national scale should be about enabling, not just access control (which tends to be the focus of corporate identity projects), and there needs to be a part of that focusing on privacy aspects – it’s not desirable to have everyone knowing everyone’s business! There were some wonderful examples given of where privacy is paramount, but where individuals require access to services (therefore the system must adhere to Law 2 of Kim Cameron’s Laws of Identity, disclosing the least amount of data required). This is very much at odds with most people’s concept of an ID card – and certainly at odds with what the Government is proposing (the idea of allowing privately owned stores to read data from a card when a purchase is made is ludicrous!)

Right at the very end of the session, the question was raised of how the concept of roles fits into this, but unfortunately the discussion was brought to a close… My own take on this is that identity is best dealt with in classes (or roles) of individuals – a good (my favourite) example of this is the case of a person wishing to buy beer. The thing that the bar tender requires is NOT proof of age, but merely that the person presenting the card is over the age of eighteen, presumably verified by a trusted third party (of course there must be some authentication method present; I’d expect a visual one would be adequate for this!). In this parlance the bar habitué needs to belong to the role of “Over 18s”, but no other data are released during the transaction – using current identification methods there are data leaked (a driving licence contains an address, DOB, endorsements etc). This convergence of roles into the wider identity space is something I think should be explored further.
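A sketch of the beer purchase as a role claim, added here as an example and not part of the original post or of any product discussed at the event: a trusted third party holds the full record (roughly what a driving licence carries), evaluates the “over 18” predicate itself, and issues a short-lived claim containing only the role, an expiry and a hash of the holder’s photo to support the visual check. The bar tender verifies the claim and learns nothing else. The record, the field names, the photo-hash binding and the key are all constructed for the example; the issuer authenticates claims with an HMAC over a shared key so the script runs on the Python standard library alone, whereas a real issuer would use a public-key signature so that verifiers can check claims without being able to mint them.

```python
import datetime as dt
import hashlib
import hmac
import json

# Assumed issuer key. A real trusted third party would sign with a private key and publish the
# public key so that a bar can verify a claim but never create one; an HMAC over a shared key is
# a stand-in that keeps this example on the standard library.
ISSUER_KEY = b"example-issuer-key-not-for-production"

# Constructed identity record, roughly what a driving licence carries. None of it reaches the bar.
FULL_RECORD = {
    "name": "A. Example",
    "address": "1 Example Street, Exampleton",
    "dob": "1985-06-15",
    "endorsements": ["SP30"],
    "photo_hash": hashlib.sha256(b"constructed photo bytes").hexdigest(),
}


def is_over_18(dob_iso, today_iso):
    """Predicate evaluated by the issuer, never by the bar. Handles a 29 February birthday."""
    born = dt.date.fromisoformat(dob_iso)
    today = dt.date.fromisoformat(today_iso)
    try:
        eighteenth = born.replace(year=born.year + 18)
    except ValueError:  # born on 29 Feb; the birthday falls on 1 March in a non-leap year
        eighteenth = born.replace(year=born.year + 18, month=3, day=1)
    return today >= eighteenth


# Each role maps to a predicate over the full record; the relying party never sees the inputs.
ROLE_PREDICATES = {"over18": lambda record, today_iso: is_over_18(record["dob"], today_iso)}


def _canonical(body):
    """Stable serialisation so issuer and verifier authenticate exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_role_claim(record, role, today_iso, valid_days=1):
    """Trusted third party: checks the predicate against the full record and releases only the
    role, a short expiry, and a photo hash tying the claim to the face the bar tender sees."""
    if not ROLE_PREDICATES[role](record, today_iso):
        return None
    expires = dt.date.fromisoformat(today_iso) + dt.timedelta(days=valid_days)
    body = {"role": role, "expires": expires.isoformat(), "photo_hash": record["photo_hash"]}
    sig = hmac.new(ISSUER_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def claim_to_wire(claim):
    """What actually crosses the bar: no name, address, date of birth or endorsements."""
    return json.dumps(claim, sort_keys=True)


def verify_role_claim(claim, required_role, today_iso, presented_photo_hash):
    """Relying party: authentic, unexpired, the right role, and bound to the person presenting it."""
    body = claim["body"]
    expected = hmac.new(ISSUER_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, claim["sig"]):
        return False
    if body["role"] != required_role:
        return False
    if dt.date.fromisoformat(body["expires"]) < dt.date.fromisoformat(today_iso):
        return False
    return body["photo_hash"] == presented_photo_hash


if __name__ == "__main__":
    claim = issue_role_claim(FULL_RECORD, "over18", "2007-01-10")
    print("presented at the bar:", claim_to_wire(claim))
    print("serves beer:", verify_role_claim(claim, "over18", "2007-01-10", FULL_RECORD["photo_hash"]))
```

Two things worth noticing. The date of birth is consumed at the issuer and never leaves it, so a bar that logs every claim it sees still accumulates nothing but “someone over 18 was here”; and the short expiry plus the photo binding are what stop a claim being lent to a friend, which is the part a real deployment has to get right rather than the cryptography.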

Perhaps the best thing to come out of the event was a realisation by some of my more sceptical colleagues that privacy IS important after all, and that bodes well for persuading the general public.

Addendum (14/11/06 @ 00:28): Paul Toal was also there.

Identity Metasystem Demo

Kim Cameron’s Identity Weblog » Ping’s Identity Metasystem demo

This is well worth seeing for anyone with an interest in where digital identity is going. The demo itself shows CardSpace (if there’s anyone who hasn’t seen it yet!) along with interoperability between a number of applications. The guys at Ping have done a great job with this and I’d hope this brings together these various strands of identity management (it’s certainly helped me, not least from an architectural point of view). Things are starting to look very exciting!

Open or Siloed Identity?

Kim Cameron’s Identity Weblog » GOOGLE’S AUTHENTICATION VERSUS MICROSOFT’S LIVE ID

I was fortunate enough to hear Kim talk at the MS Security Summit I attended today. Whilst I thought I had a pretty good understanding of Infocards/“Cardspace” and the Identity Metasystem, hearing it explained in this way was very useful and I’ve left with an even greater understanding. Whilst the demos were obviously using the Microsoft implementation of the ideas, the openness of the system was evident, as was the effect that this will have on our industry in the future. I’ve a couple of technical questions that have come up, but I’ll get back to those later (and unfortunately I’d been booked to be elsewhere this afternoon so was unable to hang around for questions in person!)

Having seen this post tonight (one of the best things about RSS feeds is that I can miss a few days and have everything sat waiting for me to catch up!), it’s a striking comparison between the two giants’ approaches to the problem. I’ve previously written about how the trust in the two companies is different and it’s been noted again that, perhaps at least part of the reason for the new Microsoft open approach is the failure of Passport (as an Internet-wide universal Identity, at least) whereas Google thinks it can avoid those same mistakes with its siloed identity systems (Google seems to be increasingly arrogant in all areas of its business).

One thing that does worry me is that one of the reasons, IMHO, that Passport failed was that by that time, Microsoft’s reputation was already low – security was always a problem in Windows. In contrast, Google has an almost unhealthy positive reputation amongst most web users. They are quite capable of churning out substandard products and services that somehow get rave reviews in the media and from a certain group of people – whilst there is another group becoming more suspicious (and critical) of Google and everything it does. Unfortunately I get the feeling that this second group is suffering from the echo-chamber effect of the blogosphere and not much is getting out to the wider world. Given this, it’s entirely possible that the Google way could gain some traction, despite the activities of all those involved in the work so far – maybe some more publicity is required to prevent this from happening..?

Rohan Pinto also points to Kim’s post.

Addendum: Paul has already asked the questions I wanted to.