Australia’s new ID cards
p2p news view / p2pnet: Good lord, not again! Australia is looking to introduce a national identity card, as reported by the Sydney Morning Herald a few days ago.
The Australian Prime Minister, John Howard, is again dragging out the tired old "It’ll make us safer" reasoning, and rather than just whinging about vague civil liberty issues, we should be focusing on specific civil liberty issues and the fact that a national ID card will not actually make us safer at all.
Bruce Schneier, founder and CTO of Counterpane Internet Security, wrote an excellent essay on national ID cards a few years ago in which he unequivocally states, "everything I’ve learned about security over the last 20 years tells me that once it is put in place, a national ID card program will actually make us less secure."
As he states, security isn’t measured by how well it works, but by how badly it fails.
Anybody who remembers the complete systematic failure that allowed the 9/11 attackers to carry out that devastating attack on America will agree on this point. In such cases, 99% effectiveness is as good as having no security at all: try telling the grieving families you "almost" stopped the hijackers.
Also, if this really is going to be The Last Card You’ll Ever Need, the technology for reading these cards is going to be commercial and widely used. And you can be sure that when the Most Secure Card Ever arrives, there’ll be a very small, very smart group of people who’ll make it their sole aim in life to hack that card. It can’t NOT be hacked because the incentive to exploit the uber-card will be absolutely huge.
You could be one of maybe a dozen people carrying an un-fakeable fake ID. You could slip through the cracks, rent a truck and…
That’s actually a bit sensationalist because to get the new ID, you have to prove who you are using all the currently available and (according to the government) incredibly insecure forms of ID out there at the moment. People with fake IDs now can simply upgrade them and their second identities will go into the database along with everyone else’s.
And that brings us to the database. There’ll be literally thousands of people with varying degrees of access and some of them will abuse that access, whether for personal gain ("Mmmm, free holiday in Fiji in exchange for medical info"), social engineering ("Hi, this is Jack and I forgot the password for my social security login") or plain incompetence ("Do we really have to wipe these old hard drives twice before sending them to auction?").
Take a look at how seriously we take security now, where stolen laptops can compromise the personal information of hundreds of thousands of people and say "that will never happen here" while keeping a straight face.
Leaving internal security aside for a moment, does anybody really expect the database to actually be accurate? Only 4% of Australian organizations have someone who’s ultimately responsible for the accuracy of their data, according to Australian data quality software company QAS, so the likelihood that even basic information, such as the spelling of your last name or your home address, will be wrong is pretty high, and cause for justifiable concern.
And let’s not forget "function creep" either.
A fantastic example of function creep is copyright. It used to be about letting authors exploit their work for a limited time, but it’s evolved into a system whereby the author’s great grandchildren never have to work a day in their lives (also known as About A Boy Syndrome). Someone, at some point, will suggest that including sexual orientation on the ID cards would be a really good idea (probably for welfare administration), but I’m betting that religion will get on there first.
And even after all that, there will still be screw ups because IDing people is a fucking boring job.
Only last week I was out on the town with some mates and at the first place we went to, the doorman handed back my ID to my friend and my friend’s ID to me. We visited four other venues and it was only when we were trying to get into the last one that the doorman twigged that we were holding each other’s driver’s licenses. That’s three people in a row who didn’t look at the photos printed clearly on our cards before letting us through the doors. I really hope we have airport guards who are a bit more switched on.
But at $9 per hour after tax, I wouldn’t be paying much attention either.
In the file sharing world, we’ve known since the fall of Napster that centralization is bad. Napster couldn’t withstand attack from a determined foe and it would be naive to think the inevitable database that holds all the information will not be a target for hackers, viruses and well coordinated DDoS attacks.
Decentralised p2p hasn’t been shut down even with the RIAA, MPAA, BPI, ARIA, CRIA, etc, throwing millions of dollars at the (alleged) problem.
Grid computing is starting to take off because (get this) it’s a really good way of handling and processing lots and lots of data.
Why in God’s name are people seriously proposing that we ignore these new processes and revert back to the old systems that we’ve been trying to get away from?
And as Bruce Schneier asks, "what good would it have been to know the names of Timothy McVeigh, the Unabomber, or the DC snipers before they were arrested? Palestinian suicide bombers generally have no history of terrorism. The goal here is to know someone’s intentions, and their identity has very little to do with that."
Maybe a national ID card would have been a good idea when John Howard opposed it back in 1985, but as he’s telling us now, "the world is a very different place" and we shouldn’t be trying to have an American-style national "feel good" drive anyway.
ID cards have no place in Australia today.
Alex H, p2pnet – Sydney, Australia
[Alex is an operations manager for an ATM (automatic teller machine) supplier and he specialises in infrastructure development and maintenance, and logistics. He's also an[other] active member of the Shareaza community. He also runs the Tech Loves Art blog on which you’ll find previous p2pnet posts as well as other good stuff.]






April 28th, 2006 at 8:10 pm
have no place ANYWHERE!!!!!!!
April 30th, 2006 at 4:12 pm
The aspect to National ID cards that gets little attention from the politicians (likely because they have no clue of their workings) is the back end of the system, or the so-called “data base”. I sincerely doubt that it would be possible to select a single platform, database product, Query language, report generator, debugger (yes, you will absolutely need this), etc, let alone develop a schema for a single data base to fulfill all of the requirements that all of the bureaucrats, security apparatchiks, pointy-headed academic researchers, and pointy-haired bosses (like Dilbert’s) are going to ascribe to “The Database.”
Rather, it’s going to be what it is now, a collection of disparate, poorly networked (if at all), incompatible data repositories on a myriad of different platforms, implemented with many different incompatible products, protocols, character sets, query languages, and record structures with data that’s experienced little or no quality control that will produce mounds of errors upon any attempt at correlation. It will also likely lead to the misidentification of law-abiding citizens as criminals, faithful taxpayers as tax dodgers and cheats, and dedicated philatelists as perverted pedophiles.
Perhaps it would be a good idea to get all the “gee-whiz, techno-gizmo, hocus-pocus, nerdy geek stuff” working first before we start handing out the ultra-secure, tamper resistant, forgery-proof, unalterable, impact resistant, waterproof, stain-resistant, launderable, smart-chipped, self-repairing uber-duber cards? You know, like MasterCharge (now ‘card’) and BankAmericard (now Visa) and Amex and Diners Club did BEFORE they started issuing simple plastic charge plates (without mag stripes) embossed with one’s account number and name, back in the days of key punches, card readers, and line printers. Just a suggestion.
–TurboGeek
(If my suggestion is adopted into the law authorizing such ID cards, it will be at least two decades before the first one is issued given the way government bureaucracies pile requirements onto newly enacted ‘mandatory’ programs. SSSSSHHHHHH!!!!!)