ID Cards

Germany is introducing new ID cards with embedded RFID. This being the case and despite the current UK government having cancelled plans for such cards here, I have decided to discuss my thoughts on the issue.

I have, in a small way, helped to campaign against the identity cards proposed by Tony Blair's New Labour government.

I am not against ID cards per se.

Like many enlightened Britons I had particular reasons to oppose the proposed system, partly practical and partly political. The political reasons boil down to the government's misrepresentation ( in my opinion ) of the use of identity cards; there were claims that they would help to combat terrorism.

Those claims were nonsense. Terrorists do not operate by publicly declaring their status as such so unless there were a foolproof way to identify persons with violent intent, then they could not be singled out by identity. If the idea was that persons without ID cards should be treated as terrorists then that ceases to recognise the proportion who are citizens of the countries they attack.

That is the surface of my political objection but the practical matter is somewhat more straight forward, if broader. First was the cost; it was projected that setting up the system would cost a frankly absurdly large amount, money which could be better spent funding the NHS, education, social services and so on. Not only would the taxpayer have to foot the bill for this, but we were then to pay, personally, for our compulsory ID cards. Both taxes and a personal fee to fund an unpopular innovation.

Supposing that the system had been implemented, I always wondered how much extra paperwork it would create for the police, given the trend for bureaucratic red tape over the last decade or so. While the German government claims that their system "allows German authorities to identify people with speed and accuracy," a claim upon which I do not feel able to comment, in the UK I think the opposite would have been true.

Leaving out various other concerns that I had, I come now to the problem which I saw in the system proposed here which is clearly shared by the German system: RFID.

I recognise that opinions on the security risks posed by RFID are divided, but when it comes to matters of personal security and the modern threat of identity theft I prefer to take a cautious line. I see no reason to assume that some enterprising crook would not be able to copy RFID data verbatim, which is a clear risk.

Assuming that the RFID signal is used as a key to access a database, as I believe is the usual implementation, then stealing someone's identity becomes as simple as copying their RFID tag to your own. It would take alert authorities to ensure against this, no matter how much biometric data was included, because humans become complacent when repeating the same task many times — that has been proven in credit card fraud.

If the fraudster targeted people displaying certain features, such as particular hair and eye colour or the general shape of the face, then many of the biometric details become useless. Meanwhile they carry allegedly indisputable proof that they are who they claim to be, endangering the reputation, wealth and livelihood of the victim.

As I say, I am not against carrying some form of paperwork for identification, any more than I object to carrying a passport when I travel or a license when I drive. I object instead to poor, needlessly expensive and unwise implementations.

I don't even mind the idea of an ID card that carries a key to a database, but I do object to that datum being broadcast by radio, no matter how low powered. If an ID card must carry such a key then I would suggest two simple security measures. First, require either manual reproduction ( i.e. a printed ID number ) or direct interface to a chip with no RF output. Second, require that the user provide a PIN to be checked against that database.

No system will ever be foolproof or impregnable, but authorities should take every possible measure to prevent their innovations from endangering their citizens. RFID ID cards can not be said to fulfil that.