Jobs for the boys?

Re-posted from archive of infinite ideas machine 2004:

Will Atos Origin, originally formed in 2000 by the merging of French (Axime + Sligos = Atos) & Dutch (Origin = Royal Philips Electronics subsidiary) IT management and services companies, who later acquired KPMG Consulting (to trade in the UK as Atos KPMG Consulting) turn out to be the soon-to-be-appointed “development partner bringing in detailed expertise from outside Government” as announced in last week’s Home Office press release?

They are, after all, the ones running the current UK Passport Service Six Month Biometrics Enrolment Trial, which started only a couple of months behind schedule – an all-time record for a UK Government IT project!

Of course, their recent acquisition of / merger with the world’s leading smartcard solution provider, SchlumbergerSema (January 2004) would make them the *obvious* choice – but could it possibly be a little arrogant of them to assert on their UK home page that:

“The increased strength and depth of our end-to-end solutions and services, coupled with our expertise in Enterprise, Financial Services, Medical Services, Public Sector, Telecom, Media and Utilities and Transport ensures that the new Atos Origin is the future of IT services in the UK.” [emphasis added]

Is Atos Origin becoming so powerful that it can basically take over any company that it sees as having the potential to ‘interfere’ with its lucrative Public Sector contracts? Are current or future Governments likely to act (e.g. regarding anti-competitive practices) against a supplier that delivers the very core of their information infrastructure?

I’m not a great one for conspiracy theories – it’s hard to believe in an all-powerful, evil ‘them’ when greed, stupidity and untrammelled ‘free’ market forces seem to do just as good a job of screwing things up. The managements of the mega-consultancies, manufacturers and service companies are simply doing what comes naturally in business – i.e. keeping an eye to the bottom line – while certain politicians seem hell-bent on pissing away billions of our tax pounds, while simultaneously and systematically corrupting and undermining the fundamentals of an equal and fair Information Society.

UPDATED 5/5/04: Thanks to Trevor Mendham for pointing out the recent FT article ‘Companies wary about running ID cards scheme’ on his UK ID Cards blog. The article refers to concerns voiced by Capita and Serco – and mentions that Atos, EDS and Capgemini (who just last week were ‘embracing a new consulting paradigm’) are ‘talking to the Home Office about how to build the database’!

Good on the Lib Dems

Re-posted from archive of infinite ideas machine 2004:

They may not have a snowball’s chance in hell of winning a General Election, but it appears there may be some sensible politicians out there after all. The Liberal Democrats seem to be, literally, living up to their name with their 10 point rejection of the ID card / NIR scheme, see: DRAFT ID CARDS BILL IS FLAWED.

Nothing you won’t have heard before, but they do lay the gauntlet down to the Conservatives – pointing out that a cross party coalition in the Lords is the only way to defeat the Government on this. Hmmm…

10 years for us – 2 years for them!

Re-posted from archive of infinite ideas machine 2004:

Spyblog makes the point that 10 years in jail for “possession of a false document” seems an unduly harsh punishment, especially as this would be an entirely new offence created by the introduction of ID cards – but simultaneously extended to, e.g. even non-UK driving licenses.

Clauses 27-36 of the Draft Bill [553 KB PDF file] do bear a little scrutiny – and beg a couple of questions:

Why is it that possession of false ID documents carries with it a maximum penalty of 10 years in prison, when unauthorised disclosure of ID information – an abuse of power / position that potentially undermines trust in the entire ID system – is punishable by a maximum sentence of 2 years and/or a fine?

Clause 31, though, reveals a level of uncertainty and paranoia that should not go unchallenged: why double the sentence for hacking the NIR? If you ‘hack’ pretty much any database in the country, the maximum penalty is five years – but tamper with the National Identity Register, and you’ll get ten.

This is pure lunacy.

If you (have to) double the sanctions against hacker attacks to ‘protect’ your systems, then you demonstrate a basic lack of confidence in your security measures – which, no doubt, will make them even more attractive to ‘recreational’ (if somewhat foolhardy) hackers. And will have no effect whatsoever on the ‘foreign nationals’ who are highly incentivised to break in and compromise your systems.

Which brings me to another point – what platform(s) will the NIR use? Not Microsoft ones, surely (cf. the Government Gateway)! The National Identity Register will, almost of necessity, be distributed across a number of systems and be vulnerable to attack via inherent weaknesses in each. So I hope that someone in Government understands the many ways in which, e.g. Redmond’s current version of ‘Trustworthy Computing’ is anything but…

On a broader point, if the general population is to be able to trust the security of the NIR / ID card system as implemented, the Government should (must!) allow ‘White Hat’ hackers to probe its defences. The ‘Black Hats’ will be doing their best, so it would be crazy to penalise or threaten those who offer truly independent checks on what the Government and its chosen supplier(s) assert is the security of the system. Criminalising this sort of thing indicates either a lack of faith in your security or a deluded assumption of infallibility.

In the same way that exploits and cracks of common applications and Operating Systems are discovered and fixed, the NIR can only be made more secure – or be proved to be (techno)logically insecure – by the authorities and its suppliers addressing each known method of compromise. The reporting mechanism might get a little fouled up by the threat of 10 years in prison, but there doesn’t seem to be an offence (yet) dealing with the publishing of exploits…

I can’t quite imagine there being a ‘Report a NIR vulnerability’ button on the Home Office website any time in the near future!

Let’s get together

Re-posted from archive of infinite ideas machine 2004:

Privacy International – in association with Liberty, Statewatch, Stand and the Foundation for Information Policy Research – are holding an afternoon meeting at the London School of Economics on 19th May called MISTAKEN IDENTITY, all about the Government’s proposed National Identity Card.

They promise ‘key figures in the fields of law, politics, security, technology and human rights’ will be there, with details of the programme available at the conference site.

UPDATED 6/5/04: The draft programme (with invited speakers) has now been published – subject to change, but it’s looking very interesting:

13.30 Welcome. Simon Davies, London School of Economics

13.40 The Rt. Hon David Blunkett, Home Secretary (invited)

14.00 Mark Oaten MP, Lib-Dem Home Affairs spokesman
David Winnick MP, Labour
Simon Thomas MP, Plaid Cymru
Lord Phillips of Sudbury

14.35 Q&A with audience

14.45 Dr Iqbal Sacranie, Secretary General, Muslim Council of Britain

15.00 Roger Smith, Director, JUSTICE

15.15 Q&A with audience

15.25 Sir John Stevens, Commissioner, Metropolitan Police (invited)

15.40 Paul Whitehouse, former Chief Constable, Sussex Police

15.50 Q&A with audience

16.00 Peter Williamson, President of the Law Society

16.15 Professor Ross Anderson, Cambridge University

16.30 Jonathan Bamford, Assistant Information Commissioner

16.45 Q&A with audience

16.55 Next steps

17.00 Close

Privacy, biometrics and the presumption of innocence

Re-posted from archive of infinite ideas machine 2004:

In an information society, absolute privacy exists only inside your own head.

Most people would agree with or admit to the need for at least a degree of privacy in everyday life (indeed it seems some, e.g. celebrities and politicians, are desperate for it!), but many do not fully appreciate the nuanced and often complex relationship between privacy and identity. Make no mistake, they are related – and, in the context of ID cards and a National Identity Register, a serious erosion of your own personal privacy may be just a single (mandatory) data field away!

An informative consideration of the privacy issues and options arising when implementing biometric security systems, the BioPrivacy Application Impact Framework and Technology Risk Ratings offered by the IBG BioPrivacy Initiative are well worth a few minutes’ study.

The problem with using biometrics to ‘tie everything together’ in the NIR is that it will, once and for all time, give the State ownership of your identity: you will be who the State says you are – even if they are mistaken (and they do make mistakes!) – not who you assert, and can prove in a variety of State-and-otherwise-sanctioned ways, that you are. This really would be a fundamental change in UK civil society and has, justifiably, been characterised as the end of ‘presumption of innocence’.

What may seem like a good idea now to those who believe that “if you’ve got nothing to hide, you’ve got nothing to worry about” may seem distinctly otherwise when, e.g. it is their 16 year old granddaughter who gets a permanent black mark on her ID record for having hung around with a dodgy crowd after school – some of whom were caught shoplifting.

As I understand it, the State exists to serve the people. With ID cards and an NIR, we are teetering on the edge of a slippery slope (of indeterminate steepness…) that leads to the State dictating who is a person. In a few short years if I don’t want a State identity I will become, by default, either a criminal or a non-person!
