Trying to work out if someone is who they say they are is a slippery problem. And the consequences are being seen everywhere. According to the Federal Trade Commission, identity theft of all kinds costs US businesses $50 billion to $60 billion a year, with 56% of the reported incidents related to banking activity. Despite the introduction of security codes and chip and PIN technologies credit card fraud is rising, affecting both online and offline retailers. And spyware and other eavesdropping techniques are compromising individuals' passwords at both a personal and business level.
Governments – and private sector organisations – are desperately looking to technology to provide them with an answer, hoping they can find a means of determining who is lying and who is not. But at this point in terms of technology, processes and social acceptance, ambition is running ahead of capability – a worrying situation in light of the government's forthcoming National ID card scheme.
On the face of it, the scheme should be able to help considerably with identity assurance. Although the government has yet to spell out exactly how the system will work, the card will definitely include biometric data, so that the card holder's identity can be confirmed on presentation. But ID cards will not just be for government use.
Both public sector and private sector organisations will be able to apply for licences to use the cards for identity assurance. In theory, therefore, any organisation that is concerned about identity theft would be able to sign up for the scheme, provided the licensing costs and the £700-£1,000 price tag on each reader are not prohibitive, and mandate that any potential customers use their ID cards to identify themselves.
There are, however, a number of flaws in the scheme that would make it impractical for use by most organisations. Firstly, the card will not necessarily adhere to any current standards: it will be the choice of vendor and the vendor's choice of technology that will determine what standards are implemented. Although the government's white paper hints heavily that NCR will be the preferred supplier of ID card technology, other vendors are certainly not out of the running.
HP, in conjunction with Microsoft, has developed a modular system based around .Net and digital certificates. To make it enticing to governments that cannot afford the potentially colossal costs in setting up an assurance infrastructure, HP is even willing to provide the technology for free and recoup the costs through payments for each card. It is a policy that is already working for HP in certain Eastern European countries and Africa, among others. Similarly, Siemens Business Services has had success in Italy and Hong Kong with their ID card technology.
The differing approaches being adopted raises the question of interoperability: Any identity assurance scheme based around ID cards would need ways of validating other countries' cards – particularly EU countries, where border controls have been relaxed between member states. Either one vendor's scheme would need to become the de facto standard or some fast technical negotiations are needed by governments to decide on some interoperability standards.
Reliance on biometrics can also be problematic. A test by Atos Origin of current biometrics using 10,000 volunteers showed that while 90% of people could successfully enrol on the scheme, only 61% of disabled volunteers were able to do so. When used for identity assurance, fingerprint matches sometimes produced false results (a success rate of 81%); facial recognition revealed problems with slight changes in appearance between enrolment and verification; and iris recognition was slow and again had poor results for disabled people.
Any organisation that used the biometric data within the proposed ID card for assurance would also need to consider whether its customers found the idea of providing biometric information acceptable. Would a bank want to require its customers to undergo iris recognition to use a cashpoint? Also ID cards would do nothing at all for online identity assurance, unless every customer's PC was equipped with a biometric reader, something that could cost more than twice as much as the PC.
While ID cards could offer fast identity verification for a majority of the population in face-to-face situations, there would be enough exceptions that the cards – which would only be issued on demand and for a fee that could be as high as £300, according to the London School of Economics – would be as useful as a driving licence for identity assurance.
With the Bill still passing through parliament, and most of the technical details removed from it, there is considerable opportunity for the scope of the card and its implementation to change. But in all likelihood, the UK National ID card will do almost nothing to help organisations with the problem of identity assurance.