The Last Card You'll Ever Need
Good lord, not again! As reported by the Sydney Morning Heral a few days ago, Australia is looking to introduce a national identity card.
The Australian Prime Minister, John Howard is again dragging out the tired old, "It'll make us safer" reasoning and rather than just whinging about vague civil liberty issues, we should be focusing on specific civil liberty issues and the fact that a national ID card will not actually make us safer at all.
Bruce Schneier, Founder and CTO of Counterpane Internet Security wrote an excellent essay on national ID cards a few years ago where he unequivocally states, "everything I've learned about security over the last 20 years tells me that once it is put in place, a national ID card program will actually make us less secure."
As he argues, security isn't measured by how well it works, but by how badly it fails. Anybody who remembers the complete systematic failure that allowed the 9/11 attackers to carry out that devastating attack on America will agree on this point. In such cases, 99% effectiveness is as good as having no security at all: try telling the grieving families you "almost" stopped the hijackers.
Also, if this really is going to be The Last Card You'll Ever Need, the technology for reading these cards is going to be commercial and widely used. And you can be sure that when the Most Secure Card Ever arrives, there'll be a very small, very smart group of people who'll make it their sole aim in life to hack that card. It can't NOT be hacked because the incentive to exploit the uber-card will be absolutely huge: you could be one of maybe a dozen people carrying an un-fakeable fake ID. You could slip through the cracks, rent a truck and...
That's actually a bit sensationalist because to get the new ID, you have to prove who you are using all the currently available and (according to the government) incredibly insecure forms of ID out there at the moment. People with fake IDs now can simply upgrade them and their second identities will go into the database along with everyone else's.
And that brings us to the database. There'll be literally thousands of people with varying degrees of access and some of them will abuse that access, whether for personal gain ("Mmmm, free holiday in Fiji in exchange for medical info"), social engineering ("Hi, this is Jack and I forgot the password for my social security login") or plain incompetence ("Do we really have to wipe these old hard drives twice before sending them to auction?").
Take a look at how seriously we take security now, where stolen laptops can compromise the personal information of hundreds of thousands of people and say "that will never happen here" while keeping a straight face.
Leaving internal security aside for a moment, does anybody really expect the database to actually be accurate? Only 4% of Australian organizations have someone who is ultimately responsible for the accuracy of their data, according to Australian data quality software company QAS, so the likelihood that even the basic information such as the spelling on your last name, or the possibility that your home address will be wrong, is pretty high and cause for justifiable concern.
And let's not forget "function creep" either.
A fantastic example of function creep is copyright. It used to be about letting authors exploit their work for a limited time, but it's evolved into a system whereby the author's great grandchildren never have to work a day in their lives (also known as About A Boy Syndrome). Someone, at some point, will suggest that including sexual orientation on the ID cards would be a really good idea (probably for welfare administration), but I'm betting that religion will get on there first.
And even after all that, there will still be screw ups because IDing people is a fucking boring job.
Only last week I was out on the town with some mates and at the first place we went to, the doorman handed back my ID to my friend and my friend's ID to me. We visited four other venues and it was only until we were trying to get into the last one that the doorman twigged that we were holding each other's drivers licenses. That's three people in a row who didn't look at the photos printed clearly on our cards before letting us through the doors. I really hope we have airport guards who are a bit more switched on.
Then again, at $9 per hour after tax I wouldn't be paying much attention either.
In the file sharing world, we've known since the fall of Napster that centralization is bad. Napster couldn't withstand attack from a determined foe and it would be naive to think the inevitable database that holds all the information will not be a target for hackers, viruses and well coordinated DDoS attacks.
Decentralised p2p hasn't been shut down even with the RIAA, MPAA, BPI, ARIA, CRIA, etc, throwing millions of dollars at the (alleged) problem.
Grid computing is starting to take off because (get this) it's a really good way of handling and processing lots and lots of data.
Why in God's name are people seriously proposing that we ignore these new processes and revert back to the old systems that we've been trying to get away from?
And as Bruce Schneier asks, "what good would it have been to know the names of Timothy McVeigh, the Unabomber, or the DC snipers before they were arrested? Palestinian suicide bombers generally have no history of terrorism. The goal is here is to know someone's intentions, and their identity has very little to do with that."
Maybe a national ID card would have been a good idea when John Howard opposed it back in 1985, but as he's telling us now, "the world is a very different place". Should we really be trying to have an American-style national "feel good" drive anyway? You know, that war-with-somebody-is-better-than-war-with-nobody reasoning that gets the U.S. into hot water whenever they try it.
0 Comments:
Post a Comment
<< Home