ID fraud
Bruce quoting an article from The Register about the UK ID scheme.
Uhh.. don’t even get me started on the ID-s. I used to work for a pretty advanced ID scheme and was in contact with many other European schemes. The short bottom line here is that it’s difficult for me to take seriously any Briton or American who speaks about the subject, since they haven’t implemented or seen a single proper large-scale secure electronic government or private-sector application, with or without the ID-s.
I intend to post more about the subject as the next year and its news unfold but just a few cursory comments about what Bruce and the commenters say.
The “Anonymous Swiss” comment is reasonable there, continental Europe, even with the privacy obsessiveness of the Germans, does seem to have a much more reasonable and balanced approach.
Also, as “drew” puts it:
I personally feel that any ID which is not continually verified (i.e. at each point of use) against secured databases is worthless. The validation can be cursory (zip code of billing address against credit card) or comprehensive (criminal and driving records check) but without validation, it’s just a bliddly piece of paper or plastic with funny writing on it.
Just two examples from my home country Estonia, where a lot of interesting developments about e-government, e-banking and other fields have happened and continue to happen. Unfortunately, not much organized online material is available in English, so you’ll have to take my word here.
The Estonian police has equipped most of its patrol cars with uplink to police registers. They can enter the name or ID code of a person or the license plate number of a car and instantly pull out data from the relevant registers, including the person’s photo and all that. It used to be so that they needed to go through an operator and could only use verbal communication, but now they have rich terminals in the cars and can use the system independently of the “station”. So even if you approach them with a fake ID, chances of getting by are pretty slim, because just as “drew” put it above, whatever data you present is validated against a central register. And by now, through improvement in processes and regulations, you can rely on the central data to be pretty secure and have a good audit trail and access restrictions and all that. (It wasn’t necessarily so in mid-90s ten years ago, when you could literally go to the market and buy a CD which had a dump of the population register, phone companies’ subscriber records and car/driver registration details.)
Kersti Kaljulaid is a member of the European Court of Auditors, having formerly worked in Estonian banking as well as executive government. Just this morning, I heard her on a radio show where she described her efforts of trying to implement more computerized and automated processes at ECA. It wasn’t until Estonia had electronic voting in this year’s municipal elections which also caught international press, that her colleagues at ECA told her “so wait… you mean this electronic stuff really works in Estonia? so there’s a good chance you actually know what you’re talking about.” Yes, it does work and she does know.
Double checking ID cards by the police has no effect when the ID card hasnt been reported stolen in the first place. The issue is not creating a fictional ID card, but creating a “fake” one containing real data. This is of course the case even now with passports all over the world. Having lived most of my life in the Czech republic which I dare say is coming from the same state controlled background as Estonia I can say that it doesnt really make much of a difference for the bad guys. In this regard I wouldnt play down any concerns by the British or Americans, they are right only sometimes its for the wrong reasons
.
laku — I don’t really see where this “creating a fake card with real data” would take you. the data on the card is correlated with data in the database. if they match, then Im not sure if its even an offence if you create your own ID card with exactly the same data as your real one. well, legally it’s an offence but morally I don’t see anything wrong with it. and fraudsters are usually interested in impersonation, i.e presenting themselves as someone else, but as both the ID documents and the database have a photo, it’s difficult to pull that through.
I don’t downplay the British and American concerns in the sense that it’s always educational to read what they think and what’s their identity discourse. but really, many people are just not “getting” it. (and it’s a “product” problem also, the whole ID field has been in the domain of the government and thus really undermarketed, creating FUD.)