SIR - Following the Governemts's acceptance of the House of Lords' opposition to any plans to make national ID cards compulsory, we are now a step closer towards ID cards incorporating biometrics. They are designed to prevent forgery, but biometrics alone cannot do so.

Despite strong encryption, the Dutch biometric passports have already been hacked. What if someone hacks into the UK system and uses this to forge cards? Obviously, that occurrence would make a mockery of the whole ID card system. The Government needs to tread carefully with the implementation of these cards, or the seeds of disaster will be there from the outset.

There is a simple solution to this particular problem, though. A belt-and-braces approach. Storing the data as an algorithmic encryption will make it impossible for even the most sophisticated fraudster to read or substitute.

A second major concern is why on Earth does individual information need to be stored on both card and central database? We do not understand why they need to do this, unless of course they are planning to extend the usage of the cards as years go by (which would be of major concern for the civil liberties groups).

Other countries such as France and Italy have stipulated that biometric information be stored only on the cards themselves, and thus it's still within the possession of the individual concerned. So why has the UK Government determined to include a central database?

From a pure security point of view, we can understand why central storage makes the most sense in an online world. However, if the data is also being stored on the cards themselves, that totally invalidates the security argument. Obviously, this also raises questions about the Government's long term intentions for libertarians to tackle.

We strongly advise that the back-end system enables an audit trail of those personnel who have accessed individual records on the back-end systems. This is crucial to enable the Government to identify whether or not individual details were breached, and thus make it easier to identify fraudsters and, subsequently, track them.

Although the algorithmic approach would not address their primary concern - ie that the Government has this information at all - it would at least prevent its access by non-authorised personnel. Even those authorised would only be able to view binary code, and not the finger, iris and facial data itself.

The final concern centres on whether or not the whole project will work. The London School of Economics has raised concerns in this regard, and the Government does not have a strong track record with projects like this one.

Will we see the likes of Microsoft or EDS rolling-out a proprietary system that leaves the Government no room for escape? We would strongly advise the use of interoperable biometric standards.

Stewart Hefferman Chief Operations Officer TSSI Systems

Source

SMT