The new UK ID card’s security was easily broken by a computer expert hired the Daily Mail UK. The expert, Adam Laurie, had “one of 51,000 ID cards issued by the Home Office to foreign nationals currently working or studying in Britain.” This is similar to the ID card for UK citizens that will be released later this year.
Embedded inside the card for foreigners is a microchip with the details of its bearer held in electronic form: name, date of birth, physical characteristics, fingerprints and so on, together with other information such as immigration status and whether the holder is entitled to State benefits.
This chip is the vital security measure that, so the Government believes, will make identity cards ‘unforgeable’.
But as I watch, Laurie picks up a mobile phone and, using just the handset and a laptop computer, electronically copies the ID card microchip and all its information in a matter of minutes.
He then creates a cloned card, and with a little help from another technology expert, he changes all the information the card contains – the physical details of the bearer, name, fingerprints and so on. And he doesn’t stop there.
With a few more keystrokes on his computer, Laurie changes the cloned card so that whereas the original card holder was not entitled to benefits, the cloned chip now reads ‘Entitled to benefits’. […]
The card unveiled by the Home Secretary will not hit the streets until the end of this year, so Laurie has not had the chance to test the precise design.
But according to the UK Identity And Passport Service, it is essentially the same and potentially just as vulnerable as the Home Office’s ‘foreign nationals’ card we tested.
In the U.S., there has been substantial debate around the REAL ID national identification system. The REAL ID Act of 2005 mandates that state driver’s licenses and ID cards follow federal technical standards and verification procedures issued by the Department of Homeland Security. I believe it creates a national ID system: it enables tracking, surveillance, and profiling of the American public through the proposed interlinking of the motor vehicle databases of all 56 states and territories, the use of an unencrypted machine-readable zone on the state ID cards and driver’s licenses, and the ability for the system to be used for much more than the few purposes set out by the 2005 law. Currently, the debate has shifted to the PASS ID Act (introduced in the US Senate in June), which would replace the REAL ID system with a different ID proposal.
However, though the program names will change, there are increasing proposals for something like a national ID card. This Daily UK story proves the point that I have been trying to make about national ID cards and systems where one ID card will be used for myriad uses within government and in the private sector: Centralized systems of identification will lead to more harm when they are, inevitably, compromised. A better system is one of decentralized identification, which reduces the risks associated with security breaches and the misuse of personal information. If one ID is compromised, all of the ID card are not spoiled and identity thieves cannot access all of your accounts.