ID fraud

Jan 01, 2006

Bruce is quoting an article from The Register about the UK ID scheme.

Uhh… don't even get me started on the IDs. I used to work for a pretty advanced ID scheme and was in contact with many other European schemes. The short bottom line here is that it's difficult for me to take seriously any Briton or American who speaks about the subject, since they haven't implemented or seen a single proper large-scale secure electronic government or private-sector application, with or without the IDs.

I intend to post more about the subject as the next year and its news unfold, but for now just a few cursory comments about what Bruce and the commenters say.

The "Anonymous Swiss" comment is reasonable there: continental Europe, even with the privacy obsessiveness of the Germans, does seem to have a much more reasonable and balanced approach.

Also, as "drew" puts it:

I personally feel that any ID which is not continually verified (i.e. at each point of use) against secured databases is worthless. The validation can be cursory (zip code of billing address against credit card) or comprehensive (criminal and driving records check) but without validation, it's just a bliddly piece of paper or plastic with funny writing on it.

Just two examples from my home country Estonia, where a lot of interesting developments about e-government, e-banking and other fields have happened and continue to happen. Unfortunately, not much organized online material is available in English, so you'll have to take my word here.

The Estonian police have equipped most of their patrol cars with an uplink to police registers. They can enter the name or ID code of a person or the license plate number of a car and instantly pull out data from the relevant registers, including the person's photo and all that. It used to be that they needed to go through an operator and could only use verbal communication, but now they have rich terminals in the cars and can use the system independently of the "station". So even if you approach them with a fake ID, the chances of getting by are pretty slim, because just as "drew" put it above, whatever data you present is validated against a central register. And by now, through improvements in processes and regulations, you can rely on the central data to be pretty secure and have a good audit trail and access restrictions and all that. (It wasn't necessarily so in the mid-90s, ten years ago, when you could literally go to the market and buy a CD which had a dump of the population register, phone companies' subscriber records and car/driver registration details.)

Kersti Kaljulaid is a member of the European Court of Auditors, having formerly worked in Estonian banking as well as executive government. Just this morning, I heard her on a radio show where she described her efforts to implement more computerized and automated processes at ECA. It wasn't until Estonia had electronic voting in this year's municipal elections, which also caught the attention of the international press, that her colleagues at ECA told her “So wait… you mean this electronic stuff really works in Estonia? So there's a good chance you actually know what you're talking about.” Yes, it does work and she does know.