Yesterday I heard Andy Smith, the Chief Security Architect for the Identity and Passport Service (IPS), speak at the BCS Central London branch meeting about the security behind the new National Identity Register which supports the National Identity Card.
On one slide he highlighted what he considered the three biggest threats to Information Security:
- Inattention *(Andy called it Human Error, but I hope he’ll excuse my re-wording to fit into the familiar triad)*
So now there’s three security meanings for C, I and A.
- Confidentiality, Integrity and Availability: The original
- Common Sense, Intent and Application: Plan on doing sensible things well, and keep doing them
- Complacency, Inattention and Apathy: It is really hard for humans to do security things 100% of the time
Andy’s presentation was really interesting and I’m glad to have had the opportunity of hearing his views, but in my view the session failed to address the publicised topic of “ID Cards: The end of the Private Citizen – or good corporate ID management?” There wasn’t a speaker to address whether this was the “end of the Private Citizen” and questioners were discouraged from being “too political”. As IT professionals it is really important we participate in the debate about state-wide databases and the consequences of insecurity and secondary uses. That’s not a political discussion, but a socio-technical discussion about the future application of technology. The UK chapter of the ISSA held a similar event in July this year which included former home secretary David Blunkett, a speaker from the Home Office, and Pete Bradwell from Demos, alongside many technical presentations. Perhaps it was the table I was sat on but our discussion ranged widely through technology, security and ethical issues.
At last night’s BCS event I’d have liked to have heard Andy talk more about the technical details of how his team resolved some of the many interesting challenges they will have faced over the past few years, especially the architectural solutions and processes devised to maintain separation of duties within the IPS.
As a root identity provider the ID card and the NIR are attractive; however, I can’t help thinking of Bruce Schneier’s 2007 essay on The Risks of Data Reuse, which ended:
“History will record what we, here in the early decades of the information age, did to foster freedom, liberty and democracy. Did we build information technologies that protected people’s freedoms even during times when society tried to subvert them? Or did we build technologies that could easily be modified to watch and control? It’s bad civic hygiene to build an infrastructure that can be used to facilitate a police state.”