Re-posted from archive of infinite ideas machine 2004:
Spyblog makes the point that 10 years in jail for “possession of a false document” seems an unduly harsh punishment, especially as this would be an entirely new offence created by the introduction of ID cards – but simultaneously extended to, e.g. even non-UK driving licenses.
Clauses 27-36 of the Draft Bill [553 KB PDF file] do bear a little scrutiny – and raise a couple of questions:
Why is it that possession of false ID documents carries with it a maximum penalty of 10 years in prison, when unauthorised disclosure of ID information – an abuse of power / position that potentially undermines trust in the entire ID system – is punishable by a maximum sentence of 2 years and/or a fine?
Clause 31, though, reveals a level of uncertainty and paranoia that should not go unchallenged: why double the sentence for hacking the NIR? If you ‘hack’ pretty much any database in the country, the maximum penalty is five years – but tamper with the National Identity Register, and you’ll get ten.
This is pure lunacy.
If you (have to) double the sanctions against hacker attacks to ‘protect’ your systems, then you demonstrate a basic lack of confidence in your security measures – which, no doubt, will make them even more attractive to ‘recreational’ (if somewhat foolhardy) hackers. And will have no effect whatsoever on the ‘foreign nationals’ who are highly incentivised to break in and compromise your systems.
Which brings me to another point – what platform(s) will the NIR use? Not Microsoft ones, surely (cf. the Government Gateway)! The National Identity Register will, almost of necessity, be distributed across a number of systems and be vulnerable to attack via inherent weaknesses in each. So I hope that someone in Government understands the many ways in which, e.g. Redmond’s current version of ‘Trustworthy Computing’ is anything but…
On a broader point, if the general population is to be able to trust the security of the NIR / ID card system as implemented, the Government should (must!) allow ‘White Hat’ hackers to probe its defences. The ‘Black Hats’ will be doing their best, so it would be crazy to penalise or threaten those who offer truly independent checks on what the Government and its chosen supplier(s) assert is the security of the system. Criminalising this sort of thing indicates either a lack of faith in your security or a deluded assumption of infallibility.
In the same way that exploits and cracks of common applications and Operating Systems are discovered and fixed, the NIR can only be made more secure – or be proved to be (techno)logically insecure – by the authorities and their suppliers addressing each known method of compromise. The reporting mechanism might get a little fouled up by the threat of 10 years in prison, but there doesn’t seem to be an offence (yet) dealing with the publishing of exploits…
I can’t quite imagine there being a ‘Report a NIR vulnerability’ button on the Home Office website any time in the near future!