This entry has been sitting in Draft for a while now, but – especially given this week’s upcoming Missing Identity meeting – I’m becoming more and more convinced that it must be worth trying.
Back at the end of March, Irdial Discs published his No Central Biometric Database idea in reference to biometric passports, picked up in John Lettice’s article on 19th April, ‘Fingerprints as ID – good, bad, ugly?’. I have seen a number of subsequent references to it, but no evidence that the approach – or principle! – has been given any serious consideration by the ‘powers that be’.
Simply stated, and in his own words:
This is how you do it.
- Each passport or ID document contains a cryptographically signed digital portrait of the holder, signed by the passport issuing authority.
- When your passport is swiped, your picture comes up on the screen, loaded from the passport, and NOT a central database.
- The digital signature of the passport photo is also downloaded.
- A PGP-like signature check is done against the public key of the national passport issuing authority, which is stored on the keyring of the swiping device.
If the signature is good, the document is genuine.
If the signature is bad, the document is a forgery.
It is an elegant and potentially far cheaper solution than Blunkett’s proposed scheme that solves the specific problem of forged identity documents in a way that addresses most, if not all, of the publically-expressed goals of ID cards and a National Identity Register – without requiring a central database.
The Home Office has requested feedback on the Draft Bill, and would – I believe – have to respond to a practical demonstration of such an approach. At the very least it may smoke out some of the ulterior motives / thinking behind the NIR, and at best it may raise / provoke a (techno)logical debate that currently doesn’t seem to be happening.
This sort of fits with some of the things I have been doing professionally over the past few years (e.g. CareZone, where we had to grapple with lots of the issues around smartcards and security) and is very much in line with the philosophy of virtualised (a current joint venture – site in development), so I intend to dedicate a proportion of my time in the coming weeks to trying to build, document and – hopefully! – demonstrate a working version of a biometric (i.e. facial photo) ‘ID document’ that uses no central database.
I should say at the outset that I am NOT a ‘hands-on’ programmer, but I do have a fair amount of IT skills and experience – especially in the area of conceiving and getting prototypes built. Much of what seems to be required is in the public domain and if all that comes of this is a thorough written response to the Home Office then, in my opinion, it won’t have been a complete waste of time.
Any help offered would, of course, be gratefully received.
N.B. I am aware that I may well be biting off more than I can chew, but I would at this point rather fail trying than not try at all.