Monday, February 07, 2005

More on ID Cards

The proposed National ID system is Machine Age technology: controlling, centralized, expensive, politically explosive & very vulnerable. But caught by the net suggests a modern alternative - user controlled data.

In this model, every citizen carries or wears a stripped-down PDA that holds their personal information. Unlike an ID card + database, the data is owned by and fully under the control of the citizen & is not centrally replicated. The initial dataset collected might be recommended by Parliament & extensions added only after full debate (lawmakers would be mindful that people won't collect data unless it's useful to them). Then add the capability to, at the user's discretion, beam selected information to third parties, e.g. law enforcement or retailer.

Add beamed input so that agencies can, again with the users permission, add entries to the file, for example blood pressure, cholesterol level, allergies. Saves re-keying time & errors without loss of user control. The user can always delete undesired information.

Ballpark cost under 2 Billion (60 Million people + 10 Million organizations at £25 volume unit cost). Peanuts compared with ID database. No monster projects. No mass Al Queda intrusions. Just issue the RFQ for the PDA & run a competitive tender.

Of course the PDA can be stolen or lost & data can forged. But no more (or less) than ID cards.

Problem solved.

Incidentally I already hold on my Palm the dataset called for in the draft ID legislation, plus its equivalent for two other countries, plus a bunch of useful stuff they haven't thought of, like emergency medical data.

Need to do more work on vulnerabilities. Compromising a National Identity database is easy, since such systems have well-known vulnerabilities. But distributed systems have different vulnerabilities, all suggestions welcome.