A national identity system is something I've been thinking about a lot lately. No real answers here, just musings...
There are many departments at all levels of Government that need to track people for various reasons, but each implements its own system and no system is universal.
The status quo
In the United States of America, a Social Security number is the de facto standard. CGP Grey made a great video, Social Security Cards Explained, which covers some of the problems with that.
- At the Federal level, there is the Australian Tax Office, with whom most people have a Tax File Number.
- At the State level, there are the Licensing Departments, with whom most people have a Driver's License (and specifically a driver's license number).
- At the Local level, there are the local councils, to whom homeowners pay council rates and each council has its own way of tracking people.
While things like a TFN, a passport or a driver's license number might cover 90% of the Australian adult population, there will be many people that don't have these.
The ultimate ID card
I can imagine a national identity system where people get an ID card that is a veritable Swiss Army knife of modern identity.
The card would have all the usual things on an ID card:
- Full Name
- Date of birth
- Unique ID number [1]
- Validity Dates
But the card would also have NFC, with a certificate and private key stored on the card.
The certificate would contain the same information that's visible on the card (e.g. Photo, name, etc...).
Much like with TLS, the certificate would need to be signed by a trusted Certification Authority (e.g. The Federal Government) which would also need to publish a public Certificate Revocation List (CRL) for things like lost or stolen cards.
The utopian vision
To make this vision truly utopian, the standards used by the card would all need to be fully open and public. That way anyone could make use of the cards, not just the Government.
At the moment I've got about a dozen ID cards in my wallet: an RFID card for the building I work in, a Mifare card for our public transport system, my driver's license and so on.
Imagine if I could just give my Unique ID number to my employer, who could add that into the system, and I could use my Government-issued ID card to open the doors at work. I could use that same card for public transport, my local library, my driver's license [2], or the Hackerspace down the road.
Better yet, if you're using a PC / laptop / smartphone with NFC, the card could act as a universal second factor. You swipe your ID card over an NFC reader, which gives the "Something you have" and automatically populates your username, and then you enter your password.
There is no reason this would have to be just one country. If the standards were open and public, any nation (or anyone at all) could start issuing compatible cards. Want your system to accept cards from Bangladesh? No problem, just add their root CA. Don't trust "Honest Abe's Legitimate Card Issuing Authority"? Not a problem, don't add their CA to your root trust.
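The checks a card reader would make under this scheme, as an added Go example that is not part of the original post: the issuer's signature against the reader's own trust store, validity and revocation (keyed by the public-key fingerprint from the post's first footnote), and proof that the card holds the private key. It assumes Ed25519 signatures over a constructed field encoding in place of real X.509 certificates and a CRL file; `Card`, `Issue` and `Check` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"time"
)

// Card stands in for the certificate on the chip (assumed layout, not X.509).
type Card struct {
	Name, Issuer string
	NotAfter     time.Time
	PubKey       ed25519.PublicKey
	IssuerSig    []byte // issuer's signature over tbs(), a constructed encoding
}

func (c Card) tbs() []byte { return []byte(fmt.Sprintf("%s|%s|%d|%x", c.Issuer, c.Name, c.NotAfter.Unix(), c.PubKey)) }

// Fingerprint is the per-card ID: a hash of the card's public key.
func (c Card) Fingerprint() string { return fmt.Sprintf("%x", sha256.Sum256(c.PubKey)) }

// Issue plays the issuing authority; the private key would never leave the chip.
func Issue(issuer string, ca ed25519.PrivateKey, name string, notAfter time.Time) (Card, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	c := Card{Name: name, Issuer: issuer, NotAfter: notAfter, PubKey: pub}
	c.IssuerSig = ed25519.Sign(ca, c.tbs())
	return c, priv
}

// Check is the reader's side: its own roots, CRL fingerprints, and the card's signature over a fresh nonce.
func Check(roots map[string]ed25519.PublicKey, revoked map[string]bool, c Card, nonce, proof []byte, now time.Time) error {
	if root, ok := roots[c.Issuer]; !ok || !ed25519.Verify(root, c.tbs(), c.IssuerSig) {
		return fmt.Errorf("not signed by a trusted issuer")
	}
	if now.After(c.NotAfter) || revoked[c.Fingerprint()] {
		return fmt.Errorf("card expired or revoked")
	}
	if !ed25519.Verify(c.PubKey, nonce, proof) {
		return fmt.Errorf("no proof of key possession")
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(nil)
	card, key := Issue("AU", caPriv, "Jane Citizen", time.Now().AddDate(5, 0, 0)) // constructed sample
	nonce := []byte("constructed nonce") // a real reader sends fresh random bytes
	fmt.Println(Check(map[string]ed25519.PublicKey{"AU": caPub}, nil, card, nonce, ed25519.Sign(key, nonce), time.Now()))
}
```

Because the nonce is chosen by the reader for each tap, a recorded proof from an earlier tap fails the last check, and a card that only copies the public certificate cannot pass it at all.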
The possibilities are endless; software companies could build it into their systems. What if Adobe Reader (or your PDF viewer of choice) added a way you could use your card to add a cryptographic signature to documents? Just click sign, wave your card over an NFC reader and you're done.
Sure, someone could steal your card and sign a document, but it's got to be better than the scanned image of pen on paper that we use now. And that segues nicely into...
Problems with this system
There are many problems with this system, but I feel they fall broadly into two main categories: privacy implications and implementation issues.
I'm not going to dig too much into the implementation issues. Suffice to say, implementing a system like this would be a herculean task. I wouldn't trust commercial companies with vast resources and great expertise, like Google or Apple, to implement a system like this without at least some hiccups and flaws, let alone a federal government agency, where this sort of project would instantly become a political football and important bits would get outsourced to the lowest bidder.
More interesting to look at are the privacy implications. All through my utopian vision, I've assumed a benevolent government, one that builds roads, schools, hospitals, provides social services and support for people in need.
But even if we have a benevolent government today, there is no guarantee we won't have a tyrannical dictator next year.
A national identity card would be very invasive, especially one that could be tracked each time you use it, by making a query back to base. It might not be quite as Orwellian as rolling out a national facial recognition database, but in the near future we are going to have to ask ourselves:
Do we want to trade the privacy that comes with having many, simple, siloed identity systems for the convenience and efficiency that could come from a unified digital identity system?
[1] Actually, I'm thinking that it would need two unique IDs: one on the front that stays the same for the life of the cardholder, and one on the back that's unique for each card and would be the fingerprint of the public key.
[2] The idea here is you could read the NFC tag on a tablet, which queries a license database (over a public API), and a screen pops up with my name, photo and what types of vehicles I'm allowed to drive. To stop people bulk querying the database, each query would need to be signed by the private key on the card it's looking for, so you would need physical access to the card to query the details.