Proof of Age in UK Pilot
There’s a really interesting article by Toby Stevens at Computer Weekly, “Proof of age comes of age:”
It’s therefore been fascinating to be part of a new initiative that seeks to address proof of age using a Privacy by Design approach to biometric technologies. Touch2id is an anonymous proof of age system that uses fingerprint biometrics and NFC to allow young people to prove that they are 18 years or over at licensed premises (e.g. bars, clubs).
The principle is simple: a young person brings their proof of age document (Home Office rules stipulate this must be a passport or driving licence) to a participating Post Office branch. The Post Office staff member checks document using a scanner, and confirms that the young person is the bearer. They then capture a fingerprint from the customer, which is converted into a hash and used to encrypt the customer’s date of birth on a small NFC sticker, which can be affixed to the back of a phone or wallet. No personal record of the customer’s details, document or fingerprint is retained either on the touch2id enrolment system or in the NFC sticker – the service is completely anonymous.
So first, I’m excited to see this. I think single-purpose credentials are important.
Second, I have a couple of technical questions.
- Why a fingerprint versus a photo? People are good at recognizing photos, and a photo is a less intrusive mechanism than a fingerprint. Is the security gain sufficient to justify that? What’s the quantified improvement in accuracy?
- Is NFC actually anonymous? It seems to me that NFC likely has a chip ID or something similar, meaning that the system is pseudonymous
I don’t mean to try to allow the best to be the enemy of the good. Not requiring ID for drinking is an excellent way to secure the ID system. See for example, my BlackHat 2003 talk. But I think that support can be both rah-rah and a careful critique of what we’re building.
Untrained people are actually fairly rubbish at recognizing photos, especially when there could be makeup, bad lighting, etc. interfering with the process. I seem to recall that when photo ID for credit cards was trialled in the UK, it was possible to find an adequately similar photo for any person given a pool of 20 photos or so for each sex.
Still, photo ID is considered good enough now, so it should be good enough for the new system. Maybe fingerprints are just selected due to perception of security, or maybe they want a system where the decision to refuse entry can be made by an impersonal computer and to avoid arguments with security guards.
It will have one, but the NFC chips used for ePassports for some countries are mandated to change their chip ID each time they turn on. Something similar could be done here. Then you are left with fingerprinting the RF signal (possible, but harder). I’ve no idea what they have done though.
Sure, untrained people are bad at judging photos, but (as I recall) even a 5 or 10 minute training regime can alter that in a fairly dramatic way.