Police Fingerprint Checking on the street

Motorists to give fingerprints

I read today about the police using handheld fingerprint scanners to identify motorists. Seems I have been a bit slow on the uptake of this story. Paul Squires has already posted his thoughts here. My thoughts are very similar to his.

The story that I picked up from “The Register” indicates that your fingerprint will be checked against a database of 6.5m prints. My question is, where are all these prints coming from? As far as I know my fingerprints are not on record anywhere since I haven’t been arrested. All of my immediate friends and family are the same. I’m sure there are thousands of other people in a similar position. Therefore, since this handheld device doesn’t store any prints, the police will be no better off trying to identify me by my print than they would be asking for my driver’s license. Based on the information available, the police will scan both index fingers. That means, assuming the database will only contain index fingerprints, that it contains the prints of 3.25m people. There are approximately 60m people in the UK. So by my maths that means that the database only contains about 5% of the UK. How do we check the other 95%?

I also have to take issue with the statement that fingerprints won’t be recorded and stored. Maybe not as of today, but it’s only a small step from using these readers to check fingerprints to using the readers to record fingerprints and transmit them into the database. According to reports the trial is currently optional with the stopped individual being asked for their permission to check their prints. If the pilot is successful (hard to see how), then how long before it is mandatory?

I could go on, but I think I’ll leave it for now. I’m sure plenty more will be said by many more people over the coming days and months about this scheme.


OpenID issue solved

Paul Madsen and I have been playing ‘blog tennis’ regarding a problem with my OpenID plugin for WordPress (I’m sure email was invented for this). His latest post is here.

I can now confidently say that the problem is solved.

After digging deeper into the code it appears that if you selected either DeadJournal or LiveJournal from the drop down list then the plug-in tried to be clever by prepending the URL of the relevant server to your name. However, this wasn’t made clear in the comments form and I’m guessing Paul was entering the full URI of his server instead of just his name. The exception to this was the “Other OpenID” option, which didn’t do anything clever with the name and required you to enter a full URI.

Anyway, as you will now see from my comments form, I have removed any ambiguity by getting rid of the drop down box and therefore forcing people to enter a full URI regardless of which server they are using.

Hopefully, this should now work. I would appreciate someone testing this and leaving me a comment to prove it works (hint, hint Paul)

Once again Paul, thanks for the heads up on the problem. I will pay more attention next time. Oh and BTW, I don’t know why Google wouldn’t listen to an Identity guru like yourself. Their loss in my eyes 🙂

As a separate point, my email address is publicly accessible via my website @ http://www.pdtoal.com/aboutme.html
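The ambiguity described in this post, as an added example that is not the plug-in's code or part of the original post: the first function mirrors the prepend-on-selection behaviour, the second mirrors the fix of always requiring a full URI. The provider hosts are constructed placeholders and both function names are hypothetical.

```javascript
// Added illustration, not the plug-in's code. Hosts are constructed placeholders.
const PROVIDER_PREFIX = {
  livejournal: 'http://lj.example/users/',
  deadjournal: 'http://dj.example/users/',
  other: '', // "Other OpenID": input is used exactly as typed
};

// Behaviour described in the post: the selected provider's URL is prepended
// to whatever was typed, even when that was already a full URI.
function prefixedIdentifier(provider, input) {
  return PROVIDER_PREFIX[provider] + input.trim();
}

// Behaviour after the fix: no drop-down, a full URI is always required.
// Returns { ok: true, identifier } or { ok: false, error }.
function fullUriIdentifier(input) {
  let url;
  try {
    url = new URL(input.trim()); // throws on anything that is not an absolute URI
  } catch (e) {
    return { ok: false, error: 'not an absolute URI' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, error: 'scheme must be http or https' };
  }
  if (url.username || url.password) {
    return { ok: false, error: 'credentials not allowed in identifier' };
  }
  url.hash = ''; // drop any fragment before the identifier is used
  return { ok: true, identifier: url.href };
}

// Constructed inputs: a bare name works with the drop-down, a full URI does not.
console.log(prefixedIdentifier('livejournal', 'alice'));
console.log(prefixedIdentifier('livejournal', 'http://id.example/alice'));
console.log(fullUriIdentifier('http://ID.example/alice#me'));
console.log(fullUriIdentifier('alice'));
```

Rejecting a bare name outright, rather than guessing a provider for it, is what removes the ambiguity between "name" and "full URI" on the form.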


OpenID Authentication and WordPress

Yesterday, Paul Madsen commented on his blog about the WordPress plug-in that I use to allow users to use OpenID authentication when leaving comments.

He questions the use of both the drop down box to select the IdP as well as the box to supply your URI. Paul, I can see and understand your point and when I get a minute, I will remove the drop down selector so that you only have to enter your OpenID server URL.

I must admit that I was guilty of installing the plug-in ‘as is’ out of the box without too much REAL thought to how it works. From looking at the code for the plug-in, the only real purpose of the drop down box is to change the icon within the field next to it to match the type of server you will be using. Other than changing the icon, it serves no real purpose.

I am slightly concerned that you claim my OpenID server doesn’t work as I have tested it on numerous occasions (albeit not lately) and it was fine when I tested it. I will check it again.

Thanks for the heads-up.

BTW: Paul, I did try to leave a comment on your blog in response but since I don’t have a Blogger account and the CAPTCHA image generation doesn’t seem to work with Firefox I couldn’t log in to leave a comment. Maybe you should consider OpenID enabling your site 🙂

Identity and Privacy

One of my good friends (and ex-boss) Mel Holloway has recently started blogging.

In his second post he talks about the Oracle Architects club that we both attended a couple of weeks ago. He seemed to agree with my feeling (I have already commented on the event here) that the event was quite academic and a bit “blue sky” in its thinking. This opinion was also shared by Paul Squires.

However, I do have to take issue with something Mel said in response to Drew Wagars thoughts on the event. When talking about identity and privacy an example of school meals is used. In his post Mel states:

Utilising the EMV as Drew says would enhance that privacy, again in this example the users identity is totally irrelevant, the card reader does not care who they are, its only concern is the card holder’s entitlement (role)

Whilst I can see what Mel is trying to say, I would disagree that the card is only concerned with the entitlement of the user. If the user is not entitled to free school meals then it is necessary to know the identity of the child in order to debit their card and charge the lunch to that person. What Mel seems to be talking about is more like an ATM type card where the ATM doesn’t care about the identity of the holder of the card.  The ATM isn’t concerned with the identity of the ‘user’ holding the card, just that the person holding the card and holding the correct PIN is authorised to perform transactions against the account. If I understand Mel correctly he is saying exactly the same thing. This is almost saying, only give the cards to children who are entitled to free meals since we only need to know if they are entitled or not. This goes against the principle of what Drew was trying to say in that using the cards enhances privacy by treating all children the same on the outside.

ID Theft from Council web sites

A couple of years ago there was a big push by the Central Government within England to get local Government to put more of their services online so that the public had more access to them. This created a big push which resulted in lots of online services from a large number of local governments.

One of the services that seemed to be popular to publish was Planning Permission Applications. I assume this was popular since it was fairly easy to achieve as a number of the applications that supported this were already web-based. As a result it was now possible to view all applications or track your own application online. The advanced ones even let you leave comments about applications.

Today within one of the free London newspapers “London Lite”, I was reading how ID thieves are using the information on these planning applications to steal people’s identity. The problem is caused because many councils scan the entire application form electronically and then publish that form. They seem to have missed the fact that these forms can contain, among other things:

  • Full names
  • Addresses
  • Contact phone numbers
  • Signatures

I didn’t believe the story so I checked for myself. One of the culprits cited was Westminster Council. Sure enough after a bit of clicking around I was able to download a PDF of a scanned application form containing all of the above information. I did a cursory search of a few other council websites and most seem to be a bit better than Westminster. They tended to blank out the sensitive information.

It seems that in the case of some councils, their rush to get services online meant that security and privacy were not taken into account (isn’t that all too common). This is a prime example of users not being in control of their own identity information and how it is disseminated.

Hopefully, Westminster and other guilty councils will correct this mistake quickly!


CardSpace Demo

I know I have been a little behind the curve in keeping up with postings over the past few weeks, but I am slowly catching up with the world. One of the things that I have seen is that Ping Identity has released a demo of a CardSpace Managed Card IdP together with a demo relying party which accepts the cards. I found this demo while reading Ashish’s blog here. Kim also seems impressed by this demo.

It’s great to see actual working examples of the concepts that the identity community has been talking about for some time. This is also seen in other places such as more and more sites that now support OpenID as their authentication method. Sites such as claimID & Opinity to name but a couple. It seems that user centric identity is starting to slowly become a reality.

There is still a way to go yet though.


Oracle Architects Club

Last week I attended Oracle’s 3rd Enterprise Architects Club held in London. The main topic of conversation was a presentation on “Identity Federation” by John Madelin of BT. The presentation was really good and it was the first time I have heard John speak in person. However, whilst I enjoyed the speech which was focused on the strategic impact of identity federation, I did find it a bit ‘blue sky’ thinking and felt it lacked the detail of how we might go about the ‘change’ that John saw we would have to undertake. He did however, make an interesting and sensible distinction between complex and complicated problems. There was also a good, albeit short presentation from Des Powley (Oracle).

The highlight of the evening was a Q+A session with John, Des, Toby Stevens* (EPG) & Steven Heaney (Atos Origin). This session was a very passionate one which focused around National ID cards. How can a UK Q+A session on Identity not discuss this? 🙂 The panel responded extremely well to the questions posed to them.

In general, I thought the event was very good and I met some other interesting people working in the same space, including a number of people who work for the same employer as me but who I haven’t had chance to meet before.

I look forward to the next meeting.


* Toby is a privacy expert and therefore there has to be some irony that when I first went to look for his blog I couldn’t find it. It was thanks to Paul Squires’s post on the same event that I found the link to Toby’s blog!

Congratulations!!

At the weekend my sister Michelle got married. I was so amazingly proud of her. She looked absolutely stunning and it made me so happy to be part of her special day. The entire day was organised to perfection and could not have gone better. The venue “Clandon Park” was an ideal location for the day and even better, the English, November weather held out and there was even some sunshine.

Not only was I at the wedding but I had the privilege of giving her away. It was the most amazing experience, but also very moving since I was performing the role of our dad who is no longer with us. I hope I managed to make my sister proud.

I want to wish both Michelle and her new husband, Pete all the best for the future and hope they have a very long and prosperous marriage.

I have published our ‘unofficial’ photos of the event here.

Need a distraction

Last week a colleague at work pointed me at an online game called Finger Frenzy. It seems from sites like Digg that I am about the last person on the planet to have heard about this game.

The basic idea is to see how fast you can type the alphabet. There are some hi-scores of 1.001 seconds. They sound very much like a macro has been run.

As for me, I spent about 20 minutes trying and ended up with a lowest time of 3.395 seconds. I don’t know about you, but I’m fairly proud of it. To make sure you believe me, here is the proof:

Give it a go and let me know if you can improve on my score (without cheating)!