Experts question high-street ID card enrolment

The sheer number of outlets could lead to more data breaches, say experts, but the Identity and Passport Service is putting its faith in data-security standards

Security and legal experts have questioned the viability of a government plan to capture biometrics in high-street shops for its ID card scheme.

The Home Office announced on Wednesday that organisations, including the Post Office and the National Pharmacy Association, were in talks to collect and transmit biometric information for ID card enrolment. The outlets will allow people to scan fingerprints and facial photographs for storage on the cards and in a central database.

Susan Hall, a partner and IT law expert at Cobbetts solicitors, told ZDNet UK on Thursday that biometric data is very valuable to identity thieves. That means it requires a high level of protection, which high-street stores do not have the culture to provide.

"[The government] is creating a situation where high-street outlets are acting as a conduit for highly sensitive information, with a high value," said Hall. "Even pharmacies may have some difficulty with the idea of the necessary level of data security."

The talks with the Post Office and others could result in a large number of outlets for the biometric collection. That would exponentially increase the risk of personal data being compromised, Hall said.

"How do you ensure a completely secure collection, storage and transmission process? Clearly, this is not possible," said Hall. "The more you multiply the entry points to a system, the more points of vulnerability you have."

The Identity and Passport Service (IPS) on Thursday said that high-street retailers would be able to capture and store biometrics securely, and that the government would introduce a data-security standard for this.

"We would never implement an approach which would jeopardise the security and integrity of a person's biometric data or allow it to be used in any way in the application process other than for the purpose of that application itself," said an IPS spokesperson. "We will also be taking a standards-based approach, whereby we will set certain strict standards that will need to be met by any organisation that is involved any part of application process and this will include issues around secure transmission and data loss."

The spokesperson went on to say that organisations would be subject to an accreditation process, which will involve ongoing reviews. "Clearly, there would be a requirement to notify us of any breach of those standards," said the spokesperson.

However, Hall suggested that high-street organisations could become liable for any data loss, and that outlets signing up would be taking on a high level of risk.

"If I were a government department signing up [organisations], I would want pretty strong contracts," said Hall. "In particular, I would specify that outlets have contractually secure systems, that they would report data breaches, and that they would indemnify against all loss and damage."

The IPS declined to say whether high-street organisations would be liable for any data loss.

Jamie Cowper, EMEA marketing manager for security company PGP Corporation, said even if the data were collected and transmitted securely, there was still a question as to whether the government could be trusted with it.

"Even if these high-street outlets can prove they are able to process and record this data in a highly secure manner, there remains serious concern about how all this information will be centrally stored by the government," said Cowper. "Given the numerous public-sector data breaches of late, the public is fully justified in expressing unease about these proposals."