October 18, 2005 2:52 PM PDT

Microsoft exec: ID cards pose security risk

Microsoft has warned that the U.K.'s national identity card plans pose a security risk that could increase the likelihood of confidential data falling into the hands of criminals.

Jerry Fishenden, a top security and identity management expert at Microsoft, said that the British government's current technology proposals are flawed. He also criticized other technology suppliers for failing to speak out publicly about their concerns for fear of damaging any future bids for part of the lucrative contract for ID cards.

Fishenden, national technology officer at Microsoft UK, said that the plans for a central national identity register could lead to "huge potential breaches" and a leakage of personal information.

"I have concerns with the current architecture and the way it looks at aggregating so much personal information and biometrics in a single place," he said. "There are better ways of doing this. Even the biometrics industry says it is better to have biometrics stored locally."

Fishenden said no systems are ever completely secure and warned that putting vast amounts of personal data and biometric information such as iris, fingerprint and facial scans in one central database could prove too tempting a target for hackers and other criminals.

The U.K. government is backing a bill to make ID cards compulsory for all British residents. The cards, which are intended to help combat terrorism, illegal immigration and organized crime, will be based on biometric data. They have run into opposition both for the potential cost to holders and over worries about privacy and reliability.

Microsoft has expressed its concerns directly to the ID cards team at the U.K. government's Home Office, Fishenden said. Other suppliers are keeping quiet about their fears over the viability of the proposals because they want a piece of what would be a multibillion-pound project.

"Every supplier I talk to privately expresses their concerns," he said. "They seem happy to express their reservations to each other. But I don't think we have been as vocal as we should have been on this debate."

The Microsoft executive's comments come as British members of parliament are due to vote on a third reading for the Identity Cards Bill and just a day after Home Office minister Tony McNulty admitted that the proposed biometric technology has problems recognizing some people, such as those with brown eyes.

McNulty's statement followed a report in the U.K. newspaper the Independent on Sunday warning that one in 1,000 people could be incorrectly identified by the biometric systems because of difficulties in identifying those such as manual laborers who wear down their fingerprints.

Andy McCue of Silicon.com reported from London.


Jerry Fishenden, a top security and identity management expert at Microsoft, said that the British government's current technology proposals are flawed. So Microsoft is speaking out against flawed systems.. seems so... hypocritical
Posted by (75 comments )
MS knows a lot about security risks..
But I agree with him.
Posted by CE10 (11 comments )
Like, Microsoft knows anything about security?
My guess is M.S. wasn't awarded any contracts on this project. So they now decided to bash anything within reach.
Posted by aabcdefghij987654321 (1721 comments )
About time
For once, Microsoft's size is a good thing; they
have less to lose by speaking the truth.

And for the other posters, there is real talent
in Redmond. It just seems that there's enough
anti-talent to put in flaws before stuff gets
Posted by requiem--2008 (21 comments )
Which side of the fence are you on?
The last company I expect to hear say anything about security flaws is the leader in developing said flaws. If there is talent in Redmond they sure do a good job of keeping them hidden. Here comes the F.U.D. again!
Posted by Down_with_M$ (2 comments )
Biometric data: The ONE thing you CANNOT change if stolen
You can change your PIN, you can change your credit card numbers, heck, you can even change your address if any of this information is stolen by criminals from an insecure site or from malicious insiders.

However you can NEVER change anything biometric like your fingerprint, your DNA, your iris scan. If this encoded information gets out, you are FOREVER compromised.

Regardless if you like MS or not... what this person said is true. Storing this type of data as a form of ID is inherently flawed and VERY scary. This is Orwellian.

Give me 10 PINs to remember any day over some company storing my iris scan. I can change the PIN easily if it's compromised.
Posted by Anon-Y-mous (124 comments )
Microsoft? Security? Flaws?
Who's Microsoft to talk about security and strong software, when their own OS is bashed by hackers and virus writers non-stop? They should improve their own software instead of complaining. I can't believe this.
Posted by lbut (20 comments )
Time for Logic, not Name Calling
The prevailing "M$ is evil" doctrine is of limited use when developing a real strategy for ID security.

The real issue here is very serious, and has nothing to do with MS software security. It has everything to do with centralized, government custody of irrevocable, un-editable identity data. UK citizens should consider this very carefully.

What government employees will have access to this DB? Can every citizen in the UK trust every one of them? These questions have nothing to do with Microsoft or Linux or Oracle security.
Posted by Lawrence Ricci (4 comments )
Anti-Microsoft Religion
The ppl who are in the Anti-Microsoft religion are so up in arms about bashing anything Microsoft says that if a guy from Microsoft comes out and says hey the American flag is red, white and blue they would state that it's solid red, just to contradict him.

So to all the people who are posting things like who is MS to say anything about security: they are the ppl who are constantly battling against people who are constantly attacking them, so they know what it is like to be a major target for people who are interested in getting at the data.

So stop the foaming at the mouth and actually LISTEN to what is being said, and not pay attention to who is saying it.
Posted by Oleg Simkin (53 comments )
