British Telecom Pushes Universal ID Check System
miladus writes "URU (You Are You) is a new ID verification scheme from BT designed to
allow government and businesses to confirm identities on the net. The BBC has a full report on how, according to BT officials, 'URU will be a major ingredient in transforming and joining up government... and how it will
become ubiquitous for citizens, businesses, etc.'. Apparently, URU complies with European privacy laws."
How does this fit in with the Liberty Alliance / Passport authentication schemes? Is this yet another one developers will have to choose between, or this limited to UK systems? What's the point of using a single login system if there are a 1,000 such systems users have to register with and log into?
AFAIK, Britain has no mandatory ID card. This sounds weird to a lot of European people, since most European countries require every citizen to have a government-issued personal identity card which identifies them uniquely (a passport is generally accepted as an alternative). Maybe Britain is just thinking about skipping the physical step completely and going directly to the electronic ID stage. This would certainly make sense, since they are probably going to decide to create a mandatory ID anyway.
what does my electric asset number have to do with my unique ID? Whay if three of the george foreman kids live in the same apartment? then they all get the same id?
what if you move a lot? does your number change every time?
Wouldn't something a little more unique and static be of more use?
Here in the US, "diving" through one's trash to glom semi-precious information about them is a common identify-theft method.
If the Meter ID of every BT customer is on their bill, one only needs there name and address (probably on the same bill!) to act on their behalf.
This seems to fly in the face of how any private key system would work. If it is a public key, what are the channels that ensure nobody else can use such an identity?
I predict this will go up in flames. I see the electric bills of past residents of apartments all the time, simply floating into mailboxes long after they've left. If BT still thinks they live there, then "IMU" when I use this info.
Forgive me if this opinion results from ignorance of BT magical "meter id" number. But nevertheless, private passwords exist for a reason. None of the source info here seems quite secure.
mug
I can see obvious problems with this, having had my identity stolen a little in the UK.
2 years ago I had a cheque (check) book and American Express card stolen from the post. They were stolen by either
From that information the thieves now had my full name, bank details and details of a credit card I held (albeit a cancelled cards and cancelled cheques). From this information they purchased mobile phones, billed to me and applied for numerous store cards. I only discovered this when the bills started arriving.
Now, if BT's scheme goes off information available on the Electricity bill (keep in mind there are NUMEROUS electricity suppliers, so numerous databases to tie together), what is to stop someone stealing your electricity bill? Note that the electricy reference is per household, not per person. Now, tie this into the electoral role (which is already sold to marketers, and you can check and query it at your local library, so it's not private) that might almost be adequate.
Except the electoral role is updated once a year. You can actually manage to miss it completly if you move at exactly the wrong time.
Also people can choose to opt out of the data sharing that the electoral role provides (but not the information sharing to the credit agencies).
Lets not forget that BT is a private company, not answerable to anyone except the shareholders. I'm not sure if this is better or worse than the government forcing a scheme through.
Short of Government Desk Jockeys, Domestic Intelligence Agencies, and Identity Thieves, I really don't who would find this all that useful.
The fact that I CHOOSE to call myself EvilTwinSkippy, and that I am EvilTwinSkippy on a few other websites is a voluntary choice on my part. I have selected that persona, and if the persona no longer suits me at some point, I'll put it down and start a new persona.
A number is a highly impersonal thing, like a license plate or a MAC address. Having gotten parking tickets because the meter maid was a digit off (how else could my white ford escort be mistaken for a blue chevy pickup) the oppertunity for error is amazing. Hell, my wife is getting junk mail (right down to credit card offers) for her sister because a catalogue company mixed up their 2 accounts. It also doesn't hurt that one is Sara and the other Dara. (S and D are right next to each other on a standard US Qwerty style keyboard.)
Now harmless junkmail is ok, but imagine if medical records got crisscrossed, or criminal records? And it doesn't even have to be family, imaging if you are TT-1231-12512 and TT-2231-12512 is a wanted terrorist? Or if TY-1231-12512 has an outstanding warrent in New Jersey for driving without a license?
URU is a very bad idea. A very very very bad idea, especially for causual use by business and beaurocrats.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming