About Me

I ramble about a number of things - but travel experiences, movies and music feature prominently. See my label cloud for a better idea. All comnments and opinions on this blog are my own, and do not in any way reflect the opinions/position of my employer (past/current/future).

22 July 2009

ID Numbers, ID theft and Privacy

There has been a lot of talk recently on the rise of identity theft in South Africa. Popular press has recently jumped on the bandwagon, and there are articles talking about how ID numbers should not be disclosed to anyone and that there is a need to keep the ID numbers secret.

In addition, there is the new privacy bill (which I still haven't read) - but since it is based on the EU privacy directives, I am very confident that it will list the ID number as private information and ask that it should be protected.

The problem is, we are trying to shut the gate once the horse has already bolted. The need to supply ID numbers is ubiquitous - and in many cases it does not make sense. Some buildings require you to provide a number (not any supporting documentation, just the number) to enter. Interact with a bank or any personal business relationships (credit applications, phone applications, post box etc.) you need an ID number. Need a job - you need an ID book. The numbers are everywhere, in multitude of systems, and they are also published online with no regards to data sanitisation. For example, here is a PDF I found detailing ID numbers of restaurant owners who applied for liquor licenses in Gauteng. I was looking for the address of one of the listed restaurants ... Oh, and Government gazettes are public documents, and the bylaws require that the information should be published.

The problem is that we use ID numbers for things we are not supposed to be using it for; namely authentication of persons. To illustrate, let's examine the definition of authentication (as a process) in RFC 2828.

An authentication process consists of two steps:

  1. Identification step: Presenting an identifier to the security system. (Identifiers should be assigned carefully, because authenticated identities are the basis for other security services, such as access control service.)

  2. Verification step: Presenting or generating authentication information that corroborates the binding between the entity and the identifier.



The ID number is an identifier. It is a 13 digit numeric string that is unique to all legal South African permanent residents (citizens and non-citizens). The verification step rests solely with the Department of Home Affairs. However, companies never make that leap - the Identity number and the associated Identity book has become a one stop authentication solution which it was not designed to be (or it would have other built in verification steps). Since business rely solely on the ID book and the ID number, the verification step is incomplete and thus ID fraud takes place.

The ID number does not necessarily need to be private. it is after all an unique identifier for persons - a more unique name. What is required is an easier, usable and secure verification service. That is the answer to identity theft resulting from "stolen" identity numbers. As for privacy of identity numbers - the number itself does not need to be private - it is after all an identifier. However, that does not mean that every one should collect the numbers. There should still be a reason to collect information, and should it be collected, there needs to be secure storage of the data. In these regards the EU privacy directive is absolutely correct.

19 July 2009

Music: Chromium and The Frail

It's another thing I have not realy got used to in Johannesburg - gigs start a lot earlier and finish mostly around 12. Maybe it's bylaws - so while there were quite a few bands at Roxy's last night - I only got round to seeing two.

Chromium, is an ex PE based, currently Johannesburg based, metal band. I am impressed that they even have a Wikipedia page! A 4-piece band - they have great music, and well written songs. And they seem to have a fairly large following - it was really packed for their gig, and it wasn't all friends and family.

The Frail, are a band from Secunda - and are a testament to the possibility of great music being produced by bands from obscure towns. Great songs, and great stage presence (from the vocalist at least). The crowd was not as big as Chromium's, but I think the mosh pit was a lot bigger.