A Question of Identity

KeCrypt Systems Ltd
John Dale

By John Dale, Managing Director, KeCrypt Systems Ltd


It used to be so simple. Your signature was all it took to authorise a payment, confirm agreement to a contract, or validate receipt of goods, payment or service.

There's no doubt that a signature is the most familiar and authoritative way of signifying agreement and approval. It confirms intent and is integral to the legal process. Signing is a method that's natural to all adults and easy to use.

Identity appears to have become more complex as part of electronic processes. Although we make do with passwords and PINs for many processes requiring knowledge of a user's identity, and even use such mechanisms to authorise transactions, it is appreciated by the majority that passwords and PINs identify no one. They are forgotten, given away, and falsely obtained, so there is no binding between the individual and their password or PIN. So increasingly we now look to biometrics for irrefutable identity.

Which biometric mode or modes get considered has mainly been driven by the standards set by the International Civil Aviation Organisation (ICAO). The ICAO is an agency set up in 1944 by the United Nations to promote safe international civil aviation. The ICAO decided to adopt a biometric scheme for machine readable passports involving facial recognition optionally supported by fingerprints and iris recognition. These are the biometrics (with a facial biometric as the minimum) that are being included in the chip-based passports now being issued by the UK and by increasingly more countries worldwide.

It is also these biometrics, and often only these biometrics, that get considered for other forms of personal identification, for example visas, national ID cards, international citizen cards, driving licences, and identification for government workers, seafarers, etc. The ICAO standard appears to have restricted the vision of system designers in the choice of biometric modalities. We seem to have forgotten the simple signature we started with for identity. Signatures and the dynamics of signing are unique to an individual, making them a behavioural biometric. It is widely accepted that the dynamics of a person's signature make forgeries almost impossible. So why not include the dynamic signature biometric in our thinking?

It is interesting that although the signature appears to have been ignored, it is used in the process of ID Card registration for individuals to authorise the handing over of their other biometrics. Why? Because it is only the signature that has any legal status amongst the biometrics; it is only the signature that demonstrates intent; it is only the signature that has inherent non-repudiation. That is why the signature has to be taken to authorise the taking of the other biometrics for ID. So why not include the dynamic signature biometric on the card?

Now let's look at the proposed UK ID Card in particular. It will have facial and fingerprint biometrics. As the ID card is intended to be used as an EU travel document without the need to also carry a passport, these two modes of biometric are a necessity. If the authorities want to be able to check through to the criminal justice databases, then these two modes of biometric are a necessity. However, it is precisely because of the connotations of the latter case that the public would be reluctant to use facial recognition and fingerprints for other interactions with the government or commercial organisations. It has already been established that the signature is still required for legal transactions. If the dynamic signature biometric is not part of the ID card, then even where a signature is used in a legal process to provide legal intent, the binding between the identification proven by the biometrics on the ID card and the signature used in the transaction is lost. So why not include the dynamic signature biometric on the card?

One can envisage many citizen-government interactions that are much simplified and protected against fraud with sound identification. One can see uses within social services, the tax regime, and within local government. However, if as a citizen I have to continue to carry additional forms of ID for commercial use, for example two utility bills with my name and address, then the benefit of the National ID card appears biased towards the government and not the individual.

The National ID card needs to be universally accepted across government and commercial sectors, so that it is of benefit when setting up a bank account or agreeing to a contract. However, the majority of people would not trust commercial business with access to the government database holding our biometric data. One reason might be that the public saw what happened to card PINs when access was increased from the 57,000 secure ATMs to the multiple hundreds of thousands of retail outlets. This increased exposure was exploited by criminals, and PINs were compromised with significant impact on individuals. Would this happen with government held biometrics?

Probably not, but perception is everything when it comes to privacy. So why not include the dynamic signature verification on the card itself? This user-accepted form of ID can then be verified locally without the need to interrogate a central government database. Commercial and Government authorities could both make use of local authentication. The signature can again be used to demonstrate legal intent and provide non-repudiation. So why not include the dynamic signature biometric on the card?

John Dale

Author Information - John Dale

Managing Director

John Dale is Managing Director of KeCrypt Systems Ltd, a company he founded to ensure the commercial development of a unique e-commerce security product. This was based on a patented software suite developed during the seven years in which John headed up Marconi's Military Communications Division. This software enabled safe communication from remote computing devices to a secure web site - anytime, anywhere. It was, in fact, the world's first successful full implementation of RSA secure communication technology on a remote device.

With over 25 years' business and IT experience in the management of high security systems for multi-million pound enterprises, John Dale is now regarded as one of the UK's foremost exponents of security biometrics. In 2006 he was appointed to serve on a BSI committee as part of the UK contribution to the International (ISO) standards on biometrics.
