UK's Verify programme contains "severe privacy and security problems"
Government dismisses idea that its Verify identification technology can be used to monitor population.
UK Government Verify programme
According to a research paper titled Toward Mending Two Nation-Scale Brokered Identification Systems, the service has "severe privacy and security problems" and a major flaw within its architecture that could be used to undertake mass surveillance.
The main problem lies with the hub that acts as a go-between for government departments, identity providers and citizens. Verify was created by the Government Digital Service as a way for the public to prove who they are when needing to access government services online. The uptake of the service has been slow.
The authors of the report claimed that Verify suffers “from serious privacy and security shortcomings, fail[s] to comply with privacy-preserving guidelines they are meant to follow, and may actually degrade user privacy.”
"Notably, the hub can link interactions of the same user across different service providers and has visibility over private identifiable information of citizens. In case of malicious compromise it is also able to undetectably impersonate users," the report said.
“If compromised, the hub can even actively impersonate users to gain access to their accounts (and the associated private data) at service providers. This represents a serious danger to citizen privacy and, more generally, to civil liberties.”
It added: “The described vulnerabilities are exploitable and could lead to undetected mass surveillance, completely at odds with the views of the research community whose scientific advances enable feasible solutions that are more private and secure.”
But the government has hit back at the allegations and denied that Verify could be used in mass surveillance.
“Gov.uk Verify does not allow for mass surveillance. It does not have any other connection with or ability to monitor people or their data,” it said in a blog post.
“Only minimal data passes through the Gov.uk Verify hub. The person's name, address and date of birth [and gender] is sent through the hub to a government department the person is trying to access.
“No data about the person's interactions or activities within certified companies or government departments passes through the hub.”
The researcher said that the service could be improved by recommending that “a formal framework for brokered authentication be devised” and that such a framework would “integrate all the security, privacy and auditability properties at stake, while considering an adversarial model in which any party, including the hub, may be compromised and/or collude with other parties.”
Dr Kevin Curran, senior member of the IEEE told SCMagazineUK.com that a core problem is that you cannot create a GDS-built hub overnight, release it and then expect it to be adopted universally and to work perfectly.
“It simply cannot happen. In the world of network security, you never prove the 'absolute security' of a product but what we do is to repeatedly test it along with others and then, and only then, depending on the numbers, can we decide upon its relative strengths or weaknesses. That is the proven model in computer security,” said Curran.
He described the plan to provide a UK-wide decryption hub as “nuts”.