UK's Verify programme contains "severe privacy and security problems"

News by Rene Millman

Government dismisses idea that its Verify identification technology can be used to monitor population.

The UK government has been forced to deny allegations that its identity assurance service, Verify, is littered with security problems and could be used to spy on citizens.

According to a research paper titled Toward Mending Two Nation-Scale Brokered Identification Systems, the service has "severe privacy and security problems" and a major flaw within its architecture that could be used to undertake mass surveillance.

The main problem lies with the hub that acts as a go-between for government departments, identity providers and citizens. Verify was created by the Government Digital Service as a way for the public to prove who they are when needing to access government services online. The uptake of the service has been slow.

The authors of the report claimed that Verify suffers “from serious privacy and security shortcomings, fail[s] to comply with privacy-preserving guidelines they are meant to follow, and may actually degrade user privacy.”

"Notably, the hub can link interactions of the same user across different service providers and has visibility over private identifiable information of citizens. In case of malicious compromise it is also able to undetectably impersonate users," the report said.

“If compromised, the hub can even actively impersonate users to gain access to their accounts (and the associated private data) at service providers. This represents a serious danger to citizen privacy and, more generally, to civil liberties.”

It added: “The described vulnerabilities are exploitable and could lead to undetected mass surveillance, completely at odds with the views of the research community whose scientific advances enable feasible solutions that are more private and secure.”

But the government has hit back at the allegations and denied that Verify could be used in mass surveillance.

“Verify does not allow for mass surveillance. It does not have any other connection with or ability to monitor people or their data,” it said in a blog post.

“Only minimal data passes through the Verify hub. The person's name, address and date of birth [and gender] is sent through the hub to a government department the person is trying to access.

“No data about the person's interactions or activities within certified companies or government departments passes through the hub.”

The researchers recommended, as a way to improve the service, that “a formal framework for brokered authentication be devised” and said that such a framework would “integrate all the security, privacy and auditability properties at stake, while considering an adversarial model in which any party, including the hub, may be compromised and/or collude with other parties.”

Dr Kevin Curran, senior member of the IEEE, said that a core problem is that you cannot create a GDS-built hub overnight, release it and then expect it to be adopted universally and to work perfectly.

“It simply cannot happen. In the world of network security, you never prove the 'absolute security' of a product but what we do is to repeatedly test it along with others and then, and only then, depending on the numbers, can we decide upon its relative strengths or weaknesses. That is the proven model in computer security,” said Curran.

He described the plan to provide a UK-wide decryption hub as “nuts”.

“Not because it cannot be done technically but because it is quite simply nuts,” he warned.

“I teach computer networks and computer security. I teach ethical hacking. I am in the rare minority of people who actually understand the principles of encryption. I understand anonymity, proxies, packet sniffers, public and symmetric encryption, brute forcing, SSL etc.

“This plan, however, is nuts. Encryption serves a genuine purpose. It ensures for instance that when you wish to make a payment via a service such as PayPal, that when you do it, the traffic is not snooped by others and that the site you provided your password and user details to is actually the genuine PayPal. Encryption basically also allows us to conduct communications with others around the world safe in the knowledge that our communications are private.”

He said that once a central key or secret is lost or revealed, all the best methods employed elsewhere in the system are useless.

“A number of years ago when the US TSA tried to roll out a universal lock which they held a master key to, what happened was that thieves copied the master key and broke into those locks much easier,” said Curran.

“Even if the government push ahead with this dumb, un-implementable idea, then what is to stop any of us from using encryption tools which bypass this government enforced backdoor? Yes, nothing. Thank goodness that in any democratic country it is virtually impossible to ban such sites which have as much use for legitimate purposes (eg, protecting company IP, fear of oppression, etc) as illegitimate purposes,” added Curran.

Curran said that there are issues that most of the “UK government numbskulls are unaware of”.

“How many Tory ministers or advisors have computer science degrees or PhDs? How many crypto experts have they spoken to about this? I bet very few and even if they have, it is pretty obvious that they have completely ignored the advice that any security expert would have given them.”

Wim Remes, EMEA strategic services manager at Rapid7, said that the research paper made some good points about the chosen, brokered identification system.

“One has to remember that .gov systems have a very complex set of use cases, resulting in solutions that are equally complex. As an example, the system has to work for citizens, but also often for expats, temporary residents, etc,” said Remes.

“This obviously doesn't mean that security should be at the bottom of the requirements list. Looking at other countries, we notice the adoption of electronic ID cards which add a second factor to the authentication process, making the data in the centralised databases of considerably less value to perpetrators.”

Remes said Verify is a step in the right direction in that it uses technology to bring government services closer to citizens.

“It's not likely that we will see organisations switch to Verify completely in the early stages. Organisations considering reliance on Verify should investigate their threat model in depth and make sure that they implement the right controls to safeguard their clients,” he said.
