Charlie's Diary

[ Site Index] [ Feedback ]

Fri, 31 Mar 2006

On the unworkability of the National Identity Register

Over at ("Chronicling the demise of the New Labour Project") Tom has an interesting post in which he estimates the workload the NIR registration centres will have to handle, just 32 months from now.

So adding it all up, from NIR Day 1 for ten years you've got to keep processing people at the rate of 50 per hour at every centre, or one every 72 seconds, each of whom requires a scan of the whole central NIR to avoid multiple registrations, so the database has to be up and accessible every minute of the day to avoid delay.

In the early days it's a nailed on certainty that we'll get failures, resulting in potentially hundreds of people making pointless journeys ...

Assuming 99% reliability (which is pretty hysterically funny for a large distributed government program lashed together in 32 months, as it exceeds the MTBF of the client desktop PCs the staff will be accessing the register through) he figures the NIR will be processing 700,000 people a year and roughly 71,000 people are going to be making trips to the office in vain. "I'd suggest that anything much below 99.9% reliability is going to be seriously political in terms of people claiming loss of earnings, loss of holidays etc.," he remarks.

I think Tom is an optimist (in favour of the NIR being unrealistically efficient). The devil is in the details of what the NIR is trying to track. This isn't just a passport system, folks, they want to know where you live, they want to know where your dog goes to school. Unfortunately the Blairwatch comment system seems to have swallowed my reply, so here it is. (I can't be bothered re-writing it, as I've got an annoying cold and it's time to go get some dinner. Go read his figures first, then come back here ...

There is a reason we need to renew our passports every decade; the photograph ages. The same is going to be true of the biometrics on the ID card. There are also all those status changes to take into account. The average marriage lasts just 12 years, for example, and getting married or divorced is obviously an ID Register update. Right?

On top of the on-going 700,000 teens per year I think you need to add the following ongoing overhead updates:

  • Marriages: (90% of folks get married, so that's another 650,000 p/y)
  • Divorces: (40% of marriages end in divorce, so about 300,000 p/y)
  • Deaths: (100% of us die, cumulative death rate is roughly equal to birth rate, so 7,000,000 p/y leaving the register)
  • 10 year biometric updates: 7,000,000 per year. (Do you look the same at 39 as you did at 29? I think not ...)
  • Mutilations: people who lose eyeballs or fingers or otherwise experience changes to their body that would interfere with the biometrics are obviously going to need their records updating. (I'd say this is probably cumulative to somewhere between 5 and 10% of the population, so another 350,000-700,000.)
  • Change of Address: people who move are required to provide proof of change of address. Say we live in a given house for an average of roughly 10 years. Yippee! We've just doubled that 7M figure again!
  • Loss or damage to ID Card: that's going to be a report-to-processing-center job too, isn't it? In 25 years I've damaged one passport and lost another. But these ID cards are going to be riding around in wallets, an environment more like that in which credit cards are used. Personally, I'd be surprised if the half-life of an ID card was much over 2 years in practice, so that'd actually multiply the replacement processing rate by a factor of 5. But that's ridiculous so I'm going to leave it out of the calculation below.

In upshot, I reckon the mature system will have to handle more like 15M to 25M updates per year on an ongoing basis, rather than Tom's 7M updates at first and 700K after 10 years. If we include a card life more like a credit card than a passport, make that 50-100M updates per year.

And this is in addition to the initial registration rate during the first decade as they try to shovel us all into the database!

Bluntly, they're not going to be processing people at the rate of one per 72 seconds -- it's going to be an order of magnitude worse, minimum.

And that's before we look at other updates. Maybe 500,000 people come into contact with the criminal justice system every year -- their records are going to be updated. (If resistance to the ID Card reaches levels associated with the Poll Tax in Scotland in 1989-90, you can ramp that number to more than 10 million a year -- believe it or not, the Councils in Scotland are still trying to clear up the Poll Tax backlog.) As we integrate further with the EU, I'd be unsurprised to see immigration/emigration figures close to 500K per year, too.

Bluntly, the figures don't add up. They're not going to be able to process people properly without an order of magnitude expansion of the processing offices. Nor have we factored in the half-million or so folks a year taking days off work (with a vaunted 99% efficient system), or a whole load of other special cases.

Build a distributed high-security database that's got to add a complex record every second, add three-nines or better availability, will be checked probably an order of magnitude more frequently as well, and ensure that the data integrity is preserved? And do it in 32 months, using the usual New Labour contractors like Capita and EDS? Go pull the other one, Mr Clarke.

[Link] [Discuss ID Cards]

posted at: 21:26 | path: /politics | permanent link to this entry

The UK National ID card

You may have noticed the House of Lords resistance to the ID Card bill collapse earlier this week. You may have shrugged and wondered what it means to you. If you live in the UK, here's what it means:

You Will:

ATTEND an appointment to be photographed, have your fingerprints taken and iris scanned, or be fined up to £2500. Additional fines of up to £2500 may be levied each time you fail to comply until you submit to these procedures.

PROMPTLY INFORM the police or Home Office if you lose your card or it becomes defective, or face a fine of up to £1000. If you find someone else's card and do not immediately hand it in, you may have committed a criminal offence punishable by imprisonment for up to two years or a fine, or both.

PROMPTLY INFORM the National Identity Register of any change of address or face a fine of up to £1000 (you will supply evidence of your previous addresses, not just your current address).

PROMPTLY INFORM the National Identity Register of significant changes to your personal life or any errors they have made or face a fine of up to £1000. You may also be obliged to submit to being re-interviewed, re-photographed, re-fingerprinted and re-scanned, or face a fine.

PAY between £30 and £93 (Home Office estimates — every other body involved says it will be substantially more) to be registered, with further charges possible to change your details and to replace a lost or stolen card.

When ID cards were introduced in this country during World War II, they had three functions. By the time they were abolished in 1952 they had 39 administrative uses. So what won't we be able to do without an ID card, according to Government plans?

If you don't have an ID card ...

You will not (be able to):

Rent or sell a home

Stay in a hotel

Buy or sell a car

Buy a mobile phone

Open or close a bank account

Travel overseas

Obtain medical care

Attend an institute of education

Work or run a business

Be declared dead (or alive)

Be registered to vote

I have four words to sum this up: Tony Blair's Poll Tax.

And if you don't like this and want to do something about it, you should start by supporting the No2ID campaign and/or The Open Rights Group.

[Discuss ID Cards]

posted at: 17:36 | path: /politics | permanent link to this entry

Wed, 22 Mar 2006

2006 Hugo shortlist

The shortlist for the 2006 Hugo awards is now officially out, and I'm very happy to announce that "Accelerando" is on the ballot for best SF or Fantasy novel of 2005.

I'd like to congratulate everybody else who's on the Hugo ballot; and I'd especially like to single out John Scalzi, who's still new enough at this game that he's on the Campbell Award ballot for best new writer as well.

Incidentally, if you're an eligible voter and haven't read "Accelerando" yet, you can download it for free as an ebook. (Or get the paperback when it ships, probably sometime in June.)

posted at: 10:11 | path: /writing | permanent link to this entry

Tue, 21 Mar 2006

I love the sound of deadlines whizzing past my head ...


Ah well. I think that's it — the first draft of a book provisionally titled "The Merchants' War", #4 in the Merchant Princes series, sputtered to a halt yesterday evening. Normally I expect to know damn well when I've finished a book, but this one is the middle of a three book story within an ongoing series: it's there to recomplicate a pre-existing plot, add character development, ramp up the tension, and end on a high note of anticipation. I think. (Doubtless my editor and I will have lots to say on the subjectwhen he gets his hands on the MS, but I'll jump that fence when I come to it ...)

Incidentally, that's not the only reason I've been quiet lately — I've done two SF conventions in the past four weeks, and have another two to go to in the next four weeks, plus the Clarke Award ceremony ("Accelerando" is on the shortlist this year). And today I started writing the next novel. Both books are due on their respective editor's desks in September. They're very different: this next one, "Halting State", is going to be a near-future thriller set in Edinburgh about ten years from now, in the hazy zone where contemporary crime novels cross over with science fiction. In fact, it's going to be so close to the moment that I'm in danger of perpetrating a work of mundane SF.

Being inclined towards crazy stunt performances, I'm planning on writing "Halting State" on my mobile phone. This is technologically feasible because the phone in question has more memory and online storage than every mainframe in North America in 1972 (and about the same amount of raw processing power as a 1977-vintage Cray-1 supercomputer). It's a zeitgeist thing: I need to get into the right frame of mind, and I need to use a mobile phone for the same reason Neal Stephenson used a fountain pen when he wrote the Baroque cycle. Afters all, I want to stick my head ten years into the future. Personal computers are already passé; sales are declining, performance is stagnating, the real action is all in the interstitial networked devices that keep washing up on the beaches of our bandwidth ocean, crazy-weird things like 3G phones and battery-powered network attached storage boxes and bluetooth-controlled vibrators. (It's getting weird out there in embedded intelligence land; the net is alive to the sound of pinging toasters, RFID chips are the latest virus target, and people are making business deals inside computer games.) The internet's old hat too, even with a second dot com boom (and bust) looking: in ten years' time we'll be up to Web 3.1415926535 and counting. Gibsonian cyberspace fits the picture about the way the US interstate highway system fits in a 1960s road movie. It's time to move on.

As part of the research for "Halting State" I've been wallowing around in a whole bunch of blogs. You can get the official line on a community or culture by reading its publications, things like "RFID World" magazine or The Job (the London Metropolitan Police's newspaper), but the view at worm's eye level is very different and I suspect more likely to give you an idea of where things are really going. Strange communities are popping up everywhere on the web as it integrates ever more closely with our ordinary society. On the one hand, there are the academic and technical specialists: I'm inclined to wonder what Jaron Lanier or Michael Benedikt would have made of Terra Nova if you'd waved a dot matrix printout of it at them back in 1990? And then there's the furtively anonymous subculture of the blogging cops — Cough the Lot, A year in the life of a Police dispatcher, The Policeman's Blog, and so on. (Why focus on these two? Well, among other things I'm interested in seeing what happens when you mash the two cultures together, the VR eggheads seeing the 1980s skiffy idea of cyberspace turn into a 2000s commercial phenomenon and a 2010s social scene, and the police who're going to end up with a whole lot of new headaches as the physical world acquires a virtual mapping.)

But that's enough for now.

[Discuss Writing (3)]

posted at: 16:58 | path: /writing | permanent link to this entry

Mon, 06 Mar 2006

Gone Phishing

Identity fraud is something of a current-day worry. We've probably all heard about it, or heard horror stories from someone who's been on the receiving end of it. But how do you tell when someone is trying to do it to you?

The most important thing you can know, to make yourself safe, is this: before some thief can empty your bank account, they have to know how to impersonate you convincingly on paper or on the telephone. And because your bank call center doesn't know you from a dalek by voice, this means they need the password or private information the bank depends on to identify you.

If you've been on the internet for any length of time, you probably get phishing emails — messages purporting to be from financial institutions to you, their customer, warning that your account is in jeopardy and that you need to click here to update your details or log in or something. The "click here" button invariably leads to a convincing fake copy of the bank's web site, and if you enter your details the scammers will be into your real online banking account faster than a greased Jack Russell terrier down a rabbit hole. I get about two or three of these a day for my bank account, ten to twenty a day for my ebay/Paypal accounts, and another twenty to fifty for banks I've never dealt with in my life. Needless to say, I'm blase and cynical about them. On the other hand, things are different for folks who aren't used to the internet — different enough that these thieves find it a lucrative line of work.

A somewhat rarer fraud requires a bunch of people in an office, with a set of telephone lines. I got one of these today. The first sign was around 1pm, when the phone rang. I picked it up: silence on the line. I put it down in disgust, immediately — the silent line means some automatic polling software at the far end is dialing numbers but there were no call centre staff ready to launch into a sales script. And that, I thought, was that.

Then the phone rang again at 4pm. I picked it up, hearing a silent line, which immediately raised my suspicions. But a moment later, someone came on the line. "Hello, I'm J from Barclays banking security. Can I speak to Mr Stross, please?"

As it happens, I do bank with Barclays, and once in a while I get a phone call from their security people. But that silent couple of seconds at the beginning of the call had got me on edge. (Why would the bank's security department be using a polling dialer?) "Speaking," I said. "What is the purpose of this call?"

"We've had a notification about some suspicious activity on your current account and we're phoning to check into it." So far, this was following the standard Barclays script. However, a second odd thing about the call caught my attention: my caller's accent. Barclays have not, as far as I know, outsourced their call centres from the UK, but his accent was definitely foreign. I'm bad at accents: I initially thought "Indian", but as he continued I shifted to "South African". Still, that's not damning. When I visited my bank branch this lunch-time, the cashier who dealt with me was Polish. But you can add up points here, and this was the second oddity about the call.

Then: "can I just confirm your identity sir? If I can ask you for your date of birth and your mother's maiden name ..."

That is what really started the alarm bells ringing.

You see, Barclays use these bits of information to authenticate callers. You go through a switchboard system, punch in your account number, and then talk to a call centre cashier. Who uses these questions to confirm that you are who you say you are. But this guy was asking me to break the first rule of security, which is know who you're talking to. He had called me. How did I know he really was from Barclays' security department? All I had was his word for it. If he was a bad guy, then he knew my name and phone number. If he had access to my bank statement (with account number and sort code printed on it) then all he needed was my pass information and he could impersonate me. Tell the bank I've moved to his own address, request new debit cards, and bang — that's my account stolen.

Hint: Your mother's maiden name is a matter of public record. Banks who use this as a customer password are just asking to be hit on by fraudsters. Me, I lie to the bank: the name they've got on file as my response to that question is not my mother's maiden name, so any identity thieves who go researching me are going to get it wrong.

"Excuse me, but I don't know who you are," I said. "Give me you department's phone number and I'll call you back."

A little confusion, then he rattled off a number (0800 389 1652) and I hung up on him.

First stop: caller-ID. I dialed BT's last number service and got "the caller withheld their number". That's odd, but not utterly implausible for a real bank (they do silly stunts with offshore voice-over-IP to save money). Second stop:, to see if I could find that telephone number anywhere. Funnily enough, the number (0800 389 1652 — a commercial freephone number) wasn't listed in Barclays' page of contact numbers. Third stop: google. Nope, nobody seems to have a web page with that phone number on it listed.

Fourth stop: after some mild irritation digging it out of the web, I called Barclays customer services, and got through to a helpful fellow. Because I initiated the call, I didn't mind giving him the password. "No, there's no outstanding notes on your account. Let me call that number you were given and see if it's one of ours ..." (It seems big banks haven't yet cottoned onto the idea of an in-house phone book with reverse lookup). "That's odd, it hung up after it rang three times. I'll try again." And no dice that time, either. "I'll make a note on your account."

And now for the punch-line. Some bastard just tried to steal my bank account. I have no idea how they decided to target me, but from the sound on the line they're running a call centre, and from the accent, they may not be based in the UK at all. If I had taken it on trust that my caller was from my bank and answered their questions, I would be in a world of hurt right now. I'm pretty sure they don't have my bank details (I don't leave statements lying around) but there's one due real soon now that hasn't arrived yet ... and you can never be sure what's happened to the mail that you haven't received. Barclays aren't a major high street presence in Scotland (they've got three branches in the whole country) and my phone number has the Edinburgh dialing code, so to be targeted that way implies that they knew beforehand that I am a Barclays customer and were just looking to fill in the gaps they need. Which is worrying. It implies they know more about me than they'd get by just sticking a pin in the phone book. (I should add that I won't be a Barclays customer for much longer — I've been meaning to change banks for a while now, and this is just the final straw.)

Anyway, in this particular case I didn't get phished — but it's bloody easy if you lose track of the essentials: never disclose secret information — like your banking details or passwords — through a communications channel which you did not initiate for yourself.

Oh, and J, if you're out there and reading this, I'm looking for you. And when I find you, I'm going to do my best to put you in prison. Sleep tight.

[Discuss spam]

posted at: 17:27 | path: /spam | permanent link to this entry

Thu, 02 Mar 2006

Hugo nomination deadline approaching

Just a reminder that if you attended last year's world science fiction convention, or are registered as a member of this year's con, you can nominate works for the Hugo awards. You can vote online here, or by post. Nominations are closing soon — midnight PST on Friday, March 10th.

Hint: my eligible novels are Accelerando (which you can download for free from that link) and "The Hidden Family". My eligible short fiction is "Snowball's Chance" (published in Nova Scotia: the new anthology of Scottish speculative fiction), and, um, that's about it.

[Discuss Writing (2)]

posted at: 16:03 | path: /writing | permanent link to this entry


Is SF About to Go Blind? -- Popular Science article by Greg Mone
Unwirer -- an experiment in weblog mediated collaborative fiction
Inside the MIT Media Lab -- what it's like to spend a a day wandering around the Media Lab
"Nothing like this will be built again" -- inside a nuclear reactor complex

Quick links:

RSS Feed (Moved!)

Who am I?

Contact me

Buy my books: (FAQ)

Missile Gap
Via Subterranean Press (US HC -- due Jan, 2007)

The Jennifer Morgue
Via Golden Gryphon (US HC -- due Nov, 2006)

Via (US HC -- due June 30, 2006)

The Clan Corporate
Via (US HC -- out now)

Via (US HC)
Via (US PB -- due June 27, 2006)
Via (UK HC)
Via (UK PB)
Free download

The Hidden Family
Via (US HC)
Via (US PB)

The Family Trade
Via (US HC)
Via (US PB)

Iron Sunrise
Via (US HC)
Via (US PB)
Via (UK HC)
Via (UK PB)

The Atrocity Archives
Via (Trade PB)
Via (Trade PB)
Via Golden Gryphon (HC)
Via (HC)
Via (HC)

Singularity Sky
Via (US HC)
Via (US PB)
Via (US ebook)
Via (UK HC)
Via (UK PB)


Some webby stuff I'm reading:

Engadget ]
Gizmodo ]
The Memory Hole ]
Boing!Boing! ]
Futurismic ]
Walter Jon Williams ]
Making Light (TNH) ]
Crooked Timber ]
Junius (Chris Bertram) ]
Baghdad Burning (Riverbend) ]
Bruce Sterling ]
Ian McDonald ]
Amygdala (Gary Farber) ]
Cyborg Democracy ]
Body and Soul (Jeanne d'Arc)  ]
Atrios ]
The Sideshow (Avedon Carol) ]
This Modern World (Tom Tomorrow) ]
Jesus's General ]
Mick Farren ]
Early days of a Better Nation (Ken MacLeod) ]
Respectful of Otters (Rivka) ]
Tangent Online ]
Grouse Today ]
Hacktivismo ]
Terra Nova ]
Whatever (John Scalzi) ]
Justine Larbalestier ]
Yankee Fog ]
The Law west of Ealing Broadway ]
Cough the Lot ]
The Yorkshire Ranter ]
Newshog ]
Kung Fu Monkey ]
S1ngularity ]
Pagan Prattle ]
Gwyneth Jones ]
Calpundit ]
Lenin's Tomb ]
Progressive Gold ]
Kathryn Cramer ]
Halfway down the Danube ]
Fistful of Euros ]
Orcinus ]
Shrillblog ]
Steve Gilliard ]
Frankenstein Journal (Chris Lawson) ]
The Panda's Thumb ]
Martin Wisse ]
Kuro5hin ]
Advogato ]
Talking Points Memo ]
The Register ]
Cryptome ]
Juan Cole: Informed comment ]
Global Guerillas (John Robb) ]
Shadow of the Hegemon (Demosthenes) ]
Simon Bisson's Journal ]
Max Sawicky's weblog ]
Guy Kewney's mobile campaign ]
Hitherby Dragons ]
Counterspin Central ]
MetaFilter ]
NTKnow ]
Encyclopaedia Astronautica ]
Fafblog ]
BBC News (Scotland) ]
Pravda ]
Meerkat open wire service ]
Warren Ellis ]
Brad DeLong ]
Hullabaloo (Digby) ]
Jeff Vail ]
The Whiskey Bar (Billmon) ]
Groupthink Central (Yuval Rubinstein) ]
Unmedia (Aziz Poonawalla) ]
Rebecca's Pocket (Rebecca Blood) ]

Older stuff:

June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
October 2004
September 2004
August 2004
July 2004
June 2004
May 2004
April 2004
March 2004
February 2004
January 2004
December 2003
November 2003
October 2003
September 2003
August 2003
July 2003
June 2003
May 2003
April 2003
March 2003
February 2003
January 2003
December 2002
November 2002
October 2002
September 2002
August 2002
July 2002
June 2002
May 2002
April 2002
March 2002
(I screwed the pooch in respect of the blosxom entry datestamps on March 28th, 2002, so everything before then shows up as being from the same time)

[ Site Index] [ Feedback ]

Powered by Blosxom!