The new Brazilian ID system

The new Brazilian ID-card
The new Brazilian ID-card (from Renato Siqueira's Conversa Digital)

There are more details of the new Brazilian ID card and system on Renato Siqueira’s Conversa Digital blog, including some informative images and photos. It seems that far from eliminating the various different numbers currently used, this new system will merely create a kind of overlay. And, not only that, but the CPF, RG and electoral number will be printed on the back. Unless every single transaction will actually require the taking of fingerprints or the verification of photos, this card will be even more of a convenient source of personal information to thieves and fraudsters than ever before. Plus the chip technology is the same standard format that has proved to easy to clone and access illicitly elsewhere…

Identity and Identification in Brazil

My host and colleague here at PUCPR, Rodrigo Firmino, and I are working on a small bit of research and a paper for The Second Multidisciplinary Workshop on Identity in the Information Society (IDIS 09), at the the London School of Economics, on June 9th this year.

Our paper is based around a case of identity theft, which is endemic in Brazil, which we use to open up the laws, practices and technologies of identification here. One thing that is already clear is that Brazil is a highly bureaucratic state – for example, the forms you need to fill in just to get a mobile phone are incredible in their detail – yet the forms of identification which one needs for every transaction with the state and many private organisations too, are highly insecure.

One example is that every personal cheque has printed on it not only the usual information (bank name and address, bank sort code, account holder name and account number), but also has the 11-digit Cadastro de Pessoas Fisicas (CPF) (a taxpayer’s card) number and the 9-digit Registro Geral (RG) (the national ID card) number. This must be a utter joy to fraudsters and identity thieves!

What’s more, all these are not just numbers in a database somewhere but physical documents in their own right, and on each there is a lot of this cross-identification: the CPF card also has the name and date of birth, the CPF number is ubiquitous, appearing also on the RG card and the driving licence. The latter has its own 11-digit registration number, but also has the RG number, name, and place and date of birth. What is even more interesting is that the RG card not only contains a photo and a thumbprint (the state database contains prints of all 10 fingers and thumbs), but also the names of both parents. This means it can be related more easily to the birth certificate. It reminds me a little of the Japanese system which still prioritises the family above the individual in some ways, but there is no actual equivalent of the koseki, the Japanese family register.

Now, in the name of security and “para integrar os bancos de dados de diversos órgãos dos sistemas de identificação do Brasil” (to inegrate the databases of the diverse organisations of identification systems in Brazil), the Ministry of Justice is proposing to merge some of these – the RG, CPF, Driving Licence and Electoria Regisirtation, into a new, smart, Registro de Identidade Civil (RIC) card based on a unique number. Whilst this will have many of the same problems as new smart ID systems everywhere else, at the very least it might stop Brazilian citizens carrying around multiple documents that list almost everything thieves and fraudsters need and can access without any sophisticated equipment. The process is due to start now, and run until 2017, so we will be taking a look at this as it proceeds.

I’ll put some pictures up with explanations later today…

Australian police data loss and corruption

Here´s a tangled web… at first glance the story being reported in Australian outlets of the state of Victoria´s secret police losing highly confidential data on criminal associates looks like another of those stories so familiar from the UK about an incompetant state unable to safeguard personal data.

But it turns out to be rather more complicated.

It seems that this data loss involves corrupt officers connected to a drugs-smuggling ring. Now, research on identity theft by Jennifer Whitson and Kevin Haggerty in Canada has shown that a high percentage of incidents of frauds are related to the selling or use of data by employees or other organisational insiders. In the UK, we assume incompetance by our state and its numerous private sector associates, but perhaps in this assumption we are too quick to dismiss the possibility of corruption, crime and conspriacies…

European Parliament Agrees to Biometric Passports

The European Union’s plan to introduce biometric passports (with fingerprint images) will go ahead from the end of June after the European Parliament finally agreed to the proposal. This means that all states of the EU will now have to construct new databases of fingerprints for the entire population (including the UK and Ireland who, although outside the Schengen agreement on internal borders, voluntarily follow the same passport standards).

The Parliament did manage to introduce one major ammendment which rejected the European Commission’s plan to have children under 12 years-old fingerprinted as well – although some countries already do this. However, this vote was a rubber-stamping exercise by a ineffectual body.

The unreliability of fingerprint identification, which is mentioned in this report by PC Worldremains a major issue. Having talked to European Commission people at many different events, my general opinion of them  is that, whilst well-meaning, they are seriously lacking technological expertise and knowledge of the research in the area, and generally fail to listen to those who know except where they will confirm their existing opinions. Like most governments.