Hong Kong Gets Smart ID Cards

darnellmc writes: "This AP article is about Hong Kong's new smart ID cards (mandatory) with "embedded computer chips that hold names, pictures and birthdates -- as well as a digital template of both thumbprints". The picture in the article shows a man holding them and smiling. The article also mentions "Hong Kong's government backed down on proposals to have the cards carry health and bank records". The Hong Kong government hopes to add optional features like using them as driving licenses and library cards. This government learned nothing from the USA's abuse of the Social Security number, this is much worse. Hoping one card will do it all. These cards are also in the works in other countries like Finland, Malaysia and Japan where they are to be optional. Thailand is working on a mandatory card."

Optional?

[jlower]

If they are introduced as "optional" (as the article states some countries plan), how long before you simply can't do certain things without one?

Sort of like trying to live in the USA without a credit card. It can be done but it complicates your life enormously when you try to do things like rent a car, book hotel rooms, etc.

Sort of like disclosing your SSN (in the USA) is supposed to be 'optional' but you'll find it's not really optional when you try to get a loan, activate certain utilities, and so on.

Point being, 'optional' may be a way to get it in the door but it soon becomes mandantory for all practical purposes.

Re:ID Card Threat?

[BurritoWarrior]

Just pick up a copy of Orwell's 1984 and you will find the answers you are looking for.

We have always been at war with Eurasia.

Re:ID Card Threat?

[Clay Mitchell]

I assume people are worried about being tracked... But the only places I could think of needing to use it are when you are either a) getting on an air plane or b) entering a government building. honestly, considering how often people attack those 2 places, i think the national id card is a pretty damned good idea.

Re:ID Card Threat?

[palmersperry]

The "threats" that I'm aware of are :-

1) Compulsory ID cards only make sense if it's requirement to always carry them, and *that* only makes sense if the Police can stop anyone and ask to see them at anytime - at which point you're perilously close to a police state[1].

2) Badly implemented smart cards will make it easy for the theft of other peoples identities.

[1] Of course, Hong Kong has been perilously close (if only in geographic terms) to a police state ever since the Chinese revolution!

USA's abuse of SSN not a problem in Hong Kong

[armie]

This government learned nothing from the USA's abuse of the Social Security number, this is much worse.
ID cards are have been mandatory in Hong Kong for a very long time - they were just not "smart" yet.
Identidy theft/number abuse is NOT a problem.

Security Issues...

[SGDarkKnight]

well im sure everyone is thinking somewhere along the same lines of security issues with these cards. What will happen if someone is able to sucessfully duplicate an individuals card. The information has to be kept somewhere, and if that database ever gets hacked, say goodbye to everything - credit card numbers, back account information, health issues that could arrise from having all your health and medical conditions kept on this one card - - On the plus side i'm sure there is going to be lots of bounus to the card as well. Bac kto the medical reasons, anyone that carries their card could have all the treatment proceduers for that "rare life threating disease" they may have. I think it would be a major toss up, the list of pros and cons could go on for a very long time.

Re:ID Card Threat?

[grid geek]

Its all about who has what information about you.
An ID card could carry your full name, date of birth. Fine, no problem with this. Less hassle getting served at the bar 8).
Now add photo and the state has a current image of almost every citizen which could then be plugged into cctv systems at political demonstrations and immediately identify people opposed to the current government. Bye Bye Freedom of Speach and hello the ability to track someone where ever they go.
Fingerprints. The government doesn't have my fingerprints and I hope never will. Imagine you were at the scene of a crime, if the state already has your fingerprints they can match anyone who was there against their database, not just against known criminals.
Genetic finger print. Think of Gattaca and the eye lash being found by the police. Immediate identification with very small probability of error. Now tie this in to :
Banking - going for a loan? Any genetic defects and they'll increase the interest rate you're paying and demand cover in case you die before its repaid.
Insurance - any genetic abnormalities and then try getting insurance. Even worse if diseases such as HIV/AIDs were included in your information.
Finally the worst part Identity theft. Government ID card is supposed to prove beyond all reasonable doubt that you are who you say you are. If you have a card with your photo on it, with your fingerprints and genetic fingerprint all matching then obviously you must be the person named on it with access to all your bank accounts, property deeds etc. Anything I've missed?

Re:ID Card Threat?

[denny_d]

Smart Cards in general are *not* bad, I use one at school and it speeds access to the information I need about my schedule/profs/etc.*

However, it's the collection and the dissemination of the data that worries me most...China can do it because it has a very weak representative body and a very strong executive body...you can almost say the same for 'most' democratic states today...

Austria for example is proposing the same thing to counter it's immigration problems, complete with Thumbprints. Austria is also 'forcing' it's citizens to use a smart card for insurance...In a pseudo socialist state this is understandable. The 'state' is paying for the insurance (via citizens' taxes) so controlling entry/exit for hospitals is important.

The question though is how long before these kinds of cards will be used for work permits (as in the case of immigrants in HK and Austria (not yet complete)) all over the world...

Futurama ref: scan the career chip and viola, you have a job...or permission to live in such and such community.

We're used to badges for entrance into companies. How long before we're using a badge (smartcard) to do anything that involves the state or it's infrastructure?

Dennis

Already cracked.

[Noryungi]

From what I can see on the picture (not clear), the cards are standardized "smart"-chip cards.

These have been cracked, almost trivially, by a French hacker a year or two ago -- the models he cracked were bank/ATM cards.

All in all, I fail to see what the fuss is all about. Dealing with Chinese police is not easy, but this is not a surprise for most users, is it?

If such a card was introduced in, say, the European Union, citizens would probably have the right to:

• A. Refuse to show your card or swipe it in a card reader unless the person in front of you could produce reasonable evidence he/she is works for a law enforcement agency. That excludes giving your card to a merchant in order to buy something, for instance.
• B. Access all data which is contained on the card, and requests modifications and/or removal of sensitive information.

I am almost certain that the legal protections detailed above would be respected in a court of law, and enforced by the European Court for Human Rights.

Of course, that type of legal protection is only available in the EU, and not in Hong Kong. Or in the USA, for that matter...

So, on one hand, there is a chance of Big-Brotherish abuse... or a chance of ID theft or false-ID flood. Pick your poison. Fun future ahead for Hong Kong residents.

Re:What kind of crack are they on

[regen]

how long will it be before someone builds a remote reader that can pull info just by walking within a few feet of one?

I really doubt this would be an issue. The smart cards have no power supply nor do they have a radio transmitter. It would be extremely difficult to remotely power a device and remotely sense extract data from the device. You could possibly extract information from a reader when the device is in use, but it would be much easier to set up a fake reader to do this rather than doing it remotely from a real card reader.

This is similar to problems faced with ATM machines. A few years ago people started setting up fake ATM which would capture your ATM card info and PIN and then return an error. The crooks would forge new cards and clean out your account. No need to sniff data from working real ATMs when people would use your bogus ATM.

Re:What kind of crack are they on

[shimmin]

It is certainly possible to make it *extremely* difficult if not impossible to get a private key out of a smart-card. The NSA did it with Skipjack in the early nineties.

Techniques specific to cracking a smartcard have undone this work. If one knows the encryption algorithm used by the card and the hardware used to implement it, then because the card reader provides the card with power to do its computations, the power-demand-vs-time information gained by the reader can be used to reconstruct the key stored in the card.

All 15 of the AES submissions are vunlerable to this attack. Moral: never stick your smartcard in an untrusted slot.

Re:What kind of crack are they on

[fssd]

Okay, I live in Hong Kong. Actually that's not the worse part, as serveral ppl has mentioned, we would not mind carry such card around, since this is required by law to carry one around(smart or non-smart one, just like the SS). The problem is the way that they choose the vendor, who ever get the lowest price got it. The problem is the vendor who bid the project, Pacific Cyberworks [pccw.com] is not well known on such technology locally. They claim they can finish the whole thing within 18 months cycle, which if you think more about it, it's a ridiculous short time frame. Not to mention their bid is half of the second lowest bid. That makes me have a really bad feeling that the security on such system would not be throughly tested at all. sigh...

Re:Really?

[Merry_B.Buck]

According to AT Kearney [foreignpolicy.com], Finland has the highest combination of personal freedom + lack of government corruption in the world. Denmark, the Netherlands, and New Zealand also get slightly better ranks than the US.

Check out Singapore's "rank" -- low corruption + low levels of personal freedoms + huge tech infrastructure = the most "economically globalized" country in the world.

Re:Hmmm... in a communist country

[Czarnian]

Communist countries have had identity cards in the form of booklets for an extremely long time. You can bet that the citizens of China all have identity cards (apart from farmers who are a sub-class without any right of movement). Post-communist countries continue to have identity cards. The roots of identity cards/booklets go back to Czarist or even previous times, authoritarian regimes have almost always required subjects to carry internal passports.

An identity card is basically an internal passport, proves who you are and gives you access to certain areas/services or prevents police harrassment.

And from living in a post-communist country I can tell you how much of a bother they are. You can't get anything 'official' (tax, etc.) or 'semi-official' (bank) done without one even though fraud is just as easy to commit.

Re:ID Card Threat?

[osolemirnix]

"Compulsory ID cards only make sense if it's requirement to always carry them..."
I beg to differ.

Compulsory only means that every citizen has to have one, so that he can identify himself when needed (either if required by law or if he chooses). It doesn't necessarily mean that it's compulsory to carry the card at all times, neither does it mean that police must be allowed to stop and ask to see it without good reason.

There are dozens of situations where it makes perfect sense to have a reliable standardized ID, to be able to identify yourself.

As an example: the US authorities do not even have the slightest clue about the status of people living in their country. I used to live in the US for a year when I was 17 years old. I had a SSN and I got a drivers license there. When I turned 18, I got a letter from the draft office asking me to register with them. I don't exactly know how they got my name and birthdate, but I assume via the drivers license or SSN registration. Fact is, I never was a US citizen. At the time I got the letter I had already left the US (it was forwarded). The US draft office knew nothing about this. It required several letters to convince them that their registration process didn't even apply to me (as a non-US citizen). The only thing that did was my (non-US) ID.