The problem with public identifiers

There’s an intriguing story in the Montgomery County Sentinel which neatly illustrates a couple of things about identity systems. It concerns some high school students whose latest game is to spoof the number plate of someone else’s car and then deliberately speed past a speed camera. The first the unwitting owner of the genuine plate knows about it is when a $40 ticket lands on their doormat*.

So what does this tell us about identity systems? Well, first, that a permanent, public identifier (such as a number plate) is not necessarily a sufficient or reliable proof of identity. In this instance it’s clear that, as a credential, it’s not immune from forgery; nor does it, on its own, reliably and uniquely identify the holder.

Second, the creativity of those who set out to break or bend identity systems almost inevitably outstrips the ingenuity of the designers.

Would the same spoof work in the UK? In most cases, I suspect it would. Under UK law, speeding is a “strict liability” offence – meaning that you can’t plead mitigating circumstances, so it’s subject to a summary penalty; currently, UK law in this area reverses the presumption of innocence, so the burden of proof is on the recipient of a speeding ticket to prove that they were not the driver of the vehicle at the time (regardless of whether, as in this case, it wasn’t actually their vehicle); and the majority of UK speed cameras take a still photograph from behind the vehicle after it passes the camera… so the actual driver of the car doesn’t appear in the picture.

Some mobile and ‘face-on’ cameras capture the driver’s face with varying degrees of clarity, but again, the burden would be on the registered owner to prove that it wasn’t them at the wheel. Either way, it would certainly work as a nuisance attack, even if the victim did eventually get the ticket cancelled and any points knocked off their licence [sic].

*Incidentally, it’s funny how this story also illustrates some of the many differences between the US and UK English vernaculars. The US version would be about spoofing license [sic] plates and waiting for a $40 citation to wind up in someone’s mailbox… ;^)