The Register reports that "Home Secretary Alan Johnson has confirmed that the National Identity Register contains National Insurance numbers and answers to 'shared secrets'."

See: http://www.theregister.co.uk/2010/01/07/id_register_includes_ni_numbers/

Johnson was responding to a parliamentary question about "what information will be held on the National Identity Register which is not held on the UK Passport Database."

Inevitably, there will be concerns about privacy, but I have other concerns, too. "Shared secrets" refers to the sort of secret questions and answers that banks use to authenticate customers when they phone in or access their accounts online. Well, we can hope that they'll do a little better than "Your mother's maiden name" and other far-too-easily-available information. We can even hope that they'll do better than using questionable "publicly available" data as supplementary information, or at least be extremely picky about validating such data before they use it. I like to think I have an optimistic streak. 

(If you're unsure as to why I find this issue disturbing, see http://www.eset.com/threat-center/blog/2009/12/14/your-data-and-your-credit-card, http://avien.net/blog/?p=213 and http://avien.net/blog/?p=209.)

However, I'm also concerned about the incorporation of National Insurance numbers into this database: not because of their mere presence, but because I have to wonder how they'll be used for authentication. Will people be authenticated by asking them their NI number? I'm not aware of a predictive vulnerability in the allocation of NI numbers like the one discussed in relation to US Social Security Numbers in our paper "Social Security Numbers: Identification is Not Authentication" - see http://www.eset.com/download/whitepapers/EsetWP-SocialSecurityNumbers20090810.pdf. But I don't believe that it's particularly difficult for a determined blackhat to get hold of a targeted individual's National Insurance number. I can't help wondering whether it might be used as if it were a password, in the same way that SSNs are sometimes misused in the US. Fortunately, I have absolute faith in the ability of any government agency to do the right thing when it comes to security. Invariably. Not.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/