Identity Cards: Evidence to the Home Affairs Select Committee
Evidence from the volunteers at Stand.org.uk
Saturday, January 3, 2004
Introduction
Stand is a voluntary group who seek to increase democratic involvement in the legislative process through the use of technology. In particular, we're interested in using the Internet to place Parliament and government in touch with informed citizens who have strong opinions, and long-standing knowledge, on issues regarding the Internet, new technology and the ramifications of the digital revolution.
Part of the rôle of Stand is to provide tools for concerned individuals of every political persuasion to provide their view directly, in ways and media convenient to our current democratic process. Another is to collate the concerns en masse that we receive from unaffiliated members of the public and seek to distil them in an aggregated form that might more easily be digested by the government's already overstretched civil service.
We responded, at not inconsiderable length, to the government's consultation, a year ago, into "Entitlement Cards and Identity Fraud". We submitted comments and concerns to every question the Home Office posed. As we considered the arguments against the introduction of an ID scheme to be very persuasive, we were very disappointed when David Blunkett insisted on introducing a scheme — particularly given that, when counting all the responses fairly, the individual comments raised by the consultation were overwhelmingly opposed to any such introduction.
As a result, we welcome, cautiously, the efforts of the Home Affairs Select Committee to take a more independent look at the issue. We hope that the issues we highlight and the arguments we put forward will help the Committee in their examination of wider consequences of the ID scheme being espoused by the Home Secretary. As the Committee has only a limited amount of time, we have tried to be terse, as the Committee has requested. Should the Committee — or anyone else — wish to read some of our arguments in more detail, our original report into ID cards, submitted as part of last year's Consultation, is available from our website and can be found at http://www.stand.org.uk/StandIdCardReport.doc (as a 400kb Microsoft Word document).
We are more than happy for any of our comments in this report to be made publicly available, in any forum. We ask that, in any citation, they be attributed to Stand.org.uk. This report is, as we have mentioned, a group effort, edited by Owen Blacker with help from James Cronin, Yoz Grahame, Cait Hurley, Manar Hussain, Malcolm Hutty, Tom Loosemore, Stefan Magdalinski, Danny O'Brien, Alaric Snell and Stuart Tily.
This report is released under version 1.0 of the "Attribution-ShareAlike" licence, from Creative Commons. Readers wishing to see the full version of the licence should visit Creative Commons' website at http://creativecommons.org/.
It should be noted that all quotes from the Oral Evidence session, held by the Home Affairs Select Committee on December 11, 2003, are taken from the uncorrected transcript and are under Parliamentary Copyright. The uncorrected transcript also disclaims the following:
Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.
Readers viewing a printed copy of this document should be aware that italicised and underlined text is hyperlinked in electronic copies and that further reading is available on these subjects. If no electronic version is at hand, a full copy should be available for download from our website at http://www.stand.org.uk/, provided the Home Affairs Select Committee does not object to us publishing this document more widely.
Evidence to the Committee
Biometrics
1. One of the key components of the Home Office's proposed ID card scheme is the use of biometric identifiers. The consultation paper, released in mid–2002, suggested the use of one or more technologies from iris scans, facial geometry and fingerprinting. All of these technologies, though, are flawed and are unlikely to serve the purpose. We are aware that Simon Davies has been doing some work on the biometrics proposed by the Home Office and we believe that Privacy International's evidence will cover the minutiæ of the technologies themselves, so we shall leave those issues to be better covered there.
2. Whilst issues of scale with biometrics are becoming less problematic of late, looking up single records against a database of 75 million cardholders (to use the Home Office's figures) is still going to prove immensely problematic. Some of these problems would be mitigated were look-ups only ever to be made against a record stored on the card. In her answer to question 27 to the Committee, on December 11, though, Nicola Roche stated, "the check of [a] biometric against the National Identity Register can take place without a card". Whilst not relying on a biometric stored on the card means that forging a stored biometric is less worthwhile, this would mean that every check would need to liaise with the database and, thus, check against all 75 million records, introducing much larger consequences of the margins of error. This would only be compounded by any future, Europe-wide system expansions, for example.
Forgery and large IT projects
3. Forging the biometric inside the card is not likely to be very difficult, however. The planned use of these biometric might have made sense a decade ago, but digital cameras and high quality CCTV systems are now commonplace. This makes it almost trivial to steal or forge someone's facial profile or an iris image. All it would take to fake these supposedly unique biometrics is standard commercial software to post-process such a digital image.
4. The only way to secure on-card biometrics against such forgery would be to digitally sign them. All attempts have failed to implement a UK Government–wide Public Key Infrastructure, let alone a national one; it would be wishful thinking to hope that a PKI could be a cheap by-product of a national ID scheme and it is worthy of note that the consultation document makes no reference to costing it. A governmental PKI would be a prerequisite for digital signatures on the biometrics and would be a project little smaller than an ID project itself. It is, however, not mentioned in the Home Office consultation paper, despite the ability digitally to sign official documents being one of the few 'obvious' potential benefits of a scheme.
5. In addition, the Home Office has an abysmal record with public IT projects. An audit of the Police National Computer scheme suggested that "85% of records transferred by the Metropolitan Police contained significant errors"; the Criminal Records Bureau and the Libra Magistrates Court systems are well-known recent fiascos and the Passport Office has only recently recovered from the damage to its reputation after it failed to cope with the predictable rise in passport applications when children became required to have their own passports.
6. On top of this, checking against the National Identity Register, rather than the card, means that there will need to be a large infrastructure in order that everywhere can access the database itself. Not only does this increase the cost (and risk) inherent in building a large, nationwide IT infrastructure the likes of which would surpass many of the previous high-profile failures, but also it means that the National Identity Register would have to allow wide-scale, distributed access, massively increasing the potential for attack. This would still be the case, even if checking against the database were only to be the last-resort case for when an individual is not carrying their card (which, of course, is not proposed to be mandatory).
Data validity
7. We are also very concerned about the validity of the data being put into the National Identity Register. The registration process for an ID scheme will, necessarily, make use of existing primary documentation, such as birth certificates, passports, driver's licences, utility bills and the like. We already know that it is trivial — and relatively cheap — to obtain fraudulent copies of these. A Guardian journalist, just last year, was able to acquire all the paperwork for a new identity for under £500.
8. It's less than a year since the BBC's Paul Kenyon managed to obtain a driver's licence with the name and details of David Blunkett, who is, of course, statutorily ineligible to drive, being registered blind. To do this, Kenyon simply had to visit the Family Records Centre to acquire a copy of David Blunkett's birth certificate, the only proof of identity that was required — use of a technique written about by Frederick Forsyth in The Day of the Jackal over 30 years ago, yet still efficacious.
9. We find it exceptionally unlikely that the Passport Office, DVLA and DVLNI would be able to perform a "very rigorous background check on the individual based on the information that they supply in the application procedure" to create the "biographical footprint" for each of the "10 to 17 million […] cards per year" the Home Office estimates will be created. (Quotes from Katherine Courtney's oral evidence, in answer to Gwyn Prosser's question 48 and Janet Anderson's question 98). These agencies are already very busy running their primary functions; expecting them to be able to absorb increased demand and increased workload per case is, simply, unrealistic.
10. We are sure we don't need to remind the Committee of the problems when trying to run background checks on every single classroom assistant before the start of the academic year 2002–3, a scheme that ended up being deferred due to the massive backlog. Extrapolating the Criminal Records Bureau's figures for when they were "working flat out", their 40,000 in three weeks would still provide fewer than ¾ million background checks across a year.
The National Identity Register
11. We made several points in our consultation response, last year, regarding the astuteness of building a National Identity Register at all. We raised concerns over the government's motives in doing so and the uses to which such a database would be put. The Home Office was then mooting the "benefits" of an ID card in Electoral Registration, for example, and we raised arguments (against P8 and P16) as to why we felt this was an area in which the government should proceed particularly cautiously.
12. Creating a single database, containing (or linking to) all the State-held information on an individual, however, creates a tantalising target for attack and abuse. For the public thoroughly to be able to evaluate any scheme, full details would need to be made available on things like what data would ever be collated therewithin, who would have access to these data, what levels of authorisation and cryptographic protection would be applied to each part of the database, what sanctions there would be for illegitimate access or misuse of the data contained within it and so on.
13. These worries are already being provoked — it is only a couple of weeks since the announcement of a large data-sharing project between the DWP and the Inland Revenue, which will combine information on individuals' working lives. Similarly, the ONS recently consulted on the introduction of 'cradle to grave' electronic records. Both of these projects have significant privacy concerns. We believe Richard Norton-Taylor put things well in an article he wrote for The Guardian on September 21st, 2002, which we have included as Appendix A and is online at: http://masl.to/?I2DB122F6. In this article, he quotes concerns from the now–law lord Sir Nicholas Browne-Wilkinson and the then-Data Protection Registrar and provides examples to disabuse readers of the notion that "the innocent have nothing to fear", often used as justification for privacy-invasive public policies.
14. It is certainly worthy of note that the kind of invasive information-sharing envisaged by the Home Office is entirely at odds with the much more sensible policy at the Office of the
Identity Fraud
15. David Blunkett seems to be under the impression that an ID scheme would be the solution to fraud, notably identity theft — indeed he's guaranteed it will eliminate the problem. We are not alone in disputing this assertion. Indeed, it is our contention that an ID scheme may well result in a rise in identity fraud. At the moment, to impersonate someone, a criminal must acquire a substantial amount of their target's "biographical footprint" and several pieces of hard identity (passport, driver's licence etc), whereas most people will trust an ID card issued by the State; by stealing someone's ID card one could steal their very identity. This isn't very difficult now — Paul Kenyon also acquired Frederick Forsyth's identity in the programme we mentioned in paragraph 7, including a credit card against the millionaire's credit rating —, but a single piece of ID that would save criminals the effort of so much more work can only be a boon for identity theft.
16. Of course, it should be remembered that no ID card is going to be of any value in online transactions. Even with a smartcard, very few users are likely to have the hardware to validate their ID card before completing a sale and, as such, even fewer online stores are likely to request it, much less require it. We repeatedly read scaremongering articles about identity theft online, but an ID scheme will do absolutely nothing to address this issue.
Multiple names
17. One of the less well-understood problems with an ID scheme is that it is being heralded as "solving" the "problem" of individuals using multiple names. What tends to be overlooked, though, is that we have a Common Law right to use the name of our choosing in any given context, my 'real name' is any name by which any non-trivial group of people knows me. Whilst some of these uses may well be nefarious, most are entirely innocent. Consider the remarried mother, who is known at her children's school by the surname of her first husband, or the many people who have reason to use their maiden name or who customarily use their middle name (such as the sister of the author of this document).
18. This is more of a problem if, for example, banks require an ID card as proof of identity. One British poster to the UK Crypto list commented recently that he has at least twelve 'real name' identities — all entirely innocent and simply a factor of multiple languages, spelling and abbreviation — with bank accounts in more than one variant. Of course, simpler examples are easy to find: would the Prime Minister's wife's ID card read Mrs Cherie Blair or Ms Cherie Booth QC?
Changes of address
19. A more concerning side-effect of a National Identity Register would be that everyone in the UK would be forced compulsorily to inform the State of any change of address. As people move, on average, once every seven years — and substantially more than that in some cities and some demographics — any address given on registration is liable to be out of date by a card's expiry. Many people are, understandably, likely to object to the principle of having to inform the State that they've moved; this isn't the sex offenders' register, after all. But privacy demands aside, the amount of resources that would have to be devoted to processing change of address notifications from students, for example, is certainly not insubstantial.