A better class of ID card

Like it or not, Britain will have an ID card scheme within a few years. But the government may be missing a trick: modern technologies mean that a national identity scheme can do much more than simply prevent people doing things they shouldn't
March 17, 2005

Britain is going to have a national identity card scheme. The government's bill won its second reading before Christmas by 385 votes to 93. So it is time to stop debating whether it is a waste of money and whether it will do anything about terrorism, illegal immigration and so on. Instead, we should focus on how to make the scheme work. For that we need to know what the technology can and cannot do.

In a society where huge databases—private and public—store information about most aspects of our lives, the card itself is largely irrelevant when it comes to privacy. When he was home secretary, David Blunkett pointed out that if cheap and effective biometrics—unique physical identifiers—could be developed, the card might become superfluous. For instance, if you decided to go swimming at the local pool, you would walk in, a machine would register some physical detail (a CCTV camera might scan your face), look you up in the government database, pass your details to the local authority (to charge the fee to your account) and to the police (to check that you were not on an offenders' register). No need for a card. Nevertheless, I think a card is desirable. To see why, we need to look at what the identity scheme should do and how it might do it.

Separating the card from the register
The scheme proposed by the government (see box below) has two key technological components: a national identity register and a national identity card. The register will assign all citizens a unique identifier—the "national identity registration number." Two sets of computers are needed to implement this scheme. One set will form the register in a government office somewhere. Its focus will be preventative, stopping people from claiming benefits that they are not entitled to, working illegally and so on. Another lot of computers, the government hopes, will be built into smart identity cards in people's pockets. Its focus should be on enabling people to do things that they want to do, such as opening bank accounts and getting served in pubs if they are just over 18.

A great many of the government's goals—especially relating to the delivery of public services—could be met simply by building the register and nothing more. The efficiency of service delivery in welfare benefits, health, education and many other areas would be improved if everyone possessed an easily verifiable unique number. A great deal of money is now wasted because a council might have dozens of databases and be unable to establish whether a John Smith on one database is the same John Smith on another.

Some form of register is clearly a good idea. It is also a difficult job in itself: in October the head of the e-government unit, Ian Watmore, told the BBC that a national identity register shared by government agencies is "technologically impossible." What he probably meant was that it is impossible to build such a register, share the information between agencies and keep it secure.

Security is, naturally, central to the planning of the infrastructure. To achieve it, the register will match biometric identifiers (fingerprint, iris pattern and facial image, for example) with each citizen number in order to ensure that each number is linked to a unique individual and to stop people from obtaining more than one number. Some of the biometrics work pretty well, but no one method is good enough on its own. And that means recording several biometrics for all citizens—a complex and costly business.

Worries about privacy should be focused on the register, not the card. It is reasonable to be concerned about the future misuse of a register, whatever the intentions of those setting it up. A few months ago, a DVLA employee was sentenced to five months in prison for using DVLA computers to look up addresses associated with car registration numbers and passing them to animal rights activists—a number of homes were attacked as a result. This kind of abuse could be replicated on a grand scale in the proposed register. So it makes sense to assume that data returned by the register will not be confidential, and therefore to keep it to a bare minimum. The government's ID card bill, however, states that over 50 items of information about an individual will be stored on the register. This seems unnecessary. For example, the register will include national insurance numbers (NINos). But there is already a database of NINos, so it is hard to see why we need another one. The register as defined in the bill runs the risk of becoming a one-stop shop for identity thieves. On the other hand, it would be useful the other way around—for the NINo database to store each citizen's unique number (to detect stolen and duplicated NINos). Similarly, the national police computer, the DVLA computer or NHS health records could keep the unique citizens' numbers alongside names without any of the information in those computers being available on the central register. In such a system it would be easier for local and national agencies of the state to cross-reference, using the unique number. This could improve service delivery to citizens but will also need some system of data protection.

It is not obvious why the register should contain names, addresses or any of the personal information that the government intends to put on it. If the purpose of the register is to ensure the unique and verifiable match between a citizen's number and a citizen's biometric, then it need include only these two things. The police and some other authorities could be granted regulated access to check that someone is who they claim to be. This is how Eurodac, the EU fingerprint database for asylum-seekers, works: it holds only the biometric templates and no other personal information other than gender, and law enforcement officials can only ask: "Is this fingerprint in your database or not?" (Since it started in 2003, the system has detected that 7 per cent of asylum applications are apparently repeats.)

As any expert knows, complexity is the enemy of security. It will be hard enough to build the security we should all expect of the register—keeping our biometric data confidential—without adding more information and transactions, such as changes of address that need to be secured. We should resist this for the reasons that both civil rights commentators and security experts identify: we do not know what some future parliament might decide to do with the register. Let us keep it simple, viable and limited in scope. Then let us build a smart ID card to work with it.

A smart ID card for the 21st century
The card that we could build should have nothing in common with the one that Britons carried from 1939-52. That was just a piece of cardboard. The 21st-century card should depend on three new technologies: microcomputers, biometrics and digital signatures.

To see how to use these technologies, we need to consider what the ID card might be used for. The abstract idea of ID cards as a means of increasing our security is, of course, popular—with opinion polls consistently recording up to 80 per cent support. But as the costs and drawbacks become clearer, support will slip, as it did in Australia. The current government plan is estimated to cost £5.5bn and most citizens will have to pay £85 for membership of the system. A card that is a badge of citizenship but does nothing for people except cause hassle is unlikely to sustain support at those prices. The card has to provide a service for citizens that they cannot get without it. Curiously, that special service may be privacy. If the government were to decide to go for a genuinely smart card, it could deliver a national ID scheme that simultaneously provided both security and privacy for citizens.

This is because computers, biometrics and digital signatures can work together to disclose facts about someone without disclosing his or her full identity. Your ID card could send a message to a machine confirming that you are over 18 without disclosing who you are or what your citizen number is. The recipient of that message—Ladbrokes, say—would know that your "credential" was real and had not been forged and let you place a bet without knowing who you are. To understand how, you have to know a little about the technologies mentioned above.

Microcomputers first. Like chip and PIN credit and debit cards, ID cards will contain tiny, tamper-resistant computers. People cannot see what's held securely in those computers. So the only way that, for example, a hospital receptionist will be able to tell whether a patient's card is valid or not will be by using a machine to check it. Anything that is printed on a card could be forged or altered, so is largely irrelevant. We should probably restrict the front of the card to a simple picture of the holder and the citizen number.

What is inside the computer on the ID card is critical. The receptionist's machine could work in two ways. Let's assume that the biometric being used is a fingerprint. The machine could obtain the citizen number from the card and then send it, plus a freshly taken fingerprint, off to the central register for checking. This is a centralised system, as set out in the current bill.

Alternatively, the machine could ask the card whether the fingerprint is that of its rightful owner. Just as the new chip and PIN cards check the number you type in, the card could store and check its owner's biometrics under this so-called "distributed" system. The government has not yet decided whether to store biometric templates in the cards. It ought to. First, other related initiatives have done so, including the International Civil Aviation Organisation standard for smart passports, which stores a biometric (your facial image) in the chip inside the passport. Second, almost all the day-to-day usage of the card could work according to the distributed system, thus significantly reducing the cost and complexity of the central register. Imagine how many computers will be needed if the register has to manage all those queries. And what would happen if the network broke down? If the receptionist's machine could "stand alone," the system would be more resilient.

ID cards can increase privacy
The final piece of the technological jigsaw is the "digital signature," which is not part of the current government plan. Digital signatures can be used to verify and authenticate electronically transmitted information. If you attach a digital signature to a piece of information—say an email—there are two benefits. First, the signature is mathematically linked to the message: if anyone tampers with the information between sender and recipient, the signature will no longer be valid and the tampering will be apparent. Second, the recipient will know for sure who sent the message: the person or organisation whose public key decrypts the signature—thus providing authentification.

If you want to send your bank a signed message, say to make a withdrawal, you create the message, then mathematically generate the signature using your private key and the message itself. The bank can use your public key to verify the signature, and thus the transaction. But how does the bank know that some hacker hasn't swapped your public key for that of his Panamanian shell corporation? Digital signatures again. Your public key would be signed by a variety of authorities, such as the home office and perhaps the bank itself. Their keys are in turn also signed, creating a network of trust based on "public key cryptography." Those networks provide digital certificates combining the key with various useful facts about you: is over 18, can borrow library books, has a valid credit card.

In principle, anyone could issue such certificates. My bank could issue a digital certificate to my children. That way, my 10 year old could use his certificate to go into his Halo computer game chatroom as "terminator@cooldomain.com" or whatever, but would not be able to gain access to a chatroom for over-18s. This isn't a way of getting up to no good. If I do get up to no good in a chatroom as "Donald Duck," then the police will simply take a warrant to my bank, who will tell them exactly who Donald Duck is.

We can use these technologies to develop a flexible and sophisticated identity infrastructure. For one thing, these technologies mean that people can have lots of "virtual identities" if they want: your public key might be in all sorts of different certificates signed by different people for different reasons and your ID card might be allowed to generate its own private keys for you to use in different environments. This is a good thing. I don't want my kids using their real names in internet chatrooms any more than I want hospital whistleblowers to have to use their real names: a nurse, for example, ought to be able to send an email (to report lax hygiene routines, say) with a digital certificate that proves that she is a nurse, but not what her name is.

An ID card so constructed can improve its owner's life in quite different circumstances, too, such as starting a new job. On the first day, the employee produces his or her card. The employer uses a PC to check whether the card is genuine from its digital signature and to display the picture held inside the computer chip so that the employer can see that it's the right person. The employer submits the citizen number to the Inland Revenue, which matches the individual with the correct taxpayer record without the employer having access to any confidential tax information and generates a PAYE code for the accounts department. This saves time and effort.

It is because of these privacy issues that I think that Blunkett was wrong to suggest that biometrics could render cards superfluous. In the overwhelming majority of cases, citizens will use their cards not to prove who they are, but rather to prove something about themselves: they are entitled to be in Britain, over 18 or allowed to buy cigarettes. A properly designed ID card can disclose such credentials without any need for the central register to be accessed or identity to be disclosed (although it will make the card slightly more expensive).

There are some cases where citizens will use their ID card to prove identity—for example, when opening a bank account. You might open a new account by going to a cash machine in a bank branch, putting your eye up to the camera and showing your ID card: no forms, no gas bills and so on. ID cards would save citizens time and banks money.

In his book The Internet Galaxy, the sociologist Manuel Castells said that it is not Big Brother we should worry about, but the multitude of "little sisters": the thousands of databases that store every fact about our lives and our behaviour. People understandably worry about their personal data being stored by government agencies and companies around the world, but it is a fact of modern life and cannot be wished away. The threat lies in the co-ordination of little sisters without individual consent. If I, as a consumer, decide that I am happy for airline X and supermarket Y to tie their database descriptions of me together, that's fine—the decision is mine. The people who issue the digital certificates will be like these little sisters. Airline X should only be able to access the digital certificate issued to me by supermarket Y—and vice versa—with my consent.

Identity management that works
The examples of chatrooms, the internet and email point to a place where identity confirmation combined with privacy is desperately needed: cyberspace. If the government is wise enough to build an ID card that works online as well as offline, it might not only cut fraud but stimulate the new economy in important ways. If ID cards were to contain the software for making digital signatures, then when you logged on to your bank, the Inland Revenue or Tesco, they could be certain that it was you and vice versa because your ID card and the bank's computer would be able to check each other's digital certificates.

This may sound complex, but it is not that hard to implement because most web browsers and web servers already contain the necessary software. The reason that they do not use it is because it is too large an undertaking for them to give every consumer a secure identity.

Hong Kong has one of the smartest smart ID cards in the world and it uses digital certificates to give citizens just that kind of security online. Citizens who want to use their ID card on the web go to the postal service website and buy a digital certificate which is downloaded to their card. They can then log on to websites in complete security. Why can't we do the same? Online banking, online shopping and (one day) online government would be transformed by such an ID card.

Although neither digital signatures nor digital certificates are mentioned in the current bill, the government should want to do something in this area because it would make a real difference to British citizens. It isn't that difficult. Digital signatures have been around for years and there are all sorts of standards for storing and transmitting certificates and keys. Industry is perfectly capable of coming up with ways of building them into products.

Building a useful national identity management scheme is a huge undertaking that needs to balance many interests without becoming a tangled mess. As the government develops a more informed vision, the scheme could look rather different from the one set out in the bill. In particular, the idea that the register should store all personal details should be abandoned as soon as possible. If the register is restricted to storing citizen numbers, biometric templates and digital certificates, then the cost and complexity falls.

If the ID card is made smart enough to verify biometric templates and use digital signatures to disclose credentials without disclosing identity, its utility and attractiveness would be significantly enhanced. Individuals could access services more easily while maintaining privacy. This is a more optimistic perspective than that purveyed by the current "electronic cardboard" vision.

No card is a magic bullet against crime and terrorism. If you are a policeman trying to find out whether Dave Birch is really Joe Bloggs, then it is the register that will tell you. If you are a local council trying to find out if Dave Birch is already claiming housing benefit under another name, it is the register that will help you, since all housing benefit databases will be updated to store the citizen numbers of claimants. From a privacy perspective, a national ID card makes no difference.

But I want one, because a card that uses modern technology effectively is better for us than either a giant database or no card at all. This isn't just another huge government IT project. It's a unique piece of infrastructure for a modern society. Implemented badly, it will make our lives far worse. Implemented well, it could make them a lot better.

What is in the government bill?
The government introduced its ID cards bill in November, and hopes to get it on to the statute book before the election. As it stands, the scheme will be introduced in 2008. Participants will have to submit a range of personal details, including biometric identifiers, to a national identification register. They will then be given a national identity registration number and an ID card. The bill sets out over 50 types of information to be included on the national identity register, but does not specify what will be included on the card itself. The bill allows details on the register to be passed on, without the owner's consent, to various state bodies, including the Inland Revenue and the police, although reasons will need to be given. Initially, the minimum age for registration will be 16.
The scheme will initially be voluntary, although the bill includes a provision for parliament to make registration compulsory, and the government has said it wants to move towards this (there are no plans to force people to carry a card). The bill also allows for parliament to require users of public services to provide a card for eligibility checks. On current estimates, the scheme will cost £5.5bn to implement over ten years. The costs are to be covered by charging the public: the card alone will cost about £40, and a biometric passport, including entry on the register, around £85.