The government should not scrap its ID scheme but radically rethink it. It should postpone the idea of the ID card and focus instead on allocating a unique national identity number, backed by biometrics, to each citizen—that is all that needs to be held in a national registerby David Birch / October 27, 2007 / Leave a comment
Gordon Brown’s first six months in power present an opportunity to review many policy commitments, and one that is sure to be on his list is the national identity card scheme. It remains, in principle, popular with the public, but support is ebbing away as some of the civil libertarian attacks start to hit home and the costs rise. A useful checkpoint is coming up. Last year, as chancellor, Brown commissioned a public-private forum on identity management under the former head of HBOS, James Crosby, to look at the potential uses of the proposed scheme by business. The forum is due to report towards the end of the year, and this provides a convenient opportunity for reviewing the project. I say this not because I want Brown to scrap it—I’m sure he will not—but because I want him to take the time to make it better. That is, to make it simpler, cheaper and more useful.
Why? Well, not having an identity scheme is clearly sub-optimal, but I don’t think the proposed scheme is optimal either. I would prefer to see a third way: a scheme that takes into account both the march of technology and the practicalities of deployment; that meets the government’s goals but sets aside its presumed solution. We lack a technologically informed, socially aware vision for national identity management, and we need to construct one.
Will the database be secure?
What is being proposed? The government’s scheme has two components: a national identity register and a national identity card. The register is simply a database of information about individuals (name, address, fingerprints and so on). Its critics say there are two fundamental problems. The first is that it won’t work—not a wild prediction, given the history of government IT procurement. There’s no need to rehearse the litany of government IT catastrophes, except to note that soon after I began this article, the government scrapped the new computer system for registrars’ offices because it was a total failure.
The second claim is that the register won’t be secure, which means that it will make identity theft easier. In 2005, Microsoft broke ranks with other suppliers, saying that, “putting a comprehensive set of personal data in one place produces a honeypot effect, a highly attractive and richly rewarding target for criminals.” A further problem is access. You can keep nuclear missile launch codes secret, because few people have access to them. But when tens or even hundreds of thousands have access to something, secrecy is hard to guarantee.
Consider ContactPoint, the government’s proposed database of all under-18 year olds (which is unrelated to the national identity register). According to the government, the information that will be “visible to users” includes name, address, gender, date of birth and contact details of parents, schools, GP, health visitors and other practitioners. The government has said that people with “celebrity status” will have their children’s addresses and phone numbers concealed in some way. Why the “rich and famous” exception clause? The only possible reason is that politicians and civil servants have realised that criminals could use ContactPoint to obtain information illicitly. Permission to use the database has been extended beyond social workers, doctors and teachers to include a wide range of civil servants and children’s services—an estimated 330,000 people in all. What’s more, any voluntary group that provides services to local authorities or primary care trusts will be able to apply for access, as will local education authority officials. There are reasonable, and well-founded, concerns about privacy here, which cannot be dismissed by bland assurances that the “system” will be secure.
How identity numbers work
Despite this kind of criticism, procurement for the national identity register has already begun, although the scheme has changed since David Blunkett first outlined it back in 2003. Having said that it had “no fixed plans for the form and structure” of the database, the home office has, in its action plan, set out an architecture using existing databases at the department of work and pensions, the home office and the identity and passport service. Other aspects of the revised architecture are surprising. As Graham Titterington from the analysts Ovum pointed out, the role of biometric technologies appears to have been downgraded. The action plan has only a brief sentence on iris recognition, and talks only in general about “biometrics such as fingerprints.” This is very disappointing for people like me who think that there ought to be some kind of “gold standard” national identity management scheme that uses multiple biometrics to guarantee that people get on the register once and once only.
Let’s be clear. I think we need a register, but there is no way to make it secure, so we should not store personal data in it. Most of what the government (and I as a taxpayer and a citizen) want from a scheme can be achieved simply by allocating a unique national identity number (NIN) to individuals. The purpose of the national identity register then becomes simple and achievable: to associate NINs with unique individuals.
The efficiency of service delivery in welfare benefits, health, education and many other areas would be improved if everyone had a NIN that was easily verifiable as belonging to them. Goodness knows how much money is wasted because a council might have dozens of databases and be unable to establish whether David Jones on one database is the same David Jones on another. This is a problem that a national register could fix. Whether people have an identity card or not, if they have an identity number, then the delivery of a wide variety of services would be more efficient and effective.
The NIN should not entitle one to anything; it should have no connotations of citizenship or nationality. It should simply mean that the individual—any one of the billions in the world—is known, uniquely, to the British state. Having a number does not mean you are entitled to work here or have been declared free of foot-and-mouth. But it does mean that it is much simpler and more accurate for the vet, immigration officer or hospital clerk to look you up in whatever databases they need to in order to establish your credentials. If your number is in the database of failed asylum-seekers, it is easier to look up your number there (established beyond doubt by your biometrics) than it is to look up your name or whatever other proxies are used for identity at the moment.
Imagine a machine in your local benefits office. You look into the camera, and the clerk positions your fingers on the fingerprint reader. The machine takes your biometric reading—let’s say your face, your iris scans and your fingerprints—and contacts the national identity register. There are three possible outcomes. One, the machine reads your biometrics and finds you on the register, so it prints out a paper ticket with your picture and your existing NIN on it. Two, the machine reads your biometrics but can’t find you on the register, in which case you give your iris scan and fingerprints. This means that you are now on the register, and the machine prints out a paper ticket with your picture and your newly assigned NIN on it. The third possibility is that the machine can’t read your biometrics for some reason, so it tells you to go along to an “attended” service. This might be in the local hospital, where a doctor can attest that you have (for example) damaged irises that cannot be scanned by the machine, so the NIN will be stored alongside only your picture and your fingerprints. The machine then prints out a ticket with your picture and your NIN (also in Braille) on it.
Now, in five minutes or so (the same as a passport photo machine), you have your NIN. And it is guaranteed to be unique. There is no reason for the register to contain names, addresses or any other personal information. Anybody can store the NIN in their databases, and the government can provide a utility interface so that anyone can query it. And I mean anyone: a critical element of a utility solution is that while a policeman is perfectly entitled to ask me to prove who I am, I am equally at liberty to ask him to prove that he is a policeman. So my machine (let’s say my mobile phone) should be able to check his identity just as his machine can read mine.
There is a refinement to this idea that is already implemented in other modern schemes, like Austria’s. This is the idea of sectoral ID numbers (or SINs). This means that the NIN is held on the register but is not disclosed: instead, depending on who is asking, a different SIN is sent back. So the machine in the police station will get back a police SIN when I put my fingers on it: always the same one, so that they can use it in their database but not the same as the tax SIN given to the Revenue and Customs or the travel SIN given to the road toll gantries. Naturally, law enforcement agencies would, with an appropriate warrant, be able to go to the register and request any of the SINs given the biometrics. But they would not be able to trawl through other databases as a matter of course, because they cannot work out what the other SINs are from the police SIN.
This is because the SINs are derived from the NINs by one-way cryptography. In other words, the register can derive the SIN from the NIN, but no one can derive the NIN from the SIN. This sounds complex, but mathematically it is quite straightforward and it means that individual privacy is founded on mathematics rather than ombudsmen or a secretary of state’s discretion. Furthermore, there are technologies emerging that could be used to protect biometric images (such as photos or fingerprints) in the same way. They are not yet ready for commercial use, but in a few years it will be possible to give a “different” fingerprint to each organisation without them being able to use those fingerprints to join their databases together.
The two phases
While we’re building this utility solution, let’s forget about the card. Save the money while the various interests involved work in a more structured way to agree what they want a card to do. Then the technologists can design a card for the 21st century, as I have previously suggested (“A better class of ID card,” Prospect March 2005). Such a card would exploit three key technologies—microcomputers, biometrics and digital signatures—to provide a service that citizens want, that makes life easier for them, and that they will voluntarily choose to use. It would be even better if the card could provide a special service for citizens that they can’t get without it. Counterintuitively, that special service may well be privacy, because smart ID cards can be selective in what they disclose: they can, for example, prove to the door of the supercasino that you are over 21 and a British citizen without revealing anything else.
In the overwhelming majority of cases, people will use their card not to prove who they are, but rather to prove something about themselves: they are entitled to be in Britain, to use the NHS or to read a particular email. A properly designed ID card can disclose such credentials with no need for access to the register or unwarranted disclosure of identity.
Using these concepts, privacy is further strengthened, which means that the government is delivering something positive and beneficial to the average citizen. This seems critical to me, because building a useful national identity management scheme is a huge undertaking that requires popular support to make it work. A practical plan for Gordon Brown to achieve this would be to reorganise the national identity programme into two phases—the number and the card—and to get the number and register sorted out before spending money on cards. In phase one:
1. Focus on the NIN. It’s the 80/20 rule: most of the hoped-for benefits of an ID card are actually the benefits of having a unique number, and if we’re going to do anything we should aim for this gold standard.
2. Keep the register, but abandon the idea of storing personal data in it. Instead, store only the NIN and the subject’s biometrics. The cost of building and managing the register will fall dramatically.
3. Park the card for the time being. The government will save billions and can then work to define a privacy-enhancing ID card that will provide the clarity about citizenship and entitlements that the public and politicians seem to want.
4. Define the national identity infrastructure as a utility service based on industry standards, and allow third parties to begin developing value-added services (so that, for example, you can use your mobile phone to prove you’re old enough to get into a pub).
5. Publish a clear timetable explaining when the use of identity numbers will become mandatory in different environments, so that public and private sector organisations can plan for it.
In phase two, the government should develop an open ID card specification so that it can extend the power of the utility by, in effect, decentralising the register. Since a smart card is capable of telling the doctor my NHS number but my employer my national insurance number, they do not need to go online to the register. This makes the whole system more secure and robust, and gives the ID card a point, because it becomes a mechanism for delivering privacy and security to the citizen. Looking at ID this way—not as a central government imposition but as a utility that will simultaneously bring more security and privacy into our homes and businesses—makes a difference. It’s not too late.