The Register
Original URL: http://www.theregister.co.uk/2004/05/05/complete_idcard_guide/

Everything you never wanted to know about the UK ID card
By John Lettice (john.lettice@theregister.co.uk)
Published Wednesday 5th May 2004 20:47 GMT

A pub bore's guide

Do you know how the UK's projected compulsory ID card will work, and what it will entail? If you do, you're significantly in advance of David Blunkett and the Home Office, because although a draft bill and consultation document was published at the end of April, these really only provide signposts to what the powers that be would like it to be able to do, and a little bit of evidence as to how they might propose to get it to do these things. But we're considerably further on in terms of information than we were before the draft, and it's not likely to get much better by the time the consultation period ends. So, as our small contribution to the democratic process, we present The Register Idiot's Guide to the UK ID Card.

What do you get, when?

There will be a "family" of ID documents that will be phased in, beginning with passports. These will start to appear in three years, at which point it will not be possible to get an old style non-biometric passport. The system's non-compulsory nature therefore hinges on your not actually wanting a passport any more - otherwise you have to give the Passport Office the £73 for the new one. Rollout periods for other members of the family are not covered in the draft bill, but as these are introduced, the old version will similarly cease to exist. Proud owners of old-style perpetual paper UK driving licences, already smug because they don't have to cough up to renew the existing picture licence, can be even smugger. Until such time as Blunkett hunts us all down.
The new ten year biometric driving licence will cost around £69, says the Home Office (what do they mean "around"? £68.99?) and the new ten year ID card £35. Which, if they don't get feature-consolidated pretty quickly, is an impressive outlay every ten years. 80 per cent penetration for the new ID is intended to be achieved by 2013. The draft bill includes power to set a date for the card becoming compulsory, but this will not happen until after "the initial stage of the identity card scheme was in place and following a vote in both Houses of Parliament on a detailed report which sets out all the reasons for the proposed move to compulsion." Correct - that does not specify a date.

The ID document will contain a picture, one or more pieces of biometric ID, and a unique number which will identify you on the central database. The documentation at the moment only talks about what is likely to be visible on the document, with name and date of birth being put forward as the bare minimum. But it is more specific about the information that will be recorded in the database (see below). The Home Office suggests more visible information: "name, age, validity dates, whether a person has a right to work, and an unique number". There you go, feature-creep already.

The biometric can be used to tie a specific individual to the ID document, and to look up an individual and identify them from the database. In that case, you theoretically don't need the document to identify someone in the first place, and the Home Office (and Blunkett) do airily suggest that people might want to have a database check performed on themselves in order to establish their identity. But as we explain below, this really is not something it's smart for them to be pinning too much hope on.

Which biometric?
For reasons explained here, (http://www.theregister.co.uk/2004/04/19/biometrics/) previous Home Office studies fix on fingerprint as the best combination of identifier and practicality, but recommend a second biometric to be used as a decider in order to bring false alarms down to a more acceptable level (using fingerprint alone with a reasonable trade-off between false alarms and failed matches, Heathrow would generate in excess of 1,000 false alarms a week). The choice of the second biometric isn't so obvious. Iris is in principle a more effective ID biometric than fingerprint, but you need optimum positioning, lighting etc, so it's not so good for widespread deployment or fast throughput in an immigration queue. Facial recognition currently doesn't cut it for mass ID purposes, but might just work as a 50:50 'decider throw' secondary biometric for use at entry points. But the big thing it has going for it is that it's been adopted by ICAO (the International Civil Aviation Authority) as the next step for machine-readable passports. So unless ICAO is persuaded to change its mind, it's coming in passports anyway. ICAO's decision, by the way, seems to have been made on the basis that face had a higher "compatibility" rating than fingerprint or iris. By this, they appear to mean that because passport-based identity currently leans heavily on the picture, it makes sense to carry on using the picture (Yes, we know - don't tell us, tell ICAO). So although the Home Office has kicked off a 10,000 volunteer trial of the three technologies, fingerprint seems the racing certainty for primary biometric, with facial a strong contender for the secondary. 
The Home Office no doubt has its own reasons for thinking the trial will tell it something useful, but as the target population is over 60 million (us, plus all the people we're looking for and have data on), and the British Airport Authority airports processed 134 million passengers last year (Heathrow 60 million, Gatwick 30 million), you could reasonably doubt that it will learn much of value applicable to very large throughputs and databases. Issues associated with the deployment of the secondary biometric readers (cost, location, environment) could well lead to their not being used outside of entry points and major installations, which might mean non-passport ID would use only the fingerprint. Other differences are likely to creep in; for example, the Home Office appears to be willing to allow veiled pictures for moslem women in ID, but the draft documentation reiterates current passport office guidelines, which amount to 'headscarf OK, veil bad'. So unless somebody's got it wrong, different strengths of ID are already creeping in, and any dreams you had about a single, do-anything document are way, way in the future. The Home Office's suggestion of three different levels of checking (see below), by the way, makes it clear that it in some senses accepts the view that you should use different strengths of security in different situations. But philosophically this doesn't entirely match with its pitching the cards as a single, high-strength security device.

How will it work?

That depends. The basic link is between you and the document, and this can be readily established by using a machine that checks you against the biometrics in the document.
This is essentially a local check which depends on the document being valid and untampered with in the first place, but the introduction of biometrics in the document should make it significantly harder to produce forgeries, so we can expect a substantial initial increase in confidence in the piece of ID produced, even if we are simply looking at the picture and not bothering with the biometrics. Which is A Good Thing, because it's difficult to conceive of biometric readers being either welcome or likely to stay in usable nick for long at point of sale, doctor's surgery, council offices, etc. The Home Office suggests three likely levels of check for non-government purposes. Retailers would check the photo, banks etc would check the biometric and verify it against the database, and employers would check immigration status "via an automated telephone check." These suggestions most likely derive from the Home Office's doomed quest to make us love and demand ID cards, and on a voluntary basis are unlikely to become widespread. How often do you get asked for ID to back up your credit card? So why should shops want the new passport when they don't want the old passport? Banks do need to make pretty strict checks covering identity and place of residence when you open a bank account, but their existing systems work, and they won't jump into a new and unproven system which, from their point of view, brings little to the table, lightly. Plus they're already reading entirely different kinds of cards. And employee checks? Here comes the stick. Employers don't at the moment have to check immigration status when they hire someone, so why would they? Indeed, why would they care? But under the provisions of the Asylum and Immigration Act 1996 the secretary of state can make orders requiring eligibility checks by employers. This will be considered "closer to the date of implementation" of the ID card scheme. 
The Home Office, bless 'em, pitches ID cards as the "key to the UK's future", and witters (in the press release) (http://www.homeoffice.gov.uk/n_story.asp?item_id=918) that "crucially, the cards will help people to live their lives more easily, giving them a watertight proof of identity for use in daily transactions and travel." So it's clear they want all of your personal transactions to be underpinned by the national unique ID, but we've already seen that the private sector is unlikely to be keen. Not only that, it's more likely to be actively hostile. Banks and credit card companies do not want to make their systems dependent on a database they're not in control of, and no matter how much you want all of your credit cards on one piece of plastic (which is a bad idea anyway, trust us), they ain't going to give you it. They really are not going to help the government in its efforts to make the ID card popular. Really. Moving on from low level and relatively rare operation in the private sector, we get to the government and public sector. There will, as we've already suggested, be considerable resistance to the use of readers and the checking of cards in areas of the public sector, but this will be neither here nor there from the point of view of you, the user. Think about it: not that many of the public services you're likely to be using will be available if you don't establish an ID as part of the process, and you go onto a record as a part of that process. So doctors can be as precious as they like about not checking your ID card, but will still put you onto a list which can and will be checked against the ID register, and if it's not on there, consequences will ensue. As the system matures and increasingly interacts with other public sector ID systems, it will inevitably engulf the whole of the public sector, and it doesn't need support for this to happen. 
The arms of government that obviously do want to embrace the system are passports and immigration, and the police. It will most obviously sing and dance at the arrivals terminal, so it's worth at this point taking a small detour so that we understand that the singing and the dancing here will by no means be automatic.

Passport Control

We've already established that a biometric will be used to tie the bearer to the document, and that we can use a secondary biometric to deal with disputes, and a network check in addition to this. But rewind - how, physically, are we handling this? We need to have a reader that will take the biometric from the passport and compare it to a handprint (we'll assume we're doing fingers, OK?) which will probably be produced by placing one hand firmly on a flat surface. So we need the people coming in to understand what they're supposed to do and get it right, and we need to deal with failures to read the passport, and we need to intercept jokers, terrorists and our slower brethren who might be using false hands, cunning fingerprint gloves, or even just the wrong hand. We need an attendant combining a nice and a nasty attitude as appropriate to get them through, or whisk them off to another stage in the process where complete failures to read are checked more thoroughly. Maybe you get your terrorists in there, and you'll certainly get some immigration 'issues' but mostly you're likely to net perfectly innocent UK citizens whose fingers are worn/dirty or whose passports are bust. So you're detaining people you wouldn't have detained under the current system, and you need to undetain them pretty fast if you don't want unpleasant headlines about dud government IT systems in the press. Aside from reading failures and hardware failures, you'll have false matches and failures to identify, and you need procedures to deal with these.
For a false match you need to check the secondary biometric to arbitrate, so you need to move these people quickly to that reader, and through it without their thinking 'I am being accused of being a terrorist.' Failure to identify is trickier, because you need to decide on a procedure. If they fail to match up to an apparently working passport, they might also fail to match up to a network check, because you're comparing them to the same thing, right? So do you have a fraud, or do you have somebody with worn fingerprints? If the secondary biometric is iris, then you can check them with that and be pretty sure which, but can you trust facial to be used as a primary identifier? No, you can't, so you're either treating all of this category of exception as suspect, or you're making human decisions that will, as previously, not always hit the right target. Given that you will be able to check (unless the network is down) whether or not the passport, name and ID exists on the database, you can at least flag failures to read for future investigation. You might be able to avoid quite a bit of the above if you take a slightly different view of what it is you're looking for. Failure to match, or false non-match, can be expected to run at a fairly high rate if false alarm/false match is kept down to an acceptable level. The bulk of your failures to match will, actually, be false non-matches, i.e. people who really are on the database but who don't match up to it in this particular instance. And a terrorist is unlikely to want to chance it on the basis that they've got, say, a 5 per cent chance of getting through. So you ignore them all? Ah, but when word gets around, the bad guys and the multiple applicants will take steps to file down their fingerprints a little before they attempt entry, and your acceptable compromise starts to morph into a security hole. Which is why flagging failures is important.
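The base-rate arithmetic behind the false-alarm figure quoted earlier (over 1,000 a week at Heathrow on fingerprint alone) and the secondary "decider" biometric discussed above, as an added example that is not part of the original article. Only the 60 million passenger figure and the 1,000-a-week alarm level come from the text; the score distributions and the decider error rates are constructed assumptions.

```python
"""Base-rate model of watchlist screening with a secondary 'decider' biometric."""
from statistics import NormalDist

# From the article: Heathrow processed 60 million passengers in a year, and
# fingerprint alone was expected to raise over 1,000 false alarms a week.
PASSENGERS_PER_YEAR = 60_000_000
WEEKLY_TRAVELLERS = PASSENGERS_PER_YEAR / 52
QUOTED_WEEKLY_ALARMS = 1_000

# ASSUMPTION (constructed, not from the article): matcher scores are normally
# distributed; innocent travellers score around 0 against the watchlist and
# genuinely listed people around 5. Each traveller counts as one comparison.
IMPOSTOR_SCORES = NormalDist(mu=0.0, sigma=1.0)
GENUINE_SCORES = NormalDist(mu=5.0, sigma=1.5)


def error_rates(threshold):
    """Return (false match rate, false non-match rate) for a score threshold."""
    false_match = 1.0 - IMPOSTOR_SCORES.cdf(threshold)   # innocent flagged
    false_non_match = GENUINE_SCORES.cdf(threshold)      # listed person missed
    return false_match, false_non_match


def fingerprint_only(target_weekly_alarms):
    """Operating point at which fingerprint alone gives the target alarm count."""
    wanted_fmr = target_weekly_alarms / WEEKLY_TRAVELLERS
    threshold = IMPOSTOR_SCORES.inv_cdf(1.0 - wanted_fmr)
    fmr, fnmr = error_rates(threshold)
    return {
        "threshold": threshold,
        "weekly_false_alarms": fmr * WEEKLY_TRAVELLERS,
        "miss_rate": fnmr,
    }


def with_decider(primary, decider_fmr, decider_fnmr):
    """Apply a secondary biometric to every primary alarm (AND rule).

    An alarm stands only if the secondary also matches, so false alarms fall by
    the factor decider_fmr, but a real hit is lost whenever either biometric
    fails. Assumes the two biometrics err independently.
    """
    hit_rate = (1.0 - primary["miss_rate"]) * (1.0 - decider_fnmr)
    return {
        "weekly_false_alarms": primary["weekly_false_alarms"] * decider_fmr,
        "miss_rate": 1.0 - hit_rate,
    }


def compare_options():
    """Four operating points at or below the quoted alarm level."""
    baseline = fingerprint_only(QUOTED_WEEKLY_ALARMS)
    return {
        "fingerprint at quoted alarm level": baseline,
        # Same alarm count as the coin-flip decider, by raising the threshold.
        "fingerprint, stricter threshold": fingerprint_only(QUOTED_WEEKLY_ALARMS / 2),
        # ASSUMPTION: "50:50" read literally as a coin flip in both directions.
        "plus coin-flip decider": with_decider(baseline, 0.5, 0.5),
        # ASSUMPTION: hypothetical strong secondary; both error rates invented.
        "plus strong decider": with_decider(baseline, 0.001, 0.01),
    }


if __name__ == "__main__":
    for name, result in compare_options().items():
        print(f"{name:36s} alarms/week={result['weekly_false_alarms']:8.1f} "
              f"miss rate={result['miss_rate']:.3f}")
```

Under these assumed distributions, halving the alarms with a coin-flip decider costs far more missed hits than simply tightening the fingerprint threshold; a decider only pays for itself when its own error rates are low.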
The network check is obviously useful in cases of passport failure (NB it's an offence not to get it fixed once you know it's broken), but is dependent on the network being up and the response being swift. The Home Office appears to envisage a pretty high level of network checking, but it seems reasonable to doubt that this will happen in real life. Current UK passports first became machine-readable in 1988, but are seldom machine-read. Theoretically this could be used to check that the passport actually exists, that the bearer is not on a watchlist, and that it has not been notified lost or stolen - but possibly not in the latter case. The Passport Office announced a lost and stolen database in December 2003, so IND (the Immigration and Nationality Directorate) may only recently have been able to start looking. Similarly IND has also been working on an automated fingerprint system, intended to match fingers against the 350,000 fingerprints (a 2001 figure) it has on file, and a "warnings list" system. It also has a case information system developed by Siemens and called ACID Warehouse. Really. As we contemplate how effectively we're not using the systems we've had available for 15 years, we should consider the way we're currently not using it. In the EU citizen channel at the airport we'll probably have the picture page of our passport looked at and be nodded through. The introduction of machines will add a more time-consuming stage to this (failures in the queue will slow you up, even if you register first time) and more staff. The process will still need the staff on the desk looking you over, unless we're going to trust machine decision-making entirely as our front line. As non-UK passports won't work with the system, other EU citizens will now have to have their own channel, faster than the UK one, or be sent to the Channel of Death, where we send everybody else. But if they are they'll complain to Brussels, and we'll be told to stoppit. 
There are actually strict EU limits on what immigration is allowed to ask the local citizenry - did you know this? "As a result of judgements in the European Court of Justice (ECJ), an immigration officer may not require an EEA national to answer questions regarding the purpose and duration of his journey and the financial means available to him. Examination should be restricted to the occasional discretionary warnings index check. Questions may only be directed at establishing whether the person's admission to the United Kingdom would result in a threat to public policy, or public security or public health." (Source: IND general guidance document. Get lippy at your own risk and don't blame us.)

Many difficult questions will arise at the airport, where conditions will be just about as optimum as they can get. But what about elsewhere, what about the ferryport? At busy ones, the increasing size of the ferries can produce longish unloading queues already, and mostly all that happens is that drivers holding a clutch of things that looks like approximately the right number of the right documents are waved through. So where do we put the reader? And where do we put the holding area where all the passengers get out of the car, deliver their print and get back in? Where do we put the tailback (quick, there's another three ferryloads coming in)? Nightmare. Monitoring departures is actually harder, because typically the passport check is conducted by the ferry staff, and there's a non-secure holding area beyond this where passengers could be switched. We can all look forward to hearing how the government's going to figure this one out without bankrupting all the ferry companies.

The Police

The draft is quite specific that it will not be compulsory to carry an ID card, nor will it be permissible for the police to demand to see your card.
But in the case of the driving licence (which will morph into an ID card) you'll still have to report to a police station to show it within seven days, and the consultation document tells us that "people will be able to have their biometrics checked against the Register even in the absence of a card on a voluntary basis in order to establish their identity if, for example, they are stopped by the police." To grasp the full import of this peculiarly British situation, we need to think a little about the powers the police already have, and the way they use them. They can't ask you for ID, but they can seek to establish your identity if they arrest you, and they can arrest you on grounds of reasonable suspicion. Questioning their reasonableness at this juncture is usually not constructive, although you may consider risking a polite indication that you are aware of the relevant laws. Also, their powers of stop and search have been reintroduced via several anti-terrorist measures, and these have been so widely deployed against demonstrators that even David Blunkett has expressed concern. Effectively though, if they want to find out who you are, they have the means to do so, and if they've arrested you, they have the means to find out who you are. But they actually only want to know who you are in pretty specific circumstances. There are those where their reasonable suspicion is actually pretty reasonable, and there are more heavy-handed and wider-ranging checks of, say, protesters at an arms fair. But bitter experience from the 80s means that they avoid stop and search operations that would be interpreted as ethnically targeted and that might trigger unfortunate riot-style situations.
So the police are not going to voluntarily implement intensive ID checking in areas of high immigrant population, and the kind of gains that could be made (if you call lots more illegals caught plus lots of bits of London ablaze, gains) by pass-law style implementation of ID won't happen. News that senior police officers support a compulsory ID card is about as surprising as news that they've got fast cars with groovy flashing lights. But in operation the card is most likely to be an administrative convenience to them, used to provide a more reliable ID in circumstances where they're seeking to establish it. If the ID's present they can rely more on it being genuine, and if it's not they can establish ID quickly by checking against the database. This will, as at present, leave them with those with invalid ID, but the process should be faster. It'll also allow them to check immigration status and right to work, as these will be on the database even if they're not on the face of the card, so it speeds their processing here, if it's illegal immigrants they're looking for. How, though, do they do the biometric reading? The Home Office appears to envisage the use of mobile readers, but it's doubtful that these will prove reliable enough for use in some kind of networked handheld configuration, and they don't seem particularly compelling from the police point of view. A "reasonable suspicion" candidate with no ID card can be sent down to the station for checking, and one producing an ID card can be identified on the basis that the card is probably genuine and the bearer looks like the picture. If they're concerned about immigration status then a query based on the unique number can be made - biometric check is unnecessary. Nor are there any obvious scenarios where the existence of ID cards will reduce crime. If the police don't know who did it, then the ID card is no use. If they do, then the ID card is merely an administrative advantage.
Sure, they know where you live, but so long as you know they know this, you're not there, right?

'What was that you said about them knowing where I live?'

Ah yes, this takes us on to the National Identity Register, referred to largely in the documentation as "the Register." For the record, we are The Register, and you should therefore not worry about sentences like: "Clause 29 makes it an offence for any person to disclose information from the Register without lawful authority." Makes it damnable to write about though.

The ID Register will hold data as specified in schedule 1 of the draft bill. This is:

personal information - names, date and place of birth, gender, address;
identifying information - photograph, fingerprint, other biometric information;
residential status - nationality, entitlement to remain, terms and conditions of that entitlement;
personal reference numbers - National Identity Registration Number and other government issued numbers, and validity periods of related documents;
record history - historical information previously recorded, audit trail of changes and date of death;
registration history - dates of application, changes to information, dates of confirmation, information regarding other ID cards already issued, details of counter-signatures;
validation information - information provided by any application, modification, confirmation or issue and other steps taken in connection with an application or entry, details of any requirement to surrender;
security information - personal identification numbers, password or other codes, and questions and answers that could be used to identify a person seeking access;
access records - the audit trail of accesses to the entry.
Not listed in schedule 1, but listed elsewhere in the documentation as being held by the Register, we have PIN, passport validation information, background evidence or document checks carried out to confirm status, details of non-UK ID (including foreign passports), and information (including biometrics, where available) of unsuccessful applications. Other categories can be added by the home secretary, and information can be added at the request of the holder, provided the home secretary agrees. Blood type and organ donor status are suggested examples of these, but this is slightly potty, given that in both cases you want the information to be immediately obvious to the medics, not dependent on them shoving your card into a reader first. So we can file that with the other feeble attempts to make the card popular. We can draw a number of conclusions from the information that's intended to be on the Register. The presence of "other government issued numbers" means that they can use the ID system to consolidate and weed the NHS and National Insurance systems as they add numbers. This will ultimately make it simpler to associate services with ID, without approval or cooperation of the operators of these services. PIN is interesting, because it could conceivably provide a mechanism for you to use your national ID over the Internet. "In an increasingly technologically complex and global [sic - as opposed to, say, 'stubbornly oblong?'] world, correct identification has become critically important, and we want to ensure that UK citizens are properly protected and equipped to deal with this emerging world," Blunkett tells us.
Unhappily, there is scant sign in the draft bill that they've actually twigged that fingerprints aren't going to be a whole heap of use when you're sitting in front of your screen (anybody who says 'personal reader', see me after class), and the odd mention of PIN is the only sign that there might be something there that they'll get to when they've time to think about anything beyond biometrics. Other listed information is, you'll note, heavily weighted towards immigration control. Clearly, the intention is to have a great deal of data on anybody who isn't a UK citizen from birth. Please yourself as to whether or not you feel this is too much information about you for the government to hold - a commissioner will be appointed to make sure the data is not abused, but actually that's not the half of it. Consider what it doesn't include, things like credit status or whether the security services are after you. Obviously if you're a wanted criminal or terrorist trying to flee the country, police and immigration are going to have you on their list (actually this isn't obvious at all, but they obviously should have you on it) in order to nick you when you hit the border check. So actually they'll have their own database which will interact with the ID Register. Similarly, a bank checking up on you is going to be checking credit rating, homeowner status, county court judgments etc, so will have its own external database and links to other external databases. It will likely prove useful to the bank to consult the Register to confirm you exist and where you live, and it's perfectly conceivable that the unique ID will therefore move out of the Register and into the world in general as a handy, well, unique identifier. So the government reps telling you there's not much in the database and there's a commissioner to mind it, so that's OK, are being really thick, in a 'don't know much about databases' sort of way. 
They are, without clearly grasping it, proposing the ID Register as the focus around which an ever-increasing number of personal information databases revolve. They've set themselves a non-trivial task in keeping all of the specified information in the Register accurate and up to date, and the freeform nature of "information relating to an application or entry" will be a particular problem, because it should really be in another kind of database. Indeed, the amount of immigration-related data in the Register makes it look more like an immigration database than a general population register. Granted, the Home Office may be taking the view that the data should be there because it is needed by multiple agencies, but that's the case for much police and social services data too. If these (where they actually exist fully) can be external, why not immigration? From the subject's perspective, of course, it doesn't matter whether the database is elegantly conceived and designed; what matters to subjects is the extent to which it enables the collation, use and abuse of data on them. By pitching the ID card as "watertight proof of identity for use in daily transactions and travel" the Home Office is essentially begging for the satellite databases to be produced. So, small piece of government control-freakery possibly under the commissioner's control, potential hordes of escaped privacy monsters enabled by said small database.

Security and usability

We can't comment on the security of the system at this juncture, but we can run down its sins against security good practice fairly readily. Experts who've given evidence to the Home Affairs Committee ID card enquiry so far have tended to fall into two camps on the scheme. The critics argue that placing all your eggs in one basket is stupid, while the apologists/supporters say that in principle the system can be made secure. If you're not immediately with the critics on this one, consider how the apologists react when pressed.
They accept that by placing a great deal of reliance on one card, ID, database or whatever you are inevitably increasing the stakes, but say that in principle the system can be made to function, and can be secure. Pressed further they then concede that we can never guarantee anything 100 per cent. Security experts would be largely with the critics on this one - single points of failure are bad. The proposed ID system, however, has numerous of these, at least conceptually. If you actually need your ID card as the pivotal ID around which your life revolves, allowing you to use government services, financial services, buy stuff, then you're snookered if it breaks. Or if the network breaks. Or the Register. We also need to be concerned about what happens if the card (or the ID without the card) is stolen or compromised. Now, in principle this ought to be impossible or very hard, because the system is dependent on your particular biometric signature. But we've already noted government suggestions of areas where this would not be read, and we've suggested that not checking the biometric or not checking against the central database will be fairly common. So the theft value of the card will depend on how much of value can be obtained using it without tripping a strong biometric check. The more it is used for daily transactions, the higher this value will be. David Blunkett has claimed the system "will make identity theft and multiple identity impossible, not nearly impossible, impossible." Clearly this is untrue, but we need to assess the extent of its untruthfulness; aside from situations where ID theft is enabled by the security systems not actually being used, what about the possibility of the card, or the system, being compromised? Currently it is clearly harder to forge a biometric passport than it is a conventional one, but as biometric passports do not yet exist, why should forgers try to forge one? 
How much of the difficulty is because of it actually being harder, as opposed to there not having been any motivation for anybody to develop the skills yet? Clearly we can't yet be sure, but you can see the likely dangers. Traditional avenues such as switching the picture and changing the details may still be viable (although surely a bit more complicated) in instances where the biometric isn't read, and altering the biometric itself (clearly harder until it's cracked - then it's easy) could be useful if there's no network check, or depending on the procedures implemented around that check (see Passport Control, above). And there's also the job of making sure any invisible data tallies up - but never say never, it's at least as theoretically possible as the system is theoretically invulnerable, and if it is cracked, the Home Office has a very expensive security update rollout on its hands. The alternative to this is a more distributed, defence-in-depth, horses-for-courses approach where you use different strengths of ID, different cards and different systems where appropriate. A mugshot and a bearer who looks like she might be 12 is enough for a child's weekly season ticket, surely, while (despite howls to the contrary about identity fraud) a piece of plastic and a PIN is good enough to get a bank to give you money. Would the banks like a 100 per cent secure system? Certainly. Will the banks accept a system that eliminates fraud while turning away significant numbers of genuine customers? Not a chance. What they've got now is their current best compromise, and the ID system is not going to change that. Similarly, although the state of the NHS and National Insurance ID systems is lamentable, that is not entirely caused by the UK public sector being historically crap at implementing IT projects. It is in no small measure due to the fact that it really doesn't matter much. 
Certainly there's a fraud component in there, but it's an acceptable one from the point of view of the particular system, otherwise the system would have reacted by doing something about it. A rational estimate of the annual cost of 'health tourism', for example, is £200 million out of a total budget of £70 billion. From the system's point of view there is absolutely no point in it diverting resources from its primary objectives in order to tackle a problem that small. Other government ID systems can be positioned at different points along the scale. National Insurance should obviously be concerned about the use of fraudulently obtained numbers to get benefits, but hasn't a great deal of reason to worry about the status of a user provided they're working and paying in the money. Inland Revenue has more reason to be concerned about tying the number to real people in order to avoid tax frauds, and so on. There are varying levels of need in terms of identification, and it doesn't necessarily make sense to try to fulfill them all by attempting to devise a single, bulletproof ID system. And in the case of benefit fraud, although the Department of Work and Pensions has estimated total losses at £2 billion, or £7 billion, or vast numbers in between, it confesses it reckons ID-related benefit fraud amounts to a whole £50 million.

What will you pay? No, really pay?

David Blunkett has recently been pushing a contorted piece of reasoning whereby he establishes that the cost of an ID card is in fact £4, rather than the large sums he will be charging. This implausible pitch hinges on the claim that most of the money would have to be spent in order to modernise the passport system anyway, but it kind of misses the point even if you were to accept that. If it is the state as a whole that requires something, then it is the state as a whole that pays, and the money comes back through general taxation, right?
Chancellor Gordon Brown refused to pay for it out of general taxation, as he does regarding much else, but if it had been an absolute necessity, then he couldn't have refused. Kick and scream for a long time, yes, but refuse, no. So one has one's doubts, and if one counter-argues that it's really the people travelling and driving who need the modernisations and should therefore pay, one still has to explain the others. The people who currently have to pay absolutely nothing for an ID card because they don't need to have one will have to pay their £4 in the form of a £35 payment in order to get an ID card. Of course, it's not compulsory. Until it is. And we could point to the essential weirdness of arriving at a situation where everybody in the country has to pay individually for something they have no choice but to buy. Isn't that a tax? And if it's not, then what's the point of taxes? Couldn't we just abolish them all and pay for everything by name? This hypothecation madness is however more properly a matter for New Labour's conscience than it is for The Register (capital T, emphasis), so we'll move on to the £3.1 billion. You can, with the aid of the tried and tested UK government IT project algorithm, double this and add ten per cent for luck. Some people already have, and we wouldn't put money on them being wrong. But what you cannot do is say why it will cost £3.1 billion (or at least £3.1 billion, if you insist). The Home Office has been solemnly saying 3.1 for months now, but has not said how it arrived at this figure. This makes it remarkably difficult to assess whether it's going to be money well spent or not.
As Ross Anderson said (along with much else worth reading (http://www.publications.parliament.uk/pa/cm200304/cmselect/cmhaff/uc130-iv/u...)) in his evidence to the Home Affairs Committee, "If the thing remains covered by Official Secrets to the point that even Parliament does not know which path the Home Office is intending to take, then that is bad news." We now have an indication of the path the Home Office intends to take, but we do not have cost breakdowns and we have not been presented with alternatives, ranging from simple modernisation of the passport system up to universal ID megaproject, with relevant estimates. We are supposed to be being consulted, but we have not been given sufficient justification for the rejection of the lesser options to be able to make an informed judgment on the adoption of the maximalist one. It's difficult to conceive that any system at the minimal end of the scale could possibly cost as much as £3.1 billion. If it's the case that passports need to be upgraded in order to conform to the US requirement for ICAO standard biometrics, then it is simply necessary that it have a facial biometric. Although the European Commission envisages the harmonisation of ID documents in the EU using biometrics, and intends fingerprint to fulfill the main role here, it has not ordered the introduction of ID cards where they don't exist. Nor need fingerprints be on passports, visa and ID documents for third country nationals immediately. Says the Commission: "...it could be considered that in their implementation Member States should have more flexibility. The facial image should be introduced as the first biometric identifier for reasons of interoperability. The introduction of the compulsory fingerprints need not necessarily happen at the same time, as it has not been decided whether the VIS [Visa Information System] will include biometric data from its very beginning."
So if the Commission's drive for a "coherent approach" stands, then we will have facial biometric and fingerprint on passports, but we don't have to put both of them in yet. We could anticipate the Commission in order to save expenditure on future revisions, but we could possibly do as Canada has so far - leave space for the print, pending a final decision and/or (in Canada's case) a satisfactory agreement with the US. So what would this cost? You would have to allow for the new passport production processes, and you'd need to spend money on sufficient biometric reader systems to support passport applications. The total would most certainly not be £3.1 billion. But ah, you say, you'd also need the readers at entry and exit points, the central database and the network connecting it all. This is quite possibly the conclusion the Home Office has jumped to, but it ain't necessarily the right conclusion. The equipment you need is determined by what it is that you propose to do with the system. The current requirement is for passports with a facial biometric, but there is no requirement for you to actually read that biometric. And actually, those countries which intend to read facial biometrics with a view to learning something useful from them will give up fairly swiftly, for reasons explained above; the United States' current collection of mugshots at entry points speaks of some kind of cryogenic mindset, collecting the database in the hope that scientific advancement will eventually cure it. Here, we could perfectly well have toed the ICAO line by including facial and just carrying on identifying people by looking at the picture. We could certainly (and being us, we surely would) keep the biometric data on a central database for reference, but there's absolutely no need for us to actually access this database from checking points.
We could, perfectly validly, view the biometric simply as a strengthening of the integrity of the document, and use a combination of visual appearance, supporting information and common sense to tie the bearer to the document. This is not as strong as the theoretical strength of the £3.1 billion system we're not sure will actually work, but it's considerably stronger than what we have, and could be seen as a highly cost-effective reform of the passport system. And, as various scenarios put forward above indicate, it is via the strengthening of the document that the bulk of the general gains of the system can be achieved. Some countries, incidentally, take this position to the extent that they throw away the biometric after it's been included in the document. The biometric in the document ties the individual to the document, so you don't need to store the biometric any more, right?

Summary

So, what have we got? We have an overall strengthening of the integrity of ID documents in the UK, and in the case of the passport this is an important gain, primarily from an immigration point of view, but also in situations where a passport would be used to establish ID (e.g. banking). The major gain is to be made simply via the document, and does not hinge on an ability to check with a central database. A local check of biometric against document could strengthen the ID further, but in most cases this shouldn't be necessary - looks like person, probably is person, sure passport isn't forged, pass, person. ID-related health and benefit fraud are not sufficiently extensive for them to justify a universal rollout of ID cards. The existence of a single, solid database of people in the UK could prove useful in tidying up National Insurance, NHS and tax records, but that single database will not even begin to exist until 2013, and these record systems do not need the strength of ID proposed by the Home Office in order to function.
Yes, they need tidying up and weeding, but they could at least as well be tidied up by other means - and the tidying ought to start a bit sooner than in ten years' time. For the security services, the ID scheme is largely an administrative convenience. It will not of itself help catch criminals or terrorists, nor will it help significantly in finding them. As and when the hypothetical ring of steel exists, checking all UK ID as it comes in and out of the country, then the security services will have (theoretically - depends on how good they are at sharing) a record of a suspect with UK ID entering or leaving the country. But if it's someone they seriously suspect they've got that already, check? And they've been known to track them all the way through Spain to Gibraltar, too...

The other agenda

As you were so rightly thinking, we missed one in the summary - immigration. This however fits better as the primary driver of the other agenda, the one that isn't in the draft and the consultation documentation, but that is slowly beginning to be spilled out in interviews and Committee evidence. We don't propose to pass an opinion on who started it, but the public, the Daily Mail, the Government and the Home Office are now whipping each other up into some kind of circular frenzy about immigration. And the buck stops at Blunkett's Home Office. A brief, but by no means comprehensive, list of Blunkett's headaches here will be useful. He has large numbers of asylum applicants to be processed and supported while they await processing. He has overloaded application systems at embassies throughout the world, overloaded processing systems in the UK, scandals caused by people shorting out the processing systems in order to deal with the backlog. He has asylum seekers who've been rejected and overstayers in the country somewhere, he doesn't know where. He has people applying again and again until they get in (no, he doesn't know how many, otherwise they wouldn't, right?).
And he has people-trafficking. This is widely perceived as a huge issue, but actually the numbers are estimated by the police as quite small, the main illegal immigration problem being assisted entry, where a passport is sent out of the country, altered, comes back with the illegal immigrant, and is then sent out once more. We barely scratch the surface, but you can understand why Blunkett might just be the teensiest bit tetchy. He needs a magic bullet to fix all of this, and the ID card is it. But how does it fix it? We're really better off looking at how he thinks it will fix it. In recent statements Blunkett has pinned a great deal of hope on his knowing who's coming in, who's going out and who's here. To the Home Affairs Committee on 4th May, for example, he said he would be aware of "who is coming in and out, those who are resident, and those who are engaged in activities around terrorism." Note that he's aware of the latter already, and that this awareness has nothing to do with the existence or non-existence of an ID card system - it's a security services surveillance matter. The broader importance is the faith he's putting in a complete and accurate audit of the UK population, and his most pressing motivation for wanting this is immigration. If for a moment we just pretend he's actually going to get this, we can see how at least some of the immigration headaches get nailed. It doesn't help with the application overload, because we still have to create an ID for new applicants (even the ones we turn down straight away). It should get the lid on multiple applications, because we'll catch the matching biometrics. It should seriously impede assisted entry, provided it turns out the passport can't be altered, and it could have a similar effect on forgeries. Eventually, granted that knowing who's coming in and out actually works, it should reduce the number of people who're in the UK somewhere, but who can't be found and thrown out. 
They will die off or find some way of legitimising themselves. Blunkett himself concedes that it will be possible to establish a false ID, but then you'll be stuck with it for the rest of your life. Which would probably be fine from the point of view of an illegal immigrant in the UK. And there are all sorts of people who'd find having just the one strong British ID in addition to any others they have quite handy. One could even toy with the notion of Osama bin Laden having one in order to draw disablement benefit while he's holed up in some Afghan cave. He'd only do it the once and then he'd be stuck with it though, so that's OK by David. Blunkett's dream of 100 per cent knowledge of what's in the UK is however marred by exceptions. He can't insist on 100 per cent before compulsion comes in, and once it does arrive, the pool will continue to be muddied by people coming in on short stays (no ID registration required) then vanishing. The 'unpeople' who're already here aren't likely to turn themselves in, and someone with no legitimate ID is clearly not someone who's going to arrive at the police station to show ID within seven days. So how do you nick them? Well, you can do it via mechanisms the Home Office has specifically ruled out - making carrying ID compulsory, ethnically targeted stop and searches and the like, but we've ruled all that out, haven't we? So what it hinges on is the card really becoming the "key" to life in the UK, used "in daily transactions and travel." The more widespread its use, the more checkpoints there will be, and the fewer aspects of daily life that will be available to you without your using the card. It is currently possible to exist in the UK without a valid identity, but the more checkpoints there are, the narrower the options of the ID-less will be. So it's not just desirable from the Home Office's point of view that the British public love and use the card, it's absolutely vital. If they don't, the whole thing doesn't work.
So do you want this?

It's a system that won't achieve most of its objectives, and those it will achieve will be achieved via massive overdesign (secure passport system? Here, take this networked database and personal information register to go with it). You get a personal ID card you don't need. You pay vastly more than you need to for the ID documents you do need. It only addresses the immigration problem (most of the British public sees immigration as a problem) if you pretend to love it and use it all the time, in all sorts of areas where you don't need it and it's inappropriate. And you get the free centralised database of your personal information anyway, providing a locus for any number of government and private databases of your personal information. Don't worry you've nothing to hide - even from your bank, other banks, loan sharks and double glazing salespeople, right? It costs £3.1 billion for all this cool stuff. At least. Go and tell the Home Office how much you support it, you've got until the 20th July, and you'll find a link to the consultation document below. If you happen to agree with any of this article, paraphrase it, don't just copy it. If you do they'll just mark you down as a petition signer and disenfranchise you, like they did with the Stand objectors in the previous "consultation." Consultation input should be sent to Robin Woodland, Legislation Consultant, Identity Cards Programme, Home Office, 3rd Floor, Allington Towers, 19 Allington Street, London SW1E 5EB. They can be faxed to +44 (0)20 7035 5386 or emailed to identitycards@homeoffice.gsi.gov.uk, with 'consultation response' in the subject line. All of this information is prominently displayed on page 42 of the consultation document.
Related stories:

Draft bill and consultation (http://www.homeoffice.gov.uk/docs3/identitycardsconsult.pdf)
Glitches in ID card kit frustrate Blunkett's pod people (http://www.theregister.co.uk/2004/05/05/id_pilot_glitches/)
UK public wants ID cards, and thinks we'll screw up the IT (http://www.theregister.co.uk/2004/04/22/id_cards/)
Fingerprints as ID - good, bad, ugly? (http://www.theregister.co.uk/2004/04/19/biometrics/)
ID cards: a guide for technically-challenged PMs (http://www.theregister.co.uk/2004/04/05/uk_id_cards/)

© Copyright 2004

--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'