Everything you never wanted to know about the UK ID card

R. A. Hettinga rah at shipwright.com
Wed May 5 15:55:23 PDT 2004


<http://www.theregister.co.uk/2004/05/05/complete_idcard_guide/print.html>

The Register



 Original URL: http://www.theregister.co.uk/2004/05/05/complete_idcard_guide/

Everything you never wanted to know about the UK ID card
By John Lettice (john.lettice at theregister.co.uk)
Published Wednesday 5th May 2004 20:47 GMT

A pub bore's guide Do you know how the UK's projected compulsory ID card
will work, and what it will entail? If you do, you're significantly in
advance of David Blunkett and the Home Office, because although a draft
bill and consultation document was published at the end of April, these
really only provide signposts to what the powers that be would like it to
be able to do, and a little bit of evidence as to how they might propose to
get it to do these things. But we're considerably further on in terms of
information than we were before the draft, and it's not likely to get much
better by the time the consultation period ends. So, as our small
contribution to the democratic process, we present The Register Idiot's
Guide to the UK ID Card.

What do you get, when? There will be a "family" of ID documents that will
be phased in, beginning with passports. These will start to appear in three
years, at which point it will not be possible to get an old style
non-biometric passport. The system's non-compulsory nature therefore hinges
on your not actually wanting a passport any more - otherwise you have to
give the Passport Office the £73 for the new one. Rollout periods for other
members of the family are not covered in the draft bill, but as these are
introduced, the old version will similarly cease to exist. Proud owners of
old-style perpetual paper UK driving licences, already smug because they
don't have to cough up to renew the existing picture licence, can be even
smugger. Until such time as Blunkett hunts us all down. The new ten year
biometric driving licence will cost around £69, says the Home Office (what
do they mean "around"? £68.99?) and the new ten year ID card £35. Which, if
they don't get feature-consolidated pretty quickly, is an impressive outlay
every ten years. 80 per cent penetration for the new ID is intended to be
achieved by 2013. The draft bill includes power to set a date for the card
becoming compulsory, but this will not happen until after "the initial
stage of the identity card scheme was in place and following a vote in both
Houses of Parliament on a detailed report which sets out all the reasons
for the proposed move to compulsion." Correct - that does not specify a
date.

The ID document will contain a picture, one or more pieces of biometric ID,
and a unique number which will identify you on the central database. The
documentation at the moment only talks about what is likely to be visible
on the document, with name and date of birth being put forward as the bare
minimum. But it is more specific about the information that will be
recorded in the database (see below). The Home Office suggests more visible
information: "name, age, validity dates, whether a person has a right to
work, and an unique number". There you go, feature-creep already. The
biometric can be used to tie a specific individual to the ID document, and
to look up an individual and identify them from the database. In that case,
you theoretically don't need the document to identify someone in the first
place, and the Home Office (and Blunkett) do airily suggest that people
might want to have a database check performed on themselves in order to
establish their identity. But as we explain below, this really is not
something it's smart for them to be pinning too much hope on.

Which biometric? For reasons explained here,
(http://www.theregister.co.uk/2004/04/19/biometrics/) previous Home Office
studies fix on fingerprint as the best combination of identifier and
practicality, but recommend a second biometric to be used as a decider in
order to bring false alarms down to a more acceptable level (using
fingerprint alone with a reasonable trade-off between false alarms and
failed matches, Heathrow would generate in excess of 1,000 false alarms a
week). The choice of the second biometric isn't so obvious. Iris is in
principle a more effective ID biometric than fingerprint, but you need
optimum positioning, lighting etc, so it's not so good for widespread
deployment or fast throughput in an immigration queue.

Facial recognition currently doesn't cut it for mass ID purposes, but might
just work as a 50:50 'decider throw' secondary biometric for use at entry
points. But the big thing it has going for it is that it's been adopted by
ICAO (the International Civil Aviation Authority) as the next step for
machine-readable passports. So unless ICAO is persuaded to change its mind,
it's coming in passports anyway. ICAO's decision, by the way, seems to have
been made on the basis that face had a higher "compatibility" rating than
fingerprint or iris. By this, they appear to mean that because
passport-based identity currently leans heavily on the picture, it makes
sense to carry on using the picture (Yes, we know - don't tell us, tell
ICAO).

So although the Home Office has kicked off a 10,000 volunteer trial of the
three technologies, fingerprint seems the racing certainty for primary
biometric, with facial a strong contender for the secondary. The Home
Office no doubt has its own reasons for thinking the trial will tell it
something useful, but as the target population is over 60 million (us, plus
all the people we're looking for and have data on), and the British Airport
Authority airports processed 134 million passengers last year (Heathrow 60
million, Gatwick 30 million), you could reasonably doubt that it will learn
much of value applicable to very large throughputs and databases.

Issues associated with the deployment of the secondary biometric readers
(cost, location, environment) could well lead to their not being used
outside of entry points and major installations, which might mean
non-passport ID would use only the fingerprint. Other differences are
likely to creep in; for example, the Home Office appears to be willing to
allow veiled pictures for moslem women in ID, but the draft documentation
reiterates current passport office guidelines, which amount to 'headscarf
OK, veil bad'. So unless somebody's got it wrong, different strengths of ID
are already creeping in, and any dreams you had about a single, do-anything
document are way, way in the future. The Home Office's suggestion of three
different levels of checking (see below), by the way, makes it clear that
it in some senses accepts the view that you should use different strengths
of security in different situations. But philosophically this doesn't
entirely match with its pitching the cards as a single, high-strength
security device.

How will it work? That depends. The basic link is between you and the
document, and this can be readily established by using a machine that
checks you against the biometrics in the document. This is essentially a
local check which depends on the document being valid and untampered with
in the first place, but the introduction of biometrics in the document
should make it significantly harder to produce forgeries, so we can expect
a substantial initial increase in confidence in the piece of ID produced,
even if we are simply looking at the picture and not bothering with the
biometrics.

Which is A Good Thing, because it's difficult to conceive of biometric
readers being either welcome or likely to stay in usable nick for long at
point of sale, doctor's surgery, council offices, etc. The Home Office
suggests three likely levels of check for non-government purposes.
Retailers would check the photo, banks etc would check the biometric and
verify it against the database, and employers would check immigration
status "via an automated telephone check." These suggestions most likely
derive from the Home Office's doomed quest to make us love and demand ID
cards, and on a voluntary basis are unlikely to become widespread.

How often do you get asked for ID to back up your credit card? So why
should shops want the new passport when they don't want the old passport?
Banks do need to make pretty strict checks covering identity and place of
residence when you open a bank account, but their existing systems work,
and they won't jump into a new and unproven system which, from their point
of view, brings little to the table, lightly. Plus they're already reading
entirely different kinds of cards. And employee checks? Here comes the
stick. Employers don't at the moment have to check immigration status when
they hire someone, so why would they? Indeed, why would they care? But
under the provisions of the Asylum and Immigration Act 1996 the secretary
of state can make orders requiring eligibility checks by employers. This
will be considered "closer to the date of implementation" of the ID card
scheme.

The Home Office, bless 'em, pitches ID cards as the "key to the UK's
future", and witters (in the press release)
(http://www.homeoffice.gov.uk/n_story.asp?item_id=918) that "crucially, the
cards will help people to live their lives more easily, giving them a
watertight proof of identity for use in daily transactions and travel." So
it's clear they want all of your personal transactions to be underpinned by
the national unique ID, but we've already seen that the private sector is
unlikely to be keen. Not only that, it's more likely to be actively
hostile. Banks and credit card companies do not want to make their systems
dependent on a database they're not in control of, and no matter how much
you want all of your credit cards on one piece of plastic (which is a bad
idea anyway, trust us), they ain't going to give you it. They really are
not going to help the government in its efforts to make the ID card
popular. Really.

Moving on from low level and relatively rare operation in the private
sector, we get to the government and public sector. There will, as we've
already suggested, be considerable resistance to the use of readers and the
checking of cards in areas of the public sector, but this will be neither
here nor there from the point of view of you, the user. Think about it: not
that many of the public services you're likely to be using will be
available if you don't establish an ID as part of the process, and you go
onto a record as a part of that process. So doctors can be as precious as
they like about not checking your ID card, but will still put you onto a
list which can and will be checked against the ID register, and if it's not
on there, consequences will ensue. As the system matures and increasingly
interacts with other public sector ID systems, it will inevitably engulf
the whole of the public sector, and it doesn't need support for this to
happen.

The arms of government that obviously do want to embrace the system are
passports and immigration, and the police. It will most obviously sing and
dance at the arrivals terminal, so it's worth at this point taking a small
detour so that we understand that the singing and the dancing here will by
no means be automatic.

Passport Control We've already established that a biometric will be used to
tie the bearer to the document, and that we can use a secondary biometric
to deal with disputes, and a network check in addition to this. But rewind
- how, physically, are we handling this?

We need to have a reader that will take the biometric from the passport and
compare it to a handprint (we'll assume we're doing fingers, OK?) which
will probably be produced by placing one hand firmly on a flat surface. So
we need the people coming in to understand what they're supposed to do and
get it right, and we need to deal with failures to read the passport, and
we need to intercept jokers, terrorists and our slower brethren who might
be using false hands, cunning fingerprint gloves, or even just the wrong
hand. We need an attendant combining a nice and a nasty attitude as
appropriate to get them through, or whisk them off to another stage in the
process where complete failures to read are checked more thoroughly. Maybe
you get your terrorists in there, and you'll certainly get some immigration
'issues' but mostly you're likely to net perfectly innocent UK citizens
whose fingers are worn/dirty or whose passports are bust. So you're
detaining people you wouldn't have detained under the current system, and
you need to undetain them pretty fast if you don't want unpleasant
headlines about dud government IT systems in the press.

Aside from reading failures and hardware failures, you'll have false
matches and failures to identify, and you need procedures to deal with
these. For a false match you need to check the secondary biometric to
arbitrate, so you need to move these people quickly to that reader, and
through it without their thinking 'I am being accused of being a
terrorist.' Failure to identify is trickier, because you need to decide on
a procedure. If they fail to match up to an apparently working passport,
they might also fail to match up to a network check, because you're
comparing them to the same thing, right? So do you have a fraud, or do you
have somebody with worn fingerprints? If the secondary biometric is iris,
then you can check them with that and be pretty sure which, but can you
trust facial to be used as a primary identifier? No, you can't, so
you're either treating all of this category of exception as suspect, or
you're making human decisions that will, as previously, not always hit the
right target. Given that you will be able to check (unless the network is
down) whether or not the passport, name and ID exists on the database, you
can at least flag failures to read for future investigation.

You might be able to avoid quite a bit of the above if you take a slightly
different view of what it is you're looking for. Failure to match, or false
non-match, can be expected to run at a fairly high rate if false
alarm/false match is kept down to an acceptable level. The bulk of your
failures to match will, actually, be false non-matches, i.e. people who
really are on the database but who don't match up to it in this particular
instance. And a terrorist is unlikely to want to chance it on the basis
that they've got, say a 5 per cent chance of getting through. So you ignore
them all? Ah, but when word gets around, the bad guys and the multiple
applicants will take steps to file down their fingerprints a little before
they attempt entry, and your acceptable compromise starts to morph into a
security hole. Which is why flagging failures is important.

The network check is obviously useful in cases of passport failure (NB it's
an offence not to get it fixed once you know it's broken), but is dependent
on the network being up and the response being swift. The Home Office
appears to envisage a pretty high level of network checking, but it seems
reasonable to doubt that this will happen in real life. Current UK
passports first became machine-readable in 1988, but are seldom
machine-read. Theoretically this could be used to check that the passport
actually exists, that the bearer is not on a watchlist, and that it has not
been notified lost or stolen - but possibly not in the latter case. The
Passport Office announced a lost and stolen database in December 2003, so
IND (the Immigration and Nationality Directorate) may only recently have
been able to start looking.

Similarly IND has also been working on an automated fingerprint system,
intended to match fingers against the 350,000 fingerprints (a 2001 figure)
it has on file, and a "warnings list" system. It also has a case
information system developed by Siemens and called ACID Warehouse. Really.

As we contemplate how effectively we're not using the systems we've had
available for 15 years, we should consider the way we're currently not
using it. In the EU citizen channel at the airport we'll probably have the
picture page of our passport looked at and be nodded through. The
introduction of machines will add a more time-consuming stage to this
(failures in the queue will slow you up, even if you register first time)
and more staff. The process will still need the staff on the desk looking
you over, unless we're going to trust machine decision-making entirely as
our front line. As non-UK passports won't work with the system, other EU
citizens will now have to have their own channel, faster than the UK one,
or be sent to the Channel of Death, where we send everybody else. But if
they are they'll complain to Brussels, and we'll be told to stoppit. There
are actually strict EU limits on what immigration is allowed to ask the
local citizenry - did you know this? "As a result of judgements in the
European Court of Justice (ECJ), an immigration officer may not require an
EEA national to answer questions regarding the purpose and duration of his
journey and the financial means available to him. Examination should be
restricted to the occasional discretionary warnings index check. Questions
may only be directed at establishing whether the person's admission to the
United Kingdom would result in a threat to public policy, or public
security or public health." (Source: IND general guidance document. Get
lippy at your own risk and don't blame us.)

Many difficult questions will arise at the airport, where conditions will
be just about as optimum as they can get. But what about elsewhere, what
about the ferryport? At busy ones, the increasing size of the ferries can
produce longish unloading queues already, and mostly all that happens is
that drivers holding a clutch of things that looks like approximately the
right number of the right documents are waved through. So where do we put
the reader? And where do we put the holding area where all the passengers
get out of the car, deliver their print and get back in? Where do we put
the tailback (quick, there's another three ferryloads coming in)?
Nightmare. Monitoring departures is actually harder, because typically the
passport check is conducted by the ferry staff, and there's a non-secure
holding area beyond this where passengers could be switched. We can all
look forward to hearing how the government's going to figure this one out
without bankrupting all the ferry companies.

The Police The draft is quite specific that it will not be compulsory to
carry an ID card, nor will it be permissible for the police to demand to
see your card. But in the case of the driving licence (which will morph
into an ID card) you'll still have to report to a police station to show it
within seven days, and the consultation document tells us that "people will
be able to have their biometrics checked against the Register even in the
absence of a card on a voluntary basis in order to establish their identity
if, for example, they are stopped by the police."

To grasp the full import of this peculiarly British situation, we need to
think a little about the powers the police already have, and the way they
use them. They can't ask you for ID, but they can seek to establish your
identity if they arrest you, and they can arrest you on grounds of
reasonable suspicion. Questioning their reasonableness at this juncture is
usually not constructive, although you may consider risking a polite
indication that you are aware of the relevant laws. Also, their powers of
stop and search have been reintroduced via several anti-terrorist measures,
and these have been so widely deployed against demonstrators that even
David Blunkett has expressed concern.

Effectively though, if they want to find out who you are, they have the
means to do so, and if they've arrested you, they have the means to find
out who you are. But they actually only want to know who you are in pretty
specific circumstances. There are those where their reasonable suspicion is
actually pretty reasonable, and there are more heavy-handed and
wider-ranging checks of, say, protesters at an arms fair. But bitter
experience from the 80s means that they avoid stop and search operations
that would be interpreted as ethnically targeted and that might trigger
unfortunate riot-style situations.

So the police are not going to voluntarily implement intensive ID checking
in areas of high immigrant population, and the kind of gains that could be
made (if you call lots more illegals caught plus lots of bits of London
ablaze, gains) by pass-law style implementation of ID won't happen.

News that senior police officers support a compulsory ID card is about as
surprising as news that they've got fast cars with groovy flashing lights.
But in operation the card is most likely to be an administrative convenience
to them, used to provide a more reliable ID in circumstances where they're
seeking to establish it. If the ID's present they can rely more on it being
genuine, and if it's not they can establish ID quickly by checking against
the database. This will, as at present, leave them with those with invalid
ID, but the process should be faster. It'll also allow them to check
immigration status and right to work, as these will be on the database even
if they're not on the face of the card, so it speeds their processing here,
if it's illegal immigrants they're looking for.

How, though, do they do the biometric reading? The Home Office appears to
envisage the use of mobile readers, but it's doubtful that these will prove
reliable enough for use in some kind of networked handheld configuration,
and they don't seem particularly compelling from the police point of view.
A "reasonable suspicion" candidate with no ID card can be sent down to the
station for checking, and one producing an ID card can be identified on the
basis that the card is probably genuine and the bearer looks like the
picture. If they're concerned about immigration status then a query based
on the unique number can be made - biometric check is unnecessary.

Nor are there any obvious scenarios where the existence of ID cards will
reduce crime. If the police don't know who did it, then the ID card is no
use. If they do, then the ID card is merely an administrative advantage.
Sure, they know where you live, but so long as you know they know this,
you're not there, right?

'What was that you said about them knowing where I live?' Ah yes, this
takes us on to the National Identity Register, referred to largely in the
documentation as "the Register." For the record, we are The Register, and
you should therefore not worry about sentences like: "Clause 29 makes it an
offence for any person to disclose information from the Register without
lawful authority."

Makes it damnable to write about though. The ID Register will hold data as
specified in schedule 1 of the draft bill. This is: personal information -
names, date and place of birth, gender, address; identifying information -
photograph, fingerprint, other biometric information; residential status -
nationality, entitlement to remain, terms and conditions of that
entitlement; personal reference numbers - National Identity Registration
Number and other government issued numbers, and validity periods of related
documents; record history - historical information previously recorded,
audit trail of changes and date of death; registration history - dates of
application, changes to information, dates of confirmation, information
regarding other ID cards already issued, details of counter-signatures;
validation information - information provided by any application,
modification, confirmation or issue and other steps taken in connection
with an application or entry, details of any requirement to surrender;
security information - personal identification numbers, password or other
codes, and questions and answers that could be used to identify a person
seeking access; access records - the audit trail of accesses to the entry.

Not listed in schedule 1, but listed elsewhere in the documentation as
being held by the Register, we have PIN, passport validation information,
background evidence or document checks carried out to confirm status,
details of non-UK ID (including foreign passports), and information
(including biometrics, where available) of unsuccessful applications. Other
categories can be added by the home secretary, and information can be added
at the request of the holder, provided the home secretary agrees. Blood
type and organ donor status are suggested examples of these, but this is
slightly potty, given that in both cases you want the information to be
immediately obvious to the medics, not dependent on them shoving your card
into a reader first. So we can file that with the other feeble attempts to
make the card popular.

We can draw a number of conclusions from the information that's intended to
be on the Register. The presence of "other government issued numbers" means
that they can use the ID system to consolidate and weed the NHS and
National Insurance systems as they add numbers. This will ultimately make
it simpler to associate services with ID, without approval or cooperation
of the operators of these services. PIN is interesting, because it could
conceivably provide a mechanism for you to use your national ID over the
Internet. "In an increasingly technologically complex and global [sic - as
opposed to, say, 'stubbornly oblong?'] world, correct identification has
become critically important, and we want to ensure that UK citizens are
properly protected and equipped to deal with this emerging world," Blunkett
tells us. Unhappily, there is scant sign in the draft bill that they've
actually twigged that fingerprints aren't going to be a whole heap of use
when you're sitting in front of your screen (anybody who says 'personal
reader', see me after class), and the odd mention of PIN is the only sign
that there might be something there that they'll get to when they've time
to think about anything beyond biometrics.

Other listed information is, you'll note, heavily weighted towards
immigration control. Clearly, the intention is to have a great deal of data
on anybody who isn't a UK citizen from birth. Please yourself as to whether
or not you feel this is too much information about you for the government
to hold - a commissioner will be appointed to make sure the data is not
abused, but actually that's not the half of it. Consider what it doesn't
include, things like credit status or whether the security services are
after you. Obviously if you're a wanted criminal or terrorist trying to
flee the country, police and immigration are going to have you on their
list (actually this isn't obvious at all, but they obviously should have
you on it) in order to nick you when you hit the border check. So actually
they'll have their own database which will interact with the ID Register.
Similarly, a bank checking up on you is going to be checking credit rating,
homeowner status, county court judgments etc, so will have its own external
database and links to other external databases. It will likely prove useful
to the bank to consult the Register to confirm you exist and where you
live, and it's perfectly conceivable that the unique ID will therefore move
out of the Register and into the world in general as a handy, well, unique
identifier.

So the government reps telling you there's not much in the database and
there's a commissioner to mind it, so that's OK, are being really thick, in
a 'don't know much about databases' sort of way. They are, without clearly
grasping it, proposing the ID Register as the focus around which an
ever-increasing number of personal information databases revolve. They've
set themselves a non-trivial task in keeping all of the specified
information in the Register accurate and up to date, and the freeform
nature of "information relating to an application or entry" will be a
particular problem, because it should really be in another kind of
database. Indeed, the amount of immigration-related data in the Register
makes it look more like an immigration database than a general population
register. Granted, the Home Office may be taking the view that the data
should be there because it is needed by multiple agencies, but that's the
case for much police and social services data too. If these (where they
actually exist fully) can be external, why not immigration?

From the subject's perspective, of course, it doesn't matter whether the
database is elegantly conceived and designed; what matters to subjects is
the extent to which it enables the collation, use and abuse of data on
them. By pitching the ID card as "watertight proof of identity for use in
daily transactions and travel" the Home Office is essentially begging for
the satellite databases to be produced. So, small piece of government
control-freakery possibly under the commissioner's control, potential
hordes of escaped privacy monsters enabled by said small database.

Security and usability We can't comment on the security of the system at
this juncture, but we can run down its sins against security good practice
fairly readily. Experts who've given evidence to the Home Affairs Committee
ID card enquiry so far have tended to fall into two camps on the scheme.
The critics argue that placing all your eggs in one basket is stupid, while
the apologists/supporters say that in principle the system can be made
secure. If you're not immediately with the critics on this one, consider
how the apologists react when pressed. They accept that by placing a great
deal of reliance on one card, ID, database or whatever you are inevitably
increasing the stakes, but say that in principle the system can be made to
function, and can be secure. Pressed further they then concede that we can
never guarantee anything 100 per cent.

Security experts would be largely with the critics on this one - single
points of failure are bad. The proposed ID system, however, has numerous of
these, at least conceptually. If you actually need your ID card as the
pivotal ID around which your life revolves, allowing you to use government
services, financial services, buy stuff, then you're snookered if it
breaks. Or if the network breaks. Or the Register.

We also need to be concerned about what happens if the card (or the ID
without the card) is stolen or compromised. Now, in principle this ought to
be impossible or very hard, because the system is dependent on your
particular biometric signature. But we've already noted government
suggestions of areas where this would not be read, and we've suggested that
not checking the biometric or not checking against the central database
will be fairly common. So the theft value of the card will depend on how
much of value can be obtained using it without tripping a strong biometric
check. The more it is used for daily transactions, the higher this value
will be.

David Blunkett has claimed the system "will make identity theft and
multiple identity impossible, not nearly impossible, impossible." Clearly
this is untrue, but we need to assess the extent of its untruthfulness;
aside from situations where ID theft is enabled by the security systems not
actually being used, what about the possibility of the card, or the system,
being compromised? Currently it is clearly harder to forge a biometric
passport than it is a conventional one, but as biometric passports do not
yet exist, why should forgers try to forge one? How much of the difficulty
is because of it actually being harder, as opposed to there not having been
any motivation for anybody to develop the skills yet? Clearly we can't yet
be sure, but you can see the likely dangers. Traditional avenues such as
switching the picture and changing the details may still be viable
(although surely a bit more complicated) in instances where the biometric
isn't read, and altering the biometric itself (clearly harder until it's
cracked - then it's easy) could be useful if there's no network check, or
depending on the procedures implemented around that check (see Passport
Control, above). And there's also the job of making sure any invisible data
tallies up - but never say never, it's at least as theoretically possible
as the system is theoretically invulnerable, and if it is cracked, the Home
Office has a very expensive security update rollout on its hands.

The alternative to this is a more distributed, defence-in-depth,
horses-for-courses approach where you use different strengths of ID,
different cards and different systems where appropriate. A mugshot and a
bearer who looks like she might be 12 is enough for a child's weekly season
ticket, surely, while (despite howls to the contrary about identity fraud)
a piece of plastic and a PIN is good enough to get a bank to give you
money. Would the banks like a 100 per cent secure system? Certainly. Will
the banks accept a system that eliminates fraud while turning away
significant numbers of genuine customers? Not a chance. What they've got
now is their current best compromise, and the ID system is not going to
change that. Similarly, although the state of the NHS and National
Insurance ID systems is lamentable, that is not entirely caused by the UK
public sector being historically crap at implementing IT projects. It is in
no small measure due to the fact that it really doesn't matter much.
Certainly there's a fraud component in there, but it's an acceptable one
from the point of view of the particular system, otherwise the system would
have reacted by doing something about it. A rational estimate of the annual
cost of 'health tourism', for example, is £200 million out of a total
budget of £70 billion. From the system's point of view there is absolutely
no point in it diverting resources from its primary objectives in order to
tackle a problem that small.

Other government ID systems can be positioned at different points along the
scale. National Insurance should obviously be concerned about the use of
fraudulently obtained numbers to get benefits, but hasn't a great deal of
reason to worry about the status of a user provided they're working and
paying in the money. Inland Revenue has more reason to be concerned about
tying the number to real people in order to avoid tax frauds, and so on.
There are varying levels of need in terms of identification, and it doesn't
necessarily make sense to try to fulfill them all by attempting to devise a
single, bulletproof ID system. And in the case of benefit fraud, although
the Department of Work and Pensions has estimated total losses at £2
billion, or £7 billion, or vast numbers in between, it confesses it reckons
ID-related benefit fraud amounts to a whole £50 million.

What will you pay? No, really pay?

David Blunkett has recently been pushing a contorted piece of reasoning
whereby he establishes that the cost of an ID card is in fact £4, rather
than the large sums he will be charging. This implausible pitch hinges on
the claim that most of the money would have to be spent in order to
modernise the passport system anyway, but it kind of misses the point even
if you were to accept that. If it is the state as a whole that requires
something, then it is the state as a whole that pays, and the money comes
back through general taxation, right? Chancellor Gordon Brown refused to
pay for it out of general taxation, as he does regarding much else, but if
it had been an absolute necessity, then he couldn't have refused. Kick and
scream for a long time, yes, but refuse, no.

So one has one's doubts, and if one counter-argues that it's really the
people travelling and driving who need the modernisations and should
therefore pay, one still has to explain the others. The people who
currently have to pay absolutely nothing for an ID card because they don't
need to have one will have to pay their £4 in the form of a £35 payment in
order to get an ID card. Of course, it's not compulsory. Until it is.

And we could point to the essential weirdness of arriving at a situation
where everybody in the country has to pay individually for something they
have no choice but to buy. Isn't that a tax? And if it's not, then what's
the point of taxes? Couldn't we just abolish them all and pay for
everything by name? This hypothecation madness is however more properly a
matter for New Labour's conscience than it is for The Register (capital T,
emphasis), so we'll move on to the £3.1 billion.

You can, with the aid of the tried and tested UK government IT project
algorithm, double this and add ten per cent for luck. Some people already
have, and we wouldn't put money on them being wrong. But what you cannot do
is say why it will cost £3.1 billion (or at least £3.1 billion, if you
insist). The Home Office has been solemnly saying 3.1 for months now, but
has not said how it arrived at this figure. This makes it remarkably
difficult to assess whether it's going to be money well spent or not. As
Ross Anderson said (along with much else worth reading
(http://www.publications.parliament.uk/pa/cm200304/cmselect/cmhaff/uc130-iv/uc13002.htm))
in his evidence to the Home Affairs Committee, "If the thing remains
covered by Official Secrets to the point that even Parliament does not know
which path the Home Office is intending to take, then that is bad news."

We now have an indication of the path the Home Office intends to take, but
we do not have cost breakdowns and we have not been presented with
alternatives, ranging from simple modernisation of the passport system up
to universal ID megaproject, with relevant estimates. We are supposed to be
being consulted, but we have not been given sufficient justification for
the rejection of the lesser options to be able to make an informed judgment
on the adoption of the maximalist one.

It's difficult to conceive that any system at the minimal end of the scale
could possibly cost as much as £3.1 billion. If it's the case that
passports need to be upgraded in order to conform to the US requirement for
ICAO standard biometrics, then it is simply necessary that it have a facial
biometric. Although the European Commission envisages the harmonisation of
ID documents in the EU using biometrics, and intends fingerprint to fulfill
the main role here, it has not ordered the introduction of ID cards where
they don't exist. Nor need fingerprints be on passports, visa and ID
documents for third country nationals immediately. Says the Commission:
"...it could be considered that in their implementation Member States
should have more flexibility. The facial image should be introduced as the
first biometric identifier for reasons of interoperability. The
introduction of the compulsory fingerprints need not necessarily happen at
the same time, as it has not been decided whether the VIS [Visa Information
System] will include biometric data from its very beginning."

So if the Commission's drive for a "coherent approach" stands, then we will
have facial biometric and fingerprint on passports, but we don't have to
put both of them in yet. We could anticipate the Commission in order to
save expenditure on future revisions, but we could possibly do as Canada
has so far - leave space for the print, pending a final decision and/or (in
Canada's case) a satisfactory agreement with the US.

So what would this cost? You would have to allow for the new passport
production processes, and you'd need to spend money on sufficient biometric
reader systems to support passport applications. The total would most
certainly not be £3.1 billion. But ah, you say, you'd also need the readers
at entry and exit points, the central database and the network connecting
it all. This is quite possibly the conclusion the Home Office has jumped
to, but it ain't necessarily the right conclusion.

The equipment you need is determined by what it is that you propose to do
with the system. The current requirement is for passports with a facial
biometric, but there is no requirement for you to actually read that
biometric. And actually, those countries which intend to read facial
biometrics with a view to learning something useful from them will give up
fairly swiftly, for reasons explained above; the United States' current
collection of mugshots at entry points speaks of some kind of cryogenic
mindset, collecting the database in the hope that scientific advancement
will eventually cure it. Here, we could perfectly well have toed the ICAO
line by including facial and just carrying on identifying people by looking
at the picture.

We could certainly (and being us, we surely would) keep the biometric data
on a central database for reference, but there's absolutely no need for us
to actually access this database from checking points. We could, perfectly
validly, view the biometric simply as a strengthening of the integrity of
the document, and use a combination of visual appearance, supporting
information and common sense to tie the bearer to the document. This is not
as strong as the theoretical strength of the £3.1 billion system we're not
sure will actually work, but it's considerably stronger than what we have,
and could be seen as a highly cost-effective reform of the passport system.
And, as various scenarios put forward above indicate, it is via the
strengthening of the document that the bulk of the general gains of the
system can be achieved. Some countries, incidentally, take this position to
the extent that they throw away the biometric after it's been included in
the document. The biometric in the document ties the individual to the
document, so you don't need to store the biometric any more, right?

Summary

So, what have we got? We have an overall strengthening of the integrity of ID
documents in the UK, and in the case of the passport this is an important
gain, primarily from an immigration point of view, but also in situations
where a passport would be used to establish ID (e.g. banking). The major gain
is to be made simply via the document, and does not hinge on an ability to
check with a central database. A local check of biometric against document
could strengthen the ID further, but in most cases this shouldn't be
necessary - looks like person, probably is person, sure passport isn't
forged, pass, person.

ID-related health and benefit fraud are not sufficiently extensive for them
to justify a universal rollout of ID cards. The existence of a single,
solid database of people in the UK could prove useful in tidying up
National Insurance, NHS and tax records, but that single database will not
even begin to exist until 2013, and these record systems do not need the
strength of ID proposed by the Home Office in order to function. Yes, they
need tidying up and weeding, but they could at least as well be tidied up
by other means - and the tidying ought to start a bit sooner than in ten
years' time.

For the security services, the ID scheme is largely an administrative
convenience. It will not of itself help catch criminals or terrorists, nor
will it help significantly in finding them. As and when the hypothetical
ring of steel exists, checking all UK ID as it comes in and out of the
country, then the security services will have (theoretically - depends on
how good they are at sharing) a record of a suspect with UK ID entering or
leaving the country. But if it's someone they seriously suspect they've got
that already, check? And they've been known to track them all the way
through Spain to Gibraltar, too...

The other agenda

As you were so rightly thinking, we missed one in the summary -
immigration. This however fits better as the primary driver of the other
agenda, the one that isn't in the draft and the consultation documentation,
but that is slowly beginning to be spilled out in interviews and Committee
evidence. We don't propose to pass an opinion on who started it, but the
public, the Daily Mail, the Government and the Home Office are now whipping
each other up into some kind of circular frenzy about immigration. And the
buck stops at Blunkett's Home Office.

A brief, but by no means comprehensive, list of Blunkett's headaches here
will be useful. He has large numbers of asylum applicants to be processed
and supported while they await processing. He has overloaded application
systems at embassies throughout the world, overloaded processing systems in
the UK, scandals caused by people shorting out the processing systems in
order to deal with the backlog. He has asylum seekers who've been rejected
and overstayers in the country somewhere, he doesn't know where. He has
people applying again and again until they get in (no, he doesn't know how
many, otherwise they wouldn't, right?). And he has people-trafficking. This
is widely perceived as a huge issue, but actually the numbers are estimated
by the police as quite small, the main illegal immigration problem being
assisted entry, where a passport is sent out of the country, altered, comes
back with the illegal immigrant, and is then sent out once more.

We barely scratch the surface, but you can understand why Blunkett might
just be the teensiest bit tetchy. He needs a magic bullet to fix all of
this, and the ID card is it. But how does it fix it? We're really better
off looking at how he thinks it will fix it.

In recent statements Blunkett has pinned a great deal of hope on his
knowing who's coming in, who's going out and who's here. To the Home
Affairs Committee on 4th May, for example, he said he would be aware of
"who is coming in and out, those who are resident, and those who are
engaged in activities around terrorism." Note that he's aware of the latter
already, and that this awareness has nothing to do with the existence or
non-existence of an ID card system - it's a security services surveillance
matter. The broader importance is the faith he's putting in a complete and
accurate audit of the UK population, and his most pressing motivation for
wanting this is immigration.

If for a moment we just pretend he's actually going to get this, we can see
how at least some of the immigration headaches get nailed. It doesn't help
with the application overload, because we still have to create an ID for
new applicants (even the ones we turn down straight away). It should get
the lid on multiple applications, because we'll catch the matching
biometrics. It should seriously impede assisted entry, provided it turns
out the passport can't be altered, and it could have a similar effect on
forgeries. Eventually, granted that knowing who's coming in and out
actually works, it should reduce the number of people who're in the UK
somewhere, but who can't be found and thrown out. They will die off or find
some way of legitimising themselves. Blunkett himself concedes that it will
be possible to establish a false ID, but then you'll be stuck with it for
the rest of your life.

Which would probably be fine from the point of view of an illegal immigrant in
the UK. And there are all sorts of people who'd find having just the one
strong British ID in addition to any others they have quite handy. One
could even toy with the notion of Osama bin Laden having one in order to
draw disablement benefit while he's holed up in some Afghan cave. He'd only
do it the once and then he'd be stuck with it though, so that's OK by David.

Blunkett's dream of 100 per cent knowledge of what's in the UK is however
marred by exceptions. He can't insist on 100 per cent before compulsion
comes in, and once it does arrive, the pool will continue to be muddied by
people coming in on short stays (no ID registration required) then
vanishing. The 'unpeople' who're already here aren't likely to turn
themselves in, and someone with no legitimate ID is clearly not someone
who's going to arrive at the police station to show ID within seven days.
So how do you nick them?

Well, you can do it via mechanisms the Home Office has specifically ruled
out - making carrying ID compulsory, ethnically targeted stop and searches
and the like, but we've ruled all that out, haven't we? So what it hinges
on is the card really becoming the "key" to life in the UK, used "in daily
transactions and travel." The more widespread its use, the more checkpoints
there will be, and the fewer aspects of daily life that will be available
to you without your using the card. It is currently possible to exist in
the UK without a valid identity, but the more checkpoints there are, the
narrower the options of the ID-less will be. So it's not just desirable
from the Home Office's point of view that the British public love and use
the card, it's absolutely vital. If they don't, the whole thing doesn't work.

So do you want this? It's a system that won't achieve most of its
objectives, and those it will achieve will be achieved via massive
overdesign (secure passport system? Here, take this networked database and
personal information register to go with it). You get a personal ID card
you don't need. You pay vastly more than you need to for the ID documents
you do need. It only addresses the immigration problem (most of the British
public sees immigration as a problem) if you pretend to love it and use it
all the time, in all sorts of areas where you don't need it and it's
inappropriate. And you get the free centralised database of your personal
information anyway, providing a locus for any number of government and
private databases of your personal information. Don't worry, you've nothing
to hide - even from your bank, other banks, loan sharks and double glazing
salespeople, right?

It costs £3.1 billion for all this cool stuff. At least. Go and tell the
Home Office how much you support it, you've got until the 20th July, and
you'll find a link to the consultation document below. If you happen to
agree with any of this article, paraphrase it, don't just copy it. If you
do they'll just mark you down as a petition signer and disenfranchise you,
like they did with the Stand objectors in the previous "consultation."

Consultation input should be sent to Robin Woodland, Legislation
Consultant, Identity Cards Programme, Home Office, 3rd Floor, Allington
Towers, 19 Allington Street, London SW1E 5EB. They can be faxed to +44
(0)20 7035 5386 or emailed to identitycards at homeoffice.gsi.gov.uk, with
'consultation response' in the subject line. All of this information is
prominently displayed on page 42 of the consultation document.

Related stories:

Draft bill and consultation
(http://www.homeoffice.gov.uk/docs3/identitycardsconsult.pdf)

Glitches in ID card kit frustrate Blunkett's pod people
(http://www.theregister.co.uk/2004/05/05/id_pilot_glitches/)

UK public wants ID cards, and thinks we'll screw up the IT
(http://www.theregister.co.uk/2004/04/22/id_cards/)

Fingerprints as ID - good, bad, ugly?
(http://www.theregister.co.uk/2004/04/19/biometrics/)

ID cards: a guide for technically-challenged PMs
(http://www.theregister.co.uk/2004/04/05/uk_id_cards/)

© Copyright 2004


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




