Tomorrow Elephant

Recently I had an excuse to do some research on the ID card scheme that the British Government has been pushing for a while now. I was applying for a job with POST, the Parliamentary Office of Science and Technology, and had to include a 2-page briefing-style note on the cards as a part of my application. I didn’t get the job, but since I worked quite hard on the sample briefing, I thought I’d make it available here (PDF link). It’s basically a brief summary of all the reading I did, and incorporates some insightful comments from a friend of a friend who happens to be a biometrics expert.

Of course, given that the report was intended for the Parliament, it doesn’t really reflect my own opinions on the ID card matter, so just to complement the dry matter-of-fact tone of the report a little, I’m going to have a little rant. This is quite lengthy, so if you prefer pictures instead of words, you can go see the musical version with the cute dog pianist. Or if you’re a more proactive type, No2Id has more stuff. Go, contribute, sign the pledge.

To put it briefly, I think the scheme is a terrible, misguided idea based on dubious economics, ideology and technology. While there may be some benefits to having a universal identity verification system, using a centralised database as the main component is sheer lunacy, as security guru Bruce Schneier points out, both from ethical and practical points of view. Many European countries (such as Germany) have Data Protection Acts that explicitly forbid the creation of massive databases on their citizens, and with good reason — the regimes where this sort of thing has actually been successful include the Communist East Germany, Vichy-era France and other totalitarian governments.

I don’t completely agree with all the conclusions of the London School of Economics report on the ID cards. Their criticism of the economical side of the project and a cold reminder of the bad history the UK has with big public ID projects are well-founded, but the way they treat the biometrics issue smacks of an attack on a straw man — they clearly do not understand the nature of technology as well as they understand economics (fair enough). It is well known that the proposed biometric elements of the ID cards are far from perfect, especially when it comes to iris recognition and, even worse, digital facial recognition. However, from a purely technologist standpoint it’s not inconceivable that during the ten years it’ll take to implement the project fully, biometrics will mature sufficiently to be usable — but the ID card scheme will benefit from these advances only if the data scanned in during the enrollment phase is of sufficiently high quality that the next-generation devices can make use of it. This will, of course, make the scheme a lot more expensive and put a lot of pressure on the organisations responsible for the enrollment of more than fifty million people.

Provided that this condition is met, the LSE conclusions about the reliability of biometrics are a little rash. That is not to say that even future biometrics will be infallible or impossible to forge, as Charlie points out — if the card scheme does go through, the phrase “giving the finger” may suddenly aquire a new, sinister meaning.

There are other human aspects that the government should really be taking into account. According to polls, possibly as many as three million people will refuse to obtain an ID card, thus effectively dropping out of the social system. The Passport Office Biometrics enrollment trial indicates that enrollment will take at least 10 minutes per person provided it’ll run smoothly. Fifty million times ten minutes is a lot of working hours. And, at the end of the day, it’s not certain how comfortable people will be with biometric systems, especially iris scans. It is likely there’ll be a lot of resentment and suspicion.

The most suspicious thing about the whole project is that it’s not clear that it will actually have any relevance to the issues the Home Office is worried about, such as ID fraud and terrorism. The Home Office says the scheme will pay for itself via savings coming from easier access to public services and reduced economic losses to identity fraud — something that’s pretty hard to quantify and it’s not entirely clear that the cards will eliminate fraud anyway: on the contrary, it might just inspire better forgeries. As for terrorism, the problem with the Identity Card Bill is that it does not actually impose criminal penalties for not having an identity card, only civil ones — i.e. fines. This means that the Bill could effectively be a tax on criminals: affluent organised crime bosses could certainly afford to pay off accumulating civil fines, no matter how large.

The alternative scheme proposed by the London School of Economics team appeals to me a lot more for many reasons. Firstly, it appears to utilize public-key cryptography and shared-secret protocols (although the precise mechanics are not explained in detail in the LSE report), which strikes me as a more solid and reliable basis for an identity verification system than biometrics. The LSE scheme relies on so-called “unidirectional identifiers” handed out by a Higher Government Authority which can then be used while interfacing with various institutions, both in the public and private sector: sort of like the differing forms of paper ID we use today. This kind of setup would guarantee that citizens would have at least some control over who can gather information about their lives. Notably, the scheme also lacks a vulnerable centralised database. I’m not qualified to judge if it’s going to be more cost-effective or not, but it would allow third parties to set up their own identity verification services (for instance, Tesco’s). Obviously, the UK government is not too keen on this, since it wants to be able to control whatever business models eventually emerge from the ID cards. No wonder they the Home Office recently published a fierce rebuttal to the LSE report. (See also the LSE response.)

Finally, the UK government has a terrible, terrible history with large-scale IT projects. Given that this particular project is of unprecedented scale, uses cutting-edge (and partially non-existent) technology and is pretty much the first of its kind in the world, I wouldn’t put too much trust in the British know-how, I’m sad to say.

And I haven’t even gotten into the whole paranoia aspect of the thing. Who exactly has access to this mountain of data about UK citizens’ lives? Combined with the EU data traffic record retention plan, it’s really starting to feel like the Panopticon is getting closer and closer. I’m not a complete cypherpunk, and identity theft is certainly an issue. There could be countless benefits from a universal, reliable identification system, especially for doing stuff online — given that one takes into account the greedy data-mining capabilities of government and private institutions and safeguards against them. But whatever this hypothetical identity grail may be, I very much doubt it’s described by the Identity Cards Bill of 2005.