It’s not often that a government technology project becomes a topic of derision in British pubs, but one recent initiative has achieved that dubious honor.
The project that has Britons talking revolves around a proposed national identity card and an accompanying identity-verification database system. The government says the scheme will help combat fraud, illegal immigration, organized crime, and terrorism. But critics insist it will be ineffective, expensive, and intrusive.
According to the proposal, every person living in the United Kingdom will be issued an ID card with a microchip containing some personal information—name, date and place of birth, and other details—as well as some biometric marks, such as fingerprint, face, or iris scans. This and possibly other data, collected when an individual applies for the card, would also be stored in a massive government-controlled central database.
The project’s proponents say that the card-database combination will provide a foolproof identity check. For example, suppose a bank wants to verify that you are who you say you are. First, using a card reader, the bank retrieves a unique number, called the National Identity Registration Number, that is stored on your card; then, with a biometric device, the bank captures your fingerprints or some other physical characteristic. Next, the bank transmits this information to the government’s database, which uses the unique number to find your records and verifies whether the received and stored biometric data match.
The identity card proposal was part of Prime Minister Tony Blair’s reelection platform and is now high on his Labor Party’s third-term agenda. The initiative has already consumed more than £20 million (about US $34 million)—mostly on consulting contracts and a biometrics trial—even though the government has yet to pass legislation approving a full rollout.
At press time, the bill, introduced last May, was making its way through Parliament, with a vote expected early this year. With the government going all out for a quick approval and critics doing their best to savage it, the outcome is highly uncertain. If the ID card scheme is approved without significant changes, it could become the largest technology project ever undertaken by the British government.
In a press conference on 27 June 2005, Blair noted that this year the UK and other countries will begin issuing passports with chips containing biometric data, as recommended by the International Civil Aviation Organization. The introduction of biometric passports, he said, “makes identity cards an idea whose time has come.”
Not everyone agrees. That same day, the prestigious London School of Economics and Political Science (LSE) released a 300-page report on the project. More than 100 industry and academic experts from all over the world contributed to the study, available at http://is.lse.ac.uk/idcard.
“We’re trying to say this is not the only way to do an identity card scheme,” says Edgar A. Whitley, a researcher at LSE and one of the coordinators of the report.
The study says that ID cards could in principle have some benefits to citizens, but it criticizes the current proposal for lacking well-defined goals; for example, the government never clearly explained what impact ID cards would have on identity theft and terrorism. Moreover, the report says, the ID cards’ proponents hugely underestimated the project’s cost. The government projection is £584 million per year, or about £5.8 billion for the expected 10-year rollout. But the LSE study estimated the expenditures at £10.6 billion to £19.2 billion.
The LSE researchers also concluded that the project’s deepest flaws are of a technical nature. “The controversy, challenges, and threats arising from the Government’s identity proposals,” they wrote, “are largely due to the technological design itself.”
First, there is the idea of a single central database, which they note could become a critical choke point if it suffers failures and denial-of-service attacks. And then there is the use of biometric systems, whose accuracy levels may not be adequate to handle such a large number of individuals, resulting in identification errors.
“No scheme on this scale has been undertaken anywhere in the world,” the report says. "Smaller and less ambitious systems have encountered substantial technological and operational problems that are likely to be amplified in a large-scale, national system" [see IEEE Spectrum’s “Passport To Nowhere,” January 2005, and “Why Software Fails,” September 2005].
Critics say the government adopted an identity management architecture that was actually developed for corporate environments. They say the proposed system may work for a company but it will not work for a society. “Many experts are astonished that the government is pushing this corporate architecture as the solution for government-to-citizen interactions,” says cryptography and privacy expert Stefan Brands, a professor at McGill University, in Montreal, who contributed to the LSE report.
Brands says that companies routinely use identity management systems to electronically track and profile employees accessing their corporate resources. “In the context of an enterprise, this may not be a concern,” he says, “but in the context of a national ID card, the privacy and security implications of such a panoptical identity architecture would be unprecedented.”
Moreover, putting the personal data of millions of people in one single place, as the government proposes, is “poor security and poor privacy practice,” wrote Jerry Fishenden, Microsoft Corp.’s national technology officer for the UK, in an article for The Scotsman late last year. It would be a highly attractive target for hackers, and the result, he concluded, could be “massive identity fraud on a scale beyond anything we have seen before.”
Privacy advocates argue that a database containing the biometrics of an entire adult population—for the UK, this means nearly 50 million people—is a shaky proposition by itself. But they say it’s even more troubling that the government plan calls for the database to record every occasion in which a person’s identity is verified. As a result, anyone with access to the system could get a detailed trail of a person’s important activities, says Simon Davies, director of the watchdog organization Privacy International, in London, and a visiting fellow at the LSE.
Critics like Davies also note that the proposed ID card law authorizes disclosure of information from the database without an individual’s consent. That information could go to a large number of entities, including the police, the secret service, and tax and revenue agencies. What, Davies asks, are the safeguards against official abuse?
The centralized aspect of the plan also bothers experts like Brands, because it’s neither necessary nor desirable. He notes that people now interact with public and private organizations using a number of identification documents—a driver’s license, a passport, a company badge, a health insurance card—and that this variety is good for individuals. Why? Because it strengthens people’s privacy and makes identity theft harder by decentralizing personal information.
The UK ID card proposal, however, could seriously erode this segmentation. Because the cards have unique numbers, different entities could eventually begin to use them as personal identifiers in their own systems. After all, this is exactly what happened with social security numbers in the United States and other countries. Created to keep track of a person’s contributions to the social security system, the number became a highly trusted identifier and wound up being used by many other organizations, including employers, investment-account firms, and even video rental stores. The result is that it became easier for fraudsters—especially insiders—to get hold of the information they needed to steal people’s identities.
The LSE report suggests an alternative to the government’s proposal: a method based on a distributed approach. The identity cards, instead of storing a single number, would have multiple strings of numbers. These sequences, known as digital credentials, could be authenticated by the government with cryptographic signatures, so that criminals couldn’t forge them. A person could store many credentials on the same card and use specific ones as identity proofs when, for example, entering a building, applying for welfare benefits, or opening a bank account. That way, company records, health and insurance files, financial information, and other data would not all be tied to the same number.
Moreover, this distributed approach eliminates the need for a central identity-verification system. Instead, the verification would take place locally. Consider again the bank example. The bank would use a device to scan your fingerprint, iris, or other identifying characteristic, just as before. But then, instead of sending this data to a remote system elsewhere, the bank would simply compare it with the biometrics stored on your card.
Such a system, the LSE researchers wrote, would be “simpler to implement and radically cheaper,” adding that the technologies in its proposal are “in widespread commercial use” and could be “cost-effectively scaled to cover the entire UK population.” In addition, they say that even though privacy and security issues still exist, this scheme wouldn’t put at risk sensitive data of the entire UK population.
But the government isn’t buying it. “The system that we’re proposing is the one we think is affordable and the one that we think will provide the best value,” says a spokeswoman for the Home Office, the UK department of internal affairs, which is in charge of the project. (The Home Office’s response to the LSE report is available at http://www.identitycards.gov.uk.) She adds that for such a huge system, a centralized approach “seems to be the only way that it would be possible.”
“Some of the people we’ll be talking to are people experienced in putting together large-scale databases,” she says. “We’ll be finding out exactly how they do that.”
And how about cost? Charging people £30 for each ID card (£93 for an ID card plus a biometric passport) will cover the cost, the spokeswoman says. And as for the LSE’s estimated costs, she adds, they “don’t actually add up.”
As supporters and critics further scrutinize the ID cards’ proposed legislation, the debate heats up in Parliament—and at the pub.
UK Biometric Identity Card
Goal: To introduce ID cards and an identity-verification system to prevent fraud, illegal immigration, crime, and terrorism.
Why It’s a Loser: The design of the system is based on unreliable and inadequate technologies that could result in privacy and security problems.
Organization: Home Office, the United Kingdom’s department of internal affairs.
Center of Activity: London.
Number of People on the Project: Not available.
Budget: More than £20 million in the research phase; rollout cost estimates range from £5.8 billion to £19.2 billion.