EXECUTIVE SUMMARY

  1.  Privacy International urges the Committee to approach the issue of identity cards with great caution. Many of the claims made for the technology behind card systems cannot be sustained. The justification advanced for the card may in some cases be well intentioned, but appears to be based more on emotion and rhetoric rather than credible research.

  2.  The biometric system that is proposed to form the identifier base for the card has not been successfully trailed anywhere in the world. Research evidence suggests that many of the claims made by the biometrics industry are false. Indeed the "one to many" biometrics architectures envisioned by some proponents of the UK scheme are entire fraudulent.

  3.  The cost of the ID card system, together with appropriate registration procedures, IT infrastructure, private and public sector compliance and parallel systems will be well in excess of informal estimates currently circulating.

  4.  The privacy threats arising from a national ID system cannot be overstated. An ID card in the UK environment will, in our view, breach the ECHR. A card will fundamentally violate the privacy and data protection principles enshrined in UK law.

  5.  There is no evidence in the research literature to establish that identity cards either reduce the threat of terrorism or reduce the incidence of crime. Indeed the establishment of an ID card requires the creation of a new range of offences, and introduces the very real threat of increased criminality in a number of realms.

  6.  The identity card proposed for the UK involves the concept of converged or "joined-up" data resources. This poses grave threats to the security of data. It also introduces the inevitability that data will be lost, misinterpreted, mutated or abused. Multiple-agency access to sensitive data greatly increases the potential for misuse of information, either through corrupt disclosure or lapses in security.

OVERVIEW

  By way of introduction, Privacy International (PI) is a human rights group formed in 1990 as a watchdog on surveillance by governments and corporations. PI is based in London, and has an office in Washington, DC. Together with members in 40 countries, PI has conducted campaigns and research throughout the world on issues ranging from wiretapping and national security activities, to ID cards, video surveillance, data matching, police information systems, and medical privacy. It is recognised as the most prominent critic internationally of ID systems. PI's website is www.privacyinternational.org We would be happy to provide further specific evidence if request by the Committee.

  The idea of a national ID card may be superficially attractive to some, but many countries have discovered that the technology creates more problems than it solves. ID cards have always served as an (initially) popular response to a crisis, but a quick scan of countries with ID cards shows that their introduction in recent times usually creates a range of unforeseen administrative and social complexities. Thailand, which introduced its first ID card in 1989, is still ironing out fundamental problems after all these years.

  No government has yet been able to identify any country where the presence of a card has deterred terrorists or reduced overall levels of crime. To achieve such an outcome, a government would require measures unthinkable in a free society.

THE CANADIAN INQUIRY

  A Canadian parliamentary committee tasked with the responsibility of reporting on options for a national ID card similar to the one proposed by David Blunkett has told Parliament that it could find no evidence to justify the scheme.

  The Committee's Interim report, tabled in the parliament last year http://www.parl.gc.ca/InfocomDoc/Documents/37/2/parlbus/commbus/house/reports/cimmrp06-e.htm states that the evidence provided to the Committee overwhelmingly refuted the need for a card.

  While stressing that the Committee had not yet reached a final position on the matter the Members almost unanimously declared the proposal a waste of time and resources. Government MP Joe Fontana, who chairs the committee, told press that the Committee was still struggling to determine why an ID card was even needed. "I think the fundamental question of why do we need to have a national ID card has yet to be answered," he said

  The Commons committee called into question polls indicating that Canadians approve of the idea, noting that these responses could have been based on how the questions were framed and affected by other questions asked at the same time.

  "At this point we've heard no evidence to suggest that Canada would be any better off or its security would be enhanced by a [national identity] card," committee member and Alliance MP Diane Ablonczy said. "What we have heard is that we need to upgrade the security features of our existing cards. The security of our existing documents, yes, we need to look at that very carefully. An expensive and comprehensive new card does not seem to impress anyone out there." http://www.theglobeandmail.com/servlet/story/RTGAM.20031007.wcard1007—3/BNStory/National/

  There is often an instinctive notion that a card system can be a conduit for "nation-building" in which cohesion and national identity can be strengthened. These are intuitive notions that have no relation to the stated justification for cards. In this sense a card may be an initiative grounded in nationalism.

  Patronage of the idea of an ID card is pursued with little quantifiable evidence of the claims made for cards systems. The presumption, for example, that a national card can improve law enforcement techniques, reduce illegal immigration, diminish fraud, assist national security or improve administrative efficiency is entirely instinctive. There is little, if any, evidence that a card system can achieve these goals.

FUNDAMENTAL INSECURITY

  The biometrics system proposed for the UK card is fundamentally unsound. China recently abandoned fingerprinting on its ID cards because of insurmountable technical problems,[67] while the British finance group Nationwide this year dropped plans to introduce fingerprints and eye scanning as a replacement for PINs.[68]

  US security experts Peter Neumann and Laurie Weinstein have observed "These supposedly unique IDs are often forged. Rings of phoney ID creators abound, for purposes including both crime and terrorism. Every attempt thus far at hardening ID cards against forgery has been compromised. Furthermore, insider abuse is a particular risk in any ID infrastructure".

  "The belief that "smart" NID cards could provide irrefutable biometric matches without false positives and negatives is fallacious. Also, such systems will still be cracked, and the criminals and terrorists we're most concerned about will find ways to exploit them, using the false sense of security that the cards provide to their own advantage—making us actually less secure as a result".[69]

There are also substantial security threats arising from a biometric based identity system. Computer security expert Bruce Schneier warns: "Biometrics also don't handle failure well. Imagine that Alice is using her thumbprint as a biometric, and someone steals the digital file. Now what? This isn't a digital certificate, where some trusted third party can issue her another one. This is her thumb. She has only two. Once someone steals your biometric, it remains stolen for life; there's no getting back to a secure situation".[70]

  Such a system, linked through tens of thousand of card readers to a central database, is the conventional means of dealing with the problem of counterfeit cards. The technology gap between governments and organised crime has now narrowed to such an extent that even the most highly secure cards are available as blanks weeks after their official introduction. Criminals and terrorists can in reality move more freely and more safely with several fake identities than they ever could in a country with multiple forms of ID.

  Identity cards may also contribute to the growth of terrorism and criminality. Last year 36 people were indicted in New Jersey for their part in a criminal enterprise in issuing thousands of fake drivers' licences. Eight staff of the New Jersey Division of Motor Vehicles have so far been arrested.

Even without the prospect of official corruption, the technology gap between governments and organised crime has now narrowed to such an extent that even the most highly secure cards are available as blanks weeks after their introduction. Criminals and terrorists can in reality move more freely and more safely with several fake "official" identities than they ever could in a country using multiple forms of "low-value" ID such as a birth certificate.

  Criminal use of fake identity documents does not necessarily involve the use of counterfeiting techniques. In 1999, a former UK accountant was charged with obtaining up to 500 passports under false identities. The scam was merely a manipulation of the primary documentation procedure.

  When such schemes are introduced in the current climate, three outcomes are inevitable. First, a high security ID card will become an internal passport, demanded in limitless situations. Don't leave home without it. Second, millions of people will be severely inconvenienced each year through lost, stolen or damaged cards or—more potentially devastating—through failure of the card's computer systems or the biometric reading machinery. Finally, as research by Privacy International has shown, the cards will inevitably be abused by officials who will use them as a mechanism for prejudice, discrimination or harassment. This latter point was addressed by the UK High Court in 1954 when it outlawed the wartime ID card.

  Other countries have also reached this conclusion. No common law country has ever adopted an ID card. When a national card was proposed in Australia in 1986, the idea was hastily scrapped after the biggest public campaign of opposition in recent history. The New Zealand public has responded with similar vigour, while the United States has traditionally opposed national cards.

THE BIOMETRICS HOAX

  All independent research studies have highlighted a huge gulf between the claims made by biometrics vendors, and the outcome of controlled testing. A recent study by the US Department of Defense found that iris recognition did better than most technologies, but one manufacturer's claim of a 0.5% false identification rate ballooned to 6% during the DOD tests.[71]

  A report issued by the US General Accounting Office in November 2002[72] reported that the largest iris scanning system currently in use had only 30,000 records. Such a small system will perform in a far different way to one involving millions or tens of millions of records.

  The GAO warned that it was "unknown" how a system with many millions of records would perform. A report from the National Institute for Science and Technology[73] concluded that it had insufficient records and data to determine whether iris recognition was an accurate identifier.

  The fundamental problem for the accurate functioning of biometrics rests with the relationship between a person's unique biometric, and the numbers of other identities it is matched against. This is a mater of simple mathematics. If a biometric scan of an eye or a fingerprint is matched one-to-one against the same scan that is recorded onto a card, the chance of an accurate match is extremely good. The margin of error can be set to a very sensitive level (say, to within plus or minus one per cent). However, if that scanned eye is matched against, say, one hundred other identities (one-to-many matching), the margin for error must be widened. Otherwise, the instances of false rejection will be unacceptable. If an eye scan is matched against a national database, as proponents of the UK system have suggested, the margin for error would be so wide as to make the system worthless.

  Proponents frequently assert that the iris recognition system generates no errors. This claim is akin to a goal keeper arguing that, based solely on the number of saved goals, he has a perfect record. A more accurate indication of the performance of iris recognition can be derived by taking into account the unruly "misses" that such assessment ignores.

  It may well be true that those irises recognised by the system can be matched with extreme accuracy against other irises recognised by the system. The key question is how many irises the system fails to accurately detect and therefore fails to match. The largest current project in the UAE provides no insight. Even if we were to take at face value the UAE Internal Ministry's assertion that none of the 3,684 "positive hits" were contested, we still have no clue about how many prohibited identities slipped through the system, or how many innocent people were wrongly identified.[74]

January 2004

68   See http://www.silicon.com/news/500013/1/6129.html Back

69   Risks of National Identity cards; Communications of the ACM No 44, 12th December 2001 http://www.csl.sri.com/users/neumann/insiderisks.html Back

70   Biometrics: Uses and abuses; Communications of the ACM, No 42, 8th August 1999 http://www.csl.sri.com/users/neumann/insiderisks.html Back

71   See BBC story at http://news.bbc.co.uk/1/hi/technology/3003571.stm Back

72   See the GAO's report on border security at http://www.gao.gov/new.items/d03546t.pdf Back

73   See report at http://www.itl.nist.gov/iad/894.03/NISTAPP-Nov02.pdf Back

74   These issues were comprehensively debated in New Scientist. Article http://www.newscientist.com/news/news.jsp?id=ns99994393 based on criticism of the technology. Followed by a letter to the editor from the inventor of iris scanning, Professor John Daugman http://www.newscientist.com/opinion/opletters.jsp?id=ns24257 followed by a rebuttal from Simon Davies http://www.newscientist.com/opinion/opletters.jsp?id=ns24269 in the current edition. Back