38. Memorandum submitted by
Privacy International
EXECUTIVE SUMMARY
1. Privacy International urges the Committee
to approach the issue of identity cards with great caution. Many
of the claims made for the technology behind card systems cannot
be sustained. The justification advanced for the card may in some
cases be well intentioned, but appears to be based more on emotion
and rhetoric rather than credible research.
2. The biometric system that is proposed
to form the identifier base for the card has not been successfully
trailed anywhere in the world. Research evidence suggests that
many of the claims made by the biometrics industry are false.
Indeed the "one to many" biometrics architectures envisioned
by some proponents of the UK scheme are entire fraudulent.
3. The cost of the ID card system, together
with appropriate registration procedures, IT infrastructure, private
and public sector compliance and parallel systems will be well
in excess of informal estimates currently circulating.
4. The privacy threats arising from a national
ID system cannot be overstated. An ID card in the UK environment
will, in our view, breach the ECHR. A card will fundamentally
violate the privacy and data protection principles enshrined in
UK law.
5. There is no evidence in the research
literature to establish that identity cards either reduce the
threat of terrorism or reduce the incidence of crime. Indeed the
establishment of an ID card requires the creation of a new range
of offences, and introduces the very real threat of increased
criminality in a number of realms.
6. The identity card proposed for the UK
involves the concept of converged or "joined-up" data
resources. This poses grave threats to the security of data. It
also introduces the inevitability that data will be lost, misinterpreted,
mutated or abused. Multiple-agency access to sensitive data greatly
increases the potential for misuse of information, either through
corrupt disclosure or lapses in security.
OVERVIEW
By way of introduction, Privacy International
(PI) is a human rights group formed in 1990 as a watchdog on surveillance
by governments and corporations. PI is based in London, and has
an office in Washington, DC. Together with members in 40 countries,
PI has conducted campaigns and research throughout the world on
issues ranging from wiretapping and national security activities,
to ID cards, video surveillance, data matching, police information
systems, and medical privacy. It is recognised as the most prominent
critic internationally of ID systems. PI's website is www.privacyinternational.org
We would be happy to provide further specific evidence if request
by the Committee.
The idea of a national ID card may be superficially
attractive to some, but many countries have discovered that the
technology creates more problems than it solves. ID cards have
always served as an (initially) popular response to a crisis,
but a quick scan of countries with ID cards shows that their introduction
in recent times usually creates a range of unforeseen administrative
and social complexities. Thailand, which introduced its first
ID card in 1989, is still ironing out fundamental problems after
all these years.
No government has yet been able to identify
any country where the presence of a card has deterred terrorists
or reduced overall levels of crime. To achieve such an outcome,
a government would require measures unthinkable in a free society.
THE CANADIAN
INQUIRY
A Canadian parliamentary committee tasked with
the responsibility of reporting on options for a national ID card
similar to the one proposed by David Blunkett has told Parliament
that it could find no evidence to justify the scheme.
The Committee's Interim report, tabled in the
parliament last year http://www.parl.gc.ca/InfocomDoc/Documents/37/2/parlbus/commbus/house/reports/cimmrp06-e.htm
states that the evidence provided to the Committee overwhelmingly
refuted the need for a card.
While stressing that the Committee had not yet
reached a final position on the matter the Members almost unanimously
declared the proposal a waste of time and resources. Government
MP Joe Fontana, who chairs the committee, told press that the
Committee was still struggling to determine why an ID card was
even needed. "I think the fundamental question of why do
we need to have a national ID card has yet to be answered,"
he said
The Commons committee called into question polls
indicating that Canadians approve of the idea, noting that these
responses could have been based on how the questions were framed
and affected by other questions asked at the same time.
"At this point we've heard no evidence
to suggest that Canada would be any better off or its security
would be enhanced by a [national identity] card," committee
member and Alliance MP Diane Ablonczy said. "What we have
heard is that we need to upgrade the security features of our
existing cards. The security of our existing documents, yes, we
need to look at that very carefully. An expensive and comprehensive
new card does not seem to impress anyone out there." http://www.theglobeandmail.com/servlet/story/RTGAM.20031007.wcard10073/BNStory/National/
There is often an instinctive notion that a
card system can be a conduit for "nation-building" in
which cohesion and national identity can be strengthened. These
are intuitive notions that have no relation to the stated justification
for cards. In this sense a card may be an initiative grounded
in nationalism.
Patronage of the idea of an ID card is pursued
with little quantifiable evidence of the claims made for cards
systems. The presumption, for example, that a national card can
improve law enforcement techniques, reduce illegal immigration,
diminish fraud, assist national security or improve administrative
efficiency is entirely instinctive. There is little, if any, evidence
that a card system can achieve these goals.
FUNDAMENTAL INSECURITY
The biometrics system proposed for the UK card
is fundamentally unsound. China recently abandoned fingerprinting
on its ID cards because of insurmountable technical problems,[67]
while the British finance group Nationwide this year dropped plans
to introduce fingerprints and eye scanning as a replacement for
PINs.[68]
US security experts Peter Neumann and Laurie
Weinstein have observed "These supposedly unique IDs are
often forged. Rings of phoney ID creators abound, for purposes
including both crime and terrorism. Every attempt thus far at
hardening ID cards against forgery has been compromised. Furthermore,
insider abuse is a particular risk in any ID infrastructure".
"The belief that "smart" NID
cards could provide irrefutable biometric matches without false
positives and negatives is fallacious. Also, such systems will
still be cracked, and the criminals and terrorists we're most
concerned about will find ways to exploit them, using the false
sense of security that the cards provide to their own advantagemaking
us actually less secure as a result".[69]
There are also substantial security threats arising
from a biometric based identity system. Computer security expert
Bruce Schneier warns: "Biometrics also don't handle failure
well. Imagine that Alice is using her thumbprint as a biometric,
and someone steals the digital file. Now what? This isn't a digital
certificate, where some trusted third party can issue her another
one. This is her thumb. She has only two. Once someone steals
your biometric, it remains stolen for life; there's no getting
back to a secure situation".[70]
Such a system, linked through tens of thousand
of card readers to a central database, is the conventional means
of dealing with the problem of counterfeit cards. The technology
gap between governments and organised crime has now narrowed to
such an extent that even the most highly secure cards are available
as blanks weeks after their official introduction. Criminals and
terrorists can in reality move more freely and more safely with
several fake identities than they ever could in a country with
multiple forms of ID.
Identity cards may also contribute to the growth
of terrorism and criminality. Last year 36 people were indicted
in New Jersey for their part in a criminal enterprise in issuing
thousands of fake drivers' licences. Eight staff of the New Jersey
Division of Motor Vehicles have so far been arrested.
Even without the prospect of official corruption,
the technology gap between governments and organised crime has
now narrowed to such an extent that even the most highly secure
cards are available as blanks weeks after their introduction.
Criminals and terrorists can in reality move more freely and more
safely with several fake "official" identities than
they ever could in a country using multiple forms of "low-value"
ID such as a birth certificate.
Criminal use of fake identity documents does
not necessarily involve the use of counterfeiting techniques.
In 1999, a former UK accountant was charged with obtaining up
to 500 passports under false identities. The scam was merely a
manipulation of the primary documentation procedure.
When such schemes are introduced in the current
climate, three outcomes are inevitable. First, a high security
ID card will become an internal passport, demanded in limitless
situations. Don't leave home without it. Second, millions of people
will be severely inconvenienced each year through lost, stolen
or damaged cards ormore potentially devastatingthrough
failure of the card's computer systems or the biometric reading
machinery. Finally, as research by Privacy International has shown,
the cards will inevitably be abused by officials who will use
them as a mechanism for prejudice, discrimination or harassment.
This latter point was addressed by the UK High Court in 1954 when
it outlawed the wartime ID card.
Other countries have also reached this conclusion.
No common law country has ever adopted an ID card. When a national
card was proposed in Australia in 1986, the idea was hastily scrapped
after the biggest public campaign of opposition in recent history.
The New Zealand public has responded with similar vigour, while
the United States has traditionally opposed national cards.
THE BIOMETRICS
HOAX
All independent research studies have highlighted
a huge gulf between the claims made by biometrics vendors, and
the outcome of controlled testing. A recent study by the US Department
of Defense found that iris recognition did better than most technologies,
but one manufacturer's claim of a 0.5% false identification rate
ballooned to 6% during the DOD tests.[71]
A report issued by the US General Accounting
Office in November 2002[72]
reported that the largest iris scanning system currently in use
had only 30,000 records. Such a small system will perform in a
far different way to one involving millions or tens of millions
of records.
The GAO warned that it was "unknown"
how a system with many millions of records would perform. A report
from the National Institute for Science and Technology[73]
concluded that it had insufficient records and data to determine
whether iris recognition was an accurate identifier.
The fundamental problem for the accurate functioning
of biometrics rests with the relationship between a person's unique
biometric, and the numbers of other identities it is matched against.
This is a mater of simple mathematics. If a biometric scan of
an eye or a fingerprint is matched one-to-one against the same
scan that is recorded onto a card, the chance of an accurate match
is extremely good. The margin of error can be set to a very sensitive
level (say, to within plus or minus one per cent). However, if
that scanned eye is matched against, say, one hundred other identities
(one-to-many matching), the margin for error must be widened.
Otherwise, the instances of false rejection will be unacceptable.
If an eye scan is matched against a national database, as proponents
of the UK system have suggested, the margin for error would be
so wide as to make the system worthless.
Proponents frequently assert that the iris recognition
system generates no errors. This claim is akin to a goal keeper
arguing that, based solely on the number of saved goals, he has
a perfect record. A more accurate indication of the performance
of iris recognition can be derived by taking into account the
unruly "misses" that such assessment ignores.
It may well be true that those irises recognised
by the system can be matched with extreme accuracy against other
irises recognised by the system. The key question is how many
irises the system fails to accurately detect and therefore fails
to match. The largest current project in the UAE provides no insight.
Even if we were to take at face value the UAE Internal Ministry's
assertion that none of the 3,684 "positive hits" were
contested, we still have no clue about how many prohibited identities
slipped through the system, or how many innocent people were wrongly
identified.[74]
January 2004
67 http://news.bbc.co.uk/1/hi/technology/3003571.stm Back
68
See http://www.silicon.com/news/500013/1/6129.html Back
69
Risks of National Identity cards; Communications of the ACM No
44, 12th December 2001 http://www.csl.sri.com/users/neumann/insiderisks.html Back
70
Biometrics: Uses and abuses; Communications of the ACM, No 42,
8th August 1999 http://www.csl.sri.com/users/neumann/insiderisks.html Back
71
See BBC story at http://news.bbc.co.uk/1/hi/technology/3003571.stm Back
72
See the GAO's report on border security at http://www.gao.gov/new.items/d03546t.pdf Back
73
See report at http://www.itl.nist.gov/iad/894.03/NISTAPP-Nov02.pdf Back
74
These issues were comprehensively debated in New Scientist. Article
http://www.newscientist.com/news/news.jsp?id=ns99994393 based
on criticism of the technology. Followed by a letter to the editor
from the inventor of iris scanning, Professor John Daugman http://www.newscientist.com/opinion/opletters.jsp?id=ns24257
followed by a rebuttal from Simon Davies http://www.newscientist.com/opinion/opletters.jsp?id=ns24269
in the current edition. Back
|