Memorandum submitted by Andrew Watson (ID 11)

About the Author: This submission is being made in a personal capacity, not as a representative of any organisation. The author has over 30 years’ experience in the IT industry, and has been following the progress of identity cards legislation since the 1990s.

Summary: Despite the eight years of planning that have apparently gone into it, and preparation costs that latterly peaked at over £230,000 per day1, the National Identity Scheme is completely inadequate for the identification and authentication needs of the 21st Century. Instead, it seems to have been designed around a Home Office desire to catalogue and number the UK’s permanent population. British citizens would have been coerced onto the National Identity Register when renewing their passports, and then forced to comply with the Scheme’s requirements for life by a draconian regime of repeated civil penalties. Now that the Scheme seems likely to be abolished, legislators and technologists must turn their attention to providing truly voluntary electronic mutual identification systems designed for the Internet Age.

________________________________________________________________________

1. On 7th December 2009 Gordon Brown, then Prime Minister, announced government plans "within the next five years, to shift the great majority of our large transactional services to become online only"2. Even as he spoke, millions of taxpayers were completing web-based self-assessments, and by 31st January 75% of that year’s 8.6 million tax returns had been filed online3, up from 66% the previous year.4 Online services are even more widely used in business, with online banking being perhaps the most prevalent; in 2008 more than 23 million people in Britain banked online.5 However, as the online economy grows, so does the challenge of safely authenticating online transactions.

2. Today most of us rely on usernames and passwords to identify and authenticate ourselves online. It’s a technique that’s changed little since the dawn of time-sharing computing in the 1960s and is increasingly vulnerable to fraud. The banks lost an estimated £52.5m to online fraud in 2008, up 132% from the previous year6. Online fraud is growing much more quickly than the 25% annual growth rate of legitimate online commerce,7 and has already forced the permanent suspension of one online government service: HM Revenue and Customs’ web-based child tax credit claim system permanently closed in 2005 after stolen personal details of 13,000 civil servants were used to defraud the department of an estimated £15m8 9. We clearly need to devise better ways to establish online identities, and to authenticate that the people and organisations we communicate with are the legitimate users of those identities.

3. The National Identity Scheme (to give the ID Card scheme its official name) had as its objective to become the country’s "trusted and preferred provider of identity services".10 However, despite Mr Brown’s declarations about online services, this huge, expensive, long-running project that his government had pursued since issuing a consultation paper in July 200211 did not even attempt to support online authentication, let alone help modernise authentication technology.12 As such, it was completely incompatible with the model of eGovernment that Labour Ministers claimed to be pursuing.

4. To an outside observer it seems clear that the designers of the National Identity Scheme never gave much thought to the challenges of identity authentication in the modern world, but were instead focussed on creating an electronic version of the wartime National Registration system, which between 1939 and its abolition in 1952 was held on paper in 7000 transcript books at a requisitioned hotel in Southport13. Although it was originally introduced for just three specified purposes (co-ordinating national service, national security and the administration of rationing), "function creep" inevitably set in, and by the early 1950s thirty-nine government agencies made use of the register14, with the accompanying Identity Cards frequently demanded so that the holders could be monitored and controlled via their official record. Resentment about this increasing bureaucracy helped Winston Churchill win the 1951 General Election on a campaign promise to "set the people free", and the abolition of the scheme followed within months.

5. From the 1950s to the 1990s periodic attempts were made to convince successive governments to reintroduce a population database. In 1974 Home Secretary Roy Jenkins rejected ID cards as a response to IRA terrorism15, and Peter Lilley, a minister from 1990-97, noted that the idea had been "hawked round Whitehall for decades" but was merely a "‘solution looking for a problem"16. When Home Secretary David Blunkett announced legislation for a National Identity Scheme in 2004 he repeatedly emphasised that one of the main aims was to create a "new, clean database" of the whole population17 18.

6. Advocates of the National Identity Scheme had become so obsessed with re-creating 1940s bureaucracy that they failed to notice the arrival of the 21st century. Despite its apparent modernity, the Scheme introduced by the (mis-named) Identity Cards Act 2006 is firmly rooted in a Victorian model of government. Citizens cannot use it to identify themselves to each other or to businesses online, or even over the telephone. All the proposed uses for the Scheme involve face-to-face transactions, such as collecting a parcel from a Post Office19 or going into a bank to transfer money between accounts20. Once citizens started being enrolled on the database, Ministers talked up the Scheme as a way of proving one’s age in face-to-face transactions, or as a surrogate passport when travelling in Europe21. The Scheme’s architects ignored online commerce, despite periodic reminders from the banking industry and others. In 2003 a spokesmen for an online bank told the Guardian that "when it comes to internet banking, I don't think identity cards could help"22. In 2006 prominent banker Sir James Crosby was asked to produce an official report on how the confusing proliferation of vulnerable identity assurance systems should be reformed to meet the needs of 21st century business. He said clearly that the NIS "will not be the catalyst for the emergence of the consumer-driven universal ID assurance system envisaged by this report", and laid out ten broad principles for future identification and authentication systems23, all of which the NIS completely fails to implement. By 2009 Colin Whittaker, head of security for UK banking body APACS, despairingly said of the NIS: "The online capabilities that we were hoping were going to be present are unlikely to be there for the foreseeable future".24

7. Far from being designed as an authentication system, the NIS seems primarily to have been motivated by a Home Office desire to hold data on every person permanently resident in the UK. It makes no provision for identifying companies, parts of government, or other entities that participate in transactions but are not individual people. The Scheme also provides no support for people and companies to authenticate themselves to each other. It only allows for people to identify themselves to the Home Office. The only type of remote authentication provided is a trivial collection of "security questions and answers" which "will only be used to enable a change of address or to report a lost or stolen identity card" by telephone to the Home Office25. This authentication is so weak that "any changes to core identity details" (such as a change of name) would require a visit to a government office. Thus, far from facilitating the vision of eGovernment, the NIS would in fact create new reasons for citizens to have face-to-face interviews with officialdom.

8. The Scheme’s advocates claimed that linking its database records to digitised photographs and fingerprints would prevent fraud, but in fact the data will rarely be used since "the vast majority of transactions under the initial phase of the Identity Card roll-out will be on the basis of visual verification only"26 – in other words, checking that the holder looks like the photograph on the card. This provides so little security that banks long ago abandoned putting the holder’s photograph on credit cards to reduce fraud. Even when they are used, biometric data have two intrinsic characteristics that render them useless for remote authentication; they aren’t secret, and cannot be revoked. We all leave a trail of biometric data behind us wherever we go, such as fingerprints on a glass, or pictures on CCTV cameras. Unless biometric terminals are closely supervised by trusted personnel, for instance at police stations and border posts, it’s easy to inject someone else’s biometric data into the system. In 2008 the German Chaos Computer Club neatly demonstrated the scale of the problem when it distributed thousands of copies of the German interior minister’s fingerprints, taken without his knowledge and printed on transparent film for use in fooling fingerprint readers27. Unlike encryption keys, passwords or other forms of authentication data, biometric data cannot be changed if they become known to attackers, leaving the victim vulnerable to biometric impersonation for life.

9. Like 1940s National Registration, the NIS was designed entirely for bureaucratic convenience, and offers no benefits to businesses, nor does it allow citizens to do anything that they can’t already do with existing documents and authentication systems. The Home Office understood that few people would volunteer to participate in a Scheme that brings the individual so few benefits, and leaked documents reveal that "various forms of coercion" were planned to "stimulate applications" 28 . Most notably, everyone applying for a passport after 2011 would have been compelled to enrol in the NIS, and will thereafter remain on the database for life, with the threat of repeated £1000 civil penalties to force them to maintain the accuracy of this database record.

10. The so-called National Identity Scheme is based on an antiquated concept of citizens identifying themselves to the state in face-to-face transactions which is so far removed from the needs of business or government in the Internet Age that even if it weren’t being abolished by the present government, it was bound to fall into disuse and disrepute. Not even the authoritarian regime of repeated punishments for those who would not comply could have saved it. Now that it seems likely to be abolished, our legislators and technologists have an opportunity to discuss and design the identification systems that we need for a 21st century economy. Such systems must be robust, usable, decentralised, and provide for mutual online identification and authorisation of citizens, companies and sections of government. They must be centred on the needs of the citizen, not Whitehall, be truly voluntary and neither attempt to introduce a centralised database nor rely on citizens being coerced into lifetime control of their identity data by a government department.

July 2010

---

[1] http://www.publicservice.co.uk/news_story.asp?id=11266

[2] http://www.kable.co.uk/gordon-brown-speech-it-plans-08dec09

[3] http://www.theregister.co.uk/2010/02/03/hmrc_tax_returns/

[4] http://www.hmrc.gov.uk/about/online-filing-figs.htm

[5]   http://www.attorneygeneral.gov.uk/nfa/GuidetoInformation/Documents/NFA_fraud_indicator.pdf

[6]   http://www.attorneygeneral.gov.uk/nfa/GuidetoInformation/Documents/NFA_fraud_indicator.pdf

[7] http://www.eweek.com/c/a/Enterprise-Applications/Euro-ECommerce-Hits-133B-25-Yearly-Growth-Projected/

[8] http://www.independent.co.uk/news/uk/politics/revealed-the-cashforfakeid-scandal-at-the-heart-of-the-government-478159.html

[9] http://news.bbc.co.uk/1/hi/business/4532682.stm

[10]   http://www.ips.gov.uk/cps/files/ips/live/assets/documents/IPS_Framework_1109_v4_web_version.pdf

[11] http://www.archive2.official-documents.co.uk/document/cm55/5557/5557.htm

[12] http://www.ips.gov.uk/cps/files/ips/live/assets/documents/09-05-06_Identity_Cards_Act_Secondary_Legislation_a_Response_to_the_Consultation.pdf para 3.23 to 3.25

[13] http://www.southportvisiter.co.uk/southport-entertainment/news-reviews/2009/09/25/smedley-hydro-opens-its-doors-to-the-public-in-birkdale-101022-24772682/

[14] http://www.historyandpolicy.org/papers/policy-paper-33.html

[15] http://news.bbc.co.uk/1/hi/uk/4139049.stm

[16] http://www.bowgroup.org/harriercollectionitems/IDCards.pdf Chapter 1

[17] http://www.publications.parliament.uk/pa/cm200304/cmselect/cmhaff/130/4050405.htm

[18] http://www.theregister.co.uk/2004/10/11/new_passport_equals_new_id_card/

[19] http://web.archive.org/web/20080105153037/http://www.ips.gov.uk/identity /how-idcard-daily-collecting.asp

[20] http://web.archive.org/web/20080129150906/www.ips.gov.uk/identity/how-id card-daily-transferring.asp

[21] http://www.itpro.co.uk/619807/home-office-brings-id-cards-to-london-with-youth-push

[22] http://technology.guardian.co.uk/online/story/0,,884668,00.html

[23] http://www.hm-treasury.gov.uk/media/6/7/identity_assurance060308.pdf

[24] http://www.silicon.com/management/cio-insights/2009/01/30/banks-id-cards-have-been-stripped-of-useful-features-39389272/

[25] http://www.ips.gov.uk/cps/files/ips/live/assets/documents/09-05-06_Identity_Cards_Act_Secondary_Legislation_a_Response_to_the_Consultation.pdf

[26] http://www.ips.gov.uk/cps/files/ips/live/assets/documents/NIS_Legislation.pdf

[27] http://www.theregister.co.uk/2008/03/30/german_interior_minister_fingerprint_appropriated/

[28] http://www.timesonline.co.uk/tol/news/politics/article3261968.ece