infinite ideas machine: ID cards Archives

November 09, 2004

Sign up, sign up

NO2ID have launched an e-Petition against the Government's Orwellian, intrusive, impractical and immensely wasteful ID cards and identity register proposals. Please take the time to visit http://www.no2id-petition.net/ and sign it - these people already did:

Spy Blog
UK Indymedia

Samizdata.net

Globalise Resistance

boingboing

UK ID Cards at Blog City (thanks, Trevor!)

Chris Lightfoot gets in a shameless plug

Blogdial

UK Crypto

ID Unknown, a p*ssed off punter whose individual response to the 2003 HO consultation (via Stand) was treated as a petition...

Shout99

Above Top Secret

Suspect Paki courts controversy...

electricinca.com

the Warzine blogsite

Fruitless Labour (short, but to the point!)

Protein Feed

SteveC's 'not funny' archive

Spinneyhead seems to be having a few problems, but he's got the right idea...

perlmonger

The England Project

Steve: Developing on the Edge

Samwise returns...

What You Can Get Away With

Atomic Razor

(Far from) Random and Irrelevant

Malbac

Tom at Random Etc

Simon's blog

And, of course, you could always buy the T-shirt while you're at it!

Posted by lankyphil at 03:36 AM | TrackBack

October 19, 2004

Devil's Advocate

Martin Brampton acts as an excellent Devil's Advocate in his article, Does the UK need ID cards? on silicon.com. The comments are starting to reflect people's growing concern with Blunkett's scheme - and I have to say, despite my inevitable bias, that I think the con's are being far more coherently argued than the pro's. "It'll be more convenient" and "Shut up, the polls say people want 'em" vs. growing suspicion of politicians, proven bureaucratic inefficiency, valuing liberal society, being considered safer by countries that have 'em, dubious 'benefits', prosecution by database, a tax on the forgetful, and analogies to the Weimar Republic.

Maybe the tone of the debate (what little there has been) is shifting - it's certainly time for more people to join in...

Posted by lankyphil at 03:56 PM | Comments (0) | TrackBack

September 30, 2004

e-Borders? More like a surveillance charter

John Lettice's comprehensive overview of the government's newly-announced e-Borders initiative, Blair's Britain vies with US in ID snoop wars, is in turns both terrifying and depressing. Blair, Blunkett et al. are steaming ahead with a scheme that far exceeds even US-VISIT (read Privacy International's analysis of that here) in its scope for surveillance of the general population.

And they're not even trying to walk before they run.

Project Semaphore, also announced yesterday, intends to track SIX MILLION people - beginning by the end of this year! I know the US is applying pressure on every other country to issue their citizens with biometric passports by the end of 2005 (we got a year's grace when the chips weren't ready in time), but emulating and then exceeding the worst aspects of Homeland Security has got to be the daftest response ever.

How much is this all going to cost? If just smartcards for UK citizens and one database will cost £3.1 billion (and the rest!) then the cost of e-Borders must be truly enormous. Where's the cost/benefit analysis? What *are* the benefits? And if it's intended to link in with ID cards (which it is) then just how much MORE of our personal data will be transferred to other countries for them to do with as they see fit, every time we travel?

Posted by lankyphil at 01:17 AM | TrackBack

September 23, 2004

Let's cut to the chase

Philip Chaston's, It's the Database, Stupid! on both White Rose and Samizdata.net raises some good points about what a couple of the speakers said, most notably:

Both were unable to provide a convincing story as to why the government was introducing this measure. Without understanding the motives behind the development of the ID scheme, it will prove far more difficult to halt or reverse.

Uncovering the government's (not so) hidden agendas is one line of attack - and, as Philip acknowledges, there is no one simple answer. New Labour are very definitely fans of 'centralising control through data' - but I am certain that all governments fall prey to this, to some degree. It's the nature of any bureacracy to perpetuate itself, and managing everyone's identity is pretty much the mother of all bureaucratic moves. So much so that it takes a large step towards authoritarianism, even totalitarianism...

I don't believe that there is some highly organised plot in the UK (or globally) by a sinister 'them' who wish to control every aspect of our lives. Rather I think that opportunist politicians, heavily influenced by companies who stand to make enormous profits and civil servants who sniff a gravy train in the making, are being fooled into thinking that technological 'quick fixes' can dig them out of problems that are either of their own making (through poor management or bad decision-making) or so complex that no single initiaive can hope to have any effect.

Those in power are rarely smart enough to understand the full implications of what they are doing, and even if they are they know that (a) they are nowadays unlikely ever to be held accountable for their actions, so long as they are fairly near the top of the Westminster pile, and (b) it's probably worth doing anyway as a step towards making their name, gaining position or garnering a lucrative Directorship or two when they leave office - the public/media memory for all but the biggest cock-ups being so short.

Of course, individuals such as Blunkett and Blair are driven by a more messianic sense of self-belief than most and are therefore doubly dangerous. But they are not actually evil, and I'm sure that they genuinely believe that they are doing things for the best. They're deluded and wrong, and lots of us know it - which is why we have to do something about it.

What might be the possible motives / agendas behind the current ID scheme, then? Here's a list, in no particular order:

1) Stephen Harrison, Katherine Courtney, et al. at the Home Office see a chance to head up a multibillion pound department of 1,000s (if not 10,000s!) in a job that will make them for life - and probably come with a gong or two if they don't spectacularly screw the pooch in the meanwhile.

2) David Blunkett 'sees' an opportunity to be seen to be tackling a whole bunch of issues. His Christian Stalinist (paternalistic / authoritarian) principles mean that he's entirely comfortable with trampling over the rights of the (good) many in pursuit of the (bad) few. The problem is that he can't actually show how what he's doing is actually going to help, and can't make a strong and consistent case for ID cards without keeping secrets - the figleaf of 'commercial confidentiality' - or making wild assertions, retracting them, then alluding to them again - e.g. on terrorism. ID cards, then, as political panacea.

3) Who in government gets to control citizen IDs? Maybe the various schemes currently in development - the Children's Bill, ONS's Citizen Information Project, etc. - reveal some sort of intragovernmental struggle for supremacy. Whichever department ends up running the database will effectively 'own' the population: HO vs. IR/Customs vs. DH vs. ??? Even the new ~~e-Envoy~~ Chief Information Officer, Ian Watmore, is saying that the government's plans look nothing like 'joined-up thinking'!

4) New Labour are, by now, incapable of making an objective decision about any technology-based scheme - having been lobbied so hard by suppliers and the mega-consultancies, who stand to make enormous profits from any scheme that goes ahead. The tech companies are falling over themselves to land this one, which may explain why Mr Blunkett's costings are so commercially sensitive - they don't want anyone knowing how deeply discounted (and therefore unrealistic) some of the costs actually are. You would think that by now someone in government would be smelling a rat, with all the overruns and overspends on IT projects. Wake up! These companies may quote you a low price, but we all know it's going to cost several to many times more by the time the job's 'done'.

[This one's been sitting in Draft for too long, but it seemed worth publishing as is. Please add any other motives or agendas that you think may be involved...]

Posted by lankyphil at 05:28 PM | Comments (1) | TrackBack

September 20, 2004

We have lift-off!

Our friends at Spy Blog and White Rose both wrote up the NO2ID public launch on Saturday. WTWU's account, NO2ID campaign launched to the public even has pictures - well, one at least: here.

Philip Chaston's, It's the Database, Stupid! on both White Rose and Samizdata.net goes into more detail and raises some good points, which I shall address in another post...

Posted by lankyphil at 07:13 PM | Comments (0) | TrackBack

September 08, 2004

NO2ID launch

Come to NO2ID's launch event as advertised on Upcoming.org, Indymedia and the NO2ID site.

Kick-off is at 11:00am on Saturday 18th September at The Corner Store, 33 Wellington Street, Covent Garden, London WC2E 7BN (nearest tube, Covent Garden - although Embankment, Temple and Charing Cross are all only about 5 mins walk away). There'll be speakers, etc. in the a.m. followed by lunch, then folks will be heading off to various parts of central London to do campaign-y things...

T-shirts, badges & stickers will be available on the day - as will shed loads of our shiny new leaflets. Come along, show your support and hit the streets. Let's get things started!

Posted by lankyphil at 01:12 AM | Comments (0) | TrackBack

August 29, 2004

Fraud down, theft up

Just when the banks would have you think that Chip'n'PIN was going to save your bacon...

Market analyst Datamonitor warns "that as it became more difficult for fraudsters to commit card fraud, they [are] likely to turn their attention to identity theft."

BUT as card-not-present fraud is one of the most common forms of fraud in the UK, how do they expect new cards of any type to tackle this? Remember, Chip'n'PIN is not primarily about fraud at all - it's about liability shift: from the banks to the retailers, and thence to you...

The banks have done a lot of successful and quite sensible stuff to combat fraud, including the use of AI pattern-detection to identify unusual transactions. Following up on these automated alerts with a phonecall to the account holder (I've had a couple myself) makes for pretty good two-way 'authentication' of the transactions: "We think you've just bought something expensive in France", "I have, I'm on holiday there", "OK, have a good time" vs. "We see you've bought something expensive in Turkey", "Turkey?! I've never even been there", "Aha - we'll stop the transaction, then, and issue you a new card".

In many ways, the Home Office will actually be playing into the hands of the identity thieves by bringing in ID cards 'hot on the heels' of chip'n'PIN - providing the professional criminals with an ideal opportunity to accumulate multiple identities before their *real* owners even come to register!

Why is it that neither the banks NOR government in this country are looking seriously at Digital Certificate-based identity schemes? Is it because DCs don't pretend to be anything other than what they are - i.e. an identity token - and the powers that be are (a) too dumb to realise that this is all that any ID technology can *really* offer (i.e. a more or less secure/costly token), or (b) motivated by agendas other than those that they promote - e.g. reducing fraud liability to increase shareholder value rather than preventing fraud (and thereby saving us, the customer, money) for the banks, and being able to digitally surveil the entire population and being seen to be doing something about some intractable social problems rather than actually preventing anything for the government?

You decide.

Posted by lankyphil at 09:13 AM | Comments (0) | TrackBack

August 28, 2004

Bingo! Ever heard of Private Credentials?

Dave Birch gets it.

From Second sight in Thursday's Guardian:

The identities within these national ID computers [i.e. smartcards] used to transact business (in the general sense, such as voting, shopping, booking a squash court and every thing else) in terminals, over the internet and via the television set are therefore not "real" identities (whatever they may be) but virtual identities: a kind of identity that exists only inside computers. Identity management in the physical world using national ID computers will have to converge with identity management in the rest of the virtual world.
...

If this is to be the case, we need to enure that the way these virtual identities are created and used is what we, as a society, really want from the future. There is one particular thing I really do want from them: anonymity. Why should the virtual identity stored on my national ID card be limited to Dave Birch? Why can't I have a couple? Why can't my card tell the pub that I'm virtually King Arthur when I'm proving that I'm over 18? It's none of their business who I really am.

It seems to me that this could be one of the most interesting features of identity computers: their ability to reveal relevant facts about a person (this person is allowed to enter this leisure centre, for example) while simultaneously keeping the person's identity private.

This is a theme and principle that has underpinned the work I've been doing for years now in the voluntary & public sector. Why *should* people be expected to give over one bit more information than is necessary for the required transaction? It's hardly as if any agency or organisation from the banks to charities (or even the church), the government to multinational corporations have proven themselves to be utterly 'squeaky clean' when it comes to abuse or misuse of personal information. Individual ignorance, accident and oversight account for some of this - but the institutionalised trading of personal data without the knowledge of the persons being referred to is not only big business, for some firms/sectors it's a business model!

Just because we have to identify certain aspects of ourselves to certain individuals or authorities at certain times, does not mean we should have to provide them with loads of linked pieces of information about ourselves. With regard to CareZone, for example, we wanted kids on the system to be able to digitally establish that they were a looked-after child, and therefore entitled to access certain services, without exposing any unnecessarily-identifying personal information. To address this I designed a system of personae (virtual identities) that performed as more than just simple avatars within the online shared space: they also provided ways in which even very young children could safely understand, manage and use appropriate digital identities.

The approach I took at the time seemed related (at least in principle) to Stefan Brands' 'Private Credentials', published by Zero Knowledge Systems in late 2000 [456 KB PDF file], but there are a number of other credential-based schemes - e.g. the electronic cash system described by Chaum (whose excellent 1992 Scientific American article on blind signatures, Achieving Electronic Privacy, I highly recommend), Fiat and Naor at Crypto '88 - that might feasibly combine PKI & digital certificates to achieve the sort of anonymity (or just simple privacy!) that Dave Birch desires.

Posted by lankyphil at 10:14 PM | Comments (0) | TrackBack

August 06, 2004

David Blunkett is an Arse

No, really.

Thanks to Phil in Brazil* for pointing this [blog] out to me ;)

Charlie Williams' brief, but incisive dissection of Blunkett's Response to the Home Affairs Select Committee report seems particularly apt.

*I met and conversed with Phil briefly, but very enjoyably, a few years back when he was working with Runtime Collective. If you make it to his Wiki, ThoughtStorms, I strongly recommend (strong) coffee...

Posted by lankyphil at 11:47 PM | Comments (0) | TrackBack

August 02, 2004

Good ol' Grauniad

Now here's a thing.

Last Thursday I wrote a letter to the Guardian, hoping to refute Blunkett & the Home Office's continued assertion that 80% of us support their proposals. We don't, and they know it - either that, or they're too bloody lazy or deluded to read anything but their own polls...

Anyway, it didn't get published and - to be honest - I didn't think it would. I put in too many figures and started to lose it a little at the end. If you've read much of this blog, that may not be too unfamiliar ;)

I thought it might just be worth putting the text of my letter up here, so here it is [scroll down for the happy ending]:

"Sir / Madam,

Your article on the home affairs select committee's criticism of David Blunkett's plans to introduce ID cards reveals the deep scepticism felt towards the scheme by MPs of all parties. What I find particularly disgraceful, though, is the fact that Mr Blunkett continues to assert that "over 80% in all focus group and opinion polls" support his proposals - as if this provided adequate justification for passing legislation, in any case!

He must be ignoring the recent Privacy International (YouGov) and Joseph Rowntree Reform Trust 'State of the Nation' polls that indicate levels of support as low as 61% nationally and just 56% regionally, in Scotland. Even the Detica (MORI) poll, hyped by the Home Office in May - in which the 80% figure was headlined - revealed that almost half (48%) of people would not want to pay for an ID card, and that 60% "have little or no confidence in the Government's ability to introduce ID cards without hitches".

Opposition to the proposals is deep, entrenched and growing rapidly as details of the scheme emerge. The Home Office, meanwhile, refuse to engage in proper and open debate, and roll on regardless with their increasingly unbelievable plans. If Labour truly think that ID cards have the support of the nation, they should put them in their manifesto and let the country decide before taking a step further.

And if Mr Blunkett wants to play cards, he really shouldn't let himself be caught stacking the deck.

Yours faithfully, etc."

Imagine my surprise when I was texted this morning to go buy a Guardian and, lo and behold, in the Letters section under ID cards are no panacea... it got published!

Edited to fit (thank God) and sandwiched between David Winnick MP and Dr. John Welford. I'm under no illusions - it was the NO2ID role that swung it, but gratifying nonetheless.

Posted by lankyphil at 11:42 PM | Comments (0) | TrackBack

July 31, 2004

Hacks report the HAC Report

[Apologies to any journalists, but I couldn't resist the pun]

It's been an interesting few days, kicked off by a fine evening spent selling NO2ID T-shirts and signing up supporters at the Big Brother Awards. 'Hi' to everyone (new) I met & remembered to tell about this blog.

And then, at about 1am on the 29th, a text arrived to tell me that someone had leaked the Home Affairs Committee report on ID cards to the Guardian...

Patrick Wintour's front page article, MPs attack Blunkett ID card plan, later that morning revealed the news that:

David Blunkett's plan for compulsory identity cards [would] be condemned by MPs... as improperly costed, poorly thought out, secretive and "lacking in clarity both over the scheme's scope and practical operation".

Of course - after the report had been officially released on the 30th - their Special Report, MPs say the case is made, but call for proper scrutiny, highlighted "the secrecy surrounding the costs of the scheme - put at anywhere between £1.3bn and £3.7bn" and gave a comprehensive summary of the concerns expressed by the Committee.

Today's Leader, Big brother database reports "the ever vigilant information commissioner Richard Thomas gave the most apposite warning about the government's draft identification cards bill yesterday. Forget the cards and concentrate on the national database that lies behind them and the people who will have access to it."

Indeed!

Meanwhile back to Thursday, and an honourable mention for NO2ID on The Register's write-up of the Big Brother Awards 2004 - uncannily timed to coincide with the launch of online sales of our campaign T-shirt on Cash'n'Carrion ;)

You can now read the HAC report itself here, or download the BBC's (advance) copy.

Mark Simpkins at consultationprocess has MoveableTyped the Summary, with the Report itself in the pipeline. Blogalicious!

David Blunkett's response is one of the most nauseating pieces of turd polishing I've ever had the misfortune to read. It reveals the next bunch of partial truths and outright lies that he's hoping to foist on the nation, and clearly identifies what he thinks people's concerns are or will be. No sign of any real evidence to back up his condescending reassurances and outrageous assertions, of course!

David Davies, the Shadow Home Secretary, is reported by 4NI as saying, "There are a whole series of problems, loopholes and weaknesses and the committee is absolutely right to highlight them. And this proposal may well lead to a very large database containing all the data about all citizens in one place, and that has serious civil liberties considerations too."

But while the the Tories have described the government's approach as "incoherent" and weak on detail, they have yet to come out as firmly against them. Hardly surprising given the fact that Michael Howard himself tried to introduce ID cards in the mid 90s, when he was Home Secretary - only giving up when he found them impossible to justify.

July 26, 2004

Fer cryin' out loud!

The Times reported yesterday that All children [are] to go on [a] 'big brother' computer. One aspect of the Children's Bill that, e.g. Spy Blog has been tracking with increasing alarm since at least March of this year, cf. Big Nanny database?

It's nothing less than the National Identity Register by the back door - creating dossiers on each and every child in the UK and, by association, their parents and/or guardians! The worrying thing is how little publicity this all-pervasive scheme with huge long-term effects is getting, especially given its pertinence to one of the most obvious gaps in the proposed ID cards / NIR scheme.

Add into the mix The Office for National Statistics' Citizen Information Project which proclaims it is "not about creating a comprehensive, centrally stored database on citizens", despite the fact that they are quite up front in saying:

"The unique reference number is primarily needed for the efficient running of the register. However, it could have a wider use, for example as a 'personal public services number' used across different public services. The design of the population register could facilitate the matching of records held in different databases."

They go on to say that, of course, this would *only* be possible if legislation is passed to permit such matching - but who the hell do these people think they are kidding? The government show every sign of passing several pieces of legislation of this type, doing their best to hide the construction of their 'database state' by burying the necessary clauses in superficially unrelated Draft Bills and initiatives.

Either they are thinking in a 'joined up' way, and this is clear evidence of their surveillance agenda, or the left hand really doesn't know what the right hand is doing - in which case they should really look at why they are attempting to build (at least) three costly centralised databases of unprecedented size and fill them with our personal data, when they haven't even been able to manage any of the existing identity databases to their own satisfaction!

Posted by lankyphil at 01:40 AM | Comments (0) | TrackBack

July 24, 2004

Pizza surveillance

I'd browsed past this ACLU Pizza animation a couple of times before I actually took the time to watch it all the way through. Well worth a couple of minutes of your time...

Posted by lankyphil at 01:23 AM | Comments (0) | TrackBack

July 20, 2004

Submission to the Home Office

What follows is the full text of my e-mail submission to the Home Office consultation on ID cards. The deadline is today so, if you haven't done so already, please do send something (even if it's just a simple 'I am against the proposed scheme and legislation' type mail) to identitycards@homeoffice.gsi.gov.uk, making sure the words 'consultation response' appear in the Subject line.

UPDATE: if you want to gather some inspiration from others' thoughts and comments then visit Spy Blog's excellent annotated blog of the Draft Bill or Mark Simpkins' equally excellent blog of the entire consultation document. And if you have a little more time, I heartily recommend you download and read Stand.org.uk's submission [219KB MS Word document].

Here goes nothing:

"Sir/Madam,

I am writing in response to the Home Office's document 'Legislation on Identity Cards: a consultation', published on 26th April 2004, which includes the draft clauses of an Identity Cards Bill.

For the purposes of registering responses as being for or against the proposed legislation and scheme, I am AGAINST - for the reasons I outline below.

I hope that, this time, the Home Office will recognise and publically acknowledge ALL individual electronically-submitted responses, something it failed to do in the previous consultation. For your information, I have designed a large-scale smartcard-based system for children, which was subsequently part-funded by DH, DfES & the Treasury and currently operates across a number of UK Local Authorities.

My first objection is that the name of the Draft Bill itself is disingenuous - as evidenced by the number of clauses and references to the National Identity Register within it. By 'headlining' ID cards, and not the NIR that underlies the whole scheme, the Home Office and Home Secretary avoid publicising the very thing that I have personally found most people object to. I have had numerous conversations in past months with members of the public, friends, acquaintances and professionals and the vast majority of them (even those who are initially in favour of ID cards) express doubts or change their opinion when made aware of the large database of personal information, including their fingerprints and iris scan, that will be required to operate the proposed scheme.

My second objection is to the government's continued misleading assertions about public support for ID cards and, e.g. misuse of the term 'voluntary' with regard to the scheme. It is highly unlikely that 80% of the population will apply voluntarily for an ID card - the 'trigger level' proposed for making them compulsory - as even the Detica/MORI poll to which the Home Office so frequently refers revealed that 48% of the population do not want to pay for an ID card, even if they think it might be a good idea!

Linking the scheme to passport and driving license renewals and applications - as would seem to be the government's intention - will mean that entry onto the NIR would be INvoluntary, unless citizens can choose to have their driving license or passport WITHOUT getting an NIR entry or ID card. There does not appear to be any provision for this at present (in fact it seems that this option is specifically being avoided) but, were there to be such provision, entry onto the NIR should at the very least require informed consent - i.e. be on a strictly 'opt in' not an 'opt out' basis.

Des Browne has stated within the last week that ID cards will become compulsory in 2008, and the Home Office seems determined to follow a schedule that even major suppliers think is unrealistic - while ignoring the fact that public support for ID cards is not as high and unwavering as the government would have us believe.

A recent ICM poll (commissioned by the Joseph Rowntree Reform Trust for their annual 'State of the Nation' report) shows that some 24% of people across the UK oppose biometric ID cards, with only 71% agreeing that they would be a good idea - and support in Scotland seems to have fallen as low as 56%. An earlier YouGov survey put support across the UK as low as 61%! This significant fall-off may explain why, despite the 80% level of support still quoted by the Home Office, it appears that MORI are having difficulties in recruiting sufficient volunteers for the current UKPS biometric enrollment trials. These sorts of difficulties are only going to get worse as the scheme proceeds and public awareness of its impact and implications increases.

Most worrying are the Prime Minister's and others' continued assertions that there are no longer any "significant civil liberties objections" when, in point of fact, there are. Simply ignoring those who express them and, e.g. refusing to attend public meetings (such as 'Mistaken Identity' at the LSE in May) that might prove difficult to convince or win over, DOES NOT mean that people are willing to forgo their existing rights and freedoms, or those of their fellow - or future - citizens. If the Home Office wish to continue asserting this, they should list precisely which civil liberties objections they have addressed and 'overcome'.

As I understand it, the government has failed to explain how ID cards and the NIR will avoid or prevent the following:

1) Exclusion - ID cards will disadvantage the most marginal and powerless people in society, creating a form of 'statelessness'. This would especially be of concern regarding the homeless, the aged and infirm and the mentally ill or incompetent.

2) Discrimination - ID cards will be used as a tool for racial prejudice. Recently published police statistics show a disproportionate growth in the number of Asian people stopped on the street since 9/11, and this dynamic would only be reinforced if ID cards were to become compulsory.

3) Loss of Privacy - ID cards will facilitation more collection and processing of data, and will destroy personal privacy. The definitions of 'consent' in the Draft Bill are too loose to prevent the routine sharing of information between agencies that I am not happy have good reason to share my data, and data in the NIR would in any case be too vulnerable to abuse by staff in any number of agencies - let alone the secondary information that may be available from an 'audit trail' of my identity transactions.

4) Loss of Sovereignty - ID cards (and other identity initiatives) are being forced on the UK by overseas authorities, specifically the US and EU. We have a proud history of world leadership and independence and yet this government seems willing to surrender some of its citizens' basic rights and liberties on the say-so of foreign powers.

5) Internal Passport / End to Presumption of Innocence - the ID card will inevitably become an indispensable document, to be demanded indiscriminately by anyone holding any position of authority. I don't need to carry my passport to walk down the street at present, why should I need to in future? I am innocent until proven guilty, not the other way around!

6) Lifechanging Inconvenience - the loss, failure or theft of an ID card that is demanded for so many important functions of life would effectively suspend the rights and normal functioning of the individual. Government IT systems are notoriously prone to error and instability, but if it is my very identity that is in question then I cannot afford any downtime or system failures. Ever.

7) Future 'Big Brother' - while this government, I am sure, genuinely believes that it would never abuse an ID card / NIR system it cannot guarantee that such a system would or could never be put to unintended hostile uses by a future administration. Though extreme, comparisons to Article 48 of the Weimar Republic and Hitler's extermination of the Jews are pertinent and throw into sharp contrast the current government's (over)reaction to 'Islamic' terrorism. The 'war on terror' is NOT World War II, and there is no immediate and overwhelming moral or practical justification for ID cards - if there were, the government would (and should) have brought them in immediately.

Due to the fact that I am not a lawyer or legislator I do not propose to offer a clause by clause response to the Draft Bill, but offer my remaining objections which fall into the following categories:

1) Feature creep & abuse of personal data - since the earliest mention of 'entitlement cards' to the current 'ID cards' scheme, the Home Office have inconsistently given a number of reasons as to why we should have them. I address these individually below, but wish to make the point that if you cannot even give a clear definition of what ID cards and the NIR are for at the outset it is unlikely that you will be able to correctly specify the system (especially its 'business rules') and highly likely that any system that is built will be prone to feature creep.

The scheme has variously been sold on its 'convenience' and 'cost-saving' properties. Both of these imply broad usage of its data records across government and the public sector, which would means the cards / NIR being hooked into numerous systems - each of which would offer another route of attack or compromise. It appears that feature creep is, far from being avoided, actually being designed into the system.

While strict security measures and sanctions against misuse may be applied, the reality is that centralising such a large amount of data and introducing complex links with a variety of services that employ a large number of people will almost inevitably lead to abuse - not only by those administering the system, but by anyone with access to it.

In combination with the Regulation of Investigatory Powers Act, the NIR will also open up new possibilities for widespread surveillance, profiling and other invasions of privacy - albeit by a limited number of people. The technological pursuit of efficient delivery of services should not be used to undermine the quite necessary and proper safeguards afforded by our currently decentralised systems. Mere efficiency should be balanced against potential abuses of private information, the erosion of personal privacy and other risks to society.

2) 'Infallibility' & biometrics - the Home Secretary would have us believe that biometrics will make for infallible identification, and that ID cards themselves will be unforgeable. This is dangerous nonsense and if anyone at, or appointed by, the Home Office genuinely believes it then they should be dismissed immediately - because they are obviously incapable of commissioning, let alone designing or implementing, a secure system! If the government is serious about, e.g. reducing identity fraud than it needs to be a lot more accurate in ALL of its public statements on identification technologies!

Some of the more well-informed and technologically-savvy individuals in the country, as well as a number of internationally-renowned independent experts, have serious misgivings about the maturity and practicality of biometric systems. Of course representatives of those companies that stand to make a profit from a biometric-based scheme will be telling government that everything can be worked out. I only hope that the Home Office will pay close attention to the dismal performance of the technologies, e.g. in its current (UKPS) trials and realise how badly they are being deceived by the suppliers. That is, of course, assuming that they are not already deluding themselves...

N.B. this is an area in which I have specifically relevant expertise. Whilst the kids I was working with [see para 3 above] at first sight thought that fingerprint technologies were 'cool', they soon became adamantly opposed to them (or any biometric) when they realised that their fingerprint data would be stored permanently on a database somewhere. The same is likely to be true for many members of the general public, who associate fingerprinting with criminality.

3) Supposed benefits - a number of 'reasons' have been given for the introduction of ID cards and the NIR, but little or no evidence has been provided to support or justify these. In fact, when challenged, the Home Secretary has been forced to modify or correct his statements (including those made in Parliament) regarding the use and effectiveness of ID cards.

So many reasons have been given that ID cards have begun to look like this government's answer to a whole range of problems to which there seem to be no easy answers. Being seen to be doing something may be politically expedient, but will not solve:

a) Terrorism - fighting terrorism requires sound intelligence and competent policing and, even if the NIR is to be used for wholesale surveillance and profiling and indiscriminate data-sharing across international borders, ID cards themselves (as the Home Secretary himself admits!) do not offer a solution.

The suicide bombers who carried out the 9/11 atrocities all had perfectly valid identification papers or compelling forgeries. Spanish ID cards did nothing to prevent or deter the train bombings in Madrid. In fact, of the 25 countries worst affected by terrorism since 1986, 80% have national identity cards - one third of which incorporate biometrics. Detailed research by, e.g. Privacy International, was unable to uncover a single instance where the presence of an ID card system was seen as a significant deterrent to terrorist activity.

b) Illegal immigration & working - as people will still be able to enter the country on a 3 month tourist visa, and what is proposed is a scheme for UK residents, there is no way in which ID cards can tackle immigration issues 'at source'. There are in any case already systems in place to deal with illegal immigration and black market illegal labour, but the authorities have shown themselves incapable of administering them.

Employers of illegal immigrants are often fully aware that they are breaking the law - but they don't ask to see National Insurance cards at present, and they won't check people's ID cards in future. ID cards will mean even more red tape and expense for legitimate businesses, but will be completely ignored by those who are already willing to act outside the law.

c) Health Tourism and other benefit fraud - there are already a range of systems in place (NHS numbers, National Insurance cards, etc.) that attempt to combat fraud and ensure people only get the services that they are entitled to. Some of these systems may require reform or improvement, but that is no reason to spend billions on a national ID card scheme.

The vast majority of benefit fraud comes about through understatement of income, circumstances and/or capital, none of which have anything to do with identity. In fact, when Michael Howard suggested the introduction of an ID card scheme in 1995, the DSS argued against it precisely because it would not have a noticeable effect on benefit fraud in the UK. More recently in 2003, Richard Kitchen of DWP stated that only 15% of the roughly £2 billion lost annually to fraud includes an initial motive to defraud - and of this, only a small amount involves deception of identity.

There could conceivably be serious and potentially life-threatening administrative problems for those who lose their ID card or have it stolen. And, e.g. the BMA doesn't want our already overstretched GPs and NHS doctors to have to become 'unofficial immigration inspectors', or to be put in a position where they must decide who receives care and who doesn't.

d) Identity theft - the government has singularly failed to maintain the integrity of any large-scale (identity) database, cf. National Insurance numbers, Driving Licenses and Passports. The creation of a new identity document will provide a high value target for fraudsters and history shows that the higher the potential gains from forgeries, the more resources that potential fraudsters will invest in circumventing the security provided by a system.

Far from reducing identity theft, ID cards are therefore more likely to encourage it! The more information and services that the Home Office tie into the NIR and ID cards, the more attractive they become as a target.

A more appropriate approach to tackling this issue would be a campaign of public education and better tracking of known stolen documents and cases of identity fraud. Tightening controls on the banks and credit reference agencies would also be more likely to have a positive effect than the creation of yet another card for citizens to carry.

4) Cost and value for money - the Home Office has failed to publish even a rough outline of the workings by which it arrived at a figure of £3.1 billion for the cost of the scheme. These costs have already doubled from the last time a figure was quoted, and others have come up with plausible calculations that show the figure to be closer to £6 billion - and which also note significant additional costs to business and public sector agencies when they are required to use ID cards to verify people's 'entitlement' to services.

Government IT projects are notorious for both time and budget overruns, and according to the Detica/MORI survey around 60% of people don't trust them to implement a scheme properly in any case! Looking at the government's track record, and that of the suppliers that they appoint, it isn't hard to see why...

As a citizen, I stand to gain very little in return for my £35-70 ID card not to mention the £60-120 per person that seems likely to come from my taxes. What I will get is a lot of inconvenience when my family and I have to attend a registration centre to 'prove our existence', nagging doubts once my and my loved ones' biometrics and other details are on a system that I know cannot be perfect, and a lifetime in a society based increasingly on fear and mistrust.

Not a price that I and many others will be willing to pay for a bunch of spurious 'benefits'.

***

In summary then, I don't believe the government is engaging in proper and open debate on an issue that is fundamental to its citizens' rights and freedoms; I have no confidence that it - or any future government - will be able to implement a system that is not open to widespread abuse and (for some individuals) critical failure; I am certain that any system which the government tries to build will cost a great deal more than is currently being forecast, and that the money used would be much better spent tackling the stated problems in other ways.

The Home Office's 'softly, softly' approach to bringing ID cards into force and the National Identity Register 'by the back door' speaks volumes as to their true intentions - and to the perfectly accurate assessment that if they attempted to bring them in all at once, they would face massive resistance from a public that at present remains largely ignorant of the full implications of the scheme.

Hoping that someone does at least read down this far and that, despite my firm opposition to the scheme, my comments will be taken seriously.

Yours faithfully,

Phil Booth"

Posted by lankyphil at 05:36 AM | Comments (0) | TrackBack

July 14, 2004

IMIS tells it like it is

Computer Weekly reports the Institute for the Management of Information Systems' response to the Home Office ID cards consultation in an article entitled, Biometric ID cards do little to cut fraud.

As one of, if not the leading international professional association devoted to the management of information systems within the business environment (representing 14,000 IT professionals) you've got to hope that Blunkett, Browne, Harrison, et al. will listen to IMIS.

They certainly don't want to listen to members of the public!

Posted by lankyphil at 12:26 PM | Comments (0) | TrackBack

July 09, 2004

More T-shirts and declaring an interest

Just spent most of today picking up & delivering the new batch of NO2ID campaign T-shirts [order 'em here for now, online fulfillment imminent!] around London, one of a number of things I'm now doing as NO2ID's recently-appointed finance and fundraising team leader.

We're very busy organising and making people aware of the growing opposition to biometric ID cards and the National Identity Register, so apologies if I don't post stuff here quite as regularly as I have been doing.

If you want to find out more about the NO2ID campaign, click on either of the T-shirts above.

If you wish to join our supporters' mailing list (low traffic, but you get to hear about events and register your opposition) then click here to send an e-mail request or visit http://www.no2id.com/mailman/listinfo/no2id-supporters

If you actually feel motivated to do something (write letters, hold meetings, hand out leaflets, etc.) then click here to send an e-mail request or visit http://www.no2id.com/mailman/listinfo/no2id-activists to subscribe to the 'activists' list. Not as scary as it sounds... honest :)

Posted by lankyphil at 09:14 PM | Comments (0) | TrackBack

July 05, 2004

Blog the Bill, mail the H.O.

A belated reference to Mark Simpkins' excellent consultationprocess blog, which has taken the Home Office's consultation document [553 KB PDF file] on the proposed ID Card (and National Identity Register) legislation and MoveableTyped it.

Being able to comment on, link directly to paragraphs and use trackback introduces a whole new dimension to the document - and begs the question why the Government, if it is so interested in 'consultation' and enamoured of e-Everything, has not adopted this approach. It certainly can't be the cost, if a private individual (with some help from a few friends) has been able to do it!

The deadline for responses is 20th July, so check it out online then send your feedback and comments to identitycards@homeoffice.gsi.gov.uk, including the words ‘consultation response’ in the subject title. Or write to:

Robin Woodland
Legislation Consultation, Identity Cards Programme
Home Office
3rd Floor, Allington Towers
19 Allington Street
London SW1E 5EB

Posted by lankyphil at 11:16 PM | Comments (0) | TrackBack

June 29, 2004

All about Janet (all about YOU!)

The Guardian published this cool but disturbing little Flash gizmo a while back, that reveals which agencies hold what information on you - and who they share it with.

Clicking around reveals a few mildly interesting factoids: the Child Support Agency, for example, links to exactly as many other agencies (in the private, as well as the public sector) as the Police National computer - and both are linked to far more than the Passport office.

And who owns the most comprehensive name and address database in Europe?

Television Licensing Tracking! And they're not even public sector...

Posted by lankyphil at 01:18 AM | Comments (0) | TrackBack

June 28, 2004

M$ 'Get the Facts'... ri-i-i-ight

John Lettice in El Reg's, MS, open source, The Facts and the fit-ups, describes (or more accurately, rips apart) one of Microsoft's recent series of UK seminars intended "to help customers better understand the debate surrounding Microsoft and Open Source software".

The spirit of "openness and honesty" (not) demonstrated by Microsoft seems vaguely reminiscent of... current Home Office behaviour. Simplistic arguments, 'evidence' skewed in your own favour and spin up the wazoo!

Microsoft's re-telling of the Newham incident shows a degree of selectivity with the truth that must have even Blunkett reeling in admiration. Buy your way into a contract and then say that you 'won' it on the long term value (TCO) of your product? Pull the other one...

El Reg were able to infiltrate various people into the event(s), so they can at least report on precisely who said what. A boon completely denied to us, the citizens of the UK, despite Home Office protestations that they are 'engaging' with the public in an open consultation process - while, behind closed doors, the industry briefings carry on regardless.

Posted by lankyphil at 06:16 PM | Comments (0) | TrackBack

June 25, 2004

Knowing me, knowing you

Steven Mathieson's article in the Guardian, Knowing me, knowing you, is another of his well-informed pieces on government IT policy. He quotes David Cameron (Conservative MP) who refers to the Govenment's "excuse culture": they've got a whole bunch of problems - such as illegal immigration, serious crime, terrorism - but no real answers, so they offer a National Identity Register-backed ID card scheme as a "cure-all".

When a 'new' controversy arrives in the media (e.g. the Bichard report, regarding the intelligence failures that contributed to the Soham murders) you can bet your bottom dollar that the Home Secretary or Home Office will try to 'work in' a role for ID cards or the NIR - leading to massive 'feature creep' before the things are even implemented, and even more worrying erosions of personal privacy and the presumption of innocence. For example, it is now proposed that allegations be attached to people's records (i.e. stuff that may not even have taken place, let alone been committed by the individual) and that ID cards should in some way be linked to the Criminal Records Bureau.

Are we all, therefore, to be tarred with the same brush as the paedophiles and serious criminals? And do you *really* think that little plastic cards are going to prove a serious impediment to these people?

One of the more worrying aspects of all this is the sheer number of current and upcoming public (and private) sector initiatives designed to track us and our behaviour. Thanks to Steven for the following list:

Citizen Information Project: National Statistics plans a population register of everyone in the UK, providing one place to update details and improving government statistics.
National Identity Register: to be built from scratch for the ID card scheme. To include every UK adult, subject to parliamentary vote, it will include reference numbers for databases such as national insurance and NHS numbers, and biometric measurements.

NHS Care Records Service: the national project has started building a patient database to contain summary medical records for all in England.

Coordinated Online Register of Electors: plans are to merge or link the electoral rolls managed by all UK local authorities.

Local databases of all children in England are being trialled.

The Department for Transport will produce a feasibility study on installing tracking devices in all vehicles this summer, allowing road pricing.

Private sector databases include credit reference agencies, loyalty cards and bank databases of card data.

If they are so interested in knowing me and knowing you, why is it they are not so keen on us knowing what they are doing... and why?!

Posted by lankyphil at 05:57 PM | Comments (0) | TrackBack

June 23, 2004

Hmmm - who are these guys?

ID Data seem to think they are in with a chance of getting the contract for Blunkett's ID cards:

ID Data has made its first move to be seriously considered as a supplier of choice for the UK's National ID Card.
At Intellect's high profile conference* attended by leading Home Office personnel and industry leaders, ID Data presented a challenging solution to the Government's needs for a mass issue of ID cards.

Peter Cox, CEO of ID Data plc, presented the Company's views on how they could assist the Government's plans to implement ID Cards within the UK.

*That'll be the closed industry event that the Home Office attended, the Monday after the Thursday on which they decided not to attend or be represented at the public LSE meeting on ID cards...

I think Atos Origin might have a few things to say about this! After all, it must have cost them quite a pretty penny to take over Schlumberger Sema earlier this year (who themselves had been lobbying hard for the introduction of biometric ID cards, and had by that point been chosen by the Home Office to run the UKPS biometric enrollment trial) and they'll be looking for a return on their investment.

The pity is that this is one of those situations where you want neither David or Goliath to win. It would be a tragedy of the highest order for us to lose our right to privacy, the presumption of innocence and the ability to assert our own identities in the mere pursuit of shareholder value.

Posted by lankyphil at 01:04 PM | Comments (0) | TrackBack

June 19, 2004

The Home Affairs Committee on ID cards sits again

An updated list (in reverse order) of the uncorrected transcripts of oral evidence, i.e. neither witnesses nor Members have had the opportunity to correct the record. The most recent two hearings also have links to their Parliament Live webcasts, but these are only stored for 14 days from their original transmission so catch 'em while they're there:

15th June 2004 - Chris Pounder (Editor, 'Data Protection and Privacy Practice') and Claire McNab (Vice-President, Press for Change), Dr Vivienne Nathanson (Director of Professional Activities, British Medical Association), Dr John Chisholm CBE (Chairman, General Practitioners Committee, BMA) and Trevor Phillips OBE (Chair, Commission for Racial Equality).

Read Spy Blog's comments and/or watch the webcast recorded on 15/6/04.

8th June 2004 - Roger Smith (Director, JUSTICE), Shami Chakrabarti (Director, Liberty), Simon Davies (Director, Privacy International) and Vicki Chapman (Head of Law Reform, the Law Society), and Richard Thomas (Information Commissioner) and Jonathan Bamford (Assistant Commissioner, responsible for data protection).

Webcast recorded on 8/6/04.

4th May 2004 - David Blunkett (Home Secretary), Desmond Browne (Minister of State for Citizenship and Immigration), Katherine Courtney (Director, Identity Cards Programme) and Stephen Harrison (Head, Identity Card Policy Unit, Home Office).

27th April 2004 - Len Cook (Registrar General for England and Wales) and Denis Roberts (Director for Registration Services, General Register Office) then Charles Clarke (Secretary of State, Department for Education and Skills), John Hutton (Minister of State for Health) and Chris Pond (Parliamentary Under-Secretary of State, Department for Work and Pensions).

20th April 2004 - John Harrison (Edentity), Andy Jebson (Cubic Transportation Systems), Richard Haddock (LaserCard Systems Corporation) and Neil Fisher (QinetiQ).

24th February 2004 - Nick Kalisperas (Senior Programme Manager, ID Card Working Group, Intellect), Geoff Llewellyn (Member, ID Card Working Group, Intellect), Ross Anderson (Foundation for Information Policy Research) and Martyn Thomas (UK Computing Research Committee).

10th February 2004 - Martin Hall (Director-General, Finance and Leasing Association), Gerald Vernon-Jackson (Local Government Association) and Jan Berry (Chairman, Police Federation).

3rd February 2004 - Shami Chakrabarti (Director, Liberty), Simon Davies (Director, Privacy International) and Vicky Chapman (Head of Law Reform, the Law Society) then Richard Thomas (Information Commissioner) and Jonathan Bamford (Assistant Information Commissioner, Identity Cards).

11th December 2003 - Nicola Roche (Director, Identity Card Policy Unit), Katherine Courtney (Director, Identity Cards Programme), Stephen Harrison (Head, Identity Card Policy Unit, Home Office).

Posted by lankyphil at 01:38 PM | Comments (0) | TrackBack

June 18, 2004

Give him a sign, Lord

Left click on the pic to check out the No2ID campaign site,
right click to "Save Image..." and pass it on.

Posted by lankyphil at 10:46 PM | Comments (0) | TrackBack

June 14, 2004

1... 2... 3... testing

Duncan's story on out-law.com today, entitled 'A close encounter with biometrics' offers a glimpse of what biometric enrollment - for Passports, Drivers' Licenses and ID cards, to name but three - may involve for us all.

Potentially incorrect readings, an inability to verify or match records due to simple communications failures and technicians who would rather trust a machine than think for themselves - even to assist a willing volunteer!

It is hard to see how this trial (already delayed and shortened because of previous supplier errors) is going to 'prove' anything other than the fact that biometrics are highly inconvenient and time-consuming and that the capture and reading technologies are not even close to reliable enough to ensure the levels of 'infallibility' touted by Mr. Blunkett and his ID card department.

If you see any future Home Office Press Release hailing the 'oustanding success' of the UKPS trial, you'll know for sure that these people simply don't care about us citizens, or even the validity of the citizen-held 'identity tokens' (e.g. biometric passports, ID cards) which they intend to issue and charge us for - it's the database that they want.

(im)Pure and simple.

And if this hypothetical Press Release were to mention 'valuable lessons learned'? How about the fact that, despite the much-touted "80%" public support for ID cards the trial was unable to muster even 7,000 volunteers: the Home Office should learn to ignore polls from companies that have a vested interest in the outcome. [MORI ran both the Detica-commissioned poll and the recruitment process for the UKPS trial]

The only lesson to be learned here, by any truly open-minded individual, is that even state-of-the-art biometric technologies are not up to the job of mass identification. With the 7+% enrollment failure rate currently being experienced on some types of biometric, over 4 million of us would be left without identities through machine error alone. And almost 1 in 10 'verifications' would fail in the real world, with all the attendant consequences...

N.B. those incredibly high 'positive & negative match' figures that you may hear bandied about relate only to what goes on in the database - which should bloody well work 100% of the time, seeing as *all* they are doing is matching sets of bits! They have nothing to do with whether the bits that are being checked (against) are actually yours, or are in the right place under the right name, or are even currently available. And no matter how much the technology improves, this will always remain the case.

Get real - ID cards (the way the Home Office wants to do 'em) just won't work.

Posted by lankyphil at 04:16 PM | Comments (0) | TrackBack

June 10, 2004

Satire in good form(s)

Check out the UK Department of Social Scrutiny's National ID Application Form.
I particularly liked,

Do you have a partner?
YES: Please send us some of their skin
NO: Please tell us about your pathological
inability to trust others on a seperate sheet

Parts 2, 3 and 4 also available:

About your ethical standpoint.
Your biometric data.

About your Majesty, Ma'am - for the Royal family!

Thanks to Adam for the pointer ;)

Posted by lankyphil at 11:43 PM | Comments (0) | TrackBack

June 09, 2004

3 more eyecatchin' designs...

Guess who's joined the No2ID campaign?
Artwork available on request, as before - you'll need to provide a photo though...

Posted by lankyphil at 02:08 PM | Comments (0) | TrackBack

June 08, 2004

UK Info Watchdog - bark or bite?

The Home Affairs Select Committee on Identity Cards was hearing evidence again this afternoon - the second time around for witnesses previously called on 3rd February, i.e. JUSTICE & The Law Society, Liberty & Privacy International and Richard Thomas, the Information Commissioner, and his Assistant, Jonathan Bamford. All being well, the uncorrected transcript will be made available within a couple of days as before.

Meanwhile, however, BBC NEWS reports the Watchdog's 'alarm' over ID cards:

Richard Thomas said he had initially greeted the plans with "healthy scepticism" but the details had changed his view to "increasing alarm".

He described the proposed scheme as "unprecedented" in international terms, and "was worried the British plans were more comprehensive and ambitious than any other scheme in the world." Predictably, Blunkett's spokespeople accused Thomas of "grandstanding" - but it is encouraging to hear some sense being spoken (and reported) about the Home Office proposals.

Mr Thomas told the MPs: "This is beginning to represent a really significant sea change in the relationship between state and every individual in this country."
It was now clear the scheme was not just about identity cards but about a national identity register, he said.

"It is not just about citizens having a piece of plastic to identify themselves. It's about the amount, the nature of the information held about every citizen and how that's going to be used in a wide range of activities."

Of course, the Home Office insist they are going to press ahead - quoting their "much wider responsibility to balance civil liberties* with ensuring our security against terrorism, immigration fraud and organised crime."

But hang on - I thought that Blunkett had already acknowledged that ID cards can't prevent terrorism [TheyWorkForYou.com really works!] or illegal immigration & working? And is he now trying to substitute 'organised crime' for 'identity fraud' - given the obvious flakiness of the Home Office's quoted estimates?

"In 2002 the Cabinet Office produced an interesting document following from a study entitled 'Identity Fraud: A Study'. Roger Smith, JUSTICE, argues that this report is much more thoughtful and sceptical in relation to identity cards. It asserts that £1.3 billion is lost due to identity fraud. However, when you analyse the data closely, it dissolves. Customs is worth £250 million loss on the basis of total MTIC fraud between £1.7million - £2.6 billion with a midpoint of £2.15 billion, we can assume that identity fraud is 10% of this figure." - from The Law Society meeting on 22/3/04, 'Identity Cards: Benefit Or Burden?'

*I thought there weren't supposed to be any "civil liberties objection[s] to [ID cards] in the vast majority of quarters" - according to the Prime Minister anyway?

And if this wasn't enough bad news for the beleaguered scheme, in their recent representation to HASC the British Computer Society - as reported by Computer Weekly - warns of their concerns about national ID cards:

"The risk of failure is significantly increased because there does not seem to be any firm and fixed statement of what the system is meant to achieve, what success or failure criteria are imposed and what scope limitations have been imposed."

i.e. if the Government can't properly (or even consistently!) state the aims, intentions and limits of their ID card & NIR system, how the hell do they propose to deliver it? BCS also raise a number of practical flaws - e.g. gathering biometrics from the disabled, dangers of data inaccuracy - and logical vulnerabilities of the scheme, e.g. registering people's identities at 16, rather than at birth.

It certainly begins to look like some of these objections might have teeth!

UPDATED 11/6/04: You can watch a recorded webcast of this Tuesday's Home Affairs Committee meeting on Parliament Live. N.B. previous sessions are also archived.

Posted by lankyphil at 10:43 PM | Comments (0) | TrackBack

June 06, 2004

Not so voluntary after all!

There are a couple of 'classic' quotes in today's Scotsman's article, Identity crisis as ID trial gets brush off:

Professor Alan Marshall, a specialist in human rights based at the University of Strathclyde, claimed the pilot scheme was intended to "soften up" the public to the concept of ID cards.
He said: "What this shows, is there is no overwhelming public appetite for, or recognition of, ID cards as being high on the list of tools to beat terrorism."

"Rather than having a debate on ID cards the government have decided on having a voluntary scheme."

"It would have been helpful for them to have people who supported the scheme being involved in it."

This, on the discovery that less than half the number of people expected and/or required have signed up for the trial - even after all its recent publicity! Patrick Harvie seems to sum things up well:

Green MSP Patrick Harvie, who picketed Home Office minister Des Browne when he arrived in Glasgow to launch the trial, said: "The pilot scheme was set up to learn lessons about how the cards system will run, and they should clearly learn a lesson from the fact that nobody wants it."
"If there are less than 7,000 in the country who want this enough to spare half an hour of their time to find out about it, then how many people can be in favour of it?"

How many indeed?

Even if the general attitude remains 'If you've got nothing to hide, you've got nothing to fear' the Home Office is going to have an increasingly difficult time equating this with active support for ID cards. Face it folks, no-one really wants to pay for the things - and few who look into it believe that they'll actually do what the Gov't says they will.

Posted by lankyphil at 11:55 PM | Comments (0) | TrackBack

June 04, 2004

Putting 2 and 2 together

John Leyden's report Accenture wins $10bn Homeland Security gig ends with some interesting facts that may well start to hit home later this year:

Since January, visitors to the US from many countries have been fingerprinted or photographed. Under the US Enhanced Border Security and Visa Entry Reform Act of 2002, countries whose citizens enjoy visa-free travel to the United States must issue passports with biometric identifiers no later than 26 October 2004.

Hmm - might this explain the Home Office's sudden hurry to get biometrics 'working' on UK passports?

Its bad enough that the European Union Commission have (ignoring the votes of the European Parliament!) signed an agreement with the US about the transfer of airline Passenger Name Record data - see Spy Blog and The Practical Nomad for detailed commentary and analysis - but for the US to foist biometrics on us all (even us supposed allies!) as a consequence / requirement of its own shaky 'Homeland Security' agenda?

Seems like the global bully-boy is revealing its own deep-seated insecurities, making threats (we'll fingerprint your citizens) and demands (spend billions on biometric technology - which US firms can supply, of course!) of those it knows will fall into line - with little to no chance of getting the *really* bad boys to comply...

UPDATED 10/6/04: Oops! It looks like an important Congressional committee has voted to strip Accenture (plus Dell, AT&T, Sprint and Raytheon) of their lucrative contract, "because Accenture is a foreign company that uses Bermuda as a tax haven."

Posted by lankyphil at 01:40 AM | Comments (0) | TrackBack

June 01, 2004

Steal this image

Click on the pic to check out the No2ID campaign site.

Posted by lankyphil at 11:39 PM | Comments (0) | TrackBack

May 31, 2004

Trust, trade or anonymity?

[After a coupla days off - hooray for Bank Holidays!]

Someone who White Rose now tell me wishes to remain anonymous (!) proposes a UK anonymity card:

"A more palatable alternative might be the UK anonymity card. Perhaps we would be persuaded to submit to a one-off secure registration process if the result gave us a card which could read and confirm our thumb print, but held no other personal information. It would just need a royal crest and text to the effect that the bearer is entitled to the service in question. It would prove you are the necessary age, or that you have a clean driving licence, but no more. The authentication is local and off-line, so it does not tell a central database who and where you are, and what you are doing. If you try to use it fraudulently or beyond the authorised limits, you are still nicked."

Meanwhile, Sarah Arnott in Computing thinks that 'ID cards for the right reason' mean:

"In the real world people can 'see' who you are. The same needs to be true in cyberspace and an obvious role for the government is to create that guaranteed online identity.
No longer is it a question of government as 'Big Brother' invading our privacy, but of it making the most of its unique position at the centre of society to provide a much-needed service.

ID cards should not be about the negative 'freedom from', but the positive 'freedom to'.

With a government-issued biometric ID card, swiped through a reader as I open my browser, I am free to buy, sell, bank, chat, pay my council tax, apply for a job - whatever it is I want to do - without having to remember a hundred passwords or retype my address a hundred times."

And Steve Bowbrick's, 'Second sight', on Guardian Online proposes an altogether different approach:

"I'd like to see Britain invest all the planned ID card budget in simpler, cheaper and more effective measures to increase trust, interdependence and transparency within our communities and institutions. The end result, though doubtless small, will surely be more useful than devoting the next 20 years of our national life to getting flawed ID cards working and preventing the bad guys from stealing the keys."

Alternatives abound, based on the growing perception that the Government's proposed ID card / NIR scheme is: (a) likely to be very unpopular - public support for ID cards is falling rapidly, and resistance is growing (see Detica's MORI poll [188 KB PDF file] 80% pro on 22/4/04 vs. PI's YouGov poll [45 KB PDF file] 61% pro on 19/5/04); (b) almost bound to be impractical and expensive, if it even works at all (biometrics ain't all they're cracked up to be, as past and current problems with the UKPS trials are showing); and (c) misconceived, misdirected* and unlikely to deliver the 'benefits' proposed by the Home Office (i.e. countering terrorism, preventing illegal working and reducing identity fraud).

*In fact, the whole exercise increasingly looks like a classic piece of misdirection, e.g. why is the National Information Register not included in the title of the Draft Bill when, in fact, it underpins the entire scheme and is the thing that requires/underlies the majority of the proposed legislation?

There is a clear agenda on the part of the Home Office to create a new 'clean' database but is this meant to enable the sort of 'joined-up' eGovernment that New Labour have promised, but just can't seem to deliver? Or is it motivated by the desire to be seen as a technological 'world leader', while meekly complying with increasingly invasive EU and US data-sharing 'requirements'?

Either way - and I'm sure there are other reasons behind this - what we could be left with, if the current proposals become law and the scheme goes ahead, is a surveillance culture in which personal privacy will count for next-to-nothing, and a society in which trust is dictated by little chips in pieces of plastic and Government database records over which we, the people, will have little to no control.

Posted by lankyphil at 11:13 PM | Comments (0) | TrackBack

May 27, 2004

Oops! Another biometric cockup

John Leyden in The Register's, FBI apology for Madrid bomb fingerprint fiasco, points out the dangers of over reliance on supposedly 'infallible' biometric evidence. As it turns out, the FBI incorrectly matched a digital copy of a fingerprint found on a bag full of detonators to an Oregon lawyer - who also happened to be a Muslim convert.

This Salt Lake Tribune article reveals just how much faith the FBI had in their systems:

"Court records unsealed Tuesday showed that the Spanish authorities had raised questions about the FBI's fingerprint match to Brandon Mayfield, 37, a Portland-area lawyer. Yet FBI officials were so confident of a match they described as "100 percent", they never bothered to look at the original print while they were in Madrid on April 21 to meet with Spanish investigators."

Reading further down the article, you begin to get a sense of the sort of 'guilt by association' that might become increasingly prevalent when or if our identity records are held in a centralised database. If this sort of thing happens when the dots are being joined by 'intelligent' human agents, how many more errors will occur when it's a piece of software doing the detective work?

Posted by lankyphil at 11:45 PM | Comments (0) | TrackBack

May 25, 2004

But I'm not a terrorist!

"If you've nothing to hide, you've got nothing to fear" is still bugging me (I've been wearing that T-shirt again...) and this SecurityFocus article, Firm names 'statistically likely' terrorists, begins to articulate why. [The firm is called Seisint, and even a quick look at the services they offer - and how they achieve them - begins to make my blood run cold. Go ACLU!]

Given that ID cards / NIR are being proposed as a means to combat terrorism and serious crime - something Blunkett and others initially headlined, but have since been forced to downplay - and that so much (public) money is going to be spent on the project, it is inconceivable that UK Police and Intelligence services will not be allowed to use software such as that described in the article, i.e. profiling individuals based on their NIR records.

Which is where the whole "If you've nothing to hide, you've got nothing to fear" thing begins to break down:

You may have done nothing wrong... but you may well fit the profile of people who have - or who the authorities think might.

You may not knowingly mix with terrorists or criminals... but who has lived in your house before you? Or who are those mates your kid met at college? What does a terrorist look like, anyway - and do you really think they'll be carrying an ID card stamped 'Suicide Bomber'?

And if something goes wrong with the technology or database records - which, of course, it never does! - how are you going to prove that you aren't that conman / extremist / murderer?

Of course, if ID cards do come in and you're white and middle class - like me - then you probably won't ever be stopped on the street and asked for your ID. That will (has, and continues to) happen to those of us that have darker skin, or look Asian or who dress according to their faith. Just because the risk to you personally is low, do not assume that holds for everyone - just start by examining your own prejudices!

No, I'm afraid "If you've nothing to hide, you've got nothing to fear" sounds to me, at best, like the sound of people collectively burying their heads in the sand and, at worst, its nothing more than saying "I'm all right, Jack..."

...FOR NOW!

Posted by lankyphil at 03:04 PM | Comments (0) | TrackBack

Independent advice? Not from this bunch!

Thanks to SpyBlog for (my) first heads-up on yesterday's announcement of PA Consulting being awarded the ID Card scheme "Development Partner" contract by UK Home Office, also covered by The Register, BBC News, Silicon.com and others.

Any and all of the above are more informative the less-than-forthcoming Home Office Press Release, repeated on PA Consulting's site.

The runner up - Deloitte - must be upset, especially as they were still in the running last week when The Scotsman revealed in its article, Advice on ID cards came from firm 'set to make millions', that the company had seconded one of its staff to work at the Home Office advising on the planned ID card network from September until March...

But, as John Lettice kindly pointed out to me, this is not so much about Deloitte trying to pull a fast one as the fact that "uk.gov is so addicted to getting free help from the industry that there is no way it can make a measured purchase decision about anything". Secondments are apparently common practice in UK government IT, and PA Consulting themselves have in the past 'lent' members of staff to, e.g. the eEnvoy's department.

All the big players do it, so is there any wonder that the government often displays such wild enthusiasm for 'magic bullet' IT solutions? Or that the smartcard agenda is so deeply embedded in government thinking that, ID cards or not, we are ploughing ahead with a 'chipped' future with scant regard for the long term social or financial consequences?

I'll leave you with a quote from an article written back in 2000 by the Home Office's new 'Development Partner':

"Integrating customer access is a radical proposition, but as a focus for effort it offers the promise of being one of the single most visible and effective initiatives in improving public services yet undertaken by this Government, and possibly any other since the Second World War. And it could be rolled out in the lifetime of a single Parliament. All this, and it would actually save public money. If New Labour is serious about empowering the customer of public services and of adopting radical measures to get more from less, then focusing on customer access is one of the answers." - PA Consulting Group, 'E-nable the customer to join-up government'

No agendas there, then!

UPDATED 25/5/04: a timely reminder by Philip Johnston in the Telegraph of PA Consulting's shaky track record re. the 'shambolic' start of the Criminal Records Bureau in 2002. Remember when a whole pile of kids couldn't go back to school after the summer hols because their new teachers hadn't been police checked? Thank you, PA! And (for the record) Capita, too.

Posted by lankyphil at 12:25 AM | Comments (0) | TrackBack

May 24, 2004

Chest-sized billboard

Well, the last T-shirt seems to be working quite well - each time I have worn it out & about several people have asked me what NIR means. Interestingly, even the ones who started off pretty pro-ID cards were a lot less sure that they liked the idea, especially when they found out it would involve the Gov't keeping a big database full of their (and their loved ones') fingerprints, iris scans and photographs...

Anyhow, as it keeps on coming up, I thought that I'd have a go at countering the whole "If you've got nothing to hide, you've got nothing to fear" 'argument' with this:

(Artwork available on request)

Posted by lankyphil at 03:33 PM | Comments (1) | TrackBack

Behind closed doors...

...or at least very expensive* ones to get through!

So Mr. Blunkett wouldn't 'face the music' last week at the LSE [read Dr. Simon Moores' review in Computer Weekly, via White Rose & Trevor Mendham's UK ID Cards blog] but now expects his colleagues - and, by implication, us - to believe that he can overcome all the technical and financial objections to the ID cards / NIR scheme in a paid-entry briefing to the very people who stand to make the most money out of it:

Home Secretary David Blunkett, has told MPs his department has been working closely with the IT industry and is to offer a seminar quashing the technical and financial impact of the scheme "once and for all."
The Home Office seminar is to be held with IT supplier, Intellect, and will take place at the Grange City Hotel, London on 24 May 2004. - 'Coalition of the unwilling: ID cards branded a faulty idea' on Contractor UK

*Today's Intellect event 'ID Cards: Next Steps' is sponsored by BT Syntegra, Sun Microsystems, Siemens Business Services Ltd & EDS and a ticket for a non-Intellect member would have set you back £464.13 - assuming members of the public could even have got one.

If Blunkett had these 'conclusive' arguments last week, then why could / did he (or a Home Office representative) not provide them to a PUBLIC meeting on the issues? If he didn't have them, then where did he get them from over the past few days?

All we are getting from the Government at present are assertions, made-up (and increasingly shaky) statistics, laughable guesstimates and a demonstration of almost unprecedented arrogance in their unwillingness to even participate in an open debate with opponents of the scheme, or even members of the electorate who express genuine concerns.

ID cards almost brought down the Australian Government in 1987 - does New Labour want to follow Blunkett and Blair over the same cliff? We shall have to see...

N.B. there are some encouraging noises being made in certain quarters of the Conservative camp, but do not forget that in 1995 Michael Howard (then Home Secretary) announced Government plans to bring forward a Green Paper setting out the various options available for a national identity card scheme - despite the fact that as recently as 1990 the Tories had said: "the government is not persuaded that the case for a voluntary identity card scheme has been made out, in terms of benefits either to the individual or the state" (HC Deb vol 146 c1302). - Charter 88 ID cards archive.

Posted by lankyphil at 12:29 PM | Comments (0) | TrackBack

May 23, 2004

Dupe-checking and the mechanics of trust

Thanks to Irdial for clarifying the proposed use of a centralised database in his scheme, now christened ISLAND: "The centralized database of photographs held by the passport office is there only to do duplicate application checks."

Setting aside the (not irrelevant) fact that I am specifically trying to counter the Home Office's current ID card proposals - that they seem very reluctant to broadcast (e.g. correctly naming the Draft Bill!) would require the creation of a National Identity Register containing multiple biometric records for each of us - and ISLAND is tackling the UKPS biometric passport scheme, I agree that an/each issuing authority must have some way in which to check that multiple ID documents are not issued to the same person.

I further agree that such a database might be inoffensive, "...as long as no one other than the passport office has access to it and it is used for this single purpose of dupechecking." In the case of ID cards and even the UKPS database (as Irdial later points out, regarding access by the Intelligence Services) this is unlikely to remain the case.

The problem is that the (inevitable) cost and creation of just one such database and its associated checking software seems to have provided irresitible temptation for the Government to contemplate and even start to legislate for feature creep on an unprecedented scale - i.e. allowing multiple agencies access to one big database (at least partially because it will spread the cost - now there's Gov't 'efficiency savings' for you, and it *only* comes at the price of compromising every citizen's right to privacy!) and furthermore letting them do all sorts of different types of cross-checks - maybe even speculative trawls, in the case/cause of anti-terrorism, tackling serious (and not-so-serious?) crime and international intelligence - in an attempt to establish 'once and for all' a singular mechanism by which we can identify each other or, more precisely, by which 'we' can identify ourselves to 'them'.

I agree fundamentally and absolutely with what Irdial says towards the end of his posting:

"...Part of the reason it works well in the UK is that you have to have your application form and photographs signed by a current passport holder. This works very much like the PGP "web of trust" where you can sign the PGP key of someone you know so that you can vouch for the identity of someone when they present their public key to a third party.

In this way, if the initial seed population of passports are issued correctly, and the people are trustworthy, you can generate a large body of good passports because everyone swears that the persons that they are introducing to the British Passport are known to them. This sort of dis[tr]ibuted human trust is far better for people than centralized trust; it puts a high value on the British Passport, makes citizens take responsibility for the security of the system..."

If we are going to rely on technology to establish or confirm identity then we need to marry it to existing human / social methods - which have stood us in good stead for centuries, if not millennia! - in order to maintain and build real trust within our globalised Information Society. For all sorts of reasons, the spread of Information & Communication Technologies included, the link between rights and responsibilities has been eroded. We must, if we are to have massive ICT systems permeating our lives, ensure that they are designed so as to persist and promote the best values and aspirations of our culture(s) and not use them as an excuse to give in to our worst fears and paranoias.

Just because something is easy to do - as large-scale ICT increasingly is, despite past incompetence and failures - or even if it seems immediately obvious, does not make that the best way to do it! Biometric duplicate-checking (to the extent that the software is capable, i.e. NEVER infallibly) may be able to prevent multiple ID documents being issued to the same person but it cannot, even in principle, prevent the wrong person being issued with an ID document in the name of / with details taken from a person who is not already on the system.

Maybe what we need to do is redesign, strengthen and extend/propagate the mechanisms by which we can vouch for each other (a la 'PGP web of trust') in such a way that the authorities can focus their attention - both positive (i.e. support & services for the most vulnerable & isolated) and negative (e.g. surveillance and capture of criminals) - on those individuals who we, the people, EQUALLY AS INDIVIDUALS identify as being difficult to trust.

N.B. there are obvious problems with this if we (attitudinally) or the authorities (institutionally) differentiate between the 'trustability' - i.e. ability to both trust and be trusted - of different, e.g. ethnic groups or communities of interest & circumstance, but I hope and believe that there may be enough commonality and interchange between people in all walks of life - at least at the level of individuals, especially those who advocate the rights of others - to overcome the mob thinking, media-induced hysteria and Gov't / corporate FUD that currently seems to prevail.

Practically-speaking, therefore, it may be as important or effective (even necessary?) to come up with the design for an organisation that can provide and protect citizen identity as with a (demonstration of a) technological system for issuing ID documents. People form networks, too, and it is the rules that we agree in this (real) world that should determine / dictate the specification of technological rule-based systems not vice versa!

Posted by lankyphil at 12:25 PM | Comments (0) | TrackBack

May 21, 2004

Divergent thoughts

Great! Irdial Discs is all fired up and has now outlined a(nother) web-based ID card demo using PIC cards (nice and cheap here), GPG for encryption - BUT using some form of database with facial recognition matching.

You may note that my last link is to Identix's ABIS™ system, "the industry’s first enterprise level [emphasis added] facial recognition matching platform, designed to solve the problem of large-scale facial image database search". This is, quite evidently, a non-trivial issue...

For me, though, there's a more fundamental problem with this proposal.

The system - not just the cards, although cards will be involved - that I want to demonstrate needs to challenge the whole notion of a centralised database, especially one that holds biometric records. A demonstration of the type described above is pretty much what the Government seems to be proposing, and would therefore fail (for my purposes) at the first hurdle! It is precisely the NIR that I, and others, consider to be the real problem - and probably the Home Office's real agenda.

The devil is very much in the detail when you have to design and implement 'secure' technologies, but you have to get your principles & values sorted first - so I am going to stick closer to Irdial's original (no central database) proposal in my own investigations. I hope I have explained myself clearly without giving any offense.

I'm still working on a PDF417 posting but, if folks want to read ahead, here's a paper from 3M-AiT Ltd on Using 2D Barcodes to Enhance the Security of Machine-Readable Travel Documents [543 KB PDF file] that I shall be referring to.

I'm heading out now for beers, but will sign off with a passing thought:

Any society large enough to contain strangers has developed tokens (e.g. ID documents) that need to be authenticated, to stand in (i.e. substitute) for direct knowledge and trust - but it is still only people who are meaningfully being identified. So when, in law, the record replaces the individual as the foundation of identity we shall have enslaved ourselves to a system devoid of trust, in which assertions and appearances matter more than the reality of our relationships, our bodies and our freedom.

Posted by lankyphil at 07:12 PM | Comments (0) | TrackBack

May 20, 2004

Mistaken Identity, missing politicians

Well, that was interesting.

Yesterday's Mistaken Identity public meeting at the LSE was notable in many respects, but one of the most glaring was the complete absence of any representative from the Government - despite repeated invitations to the Home Office and requests for even 'just' a back-bencher to attend!

[N.B. David Winnick (Labour MP) was there, but in his capacity as a member of the Home Affairs Committee - he's an obvious ID cards sceptic but had to, not least because of his current role, demonstrate a degree of impartiality.]

The only inferences that can be made are that either the Government simply do not wish to engage in a full and proper debate - something they could possibly have spun later, if only they had sent someone to 'take the flak' yesterday - or that they know that they have "no singular, convincing argument" (David Cameron, Shadow Leader of the Commons) so cannot risk attending a public event where this is likely to be required by an informed audience.

Given the far-reaching implications of the proposed legislation, and to paraphrase Paul Whitehouse (former Chief Constable, Sussex Police) "the onus is on those who advocate it to prove - by evidence, not assertion - that it will be a good thing". One of the key impressions I got from the afternoon was people's frustration at how the Government keep shifting the goalposts and changing their arguments, something that makes challenging the proposals very difficult.

In security technologies and privacy legislation the devil is absolutely in the detail. Without a specific proposal, or even a clear functional specification, the Government should simply not be allowed to proceed.

Also, as Roger Smith (Director, JUSTICE) pointed out, many - if not most - of the MPs and Ministers who vote on this Bill will not be in power by the time it is fully implemented in 2012/13. This means that they cannot actually be held accountable for "changing the relation between citizen and state from servant to master" (David Cameron again, lightly paraphrased). In order to provide the appearance of being tough on crime, immigration and terrorism in time for the next General Election Blair, Blunkett et al. are willing to throw away rights that we have had for centuries and cost us (yes, us - its our money!) billions on measures that will (provably!) have little, if any, impact on the problems they are supposed to address.

There were many excellent speakers and other highlights of the afternoon, for me, included:

Simon Thomas, Plaid Cymru, pointing out the bleeding obvious (i.e. that tackling terrorism is not about identity, it's about intelligence) and how the Scottish Parliament & Welsh Assembly will not, in any case, comply with ID cards - which, along with Northern & Southern Irish constitutional issues, will make ID cards at best an English scheme. He ended on the telling point that successful Government IT implementations have doubled in the past two years... to 34%!

Interestingly, Simon also said that he had been approached by a number of technology companies when he registered an interest in the ID cards issue - despite his negative stance on it! This, and Mark Oaten's (Liberal Democrat Home Affairs spokesman) allusion to the fact that one of the Government's current technology suppliers has just seconded an employee to the Home Office, confirms my concern that at least some of the 'advice' that Blunkett and others are taking is tainted. And that 'corporate tech' is attempting to muscle the UK into a smartcard future that it simply doesn't need...

Lord (Andrew) Philips of Sudbury, Liberal Democrat peer, was particularly good - especially in his detailed grasp of the system, e.g. regarding the nonsensical restriction of the powers of the Interception of Communications Commissioner, and his realistic take on the task ahead in persuading the 80-ish% that ID cards backed by a National Identity Register are a BAD IDEA.

He referred specifically to tackling the all-too-common "If you've got nothing to hide, you've got nothing to fear" argument and, although he didn't explicitly say the phrase, his comment "We're on no-one's list now" led me to think that "If you're not on their list, you won't exist" might imply/initiate a relevant counter-argument. [Wait for the T-shirt - I'm all for slogans!]

Karen Chouhan (Director, The 1990 Trust), Shami Chakrabati (Director, Liberty) and Dr Iqbal Sacranie's representative from the Muslim Council of Britain (Khaled Anees? I'm afraid I didn't hear his introduction) made me consider how ID cards of any sort are likely to impact on black, Muslim and other ethnic communities. They, and other speakers, made the valid point that ID cards could, in fact, end up provoking terrorism. If I, a white middle-class male, am made angry by the proposals how much more so will be a person who has to endure ID card-related stop and search, or NIR-derived 'surveillance'? Even top Tories and the former Police Constable were talking in terms of ID cards creating civil disobedience...

Shami Charabarti's speech had the highest concentration of soundbites; "presumed guilty until proved innocent", "the Home Secretary is looking for a police state without the police", "license to live" and also made a number of telling points - e.g. that Home Affairs policy and agendas are dangerously populist and could leave us in constitutional 'poverty', with untold social costs - never mind the financial. She pointed out that no other Common Law country will even countenance ID cards, and that even George W. Bush has been heard to say since 9/11 that they are counter to American civil liberties. She ended with, "we are too casual with our rights to personal privacy" - a statement with which I wholeheartedly agree.

Tony Bunyan (Editor, Statewatch) spoke knowledgeably on the EU perspective and pointed out something that I think needs to be highlighted in the campaign against - that the impact of ID cards on the individual is most likely to be felt when they have to go to an enrollment centre. Not just for ID cards, of course, but for their Passport - now every 5 years, simply because the company supplying the smartcards will only guarantee the chips for 5 years' use! Hmmm, someone just doubled their profits - and Driving License - which was supposed to last you until you were 70.

If you are arguing against ID cards, I believe you have to make it personal - make people think how much this is actually going to cost them in money and time, and blow the notion that this is a voluntary scheme out of the water. Having to have an ID card in order to get a Passport or Driving License - there is no provision for otherwise in the Bill - is nothing more than backdoor compulsion. How else does Blunkett propose/expect to get his 80% uptake?

Paul Whitehouse (ex-Sussex Police, see above) made the excellent point that putting technology into the field can disable the police's ability to act in the moment - if the connection or device fails - and that it tends, over time, to erode the intelligence, observation skills and initiative of individual officers. Passing the ID card test will never - and shouldn't ever! - mean you are above suspicion, but some may treat it that way and therefore be able to commit atrocities like the Madrid bombing whilst waving their IDs gaily in the face of the authorities, AND BEING WAVED ON.

Peter Williamson (President, The Law Society) spoke eloquently on behalf of the 116,000 solicitors in England and Wales, many of whom oppose the Bill - despite the fact that some of them stand to make a significant amount of money out of litigation when people sue the Gov't for screwing up their identity. This will happen (it already has in the US with one of the UKPS trial's technology partners!) and will add massively to the true and ultimate cost of the scheme.

Most of the politicans, including David Davis (Shadow Home Secretary), asked if the £3+ billion could be spent better elsewhere - and were quick to point out that the Home Office figures are only what it will cost the Home Office, not the other authorities and organisations who will at least have to buy scanners & upgrade their infrastructure - or employers & employees who will lose (cumulative) millions of days of work to enrollment, representing £100s of millions+ off the GNP...

Ross Anderson (Cambridge University Computer Laboratory & FIPR) spoke briefly - time was running short - but very much to the point:

"ID cards will inflict great inconvenience on our citizens, without quite inconveniencing the criminals."

And I have to end with the comment of Jonathan Bamford (Assistant Information Commisioner) that the actual name of the Bill is incorrect: this is not a Draft Identity Cards Bill, it is a 'Draft ID Cards underpinned by a central register (National Identity Register) and central registry number Bill'. Bit of a mouthful, but more accurate - and less saleable to the British public.

Think, people, think...

Many thanks to Simon Davies (LSE & Privacy International) for assorted ringleading duties - and all the rest who hosted, supported and attended the event. Now, let's get down to business!

[N.B. I've added the no2id campaign site to my links on the left, go have a look.]

UPDATED 21/5/04: If you want some proper journalists' takes on the meeting, try the BBC or Silicon.com. Also, Peter Williamson's (President of The Law Society) address [29 KB PDF file] is now available on the Privacy International site, and is well worth a read.

UPDATED 24/5/04: For those who couldn't make the event, Stand's page on the Mistaken Identity meeting now contains audio files of all the speakers in MP3 and Ogg Vorbis formats.

Posted by lankyphil at 07:03 PM | Comments (0) | TrackBack

May 19, 2004

Shift in public opinion

Privacy International have published 'A Nation Divided' [45 KB PDF file] - a poll of UK electors to determine views and opinion trends relating to the proposed National Identity Card. The poll was conducted by YouGov, who questioned a representative sample of 2,003 electors across the UK between May 11 & May 13.

It makes for interesting reading:

KEY FINDINGS
The majority say they support ID cards, but not to the extent that the
government claims.

61% of the population support compulsory identity cards. This
contrasts markedly with repeated claims by government that 80% are
in favour of its proposal.

However, the majority of respondents oppose key elements of the Draft
Identity Cards Bill.

Many people object to the legal requirement to notify government of
change of address (47% against; 41% in favour)

Most people object to the legal requirement to inform government
whenever a card is lost, stolen or damaged (45% against; 44% in
favour)

Opponents may be in the minority, but they are signalling a new Poll
Tax revolt.

28% of those opposing compulsory cards said they would take to the
streets to participate in demonstrations. This represents approximately
4.9 million people.

16% of those opposing compulsory cards said they would participate
in a "campaign of civil disobedience". This represents 2.8 million
people.

6% of those opposing compulsory cards said they would prefer to go
to prison rather than register for a card. This represents over a million
people.

Tory voters are much more likely to oppose the ID card proposals.

Nearly a quarter (24%) of Tory voters who object to compulsory ID
cards said they are prepared to take part in a “campaign of civil
disobedience”

Anyway, I'm off up to Mistaken Identity where it seems a certain Mr Blunkett will be notable by his absence! More later...

Posted by lankyphil at 10:41 AM | Comments (0) | TrackBack

Biometrics in Human Services User Group Newsletters

No longer published, Connecticut Department of Social Services' Biometrics in Human Services User Group Newsletter [final issue] offers "a fascinating 7 year up close and personal look at biometric technology through the eyes of government users."

Written by Dave Mintie - who now writes and edits Biometric Watch - its user focus and plain language approach means that quite a number of the articles are still relevant and the complete series provides a useful source of reference on applied biometrics. The BHSUG Newsletter Index allows you to search for articles by Issue Date, Author, Title, Technology, Industry & Location.

Posted by lankyphil at 12:09 AM | Comments (0) | TrackBack

May 18, 2004

Practical alternatives

This entry has been sitting in Draft for a while now, but - especially given this week's upcoming Missing Identity meeting - I'm becoming more and more convinced that it must be worth trying.

Back at the end of March, Irdial Discs published his No Central Biometric Database idea in reference to biometric passports, picked up in John Lettice's article on 19th April, 'Fingerprints as ID - good, bad, ugly?'. I have seen a number of subsequent references to it, but no evidence that the approach - or principle! - has been given any serious consideration by the 'powers that be'.

Simply stated, and in his own words:

"This is how you do it.
Each passport or ID document contains a cryptographically signed digital portrait of the holder, signed by the passport issuing authority.

When your passport is swiped, your picture comes up on the screen, loaded from the passport, and NOT a central database.

The digital signature of the passport photo is also downloaded.

A PGP-like signature check is done against the public key of the national passport issuing authority, which is stored on the keyring of the swiping device.

If the signature is good, the document is genuine.
If the signature is bad, the document is a forgery."

It is an elegant and potentially far cheaper solution than Blunkett's proposed scheme that solves the specific problem of forged identity documents in a way that addresses most, if not all, of the publically-expressed goals of ID cards and a National Identity Register - without requiring a central database.

The Home Office has requested feedback on the Draft Bill, and would - I believe - have to respond to a practical demonstration of such an approach. At the very least it may smoke out some of the ulterior motives / thinking behind the NIR, and at best it may raise / provoke a (techno)logical debate that currently doesn't seem to be happening.

This sort of fits with some of the things I have been doing professionally over the past few years (e.g. CareZone, where we had to grapple with lots of the issues around smartcards and security) and is very much in line with the philosophy of virtualised (a current joint venture - site in development), so I intend to dedicate a proportion of my time in the coming weeks to trying to build, document and - hopefully! - demonstrate a working version of a biometric (i.e. facial photo) 'ID document' that uses no central database.

I should say at the outset that I am NOT a 'hands-on' programmer, but I do have a fair amount of IT skills and experience - especially in the area of conceiving and getting prototypes built. Much of what seems to be required is in the public domain and if all that comes of this is a thorough written response to the Home Office then, in my opinion, it won't have been a complete waste of time.

Any help offered would, of course, be gratefully received!

N.B. I am aware that I may well be biting off more than I can chew, but I would at this point rather fail trying than not try at all!

Posted by lankyphil at 06:55 PM | Comments (4) | TrackBack

May 17, 2004

Fundamental principles

Thanks to White Rose for linking to Darren Andrews' cogent and elegantly-argued, 'The Case Against ID Cards: A Principled Approach'. It's so good, I just had to add it (as Freedom-Central.net) to the side bar...

Posted by lankyphil at 10:53 PM | Comments (0) | TrackBack

May 15, 2004

Is this how it goes?

Simon Davies' paper about Campaigns of Opposition to ID Card Schemes on the Privacy International site offers several insights and a superb in-depth analysis of the Australian anti-ID card campaign in the mid-80s:

"This movement, the largest in recent Australian history, forced a dissolution of the parliament, a general election, and unprecedented divisions within the Labour government."

Sounds like a good idea! Unfortunately, I somehow can't see that happening over here in the near future. One phrase in the closing paragraphs stands out for me, and cuts right to the heart of the matter:

"Trust within society would be replaced by the demand for formal identification."

In the current climate notions of trusting the government (and elements of the media) seem almost ridiculous. The arrogance and lack of principles demonstrated before, during and after the invasion of Iraq show a level of contempt for the citizenry - 1,000,000+ of whom marched to oppose the war - from a government that, despite holding a large majority in Parliament, fails to realise / acknowledge its crumbling mandate.

Tony Blair reckons he will be judged by history - I can tell him now that it'll happen a lot quicker than that!

[For crying out loud, the government are so desperate to get kids 'interested in politics' - i.e. actually voting - that they've even resorted to teaching 'citizenship' in schools. Fine, even admirable, in a healthy democracy - but a bit pathetic as a response when (young) people are turning off party politics in droves...]

But back to trust. Not only have a significant number of our leaders shown themselves to be untrustworthy (WMD anyone?), with ID cards / NIR they are demonstrating that they simply don't trust US (not the U.S. - if only!). It is terrifying that they seem to trust (a) the technology companies that stand to make untold millions out of an ID card scheme, and (b) technology itself more than the citizens that they are supposed to be serving.

In moving towards universal formal identification, the government will be further dismantling the 'human infrastructure' of society. ID cards won't ever help you get to know someone and yet, if implemented, will almost inevitably end up being used as some sort of transactional stand-in for trust - the irony being that, because they are based on technology (and therefore fallible), they are probably less trustworthy in the long run than actually getting to know a person. You know, build a relationship... have a conversation...

Posted by lankyphil at 11:38 PM | Comments (0) | TrackBack

May 14, 2004

Tying themselves in knots

Mr Lettice's delicious 'How to fool ID card system - give a false ID, say UK gov' article in El Reg points out just how useless / ineffective / unadministrable(? you know what I mean...) ID cards will be, unless it is made compulsory to carry them or, e.g. the police get to carry portable (NIR-connected) biometric scanners.

If David Blunkett thinks that the police are going to be happy to take the flak that this fundamental change in their relationship to the general public would cause, then he is sadly mistaken. In fact, it was precisely the routine stopping of law-abiding citizens and requiring that they show their ID papers that brought the wartime scheme to an end in 1953!

As the Lord Chief Justice of the time said, "such action tends to make the public resentful of the acts of the police and inclines them to obstruct them rather than to assist them". And that was back in the far-more-respectful-of-authority 'good old days'...

Posted by lankyphil at 10:46 PM | Comments (0) | TrackBack

May 13, 2004

Biometric fallacies

It's a few months old now, but the salient points of 'The emerging use of biometrics' in The Economist still have a bearing:

"Biometrics still do not work well enough for many applications in which they are being deployed."

UKPS biometrics trial, anyone?

"Biometrics have not yet spread beyond such niche markets, for two main reasons. The first is the unease they can inspire among users. Many people would prefer not to have to submit their eyes for scanning in order to withdraw money from a cash dispenser. The second reason is cost."

I wonder if MORI had asked 'Do you want to be fingerprinted and have your iris scanned and have both kept in a Government database?' instead of 'Would you have an ID card?' whether 80% of people would have said 'yes'?

And as for cost - £3.1 billion? And the rest...

"Governments either do not believe that the costs of biometrics still outweigh any potential benefits or, more likely, fearing more terrorism they simply do not care."

A classic knee-jerk reaction, but one that even Blunkett is having to play down these days. As the author says later in the article, "[it] is difficult to avoid the conclusion that the chief motivation for deploying biometrics is not so much to provide security, but to provide the appearance of security." N.B. for 'terrorism' read also 'illegal immigration', 'illegal working', etc.

"The oldest biometric is the one we use most frequently—a person's face. But while recognising faces is something that people can do easily, computers find it very difficult."

Recognising faces is something we are built to do (from the neurones up) but what we do is much, much more than simply recognise someone's face - we connect memories, have feelings and opinions about people and can build relationships with them over time. Computers compare pixels, measurements and database records according to fixed rules - nothing more. And only one of these provides a real basis for trust.

"It is only logical to expect biometric passports and visas to take a multibiometric approach."

Precisely because of the limits of each individual method! And they make the highly significant point also that, "...[the] other critical choice, driven by the limitations of biometric technology, is that these biometrics will be used for verification, not identification. That is because identification is simply not feasible with databases containing millions of users." [emphasis added]

There's lots more good stuff here, including a digestible run-down of the most common biometric methods - well worth a read.

Posted by lankyphil at 05:17 PM | Comments (0) | TrackBack

May 12, 2004

What's the hurry?

Trevor Mendham at The Chestnut Tree points out today's Independent article 'Blair to push Europe Bill before election', in which it is reported that Tony Blair "...has asked ministers to give top priority to two Bills in the Queen's Speech in November for a parliamentary session that would be cut short by the election. The Bills cover the new EU treaty and David Blunkett's controversial plans for identity cards."

David Blunkett is quoted as saying - shortly after the Madrid bombing - that the cards would probably be introduced "more quickly even than we anticipated, and that is because we are living in a new world and with a new threat that we have to take account of."

Yet since the introduction of the Draft Bill, in his evidence to the Home Affairs Committee, and twice (that I have heard myself) in radio interviews Blunkett has been forced to downplay ID cards' role in combating terrorism, and illegal immigration and working - the supposed primary purposes of the scheme! There may have been a subtle shift towards identity fraud as a justification - but this is only AFTER the mainstream media seems to have swallowed at least some of Blair and Blunkett's 'no significant civil liberties objections' assertions of last month.

It is quite clear that not only do the Government not acknowledge the serious concerns of a wide range of people - including those within their own party, CESG (the Government's own Information Assurance Technical Authority, part of GCHQ), the Law Society, the British Computer Society and many others, expressed during and since their so-called 'consultation' period - but that they want to railroad the legislation through without engaging in either proper debate or a realistic assessment of the scheme - e.g. its security model (and alternatives!), the capabilities of the various technologies proposed, etc.

Surely even those in the 'if you haven't done anything wrong, you haven't got anything to fear' camp (which I refuse to believe is actually 80% of us, when asked the right question) would agree that there needs to be transparent and rigorous examination of any proposed scheme's practicalities, and free and informed debate on all of the legal and civil liberty issues.

This legislation is so flawed in principle, the scheme so misconceived in practice and both have such far-reaching implications (it'll be your kids & grandkids that feel the weight of this, folks!) that only something as momentous and controversial as the Europe Bill could possibly mask the rotten stink of its passing.

It's an Information Society, people, but that doesn't mean that the Government has a monopoly on - or even grasp of - truth and common sense. It certainly doesn't mean that they have the right to issue me with my 'one, true' identity, based on something of mine that they have (forcibly) taken from me. The choice is pretty stark - resist now, or run the risk of finding it increasingly difficult to resist this and any future Government (of ANY party or persuasion) legislation or measures with which you and your descendents might disgree.

Posted by lankyphil at 01:45 PM | Comments (0) | TrackBack

May 11, 2004

I don't know whether to laugh or cry

Last Thursday's article in the Times, 'Long eyelashes and watery eyes thwart ID card technology' and Lucy Sheriff's take on it in El Reg report a (predicted) 7% failure rate in the iris recogniton part of the current UKPS biometric trials.

Hardly reassuring, even at this early stage of testing - but clear indication of why the Government wants multiple biometrics to be stored in the National Identity Register and on ID cards. This sort of failure rate scaled up across the population and number of identifications / authentications would seem to make for a system that was actually worse than useless!

You begin to see where the Government, like many others before them, (including myself, the first time I encountered biometrics / smartcards in systems design) may have got their security model wrong.

To get around these ridiculous failure rates, they think (or are told), why don't we put a copy of a good biometric reading on a smartcard? Its digital, therefore a perfect reproduction, and can then easily be compared with a record in the NIR - where we get impressively low failure rates - even if we can't get a good reading from the person who has presented the card to us on that particular occasion.

Wake up! You've just created a system vulnerable to (even inviting) precisely the sort of fraud you are attempting to eliminate - but just because you're using these fancy new biometrics, you think you've created a more secure system. So you promote it in ignorance - believing in the 'magic' of technology, while flying in the face of logic.

Here's how it really goes:

The minute you capture a biometric - e.g. fingerprint, iris scan, facial photograph - and make a copy of it, you are turning a 'something you are' into a 'something you (or I) have'. If, and only if, the sole copy of that record is kept safely locked up, and is accessed just to do direct comparisons with freshly-captured biometrics from people asserting to have that identity can you - WITHIN THE LIMITS OF THE TECHNOLOGY - authenticate a particular person at a particular time in a particular place.

Giving an individual a copy of his/her biometric records on a smartcard defeats the entire object of biometrics by turning something that ONLY one person can provide ('something you are') to authenticate him/herself into something that potentially anyone can provide ('something you have'). Its like handing out 'fraud tokens'... literally!

Stick with me.

So in introducing different 'modes' or 'levels' of authentication - e.g. locally to the card (no reference to NIR), card to NIR (even if local authentication fails) - you have utterly broken the reliability of your system. Someone can present a valid ID card and subvert the local biometric reader, or present a fake card at a session that they know will not reference the NIR with impunity.

Thus your system, which people have to use in their daily lives and in which they must trust completely - because it holds the key to their identity - is, in fact, creating a false sense of security.

The ultimate irony is that Blunkett and Blair seem to be driven by a need to be seen to be doing something about certain problems - terrorism, illegal immigration, etc. - but their solution is actually going to make things a whole lot worse, and not just in those areas!

And we - the citizens of the UK - are, of course, going to end up worse off than when we started with billions of pounds down the drain, stuck with a database and card system that permits criminals and terrorists to actually 'prove' they are us (while everyone has been told that this is now impossible) and allows certain authorities with sweeping remits, e.g. SOCA?, to surveil our movements and activities (even if we have done nothing wrong ourselves) to an unprecedented degree.

I'm not even getting into the fact that NIR records themselves could quite possibly get screwed up - as reported in today's piece in The Register, 'DHS and UK ID card biometric vendor in false ID lawsuit'.

So, finally, and just to explain the meaning / message of my t-shirt design [below]: I object to and oppose the creation of a National Identity Register and to the principle of putting digital biometric records into ID (smart)cards.

Posted by lankyphil at 07:29 PM | Comments (0) | TrackBack

May 10, 2004

T-shirt anyone?

(Artwork available on request)

Posted by lankyphil at 01:53 AM | Comments (1) | TrackBack

May 08, 2004

Spanner in the works?

Acording to evidence given by the Director of the Identity Cards Programme, Katherine Courtney, to the HAC on 4th May, the UKPS biometrics pilot has suffered from a few gremlins!

Old news if you read Spy Blog, I know - but I was a little surprised to hear that the much-vaunted trial is, in fact, "not about testing the robustness of biometric technology, it is instead about the customer experience, customer acceptance and the time it will take to enrol".

Huh?

Not only can't they get the capture process to work properly, but they're not even trying to find out if the underlying technology itself is up to the task! David Blunkett expects people will be "queuing up" for ID cards, and he could be right - but not for quite the reason he thinks...

Posted by lankyphil at 09:20 PM | Comments (0) | TrackBack

May 07, 2004

Biting the bullet

After a couple of well-informed comments from wtwu at Spy Blog, I've been trying to plough further through the Home Office Publications and Consultations Archive, Hansard and HAC transcripts [see below] in an attempt to bring myself fully up to speed (going back through the whole sorry history) in time for the 19th May. I think I need more hours in the day, and a new printer cartridge...

Posted by lankyphil at 03:15 PM | Comments (0) | TrackBack

Who are 'they' listening to?

'They' in this instance refers to the Home Affairs Committee on Identity Cards, who have published the uncorrected transcripts (i.e. neither witnesses nor Members have had the opportunity to correct the record) of oral evidence presented to them on the following dates:

11th December 2003 - Nicola Roche (Director, Identity Card Policy Unit), Katherine Courtney (Director, Identity Cards Programme), Stephen Harrison (Head, Identity Card Policy Unit, Home Office).

10th February 2004 - Martin Hall (Director-General, Finance and Leasing Association), Gerald Vernon-Jackson (Local Government Association) and Jan Berry (Chairman, Police Federation).

20th April 2004 - John Harrison (Edentity), Andy Jebson (Cubic Transportation Systems), Richard Haddock (LaserCard Systems Corporation) and Neil Fisher (QinetiQ).

There's a lot to read here, but bits of it are really significant - e.g. its, hopefully, the primary source material for some of the articles you may have read in the Press - and reassuring(?) evidence of Parliamentary process in action. I'll leave out any comments about horses' body parts (front or rear) and let you decide...

Posted by lankyphil at 01:02 AM | Comments (1) | TrackBack

May 06, 2004

Principles and reasoning

OK, before I get stuck in today I *highly* recommend you read John Lettice's excellent articles in The Register, Everything you never wanted to know about the UK ID card and Glitches in ID card kit frustrate Blunkett's pod people. The latter makes particular reference to Mr. Blunkett's recent 'jelly nailing' performance in front of the Home Affairs Committee:

"Blunkett's evidence does not seem to have been particularly enlightening. It was, he said, largely the media's fault that the counter-terrorism aspects of the ID scheme had been given so much attention, and he cited a Today programme interview of 14.9.2003 where he claims he said that although the ID card and the Register [the National Identity Register - let's be specific, please!] would help, they would not resolve the terrorist threat.
This latest Blunkett stance is however somewhat undermined by the alacrity with which both he and the Prime Minister have used the terror threat as a wedge to win approval for the scheme and to accelerate its introduction. Blunkett's position on the card vis a vis terrorism therefore seems to be that it is a useful weapon against terror, but when asked to explain how it will be useful against terror, he retorts that he never said it was a complete fix, and that the terror aspect had been greatly over-emphasised by the media.

As the Committee chairman testily remarked, this is a little like nailing jelly. But the serious point underlying this is that the Home Office's complete failure to nail down the specifics of what it wants, why and how it will work is vastly increasing the probability that the project will be a total catastrophe."

Following on from yesterday, when I was wondering about the figures and calculations behind the Government's £3.1bn estimate, I begin to think I would far rather hear a clear explanation of precisely what systems and approaches to digital identity the Home Office et al. have considered - and their reasons for pursuing or rejecting (aspects of) each.

[N.B. I would be very surprised to hear that any solution not involving a centralised database was up for serious consideration at any point. A NIR is about surveillance, whichever way you want to play/spin/use it - and if its not going to be used, what's the point in spending the money?]

Of course, we have the Draft Bill and Consultation Document - but these only outline what Mr Blunkett would like ID cards and a NIR to be able to do, not how they propose to achieve these goals in practice - nor, more worryingly, whether these goals are even reasonable in theory (based on past & current evidence). Before deciding policy, implementing legislation and imposing a phenomenally expensive scheme on the British public the Home Secretary should at least have to make a proper case for what he is doing.

What we have at present is mere assertion - par for the course, unfortunately, and in the context of Iraq, the 'War on Terror', etc. depressingly familiar.

Taking us into a war that many (1,000,000 marched!) did not want was bad enough. Using the same, or related, fears and excuses in an attempt to fundamentally change the relationship between citizen and State demonstrates a level of arrogance and disconnect that supercedes even Margaret Thatcher's worst efforts - e.g. "there's no such thing as society", the Poll Tax (and look where that got her). Misjudgements of this kind have the potential to twist society for generations to come and I, for one, would not like to live in a UK that treated me and my family as mindless sheep at best, and potential criminals at worst.

Mr. Blunkett, either give us a proper explanation of what EXACTLY it is you are going to do and how - or stop wasting your time and our money on pipedreams!

Posted by lankyphil at 06:03 PM | Comments (0) | TrackBack

May 05, 2004

Where will all our money go?

So, if each ID card costs £35 (barring replacements) while we 'officially' DON'T all have to have one - unless, e.g. we want to drive a car or go on holiday - how much money will the Government raise before making it compulsory? According to Mr. Blunkett's current 'vision' it will be of the order of 80% x 60,000,000 x £35 = over £1.5 billion, crudely speaking.

Making the cards compulsory from the outset would, of course, raise the spectre of having to make the damn things free - as are, e.g. NI cards currently - which would never do! I'm sure a certain Mr. Brown would have something to say about that - hence the Home Office's 'softly, softly, makee money' approach...

Its also not clear in anything I've read yet whether these fees will form a part of, or be in addition to, the billions that this whole scheme is supposedly going to cost. We have been told for over a year now that Government estimates are £3.1 billion for a card priced at around £40 - with independant experts raising this to £5 billion, even apart from the almost inevitable overspend. See, e.g. the Foundation for Information Policy Research who brand the UK Government's ID card scheme an expensive flop.

So where are these estimates - surely the public deserve to see the figures and calculations used?

Are we 'early adopters' (bar the initial 10,000 - unless their details actually are "destroyed at the end of the trial" as promised) therefore expected to bear a huge chunk of the cost of the implementation, development and maintenance of the NIR and associated systems? Or will yet another layer of muddled-up Government bureacracy that fails to address the real problems in hand end up being funded from our overstretched taxes?

And finally, can we (the early adopters) expect to get a refund when ID cards are finally made compulsory - but if so will we have to agree, e.g. to have our tax code entered into the NIR to receive it? Beware of 'feature creep' marketed under the banner of 'convenience'...

Posted by lankyphil at 12:55 AM | Comments (0) | TrackBack

May 04, 2004

Jobs for the boys?

Will Atos Origin, originally formed in 2000 by the merging of French (Axime + Sligos = Atos) & Dutch (Origin = Royal Philips Electronics subsidiary) IT management and services companies, who later acquired KPMG Consulting (to trade in the UK as Atos KPMG Consulting) turn out to be the soon-to-be-appointed "development partner bringing in detailed expertise from outside Government" as announced in last week's Home Office press release?

They are, after all, the ones running the current UK Passport Service Six Month Biometrics Enrolment Trial, which started only a couple of months behind schedule - an all-time record for a UK Government IT project!

Of course, their very recent acquisition of the world's leading smartcard solution provider, SchlumbergerSema (in January 2004) would make them the *obvious* choice - but could it possibly be a little arrogant of them to assert on their UK home page that:

"The increased strength and depth of our end-to-end solutions and services, coupled with our expertise in Enterprise, Financial Services, Medical Services, Public Sector, Telecom, Media and Utilities and Transport ensures that the new Atos Origin is the future of IT services in the UK." [emphasis added]

Is Atos Origin becoming so powerful that it can basically take over any company that it sees as having the potential to 'interfere' with its lucrative Public Sector contracts? Are current or future Governments likely to act (e.g. regarding anti-competitive practices) against a supplier that delivers the very core of their information infrastructure?

I'm not a great one for conspiracy theories - its hard to believe in an all-powerful, evil 'them' when greed, stupidity and untrammelled 'free' market forces seem to do just as good a job of screwing things up. The managements of the mega-consultancies, manufacturers and service companies are simply doing what comes naturally in business - i.e. keeping an eye to the bottom line - while certain politicians seem hell-bent on pissing away billions of our tax pounds, while simultaneously and systematically corrupting and undermining the fundamentals of an equal and fair Information Society.

UPDATED 5/5/04: Thanks to Trevor Mendham for pointing out the recent FT article 'Companies wary about running ID cards scheme' on his UK ID Cards blog. The article refers to concerns voiced by Capita and Serco - and mentions that Atos, EDS and Capgemini (who just last week were 'embracing a new consulting paradigm') are 'talking to the Home Office about how to build the database'!

Posted by lankyphil at 04:17 PM | Comments (4) | TrackBack

May 03, 2004

Good on the Lib Dems

They may not have a snowball's chance in hell of winning a General Election, but it appears there may be some sensible politicians out there after all. The Liberal Democrats seem to be, literally, living up to their name with their 10 point rejection of the ID card / NIR scheme, see: DRAFT ID CARDS BILL IS FLAWED.

Nothing you won't have heard before, but they do lay the gauntlet down to the Conservatives - pointing out that a cross party coalition in the Lords is the only way to defeat the Government on this. Hmmm...

Posted by lankyphil at 01:22 PM | Comments (0) | TrackBack

April 30, 2004

10 years for us - 2 years for them!

Spyblog makes the point that 10 years in jail for "possession of a false document" seems an unduly harsh punishment, especially as this would be an entirely new offence created by the introduction of ID cards - but simultaneously extended to, e.g. even non-UK driving licenses.

Clauses 27-36 of the Draft Bill [553 KB PDF file] do bear a little scrutiny - and beg a couple of questions:

Why is it that possession of false ID documents carries with it a maximum penalty of 10 years in prison, when unauthorised disclosure of ID information - an abuse of power / position that potentially undermines trust in the entire ID system - is punishable by a maximum sentence of 2 years and/or a fine?

Clause 31, though, reveals a level of uncertainty and paranoia that should not go unchallenged: why double the sentence for hacking the NIR? If you 'hack' pretty much any database in the country, the maximum penalty is five years - but tamper with the National Identity Register, and you'll get ten.

This is pure lunacy.

If you (have to) double the sanctions against hacker attacks to 'protect' your systems, then you demonstrate a basic lack of confidence in your security measures - which, no doubt, will make them even more attractive to 'recreational' (if somewhat foolhardy) hackers. And will have no effect whatsoever on the 'foreign nationals' who are highly incentivised to break in and compromise your systems.

Which brings me to another point - what platform(s) will the NIR use? Not Microsoft ones, surely (cf. the Governmemt Gateway)! The National Identity Register will, almost of necessity, be distributed across a number of systems and be vulnerable to attack via inherent weakesses in each. So I hope that someone in Government understands the many ways in which, e.g. Redmond's current version of 'Trustworthy Computing' is anything but...

On a broader point, if the general population is to be able to trust the security of the NIR / ID card system as implemented the Government should (must!) allow 'White Hat' hackers to probe its defences. The 'Black Hats' will be doing their best, so it would be crazy to penalise or threaten those who offer truly independent checks on what the Government and its chosen supplier(s) assert is the security of the system. Criminalising this sort of thing indictaes either a lack of faith in your security or a deluded assumption of infallability.

In the same way that exploits and cracks of common applications and Operating Systems are discovered and fixed, the NIR can only be made more secure - or be proved to be (techno)logically insecure - by the authorities and its suppliers addressing each known method of compromise. The reporting mechanism might get a little fouled up by the threat of 10 years in prison, but there doesn't seem to be an offense (yet) dealing with the publishing of exploits...

I can't quite imagine there being a 'Report a NIR vulnerability' button on the Home Office website any time in the near future!

Posted by lankyphil at 05:52 PM | Comments (0) | TrackBack

April 29, 2004

Let's get together

Privacy International - in association with Liberty, Statewatch, Stand and the Foundation for Information Policy Research - are holding an afternoon meeting at the London School of Economics on 19th May called MISTAKEN IDENTITY, all about the Government's proposed National Identity Card.

They promise 'key figures in the fields of law, politics, security, technology and human rights' will be there, with details of the programme available at the the conference site.

UPDATED 6/5/04: The draft programme (with invited speakers) has now been published - subject to change, but its looking very interesting:

13.30 Welcome. Simon Davies, London School of Economics

13.40 The Rt. Hon David Blunkett, Home Secretary (invited)

14.00 Mark Oaten MP, Lib-Dem Home Affairs spokesman
David Winnick MP, Labour
Simon Thomas MP, Plaid Cymru
Lord Phillips of Sudbury

14.35 Q&A with audience

14.45 Dr Iqbal Sacranie, Secretary General, Muslim Council of Britain

15.00 Roger Smith, Director, JUSTICE

15.15 Q&A with audience

15.25 Sir John Stevens, Commissioner, Metropolitan Police (invited)

15.40 Paul Whitehouse, former Chief Constable, Sussex Police

15.50 Q&A with audience

16.00 Peter Williamson, President of the Law Society

16.15 Professor Ross Anderson, Cambridge University

16.30 Jonathan Bamford, Assistant Information Commissioner

16.45 Q&A with audience

16.55 Next steps

17.00 Close

Posted by lankyphil at 01:01 AM | Comments (0) | TrackBack

April 28, 2004

Privacy, biometrics and the presumption of innocence

In an information society, absolute privacy exists only inside your own head.

Most people would agree with or admit to the need for at least a degree of privacy in everyday life (indeed it seems some, e.g. celebrities and politicians, are desperate for it!), but many do not fully appreciate the nuanced and often complex relationship between privacy and identity. Make no mistake, they are related - and, in the context of ID cards and a National Identity Register, a serious erosion of your own personal privacy may be just a single (mandatory) data field away!

An informative consideration of the privacy issues and options arising when implementing biometric security systems, the BioPrivacy Application Impact Framework and Technology Risk Ratings offered by the IBG BioPrivacy Initiative are well worth a few minutes' study.

The problem with using biometrics to 'tie everything together' in the NIR is that it will, once and for all time, give the State ownership of your identity: you will be who the State says you are - even if they are mistaken (and they do make mistakes!) - not who you assert, and can prove in a variety of State-and-otherwise-sanctioned ways, that you are. This really would be a fundamental change in UK civil society and has, justifiably, been characterised as the end of 'presumption of innocence'.

What may seem like a good idea now to those who believe that "if you've got nothing to hide, you've got nothing to worry about" may seem distinctly otherwise when, e.g. it is their 16 year old granddaughter who gets a permanent black mark on her ID record for having hung around with a dodgy crowd after school - some of whom were caught shoplifting.

As I understand it, the State exists to serve the people. With ID cards and an NIR, we are teetering on the edge of a slippery slope (of indeterminate steepness...) that leads to the State dictating who is a person. In a few short years if I don't want a State identity I will become, by default, either a criminal or a non-person!

Posted by lankyphil at 11:29 PM | Comments (0) | TrackBack

April 27, 2004

Do something

If you are even remotely bothered by the intended introduction of ID cards, and it appears that - especially if we are made to pay for them - a large number of you actually are then please register your objection(s) using one or several of the mechanisms at your disposal:

1) e-mail the Home Office

"On 26 April 2004 the Government published 'Legislation on Identity Cards: a consultation' [553 KB PDF file]. This set out for consultation the Government’s plans for legislation on identity cards and includes the draft clauses of an Identity Cards Bill. We welcome comments on the draft legislation from individuals and organisations. These can be sent to identitycards@homeoffice.gsi.gov.uk by including the words ‘consultation response’ in the subject title." Or by clicking on the e-mail address in the previous sentence...

2) Sign an e-petition* or vote in a poll

I'm sure there are/will be several out there - please let me know of any I have missed, and I shall attempt to make this a comprehensive list:

Liberty petition - click on the 'Petitions' tab, then 'No to ID Cards' link.

Trevor Mendham's BBC iCan campaign - registered BBCi members' votes have more clout

Clare Hewitt-Horsman's 'No to National Identity Cards in the UK' petition - although I'm not sure Clare has read the UK Government criteria for e-Petitions [see below].

UPDATED 5/5/04: The Campaign to Stop the National Identity Card (CASNIC) have an online petition.

*The Government has agreed to accept electronic petitions containing more than 300 'genuine signatures'. They appear to respond to each petition individually, even ones on the same subject, so long as it meets their basic criteria. Of course, the Government do not have a particularly good track record on aggregating individual responses into 'ad hoc petitions', hence my suggestion that you object using each of the different mechanisms available to you.

3) Fax your MP

Via the excellent FaxYourMP.com. Please pay attention to their guidelines and instructions and do not abuse this genuinely useful service, e.g. by trying to fax someone who isn't your MP. I have found it gets me a timely written response on House of Commons headed paper from my MP every time I use it - but then he is a Liberal Democrat!

4) Write a letter

Pretty much the same effect as (3) above, but with possibly a higher impact / better response rate. To find out the contact details of your local MP use this handy 'Constituency Locata' on the UK Parliament site.

Of course, you can write to any named MP at the House of Commons, London SW1A 0AA - but before you do, here's some sensible advice from the BBC on 'Writing to a political representative'.

5) Join or support an organisation

There are many(!) but, with specific regard to ID cards, you will probably find the following most useful and up-to-date:

Privacy International

Liberty

Stand

Statewatch

Posted by lankyphil at 01:18 AM | Comments (2) | TrackBack

April 26, 2004

Read all about it

For your delight and delectation, one freshly published Home Office consultation document: Legislation on Identity Cards | A Consultation [553 KB PDF file] and its official Press Release, DAVID BLUNKETT: NATIONAL ID CARD SCHEME IS THE KEY TO THE UK’S FUTURE.

The Government's current statements about Identity Cards seem to live in the 'Community and Race' section of the Home Office site, as do the Publications and Consultations Archives - well worth reading (although I recommend pre-emptive Anadin) for the background to and progress of UK ~~Entitlement~~ Identity Cards 'from the horse's mouth'.

Posted by lankyphil at 03:32 PM | Comments (0) | TrackBack

April 25, 2004

Blunkett for breakfast

The BBC Breakfast with Frost programme have published a transcript of today's interview with David Blunkett. I must say the picture they have chosen does him no favours whatsoever - but unfortunately neither does much of what he says.

Posted by lankyphil at 10:34 PM | Comments (0) | TrackBack

April 24, 2004

Anti-terrorism? Not necessarily!

The Government, and David Blunkett in particular, seem to be unclear on the real benefits of ID cards. Indeed, the Home Secretary has been making conflicting and contradictory statements on their potential to combat terrorism for quite some time - as evidenced by, for example, the record of Hansard on 3rd July 2002.

This month Privacy International have released a new study, 'Mistaken Identity; Exploring the Relationship Between National Identity Cards & the Prevention of Terrorism' [227 KB PDF file] which presents evidence and analysis to support the conclusion that Identity cards are not "a meaningful or significant component in anti-terrorism strategies". In fact, "[O]f the 25 countries that have been most adversely affected by terrorism since 1986, eighty per cent have national identity cards, one third of which incorporate biometrics"!

Similar points are touched on in the BBC's article, ID cards 'cannot stop terrorism' which reports recent objections from both Liberty and the Lib Dems with regard to terrorism, and the Earl of Selborne who warns of the "very real danger that we are sleepwalking into our technological future."

Posted by lankyphil at 09:42 PM | Comments (0) | TrackBack

April 23, 2004

I object! And I know a few others who do, too...

In the spirit of the debate that the Government would have us believe has happened, the BBC's article Should we carry ID cards? carries a set of associated comments which they say "reflect the balance of the opinion we have received".

Note that these could be seen to belie Tony Blair's assertion earlier this month that "in relation to ID cards... I think there is no longer a civil liberties objection to that in the vast majority of quarters."

So does he think that groups like Stand, Privacy International and Liberty are entirely unrepresentative of public opinion, or that a significant number of outstanding questions are simply undeserving of an answer?

Methinks Messrs. Blair & Blunkett may have been reading too many (and too much into) recent headlines...

Posted by lankyphil at 08:18 PM | Comments (0) | TrackBack

April 22, 2004

Lies, damned lies and statistics

Interestingly, the company (Detica) that commissioned the MORI report on ID cards that everyone is now referring to issued two 'contradictory' press releases today - a case of "let both sides quote us with something that suits their argument"?

On the one hand, British Public Gives Huge ‘Thumbs Up’ for National ID Cards - but on the other, British Public Sceptical Over Successful Introduction of National ID Card Scheme...

If you want to read the results of the MORI poll itself you can download it here: Detica - National Identity Cards.pdf [188 KB PDF file]

UPDATED 24/4/04: There's been a whole pile of commentary on this poll, here are a few of the highlights:

Silicon.com - ID cards: no data security fears – and no chance we'll pay for them

BBC NEWS - Public 'happy to carry ID cards'

The Register - UK public wants ID cards, and thinks we'll screw up the IT

Commentators seem to have picked up on scepticism about the Government's ability to implement ID cards, but take a range of views on the apparently overwhelming level of in principle public support for ID cards. It is disappointing that the (mainstream) press have not waded in with more substantial analyses - e.g. if you factor in 'desire to pay', the headlines would tell a completely different story!

I have to say also that I am less than happy with the methodology of at least one survey that I took recently - the Silicon.com Reader's Poll - which only attempted to qualify the responses of those who agreed with the principle of ID cards: disgreement in principle led to no further questions! I am not saying that the MORI poll was similarly flawed (in fact I highly doubt it) but, especially given my past experiences of (psychological) questionnaire design and social research, I would be wary of drawing any sweeping or definitive conclusions from what appears to be a very contradictory evidence base.

Posted by lankyphil at 04:20 PM | Comments (0) | TrackBack

April 20, 2004

What are the issues?

Courtesy of the BBC, a pretty impartial collation of the main issues surrounding ID cards and what you can do about them - ID cards: an iCan briefing.

There are many aspects to this complex debate but if you are reading this, I assume that you're interested in finding out more - and this site is not a bad place to start.

It could take a while, though...

Posted by lankyphil at 01:27 AM | Comments (0) | TrackBack

April 19, 2004

El Reg on the case

John Lettice's Special Report, ID cards: a guide for technically-challenged PMs, on The Register tackles many of the common misconceptions about biometrics and ID systems.

Misunderstanding the nature, limitations and implications of the use of biometrics is common and is something which I have professionally had to tackle in a public and voluntary sector context. Although there are some instances in which their use is justified, given current levels of maturity (i.e. not very) and the inherent fallibility (none can eliminate false negatives or false positives) of such systems, biometric implementations must be carefully managed - legislatively & organisationally as well as technologically - to ensure the actual benefits match up to the perceived ones, and that serious risks & negative consequences are avoided.

Posted by lankyphil at 11:48 PM | Comments (0) | TrackBack

April 18, 2004

Getting my goat

OK, I didn't start this blog with the intention of it becoming a rant - and I hope it doesn't and won't come across as one - but there's something that's been bugging me (professionally as well as personally) for some time and I see no point in holding off / avoiding posting on it, e.g. just because so many others are doing so. In fact I hope I can add something to the debate.

What I am referring to is the introduction of biometrically-enabled National ID cards in the UK, and the concomitant creation of a National Identity Register.

Of course I don't object to having to identify myself where appropriate - I hold a current UK passport and driving licence, for example - but I do object to the creation of the single huge database that must, given current Gov't and corporate thinking, sit at the 'back end' of any ID card system.

I believe that ID cards and a NIR are unlikely to deliver sufficient 'benefits' (and it has yet to be made explicit precisely what these are supposed to be) to justify the cost of implementation and maintenance, and that they will be sufficiently vulnerable to exploitation and abuse that they will, from the outset, seriously impinge on the civil liberties of some individuals and minority groups within society. In the long term I fear that the groundwork may be being laid for widespread (and possibly systemic) abuse of personal privacy and - in the worst case scenario - State persecution by a future, more oppressive Government than the one that currently holds power.

The risks and consequences of failure(s) are too high to brush aside or 'shelve until later' - later will, quite simply for some, be too late.

Just because the present Gov't has been unable to legislate to its satisfaction for data sharing between its various arms and agencies (see the Department for Constitutional Affairs site on Data Sharing for more information) and is having technological difficulties or is finding progress too slow in aligning its various systems and databases (despite such sensible initiatives as the e-Government Interoperability Framework) does not give it carte blanche to rush / push through a solution with such far-reaching implications and effects. Especially when it has shown every sign of wishing to ignore or downplay significant public objections.

Enough for now, I'm sure I'll have more to say later.

Posted by lankyphil at 09:48 PM | Comments (0) | TrackBack

infinite ideas machine