FIPR submission to Home Affairs Committee on ID Cards
Foundation for Information Policy Research (FIPR) is the leading think tank for Internet policy in
ID cards were abolished by Parliament half a century ago, repeated attempts
have been made to reintroduce them under some pretext or other – whether as
health cards, as benefit cards, or as smartcards to help Internet users
authenticate themselves. The present proposals combine many of these older
3. We responded to the Home Office consultation on entitlement cards, as we have to many of the consultations on previous proposals (see our website, www.fipr.org). We would welcome an opportunity to testify before the Committee. In this note, we suggest a few lines of enquiry for the Committee.
believes that the ‘one-card-fits-all’ approach is wrong, for reasons of systems
engineering, security, economics and policy. Instead, there should be a range
of access tokens, protocols or methods for different services. There are good
reasons why the typical citizen currently has a number of cards, keys and other
access tokens. Cramming more function into a token makes it more liable to
failure, more complex to maintain, a more attractive target for forgers, and a greater
threat to privacy. This holds regardless of whether one overloads a material
token, such as an identity card, or an immaterial one such as the US social
security number – whose widespread abuse
by businesses as an identifier facilitates all sorts of mischief from ‘identity
theft’ to privacy violations. The same holds in the private sector, which
issues more rather than fewer tokens as time goes by. Attempts to market
‘multifunction smartcards’ – tokens that could work as bank cards, electricity
meter cards, and even door keys – have repeatedly failed. Issues such as
branding, liability, compatibility of back-end systems, maintenance and
supplier lock-in have proved insuperable. Both the large companies that gambled
on identification during the dotcom boom
(Baltimore and Verisign) lost billions of pounds in shareholder value;
5. It has
been argued that government-issue ID is special, and must be designed to
support as many other applications as possible. This is mistaken.
We would now like to touch on a few further issues.
of the arguments made for identity cards is that they will help to cut
‘identity theft’ – where a thief masquerades as his ‘victim’ to obtain credit
and then absconds, leaving the ‘victim’ with a damaged credit rating that can
take much effort to repair. This is greatly over-hyped. From the viewpoint of
the impersonated party, identity theft is not theft at all, but libel. The
problem is that credit reference agencies in the
7. At present, biometric equipment sales are dominated by fingerprint readers. They are widely used overseas by welfare agencies, as they cut claims dramatically. This is partly because they make impersonation more difficult, but there is also a strong placebo effect. Many people are scared off claiming welfare benefits when they have to undergo regular fingerprint scanning in order to claim. This includes some people who have legal claims to benefit, as well as some who do not. The placebo effect is also the main reason why photo-ID works at all; randomised controlled trials have found that supermarket staff cannot tell the difference between credit cards carrying genuine ID photos that were slightly out of date, and cards bearing photos of other people that had been selected, from a pile of a few dozen cards, to be somewhat like the cardholder. Security mechanisms that rely on the placebo effect will degrade over time as the weakness of the mechanisms is understood. (There are also political issues with a strategy of welfare deterrence.)
8. Other biometric mechanisms may be used, such as iris codes and hand geometry. Iris codes in particular have much lower error rates than current fingerprint readers. They were originally developed with funding from a US weapons lab, and are appropriate in applications such as access control to a plutonium store – in professionally-supervised operation, and with a small number of subjects who are volunteers. However, if used as a general-purpose, compulsory mechanism for a large population (and especially if they are used in unattended operation, or by unskilled operators), they will not be as reliable. The bad guys will be able to learn the iris codes of large numbers of people (think of a Mafia-owned shop) and produce contact lenses that will fool readers. In general, biometrics suffer the disadvantage that they cannot be changed once compromised, unlike physical tokens such as credit cards. There will also be issues with people who have no eyes, or damaged eyes, and the larger number of people who dislike the infra-red light used by present iris scanning systems to illuminate the eye. (These issues are discussed in detail in the standard textbook ‘Security Engineering’ by Ross Anderson, the Chair of FIPR.)
10. Organisations that rely on an identification token will generally want it to be secure – they expect a low probability that an apparently genuine token is in fact forged. Citizens who carry a token will generally want it not to harm their privacy – the token should not make it significantly easier for third parties to link up information about them. But a single token, designed to serve as many purposes as possible, makes both requirements much harder to satisfy. We have already remarked that a single unique identifier will facilitate the sort of abuses common with the US social security number. As for security, it is unwise to aggregate targets – for example, it is not allowed to carry money in containers that hold classified information. Yet creating a card that gives access to everything from medical care through welfare benefits to air travel will create a huge target. Serious efforts will be made to forge it, not just by criminal organisations, but also by governments. The consequences should be considered very carefully indeed.
11. There is also the issue of public security, in the sense of the potential benefit of an ID card to policing operations. We suggest the Committee deal with this question not by asking chief constables whether they would like ID cards, but whether they would rather the Home Office spent the money on ID cards or give them extra cash to hire more officers and buy more equipment to increase their efficiency generally. If the cost in steady-state is £800m per annum, that translates to a 14% increase in police budgets.
12. We do not believe the Home Office’s costings. Public sector projects that consolidate a number of existing systems into a new, centralised one almost always cost much more than expected, not just in the short term but also in the long term. This is partly because of lock-in. The value of a software or facilities management contract to the supplier is largely dependent on how hard it will be for the customer to move to a competitor. If the costs of switching are, say, £100m, then a competitor is unlikely to come along until the incumbent’s pricing contains at least that much profit. While a naïve cost-benefit analysis might suggest that consolidating five £100m systems could yield a £300m system and thus save money, the reality is usually different: the consolidated system becomes more complex and ends up costing double in the medium-term, as it becomes much harder to switch suppliers. While some government departments (notably the MoD) have long experience (not always good) at managing lock-in by monopolistic suppliers, the Home Office’s proposals do not convince us that they are really aware of these issues.
13. The Home Office claims public support for identity cards. We question this. The claimed result appears to have been obtained by counting thousands of electronic submissions as a single submission, with the weak argument that it was some kind of petition. FIPR members and supporters made a number of these electronic submissions, and while most of us opposed identity cards in principle, not all of us did. The consultation process was thus deeply flawed, and the underlying attitude towards electronic communication is particularly worrying given plans to allow online voting in future elections.
14. The Home Office proposals seek to create an authentication token with the flexibility of a Swiss Army Knife. But a Swiss Army Knife is not a very good knife, nor a very good screwdriver, nor a very good corkscrew. If a tool is going to be used at all often, it is best to have one designed for the job. A one-card-fits-all solution to all authentication and fraud prevention problems across many public and private services is likely to be second-best for all of them, as well as more expensive. In the private sector, the credibility of universal authentication has been undermined by hard experience.
15. Unfortunately, successive UK governments have seen bundling as a means to overcome more fundamental objections to ID cards. The thinking appears to be that although the UK public might not accept ID cards per se, they might accept them if bundled with driving licenses, passports, welfare fraud control and access to the NHS. Yet the civil service’s record of designing systems to `kill two birds with one stone’ is abysmal: the birds usually fly away unharmed, while the taxpayer is left with an eyeful.
16. FIPR warns that bundling brings major additional risks, and strongly recommends that the case for ID cards should stand or fail on its merits. At present, the case has not been made.
17. Given that many countries have ID cards and many countries don’t, there would surely be no lack of empirical evidence to support the Home Office’s claims if they were true. The absence of such evidence is extremely damaging to its case. We therefore urge the Committee to advise the Home Secretary to either abandon the proposed scheme, or come back with a modified proposal that focuses exclusively on identity cards, that has a clear specification, whose benefits are shown to be achievable on a preponderance of all the empirical evidence. Finally, these benefits must show that ID cards are a better use of Home Office funds than an equivalent increase in the police budget.