FIPR submission to Home Affairs Committee on ID Cards

 

1.       The Foundation for Information Policy Research (FIPR) is the leading think tank for Internet policy in Britain. It studies the interaction between IT, government, business and civil society. It researches policy implications and alternatives, and promotes better understanding and dialogue between business, government and NGOs across Europe.

 

2.      Since ID cards were abolished by Parliament half a century ago, repeated attempts have been made to reintroduce them under some pretext or other – whether as health cards, as benefit cards, or as smartcards to help Internet users authenticate themselves. The present proposals combine many of these older ones. UK residents would have to obtain a card that would not only serve as ‘government-issue photo-ID’ but would also have a chip, at least one biometric apart from the photo, and links to records underlying other public services. It would become the single token regulating access to most government services, and would have to be produced not just when boarding an aircraft but also when registering with a GP, enrolling a child at school, or claiming benefits.

 

3.      We responded to the Home Office consultation on entitlement cards, as we have to many of the consultations on previous proposals (see our website, www.fipr.org). We would welcome an opportunity to testify before the Committee. In this note, we suggest a few lines of enquiry for the Committee.

 

One-card-fits-all

 

4.      FIPR believes that the ‘one-card-fits-all’ approach is wrong, for reasons of systems engineering, security, economics and policy. Instead, there should be a range of access tokens, protocols or methods for different services. There are good reasons why the typical citizen currently has a number of cards, keys and other access tokens. Cramming more function into a token makes it more liable to failure, more complex to maintain, a more attractive target for forgers, and a greater threat to privacy. This holds regardless of whether one overloads a material token, such as an identity card, or an immaterial one such as the US social security number –  whose widespread abuse by businesses as an identifier facilitates all sorts of mischief from ‘identity theft’ to privacy violations. The same holds in the private sector, which issues more rather than fewer tokens as time goes by. Attempts to market ‘multifunction smartcards’ – tokens that could work as bank cards, electricity meter cards, and even door keys – have repeatedly failed. Issues such as branding, liability, compatibility of back-end systems, maintenance and supplier lock-in have proved insuperable. Both the large companies that gambled on  identification during the dotcom boom (Baltimore and Verisign) lost billions of pounds in shareholder value; Baltimore was effectively ruined. The smartcard vendor that invested most heavily in multifunction cards (Gemplus) ended up laying off hundreds of staff.

 

5.      It has been argued that government-issue ID is special, and must be designed to support as many other applications as possible. This is mistaken. Germany has much longer experience of ID cards than we have, and their ID card system is designed to prevent cards being used for any other purpose. Cards are issued by local government, rather than centrally, and there is no national population register. The card number changes whenever the card is reissued; it is a card number rather than a citizen number. There is therefore little motive for businesses to try to use it as an identifier (which is illegal anyway). There is a separate system of health cards that carry residents’ health insurance details, and also some basic medical information. Welfare payments use different systems again. We do not advocate that the German system be adopted here lock, stock and barrel; rather, it serves to show that, if Parliament does decide to introduce ID cards, there are other and better ways of managing things.

 

We would now like to touch on a few further issues.

 

Identity Theft

 

6.            One of the arguments made for identity cards is that they will help to cut ‘identity theft’ – where a thief masquerades as his ‘victim’ to obtain credit and then absconds, leaving the ‘victim’ with a damaged credit rating that can take much effort to repair. This is greatly over-hyped. From the viewpoint of the impersonated party, identity theft is not theft at all, but libel. The problem is that credit reference agencies in the UK and the USA are reluctant to expunge inaccurate records. This is essentially a regulatory issue – a failure by the Information Commissioner to enforce the Data Protection Act, under which the agencies should not knowingly hold false information on data subjects. The agencies claim that they are merely holding data on behalf of the lenders, and the Commissioner has unfortunately gone along with this feeble excuse. If the Home Secretary is truly concerned about identity theft, he need simply request the Commissioner to enforce the existing law more vigorously. (As for the true victims, the lenders, they will continue to take risks about identity rather than losing business opportunities; fraud patterns do not appear to vary across Europe according to the existence or absence of ID cards.)

 

Biometrics

 

7.             At present, biometric equipment sales are dominated by fingerprint readers. They are widely used overseas by welfare agencies, as they cut claims dramatically. This is partly because they make impersonation more difficult, but there is also a strong placebo effect. Many people are scared off claiming welfare benefits when they have to undergo regular fingerprint scanning in order to claim. This includes some people who have legal claims to benefit, as well as some who do not. The placebo effect is also the main reason why photo-ID works at all; randomised controlled trials have found that supermarket staff cannot tell the difference between credit cards carrying genuine ID photos that were slightly out of date, and cards bearing photos of other people that had been selected, from a pile of a few dozen cards, to be somewhat like the cardholder. Security mechanisms that rely on the placebo effect will degrade over time as the weakness of the mechanisms is understood. (There are also political issues with a strategy of welfare deterrence.)

8.      Other biometric mechanisms may be used, such as iris codes and hand geometry. Iris codes in particular have much lower error rates than current fingerprint readers. They were originally developed with funding from a US weapons lab, and are appropriate in applications such as access control to a plutonium store – in professionally-supervised operation, and with a small number of subjects who are volunteers. However, if used as a general-purpose, compulsory mechanism for a large population (and especially if they are used in unattended operation, or by unskilled operators), they will not be as reliable. The bad guys will be able to learn the iris codes of large numbers of people (think of a Mafia-owned shop) and produce contact lenses that will fool readers. In general, biometrics suffer the disadvantage that they cannot be changed once compromised, unlike physical tokens such as credit cards. There will also be issues with people who have no eyes, or damaged eyes, and the larger number of people who dislike the infra-red light used by present iris scanning systems to illuminate the eye. (These issues are discussed in detail in the standard textbook ‘Security Engineering’ by Ross Anderson, the Chair of FIPR.)

 

Security and Privacy

 

10.    Organisations that rely on an identification token will generally want it to be secure – they expect a low probability that an apparently genuine token is in fact forged. Citizens who carry a token will generally want it not to harm their privacy – the token should not make it significantly easier for third parties to link up information about them. But a single token, designed to serve as many purposes as possible, makes both requirements much harder to satisfy. We have already remarked that a single unique identifier will facilitate the sort of abuses common with the US social security number. As for security, it is unwise to aggregate targets – for example, it is not allowed to carry money in containers that hold classified information. Yet creating a card that gives access to everything from medical care through welfare benefits to air travel will create a huge target. Serious efforts will be made to forge it, not just by criminal organisations, but also by governments. The consequences should be considered very carefully indeed.

 

11.     There is also the issue of public security, in the sense of the potential benefit of an ID card to policing operations. We suggest the Committee deal with this question not by asking chief constables whether they would like ID cards, but whether they would rather the Home Office spent the money on ID cards or give them extra cash to hire more officers and buy more equipment to increase their efficiency generally. If the cost in steady-state is £800m per annum, that translates to a 14% increase in police budgets.

 

Economics

 

12.    We do not believe the Home Office’s costings. Public sector projects that consolidate a number of existing systems into a new, centralised one almost always cost much more than expected, not just in the short term but also in the long term. This is partly because of lock-in. The value of a software or facilities management contract to the supplier is largely dependent on how hard it will be for the customer to move to a competitor. If the costs of switching are, say, £100m, then a competitor is unlikely to come along until the incumbent’s pricing contains at least that much profit. While a naïve cost-benefit analysis might suggest that consolidating five £100m systems could yield a £300m system and thus save money, the reality is usually different: the consolidated system becomes more complex and ends up costing double in the medium-term, as it becomes much harder to switch suppliers. While some government departments (notably the MoD) have long experience (not always good) at managing lock-in by monopolistic suppliers, the Home Office’s proposals do not convince us that they are really aware of these issues.

 

Public Opinion

 

13.    The Home Office claims public support for identity cards. We question this. The claimed result appears to have been obtained by counting thousands of electronic submissions as a single submission, with the weak argument that it was some kind of petition. FIPR members and supporters made a number of these electronic submissions, and while most of us opposed identity cards in principle, not all of us did. The consultation process was thus deeply flawed, and the underlying attitude towards electronic communication is particularly worrying given plans to allow online voting in future elections.

 

Conclusion

 

14.        The Home Office proposals seek to create an authentication token with the flexibility of a Swiss Army Knife. But a Swiss Army Knife is not a very good knife, nor a very good screwdriver, nor a very good corkscrew. If a tool is going to be used at all often, it is best to have one designed for the job. A one-card-fits-all solution to all authentication and fraud prevention problems across many public and private services is likely to be second-best for all of them, as well as more expensive. In the private sector, the credibility of universal authentication has been undermined by hard experience.

 

15.        Unfortunately, successive UK governments have seen bundling as a means to overcome more fundamental objections to ID cards. The thinking appears to be that although the UK public might not accept ID cards per se, they might accept them if bundled with driving licenses, passports, welfare fraud control and access to the NHS. Yet the civil service’s record of designing systems to `kill two birds with one stone’ is abysmal: the birds usually fly away unharmed, while the taxpayer is left with an eyeful.

 

16.        FIPR warns that bundling brings major additional risks, and strongly recommends that the case for ID cards should stand or fail on its merits. At present, the case has not been made.

 

17.         Given that many countries have ID cards and many countries don’t, there would surely be no lack of empirical evidence to support the Home Office’s claims if they were true. The absence of such evidence is extremely damaging to its case. We therefore urge the Committee to advise the Home Secretary to either abandon the proposed scheme, or come back with a modified proposal that focuses exclusively on identity cards, that has a clear specification, whose benefits are shown to be achievable on a preponderance of all the empirical evidence. Finally, these benefits must show that ID cards are a better use of Home Office funds than an equivalent increase in the police budget.