ID cards will be a great British Institution
The identity card scheme will become a “great British institution” on a par with the railways in the 19th Century, Home Office minister Liam Byrne says.
He said it was “time to get on with it” and predicted that the National Identity Scheme “will soon become part of the fabric of British life”.
But plans to “multiply the uses” of the ID scheme would mean there should be stronger accountability to Parliament.
Current ID trials include employment, age and criminal records checks.
The Home Office intends to introduce biometric identification for foreign nationals in 2008, with the first ID cards for British citizens issued in 2009.
The plans for ID cards have proved controversial and are opposed by both the Conservatives and the Liberal Democrats on cost, effectiveness and civil liberty grounds.
And Phil Booth, from the anti-ID card campaign group No2ID, said: “It is crazy to suggest that the best way to ‘protect’ our identities in the future is to hand them to the Home Office – the department of cock-up and cover-up. These are the last people on earth you should trust to keep your information safe.” …
Securing Our Identity: A 21st Century Public Good
19 June 2007
Speech by Liam Byrne MP, the Minister of State for Immigration, Citizenship & Nationality, to Chatham House on 19 June 2007
Revolutions in globalisation and technology – the leitmotif of your conference – have always brought radical new possibilities – but also potent new risks.
Modern Government’s task is not to run away from that change, or shrug our shoulders in indifference, or deny its existence – but to grasp it and use it to expand horizons not for the elite, but for ordinary working families.
The only people who will be able to reliably use the scheme will be those who can afford biometric scanners, ID card readers, and use of the Identity Verification Service (if they are allowed).
It could cost between £250 and £5,000 for one biometric reader alone, according to which Government Regulatory Impact Assessment you read. So let’s not get too excited about the possibilities for ordinary working families.
Let’s face it: in practice the scheme will only directly be used by the public and private sectors – not the public itself.
Now I’m not saying that this means there will be no benefit to the public, just that you as a member of the public are not going to reliably be able to check someone’s identity: e.g. your childminder.
Two weeks ago, Ruth Kelly and I argued that the changes we see in our country today are provoking not an identity crisis – but an identity challenge to our country and to communities, and to citizens.
The Identity Challenge
We work and live differently. The job for life is gone. Our families look very different to decades ago.
Hyper-mobility – physical and virtual – has become a fact of life. Nearly two thirds of consumers now have an internet connection at home.
In 2005, the value of British e-commerce topped £92 billion – an economy the size of Argentina. Last year British residents made 68 million journeys abroad and 32 million foreign nationals visited here.
It is this hyper-mobility, set on a stage of rapid social change, that gives rise to new possibilities for British people but which also brings new risks.
The identity challenge means that without identity systems we leave our borders vulnerable; we leave community safety nets vulnerable; and we leave individuals perhaps most vulnerable of all.
Let me give you one quick example of each:
First, our borders.
By the Spring just gone, we had checked the 10 fingerprints of almost 400,000 people applying for a visa for Britain. By the end of this month, we’ll be checking visa applicants in 75 countries.
Already we have found 4,000 hits against immigration databases. 70% were applying for visas from abroad, had already claimed asylum in Britain. Many claimed in a different identity. Nearly 1 in 10, we found was subject to removal directions.
Good for you.
- Including a Ghanaian, who applied for a visa in Accra, who biometric checks established had claimed asylum in the UK under a different identity as a Liberian national
- Including a Tanzanian national, who claimed never to have previously been to the UK but who had actually claimed asylum as a Somalian citizen
- Including an Albanian who applied for a visit visa in Europe, but who had claimed asylum as a Serbian national, again with a completely different identity.
So it is clear to us that the identity challenge at our borders is very real.
Why are these considered to be good reasons to have a centralised National Identity Register?
None of those people are going to be on the NIR prior to enrolling, and they don’t have to enrol unless they claim they intend to be here for more than three months.
Let’s not confuse, as Liam Byrne has done, the immigration, asylum and Visa databases with the NIR.
We already have Project IRIS at some of our airports. Surely all we want to do is count people coming in and out, and make sure – similar to the United Arab Emirates – that undesirables can’t return after we eject them.
We don’t need a centralised privacy abolishing database in order to secure our borders.
But it is real too for public safety nets.
The DWP estimates fraud costs the benefit system £800 million a year.
The DWP “estimates that £20m-£50m of benefit fraud arises as a result of identity fraud (i.e. claiming benefit in false identities).” (Update Estimate of the Cost of Identity Fraud to the UK Economy)
Not anything like £800m, is it?
So why mention £800m?
Multiple identity abuse by a single individual is a problem – perpetrated by people like the man in Cleveland, prosecuted for the fraudulent abuse of over 80 identities, and a fraud of almost one and a half million pounds (£1,412,000).
An extremely rare event.
But, the identity challenge is arguably sharpest for individual citizens, because in today’s online, hyper-mobile world, they can lose so much.
- In the past 6 years CIFAS, the UK Fraud Prevention Service, has recorded over 282,000 victims of identity fraud from reports by their private sector members – enough to fill a city the size of Sunderland.
Unfortunately the number of victims is increasing year on year. But why? Is it because we aren’t thinking properly about the problem?
Another point to make is that without looking at that figure (282,000) in detail, we don’t know whether or not it could be reduced by the Identity Card Scheme, and Mr Byrne makes no attempt to discuss it.
Just like the £800m benefit fraud, he throws such figures out there, and we are supposed to think they have something to do with the ID Card scheme.
- And at a cost to the British economy of £1.7 BN a year – more than the total budget of the entire Border and Immigration Agency.
As I’ve said on this blog a number of times before, the £1.7bn pa is a discredited guesstimate:
- “Government claims that identity fraud in the UK costs £1.7bn a year have been exposed as inaccurate” – or, dare I say it, ‘fraudulent’ – “with the real figure less than a third of that total, a silicon.com investigation has found.”
- Also see SpyBlog.
- There is a good Register article on the earlier claim that it costs £1.3bn pa.
Please don’t misunderstand – it could be more, it could be less. But it certainly isn’t £1.7bn for the reasons that the Government gives.
The Risk of Uncontrolled Response
Now in response to these kinds of risks, the private and public sector cannot and will not sit back.
And in the face of these risks, it is unlikely that the most well-off will be hurt first or hurt most. It will be those who cannot afford to buy their own defences.
Business is already building solutions.
In the US there are already 120,000 customers registered to pay at checkouts using biometric technology.
I don’t know what he is referring to here, but I don’t have a problem with that outline.
Manufacturers are working on fingerprint technology locks that would make stolen phones and MP3 players instantly worthless.
The Register says, “We’re still not clear which manufacturers he is talking about – if your company is making a fingerprint-activated mobile phone or MP3 player please do get in touch.”
Let’s hope manufacturers of “fingerprint-activated mobile phone or MP3 player” employ ‘liveness’ tests!
Some UK nightclubs already use biometrics, taking fingerprints to stop under-aged patrons and persistent troublemakers.
Fair enough. Why not? It is limited data collected for a specific purpose – and I have the choice of whether or not I want to visit such establishments. No such choice will exist with the National Identity scheme.
The Government is trialling biometrics at the borders.
Project IRIS – the Iris Recognition Immigration System provides fast and secure automated clearance through UK immigration controls.
As of 10th June almost 100,000 (91,378) had enrolled, and nearly half a million border crossings were recorded (405,745).
But if we persist with this public and private laissez-faire, it is frankly easy to see how, before long in Britain, the day will come when we have a mish-mash of unregulated, potentially unsafe systems, mushrooming in growth and size in a way that is just uneconomic.
- Unregulated – Because today no safeguards are really required or enforced.
Shurely shome mishtake: safeguards are required.
But on the latter point, enforcement: is he accusing organisations of not complying with data protection legislation? Or is he accusing the authorities of not enforcing data protection legislation? Or wot?
And what is he doing about it?
Furthermore, does lack of enforcement of one rule mean we should introduce another rule that says a similar thing to the first? Or should we instead simply enforce the first rule?
- i. Who exactly would have your details?
ii. Who could they pass on or sell your information to?
iii. What could they do with your fingerprints?
- Unsafe – because with low security standards laissez-faire schemes would continue to lay the public wide open to identity theft.
Hmm. Maybe – just maybe – we need to enforce higher security standards. The public would choose the scheme that suited them best. No-one in their right mind would pay for a scheme that was wide open to abuse.
I really don’t believe a lack of compliance with existing legislation is a reasonable excuse for the introduction of a privacy abolishing database.
- The sheer complexity of the systems may mean that you will not be able to correct inaccuracies.
I’d love to know the know the number of systems the average individual regularly accesses.
CIFAS claims that, “It can take between 3 and 48 hours of work for a typical victim to sort out their life and clear their name. In cases where a ‘total hijack’ has occurred, perhaps involving 20-30 different organisations, it may take the victim over 200 hours and cost up to £8000 before things are back to normal.”
“Over half of the respondents spent less than 24 hours rectifying the situation, 16 per cent took one to two hours and 12 per cent three to four hours. However, for 11 per cent it took longer than a week.“
I wonder how long it will take for a member of the public to rectify a mistake in the NIR. After all, we expect inaccuracies in databases of that size.
The consequences of inaccuracies have not been discussed, as far as I know.
- Uneconomic – because there would still be many cards and many systems.
Surely there will still be many cards and many systems when this ID card scheme is deployed, or does he think an ID card will replace debit cards, credit cards, and so on? I’m not sure the banks and credit card issuers will go for that.
- A proliferation of plastic, passwords and PINs.
That was a Government Minister recommending the opposite to what security experts recommend. Well done. No Mr Byrne, we shouldn’t use the same password or PIN for every system.
- A world that’s harder to manage, not easier. Systems with different technologies and languages that don’t talk to each other.
This has always been the case. Not sure how the ID card scheme will affect that.
- A world that is prone to a new and isolating kind of digital division.
My party has always been suspicious of growth in unregulated and unaccountable power and the risk of new inequalities.
That is why we advocate a publicly accountable, national solution. Something that becomes, in time, another part of our critical national infrastructure.
The Register points out that, “One might well look askance at the notion that a Government with such a grisly record in the implementation of critical national infrastructure, which is about to be run by a man whose current department perpetrated one of the more spectacular and expensive cases of web-based mass ID theft, is the most appropriate candidate to put your ID assets in one big pile and keep them safe for you. But that’s essentially what Byrne is recommending here.”
A 21st Century Public Good
Like the railways in the 19th century and the national grid in the 20th century, I think there are strong arguments for thinking of the National Identity System as a modern day public good – that very quickly becomes part and parcel of everyday life in Britain.
In other words, the central Government didn’t build the entire national rail infrastructure in one go. Initially it was all private and local.
So the first railways are possibly a good analogy for what some proponents of the principle, but opponents to this particular scheme, are arguing: regulated private sector provision of identity services, and may the best one win.
Not quite the analogy Mr Byrne has in mind.
But I believe its success will depend on three ingredients:
- its usefulness in everyday life;
- accessibility to everyone from all walks of life and its
- accountability to the country. Let me take each in turn.
Part of Everyday Life
I’ll mention again: “I take the view that it is part of being a good citizen, proving who you are, day in day out” (Andy Burnham, Home Office Minister, on the Today programme).
To underline this point about use, I announced last December five joint ventures between the Identity and Passport Service (IPS) and others.
Six months later there is already excellent progress. We believe the National Identity Scheme will help deliver: Criminal Records Bureau checks faster – particularly for those working with children and the vulnerable.
We have now designed new ways to make verification more effective and efficient, and we are now trialling with over two hundred CRB volunteers.
We think checks that take four weeks today could take four days with an ID Card.
But you, a member of the public, will have to ask an agency to do such a check, or the agency will do it on your behalf: e.g. when people apply to become registered childminders with an accredited agency.
Next year we will introduce Biometric Immigration Documents for foreign nationals.
The card will let employers check identity and entitlement more easily, rather than having to grapple with the raft of over 60 different documents foreign nationals can use to prove identity at and the right to work today.
I’m not sure employers have a problem with that. They have a statutory defence to a charge of employing someone not entitled to work in this country if they can show one or two of those 60 different documents. This seems to me to be more of a problem for the authorities, assuming they bother to enforce the rules.
Helping, I might add, the individual card holder to prove who they are, that they are entitled to work or study, open bank accounts and so on.
A pilot of a new Employers’ Checking Service is now underway.
It will soon include employers from construction, from retail, from hospitality, from agriculture and from finance. Early next year, a full service will go live.
It seems worth pointing out that one of the reasons why we have illegal immigration and working is because of the lack of enforcement of the rules we already have.
Third, we are working with the retail industry to standardise proof of age checks for the sales of restricted goods, including knives, solvents and alcohol.
At the end of this month, we will be presenting our findings and recommendations to the Proof of Age Standards Scheme board, based on excellent engagement with industry and individual business.
I wonder what portion of £5.5bn+ a proof of age scheme is worth.
Finally, we are developing blueprints for how both DWP and the Government Gateway can exploit
– I don’t believe he meant ‘exploit’ in a negative sense!
ID cards and Biometric Immigration Documents. Project initiation for both will begin next month.
So I can see already how secure identity will suffuse working life, private life and our use of public services.
But if the National Identity Scheme is to be the public good it could be, it must be accessible.
The great risk of laissez-faire identity systems is the risk that they could exclude people deliberately – or price them out of secure access to things.
Well, sure it’s a risk, but how likely is it?
That is why we have to keep costs down. Once in operation, the National Identity Scheme will be self-funding through fee income.
It will not use funds intended for any other Government purpose. In any case, 70 per cent of the cost of the scheme would have had to be spent upgrading our passports as part of the global move to increase passport security and incorporate biometrics, in line with other international standards.
First, 30% of £5.5bn (or whatever the cost of the scheme is this week) is still a lot: £1.65bn.
Second, international standards don’t require a National Identity Register.
We could, if we wanted, simply keep to the minimum requirement: a machine readable passport with a chip that contains a compressed image of the face. Everything else – fingerprints, irises, NIR – is up to the individual passport issuing state. Perhaps we don’t even need to spend 70% of £5.5bn.
Besides, can you imagine telling your partner, “well, we’d have to spend 70% on a new car anyway, so we might as well spend 100% on this flash one”.
But we have to keep our costs under scrutiny, and always propose the solutions we believe provide the public with the maximum value for money.
Finally, there is a requirement for accountability. The National Identity Register (NIR) will set new standards for best practice in protecting document, physical, staff and building security.
Even though it already breaches the Principles of Data Protection?
The IT systems holding the National Identity Register biographical and biometric information will be fully accredited by the government’s security authorities.
But a system created to build public trust must be overseen by something trusted by the public.
That is why I believe we should examine whether Parliamentary oversight can be strengthened further.
A National Identity Scheme Commissioner will be appointed to oversee the operation of the Scheme and report annually on the uses to which ID cards are put and the confidentiality and integrity of information recorded in the Register.
But if we are to multiply the uses of the NIR, I think we should look hard at how the Commissioner or Parliament is involved – more dynamically than an annual report. So I plan to meet those with views shortly to begin this conversation.
That seems good.
In conclusion, I believe we already have proven success in improving security in our identity service. Last year, UK passports were successfully upgraded to the new, more robust, e-Passports. Maintaining confidence in the integrity of the UK passport has allowed our citizens to continue to enjoy visa-free travel to the US.
And we are successfully rolling out interviews to crack down on fraudulent applications for passports.
But we have talked about this long enough. Now I believe it is time to get on with it.
In 20 years time, I suspect that the National Identity Scheme will be just a normal part of British life – another great British institution without which modern life, whatever it looks like in 2020, would be quite unthinkable.
Good maths there!
2007 + 20 = 2027