Out-Law News 6 min. read
28 Jun 2005, 1:54 pm
The LSE report, published on the eve of the second reading of the Identity Cards Bill in the House of Commons, was followed by a hard-hitting statement from Richard Thomas, the Information Commissioner, who said that the plans “risk an unnecessary and disproportionate intrusion into individuals’ privacy”.
He expressed the hope that “during the passage of the Bill parliamentarians will not just focus on the desirability of ID cards but look into the acceptability of Government recording so many unnecessary details of their own and their constituents’ lives.”
The Government published its proposals for the national ID card scheme in April 2004, revealing that the cards will be supported by a database containing detailed personal information on all cardholders, and which could potentially create an electronic fingerprint of everyone who uses a service, such as the NHS, that requires an ID card check.
The ID Cards Bill was reintroduced into Parliament several weeks ago, and is likely to be given a rough reception in the House of Commons today. First time round, those opposed to the Bill had sufficient support to ensure that it ran out of time in the run up to the General Election on 5th May. The Government is likely to find its task even more difficult this time in view of Labour’s reduced majority.
The timing of the LSE report, and the statement by the Information Commissioner, can only serve to heighten tensions. In response, the Prime Minister opened his monthly press conference yesterday with an appeal to the public to keep an “open mind” on the issue.
According to the report, The Identity Project: an assessment of the UK Identity Cards Bill and its implications, the proposals currently before Parliament are “too complex, technically unsafe, overly prescriptive and lack a foundation of public trust and confidence.”
They “miss key opportunities to establish a secure, trusted and cost-effective identity system,” and many of the stated objectives of the Bill could be better achieved in other ways.
The report criticises the Government’s reliance on untried technology – particularly biometrics – on a scale unseen anywhere in the world, for a purpose and operation that will require access from a large number of private and public bodies. Security will have to be “robust and resilient to malicious attacks”, says the report.
It adds:
“The success of a national identity system depends on a sensitive, cautious and cooperative approach involving all key stakeholder groups including an independent and rolling risk assessment and a regular review of management practices. We are not confident that these conditions have been satisfied in the development of the Identity Cards Bill. The risk of failure in the current proposals is therefore magnified to the point where the scheme should be regarded as a potential danger to the public interest and to the legal rights of individuals.”
The report considers the costs involved in the scheme, estimating that the total figure is likely to be £10.6 billion if there are no cost over-runs or implementation problems. But uncertainties over how citizens will behave and how the scheme will work out in practice mean that the 'high cost' estimate could go up to £19.2 billion.
If all the costs associated with ID cards were borne by citizens (as Treasury rules currently require), the cost per card (plus passport) would be around £170 on the lowest cost basis and £230 on the median estimate, says the report.
"This report is not an argument for or against ID cards, but an impartial effort to improve the evidence base available to Parliament and the public," said Professor Patrick Dunleavy, Professor of Political Science and Public Policy at LSE.
"The Home Office currently officially suggests that ID cards will cost around £6 billion to implement over 10 years, but it has not yet justified this estimate in detail. By contrast, we recognise considerable uncertainties ahead with such a novel, high tech scheme and we show how these uncertainties might affect costings,” he added.
The report lists 10 perceived uncertainties:
Our 'best case' scenario is that it will cost around £10.6 billion (very roughly £170 per card and passport) though some of this cost may be absorbed into Government budgets and passed on through tax. If the scheme is fully integrated into Government IT systems this cost may increase considerably. Worst case: £19.2 billion, with a proportionately higher unit price per person.
Best case: once in 10 years for everyone. Worst case: once in five years for everyone. Median: some people (for instance, some elderly or ill people) will need to renew their biometrics every 5 years or more; some others will need to renew cards because of personal circumstance changes; but other people can go 10 years.
Best case: Loss and damage will be the same as for passports. Worst case: More problems than with passports because ID cards are in use much more.
Best case: People flock to enrol speedily and there is no tail end of resisters. Worst case: People need extensive chasing, some people resist cards to the end, and enrolment is slow.
Best case: No verification problems, few corrections, and simple re-enrolment. Worst case: Significant problems with verifications, more corrections, difficulties checking other databases; enforcement is more costly because of citizen resistance, and re-enrolment is somewhat more complex.
Best case: people come to embrace the Government's scheme, seeing benefits in having an ID card backed by a Register. Worst case: a mass campaign of non-cooperation that creates unbearable pressures on the system with consequent financial cost.
Best case: Government is able to maintain strict protection of data on the register. Cards use secure technologies to limit the threat of data misuse. Worst case: the scheme suffers from "function creep" to the extent that a card becomes an internal passport without which a person cannot function.
Best case: Government recognises the challenges that face many disabled people in relation to biometrics, and incorporates technology to meet and support these problems. Worst case: to rein in costs the Government buys cheap technology that inherently disadvantages disabled people, resulting in severe day-to-day problems for them, for instance, possible denial of service and loss of dignity.
Best case: the security of personal data remains much as it is in the current environment. Worst case: if intruders or hackers could compromise security, then large numbers of identity records are at risk.
Best case: No new ID fraud. Worst case: Some new, high tech ID fraud develops, with greater costs for those citizens affected. Successful identity theft of a person's biometric data would mean that their fingerprints or iris scans are permanently in the hands of criminals, with little hope of revoking them.
Information Commissioner Richard Thomas yesterday reiterated his concerns over the plans, warning, “The measures in the Bill go well beyond establishing a secure, reliable and trustworthy ID card.”
“The measures in relation to the National Identity Register and data trail of identity checks on individuals risk an unnecessary and disproportionate intrusion into individuals’ privacy,” he said. “They are not easily reconciled with fundamental data protection safeguards such as fair processing and deleting unnecessary personal information.”
He pointed to the Government’s desire to make the ID card the “gold standard” in proving identity – requiring individuals to provide information that can be checked, and biometric details that can link a particular card with a particular person.
The Commissioner said, “once this process is complete and the ‘gold standard’ established, there can be little justification for retention of all such details in a central National Identity Register.“
He was particularly concerned about the data trail that will be built up on the Register as individuals start to use their ID card to access services. The Commissioner believes that this must be considered in the context of initiatives such as CCTV surveillance, automatic number plate recognition and proposals to introduce satellite tracking of vehicles.
Each development, said the Commissioner, “puts in place another component in the infrastructure of a ‘surveillance society’.”
“To avoid this it is important that each component limits to the minimum the recording of information about individuals, otherwise we risk unleashing unwarranted intrusion into individuals lives by government and other public bodies,” he added, pointing to alternative, less intrusive systems – one of which has been put forward by the LSE.
In his opinion the Government should be looking to “establish a scheme which allows people to reliably identify themselves rather than one which enhances its ability to identify and record what its citizens do in their lives.”
