The UK government is going for overkill with its scheme for ID cards carrying biometric technology, says Bart Vansevenant.
A leaked Home Office document has revealed plans to roll out national ID cards in the UK. It proposes introducing the cards gradually over a 13-year period at a cost of about £3.1bn.
The cards, which have been criticised by privacy campaigners, are coming under increasing scrutiny from both security and cost perspectives owing to the government's intention to use biometric data, such as fingerprint or iris scans. This information will be held on a central database on to which the details of 50 million people aged over 16 will have to be entered.
As a Belgian, I am used to carrying an ID card. In the next five years I will have an e-ID as part of the Belpic project, which is the first in Europe to deploy electronic identity cards on a large scale. This scheme will allow me to enjoy the benefits of secure e-government services by adding a digital certificate to my card at a relatively minor cost.
So why am I sceptical regarding the UK's planned scheme? In a word: biometrics. The UK government is too ambitious in its plans to use biometric technology as a means of authenticating the identity of UK citizens.
I can see no reason to use biometric information at this time. The logistical and technical headache of collecting more than 50 million iris scans and entering them onto a central, secure database must not be underestimated. And what of the cost? Biometrics is notoriously complicated and expensive to administer.
The fundamental reason not to include biometrics is that for the purpose the cards should serve, it is unnecessary and a potential liability to use the technology.
The point of an ID card is to prove that a person is who the card says it is. Most authorities will accept a name, home address, date of birth and, ultimately, signature to confirm your identity unless you are closing your million-dollar bank account.
In thinking out its national ID card scheme, the UK government should realise that biometrics are just one technique to authenticate identity. In Belgium, the government chose a public key infrastructure solution with digital signatures because biometrics, on such a large scale (8 million people), is simply not practical.
Despite choosing the simpler and cheaper option of public key infrastructure, the Belgian government soon realised that it required an outsourced solution. This puts into perspective the enormity of the UK's planned biometric scheme.
I hope that the UK government carefully considers all its options for authentication before choosing biometrics. By proposing a "super card" before it is sure of what it will use the card for, could wind up being a very expensive mistake.
With no recent history of ID cards, a two-step roll-out appears most appropriate and cost effective for the UK. Cards initially issued with digital certificates - but with the potential for biometrics to be added at a later date - is the approach we are taking in Belgium. This way biometrics can be added in limited amounts, thus keeping the cost down and scaling the eventual roll-out to a manageable level.
Such an approach would also benefit the political and moral acceptance of the new scheme.
What's your view?
Do you think biometric technology on ID cards is necessary? Tell us in an e-mail >> Computerweekly.com reserves the right to edit and publish answers on the website. Please state if your answer is not for publication.
Bart Vansevenant is director of European security strategies at Ubizen
This was first published in August 2003