ID Cards and the Perils of Identity Management

So the Home Office has decided to scale back its controversial plans for National ID Card Programme. Instead of a single, clean database generated from scratch, it will now build on three existing databases. This might be cheaper and present a much lower risk, but it represents a major step back for Identity Management across Government.

The critics and pundits will no doubt be pleased with themselves. They said it was too expensive, too risky and a threat to civil liberties. But most of the media debate missed the point. From an Identity Management perspective, a single, clean, meta authentication directory makes sense, provided the business case stands up. And there are Gateway reviews to examine this.

I must admit to some involvement with this Programme, having chaired the Private Sector User Group that helped to identify the business benefits for the ID Card. The business representatives involved were positive, though few would have been allowed by their PR departments to voice their support in public. I’ve also had the opportunity to discuss some of the societal issues with members of the public through the Royal Society Science in Society Programme. They were in favour provided the costs were not excessive.

Implementing an identity management programme in any organisation is a hard task. You know instinctively it’s the right move strategically. And you can identify dozens, perhaps hundreds, of solid business benefits. But up-front infrastructure investments that deliver longer-term savings shared across an organisation are never popular with business managers and investment appraisal functions.

In the case of ID Cards, the facts are also clouded by political spin, both for and against. And it’s an easy target for critics, who can simply play the FUD factor. Just point out that big Government IT projects never work, that the costs always overrun and that it will create a Big Brother State. Game over.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

You say you have been involved with the business case for ID cards. So just what are they, because none of the excuses put forward by the Govenment stand examination. "They will help against terrorists". No! none of the terrorists have made any attempt to hide their identities, most have been proud of who they are. "They will help with border control". No! how will my having an ID card stop an illegal getting in clinging to the underside of a lorry? "They will help with fraud". No! the vast majority of fraud is done remotely, the ID card can only be verified face to face in a place that has a finger print scanner. "They will be an entitlement card" No! this is possible now but no health worker is going to refuse treatment to anyone, ID card or no. Can you immagine it, a body arrives in an ambulance and a burly guard at the door says "No ID card no treatment, just stay there and die". "It will help the police identify people". No! If i am about nefarious busness I am hardly likely to carry my ID card with me. And in any case the police can arrest me if they have reason to do so no matter what I call myself. I think I have coverd all the main claims. Can you think of any others?
You shouldn't assume that Government presentation of policy is the sole basis for a business case. That's a different agenda and it operates at a different level of detail. Any enterprise or extended-enterprise Identity Management system offers substantial benefits in efficiency and enablement of new applications. It's obvious. Unfortunately many of these benefits don't translate well into the political sound bites of the day. So don't judge a programme just by it's political presentation. There's more to it than that. I'm not directly responsible so it would be inappropriate for me to comment and further.
You quoted above the Science in Society progam, and commented on the positive responses you recieved, specifically on societal issues. However, one of the aims if this program is, and I quote from their own web site, "To involve society positively in influencing and sharing responsibility for policy on scientific matters". In so far as the ID card system involves science, how come all the secrecy? The aims of this program seem to be directly at odds with the ID card scheme as it is currently being run, secretively. I know you are more interested in the technology then the politics, but you raised the point of "societal issues", ie politics.
I am not aware of any secret agenda for Identity Cards. I also disagree with your arguments against the claimed benefits. You can't dismiss them all on the basis of a handful of selected examples where they don't make a difference. There are plenty of cases where they do. As the Home Office state quite clearly on their Web site: "No-one has ever claimed ID cards are a panacea for global terrorism or crime. But we do know they will make a contribution to tackling crimes such as illegal working, money laundering and benefit fraud, which are enabled by the possession of multiple identities." My original posting did not aim to defend these claims. It focused on the benefits of a unified identity management infrastructure to Government IT. This is a good practice for any group of related organisation, as it improves acccuracy and security, enables easier navigation between services for customers and reduces duplication, and therefore saves money. By the way I didn't publish your last note because I didn't feel the language was appropriate for my site.
Illegal Working: The vast majority of people working in this country who should not be working are in the black economy, no tax no NI. My possessing an ID card will do absolutely nothing to stop that. A small number will be in jobs and paying tax, but why is it so important to stop them paying tax? There are moves afoot to allow this anyway. Benefit fraud: Again the vast majority of benefit fraud is people working while claiming benefits. Much of the multiple identity fraud could be reduced by doing better cross checking on applications. And if we are interested in reducing public fraud how about Tax Credits. At the start the scheme was so open to fraud they may just as well have re-named the site Simply doing the job better would be a cheaper and just as effective option. Money Laundering: I must admit that I know little about money laundering, not being a drug dealer myself. I do know that of all my bank accounts all but one have been opened on-line. The great weakness of ID cards is that they can only be verified face to face and in a place where there is a finger print scanner. If you can explain just how ID cards will help here I am sure many people will be most appreciative. So far I see no sufficient justification for the expenditure of £6bn and counting and some of the justifications have been risible if not downright insulting. If a senior exec had gone to the Board with the sort of business case we have seen so far he would return to his desk to find his P45.
In response to Adrian's messages I think it is instructive to look outside of the UK for examples of how the technology envisaged for the UK ID card scheme is being used to get a better understanding of the potential value. The situation in Belgian with the BelPic scheme is particularly interesting for a number of reasons, including: 1. The high and increasing range of applications the card is used for in every day life. 2. The strong level of voluntary take up by the population (5m+ already issued and on course for the whole population to have a card by 2009). 3. The fact that the Belgian's seem to see an effective and secure ID card scheme as helping to build trust between citizen and Government by helping people to exercise greater control over the way their personal data is maintained and used. It strikes me that if we were to apply some of these learnings to our own scheme, and embrace the opportunities presented by the technology it would actually go someway towards addressing some of the legitimate concerns of the privacy lobby.
If the card is to be justified on the grounds that it is useful to the citizen then I have a lot less beef. I do have concerns about the presumption that what is on the database is correct but we seem to have little freedom to inspect that information; there seem to be penalties for someone else making a mistake, but that is another thread. If the justification is on the bases of utility to the citizen there seems little justification for making them compulsory. I have a right to anonymity. If I chose no to do anything that requires me to identify myself of what use is an ID card? Why does the government feel it has to bar code me? Before we leave the subject of government justifications may I quote one more fatuous example? Tony Blair claimed that one use would be that it would enable the Police to trawl through attempting to match fingerprints from unsolved crimes. On the face of it a good idea, no one would approve of criminals going un-caught. However, automatic finger print matching is just not that good. The image of someone hitting a few keys on a terminal and shouting “we have him” is TV fantasy. The truth is that even against the much smaller database of known criminals there are typically several dozen hits. These are then eliminated or visually matched. Against a database of 6 million there would be so many hits it would just not be feasible. Tony Blair asserted this only once, presumably because someone had a little word in his ear, but the alarming thing is that he made the assertion at all. This gives the very strong impression that the business case was being made up on the hoof. In which case just what is the business case that justifies the pervasiveness and the enormous cost. One must have been prepared or the project would not have got past Gateway 1. On the basis of what I have heard so far I would not have allowed it past Gateway 0. Saying it 'seems like a real cool idea' is just not good enough.
For those who doubt my assertions above listen to Radio 4, 17:00 on 5th August. A certain Professor John Dougman has rather a lot to say. He asserts that the false match rate is about 1 in 1000. That means that trying to match against a database of 60 million, the population of the UK, will produce, on average, 60,000 hits. Can you really see a fingerprint expert sitting down to visually match that number? More worrying still, he asserts that the false reject rate is about 5%. That means that 1 in 20 times you want to verify your ID it will be rejected. With that sort of reject rate the scheme will lose credibility very quickly. If fact I think he is wrong, or at least badly reported. Figures I have seen set the figure at more like 0.3%. A lot more satisfactory provided the consequences of a false reject are not severe. Being whipped of to Camp Delta would be classed as severe. There are however specific difficulties. For people like brick layers who handle abrasive objects the false reject rate is very high indeed, making fingerprint ID virtually useless.