Entire population to be suspects in ID card fingerprint scheme

ID Cards Bill to give police powers to check the fingerprint records of all adults in the UK

ID Cards Bill to give police powers to check the fingerprint records of all adults in the UK

Police will have new powers to check scene-of-crime fingerprints against the biometric records of the entire UK adult population under the government’s national ID card scheme.

The plan has raised questions about the accuracy of fingerprints and whether they are reliable enough to identify suspects in a database of 64 million people.

The proposals contained in the small print of the ID Cards Bill are an expansion of the scope of the ID card programme, introduced by the home secretary to fight organised crime, terrorism, fraud and illegal working.

The ID Cards Bill gives police investigating crimes access to the national ID card database if they are unable to find matches on the police’s national fingerprint system, the Home Office confirmed.

"Police retain fingerprints from crime scenes," documents published with the ID Cards Bill stated. "It would be possible for the police to run checks of this information against the National Identity Register to identify possible suspects in unsolved cases. This would have broader applications than terrorism."

The plan represents a significant expansion of the police’s existing National Automated Fingerprint Information System (Nafis), which holds records on six million people.

But police and IT experts contacted by Computer Weekly warned that, without investment in biometric technology, population-scale matching of fingerprints could prove unreliable.

Ross Anderson, professor of security engineering at Cambridge University, said that matching fingerprints to a database the size of the population would lead to a serious risk of false matches.

Michael Baxter, chief constable of Cumbria and chairman of the Association of Chief Police Officers fingerprint board, said that although the Home Office proposal is feasible as an idea, "it is probably a step too far" given the current state of technology.

With the technology behind the ID card scheme still being defined, Baxter said an extension of fingerprint matching to the whole population would require investment to develop "technical capability, efficient interfaces and integrated business processes".

Neil Fisher, director of security solutions at Qinetiq, said, "If you have a database of 64 million, the probability that you will get the right match every time is low."

One former chief constable told Computer Weekly, "The greater the volume of work, the greater the number of mistakes."

The Home Office said it would need to carry out development work to investigate the compatibility between Nafis and the central population register planned for the ID card scheme.

The department said it already had experience of linking fingerprint databases from different suppliers, including linking the police national computer to finger-print databases of asylum seekers.

The alarm is sounded over plans to widen police access to information

The proposal to allow the police access to the national ID card biometric database has alarmed opposition MPs.

Liberal Democrat home affairs spokesman Mark Oaten accused the government of slipping the plan in through the back door.

"The Home Office is going too far, too quickly. If the government issued an edict for everyone to report to their local police station to be fingerprinted, people would be up in arms. The effect of this bill is essentially the same," he said.

Jonathan Bamford, assistant information commissioner, questioned whether there were adequate safeguards in place for widescale fingerprint matching.

He said the police should not be given access to fingerprint records and other personal data held on the ID card register as a matter of course.

"The national identity register is an incredibly powerful tool and provides an incredibly powerful picture of people.

"If the police and other authorities can check this information, we have to make sure the request is proportionate," he said.

Read more on IT risk management