The database state is fantastic

Fantasy Security

Talk given under the auspices of No2ID at the

28 February 2009

http://DematerialisedID.com/BCSL/cmlTalk.html

Ladies and Gentlemen, first of all, I would like to thank Andrew Watson, for the invitation to speak today. The topic he's given us is the database state. It's a big subject. It's a big subject in the UK. And it's by no means limited to the UK.

This talk, you'll be pleased to know, is limited, to just one aspect of the database state – the implementation here in the UK of the Identity Cards Act 2006 [1]. The job's been given to the Identity & Passport Service [2], IPS, which is an executive agency of the Home Office.

In some respects IPS's job isn't unprecedented. They've got to introduce ID cards. Hardly impossible, we're already knee deep in ID cards – driving licences, credit cards, passports, sports club membership cards, birth certificates, security passes to get into our offices at work, you name it.

The Identity Cards Act requires that these new cards should be backed up by a new database, the National Identity Register. There should be one record on this database for each ID cardholder.

So the Identity & Passport Service have to create a new database. But that isn't unprecedented either. Just like ID cards, we're already knee deep in national identity registers, too.

Her Majesty's Revenue and Customs, for example, have got records of all income tax payers and all corporation tax payers and everyone registered for VAT and they've got databases full of the recipients of child benefits and the recipients of tax credits. Most of the other departments of state also have national identity registers. So do local authorities. So do the banks and the insurance companies and the utility companies and the credit referencing agencies.

So why is it, that the Identity & Passport Service, suggest that it'll take another 13 years – until 2022 – to create their national identity register?

There has to be a good answer to that question. After all, ID cards are meant to defend us against crime and terrorism. And crime and terrorism are here now, criminals and terrorists aren't going to wait politely for 13 years while the Identity & Passport Service get their Act together.

According to IPS, the answer is that all these existing national identity registers have errors on them. And duplicates. And there are omissions.

And that's true enough. The database of National Insurance numbers, for example, has nine million records on it that the Department of Work and Pensions can't account for [3]. That's no good to the Identity & Passport Service. If you're trying to count, everyone in the country over the age of 16, if you're trying to do a stocktake of the 16+'s, it's no use coming up with a figure which is accurate only to the nearest nine million. You want one-for-one correspondence.

So now the question is, why should IPS's national identity register be any better than the national identity registers we already have? And why should IPS's ID cards be any better than the ID cards we already have?

There's a one word answer to these questions, ladies and gentlemen, according to the government – biometrics. Let me quote:

"Using biometric technology we can permanently link people to a unique identity", it says, in the Cabinet Office paper on the UK's eBorders scheme [4].

"Biometrics will tie an individual securely to a single unique identity. They are being used to prevent people using multiple or fraudulent identities", it says, in the Identity & Passport Service's first Strategic Action Plan [5].

Biometrics "will make it possible to securely link an individual to a unique identity", said the Prime Minister, a year ago [6].

"Identity cards are already a reality ... As the cards become more widely available the whole country will see real benefits for citizens, businesses and the country by giving a convenient and secure proof of identity that locks people to one identity", said the Home Secretary, a month ago [7].

So it looks as though we can have one-for-one correspondence, between people, and records on the National Identity Register, thanks to biometrics. That's the unique selling point of what IPS call the "National Identity Scheme". Biometrics. That's why the National Identity Scheme will work, in a way that all the other schemes haven't.

And that makes sense, doesn't it? We all know about DNA. Your DNA identifies you. It works.

But DNA isn't on offer in the National Identity Scheme. You can't ask a Jumbo jetful of passengers, to wait for four days, while their DNA tests come back from the lab, before they can be cleared through Immigration. So IPS are proposing to use fingerprints instead.

No problem with that. Fingerprints work. They've been trusted worldwide for 100 years. Fingerprint evidence is admissible in court, and if there's ever any doubt, independent experts are flown in from abroad to sort it out.

But that's traditional fingerprinting. Rolled prints, taken by police experts, using ink. And that's not on offer in the National Identity Scheme, either.

Instead of DNA, instead of traditional rolled prints, what's on offer is a completely different technology – flat print fingerprinting.

It's quick, there's no expert required, it's clean and it's hopelessly unreliable. Flat print fingerprinting is so different from traditional rolled prints that it's something of a confidence trick to call both technologies "fingerprinting" – one name for two very different things.

During the course of 2004, 10,000 of us volunteered to take part in the UK Passport Service biometrics enrolment trial.

The results are available in the 300-page official report [8] on the trial, from which you will see that flat print fingerprinting failed. For about 20% of participants in the trial, their identity couldn't be verified using their flat prints. About 20% of participants, were told by the computer that no, you're not you, your prints don't match the prints recorded on the register five minutes ago.

That's how different flat prints are to rolled prints. And that's one reason why flat print fingerprinting evidence isn't admissible in court. There won't be any international experts on tap – not with a 20% error rate, there won't.

The Identity & Passport Service said, in their first cost report [9], that they want people to prove their right to work in the UK. Prove it, or you can't work. They also said, prove your entitlement, or you can't claim benefits. Prove it, or you're not entitled to non-emergency state healthcare. Prove it, or your children aren't entitled to state education.

If those proofs depend on flat print fingerprints, then about 20% of people are going to have a big problem.

The usual assumption, is that there will be about 50 million UK ID cardholders at any one time. 20% of that, is ten million people. Not ten million criminals and terrorists. Ten million nice people.

Only a fantasist would pursue a scheme which would make it hard for millions of people to work and to get the healthcare and the education and the benefits to which they're entitled but that's exactly what the fantasists at the Identity & Passport Service are doing.

Only fantasists would continue to claim that their scheme could lock people to a single identity when they know perfectly well, that with the biometric technology they've chosen, millions of people can't be locked to any identity at all.

When IPS started issuing biometric visas to non-EEA students last November, they didn't issue any card readers to the universities and they didn't issue any finger scanners [10].

So the universities can't read the cards, they can't check that the bearers' prints match the prints on the cards and they can't check them against the National Identity Register because there are no telecommunications facilities and there's no National Identity Register.

To say, in that situation, as IPS do, that ID cards are now a reality is the action of a fantasist.

Italy [11] are serious. They have a national network of about 8,000 places where people can register for an ID card. The Netherlands [12] are serious, too, and they have a network of about 4,000 registration centres. Here in the UK, IPS have established a national network of just 69 registration centres [13].

Not 8,000. Not 4,000. 69. IPS aren't serious, they're fantasists.

That's three or four times I've accused them of being fantasists. And that's just today – I've been making this case for years [14]. And the response from the government? Silence.

It's not just me. In 2006, the House of Commons Science and Technology Committee [15] reviewed IPS's plans. The Committee recommended that no decision should be made about biometrics, before successful trials have been conducted. And the response? That's exactly what IPS are doing. They're pressing ahead with the National Identity Scheme, without a successful trial, of the technology they want us all to depend on. That is the action of a fantasist.

In their report, the Science and Technology Committee declared themselves to be – and I quote – concerned, surprised, regretful, sceptical and incredulous at the confusion, inconsistency and lack of clarity of IPS's plans.

Plans which, these fantasists, nevertheless pursue to this day. Biometrics will not make IPS's National Identity Register any better than all the other national identity registers. Biometrics will not make IPS's ID cards any better than all the other ID cards. Biometrics will not provide one-for-one correspondence. The state of the art today, reality, says that IPS are going to waste the next 13 years. Nice work if you can get it and as long as you have no dignity.

It's obviously unwise to entrust your personal details to the care of a fantasist. And it's obviously unrealistic to expect fantasists to protect you against crime and terrorism. We are being asked to pay the cost, in terms of privacy, and yet we won't receive the benefit of security. It's a rotten investment.

I leave you with this thought. I would like to be protected against crime and terrorism and it pains me to say that the National Identity Scheme can't achieve its objectives. But there it is, that bit of the database state, here in the UK and abroad, is fantastic.

[1] http://www.opsi.gov.uk/acts/acts2006/ukpga_20060015_en_1

[2] http://www.ips.gov.uk/

[3] http://www.telegraph.co.uk/news/uknews/1550036/Fraud-fear-as-millions-of-NI-numbers-are-lost.html

[4] http://dematerialisedid.com/pdfs/Securing_the_UK_Border_final.pdf

[5] http://dematerialisedid.com/PDFs/Strategic_Action_Plan.pdf

[6] http://www.number10.gov.uk/Page14285

[7] http://press.homeoffice.gov.uk/press-releases/Benefits-ID-cards-manchester

[8] http://dematerialisedid.com/PDFs/UKPSBiometrics_Enrolment_Trial_Report.pdf

[9] http://dematerialisedid.com/PDFs/costreport37.pdf

[10] http://www.guardian.co.uk/politics/2008/nov/30/idcards-civilliberties

[11] http://www.guidacomuni.it/

[12] http://dematerialisedid.com/PDFs/88_630_file.pdf