Dematerialised ID — Mobile phones are today's ID cards

Anonymity/identity

Capture

Dematerialisation

Campaign

Newcomers and returning visitors, please note that you are welcome to talk to the hermit using this new invention, email.

Dematerialised ID

The voluntary alternative

to material ID cards

A Proposal by David Moss

of Business Consultancy Services Ltd (BCSL)

Section 2

The paragraphs below are designed to prove one thing, in about 30 different ways, relentlessly, one argument after another – that we already have a supremely effective ID voucher scheme, based on our mobile phones.

Everything else follows from that. Among other implications, there is no point arguing about whether we should have an ID voucher scheme, it is too late. Also, there is no point spending money on an additional ID voucher scheme. Certainly not if it is based on the puny technology of smart cards.

The uptake of the mobile phone is viral, nothing will stop it, there is no point resisting it and it is culpable of the government to ignore it. The mobile phone system is an ID voucher scheme.

That applies in the UK, where the government are planning to issue us all with smart cards, even though we already have mobile phones. And it applies in every other country planning to do the same.

The sooner our governments see that the ID cards emperor is not wearing any clothes, the cheaper it will be for us taxpayers. And the sooner we will be able to benefit from the technologically literate identity management, based on mobile phones, which is already evolving.

Mobile phones are today's ID cards
The current intermittent debate about ID cards in the UK – should we or shouldn't we have them – is fatuous because it is too late. Between 80 and 90% of us already have an ID card in the form of our mobile phone.

This has not gone unnoticed by the police and HM Revenue & Customs (HMRC). To support their investigations, they make 500,000 requests a year for location and timing information from the mobile phone network operators. That is one request per minute, on average, every minute of the year.

The Identity Cards Act is based on a certain idea of what ID cards should look like. The idea is that ID cards have to include your name and a photograph of you printed on a credit card-sized rectangle of plastic. This idea is copied from what other countries happen to do and from the cards many people use to get into their office buildings, for example. That’s just what an ID card looks like. You don’t have to think about it.

It is the contention of this proposal that if you do take the trouble to think about it, then you realise that ID cards do not have to look like that. There are certain objectives for ID cards. The same objectives and more can be achieved and have been achieved by mobile phones. Technology has moved on since the cardboard ID cards and ration books of the Second World War. Our idea of what an ID card is can move with it.

If you once accept the fundamental premise of dematerialised ID that mobile phones are ID cards, if you once recognise what a valuable resource we already have in the global mobile phone network, then certain points follow.

... so we do not need to waste billions on IDNet
The Identity Cards Act requires the deployment of a new national network of ID card readers and biometric verification equipment. These terminals will be needed at airports and seaports, in police stations and benefits offices, banks, insurance companies, hospitals and GP surgeries, perhaps schools and universities and who knows where else? Churches? Pubs?

We cannot keep on referring to this network as the “national network of ID card readers and biometric verification equipment”. BCSL suggest that it should be referred to as “IDNet”.

No-one knows how many billions IDNet would cost. No budget for it is included in the Home Office’s July 2002 consultation paper on the ID card scheme, nor in any subsequent document of theirs. The cost would fall on public and private sector organisations alike. Yet another stealth tax.

What we do know is that IDNet is unnecessary. Mobile phones are today's ID cards and we already have four mobile phone networks up and running in the UK.

... we can avoid the unnecessary risks the government are taking with it
Deploying IDNet – installing and maintaining the terminals required – would be an expensive and complicated project. No sensible project manager genuinely interested in the success of the ID cards scheme would take on the risk of creating this new national network, not when there are already four mobile phone networks available.

... and we do not need to wait six years for a working ID voucher scheme
The Home Office's proposed scheme will not be deployed until 2012, whereas mobile phones and the associated infrastructure of databases and telecommunications equipment and retail outlets are already with us. There is no need to wait six years before addressing what the government say is the unprecedented security threat of Al-Qaeda terrorist attacks.

It may not be unprecedented. Indeed, thinking back to the depravities of the IRA, and thinking back to the Cold War fear of an “enemy within”, that seems historically inaccurate. But if the government believe that it is unprecedented, then, by their own logic, it is odd to wait six years to introduce their ID cards scheme when there is a better alternative already available and in use.

Dematerialised ID is at least as universal as the government's scheme
Between 80 and 90% of us have a mobile phone. That is not 100%. Mobile phone ownership is not universal.

The government scheme is called “universal” but it only applies to those aged 16 and over, it will have trouble including the many people whose biometrics cannot be registered or used to verify their identity, it will exclude overseas visitors staying for less than six months (originally three months) and there have been suggestions that the elderly will not be forced to have ID cards. So the government scheme does not apply to 100% of the population either and, in that sense, it is not universal.

Dematerialised ID tends similarly to exclude the elderly, who often do not like using mobile phones. On the other hand, it includes all the under-16s who have mobile phones and all the overseas visitors who have mobile phones. And it does not rely on biometrics, so it includes the 19% of people whose identity cannot be verified by their fingerprints, the 31% of people whose identity cannot be verified by their facial geometry and the 10% of people who cannot register their irisprints in the first place, let alone use them to verify their identity.

... on its own terms – universality – the government's scheme cannot help but fail
(The figures below are taken from Atos Origin's report on the UKPS biometrics trial conducted between April and December 2004.)

Note that the 19% (p.10) figure for fingerprints is consistent with the experience of US-VISIT, the fingerprint-based US scheme which has been in operation since 5 January 2004. Also, 19% is an average. The figure rises to 30% (p.64) for those aged 65 and over, i.e. 30% of the elderly cannot have their identity verified by their fingerprints.

Note also that the 10% (p.9) figure for irisprints applies to able-bodied people only. 10% of able-bodied people would not exist according to an ID card scheme that relied on irisprints. That figure rises to 39% (p.9) for the disabled.

And the figures for identity verification based on facial geometry are even worse. 31% (p.10) of able-bodied participants could not have their identity verified by this biometric. They would not exist and neither would 52% (sic, p.10) of the disabled.

Biometrics based on facial geometry are clearly too unreliable to be worth pursuing.

Irisprints may be worth pursuing. But it is a new technology without a long-established track record. Unlike fingerprints, and despite the film Minority Report, which is fiction, people cannot leave latent irisprints behind at the scene of a crime. And the police do not have an existing collection of irisprints on which to base watchlists, the way they do with fingerprints.

Fingerprints are the main biometric that most of the current and proposed ID card schemes in the world use. So we have, roughly, an 80-20 problem. 80% of the population can be included, 20% are excluded.

These figures are not a matter of opinion, open to debate. They are just facts. The biometrics chosen for the ID cards scheme are not capable of including all members of the chosen universe. So the scheme cannot be universal. And yet the government prospectus continues to hold it out as a universal scheme, see for example the Home Office website: "The NIR will be a new, highly secure database holding personal identity information and biometric data for everyone who has enrolled in the scheme".

... there will have to be additional schemes if the government are to achieve universality
What will the Home Office do about all the people excluded from the scheme? All these people who cannot register their biometrics? All these people whose biometrics are not good enough to verify their identity? All these non-biometric people?

The only answer BCSL has found came from Tony McNulty MP, who was at the time the Home Office Minister responsible: “… there are difficulties with the technology … not least with people with brown eyes ... none of these problems are new, but increasingly as biometrics are more and more used ... we think the technology can only get better and better and better …”.

His response is panglossian. It is facetious. It is unbusinesslike – no company would invest in a project on this basis.

The non-biometric among us cannot just be ignored. There will have to be other schemes to cater for them when it comes to fighting crime and terrorism and to the delivery of state benefits. All the security problems which are deemed to have been solved by biometrics will have to be reconsidered and solved some other way. For 20% of the population, we could spend billions on the ID cards scheme and still be no further forward.

... which is a political problem of their own making
And what will be the public reaction when it becomes clear that we are paying for at best an 80% solution when the government kept telling us that we were getting a 100% solution?

The public anger at the waste of money will be a self-inflicted wound on the government. No company offering a false prospectus would get a listing on the stock exchange. The government will not get this issue away.

... but it is just not sensible to aim for a single scheme
Neither scheme covers 100% of the universe. And why should they? Why should an ID voucher scheme include everybody?

A genuinely universal scheme would tend to become the single repository of authenticated identity. It would provide a single point of attack.

Evolution and free market economics both teach us that safety/survival/fitness lie in plurality. We already have several ways to establish identity. It is not a new problem. Multiple intersecting independent schemes are safer and can cover the whole population between them without any single scheme having to be universal.

Dematerialised ID has a good claim to be one of those schemes.

Dematerialised ID has more chance of achieving the government's limited crime-fighting objectives
The government have advanced several reasons for introducing ID cards. The emphasis keeps changing.

At one stage, counter-terrorism was specifically downgraded as an objective of the government scheme, which was meant rather to provide an emblem of citizenship:

"After the terrorist atrocities in the United States on 11 September 2001, I was asked whether the Government was considering introducing identity cards. I said at the time that any debate about identity cards should not centre exclusively on issues of national security. Far more important are the issues of citizenship and entitlement to services and it is in this context that I would like to see the debate unfold" (David Blunkett, Home Secretary, Foreword, July 2002 consultation paper).

Now, counter-terrorism and the fight against crime are advanced as major reasons for introducing the scheme, and the notion that an ID card could be the proud embodiment of being British has disappeared.

These are two admirable and popular objectives but no statistics have been presented to show that crime is lower in countries which have ID card schemes. Even if crime is lower in these countries, is it because of the ID cards or something else?

The government admit that ID cards will not eradicate crime or stop terrorism but state that they will at least impede criminals and terrorists. It is not clear how their proposed scheme will achieve even that. Spain's compulsory ID cards did not stop the Madrid railway bombings. And a mugger pointing a knife at you remains a threat, even if he is holding his ID card in the other hand.

By contrast, it is clear how dematerialised ID, with its use of mobile phones, already impedes criminals and terrorists:

From this point of view, mobile phones are the ideal ID voucher. They identify people. Call my mobile and you get me. People naturally carry their mobile phone with them wherever they go. Whenever there is a single blob of signal on the mobile's screen, people can be located accurately, often to within 50 metres, wherever they are in the world – the mobile phone network is global, the importance of borders and physical distance tends to dissolve. The network operators’ records show where a person is and where they have been. And they show who the person calls and who calls them.
Terrorists and criminals who do use mobile phones can be identified and tracked and their associates can be identified. That is a serious impediment.
Those who do not use them are also impeded in their pursuits. They are deprived of a very convenient method of communication, which is surely all-important in co-ordinating crimes and terrorist attacks.

... it helps to identify suspects
How do the police identify suspects? How do they know who to investigate, who to put under surveillance, who to arrest? The several answers to these questions identify the several intelligence schemes available. The police may receive tip-offs from informers, they may infiltrate extremist organisations, they may gather forensic evidence at crime scenes, they may monitor emails or exceptional cashflows in bank accounts, and so on. There are any number of such schemes and dematerialised ID, remember, is just one of them.

A useful one. The police may know that a particular mobile phone was in the vicinity of a crime at the right time but have no idea whose phone it is. By checking the mobile phone records, they can see who called this phone number and who was called by it. Somewhere among this set of associated phone numbers there may be a few for which the police can identify the usual bearer and so the investigation can take a step forward, there is a lead. It may be that the bearer of the unknown phone is completely blameless and can be excluded from further investigation. Or it may not.

This modus operandi is already used. Why else would there be over half a million enquiries made every year by the police and HMRC to the mobile phone network operators for location and timing data? Dematerialised ID is already with us:

"In the past five years, dozens of murderers have been convicted partly as a result of evidence about their mobile phones or those of their victims. Detectives now routinely contact the mobile phone networks and obtain details of phone calls made by and to a murder victim and from the prime suspects" (The Times, 18 December 2003).

That point has already been made. It is made again here simply to contrast mobile phones with smart cards. Smart cards provide no comparable useful intelligence.

The point should also be made that there is a difference between having the technology and actually delivering. Dematerialised ID provides intelligence. Whether that intelligence is correctly analysed and followed up is another matter.

... it helps to locate suspects
A Spanish national may be able to use his ID card to enter Estonia and there may be all sorts of useful security checks performed on entry. But once across the border, the ID card provides little assistance to the Estonian police if they want to locate him. A mobile phone would provide more assistance.

The same applies in the US, where 118,000 people pass through US-VISIT every day. How do the FBI track down someone the Department of Homeland Security have let through by mistake? His Border Crossing Card or visa is of little assistance in locating him. His mobile phone, by contrast, will locate him more or less continuously.

We could avoid this problem in the UK. If we were to issue entry permits and store them on people's mobile phones, the same device could be used for both immigration and subsequent location.

... and it helps to reduce more crimes – the big prize would come from reducing the various street crimes
One supposed benefit the government use to advocate their ID card scheme is the reduction of crimes like money laundering and identity theft. These are not, however, the crimes which worry people generally. Rather, it is crimes like mugging, burglary, drug-dealing, car theft and vandalism which depress the national mood.

These are all location-based crimes, and mobile phones help to locate the victims, criminals and witnesses involved. The political benefits of reducing these crimes and thus increasing the national sense of wellbeing are obvious and it is obvious how dematerialised ID could help. Already does help, let us hope, otherwise the police are not doing their job. Smart ID cards would make little contribution. They are based on the wrong technology to help much.

Dematerialised ID avoids the punitive feel of the government's scheme
Dematerialised ID includes the same main objectives as the government's ID cards scheme. The difference is that it achieves them without making everyone feel as though they are under suspicion:

Innocent people volunteer to pay for mobile phones because they are useful. They will not so readily volunteer to pay £93 (the Home Office’s latest estimate) for a biometric passport and an ID card.
They voluntarily carry their mobile phones with them wherever they go. They will not so readily volunteer to carry an ID card, a foreign practice, associated by the British with police states.
They voluntarily register such details about themselves as they have to, to get a mobile phone. They will not so readily register their fingerprints and irisprints. Fingerprinting, in particular, is associated with criminality.

... it avoids some of that scheme's civil liberties problems and thus reduces the political risks
Mobile phones track you and identify your associates. People know this. It is openly reported in the media how people are located and how alibis are checked by reference to mobile phone records.

Anyone looking at his monthly bill can see that there must be a set of databases somewhere which records all the numbers dialled. That is, he can see that his associates can be identified.

People know this and yet they still voluntarily use their mobile phones. Perhaps even civil liberties campaigners use mobile phones. Certainly there is no civil liberties campaign in the UK against the use of mobile phones.

A number of local authorities have voted not to use ID cards if and when they are introduced. They have not voted against the use of mobile phones.

Arguably, this neutralises the civil liberties issues raised by dematerialised ID. People have knowingly elected to forgo their privacy in exchange for the utility of the mobile phone. As a result, dematerialised ID reduces the political risks the government face in introducing an ID voucher scheme.

... and it provides clear ways to manage civil liberties
Perhaps, even so, people should be protected from themselves. The locus of the civil liberties problem is four databases maintained on each mobile phone network, the HLR (home location register), the VLR (visitor location register), the EIR (equipment identity register) and the AuC (authentication centre):

The HLR and VLR databases record where your phone is, prima facie evidence for where you are. The Identity Cards Act, as noted, allows visiting terrorists a six-month period of grace to case the joint before they have to apply for an ID card or leave the country. Thanks to its use of mobile phones, dematerialised ID impedes their activities, wherever they are in the world, as long as they are making a call from a mobile phone or to a mobile phone whose location is recorded on any of the UK's HLRs or VLRs. (For the two years until August 1998, Osama Bin Laden was tracked thanks to a satellite phone the CIA gave him. Then the penny dropped and he stopped using it.)
The EIR records details of all mobile phone handsets, supports billing and allows stolen handsets to be barred. Hussain Osman, one of the 21/7 would-be bombers, threw away the SIM card (subscriber identity module) of his phone and replaced it with a new one, thinking that that would stop him from being tracked. It didn’t. He kept the handset, which has an IMEI (international mobile equipment identifier). The IMEI is recorded on the EIR and it is thanks to that that he was followed from the UK to France to Italy and finally arrested: "Although the SIM card had been changed, the handset was the same, allowing police to track it to a specific area in Rome on 28 July". (Suppose that Mr Osman had had one of the government’s proposed ID cards. How would that have helped to do anything useful like find him so that he could be arrested? It wouldn’t.)
The AuC uses encryption techniques to authenticate handsets and other network equipment so that, for example, criminals cannot set up spoof networks. (Some similar facility would be required with IDNet to stop criminals setting up spoof networks of ID card readers and biometric verification equipment.)

Regulate who has warranted access to these databases and you can manage civil liberties, people can be protected from themselves.

The mobile phone is an infinitely better device than the smart card for locating criminals and terrorists
Often it is not identifying suspects that is the problem for the police, but finding them and compiling a case against them that will stand up in court. It is only once criminals and terrorists have been located that they can be arrested or put under surveillance.

Or as The Law Society put it in their evidence to the Home Affairs Committee: "The biggest problem for the police is not in identifying individuals, but rather in linking an individual to a crime. An identity card would add nothing to the existing tools available to the police".

Using an ID card will locate you. It is no different in that respect from using a cashpoint card. For 40 years now, whenever you have used your cashpoint card, a record has been made showing where you were and when. But you don't use your cashpoint card very often and you can get by without using it at all. If you do not want to be located, the same will be true of ID cards. So ID cards will not frequently provide a means of locating you.

Compare that with your mobile phone, which is constantly looking for the nearest phone mast to "associate" with, as it is known. You don't have to be using the phone, you don't have to be making or receiving a call, it just has to be switched on. There are places with no mobile phone reception but that is declining. Most of the time your phone is associated with a phone mast.

Remember the HLR and the VLR, the home location register and the visitor location register.

The location of your phone is recorded all the time that it is associated with a phone mast – every second of the day for many of us – on the HLR of your provider, Vodafone or Orange or whoever. That is the case whether you are in the UK or having a cup of coffee in a medieval market town in France. A US visitor to the UK will similarly have his location recorded on his provider's HLR in the US, perhaps Verizon, even while he is in the UK.

His location will also be recorded simultaneously on the VLR of whichever provider in the UK he has roamed onto. If he is in range of a T-Mobile phone mast, and Verizon has a roaming agreement with T-Mobile, then his location will be recorded on T-Mobile's VLR. Similarly, your location in France will be recorded on a French provider's VLR.

This is continuous, instant, real-time location. What more does the government want? The UK police can call the local gendarmerie and ask for someone to go to the cafe and arrest you, as they clearly did with Hussain Osman in Italy. ID cards have nothing similar to offer. So why consider them? The mobile phone is infinitely better at locating people. It is here, now and we have already paid for it.

Why do the government want us to pay for a second, expensive and inferior system? It is not as though they don't know about the location facilities of mobile phones. BCSL have been telling them since 31 January 2003, and we cannot be alone in this.

Campaigners who complain about the ID cards scheme by comparing it to the world of George Orwell's 1984 must have a poor opinion of Big Brother's competence. It seems patently obvious to BCSL that Big Brother would do the job properly and use mobile phones. Why would he waste money on smart cards?

It hasn't happened in the four years to date but soon, surely, the government will take the point. The UK government and other governments, too. Surely, they will soon look back and ask why on earth they based their scheme on smart cards, what possessed them, what delusion they were suffering from.

... dematerialised ID avoids wasting money on new smart cards
£2bn of the government's incomplete budget for the ID card scheme (July 2002 consultation paper, pp.139-41) is for the smart cards alone. People will not voluntarily carry smart ID cards with them wherever they go, smart cards will not generally help to locate people and they will not identify who people associate with.

Use the mobile phones people have paid for anyway and not only do you get a more effective ID voucher, not only do you know where to concentrate your efforts to manage civil liberties, but you also save £2bn.

... which are inflexible
If a system mistake is discovered in 2012, say, on the smart cards which have by then been issued, or if a new facility needs to be added, then all issued smart cards will need to be revoked and another £2bn will have to be spent on new ones. This high cost of corrections and upgrades will lead to inflexibility and reduced utility.

There is no equivalent cost in dematerialised ID, which is therefore not only cheaper but also more flexible.

... and which will stifle the growth of eCommerce
There is very little memory on smart cards, compared with mobile phones, which have enough memory to store all your contact details, music, photographs, videos, and so on. This may be what lies behind the Home Office's suggestion that only two fingerprints might be stored on each ID card instead of all 10:

"... It also emerged that the project was likely to be simplified dramatically. Rather than all ten fingerprints and other “biometrics” being stored on a microchip, the slimmed-down card may have only a digital photograph, or possibly two fingerprints" (The Times, 12 July 2006).

If eCommerce is to grow, we may want our credit cards and cheque books to be stored on our ID cards, along with our stockbroker dealing account, our library card and our health insurance card, our union membership card and our cricket club membership card, which allows us to buy drinks at the bar and to turn on the squash court lights. There would simply not be room on the government's proposed ID cards. There is already room on our mobile phones.

Smart cards would inhibit the growth of eCommerce. They would block the road to expanding the economy. Mobile phones would not.

Dematerialised ID can provide strong circumstantial evidence when it is needed to build a case
To say that mobile phones locate you is to use language loosely, a natural mistake or, you might say, a sleight of hand. The HLRs and VLRs are not recording where you are, they are recording where your phone is.

Dematerialised ID relies on being able generally to associate each mobile phone with a person. But mobile phone records can only provide circumstantial evidence. They reveal where the phone is, not where a particular person is. A person is not a mobile phone.

The phone may be being used, on any given occasion, by the usual user or by someone he has lent it to or by someone who has stolen it. The usual user may not be the person in whose name the phone is registered, e.g. your son may use a phone registered in your name and you may use a phone registered in the name of your employer. The phone may not be registered at all, it may be used on a pay-as-you-go basis.

There are all these problems for dematerialised ID. It is often going to be hard to establish the association between a mobile phone and a person but it is not impossible to do so and, when that association is established, the circumstantial evidence can be powerful. Look at the Holly Wells and Jessica Chapman case. Ian Huntley is known to have been in Ely, having new tyres fitted to his car, because his mobile phone records place him there. Maxine Carr is known for the same reason to have been in Grimsby, when she claimed to be in Soham.

... it has teeth
Stating baldly that the mobile phone is a voluntarily adopted electronic tag makes dematerialised ID sound nasty. The government’s proposed ID cards scheme seems cuddly by comparison. That is an index of how ineffective it is.

With a smart card, your identity would be tucked away in your wallet, next to the Threshers discount card, expiry date 12/99. With a mobile phone, your identity is continuously projected onto the record.

The global mobile phone network is here with us now. It is not going to go away. It is a mistake for the government to ignore it. The great strength of the network is that it creates, in the mobile phone, a more effective ID voucher than could ever previously have been feasible. Your mobile phone identifies you, it locates you at almost all times and it identifies your associates.

This great strength is also a great danger to civil liberties. That will remain the case under the Identity Cards Act. The Act is in that sense an expensive diversion from the real ID voucher scheme.

If the government will amend its scheme to rely on mobile phones, rather than smart cards, then attention will at last be drawn back to where it is needed, to the already pressing question how to regulate the mobile phone network operators, in such a way as to protect our civil liberties.

Is there nothing to be said against dematerialised ID?
There are a huge number of mobile phones and people take them with them everywhere and use them all day every day. That means that people lose a huge number of them.

People like mobile phones and want them and buy the best models they can. That makes them attractive to thieves and a huge number of mobile phones are stolen.

The problems for dematerialised ID are thus linked to its attraction, its success, its popularity. Half the street crime that BCSL suggests could be reduced by dematerialised ID is itself mobile phone theft or related to mobile phone theft.

... yes, the high incidence of the loss and theft of mobile phones will inhibit the adoption of mobile eCommerce
As long as this remains the case, people will quite rightly place limits on the extent to which they rely on their mobile phones. They will not willingly use them as wallets or credit cards or passports or visas. Not in large numbers, at least.

These applications are technologically feasible. They amount to a mobile version of eCommerce. They will not be widely adopted until mobile phones and the applications on them can be quickly:

replaced if they are lost.
made useless if they are stolen

Making a stolen phone useless seems simple. Remember the EIR, the equipment identity register. The EIR records the IMEI of each handset. Update the EIR and mark the IMEI as stolen, and the phone becomes useless, doesn't it?

In the case of amateur thefts, yes, and if any operator does not update their EIR quickly, then it is suggested that a case be brought against them, accusing them of being accessories after the fact. More stolen phones will soon be made useless, and the rate of theft will fall.

But the more professional thefts involve changing the IMEI. Making that impossible, the industry says, will take years and will be an on-going process. Only then will mobile eCommerce become gradually safer.

In the meantime, mobile phones remain useful tools in the fights against crime and terrorism. Even if they have been lost or stolen, mobile phones can be tracked.

... note that ID cards would face the same problems if they ever succeeded
Mobile phone loss and theft are problems which need to be managed. In that, they are not unique. Losing your credit cards or your passport or your driving licence is very disruptive now. In future, the loss and theft and counterfeiting of the government’s proposed ID cards would also need to be managed. They would face exactly the same problems as mobile phones. If they were successful.

Is there nothing to recommend smart cards over mobile phones?
The European Commission (EC) paid for the development of a general specification of identity management systems. The work was given to eESC, the eEurope Smart Card forum. In 2003, eESC produced OSCIE, the open smart card infrastructure for Europe, 2,000 pages or so of documentation, describing an identity management system based, naturally enough, on smart cards.

There is no eEMP, no europe Mobile Phone forum. Had there been, they might have produced an OMPIE, an open mobile phone infrastructure for Europe. As it is, instead of 2,000 pages of documentation, what we actually have is a working mobile phone industry.

And, instead of a working ID cards scheme based on smart cards, what we have is 2,000 pages or so of documentation, and the intention among most EU countries, the UK included, to deploy ID voucher schemes based on smart cards.

eESC is no more, and OSCIE is now the responsibility of the EU's IDABC unit (Interoperable Delivery of European eGovernment Services to public Administrations, Businesses and Citizens) who say of OSCIE:

"Although smart cards were the main focus, it was also recognised that other non-card based solutions for carrying out qualified eServices are being developed. Work on mobile device technology is particularly important, as this medium potentially offers cost, security and functionality benefits over smart cards."

... biometrics? No, you can store those just as well, arguably better, on mobile phones
You can store biometrics on smart cards. True. In fact, you can store biometrics on any digital medium, whether that be smart cards, as the government propose, MP3 playears, digital cameras or mobile phones, as BCSL propose.

... photographs? No, you can store those just as well, arguably better, on mobile phones
ID cards should have a photograph of the bearer on them, visible to the naked eye. That is a conventional belief.

Dematerialised ID can abide by convention. We can store photographs on mobile phones. People already do.

The photographs should be official, of course, to have any value. There is a technology known as "PKI", the public key infrastrusture, designed specifically to ensure authenticity. PKI could be used to authenticate photographs on mobile phones, to vouch for the fact that they are official, Home Office photographs. That is the case not least because, more and more, PKI is built into the operating system of mobile phones, to support other applications which require authentication.

You need to ask yourself, though, just how useful it is to have a photograph of the bearer on an ID card or on anything else. People are not particularly good at matching the photograph to the person. The UK credit card companies paid for a trial to test the value of having people's photographs recorded on their credit cards. The results suggested that this would have the effect of increasing credit card fraud, not reducing it, and the idea was dropped.

The 16mm x 20mm photograph on the sample ID cards issued for the UKPS biometrics trials, in which BCSL took part, is less than a quarter the area of the 35mm x 45mm photograph on a conventional passport. It is tiny – take a look at the picture on a photocard driving licence for comparison – and any human being is going to be hard put to say whether or not it is a picture of the bearer.

... distribution? No, that is cheaper and quicker with mobile phones
Once your material ID card has been created, it has to be posted or couriered to you. That costs money and takes time. Hours. Or even days. A dematerialised equivalent could be sent to you, like a text message, more cheaply and more or less instantly.

Subsequently amending or revoking your material ID card would be similarly expensive and time-consuming, which would make the government unhealthily reluctant to correct or upgrade the ID cards scheme. A dematerialised equivalent can be quickly and cheaply amended or revoked, simply by making a phone call.

... monitoring? No, that is better done with mobile phones
Dematerialised ID opens the way to remote monitoring facilities which are incomparably more powerful than anything which can be done with ID cards.

Consider this example. Some individuals are exempt from paying UK tax on their overseas income as long as they spend no more than 90 days a year in the UK. The number of days they spend in the country could be counted by reference to the presence of their mobile phone on UK HLRs and VLRs. It certainly can't be counted using their ID card. They won't have one. Ex hypothesi, they are spending less than six months in the country.

... payments? No, ID cards will multiply the authentication problems, not reduce them
The claim is repeatedly made by the government that ID cards will help to reduce credit card fraud. Does that mean that we shall have to present our ID card as well as our credit card when we make a payment? How will that help? There will then be two cards to authenticate instead of one. It doesn't close security gaps, it opens new ones. ID cards would be a new threat to payments.

And that's when we're present at the point of sale. In the case of a customer-not-present payments, it is not clear that ID cards would help at all.

Remember PKI, the public key infrastructure. If your material credit card was replaced by a dematerialised, digital credit card stored on your mobile phone, then PKI could be used to authenticate all your payments, irrespective of whether you were present or not. PKI was developed so that spies could communicate securely at a distance, i.e. when they are not present in the same place. PKI is, thus, precisely the general solution to the customer-not-present problem.

Other countries are deploying ID card schemes based on smart cards. That is no reason for the UK to follow suit
The Home Office repeatedly argue that the UK has to introduce an ID card scheme because other countries are doing so. That is a poor argument.

In Hungary, they speak Hungarian. That is rarely advanced as a reason for us to speak Hungarian.

These other countries will look very sheepish if China, say, or India skip a generation and deploy ID voucher schemes based on mobile phones. They will be left with the under-powered and inflexible technology of an earlier generation.

There is no need for us to join the sheep. Surely we would rather see our domestic policy designed in the UK to suit the UK.

The proposed fixed location terminals would be inconvenient
All the energy, all the innovation, is with the mobile phone industry, not smart cards. While railway companies offer tickets transmitted to your mobile phone and football clubs offer membership cards on their fans' mobiles, what does the government offer? IDNet.

The IDNet terminals would be in fixed locations. This would be inconvenient compared with a mobile phone, which you can use more or less wherever you are, and the terminals would be subject to breakdown and to vandalism.

... the mobile phone is the ideal device for the mass depolyment of IT systems
Dematerialised ID is different. In dematerialised ID, the handset is the terminal.

Mobile phone handsets are portable computers (power source, processor, memory, operating system, software applications, keyboard, screen, microphone, speaker, video, ...) with built-in telephony, messaging and networking facilities. The networking facilities include dialled connections – which you have to pay for – and infra-red, Bluetooth and RFID connections – which are free. It is hard to imagine a device better adapted to the mass deployment of IT systems. Mere smart cards are miserably under-powered by comparison.

... dematerialised ID will empower people, including the disabled, instead of shackling them
Consider the case of disabled people. Remember OSCIE, the open smart card infrastructure for Europe. OSCIE recommendations specify a network of specially adapted terminals for the disabled, with “sound to augment poor sight capability”, “enhanced graphics [for those with] poor aural capability”, “user profiles held on the smart card [to] allow the terminal to adapt differently to different user requirements”, two pairs of screens and keyboards at each terminal, the lower pair being for wheelchair users, or perhaps a single pair “on a motorised stand”.

In a country where vandals smash bus shelters and we can’t even make the trains run on time, this is manifestly unrealistic.

It is also unnecessary. The text facilities on mobile phones make them ideal communication devices for deaf and dumb people. Voice synthesisers can be fitted to handsets so that text on the screen can be read out to blind people. Wheelchair users can hold their handset to their ear at whatever height it happens to be at the time. Anyone who cannot use a mobile phone, as required by dematerialised ID, would probably not be able to use the ID card and terminals required by the government scheme.

Disabled people, like everyone else, are more likely to be shackled by schemes which rely on fixed location terminals and more likely to be empowered by dematerialised ID.