Dematerialised ID — We do not need a new National Identity Register (NIR)

Anonymity/identity

Capture

Dematerialisation

Campaign

Newcomers and returning visitors, please note that you are welcome to talk to the hermit using this new invention, email.

Dematerialised ID

The voluntary alternative

to material ID cards

A Proposal by David Moss

of Business Consultancy Services Ltd (BCSL)

Section 5

For four years the government insisted that deployment of the ID cards scheme required a new database to be built, the National Identity Register (NIR). Then they noticed that they already have not one but several NIRs.

If anything, what is really needed, it is suggested, is a portal which allows the police and the security services to search several existing databases to support any current criminal or terrorist investigations.

We do not need a new National Identity Register (NIR)
If you are going to operate an ID voucher scheme, you need a list of IDs, a population register of some sort. Different countries adopt different approaches. Some have a single centralised database. Some have several distributed databases. BCSL's suggestion for dematerialised ID is to adopt the distributed database approach, involving a mixture of existing public sector and private sector databases.

... which is just as well, the government record with IT systems is lamentable
Recall the problems of government contracts let to Accenture/Arthur Andersen, EDS, Siemens, Capita and other IT services companies. The government are not good at computer systems. Think of the Child Support Agency, which is now finally going to be abandoned. Think of the National Health Service (NHS) National Programme for IT, two years behind schedule and 100% over budget. Think of the tax credits system – its website had to be taken down to stop growing fraudulent use and it has, in its time, paid tax credits by mistake to the value of £4bn. The examples could be multiplied.

The way taxpayers' money is wasted defies belief. It would not be tolerated in the private sector. The lessons must be learned.

... new project management techniques are introduced
For the Prime Minister, the lesson is that performance needs to be improved:

... Then there is the argument that ID cards and the national register simply will not work. This rests largely on the past failures, which I accept exist, of IT projects of all governments. This, however, seems to me an argument not to drop the scheme but to ensure it is done well.

In a bid to improve performance over the years, the civil service have implemented several project management techniques.

The present technique requires the Office of Government Commerce (OGC), a department of the Treasury, to perform various gateway reviews of projects. According to the Information Commissioner, the OGC's gateway reviews of the ID cards scheme should be published.

It should be the case that publishing the reviews would boost public confidence in the scheme and lend support to the Prime Minister's position.

... but when they are, they are cloaked in secrecy
Far from acceding to his ruling, the OGC are taking the Information Commissioner to court in an attempt to resist publication. It will be some time, as a result, before we know whether project management has become more professional.

... and the only way the public can find out what is happening is through leaks
In the meantime, all we have to go on is the government's previous record with computer systems. That, and the Home Secretary's view that the Home Office is "not fit for purpose" and has inadequate leadership, management systems and processes. And the leaked views of the OGC itself – it is no wonder that they are resisting publication if, despite these views, they are still going to recommend to the Chancellor that he sanction billions of pounds of expenditure on the ID cards scheme:

This has all the inauspicious signs of a project continuing to be driven by an arbitrary end date rather than reality.

I conclude that we are setting ourselves up to fail.

... the (un)affordability of all the individual programmes ... the very serious shortage of appropriately qualified staff and numbers of staff ... the lack of clear benefits from which to demonstrate a return on investment ...

The Home Office response, 27 minutes after the OGC email above, and a day before the OGC email below, was "I wouldn't argue with a lot of this ... It was a Mr Blair who wanted the 'early variant' card. Not my idea ..."

Just because ministers say do something does not mean we ignore reality - which is what seems to have happened on ID Cards.

I do not have a problem with ministers wanting a face saving solution ... a botched introduction of a descoped early variant ID Card, if it is subject to a media feeding frenzy (queues outside passport offices! and more recently IND) - which it might well be close to a general election, could put back the introduction of ID Cards for a generation and won't do much for IPS credibility nor for the Govt's election chances either (latter not our problem but might play with ministers).

My view based on present experience is that neither the Home Office or IPS should attempt challenging, they should be forced to do safe.

That is the OGC view. One of the OGC's jobs is to make sure that government IT is professionally managed. They are saying that, in this case, it is not.

And yet the Prime Minister still wants to proceed with the project. Despite "the lack of clear benefits from which to demonstrate a return on investment".

... leaks which suggest that the Home Office would be unwise to try to build the NIR from scratch
BCSL draws a different lesson from the evidence above. For the purposes of this section of the dematerialised ID proposal, the lesson is surely that it is not obvious that the Home Office are capable of creating and operating the National Identity Register database proposed in the Identity Cards Act.

They don't have to build a new one anyway – we already have plenty of NIRs
And it is not obvious that they have to:

We already have databases maintained by the Department of Health, for example, the Department for Work and Pensions, the Department for Education and Skills, the Home Office, the Foreign and Commonwealth Office, UKvisas and HMRC.
Then there are the databases maintained by central government agencies such as the Driver and Vehicle Licensing Agency, the Identity and Passport Service and Companies House (the scope of dematerialised ID extends beyond individuals to organisations as well).
And there are the databases maintained by local government, for the collection of Council Tax and council rents, for example, and for the operation of electoral registers.

In addition, there are private sector databases that the government can use:

They can pay, like anyone else, to use the credit referencing companies' databases (companies such as Experian), an option mentioned in the Home Office's July 2002 consultation document (para.4.9, 4.13, 5.18, etc ...).
And, unlike anyone else, using the Regulation of Investigatory Powers Act (RIPA), they can demand to see our emails and records of our other use of the Internet, and they can demand to see our phone records, both mobile and landline.

... and they already include all the personal data required for the purposes of the Identity Cards Act, apart from people's biometrics
Between them, these public and private sector databases must cover most people, most of them several times over. Between them, these public and private sector databases include all the personal data needed for the NIR, apart from people's biometrics.

While the biometrics in question are not reliable, this course of action is not recommended but, if they ever do become reliable, then a new database of people's biometrics could be built, gradually, as the biometrics are collected. We have had so-called "relational databases" since the 1980s and, using relational databases, the new biometrics database could be linked/related to the existing databases.

Central government records have been heavily computerised since at least the 1980s. It follows that civil liberties objections to building the NIR are around 20 years too late. The cogent objection is that building the NIR is unnecessary. Apart from people's biometrics, it already exists.

Making use of the existing databases would reduce costs, risks and delays
Any sensible manager interested in the success of the project would try to make use of existing resources. He would not ignore them. Why introduce the delay, while a new database is built, before the ID cards scheme can start? Why incur the costs, and run the risks, of building a new National Identity Register?

This matter was raised during the Home Affairs Committee examination of the Identity Cards Act. The Home Secretary took the view then that it would be better to start with a clean, new database:

Q628 Mrs Dean: How confident are you that your registration procedure will ensure that all entries on the National Identity Register are accurate and there are no duplicates or false entries?

Mr Blunkett: The reason why starting from scratch and having a clean database is so important is that the moment someone presents the same biometric but with a different identity, a different name and presentation, that would automatically show up as already existing on the database ...

A duplicate registration "would automatically show up as already existing" on an old database, too. It is not clear what the Home Secretary's point is here, why he thinks that you can only identify duplicate applications if you start with a new database.

It seems that he was exercised by errors on the existing databases. Omissions. Duplicates. Out of date data. Data that was wrong from the start. But you get errors with new databases, too. New errors – new omissions, new duplicates, and data that is wrong from the start in a new way.

If the government cannot implement procedures to keep the existing databases free of errors, then there is no reason to believe that they could keep a new database free of errors and so no justification for sanctioning the expenditure required to build a new database.

The prudent option must be to start with the existing databases. At least they exist.

This was recommended to the Home Office in BCSL's February 2003 proposal (para.1.4-5) and in several subsequent letters and further proposals. It was finally announced, in the Home Office's December 2006 Strategic Action Plan, that they would, after all, use existing databases (para.13-17) and in an interview with silicon.com, Mr James Hall, CEO of the Identity and Passport Service, said:

One of the key things we've been looking at is the use of existing government assets wherever useful. The Department for Work and Pensions has a very large Customer Information System (CIS) and we believe there is a huge opportunity to reuse that technology to store the biographic component of the National Identity Registry.

This change of systems design (from creating a new NIR database to using existing resources instead) was mocked by some of the press as a U-turn and a case of policy being "ditched". The more appropriate gloss on the matter is surely that – given that you want an NIR in the first place – it is a welcome outbreak of good sense. Four years late, four years after BCSL recommended it, but welcome nonetheless and we hope that further good sense will break out. That biometrics will be dropped until they become reliable. And that the ID cards scheme will be based on mobile phones, not smart cards.

What we need is a portal which can search the existing databases
The Home Office do not need to build a new database for the NIR. What is needed instead is a portal or gateway, call it "IPSPort", which links to the existing databases identified above (para.1.6). Building a portal is an easier job than building a database. There is no need to collect and verify data on 50m people. The job has a greater chance of success.

When IPS need to check someone's identity, they can use Google-type facilities on IPSPort to search the existing databases. The search results returned may include name, sex, address, date of birth, nationality, passport photograph and number, driving licence photograph and number, National Insurance number, employer's tax reference number, car registration number, criminal record (if any), and so on, all of which help to establish the identity of a suspected criminal or terrorist.

The custodians of the databases that IPS search all have their own procedures for establishing identity. The portal approach allows IPS to take advantage of the identity verification work which has already been done.

BCSL, with dematerialised ID in mind, particularly identifies the value of linking IPSPort to the databases maintained by the mobile phone network operators. That would help the police and the security services to establish the link between people and their mobile phones. It would help them to identify people and to locate them and to identify their associates. It would impede criminals and terrorists in their pursuits.

A portal able to cross-refer between all these sources would be a very powerful tool for checking identity. It would also raise legal questions about data protection and information-sharing, questions already raised in earlier BCSL proposals (para.1.33 and para.3.2):

The assumption made by BCSL is that it would be legal for IPSPort to cross-refer between public sector databases. That assumption may be false.
It is assumed also that it is legal to search the mobile phone network operators' databases – otherwise the police and HMRC wouldn't be doing it 500,000 or 1m times a year and, anyway, this is probably sanctioned by RIPA. If so, then RIPA would presumably also sanction searches on the databases maintained by BT and the other landline suppliers, the cable companies and the Internet service providers.
It is assumed also that it would be legal to search the credit referencing companies' databases – otherwise the Home Office wouldn't have suggested it and, anyway, these companies already operate services whereby anyone prepared to pay can search their databases.

These questions have been raised. They have not been answered. BCSL are not lawyers.

There are assertions in the media that information-sharing is illegal. The law which is broken by information-sharing is rarely identified. The Data Protection Act is occasionally appealed to. But actions taken for the purposes of "safeguarding national security" or "the prevention or detection of crime [or] the apprehension or prosecution of offenders" are exempted under clauses 28 and 29 of the Act.

The Department for Constitutional Affairs give some guidance, which suggests that information-sharing is not automatically illegal.

It is assumed therefore that this portal suggestion – the trivially obvious solution as far as any moderately capable IT consultant is concerned – is legally feasible when it comes to crime and terrorism, BCSL's principal concerns in this proposal. If it is not, then the suggestion must of course be withdrawn.

… any new database should concentrate on criminal/terrorist investigations
The results of IPS searches on the linked databases could themselves be stored in an IPSPort database, call it "IPSPortDB". IPSPortDB would be an investigations database, built up gradually, on an exception basis, when needs must, in pursuit of a criminal or terrorist investigation. Most people are not criminals or terrorists. And so, much to their satisfaction, most people would not be recorded on IPSPortDB.

The Identity Cards Act proposes that everyone aged 16 and over should be registered. Given that most people are not criminals or terrorists, most of the money spent on registration will be wasted. The portal approach advocated by BCSL directs effort to where it is needed. This is sniper fire compared with the government's blunderbuss.

People do not object at the moment to having their data recorded by HMRC, for example, or BT. It remains to be proved but people would probably not object to having their data recorded on IPSPortDB if it helped to eliminate them from terrorist investigations or helped to solve crimes of which they had been victim. If that is the case, then the portal approach advocated by BCSL may escape some of the civil liberties objections which the NIR is already attracting.