Monday, December 20, 2004

Charles Clarke's woolly defence of the govt's ID cards

Charles Clarke has written an article in The Times defending the govt's plans for identity cards. He claims that ID cards will prevent benefit fraud and help in the "War on Terror". However his claims do not stand up to scrutiny.

Take for example benefit fraud. He states:

Moreover, their help in tackling fraud will save tens of millions of pounds of taxpayers’ money. Some £50 million a year is claimed illegally from the benefits systems using false identities. This money can be far better spent improving schools and hospitals and fighting crime and antisocial behaviour.
However according to the govt's own regulatory impact assessment (see clause 19):
The current best estimate is that the additional running costs of the new Agency to issue ID cards on a wider basis will be £85m pa when averaged over a ten year period. A further £50m pa is the estimate for the average cost over ten years of the verification service but this would not fall on the individual card holder.
Thus the system is already projected at costing more than twice as much as could possibly be saved from benefit fraud on the govt's own figures!

Later on, Clarke accuses critics of ID cards for woolly liberal thinking, and claims there will be no real cost in civil liberties:
I believe that some critics of our proposals are guilty of liberal woolly thinking and spreading false fears when they wrongly claim that ID cards will erode our civil liberties, will revisit 1984, usher in the “Big Brother” society, or establish some kind of totalitarian police state. Those kinds of nightmare will be no more true of ID cards, when they are introduced, than they have been for the spread of cash and credit cards, driving licences, passports, work security passes and any number of the other current forms of ID that most of us now carry.
This argument is quite flawed. The forms of ID we now carry are either entirely voluntary (e.g credit cards, ATM cards, loyalty cards) or linked to and limited to very specific purposes (e.g. driving licences, passports). One is not even required to carry any of them, and one needn't own any of them if one doesn't wish to drive or travel abroad. None of them are universal.

However the main points missed in the above argument are that:
  • On the govt's current plans, the ID cards would become a licence to live, revokable at the touch of button. Once the cards become compulsory the govt plans for them to be required for getting a job, accessing government services and accessing benefits. It is highly likely they'll also become necessary for opening bank accounts, taking out mortgages, getting credit cards and making major transactions. Clarke's article even suggests they might be used for renting videos. With so much of daily life tied to these cards, it will be impossible or at least very difficult to live without one. And given that they'll be tied to a central database with one entry per person, they could be rendered useless at the touch of a button by govt officials either deleting or flagging the database entry. This isn't an identity card, this is an internal passport.
  • According to the ID cards bill, the database entries will record all accesses for auditing purposes, thus every time you or your card is checked against the corresponding database entry, this fact will be recorded. Thus if a card check is required for accessing e.g. medical or educational services, this fact will be recorded in the database. Thus the ID card system will enable detailed recording of your everyday activities, more comprehensive than any store's loyalty card and compulsory to boot.
  • The ID card will facilitate all sorts of surveillance activity. If every resident has one by law, then the police merely need to ask for identification when people leave, e.g. political or religious meetings, protests, pubs, or any venue. Although carrying one won't be compulsory, the bulk of the law abiding population is likely (a) to carry it (because it is needed for so many things) (b) hand it over. And there's nothing to stop a future govt making it compulsory to carry.
It thus seems clear to me that the proposed system will form a powerful tool for social control and has very little to do with eliminating benefit fraud. However Clarke's claims that it will be useful for fighting terrorism, will help with identity fraud, and will even help prevent such tragedies as the death of the cocklers in Morecambe Bay, remain:
For example, a secure identity system will help to prevent terrorist activity, more than a third of which makes use of false identities. It will make it far easier to address the vile trafficking in vulnerable human beings that ends in the tragedies of Morecambe Bay, exploitative near-slave labour or vile forced prostitution. It will reduce identity fraud, which now costs the UK more than £1.3 billion every year.

Taking the £1.3 billion figure first. This figure comes from a report on identity fraud produced by the government a few years ago (see Annex B for the figures). However the figures contributing to this are not reliable, often included items that identity cards would do nothing to fight and were often based on guesswork. For example the figure was compiled, in part, on the assumption that 10% of VAT fraud (£215m out of £2.15billion) was due to identity fraud. The figures for credit card fraud (£370m) included card not present fraud e.g. for internet payments or payments over the phone. ID cards would have no impact on this. Why is the govt using such a dodgy figure to argue for a flagship piece of legislation?

As for the Morecambe Bay cocklers they were working illegally and off the books for companies that did not have scruples about employing illegal immigrants trafficked in from outside the country. How likely is it that such companies would ensure all their employees had ID cards? How likely is it that illegal workers would contact the authorities to register? The problem here was a lack of policing of employment/immigration, not a lack of identity cards. Unless the policing of these areas is increased the identity cards will make no difference.

Finally to the terrorists using multiple identities, it would appear that on Clarke's figures most terrorists (about two thirds of them) do not do so and therefore would not be affected by identity cards. Still disrupting the activities of the remaining third would be quite useful. But will the identity cards do this?

It is here that the discussion has to get down to some technical issues and the hurdles the identity cards system faces. The government is relying on biometric scans such as fingerprints and iris scans to prevent multiple identities being registered on the system for the same person. So, for example, when you enroll on the system your biometric scans will be compared with those already on the system to try and ensure you only get one identity on the system. Clearly allowing multiple identities will seriously undermine the ability of the system to deal with any of the problems above.

And this is where things fall down. Biometric scans are scans of living systems (people!) and multiple scans of the same part of the same person will not be identical. Moreover when comparing biometric scans one looks for closeness of match. Thus when deciding whether two scans match, one has to decide where to draw the line -- how close a match is good enough. Thus each biometric has associated with it a false match rate (the chance of two scans from different people matching) and false nomatch rate (the chance of two scans from the same person not matching). These typically have to be balanced off against each other to find a happy mean.

Now suppose you have a false match rate for a biometric of say 1 in a billion (higher than any I've seen claimed for existing biometrics -- typical claims range from 1 in 10000 to 1 in a few million). Note that this must include the possibility of operator error in using the machines, faulty machines and software errors. Suppose further that the database already has 20 million entries in it. There will be almost a 2% chance that a false match occurs. I.e. 1 in 50 people will register a false match, against a database of 20 million. And this figure will grow with each addition. The govt's plans would involves millions of people registering per year. For each million new people added, one can expect 20,000 (and growing) false matches on a database of 20 million people. Any system for dealing with these false matches and trying to ensure they're not attempts to fool the system into taking multiple identities are likely thus to get overwhelmed, they'll need to deal with 10s of thousands of false positives.

To add further doubt, this is a large IT system, one of the largest the govt will ever have attempted to produce. It's record with such systems (criminal records bureau, passport office, etc) is atrocious. Even the Police National Computer is shot full of errors!

As if that weren't enough, both fingerprints and iris scans have been shown to be forgeable. For example, fingerprints have been forged from prints left on a glass. And Iris scanners have been fooled by someone looking through a picture of an Iris with a hole cut out where the pupil lies. Admittedly the latter technique wouldn't be practical in most situations, but the lack of sophistication of the technique suggests, e.g. contact lenses printed with an Iris might actually fool the scanners.

At any rate, I'd expect those wishing to fool the system to use the long roll out to study the system and the scanners intently for weaknesses. Given government incompetence, the technical limitations of biometrics and the sheer ambition of what the govt's attempting, it seems to me quite clear that it'll be lucky if it makes any positive impact on fighting identity fraud or any other problem the govt has cited at all.

Does this mean we have nothing to worry about? Not quite. Most law abiding people will cooperate with the system, and the system may well thus "work" for this section of the population. Thus law abiding people will find themselves subjected to a licence to live, intrusive surveillance and a bureacracy capable of meddling in just about every area their lives thanks to the card. The criminals and terrorists won't.

The cards should be abandoned as a waste of resources from an anti-crime/anti-terrorism/anti-benefit fraud point of view and as a serious erosion of privacy and individual freedom otherwise.

No comments: