ID don’t add up and meaningless concessions

First, if there were any doubt, let me point you to this article in The Register which demonstrates exactly how the Safety Elephant’s claim to have fixed the price of an ID card at £30 works – or rather doesn’t work as his assumptions on costs are a long way from being valid.

And now on to meaningless concessions…

Today, according to the Guardian, the Safety Elephant will make a string of ‘concessions’ on the content of the National Identity Register (NIR) which will include a requirement that primary legislation is required to extend the range of data held in the NIR and possibly an outright ban on the inclusive of particularly sensitive identifiers, those which identifiy police and medical records, for example.

All of which is meaningless; it looks like a major concession but it isn’t.

I’ve written several articles on technical aspects of the NIR, particularly the use of information contained in it to cross-link information held in different systems. On the face of it, the Safety Elephant’s concessions might appear to place quite strict limits on that happening – but does it?

No.

In a piece entitled ‘Where the truth becomes a lie‘ I noted:

This, then, is the unstated purpose of the National Identity Register, it acts as an index, and as ‘skeleton key’, to locate and unlock a vast range of information about individuals which is held across government and in a wide range of other databases and, indeed, will include from the outset a number of index references – what in database terms are called ‘keys’ – to other systems including your passport and driving licence numbers as your National Insurance Number.

In order, therefore, to link your medical records, or even your criminal record, to the Register its not necessary to store that information in the Register itself, only its location – another database – and the unique identifier – the key – required to identify and isolate your individual records from everyone else’s. And this information can be added to the Register at any time not by Act of Parliament but by secondary legislation, by a statutory instrument which is not, generally, subject to anything like the same degree of scrutiny or debate as a full Act.

And for all the world it looks as if that criticism of the system has been addressed, except that I also noted, later in that same piece:

The third and final deceit regarding the National Identity Register is rather less obvious than the other two yet, in many ways, potentially the intrusive and the most damaging to civil liberties inasmuch as it enables personal information and data to be linked to the Register without anyone even realising it.

In order to locate a specific piece of information in a database you need a ‘unique identifier’, a piece of information held in the database which is unique to that information – and when it comes to identifying information which relates to a specific individual, the Register provides just such a unique identifier, your National Identity Registration Number.

Now, if and/or when ID cards are introduced, one of the pieces of information which will be disclosed to anyone making a request to verify your identity will be your National Identity Registration Number, the number which uniquely identifies you – and once that information has been disclosed there is nothing in the Bill to say how it may then be recorded or used. The only protection, in law, you will have will be via the Data Protection Act which, when it comes to issues of privacy, is far from watertight.

In fact, its highly likely that a wide range of third parties will make use of and record your National Identity Registration Number as a matter of routine – one can envisage from the outset that the financial services industry will be amongst the earliest adopters and that before very long, banks, building societies, credit reference agencies, insurance and pension companies and others will all be tagging every single piece of information they hold with your Registration Number and using that number to exchange information about you an your finances. Once your National Identity Registration Number gets out ‘into the wild’ it can be used for a wide range of purposes outside of those specified in the Bill and with few controls on its use. More often than not, you may not even realise that its being used.

This same principle, that information tagged with the NIR number may be just as easily located and accessed as information tagged with other numbers held on the identity register, such as tax and benefit records which contain a national insurance number, is as true for the use of the NIR by government departments and agencies as it is for the private sector in the examples given above.

It matters not one bit that the Safety Elephant is now ruling out the inclusion of identifiers for police and medical records on the register itself if that that exclusion is not also matched with an equal prohibition against the unregulated and unregistered recording of the National Identity Registration Number (NIRN) in other information systems. Database keys, for that’s what we’re talking about here in technical terms, are a two-way street – if you have someone’s NIRN then you can easily locate information about them in any system which uses the NIRN as an identifier and, as yet, I’ve seen nothing in the legislation which offers any controls over the recording and use of the NIRN either within or outside government.

To paraphrase Tolkein, the National Identity Registration Number is nothing more nor less than:

One Number to rule them all,
One Number to find them,
One Number to bring them all
and in the darkness bind them

Finally, I should mention the new research report ‘Identity Cards: an assessment of awareness and demand for the Identity Cards Scheme’* which the Safety Elephant claims ‘demonstrates strong public support for the scheme’.

* Can’t get the direct link to work, so visit http://www.identitycards.gov.uk/publications.html for the report – it’s the October 2005 report.

And indeed, there in the report it states with confidence that 73% of the public support ID cards, a figure taken from reseach carried out in January/February 2005 and verified by follow-up research in August to take into account any changes in opinion which have arisen in the aftermath of the July attacks on London.

Of course, look more closely at the research and its methodology and things begin to look rather less conclusive.

One obvious problem is the sample size – a mere 983 adults aged 16-75 with an extra 125 parents of children aged 15 in the first study, and only 250 in the second ‘verification’ study – from which the government feel confident in deriving the clear opinion of over 40 million UK citizens.

Second, the research paper does not include a copy of the questionnaire used in the study nor does it address the question of whether participants had any knowledge or understanding of the wider debate around ID cards – in short there is no way to verify what the participants were asked and howand, therefore, no way of assessing how impartial the study may or may not have been.

One interesting point to note is that in explaining the methodology of the first study is states that ‘no specific BME breakdown was included’ – which is interesting enough given that Race Relations Amendment Act 200 places a specific duty on all public bodies, inclusing the government naturally, to consider the impact of any decision on race relations issues – one might reasonably have assumed, post 7/7, that some detailed consideration would have been given in particular to the views of the Muslim community on an issue with such obvious sensitivities as ID cards but evidently not. More to the point, when we come to brief appendix on the August research we find the language has changed – no longer is there ‘no specific BME breakdown’, noe there’s no ‘BME boost’. Presumably this means they made no effort to include more BME participants in the second sample than in the first, which is just as well as they appear not to know how many were included in the first study in anything more than the most general fashion.

Its also noticable that while a quick follow-study of ‘public opinion’ was carried out in August, no repeat study of the views of potential ID verification service users was done – which is just as well for the government as if this report on the views of members of the London Chamber of Commerce is anything to go by, they wouldn’t have got the answers they were looking for.

Irrespective of all this the fact remains that informed opinion amongst those who understand the technology and the detail of the ID cards proposal – outside of government and the biometric data industry which stands to fill its boots with our money if all this goes ahead – remains firmly against the introduction of ID cards for a whole raft of sound and detailed reasons that the government continues to ignore for no other reason than the fact that its not what they want to hear.