So you think you want an ID card pt2

Neil’s responded to my piece of yesterday here and, again, there are several points worth responding to:

Firstly the price tag of £30. You are right, it may well be inaccurate. But by the government coming out and stating this figure so loudly, aren’t they making it more difficult for themselves?

If they do believe they are vastly out on the figure, why say it? Sweden and Norway have just released biometric ID cards for around £30 (43Euros), so £180-300 seems to be a bit of a scare story, maybe we should trust the government on this one (strange concept I know).

As far as I know, ID cards are due to come out in what, 2007? It would be a bit silly of the government to say they’ll cost £30, and then charge much more than this in the run up to an election.

On the price, one needs to consider the political ‘games’ going behind the scenes on ID cards, particularly in relation to the role of the Treasury.

When the decision was taken by Blair/Blunkett to go ahead and pursue ID cards seriously, the Treasury’s response was to make it clear that the entire project would have to be self-financing – there would be no additional money from the Treasury to fund implementation. That, in anyone’s terms is as close to a vote of no confidence in the project as the Treasury will come without issuing a flat ‘no’ and suggests that Gordon is, to say the least, extremely lukewarm on the whole idea even if that’s something he can’t admit publicly.

Clarke has announced a ‘fixed’ price of £30 for two basic reasons:

First because the LSE’s report into the potential real costs did a hell of lot of damage on the public opinion front and demonstrated clearly that the project is extremely ‘price sensitive’ – as the cost rises so public support fall.

Second, and rather perversly, because having anmnounced a set price and knowing that ID cards are due to come on stream at around the time Brown takes the helm and starts to prepare for the next election, he now has a possible bargaining chip with the Treasury when it comes to releasing public funds for the project, either directly or via the back door into departmental budgets.

In effect, if costs start to over run and spiral, Gordon has three choices – bail out the project to keep the price down to £30, stick to his guns on self-financing and see the cost to the public rise heading in to an election, or kill the project outright as unworkable.

This, however, assumes everything runs on schedule and to time irrespective of where the costs end up heading, which does give him a fourth route out of this situation – simply set the treasury’s beancounters on to the project with orders to examine everything with a fine tooth comb – this would not only delay implementation but could provide a politically acceptable [for him] way out – as the dilligent ‘Iron Chancellor’ he examines the project in detail to ensure that costs are full accurate and realised before going ahead and then as newly annointed leader he pulls the plug – well, puts it on indefinite hold – after a detailed Treasury analysis – with no doubt an assist from the Audit Commission and Public Accounts Committee – demostrates that its not financially and technical viable.

If you know the Hitchhiker’s Guide to the Galaxy well, think of it as the ‘Magrathea strategy’ – mothball the whole thing until conditions are right knowing that the legislation’s already there when needed.

Cost comparisons with Norway, Sweden, etc are, I’m afraid, a matter of ‘apples and oranges’.

The biometric passports being introduced in Europe are both very different from the ID cards being proposed here – the only biometric identifier being used is a digital photograph which can be read by facial recognition software [no fingerprints or iris scans] – nor is there a massive database infrastructure required to support a central identity register.

One simple cannot compare costs between the two projects although one can reasonably argue that if it costs £30 in Sweded for a passport/ID card with simple biometrics and no central ID register then that proves that £30 is an unrealistic figure for the UK’s far more complex system.

Reading the EU press released linked in Neil’s piece raises a further area of concern in terms of security. Sweden’s system uses an RFID chip, which is basically a radio transponder which broadcasts your information to reads over a short range – anything from 10mm to 6 metres depending on the type of chip. I’d need to check the full technical specs of the Swedish system but unless they’re using one with a range of the very bottom of end of what is possible [which as this is Sweden seems very likely, I must admit] then there may be a risk of the information on cards being harvested using techniques similar to bluesnarfing.

You make good points about the govt’s poor record on IT projects, but thats not really a specific argument against ID cards. The ‘not on time and over budget’ argument has been used to argue against almost anything, from having the Olympics to the congestion charge.

This point runs into much of Neil’s following comments as it encompasses not only civil service practice in large-scale IT projects but also the present state of the technology itself.

The government’s poor record on IT projects is one of those factors which looks, at first site, like a bit of a straw man – after all this could hypothetically be the project where they finally get it right – but it isn’t as the concerns run far deeper that just the track record itself.

The list I gave in my original article spans not just the life of this present Labour government but include projects which date – in their conception at least – back to the Major government and possibly beyond.

It’s also by no means a complete catalogue of governmental failures on IT projects – such projects were routinely running late and over budget before Labour came to power and such problem arise at every level of the public sector including within Local Authorities of all political make-ups across the UK.

One cannot, therefore, attribute these problems solely to politicians or a particular adminsitration or political party.

It’s also fair to say that the fault here does not lie with IT professional working in the public sector, either. I know and have worked with quite a few over the years and they are, almost to a fault, hardworking, dilligent and skilled professionals.

Nevertheless, examine each of the cases listed in the first article and you’ll find that somewhere in there an evaluation has been carried out which has arrived at the same conclusion as evaluations of similar projects before and afterwards; that conclusion being the public sector, particularly the civil service and more particularly than that policy makers and non-technical managers do not know how to adequately project manage large scale IT-based projects. This is systemic fault in the public sector so widespread as to be almost axiomatic.

As someone who has watched these development closely and who has a strong technical background which includes working as an IT professional, nothing I’ve seen suggests that any of this has changed or that any real lessons have been learned from past failures – the people in government and in the civil service who are driving this project forward are no better equipped to deliver and project manage it successfully then their predecessor who failed so badly on a whole catlogue of projects which ran over both time and budget – the critical difference here being that unless the Treasury does relent on its ‘no public money’ stance, in this case the effects of such overruns will be all to visible and reflected directly in the price the public will be asked to pay. There is no hiding the screw-ups on this project.

All things being equal the government have a consistant track record of failure on IT projects even where proven, robust technology is being used, mainly as a result of poor project management and decision-making.

To give but one example, take the NHS e-mail system. While the rest of the world [quite literally] standardised their use of e-mail on the ubiquitous SMTP and POP3 protocal which drive almost every non-webmail e-mail service on the internet, a few years back the NHS decided to buck the trend an use a protocal called X400.

All went fairly well for a while until government demands for standardisation to facilitate the development of e-government services lead to the first e-government interoperability framework [e-gif][ standards which specified the use of SMTP and POP3 for e-mail, leaving the NHS to rip out and replace its entire e-mail system to bring it into line with the new government standards.

Even with established technology in place, the government get it wrong. What chance is there of them getting it right, therefore, when the technology they’re hanging their hat on is still unproven and some considerable way from being robust – as is clearly the case with biometrics.

Every trial of biometric recognition systems to date has shown an unacceptable rate of failure – 10% on the first trial of Uk biometric passports, problems with people with disabilities, dark skin, brown eyes, ‘worn’ fingerprints from things like typing and manual labour not to mention the problems that facial hair can cause – and that’s under ideal test conditions not under real world conditions where less than optimal lighting and misalignment of scanning equipment becomes a factor.

Matter get worse as in the same week that Tony McNulty claimed that UK Id cards will carry thirteen rather than three biometric identifiers – the trick is to count the 10 fingers and two eyes separately – comes this report which although very technical, demonstrates that combining biometrics may result in more and not fewer errors in recognition.

Ultimately, though, the thing we should be most concerned about, whether we support ID cards or not, is the manner in which this debate has developed and what that says about the attitude of government and the state to us, the citizens of the United Kingdom.

At every stage in this debate, the government has put forward its arguments for ID cards and on every single point those arguments have been challenged, analysed and rebutted in clear and precise detail.

And on every occasion that has happened the government has responded in the same way.

First, it tells us that whatever the argument against it, they reject it out of hand – no reasons are given, no logical or reasoned arguments are put forward, no real attempt in made to debate the issues or put forward counter arguments.

All we get is ‘We’re the government and we’re right, so you’re wrong – and no, we can’t explain why because that information is ‘commercially sensitive’.

Take, for example, Clarke’s claim, made before the general election, that identity fraud costs the UK £1.3 billion a year – this claim has long since been rebutted and thoroughly debunked, as shown here, yet during the third reading debate this week, Clarke yet again repeated this claim?

Does this not seem to you to show an complete and utter contempt for the British people? The arguments being put forward here are not coming from a small band of wing-nut conspiracy theorists, however much the government would like to pretend that the case – mots of the detailed argument are coming from people who in every significant respect are far better qualified and able to assess these plans than the government’s own advisors and, certainly, better qualified and more knowledgable than any Minister.

Yet the government refuses to listen to anyone but a small cabal of civil service advisors and the biometrics industry, which stands to rake in huge profits on the back of this bill.

Next we get the ritual ‘shifting of position’ – like Iraq where tyhe rationale has been:

“Well its about the threat of WMDs… err, no actually it’s about liberating the Iraqi people… errrm, well no its not that after all, its actually all part of the War on Terror’.

THe same thing has happened in this debate:

“It’ll combat terrorism”

[then July 7th happens]

“Oh, fuck, that one won’t work… let’s try identity fraud

Shit, that one isn’t working either…

Let’s blame Europs?… No…

How about the Amercians and this visa thing? No…

Why don;t we say it’ll be as cheap as chips… Oh fuck…”

Look at the debate as a whole, at the arguments for and against and its clear that the government have run out of excuses…

And worse than that, being partisan for a moment, they’ve put forward a law which the Tories have wanted all along but never had to balls to follow through with themselves and done it is such a way as to hand the moral high ground to the opposition, to allow them to claim to be the protectors of social justice and civil liberties when one of the strongest proponents of ID cards on their side was Michael Howard, the man who, until recently, lead the Tory Party.

So, all we get now is ‘We’re right, you’re wrong. Fuck you!”

So much for democracy, eh?

Or as Franklin Roosevelt sharply observed:

The liberty of a democracy is not safe if the people tolerate the growth of private power to a point where it comes strong than their democratic state itself.

That, in its essence, is fascism – ownership of government by an individual, by a group, or any controlling private power.

  • Unity, a lot of your concerns seem to be doubts about the cost and about the reliability of biometrics. If these could be solved, would your objection be removed, or is it more the principle you oppose? I’ll make a few specific points here on what you raised, and post more fuller tomorrow on the cost and biometric issues.

    Although the Swedish passports and ID cards do not have fingerprint information just yet, they have agree with EU regulations that they will have them by the deadline in 2006.

    Most other countries are looking at at least 3 biometric indicators in their travel documents, this would include fingerprint information.

    My understanding of the Swedish system is that their NIR is shared with Norway, though I will check on this.

    I will post a fuller response tomorrow to address the other issues raised. Cheers.

  • All International Civil Aviation Organisation standard compliant Machine readable Travel Documents

    http://www.icao.int/mrtd/Home/Index.cfm

    i.e. “Biometric Passports” , will have “contactless chips” in them, not just the Swedish ones.

    “Contactless RFID Biometric Passports in the UK – same risks as US RFID Passports”
    http://www.spy.org.uk/spyblog/archives/2005/03/contacless_rfid.html

    The US Passports will have RFID but no encryption, the German ones will have encyyption,

    The dithering UK Passport Office still has not decided on such a fundamental technical design decision, so it seems likely that they will waste moneyy on rushing out a temporary bodge which may have to be changed soon thereafter, in order to meet their target date for issuing the first Biometric Passports.

    No matter if the data stream between Passport and Reader is encrypted or not, the initial radio handshake has to be unenctpted and is sufficient for these Passports to potentially allow remote snooping and tracking by radio, of tourists and business travellers, through their clothing and luggage.

    In the worst case these could act as triggers for nationaility specific or individually targeted terrorist bombs.

    At best, they are going to increase the length of queues at airports by a significant amount – remember that even 10 seconds extra delay per person means that the last people off a Boeing 747 Jumbo jet will have to queue up for over an hour and forty minutes at peak times, when there is no way to increase the number of passport checking booths, or else, people will have to be waved through as they are now, totally defeating the point of the Biometric Passport in the first place.

    You are correct to state that comparing European ID Cards with even the new Smart Card ID cards being introduced in, say Belgium or the ICAO Biometric Passports is like comparing apples and oranges.

    Even the sophisticated Belgian ID Card, with built in Digital Signatures for use online (the lack of which is a major failing of the UK ID Card scheme) has steered clear of creating a centralised biometric database, for a population of around 6 million, although it too has privacy and security problems.

    “The problem with the Belgian eID card”
    http://www.idcorner.org/?p=121

  • eek! – I wish I could type “unencrypted” properly !

  • The price of the German Biometic Passport with sophisticated RFID encryption will be 59 Euros, which should be compared with the planned UK Biometric Passport price of