On Monday, Charles Clarke gave yet another one of his absurd assurances to Parliament – as chronicled by Spy Blog, of which the most interesting comment was this:
Perhaps I can go even further. All of the many databases that are held about all of us in this House—whether they concern finances, health or passports, or are in the private or the public sector—are insecure to a degree while we do not have an ID cards system. The ID cards system will provide security not only for the identity database itself but for all the other databases that hold data about the whole of this country.
Let’s try a bit of very basic logic here.
According to Safety, the ID Cards system with provide security for the identity database…
But, and this is a massive but, the ID cards system is secured by and against the identity database. In other words it is self-referential system in which the system is only as secure as the database and the database is only as secure as the system – compromise one and you compromise both.
Then we get to next important point – the ID cards system will provide security, so Safety envisages, for all other databases, in the public and private sector that hold data about the whole of the country – this not only proves the contention I made in my first set of articles on the National Identity Register, that it will reach into and connect together information not only from government systems but almost literally any system which holds personal data about you. me and everyone else. That meams all the personal financial information held by banks, credit card companies, credit reference agencies, employers, supermarkets – everything.
There are two clear implications here.
First, any security breach in the ID cards system at all, compromises the security of every single database that relies on that system for security – all of them. Identity theft, while obviously distressing if it happens to you, is still relatively difficult to effect and limited in scope.
Simple frauds using credit cards, false benefit claims, etc can be carried out, but the simple fact that different systems work differently, operate differently and if they are well designed, require different things on top of basic information in order to establish identity makes it still relatively difficult to takeover someone’s life wholesale – if it happens to you your credit card or bank account may take a hammering or a false claim for benefits may be made in your name but rarely do such thefts extend beyond compromising two or three differnt systems at most because each new fraud requires new information to validate identity and increases the likelyhood that the fraud will be detected.
Compromise the ID cards system and your entirely life is laid bare in an instant – there is nothing that the thief cannot know, obtain or access once they have your identity.
Are you prepared to place your absolute faith in the security of a single system when things like this happen?
Incidentally, I love the comment from Revenue and Customs at the end of the article:
Like any other organisation that pays out money there will be some people intent on defrauding the system and we designed tax credits with that in mind.
I really don’t think that quite what the HMRC spokeswoman meant to say.
The second and far more disturbing implication – in terms of civil liberties – is that once all these various systems are connected together by the ID cards system, your entire life becomes an open book to anyone with the authority to examine information held in these systems – that means the Police and most certainly the Security Services, plus a whole raft of civilian investigators attached to Revenue and Customs and the Department for Work and Pensions.
Once such a system is in place, there is nothing that is known about you and recorded on a linked database that a State functionary with sufficient authority cannot uncover and cross-reference will other information in that same system. This opens the door not only to overt electronic surveillence but also to the use of sophisticated pattern analysis algorhythms to routinely scan data for any unusal patterns of behaviour.
To give an example of what this might mean, such a system could operate on benefit claimants, automatically scanning various systems from tax records, to vehicle registrations to bank records, searching for and flagging up any unusal patterns of activity – unusual in this case meaning anything which indicates that an individual has more income than their benefit records say they should have or even greater expenditure than such records can account for. Quite literally, you could win £100 on the lottery and go on a bit of splurge down your local supermarket, only to the find investigators from the DWP on your doorstep in a fortnight demanding to know where you got the money.
Yes, it has the potential to be that intrusive.
Moreover, once the key piece of information in the system – the National Identity Registration Number – gets out into the wild and into private sector systems that number, which is the ultimate key to linking all these systems together, will be completely outside any control, even that of the government. Even those who may be fairly sanguine about the idea of the Police and Security Services having near unlimited capacity to scrutinise their lives cannot be happy about the prospect of private companies developing similar capabilities.
Only the inadequate and poorly understood Data Protection Act stands between citizens and the creation of massive, overarching personal data systems within the private sector over which there is no effective statutory control – suddenly your bank could find out exactly what you’ve been buying down at you local Tesco store, although the real moneymaker in this from private sector companies is the sale of near 100% accurate marketing information to companies looking to sell you their products.
Ok, so it’s not quite the advertising frenzy depicted in the film ‘Minority Report’ but its the same principle – marketers could well come to know to within a few pounds exactly how much disposable income you have and, therefore, how good a target you might prove for their products.
Will this happen? Of course it will – there’s too much potential money tied up in such a scheme for it not to and every possibility, if the government’s sums are anything like as badly wrong as the LSE have suggested, that you may even the govenrment actively colluding in such activities and supplying the key data for them themselves – how else is that going to pay for it otherwise if it doesn turn out that the real cost of system is nearer the LSE’s estimates than the governments.
Of course the other big moneymaker riding on the back of this system is the use of private security firms to vet employees.
If you have spent criminal convictions on your records, you might think that is completely private matter between you and the State – if you don’t work in a profession where the disclosure of spent convictions is required by law then those convictions are of no consequence and your present, or prospective employer has no means of finding out about them anyway. Right?
Wrong? Reference to such convictions may still appear anywhere from public court records to newspaper articles, if your brush with the law was ever reported in the press – what prevents them cropping up is that they are, for the most part, difficult to track down and, in most cases, even more difficult to relate to a specific individual if the offence took place several years ago – unless, of course, you have a fairly uncommon name. If a conviction for an assault by Joe Jones was reported in a small local paper, twenty years ago, then the chances of definitively linking that report to a specific Joe Jones today are pretty slim and too time-consuming to make for a profitable exercise, unless the client paying for the check to be done is prepared to pay top dollar.
Add a universal ID card system linked to every substantive database in the UK and suddenly this become a different proposition – the newspaper article reporting the assault may still be fairly difficult to trace, but with the sheer weight of accurate data on hand to cross-reference that article with, the task of matching it to a specific and identifiable Joe Jones becomes much easier – the effort of compiling and cross-referencing the massive amounts of personal information that is already out there into accessible private data systems for security vetting suddenly becomes a much more attractive proposition.
With each retelling of the tale by government ministers, their argument in favour of ID cards not only become less plausible, but the full, horrific, extent to which this system will intrude upon the lives of citizens becomes more apparent – and by turn more frightening. Now do people see what those of us who have opposed this from outset means when we talk about the ‘database state’?
If we wish to continue to live in a free society, then we cannot permit the creation of this system. It is a simple as that.