I feel a bit guilty about this as I’ve generally got quite a bit of time for Neil from the Brighton Regency Labour Party blog, but as it’s ID cards and Neil’s comments exhibit clear naivety as to what all the fuss is about, not only is a response called for but also a good fisking of comments.

So, on with the show…

The government have persuaded me, I want an ID card.

Thirty quid for a ten year card that allows you to travel around Europe, not much really, is it?

Houston, we have a problem right from the outset.

You see, as Bernie Herdan, head of the UK Passport Agency, admitted in July, the shelf-life of biometric identity systems - in this case passports - is going to be rather less than 10 years, viz:

Herdan was pretty candid on forgers’ ability to circumvent new security measures, saying the agency would have to keep changing designs and would have to change its technology “more frequently than every ten years” as it races to keep ahead of forgers.

Changing designs and changing technology means changing the biometric passports themselves, and if that’s true for passports then it’s also going to be true for ID cards, which are based on the same systems and technology - and what are the chances of a free ‘upgrade’ when that happens? Yep, none.

What of Clarke’s £30 price tag claim?

As this analysis [also from the Register] shows, this claim is far from being as solid as it’s being sold. The cards should cost £30 but only if the government’s costings and assumptions are 100% correct all the way down the line, and even KPMG, in their own carefully guarded fashion, seem doubtful about that.

KPMG’s report does not, as Clarke has tried to imply, state that the government’s costings are robust or realistic, rather it says - in Clarke’s own words - that “independent analysis in a report from KPMG, a summary of which will be published shortly, has concluded that the costing methodology is robust and appropriate for this stage of development” with a footnote to this press release which adds this comment:

“KPMG have recommended improvements such as extending the sensitivity analysis, revisiting the process for estimating contingency and revisiting some cost assumptions. KPMG have confirmed that the majority of the cost assumptions are based on appropriate benchmarks and analysis from the public sector and suppliers.”

From years of dealing with the public sector, it’s invariably a bad sign when such strong emphasis is placed on ‘evaluating the process’. As older, wiser heads know well, ‘evaluating the process’ is a standard blame reduction strategy in public sector circles which is used extensively when things go pear-shaped or are expected to go pear-shaped - you evaluate the process and when that is shown to be ‘robust’ you then blame everything that went wrong on ‘external factors’ and ‘unexpected changes in the external environment which were outside of the control of…’, all of which means that nothing of what went wrong was actually the fault of those with responsibility for the screw-up.

The main points highlighted by KPMG; ‘extending the sensitivity analysis’, ‘revisiting the process for estimating contingency’ and ‘revisiting some cost assumptions’ are all things which will impact directly on the overall cost of the project and, as sure as ‘eggs is eggs’ you can be certain that none of this will result in cost being revised downwards.

Let’s also not forget that this is an ‘independent’ analysis which was paid for by the government and done to government specifications - of course a respected firm such as KPMG would never backpedal on its findings to please the customer, would it? [see Arthur Andersen].

Finally it should be noted, when it comes to the matter of independent analysis, the government have used the claim of ‘commercial sensitivity’ - an exemption under FOIA - to prevent anyone not on its payroll from examining the detailed costings of the project.

Faced with the LSE’s genuinely independent analysis of the scheme, which puts the real costs potentially as high as £180-300 per card, the government’s response has been first to state that it didn’t accept the LSE’s figures, while refusing to publish its own, following which it did publish a ‘rebuttal’ which was both misleading and inaccurate and which, incidentally, failed to address the majority of the LSE’s criticisms of the scheme.

Also on costs, it’s worth noting this analysis from the Register, which looks at just one area in which the true costs of ID cards are being hidden from public sight: the as yet unspecified contributions to be made to the cost of the overall project from other government departments and agencies. No mention has yet been made by Clarke et al of the knock-on costs of the system that this will engender, either indirectly through taxes or cuts in services as money is taken from, for example, NHS budgets to pay for the cost of using ID verification in the health service or directly in increased costs for everything from passports to driving licences to criminal records certificates, where costs can be recouped by passing them on directly to the ‘customer’ in increased charges.

One of the more telling bits of analysis I’ve seen [will try to find the link] is one which shows that this system, on current costings, will only break even on near 100% take-up - which will only happen if/when ID cards become compulsory. If uptake is slow or there is significant resistance - and there are already more than 11,000 openly pledged refuseniks who will fight this all the way to the courts - then this whole system will turn into a money pit for the government.

And all this, so far, is predicated on the government’s costings being correct or as near correct as makes no difference - so before we leave the subject of the cost of the scheme let’s just remind ourselves of the government’s stellar record on bringing home IT-based projects on-time and on-budget which includes:

The Inland Revenue tax credits system which locked up for 15 minutes at a time and led to staff walking out. After ten months, 220,000 cases were unresolved and 400,000 people got their money late.
The NIRS2 national insurance system that came in years late and massively over budget - costing £85 million in compensation and £68 million to put right.
The electronic personnel management system in the Inland Revenue that can only be used by managers on a Monday to ensure that demand doesn’t cause the system to fall over.
The on-line PAYE system that hasn’t been sufficiently well-tested.
Five million tax records lost by the Inland Revenue.
Problems with the Swanwick air traffic control system.
The Security Service’s new SCOPE computer, which is running three years late and 50% over budget for an underpowered system.
The HR system for the Northern Ireland Office which cost £3.3 million and didn’t work after nine years
A lack of performance monitoring on NHS IT, criticised as ‘an appalling waste of money’ by a parliamentary committee.
The BOWMAN military radio project, which came into limited use over a decade late at a cost of almost £2 billion.
The new Child Support Agency system which went massively over-budget and over-schedule
The complete cock-up of the payment card system that swallowed £1 billion before it was scrapped
The immigration document handling project that was scrapped after £77 million and a delay of years
The CRAMS system for the probation service that went 70% over budget

[List above courtesy of the excellent PoliticalHack]

When it comes to the matter of ID cards costing £30, I rest my case.

Yesterday, Charles Clarke announced that the cards will only hold the same information as a passport and that primary legislation would be needed to change this.

The bill specifies that only name, date and place of birth, gender, address, nationality and immigration status can be recorded on the ID database. When you think of all the records our telecoms/mobile companies, supermarkets, banks, credit card companies and ISPs hold, it’s a joke to suggest this is intrusive.

I’ve covered this point in some detail here, the general gist of which is that Clarke’s supposed concessions are meaningless - without restrictions on the use and recording of the National Identity Registration Number from the National Identity Register there is nothing to prevent the development of an all-encompassing database state in which all the personal data held not only by government but by the telecoms/mobile companies, supermarkets, banks, credit card companies and ISPs, and a whole shed load of others besides can be linked together and used by government agencies to examine our lives in the minutest of detail.

If anyone thinks that can’t be done or that further legislation might be required to pull something like that off, then this other post of mine should soon disabuse them of that notion. And that’s just the powers accorded to civilian investigators working for the DSS - just think how the reach of Revenue and Customs, the Police and the Security Services will extend into such a huge cross-linked data system.

Further to this, everyone will have access to their own entry on the database and even information of who has been using it to verify their identity.

Spyblog was, last night, looking closely into this claim and, in particular, into the exact wording of Tony McNulty’s comments on this issue, which from the comments, were:

“Mr. McNulty: I certainly accept what my hon. Friend says about static as opposed to ever changing databases. She makes an entirely fair point. My hon. and learned Friend the Member for Medway (Mr. Marshall-Andrews) offered a lot of comedy about the Domesday book, but it is not a fair interpretation of the Bill to say that the Secretary of State can change anything in the database that he likes, and insert whatever he wants to. That is not the case. We want people to be able to access secure web sites, by means of their PIN number, so that they can adjust and change data on the register.”

As someone with more than 20 years dealing with IT both professionally and personally I can fully concur with Spyblog’s comment:

“So “hackers” or “phishers” or terrorists or criminals or foreign intelligence agencies etc. will be able to steal or muck around with NIR data without any of the security provided by Biometrics at all !!

How long before a computer virus brute force attacks your, by definition short PIN, and either compromises your information, and that of millions of other people, or causes you to have your NIR view/edit/update account to be locked or disabled - a Denial of Service ?

No doubt you will then be accused of tampering with the Register and sent to prison for 10 years, since it will be impossible for most people to prove that their IP address was hijacked or faked.”

It’s close to impossible to accurately assess the real level of fraud in online transactions as many of the most serious cases tend to go unreported - as an industry, like banking, it is tremendously ‘confidence sensitive’ with the result that problems are frequently ‘fixed’ on the quiet so as to avoid adverse publicity which might affect consumer confidence in a particular online system.

It has been, since the earliest days of computer-based fraud, an axiom that if you’re going to steal, steal big - banks and financial institutions are typically unwilling to even admit to major security breaches let alone large-scale thefts for fear that their customers will take their business elsewhere should they find out that the system they’ve been using has been seriously breached.

In all this, the weakest link in the chain is invariably the end user and their password or pin number, a fact known all too well to criminals as this report demonstrates.

We live in a world where people still fall for all the old scams, the now classic ‘419’ and lottery scams and, of course, pyramid schemes still trap people on a regular basis - there are plenty of people out there who would, and currently do, send confidential information about the bank account and pin number to complete strangers so long as the e-mail they get looks ‘official enough’. On that alone it should be obvious not only that a system which offers direct access to official identity records will be targeted right from the off but there are plenty of people out there gullible enough to be conned into turning over their pin number to fraudsters as well - a system secured on a pin number is an open invitation to “hackers”, “phishers”, terrorists, criminals - especially organised crime - and foreign intelligence agencies to ‘come and get it’.

I’ve argued all along that government just doesn’t understand the system it’s trying to put in place - if it did it wouldn’t be putting forward this evidence - and McNulty’s comments simply confirm that.

Fiona Mactaggart MP was a former head of Liberty and a vehement opponent, but she now sees the benefits of ID cards and argues that progression in biometrics technology has made them inevitable and worthwhile. She also categorically states that: “There will be no new powers for the police to demand ID cards”. This seems to address most of the opponents’ concerns.

No it doesn’t address ‘the opponent’s concerns’ at all.

First, the fact that there are no new police powers now does not mean that there will be no new police powers in the future.

Second, it should be obvious that even without such powers the Police can and will be demanding to see ID cards under their existing powers of stop and search.

The scenario isn’t difficult to imagine, is it? The Police decide that you look ‘suspicious’ so you’re stopped and searched. Now suppose you look ‘foreign’ [i.e. non-white] - could there not then be a ‘reasonable suspicion’ that you might, just might, be an illegal immigrant? I mean how do the police tell someone who’s here legally from someone who isn’t?

By checking your immigration status on your ID card of course…

Of course, legally you don’t have to produce it but then what options do you have in this situation? You can show your card or you can be hauled off to the local nick to prove your identity.

In any case, a voluntary system in which citizens are not required to produce their ID Cards on demand by the Police is not really what the Police want - what they want, unsurprisingly, is a compulsory scheme and portable scanners which allow them to check identities in the field - at least that’s what they told the Home Affairs Select Committee in April 2004 when questioned about their views on proposals for ID cards.

As for Neil’s touching faith in Fiona Mactaggart’s integrity as a former ‘head of Liberty’ - such things are entirely irrelevant.

Things change and it would be a rare - and short-lived - Minister indeed who managed not to ‘go native’ within weeks, or even days, of joining a department like the Home Office and who could stand up for personal beliefs in the face of being flanked by a mass of civil service advisors to tell her constantly:

“Ah, Minister. If only things were that easy”

Anyone who mistakenly believes that Ministers can easily carry private convictions forward into public office should, perhaps, acquaint themselves thoroughly with the story of Chinook ZD576 and note that a series of Labour Defence and Armed Forces Ministers which includes John Reid, John Spellar, Geoff Hoon and Adam Ingram have all, at different times, stood up in the Commons to stonewall and defend the verdict of gross negligence against the pilots, handed down by two [now retired] Air Vice-Marshals even though that verdict was not supported by the actual unbiased conclusions of the RAF’s own Board of Inquiry and Air Accident Investigation Bureau, a Scottish Fatal Accident Inquiry and a Lords Select Committee which consisted of a former Justice of the Scottish Court of Appeal, three QCs and Lord Tombs, an engineer who holds, amongst other things, nine honorary degrees in science and engineering from UK Universities.

And yet the MOD still refuses to this day to strike the verdict in this case from the record.

What about the cost? Well a lot of the expense of upgrading passports to bio-metric technology is going to have to happen anyway to comply with US standards being introduced. Some costs might actually be recouped by savings in other departments by making an ID card standard for NHS and benefit access.

Costs I’ve already dealt with.

As for US standards - well as recently as June, the Times were reporting on Eire’s moves to ditch plans to introduce biometrics into its passport in the expectation that the US will ditch its plans to make them mandatory under its Visa Waiver programme.

Why? Because the US cannot get the technology to work accurately.

It’s also worth noting that the US specifications require only a digital image for facial recognition and either fingerprints or iris scans - they take their own fingerprint records when you arrive.

Let’s also remember that the EU has not finalised the spec for its own biometric passport as yet, nor is it guaranteed that the EU and US specs (if the latter happens) will be compatible - yep, it’s VHS vs Betamax time again!

So will it make a difference to crime, immigration, identity theft etc? (Clarke has already admitted it won’t make much, if any, difference to terrorism).

Well, not according to Microsoft: their UK National Technology Officer Jerry Fishenden has warned that the UK ID card scheme could trigger “massive identity fraud on a scale beyond anything we have seen before.”

As Jerry rightly notes:

“Unlike other forms of information such as credit card details, if core biometric details such as your fingerprints are compromised, it is not going to be possible to provide you with new ones.”

Before going on to mention the ‘honeypot effect’ of putting a comprehensive set of personal data in one place, thus producing a “richly rewarding target for criminals,” and that we “should not be building systems that allow hackers to mine information so easily… Inappropriate technology design could provide new hi-tech ways of perpetrating massive identity fraud on a scale beyond anything we have seen before: the very problem the system was intended to prevent.”

This, for the non-technically minded, is a particularly salient issue. Outside of government circles and the biometrics industry, which stand to make billions off this scheme, no one in the independent technical community - those of us who understand the technology, its uses, abuses, limitations and implications - actually supports the government’s plans to introduce ID cards.

The experts - those of us with an informed opinion - are firmly against and with good reason. The opposition here is not just a bunch of overly suspicious conspiracy theorists, wing-nuts and hardcore civil libertarians; many of us are hard-nosed techs who understand all too well how the system works, what can go wrong and where its limitations and faults are.

Which is precisely why the government, faced with a community who do know what they’re dealing with and talking about - far better than any Minister - has refused to provide any detail as to its proposals, costings, etc: because its plans won’t stand up to that kind of detailed, hard-edged scrutiny.

Believe me, this is a debate we want. A debate we’ve been asking for all along and a debate we’ve consistently been denied by government. To borrow a saying from the pro-ID camp ‘if you’ve nothing to hide, then you’ve nothing to fear’ - so why are the government so obsessive in hiding the detail of their plans from those of us who can understand them and assess fully whether the rhetoric matches the reality?

Well most countries in Europe have ID cards and they wonder how we cope without them. It is just the natural progression of a responsible society that we do have them.

True. 11 out of 15 pre-accession EU nations have an ID card system.

None of them use biometrics, as yet, and none of them make use of a centralised, state-owned, identity register - in fact in countries such as Sweden, their ID card system is deliberately constructed in such a way as to prevent the government from accessing personal data without consent and to preclude the creation of the kind of national register our government wants. It’s also entirely voluntary.

I would actually go much further than the government and DNA test every baby at birth. I can hear the screams of outrage at this suggestion, but think what this would mean. Thousands of rapists caught at the first offence, more victims coming forward with a confidence they will get justice. The deterrent effect would be massive. This alone would make the process worthwhile without all the other benefits in crime reduction. This of course is just my own suggestion, nobody in the government would dare propose anything this controversial.

I’m not even sure I want to dignify this comment with a response.

Why stop at DNA? Why not let the government put telescreens in everyone’s home - as per ‘1984’ - it would certainly sort out the whole business of switching the terrestrial TV network over from analogue to digital at the same time and we could recoup some of the cost from the BBC licence fee.

When the Police were first permitted to gather DNA information for comparison with evidence from crime scenes - back in the 1980s - they were permitted to do so on the basis that DNA profiles obtained from people who were subsequently eliminated from their enquiries would not be retained - such records were to be destroyed either six or twelve months following the closure of the case. This was set out explicitly in primary legislation.

After Labour came to power it was discovered that the Police had ignored this provision in the legislation and illegally retained this information and kept it on file.

And what did the government do?

Did they hold an inquiry? No.

Were there any prosecutions? No.

Were those responsible disciplined in any way? No.

What the government did instead was they inserted and passed a retrospective clause [in a new piece of legislation] to make what the Police had done legal after all.

And we should trust the government?

While it is good that plenty of criticism of the ID card scheme is forthcoming and that the legislation is carefully made (it can still be messed up), a lot of opponents are just not thinking this through properly, but acting on an instinctive mistrust of this government driven by the media.

Is any of what I’ve written here instinctive or driven by the media?

If anything the media [other than the technical press] were slow to respond to this issue and limited in their ability and capacity to put the opposition case across fully.

This is a debate which, throughout, has been driven, in the main, either by the technical press - who are not really renowned for their histrionics - or by a number of bloggers, especially those with a clear technical background from which to understand the issues in detail.

As with the debate on electoral reform before and after the last election, it’s more often than not been bloggers who’ve led and carried the debate, who’ve done the detailed analysis and the scut work in understanding exactly what this bill means and how it will impact on our society - but for a few op-ed puff pieces about ‘principles’ the media has been for the most part riding on our coat tails throughout.

It’s time we realised, like the 11 countries out of 15 in the EU that have ID cards, that the benefits outweigh the costs. I’m sure I’m not going to be very popular with a lot of you out there for posting this, but I’ll give more details on this when I get them together.

Like I said, I do feel a little guilty at hammering one of Neil’s posts as more often than not I like the guy and his work.

There is nothing personal in all this - throughout I hope I’ve played the ball and not the man in my comments - nor, I suspect, is Neil’s view of ID cards that uncommon for all that it is deeply flawed and limited in its understanding of both the real debate and the real issues - which is perhaps the best reason of all for doing this as Neil has demonstrated the extent of public misconceptions about ID cards, the debate and, in particular, the opposition’s position and the issues we’re trying to raise.

Will anything I’ve written here change his opinion or that of others who support the introduction of ID cards for markedly the same reasons as those he’s put forward? I don’t know - but hopefully anyone reading this will now be better informed about the real nature of the debate and why, amongst those of us who do oppose this Bill, the opposition is so strong that more than 11,000 of us are prepared - and pledged - to go to prison [including Labour members like myself] rather than submit to a future under an omnipresent database state.
