People who've followed this blog for a while know that I'm very interested in the debate around government issued ID cards currently taking place in Britain. Like Americans, Britons aren't used to compulsary ID cards. The proposed British scheme is based on a single universal identifier used across all government contexts and possibly across commercial applications as well. It is tied to a central database and audit log intended to track all uses of citizen identity information. And the scheme would concentrate a great deal of information – including biometric data – in a single place, and then make it widely available to government employees and systems.
These factors taken together have already resulted in significant criticism, skepticism and frustration. The famous London School of Economics has recently produced the final version of a study by 100 of the country's top academics and experts. Those interested in identity issues will likely want to take a good long look at it. The report is hard hitting. It's well written. And it makes a number of technical points with great clarity. Don't miss it.
Some have been critical of the LSE report for being too “engaged”. That's because it attempts to estimate the cost of deployment of the government proposal. The authors claim British citizens will need to shell out 300 to 500 American dollars each for the compulsory ID cards and passports – a tax holiday in reverse!
Whatever the price tag turns out to be, there is no doubt that it would have been infinitely better to define a system which made people feel secure about the privacy of their identity information.
Here's how the LSE describes its report:
The likely cost of rolling out the UK government's current high-tech identity cards scheme will be £10.6 billion on the ‘low cost’ estimate of researchers at the London School of Economics and Political Science (LSE), without any cost over-runs or implementation problems. Key uncertainties over how citizens will behave and how the scheme will work out in practice mean that the ‘high cost’ estimate could go up to £19.2 billion. A median figure for this range is £14.5 billion.
If all the costs associated with ID cards were borne by citizens (as Treasury rules currently require), the cost per card (plus passport) would be around £170 on the lowest cost basis and £230 on the median estimate…
The LSE report The Identity Project: an assessment of the UK Identity Cards Bill and its implications is published today (27 June) after a six month study guided by a steering group of 14 professors and involving extensive consultations with nearly 100 industry representatives, experts and researchers from the UK and around the world. The project was co-ordinated by the Department of Information Systems at LSE.
The LSE report concludes that an ID card system could offer some basic public interest and commercial sector benefits. But it also identifies six other key areas of concern with the government's existing plans:
- Multiple purposes Evidence from other national identity systems shows that they perform best when established for clear and focused purposes. The UK scheme has multiple rather general rationales, suggesting that it has been ‘gold-plated’ to justify the high tech scheme. For example, the government estimates that identity fraud crimes may cost up to £1.3 billion a year, but only £35 million of this amount can be addressed by an ID card.
- Will the technology work? No scheme on this scale has been undertaken anywhere in the world. Smaller and less ambitious schemes have encountered substantial technological and operational problems that are likely to be amplified in a large-scale national system. The use of biometrics creates particular concerns, because this technology has never been used at such a scale.
- Is it legal? In its current form, the Identity Cards Bill appears to be unsafe in law. A number of elements potentially compromise Article 8 (privacy) and Article 14 (discrimination) of the European Convention on Human Rights. The government may also be in breach of law by requiring fingerprints as a pre-requisite for receipt of a passport. The report finds no clear case why the ID card requirements should be bound to internationally recognized requirements on passport documents.
- Security The National Data Register will create a very large data pool in one place that could be an enhanced risk in case of unauthorized accesses, hacking or malfunctions.
- Citizens’ acceptance An identity system that is well-accepted by citizens is likely to be far more successful in use than one that is controversial or raises privacy concerns. For example, it will be critical for realizing public value that citizens want to carry their ID cards with them and to use them in a wide range of settings.
- Will ID cards benefit businesses? Compliance with the terms of the ID cards Bill will mean even small firms are likely to have to pay £250 for smartcard readers and other requirements will add to the administrative burdens firms face.
The LSE report concurs with 79 out of the 85 recommendations made by the House of Commons Home Affairs Committee in its report on the draft Identity Cards Bill. Following up suggestions there and coming from industry and academic experts, the LSE team also set out an alternative ID card scheme that would still incorporate biometrics, but would be simpler to implement and radically cheaper. The LSE alternative ID card would also give citizens far more control over who can access data about them, and hence would be more likely to win positive public and industry support.
Dr Gus Hosein, a fellow in the Department of Information Systems at LSE, said : ‘We have proposed an alternative model that we believe to be cheaper, more secure and more effective than the current government proposal. It is important that Parliament gets the chance to consider a range of possible models before the ID Cards Bill is passed. Even if government figures were correct, the costs of the government scheme are disproportionately higher than the scheme's ability to protect the UK from crime, fraud or terrorism.’
Professor Patrick Dunleavy, Professor of Political Science and Public Policy at LSE, said: ‘This report is not an argument for or against ID cards, but an impartial effort to improve the evidence base available to Parliament and the public. The Home Office currently officially suggests that ID cards will cost around £6 billion to implement over ten years, but it has not yet justified this estimate in detail. By contrast, we recognize considerable uncertainties ahead with such a novel, high tech scheme and we show how these uncertainties might affect costings.’
I'm still travelling in Europe and too jet-lagged to comment as fully as might otherwise be the case. Stefan Brands, a cryptographer specializing in privacy who has contributed ideas to the report (and to this blog), pulls out key points here, here, here and, of course, here.