LSE report on the British ID Card Initiative

The LSE (London School of Economics) has released The Identity Project – An assessment of the UK Identity Cards Bill & its implications. (Interim Report). Ideal Government says:

It demolishes both the government’s published aims and their proposals.

Should such repeated high profile failures raise questions about the future of the Home Office: Has the current Home Office itself become a major threat to the UK?

I know everyone is busy, but really, take a look at this thoughtful report.

It is a breakthrough piece of work in exploring, in a holistic and all-sided way, the relation between social issues and technologies of identity. I suspect that government technology leaders and policy makers around the globe will pay increasingly more attention to the thinking it represents – if they want to avoid the missteps against which it is a reaction. The report includes a discussion of identity initiatives in France, giving the impression that the French have already transcended many of the problems not addressed in the British Government's proposals.

Consider these powerful arguments:

Individuals today are represented by an abundance of identifiers that are designed to be relied on only by one or a few service providers only in specific contexts. An Internet Service Provider does not record our NHS number (and has no knowledge or concern whether we have been issued such an identifier, nor any means of linking to such a number). Sport club membership cards are not linked with our employee information, and are identifiers issued in accordance with club membership policies and requirements. As a matter of design, the identifiers held by the sports club are in essence useless to any other entity other than the sports club. It is also fair to say that in a number of these relationships, records are not even in a computerised form. The personal data that is collected for the issuance of an identifier is not even verified, nor is it required to be.

Local identifiers enable service providers to identify individuals within their specific transaction contexts, to create accounts for them, and to effectively deal with fraudsters. At the same time, local identifiers have the important benefit of limiting the capabilities of service providers to create profiles of an individual’s activities with other parties. A pub owner does not need to know our name, birth date or birthplace but merely whether we are of the legal age to consume alcoholic beverages. Previously a relationship of trust would be established between the publican and the clientele; or a form of identity would be verified to ensure that the individual’s birth year is prior to the threshold year. Our prior means of identification involved natural segmentation that ensures that identity thieves can only do damage with specific providers where they have gained information on users of those providers.

Bravo! Then the report continues:

The envisioned national ID card would replace today’s local non-electronic identifiers by universal identifiers that are processed fully electronically. This migration would remove the natural segmentation of traditional activities. In the case of a pub, if additional information was disclosed, say through a national ID card, malicious staff could steal this information, or this information can be abused in other ways.

As a consequence, the damage that identity thieves can cause would no longer be confined to narrow domains, nor would identity thieves be impaired any longer by the inherent slowdowns of today’s non-electronic identification infrastructure. Furthermore, service providers and other parties would be able to electronically profile individuals across multiple activities on the basis of the universal electronic identifiers that would inescapably be disclosed when individuals interact with service providers.

Ironically, the currently envisioned ID card architecture therefore has severe implications for the security and autonomy of service providers. When the same universal electronic identifiers are relied on by a number of autonomous service providers in different domains, the security and privacy threats for the service providers no longer come only from eavesdroppers and other traditional outsiders. A rogue system administrator, a hacker, a virus, or an identity thief with insider status would be able to cause massive damage to service providers, could electronically monitor the identities and visiting times of all clients of service providers, and could impersonate and falsely deny access to the clients of service providers.

Again Bravo! This is a wonderful presentation of various ideas which have animated these pages for some months, and which lie behind our fourth law.

The discussion of how – technically speaking – unnecessary data centralization leads to increased and unmotivated risk also resonates deeply.

The report concludes:

In the context of a national ID card infrastructure, security and privacy are not opposites but, assuming that proper privacy-preserving technologies are deployed, are mutually reinforcing. In order to move forward constructively with a national ID card, it is important for government to investigate technological alternatives that hold the promise of multi-party security while preserving privacy.

Not only will this approach preserve privacy, but it will also protect the existing relationships in society. It will ensure that the rail company knows what it needs to know for granting special prices to students; that sports clubs know the required information for membership purposes; and the NHS has sufficient information to authenticate patients; without unnecessarily binding these relationships with additional needless information. This approach will also diminish the potential for the amassing and sharing of information that is unnecessary and disproportionate.

Published by

Kim Cameron

Work on identity.