ID cards: a guide for technically challenged Prime Ministers
John Lettice (firstname.lastname@example.org)Published Monday 5th April 2004 13:55 GMT
Special Report Think about it - it wouldn't be compulsory if you had a choice, would it? David Blunkett's national ID card scheme has had more spikings than Dracula, yet each time has plucked the stake from its heart and continued its purposeful stride towards the statute book.
In early November the British Cabinet opted for voluntary schemes to build a base, with a compulsory scheme coming "when the conditions for moving to a compulsory card are met." Days later, there was Blunkett before Parliament making what sounded like a victory speech. With or without a green light for national ID cards the bulk of the cost is to be incurred anyway, he made it clear. The system is to be brought in for passports, driving licences and a series of special cases (overseas residents, asylum seekers...) anyway, so as Blunkett spun it there's only an extra £4 each to be incurred for the full scheme, so, what the hell, we might as well go ahead.
And just last week Tony Blair gave cardshis seal of approval, (http://www.theregister.co.uk/content/4/36748.html) claiming that civil liberties objections had been largely overcome, and that the main challenges now were technical. Indeed they are, Tony, but we fear you have little grasp of how big they are.
So how the blazes did this happen? Why is the UK sleepwalking into an ID scheme that has not been discussed, but that is nevertheless somehow moving ahead at full steam? And, for that matter, why is Europe doing so? The United States? The world?
One of the other major components of Blunkett's standard 'we might as well do it anyway' presentation is the incontrovertible fact that Europe has standardised biometrics for ID roadmapped, (http://www.theregister.co.uk/content/6/33208.html) and that the US will be requiring biometrics on passports shortly. These two having moved, there does seem a certain inevitability to the rest of the world moving as well. So, if biometrics are to become the global standard for ID, we're obviously going to have to invest in biometric systems for our ID documentation, which is why there's no point in asking people whether or not they want biometrics on their passports and driving licences.
Which is all perfectly logical, except that there's one little nagging question - how did biometrics become the accepted, logical, inevitable international standard for ID in the first place?
Well, it's obvious, isn't it? If your fingerprints are found at the scene of the crime, then you almost certainly did it, didn't you? And similarly, other apparently unique characteristics such as your iris, your DNA and so on can prove conclusively who you are, where you are, and where you've been.
This obviousness clearly drives David Blunkett. He is unshakably convinced that, as biometrics identify the individual with a high degree of certainty, it stands to reason that biometrics provide a sound foundation, probably the only sound foundation, for ID systems. On the one hand we shouldn't be too hard in him for this, because it's a conviction shared by much of the population, but on the other he is part of the team that supposed to be running the country, so it seems to us he has a certain responsibility to think it through. Just a bit.
Given that the alleged free world is already barreling down this route with little or no sign that anybody has paused to think it through, we don't hold out a great deal of hope that they'll do so now, meaning they're all going to have to learn the hard and expensive way. But just in case there is the odd politician out there still prepared to consider the possibility that it does not stand to reason, we here propose a short, readily-understood Register explication of why it does not, and why, if we don't wake up very soon, we will end up spending several billion on proving to ourselves it does not.
Biometrics work Did we ever say they didn't? In the shape of fingerprints, biometrics have provided a highly accurate mechanism for identifying criminals for many years now. In this role they clearly work, and their accuracy has contributed heavily to the general viewpoint that fingerprinting must therefore surely be a kind of gold standard for identity. But think - what mechanisms are used and what data is required in order to match a suspect up with the scene of the crime? Well, first of all, you need a crime at which a fingerprint is left - note that this will in most cases be absent when a fingerprint is being used to check identity, but a databank containing the relevant fingerprint alongside hundreds of millions of others will exist.
In the case of the scene of the crime fingerprint, the matching is done against a database of known suspects and criminals, and may also be compared with the fingerprints of specific suspects. The matching process can be time-consuming and can involve a considerable amount of manual effort, but this is acceptable on the basis that the search being conducted is limited and relatively targeted. But on a wider, a far, far wider basis, this all gets complicated.
The fingerprints you leave vary to an extent, and although this won't save you if you left them at the murder scene, it can most certainly confuse automated systems. Obviously, the checking of fingerprints that are being used as the standard to validate ID documents has to be automated. You could leave a different print depending on the surface you touch, what you've been touching recently, how clean your hands are, or what you've been working with. Bricklayers, apparently, tend to have rather faint fingerprints. So you can maybe think of fingerprints as being a little bit analogue, variable enough to confuse machines, although still static enough to be readily-identifiable by human experts. It may be significant that already, just a few months into its introduction of fingerprint checking, the US government has started trying to define standards of compatibility for fingerprint reading equipment. This may be entirely because it's simply concerned about incompatibility, but could also be flagging growing matching problems.
Ultimately these can probably be licked by the application of computing power, but this is not the only difficulty. Let's assume we have a passport or a driving licence with a fingerprint on it, and a bearer we wish to match up. The simplest way to do this is as a local transaction. You have what ought to be a clear and standard print on the passport, you have what ought to be a pretty effective machine for reading fingerprints (sole purpose of machine - if it is ineffective, you have a big problem with your supplier), and you have a finger. Should be easy, right?
Whose identity is it anyway? Well it is, because all you're doing is checking two things. First you're checking that the finger of the bearer is the finger that left the print in the passport, which ought to be easy, and second, you're checking that the passport is genuine. Which is maybe harder. Virtually all countries have some level of problem with forged and falsely obtained passports. In the case of forgery it's a continual battle to make it harder (and actually, biometrics are a pretty good addition to the armoury in this area, because at this level they're relatively cheap and effective). Falsely obtained passports are however a lot trickier.
Biometrics on a document can by themselves only provide conclusive proof that the person presenting the document is the person whose biometrics are on the document, not who that person is. If you wish to be absolutely certain of this, then you need to be absolutely certain of the integrity of the issuing authority. In the UK at the moment, we can really only go as far as saying there is a high probability that the integrity of the Passport Office has not been compromised in the case of a particular document, and that there is a fairly high probability that the integrity of the DVLA has not been compromised with respect to a drivers licence. But it happens in both cases, and while steps are slowly (very slowly (http://news.bbc.co.uk/1/hi/magazine/3098104.stm)) being taken to increase the confidence we can have in these documents, only a fool would say fraud can be absolutely eliminated.
It's no accident that passport and drivers licence are being used as the cornerstones of the UK's universal identity card scheme, but beyond that we have a significant percentage of the population which will need to be added, without the creation of new false identities, and the integrity of the system as a whole will only be as good as the integrity of the authorisation used for this part of the population. Although most of these people will have some other kind of identifier, such as a national health or national insurance number, these are already too compromised to provide a solid basis for identity.
The current controversy in the UK over the entry of economic migrants also provides us with an example of how the overall integrity of a national ID system can be compromised. The numbers involved are apparently small in this case, but nevertheless a system which is designed to make decisions on the basis of validated data (in this case, concerning the subject's identity, resources and business plans) has been compromised by the rubber-stamping of applications based on fraudulent data. This route could have been used to convert false ID into legitimate UK ID. In this case the loophole appears to have been created by the operators (it's not yet clear at what level) overriding control systems in order to deal with backlogs. All large-scale data processing operations are vulnerable to this, and it would be reasonable to presume that large-scale ID data processing systems will at least initially introduce many vulnerabilities of this kind.
Overall in the UK, however, we're sitting comparatively pretty. Our issuing authorities are honest and reasonably efficient, so we can be reasonably confident that the bearer is who the document says they are. This is not the case elsewhere. In the home of the war on terror, the drivers licence is used as a form of universal identity card, has historically been obtainable under assumed names with ease, and has therefore (well after 9/11) therefore provided a ready basis for the creation of false identity. A massive and immediate tightening up of the issuing systems in the US would simply choke off one major source of new false identity, while the elimination of existing ones would be a far more daunting task.
You can, slowly reduce, maybe almost eliminate, false identity in the developed world, but what of the rest? There are plenty countries whose documents, because of fraud, incompetence, inadequate systems or plain old political collapse, you would reasonably suspect. But in between the documents you're fairly sure of and the documents you're reasonably sceptical of you have a fairly large area that will surely be targeted by the sensible terrorist in search of false identity. If one can bribe an issuing officer in a country whose passports nevertheless provide a reasonably high level of confidence (a close ally of the United States would be good), then who needs to mess around with forgeries?
So, back at the desk with the passport and the finger, we can be reasonably sure that a local check will be sufficient in the case of quite a number of documents we're fairly sure we can rely on, but not in the case of large numbers of other documents, which are those most likely to be carried by the people we would like to suspect - illegal immigrants, drug smugglers, terrorists - if we had the means to suspect them. So we need to check more.
I know, let's do the show online! As the US, with the enthusiastic support of Europe, is to all intents and purposes compelling the world to adopt biometrics as the ID standard, we will have an ever-growing, ever more global, database first of fingerprints, then of faceprints. 60 million for the UK, say 300 million plus for the US (they're already collecting), 4-500 million for Europe, and so it goes on. The arrival of modern standards of biometrics in passports will result in the production of matching (perhaps...) databases in the countries of the issuing authorities, and in an increasing exchange of these databases between countries.
The challenges here are obvious, and the data you're most likely to want to run an online check on (we've already established we'll trust most UK ID) is precisely the data you're going to be least sure of, and have most trouble in keeping up to date. You're not just going to have to check that a usually static data combination of biometrics and name/ID is valid, but all sorts of other stuff as well. Do the biometrics associated with the ID you're currently checking also apply to a previously used, different, ID? You can only be confident that they don't if you're prepared to crunch through the lot looking for duplicates. Also, you are going to need to be sure that matters that should be associated with the ID (outstanding warrants, recent atrocities, the deep suspicions of the CIA or the Humberside police) have been. So you're really talking about pouring vast amounts of data from many diverse (and unreliable) sources into the global database very, very frequently.
That's clearly a Big Brother nightmare, but it probably needs worrying about more on the grounds of the amount of money we're going to spend on it than because it's actually going to work. The problem for the authorities here, however is that they're going to have to try to make it work if it is going to deliver what they say it's going to deliver. If you do not check for duplicates, for example, then the system is not going to tell you that Fred Bloggs of Sollihul is in fact Osama bin Laden. A silly example? Yes and no - obviously, it is not very likely that our current entry systems are going to let someone called Fred Bloggs walk through when they look strangely like Osama bin Laden. However, if he checks out as Fred Bloggs, UK citizen, with no record under our future automated systems, then general appearance is rather less likely to be challenged, or even noticed. So the assumed reliability of the systems could actually increase the security of fugitives in the event of their having successfully obtained clean, genuine ID.
If you take a rational and realistic view of the current capabilities of the technology, and of what it will be capable of in the foreseeable future, then you'll realise that in almost all cases the system will default to the local check, and we'll be running on the current procedures (visual, customs officer's suspicions, watch-lists) to determine when further checking is required. This realistic view is however not necessarily shared by the people commissioning the systems. Some months back Fiona McTaggart, a Home Office Minister (at time of writing anyway) wrote in a self-exculpatory piece in The Guardian that in the future we wouldn't actually need passports and documentation.
Which is absolutely true, if you're checking biometrics against a central database every time, for every individual, whenever identification is required. Under these circumstances documentation, plastic, even clothing is entirely unnecessary, because you are your identity. Fiona did not say at what point in the future this scenario would be technically achievable, but it's all too likely that the Home Office thinks it's a lot closer than it really is, and that it will be developing accordingly.
Polluted inputs We've already looked at several examples of polluted inputs that could undermine the system's integrity - false US ID, inadequate, arbitrary or cursory UK checking systems, and input systems from many other parts of the world whose reliability is debatable. These can clearly provide routes for the people you wish to intercept to pass through your control points and swim happily in your system. But what about the broader issue of what you do about those individuals who do not have ID that can be processed by your systems? Most of the world's population currently falls into this category, and that will likely remain the case for many years - so what do you do about them?
Well, in order to process them you need to give them some form of ID that your system can process, and on a small scale we're already doing this. Most people visiting the US will now, one way or the other, have their biometrics on the US database, and the UK can been phasing in fingerprinting of travellers coming from areas with a high incidence of asylum seekers. But what are we actually doing in these cases? Effectively, we're creating an ID that is valid within our system for the individual, and as always that ID is only as good as the inputs on which we base our decision. The US or British consular official who grants the ID will make the decision on the basis of interview and supporting documentation, but how sure can we be about the validity of the information presented? And the more applications we have to process, the less likely we are to conduct examinations of the detail necessary for us to have confidence in that information. To avoid either being overwhelmed or ending up presiding over a rubber-stamping system, we therefore have to pressure countries to introduce ID systems which we can then presume provide a valid and accurate statement of an individual's identity. But will be really be confident in these, or will we simply be making that presumption in order to stop our own systems breaking down?
So who the hell do you think you are? We shouldn't get too sniffy about the reliability of identity systems in the developing world, because when it comes down to it we in the west have precious little justification in being so damned sure about identity. Try this little parlour game, which I promise you has a moral to it. Ask yourself who you are, how you know this, and how far back in your life you can get before you start to get a little doubtful. You won't get anything like so far back if you perform the exercise on friends and family, but stick with yourself for the moment. Your family can vouch for you up to a point - but are they telling the truth? You have a birth certificate, but is this really you? Is the information on it correct? How do you know?
Fingerprints don't work when you're born (even David Blunkett doesn't fingerprint newborn babes yet, anyway), and general DNA testing at birth doesn't exist yet either. But say it did, and you were then able to point out that your DNA matched the DNA on the birth record, therefore you were definitely you... Er, who? Of itself this simply means your DNA matches the birth record, which is just as close to establishing ID as your fingerprint matching your passport (we covered this, right?). But it also provides proof that you are related to the people in your immediate family (or not - hey, mom...), and various things about your broader ancestry.
Effectively, what it's doing is establishing an identity for you in relation to the identities of a number of people surrounding and preceding you. But your identity, or what you think of as your identity, is something that has been assumed, generally, and by the accepted systems, as genuine at some point. This is probably around time of birth, but not necessarily, and not entirely - Fergusson, for example, suggests a Fergus as parent (allegedly...) at some point in the past, while Smith suggests an ancestral occupation and Pasteur a dairyman (joke - don't write in).
Identity is actually something that is established through a series of factors, history, occupation, location, parentage, and the whereabouts and circumstances of you or your ancestors when state systems began to require fixed and recorded tagging systems. The existence of these fixed systems does not however mean that you do not have multiple identities or identifiers (more people in my street, for example, will know me as the bloke at the top of the road with the dodgy old motor than will know me by name), nor does it mean that what they regard as fixed is what you personally regard as your identity.
But they've got something they're happy to think of as your unique identity, and we think of what's happening now as a successor to the processes that defined that ID for them. In developed countries at some point in the past couple of centuries the music stopped, censuses were taken and identity standards were defined. Now governments are pushing for a similar, global exercise that will result in everybody having what government will view as a standard identity, and where there is no pre-existing reliable identifier (as in the instances where people who didn't use surnames were assigned them), a new, relatively arbitrary one will be created.
As we've seen, this doesn't get us very far, because what we're interested in is the things that are associated with this identity, rather than the identity itself. Granted that false identities will inevitably be imported into the new systems, we'll need to wait at least a generation for these to work through, and granted that the systems' efficacy in fighting crime is dependent on accurate input of new associations, we'll need to wait a lot longer than that. But we will be able to say who everybody was saying they were when they first entered the system. Cool - but is it helpful, or worth the money? ®
Blunkett ready to force through compulsory ID for UK (http://www.theregister.co.uk/content/6/36417.html)
Draft ID card bill makes it to Queen's speech (http://www.theregister.co.uk/content/archive/34213.html)
Mission impossible? Blunkett's big biometric ID adventure (http://www.theregister.co.uk/content/archive/33919.html)
IXEurope buys Swiss datacentrePublished Monday 5th April 2004 13:41 GMT
IXEurope - the privately-owned UK-based datacentre outfit - has acquired the entire stock of Telehouse Suisse SA from Telehouse International Corporation of Europe Ltd, a subsidiary of KDDI Corporation of Japan.
Financial details were not disclosed.
Said IXEurope chief exec Guy Willner: "Having weathered the storm over the last two years our management team is delighted to be in expansion phase again.
"IXEurope is now the market leader in Switzerland, which is a fast growing market due to its central position in Europe and its favourable tax laws."
IXEurope is backed by Bank of America Equity Partners and European Acquisition Capital and provides outsourced datacentre services and hosted solutions management in the UK, Germany, France and Switzerland. ®
House of COMMONS
MINUTES OF EVIDENCE
HOME AFFAIRS COMMITTEE
Tuesday 3 February 2004
MS SHAMI CHAKRABARTI, MR SIMON DAVIES and MS VICKY CHAPMAN
USE OF THE TRANSCRIPT
This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.
Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.
Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.
Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.
Taken before the Home Affairs Committee
on Tuesday 3 February 2004
Mr John Denham, in the Chair
Mr David Cameron
Mr James Clappison
Mrs Claire Curtis-Thomas
Mrs Janet Dean
Mr Gwyn Prosser
Mr John Taylor
Memoranda submitted by Liberty and Privacy International
Examination of Witnesses
Witnesses: Ms Shami Chakrabarti, Director, Liberty; Mr Simon Davies, Director, Privacy International; and Ms Vicky Chapman, Head of Law Reform, the Law Society, examined.
Q152 Chairman: Good afternoon and thank you very much indeed for coming before the Committee this afternoon for one of our sessions on identity cards. In welcoming the witnesses who are from three different organisations, which is not always the way that we do it, if you could each very briefly introduce yourselves for the record and give us just a couple of lines about your organisation.
Ms Chapman: I am Vicky Chapman and I am Head of Policy at the Law Society which regulates and represents solicitors.
Ms Chakrabarti: I am Shami Chakrabarti, the Director of Liberty, otherwise and formerly known as the National Council for Civil Liberties. It has been in existence this year for 70 years, though we do not look it we hope, and we have had an interest in all of that time with rule of law issues, privacy issues in particular and, latterly and importantly, issues of race equality.
Mr Davies: I am Simon Davies and I am the Director of Privacy International. Privacy International is a London based global privacy watchdog established since 1990. We have a twofold role since our inception: we have advised on policy and technology relating to ID cards and our reputation is as a destroyer of ID card systems, in a passive way I have to say.
Q153 Chairman: Is your exclusive focus on ID cards or have you held more of a civil liberties remit like Liberty?
Mr Davies: We have a remit concerning the entire privacy spectrum from RFIV chip card right to remote sensing satellites. It is full spectrum of about 200 different issues.
Q154 Chairman: Can you explain how you are financed. We are familiar with the other organisations.
Mr Davies: Most of our money comes from philanthropic foundations, principally the Urban Society Institute which is George Sorenson's philanthropic foundation. The organisation itself is apolitical; we do not have a political stance at any level.
Mr Taylor: Chairman, could I declare a non-financial interest. I am myself a member of the Law Society.
Q155 Chairman: Could I begin with a question I think particularly to Liberty and perhaps to Privacy International as well. I was struck by Liberty's written evidence that said that ID cards are a solution looking for a problem. Can we start with the problem end of this. To what extent do you think our society does face problems which arise from the difficulty in establishing people's identity?
Ms Chakrabarti: Our society certainly faces problems and I acknowledge that, in the current climate, people, myself and my colleagues included, are very worried about crime, terrorism, poverty and all sorts of societal ills. Our approach to ID cards is that we do have profound constitutional concerns about such a shift in the policy, what it means in our common law tradition, in our liberal democracy for the relationship between the individual and the state. What we say about that is that such a constitutional concern has to be rebutted by very compelling justification to the contrary that is necessary and proportionate. What we have yet to see in our view is clear evidence and a coherent argument as to how it is that a single national compulsory or indeed voluntary ID card would meet these problems of terrorism, illegal immigration and so on, and we feel that the Government's whole approach to this debate has been to call upon people like myself to say what is wrong with an ID card. We think that the proper constitutional approach and the proper approach in terms of the Convention on Human Rights is to look at what the specific problem to be addressed is and, in the light of concerns about privacy, personal autonomy and so on, how an ID card will actually solve that specific problem and indeed whether any such redress is necessary proportionate to our concerns.
Q156 Chairman: Would you accept that there are problems like a part of benefit fraud, issues like illegal working and issues like access to public services by people who are not entitled to them that are real problems that are based or stem in part from the difficulty in establishing people's identity?
Ms Chakrabarti: I think I must accept that in relation to some of those specifics. What I would say is that I actually believe very strongly that all of the problems that you have specifically addressed would be better addressed by purpose-specific identifying material rather than a single compulsory ID card, which we say (a) raises the bigger constitutional concerns and (b) is less likely to address the problems you have mentioned. In relation to benefit fraud, for example, we think that the concerns are usually about whether somebody is working ---
Q157 Chairman: I am not talking about people who are working. There is an element of benefit fraud which is undoubtedly carried out by people who are impersonating somebody else or claiming to be somebody they are not.
Ms Chakrabarti: That could be met we say better, more securely, effectively and indeed with less constitutional concern by a purpose-specific card. We have no problem at all with purpose-specific identity material that is used for a specific purpose. We have, for example, NHS cards already and we have National Insurance cards. Of course, they do not in themselves appear to be magic solutions. Making those more secure and more sophisticated is not something that we necessarily have a problem with.
Q158 Chairman: So, you have no difficulty in principle, if indeed at all, with the idea that there are circumstances in which society has every right to require robust systems of identification, be it whether an employer, for example, has a right, as indeed do the authorities, to question/establish somebody's identity before they can take a job in order to tackle illegal working? You accept that it is absolutely right that society has systems of identifying robustly who people are?
Ms Chakrabarti: Indeed, by purpose-specific identification material which is robust in its privacy protection.
Q159 Chairman: What is the difference in principle that you are trying to get at between, for example, somebody having one set of documents that establishes beyond all doubt and without danger of fraud that they are entitled to a job, another set of documents which establishes that they are entitled to use the National Health Service, another set of documents which establishes that they are entitled to benefit and a single piece of documentation which achieves all those three aims?
Ms Chakrabarti: There is a difference from both a constitutional point of view and indeed from a privacy point of view and Simon might be best to get into more technological concerns. From a constitutional point of view, it is worth noting that there is not a single compulsory identifier in any other common law tradition in the world and that demonstrates the heart of the argument. In our common law democratic tradition, the state answers to us and we do not answer to it for our entire identity. It is a very different matter to say that we identify ourselves and show our entitlement to two specific services for specific purposes. Once you change that relationship and create the infrastructure/the edifice of a different relationship where such a single identifier that is used for multi-purposes is created, I do not think I have to call into question the Home Secretary's motives but I say that it is a constitutional shift that remains for many years to come and which creates immediate concerns in relation to race relations in particular and I note that this particular scheme is flagged as partly a solution to concerns of illegal immigration which in itself means that such a card is going to be demanded with respect to people like me rather than people like you, Chairman but, secondly, there is inherent discrimination in the scheme because it is going to become compulsory for foreign nationals before it becomes compulsory for British nationals.
Q160 Chairman: Can I just take two points in there further. What do you say about an ID card in relation to illegal working? Surely if there are risks of racial discrimination because society is attempting to tackle illegal working, that is likely to stem from assumptions that are being made about what sort of people are likely to be illegal workers, not from whether they are being asked to produce two or three identity documents or a single identity card. I cannot see why using an identity card to identify illegal workers is fundamentally different in principle to having two or three other documents that people have to produce to prove they are entitled to work.
Ms Chakrabarti: In relation to the race argument specifically, you are of course quite right that there are already significant problems of race discrimination in the private and public sphere. For example, the statistics on the use of stop and search powers and one being eight times more likely as a young black male to be stopped and searched ... You are quite right, without even a single compulsory ID card ---
Q161 Chairman: We need to tackle that anyway irrespective of whether we change anything about identity cards.
Ms Chakrabarti: Absolutely, but we believe that that problem will be infinitely compounded by the creation of a single compulsory card or indeed a voluntary card which we say will be de facto compulsory and this is borne out by the comparative experience of other European countries where such cards have been used in France, Germany and Portugal in particular. There is not time to go on at length about that but we have attached a summary of our comparative research to our outline submissions.
Q162 Chairman: I am still a little unclear as to whether your objection is to living in a society in which all sorts of people are regularly asked to identify themselves in a given way. I do not think it is that because you have accepted that we need to do that for access to the NHS, for benefits or whatever, or is it that the practical dangers of establishing an identity card bring with them too many risks? I am having difficulty understanding your point about constitution though I can understand why you might have concerns about the practical consequences of establishing a card.. Can you help me a little more on that.
Ms Chakrabarti: Firstly, in relation to the various different services in modern society that you have mentioned, I do not think I can sign up to agreeing with you that one should have to identify oneself at every one of those, so I reserve my position about that. I am prepared to accept that there are certain times in modern life where it is appropriate, where it is justified, where the justificatory test is met. I do not think many of us in this room would have a problem identifying ourselves before we got on a transatlantic flight for example and there are many other examples too, but we do say that to create a single national compulsory identifier and a voluntary identifier becomes de facto compulsory and creates a shift in the relationship between the individual and the state, so that in fact you are required to identify yourself/to be called to account whether in practice and in an individual circumstance it is justified or not. In addition, there are the privacy concerns, the lack of privacy protection in this country. Germany has an ID card but also an incredibly strong law of privacy. We go for the ID card without the strong law of privacy and, in addition to constitutional and privacy concerns, there are grave, grave practical concerns about, for example, public authorities, policing and so on.
Q163 Chairman: Mr Davies, do you take a constitutional view or a practical objection to the ID card or both?
Mr Davies: I agree with the constitutional and the practical elements, both of which run very deep through this whole discussion. I also worry on the cultural and the personal level. Our concerns are, for example, that the ID card fundamentally changes inter-relationships between society, between citizens and the state. It changes the balance between citizens and the state. If you like, the nature of society becomes one where there is a requirement to prove who you are. In other words, it is the elimination of trust. I know that we live in the real world where perhaps we are moving to a future where trust cannot be assumed, but I would say that, on those three fundamental points - constitutional, societal and practical - we have fundamental objections to the sort of integrated ID scheme which has been proposed by the Government.
Q164 Chairman: Ms Chapman, the Law Society is not opposed in principle to a voluntary ID card but you worry that it is going to creep, as it were, into a compulsory card but, as more and more organisations require us or ask us to have a card, does that not simply show that the card was working in practice?
Ms Chapman: I think our comments about not being opposed in principle to a voluntary ID card were based on the fact that the original consultation paper from the Home Office was asking for voluntary or universal cards, so we responded to that question. I think that, in all honesty, the debate has moved on considerably and that now the question of a voluntary card is a bit of a red herring. I think it is clear, and indeed clear from the evidence given to this Committee by the Home Office officials, that what the Home Office has now in mind is a compulsory card. There were frequent references to moving to the compulsory stage. So, whilst that remains the case, I think that, in practice, a compulsory card is what is on the agenda.
Q165 Chairman: And your view on a compulsory card is ...?
Ms Chapman: We do not believe that the Government have made out the case for a compulsory card. We think it is a little unclear to try and understand what is actually being proposed. Various things have been claimed for the compulsory card tackling illegal immigration, illegal working, crime and identity fraud. I think that, in relation to all of those, it has not been demonstrated that, even if the card were able to assist, it is a proportionate response to the mischief that is being put up. There is also the cost-benefit analysis. We started with the idea of a fairly simple photo card; it is now clear that the Government are moving on to something much, much more sophisticated in terms of the biometrics. We do not really have any proper figures about what the cost would be and therefore I think that proportionality argument of cost benefit has not been made out.
Q166 David Winnick: Can I put this point perhaps to the Director of Liberty. Those who argue for an identity card scheme say in effect, "What is the trouble?" and would perhaps point to their wallets or handbags as the case may be and say, "Look, if we work in the House of Commons, we have to have an identity document. We are not allowed in otherwise unless we are recognised. We have credit cards" They argue that the situation is totally different from half a century ago. So, why all this agitation? Why not simply accept the inevitable?
Ms Chakrabarti: Indeed. This comes back to the question put to me by the Chairman about the difference between a number of cards used for specific purposes and a single unified card that has all sorts of information about you on it. In relation to, for example, a workplace card that gets you access to these Houses of Parliament or to other specific cards, in relation to each, the contract is made, the understanding/justification should be made out. Once you create a single combined card, the obvious result is that one does not need to make out the justification anymore and the card will be demanded; the card will be used across society whether there is a proper purpose and a proper justification or not. We also think that there are practical concerns in relation to how much information would be held on a single card, whether there would be proper protections or whether it would just spiral into all sorts of irrelevant and inappropriate data sharing.
Q167 David Winnick: What do you say to the view that the state already has - and I mean any modern state, Britain being no exception - all the information on a citizen, national insurance numbers and the rest, so where would be the difference, the advocates of identity cards so argue and I am playing devil's advocate at the moment, between that information which we know exists on a database centralised and all the rest of it on all of us if you are an ordinary resident in the United Kingdom and having an identity card?
Ms Chakrabarti: There is a real constitutional tradition in this country that says that Government/the state holds information about you but holds it in different places for different purposes. So, for example, the Inland Revenue has always held a certain amount of information about people but possibly had greater data access powers and more sensitive information about me than other public servants. The tradition in this country has always been that just because the state holds a piece of information about you in one place for one purpose, it does not mean that that information can then by passed around willy-nilly by the state or indeed to other agents either. That is something that we have had in this country forever and long before the Human Rights Act or anything of that kind. We have been moving apace in recent years - and this proposal is the latest step in that - to a complete step change from that idea that the state, in different places, holds information about you for specific purposes to a presumption of data sharing, and the ID card is just one representation/manifestation of that differing approach. It comes out in Cabinet Office documents and other proposals that there should now be a presumption of data sharing rather than our traditional constitutional presumption of holding specific information in specific places for specific purposes.
Q168 David Winnick: If the majority of people will accept an identity card - they may change their minds but if it is actually a fact of life - because the large majority say that that is the law, what number do the three of you estimate would simply say, "On the basis issue of civil liberties, I will not hold a card and defy the law"? Do you think it will be a handful or more?
Ms Chakrabarti: Of course it is an invidious position, when one is appearing before a parliamentary committee, to suggest what the law should be. To suggest that large numbers of people might, whatever the outcome of your deliberations, actually decide to disobey the law is not a nice position to be in. Of course, I am a civil libertarian but I am also a lawyer and my organisation has the greatest respect for these Houses of Parliament and the rule of law. However, there has been polling and various figures have been suggested. I believe a recent YouGov poll suggested that as many as 7% of those polled felt so strongly about the shift in the relationship ---
Q169 David Winnick: Do you believe that there will be those who feel so strongly?
Ms Chakrabarti: I am not at this point advocating - and I want to make that absolutely clear - disobedience because I am playing my part in this process, but, yes, there is a suggestion from many quarters - and I have no reason to disbelieve it - that a significant proportion of society might feel so strongly about this that they might feel that way inclined.
Mr Davies: I would like to add to those remarks. I had the good fortune to direct a campaign in Australia in 1987 against the national identity card proposal of the Hawke administration, very similar to the Government's current proposals minus the biometric. When we commenced the campaign in July 1987, there was a mood similar to that which we find here in the UK, about 5% to 10% of people hard line opposed to the concept of an ID card. In other words, people were pathologically opposed to what they perceived as greater power of the state. Within 12 weeks from the commencement of the campaign, that figure had shifted from roughly 10% against to 90% against. It did not take much to shift the entire Australian population - it turned on a sixpence. The reason it turned was because of pathology. All you need to do is present people with the evidence of the way authorities can abuse power and you will find a critical mass and, once that critical mass gets to 10% or 15% in any country, a sort of campaign snowball is created. My projection would be that we have not yet seen the launch of that snowball in Britain. In western societies, we do not know how the public will respond to the idea of the biometric, but our own research indicates that the opposition can be summarised in one line and that is, "This is my eye and you are not having it" and that is going to be a campaign slogan. It may have nothing to do with Privacy International, Liberty of the Law Society, but there will be a critical mass of those who are pathologically opposed to the concept not just of centralised administration of personal information but also to the very concept, the gut concept, of having one's eye or fingerprint taken, stored, used and reused. So, I think we have to deal here with practicalities and with pathologies.
Q170 Mrs Dean: I have a question on data sharing. I have constituents coming to me who want Government departments to talk to each other and to share data, for instance when they want to receive payment through the Child Support Agency. Could you give us examples of where you think data sharing would actually cause genuine problems to individuals rather than perception problems.
Ms Chakrabarti: I think that a genuine problem is caused whenever the process of giving more information than is strictly necessary or strictly agreed by Parliament under powers that gave Government departments to hold information is circumvented by a culture of willy-nilly data sharing. I completely understand the sentiment of your constituents that the left hand should know what the right hand is doing and that is a common sentiment about how Government works, but I am not sure that I would read from that an idea that, for example, sensitive personal health records that are held in the National Health Service about someone should be automatically, without these Houses debating it, without it being enshrined in law, without the proportionality argument having been made out ---
Q171 Chairman: Is there any proposal to do that?
Ms Chakrabarti: No. The question was put, how could there ever be a concern about more communication between departments?
Q172 Chairman: Just to be clear, there is not actually any proposal linked to the identity card to share people's private health records with anybody.
Ms Chakrabarti: I was answering a hypothetical about how people feel about sensitive personal information.
Q173 Bob Russell: Mr Davies, I am still trying to conjure up this thought of a snowball position in Australia! As I understand it, the vast majority of the member countries of the European Union and the vast majority of accession countries have ID, some compulsory, some voluntary. Is there any record of opposition in those European countries?
Mr Davies: To my knowledge, there is no evidence that a popular revolt has occurred in those countries. However, there is evidence, for example, that elements of the card system have been ruled illegal. For example in Greece, the religion data element of the card has been ruled unlawful. There have been sporadic concerns, for example, in areas of Italy and Spain, but no comprehensive national revolt as such. There certainly have been over the National Census, for example, in Holland and Germany but not over a card per se and that is possibly because, culturally, since the Second World War, many of these countries have been used to literally a cardboard card. What David Blunkett and the Government are proposing is radically different to anything we have seen on the continent. What he is proposing and what the Government are proposing is almost identical to the Chinese and the South-East Asian card systems. In fact, the blueprint for the MyKad system in Malaysia is identical in every respect to the one proposed by the Government. That, to me, brings us to a different discussion to the one which might have been had, for example, in Italy or in Germany.
Ms Chakrabarti: If I might just say a brief word about that European comparative experience. The only common law country in Europe, apart from this country, is Ireland which opposes ID cards. The race fear that I have tried to express to this Committee is completely borne out by the feeling of French Algerians, German Gastarbeiter and so on, so that is not just panic on my part, that is borne out by the evidence. Also, it has to be remembered that most countries in Europe that have these ID cards have had them for a very long time, so they have not actually addressed them in modern post-war and, in some cases, post-fascist regime climates. Some of these countries have had ID cards since those days and therefore do not, in a modern liberal democratic context, debate whether they are a good idea or not.
Q174 Bob Russell: Colleagues will be pursuing the international European aspect, but I have one question on UK population registers. There is a suggestion of a plan by the Office of National Statistics for a UK population register. Does it not make sense the exploit the new technology to make record keeping more efficient?
Ms Chapman: To some extent, this goes back on the question that was being asked earlier about the single point of contact with government agencies. I think what is being planned with the population register in some ways would be attractive because it would give you one single point of contact with all government agencies and that kind of one-stop shopping list is superficially attractive. There are a number of important points to bear in mind. One is that people may, for perfectly legitimate reasons, choose to identify themselves differently to different arms of Government. You could, for example, as a married man use your unmarried name with the tax office because that is the name you are known by when you are working and use your married name with the benefit office when you are claiming child benefit. So, it is not as straightforward as having a single piece of information which you want all the Government departments to know. The other thing is that different Government departments will want to verify pieces of information to different standards. The tax office do not care very much where you live, they just want to communicate with you. The benefit office may care an awful lot where you live because it may be relevant to the benefit that you are claiming, or indeed the local authority if you are, for example, claiming housing benefit. I think that there is a real danger that, with those kind of projects, you end up with a turf war between Government departments about the level of verification of information that is being brought forward. Inevitably of course, when you have a hub of information like that which has many arms going out to different parts of Government to local government, the dangers of that information being insecure are very high. I am no expert on the technical side and I am sure that Simon will know better, but inevitably there is the danger of that information becoming a piece of information that you did not want known from one department to another becoming known.
Mr Davies: Can I just add that there are two fundamental pillars of objection to this proposal. The first that Shami has mentioned is what we call the functional separation. Functional separation is one of the prerequisites of a free society. In other words, it is absolutely crucial that individuals are able to deal with the state and with the private sector on its own terms on its own turf. As soon as, for example, there was the capacity to notify the local authority department of housing that your parking fees are outstanding, you can imagine the sort of chaos and the denial of services and rights that such a situation would lead to.
Q175 Chairman: There are huge numbers of members of the public who cannot understand why the state does not collect fines and would actually rather like the state to be more effective in collecting fines that have been imposed on people and actually finding out where people live in order to collect fines might be seen by people as a good thing. Do you not accept that there is an argument that many members of the public think there is something wrong with a free society in which people break the law and do not have their fines collected and nobody does anything about it?
Mr Davies: Can I suggest that the majority of the public want fines collected by the state relating to other people and not to themselves! I have certainly had occasion to dispute levies - I will not say "fines" in this place - that have raised, various fees, which, had, I lost the dispute, could very well have turned into fines and even into court action. I want to deal with that particular arm of Government. What I would say is that there is a pathology within Government, almost an obsession, of joining everything together, the streamlining of Government services. From a security perspective, rule 101 of security is never centralise. It leads inevitably to disaster. If you have a centralised link to a single number, your security threat will exponentially increase and that is a fundamental rule of security.
Q176 Mr Prosser: I am finding the arguments intriguing, to say the least. On the question of functional separation, is it not the case that, even today and in recent years anyway, in limited circumstances, there is some exchange of information between agencies and is it not the fact that with serious cases, for instance child abuse, drug smuggling and serious organised crime, by linking up and exchanging limited information, we are able to crack down on those undesirable areas? I know that in my own casework, for instance, when there is a suspicion of a child or a baby being abused, Social Services can link into the other agencies and try to find the truth. That is a fact of life. I do not think that we should be absolutely antiseptic and surgically antiseptic from all of these pillars. Secondly, Ms Chakrabarti, you talk about your position in principle about having separate identifiers for this access, that access and a third access. In view of that, do you think that those identifiers should be sound? Should they be, as far as practical and possible, beyond forgery and the abusers?
Ms Chakrabarti: On the first point, of course I am not completely opposed to cooperation and indeed information sharing between the relevant Government departments. The point I just make is that the traditional constitutional route to achieving it in this country is for Members of Parliament like yourselves to look at legislation that provides the proper amount of information to the proper department for the proper purpose and indeed, if necessary, provides the appropriate gateways to sharing. It is all led in this country's tradition by what is necessary. What is it necessary for this department to know for what purpose? I am not saying that there should not be cooperation between the departments, I am not saying antiseptic separation, but no more than necessary. As to rather than being led by the idea that it would be incredibly convenient and attractive in a kind of new age sense to have this great big edifice called the National Government Information Database, in relation to forgery, I think it must be right that identifying documents and material and cards, identifiers of whatever kind, should be as robust as possible. I am not a technical expert but I rather suspect, from what I have heard and from what others have told me, that possibly no identifier in the world will ever be completely 150% robust and therefore there is actually additional security in a number of different identifiers.
Q177 Mr Prosser: You are avoiding the issue of practicality as if it is not important. Are you advocating then that people should be required to carry the best quality of identification for each of the various agencies and carry it all, so that, instead of one smartcard, have six or seven?
Ms Chakrabarti: I am sure I am being unclear. I am of course the Director of Liberty and am not advocating that people should be required to carry anything. What I said earlier is that it is appropriate that people identify themselves in modern society for certain specific purposes and we could disagree about what those purposes are, but I think there is better constitutional protection for the individual and better security for the state and the individual if that is provided by the range of ... I am always required, when I have to identify myself, to take a driving licence and a passport or a banker's card. That is because of this commonsense approach to the idea that, at times, more than one identifier is actually more secure. I do not agree that there is going to be such a thing as the perfect forgery-proof identity card, so I actually think that, from a practical point of view, one is better to have a number of identifiers.
Q178 Mr Prosser: In future years, in the European Union at least, our passports will become more secure with digital codes, moving towards the smart card idea. I do not know if you object to that and Mr Davies should come in on this. Mr Davies, you have talked about this resistance in Australia with people saying, "This is my eye imprint, do not steal it" but what about, "This is my image, do not steal it"? Are you going to ban photographs in passports? Is that not a bit fanciful?
Mr Davies: I am not suggesting that, in another 50 years, people will not get used to the idea of iris scan, but I will be dead by then and I just live in the here and now. My concern is that the concept of iris recognition hits at the gut instinct of a great many people. The concept of fingerprinting has criminal association. The photograph has less of an association because it is more widely used. If the Government's plans succeed, then I am quite sure that iris recognition in the next generation will be so commonplace that it will be the natural successor of the photograph. I have no intention of sitting idly by and allowing that to happen for a range of reasons. First of all, that there is an assumption of perfection about biometrics that simply is not borne out by the scientific evidence. If I want to steal the identity, for example, of any member of this Committee in a world with iris recognition, I need do no more than take a 5 megapixel digital camera shot of you and then your identity is stolen for the rest of your life; you will never revoke it; you will never reclaim it. I do not want to live in a world where that security threat exists. So, there is a fundamental difference between people's concerns over the iris scan and the photograph.
Q179 Mr Prosser: Do any of you oppose the developments which came in just two years ago which replaced paper identity cards for asylum seekers with the smart ARC card? The background to that was that there was widespread abuse of the earlier paper status letter and we had evidence of people making multiple applications for benefit and people without any claim whatsoever through the asylum system linking into the support system. So, the ARC card was brought in. It does not have biometric attributes but it has fingerprint identification and all the evidence I have heard is that it has not been forged and that it has brought order to a system which was going into chaos. What is your view on that?
Ms Chapman: Speaking for the Law Society, we certainly have no objection to the ARC card and our understanding from refugee communities is that it has been very welcome because very many asylum seekers find that because they do not have any other form of identification, it has proved very useful to them to have something which is a secure form of identity. So, as far as we are aware, it has been very successful.
Chairman: Does anybody wish to disagree with that general assessment of that particular card? I would like to move this on?
Q180 Mr Prosser: This is a specific question to Mr Davies in regard to the view of your organisation that identity cards in the UK would breach the European Convention on Human Rights. Do you want to tell us about that?
Mr Davies: Certainly and I will also, if I can, throw this to my colleagues here for supplementaries. We believe that the identity card as proposed by the Government would breach Article 8 of ECHR. There are two reasons for this. The first is that the concept of privacy intrusion is culturally relative. If I, in Britain, in a country and a culture with no history of identity cards, feel that my privacy has been taken away, then there has been a breach of Article 8 unless there are the usual overriding justifications. However, the judgments under Article 8 that we have seen so far relating to either arbitrary surveillance or mass surveillance give us an indication that the current scheme would fall if it were challenged. I am not suggesting that a simple identity card with specific stated purposes would not be lawful, it may very well be. We believe that the current proposal would be unlawful because it would fundamentally change the default of privacy in Britain.
Chairman: Mr Davies, I am going to stop you there because we have several more questions and another group of witnesses to get through this afternoon.
Q181 David Winnick: Do you feel, bearing in mind the danger of terrorism and the fact that we should all work on the reasonable assumption that, if the terrorists could, they will cause an outrage in Britain, that identity cards would in any way lessen the terrorist threat?
Ms Chakrabarti: Of course, at different times in different public arenas, the card has been suggested as a solution for a number of different kinds of crime and, in my view, the argument has not been made out in relation to any of them. Taking terrorism in particular because, in a sense, it worries us all the most, it would seem even the Home Secretary has not quite made up his mind about the effects or the efficacy of an ID card in fighting terrorism. Indeed, I think it is a fair quotation to say that there was an acceptance in the initial Home Office consultation paper that the ID card was not going to be very much about alleviating terrorism. I believe that the humility of this acceptance was praised by one of your subsequent witnesses today that, post-consultation, terrorism seemed to be flagged up again. I may be missing something, but nobody has ever explained to me how having a single national ID card is going to stamp out terrorism. I just have not heard the argument made out and the Home Office itself seems to prevaricate about that.
Q182 David Winnick: Would it not be right to say that, during the 30 years of terrorist outrages committed by the IRA, any identity card scheme would not have been of much use?
Ms Chakrabarti: I fail to see it. I hate to make a joke in such serious proceedings but it does not hurt occasionally. I was informed today that, within the last three months, the leader of the free world himself, President Bush, has ruled out an ID card, presumably because he does not think it is going to save the world from terrorism, but apparently he referred to such a scheme as fundamentally illiberal. So, there we are!
Ms Chapman: In relation to crime in general, I think it is fair to say that the problem the police face more often is not in identifying the person who committed the crime, it is in linking that person to the crime that was committed.
Q183 David Winnick: So, if an identity card scheme helped to fight terrorism, it would not be much help, if I have your three views right, in dealing with other forms of crime, the day-to-day crime which we are all concerned with as well. Are there any aspects of the ID scheme where you could argue, being yourselves devil advocates, that there may be some merit in having any such scheme with the Home Secretary is so keen, if not always Cabinet colleagues apparently, to have.
Mr Davies: From our perspective, the short answer is "no".
Ms Chakrabarti: What I would say is that if the Home Secretary refines his arguments and comes up with the evidence and says, "I believe that an ID card would really help in dealing with this particular type of crime", then the proper approach for the Home Secretary himself and indeed for this Committee and these Houses of Parliament, which are in my view the first Court of Human Rights in this country, would be to say, "Here is the problem which the Home Secretary is trying to address, this is the particular type of crime that he thinks will be alleviated" and the question will be, is he right about that? Does his evidence stack up? How serious is this type of crime? How much would it be alleviated? Then one would be saying, "Has that evidence and that argument rebutted the primary presumption in favour of our current constitutional arrangements and in favour of privacy?" That is the way round, if I may say so.
Q184 David Winnick: In order to try and make my questions as hard as possible, what do you say to the last view of the advocates of identity cards that they may not do this, that and the other that you have been telling us, but, at the end of it all, it will be possible for employers to check that, bearing in mind illegal workings in various parts of the country, if you had an identity card scheme - and the Chairman has been particularly keen in pursuing this view - at least it would be a check on such illegal workings? Is there not some merit in that argument?
Ms Chapman: I think there has been some confusion here about associating illegal entrants with illegal working and there is not a great deal of evidence to demonstrate that that link is there but, for many people who are working illegally - they may be overstayers, they may be students working more than 20 hours a week, they may be people whose permits have run out - clearly there are people working illegally but the real problem seems to be - and, judging from the CBI's evidence in response to the consultation paper they agree with this - the small number of employers who do not at the moment carry out the appropriate checks. There are a series of checks that can be made if employers are serious about not employing people illegally. The problem is of course that, for a small minority of employers, it is quite attractive to employ people illegally because you do not have to pay them the minimum wage and you do not have to worry about health and safety conditions.
Q185 David Winnick: Would a card not help to deal with that?
Ms Chapman: No, I do not think it would because that is not the problem. The problem is employers not carrying out the checks that they can currently carry out in order to prove that people can work here legally. If people are going to employ people illegally, they are going to employ people illegally regardless of whether or not we have a national identity card.
Q186 Mrs Curtis-Thomas: I want to raise questions particularly about data security. You stress the lack of public confidence in the Government's ability to keep a database secure. Is this not a question of perception that can be tackled by a number of means? Is there not an independent body whose judgment of the technical aspects of the Government's proposals you would trust to oversee the administration of the secure database?
Ms Chakrabarti: Firstly, we do not think it is just perception. We think that reviews in data matching under existing law and indeed in compliance with legislation such as the Regulation and Investigatory Powers Act suggest that there has not been desirable compliance and we feel that the trend has been very much towards that there has not been compliance with existing laws, so the law should therefore be broadened. I think that recent secondary legislation under RIPA really bears that out.
Q187 Mrs Curtis-Thomas: RIPA?
Ms Chakrabarti: The Regulation of Investigatory Powers Act. The approach to privacy has been very much ... There is not time to go into it but if I can just say that explanatory notes to orders produced under that legislation actually said - and the Committee will have access to these - that we are extending beyond the organisations that can have access to X, Y and Z and this was to give "ECHR cover to existing practice." The trend is very much that existing practice goes beyond the law, so we make the law more lax rather than get to grips with compliance. As to independent bodies reviewing practice to make us feel better, if I may say so, we are still at the drawing board stage of asking for this justification to outweigh the constitutional and privacy presumptions and the independent body in whom I personally put my trust is these Houses of Parliament.
Ms Chapman: May I just add to that. If I understood your question correctly, I think it is possible, in terms of the software that may be being developed, to check and recheck and recheck. Clearly, there are software systems where this kind of process has to go on: systems flying aircraft, systems dealing with hospital equipment. You can get independent verification of checking and rechecking the software and I think that, to that extent, such a check would be very welcome. However, I imagine that it would be hugely expensive. What I think that does not solve are three related problems. One is that, if you have a hub of information, you can do those software checks to ensure that it is secure but, the minute it starts communicating with other systems, it obviously becomes less secure and open to potential hacking. In the context of the identity card, the card itself might be vulnerable to change through people getting hold of the card and changing the information on the chip that it carries but also, more importantly, which I think is what Shami was touching on, is the individual and organisational process. It is about checking and supervising all the staff who are dealing with that information and it is not just the staff who are perhaps dealing with the information at the core, it is all the staff dealing with the information at all the related areas, all the different Government departments or whatever it is that the system may be communicating with. So, I think it is a very big and complex problem and I would certainly not claim to understand the technological side of it but, in terms of, if you like, verification of the core software, yes, you obviously can check and recheck that, but I do not think that solves the problem.
Mr Davies: If I could add, the verification of software is one of about 40 key security concerns in the Government's proposals and the security concerns that we have identified in our analysis range from the process of actually collecting data to the process of storing it and then to using interfaces, in other words which organisations have access and the security problems that would face them, then you have all the security problems relating to the card itself and the links between the various inter-related systems. So, it is 40 major security areas. The public might be aware of only one or two that are obvious.
Q188 Mrs Curtis-Thomas: Could I just make the comment that, having heard the evidence so far, I have not heard any positive arguments for an integrated card, but I would like to reiterate that, as a Member of Parliament, I am frequently dealing with people who would desperately like to see integration between departments. Issues about child protection are very topical and very real and the absence of any continuous card or any continuous information between the departments dealing with children is very serious and produces quite a number of serious problems. Having said that, I hope to hear more evidence which tries to alleviate my concerns in this area, but I would now like to go to the area of biometrics. Mr Davies, you seem to know quite a bit about biometrics. Do you agree that the difficulties inherent in the use of biometrics can be reduced by using just two, such as fingerprinting and iris recognition?
Mr Davies: Theoretically. Mathematically, it should be possible to improve accuracy by using two biometrics. What occurs at the practical level is that you exponentially increase the error rate. The problem is that, if you have two biometrics required, then you must have a secure link between the two, both must be functioning and the user has to know and to accurately operate each system, so there is an exponential threat of error or non-recording of the individual once you increase beyond the single biometric. There is then a cost issue. Already, the remits in police stations cost around about £85,000 each for fingerprints. You would be probably looking at £100,000 to £120,000 plus for an integrated system which would blow the Government's cost estimates out of the water. I do no want to labour this point but, with regard to the iris scan, this Committee will hear evidence, doubtless, that the iris scan has about a one in one billion chance of inaccuracy. In other words, its accuracy is almost perfect. I have to caution that the statistics being used are pure mathematics and not practicalities and I will subsequently send to the Committee the evidence presented by the General Accounting Office and the National Institute of Science and Technology in the United States which debunks the myth that a biometric such as iris recognition is secure or accurate.
Q189 Mrs Curtis-Thomas: Ms Chakrabarti, you believe there needs to be a thorough investigation into the problems associated with biometric identifiers. Is this not exactly what the Government has undertaken to do?
Ms Chakrabarti: In relation to the Passport Office primarily?
Q190 Mrs Curtis-Thomas: Yes.
Ms Chakrabarti: I am afraid that we feel that that was really quite inadequate as a proper investigation of feasibility.
Q191 Mrs Curtis-Thomas: Why is it inadequate?
Ms Chakrabarti: We think that, for example, the pilot group was completely self-selecting and the Home Office failed to record those people who refused to participate, so that causes a problem in terms of piloting how this would work if it were national, let alone compulsory. You cannot form an accurate pilot on a self-selecting group that leaves out people who would not co-operate. We are also really concerned that there has not been any real comparative work because one of the best ways to look at feasibility, and indeed to address some of our concerns about the impact on race relations and so on, is to do some proper comparative work on the experience elsewhere. Indeed, quoting from the Home Office consultation document, it was suggested that it was not possible to have follow-up discussions with all of the countries surveyed and we felt that the approach to the comparative experience was a little cherry-picking and did not really bring out some of the material that we have found with not huge resources at our disposal as a small NGO. We felt that that was pretty cursory.
Q192 Mrs Curtis-Thomas: Have you written to express your concerns and have you suggested new terms of reference for that study then?
Ms Chakrabarti: I will just check with my colleague if I may. I am not sure that we have.
Q193 Mrs Dean: Turning to race issues, which you raised earlier, you express concern over the possible effect that this would have on ethnic minorities. What reassurance would you require on the race impact assessment that the Home Office will publish with the draft Bill?
Ms Chakrabarti: Clearly, any impact assessment has to be objective and has to be fairly wide-ranging and we have concerns that, because the Home Office is the sponsoring department with the political interest in having ID cards, the Home Office may not be the best department, understandably. I am not calling into question good faith. It is an interested party and not perhaps the best department to look at the race implications. As I have mentioned, we think that comparative experience is really important to understanding the race concerns and we attached to my outline answers today some references to the treatment of Algerian men in France, Turkish Gastarbeiter in Germany and so on. The Chairman took me to existing problems in race relations and we talked about the terrible figures on stop-and-search and so on, and we feel very much that these could be compounded by the existence of such a card, so we have huge concerns about that. Further, the specific proposals put by the Home Secretary, his staged approach as set out, are in themselves structurally and institutionally discriminatory. The emphasis on immigration as the justification for an ID card is of itself, we say, going to increase the likelihood of discrimination in the application of the card, and also, crucially, in its two-tier staged nature it is in itself discriminatory. We have had advice that it may well breach the new law in targeting initially foreign nationals, including EU nationals, for the bite of the scheme before it becomes compulsory later down the line for British nationals.
Q194 Mrs Dean: Mr Davies, you say that your research shows that the card "will inevitably be abused by officials who will use them as a mechanism for prejudice, discrimination or harassment". Can you provide further details?
Mr Davies: That evidence can be located in a 1996 report which is on Privacy International's website, which I will circulate for the Committee's perusal later. Privacy International surveyed 40 countries with ID cards and found that it was very common for complaints to have been raised where there were administrative mechanisms to do so, that authorities had demanded identity cards speciously with intent to discriminate. It has to be remembered that in the 1950s the High Court effectively brought an end to the identity card because of what was perceived as heavy-handed use of the card by authorities and we see that as commonplace in almost every country outside Europe and even within Europe with specific racial groups, and Shami has mentioned some of these - in France, for example. It has to be seen that the card is something that can be used against an individual. The card can be demanded, it can be impounded, its information can be copied and used subsequently for different uses, so we see fundamental problems there.
Q195 Mrs Curtis-Thomas: Turning to the costs, do you accept the Government's argument that changes in international regulations, for example, the US visas, mean that biometric identifiers will have to be introduced anyway and therefore the additional overall costs are small over a ten-year period?
Ms Chapman: Clearly these changes are coming anyway. As you say, we are going to have changes with biometric passports. There are two things to say there. One is that our understanding is that the cost may be higher than the Government was suggesting, not least because they may need to be replaced every five years rather than every ten years, and therefore there is some indication that the costs to the individual may be significantly higher. Having a range of different methods of proving identity, as we were discussing earlier, so being able to look at a passport and at a driving licence and at an identity card or whatever, will actually be much better than trying to rely on a single card to prove identity, which may end up giving a false sense of security to people. I also think that there is a massive step-change from having a biometric passport to the sort of identity card that we understand the Government is putting forward at the moment. It is a wholly different scale of project and it should not just be seen as one further step along the road.
Q196 Mrs Dean: Do you have anything to add, Ms Chakrabarti?
Ms Chakrabarti: I do not want to dwell too much on cost. I would not support this proposal if it were free.
Q197 Chairman: That is a very good way to end. Can I thank you all very much for your evidence and for the written evidence that you submitted. We look forward to receiving the various bits and pieces of information you have promised to send to us.
Memorandum submitted by the Information Commissioner
Examination of Witnesses
Witnesses: Mr Richard Thomas, Information Commissioner, and Mr Jonathan Bamford, Assistant Information Commissioner, Identity Cards, examined.
Q198 Chairman: Good afternoon, Mr Thomas. You have heard the previous witnesses?
Mr Thomas: Indeed; thank you.
Q199 Chairman: Could you just introduce yourself and Mr Bamford for the record?
Mr Thomas: I have been the Information Commissioner for just over a year. I am responsible for promoting and enforcing both the Data Protection Act and the Freedom of Information Act. Jonathan Bamford is the Assistant Commissioner who leads on identity card issues. This was the first major policy issue I had to deal with on my appointment, just like my predecessor some eight years previously. I approached this issue with an open mind but, given my statutory responsibilities, a degree of healthy scepticism. Data protection and human rights legislation do not protect privacy at all costs. They include provisions balancing the pressing needs of society against the rights to individual privacy. My fundamental concern with this issue must be whether any eventual scheme is likely to be compliant with data protection requirements. I do not believe that I can say, "No, never, under any circumstances". A huge amount of my judgment will rest upon the details of any scheme which is brought forward. Does a particular scheme strike the right balance? With the Government's consultation document some 12 months ago I felt that it was too soon to make a final judgment, but I was clearly sceptical about the proposals being canvassed in that paper. This time last year I called for a draft Bill so that we would see more of the detail. I am delighted that the Government has agreed to go down that road. We still await the draft Bill and a lot of the very important details are still awaited. The Home Office paper, the Next Steps paper, does contain a section on privacy issues but I have to say that it is a bit on the thin side at the moment. At the moment many of my original concerns remain. I have outlined these in the memorandum which I have submitted to this committee. Perhaps the fundamental point I am making is that safeguards (highly important safeguards in my view) will be needed to address the privacy and data protection risks. I would be happy to elaborate on those in response to your questions.
Q200 David Winnick: As I understand the Government's position at this stage, what they want to bring in in due course, and it will not be in the next few years, is an identity card scheme which will be compulsory in the sense that everyone will be forced to give information but it will not be compulsory, so we are told, to carry it. Do you see in your role as Information Commissioner, Mr Thomas, much of a distinction between those two?
Mr Thomas: I think we have to await the details as they emerge. As I have understood what the Government is contemplating, it will be voluntary in theory but may come close to being compulsory in practice. The Government talks about using the card on a voluntary basis and using it with consent, but data protection law and theory are very focused on the need for consent to be freely given. I would not regard it, for example, as a freely given consent if one had no choice but to use the card for a particular type of transaction.
Q201 David Winnick: When you say "voluntary", if we can be absolutely clear on this, it will not be voluntary - and you will correct me if I am wrong - to decide whether or not you give information in order for the card to be issued because that would surely undermine having ID cards. As far as the citizen is concerned, if the law is duly passed by Parliament, it will be compulsory to give information; am I not right?
Mr Thomas: I think that is certainly correct at what the Government calls the compulsory phase. When the legislation moves on to the compulsory phase that will be compulsory, but I think that the Government's vision is that for the first phase it is up to the individual citizen to choose whether to opt in or not.
Q202 David Winnick: But when that stage is reached, that information has to be given (if it is reached), do you see a danger, if that scheme comes into being, where the Government in time, whichever government happens to be in office, decides that it is necessary for the card to be carried and therefore the police, in carrying out their duties, would regard it as somewhat suspicious, to say the least, if, when the person is asked for their identity card, it cannot be produced?
Mr Thomas: Certainly one of the concerns I have raised is what I have labelled "function creep" and I think in various ways one might anticipate that a scheme which might be justified at the moment with various safeguards might in due course be extended in various ways. One example of that is that the Government has said very clearly in its policy that the police will not have a stop-and-demand-to-see-the-card power, but clearly one would have anxieties if at some later stage that power were to be extended, whether by legislation or otherwise. One of the points I have attempted to make to this Committee is the need for various safeguards to be put in place right at the outset against function creep. I would like to see, for example, an explicit provision in any Bill that comes forward for a prohibition on the police stopping and seeing the card, not just the absence of a power to do so, but a prohibition on that to give reality to the commitments the Government has made in its papers. There are various other features I could suggest to guard against other types of function creep. We have to have these various safeguards at the outset. Once the genie is out of the bottle it is not one you can put back in again. For example, I would like to see on the face of the statute right at the outset a very clear indication of the stated purposes for this card. I would like to see at the outset a clear restriction on other sorts of use for this particular scheme, so making it quite clear, as the Government has said in its published documentation, that it is only to be used for certain defined purposes. This is a matter of data protection. If the purposes are there we know what it can be used for. Beyond that it would not normally be acceptable. If you would like me to elaborate on some of the other safeguards, I would like to see -----
Q203 David Winnick: They will be covered by colleagues. It is quite clear from the submission which you have kindly given to us and which we have read with interest that you do have, in your role as Information Commissioner, quite a lot of reservations about any scheme which at the moment the Home Secretary is intending to bring in.
Mr Thomas: Certainly I expressed quite strong reservations on the consultation paper. I felt that was not precise enough in terms of what was being put forward, in particular the absence of clarity as to the purposes. We have moved a bit further with the most recent paper but I have to remain, to use my own language, healthily sceptical until I see at least the draft Bill.
Q204 Chairman: Mr Cameron will ask questions in a few moments about function creep. You said that there will need to be detailed safeguards. How easy in principle or practice do you think it would be for the Government in a draft Bill to be able to set out the sorts of safeguards you are looking for? Are you in a position to be able to itemise those safeguards and to show how they could be put into legislation?
Mr Thomas: I do not think it is for me to tell the Government how to bring forward proposals, but I certainly would like to outline some of the safeguards. Some of these, I think, must be in the legislation; others are more of an operational nature. There is a mix, if you like, of the design and the operation of the scheme which are going to be needed if we are going to get the right sorts of safeguards. In the Bill itself, as I said just now, it is fundamentally important to have a very clear statement of the purposes for which the scheme is being put in place and restrictions on the use of the scheme beyond those purposes. Otherwise there are going to be data protection problems. I would also like to see some of the prohibitions which I indicated just now to Mr Winnick. Also, we have to be clear about some of the safeguards over the way in which the register is used and the way in which the card is used. I think it is important to keep a very clear distinction between the register and the card. For example, I would like to see it, if possible, designed into the face of the legislation that there should be only the absolute minimum information carried on the face of the card itself. I would be unhappy, for example, if national insurance numbers appeared on the face of the card. I would be unhappy if an address appeared on the face of the card. There are huge questions about access to the national identity register: who has access to it, for what sorts of purposes and how is that information to be used. There are quality of data issues. We have heard a bit already this afternoon about these important areas. Much of it is operational but I think some of it could be written into the design of the scheme itself. I have floated in my submission to you, as I have floated to the Home Office last year, the idea that an independent statutory body would have a role vis-à-vis identity cards. I think it is sufficiently important to perhaps think in terms of an independent body accountable directly to Parliament with responsibility for making sure the safeguards written in the legislation are delivered in reality. There are perhaps not many analogies but the BBC is one that springs to mind in recent weeks in terms of enthusiasm to assert independence and that may be one quasi-analogy to think about.
Q205 Bob Russell: No function creep there.
Mr Thomas: I hope that gives you a flavour of the sorts of matters I would like to see on the face of the Bill. I do say on the face of the Bill that I do not think this should be addressed by way of secondary legislation.
Q206 Chairman: I take your point but in principle you sound as though you are not saying to us that you could never design legislation or operations to meet these safeguards. It is a matter of whether the Government accepts your arguments and then chooses to put those in the Bill or puts in a system to monitor the operational effectiveness of the scheme.
Mr Thomas: It would be a mixture of both. I certainly recognise that in most European countries which are living within the same data protection directive that we live in there are various types of identity cards, so I am not saying, "No, never, it is impossible", but I do feel very strongly that there need to be the sorts of safeguards I have been outlining to you.
Q207 Mr Cameron: What is wrong with having a national insurance number on the card?
Mr Thomas: The national insurance number provides a key to a great deal of personal information - tax information, social security information. People do both value their privacy and the confidentiality and integrity of their own personal information. Once you start bandying around these sorts of numbers it makes it very much easier for people to lose control over that sort of information. My office already comes across really quite serious problems of what we call blagging - the black market in the buying and selling of personal information. When you begin to get the various bits of the personal jigsaw - the person's name, their address, their mother's maiden name, their national insurance number - it makes it easier and easier to get under the skin of that person's personal identity and their personal information.
Q208 Mr Cameron: I want to understand a bit more about function creep. Am I right in thinking that there are two sorts of function creep? There is one sort which is making this card cover more areas, ie, driving, national insurance identity, so it is creeping out into other areas of use, and there is the second sort of function creep giving the police more powers to arrest people if they do not have the card, that you must carry the card or whatever.
Mr Thomas: I have got three and perhaps more, but two along the lines you are suggesting. The first is extending the scheme to further purposes. How, for example, is it going to be used precisely in relation to health services? How is it going to be used in relation to education services? Where are the lines going to be drawn? The Government has said that it will not be required for emergency health care. Can we be sure that is always going to be the case? Secondly, as you mentioned earlier, there is production to the police. There is also a third type, which is more and more information being sucked into the system. This is entirely speculation now; it is not part of the current proposals, but I have anxieties about function creep going further and further. Would there ever be a time when racial information or religious information or criminal record information started getting into the system? Already we have heard that driving convictions will be associated with the driving licence. Are we comfortable with a society where quite large numbers of the male population have some sort of criminal record where all this information somehow becomes linked through the card or the register? It is not there at the moment. I am quite clear in my mind that the Government is not currently contemplating that, but I have to remind the committee that data protection comes out of central and eastern Europe and we have seen very tyrannical societies in the last century where information was used to catastrophic social cost, and I think one has to remember that the roots of data protection are to safeguard us against that. I do not want to be a shroud-waver. I am not making suggestions but I think we have to be aware of where it could go in much less benign society than we currently live in.
Q209 Mr Cameron: Your scepticism sounds extremely healthy to me. Is your solution to each type of function creep to have all these things on the face of the Bill in primary legislation? Would you apply that to each of your three types of function creep?
Mr Thomas: I would certainly be looking for appropriate prohibitions, restrictions or whatever addressing those sorts of issues. If we go down this road there would have to be legislation. I would rather see that at the outset with these sorts of issues addressed giving us some form of statutory guarantee. I appreciate that legislation cannot entrench these matters but we need to have the will of Parliament expressed on the face of the Bill with, I hope, as many safeguards as possible.
Q210 Mr Cameron: What do you mean by "strong and effective restrictions on inappropriate demands to produce an ID card"?
Mr Thomas: I think we can speculate here. I will give you an example. I would be unhappy if a local authority gymnasium required you to produce your identity card in order to make use of that local authority gym. I think that is going well beyond what should be acceptable. The local video shop, when you are renting a video: for them to insist upon the production of an identity card for you to rent a video would in my view be disproportionate and unacceptable and I would want to see appropriate restrictions stopping that sort of activity.
Q211 Mr Taylor: Mr Thomas, you have just voluntarily walked into the retail sector, if I may say so. Are you aware of the citizen card scheme which I think is used as proof of age in tobacco retailing?
Mr Thomas: Yes, I am.
Q212 Mr Taylor: Would you care to comment on the citizen's card scheme?
Mr Thomas: Yes, I had a meeting with the organisers of that scheme about six or seven months ago. My understanding is that about a million under-18 year olds are now on that scheme. I have looked at that scheme. I do not have any pressing or immediate concerns about it. I think it is serving a purpose. It is a voluntary scheme. People under 18 can sign up to it as they choose. I am not sure it has very much direct relevance to the identity card issue because everyone is talking about identity cards for adults only, that is, only those above 18 years old, so I think there is a relationship but I have not given serious thought to the inter-relationship with the particular subject this afternoon.
Q213 Chairman: Can I just be clear on the thinking here? You would be opposed to somebody offering a commercial service, perhaps a finance company, for example, requiring somebody to show their identity card in order to access that service?
Mr Thomas: I would be opposed to them insisting upon it. If they said, "You absolutely must produce your identity card", or if they discriminated against you because you could not produce your card, I think that would be an unhealthy development. I would like to see some restrictions there.
Q214 Chairman: The core information for the identity card, to begin with at least, is likely to be driving licence information and passport information. If any member of this committee wishes to buy or sell a house they will not find a solicitor who would be prepared to touch them unless they produce their passport or their driving licence, which is a consequence of legislation on money laundering passed by this House. Why is it acceptable to require individuals to provide their passport or their driving licence but it is not acceptable to require them to provide a document which is merely bringing together the same information on which those documents have been based?
Mr Thomas: I see this as a matter of choice. In the examples you have given the individual has a choice. They may choose to produce their passport; they may produce their driving licence; they may produce their utility bills, or there are other ways of choosing how to establish their identity. What I am concerned about is a situation where public and private sector suppliers outside the statutory purposes of this scheme can insist that you produce the identity card and nothing else.
Q215 Chairman: It is not quite as flexible as that in practice with the average firm of solicitors, is it, or is the distinction there that the solicitors are complying with the money laundering legislation?
Mr Thomas: For money laundering purposes there is quite a wide range of choice.
Q216 Mrs Dean: You mentioned the new independent body. Are there any other powers that you would like to see that body have other than those you have already mentioned?
Mr Thomas: I am not putting forward concrete proposals. The Next Steps paper simply uses the phrase "independent oversight" and does not say more than that. If I can share with you three possible issues here, one is that you could have an independent body running the scheme at arm's length from government which I think addresses some of the concerns about a monolithic organ of the state running this entire system. Secondly, you could have an independent body which is a dedicated regulator which oversees the government department running a scheme and you could have a dedicated body with various sorts of regulatory powers. Thirdly, there is my own office, ie, obviously I have to make sure that any activity, public or private, is compliant with data protection concerns. I do have powers of inspection and audit but only with the consent of the organisation concerned, which is a more general point and which I am not terribly happy about, so at the very least one could, if you like, give me mandatory powers of inspection, but that would be at the third tier. I hasten to say that most of my European counterparts, the data protection commissioners in other parts of Europe, when they do have identity cards, have the power to march in and carry out an inspection on the existing identity card systems in those countries which are less developed than those we are talking about this afternoon.
Q217 Mrs Dean: So if your powers were extended how would that fit in with the new independent body?
Mr Thomas: The Government I am not sure is contemplating an independent body. I am just throwing this idea out for debate and discussion but, if there were to be such a body, then I would see it as being a dedicated body with wider concerns and purely the data protection ones, but I would then be a longstop responsible for a wide range of activities. I am not a dedicated sector-specific regulator but I would be a sort of longstop looking at the data protection aspects.
Q218 Mrs Dean: Would you need extra resources?
Mr Thomas: I think we would need some extra resources to carry out that sort of function. I mentioned earlier that we have established an audit and inspection power. We are able to do that within our existing resources but it stops us doing other things. If we are going to have a specific role vis-à-vis identity cards then it is absolutely certain that we would need extra resources.
Q219 Chairman: Do you see the remit of such a body as simply ensuring strict compliance with whatever legislation had been passed by Parliament or would you see it having a remit, for example, to take into account the need to protect the benefit system or national security issues? In other words, who should be making the balance between the civil liberties issues and the national interest issues? Would that lie exclusively in Parliament, in the legislation or would the body itself have a job of advising on whether the balance was being struck properly?
Mr Thomas: I think my vision would be along the lines that it would be the statute, the act of Parliament, which laid out the various duties and functions of the individual body. So perhaps starting in terms of general oversight and, perhaps, if any new demands came along assessing and commenting on those; it may have a role in terms of producing codes of practice about the detailed operation of the scheme. I think, in terms of raising public awareness, there is a massive education programme going to be required here and such a body could have that sort of responsibility. Also, keeping the scheme under review; perhaps an annual or regular report to Parliament about how the scheme is operating. I throw these ideas out by way of speculation rather than as firm proposals.
Q220 Bob Russell: Mr Thomas, you have said that if there is to be an identity card that each issuing card should stand and be respected by other service providers. Is that a suggestion by you that there should be private sector involvement in issuing the cards?
Mr Thomas: That was no more than another sort of suggestion. I suppose I was a little disappointed when we looked at this a year ago that there was not more than one idea on the table. I was speculating that perhaps one way to avoid the risks of a central, state-run monolithic database of the entire population would be to have some sort of federated system where the statute might lay down basic minimum standards and then a range of organisations could issue cards to cover the population in that way. I am not developing a detailed plan but one could speculate that would be one way to, if you like, fragment and minimise the risks.
Q221 Bob Russell: Would that not create difficulties with the privatisation of identity cards, with Jarvis and Group 4 getting their tentacles in there?
Mr Thomas: I think one could speculate a range of organisations. One could imagine local authorities playing this sort of role, one could imagine trade unions, maybe financial institutions, or maybe retail organisations - but a little of what I call healthy competition may not be a bad thing in this area.
Q222 Bob Russell: Surely that is fragmentation? Would that not be fragmentation, which would lead to all sorts of security levels being compromised?
Mr Thomas: You would have to have very high standards, as you would for any central system. It is clearly fundamentally important to have robust security, whatever system comes out, and we have not talked a great deal about some of the risks to individuals where identity can be confused, where information leaks out, but the same problems are there whether it is a single system or whether it is a federated system.
Q223 Bob Russell: Would you not think there would be greater confidence in a central, publicly-owned authority in charge of identity cards, rather than a patchwork quilt?
Mr Thomas: I am saying no more than I would like to see a debate on the issue.
Q224 Bob Russell: You have expressed concern about the incremental approach used in introducing the ID scheme and you feel, as I understand it, that the necessary safeguards would not be in place from the outset. Surely, an incremental approach would be better, if you like, than the big bang approach, with everything happening on day one?
Mr Thomas: What I had in mind then (and I made the point to the Chairman earlier) was that I think it is fundamentally important to have the various safeguards in place from day one because I think that there are risks of function creep and there are risks of this arrangement being extended. We are contemplating here a massive infrastructure, and I think it is best to address the various issues up front and to get that sorted in a way which is accepted if the scheme is to proceed, rather than spend five or six years going down the track and then always chasing after the problems after they have arisen; I would rather anticipate those and get them into the design stage at the outset.
Q225 Mr Prosser: Mr Thomas, you have stressed the importance of quality of data and you have said that again this afternoon - the importance of avoiding errors especially in the initial database build-up. How confident are you in your discussions with Government that they are as enthusiastic about that area?
Mr Thomas: We have not had that many discussions with the Government. We are awaiting the draft Bill like anybody else, so I have not had any recent discussions at ministerial or official level. There are very welcome words in the Next Steps paper about the importance of security and confidentiality aspects, and I welcome the words. I have to make sure the words are turned into reality. The paper talks, for example, about identity theft, and sees this as a contribution to reducing or perhaps even mitigating problems of identity theft. I have some anxieties it could go the other way. If this becomes the gold standard, as the passport is the gold standard at the moment, there are risks that it will attract the attention of counterfeiters, of fraudsters (as the passport does at the moment) and if identity cards have a spurious authority then the innocent victim will suffer grievously in a range of situations. This can involve the liberty of the individual, it can affect their financial standing, and it can affect their career prospects. We have seen cases where inaccurate or inappropriate information is held on a database and that causes enormous damage to the individual.
Q226 Mr Prosser: Are there any specific practical measures you would like to recommend to Government to avoid those pitfalls?
Mr Thomas: We have touched upon some this afternoon. I do think there has to be a very explicit addressing of the issues. If I can just elaborate on some of the risks I have in mind, mistakes can almost certainly be made, in hardware, software and through human error. I organised a conference this time last year at which Professor David Ripon from the British Computer Society expressed some quite severe anxieties about operational aspects. So mistakes can be made in the processing of the information; people can get mixed up and muddled up. That is one area of concern. Another is false applications, where people get hold of the primary documentation - birth certificates, marriage certificates and all the rest of it - using what is called the biographical footprint from elsewhere, deliberately taking over someone's identity. Then you get the counterfeiters who are, if you like, manufacturing plastic cards and the chips. I am not an expert on how easy this would be but I do want the various risks to be very clearly addressed and identified.
Q227 Chairman: Would you like the independent body to be in a position to say, independently of government, whether the DVLA database or the Passport Agency database or any other databases they are using were sufficiently accurate and reliable to enable the scheme to succeed?
Mr Thomas: I am already an independent regulator and I can tell you already that there are sufficient concerns and problems with the quality of DVLA data and, to a lesser extent, with passport data. I voiced these concerns this time last year. In the consultation document the Government is contemplating migrating some of that data across. I am pleased, but in this latest paper the Government now recognises the need to start from scratch; it recognises deficiencies in some of these data holdings and is now contemplating using those as a check mechanism, which does raise other issues but at least now they are going to broadly start with a clean sheet of paper. That makes it more costly, I appreciate that, but I think we would have a nightmare of problems if we started using existing databases as the foundation for any identity card system.
Q228 Mr Taylor: Mr Thomas, you argue in favour of the minimum of data visible on the front of any ID card. You mentioned, in particular, the National Insurance Number. Would not increased encryption and storing of biometrics, for example, make the system expensive and unwieldy to use because of the need for card-readers here, there and everywhere?
Mr Thomas: I wonder if I could invite my Assistant Commissioner to address that question. He is my expert on biometrics.
Mr Bamford: To the extent that anybody is an expert on biometrics! I think you are absolutely right that to put in place an infrastructure that provides the right degree of confidence that the person is who they say they are will cost money, and that will be expensive. That is the price of putting in place a system which does what it is intended to do; that shows that the person is who they are claiming to be. Indeed, we are talking about two biometrics here, not just one, because the actual photograph is a biometric as well. We are going to have another biometric on there as well but it needs to be held at an appropriately secure level. With the appropriate level of encryption, we make sure that only those who should be able to unlock our biometric can do so. That involves putting in place safeguards in terms of it being a template rather than an image of a fingerprint or an iris - an actual representation that is in code somewhere - to make sure only the right people can unlock it. Card-readers and that sort of infrastructure will be expensive. The earlier evidence pointed to the use of the art card (?) and, of course, card-readers are included as part of that technology, as part of payment to asylum seekers.
Q229 Mr Taylor: I am a total layman in these matters, Mr Bamford, but would it be an utterly shallow paraphrase to translate "biometric" as a human measurement?
Mr Bamford: I do not think it would be that shallow. I might put it slightly differently.
Q230 Mr Taylor: How would you put it?
Mr Bamford: I would say it is a representation of a persistent physical characteristic.
Q231 Mr Taylor: I have one further question, with your permission, chairman, and I do not mind which of you gentlemen answers it. You have stated a preference for iris recognition to fingerprinting as a chosen biometric. Would the inclusion of more than one biometric cause you any greater concern? I am not, for this purpose, counting the photograph as one of the biometrics.
Mr Bamford: I think it does cause us increased concern because the question we have to ask ourselves is why do we need more and more biometrics on there? If this iris recognition biometric or fingerprint is of such quality to say that is the person they say they are, then that should stand on its own and we should not have further biometrics.
Q232 Mr Taylor: A billion-to-one, we were told earlier.
Mr Bamford: As you heard from earlier evidence, there are different debates on the reliability of biometrics. I believe the National Physical Laboratory had conducted some research and does believe that iris recognition is a viable biometric. I think the important thing from a personal privacy point of view is that if we approach the inclusion of a biometric then it is one that has less connotations with criminal activity, one that individuals might have more confidence that they are not leaving around the place. Being sat in this room with you today, I may well be leaving my fingerprints around. I doubt very much whether the camera in the corner is of sufficient quality to be able to capture my iris. It is not of sufficient quality, I am sure of that; you have to keep your head still and there are all sorts of problems. In a personal privacy sense you actually really know much more when you are having your iris captured and read than you would necessarily about a fingerprint which you leave around. So I think it is important, from our point of view, that we look at what is the most privacy-friendly of the biometrics. I know there are arguments there about whether we should have biometrics at all but if we are going to look at this we should go for ones that are privacy-friendly. If there is a cost on that, then that has to be put in the equation as "Is that a cost worth paying to ensure we have a reliable and privacy-friendly approach to this?"
Q233 Chairman: One last question, Mr Thomas, if I may. Talking about the database itself, what do you understand to be the relationship between the Home Office's proposals for the new database and the proposals for the Office of National Statistics for a UK Population Register? Are there issues about the one or two systems, as it may be, that we should be considering as part of our inquiry?
Mr Thomas: I have asked myself the same question. I have had a meeting with the Office of National Statistics and some meetings with officials at the Home Office in the earlier part of last year. I am not entirely clear in my own mind yet how the two inter-relate, and I have yet to see a full answer to that question about the inter-relationship. I suspect - and I can say no more than that - that the national population register, which is now called the system information project, will, in due course, somehow become the national identity register, but I have not been privy to detailed thinking on that.
Q234 Chairman: Do you wish to say anything to us about how those two projects might be approached, bearing in mind your particular statutory responsibilities?
Mr Thomas: I think I would say that fundamentally any identity card system backed up by a national database must be put on an absolutely clear statutory footing, and I hope that that would be the context in which those issues would be addressed. I think we should all be clear as to exactly what it is that the Government is contemplating in terms not only of the legal and constitutional framework but also the operational side behind that. Yes, there has been, I think, a feasibility study with the ONS (and I think they are moving on to the next phase now) but we need to be as clear as we can whether that indeed is going to be the embryonic form of the national identity register.
Q235 Chairman: I am sure the Committee will return to that.
Mr Thomas: Could I make one final point in closing? I would like to endorse what was mentioned earlier about the concept of a privacy impact assessment. This is a technique which has been used more and more in countries like Australia, Canada and the United States when major proposals are being put forward - that a privacy impact assessment should be conducted. It would seem to me this is one area crying out, in due course, when we see the draft Bill, for a privacy impact assessment.
Q236 Chairman: Thank you. Perhaps, Mr Thomas, on that note, we could invite you to send to the Committee any further information about the international experience which we may not have. Thank you very much indeed.
Mr Thomas: Thank you very much for your time.