ID cards: a guide for technically-challenged PMs
Why is the UK sleepwalking into an ID scheme that has not been discussed, but that is nevertheless somehow moving ahead at full steam? And, for that matter, why is Europe doing so? The United States? The world?
Think about it - it wouldn't be compulsory if you had a choice, would
it? David Blunkett's national ID card scheme has had more spikings
than Dracula, yet each time has plucked the stake from its heart and
continued its purposeful stride towards the statute book.
In early November the British Cabinet opted for voluntary schemes to
build a base, with a compulsory scheme coming "when the conditions for
moving to a compulsory card are met." Days later, there was Blunkett
before Parliament making what sounded like a victory speech. With or
without a green light for national ID cards the bulk of the cost is to
be incurred anyway, he made it clear. The system is to be brought in
for passports, driving licences and a series of special cases
(overseas residents, asylum seekers...) anyway, so as Blunkett spun it
there's only an extra 4 each to be incurred for the full scheme, so,
what the hell, we might as well go ahead.
And just last week Tony Blair gave cards his seal of approval,
claiming that civil liberties objections had been largely overcome,
and that the main challenges now were technical. Indeed they are,
Tony, but we fear you have little grasp of how big they are.
So how the blazes did this happen? Why is the UK sleepwalking into an
ID scheme that has not been discussed, but that is nevertheless
somehow moving ahead at full steam? And, for that matter, why is
Europe doing so? The United States? The world?
We might as well do it, anyway One of the other major components of
Blunkett's standard 'we might as well do it anyway' presentation is
the incontrovertible fact that Europe has standardised biometrics for
ID roadmapped, and that the US will be requiring biometrics on
passports shortly. These two having moved, there does seem a certain
inevitability to the rest of the world moving as well. So, if
biometrics are to become the global standard for ID, we're obviously
going to have to invest in biometric systems for our ID documentation,
which is why there's no point in asking people whether or not they
want biometrics on their passports and driving licences.
Which is all perfectly logical, except that there's one little nagging
question - how did biometrics become the accepted, logical, inevitable
international standard for ID in the first place?
Well, it's obvious, isn't it? If your fingerprints are found at the
scene of the crime, then you almost certainly did it, didn't you? And
similarly, other apparently unique characteristics such as your iris,
your DNA and so on can prove conclusively who you are, where you are,
and where you've been.
This obviousness clearly drives David Blunkett. He is unshakably
convinced that, as biometrics identify the individual with a high
degree of certainty, it stands to reason that biometrics provide
a sound foundation, probably the only sound foundation, for ID
systems. On the one hand we shouldn't be too hard in him for this,
because it's a conviction shared by much of the population, but on
the other he is part of the team that supposed to be running the
country, so it seems to us he has a certain responsibility to think
Just a bit.
Given that the alleged free world is already barreling down this route
with little or no sign that anybody has paused to think it through, we
don't hold out a great deal of hope that they'll do so now, meaning
they're all going to have to learn the hard and expensive way. But
just in case there is the odd politician out there still prepared to
consider the possibility that it does not stand to reason, we here
propose a short, readily-understood Register explication of why it
does not, and why, if we don't wake up very soon, we will end up
spending several billion on proving to ourselves it does not.
Biometrics works. Did we ever say they didn't? In the shape of
fingerprints, biometrics have provided a highly accurate mechanism
for identifying criminals for many years now. In this role they
clearly work, and their accuracy has contributed heavily to the
general viewpoint that fingerprinting must therefore surely be a
kind of gold standard for identity. But think - what mechanisms
are used and what data is required in order to match a suspect up
with the scene of the crime? Well, first of all, you need a crime
at which a fingerprint is left - note that this will in most cases
be absent when a fingerprint is being used to check identity, but a
databank containing the relevant fingerprint alongside hundreds of
millions of others will exist.
In the case of the scene of the crime fingerprint, the matching is
done against a database of known suspects and criminals, and may
also be compared with the fingerprints of specific suspects. The
matching process can be time-consuming and can involve a considerable
amount of manual effort, but this is acceptable on the basis that
the search being conducted is limited and relatively targeted.
But on a wider, a far, far wider basis, this all gets complicated.
The fingerprints you leave vary to an extent, and although this won't
save you if you left them at the murder scene, it can most certainly
confuse automated systems. Obviously, the checking of fingerprints
that are being used as the standard to validate ID documents has to be
automated. You could leave a different print depending on the surface
you touch, what you've been touching recently, how clean your hands
are, or what you've been working with.
Bricklayers, apparently, tend to have rather faint fingerprints. So
you can maybe think of fingerprints as being a little bit analogue,
variable enough to confuse machines, although still static enough to
be readily-identifiable by human experts. It may be significant that
already, just a few months into its introduction of fingerprint
checking, the US government has started trying to define standards of
compatibility for fingerprint reading equipment. This may be entirely
because it's simply concerned about incompatibility, but could also be
flagging growing matching problems. Ultimately these can probably be
licked by the application of computing power, but this is not the only
difficulty. Let's assume we have a passport or a driving licence with
a fingerprint on it, and a bearer we wish to match up. The simplest
way to do this is as a local transaction. You have what ought to be a
clear and standard print on the passport, you have what ought to be a
pretty effective machine for reading fingerprints (sole purpose of
machine - if it is ineffective, you have a big problem with your
supplier), and you have a finger. Should be easy, right?
Whose identity is it anyway? Well it is, because all you're doing is
checking two things. First you're checking that the finger of the
bearer is the finger that left the print in the passport, which ought
to be easy, and second, you're checking that the passport is genuine.
Which is maybe harder. Virtually all countries have some level of
problem with forged and falsely obtained passports. In the case of
forgery it's a continual battle to make it harder (and actually,
biometrics are a pretty good addition to the armoury in this area,
because at this level they're relatively cheap and effective).
Falsely obtained passports are however a lot trickier.
Biometrics on a document can by themselves only provide conclusive
proof that the person presenting the document is the person whose
biometrics are on the document, not who that person is. If you wish
to be absolutely certain of this, then you need to be absolutely
certain of the integrity of the issuing authority.
In the UK at the moment, we can really only go as far as saying there
is a high probability that the integrity of the Passport Office has
not been compromised in the case of a particular document, and that
there is a fairly high probability that the integrity of the DVLA has
not been compromised with respect to a drivers licence. But it
happens in both cases, and while steps are slowly (very slowly) being
taken to increase the confidence we can have in these documents, only
a fool would say fraud can be absolutely eliminated.
It's no accident that passport and drivers licence are being used as
the cornerstones of the UK's universal identity card scheme, but
beyond that we have a significant percentage of the population which
will need to be added, without the creation of new false identities,
and the integrity of the system as a whole will only be as good as the
integrity of the authorisation used for this part of the population.
Although most of these people will have some other kind of identifier,
such as a national health or national insurance number, these are
already too compromised to provide a solid basis for identity.
The current controversy in the UK over the entry of economic migrants
also provides us with an example of how the overall integrity of a
national ID system can be compromised. The numbers involved are
apparently small in this case, but nevertheless a system which is
designed to make decisions on the basis of validated data (in this
case, concerning the subject's identity, resources and business plans)
has been compromised by the rubber-stamping of applications based on
This route could have been used to convert false ID into legitimate UK
ID. In this case the loophole appears to have been created by the
operators (it's not yet clear at what level) overriding control
systems in order to deal with backlogs. All large-scale data
processing operations are vulnerable to this, and it would be
reasonable to presume that large-scale ID data processing systems will
at least initially introduce many vulnerabilities of this kind.
Do not worship false identities. Overall in the UK, however, we're
sitting comparatively pretty. Our issuing authorities are honest and
reasonably efficient, so we can be reasonably confident that the
bearer is who the document says they are.
This is not the case elsewhere. In the home of the war on terror, the
drivers licence is used as a form of universal identity card, has
historically been obtainable under assumed names with ease, and has
therefore (well after 9/11) therefore provided a ready basis for
the creation of false identity. A massive and immediate tightening
up of the issuing systems in the US would simply choke off one major
source of new false identity, while the elimination of existing ones
would be a far more daunting task.
You can, slowly reduce, maybe almost eliminate, false identity in the
developed world, but what of the rest?
There are plenty countries whose documents, because of fraud,
incompetence, inadequate systems or plain old political collapse, you
would reasonably suspect. But in between the documents you're fairly
sure of and the documents you're reasonably sceptical of you have a
fairly large area that will surely be targeted by the sensible
terrorist in search of false identity. If one can bribe an issuing
officer in a country whose passports nevertheless provide a reasonably
high level of confidence (a close ally of the United States would be
good), then who needs to mess around with forgeries?
So, back at the desk with the passport and the finger, we can be
reasonably sure that a local check will be sufficient in the case of
quite a number of documents we're fairly sure we can rely on, but
not in the case of large numbers of other documents, which are
those most likely to be carried by the people we would like to
suspect - illegal immigrants, drug smugglers, terrorists - if we had
the means to suspect them. So we need to check more.
I know, let's do the show online! As the US, with the enthusiastic
support of Europe, is to all intents and purposes compelling the world
to adopt biometrics as the ID standard, we will have an ever-growing,
ever more global, database first of fingerprints, then of faceprints.
60 million for the UK, say 300 million plus for the US (they're
already collecting), 4-500 million for Europe, and so it goes on. The
arrival of modern standards of biometrics in passports will result in
the production of matching (perhaps...) databases in the countries of
the issuing authorities, and in an increasing exchange of these
databases between countries.
The challenges here are obvious, and the data you're most likely to
want to run an online check on (we've already established we'll trust
most UK ID) is precisely the data you're going to be least sure of,
and have most trouble in keeping up to date. You're not just going
to have to check that a usually static data combination of biometrics
and name/ID is valid, but all sorts of other stuff as well.
Do the biometrics associated with the ID you're currently checking
also apply to a previously used, different, ID? You can only be
confident that they don't if you're prepared to crunch through the lot
looking for duplicates. Also, you are going to need to be sure that
matters that should be associated with the ID (outstanding warrants,
recent atrocities, the deep suspicions of the CIA or the Humberside
police) have been.
So you're really talking about pouring vast amounts of data from many
diverse (and unreliable) sources into the global database very, very
That's clearly a Big Brother nightmare, but it probably needs worrying
about more on the grounds of the amount of money we're going to spend
on it than because it's actually going to work. The problem for the
authorities here, however is that they're going to have to try to make
it work if it is going to deliver what they say it's going to deliver.
If you do not check for duplicates, for example, then the system is
not going to tell you that Fred Bloggs of Sollihul is in fact Osama
bin Laden. A silly example? Yes and no - obviously, it is not very
likely that our current entry systems are going to let someone called
Fred Bloggs walk through when they look strangely like Osama bin
Laden. However, if he checks out as Fred Bloggs, UK citizen, with no
record under our future automated systems, then general appearance is
rather less likely to be challenged, or even noticed. So the assumed
reliability of the systems could actually increase the security of
fugitives in the event of their having successfully obtained clean,
If you take a rational and realistic view of the current capabilities
of the technology, and of what it will be capable of in the
foreseeable future, then you'll realise that in almost all cases the
system will default to the local check, and we'll be running on the
current procedures (visual, customs officer's suspicions, watch-lists)
to determine when further checking is required. This realistic view
is however not necessarily shared by the people commissioning the
systems. Some months back Fiona McTaggart, a Home Office Minister (at
time of writing anyway) wrote in a self-exculpatory piece in The
Guardian that in the future we wouldn't actually need passports and
Which is absolutely true, if you're checking biometrics against a
central database every time, for every individual, whenever
identification is required. Under these circumstances documentation,
plastic, even clothing is entirely unnecessary, because you are your
identity. Fiona did not say at what point in the future this scenario
would be technically achievable, but it's all too likely that the Home
Office thinks it's a lot closer than it really is, and that it will be
Polluted inputs. We've already looked at several examples of polluted
inputs that could undermine the system's integrity - false US ID,
inadequate, arbitrary or cursory UK checking systems, and input
systems from many other parts of the world whose reliability is
debatable. These can clearly provide routes for the people you wish
to intercept to pass through your control points and swim happily
in your system. But what about the broader issue of what you do
about those individuals who do not have ID that can be processed
by your systems? Most of the world's population currently falls
into this category, and that will likely remain the case for many
years - so what do you do about them?
Well, in order to process them you need to give them some form of ID
that your system can process, and on a small scale we're already
doing this. Most people visiting the US will now, one way or the
other, have their biometrics on the US database, and the UK can
been phasing in fingerprinting of travellers coming from areas
with a high incidence of asylum seekers. But what are we actually
doing in these cases? Effectively, we're creating an ID that is
valid within our system for the individual, and as always that
ID is only as good as the inputs on which we base our decision.
The US or British consular official who grants the ID will make the
decision on the basis of interview and supporting documentation,
but how sure can we be about the validity of the information
presented? And the more applications we have to process, the
less likely we are to conduct examinations of the detail necessary
for us to have confidence in that information. To avoid either being
overwhelmed or ending up presiding over a rubber-stamping system,
we therefore have to pressure countries to introduce ID systems
which we can then presume provide a valid and accurate statement
of an individual's identity. But will be really be confident
in these, or will we simply be making that presumption in order to
stop our own systems breaking down?
So who the hell do you think you are? We shouldn't get too sniffy
about the reliability of identity systems in the developing world,
because when it comes down to it we in the west have precious
little justification in being so damned sure about identity.
Try this little parlour game, which I promise you has a moral to it.
Ask yourself who you are, how you know this, and how far back in
your life you can get before you start to get a little doubtful.
You won't get anything like so far back if you perform the exercise
on friends and family, but stick with yourself for the moment.
Your family can vouch for you up to a point - but are they
telling the truth? You have a birth certificate, but is this really
you? Is the information on it correct? How do you know?
Fingerprints don't work when you're born (even David Blunkett doesn't
fingerprint newborn babes yet, anyway), and general DNA testing at
birth doesn't exist yet either. But say it did, and you were then
able to point out that your DNA matched the DNA on the birth record,
therefore you were definitely you... Er, who? Of itself this simply
means your DNA matches the birth record, which is just as close to
establishing ID as your fingerprint matching your passport (we covered
this, right?). But it also provides proof that you are related to the
people in your immediate family (or not - hey, mom...), and various
things about your broader ancestry.
Effectively, what it's doing is establishing an identity for you in
relation to the identities of a number of people surrounding and
preceding you. But your identity, or what you think of as your
identity, is something that has been assumed, generally, and by
the accepted systems, as genuine at some point. This is probably
around time of birth, but not necessarily, and not entirely -
Fergusson, for example, suggests a Fergus as parent (allegedly...)
at some point in the past, while Smith suggests an ancestral
occupation and Pasteur a dairyman (joke - don't write in).
Identity is actually something that is established through a series of
factors, history, occupation, location, parentage, and the whereabouts
and circumstances of you or your ancestors when state systems began to
require fixed and recorded tagging systems. The existence of these
fixed systems does not however mean that you do not have multiple
identities or identifiers (more people in my street, for example, will
know me as the bloke at the top of the road with the dodgy old motor
than will know me by name), nor does it mean that what they regard as
fixed is what you personally regard as your identity.
But they've got something they're happy to think of as your unique
identity, and we think of what's happening now as a successor to the
processes that defined that ID for them. In developed countries at
some point in the past couple of centuries the music stopped,
censuses were taken and identity standards were defined. Now
governments are pushing for a similar, global exercise that will
result in everybody having what government will view as a standard
identity, and where there is no pre-existing reliable identifier
(as in the instances where people who didn't use surnames were
assigned them), a new, relatively arbitrary one will be created.
As we've seen, this doesn't get us very far, because what we're
interested in is the things that are associated with this identity,
rather than the identity itself. Granted that false identities will
inevitably be imported into the new systems, we'll need to wait at
least a generation for these to work through, and granted that the
systems' efficacy in fighting crime is dependent on accurate input of
new associations, we'll need to wait a lot longer than that. But we
will be able to say who everybody was saying they were when they first
entered the system. Cool - but is it helpful, or worth the money?
By John Lettice
add a comment on this article