Reprocessed, by Matt Patterson

Something approaching a weblog

Identity crisis

So, the government wants us to carry biometric national ID cards does it? Arguments about how dangerous the proposals are have been made elsewhere (NO2ID, the people behind that have plenty to say on the subject...) and while I agree that the whole thing reeks of a state power-grab, my overwhelming sense is that it's a real wasted opportunity.

There are two main problems with the government's proposed scheme. The first is that the governments stated reasons for wanting a ID card are pretty much entirely specious: terrorism, benefit fraud, and identity theft will probably be pretty much unaffected or get worse with the proposed scheme. Indeed, Lord Carlile, the government's official reviewer of terrorism legislation, has already said that ID cards 'couldn't possibly' have helped prevent the July 7 bombings. ID cards don't really address those problems, and the system will inevitably be laden with exploitable holes: social, mechanical, and electronic.

The second problem is that the scheme aims to create a central repository of vast amounts of personal information about everyone. It looks like the intention is for several agencies to store some or all of their information about someone in the repository. Let's face it, can you name a single government IT project in the last twenty years that has been brought in on time, on budget and working, or even one that has been brought in and worked? There's certainly nothing of this scale. Everything's going to be in there and it's going to break, and probably break horribly. It depends on biometrics, for crying out loud.

That's not good: the worst-case posited by groups like NO2ID is that a broken ID card system means people being expunged from the system, becoming official non-people. And that's not all. If you look at the bill you can find this section, which details who can get to your information. The answer, it seems, is just about anyone, and without your permission.

Here's the thing. I've got no objection to carrying a national ID card, but what's being proposed isn't solely about identity, it's about data aggregation. I had this idea. What if, instead of all my data being held centrally, my ID card validated my ID. When Social Services want to find out if I've been involved in child abuse, which they do through the CRB system (these checks are standard for anyone involved in youth work) then they know my ID, and the Police know my ID. I've applied to work with kids, Social Services say to the Police that person with ID X needs checking and the Police can hand the info over.

This is pretty much what can happen now, without ID cards or a national database, except that proving ID is a harder task: there's ambiguity about who I am. An ID card could make a whole load of those transactions easier.

The point is that the government seems to want to replace the transactions rather than make them easy. The reason I say that this is a big wasted opportunity is that there are several interesting prerequisites for a system where an ID card served to verify identity, and not store information. You'd need persistent, unique, ids, and you'd need to be able to query the ID database, but only to do things like verify that ID X was a real ID, or that person X claiming to be the holder of ID Y and authenticating themselves with digital signature Z was really who they claimed to be.

That sounds like it could be made into a web service. In fact, that could be a web service in the manner of the OpenID project. A government-backed and provided system which you could use to prove who you were to systems (blog commenting, banking, central government, local government) that you wanted to use and had chosen to identify yourself to. That would have been cool. And useful. And how often can you say that about a government IT project?

This is an admittedly naïve and optimistic view. I was chatting to Webb about this and he said:

my concern would be that the ID and the identity are being conflated. the ID isn't an int, it's a pointer: *ID

That's the rub, really. I'll have to think about that.

Not forgetting:

This page is: