A lot of people seem to think the Windrush scandal is an argument for national ID cards, and as a result, the Financial Times ran this collection of four short articles on four different experiences. This includes two European ones that are kind of OK, the disastrous Indian Aadhaar project, and one that hasn’t happened yet, here in the UK. Adam Payne, the author, ends up arguing that we should build a national biometric identity database but not issue the cards.
This is an absolutely terrible idea for several reasons. The first is that it offers all the downsides of compulsory ID without the benefits. If you think that, say, it would help people who are subject to racial discrimination to be able to unambiguously demonstrate their citizenship or immigration status, well, then you need to issue a document they can produce. What if the problematic cop or Jobcentre Plus bod or whoever refuses to check your biometrics, for example?
The second is operational in nature. If you are going to check biometrics against the register, this implies you can only check them on-line – no network, no checks. Alternatively, every agency that might want to do ID checks will have to have a copy of the register at every one of its locations. The former home secretary Charles Clarke once memorably advertised national ID cards on the grounds that you could use them to get a video from Blockbuster. This would imply hundreds of thousands of local register copies sculling about, in which case it will be absolutely certain that copies of it will be lost, stolen, or leaked. It would also be necessary to keep them up to date, not a trivial issue in itself.
Back when we fought and won the campaign against ID cards, the threat of data breaches was something we had to harp on again and again because at the time it was largely hypothetical. Since 2010, though, we have seen a constant parade of enormous data losses. In the case of Yahoo! in 2014, a billion users’ data was lost. Wikileaks dumped the entire archive of US diplomatic cables. Target lost tens of millions of live credit cards. AshleyMadison let slip who was cheating on who, and ironically enough that it was cheating them. These are just the most outrageous examples. We live in the era of the data breach and it is high time the ID card fans hoisted in that the disasters have happened, that they are a reality.
The loss of a copy would be a serious matter, as just searching it for duplicate biometrics would give away everyone who used more than one name, something which is in fact your legal right. This would be very bad news for people fleeing abusive spouses or families, witnesses in major criminal cases or those threatened by organised crime, transgender individuals, police or security service informants, police or security service officers operating under cover, whistleblowers, journalists and their sources, refugees, and probably some more people I haven’t thought of. Also, if the proposal involves an audit trail of every time the register is accessed, like the original National ID Register, someone obtaining a copy would also know who had been checked at that location and when.
Actually-existing biometric ID systems, like the ones used to control access to data centres or the visas the Home Office actually issues, very rarely work in this way for precisely these reasons. Instead, they verify the fingerprint or iris photo or whatever against data stored on your card, and then verify the cryptographic signature on the card against the card issuer’s public keys. This process can work offline and independently of the central register and in fact doesn’t even need a central register, because it is the signing process itself that provides a guarantee of the card’s authenticity.
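The offline check described above, sketched as an added example (not code from any real ID scheme). The `Card` layout, the `DemoIssuer` helper, the choice of Ed25519 and the use of Hamming distance as a stand-in for a real biometric matcher are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"math/bits"
)

var ErrBadSignature = errors.New("card not signed by this issuer")
var ErrMismatch = errors.New("live sample does not match card template")

// Card is a hypothetical layout: holder name, biometric template, issuer signature.
type Card struct {
	Name          string
	Template, Sig []byte
}

// payload is what the issuer signs; the length prefix keeps the name/template boundary unambiguous.
func payload(name string, tmpl []byte) []byte {
	return append(append([]byte{byte(len(name))}, name...), tmpl...)
}
// DemoIssuer derives a key pair from a constructed all-zero seed (demo only).
func DemoIssuer() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}
// Issue is the only step that needs the issuer's private key.
func Issue(priv ed25519.PrivateKey, name string, tmpl []byte) Card {
	return Card{name, tmpl, ed25519.Sign(priv, payload(name, tmpl))}
}

// VerifyOffline needs only the issuer's public key: no network, no register.
func VerifyOffline(pub ed25519.PublicKey, c Card, live []byte, maxBits int) error {
	if !ed25519.Verify(pub, payload(c.Name, c.Template), c.Sig) {
		return ErrBadSignature // forged or altered card
	}
	dist := 0 // Hamming distance: simplified stand-in for a real matcher
	for i := 0; i < len(live) && i < len(c.Template); i++ {
		dist += bits.OnesCount8(live[i] ^ c.Template[i])
	}
	if len(live) != len(c.Template) || dist > maxBits {
		return ErrMismatch // valid card, wrong person
	}
	return nil
}

func main() {
	pub, priv := DemoIssuer()
	card := Issue(priv, "A. Holder", []byte{0xA5, 0x3C, 0x0F, 0xF0}) // constructed template
	fmt.Println(VerifyOffline(pub, card, []byte{0xA5, 0x3C, 0x0F, 0xF1}, 2))
}
```

The verifier holds nothing but the issuer's public key, so losing a checking terminal discloses no holder data.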
I think it is actually fair to say that in NO2ID we were much more vehemently opposed to the register than we were to the cards. If it had only been cards, there might have been something to discuss, although we didn’t trust the government to issue them without also creating a register. But from very early in the process, it was clear that the point was the register and the cards were more of an excuse.
A third problem here is that it is in the very nature of biometric identification that once compromised it is extremely difficult to revoke, because your biometrics are what they are. At least, this is what the theory says – it’s not as good as that in practice. Biometric systems can be spoofed and have been spoofed, and demonstrations of spoofing have been common at hacker events for over a decade. But in some sense that’s a good thing; if there is some noise in the process it’s at least possible to issue a new card that would not be identical with a previous, compromised one. Also, a cardless system is one-factor rather than two-factor authentication; you need only to either sign up with your real biometrics and some other name, or else present someone else’s biometrics. A system with a card requires you to do this and also steal, apply for, or make a valid card.
This brings me to my fourth and final point. The worst thing about this proposal is the insult to the public’s intelligence. The idea is to put over all the same problems the original NIR scheme had, plus some more quite serious ones, and hope nobody notices because they don’t have to carry a card. The only point in its favour is that it might pull the wool over our eyes. This is a good argument for Sir Humphrey Appleby; what a journalist is doing making it, I have no idea.