24 October 2005
Lord Holme of Cheltenham
House of Lords
London
SW1A 0PW
Sir:
Re: Identity Cards Bill
I note with some considerable interest and agreement your comments regarding this bill, as reported by BBC on-line today [24 October 2005], not least of which is your assertion that:
“Contrary to the government’s assertions, the committee reaffirms that the bill fundamentally alters the relationship between citizens and the state.”
I write today regarding a specific matter in relation to this Bill; one which it is my hope you will consider carefully and bring to the attention of colleagues in the House of Lords as they consider amendments to this pernicious piece of legislation.
Amongst the many misleading and disingenuous statements made by the Home Secretary during the course of the Third Reading debate on this bill I would draw your attention to this particular passage:
“The Bill also sets limits on the information that can be held on the register. It will not contain information about criminal convictions, financial records or political or religious opinions. Indeed, on Report, we have just amended the Bill so that it will not be possible to add a police national computer number to the register. No one will have access to the national identity register other than those operating it. What the Bill allows is for information to be provided from the register either with the consent of the individual or without that consent in strictly limited circumstances in accordance with the law of the land.”
This may be literally true but of itself it fails to acknowledge the extent to which the Bill makes possible the creation of an overarching ‘Database State’ in which all manner of personal data may be connected together and interlinked without either the knowledge or consent of the individual and with little, other than the Data Protection Act, to fall back upon in the way of safeguards.
To provide a little background to the statement above, I possess more than twenty years’ experience, both professional and personal, in the field of information technology and am well-versed in matters relating to the design, development and operation of computer databases. In short I understand in some considerable technical detail how databases work and what they are and are not capable of and therefore have little difficulty in accurately interpreting the provisions of this particular Bill in relation to the scope and operation of the National Identity Register. Consequently I know full well that the assurances given by the Home Secretary in regards to the extension of the National Identity Register to encompass personal data such as Police, Medical and other financial records are not worth the paper that Hansard is printed on and that his concessions in making amendments to the Identity Cards Bill in line with these assurances are no concessions at all.
This is, admittedly, a rather technical issue but one of critical importance and I trust, therefore, that you will permit me to illustrate this issue with examples which may more readily explain my concerns than would be possible with a detailed technical exposition of the issue alone.
In stating clearly and unequivocally that “it will not be possible to add a police national computer number to the register”, the Home Secretary clearly wishes to convey the impression that it will not be possible to extend the National Identity Register in such a way as to permit information held on the Police National Computer to be directly linked to the National Identity Register. This is, however, not true.
In order to link together data held in two different databases, one requires only that that data includes a common reference number, what in industry parlance is termed an ‘unique identifier’, in order to create a relationship between the data held in each of the individual databases. An example of such a unique identifier in use today is the National Insurance Number, which is used both by Revenue and Customs and by the Department of Work and Pensions to identify data appertaining, respectively, to an individual’s Tax affairs (e.g. PAYE records) and Welfare Benefits records (e.g. claims and payments). Using this single unique identifier one can locate and examine an individual’s personal records in either system and, equally, one can connect both systems together to compare said records, as already happens in investigations of suspected benefit fraud under the provisions of the Social Security Fraud Act 2001.
As should be clear from the example of the National Insurance Number, any relationship between personal data held in two (or more) database systems that is based on an unique identifier is a ‘two-way street’ – to link that information together requires only that each database make use of the same unique identifier as a common reference point.
While the Home Secretary’s statement and the amendment to the Bill to which it relates may appear, to a casual observer, to rule out the creation of such a common reference point between the Identity Register and certain proscribed classes of information, Police and Medical Records having been cited explicitly; this is in fact not the case. To prevent the creation of such a link one must not only prevent the recording of relevant unique identifiers from Police and NHS systems in the National Identity Register; one must also prevent the recording of any unique identifier contained in the Identity Register in data held in the corresponding systems that you do not wish to be linked to it.
The National Identity Register contains just such a unique identifier; the National Identity Registration Number (NIRN), which is unique to every individual recorded in the National Identity Register and is explicitly included in the information which can be disclosed to third parties under paragraph 14(2)(a) of the Bill; being one of the items of data listed in paragraph 4 of schedule 1 to the Bill. Further, once the NIRN has been disclosed, the Bill provides for no explicit restrictions or constraints on its recording and/or use by a third party, not even to prevent that third party passing the NIRN on to others.
I trust that you will recognise immediately the significance of this issue.
Not only does it remain perfectly possible to create the very kind of linkages between Police, Medical and other records and the National Identity Register that the Home Secretary might otherwise appear to be ruling out; but once the NIRN gets out ‘into the wild’ through having been disclosed to a third party in the course of using the government’s identity verification service, it then becomes possible for a third party, which for the most part will be private sector businesses, to use the NIRN as an identifier in their own database systems.
This has two immediate effects.
First, all such Private Sector databases wherever they are held become entirely transparent to the government and its ‘agents’; including the Police, Security Services, DWP investigators and pretty much any other agency with access to the National Identity Register and cause to wish to access or monitor personal data held about any citizen. The government et al will know exactly who is using the Register as it records all uses of it for verification of identity and will, therefore, know precisely where to look for data and what to look for – anything which includes or is linked to the NIRN.
Second, by providing a common reference point for establishing identity, it enables the Private Sector to more efficiently and accurately share and exchange personal data it holds about individual citizens. Even if we accept government’s assurances that it does not intend to create an all-encompassing governmental data system, which I don’t, there is nothing to prevent such a system being created in the Private Sector and entirely outside of the control of either government or the citizen. The Data Protection Act provides entirely insufficient safeguards to enable individual citizens to secure and protect their personal privacy in such a situation.
In short, without statutory restrictions on the disclosure, use and recording of the National Identity Registration Number by either proscribed government agencies or by the Private Sector the inevitable consequence of this Bill, if not a government-owned and operated ‘Database State’, will be but one or more parallel systems within the Private Sector over which there are no adequate controls or safeguards.
However, there is no fundamental reason why the NIRN should be, or has to be, disclosed to a third party in the course of providing an identity verification service.
There is a significant body of both extant literature and technological development in the field of what are called ‘zero knowledge systems’, systems which enable the verification of identity without the requirement for either a National Identity Register or the disclosure of personal data to a third party. In such systems, identity verification is a simple matter of ‘yes or no’. The subject either is the person they claim to be, or they aren’t. For all that such systems can more than adequately perform the basic function of an identity card; i.e. verify identity, and provide far greater security and privacy to the citizen, the government has refused throughout to consider such a system as an alternative to its own proposal.
There is, quite simply, no benefit to the citizen in permitting the disclosure and recording of their National Identity Registration Number by a third party and the potential for considerable harm and unwarranted intrusion into their personal privacy if such is permitted without restriction, particularly as Private Sector businesses are rarely, if ever, bound to consider, let alone observe, the provisions of article 8 of ECHR in their dealing with the public. There is, however, both considerable benefit to the Private Sector in being handed, by government, the means to accurately share and exchange all manner of personal information and data about their employees, customers, etc. Regrettably, one must consider both that there are those, either in government or in positions in which they are advising government on this Bill, who are both perfectly aware of this fact but who see no more significance in it than that it will assist greatly in selling the take up of identity verification services with the Private Sector, not least in creating a potentially lucrative market for information sharing which will, no doubt, attract its full share of would-be middlemen and information brokers.
If the House of Lords succeeds in nothing else in its consideration of this Bill during the course of Third Reading it should be to bring forward an amendment to the Bill which places clear restrictions and prohibitions on the disclosure, use, recording and transfer to third parties of the National Identity Registration Number, particularly in relation to use of the NIRN by Private Sector businesses.
At the very least one would expect a diligent government to specify clearly in secondary legislation, if not primary legislation, which classes of ‘user’ the National Identity Registration Number may or may not be disclosed to and upon what basis, for what reasons and for what uses the NIRN may be disclosed, recorded and/or used. Transfers of the NIRN to other third parties should be prohibited outright. At best it should require that identity verification be conducted on a ‘zero knowledge’ basis such that the NIRN is never disclosed to a third party and incorporate clear legal sanctions against any third party found to be making use of the NIRN in any manner not specifically prescribed in law.
Thank you for your time and consideration. I trust I have been clear enough in raising my concerns, which are admittedly rather technical in nature, that you may feel confident in bringing them to the attention of the House and might even consider putting forward an amendment to the Bill of the kind I have suggested in regards to the NIRN.
Regards
——-
Sending this today.
Oh, before anyone says anything – yes, I know Lord Holme is a Lib Dem peer but he is chair of the cross-party constitutional committee and this is so important that it’s a case of bollocks to party line.
And if I’ve not observed the proper form of address for writing to a peer, tough. I’m a republican.
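The linkage argument in the letter can be shown in a few lines. This is an added example, not part of the original letter: two unrelated databases that each record what a verification service hands them are joined once when that value is a register-wide number, and once when it is an opaque per-verifier token. The token scheme is a keyed-hash pairwise pseudonym, not a zero-knowledge proof, and the register contents, key, verifier names and function names are all constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample register; the identifiers are placeholders, not real numbers.
REGISTER = {"NIRN-0001": "A. Citizen", "NIRN-0002": "B. Citizen"}
SERVICE_KEY = b"constructed-demo-key"  # hypothetical secret held only by the register operator


def disclose_nirn(nirn, verifier_id):
    """Verification that hands the register-wide identifier to every verifier."""
    return nirn if nirn in REGISTER else None


def pairwise_token(nirn, verifier_id):
    """Verification that returns an opaque token that differs per verifier."""
    if nirn not in REGISTER:
        return None
    msg = f"{verifier_id}:{nirn}".encode()
    return hmac.new(SERVICE_KEY, msg, hashlib.sha256).hexdigest()[:16]


def linked_rows(verify):
    """Each verifier stores what it was given; then the two databases are joined on it."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bank (ref TEXT, balance INTEGER)")
    db.execute("CREATE TABLE clinic (ref TEXT, diagnosis TEXT)")
    for nirn in REGISTER:
        db.execute("INSERT INTO bank VALUES (?, ?)", (verify(nirn, "bank"), 1200))
        db.execute("INSERT INTO clinic VALUES (?, ?)", (verify(nirn, "clinic"), "asthma"))
    rows = db.execute(
        "SELECT bank.ref, balance, diagnosis "
        "FROM bank JOIN clinic ON bank.ref = clinic.ref"
    ).fetchall()
    db.close()
    return rows


if __name__ == "__main__":
    print("shared identifier:", len(linked_rows(disclose_nirn)), "records linked")
    print("per-verifier token:", len(linked_rows(pairwise_token)), "records linked")
```

The per-verifier token stops the two private databases from being joined with each other, but the register operator, who holds the key, can still map every token back to the individual.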
Well put. You have persuaded me there are significant holes in the govt’s proposals.
Are there any disadvantages to the ‘zero knowledge system’? Doesn’t this strengthen the case for an ID system because it is more difficult to crack?
How would the transfer of information between third parties actually harm the innocent individual anyway?