Wednesday, November 02, 2005

ID cards and the National Identity Register

This post opposes the introduction of ID cards in the UK, by challenging some of the arguments made in support of the scheme.

It is written partly in response to Neil Harding's website, in which he outlines the reasons behind his support for the proposals. (Other sections have been written elsewhere, and are repeated here for convenience).

Comments are very welcome - I would especially appreciate it if anyone could point out any inaccuracies, and similarly if anyone could provide further information or references in support of any points made.

Neil Harding raises many points of interest. I won't try to answer all of them here, but I'll quote a selection of those I thought most important, together with my attempt at a refutation where appropriate.


1) "The main difference as I see it, between supporters of ID cards and those against, is this. I basically believe that our government in the UK, have on balance; the best interests of their citizens at heart. Whereas a lot of opponents see government as evil and corrupt and something we shouldn't co-operate with... [B]asically I believe government represents public opinion and government is an extension of us. We should consider the government as on our side and participate with it as much as we can. This is the best way to improve government... It seems all the objections opponents have to ID cards are, in fact, objections to bad government."

I don't agree. I, for one, do not believe the government to be evil or corrupt. I do see it as being often (collectively) unwise and shortsighted, and sometimes as having little or no respect for the opinions of 'ordinary' people (e.g. the Iraq war: the vast majority of the population opposed Britain's involvement, and the government utterly ignored their objections), but I certainly don't mean to imply that its intentions are bad. It is therefore perfectly possible to argue that a proposed Bill is unnecessary and unwise, without this being an attack on the government as an institution.

2) "Even if the ID card scheme did prove to be a complete disaster and I'm pretty sure that won't be the case. The cost at £5.8 billion is about the same as 1 years spend on the Iraq War.

We have elections every 5 years and it could quite easily be scrapped in the opening voluntary 5 year stage of its introduction if people are not happy. It would not be a massive problem for a trillion pound a year economy to overcome."

Two points come to mind:

i) While that may be true, £5.8 billion is still an awful lot of money! If the purported benefits of the ID scheme are in dispute (which they clearly are), whereas the benefits of allocating this money to the NHS or to education, for example, clearly aren't, then why take the significant risk that this money will be wasted?

ii) Also, in practice, I'd suggest that it's pretty unlikely the scheme would be repealed after that amount of money had been spent on it, regardless of how much of a disaster it turned out to be. There seems to be a prevailing attitude (in business, as well as in government) that having spent the money in the first place, you might as well now make the best of it... so it is doubtful that any future government would hold their hands up, confess that nothing useful can be made of the apparatus in place, and simply dismantle it all (and of course accept the mass redundancies that would follow, when those people brought in to maintain the scheme were no longer needed). Upshot: if the scheme is indeed unsound and needs to be stopped, then it is quite possibly now or never.

3) "ID cards work in practise. Sweden has a compulsory NIR ["National Identity Register"] which brings many benefits. NO2ID oppose a compulsory NIR but cannot answer the question; if it works in Sweden, why not here?" Also: "Why do 21 out of 25 EU countries think its worth it?"

Yes - why do they? Sweden (along with many other countries with ID systems in place) has significant problems with unsolved crime and illegal immigration. Tax and social security fraud are as common in Sweden as elsewhere in the EU; besides which, identity theft is rising steadily in Sweden, just as it is elsewhere. ID cards and registers may perhaps change the nature of certain crimes, but they certainly don't seem to be preventing them.

Indeed one school of academic thought seems to suggest that they may *increase* crime, as career criminals adapt their strategies - see for example this page for one argument in point. Here's an extract:

"Dr Finch points out that identity cards depend on birth certificates, passports and driving licences, ‘all of which’, she says, ‘are easy to obtain in someone else’s name.’ With these pieces of information we will issue ID cards which we will regard as infallible.

‘But you can’t change a bunch of insecure pieces of information into one secure one,’ says Finch. ‘If you do, you run the risk – and it’s a risk the Home Office has acknowledged – that someone else will get in first and register as you. Once your identity has been registered, you cannot register in that same identity – in other words, as you.’"

The mere fact that a lot of other countries have ID schemes in place is insufficient to justify developing one in the UK. Nor is it particularly helpful to refer to the fact that citizens in those countries often have no complaints about the scheme in place: those schemes often began a long time ago under a variety of different circumstances, and evolved into their present form only when their populations were used to them. Sweden is an interesting case in point, since that is the country which Neil Harding refers to as an ID success story: Sweden's national registration system dates back to the 17th century, when it began as compulsary registration with the Church. The register was only secularised in 1991, by which time, of course, the system had become part of the country's cultural heritage. Here's a (perhaps unnecessarily melodramatic) example: it's worth noting that the Hitler Youth (for those children born in Nazi Germany) were for the most part perfectly content with the regime in place: it is human nature to believe that the system in which we have grown up is the right one.

The fact that ID schemes exist in, and are deemed acceptable to the populace of, those countries which have long used them is not, therefore, convincing evidence in support of introducing a new scheme in the UK.

4) "Even opponents of ID cards admit identity fraud cost (latest figure 2002) at least £150 million a year (they also admit this is likely to be an underestimate). The annual running costs of ID cards will be £85 million. So this alone, means ID cards pay for themselves..."

Harding quite rightly states that the £150 million/year figure of the cost of identity fraud is probably an underestimate. However, estimates of the startup and running costs of the ID scheme itself have also varied wildly, so overall we'll perhaps not be too far off if we work with the estimates Harding gives, so: identity fraud costs £150m per year; the ID scheme will cost £5.8 billion to set up, and then £85m per year.

So let's assume for the sake of argument that these figures are correct, at least in proportion to each other, and that the ID scheme will successfully end *all* ID theft (thus cutting the cost to the country, from £150 million per year, to 0).

In this case, the net profit year-by-year, will be £150m (the saved cost of identity fraud) minus £85m (the running cost of the ID scheme), which == £65m per year.

The estimated startup cost we're working with is £5.8 billion, so for this to mean that "ID cards pay for themselves", as Harding suggests, this cost must be absorbed by the savings made. So:

£5.8 billion / £65m == 89.2 (approx)

So in other words: the ID scheme, even using Harding's own estimates, will not pay for itself for nearly ninety years.

Does that seem like a sound investment?

5) On the 'voluntary' phase, and in response to the challenge that the scheme will not be voluntary for passport applicants: "Nobody has to have a passport, so it is a voluntary scheme. I know this is a bit of a cop out, but it is the same argument you use when you suggest it is voluntary to have credit cards or debit cards, bank accounts, use supermarket loyalty cards, the internet, the library etc. etc. [all of which require giving personal information]".

With respect, the right not to register for a passport is not really comparable with the right not to use credit cards, loyalty cards, etc, because there is no threat hanging over us that it will soon become compulsory to use these other voluntary services. Those people (like myself) who are opposed to the ID scheme to the extent that they would consider emigrating to avoid it face this obvious problem: you can't leave the country without a passport, and you already can't get a passport without registering for an ID card. So for those of us whose passports are due to expire soon, what option, in reality, are we being left with? We can't leave the country without registering for an ID card, and if we remain here then it is entirely possible that the compulsory phase will come into force in 2013 and will thus catch up with us anyway. So how is this actually voluntary?

6) In response to the challenge that future governments might be less liberal and could then abuse the information stored in the NIR: "If you are going to assume a Nazi invasion in the future, maybe we should get rid of all our govt's records about us, just in case. Its a bit of an exceptional thing to do. Lets make everyone's lives worse for an indefinite period just in case the worst case scenario ever happens."

Fair point - clearly it is not sensible to base all our decisions on the basis that an illiberal regime may one day, somehow, take power. On the other hand, it is certainly far from impossible that this could happen, so would it not be better to strike a balance? i.e. maximise efficiency as far as possible without developing a system which could one day be abused. In the words of security technologist Bruce Schneier, "It is poor civic hygiene to install technologies that could someday facilitate a police state".

On this point, then: If it is the government's honest view that the nation would benefit from a centralised, universal way of proving identity, age and address, and from having a card and central register which provides an easy method of proving these things, then perhaps fair enough, in principle. However, why is it necessary that the register also store an array of other sensitive information, and moreover an exhaustive list of every time, place and circumstance where the card is used? It is this information - and the profile which it will build up of the individual's lifestyle, preferences and habits - which could potentially be abused in the future. So why not simply have the "ID card" be exactly that: a way of proving ID, and nothing more?

At the very least, there could be an automatic system which expunged records of transactions from the register after a long enough time had elapsed that they are not likely to be needed any more (e.g. five years) - but if the proposal is that this information is to be stored indefinitely, then the obvious question is: why? What is this information actually useful for? If the answer is that, after a suitable period has elapsed, it is unlikely to be used for anything, then surely common sense and good "civic hygiene", as Schneier puts it, would dictate that this data should then be deleted, so as to protect it against the possibility of future abuse? If this modification were inserted, I might - I stress might - be a little less concerned.

In addition to the above suggestions made by Neil Harding, ID cards have also often been cited as providing possible solutions to a number of other problems, so it is worth considering some of these as well:

"The ID system will stop benefit fraud".
I believe the general consensus is that it won't. Quoting Mr. Lilley, in an extract from one of the Commons Debates: "Of the identified frauds and abuse in my Department only 5 per cent. involve abuse through misrepresentation of identity. The bulk of fraud and abuse is the misrepresentation of circumstances of people whose identity is not in doubt... [so the] gains which might come from a compulsory identity card would probably be very small."

In other words, 95% of benefit fraud as it stands currently would be untouched by the introduction of an ID scheme. The ID scheme itself, on the other hand, will cost so much to set up and maintain that it would, again, be decades before it paid for itself, and that's assuming that new forms of fraud don't come along in the meantime.

"The scheme will stop illegal immigration"
How can it? Obviously no one entering the country will have an ID card, and those intending (or claiming that they intend) to remain in the UK for three months or less will not be obliged to get one - so all a would-be illegal immigrant will have to do is to claim they're here on holiday, and then disappear into the woodwork, whereupon they'll undoubtedly find unscupulous employers willing to pay cash-in-hand for work, so the transactions never appear on any record.

"ID cards will help prevent terrorism"
NO2ID's own site answers this point well, here: "Despite evidence that the biggest threat of terrorism is home-grown, arguments that ID cards will ‘protect’ us from foreign-born terrorists continue to grow. This is simply not the case. Foreigners who are in the UK for three months or less will not have to carry one. Three months is plenty of time to arrive, plant a bomb and leave again. To those who are resident and will have to carry them, an ID card will deter them no less than, say, a bus pass."

Another point which has been raised against those objecting to the scheme is this:

"The ID scheme will not demand any more personal information than is already held by the electoral register, banks, phone companies, etc"
This simply isn't true. Quite apart from the biometric stuff and other personal information stored, the register will keep a log of every time you use the card to prove your identity, and so will end up with a very comprehensive list of your habits, preferences and lifestyle (far more comprehensive than is stored on any database at present). There are a number of problems with this: firstly, it's true that different government departments, businesses, banks etc do tend to know between them a great deal about individuals - but that's just it: they only have this relatively complete picture between them. No single organisation has the complete picture stored in one place, and this makes complete identity theft relatively hard. If the Register comes into being and ends up being hacked into (and you can't honestly think this won't happen, sooner or later), then identity thieves can get all of the information they need instantly, from one place.

Secondly, while the government of today may be perfectly honest in its intentions not to sell information to businesses, for example, this is no guarantee that future governments will feel the same way - but by that time it would be too late, as there would already be complete dossiers on file for every citizen. In other words, allowing this scheme to go ahead is to gamble that all future governments will be at least as trustworthy with our personal information as this one purports to be.

So in conclusion: I believe that the supporters of the ID card proposals have failed to make out their case. If the scheme were to become law, it would have an undeniably high cost, both financially and (arguably) in terms of the erosion of the right to privacy. For these costs to be justified, there must be very strong reasons in favour of implementing the scheme. Quite simply, it seems that there are no such reasons, and thus that the government cannot be justified in forcing these costs upon the public.

If you agree, after considering all the arguments on both sides (e.g. I'd advise looking at NO2ID's homepage, as well as the government's own pages, e.g. here, advocating the scheme), then please consider signing NO2ID's pledge refusing to comply with the scheme. Alternatively, if you oppose ID cards but don't feel able to refuse to register for one, you might like to consider this pledge instead. If you have the time, there has been a great deal of useful debate about the issue here, at the first refusal pledge (which was successful, with over 11,000 signatures).

If you don't agree with anything discussed here, please leave a comment and tell me why!

Nic Shakeshaft, 2nd November 2005