Damian Hinds: Forget ID cards - it's the National Identity Register we have to worry about
Credit where it’s due. The Labour spin machine has scored a rare double hit. With the first they persuade the media they’ve had a change of heart on compulsory National Identity Cards, thereby neutralising an awkward issue. With the second, they quietly speed up the introduction of the National Identity Register, thereby furthering the real underlying aim.
As the Guardian reports, over 80% of people will find their way onto the National Identity Register as a result of applying for or renewing a passport (and will thereafter have a duty to notify the Register of changes in personal details or face a fine of up to £1,000). Additionally, young people turning 18 are likely to find increasingly that a ‘voluntary’ ID Card is pretty much compulsory if they ever want to buy a drink, so they’ll get on the Register too. At some point in the future when, say, 90% of people are on the Register, a government could easily decide that they now “might as well”, in the interests of efficiency, make the thing universal and compulsory.
The key debate is not, and never has been, about a plastic card. It is about the National Identity Register (NIR) that sits behind the card. The NIR is the daddy of all databases, which will allow (via everyone’s unique Identity Registration Number – in database parlance, the ‘index key’) the linking together of data held on us across the other 40+ public sector databases, existing, under construction, or planned.
In theory, once the system is at maturity, someone’s Identity Registration Number could allow the piecing together of their health record, their income and financial history, their mobile phone numbers and email addresses, their Oyster card usage, and where their car has been in the last few days.
It makes not a jot of difference to the overall architecture of the database state whether the Identity Registration Number appears on an ID Card, or on a passport, or indeed in no physical place at all. What matters ultimately is just that it is universal, reliable and unique – like a more robust National Insurance number, but used for more purposes, appearing in more systems, and linked to biometric data.
Many countries have ID cards; few would aspire to the British vision of such a mass of centralised, interlinked data. The government may adjust plans for individual jigsaw pieces of the database state, but their direction of travel is unchanged. If elected, the Conservatives will be able to scrap key parts of the programme, but much damage (and poison-pilling) can be done before then.
There is an enormous price tag to all this. Halting plans for compulsory ID Cards in the short term has relatively little impact on the overall cost to the government of the wider project. Indeed perhaps Alan Johnson gave away more than he intended when he said scrapping ID Cards themselves would save the public purse “diddly squat”. But the absence of a compulsory plastic card does of course make it trickier to attack the cost of ‘ID Cards’.
Which means that opponents have to address the principles involved.
There are clearly some benefits that could come from the National Identity Register and an efficient system of interlinked public sector databases. Dealing with government departments and agencies ought to be easier; and there would be benefits, too (if sometimes exaggerated) in tackling terrorism, benefit fraud, illegal immigration and crime in general.
Moreover, apart from the cost, many people can see no downside in the ID Register any more than they did in ID Cards, because “If I have nothing to hide, I have nothing to fear”. So, is there another downside? Opponents talk about a fundamental shift in the relationship between citizens and the state, but what does this actually mean – and why should I care? As a law-abiding citizen, what reason could I have to actually be worried about, let alone fearful of, the database state?
Here are three simple ones, and one big open-ended one:
1. Privacy. You do have something to hide
We all have things we want to keep to ourselves, or to be able to discuss confidentially without them becoming more widely known: finances, health, relationships. And there are people with legitimate reasons to want to keep their identity or whereabouts hidden: victims of domestic violence, witnesses, those hounded by the press.
Thanks to your Identity Registration Number, data held on you across multiple state agencies may be both more centralized (because it’s all linked together) and more distributed (because more people could access it). This increases the risk that someone who sees sensitive data on you turns out to be someone you would rather didn’t see it.
2. Balance. The state becomes more powerful and monolithic
Different parts of government do different things, and we have different sorts of relationships with them – consultative, confidential, transactional, even suspicious and standoffish. But once databases on individuals are linked up, the demarcations can get undermined. There may be things I am happy for one public sector agency to know, but not another. Joseph Rowntree researchers recently cited the case of mothers in Oxford becoming nervous of discussing post-natal depression with their GP, lest social services find out and try to intervene.
People ought to be able to challenge state agencies on a fair footing. Say you contest a parking fine, refuse to pay and are willing to go to court if necessary. In an ‘efficient’ world of linked databases, the fine could just be extracted from you by direct debit with your regular council tax payments, leaving you unable to protest.
3. Error. Something always goes wrong
Errors in the Criminal Records Bureau database have led to people losing their jobs and/or being stigmatised as criminals. When your ‘ID record’ impacts on so many more parts of life, and for so many more people, how much more is likely to go wrong?
As database security expert Toby Stevens puts it “Information security professionals always assume a system to be insecure, and plan for when – not if – data is lost or corrupted”. However much procedures are tightened, loss of data disks, program code bugs and clerical error will always be with us. The potential for problems caused by simple human error is magnified, the more data is linked, centralised and then distributed. And the consequences don’t bear thinking about if hackers managed to penetrate and destabilise the system.
4. Potential. The lines will get blurred
Government ministers issue multiple assurances on security and privacy: data sharing between departments will be strictly controlled; a limited number of people will have access; data miners will not be able to go on ‘fishing’ expeditions, and so on. Even if you do believe ministers and civil servants on this, the assurances are worth nothing beyond the short term, since they cannot predict how future holders of those posts will think. Many of the changes they say will not be made are technical matters, or questions of degree (such as the number of people who would have access to sensitive data) and would not require legislation. It is perhaps even possible that ministers don’t understand some of the technology, realise what it is capable of, or know every way it is being deployed.
Whatever the technology can do today, you can bet it’ll be able to do more tomorrow. As the data archive builds and processing speeds improve, it will be increasingly viable to do pattern-spotting (identifying patterns of behaviour that are quite likely to indicate wrong-doing, even if the wrongdoing itself isn’t identified) and predictive modelling (identifying clusters of characteristics and behaviour traits that often precede subsequent wrong-doing; indeed the Home Office’s ONSET system already tries this in a limited way). How confident can you be that no member of your family would ever come under suspicion in this way, despite their actual innocence?
So, what is to be done?
No sensible person suggests that government should not deploy technology to help serve citizens. No one is suggesting that the DVLA database should be wiped clean, or that GPs should revert to keeping only paper records in a filing cabinet.
But the safest defence against the potential ill side effects outlined above, is largely to maintain fragmentation of data stored on individuals. In short, for most data and most people, most of the time, the data held on separate databases should not all be linked i.e. there should be no National Identity Register, with the unique reference number that makes such linking possible.
There are some benefits to federating (i.e. linking up) databases across multiple government departments, but it should be possible to get most of these benefits with just a fraction of the drawbacks, if fully federated databases were allowed to exist only in a strictly limited number of categories. It would be sensible to have one listing children who for some good reason are believed to be at specific risk of abuse; one for convicted repeat criminals; one for terror suspects. The numbers involved ought to be monitored by Privy Counsellors to satisfy them that the scale of it is proportionate; and people should have a right to know that they (or their children) are on such a list, why, and what data is held, save for certain very tight categories of data relating to current criminal investigations, for example.
You don’t need the entire population on a database – nor even the 80% who have a passport – to make it useful.