A government report says the National Identity Scheme will fail if it does not primarily serve the public, including being free to join.
"To engage consumers' hearts and minds on the scale required, enrolment and any tokens should be provided free of charge," says Sir James Crosby, the former HBOS chief executive, in his much-delayed report on identity, published on 6 March, 2008.
Crosby's report shifts the emphasis of government policy away from identity management and towards identity assurance. It states: "ID assurance meets a clear and growing consumer need, whereas ID management addresses the interests of the owners of any identity database."
He recommends that the scheme should be accountable to Parliament, rather than government; that the amount of centrally held data should be minimised; and that citizens should be able to block reuse of their data except for national security purposes.
Crosby writes that there is a "fundamental" difference between providing individuals with a useful "ID assurance" service, which they would use enthusiastically and frequently in the manner of Google's free service, and constructing an "ID management" system, designed to serve the owner of the database through data sharing and consolidation.
He says that people must want to use an identity scheme, or it will fail — even from a security point of view. "An ID system will only help fulfil national security goals if it achieves mass take-up and usage. If citizens don't use a system regularly, it will be capable of providing very limited data for national security agencies. Thus, even the achievement of security objectives relies on consumers' active participation."
He adds: "Ironically therefore, the system that is genuinely consumer-led, because it meets consumers' needs and inspires their trust, would deliver a better national security outcome than one with its origins explicitly in security and data sharing across government."
Sir James also wrote that biometric data has its uses in tackling multiple identities, in reissuing tokens or in tackling identity fraud. But he warns that it "isn't the silver bullet", and that cross-checking biographical data on a number of databases — as financial services firms do — provides "the highest levels of assurance".
He concludes that, without a universal ID assurance system, British consumers will have to use a complex array of processes. "As a result, the UK will fail to secure the economic and social advantage achievable at the forefront of ID assurance systems and process," he wrote, which would become "tantamount to locking in disadvantage".
"James Crosby's report strongly challenges the Home Office concept of identity," said Philippe Martin, senior analyst at Kable, adding that it represented "another serious blow" to what he called the department's "stubborn authoritarian ambition". He noted that the fact that it had taken 18 months to produce a 48-page report — commissioned by Gordon Brown as chancellor — suggested the original draft had been somewhat longer.
Martin added: "Luckily Jacqui Smith, the new home secretary, seems to have scaled down the vision, originally put forward by David Blunkett, in the latest NIS delivery plan published yesterday."







Talkback
Crosby and Schneier bring some common sense to the fraught issue of security and ID cards/databases. It would be very nice if the instruments of government would actually listen to such a common sense approach instead of adopting the authoritarian approach so much preferred by this government.
What I take from this is that the HO can't even bring themselves to take heed of their own paid, expert advice. They would rather preempt unfavourable reports like this with High-Spin to try and flavour people's minds before they read it .. they would rather commission surveys that incompletely inform before asking leading questions .. in fact they would rather do anything before taking note of their masters'(*) wishes and scrapping the idea completely.
(*) In case the reader misunderstood; by ".. their master's ..", I did of course mean us, not President Brown and co .. and I wasn't being ironic either!
After all of the underhanded, duplicitous and downright dirty behaviour to get this scheme online, I do not want *any* kind of ID scheme that comes from this lot. Once they have their hands on the data, I have no confidence that they will handle it with the respect it deserves. This isn't paranoia, this is being able to read the reports over the last months and years of great chunks of highly sensitive data just walking out the door.
To my mind, a lot, if not most of the stuff in the report makes perfect sense, but it is not enough to properly protect us and with something quite this powerful, not enough is nowhere near. You can set up all the electric fences, mine fields and attack dogs you like around something, but if you leave a path open through it, the rest is just expensive window dressing.