Tag Archives: Identity and Passport Service

ID Database Breached Before It’s Even Begun

The National Identity Register, the database underpinning the government’s continuing plans for ID cards, may not have been instituted yet, but one of the three systems which will comprise its core has already been breached:

Nine local authority workers have been sacked after illegally accessing personal details of the public held on the government’s national identity database.

In total, 34 council workers were found to have illegally accessed the Customer Information System (CIS) database, which is currently earmarked to form part of a linked-up network of three systems constituting the government’s national identity database.

The Identity and Passport Service (IPS) has countered, saying:

“IPS will make the systems supporting the national identity service as secure as possible, building on an excellent track record with the current passport database.

“Our proposals for the development of the national identity service seek to incorporate the use of technology supporting CIS to store biographical information. However, such information would be stored separately from any information held on CIS by the Department for Work and Pensions (DWP) and protected by strict audit and access controls.

“It will be a criminal offence to make any unauthorised disclosure of information and our security arrangements will also be subject to the independent scrutiny of both the information commissioner and a new identity commissioner.”

In order for our very identities to be protected from abuse by the government or simply its employees (and these 34 will be just the tip of the iceberg) we’ll need a government ‘identity commissioner’? How’s about no ID cards (no need/easily forged)? How’s about no National Identity Register? How’s about no National Identity Service? Henry Porter looks at the larger question of database security and how our identities will remain under greater threat because of the ID scheme:

A DWP spokesman suggested that the small number of breaches recorded indicated that unauthorised access by officials was spotted quickly. He did not, of course, acknowledge that these cases came from sample checks generated by the system.

This is absolutely critical. For years Professor Ross Anderson of Cambridge University and NO2ID have been arguing that by their nature large databases will never be free of such abuse. Anderson’s Rule means you cannot construct a database with scale, functionality and security because if you design a large system for ease of access it becomes insecure, while if you make it watertight it becomes impossible to use.

And yet government presses ahead with the grand scheme of linking databases together and allowing access to hundreds of thousands of officials.

This addiction to databases and the bureaucracies which underpin them is at the heart of most of our problems. Computers and software may make for an efficient way of handling vast amounts of data, but a total reliance on predictability, standardisation and methods of control is destroying the society they’re supposed to be protecting. As a people we resist being overly rational – the system will keep being breached because idiots in the civil service (or contracted-out agencies), not to mention organised crime, will simply want to. All the ‘identity commissioners’ in the world won’t be able to stop that. To bureaucratise identity itself is to court absolute disaster.

ID Cards on the Sly

So the suspicions raised that Jacqui Smith’s ‘backtracking’ from ID cards might not have been all it seemed were right. The five suppliers chosen to implement the National Identity Scheme have now been named:

CSC, EDS, Fujitsu, IBM, and Thales have been invited to sign framework contracts and form a Strategic Supplier Group for the scheme.

The group will then compete in a series of mini-competitions to win specific contracts for the various projects which will deliver the National Identity Scheme over the next five to ten years. The first projects will be to replace existing contracts that are due to expire. These include services for issuing UK Passports and Immigration and Asylum fingerprint processing for the UK Border Agency.

And let’s not forget the formal timetable:

Starting in November this year compulsory identity cards will be introduced for foreign nationals. From late 2009 cards will be rolled out to those employed in sensitive roles or locations where identity assurance is important to public protection, such as airside workers.

From 2010 identity cards will be available on a voluntary basis to young people to assist them in proving their identity as they start out on their independent life in society.

The enrolment of British citizens at high volumes will start from 2011/12, offering everyone a choice of receiving a separate identity card, passport or both.

Morally bankrupt. Of course what we must remember is that airside workers are already extensively security screened, and that the line about young people taking up ID cards ‘voluntarily’ is a fraud, considering they won’t be able to apply for student loans without one. That leaves the likelihood that by 2012 enough groups will have been ‘voluntarily’ added that the ‘voluntary’ take-up by the rest of society will become moot. Yes, you will still have the freedom to opt out, but it’ll mean you won’t be able to access a whole raft of key social needs like banking, insurance, housing or travel. Then of course there’s the requirement for the foreign nationals’ forced take-up this year…

It doesn’t matter whether the scheme is competitively bid for or is ‘protective of the public purse’ – the rationale for why society should invert its most fundamental relationship – that between the individual and the state – is not being discussed. Is it to combat terrorism? Well, the Madrid bombers managed to sidestep ID cards in Spain, and the 7/7 bombers were themselves British. Is it to protect against identity theft? The technology is hardly foolproof and individuals can take significant steps in life to manage their risk already. My MP told me she agreed with the scheme because the technology was already there, and used in other spheres, but that’s an argument which is ignorant of how and why technologies are adopted by societies. There’s always a pre-existing need from the ground up, otherwise schemes like this become about control – hardly a new thing for IBM, a corporation whose ID management expertise was used by the Nazis in the concentration camps.

Are we heading down that route? No. But it’s equally unacceptable for any 21st century government to tell its population that it’s privatising their identities, when a key basis of modernity itself has for the last three hundred years rested on the individual determining the state. There is no argument at all which can or should change that. Not only has this government been proven time and again to be incompetent and dishonest in its management of personal information, but there is no credible reason on earth in this instance why they should gather it in the first place. If for any reason this illiberal, unnecessary, dangerous scheme manages to survive the next election it must be fought.