"Entitlement Cards and Identity Fraud" Response of the Centre for Computing and Social Responsibility
Abstract
This is a response to the 2002 UK Home Office consultation on Entitlement Cards and Identity Fraud.
The Centre for Computing and Social Responsibility was glad to respond to the 1995 consultation on Identity Cards. That response is still available at http://www.ccsr.cse.dmu.ac.uk/resources/general/responses/id.html, and much of what was said then is still valid today. The proposals this time are, however, different and we have more information available, including numerous comments sent to us by members of the academic community in the United Kingdom and abroad. We thus offer this response to CM5557 "Entitlement Cards and Identity Fraud"
For convenience this response has been organised around the section ordering of the consultation document.
We find it disingenuous for the Government to call the cards "Entitlement Cards". According to section 1.3 of the consultation document "A card scheme would entail: establishing a secure database which could potentially hold core personal information about everyone", which constitutes an identity database, and "issuing … cards to everyone on the central database", yet rather than including data on entitlements directly, the scheme would involve "linking the core personal information to other databases which held service entitlement information". It is clear from this that the cards are more closely attached to the identity database than entitlements. Similarly, if the scheme was one primarily about entitlement, it would be expected that it would be brought forward by a department concerned with entitlements, rather than the Home Office, which is much more centrally concerned with issues of policing, security, law and order. Even supporters of what the Government calls a ‘universal’ scheme, such as Hackney (2003) are happy to call it a "compulsory identity card" scheme.
The use of the term "entitlement card" appears to be little more than thin camouflage, and as such constitutes an underhand way to introduce a fundamental change to civil rights in this country. We consider that it is likely to increase suspicion of any card scheme.
We are opposed to the principle of establishing a card scheme. As Kimppa (2003) puts it "From the fact that we might have a rather benevolent government now does not follow that we would also in the future (ask anyone who has lived in Germany during the 30's)"
Similarly, according to the Internet Regulation Consultant David Kerr (2003), "Operation of the scheme would … ultimately be only one step short of the ignominious South African Pass Laws".
As described in more detail below, we do not believe the scheme will establish "a more efficient and convenient way of providing services", and we do not believe it will be effective in "tackling illegal immigration and illegal working and combating identity fraud", since all of these are associated with the sorts of criminals who can be expected to be able to obtain fake or fraudulent cards if they wish.
It is claimed that a "drawback of a voluntary scheme could be that those people who could most benefit from having a simple, straightforward way to assert their rights and entitlements might be among the least likely to apply for a card". This argument appears to fly in the face of theories of rational choice, and with Sherwood (2003) we consider it to be "illogical". If people choose not to apply for a card, by far the most logical explanation of their action is that they judge that the balance of costs and benefits to them of having a card are such that they would not benefit from having a card. As Bird (2003) puts it "they are quite capable of making their own choices". Any judgement to the contrary by the state amounts to paternalism of a sort that is at odds with a free society. In the absence of clear evidence that those who do not apply for a card have misjudged the personal risks and other costs of having a card, or have underestimated the benefits, this sort of paternalism cannot possibly be justified.
It is our belief that voluntary card is not an option since it will very quickly become the norm and then compulsory by default. Third parties will increasingly want to use it as an identifier and so people will for forced to carry the "voluntary" card.
For a truly voluntary card to be introduced there would need to be legislation to restrict its usage that would include all of the safeguards we describe under 2.16 and 2.20/P5 below.
"The required use of a card would not preclude other ways of accessing services in an emergency for example when a card had been lost or stolen. No person would be denied access to a service in these circumstances. However a universal card scheme could still have a role in these cases, for example a service provider could be able to check with the card issuing authority that a card had been reported lost or stolen."
We are deeply concerned by this, since it is highly likely that a proportion of people will not realise that their card is lost or stolen until they need to access the service in an emergency.
While the police do not have the power to require a person to identify them self, there is a danger that refusal to identify oneself will put an innocent person under suspicion who would not otherwise be under suspicion, then meaning that the innocent person could be required, on pain of arrest, to identify them self. Unless the law specifically prohibits the police from construing refusal to identify oneself as grounds for suspicion the scheme described in the consultation paper will amount to a compulsory scheme of the sort that the Government explicitly states it does not wish to consult about.
We are opposed to a "universal" scheme of the sort described. We agree with the assessment of Thomson (2003) that it amounts to a compulsory scheme where "The fact that every legal resident has to obtain a card makes it compulsory. The fact that the card is the only way to access particular services is further compulsion." Since it appears that "not carrying one would arouse suspicion" (Brecher, 2003), and "Anyone not carrying the card will be assumed to have some ulterior motive" (Burton, 2003), carrying one will become effectively compulsory.
As with calling the cards ‘entitlement’ rather than ‘identity’ cards, we agree with Thomson (2003) that "Any claim that the scheme is not compulsory is simply an abuse of the English language designed to mislead the hearers about the nature of the scheme."
We agree with the assessment of Townsend (2003) that "There are alternative methods to achieve the published intentions." and that "even if there were not, the cost to personal liberty and freedom is too great".
There remains a serious concern that any ‘non-compulsory’ scheme will become essentially compulsory as ever more organisations require citizens to identify them self using this particular form of identification, until failure to present this particular form of identification on request will cause the individual to be viewed with suspicion. Hornsby (2003), an academic especially familiar with France, believes "this has happened in France", where it is "certainly most people's perception" that "the carrying of an identity card is … obligatory at all times".
We are deeply concerned about the possibility that "Parliament might be asked to approve a card scheme without a complete description … of the full range of its potential uses".
Given that a scheme will effectively[1] breach a long-standing tradition in this country that law abiding citizens are not required to carry proof of their identity, it is appropriate for parliament to be given details of the full range of circumstances in which individuals will be required to produce such a card or report changes of personal details. This will also help to ensure the avoidance of function creep of the card.
"rules for the sharing of any information contained in the card issuing database with other parties" (section 2.17) should prohibit the matching of records between databases in an attempt to identify anomolies for further investigation (in the way described at 2.39, below), since any such use will effectively reverse the balance of proof.
If it is the Government's intention that "it would not be possible to make a voluntary or universal scheme into a compulsory scheme without a change in primary legislation" (section 2.19), then any primary legislation to introduce a voluntary or universal scheme should explicitly prevent such a development, including enacting a prohibition such as outlined above (2.16) to ensure a scheme does not amount to a compulsory scheme. Such a provision would not, however, be sufficient. In order to prevent a non-compulsory scheme becoming essentially compulsory (in the way outlined in 2.19 above), the law should prohibit organisations from making presentation of the card the only way to access their services.
We are comfortable with the prospect that legislation may make it an offence to provide fake identity documents, prohibiting the production and sale of fake proof of age cards (and the like).
If there is "the potential for data sharing about individuals which might result from a card scheme", then it is clear to us, with Heminger (2003) that "what is needed is a well thought out legal framework to safeguard how the consolidated information is used".
We welcome the proposal that card holders should know any unique personal number, however, we are deeply concerned about the possibility that any unique personal number might be incorporated onto the card. Given the range of information that it might be possible to obtain or modify by giving such a number, we consider it to be prohibitively dangerous for such a number to appear on a card. Any information printed on a card may be exploited by "stalkers/bullies/loan sharks/violent people with a grudge … forcibly removing a card" (Hornsby, 2003). The less consequential damage that such people can do, the less incentive there will be for them to attack card holders in this way.
Similarly, having the address of the cardholder printed on the card can put the cardholder in danger of becoming a victim of crime. For example, house keys on their own are of little use to thieves unless combined with the address of the property in question. In some major cities, people going out for the evening consider it wise, therefore, to not carry anything other than a small amount of cash and their house keys. In these circumstances, thieves may well exploit any card that is routinely carried to increase the rewards from a street robbery, and thus may be more tempted to carry out such robberies. Alternatively, thefts from changing rooms at swimming pools and sports centres may become more rewarding if house keys can be stolen and the address be easily obtained by reference to a card that is more-or-less universally carried.
It is claimed that "A population register … would have stringent safeguards to protect the privacy of personal data." However, as Shim points out (2003), "Invariably personal data leaks. The FBI was not able to prevent their agent Robert Hanssen from divulging life and death information, information that affected national security". Data on UK police computer systems is frequently obtained by those who are not authorised to access such data. Similarly, in a recent survey (Prior, Fairweather and Rogerson, 2001, pp20-21) 17% percent of Information Systems Professionals agreed that "It is acceptable for me to use other employees' access codes with their permission to access data I am not authorised to see".
Given the size of the database, large numbers of personnel will be required to maintain its accuracy and to make queries of the database. We do not believe it will be possible to recruit, train and retain sufficient numbers of staff with adequate security clearance to maintain adequate safeguards over the personal data that will be accessible through the database. There is a clear conflict here with Principle 7 of the Data Protection Act 1998.
There is a simple relationship at work here. The greater the convenience of the use of a single access point for legitimate users, the greater the convenience of that access point for those who wish to abuse the system.
It is claimed that there would be "important customer service benefits, enabling people to enter core data only once". However, we agree with the assessment of Sherwood (2003) that "The savings in efficiency would be small compared to the intrusiveness and loss of privacy; moreover, errors would be more difficult to correct".
While we would not deny that a population register would facilitate matching of records between databases, we are not convinced that this is necessarily desirable. For example, matching a database of inhabited addresses with the database of television licences enables the identification of addresses of people who do not have television licences. However, the practice of such matching then puts those who are thus identified under suspicion, when there are legitimate reasons for not having a television licence (including not having a television). Having placed such individuals under suspicion, the burden of proof of guilt is effectively reversed, and those individuals are put under intense pressure to prove their innocence. While it is true that those who are innocent may well be able to prove that they are, such a reversal of the burden of proof is clearly contrary to long-established practice in this country of ‘innocent until proven guilty’, and a serious erosion of civil liberties.
Even if such data matching is not pursued officially, we concur with the view of Lewis (2003), that "The linking of unrelated databases is a recipe for abuse." To prevent such abuse, there need to be substantial access controls on each database, so that data on such databases as tax records and medical records are not accessed by those who do not have a legitimate reason for accessing them. To achieve such controls, it will be necessary to prevent access to such records being achieved by merely supplying a card number. Without such controls, a significant profile of the individual could be built up in a way which at present would be contrary to the Data Protection Act 1998.
It is easy to say that "The common database would replace the core data held inaccurately on existing databases", but the reality will be that in many circumstances where there is inconsistency between the existing databases, there will be no way of telling which is accurate. Unless substantial resources are dedicated to checking these inconsistencies, there is a high probability that for a proportion of the population the common database will replace core data held accurately on some databases with inaccurate core data. An additional burden will thus be placed on this proportion of the population, in the name of "efficiency".
Another problem may arise, as Miller (2003) points out, "If someone is taken ill and moves to a friend or relative to be looked after" in these circumstances "they do not want to have to get their Id. Card reissued to allow a house-call or a prescription delivered to the temporary address".
There are particular difficulties that may arise from using the population register as a replacement for the electoral register. Due to its function in our democracy, the electoral register must be widely available to party political campaigners, and any tighter controls on its availability would hinder our democracy in unacceptable ways. Because of this there are some citizens who have legitimate reasons (such as personal safety) for not being included in the register.
While there could be some role for a card in supporting the delivery of services over the internet, by assisting authentication, or in some circumstances by data stored on a smart chip, the possibility of theft or loss of cards would mean that few substantial benefits could be attached to the card without the use of corroborating identifiers (which would have to be of sorts that could not normally be obtained in the process of the theft of the card).
We are deeply concerned that "Existing cards such as loyalty cards issued by retailers could use the entitlement card". We share Shim's (2003) worry that "With the technology … released to the private sector, there is more opportunity for miscreants to have access to the equipment and find ways to subvert the intended purposes." Given the data that is planned to be freely visible on a card (figure 5.1 of the consultation document), such as date of birth, card number, nationality, National Insurance number and employment status, violations of privacy will accompany any such use. At present individuals can usually chose which of these details to reveal to businesses: if a card scheme is used in the way described, they will have no choice but to reveal all of these details to every business that uses their card.
If other data is carried on a smart chip, there is a severe danger that unauthorised access to such data will be attempted by businesses: according to Skygate's Chief Security Consultant, Pete Chown (2003) "Isolation between applications on one smartcard has historically not been very good." A particular worry about such unauthorised access to data is that it is likely to occur without the knowledge of the cardholder. This state of ignorance could persist for a considerable time resulting in possible financial and emotional cost to the cardholder (for example if the fact that they are entitled to disability benefit leaks to an insurer who uses that as a basis for refusing insurance).
Another concern is that individuals will be denied the opportunity to give slightly different versions of their identity to different organisations. At present a proportion of people intentionally make use of slight variations in the use of their initials and address, for example, to track the sale of details about them between organisations, and to identify violations of the Data Protection Act 1998 through such sales. Precisely to the extent that transactions will be based on ‘authoritative’ versions of identity by use of the card, these individual opportunities to identify illegality by businesses will be inhibited.
The greater the use of cards by such organisations, the greater the value of the cards both to the holder and also to any thief. The worry here is that "When a thief steals your identity, not only will he be stealing your access to borders and government services, but he will also be stealing your CASH CARD, grocery card, credit card, driving licence and every other card that you used to carry separately." (Lewis, 2003) A particular problem here is that this will increase the vulnerability of those who are already unusually vulnerable in our society (including those who live in the most deprived and crime-ravaged housing estates).
Even a supporter of the idea of universal card scheme, such as Professor Edwards (2003), views the idea of allowing such use of cards as "a stupid idea" saying "Identity cards and loyalty cards (or whatever) should not be combined".
We are deeply concerned that "people might be denied services while they waited for a replacement for a lost or stolen card". If this is the case, we fear that loan sharks and the like will be able to exploit a card to increase their power over their victims. The impact of this will be particularly severe if the right to work is linked to the possession of a card (as outlined in section 3.17). Under these circumstances, criminals seizing a card could thereby have a powerful hold with which to force the rightful holders of cards into unregulated illegal employment.
Equally, a policy of denial of such services would amount to a policy of denying needed help. Such a policy would be one of the clearest possible examples of immorality according to Kant's Categorical Imperative.
According to the consultation document "a significant amount of personal information would be held in one place and there would need to be sufficient safeguards to prevent abuse". Given the talents and resources of criminals, and the potential rewards to them of obtaining access to such information, the security demands on such a system will be massive. The problem is, as McNicholas (2003) puts it "There is no such thing as a 100% secure database": according to Skygate Technology's Chief Security Consultant "Doing this is beyond the state of the art in IT security" (Chown, 2003). So long as access is allowed to perform the necessary tasks of updating and use of the data, there will be ways for criminals to obtain or modify data, if they are sufficiently determined and, as appears to be the case with the plans, the rewards are sufficiently large. Worse, as Lewis (2003) puts it "The Government already uses inherently insecure software and networks to deliver information. Their track record is poor in this respect. … In a massive system, the potential for a large ‘batch breach’ is made very real."
A particular concern is that sensitive information is involved in many entitlements, such as entitlements to concessions (for example for disabled people) at leisure centres and swimming pools. While it is relatively easy to use an entitlement card to prove entitlement in such circumstances, the problem is how to still maintain appropriate confidentiality about this data, which is sensitive within the meaning of the Data Protection Act 1998. If there are sufficient controls over the release of sensitive data, the circumstances in which it is released to such facilities need to be strictly controlled, but it is impractical to maintain such strict controls over all of the thousands of leisure centres, which are run by diverse organisations. Each additional type of use for a card is likely to raise similar issues (for example entitlements to concessionary fares on public transport) and to increase the number of locations with card readers or database access terminals and the number of individuals with access to them that would have to be secured. The problem is that "The more people who have access to this linked database, the more potential sources of privacy violation are created" (Lewis, 2003). The only conclusion that can be drawn is that extensive use of a card to prove such entitlements is inevitably in conflict with practical maintenance of security of such sensitive data. The fear is very real that "We would end up with a system like the American one, were virtually all information about people is available with minimal checks." (Chown, 2003)
Given the record of large Government IT projects, we consider it unlikely that the scheme "would allow for more efficient and effective delivery of Government services". The card scheme itself would involve a considerable overhead of administration. As Lewis (2003) points out there is also a real danger that "Services will be made more inefficient by the addition of another layer of technology and bureaucracy on the already broken NHS and DSS systems."
We do not consider that the card scheme could "be a cost effective additional measure against identity fraud and related criminal activities". In addition to the difficulties mentioned in the consultation document, if the scheme works in anything like the way intended, the number of different independent sources that could be checked to establish identity would be reduced. Further, if a card is widely used as a way of establishing identity, it will be normal to accept the card, uncorroborated, as evidence of identity: this will make the obtaining a false identity particularly easy for those with access to the technology to produce counterfeit cards.
It appears to us that there is an irresolvable tension between making a card "very difficult to counterfeit" and providing "a simple way for employers to check valid cards".
The proposal that "The card could be issued on the production of valid documentation showing eligibility to work such as a national identity card from an EEA country" would make the security of the card scheme as weak as the security of the weakest EEA system.
A scheme that reduced "the burden of checks on subsequent employers" would increase the chances of employers seeking to ‘poach’ employees from each other, rather than bear the burden of the initial checks. If such ‘poaching’ were to take place it would be a further deterrent against the initial hiring of a legitimate migrant from another EEA country.
We consider it likely that the card scheme as described will do nothing to prevent illegal working, since forged cards will be available, the security will be as weak as the weakest EEA system, and those seeking the cost savings of illegal employees will be able to remove cards from employees to prevent them getting legitimate employment elsewhere in much the same way as passports are currently removed from some illegally employed migrant workers
We consider that attempts to use a card as a measure against illegal immigration will almost inevitably lead to racial discrimination against a proportion of the citizens of the UK, since they will be required to prove that they are legally resident and legally employed more often than white Anglo-Saxon citizens.
Other methods to combat illegal immigration, such as reducing the factors that cause people to find life in their previous country unbearable, are much more likely to be effective.
We are concerned that "an entitlement card … available to UK citizens in a form which allowed it to be used as a more convenient travel document" could lead to discrimination against non-citizens who are entitled to be resident.
We do not believe the "police, the intelligence services and other organisations investigating very serious crimes … should have access to … biometric information." We agree with Miller (2003) that "There is the risk both of false negatives (failure to recognise) and especially false positives (recognition of the wrong person) especially where the latter may be fraudulent." A particular difficulty, as Miller goes on to point out "is that a person cannot change their biometrics so in the case of someone else finding a way of forging them, there is no way that the individual can change the key. The compromise of security is permanent."
Further, since "biometrics can be changed due to illness or accident" (Miller 2003), there will need to be procedures to enable the recorded biometrics to be changed. Those seeking false identities might then exploit these procedures.
It will also be impossible to refuse to issue cards with the same biometric under different names since 1) monozygotic multiple births can result in identical biometrics (and where a person is born abroad there may be no way of knowing if the individual is a genuine monozygotic multiple or not) and 2) given that biometric data is only a representation of some aspects of the full physical characteristic, it is possible for individuals to have slightly different physical characteristics that are represented with identical biometric data.
As the researchers who were commissioned by the Government to investigate the technical issues of the implementation of electronic voting (see Fairweather and Rogerson, 2002, pp12-13), we consider it wholly inappropriate to use any identifier of long term validity in new ways of voting. To enable anonymity once encryption standards have been superceded requires temporary identifiers.
The card schemes as outlined will have severe costs and will not bring benefits as great as those claimed. We do not believe it is appropriate to introduce either a ‘voluntary’ or a ‘universal’ card scheme, since both are highly likely to become de facto compulsory card schemes of the sort that the Government is clear it does not wish to introduce.
Bird, Dave, 2003 Unemployed, email message, January.
Brecher, Robert, 2003 Reader in Moral Philosophy, University of Brighton, email message, January.
Burton, Paul F, 2003 Senior Lecturer, University of Strathclyde, email message, January
Edwards, John, 2003 Professor of Operation Research and Systems, Aston University, email message, January
Fairweather, N Ben and Rogerson, Simon, Technical Options Report online at http://www.local-regions.odpm.gov.uk/egov/e-voting/pdf/tech-report.pdf accessed 2003-01-21 also at http://www.idea-infoage.gov.uk/services/laser/e-voting/Technical%20Options%20Report.doc and http://www.local-regions.odpm.gov.uk/egov/e-voting/02/index.htm and linked pages
Hackney, Ray, 2003 Director BIT Research, Manchester Metropolitan University, email message, January
Heminger, Alan, 2003 Associate Professor, Air Force Institute of Technology, USA, email message, January
Hornsby, David, 2003 Lecturer in French, University of Kent at Canterbury, email message, January.
Kerr, David, 2003 Internet Regulation Consultant, email message, January
Kimppa, Kai, 2003 Research Assistant, University of Turku, Finland, email message, January.
Lewis, Martin, 2003 Systems Administrator, Borkowski Systems, email message, January.
McNicholas, Stephen, 2003 Quality Analyst, Trader Media Group, email message, January
Miller, Ian, 2003 Managing Director, Singularis Ltd, email message, January
Prior, Mary, Fairweather, N Ben and Rogerson, Simon, 2001 Is IT Ethical? 2000 ETHICOMP Survey of Professional Practice (Orpington: Institute for the Management of Information Systems)
Sherwood, Martha, 2003 Research Associate, University of Oregon, email message, January.
Shim, Jook-Ting, 2003, MBA, graduate research assistant and research student, Unversity of Central Florida College of Business Administration, email message, January
Thomson, CM, 2003, Head of Research, Neos Interactive Ltd, email message, January
Townsend, Kevin, 2003 Publisher, ITSecurity.com, email message, January