National Identity Register
at 21:27
Following on the theme from my post this morning about how we could protect data about us held by agencies of the state by using a sort of a personal key and PIN like your bank's call centre has to validate with you before they can access your data, my mind wandered onto other uses for such a key.
It has been a recurring theme in this blog that the internet in particular and modern communications in general represent a great threat to the balance of power between states (and incidentally also global "intermediary" corporations) and their citizens. I say threat, but it's only a threat if you are in a position of power in a state or corporation seeking to continue to exert control over your citizens. Indeed, for the individual, it is the greatest potential opportunity, and the vehicle by which Richard Cobden's quote at the top of this blog's front page may become reality: "Peace will come to earth when the people have more to do with each other and governments less."
Many of our institutions - governments, trans-national corporations, even currency - evolved to deal with issues of trust between people who would likely never have personal contact with each other in ever more remote markets. When trading, you've got to be able to trust that you will be paid for example - one person's "IOU" is not as good a guarantee as a piece of paper endorsed collectively by an entire state - a national currency.
But we have an ever increasing range of other innovations to help us trust each other; developments that are increasing quickly with the advance of the internet. We can access our credit files, we can buy digital certificates that help give others confidence to trade with us over the web because they guarantee we are who we say we are and so on. So why not shift these into the "real world"?
Why do we actually need, say, a passport to travel across borders, issued by a nation state, when we could have just as secure a guarantee of who we are through some kind of personal digital certificate from an organization bearing the risk, with strong encryption embedded in it? The British government keeps trying to sweeten its totalitarian ID card scheme by telling us, amongst other things, that it will make proving our identity to others in all sorts of transactions much easier. But in fact the history of government involvement in protecting the source data of those identities is appalling, and, as the technology gets more pervasive it seems to be getting worse.
How much confidence can you have in a government issued identity mechanism when so much data has gone missing already? Those identities are, thanks to state incompetence, all but worthless. Of course that's why, partly at least, they want to take biometric data. But in computer security it is generally accepted that being able to produce "something you have" (say a credit card or internet digital certificate) and "something you know" - a password, PIN, or private digital encryption key - is far better than only one or other of these pieces of information on its own. So far as I can see the ID card system, or the passport, with or without a national identity register, does not fulfill both of these - only the former. It is inherently weaker than the commercially available alternatives.
So, why not replace the need for passports issued by a state with identity mechanisms authenticated by trusted corporate or social organizations for whom financial success or failure rests on people being able to trust the people they certify. So you could have a personal account with Thawte as the primary guarantor, for example, and that certificate could be counter-signed by a certificate from other organizations, such as governments, who want to "mark your card" as one of their citizens, granting you the protections normally written on a passport.
It's not easy to get some of these certification authorities to guarantee your bona fides. You need often as much verification as you do to get a passport with other trusted people verifying who you are and so on. But you would not need to give these data to the porous security mechanisms of the state which has proved beyond any reasonable doubt that they cannot keep the information secure, nor does it offer the other benefit of a private contract - the ability to sue the ass off them if they damage your reputation or security by losing your data - or the corporate incentive of only being able to make a profit if you actually deliver on what people expect of you.
And you also get a choice of how strong you want the certification to be. If it's only guaranteeing small personal trades for example, you may only need to spend a few pounds and fill in a quick web form, validate your address and you're in business. If you want to travel overseas, or deal in bigger sums, or trade with distant counterparties, you may want stronger levels of guarantee and pay accordingly. It's a global standard pretty well too. So you'd have no problems using it to prove your identity in all sorts of applications - travel, trade, opening a bank account, starting a company, getting insurance, benefits, accessing what little data about you the state actually needs and so on - none of which would need to be on any single central database owned by a bunch of data-incontinents like the government is proving to be with the attendant dangers of losing all your data at once.
So, you see, we no longer even need governments to help us prove who we are. And in fact they appear to be singularly bad at doing so. The threat inherent in this is that the currently all powerful state needs to be able to do this, or it loses control of its citizens. And they are shit scared of that. If we are not mindful, in their lust to maintain that power they will get immensely more authoritarian and intrusive. The time is coming when we will no longer need them. We must do all we can to hasten that day before they get their claws in too deep into these emerging trust mechanisms.
at 12:47
Following the revelation of yet more utter incompetence in government data handling the BBC asks...
How should our details be protected? A computer memory stick containing the personal information of tens of thousands of criminals has been lost. Who should be responsible for keeping our personal information secure?
Well, I posited a suggestion ten years ago now when I was on the Lib Dems' Civil Liberties Policy Working Group. At the time ID cards were but an evil glint in Liar, Liar, Tony Bliar's eyes but there was a clear feeling that they were pushing in that direction. But it was mainly in response to issues such as Regulation of Investigatory Powers Act and government wanting more and more surreptitious access to data already held about us and our activities.
My suggestion was that if government felt the need to keep all this data on us, the very least they could do would be to put us in charge of how and when it was accessed. We could all have an encryption key - it need not even be supplied by government - you could purchase one perhaps from Thawte or someone like that if, when, you decided you could not trust the government.
Two encryption keys would be required any time any bureaucrat or official decided they wanted to take a peek at any data the government held identifying you as the subject. A bit like a "nuclear key" where you need two people to turn the key for anything to work, the official would have their own key which would identify them as the person trying to access the data and check they were authorized to do so, and they would have to be in contact with the data subject, you, and, like a bank call centre does when they phone you would have to authenticate they were dealing with the real you by getting you to enter some of your PIN or similar before they'd get access.
Every government database system that held any data on individuals could have to go through an annual independent audit to ensure there was no inbuilt mechanism for bypassing such a security measure or, for example, copying data en masse with personal identifiers in. The system could be extended, voluntarily, to any organization that holds personal data - such as banks - if they felt it was more effective than creating their own, and the whole principle could be embedded in Data Protection legislation (not that the presence of Data Protection legislation stops the government currently breaking their own laws).
Remember, it's not so very long ago that when you submitted your tax return each part of it, or schedule, would be dealt with by a different official so that no one person could actually gain a picture of what you were worth. We need to return to that culture. Modern technology is great stuff, or it can be. But at the moment the culture seems to be to assume that systems ought to be intrusive rather than actively looking for ways as part of systems specifications to maintain the benefits of fast modern communications and data (for there are many) whilst not being intrusive. Witness the debate about road pricing - "eye in the sky spies" or "black box" systems that don't need to transfer data about your movements, only about your overall journey for the purpose of billing.
Would it grind government to a halt? Perhaps, though in saying that the former tax regime was entirely paper based and so much more troublesome and it didn't exactly collapse then and banks and other large data processing organizations use similar technology and still operate reasonably efficiently. Would government grinding to a halt be a terribly bad thing in any case I wonder?
But, whether the data is about criminals, child benefit recipients or recruits to the armed forces, this current government has proven itself utterly incapable of managing data, or perhaps just contemptuous of our rights. Personally, I doubt any other party's government would be doing much better - contempt for the citizen is embedded in Whitehall and Westminster, but Straw and Smith should resign over this latest data loss immediately. Resign and be tried as any data controller would be with such brazen data losses under their watch. Enough is enough. These bastards need to get out of our lives, or perhaps some day we will collectively decide we need to make them butt out, forcibly.
UPDATE: My boss just pointed me to this article in Computer Weekly about Lib Dems calling for data commissioners to protect data about the public. I'm not sure it's anywhere near adequate. The liberal response should be, of course, to reduce the quantities of data first by being ruthless about who needs to store any data about us, but I can't see a data commissioner, even one for every database, will be any more effective than the current DPA regime of a responsible Data Owner who can be prosecuted for failure to comply with the act. Clearly government departments need to be held responsible in the courts, with individuals answerable, just as they are in other organizations. And at the top of the tree comes the minister concerned. It is not technology that is at fault but a lax attitude to how that technology should be used that matters. We need to change the culture such that databases are designed from the bottom up to assume, essentially, that the data subject is the one who by default has access not the data owners.
at 19:52
Thales, the successor to Thomson CSF, has won the first contract to start the design process for the National Identity Register which will be the more sinister side of the whole ID card system. For those of us committed to opposing ID cards and the NIR at every opportunity and wanting a way to boycott suppliers this presents a challenge. Many of the possible suppliers of course are not ones with big "brand names" you can easily boycott. Thales itself is mostly a government contractor, making war machines. And they are nearly a quarter owned by the French state. Both of these in my opinion make their appointment even worse (not because it is French, per se, but because it is partly controlled by a foreign state, however currently friendly that state may be).
But they do make, through their Thomson media subsidiary, a few things we can target. They are, for example the largest or perhaps sole supplier of the BT Homehub kit (and its equivalent from Orange). They also do an awful lot of facilities stuff for film, advertising and television (they own the Thorn EMI filming facilities firm), but it will always be quite difficult to find out which programs, films or advertisers are using them.
So the main real consumer product they can be identified with is Homehub. So, if you happen to be a BT subscriber and use one of those sexy boxes, maybe it's time to switch your communications provider?
(They also make set-top digital TV boxes and DVD equipment if you want to do some more digging around).
at 19:33
If, as the media and certain politicians seem to want us to believe, we have a "broken society" (whatever on earth that might actually mean), surely it is just reflecting how "broken" its leadership, government, has become. And I don't mean just the current Labour government. I mean government as an institution, even our democracy itself, if you will.
The state and its agents and those who act with its protection have routinely perpetrated force, violence and coercion, against their own citizens, against other countries, for aeons. The whole model is based on us surrendering some of our personal sovereignty. Some would no doubt rather say "pool" than "surrender" but look around you; "pooling" implies much more of a consensual relationship than reality attests to.
From cradle to grave, as they once promised, the state imposes itself on our lives and choices by more or less coercion. From compulsion in education, via criminalizing consensual or victimless behaviour (even thoughts and opinions) and right through to prosecuting wars "in our name", commanding our young men and women to kill or be killed. And most of all perhaps through taxation - it never hurts as hard as on the pocket!
In turns the state seems to infantilise and nanny us, to absolve us of personal responsibilities, and then, moralizing, blame us for all our own ills. Those who would rule us cynically play on our fears and talk up our aspirations according to their need to gain and retain power. And a tiny minority of us in our broken system can make or break that power for them, so have disproportionate influence over our fellow citizens.
That this has always gone on need hardly be stated. The biggest mystery, as Milton Friedman said, is why human-kind seems collectively to submit to authority - especially remarkable really when you consider that every step of human advance has actually arisen from someone stepping beyond the current conventions, bending the rules, exceeding the norm.
Supposedly benign regimes create instruments to comfort us, to fool us into thinking they are prepared to limit their own authority, whether we call them Geneva Conventions, Human Rights Acts or Data Protection, and then seem to break their own principles when it suits them, call it Guantanamo, pre-charge detention and control orders or ID cards and state databases.
It is often said that ("successful") politicians display many characteristics of psychopathy. How much more "broken" can we get than to submit ourselves to being ruled and represented by smooth talking, self centered, pathological liars? How much more scary than that such people have their hands on both our wallets and on the nuclear triggers? Is it any wonder that life on some of our streets can be vicious?
at 23:52
Apparently the Data Protection Act turned ten years old on Wednesday, according to El Reg. But you'd be forgiven for thinking it never existed, or has been repealed, given all the recent stories of data loss by, of all organizations, the government, and the newer suggestions that all our DNA, phone and internet communications records, should be in a database, forever, and instantly accessible to any accredited official (I won't say "qualified" because I suspect they won't be) with an easily contrived excuse.
Fortunately, the Information Commissioner, Richard Thomas, stands between the state and its ambition to know everything there is to know about its citizens and what they do, consume, learn and who they associate with. But with such a lax attitude to their own obligations under their own Data Protection laws somehow I doubt Mr Thomas will be heard, let alone listened to.
My attachment to a few home comforts prevents me from becoming a survivalist type, and I am too much of a coward to be a martyr. But I do seriously consider at times whether there is a way to opt out of this inexorable creep of the surveillance state. Emigration? Where would be any better though I wonder? Switzerland maybe, but I doubt they'd have me.
And I just do not understand why so many people, it seems from my view anyway, are able passively to accept this state encroachment into our lives. I know plenty who do not even see it going on. Why on earth is it any more acceptable say, for the state to know about all your telephone calls or emails than it would be, say, to open every posted letter somewhere in the postal system, or, creepier still, have someone follow you so they can check out who you talk to in the street or who you visit? I'm sure there have been times when this ability is exactly the reason why the Royal Mail existed - for intelligence purposes - and with a monopoly too, mind you, though in the popular conscience the Royal Mail, USPS and other national mail services are actually supposed to be trusted guarantors that nobody should tinker with private correspondence with impunity.
Of course, such surveillance of physical media communications or personal movements would be impractical on a mass scale whereas electronic communications tend to leave tracks for all sorts of (usually business) reasons. But "just because we can", just because massive scale monitoring is now feasible and manageable with electronic communications does not mean we should. I have a contract with a phone company, and the data even they keep should be limited to as little, and for as short a time as necessary, as needed to deliver me the service they promised. And indeed, that is core to the principles behind the Data Protection Act.
No doubt they will all say that you can breach those principles "in the national interest" or whatever. But at the very worst, such a situation should be the exception and not the rule, and should be subject at all times to proof of probable cause via judicial oversight. After all, the "national interest" could, and usually will be, what the government of the day decide it is if it is left up to them and their agents. I always have a rueful smile when I recall that for years each part of your annual tax return would be dealt with by a different Inland Revenue clerk so that no one government official would actually know what you earned in total. Can we ever hope to resurrect such a level of government respect for our privacy?
I'm not sure I believe any longer that grand government database and surveillance projects do originate in a genuine desire to do something good. I just think it is an innate trait of government and power to want to have as much information about those over whom they wield power or those on whom they are dependent for power as they possibly can. Acton's dictum is writ large in the creep of the surveillance state: "Power tends to corrupt, and absolute power corrupts absolutely". Information brings, and sustains power.
I linked to this post at the Libertarian Party blog the other day, but if you didn't read it then, please go have a look now. It's a light-hearted look at the inconveniences that could beset the most minor activities in your daily lives if all these supposedly beneficial systems actually come to pass. Forget that "if you've nothing to hide" crap, I challenge anyone to say they would not be severely pissed off with this level of "helpful" surveillance.
Yet all of this need not be the end game, just as I am sure today there are thousands of people trying to find new ways of evading the Chinese national firewall, or make a few phone calls without being billed for them, people will continue to develop ways of keeping one step ahead of the voracious information state. Ultimately, I don't believe that the state can win against the advance of the technology. But there is a danger, if we do not start constitutionally protecting our privacy now, that the state will keep trying on any pretext they can muster, and turn truly tyrannical in their desire to control information flows.
at 19:34
I seem to remember being told that once upon a time Inland Revenue officers used not to be allowed to work on different tax schedules so that no one officer would ever know a citizen's true financial position. Oh for such propriety today when whole records in their millions are transported around different departments merely for audit purposes. Much has been said today about the loss of disks containing the child benefit records of 25 million people and many have suggested that it would be quite wrong now to go ahead with ID cards knowing that information security is so lax in a government department that already holds sensitive data on each and every one of us.
I want to take a slightly different line. I have always been and remain utterly opposed to the system of ID cards linked to a database that is now legislated for. However when I was on the Lib Dems' Civil Liberties working party eight years ago or so I did propose a wholly different type of ID card/account that would come into its own in this situation.
My idea was that we could all have a card or account that would "lock" all data held on us by government and that would require us to be present, or able to authenticate online or on the phone like you do with your telephone or internet banking systems, before any government officer could access your data or authorize any transfer of a part of it to someone else. A sort of a "nuclear key" where both the data subject's and the data user's half of that key would effectively be needed to decrypt any of the data subject's personal information. Yes, it might slow certain things down, but let's face it, there are some things we really don't want government interfering in unbeknownst to us. One needn't even have to trust government to guarantee one's identity - you could open it up so an individual could choose a firm like Thawte, who provide guarantees of identity to online commerce sites we trust with £40bn of our custom each year, to guarantee their identity and private key.
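The "nuclear key" arrangement described above, and in the post on the lost memory stick, sketched as an added example (not code from this blog or from any government system): each record's data key is split into two halves, so neither the registry's half nor the subject's half decrypts anything alone, and every attempt is logged. The names `Registry` and `subject_half`, the XOR split, the PBKDF2 derivation from a card secret plus PIN, and the stdlib stand-in cipher are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def subject_half(card_secret: bytes, pin: str) -> bytes:
    """Subject's key half: needs the card (have) and the PIN (know)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), card_secret, 100_000)


def _subkeys(key: bytes):
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _seal(key: bytes, plaintext: bytes) -> bytes:
    # Stdlib stand-in for an AEAD such as AES-GCM: SHAKE-256 keystream
    # plus an HMAC-SHA256 tag over nonce and ciphertext.
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor(plaintext, hashlib.shake_256(enc + nonce).digest(len(plaintext)))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def _open(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong key half or tampered record")
    return _xor(ct, hashlib.shake_256(enc + nonce).digest(len(ct)))


class Registry:
    """Holds sealed records and the agency's key halves, never the full key."""

    def __init__(self, authorised_officials):
        self.authorised = set(authorised_officials)
        self.records = {}  # subject_id -> (agency_half, sealed_record)
        self.audit = []    # (official, subject_id, granted) for every attempt

    def enrol(self, subject_id: str, record: bytes, subj_half: bytes) -> None:
        dek = secrets.token_bytes(32)        # per-record data key
        agency_half = _xor(dek, subj_half)   # 2-of-2 XOR split
        self.records[subject_id] = (agency_half, _seal(dek, record))
        # Neither dek nor subj_half is stored by the registry.

    def read(self, official: str, subject_id: str, subj_half: bytes) -> bytes:
        granted = False
        try:
            if official not in self.authorised:
                raise PermissionError("official not authorised")
            agency_half, blob = self.records[subject_id]
            plaintext = _open(_xor(agency_half, subj_half), blob)
            granted = True
            return plaintext
        finally:
            self.audit.append((official, subject_id, granted))


if __name__ == "__main__":
    card = secrets.token_bytes(16)  # constructed sample values throughout
    reg = Registry({"officer-17"})
    reg.enrol("subject-1", b"constructed sample record", subject_half(card, "4921"))
    print(reg.read("officer-17", "subject-1", subject_half(card, "4921")))
    for who, pin in (("officer-17", "0000"), ("clerk-99", "4921")):
        try:
            reg.read(who, "subject-1", subject_half(card, pin))
        except PermissionError as err:
            print("refused:", err)
    print(reg.audit)
```

A bulk copy of `records` yields only ciphertext and agency halves, which is the property the annual audit proposed in the earlier post would need to confirm has no bypass.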
Data about us is part of us. It is our right to know it's secure, especially when we have no choice in handing it over - and such circumstances should be minimized. Whether it's bank account details or DNA it's an invasion of our privacy and self-ownership and every additional byte stored about us is a step towards totalitarianism. The apparatus of government should be our servant and not our master and many fought and died to ensure that we were not enslaved by overbearing states in the twentieth century.
I do not see why the National Audit Office should want all the records on the database. Surely audit is about taking a sample to prove that procedures were being followed and the bona fides of the person being audited and the figures they have produced. HMRC should have a system of internal audit that itself can be verified without any other department needing access to the original data. And if they do need access to the original data, then it should be done on site in a secure area or through secure access direct to the systems concerned. No other business surely sends all of their customer records to their external auditors do they? Nor should they in the civil service, and if that's how NAO and District Audit work then that too should change and urgently.
Commentators like Richard Murphy are just plain wrong in insisting that this is not an extremely serious breach that highlights systemic problems in organizations that handle such huge amounts of data without the effective scrutiny of competition for their customers to keep them on their toes. No junior official, in fact I'd go so far as to say no individual official should have had access to the whole data universe without a great deal of additional verification. It defies belief that anyone thought this system was sufficiently secure.
And finally - a word of warning...
In this highly interactive and globalized society, if we continue to insist on potentially intangible bases - our incomes - for tax, the amount and intrusiveness of data they will need to hold on us can only increase. Another plus for taxing land.
at 16:16
Tristan points us to companies we might like to boycott who are now on the shortlist for contracts related to the ID cards and database:
ID Cards - companies to boycott:
El Reg gives us the list of companies able to bid for the ID cards contracts.
They are: Accenture - BAE Systems - CSC - EDS - Fujitsu - IBM - Steria - Thales
But it got me thinking. Perhaps rather than just boycotting companies whose products, let's face it, most of us are unlikely to come into direct contact with other than IBM's (and even then having got rid of laptops to Lenovo probably not them), perhaps we should be more active. Perhaps we should start a campaign of mass action against senior officers of these companies, and major shareholders where appropriate. Like what the animal rights activists are doing but without the threats and violence.
After all, I would have thought that there are sound commercial reasons not to get involved. If a national ID cards scheme goes ahead there will be less scope for competition for creating computerised trust mechanisms in future. Of course the ones that get the contract will be in the money - at least until costs spiral and they get squeezed as with the NHS systems - but the losers will be locked out of ID and trust type systems for as long as the national scheme operates I'd suggest.
PS - I see from my logs that this post has made it onto some Accenture daily list of "negative" comments about them. Good! But to set your minds at rest, what I mean by "mass action" is shareholder action, using any influence we have in other organizations to get them not to do business with the companies who hope to be involved with the ID Cards, persuading like-minded anti-ID card employees to not get involved and so on. NOT Speak style attacks on executives, oh dearie me no!










