This is information retrieval: the UK can lead the way with a twenty-first century ID card


European Business Review

ISSN: 0955-534X

Article publication date: 1 August 2005



Citation

Birch, D., Elliott, J. and McEvoy, N. (2005), "This is information retrieval: the UK can lead the way with a twenty-first century ID card", European Business Review, Vol. 17 No. 4. https://doi.org/10.1108/ebr.2005.05417dab.002

Publisher: Emerald Group Publishing Limited

Copyright © 2005, Emerald Group Publishing Limited



Purpose – To explain how information technology could facilitate a secure and workable system of identity cards for the UK.

Design/methodology/approach – This article begins with an overview of the technological aspects of a national identity card scheme for the UK, examining the merits and demerits of the available technologies. It proceeds to analyse the security implications of such a scheme and the positive (or potentially negative) uses of identity cards and associated technologies.

Findings – If properly implemented, a national identity card scheme need not compromise privacy, but could be used to enhance it, thus extending individual liberty as well as providing a more secure environment.

Originality/value – The first objective and non-partisan study of a contentious issue in UK politics, as the UK seeks to learn from the experience of other European countries. It provides useful information for policy makers on both sides of the identity cards debate.

Keywords: Communication technologies, Information retrieval, Immigration, United Kingdom

The UK is going to join other European countries and issue a national identity card. What should this card do? How should it work? Can the UK draw on European experiences? We would argue that the UK can take the lead and create an ID card that sets a gold standard for modern ID cards: an ID card that, informed by European perspectives on data protection and privacy, can simultaneously facilitate Governments’ legitimate goals while strengthening their citizens’ right to a private life.

We all know, broadly, what the Government wants the card to do: in short, control immigration, fight terrorism, reduce crime and improve public services (Raines, 2004). We all know, broadly, what citizens don’t want it to do: in short, create a “Big Brother”. Yet ID cards are neither necessary nor sufficient to create a “Big Brother” state. Therefore, we must not concentrate on ID cards in isolation: by themselves, they don’t mean any loss of privacy. On the other hand, they could be part of an infrastructure that (somewhat counter-intuitively) significantly enhances individual privacy. To see how, we need first to look at a modern national identity scheme – using the British government’s proposals as an interesting case study precisely because the UK is a “green field”, having not had an identity card since 1952[1] – and then make a suggestion as to what it could look like.

Registration

The scheme proposed by the British government has a number of elements. Two lots of computers will form the hub of the scheme. One lot will be the national identification register. Their focus will be preventative, stopping people from doing things that they want to do such as claiming benefits that they are not entitled to or working illegally. Another lot will be built into smart identity cards in people’s pockets. Their focus should be on enabling people to do things that they want to do: such as opening bank accounts and getting served in pubs.

Many of the government’s goals could be met simply by building the register. The administration of welfare benefits, health, education and other areas would be greatly improved if everyone had a unique number that was easily verifiable as belonging to them. So the register is a good idea and will do no more than bring the UK into line with other European countries.

For it to be useful, it must be correct. If people could obtain false or duplicate entries, the register would be undermined. This is why it will use biometrics to ensure that each number is linked to a unique individual. No biometric is perfect, however, which is why the register needs more than one (apart from anything else, some people lack some biometrics: a person may be missing a hand, for example). Requiring multiple biometrics doesn’t mean collecting hundreds of them and recording everything from a person’s gait and body odour[2] to weight and DNA in a huge database. (Incidentally, note that the UK DNA database already covers more than 6 percent of the population and there is a more than 40 percent chance of DNA found at the scene of a crime matching a name on the database (Beckley, 2004)). It does, however, mean that the Government will have to think carefully about which biometrics are to be collected (and how) because interviewing people to establish who they are and to obtain the relevant biometrics is unavoidably time-consuming and expensive.

The register should be the focus of citizens’ entirely reasonable concerns about privacy. Last year a government employee was sentenced to five months in prison for using the UK vehicle registration database to look up addresses associated with cars and passing them on to animal rights terrorists (as a result of which homes were attacked (DVLA, 2004)). This cannot be allowed to happen with the register or public trust and confidence will instantly evaporate.

The register must therefore be as secure as possible. One way to achieve this is to keep personal information off the register. The plan at present is to store some 50 categories of personal information including, to take a simple example, national insurance numbers (NINos). But a security professional might note that there is already a database of NINos, and while it would be sensible for the NINo database to store each citizen’s register number (to detect stolen and duplicated NINos: in 2002 the UK had 81 million NINos in a population of 60 million (Olsen, 2004)), there is no reason for the register to store NINos. Replicating all personal data on the register adds to the security problem: every extra field is one more thing an insider can leak or an intruder can steal, and it creates nothing the originating database does not already hold.

It is not at all clear why the register should contain personal information at all. Logically, its sole purpose is to associate the number with the biometrics. We should leave it at that. This is how the EU fingerprint database for asylum seekers (EURODAC) works: it only holds the biometric templates and the only query that law enforcement officials can make is “is this fingerprint in your database or not?” It appears to work. Since it started operation in 2003, the system has detected that 7 per cent of asylum applications are “repeats” (AP Worldstream, 2004). Let’s keep the register simple, viable and limited in scope. Then let’s build a smart ID card to work with it.

A smart ID card

The smart ID cards being deployed around the world (e.g. in Hong Kong) and in Europe (e.g. Belgium) are very different to Britain’s last ID card. That was just a piece of cardboard. The twenty-first century card will, by contrast, depend on three key technologies: microcomputers, biometrics and digital signatures. Together they can do things that cardboard cannot, and this is important. An ID card that is just a badge of citizenship, but does nothing for people except cause hassle, will never sustain support. It has to provide a special service for citizens that they value. That service may well be privacy.

Why? Because computers, biometrics and digital signatures can work together to disclose facts about someone without disclosing their full identity. This fundamental capability changes everything. Your ID card could, for example, send a message to a machine confirming that you are over 18 without disclosing who you are or what your citizen number is. The recipient of that message – Ladbrokes, say – would know that the message from the ID card is real (because of cryptography) and let you place a bet: but who you are could remain confidential. To understand how, you have to know a little about the technologies mentioned above.

Smart ID cards contain microcomputers, just like the “chip and PIN” bank cards increasingly familiar to consumers around the world (except in the USA, but that’s a different issue). These chips are critical. Anything that is printed on a card could be forged or altered but that should not affect the operation of the scheme: perhaps all the card should carry is a picture of the holder and their number (neither of which are secret). What’s in the chip, by contrast, cannot practically be forged or copied: the secret keys are generated and used inside the chip and never leave it, so a counterfeit card cannot produce the same answers as the genuine one.

This means that what is printed on a card is, essentially, irrelevant and that the only way a hospital receptionist will be able to tell whether a patient’s card is valid or not is by using a machine to check that the biometric corresponds with the person. This machine could work in one of two ways. The machine could either obtain the citizen number from the card and then send the number, plus the person’s biometric (fingerprint, say), off to the register for checking (as envisaged in the UK’s case), or the machine could give the fingerprint to the card and ask the computer on the card whether the fingerprint is that of its rightful owner (just as the new “chip and PIN” credit cards check the PIN you type in by themselves and then tell the retailer’s till whether the PIN was correct or not). In the second case the stored template never leaves the card: the outside world sees only a yes or a no.

In regard to the latter case, the government is undecided about whether to store biometric templates in the cards, but it should. Almost all of the day-to-day usage of the card could be in this “local” mode (using a biometric or a PIN where high security is unnecessary), thus significantly reducing the cost and complexity of the register. Imagine how many computers will be needed if the register has to manage millions of queries every day: and what would happen if the network broke down, or the computers went wrong? If the receptionist’s machine can work “stand alone”, the overall system is much more resilient and reliable.

The final piece of the technological jigsaw is the digital signature. Understanding digital signatures requires knowledge of mathematics and cryptography. As this would be a diversion here (and as others, such as Singh (2000), have already done it far better than I ever could) I won’t go down that route. Suffice to note here that if you attach a digital signature, which is basically a big number, to some information (an e-mail message for example) then it means two things. First, if anyone changes the information then the signature will no longer be valid (so that you can detect tampering). Second, you know who the information came from (this is because the signature depends on a security key as well as the information, so if you know who the key belongs to then you know who made the signature).

But how do you know who the key belongs to? That’s the clever bit. Digital signatures use something called “public key cryptography”. A person (or an organisation) has two mathematically-related keys. These are the private key and the (hence the name) public key. In the context being discussed here, the private key would live inside your ID card. The public key would be known to, well, the public.

If you want to send your bank a signed message, you sign it using your private key. Your bank knows your public key, so they can check the signature. A potential fraudster could not use your public key to work out your private key because of the mathematics linking the two: for RSA, the most widely used scheme, it comes down to factoring the product of two large prime numbers, a problem so intractable that legions of supercomputers would take millions of years … you know the score.

Put them together

Your ID card would contain your private key and only you would be able to use it. The card won’t sign anything unless it is given your fingerprint or PIN. Your identity, in a very real sense, then becomes your public key. That wouldn’t be much use to a pub, so the public key is stored inside a “digital certificate” that contains, for example, some identifier (e.g. an e-mail address) together with some credentials (e.g. is over 18), the whole thing digitally signed by someone else (e.g. the Home Office). Now, the pub doesn’t have to trust me, because I present them not with a bare key but with a certificate digitally signed by the Home Office, and all the pub needs in order to check it is the Home Office’s public key.

In principle anyone could issue such certificates. My bank could issue a digital certificate to my kids, perhaps. This way, my ten-year-old could go into a chat room as “UK_terminator@cooldomain.com” or whatever, but not be able to gain access to a chat room for over-18s. This, incidentally, is not a way of perpetrating crimes. If I get up to no good in a chat room as Donald Duck, then the police will simply take a warrant to my bank, who will tell them precisely who Donald Duck is (and what his ID number is).

The advantage of this digital certificate approach lies in the relationship between mathematics and economics. If it is technically possible to find out who has done what – when a crime has been committed, for example – but economically prohibitive (because of cryptography) to monitor people continuously on a large scale, then a reasonable privacy settlement can be achieved. In a few years’ time, when you walk into a nightclub you may have to wave your card over a reader by the door: the reader displays a red cross if you are under 18 or the picture from inside the chip if you are over 18. The doorman can see whether the picture displayed is you or not and so decide whether to let you in or not: the barman will not, however, know who you are.
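The following is an added worked example, not code from the article or from any real national ID scheme, tying together the two ideas above: the signature that detects tampering and identifies the signer (the “digital signature” section), and the certificate carrying an over-18 credential that a pub can check without learning who the holder is (this section). It uses textbook RSA with toy 136-bit primes so that it runs on the Python standard library alone; a real card would use 2048-bit RSA or elliptic curves with proper signature padding, and X.509 certificates rather than JSON. The names IDCard, issue_certificate, verify_credential and age_check_exchange are hypothetical, chosen for this illustration.

```python
# Added illustration, not code from the article or from any real ID scheme.
# Textbook RSA with toy 136-bit primes: NOT secure, standard library only.
import hashlib
import json
import random


def _is_probable_prime(n: int, rounds: int = 25) -> bool:
    """Miller-Rabin test; probabilistic, good enough for a demonstration."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:  # force the top bit (full size) and the low bit (odd)
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 272):
    """Return (public, private); n > 2**256 so a SHA-256 digest fits in one RSA block."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private: dict, data: bytes) -> int:
    """The 'big number' attached to data: depends on both the data and the private key."""
    return pow(_digest(data), private["d"], private["n"])


def verify(public: dict, data: bytes, signature: int) -> bool:
    """True only if data is unchanged and the signer held the matching private key."""
    return pow(signature, public["e"], public["n"]) == _digest(data)


def _encode(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(issuer_private: dict, subject_public: dict, attributes: dict) -> dict:
    """Issuer (the Home Office, say) binds a public key to credentials: no name, no number."""
    body = {"subject_key": subject_public, "attributes": attributes}
    return {"body": body, "signature": sign(issuer_private, _encode(body))}


class IDCard:
    """Holds the private key and signs a challenge only once the holder's PIN is given."""

    def __init__(self, pin: str):
        self.public, self._private = generate_keypair()
        self._pin = pin

    def sign_challenge(self, pin: str, challenge: bytes):
        if pin != self._pin:
            return None  # the card refuses; the private key never leaves the chip
        return sign(self._private, challenge)


def verify_credential(issuer_public: dict, cert: dict, attribute: str,
                      challenge: bytes, response) -> bool:
    """What the pub's reader checks. It needs only the issuer's public key."""
    if response is None or not verify(issuer_public, _encode(cert["body"]), cert["signature"]):
        return False  # certificate forged or altered
    if not cert["body"]["attributes"].get(attribute):
        return False  # genuine certificate, but it does not carry this credential
    return verify(cert["body"]["subject_key"], challenge, response)  # proof of possession


def age_check_exchange() -> dict:
    """Over-18 check: genuine card, under-age card, edited certificate, wrong PIN, replay."""
    issuer_public, issuer_private = generate_keypair()
    adult, minor = IDCard(pin="1234"), IDCard(pin="0000")
    adult_cert = issue_certificate(issuer_private, adult.public, {"over_18": True})
    minor_cert = issue_certificate(issuer_private, minor.public, {"over_18": False})
    nonce = random.getrandbits(128).to_bytes(16, "big")  # fresh per check, defeats replay
    # The minor edits the attribute: the Home Office signature no longer matches the body.
    forged = {"body": {"subject_key": minor.public, "attributes": {"over_18": True}},
              "signature": minor_cert["signature"]}
    return {
        "genuine": verify_credential(issuer_public, adult_cert, "over_18", nonce,
                                     adult.sign_challenge("1234", nonce)),
        "minor": verify_credential(issuer_public, minor_cert, "over_18", nonce,
                                   minor.sign_challenge("0000", nonce)),
        "forged": verify_credential(issuer_public, forged, "over_18", nonce,
                                    minor.sign_challenge("0000", nonce)),
        "stolen": verify_credential(issuer_public, adult_cert, "over_18", nonce,
                                    adult.sign_challenge("9999", nonce)),
        "replay": verify_credential(issuer_public, adult_cert, "over_18", b"next visit",
                                    adult.sign_challenge("1234", nonce)),
    }
```

Note what the pub learns: a Home Office signature over a key and a single attribute, and a proof that the card holds that key. No name, photograph or citizen number is transmitted. One caveat a practitioner would add: the public key itself is a stable identifier, so a chain of pubs could link visits by the same card; designs that take privacy seriously issue a separate key and certificate per purpose, or use anonymous-credential schemes that prove the attribute without revealing a reusable key at all.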

Contrast this vision with what is happening in the USA, where the driving licence serves as a de facto ID card and bars actively collect the data from driver’s licences to use for marketing! This data is also being used by the police, who access the machines to see who is in a particular bar and this is causing concern among privacy experts, especially since the “carding” machines have been extended to cigarette purchasing (Wired News, 2004).

It isn’t all about credentials, of course. There are some cases where citizens will use the ID card to prove who they are. Opening a bank account, for example. One could envisage being able to open a new account by wandering up to a cash machine in a bank branch, putting your eye up to the camera and waving your ID card around: no forms, no gas bills, no passports, no photocopies of driving licences and so on. ID cards would save citizens time and banks money.

Identity in cyberspace

A properly designed ID card can disclose such credentials with no need for access to the register or unwarranted disclosure of identity. But it can do other things as well, as the examples of chat rooms, the internet, and e-mail lead us to the place where a privacy-enhancing identity service is most desperately needed: cyberspace (Birch, 2003). If governments are wise enough to build an ID card that works online as well as offline, they might not only cut fraud and crime but stimulate the “new economy” in a substantial way. They have, in any case, no real choice if they want to meet their goals for e-government because the electronic delivery of public services depends wholly on identity and authentication (Birch, 2004).

If ID cards were to contain the software for making digital signatures then, when you logged in to your bank, the Inland Revenue or Tesco, they could be certain that it was you and you could be certain that they are who they say they are and not fraudsters. The “digital certificate” that contains your key is not at all secret and could be obtained from many directories: similarly, your PC could obtain Tesco’s digital certificate from many places. This may sound complex, but it’s actually not that difficult to implement because almost all of the web browsers and web servers in the world already contain the standard software[3] to do this (they just don’t use it).

Hong Kong has one of the smartest smart ID cards in the world and it uses digital certificates to give citizens security online. Citizens who want to use their ID card on the web (or to digitally-sign Adobe Acrobat documents etc.) go to Hong Kong Post and buy a digital certificate which is downloaded to their card. They can then, for example, log in to online shopping sites in complete security (e-Cert Newsletter, 2004). Why can’t we do the same? Online banking, online shopping and (hopefully, one day), online government would be transformed by an ID card that worked this way.

Furthermore, if ID cards handled digital signatures, then you could send e-mails to your bank and they could be certain that the e-mails came from you. It works the other way round as well: if your bank signed every e-mail it sent, “phishing” mail pretending to come from the bank would be exposed as soon as your mail software checked the signature, provided that the software was set to treat unsigned “bank” mail as suspect. Ultimately, spam could be all but eliminated because e-mail systems could simply delete messages that didn’t carry a recognised signature.

This is where they are going in Estonia, where their smart ID card uses internationally-standardised digital signature software (Martens, 2004). You sit down at your computer and put your card in the reader (a simple USB smart card reader is about £5), punch in your PIN and off you go. No-one can pretend to be you in an e-mail and no-one can read your e-mail even if they steal your computer. This would make a real difference to the average UK internet user. It really isn’t that complicated (in fact, it’s easier doing this with ID cards than without them). I use digital signatures all the time: Microsoft Entourage and Apple Mail, for example, already implement the secure e-mail standards[4] and work just fine. Please feel free to send me a digitally-signed and encrypted e-mail any time!

Digital signatures have been around for years and there are all sorts of standards for storing and transmitting the certificates and the keys. Industry is perfectly capable of coming up with ways of building them into products (in Belgium, Microsoft has announced that it will integrate the Belgian national smart identity card into its MSN software for chat rooms and so on (Foley, 2005)) and there are a great many businesses, old and new, that would take advantage of the infrastructure. Imagine how much simpler life would be for eBay if you could log on with your ID card (which eBay would trust because it knows the Home Office’s public key) and generate an eBay identity that all the marketplace participants could trust.

Vision

Building a useful national identity management scheme is a huge undertaking that needs to balance the interests of all of the stakeholders without becoming a tangled mess. Within such a scheme, a card to be carried by citizens should be seen as a means of spreading the benefits of the scheme to those stakeholders who are actually paying for it all: the general public. The way to do this is by building a scheme congruent with the current age and technology.

European countries should look at an ID card as a fundamental enabler of services and a means for individuals to take control of their identities and enhance privacy. Doing so, they can create a very different and far more optimistic vision than “electronic cardboard”. The ID card can then be useful and desirable. But it isn’t a magic bullet against crime and terrorism. It isn’t that important: it’s the register, unique numbers and biometrics that are crucial in that context. After all, this is information retrieval.

[1] That (mandatory) card was introduced in a piece of wartime emergency legislation, the National Registration Act (1939). Each subsequent year, Parliament passed an Emergency Laws (Transitional Provisions) Act, continuing the effect of the National Registration Act, and it was not until 22 May 1952 that the cards were finally abolished (at which time their primary purpose appears to have been detecting bigamous marriages).

[2] These examples are not made up. Consult Hyperion were retained by the Police Information Technology Organisation (PITO) to consider these (among others) as part of a long-term authentication strategy.

[3] It’s called SSLv3 (and its standardised successor, TLS), for the technically-minded.

[4] S/MIME and PGP, for the technically-minded.

David Birch, John Elliott and Neil McEvoy, Consult Hyperion, Guildford, UK

References

AP Worldstream (2004), “European database reveals 7 percent of asylum seekers apply in more than one country”, AP Worldstream, 5 May

Beckley, A. (2004), “The future of privacy in law enforcement: the United Kingdom’s experience”, The FBI Law Enforcement Bulletin, 1 September

Birch, D. (2003), “Who do you want to be today?”, Public Service Magazine, December, p. 7

Birch, D. (2004), “So you know who I am?”, Public Servant, 10 September, p. 18

DVLA (2004), “DVLA man helped animal activists”, BBC News, (UK ed.), 25 October

e-Cert Newsletter (2004), “New internet shopping hot spot at ShopThruPost”, e-Cert Newsletter, December

Foley, M. (2005), “MSN to support electronic ID card technology”, Extreme Tech, 2 February

Martens, T. (2004), “The Estonian National Identity Card”, Proceedings of the Digital Identity Forum, Consult Hyperion, London, November

Olsen, F. (2004), “E-signatures navigate troubled waters”, Federal Computer Week, 31 May

Raines, R. (2004), “Identity cards”, Proceedings of the International Association for Biometrics (iAfB), London, September

Singh, S. (2000), “Pretty good privacy”, The Code Book, Fourth Estate, London, pp. 293–316

Wired News (2004), “Great taste, less privacy”, Wired News, 6 February
