Feeds

Everything you never wanted to know about the UK ID card

Name, rank, serial number...

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

The Police

The draft is quite specific that it will not be compulsory to carry an ID card, nor will it be permissible for the police to demand to see your card. But in the case of the driving licence (which will morph into an ID card) you'll still have to report to a police station to show it within seven days, and the consultation document tells us that "people will be able to have their biometrics checked against the Register even in the absence of a card on a voluntary basis in order to establish their identity if, for example, they are stopped by the police."

To grasp the full import of this peculiarly British situation, we need to think a little about the powers the police already have, and the way they use them. They can't ask you for ID, but they can seek to establish your identity if they arrest you, and they can arrest you on grounds of reasonable suspicion. Questioning their reasonableness at this juncture is usually not constructive, although you may consider risking a polite indication that you are aware of the relevant laws. Also, their powers of stop and search have been reintroduced via several anti-terrorist measures, and these have been so widely deployed against demonstrators that even David Blunkett has expressed concern.

Effectively though, if they want to find out who you are, they have the means to do so, and if they've arrested you, they have the means to find out who you are. But they actually only want to know who you are in pretty specific circumstances. There are those where their reasonable suspicion is actually pretty reasonable, and there are more heavy-handed and wider-ranging checks of, say, protesters at an arms fair. But bitter experience from the 80s means that they avoid stop and search operations that would be interpreted as ethnically targeted and that might trigger unfortunate riot-style situations.

So the police are not going to voluntarily implement intensive ID checking in areas of high immigrant population, and the kind of gains that could be made (if you call lots more illegals caught plus lots of bits of London ablaze, gains) by pass-law style implementation of ID won't happen.

News that senior police officers support a compulsory ID card is about as surprising as news that they've got fast cars with groovy flashing lights. But in operation the card is most likely to be an adminstrative convenience to them, used to provide a more reliable ID in circumstances where they're seeking to establish it. If the ID's present they can rely more on it being genuine, and if it's not they can establish ID quickly by checking against the database. This will, as at present, leave them with those with invalid ID, but the process should be faster. It'll also allow them to check immigration status and right to work, as these will be on the database even if they're not on the face of the card, so it speeds their processing here, if it's illegal immigrants they're looking for.

How, though, do they do the biometric reading? The Home Office appears to envisage the use of mobile readers, but it's doubtful that these will prove reliable enough for use in some kind of networked handheld configuration, and they don't seem particularly compelling from the police point of view. A "reasonable suspicion" candidate with no ID card can be sent down to the station for checking, and one producing an ID card can be identified on the basis that the card is probably genuine and the bearer looks like the picture. If they're concerned about immigration status then a query based on the unique number can be made - biometric check is unnecessary.

Nor are there any obvious scenarios where the existence of ID cards will reduce crime. If the police don't know who did it, then the ID card is no use. If they do, then the ID card is merely an administrative advantage. Sure, they know where you live, but so long as you know they know this, you're not there, right?

'What was that you said about them knowing where I live?'

Ah yes, this takes us on to the National Identity Register, referred to largely in the documentation as "the Register." For the record, we are The Register, and you should therefore not worry about sentences like: "Clause 29 makes it an offence for any person to disclose information from the Register without lawful authority."

Makes it damnable to write about though. The ID Register will hold data as specified in schedule 1 of the draft bill. This is: personal information - names, date and place of birth, gender, address; identifying information - photograph, fingerprint, other biometric information; residential status - nationality, entitlement to remain, terms and conditions of that entitlement; personal reference numbers - National Identity Registration Number and other government issued numbers, and validity periods of related documents; record history - historical information previously recorded, audit trail of changes and date of death; registration history - dates of application, changes to information, dates of confirmation, information regarding other ID cards already issued, details of counter-signatures; validation information - information provided by any application, modification, confirmation or issue and other steps taken in connection with an application or entry, details of any requirement to surrender; security information - personal identification numbers, password or other codes, and questions and answers that could be used to identify a person seeking access; access records - the audit trail of accesses to the entry.

Not listed in schedule 1, but listed elsewhere in the documentation as being held by the Register, we have PIN, passport validation information, background evidence or document checks carried out to confirm status, details of non-UK ID (including foreign passports), and information (including biometrics, where available) of unsuccessful applications. Other categories can be added by the home secretary, and information can be added at the request of the holder, provided the home secretary agrees. Blood type and organ donor status are suggested examples of these, but this is slightly potty, given that in both cases you want the information to be immediately obvious to the medics, not dependent on them shoving your card into a reader first. So we can file that with the other feeble attempts to make the card popular.

We can draw a number of conclusions from the information that's intended to be on the Register. The presence of "other government issued numbers" means that they can use the ID system to consolidate and weed the NHS and National Insurance systems as they add numbers. This will ultimately make it simpler to associate services with ID, without approval or cooperation of the operators of these services. PIN is interesting, because it could conceivably provide a mechanism for you to use your national ID over the Internet. ""In an increasingly technologically complex and global [sic - as opposed to, say, 'stubbornly oblong?'] world, correct identification has become critically important, and we want to ensure that UK citizens are properly protected and equipped to deal with this emerging world," Blunkett tells us. Unhappily, there is scant sign in the draft bill that they've actually twigged that fingerprints aren't going to be a whole heap of use when you're sitting in front of your screen (anybody who says 'personal reader', see me after class), and the odd mention of PIN is the only sign that there might be something there that they'll get to when they've time to think about anything beyond biometrics.

Other listed information is, you'll note, heavily weighted towards immigration control. Clearly, the intention is to have a great deal of data on anybody who isn't a UK citizen from birth. Please yourself as to whether or not you feel this is too much information about you for the government to hold - a commissioner will be appointed to make sure the data is not abused, but actually that's not the half of it. Consider what it doesn't include, things like credit status or whether the security services are after you. Obviously if you're a wanted criminal or terrorist trying to flee the country, police and immigration are going to have you on their list (actually this isn't obvious at all, but they obviously should have you on it) in order to nick you when you hit the border check. So actually they'll have their own database which will interact with the ID Register. Similarly, a bank checking up on you is going to be checking credit rating, homeowner status, county court judgments etc, so will have its own external database and links to other external databases. It will likely prove useful to the bank to consult the Register to confirm you exist and where you live, and it's perfectly conceivable that the unique ID will therefore move out of the Register and into the world in general as a handy, well, unique identifier.

So the government reps telling you there's not much in the database and there's a commissioner to mind it, so that's OK, are being really thick, in a 'don't know much about databases' sort of way. They are, without, clearly grasping it, proposing the ID Register as the focus around which an ever-increasing number of personal information databases revolve. They've set themselves a non-trivial task in keeping all of the specified information in the Register accurate and up to date, and the freeform nature of "information relating to an application or entry" will be a particular problem, because it should really be in another kind of database. Indeed, the amount of immigration-related data in the Register makes it look more like an immigration database than a general population register. Granted, the Home Office may be taking the view that the data should be there because it is needed by multiple agencies, but that's the case for much police and social services data too. If these (where they actually exist fully) can be external, why not immigration?

From, the subject's perspective of course it doesn't matter whether the database is elegantly conceived and designed; what matters to subjects is the extent to which it enables the collation, use and abuse of data on them. By pitching the ID card as "watertight proof of identity for use in daily transactions and travel" the Home Office is essentially begging for the satellite databases to be produced. So, small piece of government control-freakery possibly under the commissioner's control, potential hordes of escaped privacy monsters enabled by said small database.

Secure remote control for conventional and virtual desktops

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.