Feeds

Everything you never wanted to know about the UK ID card

Name, rank, serial number...

  • alert
  • submit to reddit

Internet Security Threat Report 2014

The Police

The draft is quite specific that it will not be compulsory to carry an ID card, nor will it be permissible for the police to demand to see your card. But in the case of the driving licence (which will morph into an ID card) you'll still have to report to a police station to show it within seven days, and the consultation document tells us that "people will be able to have their biometrics checked against the Register even in the absence of a card on a voluntary basis in order to establish their identity if, for example, they are stopped by the police."

To grasp the full import of this peculiarly British situation, we need to think a little about the powers the police already have, and the way they use them. They can't ask you for ID, but they can seek to establish your identity if they arrest you, and they can arrest you on grounds of reasonable suspicion. Questioning their reasonableness at this juncture is usually not constructive, although you may consider risking a polite indication that you are aware of the relevant laws. Also, their powers of stop and search have been reintroduced via several anti-terrorist measures, and these have been so widely deployed against demonstrators that even David Blunkett has expressed concern.

Effectively though, if they want to find out who you are, they have the means to do so, and if they've arrested you, they have the means to find out who you are. But they actually only want to know who you are in pretty specific circumstances. There are those where their reasonable suspicion is actually pretty reasonable, and there are more heavy-handed and wider-ranging checks of, say, protesters at an arms fair. But bitter experience from the 80s means that they avoid stop and search operations that would be interpreted as ethnically targeted and that might trigger unfortunate riot-style situations.

So the police are not going to voluntarily implement intensive ID checking in areas of high immigrant population, and the kind of gains that could be made (if you call lots more illegals caught plus lots of bits of London ablaze, gains) by pass-law style implementation of ID won't happen.

News that senior police officers support a compulsory ID card is about as surprising as news that they've got fast cars with groovy flashing lights. But in operation the card is most likely to be an adminstrative convenience to them, used to provide a more reliable ID in circumstances where they're seeking to establish it. If the ID's present they can rely more on it being genuine, and if it's not they can establish ID quickly by checking against the database. This will, as at present, leave them with those with invalid ID, but the process should be faster. It'll also allow them to check immigration status and right to work, as these will be on the database even if they're not on the face of the card, so it speeds their processing here, if it's illegal immigrants they're looking for.

How, though, do they do the biometric reading? The Home Office appears to envisage the use of mobile readers, but it's doubtful that these will prove reliable enough for use in some kind of networked handheld configuration, and they don't seem particularly compelling from the police point of view. A "reasonable suspicion" candidate with no ID card can be sent down to the station for checking, and one producing an ID card can be identified on the basis that the card is probably genuine and the bearer looks like the picture. If they're concerned about immigration status then a query based on the unique number can be made - biometric check is unnecessary.

Nor are there any obvious scenarios where the existence of ID cards will reduce crime. If the police don't know who did it, then the ID card is no use. If they do, then the ID card is merely an administrative advantage. Sure, they know where you live, but so long as you know they know this, you're not there, right?

'What was that you said about them knowing where I live?'

Ah yes, this takes us on to the National Identity Register, referred to largely in the documentation as "the Register." For the record, we are The Register, and you should therefore not worry about sentences like: "Clause 29 makes it an offence for any person to disclose information from the Register without lawful authority."

Makes it damnable to write about though. The ID Register will hold data as specified in schedule 1 of the draft bill. This is: personal information - names, date and place of birth, gender, address; identifying information - photograph, fingerprint, other biometric information; residential status - nationality, entitlement to remain, terms and conditions of that entitlement; personal reference numbers - National Identity Registration Number and other government issued numbers, and validity periods of related documents; record history - historical information previously recorded, audit trail of changes and date of death; registration history - dates of application, changes to information, dates of confirmation, information regarding other ID cards already issued, details of counter-signatures; validation information - information provided by any application, modification, confirmation or issue and other steps taken in connection with an application or entry, details of any requirement to surrender; security information - personal identification numbers, password or other codes, and questions and answers that could be used to identify a person seeking access; access records - the audit trail of accesses to the entry.

Not listed in schedule 1, but listed elsewhere in the documentation as being held by the Register, we have PIN, passport validation information, background evidence or document checks carried out to confirm status, details of non-UK ID (including foreign passports), and information (including biometrics, where available) of unsuccessful applications. Other categories can be added by the home secretary, and information can be added at the request of the holder, provided the home secretary agrees. Blood type and organ donor status are suggested examples of these, but this is slightly potty, given that in both cases you want the information to be immediately obvious to the medics, not dependent on them shoving your card into a reader first. So we can file that with the other feeble attempts to make the card popular.

We can draw a number of conclusions from the information that's intended to be on the Register. The presence of "other government issued numbers" means that they can use the ID system to consolidate and weed the NHS and National Insurance systems as they add numbers. This will ultimately make it simpler to associate services with ID, without approval or cooperation of the operators of these services. PIN is interesting, because it could conceivably provide a mechanism for you to use your national ID over the Internet. ""In an increasingly technologically complex and global [sic - as opposed to, say, 'stubbornly oblong?'] world, correct identification has become critically important, and we want to ensure that UK citizens are properly protected and equipped to deal with this emerging world," Blunkett tells us. Unhappily, there is scant sign in the draft bill that they've actually twigged that fingerprints aren't going to be a whole heap of use when you're sitting in front of your screen (anybody who says 'personal reader', see me after class), and the odd mention of PIN is the only sign that there might be something there that they'll get to when they've time to think about anything beyond biometrics.

Other listed information is, you'll note, heavily weighted towards immigration control. Clearly, the intention is to have a great deal of data on anybody who isn't a UK citizen from birth. Please yourself as to whether or not you feel this is too much information about you for the government to hold - a commissioner will be appointed to make sure the data is not abused, but actually that's not the half of it. Consider what it doesn't include, things like credit status or whether the security services are after you. Obviously if you're a wanted criminal or terrorist trying to flee the country, police and immigration are going to have you on their list (actually this isn't obvious at all, but they obviously should have you on it) in order to nick you when you hit the border check. So actually they'll have their own database which will interact with the ID Register. Similarly, a bank checking up on you is going to be checking credit rating, homeowner status, county court judgments etc, so will have its own external database and links to other external databases. It will likely prove useful to the bank to consult the Register to confirm you exist and where you live, and it's perfectly conceivable that the unique ID will therefore move out of the Register and into the world in general as a handy, well, unique identifier.

So the government reps telling you there's not much in the database and there's a commissioner to mind it, so that's OK, are being really thick, in a 'don't know much about databases' sort of way. They are, without, clearly grasping it, proposing the ID Register as the focus around which an ever-increasing number of personal information databases revolve. They've set themselves a non-trivial task in keeping all of the specified information in the Register accurate and up to date, and the freeform nature of "information relating to an application or entry" will be a particular problem, because it should really be in another kind of database. Indeed, the amount of immigration-related data in the Register makes it look more like an immigration database than a general population register. Granted, the Home Office may be taking the view that the data should be there because it is needed by multiple agencies, but that's the case for much police and social services data too. If these (where they actually exist fully) can be external, why not immigration?

From, the subject's perspective of course it doesn't matter whether the database is elegantly conceived and designed; what matters to subjects is the extent to which it enables the collation, use and abuse of data on them. By pitching the ID card as "watertight proof of identity for use in daily transactions and travel" the Home Office is essentially begging for the satellite databases to be produced. So, small piece of government control-freakery possibly under the commissioner's control, potential hordes of escaped privacy monsters enabled by said small database.

Providing a secure and efficient Helpdesk

More from The Register

next story
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Arab States make play for greater government control of the internet
Nerds told to get lost in last-minute power grab bid at UN meeting
Zippy one-liners, broken promises: Doctor Who on the Orient Express
Series finally hits stride, but Clara's U-turn is baffling
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
Apple SILENCES Bose, YANKS headphones from stores
The, er, Beats go on after noise-cancelling spat
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.