Feeds

ID scheme will be a costly, dangerous failure, says LSE report

Misses targets, multiple cost overshoots likely

  • alert
  • submit to reddit

High performance access to file storage

A report published today by the London School of Economics' Department of Information Systems concludes that the proposals set out in UK Government's ID Cards Bill are "too complex, technically unsafe, overly prescriptive and lack a foundation of public trust and confidence." The report accepts that a secure ID system could create "significant, though limited" benefits, that many of the objectives of the scheme could be achieved better by other means, and says the cost is likely to spiral to several times the current headline figure.

The LSE study involved more than 100 academics, and is claimed to be the most comprehensive analysis yet of the scheme. It views the technology being proposed as largely untested and unreliable, and says that despite the intended all-encompassing nature of the scheme, it misses key opportunities to establish a secure, trusted and cost-effective identity system. Identity theft could be better dealt with "by giving individuals greater control over the disclosure of their own personal information", while terrorism could be more effectively managed "through strengthened border patrols and increased presence at borders, or allocating adequate resources for conventional police intelligence work."

Cost of the current scheme could escalate in several areas. There could be "substantially higher implementation and operational costs than has been estimated" (this is traditional with UK Government IT projects anyway), while the registration costs for the individual may be higher than expected, and complexities associated with the registration process "may result in registration alone costing more than the projected overall cost of the identity system". The cost to business, downplayed even pitched as a "saving" for business in the Bill impact report, is also likely to be high. Card readers will be more expensive than claimed, and "private sector costs relating to the verification of individuals may account for a sum equal to or greater than the headline cost figure suggested by the government."

Even a UK Government IT project would surely be almost supernaturally unfortunate if it fell victim to all of these overruns, but there's enough there for 'think of a number and keep doubling it' to seem a fair summary.

Aside from the major issues of cost and ineffectiveness, the planned scheme is also legally dubious, clashing with data protection law and and likely to be in breach of the the European Convention on Human Rights and EU freedom of movement principles.

The risk of failure, says the report, is so great that "the scheme should be regarded as a potential danger to the public interest and to the legal rights of individuals", and it could make us more, rather than less, insecure: "The proposed system unnecessarily introduces, at a national level, a new tier of technological and organisational infrastructure that will carry associated risks of failure. A fully integrated national system of this complexity and importance will be technologically precarious and could itself become a target for attacks by terrorists or others."

In considering more viable alternatives the report gives particular attention to France's e-government strategic plan, which is intended to be more citizen-driven, and to focus on the provision of user-friendly and accessible solutions within a climate of trust. The proposed French system, which is currently in consultation, envisages multiple forms of identification, emphasises simplicity and proportionality, and is intended to use a federated identification system which allows the individual to use a single identifier to access each service without the Government databases or the federator itself being able to make the links.

The report itself favours this kind of approach, and points out that it is "illegal' not 'sensible' to create a single internal passport just because there is an international imperative to introduce biometrics into border-control systems. It is technologically unremarkable to design an international travel and immigration biometric system, which links to other sector-specific identity systems only to an extent which is foreseeable, explicitly legislated, enforceable, and compliant with European Convention rights." Which, one could note might apply to the activities of Europe's Justice and Home Affairs as well as to those of the UK Home Office. The full report is available here.

Meanwhile the Bill, which is being considered by the House of Lords today, is coming under fire from other quarters. The Association for Payment Clearing Services (Apacs) says that costs could soar above estimates, while The Times reports that the ID Bill will be one of those to fall prior to the election (although the SOCA Bill seems likely to get through if the religious hatred clause is axed. One "member of the Government" indicated to The Times that New Labour saw the killing of the ID Bill as a trap for the Tory opposition. "They assume we want to get all of these Bills. I would sooner go on the doorstep and say, 'If you want ID cards vote for me.'"

Once the election campaign kicks off The Register will be pleased to hear of sightings of major Labour figures saying this, or similar, on the doorstep. We may compile a rogue's gallery. ®

Related stories:

ID scheme to die in pre-election cull?
How Blair high tech 'security' pledge will fix the wrong problem
Tory group report attacks ID scheme as a con trick

High performance access to file storage

More from The Register

next story
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Nokia offers 'voluntary retirement' to 6,000+ Indian employees
India's 'predictability and stability' cited as mobe-maker's tax payment deadline nears
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
It may be ILLEGAL to run Heartbleed health checks – IT lawyer
Do the right thing, earn up to 10 years in clink
France bans managers from contacting workers outside business hours
«Email? Mais non ... il est plus tard que six heures du soir!»
Adrian Mole author Sue Townsend dies at 68
RIP Blighty's best-selling author of the 1980s
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Analysts: Bright future for smartphones, tablets, wearables
There's plenty of good money to be made if you stay out of the PC market
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.