HMG's fix for the immigration NI 'loophole' - build more backlogs

Spot the cure's built-in self-destruct...

Top three mobile application threats

Analysis On Thursday morning the Times runs a screamer claiming that the Department of Work & Pensions will happily issue a national insurance number even when it suspects the applicant is an illegal immigrant. By lunchtime the Government has promised to change the law to block this "loophole", and fairly swiftly we can see the latest component of the slow-motion train wreck that is the Home Office begin to slide into place.

It is of course a systems problem, and the next stage of the train wreck will happen as systems collide. The problem is that the national insurance number is merely a mechanism for collecting tax and national insurance from those in work, and providing benefits for those out of work and/or in need of them. It is not a national identity number, it does not form a part of a national identity system, and it was not intended as a mechanism for the control of immigration. Consider making it any of these and there is a clear risk of turning it into an easily-obtained tool for industrial-scale identity fraud - as is the case with social security numbers in the United States, and as, thanks to the bright sparks in HMG IT, happened here.

Actually, park thoughts of 'coming over here, stealing our jobs' for a moment and consider the UK national insurance number from the point of view of the national insurance system itself. This system faces two main challenges, collection of revenue and control of benefit fraud. When it comes to revenue collection the system need not be overly concerned about more numbers existing than there are people in the country (if, given recent headlines, we can be absolutely sure about that), because hey, if Mickey Mouse is paying his dues, well, we may not be wholly displeased with Mickey Mouse, right? Other Government departmental systems might well have different priorities, and hence be less likely to take such a happy-go-lucky view, but in essence (I do not say 'in operation') NI is a fairly simple system that ought to perform its allotted tasks fairly cost-effectively. This is especially the case if the DWP can dish out numbers with a minimum of administrative hassle.

From the point of view of fraud control the system's attitude might be different, because the ease with which one may obtain a number means that the DWP is to some extent providing an enabling tool for multi-ID benefit fraud, which does indeed occur. This however is clearly not a problem specific to illegal immigrants, and cost-benefit analysis (which, this being Government, the DWP almost certainly has not done) could well reveal that database trawls for suspicious multiple payments at the same address were better than a general tightening of the number issuing process. A more specific tightening of checks on immigrants, as is planned, might in principle have an impact on benefit fraud, but possibly quite a small one, given the reported size of the total 'dodgy' ID population, and again other control mechanisms (e.g. checks of purported employers, identification of suspiciously high worker turnover and/or volumes in specific employers or areas) might cost out better from the DWP's point of view.

Anyway, we should not automatically assume that the NI system is broken or particularly dysfunctional - but what are those lights at the other end of the tunnel?

Ah yes, the train. Thundering down the line towards the NI system we have the Immigration Imperative Express. Immigration control has become a Government priority over the past few years, and with the conversion of the Home Office into a shooting gallery for the public prints over the past few weeks it has become the priority. The overarching nature of this priority means that there is indeed an argument that immigration control should be seen as a top priority for every Government department, including the DWP. And having a DWP immigration problem rearing up alongside all of those Home Office immigration problems is the last thing the Government needs right now.

But is this a DWP problem? The DWP has certainly been lumbered with fixing it, but that seems to me rather unjust - consider the options that are available to the DWP when someone requests an NI number. According to the guidance that triggered the outcry, the only circumstance in which a NI number would be given to someone with suspect immigration documentation would be where the applicant had a job. In other circumstances, procedure is not to grant the number and to inform the Immigration and Nationality Directorate (IND).

It is not clear from the guidance that IND would have been informed in the case of these successful applicants, possibly not - DWP did tell IND about 3,300 cases of suspect documentation over last year, but these may all have been of the jobless variety. The Home Office is as yet unable to tell us what IND might have done about these tip-offs, but we can surmise.

Instead of granting the number, procedure could have been (and in the future may be) that in all cases where the documentation is suspect, DWP temporarily withholds the number pending IND verification of the documentation. But how does that work? If IND had a big, all-singing, all-dancing database system with a list of all immigrants, their current status and the terms and conditions of their right to work, if any, and if the DWP had a a similarly shiny system that could exchange data with IND, then it would all go swimmingly, right? But as we know, none of that is the case. DWP systems are no great shakes, but are at least anchored in part by the customers usually being tacked onto an employer or the route the benefits take to get to them (which often leads to an address). DWP systems could actually be quite simple, were it not for the nightmare complexities of the benefit system.

That is most certainly not the case for IND. IND does not know how many illegal immigrants there are, is pretty hazy regarding the number of legal ones, doesn't know with any great certainty whether or not specific individuals are rated for work in the UK, and while in theory it should have records of everything it has done (and hence the ability to spot, for example, a forged Indefinite Leave to Remain stamp), in practice it frequently can't find them. So if IND were seriously investigating an individual's status it might well need to check passport stamp and supporting documentation for forgery, and perhaps to do a little research into the applicant's biographical footprint. In many cases it would have to reconstruct a record from scratch - it's worth noting that this is precisely what it is going to have to do if the magic National Identity Register is to operate as specified.

Even for a functional organisation, doing that in every case would be a huge challenge. But the situation now, given the non-existence of the big databases and slick interconnect, is not much better if we just go for the simplest of checks. Say the applicant, who already has a job, comes in to the Jobcentre and asks for a number. The applicant's passport and/or documentation is viewed as suspect or inconclusive, so the granting of a number is delayed while passport and documentation go to IND. Factor in however long you think is a likely time for these to rattle around within the IND, er, 'system', then imagine what happens when they get to the top of the in-tray. The IND operative has to decide whether the applicant's documentation is genuine or fraudulent/forged/incorrect. Genuine is easy, just shove them back in the post and off you go, but any of the others could be quite hard.

IND having no record of granting status does not automatically mean that it was not granted, some forgeries are quite good, and many (of the very many, many) UK immigration stamps are quite basic and easy to forge. And IND starting to claim genuine applicants were fraudulent would add even more to the giant shitpile it already has.

Factor in as long as you like for the time doubtful documentation goes round and round IND while the backlog grows, and consider the situation of the applicant as the weeks turn to months because (remember?) the applicant has a job. How is he getting paid? How is tax and national insurance being deducted? DWP spokesmen on Thursday were, rather cravenly, claiming that they had a "legal obligation" to issue a number whatever, but stuff legal obligations - for gawd's sake, what the blazes are they supposed to do? Tell the applicant they can't have the job? Tell the employer to sack them? Tell them it's OK, you'll get paid gross for the next n months because we think you're an illegal immigrant? Bit of a result, that one - but seriously, if they can't issue an NI number until IND passes judgement, it's difficult to see what they could do other than issue a temporary NI number.

A process whereby life can go on as normal while IND does what it does best will certainly be necessary, if the DWP system is to avoid importing extra dysfunctionality from the dysfunctional IND system.

And note the minimal difference between the pre- and post-scandal situations. Before, the suspect had a job and an NI number, and the case might or might not have been referred to IND. After, the suspect will have a job and some mechanism to get by without an NI number, and the case will have been referred to IND. In neither case would there be any great likelihood of an early IND response or reaction to a referral. The simplest and most obvious response to the scandal, in fact, would have been for the DWP to instruct staff to carry on as before, granting NI numbers, but to ensure that all suspect applicants were referred to IND.

Clearly we don't need a new law, but we're going to get one anyway, and if the DWP is smart it will make sure it rustles up something along the lines of my 'notanNInumber' so that the show can go on while IND gets on with its backlog backlog.

The problem, such as it is, is not a loophole, and it is not a DWP problem - it is a Home Office problem. Multiple overlaid immigration policies and changes in immigration status and terms and conditions have produced a system where right to work cannot be determined with any great certainty by employers, the DWP, or by IND. The complexity of the system is such that, even without regular changes of targets and priorities from Downing Street and the Home Office, IND stands little or no chance of getting on top of it. And Government reaction to the "problem"? A jerk of the knee, another new law, and more complexity, targets and overload for IND. That is, the addition of even more of the 'special sauce' that has helped make the system such a wreck in the first place. ®

* The boilerplate Register 'why all this does not reinforce the need for ID cards' would possibly be appropriate here, but frankly we can't be bothered today. Check the first two links below - these should just about cover it.

Top three mobile application threats

More from The Register

next story
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
Sorry London, Europe's top tech city is Munich
New 'Atlas of ICT Activity' finds innovation isn't happening at Silicon Roundabout
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
prev story


Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.