Original URL: https://www.theregister.com/2004/08/13/cbi_id_scheme_critique/

CBI wishes for the ID scheme we're not getting

It could be a good thing, but it isn't, apparently...

By John Lettice

Posted in Legal, 13th August 2004 13:45 GMT

The Confederation of British Industry, the public prints told us this morning, has backed the government's "flawed" ID card scheme, from which one might conclude that the UK business umbrella body thinks ID cards a good thing in principle, but that the scheme as currently presented needs a fair bit of work. This however is not so - the CBI says "employers are ready to back an ID [note that 'card' is missing] scheme in principle", then presents a long and broadly well-argued document discussing the issues of identity management as they relate to individuals and business.

The CBI does not say flat out that the entire scheme the government is proposing is rubbish, but by the time you've got to the bottom of its paper it has blown so many bits off of the edifice that there's not a lot left standing. The CBI's basic premise, as you would expect, is that a solid, reliable means for identity verification would be A Good Thing. Businesses have a legal liability in numerous (and growing) areas to verify identity, and individuals concerned about identity fraud would like solid mechanisms with which to prove their own identity and stop other people stealing it. Insert any personal caveats about trust, freedom and privacy here and there's really not a lot most people would disagree with, in principle.

Wishing for the existence of solid identity management systems is however not the same as agreeing either that they can be done, or that the government's unhinged faith in the buildability of a single, bulletproof, universal system is in the slightest bit justified. The CBI leads in by detailing some of the advantages that would accrue if "a single system of identity authentication" existed, pointing out that the card itself could become the token whereby public and private services were linked, and that "links to credit brands could be added and subtracted." But although it notes that the government appears to envisage businesses adopting the card, it says businesses are concerned "that the Government is driving forward a murky agenda without full appreciation of the potential drawbacks of a loosely-structured scheme."

"Government should clarify the overarching objective of the proposed ID Card scheme and define the potential benefits to business of being an integral part of the scheme." Warming to its theme, the CBI swiftly moves to the identity register as the nub of the matter. This should contain the minimum data necessary to identify individuals, the proposal to allow individuals to store voluntary information on it should be dropped, and the Home Secretary's powers to add new information should be curtailed. If it's supposed to confirm ID, then that's what it should do, and all of the other stuff simply introduces more scope for errors, inaccuracies and breaches of privacy. The CBI is arguing from the point of view of usefulness and effectiveness, but comes to similar conclusions to the privacy lobby here.

The government has made a great deal of noise about the supposed accuracy of biometrics as the key ID system, but hasn't come up with anything in the way of coherent plans for dealing with situations where biometrics aren't really relevant. Online transactions are not helped unless a completely secure and uncompromised biometric reader is involved, which rules out bank machines and Internet transactions for starters. The government does envisage issuing PINs and passwords to people for use in situations of this sort, but as was noted in The Register when the draft bill was published, this effectively means the government is envisaging a tiered system of identity authentication, using different strengths of ID where appropriate, while talking horsefeathers about a single, invulnerable one.

The CBI queries the government's plans in this area to issue PINs and passwords for remote identification, citing the "inherent weakness of these traditional authentication methods" and volunteering "the experience and expertise of businesses in building different levels of database access be considered by Home Office as the scheme develops". Which makes sense, given that businesses have the most experience of secure transactions, and the most to lose if they're compromised.

It also questions the vagueness over "the requirements on and redress for private sector organisations involved in data-sharing gateways". Government wants business to embrace the scheme and in some cases (e.g. employment) will require that it do so, but government seems not to want to shoulder the responsibility if there are errors in the database and, say, you lose that job/mortgage because the registry says you're a failed asylum seeker on the run: "The CBI is concerned that the government will not accept liability for wrongful identification or verification of an individual through information on the Registry. Although government is keen to involve the private sector by using companies’ valuable intellectual property to create the national Registry, its willingness to transfer the risk associated with using the Registry onto business is disappointing. It could lead to instances where businesses that rely on ID cards as a trusted means of secure authentication, are financially liable for fraudulent activities conducted using a false identity, verified as accurate by the Registry."

Well indeed. The outfit also, very politely, makes the point that the government is entirely missing the point on identity verification needs for individuals and businesses: "... a lack of critical mass for authentication methods has resulted in business searching for an effective yet common means of authentication for b2b transactions. Given the Government target for all government tendering to be conducted online by 2005 there also exists a need to ensure that government can authenticate a company’s identity online as part of the online tendering process through the Government Gateway portal.

"The CBI urges the Home Office to consider how the ID card scheme could be developed to provide an authenticated means of identification for companies conducting business online, as a way to ensure the further development of online trading in b2b, b2c and b2g markets. The co-ordination of business initiatives in this area with the government proposals could also assist in reassuring business that a robust, reliable and secure framework for ID authentication can be developed without being solely reliant on the effectiveness of a single ID card."

Finally, the CBI considers biometrics, saying that it is "concerned at Government’s insistence on including biometrics in the draft Bill without conducting broadly based discussions with business on the practical complexities for its use. This is reflective of business concerns that Government is driving forward an agenda without full appreciation of the potential drawbacks of aspects of the scheme." It says that it supports the use of innovative technology, but says biometrics presents "significant challenges" as regards the accuracy of equipment. Unless this can be assured "it is unlikely that the ID card biometric component will sufficiently reassure businesses that an ID card by itself can provide a viable means of verifying an individual’s identity." Which is something of a sting in the tail. "The CBI suggests the government conduct further consultation with the wider business community on the issue of biometrics before moving ahead with the inclusion of biometric information in the ID card scheme."

As we said, once the CBI has finished there doesn't seem to be a whole lot left of the scheme, aside from the view that an identity would be A Good Thing in principle. ®
