Original URL: https://www.theregister.com/2009/07/09/id_cards_nir_tory_lib_plans/

Killing ID cards and the NIR - the Tory and LibDem plans

This week the parties opened up on how they'll go about it

By John Lettice

Posted in Legal, 9th July 2009 11:52 GMT

Analysis A future Tory government will cancel the ID Card Scheme - but, as The Register has asked several times, what does that mean? A broad commitment to abandon ID cards, even to cancel the National Identity Register database, leaves a certain amount of wiggle-room, particularly if - as is Tory policy - you're likely to be keeping plans for adding fingerprints to passports in place.

In a debate in the House of Commons this week, however, Shadow Home Secretary Chris Grayling was able to set out his stall in some detail, to the extent that it's now possible to say where all three major parties stand on the NIR, on what we'll be left with if and when it's gone, and how they'll argue their respective cases at the next election.

Labour will continue to argue (and indeed did so in the debate), that the switch to biometric passports effectively leaves us with an ID scheme at the same cost, whichever party wins the next election, but the reality is that there is now clear blue water between all the parties.

Labour's pitch is ludicrous on several fronts, but is helpful for the purposes of analysis. According to Labour, most of the cost of the ID scheme is accounted for by the switchover to biometric passports, and a National Identity Register-type database will need to be retained in order to store the personal data necessary to operate biometric passports. The addition of fingerprints, says Labour, is necessary in order to fulfil our international obligations, and the bit of plastic is just a low-cost extra, an 'opportunity' that we'd be foolish to pass up on, given that we've got to spend most of the money anyway.

And depending on the amount of funk and fudge an incoming non-Labour administration employed, that could turn out to be true. The data that will form the basis of the NIR is already being gathered and stored, and when the Identity and Passport Service begin to issue the next generation of biometric passport, fingerprints will be collected and stored along with other personal data. So you can repeal the ID Cards Act and scrap the NIR, but if you do nothing else, you'll still be left with the core of the scheme, an NIR-like data store, and a state data-sharing regime that gives a broad range of organisations and departments access to that data. It is, as we said last week, a juggernaut.

But it's now clear that the Tories and the LibDems have no intention of doing nothing else, and that they're both set on tackling the problem, the NIR, as well as the symptom. Both are committed to the cancellation of the NIR, and both explain what they mean by this in sufficient detail for it to be certain that they'll really cancel it, rather than just cut it back a tad.

Fingerprints and biometric storage

Tory policy leaves most wiggle-room, but will certainly drastically cut back the amount of data stored. According to Shadow Home Secretary Chris Grayling, the NIR "establishes a level of data collection that goes far beyond anything that has ever been required for passports or that even needs to be required for a system of biometric passports. It remains our intention, as it was when my right hon. Friend was shadow Home Secretary, not to proceed with the national identity register. I see little reason why the rules that apply to the application for a passport should change radically given the current circumstances."

That implies an intent to scale back data collection to the status quo ante data set required for a passport application, with the addition of fingerprints. Grayling goes further than this with: "My view is that we should do the minimum that we have to do. If data are submitted for a passport application, they will probably be retained in the passport database. We do not need to create a gargantuan list of items with biometric data attached. We do not need to store somebody’s national insurance number and biometric data side by side with all the other items... on a national identity database. We need a passport system."

So that's not just a commitment to scrap the NIR, but a broader policy statement on government data-sharing.

But he'll still need to be storing data. Replying to a question from LibDem Home Affairs Spokesman Chris Huhne, Grayling said: "We will certainly cancel the national identity register. As the hon. Gentleman knows, we might be in a position in which, in order to allow people to travel to the United States, we need to process biometric data and to pursue the introduction of biometric passports. We have not backed away from the biometric passport option and, I understand, nor has he. Clearly, data collection will be necessary for biometric passports. However, it is not our intention to proceed with a compulsory national identity register."

Huhne was asking if Grayling intended to "cancel the contracts that are in place to establish the centralised biometric database," and you'll note that the clear implication of Grayling's answer is that no, he quite possibly might not be prepared to do that.

Regrettably, he also seems a little confused about what a biometric passport actually is, and what our international obligations are. As has been pointed out ad nauseam in The Register and elsewhere, our international obligations under ICAO begin and end with the 'biometric' passports we've already got. So when Grayling says "the biometric passport option" he actually means the revision 2 biometric passport with the addition of fingerprint biometrics.

It is helpful that he still thinks it's an option, however, because it is. The EU Schengen countries are now obliged to issue this class of passport (from 28th June 2009), but the UK isn't a Schengen country and doesn't need to join in. The Home Office is currently planning to introduce these passports from October 2010 (clue: because there's nothing the Commission can do to us if we don't start in June 2009), but says that from this date the passport "will have a new design and improved security features including the capacity to hold fingerprint biometrics".

Our emphasis there - a capacity to hold something is not necessarily filled with that something. Even the Home Office has some wiggle-room here, and any of the three main parties could conceivably find itself postponing or abandoning fingerprints in passports.

Grayling also incidentally seems a little off on travelling to the US. Yes, the US requires a biometric passport, and has done for some time. But it's the revision 1 biometric passport without fingerprints (which are also notably absent from US passports), and the Department of Homeland Security collects biometrics from you on entry, and a set of personal data from you prior to this. None of this is anything to do with you, even if you do get to be Home Secretary. Essentially, they just don't trust anybody else's data gathering, no matter how 'secure' it's supposed to be.

But we'll give Grayling seven out of ten. He has at least expressed the intention to collect the minimum of data necessary for a passport application, and unless it was a slip of the tongue, he's retaining the option to back out of collecting fingerprints. He hasn't got properly on top of what a biometric passport is, but that's the case with most MPs.*

*For the record, a standard 'biometric' passport is simply one with a digitally scanned picture in it which is also stored on a chip in the passport. If a picture of your face is a biometric - which it is - your passport has always been biometric. The ICAO definition confuses people, because they reasonably tend to assume that it must be in some way cleverer than that.

Just throw it all away?

LibDem spokesman Chris Huhne's stance is rather more radical, and has a certain appeal for security techies. He'd dump ID cards and the NIR, but he would not be storing biometric data (hence his question to Grayling). He points out that "the document would have the biometric data and it is an additional guarantee of veracity. Why is it necessary to go one step further and store it centrally?"

Huhne's argument here is that so long as one has confidence in the integrity of the document (passport) itself, one can have confidence in the biometric data on the chip. So comparing the bearer's biometric data with the data stored on the chip can be used to provide an accurate identification of the bearer. You don't need a central store or an online lookup, so you don't need to keep the biometric data. Online, or at all? It seems the LibDems are proposing to go for the 'not at all' option, which we think is one of those decisions civil servants would describe as 'courageous'.

But it's a perfectly rational approach, its main defect being that you've no ready mechanism for stopping the same person getting more than one passport, in different names. It assumes that no ID system is invulnerable, and that you're prepared to accept a trade-off between cost and fraud. Which is true - and a 'courageous' admission.

Huhne does however lose points on biometric identification: "During questions today, the Home Secretary was asked about the point of biometric data if they were not on the database, and on that issue we have an important point of difference with Chris Grayling. The answer is easy: biometrics enable the authorities to check that the holder of a passport — or, indeed, a card — is who they say they are. Biometric data such as fingerprints are much less easy to forge and equipment enables them to be checked; we do not need to put the data back on a database to make them useful. A central database is another logical step — a disproportionate one, in our view — in achieving higher security against identity fraud."

Now, how does this work under the proposed LibDem regime? Absent facial recognition software at the border that actually performs better than an attentive human, version one biometric passports are no better and no worse at identifying the bearer than picture ID - because that's what they are. So long as you have a mechanism at the border for determining with a reasonable degree of certainty that the chip hasn't been tampered with, then you can also be reasonably certain that the picture hasn't been tampered with. So if it's not the person pictured in the passport it's somebody who looks a bit like that person, right? This isn't quite the same thing as Huhne is saying (see tedious footnote**).

He is right, however, that fingerprints are much less easy to forge, and can be more readily checked by machine (theoretically - that is reportedly not the case if the machines are part of a Home Office trial). Fingerprint biometrics do tie the bearer to the document more securely than facial ones. But, erm, there's a slight problem here. Although Huhne here appears to be an enthusiast for fingerprints, and in some senses his 'we don't need to keep the data' pitch would be strengthened by their presence in passports, this isn't actually LibDem policy - or at least it wasn't in March, when a LibDem position paper said "The International Civil Aviation Organization (ICAO) only requires that passports are machine readable and contain a facial image. Liberal Democrats would... adhere to the ICAO standards."

Huhne's office actually sent us the policy paper, and we've asked them for clarification of what the policy is now. We'll update as and when they get back to us.

Overall, though, the picture is fairly positive. Both major opposition parties clearly are going to kill the NIR project in addition to dropping ID cards, and what they're saying makes it clear that they're going to have to rein in IPS as well in order to deliver. IPS' quest to become the UK's standard identity services broker will, unless Labour gets back in, be over. Neither party seems yet to be fully on top of the technicalities of 'biometric' passports, but they both seem to be in the right ballpark, and with the right advice they'll surely get there. ®

** There is a widely - near-universally - held belief that the ICAO biometric passport standard is about identifying people. But it really would be a help if politicians could grasp the more subtle truth when they're considering ID systems. ICAO is about the document, and defending the integrity of the document. It does not issue passports, QED it has neither responsibility for nor control over the identity of the person carrying the document, right?

So, the point of the 'biometric' in the passport is that it is one of a number of visible pieces of data in the passport book which are duplicated on the chip in the passport. Changing the visible data has always been and always will be achievable, but changing the data on the chip to match, without it being evident, is a lot harder (some of the reasons why here.) So in rev one, the 'biometric' in the chip is there mainly for document protection purposes, and for identification purposes it's no better and no worse than a picture. By adding fingerprints you do - assuming the widespread deployment of fast and accurate fingerprint readers - tie the document more securely to the individual, hence you have the makings of an ID system. But this isn't really a whole lot to do with ICAO, and it's not an ID system that came 'free' (as Labour would have it) with biometric passports. It's one you bolted onto biometric passports, and there's a whole bunch of other stuff you need to build out in order to make it much use. As a 20th Century ID system, that is. See here for why that's not a good idea.