ID scheme will be a costly, dangerous failure, says LSE report
Misses targets, multiple cost overshoots likely
A report published today by the London School of Economics' Department of Information Systems concludes that the proposals set out in UK Government's ID Cards Bill are "too complex, technically unsafe, overly prescriptive and lack a foundation of public trust and confidence." The report accepts that a secure ID system could create "significant, though limited" benefits, that many of the objectives of the scheme could be achieved better by other means, and says the cost is likely to spiral to several times the current headline figure.
The LSE study involved more than 100 academics, and is claimed to be the most comprehensive analysis yet of the scheme. It views the technology being proposed as largely untested and unreliable, and says that despite the intended all-encompassing nature of the scheme, it misses key opportunities to establish a secure, trusted and cost-effective identity system. Identity theft could be better dealt with "by giving individuals greater control over the disclosure of their own personal information", while terrorism could be more effectively managed "through strengthened border patrols and increased presence at borders, or allocating adequate resources for conventional police intelligence work."
Cost of the current scheme could escalate in several areas. There could be "substantially higher implementation and operational costs than has been estimated" (this is traditional with UK Government IT projects anyway), while the registration costs for the individual may be higher than expected, and complexities associated with the registration process "may result in registration alone costing more than the projected overall cost of the identity system". The cost to business, downplayed even pitched as a "saving" for business in the Bill impact report, is also likely to be high. Card readers will be more expensive than claimed, and "private sector costs relating to the verification of individuals may account for a sum equal to or greater than the headline cost figure suggested by the government."
Even a UK Government IT project would surely be almost supernaturally unfortunate if it fell victim to all of these overruns, but there's enough there for 'think of a number and keep doubling it' to seem a fair summary.
Aside from the major issues of cost and ineffectiveness, the planned scheme is also legally dubious, clashing with data protection law and and likely to be in breach of the the European Convention on Human Rights and EU freedom of movement principles.
The risk of failure, says the report, is so great that "the scheme should be regarded as a potential danger to the public interest and to the legal rights of individuals", and it could make us more, rather than less, insecure: "The proposed system unnecessarily introduces, at a national level, a new tier of technological and organisational infrastructure that will carry associated risks of failure. A fully integrated national system of this complexity and importance will be technologically precarious and could itself become a target for attacks by terrorists or others."
In considering more viable alternatives the report gives particular attention to France's e-government strategic plan, which is intended to be more citizen-driven, and to focus on the provision of user-friendly and accessible solutions within a climate of trust. The proposed French system, which is currently in consultation, envisages multiple forms of identification, emphasises simplicity and proportionality, and is intended to use a federated identification system which allows the individual to use a single identifier to access each service without the Government databases or the federator itself being able to make the links.
The report itself favours this kind of approach, and points out that it is "illegal' not 'sensible' to create a single internal passport just because there is an international imperative to introduce biometrics into border-control systems. It is technologically unremarkable to design an international travel and immigration biometric system, which links to other sector-specific identity systems only to an extent which is foreseeable, explicitly legislated, enforceable, and compliant with European Convention rights." Which, one could note might apply to the activities of Europe's Justice and Home Affairs as well as to those of the UK Home Office. The full report is available here.
Meanwhile the Bill, which is being considered by the House of Lords today, is coming under fire from other quarters. The Association for Payment Clearing Services (Apacs) says that costs could soar above estimates, while The Times reports that the ID Bill will be one of those to fall prior to the election (although the SOCA Bill seems likely to get through if the religious hatred clause is axed. One "member of the Government" indicated to The Times that New Labour saw the killing of the ID Bill as a trap for the Tory opposition. "They assume we want to get all of these Bills. I would sooner go on the doorstep and say, 'If you want ID cards vote for me.'"
Once the election campaign kicks off The Register will be pleased to hear of sightings of major Labour figures saying this, or similar, on the doorstep. We may compile a rogue's gallery. ®
Sponsored: Becoming a Pragmatic Security Leader