13 Nov · Sun 2005
So, about these ID Cards, then
I know I promised more about last Wednesday's meeting, but it was a busy week, and this has been a busy and somewhat truncated weekend.
So; the meeting was hosted by Baroness Anelay, and the two main protagonists were Andy Burnham, MP (Parliamentary Undersecretary of State at the Home Office) and Simon Davies of the LSE. There were a number of Peers in attendance, and a small cluster of what I later found out were Party Whips.
Messrs Davies and Burnham have squared up to each other before, either in print (Simon was intimately associated with the London School of Economics' report on the ID Cards Bill) or in person --- they had in fact had a similar debate the evening before this discussion. My role on Wednesday was just to provide a quick indication of the so-called 'industry perspective'.
Below I ascribe particular views and statements to people, notably Mr Burnham. I cannot claim these are verbatim quotations, but they are made based on my recollection and contemporaneous notes. I believe they are accurate, but am open to correction by anyone whose memory is clearer than mine...
Simon and the Minister exercised some of the familiar arguments about lack of clarity in the costings of the whole scheme, and one point which emerged (seemingly for the first time) was that the Home Office calculations are, to put it simply, for 'their end of the system' only. They do not include the cost of integration with any departmental systems, this being something the departments themselves will have to bear. "They will want to do this because of the benefit to them of making use of the National Identity Register (NIR)". It is pretty clear that the Home Office expects to pay for the registration and issuing processes and the operation of the database itself; I would infer from Wednesday's comments that the Home Office will not be paying for whatever is intended to read the credentials at the point of verification, or of course for the integration mentioned.
Although it was not discussed in this meeting, I think this raises the question of how the 'client' departments are going to fund such things, given that they all have strict Gershon (cost-reduction) targets to meet. The relevance of this is that the government seem now to be quoting a cost of £30 per card. If that is only going to pay for the Home Office's costs, where's the rest going to come from...?
From my own selfish point of view, the most useful clarification from the Minister came in response to the concerns I raised about the scope and scalability of the proposed system. The NIR is a centralised repository; according to the proposals, it will consist of the register of information, and an auditable record of every access request. I had also thought it would include 'entitlements' information about the user, but I was put right on that point. It will not.
In my view, the latter is a good thing. Entitlements, along with other transactional and historic data about a user, do not belong in a centrally-administered Home Office database. They belong in the department which 'owns' them... or rather, the department which has 'data custodian' responsibility over them on behalf of the user to whom they relate.
It was unfortunate, Mr Burnham said, if the Bill had given rise to the impression that the NIR would store entitlement- or attribute-level data about the user; indeed, Data Protection principles would probably prohibit this. The intent was for it to store those credentials which could act as the 'key' to unlock such data back at the owning department. Again, in my view that is a good thing. It represents a much more federated architecture, and one in which responsibility for the entitlement- and attribute-level data stays with those who have some form of charter for its use.
I have a residual concern about the wisdom of trying to co-locate the audit log with the NIR; I think that runs the risk of at least doubling the throughput required of the system, for a function which is not directly related to its primary purpose of accurate and timely authentication.
I also have a concern about something Mr Burnham said right at the end of the session, in response to a comment by the Secretary General of the NO2ID campaign. He said "I can see no privacy implication in supplying a biometric to be stored in the National Register". That worries me. I can see a very clear privacy implication. If I deposit a facial biometric with the National Register, that biometric could be checked without my knowledge or consent using 'passive' technology such as CCTV. I think as privacy implications go, that's a biggie, and I would feel happier if the Minister concerned was, well, concerned.



"It was unfortunate, Mr Burnham said, if the Bill had given rise to the impression that the NIR would store entitlement- or attribute-level data about the user; indeed, Data Protection principles would probably prohibit this. The intent was for it to store those credentials which could act as the 'key' to unlock such data back at the owning department"
Why is Andy Burnham surprised, when that is exactly the impression given by the list of registerable facts in Schedule 1 of the Identity Cards Bill?
e.g.
How does the word "entitlement" used here on the face of the Bill square with Andy Burnham's comments? These nationality and residence entitlements can be granted, changed or revoked in certain cases, so they are attribute level transactions.
Note how this wording includes the several valid NINOs which many individuals have been issued with by the Inland Revenue. If this is only recorded at the time of registration on the NIR, then what is the point? If not, then how is it to be kept in synch with the Revenue's systems throughout a person's adult life?
i.e. a duplication of many fields within the Immigration and Nationality Directorate's systems, rather than simply a "unique key" to unlock them.
i.e. a duplication of part of the DVLA system rather than a "unique key" based on Identity, to unlock it.
i.e. A catch-all for any other document of any sort, which can be added to this list simply by secondary legislation i.e. a rubber stamp for any Government with a workable majority.
Posted by Watching Them, Watching Us on November 14, 2005 at 12:06 AM GMT+00:00 #
Having these NINOs as attributes clearly visible on the NIR as the bill describes seems unlikely to me. The bill is not a technical architecture document. I suspect that when it says things like "any national insurance number allocated" we are probably talking unique identifiers and/or hashes rather than the actual number itself in clear text...
One would hope so anyway. :-)
Posted by drew on November 16, 2005 at 09:16 AM GMT+00:00 #
I'm not sure how practical it would be to take CCTV footage and run a biometric check against the contents of the NIR, assuming it had a reasonable set of biometrics installed.
Firstly CCTV images are not anywhere near the quality required to perform a biometric check and you are unlikely to have the right orientation to the camera for their convenience, particularly if you are a 'hoody' ;-)
Also, biometric authentication relies on the 1:1 principle. i.e. we know who we are supposed to be authenticating so we do the check against a single biometric and get a true/false response. For a situation where you want to scan a biometric repository for a possible match it would be a 1:Many search and could take hours to conduct. It's not impossible, but I don't see any way it could be done as a matter of course.
Unless the government already has a quantum computer and HD-CCTV with polymorphic attitude correction... who knows? ;-)
Posted by drew on November 16, 2005 at 09:26 AM GMT+00:00 #
Yes, image quality may currently be relatively poor, but think how quickly the resolution of minute digital cameras is increasing these days, sometimes through hardware improvement, sometimes through better image processing algorithms.
The 1:1 principle is a valid point too, but it would seldom be a case of trying to find 1 in 50 million... more often than not there will be other corroborative factors which would greatly reduce that - for instance, if there were already some idea of gender, ethnicity, or even, say, a set of passenger manifests for a given period.
Some of these factors will cease to be significant over time. I think the underlying principle will still hold, though: there are forms of 'passively verified' biometric which can be verified with little or no user consent, and storing those biometrics in an NIR cannot truly be said to have no privacy implications...
Posted by Robin Wilton on November 18, 2005 at 12:19 PM GMT+00:00 #
I've made several posts in the past about what I see as the function and nature of 'entitlement' data, and have also set it out to some people in the Cabinet Office IT strategy community, but will have another go in a separate blog entry shortly.
I have also formulated some thoughts on specific items of 'identity meta-data', which are almost ready to be launched on an unsuspecting (and some might say undeserving) public. More on that story later.
Posted by Robin Wilton on November 18, 2005 at 12:24 PM GMT+00:00 #