INDIA'S NATIONAL MAGAZINE
from the publishers of THE HINDU
Why it failed in U.K.
R. RAMAKUMAR
Whitley was the research coordinator of the LSE Identity Project and represented the project at the Science and Technology Select Committee review of the scheme. He has written extensively about the United Kingdom's identity cards programme for both academic and trade audiences and is a frequent media commentator on the scheme. His recent publications include work on the technological and political aspects of the programme. In 2009, he co-authored with Gus Hosein a book titled Global Challenges for Identity Policies (Palgrave Macmillan, Basingstoke, U.K.). He spoke to Frontline at his LSE office on October 18.
Thank you Edgar for agreeing to do this interview. You would have guessed that the decision to do this interview is inspired by certain recent events in India, where an identity project largely similar to the project in the United Kingdom is being implemented. In your view, what were the major reasons behind the U.K. government's decision in 2004 to bring in an identity card project? Was there only an “internal security” dimension to it? Or were there other dimensions, too, such as “developmental”?
In many ways, this is a really great question to begin the interview, because it is kind of a puzzle that we have never been able to find a satisfactory answer to ourselves. The idea of having identity cards has been one that almost every Home Secretary had at least thought about and had some consultations with civil servants at some stage, before they backed out. So, in the U.K., in 2002, there was a discussion about “entitlement cards” that slowly gave way to “identity cards”. I think the idea that there was a single policy reason or a few policy reasons behind the identity card project would not fit the facts well. If you take entitlements to access public services, then a few features of the project could be thought of as leading us to such a view. If you take national security, then, certain other features of the project could be thought of as leading us to such a view. In addition, there was a real space where I could have jokingly said about the reasons behind the project as: “Oh, it is Tuesday today, so for today ‘X' might be the reason behind the project.” This was partly the way the description, discussion and arguments for the project evolved over time, both naturally as a policy development and in response to the challenges and questions that the project faced at each point of time.
So, by about 2009, when the popularity of the project was faltering badly, to put it mildly, emphasis suddenly moved to enabling young people, who did not necessarily have a detailed credit history or biographical footprints, to be able to prove who they are for frequent transactions, such as opening a bank account or registering for a mobile phone number, and so on. This particular strategy was a response to the fact that other claims were not proving to be successful, as they had initially hoped. Another argument was that this scheme would help to build confidence in people working in airports, which was a typical “national security” reason. But the airport unions fought back against it and they had to limit it to two small trial projects in two small airports. During other times, some of the arguments put forward were responses to policy design decisions. So, sometimes they thought it may be better to emphasise the idea that the ID card can be used to travel freely across Europe without carrying passports.
So, the claims and responses kept changing. That is why I said it was a great question to begin this conversation. If the idea of having a centralised database was to address questions of identity fraud, so that people would not have more than one identity card, then there were other ways in which you could do that without resort to such centralisation of personal information. So, I suspect there was a broad kind of direction; when some aspects of the project appeared to be faltering in popularity, other claims were made, and this process continued as the project evolved.
Discrimination concerns
Was the “entitlement card”, linked to the ID card project, linked to reforms in the National Health Services (NHS), that is, to reduce leakages?
It was essentially about concerns about people who were not entitled to public-funded services like the NHS having access to them. So, if students were entitled to the NHS during the period of their study, and they didn't return to their home country, maybe you could argue that fraud could be reduced if you insist that the ID card should be produced at the NHS centres. But there are practical problems that emerge from this policy. The counter argument was that this makes the doctor a receptionist, equates him to a border official, having to do duties way beyond what he was reasonably expected to do. Further, this also rewrites what citizenship or entitlement actually means.
There is also a very practical risk of discrimination. If a surgeon is doing this checking for entitlement, and I, as a white middle-class male, come along and say, “I am sorry, I don't have my card with me, but I would like to book a doctor's appointment”, will I be treated in the same way as a U.K. national whose skin colour is not white and first language is not English? The latter might be checked more despite the fact that their entitlement is exactly the same as mine, and there are consequential concerns of discrimination that are very serious.
What were the major arguments in the LSE report?
We had argued that the ID card system could offer some basic public interest and commercial sector benefits. But we also identified six key areas of concern with the government's plans. First, evidence from other national identity systems showed that such schemes performed best when established for clear and focussed purposes. The U.K. scheme had multiple, rather general, rationales, suggesting that it had been ‘gold-plated' to justify the high-tech scheme.
Secondly, there was concern over whether the technology would work. No scheme on this scale had been undertaken anywhere in the world. The India project is, of course, even bigger. Smaller and less ambitious schemes had encountered substantial technological and operational problems, which may get amplified in a large-scale national system. The use of biometrics created particular concerns, because this technology had never been used on such a scale.
Thirdly, there was the question of the scheme's legality. A number of elements of the scheme potentially compromised Article 8 (privacy) and Article 14 (discrimination) of the European Convention on Human Rights. The government was also in breach of law by requiring fingerprints as a pre-requisite for receipt of a passport. There was a lot of talk from the proponents about international obligations. However, the report found no case as to why the ID card requirements should be bound to passport documents.
Fourthly, we felt that the National Data Register was likely to create a very large data pool in one place that could be an enhanced security risk in case of unauthorised accesses, hacking or malfunctions.
Fifthly, according to us, an identity system that is well accepted by citizens is likely to be far more successful in use than one that is controversial or raises privacy concerns. This was important in order to realise the public value that citizens would want to carry their ID cards with them and to use them in a wide range of settings.
Finally, the cost part. Compliance with the ID cards Bill would have meant that even small firms would have had to pay £250 for smartcard readers and other requirements, which would have added to the administrative burdens that firms faced.
You have argued in the report that the “scheme should be regarded as a potential danger to the public interest and to the legal rights of individuals”. Was privacy the legal right you were referring to?
Yes, privacy in terms of the data controlled by the government. There was a separate concern about the audit trail. So, when you entered into a transaction where you had to produce your ID card, the design of the system was such that a record would be kept of every such verification. Good idea, because it allows you to check for forgery in transactions. However, the negative version of that is it provides a detailed record of every transaction you have done, which can be of interest to either people browsing the database or to security services or whoever. The record here wouldn't be just that your identity was verified; there would be a little more data associated with the transaction. For example, you went to Health Clinic Number 45. They used your card and your fingerprint there for verification. They did this at 12:37 hours. There is a series of metadata associated with that visit that would be there in the audit trail. And, of course, it wouldn't take very long to realise that, actually, Health Clinic Number 45 is a sexual health clinic. If the audit trail also shows that you were there on a number of occasions, it might be reasonable to infer certain kinds of things that you perhaps do not want to disclose. Some things are not necessary to be disclosed, but which are being recorded and stored in an accessible way to various people because of the way the system is designed.
A second concern was with the way biometrics was being used. Although fingerprints and iris scans are useful ways of linking a person to their biometric, one problem if you take straightforward images is that they aren't revocable. So, if you have a password for your e-mail account, and you realise that someone has broken into your e-mail account, you can always reset your password. If the biometric is stolen, the possibility of revoking it becomes almost impossible. It's gone.
“Death of privacy” is what some argue in the wake of the massive technological advances that we have had. Your comments.
That is just one way of looking at the technological advances. To my mind, it is an overly deterministic proposition. What you are doing here is not allowing for user choice of designs and not allowing for innovative alternative designs. It's a too straightforward view. Clearly, there are privacy concerns that are more difficult to address with the new technologies. The fact that when you visit a web page, they know where you came from, what your browser configuration is, what plug-ins you have, what screen resolution, and so on. You could be pretty uniquely identified just from the browser. But there are things that you can do. You can do private browsing, you can have do-not-track options, you can delete your cookies and if you are really sophisticated, you could also do things like onion routing. There are also opportunities for companies to declare themselves as privacy-friendly, and they could be good competitors to other companies that are not so privacy-friendly. So, the idea of “death of privacy” is too simplistic a view.
There are always alternatives; there are always different ways in which a society can respond to these kinds of concerns and issues. There are always possibilities to have privacy-enhancing means of identification. For instance, you could have an ID card with a chip, which has your fingerprint, or a part of it, stored as a template. It is not stored in any central database, but it is in the chip of your card and your card is with you.
So, when you have to prove that you are you, you could just swipe the card and give your fingerprint, after which you could be identified as the bearer of that card. No one gets your information stored in that card. That's a privacy-friendly way of identification.
The first generation technology here are chip cards, the second generation technology is stickers on your mobile phones and the third generation technology is a chip inside your mobile phone. The chip may have your name, your database, your fingerprint template and a little bit more data on who issued it and all that. But nothing about where you have been, no audit trails, no records and thus, privacy-enhancing.
Are there countries that have tried these methods?
This has not yet become the obvious way to do it because it takes a while to get your head around. The point here is that you need to understand what it is that you want. Technically, you only want proof that the person is himself and a little bit more.
Biometric matching
You were very critical of the technology of biometrics being used in the project. You argued that “the technology envisioned for this scheme is, to a large extent, untested and unreliable”. Was this assessment based on technical inputs from biometric experts? Could you elaborate on the comments from biometric experts?
We used some feedback from biometric experts, but we also independently looked at already published research work on biometrics. Certainly, in terms of the untestedness, the scales of studies that had been done for both fingerprints and iris scans were fairly limited.
There were far better performance results on a 1:1 match. So, this is Edgar's fingerprint on the database, here is Edgar, we do 1:1 match; this is more likely to work. But that was not how the U.K. was planning to use it. The U.K. was trying to use biometrics to also prevent duplicate identities. The idea was that even if I try to enrol twice, and even if I had created a fake biographic identity (say, a John Smith with a different address), when my fingerprint came in for a second time, the system should come along and say: “We know this fingerprint, and this belongs to Edgar Whitley” and not say, John Smith. Here, you have to match every single biometric with every single previous biometric.
Biometric matching is not a perfect process. There is an element of judgment, and there will always be the result: “This fingerprint is pretty close to three other fingerprints”, which you then need to check manually and figure out. But this increases the cost, let alone concerns about reliability.
Now, there is always a possibility of a fraudulent use; that is, if I am really John Smith, I could have applied with Edgar Whitley's biographical details. That's possible, though difficult.
So, for instance, victims of domestic abuse could be given a completely new identity with a stolen set of biometrics.
You also have major issues with gender reassignment, which will create unnecessary interferences into your private life.
The U.K. project was to have iris scans, but they were dropped later. Was there a reason?
Iris scans were always present in the documents that were discussed in Parliament. The proponents of iris scans claim that they are far better than fingerprints at differentiating people. That is because you collect a far larger number of data points in your iris scan than in the fingerprint. The problem with the iris biometric at that time was that the set-up for the capture of the iris biometric had to be well managed.
If there is a sudden good sunshine, very noticeably the room is brightened up. So, you need to potentially adjust your iris-capture device to allow for those kinds of set-ups. But we know from the experience of airports that iris devices often have problems in operating at their full performance level; airports are designed by architects, and architects use lots of glass and open space, which allow for light to come in seamlessly and brighten up the space. This creates a lot of problems for iris recognition systems.
There is also interesting empirical research that shows that as you move from one version of the technology to newer versions, you get performance differences because they capture iris images slightly differently.
So, you don't get quite the same results in matching as you move with versions. These were the reasons why the U.K. government dropped iris scans from the plan in 2006.
What was the nature of the response among the British people to the identity project? Were there mass protests? Or was it mostly through the social media that the protest spread? And, was it due to these protests that the project was finally shelved in 2010?
It got scrapped because the parties that came to power were opposed to it. In practice, you don't vote on the basis of your view of one single scheme. There was a lobby group called “NO2ID”, which was very effective in getting the message out about their concerns with the whole process. I was on their mailing list, and every week, along with the news items on the scheme, there was also information on where meetings were to be held, where you could meet MPs and ask questions about the scheme, and so on. Scores of local activists got involved in this, again from both the Left and the Right. This was no civil disobedience movement, but just explaining what these proposals were and what they are going to mean, and trying to convince people over what some of the dangers were.
They were also continuously talking to journalists and explaining what this meant in practice, at levels of detail. They kept telling journalists why biometrics could not be the “magic bullet”. The press coverage was overwhelmingly comfortable with that critical analysis.
The technology press and its science and technology correspondents were eager to deal with these questions. They asked those questions. So, there was general awareness building in a major way.
Have you been following the Indian debate around unique ID numbers? Any views?
I have been following it one step removed. We have been speaking to people though. I think in India, too, it is important to raise these policy questions that I referred to just a while back.
Thank you very much, Edgar.