Giving identity cards a bad name

[Dave Birch] As I’ve constantly complained, what should one do if one is (broadly speaking) in favour of some form of smart identity card to bridge the worlds of physical and virtual identity, but one is (broadly speaking) against the government’s proposed system? Well, one policy might be to stop reading the newspapers and hope it will all get better. Consider, for example, the Department of Work and Pensions’ attempt to salvage a viable system from the Child Support Agency catastrophe, the Child Maintenance and Enforcement Commission (CMEC), which adds several sticks to beat recalcitrant parents with. There is going to be a ‘name and shame’ web site, credit blacklisting, monitored curfews (possible including electronic tagging) and the confiscation of passport and/or ID card. That’s joined-up government at work, presumably. The Child Maintenance & Other Payments Bill includes powers for the CMEC to disqualify an individual from “holding or obtaining travel authorisation”, with a travel authorisation being defined as a UK passport or as “an ID card… that… has been issued to a British citizen.” This kind of predictable — and tragic (in the sense of inevitable) — mission creep is an consequence of an ill-thought out identity infrastructure that is not up to the demands of a modern society or modern economy. And even if you think that taking away some ID-related privilege is the right thing to do to a deadbeat Dad, the use of the word “confiscation” reveals the basic mindset problem: “they” won’t stop you from renewing a public key certificate, delete an application from the card, change a security level or anything else that might smack of the 21st century, “they” will confiscate the card. Hey, Parliament, I’ve got 1952 on the line and they want their ID card back…

Technorati Tags: ID cards, management

There’s another side to this story as well. Punishing people by taking away their ID card will only work if you come up with myriad things that they need an ID card to do. And then you annoy every other law-abiding citizen by inconveniencing them. For example: if I need an ID card to do absolutely everything, then what happens if I lose my card? In Malaysia, where the smart ID card (“MyKad”) has been around for a while, 1,000 ID cards are lost every day and the government has just raised the fine for losing the card tenfold (and it goes up every time you lose it). Home Affairs Ministry parliamentary secretary Datuk Abdul Rahman Ibrahim said the new fines, expected to take effect later this year, are to make the people more responsible because

Since MyKad was introduced seven years ago, 2,123,611 people have lost the cards.

Where could the government make ID cards compulsory then? What about voting? That’s a simple example — and by “simple” I mean conceptually simple in this thought-piece, I don’t mean to imply that getting electronic voting working is simple, which is why I’ve invited James Heather from the University of Surrey to give a talk on the topic at this year’s Digital Identity Forum — and the chairman of the Electoral Commission in the U.K., Sam Younger, has already said that photo ID should be required at polling stations and that if (or, indeed, when) ID cards become compulsory they would “undoubtedly” be applied in elections. So let’s pretend that deadbeat Dads might be brought to heel by withdrawing their vote: why would you need to confiscate their card? Wouldn’t you just tell the voting booth to ignore this persons vote or not let them in to vote? Or not send an “this person can vote in this election” certificate to their card, or something like that?

Compare all of this with what is going on in British Columbia. There they are about to test “information cards architecture” (ie, Microsoft’s infocards) to allow citizens to connect with the government’s online services more safely and easily. Among other attributes, Bailey said using an information card means:

The government won’t know which sites the user visits.
The user is in control of shared information.
The cards won’t have to reveal users’ birthdates or addresses, or a student’s school. Instead, it could simply confirm the user is over 19, a B.C. resident or a student.
He compared using the card to using a driver’s licence for identification since, in both cases, the government does not know what the citizen is doing.

Ann Cavoukian, Ontario’s privacy Commissioner, said that this implementation will have “several key advantages” over username/password systems.

• The end of stolen, lost or forgotten passwords.
• Less “phishing,” when a password is stolen by an unauthorized user, because authentication used by one site is useless for another, even for the same information card. (Note: I’m not entirely sure what this means)
• Less storage of sensitive information, because the cards can resend it every time they are used, so the accessed site doesn’t need to retain it.

She simultaneously warned that the system could be misused and “become an infrastructure of universal surveillance”. Fair enough, but at least it’s a step into the 21st century.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]