A national identity register, done right

Summary

A national identity register of unique personal identifiers could make a significant contribution to improving government services.  We could introduce such a register without allowing the establishment of a surveillance state. 

The following five conditions would help to protect our liberties:

  • government data should be stored in decentralized databases, not in shared data warehouses;
  • citizens should have access to all data held about them by government
  • citizens should be able to see a log of all government access to their data
  • an independent information security ombudsman should police the systems
  • there should be no identity cards and no collection of biometric data

If all these protections were put in place, I would welcome a national identity register. If the Government will not implement any of them, I should like to know why not.

The benefits of unique personal identifiers

Many bloggers and other tech-savvy folk hold two apparently inconsistent thoughts about government data:

  • Governments should use technology to provide better public services, reducing the costs of administration and bureaucracy while providing services oriented around users rather than providers.
  • It would be an intolerable erosion of civil liberties for the Government to establish a central database which holds important personal details of each citizen.

The tension between these concerns is evident.  Government could be much more effective if its different computer systems could exchange information electronically.  For example, when parents register the birth of a new child, the government could automatically confirm that they are eligible for Child Benefit by checking their residence and nationality, and then initiating electronic payments directly into their bank account. There would be no need for the parents to complete the claim form or provide further information.  The government could also adjust the parents’ income tax deductions to take account of the Children’s Tax Credit, book an appointment with a Health Visitor, and schedule the new baby’s immunizations. 

This may sound far-fetched, but it is exactly what happens in Estonia. Because each individual in Estonia has a unique identifier which is used by every government system, an interaction with any government agency can trigger appropriate responses by other government systems.

The role of information matching in government

A very large proportion of government employees are engaged in collecting and matching information, often involving collecting the same data again and again.  Entire government agencies are devoted to tracking whether someone is entitled to a driving license, the names of voters at a particular address, or whether a person qualifies for housing benefit.   The same information is duplicated again and again across government.

Here is a list that includes 15 government services that a citizen needs to inform when they change address.  Nearly a decade ago the Cabinet Office tried to pilot a joined up government service that would enable citizens to notify government only once when they moved house.  The idea was that a single change of address system would automatically update multiple government databases. After several years, they gave up: without a unique personal identifier, there was no way reliably to ensure that the correct record in each system was being updated.

There are multiple disadvantages to the lack of joined up systems. As well as being very expensive, the duplication imposes significant costs on users of government services, who have to provide the same information repeatedly in slightly different forms; it reduces take-up of government services; and it limits the ability of government to provide services effectively. To put it emotively, Ian Huntley might not have killed Jessica Chapman and Holly Wells if government information systems had been able to share information.

Arguments against a national identity register

The present Government proposes to remedy this by introducing a National Identity Register (NIR), which will be a new database holding personal identity information and biometric data.  The NIR would contain only identity-related information: it would not include medical records, tax and benefits information or most other government records. It would, however, include a unique Identity Registration Number (IRN) which would be used as an index field for records held in other government systems.

The proposed identity register has run into considerable opposition. There are four main concerns about it:

  • the existence of unique identity numbers would make possible the creation of a massive virtual database including the national DNA Database, electronic surveillance data and phone and internet surfing records. Civil servants and secret services would be able to access and search through comprehensive files on every person resident in the UK, including current and previous jobs and addresses, tax and finances, family relationships, health, and religious or political affiliations.
  • there is a danger that comprehensive personal information could fall into the hands of third parties if there is a breach in IT security;
  • the database could be very expensive, especially given the history of government IT projects which overrun their budgets;
  • the national identity register underpins of the proposed introduction of national identity cards, which many people oppose.

A national identity register without the surveillance state

It is simple to design integrated government services while limiting the opportunities for a surveillance state.  The national identity register could sit at the centre of a distributed government computing architecture of shared security, data and message-reporting so that every government service can use common data efficiently and securely, without creating central Big Brother databases about each citizen. 

By using decentralized systems communicating by means of encrypted messages, there would be no government-wide virtual database.  For example, suppose that a local education authority wants to check whether a new teacher is on the register of people who are not allowed to work with children. The HR system at the education authority would automatically send an electronic message to the child protection register, containing an encrypted version of the identity registration number of the proposed teacher, together with the public key with which the number had been encrypted. The child protection register would check whether any of the people listed as risky in its database had identity numbers which, when similarly encrypted, matched what it had been sent, and it would warn the employer if there is a match. This would enable the employer to check if somebody is on the re
gister; but no government computer other than the employer initiating the request would have access to the identity of the proposed new employee. Hence there would be no central record of all new teachers being employed: that information would be held, as now, by decentralized HR systems of local education authorities and schools. The child protection authorities would only be able to discover the identity of the teacher if he or she is already on the register.

This is a far cry from a central database that collects information about each of us, and which enables officials to see huge quantities of information about our lives. These encrypted requests could be exchange across government with no way for the systems to build up a general picture of citizens’ lives.

Decentralized systems of this sort could actually protect rather than reduce the privacy of the citizen.  Under present arrangements, many government offices and systems have to exchange (and store copies) of information to enable them to do their jobs. With encrypted messaging, the information passing between agencies could be both more limited and fully logged and audited.

A national identity register done right

The following five principles should govern a joined up network of decentralized government databases integrated using a single personal identity registration number:

  • government systems should communicate over a common secure messaging layer by means of encrypted messages which limit and log the transfer of information between systems; in general requests made by client systems should be structured so that the request does not reveal additional information to the server systems;
  • citizens should be able to access all information held about them by government databases through a single web portal, to enable citizens to check that government-held information is accurate and to get it changed if necessary;
  • each database should log every time personal information is accessed by any government official or system; citizens should be able to see which information has been accessed, by whom and for what purpose;  an explicit court order would be needed in advance for a government agency to access personal information covertly (as it is now for telephone taps).
  • an information security auditor should be appointed as a public ombudsman to check that these principles are being implemented by all government systems.
  • the introduction of an identity register should be considered separately from the issue of national identity cards and the collection of biometric data.  In particular, the benefits of a national identity register, which may be considerable, should not be used to advocate the introduction of identity cards or the collection and storage of biometric data.

Answering the other criticisms of a national identity register

We listed above four criticisms of the national identity register. The proposals here deal with two of them: the risk of a surveillance state and the extension of the register to the introduction of national identity cards.  The other two are relatively straightforward to deal with:

  • risk of compromise
    information systems can be made secure.  Commercial banks judge that it is safe to provide online access to bank accounts, which means that secure and trusted systems can be designed to protect personal information. A decentralized set of government databases communicating by encrypted messages would be safer than data warehouses.
  • the cost and complexity
    designing a decentralized information architecture and building a national identity register is not, in itself, particularly complex and it need not be expensive.   A database containing a relatively small amount of information for 60 million people is a relatively straightforward IT project.  The complexity and cost comes in the corresponding changes to other systems that need to access the register (e.g. vehicle licensing, tax systems etc) – but this can be managed by encouraging those systems to evolve gradually as part of the normal cycle of upgrade and replacement, within a common architecture.

Conclusion

A properly designed, well regulated, decentralized architecture for government computing could provide hugely more efficient and effective services without introducing the Big Brother state that might result from the growth of common government databases.

There are five conditions for the introduction of a national identity register which would provide a high level of protection of basic liberties:

  • use of decentralized databases communicating by secure messaging;
  • guaranteed citizens’ access to all data held about them by government
  • guaranteed citizens’ access to a log of all government access to their data
  • the establishment of an independent information security ombudsman
  • no identity cards or biometric data

The Government’s case for the introduction of a national identity register would be hugely more persuasive if it would embrace principles such as these.  If it won’t, then one can only wonder why not.

Published by Owen Barder

Owen is Senior Fellow and Director for Europe at the Center for Global Development and a Visiting Professor in Practice at the London School of Economics. Owen was a civil servant for a quarter of a century, working in Number 10, the Treasury and the Department for International Development. Owen hosts the Development Drums podcast, and is the author Running for Fitness, the book and website. Owen is on Twitter and

Join the conversation

8 Comments

  1. Your "independent information security ombudsman" would, of course, turn out to be the spouse of a Government minister.

    Owen replies: Yes – the ombudsman is a bit of an afterthought and like you I don't have much faith in regulators as a guarantee of liberty.  The central problem is this: I think citizens should be able to see all the information about them in one place. But if the technology allows citizens to do this, then the government can too. You need something to stop them from building systems that enable them to do that.  

  2. This is excellent. I’m tired of hearing so much negativity about the proposed ID card scheme. Here, instead of simply wingeing about what’s on the table, you have proposed a much more viable alternative.

    Are there any plans to forward these ideas to the government? How can they be persuaded to consider this option?

  3. A great post. I’m not entirely clear, though, on the practical differences between what you are proposing and an indentity card. Would the police have mobile access to this database, for instance?

  4. An interesting look at the concept, and yes, I can see the advantages you highlight. But……

    How would we each have an individual "account" without a unique ID Number? And since plod and all the other "regulatory" agencies would definately want to be able to use the system (including Social Security and NHS) how would it be implemented without some sort of card? How would we know that the data visble to us, and the access logs, were the whole truth? I’ll bet the security services and police will be given "covert" access. This would be reasonable, given the nature of their task, but on the grounds that government always tries to expand doubtless the "covert" access will gradually spread to other agencies? How long before your data is covertly accessible to the Inland Revenue or NHS on some sort of "security" or "anti fraud" excuse?

    Secondly, banks and other commercial institutions have a vested interest in getting working systems at roughly the price budgetted. Government has no such qualms, simply by being able to squeeze more money from the electors, borrow more (and hence squeezing the electors in the future) or even, in the last resort, printing more money (yes, I know it’s inflationary, but it’s been done in the past and just because that was a disaster doesn’t mean some bunch of cretins won’t try it in the future).

    Thirdly, banks, or rather their clients, do suffer from various types of fraud linked to the false use of identities etc. You, I and a lot of the people who use the internet are moderately computer savvy and probably know to hide our details, change passwords frequently, shred credit card receipts etc etc. But we are a relatively small subset of the general population.

    Finally,  your acknowledgment that an ombudsman would be needed kind of presupposes that abuses will occur. And since the abuses will have to happen before anyone notices, that kind of presupposes that people will suffer hardship from this scheme. Maybe, after much investigation and many hearings, such hardships will be compensated for, but I wouldn’t trust the government, any government, to really make good in the true sense of the word.

    I realise that I may sound unduly paranoid and negative, but I think that the whole idea of national databases, whether central or dispersed, provides far too many opportunities for ordinary people to suffer some for of hardship to balance the advantages, which could be acheived by other, less intrusive means. Quite frankly I’d rather not give the buggers (of any party) the opportunity to create the potential mayhem that this system will probably cause.

    RM

  5. I appreciate Owen’s attempt to turn the world’s most intrusive mass-surveillance system on citizens into a good idea.  But he obviously still doesn’t understand the threat posed by a central index of unique identifiers aka numbering people.

    In your proposal, while the Govt has a choice to not build up a surveillance dossier on all of us, we don’t have the choice to prevent the Govt from doing so.

    Nor can we prevent MI5 etc from accessing our surveillance dossier, or even prove that they haven’t.

    As far as alternative systems, the LSE offered one and look how they were attacked by the Govt.

    If the Govt are so certain biometrics work, why don’t they simply take the biometrics of offenders and leave the rest of us alone?

    If they want to save us time in registering with different departments, why don’t they provide open-source software that we own and control which contacts Govt departments with minimum data in an unpredicatable way?

    I have been a campaigner for No2ID for 14 months.  At every point where we offered them less intrusive and cheaper alternatives, they denied us a voice where they could and persecuted us where they couldn’t.  This Govt have absolutely no intention of protecting our privacy, our freedom of speech or even our democracy.  They are dead set on creating the nightmare that Orwell predicted, thus making this debate pointless.

    I guarantee you that you will not get the Govt to listen.

  6. Your single identifier sounds like it would end up pretty much like the US SSN – in principle just an identifier, in practice used as a means of authentication by absolutely everyone, leading to huge problems with identity theft.

    If I walk up to you and identify myself as ID #13714199862 in your scheme, how can i provide authentication?

  7. Good points. It’s almost like big brother. The main problem is that people don’t trust governments. One thing is certain, we need to have a better system than now, especially online. Starting with a single identity for everything is probably too much but having a single identity online is an easier task. The UK based company iamdentity Ltd has taken this idea to practice by providing online users with a single identity that can be used across the Internet.

    It’s not only safer but also more convenient. If you move, you only need to update your information in one place and that’s it. The next time you log into an iamdentity enabled web site your details are automatically updated. You can even control who receives what data.

    Isn’t it time that there’s a proactive approach to these problems? Have a look at http://www.iamdentity.com and decide for yourself.

Leave a comment

Your email address will not be published. Required fields are marked *