A national identity register of unique personal identifiers could make a significant contribution to improving government services. We could introduce such a register without allowing the establishment of a surveillance state.
The following five conditions would help to protect our liberties:
- government data should be stored in decentralized databases, not in shared data warehouses;
- citizens should have access to all data held about them by government;
- citizens should be able to see a log of all government access to their data;
- an independent information security ombudsman should police the systems;
- there should be no identity cards and no collection of biometric data.
If all these protections were put in place, I would welcome a national identity register. If the Government will not implement any of them, I should like to know why not.
The benefits of unique personal identifiers
Many bloggers and other tech-savvy folk hold two apparently inconsistent thoughts about government data:
- Governments should use technology to provide better public services, reducing the costs of administration and bureaucracy while providing services oriented around users rather than providers.
- It would be an intolerable erosion of civil liberties for the Government to establish a central database which holds important personal details of each citizen.
The tension between these concerns is evident. Government could be much more effective if its different computer systems could exchange information electronically. For example, when parents register the birth of a new child, the government could automatically confirm that they are eligible for Child Benefit by checking their residence and nationality, and then initiating electronic payments directly into their bank account. There would be no need for the parents to complete the claim form or provide further information. The government could also adjust the parents’ income tax deductions to take account of the Children’s Tax Credit, book an appointment with a Health Visitor, and schedule the new baby’s immunizations.
This may sound far-fetched, but it is exactly what happens in Estonia. Because each individual in Estonia has a unique identifier which is used by every government system, an interaction with any government agency can trigger appropriate responses by other government systems.
The role of information matching in government
A very large proportion of government employees are engaged in collecting and matching information, often involving collecting the same data again and again. Entire government agencies are devoted to tracking whether someone is entitled to a driving license, the names of voters at a particular address, or whether a person qualifies for housing benefit. The same information is duplicated again and again across government.
Here is a list that includes 15 government services that a citizen needs to inform when they change address. Nearly a decade ago the Cabinet Office tried to pilot a joined up government service that would enable citizens to notify government only once when they moved house. The idea was that a single change of address system would automatically update multiple government databases. After several years, they gave up: without a unique personal identifier, there was no way reliably to ensure that the correct record in each system was being updated.
There are multiple disadvantages to the lack of joined up systems. As well as being very expensive, the duplication imposes significant costs on users of government services, who have to provide the same information repeatedly in slightly different forms; it reduces take-up of government services; and it limits the ability of government to provide services effectively. To put it emotively, Ian Huntley might not have killed Jessica Chapman and Holly Wells if government information systems had been able to share information.
Arguments against a national identity register
The present Government proposes to remedy this by introducing a National Identity Register (NIR), which will be a new database holding personal identity information and biometric data. The NIR would contain only identity-related information: it would not include medical records, tax and benefits information or most other government records. It would, however, include a unique Identity Registration Number (IRN) which would be used as an index field for records held in other government systems.
The proposed identity register has run into considerable opposition. There are four main concerns about it:
- the existence of unique identity numbers would make possible the creation of a massive virtual database including the national DNA Database, electronic surveillance data and phone and internet surfing records. Civil servants and secret services would be able to access and search through comprehensive files on every person resident in the UK, including current and previous jobs and addresses, tax and finances, family relationships, health, and religious or political affiliations.
- there is a danger that comprehensive personal information could fall into the hands of third parties if there is a breach in IT security;
- the database could be very expensive, especially given the history of government IT projects which overrun their budgets;
- the national identity register underpins the proposed introduction of national identity cards, which many people oppose.
A national identity register without the surveillance state
It is simple to design integrated government services while limiting the opportunities for a surveillance state. The national identity register could sit at the centre of a distributed government computing architecture of shared security, data and message-reporting so that every government service can use common data efficiently and securely, without creating central Big Brother databases about each citizen.
By using decentralized systems communicating by means of encrypted messages, there would be no government-wide virtual database. For example, suppose that a local education authority wants to check whether a new teacher is on the register of people who are not allowed to work with children. The HR system at the education authority would automatically send an electronic message to the child protection register, containing an encrypted version of the identity registration number of the proposed teacher, together with the public key with which the number had been encrypted. The child protection register would check whether any of the people listed as risky in its database had identity numbers which, when similarly encrypted, matched what it had been sent, and it would warn the employer if there is a match. This would enable the employer to check if somebody is on the register; but no government computer other than the employer initiating the request would have access to the identity of the proposed new employee. Hence there would be no central record of all new teachers being employed: that information would be held, as now, by decentralized HR systems of local education authorities and schools. The child protection authorities would only be able to discover the identity of the teacher if he or she is already on the register.
One caveat on the matching step. For the register to recognise a match by encrypting its own entries "similarly", the encryption has to be deterministic, and then the same trick works in reverse: there are only a few tens of millions of identity numbers, so any system holding the encrypted number and the public key could encrypt every possible number and read off the one that matches. A matching scheme that honours the privacy claim has to do two things: blind the query with a random value known only to the requester, so the register cannot enumerate it, and key the register's side of the comparison with a secret the requester never sees, so the requester cannot enumerate the register's list in turn.
This is a far cry from a central database that collects information about each of us, and which enables officials to see huge quantities of information about our lives. These encrypted requests could be exchanged across government with no way for the systems to build up a general picture of citizens' lives.
Decentralized systems of this sort could actually protect rather than reduce the privacy of the citizen. Under present arrangements, many government offices and systems have to exchange (and store copies of) information to enable them to do their jobs. With encrypted messaging, the information passing between agencies could be both more limited and fully logged and audited.
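The teacher-vetting exchange above, as an added example that is not part of the original post. Instead of deterministic public-key encryption, the employer blinds the hashed identity number with a fresh random value before sending it, and the register applies a long-term secret of its own; neither side can therefore run through the whole number space. The curve constants are the standard secp256k1 parameters; the class and function names, the message layout and every identity number are constructed for illustration and are not from any real system.

```python
"""Blinded barred-list lookup (added illustration, not the original post's
design). A Diffie-Hellman style oblivious PRF on secp256k1, stdlib only.

  employer : sends   r * H(irn)          r = fresh random blind
  register : returns k * r * H(irn)      k = register's long-term secret
             and publishes its list as { k * H(id) : id barred }
  employer : multiplies by r^-1 to get k * H(irn), compares locally

The register only ever sees r*H(irn), uniformly random to it, so it cannot
try all ~60 million numbers; the employer never sees k, so it cannot
enumerate the barred list from the published points.
"""
import hashlib
import secrets

# secp256k1 field prime and group order (standard constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (written for clarity, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def hash_to_curve(irn):
    """Try-and-increment hash of an identity number to a point with unknown
    discrete log. Mapping via h(irn)*G instead would let a party that learns
    one PRF output recover k*G and evaluate the PRF on every candidate."""
    for ctr in range(256):
        digest = hashlib.sha256(f"NIR-lookup|{irn}|{ctr}".encode()).digest()
        x = int.from_bytes(digest, "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)        # square-root candidate; P % 4 == 3
        if y * y % P == rhs:
            return x, y
    raise ValueError("hash_to_curve: no point found")


class Register:
    """Child-protection register (hypothetical). Holds the barred list and a
    secret scalar k that never leaves it."""

    def __init__(self, barred_irns):
        self._k = secrets.randbelow(N - 1) + 1
        # Computed once and published: reveals the list's size, not its members.
        self.published = {_mul(self._k, hash_to_curve(i)) for i in barred_irns}

    def evaluate(self, blinded_point):
        """Sees only r*H(irn); returns k*r*H(irn)."""
        return _mul(self._k, blinded_point)


def check_barred(register, irn):
    """Employer side: blind, query, unblind, compare. True on a match."""
    r = secrets.randbelow(N - 1) + 1
    query = _mul(r, hash_to_curve(irn))        # the only thing that leaves the employer
    answer = register.evaluate(query)          # k*r*H(irn)
    unblinded = _mul(pow(r, -1, N), answer)    # k*H(irn)
    return unblinded in register.published


# --- why the deterministic variant in the text is not enough --------------

def deterministic_tag(irn):
    """Stand-in for 'encrypt the number deterministically under a public key'."""
    return hashlib.sha256(f"NIR-det|{irn}".encode()).hexdigest()


def recover_by_enumeration(tag, population):
    """Anyone holding the tag and the key can simply try every number."""
    for irn in population:
        if deterministic_tag(irn) == tag:
            return irn
    return None


if __name__ == "__main__":
    reg = Register(["1984-0001-7", "1990-2222-4"])      # constructed sample data
    print(check_barred(reg, "1984-0001-7"))              # True
    print(check_barred(reg, "2001-5555-3"))              # False
    everyone = [f"{i:08d}" for i in range(10_000)]       # toy stand-in for the population
    print(recover_by_enumeration(deterministic_tag("00000421"), everyone))  # 00000421
```

Two design notes. The register's published list is computed once and can be redistributed as the list changes; the employer learns how many entries it has and nothing else, and the register learns nothing at all about who was checked unless the employer reports a hit back, which a safeguarding process would require. The try-and-increment hash-to-curve is the part that is easy to get wrong: a tempting shortcut of hashing the number to a scalar and multiplying the base point would let an employer who knows its own query recover the register's secret point and enumerate the whole barred list.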
A national identity register done right
The following five principles should govern a joined up network of decentralized government databases integrated using a single personal identity registration number:
- government systems should communicate over a common secure messaging layer by means of encrypted messages which limit and log the transfer of information between systems; in general requests made by client systems should be structured so that the request does not reveal additional information to the server systems;
- citizens should be able to access all information held about them by government databases through a single web portal, to enable citizens to check that government-held information is accurate and to get it changed if necessary;
- each database should log every time personal information is accessed by any government official or system; citizens should be able to see which information has been accessed, by whom and for what purpose; an explicit court order would be needed in advance for a government agency to access personal information covertly (as it is now for telephone taps);
- an information security auditor should be appointed as a public ombudsman to check that these principles are being implemented by all government systems;
- the introduction of an identity register should be considered separately from the issue of national identity cards and the collection of biometric data. In particular, the benefits of a national identity register, which may be considerable, should not be used to advocate the introduction of identity cards or the collection and storage of biometric data.
Answering the other criticisms of a national identity register
We listed above four criticisms of the national identity register. The proposals here deal with two of them: the risk of a surveillance state and the extension of the register to the introduction of national identity cards. The other two are relatively straightforward to deal with:
- risk of compromise
Information systems can be made acceptably secure: commercial banks judge it safe to offer online access to bank accounts, so secure and trusted systems for personal information can be designed. A decentralized set of government databases communicating by encrypted messages would also be safer than data warehouses, because a breach of one system exposes only that system's data rather than a consolidated copy of everything.
- the cost and complexity
Designing a decentralized information architecture and building a national identity register is not, in itself, particularly complex, and it need not be expensive. A database containing a relatively small amount of information for 60 million people is a relatively straightforward IT project. The complexity and cost come in the corresponding changes to other systems that need to access the register (e.g. vehicle licensing, tax systems etc.), but this can be managed by encouraging those systems to evolve gradually as part of the normal cycle of upgrade and replacement, within a common architecture.
A properly designed, well regulated, decentralized architecture for government computing could provide hugely more efficient and effective services without introducing the Big Brother state that might result from the growth of common government databases.
There are five conditions for the introduction of a national identity register which would provide a high level of protection of basic liberties:
- use of decentralized databases communicating by secure messaging;
- guaranteed citizens' access to all data held about them by government;
- guaranteed citizens' access to a log of all government access to their data;
- the establishment of an independent information security ombudsman;
- no identity cards or biometric data.
The Government’s case for the introduction of a national identity register would be hugely more persuasive if it would embrace principles such as these. If it won’t, then one can only wonder why not.