... inspired by a discussion with a stranger in a queue, who somehow helped me to concentrate the gist into 1000 words, which I expand here slightly, in order to make a readable essay.
Executive Summary
- Entitlement cards are open to abuse, as not having an entitlement card must mean that the (non)bearer should be issued with one!
- Lack-of-Entitlement cards can also be "accidentally lost" when demanded, thereby promoting the (non)bearer to legitimacy, simply by not having something saying otherwise.
- Compulsory ID cards for all are simply not workable, even on a population of 60 million; in practice, we would need to ID the entire world for the system to work as advertised.
- Even then, we would not know anything about the people we were tracking, merely that they appear to have done certain things (flown here, had surgery there, educated somewhere else, etc.).
- Since the Passport Agency wrongly issued 10,000 passports to fraudulent applicants in the past year [BBC], we need not worry about the possibility of forgery - the Government will provide legitimate documentation to 60% of applicants!
Introduction
For any discussion on ID cards to work, we must assume that we are somehow in a position to judge and grade other members of our society (and, indeed, of our species, though hailing from other societies, customs and civilisations). This is not a precondition which I personally accept, but the entire premise of ID cards is that people will be judged on their "identity", which will determine how they are treated by our society. The nature of the question leads to certain "requirements" which may not necessarily fit with the views of some people who see themselves as citizens of a civilised, democratic society. I do not apologise for discussing what is necessary to meet those requirements. The requirements are implied by the question. That does not mean that I share the views stated as requirements in the following discussion.
Scenario One: Entitlement
When the Labour Government first aired the idea of ID cards, David Blunkett suggested "entitlement" as a "selling point" - a "Benefit Card" proving the bearer's entitlement to a certain benefit.
That is not the "easy win" that it might at first appear to be. It is still subject to theft, forgery, etc.
However, its absence must also have meaning... If I hold a card proving my entitlement to (say) Job Seeker's Allowance (JSA), then the fact that I do not hold a card, must mean that I am not already claiming JSA, and so - if I can show that I am available for work, perhaps by turning up at a JobCentre at a certain date/time, and do not have a benefit card, then I must be entitled to the benefit, and so am issued a benefit card.
The fact that I left my other benefit card at home is not something that I would necessarily disclose to the JobCentre.
I now have two "Benefit Cards." Zero gain for the Benefits agency, Government, or society. The benefit cheat has a slightly new twist on existing exploitable flaws in the system. Presumably, in both the current and proposed cheat scenarios, access to a second postal address would be useful; no difference in the threat level, either with or without an entitlement card.
Biometrics in Entitlement Cards
If we added some kind of "biometrics" to the system, then - other than the cost of adding (say) fingerprint scanners / readers to every benefits office - we would also need some method of change control with accountability. FUD (Fear, Uncertainty and Doubt) may also deter the casual fraudulent claimant, though in practice - even if there were two identical records on file under different names - it would be difficult to detect and harder still to prove.
The consequences of getting a false positive (that is, if Mr. Jones and Ms. Smith are both genuine claimants, with similar-seeming fingerprints) are severe: one or the other (maybe even both), if flagged as fraudulent claimants, being amongst the poorest of society and dependent upon those benefits, risk having those benefits withdrawn, and already-paid benefits redacted... just because we can't devise a system which can conclusively determine that a given print belongs to Mr. Jones, and only Mr. Jones. The consequences are severe; the likelihood, on an 8-billion-person planet, is high.
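The false-positive risk described above can be put in numbers. This is an added example, not part of the original essay: the two population figures are the essay's, while the false match rates (FMR) and the assumption that comparisons are independent are illustrative assumptions.

```python
import math

# Populations taken from the essay; the false match rates (FMR) below are
# assumptions chosen for illustration, not measured figures.
UK_POPULATION = 60_000_000
WORLD_POPULATION = 8_000_000_000


def p_false_match(fmr: float, enrolled: int) -> float:
    """Probability that one genuine new claimant falsely matches at least
    one of `enrolled` existing records in a 1:N duplicate check,
    assuming independent comparisons: 1 - (1 - fmr)^enrolled."""
    # log1p/expm1 keep precision when fmr is tiny and enrolled is huge.
    return -math.expm1(enrolled * math.log1p(-fmr))


def expected_false_pairs(fmr: float, population: int) -> float:
    """Expected number of pairs of distinct people flagged as the same
    person when every record is compared against every other record."""
    return fmr * population * (population - 1) / 2


def fmr_needed(population: int, max_false_pairs: float = 1.0) -> float:
    """Largest FMR that keeps the expected false pairs at or below the target."""
    return max_false_pairs * 2 / (population * (population - 1))


def report(fmr_values=(1e-6, 1e-9, 1e-12)):
    """One row per (population, assumed FMR) combination."""
    rows = []
    for name, n in (("UK", UK_POPULATION), ("World", WORLD_POPULATION)):
        for fmr in fmr_values:
            rows.append((name, fmr, p_false_match(fmr, n),
                         expected_false_pairs(fmr, n)))
    return rows


if __name__ == "__main__":
    for name, fmr, p, pairs in report():
        print(f"{name:5} FMR={fmr:.0e}  P(new claimant flagged)={p:.6f}  "
              f"expected false pairs={pairs:.3e}")
    print(f"FMR needed for <=1 false pair in UK: {fmr_needed(UK_POPULATION):.2e}")
```

Because the number of pairs grows with the square of the population, even an assumed one-in-a-billion false match rate leaves genuine claimants flagged as duplicates at national scale.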
Active attacks on such a system bring their own problems; given the level of the technology available at the local level, and the staff training available, it should be easy enough to convince "the system" that the prints I am providing today, are absolutely unrelated to those which I provided yesterday, in a different office.
Scenario Two: Lack-of-Entitlement
If certain "undesirables" (however defined by the current mood: common criminals, sex offenders, foreign users of the NHS, asylum seekers, etc) are required to hold an identity card, whilst "innocent" members of the public are not so burdened, then simply not holding such an ID card makes the (non)bearer automatically legitimate.
We could add draconian laws saying that the Police have the power to detain anybody for no reason whatsoever, whilst a thorough check is carried out to check if the person really is (or is not) an undesirable. However, the "innocent public" would be forced to accept the possibility of being locked up at any time, for no reason, simply for being innocent (and therefore not having a lack-of-entitlement card showing their lower status). There could be no comeback for this; no "unfair imprisonment" or "unreasonable arrest" charges, else the system would not be able to work at all. That is one price that "decent folk" must pay, if this approach is to be followed.
Such powers may need to be extended beyond the Police (and Army); if we want to make sure that Eastern-Europeans do not "take advantage" of our National Health Service (NHS), for example; front-line NHS delivery staff must also be empowered (and required) to refuse to provide essential services to anyone failing to prove their right to that service, even at the risk of the health (or even the life?) of the (non-)patient.
The same must be extended to all other state services, and those who provide them. Teachers cannot be expected to assess which of their students are entitled to an education; their raison d'être is to educate. Can they be asked to deny their skills to a person, any more than a paramedic, nurse or doctor can be asked to refuse to use their skills to help a person in need of them?
We would need some agency to determine, for the service providers, who is, and who is not, entitled to certain state services. It is not for the Teacher, the Nurse, the Refuse-Collector, to decide who is entitled to services, and who belongs to the lower stratum of society.
I have not heard who will provide the definitive answers about the classification of the two (or greater?) tier society which ID cards, in their nature, must enforce.
Lest there be any confusion on this matter; this must, by definition, be a split society, whether it is split between the haves and the have-nots, or upon some other condition. In a global community, we can not rest having split the UK citizenship into one category or the other, but we must also deal with the other 8 billion people with whom we share the planet. We cannot categorise them (we cannot even categorise our own population, as has been seen above). We simply have no idea who they are.
Scenario Three: Proof of Identity
If we can't prove that someone is "worthy" or "unworthy" we must resort to simply proving that they are who they are.
To do this, we must know who they are. Because, as we have seen, whether it's in the holder's interest to hold, or not to hold, the ID, the system can still be widely abused, we must somehow change the state of the person themselves. Currently, the most obvious technology would be to implant them with some kind of RF-ID chip.
However, to be truly sure that the person is who their RFID chip says they are (and assuming that the ID chip itself cannot be tampered with in any way, and that this assumption will remain provably true throughout the person's life, quite possibly over a century), you must be there at the time of birth, and implant them without having lost sight of the baby from the moment of its birth.
Of course, you should also be sure of the identity of the mother - after all, if she gives birth to two children under two different assumed identities (of her own), then you will not know that these two children are related to each other, so you will not really know their true identities.
The data would all need to be stored by trusted computer systems, provably unhacked and unhackable, operated by provably trustworthy (incorruptible, unthreatable, unbribable, etc) workers and vendors, over the course not just of operating the system, but of the many technical upgrades which would be inevitable over the course of each citizen's life. If the world's oldest person is 117, then they were born in 1890. If a person born today, in the year 2114 becomes the world's oldest person (unlikely, as medical advances continue), then their data will have travelled with them through their lifetime. Could our forefathers in 1890 have devised, and continuously operated, a provably secure system for retaining all that data for over 100 years? Can we, now?
If this would work from the technical side of things, and you explicitly trust all midwives (or have trusted civil servants present at all births (including those at home, those at the roadside on the way to hospital, etc etc), who can be entirely trusted to never weaken to any form of corruption, blackmail, threats, etc), then you might have a workable system whereby you know that the person who was born there and then, later went on to do certain other things. You would also be confident that the person who did thing X is not the person who did thing Y.
You would also have a totalitarian Big Brother state, not in the "screaming tabloid" sense of the phrase, but a real, state-controlled existence, unlike anything seen in Soviet Russia or elsewhere, at any time in history.
This would still tell you nothing about whether a person was "good" or "bad" (however you would define such a thing), only that you believe that they have done thing X in the past, and that they are not the person who did thing Y in the past (though of course, they could have done thing Y without being the person who you know did thing Y!)
Our Current Record
Passports
The UK passport office estimates that it issued ten thousand genuine passports in the last 12 months to fraudulent applicants. For an ID card system to be secure, it must issue no such false documentation in a person's lifetime. A single wrongly-issued document would be a catastrophic failure of the system, as it will be inherently and absolutely trusted to be accurate. So, if you live to be 100 years, the system will need to be 12x100 = 12,000 times better than the current passport system. The passport system, of course, being related to national and international travel, is already treated far more carefully than the benefits system.
National Health Service
The NHS NPfIT programme was going to be based on a system of secured trust access; so that you give permission to your GP to access your records, who can then pass on that trust to a specialist when you get referred to them, and so on.
However, it adds far too much complexity, and fails to deliver on the claims made for the system: that it will provide immediate access to key information (web.archive.org cache; local copy taken 16th Feb 2011 from web.archive.org's most recent copy, Jul 27 2007), access to records when the patient is unable to give consent, and so on. The alternative is that anyone who can log on to the system at all can access anybody else's records - their neighbours, their friends, even total strangers.
Otherwise, how would the system work at all?! This question has not been fully answered yet, because there is an inherent contradiction between the absolute privacy which we have been promised, and the utility which the NHS has been promised.
A workshop about these records raised doubts about nearly all of the claimed benefits and security features of the new system.
Oh, and did you know that there will be a Sealed Envelope on your health record, which you will not be allowed to access? I didn't, until now. ("Occasionally, a care professional may feel that it is not in a patient’s best interests to see certain information", and slide 5 of the PowerPoint: "clinicians can withhold limited information from patients")