national identity cards

purpose

fears relating to terrorism and illegal immigration, and the growing problems of identity theft and fraud have induced several countries’ governments to propose national identity card schemes, most recently the US, UK, Japan and France.

identity cards are nothing new: in developed countries most people own numerous identity documents: passport, driving licence, bank cards, library card, entry cards for school, office or sports club, and so on. a national identity card is primarily used to identify people to government agencies, in particular immigration, social/welfare and health departments.

proposed schemes

most proposed schemes centre around a national identity register, containing key details about each resident and the identity numbers allocated by government departments, encapsulating in one record an individual’s entire relationship with the state. each presentation of an identity card involves contact being made with the central register to verify identity (typically with a biometric signature) and retrieve an identity number (which can then be used to retrieve records held by that particular government agency).

there are three main grounds for serious concern with such schemes:

technically flawed

the risk of failure of a centralised system is high.
the tolerable level of risk of failure, sabotage and snooping is virtually zero.
the costs of commissioning and maintaining such large scale systems rise exponentially as the risks are reduced towards zero.

civil liberties infringed

large numbers of civil servants at many levels will have access to the national identity register on an ongoing basis.
safeguards to ensure that information is only released on a need-to-know basis may be flawed, circumvented illegally, or deliberately removed for misguided reasons.
it is a golden principal of civil liberties that nobody in a position of power should know more about an individual than necessary to do their job.
if you have nothing to hide, why worry? because, even in a stable country run by a benign government, there are people at all levels of power who are prejudiced, indiscreet, vindictive or paranoid; and because anyone may become a victim of injustice.

unnecessary

the data stored in the central register could just as well be stored on the card itself.
all information on the card could be encrypted in such a way as to make it tamper-proof and updatable only by authorised agencies.

the alternative

do away with a central identify register, and you can have a safe, robust solution that does not infringe civil liberties. chip-and-PIN cards do not use a central database: that’s why stand-along card readers, issued by many banks, do not need to be connected to the Internet (whereas chip-and-pin terminals do, because they need to communicate with the card holder’s bank to check that the card is not stolen and that there are sufficient funds).

simple cryptographic techniques make all of this possible: an individual’s signatures (which can range from a PIN to a photograph of the person’s retina) can be encoded (‘hashed’) in such a way that the the actual signature can never be retrieved. this creates a unique ‘signature hash’. external identifiers (such as a National Insurance number) are encrypted using the signature hash as a key, and can only be decrypted with the same key. since the encryption hash is never stored (and does not contain anything that can link it back to an individual), it must be created afresh from the individual’s actual signature every time an external identifier needs to be retrieved.

all that is required is a framework of standards defining how an individual’s unique signatures are generated and verified; and how those signatures may be used to secure third party data. if a government or, better, an independent standards organisation, defines and publishes open standards, then any government or private body could issue a universal identity card, which any other body could use to store and retrieve identity information. every application would be completely independent of all others, and could employ the most appropriate type of signature (from a PIN to multi-factor biometrics), balancing security with equipment costs.

specification requirements

the technical and procedural framework for storing, updating, and retrieving data from an identity card should be published as an open standard.
the standard must allow for different levels or combinations of identity verification to be used by different bodies depending on the risks entailed by misidentification.
the standard should allow for verification by PIN or password entry (since biometric verification will not be possible or cost-effective in all situations).
the standard must allow for remote identity verification, for instance over the the Internet.
the standard must allow for the technology used to verify identity and encrypt data to be changed over time (as more reliable systems are developed).
all information on the card must be encrypted in such a way as to make it tamper-proof.
an individual’s biometric signature must normally be stored only on the individual’s card. (temporary exceptions would apply for criminal investigations and medical emergencies, and permanent exceptions for certain classes of convicted criminals and those with impaired mental function.)
any public or private body should be able to store its own identity number for an individual on his or her identity card, allowing it to be used in place of other identity cards.
it must be possible to make a backup or copy of an identity card with minimal difficulty.
the card should be able to hold critical medical details (e.g. blood group, severe allergies, organ donation preferences) and emergency contact details if desired by the holder.

contributors

Edward Leigh