Monday 24 December 2007, by Lodge Juliet
ARE you who you say you are? Biometric identity cards are designed to prove your claim. But they are only part of the answer. And they are also part of the bigger problem of e-government, as both the Alistair Darling fiasco and numerous other examples of the Government losing important records show.
The loss of 25 million personal details was an accident waiting to happen. It illustrates four key problems of using computer-based administration for public policy purposes.
First is the problem of declining public trust in the political claims made to justify ever-more online administration of public and commercial services.
More technology is equated with «greener» paper-less transactions. The lure of a technological quick fix to boost efficiency and security for government and citizens is dangerously easy to sell and equally easy to roll out. The challenge to liberty is ignored at our peril.
Second is the organisational problem of using the new technology. Discounts persuade us to register and pay online for goods and services, like motor and TV licences. But who keeps our records, how are they stored securely and where they are actually administered? Out-sourcing all manner of information is common. Call centres around the world handle our data, from telephone companies to banks. But in which country is our personal information held and subject to what rules on data protection, privacy and accountability?
Third is the problem of the day-to-day storage and retrieval of our personal information. Who is allowed access to it and for what purposes? Can we limit access to it? Or is it open to anyone for «staff training» or legal «law enforcement» purposes?
Fourth, what can we do if incorrect information is held about us? Is it easy to find out and get it changed? What if our identities have been misappropriated, «shared» with others, changed or corrupted by a typing mistake?
All the data protection and privacy legislation in the world is useless in the face of casual disregard of the imperative principles of data minimisation and purpose limitation, weak PINs rather than biometric or other encryption, and sloppy procedures.
Governments create data banks and exchange information about us among civil service departments. While mistakes do happen, there is no excuse for the private and public sectors failing to insist on the highest possible levels of security for the protection of our information.
Banks and the financial sector are alert to the problems of insider fraud, to the need for vetting and training their personnel and for «baking-in» security into their computer systems to make them as robust as possible from insider and outsider intrusion and attack.
Biometric identifiers in passports and ID cards have their place in authenticating the claimed identity of people crossing borders, and in combating visa-hopping and fraud. Holders of biometric passports travelling to the Algarve are familiar with how this works: their passport photo is scanned and matched against their real face.
Do people comply with these sort of efficiency gains often because they have no choice or out of ignorance (as they do not think about the consequences) or because personal convenience matters more to them that protecting their privacy?
People have been verichipped like animals in Barcelona bars in order to get their drinks faster. Payment and registration by fingerprint recognition is growing in Germany, and in English schools.
All cut the risk of identity fraud. This is a very different proposition to that of storing personal information that can be accessed and used for many different purposes by many different agencies without our express consent or knowledge.
How many people check with whom their local councils «share» information, whether with companies checking our council tax records or other credentials?
What should be done? The Government needs to review how our personal data is held and exchanged among the private and public sector. Quality codes of practice for managing it are useless in the absence of robust requirements on system integrity.
E-government requires a complete review of how and by whom we are governed. Automated information exchange by any agency is not neutral in its impact.
The absence of joined-up thinking about the underlying scientific, technological and politico-legal assumptions of using technology for public and private sector purposes challenges us to rethink not only the introduction of IDcards but how we define ourselves, and how we visualise, value and protect our liberty and security.
Juliet Lodge is a professor in the Institute of Communication Studies at the University of Leeds, director of research on e-governance, and author of Are You Who You Say You Are?, a new book on biometrics.