Wednesday 22 April 2009, by Lodge Juliet, Sprokkereef Annemarie
Introduction
The use of biometric identifiers for ICT enabled public policy purposes poses particular problems in the UK. This paper shows how claimsmaking regarding biometrics is mired in discourses of (in)security. These challenge the essence of the credibility, justness and democratic legitimacy of policymakers, and trust in the authority and values of the political system itself.
In order to better understand this, this paper takes the example of the advocacy and use of biometrics by government in the UK to show that the transparency and openness which the British government claimed was an advantage of ICT roll-out have been a double-edged sword in a state where political discourse reflects (in)security.
The paper first discusses why biometric identifiers are problematic in the UK. It then examines some of the biometric applications and their purposes, making particular reference to the ECHR’s landmark ruling on fingerprint retention before examining e-passports and identity in the UK.
eGovernment and transparency
An under-estimated effect of egovernment, it has been argued, is that it has increased the scrutability of government and administration by parliamentary bodies and rendered their activities more transparent and potentially open to legal challenge. Enhanced transparency and accountability to parliament is assumed to ensue with the implication that greater legitimacy is inherent in government policies that are implemented. But this effect is a side-effect rather than a core objective of government administration of its business using ICTs. More data are easily recorded and new venues opened for tracking, exchanging, challenging or correcting the data and calling government to account. However, this business process management approach to the use of ICTs for government service delivery takes government out of context. It separates administrative and bureaucratic information collection from both the administrative cultures within which information is collected by government departments, and from the political culture of the state. Consequently, it risks overlooking the impact the use of ICTs can have on the organisation of government business at a broader level, the potential impact of how it is used on society, political values and norms, and on the communication of the core business of government vis-a-vis the citizen.
The claims-making surrounding government investment in ICTs for political purposes (from mundane administration of civil purpose forms, such as television licences, road tax, birth certificates, etc to border control purposes, such as visa enrolment, travel documentation, passports, etc) is critical to understanding the credibility of the claims made, their acceptability as legitimate and believable and the consequent trust, distrust or mistrust that citizens then have in the democratic legitimacy and justness of both the data collection and the purposes for which they are held, used and by whom. ICTs’ transformational impact on government and society goes far beyond the mere administrative demands of bureaucracy. It affects the operation of government through the construction of public-private partnerships, some of which are partially outsourced in cyber-space; and crucially it impacts on practices of democratic accountability and the justiciability of government decisions and legislation. Moreover, the British example – when compared to that of Austria and Finland – shows how claimsmaking mired in discourses of (in)security challenges the essence of the credibility, justness and democratic legitimacy of policymakers and trust in the authority and values of the political system itself.
Biometric IDs and (in)security
Using biometrics in egovernment applications and notably the fact that information can be linked up from different sources adds a veil of (in)security to an application designed to convince the citizen as to its added-value for security. The use of biometric identification for all manner of purposes, starting with passports and visas, makes the citizen transparent (traceable) for the government regardless of whether or not the affirmed purpose is surveillance and tracking. It shows that the British government’s claims in respect of its establishment of a National Identity Register (NIR) are far from credible or trusted by citizens. The NIR is intended to use biometrics as an element in identity management and become the main instrument for effective and reliable identification and authentication of the identity of all residents in the UK.
Although the use of fingerprints goes back centuries, the automated identification of people through the use of their bodily characteristics or behavioural traits is a relatively recent phenomenon. Modern generation biometrics were born in the UK. British mathematician Alan Turing, a breaker of German codes at Bletchley Park in 1943, started work on the development of an automatic machine that would be able to identify people over the telephone by their voice prints. This was the basic idea behind what is now known as speaker identification or voice biometrics.
There are many different definitions of ‘biometrics’, most of which refer to the measurement of physical attributes (excluding DNA), and some of which include in this the identification of behavioural patterns that result in ‘profiling’ techniques. ICTs allow human body characteristics such as fingerprints, retinas and irises, voice patterns, facial patterns, hand measurements, to be captured and used for automated identification or authentication purposes. Only in the late 1990s did biometrics start to make inroads as a technology that could be used in large scale identification or authentication systems. The terrorist attacks in the early 2000s led governments to see in biometrics a tool to identify, track and potentially exclude people with specific biometric traits, and as such to be presented to the public as essential elements in boosting the effectiveness of policies to combat international terrorism and organised crime. In the UK, where historically people had ceased after 1945 to carry identity cards, the idea of enrolling people’s biometric data for identification purposes was particularly controversial. Political opposition to identity card schemes grew and the Government began to introduce a number of measures to introduce them by stealth, including updating the facial biometric in passports by digitising it, and following EU prescriptions for biometrics including fingerprints in visas and passports. It also introduced a range of other cards serving to authenticate individual identity – new driving licences, cards to prove age for younger people wanting to go clubbing or buy alcohol, health cards, including the EU health card and automated repeat prescriptions from pharmacies, and new school records linking data from different agencies. In short, biometrics became pervasive thanks in part to ICTs.
The justifications for and the claims made in respect of introducing biometric identifiers, in far from clear, transparent or credible ways, led to a sense of biometric identification being introduced by stealth on a piecemeal basis.
In 2003, the Parliamentary Under-Secretary for the Home Office presented a list of projects likely to use biometric identifiers in response to a parliamentary question. The projects included: the first and second biometric in the British passport; biometric identifiers in the identity cards programme; UK visas biometric programme; biometric travel documents; biometric residence permit; IAFS (Immigration and Asylum Fingerprints System); e-Borders programme; PITO project to use face recognition to support FIND; LANTERN (a mobile fingerprint system) and the national DNA database. In addition, the Under-Secretary of State listed some smaller projects involving the Home Office: IDENT1, Application Registration Cards (ARC); ISRP, VIAFS, Iris Recognition Immigration System (IRIS), C-Nomis, pilot of methadone dispensing system using iris recognition at HMP Eastwood Park, and a trial of fingerprint based access control to IT systems in prisons.
In practice, automated identity recognition was soon piloted at British airports (and others in the EU) during the European football championship, often with little or no public debate. This was easy to justify as part of efforts to curb hooliganism, anti-social behaviour and crime (of which terrorism was but one example). The choice of which biometric to use for what purpose is neither value-free nor neutral in its impact. It can be determined by corporate interests, insufficient understanding by those procuring the technological applications of their strengths and weaknesses, disingenuousness as to their impact and a rush to be ‘modern’ and adopt innovative administrative processes using ICTs without sufficient risk or impact assessments.
Below, the paper examines the kind of biometrics sampled and/or stored and for which purpose.
DNA is not a biometric. DNA comparison is not an automated process allowing access to a given service or across a border in the same way that a biometric identifier is used. It is used, however, to check the probability of correspondence between person x and the DNA sample that most closely matches it held on a DNA database. DNA technology is often regarded as a biometric technology because it is an advanced technology for measuring and analysing biological data. The Under-Secretary for the Home Office referred to the national DNA database (NDNAD, Scotland has its own with different rules) as such. This database is the largest of its kind in Europe, with permissive rules that allow a high number of DNA samples and profiles to be taken and retained. It is possible in the UK to retain bodily samples and DNA profiles upon arrest for any offence, regardless of whether a charge and conviction follows. With the DNA of 940,000 people on file the UK has the most «profiled» population in the world. At the end of 2008, the number of profiles held was rising at the rate of 6,000 per week. Police are only allowed to keep DNA profiles on the national database from people who are convicted of the offence for which the sample was taken. All other samples must be destroyed. However, a Home Office Inspectorate of Constabulary report, «Under the Microscope», estimated that from 752,718 DNA profiles held at the time of their study, those of 50,000 individuals which should have been destroyed have been retained. This figure was based on a claimed non-conviction rate of 20%, although others suggest this is as high as 45%. Moreover, the UK is believed to hold the DNA of 4 million people on its database.
There have also been individual cases about illegally retained DNA samples. In 2008 a conviction for murder was quashed at the Court of Appeal following an unsound conviction on the strength of DNA evidence based on blood found on a glove. The police matched the blood to a DNA sample taken from the prisoner a year previously when he was suspected of drugs offences. At the time, he had not been charged. Nevertheless, his profile was placed in the national register. The Court affirmed the rules in Section 64 (3B) of the Police and Criminal Evidence Act 1984 which state that:
«Information derived from the sample of any person entitled to its destruction... shall not be used - (a) in evidence against the person entitled; or (b) for the purposes of any investigation of an offence. If the sample was used for purposes of an investigation then all evidence resulting from that information must be excluded».
Purpose limitation is an important principle that is being applied to ‘biometric’ identifiers. It must also be noted that earlier DNA sampling techniques were cruder and less precise than more modern ones, and that criminals have also been deliberately leaving the DNA of other people (on cigarette butts for example) at crime scenes. The courts, however, have focussed on the issue of the retention of biometric samples by alluding to the principles of purpose limitation and the need to distinguish between crime detection objectives and the right to privacy. The European Court of Human Rights, in the case S. & Marper v. the UK, took this on when the ECHR Grand Chamber (the Court) found unanimously that the retention by the police of fingerprints and DNA samples from a man and a boy arrested, but not convicted, violated their right to privacy.
The judgment provided a landmark decision setting limits to the growth of national DNA databases in general and that of the UK in particular. The case and the arguments of Mr Marper had previously been rejected by the House of Lords, which had placed the importance of crime detection above issues of data privacy.
As regards the issue of fingerprint retention, the Court made a definitive decision upon the issue of retention per se. It held that fingerprints also form unique personal data, but rather than their mere retention constituting an interference with the rights protected under Article 8, it was the fact that the fingerprints were taken in connection with a criminal investigation and retained for the purpose of crime detection that constituted the interference. This distinction may have considerable implications for the ability of European governments to retain fingerprint data without consent where it is not related to criminal investigation, assuming of course that a person knows that fingerprints have been taken (as they would when present in enrolment) rather than as a result of forensic investigations. Politicians’ ‘biometrics’ have been lifted from glasses, for example, at events.
Having established that privacy was at stake, the next question for the Court was to decide whether the retention was necessary within a democratic society. The Court was critical of the indiscriminate nature of the powers of retention, powers which are not time-limited and do not distinguish between suspected offenders on the basis of the gravity of the crime of which they are suspected. In addition, the failure to distinguish between adult and minor offenders was noted with a reminder of the need to pay special attention to the privacy needs of minors within the criminal justice system. Further, the Court noted that ethnicity could be deduced from DNA samples and restated its position that an individual’s ethnic identity falls within the meaning of privacy. In conclusion, the Court found that the balance between private and public interests had not been well met and the UK had overstepped its margin of appreciation.
Many suggest that the Court’s decision has cut the ground out from under the UK DNA database legislation, and argue that a thorough review of the UK laws and regulations seems appropriate. So does this judgment have implications beyond DNA forensics? Would there be a case to be made against country-wide biometric databases with fraud prevention or security objectives on the basis of privacy protection? A detailed analysis of the Marper Case would suggest the following criteria could play a role in determining whether the balance between private and public interests is lost and retention is no longer proportionate: (1) the indiscriminate nature of the power of retention; (2) absence of time limit; (3) absence of provision for independent review; (4) considerable risk of stigmatization; (5) insufficient protection of minors.
UK border agency and biometrics
Three other biometric schemes mentioned by the Parliamentary Under-Secretary for the Home Office are important. The three schemes concern the UK Border Agency, a shadow agency of the Home Office: the visas biometrics programme, IRIS and the ARC. The Border Agency is designed to improve the United Kingdom’s security by ensuring stronger border protection whilst simultaneously enhancing the efficiency of crossing borders for legitimate travellers and trade. The Agency brings together the work previously carried out by the Border and Immigration Agency, Customs detection work at the border from Her Majesty’s Revenue and Customs (HMRC) and UK Visa Services from the Foreign and Commonwealth Office (FCO).
Through the UK visas biometrics programme, biometric visas (including fingerprint scans) are being issued to foreign nationals who wish to enter the UK and require an entry visa. The programme covers three quarters of the world’s population and operates in 135 countries. More than one million fingerprint scans have already been completed and stored. The UK Border Agency (section visa services) manages 146 visa sections in UK embassies, high commissions and consulates. The visa operation is self-funding through the collection of visa fees, and in 2006/7 the total income from these fees was £190 million, and rising as fees rose.
All UK visa applicants, save for those benefiting from a limited number of exemptions and exceptions, are required to provide biometric data (10-digit finger scans and a digital photograph) as part of the application process. The criteria for falling within the exemptions and exceptions have not been made public, although exemptions are publicly known as being available to Heads of State. Visa applicants have to attend the nearest visa application centre in person and the visa application will not be processed until the applicant has provided the necessary biometric information. Applicants are warned not to have any decoration (such as henna), or any cuts or other markings on their fingertips before having finger scans taken. Applicants are informed that the biometric data will be stored on a central government database in the UK and checked against UK government records. Assurance is given that it will be handled in accordance with the UK’s strict data protection laws, but no mention is made of European Union arrangements for sharing data.
The claimed benefits of using biometrics for the Visa applicants are stated as contributing to: identity fraud and theft prevention; keeping visa applicants and their family safe from crime and terrorism by ‘ensuring that we can make travelling to, and being in the UK more secure’; preventing accidental mistakes in identifying visa applicants by making it easier to distinguish them from another person with the same or similar name; and expediting, in the longer term, swifter passage through automatic gates of entry at UK ports and airports.
A dual-pronged efficiency gain is implied: one for the applicant, and the other for cost-gains for bureaucracy. Faster transit through barriers is also one of the stated objectives of the UK Border Agency’s Iris Recognition Immigration System (IRIS) at UK airports such as Manchester, Birmingham, Gatwick and Heathrow. The aim of the scheme is to provide a fast, secure and convenient way for foreign and returning UK travellers to enter the UK. The IRIS system (such as that also used at Schiphol) uses a photograph of the iris pattern, converts it into a digital code and then compares it with others stored in a secure database. When it matches the captured iris pattern with the corresponding one on the database and the registration is still valid, that person can enter the United Kingdom by passing through the IRIS barrier located in the immigration arrival hall. A traveller has to take time to register as a one off first (and renew it annually, in the case of Schiphol). Once registered, a traveller entering the United Kingdom can get through border controls with the IRIS system in about 20 seconds. Figures about the number of iris scans stored are not publicly available. The system in use in Schiphol attracts those able to pay the annual fee, largely professionals and businessmen, rather than the public. It is therefore seen as potentially unjust in discriminating against those unable to afford enrolment. IRIS recognition is not as widely used as fingerprinting and IRIS recognition does not carry the stigma of being associated with criminal activity and criminal forensics that fingerprints do. Fingerprinting asylum seekers (the ‘them’ differentiated from ‘us’) has a longer history in the EU. The fingerprints of asylum seekers are recorded when they register for an Application Registration Card (ARC). This is only one aspect of a long vetting process. The issuance of the ARC has been in the hands of the UK Border Agency since April 2008.
Through EURODAC the fingerprints of asylum seekers can be checked against a European database to prevent identity fraud in general and also to make sure that asylum seekers will only be able to seek political asylum in the EU member states of arrival.
Recently, criminal law and intelligence purposes were added to Eurodac to allow access to the data to law enforcement agencies such as national police forces or Europol. The critical opinions of the European Data Protection Supervisor and of the Meijers Committee were largely ignored and the amendments adopted even though both the EDPS and Meijers had warned the proposed amendments would endanger the original purpose of Eurodac: to assist the effective implementation of the Dublin system.
Apart from the issue of purpose limitation, one of the main arguments against allowing these new purposes to be added is that access by law enforcement authorities to Eurodac data increases the likelihood of continued storage of data on asylum seekers in this database. This applies also in cases where data should have been deleted according to Articles 7, 10 and 12 of the Eurodac Regulation. According to the Meijers Committee, the current practice of Eurodac shows that it is difficult to delete the data in accordance with the rules of the Eurodac Regulation. For example, the Dutch Minister of Justice, answering parliamentary questions, had to admit that in 2007 there was still no mechanism available to guarantee that asylum seekers who obtained the status of refugee, were issued a residence permit or were naturalised would be automatically deleted from Eurodac, as provided in the Eurodac Regulation.
In this area, parliamentary control is lacking in several countries, including the UK. In this respect, there would be scope for better parliamentary scrutiny through working more closely together with the UK ICO office. Apart from its national tasks in the field of data protection and freedom of information, the Information Commissioner is also the UK national supervisory authority for Europol, Eurodac, and the Customs Information System (CIS) and is a member of the Europol, Eurodac, Eurojust and CIS Joint Supervisory Authority. The Commissioner is also the designated national supervisory authority for the Schengen Information System and attends the SIS Joint Supervisory Authority as an observer prior to the UK accession.
The result of the current practice as observed by the Meijers Committee and NGOs such as Statewatch UK is that data on recognised refugees or EU citizens remain registered in Eurodac and will be used for police and intelligence purposes. As a result, refugees and other persons in need of international protection are more inclined to refrain from filing a formal application for asylum or show obstructive behaviour in order to remain invisible.
Organizational experience with operating automated fingerprint identification systems lends support to social action based on a logic of appropriateness. Moreover, once a system is established, it has to be used. Therefore, with standard biometric control procedures already in place, the matching of established rules to new situations tends to take precedence over comprehensive analyses of the expected consequences of alternative courses of action. Experience-based processes of solution-driven problem solving can be characterised, as some argue, by recognising precedents rather than by a calculation of costs and benefits. This is akin to the logic of group-think and decisionmaking under crisis and time pressure.
From the perspective of the sociology of law, this same process is likely to occur without government intervention. Mathiesen in his analysis of Norwegian participation in Europol and Eurodac observes that the horizontal integration of the Europol and Eurodac systems expands by internal sociological forces, far from the control of nation-state institutions. The processes of horizontal interlockings and vertical de-couplings are taken as given. This results in system agents taking pride and finding legitimacy in such developments. As they become part of their systems, they develop emotional attachments with their systems and the colleague agents working in them, they see their particular system as something they should foster, and feel great satisfaction when they manage to make the system function still better. Mathiesen points out that these are commonplace processes through which agents become more or less enveloped by the systems they are working in. What is needed is enforced accountability to non-participants in a system of checks and balances. However, in the case of Norway too, parliamentary scrutiny is minimal and public or media awareness tiny. It is higher in the UK but the pervasive (in)security discourse distracts attention from parliamentary responsibility, accountability and control. Consequently, the claims made by the Border Agency go relatively unchallenged, even when confronted by the problems arising over the implicit tracking by university administrations, on the Agency’s behalf, in and out of the UK of certain international students.
The border agency’s mission is to improve the nation’s security through stronger border protection. The use of biometrics is presented as necessary, efficient and safe.
The electronic passport
Holding a passport allows UK citizens to exercise one of their fundamental rights: to leave and enter the country. However, its data is linkable for other purposes.
The UK Home Office Identity and Passport Service is responsible for the passport and the national identity scheme (NIS). To comply with the US Visa Waiver Programme and other international requirements the UK introduced an electronic passport in 2006. Although the UK could have decided not to participate in the European passport regulation, it decided to join the EU effort to agree on a passport that would meet the most recent ICAO standards and US demands.
The main aim of the introduction of the European electronic passport is to strengthen border controls, also by including a digitally stored face scan that would allow one-to-many comparisons. The new passport contains an electronic chip storing a digital facial image of the passport holder. The chip can be read using an appropriate electronic reader located at border control. EU requirements stipulate that electronic passports within the EU should include a second biometric identifier as well as the facial scan by 2009 but second generation British biometric passports will first be issued in 2010. These passports will also store the holder’s fingerprint scans on the chip. Although government claims that the second generation biometric passports will boost the verifiability of the claim as to the authenticity of the person presenting himself with the passport, technological weaknesses remain serious.
The differences between Basic Access Control and Extended Access Control in relation to the possibility of skimming are considerable and the release of information from a chip without a passport holder’s consent is still an issue with second generation electronic passports. Compared to the traditional passport, the wireless character of the e-passport introduces new safety risks for the holder, the issuing and the accepting state. Data security and the credibility of government claims regarding its safety remain problematic.
The Central Office of Information has been publishing track research to assess public attitudes to the passport and the new identity card scheme. Of the sample in February 2009, 11% of respondents trusted the government strongly and 26% slightly to keep data safe. For the Identity and Passport Service, these figures were better at, respectively, 35 and 35 per cent. The (biometric) data held on the passport will not stand alone but will be stored and eventually be available for cross checking against the NIR. The details of whether inclusion in the NIR will be voluntary or obligatory and possible data exchange between the various authorities and the NIR will be discussed below. Suffice it here to stress that function creep is inevitable given the technical specification of the European e-passport and the international infrastructure on which biometric verification relies. Function creep is built-in allowing new possibilities to be incorporated either spontaneously or by dint of new policy initiatives.
Criticism against the introduction of biometrics in the e-passport can lead to confusion between the idea of a biometric and the use to which it is put as part of or in the service of another objective. Some see ‘biometry’ as being seriously overrated especially by politicians and policy makers. ‘Despite the growth in applications, the large-scale use of biometrics is untested. The difficulty is it is not only unproven in a huge single application (such as e-passports), but also not with many different applications in parallel (including «biometry for fun»).’ Diverse applications may have no, or weak, or incompatible security features. Without baked-in robust security architectures, fraud is both possible and probable. If a biometric has been ‘stolen’ or compromised, the authentic person trying to re-claim it can have grave difficulties in proving his authenticity or in proving that he was not responsible for something he did not do.
Function creep is also inevitable once biometric verification is used in one application, for one purpose – such as border crossings. Indeed, administrations and commerce favouring ‘inter-operability’ or claiming that one-stop e-citizen cards will offer huge savings and convenience gains to citizens, seek to link-up data for both good and nefarious purposes, many of which are unknowable, invisible and open to fraud, theft, data mining, data re-configuration, onward sale and abuse of the privacy of the person who supplied the data for one purpose originally. Neither EU regulations or directives, nor data minimisation principles sufficiently guard against this.
Many governments too uncritically accept function creep and seek interoperability before ensuring that the legal remedies against data mining and misuse, respect for security architectures and the principles of data minimisation and purpose limitation are in place. Even governments believed to be among the most vigilant have failed in this respect and clearly not heeded the warnings and recommendations of data protection and information authorities. Among the latest criticisms are those against the German government. Governments seem to permit onward data re-configuration and selling to parties without the explicit consent of the data subject, and the signs of public disquiet (probably too late to undo the damage already done) gravitate towards the easily grasped issue of a central data base. This epitomises all the ills of information collation and sharing. The introduction of a central data base is in the process of being implemented or under discussion in many EU member states even though the decision as to whether or not to introduce a central (biometric) database is left to the member states under the EU passport regulation.
The UK national identity system and biometrics
Until recently, the UK was one of only a few EU member states not to have an identity card system. Now, the National Identity Scheme (NIS) provides the overarching framework for introducing it by stealth through government initiatives on the use of biometrics in the UK. The NIS, based on the Identity Cards Act passed in March 2006, provides a comprehensive way for the Government to record and store personal identity information. The Home Office points out that each ID card will be unique, and will combine the cardholder’s biometric data with their checked and confirmed identity details – called a ‘biographical footprint’. The Government claims that these are measures to boost individual and collective security: «These identity details and the biometrics will be stored on the national identity register. Basic identity information will also be held in a chip on the ID card itself. The cards will be linked to their owners by unique biometric information (for example, fingerprints). This is needed to ensure that your card is really yours, and to protect you from identity theft.»
Function creep and multi-purpose applications are built in. The NIS will also make it possible for an individual to prove his or her identity to certain trusted non-government agencies such as banks. The scheme is built on a number of government controlled biometric applications already mentioned above, such as biometric visas, biometric passports and identity cards, including those cards issued to foreign nationals in the form of biometric immigration documents. The NIS will apply to all those, including foreign nationals, over 16 years old who legally reside or work in the UK. It is a long-term programme which will take several years before it comes fully into operation. The official roll-out schedule is as follows:
From 25 November 2008 start of the issue of compulsory identity cards to foreign nationals coming to work or study in the UK. By spring 2009, over 50,000 cards were expected to have been issued.
In the first half of 2009, contracts to be awarded for application and enrolment, biometrics storage systems and the production of identity cards and passports.
From Autumn 2009, the start of issuing mandatory identity cards for airside workers - starting with an 18 month evaluation at Manchester and London City airports.
In late 2009, volunteers to be offered the chance to enrol for the first identity cards.
From 2010, starting with young people, identity cards to be offered on a voluntary basis to ‘anyone who will benefit from them in their daily lives.’
From 2011/12 the roll-out of identity cards to the wider population on an entirely voluntary basis.
The last point about the voluntary basis of the cards might suggest that there is an alternative which would allow an individual to get some form of identification without biometrics. However, this is not the case. The claim as to the voluntary nature of applying for the identity card is seriously restricted by the fact that individuals will soon need one to travel or conduct certain business (such as opening a bank account).
Visiting Manchester at the end of January 2009, Home Secretary Jacqui Smith announced that work was underway to identify a number of areas across the UK where British nationals could be among the first to apply for an identity card, claiming in a speech at Manchester town hall, that the advantages of having one included being able to offer:
a universal and simple proof of identity that brings convenience for organizations and individuals – that means an end to the disorganized use of photocopied bank statements, phone bills and birth certificates;
the Service will give you control of who can see your personal details – that means an end to revealing details about your finances or personal life just to prove who you are and where you live;
ensuring that foreign nationals living, working and studying here legally are able to easily prove their identity and prevent those here illegally from benefiting from the privileges of Britain; and
convenient travel in Europe using the identity card
She also announced the launch of a new website giving the public more information on keeping their identity secure. This website is designed to give British nationals interested in getting an identity card up-to-date information on developments and would allow them to register for notification as soon as the National Identity Service goes live in their region.
Biometric Information and the National Identity Register
Although the title of the Act suggests otherwise, the basis of the Act is not the ID card but a database (The National Identity Register: NIR) containing information relating to individuals. The ID card will only be issued after the required «registrable» facts have been entered into the NIR. The term ‘identifying information’ is also used in the Act and applies to biometric data especially. The Act refers to a photograph of head and shoulders, fingerprints and ‘other biometric information’ as well as to a digital signature. By using the term ‘identifying information’ as a label for biometric data, the UK legislator shows that it places its trust primarily on biometrics for the authentication of identity. The website for example explains: «Your biometrics will be permanently paired with your biographical information to create completely unique and secure identity data». When a person enrols, biometric information (e.g. facial image, fingerprints) will be recorded and subsequently maintained on the NIR. The data are checked against existing records and stored on the UK Border Agency systems and within the microchip card.
The ID cards thus combine the cardholder’s biometric data with their checked and confirmed biographical information covering basic personal details (e.g. name, address, date of birth). Obviously, a sub-set of the identity information held on the NIR is also printed on an identity card – a polycarbonate photo card with an electronic chip. The chip holds the identity information as printed visibly on the card such as a digital photograph but also contains two fingerprints. Each card has its own Identity Registration Number (IRN), which is printed on the card and a Personal Identification Number (PIN), which the cardholder can set and use as one would for a credit or debit card.
Accredited organisations (both public and private sector organisations such as banks) can check an ID card and/or an NIR record with the permission of the holder (although there is no real ‘choice’ but to agree if a person wants the service provided by a bank or other organisation). In this case, different levels of verification apply, depending on the service a person wants to access. Basically, an individual’s identity/data or information as presented will be compared with his/her entry in the NIR.
There are three levels of verification. The lowest level is a check using the photo on the ID card. The next level involves two-factor verification: a check of the physical card including the photo and the use of the personal identification number (PIN) and/or designated questions. The highest level check includes biometrics. Subjects will be able to obtain information on when and by whom their information was consulted. However, this is neither cheap, time-efficient nor genuinely something that anyone can do for themselves. The NIR is also multi-purpose in that those who use it to verify the identity of a person will find in it detailed information on the movements and the transactions of all UK residents holding a passport, an identity card, a residence permit and so forth. Tracing and tracking of persons and their personal details will become possible at a much larger scale. Although police and prosecution’s access to files may be allowed under the same rules as previously, the amount and nature of the data available will change considerably. Concepts such as consent and cooperation may even need to be redefined as a result of what is happening in practice. This in turn may cause a new focus on the right to be informed. Not to be informed of some of the new data handling possibilities might constitute a taking away of rights in practice.
Transparency and accountability
In terms of the traceability of the individual citizen and accountability for the running of the NIR, the first important question is whether registration under the Act is compulsory. Registration is only required for certain groups of people, such as all individuals requiring a new passport and specific categories of people mentioned in Section 7 of the Act. As soon as a person is registered, this person also comes under an obligation to notify changes and errors. In the case of the registration of biometric data, this means that as soon as individuals become aware of an error in (the recording of) their biometric data, notification of this is compulsory on pain of civil penalty. Therefore all British passport and identity card holders will eventually be on the NIR on a compulsory basis and will also be under an obligation to report errors/abuse they observe relating to their biometric data.
The second question is whether the increased possibilities to trace and track an individual (increased transparency of the citizen) as a result of the creation of the NIR are an acceptable side effect. Where do we draw the line of an unacceptable change in the balance of power between citizens and the state?
The NIR is not intended to constitute a single, large database, and different sets of NIR information – biometric, biographical and administrative – are not all held in a single system, but stored and compartmentalized. So far, medical records, tax and benefits information and other government records are not stored in the NIR. It is, however, clear that the register will have links with other government systems to share identity data, and support identity checking services. How linkability will be facilitated or limited is not yet clear. The decisions regarding interoperability may well change character over time. This means that biometric information can at some point be automatically linked to other kinds of data than those on the NIR as foreseen at this moment in time.
The third issue is the fallback issue. With the roll out of such a large scale system, efficient fallback procedures will become crucial. From the point of view of the citizen, there are two main concerns: failure-to-acquire and its procedural consequences (problems with providing a biometric scan, for example the very young, handicapped, physically compromised, elderly, accident victims etc) and biometric identity theft (fraud with biometrics). As the examples above suggest, the UK government’s claims ignore or minimise these concerns.
The Home Secretary is ultimately responsible to Parliament for the running of the scheme. The yet to be established independent National Identity Scheme Commissioner is to continually review the operation of the scheme and report to the Home Secretary, who has to share the report with Parliament and answer MPs’ questions. Finally, the Information Commissioner’s key powers to protect personal information will also apply to information held in the NIR. Actually securing redress will be time-consuming, expensive and problematic and certainly discriminatory in practice if not intent.
The Identity Project and Biometrics
In 2005, the London School of Economics (LSE) examined the potential impacts and benefits of the National Identity Scheme in detail. The findings were presented in a much debated report The Identity Project: an assessment of the UK Identity Cards Bill and its implications. In this report the LSE concluded that the scheme could offer some basic public interest and commercial sector benefits. However, the main findings and conclusions drawn up in the report indicated that the scheme as proposed would be too complex, technically unsafe, and overly prescriptive and would lack a foundation of public trust and confidence. In particular, with regard to biometrics, the report indicated that the technology was, to a large extent, untested and unreliable. The LSE report especially noted that: «a fully integrated national system of this complexity and importance will be technologically precarious and could itself become a target for attacks by terrorists or others.» And with regard to the National Identity Register the report stated that the Register may itself pose a far larger risk to the safety and security of UK citizens than any of the problems that it is intended to address. In the section on biometrics the report stressed that technology was always imperfect and that it should be the servant not the master of decisionmakers.
It appears that in the UK, and in many other states, technology remains master and that as a result, a semi-privatisation of government administration has eroded parliamentary accountability, compromised and reconfigured the ability of parliamentary accountability and openness in practice and made the ultimate locus of authority in digi-space invisible, incomprehensible and so uncontrollable potentially.
UK school children and biometrics
The use of biometric technologies in schools illustrates some of the wider issues relating to public attitudes, public policy and transparency. Conservative estimates are that 1,000 schools in England and Wales use biometrics of their pupils, claiming that they increase the efficiency of their processes or increase safety on their school premises. The campaigning organisation Leave them Kids Alone’s most recent estimate of the number of schools using biometric data systems stands at over 5,000 primary and secondary schools, implying that nearly 1,000,000 children have already been fingerprinted by their schools. In 2007, one national newspaper estimated that soon 5,900,000 children would have gone through the process of being fingerprinted.
At least 20 private companies sell biometric products that could be used by educational establishments in the UK. It was only when some schools started using biometric applications for library loans, school access or registration of school lunches without consulting parents first that a few individual parents started a protest. The protests were given some publicity through the media, resulting in a political response. Questions were asked in the House of Commons and House of Lords, an MEP started an investigation in his constituency and individual concerned parents filed requests for information in the context of the Freedom of Information Act (hereafter FOI). The parent pressure group, «Leave them Kids Alone» provided advice and information on its website for pupils, school management, staff, governors and so forth. Some time later, the Information Commissioner for England and Wales and BECTA issued guidelines on the use of biometrics in a school context. In February 2009, the first draft of Scottish guidelines was also published.
Most schools in the UK use finger scan technology, often encouraged by vendors to take a particular system rather than being in a position independently to investigate the introduction of a biometric system. In 2007, a school in Scotland was the first in the UK to use palm vein authentication for paying for school meals. This application has been developed by Yarg Biometrics and Fujitsu Services. Palm vein data are often considered less privacy sensitive than finger scans because these biometric data are less likely to be collected elsewhere (law enforcement for example) and therefore less likely to be used for other purposes. The Scottish school claimed the scheme was to boost speed and make lunch more attractive to pupils. The palm vein system is also claimed to be socially inclusive, avoiding stigmatising children on benefits normally needing to present meal tickets instead of cash, but those with disabilities are still not able to use it easily. BECTA guidelines concern the introduction of biometrics in schools. The Authority singles out three different potential applications: cashless catering, automated attendance and registration and school library automation. It claims the following advantages to cashless catering:
«Pupils in receipt of free school meals are not identifiable, which can help to avoid a pupil being stigmatised. In addition, pupils do not need cash to pay for their lunches, reducing the opportunity for bullying and theft. Such systems can also speed up service in canteens and dining rooms. In this instance, biometric technologies can offer some additional advantages over other identification mechanisms:
Pupils do not need to remember to bring anything with them to the canteen and there is nothing that can be lost.
Costs can be reduced as, for example, there is no requirement to replace lost or damaged smartcards.
The risk of bullying and theft may be further reduced, as there is no opportunity for pupils to steal and use other pupils’ smartcards to pay for meals.»
BECTA also sees advantages of automated attendance and registration in identifying, tracking and combating truancy. «....The advantages of employing biometric systems over other technologies are similar to those in .... (cashless catering and for library use). In addition, in this particular example, there is no opportunity for pupils to register absent pupils using their smartcards. Pupils must be physically present to register their attendance.»
In their guidelines, the ICO and BECTA mainly focus on legal issues. They point out that schools should treat biometric data as personal data. When the biometric data of a pupil are obtained, then the school must ensure that the pupils and/or the parents (depending on the age) are provided with a Fair Processing Notice which will contain information as to:
the name of the data controller (the school)
the purposes for which the data is held
any information required to make the processing fair, including any third parties to whom the data may be passed.
In addition, schools must comply with the following data protection principles: data must
be fairly and lawfully processed
be processed for limited purposes
be adequate, relevant and not excessive
be accurate
be kept no longer than necessary
be processed in accordance with data subjects’ rights
be secure
Local councils have recognised that the decision whether or not to introduce biometric technology lies with the schools and their governing bodies. Some local councils have nevertheless taken a stance against the use of biometrics at schools. Liverpool schools for example, have been told the decision to install controversial fingerprinting technology rests with them. The city council distanced itself from the technology amid fears pupil information could end up in the wrong hands. Becta had warned schools to be sensitive to parental concerns about data (mis)use, and to adopt, as good practice, a policy of openness towards parents and pupils in explaining the purpose behind and need for the new ICTs, data storage and retention periods. The use of and possible data sharing with other parties has to be explained and although Becta suggested that personal data would be secure and not be forwarded to any third parties, in practice information sharing, facilitated by ICTs, is widespread. Social welfare, health and education agencies do share information and it is widely accessible to a growing number of people in local authorities, as well as to credit rating agencies like Experian. There is little trust in the claims that data will be kept securely. Whether all biometric data on children is destroyed immediately the child leaves school is a relatively minor issue compared to the vast information bank on each child and its family.
One of the problems in information sharing that is either automated or facilitated by the manual input of data is that people are unable to opt out of it. Alternative means of accessing data, even one’s personal data, are commercially available (for example in the shape of smart cards) but the principle of giving the data subject control over the content, entry, erasure, accessibility etc of their data has not been the first or even last guiding principle when systems have been created. This is not just a question of ensuring (in the case of schools for example) that the school is acting legally and handling biometric data in the same way as other data (and subject to the Data Protection Act 1998). It is about a cultural change at all levels of administration and government in public policy implementation, and especially with regard to the cost-saving ‘efficiency’ measures in private-public partnership arrangements, outsourcing, data re-sale, and re-configuration which creates new data that ceases to be the property of the data subject.
One MP criticised the British government’s biometrics advice to schools for failing to incorporate a parent’s right to be consulted in law. Liberal Democrat MP Greg Mulholland told the Commons on 23 July 2007 that the guidance failed to introduce a legal requirement for schools to acquire parental consent before collecting their child’s biometric data. He demanded that at least schools be put under a legal obligation to consult with parents. When taking data protection legislation and ICO and Becta guidelines as a starting point, the question remained, is it illegal for schools to collect pupils’ fingerprints without their parents’ consent? In August 2008, the ICO published a press release to clarify this matter.
The Information Commissioner stated there were two issues here. First of all, it was a misconception that all processing of personal data must take place on the basis of consent. Second, there was nothing in the Data Protection Act that states that until a child reaches a specific age any data protection rights they have should be exercised by their parents or guardian. For the purposes of the Act the pupils themselves are «data subjects»: it is they who should in the first instance be informed and consulted about the use of their personal data. The Information Commissioner continued that deciding when children are mature enough to decide how their personal information should be used is difficult. The ICO pointed out that on the one hand, as pupils mature they are entitled to an increasing measure of autonomy. On the other hand, while pupils might understand a simple explanation of why their fingerprints are being taken, they may well not appreciate the potential wider implications. The Information Commissioner concluded that unless schools can be certain that all children understand the implications of giving their fingerprints, they must fully involve parents in order to ensure that the information is obtained fairly: ‘In view of the sensitivity of the issue and the importance of parents’ role in education it would also be a heavy-handed approach for schools not to respect the wishes of those pupils and parents who object to school fingerprinting initiatives.’
However, it is disingenuous to assume that when officials and parliamentarians, apparently charged with safeguarding the state’s citizens, are so ill-informed or unconcerned about how data is stored, used, out-sourced etc, children will be any better placed to make informed decisions. The problems of the very young and handicapped among them are too readily dismissed and when teachers act in loco parentis is it likely that they will be immune from the kind of group think (or intimidation to conform) in a school where the ‘authorities’ want ICT automated information sharing and data collection to be the norm?
Moreover, the ICO’s advice is insufficiently taken into account. The ICO pointed out that there are biometric applications (like smartcards) that technically allow alternative methods of authenticating identity and to allow those wishing to «opt out» to be given alternative means of accessing the same services. The ICO has also criticised BECTA and argued that the taking of fingerprints is not inclusive (as Becta claims) but still redolent of stigmatising people, and perceived as indicative of mistrust and suspicion and so is identified with being «treated like criminals». Others fear that if children are persuaded to part with important personal information (including a ‘unique’ biometric), their sense of privacy and accountability will be compromised, and they will not reflect thereafter on ‘routine’ information sharing. Some suggest that fingerprinting in schools is part of a concerted attempt to «soften up» the younger generation for increased state privacy intrusion, including initiatives such as ID cards and DNA testing.
The actual use of data – the principles of purpose limitation, data minimisation and prevention of function creep – is paramount. However, these principles have already been ignored in the establishment of existing ICT information sharing systems. Is it likely that any new ones will dismantle these and begin afresh? Probably not. Any use of biometric technologies outside law enforcement should be considered in the light of such negative responses. However, these concerns, while raising wider questions of public attitude and public policy, are not specifically data protection issues.
The decision to use biometrics by schools in England and Wales lies with the school itself, and its governors. Informing pupils and parents in advance and offering «opt out» facilities should form part of the standard procedure. To some the use of biometrics in schools is a socialization of children into unquestioned acceptance of biometrics for day to day routines. Although a campaigning organization has been set up and there has been some attention in the press and in parliament, it seems that public debate on this issue is not intensifying, whilst the roll out and use of biometric identities explodes for mundane purposes that have nothing to do with the original ‘security’ purpose and which, potentially, risk introducing insecurities.
International law and biometrics
The national privacy framework for biometrics is the Data Protection Act 1998, which came into force in March 2000 (hereinafter the ‘DPA’). It applies in principle to the collection and processing of biometric data. However, the DPA does not contain specific provisions which mention biometric data as such. Other laws may govern certain aspects of the use of biometrics too. This applies to criminal law such as the Police and Criminal Evidence Act 1984 and the Criminal Justice and Police Act 2001, immigration law (Borders, Citizenship and Immigration Bill), health and safety laws, labour laws, and contract law (legal liability) and so forth. Recently, some British employers have started to introduce biometrics in the workplace as a way of monitoring their staff. In August 2008, Westminster Council’s Community Protection Management team installed finger print recognition machines in various workplaces across the borough. This was done without consultation or even notification of staff representatives. About 200 employees in the street management services department were to be asked to provide their fingerprints. Branch Secretary Phil Vaughan of Unison wrote to the Leader of the Council demanding to know why the machines had been installed without any consultation. The Union pointed out that practices such as finger-printing employees as a way of monitoring their time-keeping and sickness absence raise serious questions about personal privacy and intrusive employment practices. Unison negotiated with Westminster’s Chief Executive to explain why the union opposed the policy and its members would refuse to cooperate. Shortly after, the project was discontinued. There are no (national) court cases involving biometrics yet. The only exception is case law about the use of DNA (see above).
It is clear that beyond the directly applicable national legal framework, the right to privacy and the use of biometrics is complex. This applies especially to the use of biometrics in the context of the fight against terrorism. The Framework Decision on the protection of personal data in the field of police and judicial cooperation in criminal matters is the first general data protection instrument in the EU third pillar.
In a response to its adoption, the EDPS reminded the EU Institutions that it had repeatedly called for significant improvements of the proposal to ensure high standards in the level of protection offered and warned against a dilution of data protection standards. The current decision was not amended to meet these criticisms. The EDPS reiterated its position that besides the inclusion of domestic data in the scope of the decision,
«Further work was needed with regard to the following main points:
• the need to distinguish between different categories of data subjects, such as suspects, criminals, witnesses and victims, to ensure that their data are processed with more appropriate safeguards;
• ensuring an adequate level of protection for exchanges with third countries according to a common EU standard;
• providing consistency with the first pillar’s Data protection Directive 95/46/EC, in particular by limiting the purposes for which personal data may be further processed.»
In a recent report, the following broad standards have been derived from the judgments of the European Court of Human Rights, the case-law of the European Court of Justice, and in Recommendation R(87)15:
«1. There must be a legal basis for any collection, storing, use, analysis, disclosure/sharing of personal data for law enforcement and anti-terrorist purposes. A vague, broad general statutory basis is not sufficient; rather:
2. Such processing must be based on specific legal rules relating to the particular kind of processing operation in question; these rules must be binding, and they must lay down appropriate limits on the statutory powers such as:
a precise description of the kind of information that may be recorded;
a precise description of the categories of people against whom surveillance measures such as gathering and keeping information may be taken.
a precise description of the circumstances in which such measures may be taken
a clearly set out procedure to be followed for the authorisation of such measures;
limits on the storing of old information and on the time for which new information can be retained;
explicit, detailed provisions concerning:
the grounds on which files can be opened;
the procedure to be followed [for opening or accessing the files];
the persons authorised to consult the files;
the nature of the files;
the use that may be made of the information in the files.
It follows from the above:
(1) that the collection of data on «contacts and associates» (i.e. on persons not suspected of involvement in a specific crime or of posing a threat), the collection of information through intrusive, secret means (telephone tapping and email interception etc.; «bugging»; informers; agents), and the use of «profiling» techniques, and indeed «preventive» policing generally, must be subject to a particularly strict «necessity» and «proportionality» test (.....);
(2) that «hard» (factual) and «soft» (intelligence) data should be clearly distinguished; and that data on different categories of data subjects (officially indicted persons, suspects, associates, incidental contacts, witnesses and victims, etc.) should likewise be clearly distinguished;
(3) that the nature of information and intelligence coming from private parties such as businesses or credit reference agencies requires additional safeguards, inter alia in order to ensure the accuracy of this information since these are personal data that have been collected for commercial purposes in a commercial environment; and
(4) that access should only be allowed on a case-by-case basis, for specified purposes and under judicial control in the Member States.
3. Such rules can be set out in subsidiary rules or regulations - but in order to qualify as «law» in Convention terms, they must be published.»
Recent developments: the UK Information Commissioner and biometrics
The mission statement at the top of the UK Information Commissioner’s home page states that the Commissioner is: «the UK’s independent authority set up to promote access to official information and to protect personal information».
The Information Commissioner has proposed some legal measures to further protect private data, also with a view to possible security lapses that concern biometric data. In his evidence to the House of Commons Justice Committee inquiry into the protection of private data he made two specific proposals. The first is to give the ICO the power to force data holders to commission an independent audit of their procedures. The second is a requirement for bodies to notify the ICO or a similar body, when a major and potentially dangerous privacy breach has occurred, as well as notifying the individuals who may be affected.
The UK government plans to increase penalties for trading in personal data, from a fine as currently set to two years’ imprisonment under new penalties in the Criminal Justice and Immigration Bill.
The House of Commons Home Affairs Committee issued a report on the Surveillance Society. In his response to the report, the Information Commissioner supported the proposal that the Home Office should submit contingency plans for the loss of biometric information to the ICO. The Committee also recommended that the Home Office should address ICO concerns on administrative information collected as part of the National Identity Register (paragraph 248 of the Report). In its reply, the ICO stresses its continuing concern that the amount of information is kept to the minimum, with administrative information deleted as soon as it has served its purpose. The ICO states it is particularly concerned about the ‘audit trail’ data and wants this minimised, access to it restricted and the data deleted early.
In January 2009, the Information Commissioner’s Office (ICO) forced the Home Office to sign a formal declaration promising to hold personal data securely in the future. With immediate effect, all portable and mobile devices which are used to store and transmit personal information must be encrypted. The case in question occurred in August 2008, when a Home Office contractor, PA Consulting, lost an unencrypted memory stick holding sensitive personal details of thousands of people serving custodial sentences or who had previously been convicted of criminal offences. Mick Gorrill, assistant information commissioner, issued the following statement: «This breach illustrates that even though a contractor lost the data, it is the data controller (the Home Office) which is responsible for the security of the information. It is vital that sensitive personal information is handled properly and held securely at all times. The Data Protection Act clearly states that organisations must take appropriate measures to ensure that personal information is kept secure. The Home Office recognises the seriousness of this data loss and has agreed to take immediate remedial action. It has also agreed to conduct future audits to ensure compliance with the Act. Failure to meet the terms of the Undertaking is likely to lead to further enforcement action by the ICO.»
Conclusion
The use of biometrics is only one aspect of a wider development under which the personal and bodily characteristics, behaviour and acts of individuals are recorded and kept by a range of government agencies and private parties. The extent to which these data will be shared and exchanged in future must be determined by rules, rights and political processes that respect the principles of public accountability, transparency and openness. This openness cannot simply be at the level of the simplest statement as to the process of considering something. Informed information must be easily available. A side effect of the use of biometrics in government identity management is certainly that citizens are becoming more traceable. This is a result of the recording and storing of biometric data in combination with e-administration of government and public policy at all levels. It will be more difficult for citizens (Us) as well as foreigners (Them) to stay somewhere unnoticed. This requires a rethinking of the balance between private and public interests in which information, consent and cooperation must play a crucial role. It also requires a discussion of the extent to which citizens should be traceable by public and private authorities, whether for commercial transactions or other purposes. As it stands, the proliferation of personal information - including biometric data - seems an irreversible process that carries risks for all involved. At the same time, proliferation has more potential benefits for the data handlers than for those whose data are held. The example of biometrics in schools has shown that, apart from the legal issues, there are also practical, social, health and education aspects to the introduction of biometrics. The impact of the use of biometrics on individuals and society as a whole is only just beginning to surface regularly in political and media discourse.
Many of the early claims of the benefits of ICT automated information sharing and exchange, and biometrics for verifying identity claims, are questionable and must be rigorously challenged.
Politics and the law lag so far behind the technological advances, whose impact will be vast as nanotech applications and the possibilities of ambient intelligence applications are fully exploited, that it is vital for parliamentarians, data protection supervisors and those with whom they work to rethink how visible, public accountability can be demonstrated to the good of the citizen at a time when important personal facets comprising the identity of those citizens are on sale and circulating in cyberspace. Digitising identity has consequences for terrestrial government and management practices and must immediately prompt a rethink of the too easy acceptance of inter-operability as a panacea for combating criminality and so enhancing security. (In)security is the norm in digi-space.