The surveillance state – The practical problems and implications of biometric identities

Note: I wrote this piece at a time when a British identity card seemed a very real possibility because the Blair Government had produced a consultative Green Paper and was pushing the subject hard in Parliament and the media. The Blair scheme was very intrusive because it envisaged not merely government collected data being tied to the ID card but also data collected by private organisations such as the large supermarkets.

Such a card did not materialise then but the threat of it has not gone away. Perhaps it will not come overtly as an ID card but covertly, almost as an emergent property, through the ever expanding government databases (which are in the process of being linked) and the rapid government move to doing all government business online only which not only increases the data held but makes operating with some form of digital ID next to impossible.

Although the essay was written nine years ago, the problems raised still hold true.

——————————————————————————————————

Published in The July 2004 issue of The Individual, the journal of the Society for
Individual Freedom (www.individualist.org.uk).

The practical problems and implications of biometric identities

Robert Henderson

The libertarian and moral implications of ID cards have generated a great amount of newsprint, but much less attention has been given to what biometric based ID cards will mean in practice or to their practicality. This is a serious deficiency because a biometric-based ID card will be an entirely different animal from any
non-biometric-based ID card.

If it is successful, such a system will give a government unprecedented control of the lives of the individual – the ID card would potentially be a licence to legally exist – and if flawed in operation, cause untold disruption and personal misery.

How effective are biometric data as identifiers?

Biometric identifiers are generally presented to the public as foolproof, Big Brother, sci-fi-style technology. The reality is that there is no biometric identifier which is anything like foolproof, nor, as we all know to our daily cost, any computer system which does not regularly crash.

What would be the most likely biometric data to be used? Iris scanning, fingerprinting and facial parameter recognition are the frontrunners, either singly or in combination. Facial parameters are far from foolproof, while fingerprinting, despite what is generally thought, is far from conclusive being decided on points of similarity rather than an absolute individual singularity. One suspects that iris print recognition has similar drawbacks, whatever the “experts” tell us.

Take the expert on biometric testing Professor John Daugman, who is based in Cambridge University. He developed the algorithm for iris recognition. In the Daily Telegraph (12 5 2004) he is reported as saying: ” “The key point is the relative complexity of the iris, compared to, say, the fingerprint,” explains Professor Daugman, who is based at Cambridge University. “The iris is much more random and much more complex, so it Is much more likely to be truly unique.

“Randomness is measured in degrees of freedom. The face bas less than 20 degrees of freedom. Fingerprints have 40 degrees of freedom, but the iris has 200 degrees of freedom. “If we wanted the face to be as complex as the iris, we would need to have five mouths and seven noses…”

Prof Daugman goes on to say that “The technology has never yet given a false match and we have made millions of comparisons so far,” then unblushingly admits there have been problem with eye lashes and eye malformations. I think we should translate his remark as “The technology has never given a false reading where we have been able to get a readable iris print.”

The Home Office Commons select committee recently went to a demonstration of iris-scanning. The Daily Telegraph (7 5 2004) reported: “Members of the Commons home affairs select committee who tried out the technology yesterday were told that up to seven per cent of scans could fail.”

I heard a member of the committee, Liberal Democrat Bob Russell, on Radio 5 (6 May) telling of his experiences. His iris test failed because his eyes watered profusely. Russell also said that the test was as intrusive as a visit to the opticians with lights being shone directly into the eye. He found the experience physically unpleasant.

DNA analysis – which would be more certain – is a theoretical possibility, but whether it would be technically possible now or within the foreseeable future to have a system which could analyse DNA samples quickly enough is dubious. The person checking an identity would have to have a means of checking within minutes a DNA sample taken from a suspect and then comparing that with the DNA record in the central database.

As things stand, the most likely biometric identifiers on the card and database will be fingerprints and facial profiling, the latter to act as a decider if the fingerprint test does not produce a positive identification. The reason why facial profiling will be probably be chosen in front of iris recognition is that the International Civil Aviation Authority is pushing for it in machine-readable passports.

The problems of damage and biometric impersonation

A fingerprint could be damaged by scarring or a temporary injury. Ditto an iris print. As for facial parameter recognition, how effective is that going to be as a person ages? Doubtless the ”experts” will claim that basic facial parameters – breadth of forehead, distance between eyes and such forth – remain constant enough, but as the system is far from foolproof to begin with – Prof Daugman puts it as the least effective of the three biometrics being considered – can we honestly be sure that ageing may not produce sufficient change through, say, muscle relaxation or gum shrinkage, to distort the face sufficiently to cause a false non-recognition result?

Biometric impersonation could conceivably occur with people wearing contact lenses to give a false iris print (the experts such as Prof Daugman swear blind this would not fool a scanner because it uses infra red which would show up a flat plate , ie the contact lens, over the iris, but you know what experts are like) or having fingerprint ”masks” of someone else to wear on their fingers. Further down the line surgical techniques, including genetic surgery, could be used to alter someone’s biometric data.

There is also the question of technological advance generally. We simply cannot envisage what advances may be made which will breach what is now seen as a seemingly secure system.

What of the robustness of the Government’s computer system? Will it break down or even ever get to a stage of development where it can go live? We all know what a mess large government computer projects have been. Why should this, which is even larger and more complicated than those now in existence, be anything other than a mess.

Could biometric cards be successfully forged?

Could biometric cards ever be foolproof in even the narrow sense of being impossible to forge? Could forgeries exist? If biometric data are to be stored on a central database which can be immediately accessed it would be pointless to get a false card if the system would pick up duplicated biometric data. However, someone, for example, a foreigner, whose details have never been on the database, could get a card in a false name using false initial documentation – the initial identification of the person can only be done by good old fashioned methods such as passports and driving licences. There is also, of course, the opportunity for bribery of those operating the system.

If the database programme does not have the facility to check new biometric data against that already on the database, multiple applications for cards under different names could be made.

If there is not immediate verification of the biometric data by reference to the database, forged cards could be used because all the card would do is provide whatever data the forger chooses to put on the card when the card is put into a reader. Moreover, if the card is simply put into a reader and verified with the data held on the database, all that tells you is that the card is in agreement with the database. It does not tell you whether the person who holds the card is the same person. Thus the identities of legitimate cardholders could be copied onto forged cards. The only certain way of stopping this would be to read the data directly from the cardholder and compare it with data held on the central database.

Another problem would be the possibility of a card forger placing a programme on the card which would surreptitiously override the application to the central database and place data contained on the card in the reader in a form in which looked as though it came from the central database, a trick akin to placing videos in security systems to give the impression that a surveillance system is working when it is not.

The initial identification of those applying for cards

A basic problem of false identification exists at the point where the person’s identity is to be established before the identity card is to be issued. Forged documents will be of the type which are now forged, ie without biometric data. Over the generations this might become a smaller problem as children are registered at birth, but for the foreseeable future it will be a major difficulty.

The initial registering of the 60 million people in Britain will also be a massive task. Even if new passports and driving licences are going to require biometric data allowing the database to be gradually built up over years, that will still leave millions of people who neither drive nor have passports. The administrative problems of ensuring all those are issued with cards will be immense.

What non-biometric data could be on the database It would be impractical to include data which will regularly change such as a person’s address or workplace. Yet that is precisely the type of non-biometric data which is most useful in identifying someone. And what will the police do if they pick up a suspect but have to rely on the subject to give them an address?

The administrative problems in the field

These are mind-boggling. Can one imagine the ordinary policeman or immigration officer comfortably or efficiently using complicated machines to read the data either from the cards or directly from the cardholder? Or how about every store or bank requiring one? Think of your average bored teenager serving in a shop and then let your mind boggle at the idea of them taking an iris print. One can all too easily imagine a situation where using the machine is simply not done because the operator cannot be bothered or does not understand the procedure. British passports have been machine readable since 1988. How many are ever machine read? Very few.

Equally demanding would be the mammoth task of maintaining literally thousands (potentially tens of thousands) of machine card readers around the country. The likelihood is that many would break down and in such circumstances identity checks would simply be made by a non-id card means.

The potential practical ill effects of a biometric-based ID card

There are potentially massive practical problems which could arise from such a card. What happens if a person’s card is lost or the biometric data used as an identifier is damaged, e.g. by scarring a fingerprint? How would they actually exist if the card is necessary for daily living?

The failure rate for recognition requests would not have to be large to make the security of the card and its practical use as an identifier problematical. With a database of 60 million (the UK population) even a one tenth of one percent failure would mean 60,000 potential failures, each of which could be repeated many times if the card is needed for a wide range of activity which is the Government’s intention. (A Home Office press release states “crucially, the cards will help people live their lives more easily, giving them watertight proof of identity for use in daily transactions and travel” – http://www.homeoffice.gov.uk/n_story.asp?item_id=91). Imagine that you are one of the unlucky ones whose biometrics do not identify you positively, being faced over and over again with the need to prove who you are by other means.

There is also the strong possibility that false information will be put into the database. Governments will not be able to resist the temptation of going beyond the mere identification of someone. They will wish to store details of other things such as criminal records, health data and welfare take-up.

When an identity card was introduced in 1939 it had three purposes: to aid the function of rationing, help conscription and improve security and immigration. When a Commons committee examined the experience of the ID in 1950 (when it was still in force) the number of purposes had risen to 39.

One may be certain that something similar will occur if a biometric card is introduced. Indeed, the schedule 1 of the draft Bill currently doing the “consultation” rounds has a long list of information to be included on the ID register. This includes names, date and place of birth, photograph, fingerprint (and other biometric information), residential status, nationality, entitlement to remain in Britain and the exact terms of the right to remain and a National Identity Registration Number. It will also carry a record of any changes made to the Register.

The more information the more uses to which the card will be put. The more powerful computer technology becomes, the greater the ease and range of sharing information.

There is also the possibility that simple error will result in non-biometric data being entered which will make the identity of the person suspect, e.g., the wrong middle name. At best that would be extremely inconvenient for the individual. Or suppose your health records have the wrong blood group in-putted and you do not know. You have an accident and are taken to hospital unconscious and the wrong blood is used for a transfusion?

More generally, what would happen if the government computer system crashed, either through its own inherent weaknesses or from a malicious hackers attack? How would the world work if everything has become dependent upon the person’s state stored identity? The quick answer is the world would not work.

There is also the question of security. In principle a system could be set up whereby the machine card readers (or readers of biometric data directly from the individual) could have varying levels of access. All readers would identify you as the individual corresponding to the biometric data, but additional information such as health and credit data would be restricted to those with a legitimate reason to know them.

For example, you go to hospital and their reader will allow them to see what your health data is but nothing more. You go to get credit from a store and the shop’s reader gives them access only to your credit status.

Fine in principle, but does anyone believe that any of the information on the card would not rapidly become successfully “hacked” by anyone with the necessary IT skills? There is no reason to believe so because every other “secure” system to date has been hacked, even those with the highest security.

ID Cards are not the problem, the database is

Identity cards as such are a red herring. If the system is sophisticated enough to read from a database and check it immediately against biometric data taken directly from a suspect there would be no need for a card because the person would carry his own identification all the time, i.e. his or her biometric data. It is the database which is the problem.

The overt purposes of the proposed card

What effects would an identity card have on welfare abuse, crime, illegal immigration and security? If the card is voluntary or carrying it is optional, it will little if any effect on the last three items, for any person stopped who does not have a card will simply fail to appear with his or her card at a police station within the seven days as proposed in the draft Bill. However, let us assume that the carrying the card becomes obligatory. What then?

In theory, welfare benefits, including NHS treatment, housing and education could be better controlled, but there is the small matter of 400 million odd citizens from other EU countries to consider who have or shortly will have an absolute right to benefits in the UK. To those can be added millions more from around the world from countries such as Australia and Canada who have reciprocal welfare arrangements with the UK? Will they have to apply for a UK card before they get them?

Perhaps, but what of emergency health treatment? Would any government, when shove comes to push, have the will to deny treatment to those without a card? Moreover, what of failed asylum seekers who are not deported because it is deemed that their native countries are too dangerous to return the failed asylum seeker to? Will they be denied treatment even where the illness or injury is serious but not immediately life threatening, for example, if they are HIV-positive?

An ID card is no help in solving crime generally because the police can only arrest or investigate those people whom they have already identified. In theory a card might reduce fraud based on identity misrepresentation, but that assumes private companies will play ball with the Government’s stated intention that cards will be used “indaily transactions and travel”. As they all have their own cards and identification systems which are getting ever more sophisticated, it is extremely dubious that they will willingly add another layer of expensive security to their own.

As for illegal immigration, a government could make it impossible for a person to work legally in Britain unless they have a card. However, to enforce that would require an immense bureaucracy and a willingness to harass both employers and the general public severely. Employers would have to be regularly prosecuted and subject to stiff penalties for employing illegal labour, while the general public would find that they were essentially slaves requiring the permission of the state to gain employment. In fact, if a card was made necessary for not only employment but welfare and transactions such as opening a bank account or using a credit card, the individual would effectively require the permission of the state to live. Ultimately, the state could control people simply by discontinuing money in the form of notes and coins and making people use cards for all purchases.

As an anti-terrorist measure it would be pretty meaningless because any visitor to this country will not have to have an identity card. As tens of millions of visits are made each year, any terrorist could operate without ever being asked to prove his identity by any means other than would now be employed. As for any home grown terrorist, they will be able to get a valid card and until identified as a terrorist, by which time identity is established, they will be able to use it to move freely in the UK. It is also true that once human beings become reliant on machine checks they tend to treat them as holy writ and become much less generally observant and suspicious.

What if the proposed UK system proves inoperable?

The proposed UK card will not begin to be implemented if at all until 2007 and, even by the Government’s estimates, it will take many years to establish universal coverage of the UK population. But even if the card is never fully implemented by further legislation the government will have a database with the biometric details of most of the population in a few years through their inclusion on passports and driving licences. This will be shared by government departments and other public agencies. It will be subject to hacking and the corrupt release of information by those working within the system.

If such a system is implemented I predict that all those who are pro-ID card will be converted to the anti-card camp the first time they are stopped by the police and asked for it, or the first time their biometrics are checked and show a false negative, or the first time the database crashes and makes transactions impossible because identity cannot be verified, or the first time that they lose their card and find their lives in limbo.

Those who are against ID cards on principle will need no urging to oppose them. But even those who are in principle supportive of the idea of an ID card – and regrettably polls consistently show 70-80% of Britons in favour – may still rationally reject the idea of this card because of the sheer impracticality of the proposed system and its palpable failure to meet the objectives which persuaded them to become supporters.

Advertisements
Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: