PRIVACY INTERNATIONAL

 

Submission to the Citizenship & Immigration Committee of the Canadian Parliament

National Identity Cards

October 4, 2003

This written submission follows a meeting between Privacy International and the Citizenship & Immigration Committee, which took place at the Committee's request on June 24th 2003 in London, UK.

Executive summary

Privacy International urges the Committee to approach the issue of identity cards with great caution. Many of the claims made for the technology behind card systems cannot be sustained. The justification advanced for the card may in some cases be well intentioned, but appears to be based more on emotion and rhetoric than on credible research.

The biometric system that is proposed to form the identifier base for the card has not been successfully trialled anywhere in the world. Research evidence suggests that many of the claims made by the biometrics industry are false. Indeed the "one to many" biometrics architectures envisioned by some proponents of the Canadian scheme are entirely fraudulent.

The cost of the ID card system, together with appropriate registration procedures, IT infrastructure, private and public sector compliance and parallel systems will be well in excess of informal estimates currently circulating. Based on UK, European and South East Asian costings we estimate that a Canadian system at the point of full implementation will cost $7 billion (Canadian).

The privacy threats arising from a national ID system cannot be overstated. An ID card in the Canadian environment will in all likelihood breach the Charter on Rights and Freedoms. A card will fundamentally violate the privacy and data protection principles enshrined in Canadian law.

There is no evidence in the research literature to establish that identity cards either reduce the threat of terrorism or reduce the incidence of crime. Indeed the establishment of an ID card requires the creation of a new range of offences, and introduces the very real threat of increased criminality in a number of realms.

The identity card proposed for Canada involves the concept of converged or "joined-up" data resources. This poses grave threats to the security of data. It also introduces the inevitability that data will be lost, misinterpreted, mutated or abused. Multiple-agency access to sensitive data greatly increases the potential for misuse of information, either through corrupt disclosure or lapses in security.

Overview

National identity cards have been embraced by the governments of numerous countries throughout the past twenty years. Increasingly, the proponents of such systems have argued for the inclusion of comprehensive information matching and for a biometric identifier such as an iris scan or fingerprint. The United Kingdom and Canada are currently considering such systems, while Belgium and China are in the first stages of implementation of ID cards.

The stated justification for identity schemes varies widely, but it usually extends to several perceived benefits, notably reduction of fraud, an increase in administrative efficiency and the combating of unlawful immigration.

There is, however, often an instinctive notion that a card system can be a conduit for "nation-building" in which cohesion and national identity can be strengthened. These are intuitive notions that have no relation to the stated justification for cards. In this sense a card may be an initiative grounded in nationalism.

Patronage of the idea of an ID card is pursued with little quantifiable evidence of the claims made for card systems. The presumption, for example, that a national card can improve law enforcement techniques, reduce illegal immigration, diminish fraud, assist national security or improve administrative efficiency is entirely instinctive. There is little, if any, evidence that a card system can achieve these goals.

The principal reason for this situation resides in the sort of nationalism mentioned earlier. Such countries as Malaysia, China, Singapore and Indonesia have openly promoted the card as a means of establishing national "membership" and cohesion. This was expressed last year in the UK by a government MP, Dr Nick Palmer, who told a public meeting on ID cards that he felt an identity card could create a "bond" between all people. Card systems often bear the name or symbol of the country (such as the now defunct Australia card and Kiwi card).

The biometrics system proposed for the Canadian card is fundamentally unsound. China recently abandoned fingerprinting on its ID cards because of insurmountable technical problems,[1] while the British finance group Nationwide this year dropped plans to introduce fingerprints and eye scanning as a replacement for PINs[2].

US security experts Peter Neumann and Laurie Weinstein have observed "These supposedly unique IDs are often forged. Rings of phony ID creators abound, for purposes including both crime and terrorism. Every attempt thus far at hardening ID cards against forgery has been compromised. Furthermore, insider abuse is a particular risk in any ID infrastructure".

"The belief that 'smart' NID cards could provide irrefutable biometric matches without false positives and negatives is fallacious. Also, such systems will still be cracked, and the criminals and terrorists we're most concerned about will find ways to exploit them, using the false sense of security that the cards provide to their own advantage, making us actually less secure as a result".[3]

There are also substantial security threats arising from a biometric based identity system. Computer security expert Bruce Schneier warns: "Biometrics also don't handle failure well. Imagine that Alice is using her thumbprint as a biometric, and someone steals the digital file. Now what? This isn't a digital certificate, where some trusted third party can issue her another one. This is her thumb. She has only two. Once someone steals your biometric, it remains stolen for life; there's no getting back to a secure situation".[4]

This submission discusses the implications and risks associated with national ID cards with specific reference to both biometrics and to information matching. The paper assesses the arguments advanced for the use of this technology, and weighs the evidence from a legal, social and technical perspective.

Key issues and background

Proposals for the introduction of government identity card systems are causing controversy around the world. The UK and Canadian parliaments are currently considering national schemes that would result in a comprehensive compulsory identity system. Australia, New Zealand and the United States are also tinkering with the idea, but are encountering stiff political resistance. Developing countries are rushing to implement ID systems, while across Europe, governments have investigated options for extending the functionality of ID cards. All such initiatives have encountered unforeseen and extremely complex legal, technical and organisational problems.

Such measures have always generated debate over their potential impact on privacy and civil rights. While these are crucial issues, the consequences of the technology are far more wide-ranging and significant. At their heart, the systems invariably pave the way for the joining-up of government and the development of a comprehensive linkage between public and private sector information systems.

The civil liberties argument against ID cards has been debated for more than two decades. Rights advocates have consistently argued that not only will such initiatives turn nations into more authoritarian societies, but they will fundamentally change for all time the relationship between citizen and state, the nature of government, and the character of the nation.

This profound impact is inevitable because the modern ID card is not merely a simple piece of plastic. It is the visible component of a highly complex web of interactive technology that fuses the most intimate characteristics of the individual, with the machinery of state. It is also the means by which legal and administrative powers of government can - in theory - be both streamlined and amplified.

Almost every national ID card system introduced in the last fifteen years has contained three components that have the potential to devastate personal freedom and privacy. To begin, each citizen may be obliged to surrender a fingerprint or retina print to a national database. This information is combined with other personal data such as race, age and residential status. A photograph completes the dossier. Then, in order to give the card the necessary legal gravity, its introduction must be accompanied by a substantial increase in police power. Authorities will, after all, want to demand the card in a wide range of circumstances, and people must be compelled to comply. The most significant, yet most subtle, element is that the card and its numbering system then form the administrative basis for a linkage of information between all government departments. The number is ultimately the most powerful element of the system.

Such a system, linked through tens of thousands of card readers to a central database, is the conventional means of dealing with the problem of counterfeit cards. The technology gap between governments and organised crime has now narrowed to such an extent that even the most highly secure cards are available as blanks weeks after their official introduction. Criminals and terrorists can in reality move more freely and more safely with several fake identities than they ever could in a country with multiple forms of ID.

To make sure people are who they claim to be, the new generation of cards such as those introduced last year in Malaysia incorporate a chip containing the "biometric" - a fingerprint, retina or hand scan - of the holder. The card and the finger are placed into a reader, and the person is "validated". Authorities can access further personal information stored on the chip to confirm the holder's identity. This validation process can be undertaken on the street, in airports, schools, banks, swimming pools or office buildings. For a card to serve the purpose of combating terrorism and identity theft, it would have to be used as a validation mechanism many times a day, in innumerable circumstances.

This sobering outcome is rarely promoted by government. Instead, such initiatives are benignly dressed up as "citizen cards" that guarantee entitlement to benefits and services and which streamline a person's dealings with government. Five years ago, after the last debate in the UK over ID cards, the government quietly buried such proposals when it discovered that a card would cost billions of pounds more than expected, would do little to prevent crime, and may end up becoming a monumentally unpopular initiative.[5]

On the last two occasions that an ID card concept was seriously floated in the UK, it became clear that support for ID cards was patchy at best. The last time around (crime was the issue of the moment), even the Association of Chief Police Officers (ACPO) argued that a card would have little impact on crime and could damage the relations between police and the public.

Times and circumstances change, it is true, but if an ID card was unworkable five years ago, why would it work now? The short answer is that it would not work these days, unless the biometric was added and the whole system was verified through a national database. That is not a card: it is a national surveillance infrastructure.

Identity cards may also contribute to the growth of terrorism and criminality. Last year 36 people were indicted in New Jersey for their part in a criminal enterprise in issuing thousands of fake drivers' licences. Eight staff of the New Jersey Division of Motor Vehicles have so far been arrested.

For a country in which the drivers' licence is the closest parallel to an ID card (a national card has always been unacceptable to Congress), the arrests caused widespread dismay. A spokesman for the Criminal Justice Division of New Jersey told the New York Times that the parking lots of the Division of Motor Vehicles in at least six counties were like "flea markets for illegal documents." One of the departmental staff in Wayne County took payments of $50 to $100 each for some 3,000 licenses.

Corruption from within: for government, it is the scourge that dares not speak its name. Now, despite its intention to strengthen the drivers' licence, the US has lost faith in the integrity of its primary means of identification. Corruption on a similar scale besets most official ID schemes. High demand and huge investment by criminals entice officials to bend or break the rules of eligibility. The same is inevitable in Canada and other countries.

The experience in New Jersey is one of many factors that should temper any government's puppy-like enthusiasm for the potential benefit of an ID card. Ministers imagine an instrument that will curb illegal immigration, eliminate crime and fraud, slash tax evasion and thwart terrorism. In reality, they have embarked on a project that may well intensify and compound these problems.

Consider the practicalities. How would any citizen go about obtaining an ID card? And how would it be different to the way a criminal, terrorist or illegal immigrant would obtain one?

In all of their consultations down the years, western governments have been mute on this central point. Any ID card would probably be issued subject to a personal interview, similar perhaps to the process of obtaining a National Insurance number or a New Jersey drivers' licence. An applicant might attend a meeting with a junior official who would ask mechanically for two forms of ID and a proof of residency. The applicant would be asked a few standard questions, after which the ID card would be formally issued.

Where before they might have carried a copy of a dead person's birth certificate, and maybe a drivers' licence and a savings bank number, the criminals would now possess the ultimate no-questions-asked ID. Maybe more than one such ID.

An ID card is, after all, just a high-value amplification of the primary identity documents presented by its owner. The US administration has perhaps learned that herein resides a fundamental flaw in the notion of the infallible ID card.

Shortly after the September 11 attacks on the US, the FBI announced that at least four of the hijackers had obtained valid US drivers licences. For the Virginia Department of Motor Vehicles, which had been identified as the culprit, it was one of the more sobering moments in its long history. The Virginia authorities embarked on a frantic audit of their application procedures, but reported that there was little they could do to thwart the problem.

Just like all card issuers worldwide, the licensing department had no choice but to rely on standard documents of identity, the validity of which is difficult to determine. Once an applicant had produced a Social Security Number, a passport, a birth certificate, and perhaps a bank account, all the criteria for issuing a licence would have been satisfied. What more could the authority do to establish entitlement for a license?

One unavoidable problem for the Virginia licensing authorities was that in the real world, one basic form of ID is used to obtain another form of ID. Two forms of ID lead to the granting of a third. And so on. There are limits in a free society on the extent to which a government can make demands on the individual beyond requiring the disclosure of these documents.

Even so, the Virginia license authority read out the riot act to its staff, warning them to be especially meticulous in dealing with applications. "Don't annoy our customers", advised senior management, "but do everything you can to identify potential terrorists and 'illegals'". Except for some minor tweaking, the authorisation procedure continued as before, with the primary difference doubtless being that fake IDs will come at a higher price.

But what of those applicants who do not have the necessary documents? What a gift for corrupt civil servants or contract staff in search of extra cash. Corruption among the ranks of civil servants is a fact of life. Following a two year inquiry, the New South Wales Independent Commission against Corruption in Australia revealed in 1992 that corruption in the civil service had reached "epidemic and endemic proportions".

The scenario is made worse by the prospect of the ID scheme being outsourced to a private company, or - even worse - loaded onto an already overworked government agency.

Governments may choose to ignore the threat of corruption in the ranks of the issuing entity, but the banks are not so naive. They adopt a "threat model" that assumes a corruption rate of between one and two per cent of staff.

Even without the prospect of official corruption, the technology gap between governments and organised crime has now narrowed to such an extent that even the most highly secure cards are available as blanks weeks after their introduction. Criminals and terrorists can in reality move more freely and more safely with several fake "official" identities than they ever could in a country using multiple forms of "low-value" ID such as a birth certificate.

Criminal use of fake identity documents does not necessarily involve the use of counterfeiting techniques. In 1999, a former UK accountant was charged with obtaining up to 500 passports under false identities. The scam was merely a manipulation of the primary documentation procedure.

It is worth considering some inevitable formulae that apply across the board to the black-market economy. Whenever governments attempt to introduce an ID card, it is always based on the aim of eliminating false identity. The higher the "integrity" (reliability and accuracy) of a card, the greater is its value to criminals and illegal immigrants. A high-value card attracts substantially larger investment in corruption and counterfeit activity. The equation is simple: higher value ID equals greater criminal activity.

When such schemes are introduced in the current climate, three outcomes are inevitable. First, a high security ID card will become an internal passport, demanded in limitless situations. Don't leave home without it. Second, millions of people will be severely inconvenienced each year through lost, stolen or damaged cards or - more potentially devastating - through failure of the card's computer systems or the biometric reading machinery. Finally, as research by Privacy International has shown, the cards will inevitably be abused by officials who will use them as a mechanism for prejudice, discrimination or harassment. This latter point was addressed by the UK High Court in 1954 when it outlawed the wartime ID card.

Other countries have also reached this conclusion. No common law country has ever adopted an ID card. When a national card was proposed in Australia in 1986, the idea was hastily scrapped after the biggest public campaign of opposition in recent history. The New Zealand public has responded with similar vigour, while the United States has traditionally opposed national cards.

Their fears are well founded. Over the past eighteen months in particular, national leaders in both hemispheres have affirmed with surprising gusto that the pursuit of a safer society must prompt a reassessment of individual liberties and privacy. In other words, creating a substantial increase in the right of the state to place controls on all citizens, and shifting the default in favour of comprehensive surveillance over the population. It is the identity card that has become the most blatant manifestation of this push for greater surveillance.

Cost is yet another consideration. Five years ago the UK government estimated that the overall cost of manufacturing and managing a card would be around 20 pounds per head. The baseline cost of a biometric card these days will run to at least 45 pounds. This adds up to an expenditure in excess of two billion pounds. This figure will treble when the cost of computer system modification, biographical registration and private sector compliance is added. The Canadian Privacy Commissioner recently estimated that the cost of a national card in his country would be close to five billion dollars (Canadian). Based on UK and European figures, Privacy International estimates that a Canadian card will cost in excess of $7 billion.

The idea of a national ID card is superficially attractive, but many countries have discovered that the technology creates more problems than it solves. ID cards have always served as a sexy political response to a crisis, but a quick scan of countries with ID cards shows that their introduction in recent times usually creates a range of unforeseen administrative and social complexities. Thailand, which introduced its first ID card in 1989, is still ironing out fundamental problems after all these years.

No government has yet been able to identify any country where the presence of a card has deterred terrorists. To achieve such an outcome, a government would require measures unthinkable in a free society.

Governments thus face a difficult choice. Either they introduce a high security biometric card that will challenge every tenet of freedom, or they introduce a low or medium security card that will soon be available to criminals and terrorists on the black market.

The biometrics hoax

All independent research studies have highlighted a huge gulf between the claims made by biometrics vendors, and the outcome of controlled testing.

A recent study by the US Department of Defense found that iris recognition did better than most technologies, but one manufacturer's claim of a 0.5% false identification rate ballooned to 6% during the DOD tests.[6]

A report issued by the US General Accounting Office in November 2002 [7] reported that the largest iris scanning system currently in use had only 30,000 records. Such a small system will perform in a far different way to one involving millions or tens of millions of records.

The GAO warned that it was "unknown" how a system with many millions of records would perform. A report from the National Institute for Science and Technology[8] concluded that it had insufficient records and data to determine whether iris recognition was an accurate identifier.

The fundamental problem for the accurate functioning of biometrics rests with the relationship between a person's unique biometric, and the numbers of other identities it is matched against. This is a matter of simple mathematics. If a biometric scan of an eye or a fingerprint is matched one-to-one against the same scan that is recorded onto a card, the chance of an accurate match is extremely good. The margin of error can be set to a very sensitive level (say, to within plus or minus one per cent). However, if that scanned eye is matched against, say, one hundred other identities (one-to-many matching), the margin for error must be widened. Otherwise, the instances of false rejection will be unacceptable. If an eye scan is matched against a national database, as proponents of the Canadian system have suggested, the margin for error would be so wide as to make the system worthless.

It is, therefore, mathematically and technically impossible to build and operate a national database of biometric identities without creating an inevitable false rejection on almost every occasion that a person uses the system.
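The scaling behind the one-to-one versus one-to-many distinction can be made concrete. The following Python sketch is an added illustration, not part of Privacy International's submission; it assumes every comparison against another person's record is an independent trial with the same false-match rate. The 0.5% and 6% rates, the 100 identities and the 30,000 records are figures quoted in the text (treated here, as an assumption, as per-comparison rates); the 30,000,000 gallery and the 1% system-wide target are assumed values.

```python
import math


def _check_rate(rate):
    """Reject rates outside [0, 1); a rate of 1 would make log1p undefined."""
    if not 0.0 <= rate < 1.0:
        raise ValueError("rate must be in the range [0, 1)")


def prob_any_false_match(fmr, gallery_size):
    """Chance that one probe wrongly matches at least one of N other records.

    Computes 1 - (1 - fmr)^N with log1p/expm1 so tiny rates stay accurate.
    Assumes independent comparisons (a simplification, see lead-in).
    """
    _check_rate(fmr)
    if gallery_size < 0:
        raise ValueError("gallery_size must be non-negative")
    return -math.expm1(gallery_size * math.log1p(-fmr))


def required_fmr(target_system_rate, gallery_size):
    """Per-comparison rate needed to keep the system-wide rate at the target."""
    _check_rate(target_system_rate)
    if gallery_size < 1:
        raise ValueError("gallery_size must be at least 1")
    return -math.expm1(math.log1p(-target_system_rate) / gallery_size)


def expected_false_matches(fmr, gallery_size):
    """Average number of wrong candidates returned per search."""
    _check_rate(fmr)
    return fmr * gallery_size


def scaling_table(rates, sizes):
    """Rows of (rate, size, P(any false match), expected false matches)."""
    return [
        (r, n, prob_any_false_match(r, n), expected_false_matches(r, n))
        for r in rates
        for n in sizes
    ]


# Rates quoted in the text: 0.5% vendor claim, 6% measured in the DOD tests.
RATES = [0.005, 0.06]
# 1 = one-to-one check against the card; 100 and 30,000 appear in the text;
# 30,000,000 is an assumed national-scale gallery.
SIZES = [1, 100, 30_000, 30_000_000]
TARGET = 0.01  # assumed acceptable system-wide false-match rate

if __name__ == "__main__":
    print(f"{'rate':>8} {'records':>12} {'P(any false match)':>20} {'expected':>12}")
    for rate, size, p_any, expected in scaling_table(RATES, SIZES):
        print(f"{rate:>8.3%} {size:>12,} {p_any:>20.6f} {expected:>12,.1f}")
    print()
    for size in SIZES:
        needed = required_fmr(TARGET, size)
        print(f"records={size:>12,}  per-comparison rate needed for "
              f"{TARGET:.0%} overall: {needed:.3e}")
```

Tightening the per-comparison rate to the levels in the second table means demanding a closer match from every comparison, which is what drives up rejections of genuine card holders.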

Data matching elements of the ID scheme

The automated sharing of data across organisations can impose substantial risk to individuals, to the reliability of information, professional effectiveness and integrity, organisational reputation and society at large.[9]

Data matching amongst multiple agencies is a complex and often unachievable goal. A successful matching programme involving multiple sources will require a highly sensitive and rigorous meshing of core conditions. Among these are a precise framework of definitions, a back-up or alternate system of equal integrity and a set of interlinking codes and practices that ensure that information does not degrade or mutate.

It can be assumed that the threat to the reliability of data will increase markedly as a matching programme moves from a simple partnership to a multiple conglomerate. It can equally be assumed that a matching programme will consistently fail if it relies on inferential or "soft" data elements.

For some years organisations have been fixated on the idea of converged or "joined-up" data resources. This poses grave threats to the security of data. It also introduces the inevitability that data will be lost, misinterpreted, mutated or abused. Multiple-agency access to sensitive data greatly increases the potential for misuse of information, either through corrupt disclosure or lapses in security.

Security threats rise exponentially according to the expansion in the number of data uses beyond the "first generation" source. A simple two-agency partnership involving raw "hard" data stands a greater chance of maintaining its security and integrity. The reliability of data and the threats to its security vastly increase with each new application of the data.

Agencies using a multiple source matching system can encounter significant information overload. This is particularly so in the case of health, welfare and child protection, where the need to corroborate, confirm and sift data to determine correct identities and events can create greater threats and a more onerous workload than existed in a manual system.

Data matching also creates a threat to the internal evolution of organisations. This is particularly so in areas of activity that require constant change and evaluation, such as exists in areas of education and health. A matching regime can become the centre of gravity, stifling the evolution process and creating unnecessary threats to the stability of organisational relationships and to the relevance of procedures.

Identity cards and Identity theft

At first sight, it appears logical to argue that a high integrity identity system will help combat identity theft. There is, however, a substantial body of evidence to demonstrate that the establishment of centralised identity can increase the incidence of identity theft.

The clearest example of this relationship exists in the United States, where the Social Security Number has become an identity hub and a central reference point to index and link identity. Obtaining a person's SSN provides a single interface with that person's dealings with a vast number of private and public bodies. Hence the level of identity theft in the US is disproportionately high.

This situation applies equally in Australia, where the introduction of a Tax File Number has also increased the incidence of identity theft beyond the levels experienced in the UK and other countries that lack such a central numbering system.

The key element that supports identity theft is the widespread availability of a central number, linked to a range of personal information. Consumer groups in the US have recently criticised the Senate Banking Committee for failing to take action to reverse this trend. The Consumers Union argues that identity theft will continue to rise until the relationship between the SSN and the publication of personal details in the finance sector can be reduced.[10]

Cost

Our estimates of the overall cost of a Canadian national ID card are based on a full set of criteria. These include, but are not limited to:

•       Establishment of a full IT infrastructure

•       The cost of the cards themselves, together with an estimated three replacements in the life of the card

•       Public and private sector compliance

•       Training

•       Biographical registration processes

•       Establishment of alternate and backup systems

•       Card reading machinery

•       Data matching provisions

•       Costs relating to regulatory procedures

•       Operating costs, including maintenance and operation of the infrastructure

•       Additional staff costs

•       Data matching systems related to registration and operation of the system

In its recent consultation paper on the introduction of "Entitlement Cards" the UK government estimated that the baseline cost of a smart card with biometrics would be approximately 3.2 billion pounds (7.2 billion CAN).

This figure should be amended to reflect Canada's smaller population (approximately fifty per cent that of the UK). A margin of ten per cent should be added to represent the less favourable economies of scale.

Thus, on the parameters of UK official baseline estimates, the Canadian card will cost $4 billion (CAN).

However, the UK estimates did not include a number of key costs. These include:

•       Cost of three replacements in the life of the card

•       Private sector compliance

•       The full cost of biographical registration processes

•       Establishment of alternate and backup systems

•       Costs relating to regulatory procedures

The most accurate private sector compliance costs have been calculated by Australian industry groups, who estimated that private sector compliance would amount to at least fifty per cent of the total operational cost of the card system.

Backup systems, which would be required as a core design element of the card system, would add a further twenty per cent to the overall cost.

Additional and replacement cards would involve a cost component of approximately thirty per cent of the initial registration and administration cost.

Together with other categories, this results in a combined cost of $7 billion (CAN) for a national ID system.



[1] http://news.bbc.co.uk/1/hi/technology/3003571.stm

[2] See http://www.silicon.com/news/500013/1/6129.html

[3] Risks of National Identity cards; Communications of the ACM No 44, 12th December 2001 http://www.csl.sri.com/users/neumann/insiderisks.html

[4] Biometrics: Uses and abuses; Communications of the ACM, No 42, 8th August 1999 http://www.csl.sri.com/users/neumann/insiderisks.html

[5] Many of these aspects are detailed in Privacy International's ID card pages at http://www.privacyinternational.org/issues/idcard/index.html

[6] See BBC story at http://news.bbc.co.uk/1/hi/technology/3003571.stm

[7] See the GAO's report on border security at http://www.gao.gov/new.items/d03546t.pdf

[8] See report at http://www.itl.nist.gov/iad/894.03/NISTAPP_Nov02.pdf

[9] See Roger Clarke's paper "Computer Matching by Government Agencies: The Failure of Cost/Benefit Analysis as a Control Mechanism" at http://www.anu.edu.au/people/Roger.Clarke/DV/MatchCBA.html

[10] See Consumers' Union statement at http://www.consumersunion.org/pub/core_financial_services/000407.html