After over 2 years delay, the Home Office has finally published a Draft ID Cards Bill and Consultation document (.pdf) ?Legislation on Identity Cards: a consultation
Here are a few immediate points of concern, no doubt more will emerge upon further study:
NO ! NO ! NO! - this turns the ID card into a potential Genocide or Apartheid Card. How easy would it be to produce an address based arrest or vigilante hate list of everybody with "Mohammed" in their name ?
There is no justification for including Address information on the ID Card or on the central database.
Apart from the thousands of people of no fixed abode, the ?1000 fine for not having "accurate and up to date" information in the system is evil.
40% of the electoral roll changes each year in London, with 25% in other major cities. Are people going to be stung for another ID card fee and and another day stolen from their holidays or earnings to re-register every time they change address ?
Gathering up into a central target and potentially disclosing the addresses of battered wives and children, victims of sexual abuse, Confidential Human Informants, members of the police, prison or security services etc. must be a bad idea and will put people's lives at risk. People in these categories refute the canard of "nothing to hide, nothing to fear".
There should be no special categories or exemptions, no address information should be held on the system.
The requirement to register your current address, and all other addresses, and all previous addresses, is actually potentially more stringent than the change of address notifications which are imposed on people on the Violent and Sexual Offender's Register. Offenders (ViSOR) only might be photographed or fingerprinted, everybody on the National ID Register will be photographed and fingerprinted and possibly have other biometric details taken e.g. iris scans as well, for the rest of their lives (unlike offenders on ViSOR)
Even the Home Office's own Entitlement Card focus group research showed that Address information was the most contentious issue, especially amongst ethnic minorities.
What are the procedures when someone dies ?
How are people going to authenticated as being dead ?
Where are the criminal penalties to safeguard against corrupt petty officials or another Dr. Harold Shipman from fraudulently signing a death certificate when someone is alive, and causing their existing Passport or ID Card to be flagged as no longer valid ?
There are over 30,000 "zombies" in India who are in this situation where their relatives have had them declared legally dead, in order to steal their property.
31 Tampering with Register (surely they mean "the Register" ?)
Amending Section 3 of the Computer Misuse Act 1990 is a waste of time. The whole CMA needs to be reformed (it predates the popularity of the Internet and the World Wide Web).
It is probably a Good Idea to create a class of Critical National Infrastructure computer and telecomms systems with harsher penalties if these are attacked, but also with penalties for the operators amd managers, company directors, civil servants and Ministers in charge of these systems if they fail to spend enough money and resources to maintain them at state of the art security patch levels.
However, the vague, undefined wording about a category of computer system called a "National Identity Register" computer with a harsher than standard penalty of 10 years in jail, is meaningless and open to misinterpretation. Do they mean the actual core servers and infrastructure, or does this also include the peripheral data entry or enrolment terminals, or the entire Internet Virtual Private Network in between ?
There is no acknowledgement or thought of Denial of Service attacks which do not alter any data but which would have a devastating effect on the ID Card system.
National Identity Scheme Commisssioner
If his annual reports can be censored, and, it would seem he has no powers or budget or staff to investigate complaints from the public, then Sir Swinton Thomas (if he really exists), the "invisible" Interception Commissioner might as well be doing the job .
It is to be welcomed that a full audit trail is to be kept, including who has asked for ID information about an individual.
If, as has been claimed, the system is to reduce the number of racist or unfair police "stops and searches" then the individual must have access to the full audit trail in order to show that they have beenn harrassed unecessarily.
The deliberate Data Protection Act delay of 41 days to reply to a Data Subject Access request should be sufficient for any tactical policing issues e.g. an imminent arrest, to be irrelevant in acceeding to such a request.
29 Unauthorised Disclosure of information
Why does the Official Secrets Act not apply to this scheme ?
Surely the ID Card data must be considered to be Protecively Marked material at the level of Confidential or Secret or higher classification ? i.e. must not be sent unencrypted via internet email etc.
Does the 2 years in jail for anybody working on the National ID Register who discloses information, also appy to any systems design or architecture information as opposed to passwords or individual citizen's data records ?
The defence of "he believed, on reasonable ground, that he had lawful authority to make the disclosure in question" is an evil clause and should be struck out. Either someone is properely authorised or they are not. There should be no discretion in the matter, and if it means that the Home Secretary has to sign to authorise each disclosure, then so be it. If there is no proper chain of command and authorisation structure, then the scheme should never be started.
Does this actually make this ID scheme incompatible with ICAO Biometric Passports, by prohibiting the system from being linked with other national government's Passport or Border Control systems ?
Possession of counterfeiting equipment:
The same mistakes as were made with the Mobile Telephone (Re-programming) Act 2002 are being repeated with respect to posssesion of "dual use" computer, smartcard reader or printing equipment.
In whose opinion, exactly, is a particular computer etc. deemed to have been "designed or amended" to produce counterfeit ID documents ? There should be no such discretion or intellectual burden left to the opinion of a police officer - they simply do not have a clue as to the technology.
20 Disclosures without consent of a registered individual
It is good to see that the Home Office has not made any provision for Data Sharing or Disclosure without consent to foreign governments e.g. it will make it llegal to share ID Card data data with the controversial CAPPS 2 passenger information system in the USA. Obviously there is the "voluntary" aspect of travelling to the USA, where you could be deemed to have given permission to share this data, but the other , more controversial areas, where the USA authorities have full access to passenger lists etc of flights which are not even going to the USA, but are operated by carriers who do so, should, in theory be illegal and punishable by up to 2 years in jail. Is this really what the Home Office intended ?
The definition of "fingerprint" is unclear - does it mean one finger, if so, which one, or all ten digits ?
There is no mention of preferential treatment for veiled Muslim women, or any other group in the Bill. Stupid media leaks and disinformation !