The controversial Identity Cards Bill is starting its Committee stage in the House of Commons today. There is another Committee session due on Thursday and it will all be completed by Thursday 27th January 2005, a scandalously short time allowed for amendments and debate on such a complicated and controversial Bill which seeks to fundamentally change the trust relationship between the government and the people of the United Kingdom.
The list of Amendments which have been tabled up to and including today Tuesday 18th has been published - 184 amendments so far!
- 1 Labour Government amendment
- 2 Labour amendments
- 82 Conservative amendments
- 70 Liberal Democrat amendments
- 27 joint Liberal Democrat and Conservative amendments,
- 2 new clauses tabled by the Conservatives
Let us know if we have miscounted the number of amendments in each category, but it gives an idea of how complicated and controversial this Bill is. It is self evident how little detailed scrutiny of the Identity Cards Bill there can possibly be by MPs before the 27th January deadline.
Despite this large number of amendments, there are some astonishing ommissions, e.g. there is no amendment which addresses the apallingly draughted 31 Tampering with the Register etc.:
31 (3) (b)
"where it makes it more difficult or impossible for such information to be retrieved in a legible form from a computer on which it is stored by the Secretary of State, or contributes to making that more difficult or impossible."
This now threatens any Civil Servant, perhaps working in one of the thousands of Registration and Enrolment centres that will be needed, with up to 10 years in jail if they participate in any otherwise legal industrial action, such as going on strike or working to rule.
Similarly, any IT contractor who makes a mistake, which affects the service level availability, such as that which happened recently to 60,000 desktop computers at the Department for Work and Pensions, will also be subject to the same astonishingly stupid clause.
Presumably this is the Home Office's amateur attempt, to condense into a single sub-clause, some infinite power or other to deal with deliberate Denial of Service attacks. This is a very complicated legal concept which deserves its own statute or at least a whole section of a revised Computer Misuse Act, so as to be applicable to far more important Critical National Infrastructure systems where people's lives are at risk e.g. air traffic control systems, medical systems, nuclear power station control systems etc., rather than the National Identity Register.
The line between "normal" service, and deliberate "Denial of Service" , taking into account "normal" queues , peak hours, weather conditions etc etc. is not at all clear, and the
Home Office was totally clueless when it came to the Computer Misuses (Amendment) Bill of 2002, sponsored as a private member's Bill by the Earl of Northesk, which tried to raise some of these issues, albeit in an unsatisfactory way.
Given that the Government plan seems to be to license private sector companies, e.g. the financial credit reference bureaux to have access to the National Identity Register, then this wretched clause also applies a fine or 10 years in jail penalty to employees of those these companies, even if it is only their computer systems which fail, or there is a technical or industrial action problem with say and intermediate telecommunications service provider, even if the core National Identity Register is working fine.
The same is also true of any other Government departments or agencies e.g. the National Health Service, which get Parliamentary approval to make use of the National Identity register database - any failure of their IT systems, or industrial action by their personnel, which "makes it more difficult or impossible for such information to be retrieved in a legible form from a computer on which it is stored "
will also attract up to 10 years in prison, even if the core National Identity register is working perfectly ok.
The subclause (2) "is reckless as to whether or not his conduct will cause such a modification;" could also catch out large sections of the Computer Software and Hardware and Services industries, who might be tempted to accept contracts to supply the National Identity Register.
Commercial contract law "get out clauses" and "End User Licence Agreements" can be applied to financial penalties and liquidated damages, but they cannot be used to exempt employees or directors of companies from this bit of Criminal Law i.e. fines and up to 10 years in prison for supplyiing less than perfect computer systems - an impossible task.
Will any IT supplier actually be stupid enough to risk accepting a National Identity Register contract ?
Similarly, there are no amendments which adress 13 Invalidity and surrender of ID cards (8) (a)
" In this section—
(a) references to a card having been damaged include references to anything in or on it being, or having become, unreadable or otherwise unusable; and"
This is an iniquitous clause, which attempts to shift all the blame and risk of malfunctioning or sub-standard smart cards or smart card biometric readers, or any part of the IT network infrastructure, onto the poor citizen, rather than on to the manufacturer or operator or Government where it belongs.
How is an ordinary member of the public, without their own private fully security compliant , Biometric reader, meant to be aware of a damaged or otherwise unusable ID card ? They face the risk of up to 51 months in prison and/or a fine of up to £5000 and have no control or consumer rights, despite having paid upwards of £80 for the item.
There are many possible scenarios where an ID Card which has not been tampered with fails to be read by a particular reader device correctly e.g.
Failure of a finger print scanner due to excessive oil and salt deposits at an airport after several hundred passengers who have been nibbling on "free" packets of peanuts etc. Have been processed.
Perfectly legal radio interference on the licence free Industrial Scientific and Medical radio frequencies which are used by RFID chips and contacless smart cards – there is no comeback from the Radio Communications Agency, since the equipment manufacturers and operators of the Scheme have not paid say £20 billion like the Mobile Phone networks have, for exclusive use of a portion of the radio spectrum.
Future "upgades" to reader hardware or software could easily render some or all ID cards unreadable, again with all the "blame"” being put on the innocent citizen. c.f. the recent disaster at the Department for Work and Pensions as a result of an out of control software update.
"Year 2000 Millenium Bug" type problems caused by incorrect time synchronisation and expiry of Digital Certificates etc,
The stupid wording "anything in or on it having become unreadable or otherwise unusable" wording of this clause also makes it an offence when the Government has to revoke or disable an ID Card because of a security breach which has nothing to do with the innocent citizen.
Smart Cards, just like credit cards, will suffer from normal "wear and tear" and the budget should take into account the expected rate of failed or sub-standard cards.
Under the Sale of Goods Act, ID Cards, for which the individual member of the public will have had to pay upwards of £85 or more, should be "fit for purpose" and should be replaced for free if they fail to be read and have not been deliberately tampered with.
There are no amendments about Schedule 1 (1) Personal information which lists controversial personal information such as address and gender, and all prvious addresses and previous genders, which is more than what is required for the Violent and Sexual Offenders Register and which are not strictly necessary for a biometric identity system.