Some lowlights of the fifth day of the House of Lords Committee stage debate on the Identity Cards Bill 2005 on Wednesday 14th December 2005:
Baroness Scotland of Asthal:
Amendments Nos. 142 and 143, in the name of the noble Earl, Lord Northesk, would have the effect that the ID card would not be able to contain any information of which the individual to whom the card was issued was unaware and would not be able to contain any information in an encrypted form. I assure your Lordships that we have no intention of storing identity information on the ID card that is not known to the individual. There will be some technical information on the card's chip that we do not envisage revealing in explicit detail to the individual. Such information concerns the card's security features and its ability to be read by specific card readers—and the reasons for that are absolutely clear. But that information certainly contains no additional identity information and, if I may respectfully say so, that
14 Dec 2005 : Column 1260
technical data is nothing new. Such features are absolutely common in the use of credit or debit cards today and are central to how the cards function.
The encryption of information stored on the ID card is necessary to ensure that data on the card's chip is secure and that approved readers alone are able to access it for clearly designed purposes. For example, without encryption the ID card would not meet International Civil Aviation Organisation standards for basic and enhanced access control to information on the chip of the card, and therefore would not be valid for travel. Additionally, without encryption, the possibility of implementing remote authentication technology with a potential of combating identity fraud for those using the Internet would be lost, as important technical information on the chip would be completely unprotected.
With that lucid explanation, I hope that the noble Lord and the noble Earl will be satisfied.
Does the Home Office really not understand the difference between Encrypted data and a Digital Signature ??
Baroness Scotland has just mislead Parliament by claiming that the ICAO Machine Readable Travel Document specifications require "encrypted data", - they do not. Indeed the lack of a requirement for encrypted RFID communications channels is one of the major security criticisms of those specifications.
The whole scheme would be better if there was the
standard Smart Card facility to generate a public/private encryption/digital signing key using tcryptographic hardware on the chip, and stored nowhere else, exactly like billions of Mobile Phone SIMs do. This might make the scheme of some use in preventing online fraud etc. but this is not what the Home Office is planning, unlike the ID Card schemes in other countries.
There will be no open access to information on the register. Private companies will not be able to access or buy National Identity Register entries. However, with the consent of the ID card-holder, banks or other approved businesses will be able to verify identity by checking an ID card against the National Identity Register. This will mainly involve confirming that the card is valid, has not been reported lost or stolen, and that the information shown on the card is correct. It could also allow identity information not shown on the face of the card, such as address, to be provided, but, again, only—I repeat, "only"—with the consent of the card-holder.
The card-holder's biometric may also, with his consent, be confirmed against the biometric held on the National Identity Register. However, there is an important caveat: Clause 14 specifically prevents fingerprints or other biometric information being provided from the register to a private sector organisation, even with the consent of the individual. The clause also prevents administrative information that is not related to confirming identity, such as an ID card-holder's record history, being provided to a private sector organisation again, even with the card-holder's consent.
How exactly does clause 14 do this ?
If a biometric scanner in a private company e.g. an airline hotel or car rental agency, either in the UK or overseas, asks for you to confirm your ID Card identity via a fingerprint scanner etc. ("because the equipment is designed to deal with a wide range of foreign ICAO Passports and ID Cards"), is Lord Bassam saying that they will not be able to verify against the NIR biometrics ?
Even if all that they are allowed to verify is the name , address and validity of the ID Card, they will still have a copy of your biometrics as well, from their own scanner, if not from the NIR !
Where is the prohibition for multi-national companies e.g. British airways, Avis car rental, Vodaphone , Hilton Hotels etc from using their internal data networks to use their UK offices which have signed up to the Verification services to effevvtively export such data anywhere else in the world ?
Commercial logic dictates that such companies will try to create their own Biomettic Databases, so that they only have to pay the minimum number of NIR fees to the Government i.e. once per customer initially for the lifetime of the Card.
The Earl of Northesk: withdrew his amendment which sought to corrected the utterly unfair situation whereby a faulty ID Card is deemed to be the fault of the holder, not the supplier of the smart card or of any faulty biomteric reader equipment which damages it. Replacement cards under such circumstances will not be free issue !
This will make people even more reluctant to use these ID cards, for fear of damaging or losing them.
Incredibly, for a Government so dead set on using Biometics, they are missing an opportunity. If Biometrics work and only the registered user can make use of a lost or stolen ID Card, then there should be no objection to issuing two ID Cards a normal one and a spare copy. The additional cost at enrolment would only be that of the spare SmartCard itself a couple of pounds at most.
Many people are already rightly worried about losing trheir Passport when travelling, as avoiding the bureaucratic hell that this leads to is more valuable than the amount of money they usually carry about their person.
Of course, under Tony Blair's new plans for reducing the limit down to only £1000, that the Asset Recovery Agency can confiscate even if you have not been convicted of a crime, will make travelling on holiday with your family's spending money a worrying business anyway.
Baroness Scotland of Asthal:
In addition, I should make it clear that an individual gives consent to only one verification at a time. You cannot give blanket verification to an agency. You say, "I will allow you to verify my name and address for this singular transaction". Those who have that verification will get that information verified to them on that occasion. If they then want another transaction, the individual would have to give consent. It is very similar to the procedure with banks and others: we have to give—I will use the noble Lord's word—"express" and informed consent. I hope the noble Lord will see that this amendment would therefore be unnecessary.
If the "gold standard" is such a good idea, why does no modern currency or financial system rely on it any longer ?
Baroness Scotland of Asthal:
Over time the identity card will become the gold standard way of proving identity throughout the United Kingdom.
Why is all this alleged detail of the scheme only coming out in dribs and drabs during this debate ?
Why is there no public document describing, step by step, how the Home Office's scheme would work in practice, to the same level of detail or more, as the alternative prroposal by the London School of Economics ?
Or are they just making it up as they go along ?
Baroness Scotland of Asthall:
The noble Lord, Lord Phillips, was troubled earlier about why we have to ask for both ID card and other evidence. I should like to clarify the position because it feeds into this debate. It may be necessary in some circumstances to check that the person with the card is really the holder and not, for example, his identical twin or an impostor. There are a number of identical twins and we may therefore ask, for example, for a PIN number. We envisage that individuals will have a PIN number which they can use to verify that they are who they say they are, or we may use a biometric, such as a fingerprint, to obtain confirmation.
There was a
†Identity Cards Bill—House to be again in Committee [The Baroness Scotland of Asthal] [5th Report from the Delegated Powers Committee]
[It is expected that the Committee stage of the Identity Cards Bill will conclude]