The House of Lords, has further defeated the Government by passing a couple of Opposition amendments during the last day of their Report Stage consideration of the Identity Cards Bill 2005.
The role of National Identity Scheme Commissioner will, if these amendments stand, be widened somewhat, and the annual report will go to Parliament rather than to the Home Secretary.
We missed whether or not the amendment setting up a Technical Advisory Board like that set up under the Regulation of Investigatory Powers Act passed or not.
"Amendment 100 - Leave out Clause 31" was "not moved"
The Earl of Northesk did make a strong case for leaving out Clause 31 Tampering with the Register etc,
Either the Computer Misuse Act is sufficient protection , or the proposed amendments to the CMA in the controversial new Police and Justice Bill, which increase tthe maximum penalties to 10 years in the same way as Clause 31 does, are sufficient. These penalties apply or would apply to all computer systems , not just the National Identity Register.
Baroness Scotland made a another verbal assurance that neither Civil Servants going on strike , nor IT Contractors who made a mistake would fall foul of the dubious
"(b) where it makes it more difficult or impossible for such information to be retrieved in a legible form from a computer on which it is stored by the Secretary of State, or contributes to making that more difficult or impossible."
Baroness Scotland's claims that it would not apply to "temporary" situations, flies in the face of the wording of the Clause 31 which specifically says
"(9) In this section- "conduct" includes acts and omissions; and "modification" includes a temporary modification."
The words of a Government Minister during a debate in the House of Lords carry no legal authority, and they are not taken into account in a Court. It is only what is written "on the face of the Act" which can be interpreted.
Only when there is some doubt about the meaning of a phrase, does Hansard get consulted, and "the sense of Parliament" may be considered. However, this is not done by a Magistrates Court or a Crown Court, but only after conviction on Appeal, or if leave has been given for an expensive High Court Judicial Review.
The "sense of Parliament", given that today has been the first actual debate on Clause 31 in all the sessions of the Commons and the Lords ,on two identical Clause 31 in the old 2004 Bill and the current 2005 Bill, is that they have no "sense".
What was not mentioned by either side was that Clause 31 will also have an effect on the use of encryption,.
Encryption can make things "more difficult of impossible", as it inevitably needs more computer processing power, and involves more complicated human administrative procedures, especially regarding cryptographic key changes. It is deliberately designed to make things illegible
Arguably Clause 31 precludes the the use of any encryption whatsoever, even if the system is only designed to work in an encrypted manner, with no unencrypted modes of operation, which is what we would expect from the National Identity Register.
More obviously, it affects the use of any third party encryption wrappers or tunnels over which the Home Office does not have direct control or access to the cryptographic keys. Very often, the ID Card holder will have no control over such cryptographic session keys either.
This would therefore make illegal (punishable by up to 10 years in prison and / or an unlimited fine), the use of:
- Encrypted web browsing SSL./TLS sessions, e.g. with the proposed "web portal" for looking up your NIR details and perhaps initiating Change of Address detail changes etc.
- GSM and 3GPP mobile phones - these are all encrypted normally between the handset and the Cell Base Station transmitter, but this encryption can be switched off to use a "null cipher" at times of heavy load on the network.
- Virtual Private Network encrypted tunnels ,
- WIFi wireless local area networks (admittedly many of these are not encrypted by default, but every security expert recommends that they they should be)
All this affects not just the core NIR systems, but any authorised "gateways" connected to it, i.e. the 265 Government departments and the 44,000 private sector organisations which the Home Office's Procurement Strategy Market Sounding document estimated would need to be "accredited" to use th NIR.
We are disappointed, but not surprised that the Home Office and Parliament has failed to see the unintended consequences of this badly draughted Clause 31.
On the other hand, perhaps more people in the IT industry will now join the cross party NO2ID Campaign in condemning this Bill, as a result.