Corporate identity - new scandal over ID cards

The government could be warming up for another big scandal over ID cards, according to a new report, Corporate Identity – a critical analysis of private companies’ engagement with the identity cards scheme.

Submitted by Steven. on February 12, 2006

It looks at which companies are involved, their records, the government’s record in outsourcing IT projects, and what the IT industry thinks of the ID cards scheme.

The report, by Corporate Watch, can be downloaded here:
http://www.corporatewatch.org.uk/download.php?id=40

Companies previously involved in IT disasters are lining up to bid for contracts under the ID cards scheme. They include:

* EDS, of Child Support Agency fame, which last year had to pay out £71m compensation to HM Revenue and Customs over the catastrophic introduction of the tax credits scheme.

* Siemens Business Services, responsible for the Immigration and Nationality Directorate computer system, which was supposed to speed up processing asylum applications, but was scrapped in 2001 after costing around £80m.

* Atos Origin, which built the NHS e-booking system and also ran the biometric registration trial scheme in 2004, which was quietly buried. After registering and verifying biometrics in a large-scale real-life scenario it encountered major problems, particularly with disabled participants, some of whom were unable to register any of the 13 biometrics.

* Unisys, involved in introducing a national ID card system in Panama. The four-year contract was terminated in 2002 after security breaches led to a Colombian man being found with 500 blank high-tech digital cards, and the company admitted having 30,000 more cards which should have been handed over to the government.

A Unisys executive told the Guardian last year, ‘A national ID card for the UK is overly ambitious, extremely expensive and will not be a panacea against terrorism or fraud, although it will make a company like mine very happy.’

Companies, including Microsoft and QinetiQ, have expressed serious doubts over both the security of the planned National Identity Register and the capabilities of biometric technology. Former chair of QinetiQ, Dame Pauline Neville-Jones, pointed out just how overambitious the scheme is, ‘The requirement for 100 per cent accuracy is huge and I don’t think we’ve ever seen a system which is 100 per cent accurate.’

Companies can’t take all the blame, however. Poor planning and mismanagement by government departments and the lack of transparency in government IT procurement are a large part of the problem.

But surely problems can be avoided by proper drafting of contracts? In an ideal world, maybe, but the writing of public-sector technology contracts itself is currently contracted out. ‘The government has no lawyers who deal with technology procurement.’ according to a specialist technology lawyer quoted in The Lawyer magazine, who went on to add, ‘The government is the dream client.’

Obviously, there are more issues around corporate involvement with the ID cards scheme than are covered in the published report. One of these is profiteering. When a company or government body makes part of its money from selling the data it administers, the incentive to sell can be stronger than the obligation of privacy. This was exposed in November 2005 in the case of the Driver and Vehicle Licensing Agency (DVLA), which was found to be selling drivers’ personal details – including home addresses – to 157 companies including a clamping firm run by convicted criminals1. In March 2005, a Science and Technology Select Committee report into the privatised Forensic Science Service (FSS) questioned the lack of ethical oversight in selling access to genetic data on the police National DNA Database (NDNAD).[2]

In June last year the Independent on Sunday reported that card-holders’ details could be sold to private companies. The Home Office denied this, though Immigration Minister Tony McNulty told the BBC that banks would be able to verify card details against a database – for a fee. But apparently any claim the information would be sold was ‘without foundation’.[3] Privacy campaigners at Spy Blog have also pointed out that there is no criminal sanction in the ID cards bill to prevent ‘fishing’ for information on the NIR.[4] There will be no shortage of potential buyers for data from the NIR - http://silicon.com columnist Martin Brampton reports that the music industry is already starting the queue to gain access to data in order to clamp down on music piracy.[5]

Since writing Corporate Identity, we have heard about another report by industry-funded ‘ID-entity’, which asserts that ‘If the UK decides to pursue [the ID cards scheme] technology will not be the limiting factor.’[6] However, the UK Computing Research Committee (CRC), an expert panel of academics and representatives of the British Computer Society and the Institution of Electrical Engineers, issued a scathing response to the ID-entity report, attacking its assertions on technical feasibilty (‘premature’), and pointing out that without knowing in detail the requirements for the NIR, ‘it is impossible to know if the assertions made here are valid’. Most interestingly, the CRC holds that, whatever the state of existing technology, the NIR needs something different:

‘The UK-NIR will necessarily have a completely different status from existing systems … It will have a fundamental formal and operational status as the basis of citizenship for every individual citizen in the UK. For this reason alone it requires an altogether higher standard of design, specification, implementation, and operation than ordinary database systems.’[7]

So the bad news is that there is more to worry about with ID cards than just the civil liberties and state control issues. But the good news is that, given who’s likely to be running the scheme, they may never get here…

Notes
[1] http://thescotsman.scotsman.com/index.cfm?id=2313242005

[2] Science and Technology Select Committee report ‘Forensic Science on Trial’ March 2005 paragraph 79 www.publications.parliament.uk/pa/cm200405/cmselect/cmsctech/96/9602.htm#evidence

[3] BBC News Online ‘ID card database “not for sale”’ 26/6/05 http://news.bbc.co.uk/1/hi/uk_politics/4624735.stm

[4] Spy Blog 27/6/05 http://www.spy.org.uk/spyblog/2005/06/home_office_ministers_in_pre_2.html

[5] http://Silicon.com ‘ID cards – another reason to protest’ Martin Brampton 29/11/05 http://www.silicon.com/publicsector/0,3800010403,39154616,00.htm

[6] ‘An assessment of the technologies needed for a national identity cards scheme’ ID-entity, October 2005

[7] ‘Comments by the UKCRC on “An assessment of the technologies needed for a National Identity Cards Scheme”’ 9/12/05 http://www.ukcrc.org.uk/resource/reports/UKCRC-IDcards.pdf

By Corporate Watch, and edited by libcom
www.corporatewatch.org.uk

Comments