Can the UK ID scheme be operated securely?

Several people I’ve spoken to recently have remarked that real-time social media like Twitter seem to reduce the frequency with which they blog… and I suspect it’s the same for me. It’s partly because Twitter soaks up time, and partly because it also soaks up some of those spur-of-the-moment ideas and comments which otherwise might have developed into fully-fledged postings. However, looked at the right way, I guess that might also signal a flight to quality rather than quantity of blog posts. Here’s hoping…
But I digress – or whatever a digression is called when it comes at the beginning, rather than part way through.
I’ve just got back from last week’s Burton Catalyst conference in San Diego – an excellent event, by the way, and congratulations to the Burton Group analysts who did such a good job of adding value, both through their own subject-matter expertise and by making introductions and connections so constructively between attendees. Over lunch, I got into a discussion with one of the analysts about the UK National Identity Scheme (NIS), whether or not it was a good idea, and whether or not there are reliable grounds for opposing it. As ever, discussing UK policy while abroad gave a great opportunity to look at it from a different perspective.
The view he expressed was, essentially, that there isn’t a good reason to oppose ID Cards on the basis of their use for e-government service delivery – the benefit of reliable authentication for joined-up government is worth having; however, there’s a risk involved if you suspect that the government lacks the competence to run such a scheme securely, and that risk might outweigh the potential benefit.
There were two other points which we noted and then moved on:

  • first, that there are those who feel the National Identity Scheme is currently unaffordable;
  • second, that cancelling the ‘small, visible, individual plastic card’ component of the system does nothing to mitigate the risk of operating the ‘large, invisible, mass-scale repositories’ component of the system.

So, what of the question of competence? Well, the picture revealed by ComputerWeekly’s FoI requests is not entirely reassuring. They list a number of breaches involving inappropriate insider access to records in the CIS (Customer Information System) database, one of the three major repositories in the Scheme. On the one hand, some breaches are indeed being discovered and those responsible are being disciplined (including dismissal). A DWP spokesman is quoted as saying that “the small number of incidents shows that the CIS security system is working”.
On the other hand, the article questions whether all breaches are actually being noticed (and/or reported), and suggests that many were only discovered after sample checks, rather than through alerts being triggered.
There’s also the issue of how many people have, or will have, access to the data held in the NIS. Currently it stands at about 200,000 civil servants, across 480 local government bodies and a number of central government departments. That figure will increase as data-sharing between the CIS and other departments such as the DVLA (Driver and Vehicle Licensing Agency) is put in place. Interestingly, a case study on the DWP’s own website gives this description of the DVLA’s ‘purpose of use’ for access to the CIS:

“to confirm receipt of higher rate mobility component of Disability Living Allowance for entitlement to exemption of vehicle licensing duty”

That’s really quite specific. Indeed, it might lead one to wonder whether that purpose makes it proportionate to expose the CIS’ 92,000,000 records to the DVLA user population. It’s not easy to find out the size of that population, but according to the DVLA’s annual report for 2007-2008 there were about 6,500 people on their payroll (this does not necessarily include those employed as part of ‘contracted-out services’, a separate item in the accounts).
The stated purpose also makes it legitimate to wonder what safeguards are in place to ensure that the data are not accessed for other purposes. The DVLA itself does not have an especially happy history where data sharing is concerned. After it reported £6.3m of income from selling motorists’ information to third parties, the government drafted new rules on acceptable use and sharing.
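The two safeguards the preceding paragraphs ask about, a declared purpose of use that actually constrains what a user can look at, and alerts that fire on the access itself rather than waiting for a sample check, can be expressed as a simple audit rule over access records. The following is an added illustration, not code from the post or from any real DWP or DVLA system; the log format, field names, the purpose label and the volume limit are all constructed assumptions.

```python
"""Purpose-bound access auditing for a shared identity repository.

Added example, not part of the original post or of any government system.
The access-log layout, field names, purpose code and volume limit are
constructed here to illustrate the argument: a query that cannot be
explained by the user's declared purpose of use should raise an alert at
the time of access, rather than surface later in a sample check.
"""
from collections import Counter

# Declared purpose of use -> the only record fields that purpose justifies.
# Mirrors the DVLA's stated purpose (confirming higher-rate DLA mobility
# for vehicle duty exemption); the code and field name are assumptions.
PURPOSES = {
    "DVLA_VED_EXEMPTION": {"dla_mobility_higher_rate"},
}

# Constructed access log: user, declared purpose, record id, fields read.
SAMPLE_LOG = """\
dvla001 DVLA_VED_EXEMPTION 10001 dla_mobility_higher_rate
dvla001 DVLA_VED_EXEMPTION 10002 dla_mobility_higher_rate
dvla002 DVLA_VED_EXEMPTION 10003 dla_mobility_higher_rate,home_address,date_of_birth
dvla003 UNDECLARED 10004 dla_mobility_higher_rate
dvla004 DVLA_VED_EXEMPTION 10005 dla_mobility_higher_rate
dvla004 DVLA_VED_EXEMPTION 10006 dla_mobility_higher_rate
dvla004 DVLA_VED_EXEMPTION 10007 dla_mobility_higher_rate
dvla004 DVLA_VED_EXEMPTION 10008 dla_mobility_higher_rate
"""


def audit(log_text, per_user_limit=3):
    """Return (user, record_id, reason) alerts for accesses that are not
    covered by the declared purpose, or that exceed a per-user volume."""
    alerts = []
    counts = Counter()
    for line in log_text.splitlines():
        user, purpose, record_id, fields = line.split()
        requested = set(fields.split(","))
        allowed = PURPOSES.get(purpose)
        if allowed is None:
            alerts.append((user, record_id, "undeclared purpose: " + purpose))
        elif not requested <= allowed:
            extra = ",".join(sorted(requested - allowed))
            alerts.append((user, record_id, "fields outside purpose: " + extra))
        counts[user] += 1
    # A legitimate purpose can still be abused by sheer volume of lookups.
    for user, n in counts.items():
        if n > per_user_limit:
            alerts.append((user, "*", f"volume {n} exceeds limit {per_user_limit}"))
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(alert)
```

Each alert names the user, the record and the rule violated, so a reviewer can act on the event rather than hoping a later sample check happens to land on it.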
Returning, then, to the question of competence to run the National Identity Scheme securely: the DWP says it’s doing a good job of keeping the CIS secure, despite a small number of identified insider breaches; but the CIS is only one of three major repositories in the Scheme, each owned by a different department. All three of them need protecting if the whole is to be meaningfully secure. Then there’s the issue of securing access by ‘user’ departments such as the DVLA: the difficulty of doing that grows with each department added, and the growth is almost certainly exponential rather than linear.