An interesting day yesterday providing evidence to the House of Commons Science and Technology Committee inquiry into how the Government makes use of scientific and technological evidence. The session was focused on the UK identity card and followed on from the sessions a few weeks ago with Katherine Courtney and her team from the Home Office (a draft transcript of which is available online here).
It’s been some years since I last gave evidence to a Committee – when I worked at Parliament it was a routine, if sometimes unpredictable, experience for me in both the Lords and Commons. Perhaps I’m perverse, but I rather enjoy the experience. There’s something about the questioning and answering, the debate and digging into the credibility of evidence and witnesses that makes the work of these Committees the heart of our Parliament for me. It’s good that in a democracy we should all be called to account (and also be given an opportunity to explain ourselves and help inform the wider public debate).
Yesterday there were two panels in front of the Committee. The first of these was myself, Nick Kalisperas (Intellect – the industry body used by the Home Office for consultation), Professor Martyn Thomas (UK Computing Research Committee) and David Birch (Consult Hyperion).
Following our session, the next four up were Dr Tony Mansfield (National Physical Laboratory), Dr John Daugman (University of Cambridge), Dr Edgar Whitley (London School of Economics and Political Science), and Professor Angela Sasse (University College London).
Both panels provided evidence for an hour apiece, with a lot of questions from Committee members about the consultation, risk assessment of the potential ID card business and technical architectures, advice on the reliability of technology and the like.
Of course, when the evidence is published, you’ll be able to see verbatim what we all said and the Committee’s reaction. But in the meantime, I’d summarise some of my comments into three broad areas:
- the ID cards consultation to date has been focused more on the procurement process than the business requirements and technology issues. The Home Office team expressed a desire not to stifle innovation by getting into the specifics of potential architectures. But I think it would be really useful to see a UK government study into the risks, feasibility and comparative merits of centralised versus decentralised identity systems in terms of systems reliability theory, or modern computer security concepts (including the widespread contemporary experience of large scale data breaches, social engineering and phishing attacks).
- given the fastest growth in ID fraud is online (through for example phishing attacks), it was unclear how the ID card would work in online scenarios (would it default for example to just chip and PIN?). And given that the delivery of online public services is a key part of the Transformational Government agenda, this is clearly an area in which a well-designed ID card could yield major benefits and tie in well with other identity initiatives including across health, local and central government and the private sector
- some concerns arose from the limited number of publicly available scenarios of how the ID card could be used in practice. And of those available, there are potential issues with their descriptions of the card’s usage in practice. For example, the scenario here indicates that the ID card will disclose your date of birth to any third party that needs proof of age entitlement (eg to buy alcohol or to get an old age pensioner discount). However, I believe this is not good practice based on our experiences with ID fraud. All that needs to be revealed in such a situation is that the person is over 18 or over 60/65. Neither their date of birth or age needs to be revealed. In fact, handing over personal information such as date of birth to anyone who requests sight of an ID card could generate vulnerabilities elsewhere: for example, telephone banking uses date of birth as one of the ‘secrets’ to prove who you are when you phone up. We need to be very careful that the ID card does not add to any potential identity fraud issues when there is a great opportunity for it to help enhance our privacy, as Dave Birch indicated in his evidence.
Both my written evidence and oral evidence provided yesterday will be published in due course by the Committee along with those of the other witnesses. I’ll let you know when that happens.
I look forward to seeing the Committee’s overall conclusions and recommendations on how scientific and technological evidence is impacting public policy. There are enormous benefits to UK plc to be taken from the incorporation of scientific and technological advice into the very heart of policy-making itself.
In fact, I’d argue that it’s essential for us to do so for our future economic prosperity.
This blog post originally appeared when I hosted NTOUK on SimpleBlog. It’s one of several I’m retrieving and posting here to bring together my posts in one place. The content and date shown for this post replicates the original. Many links are, inevitably, broken: where I can, I’ll substitute ones that work, particularly where the Internet Archive Wayback Machine has captured the content originally linked to.