Roger Clarke **
Version of 8 February 2006
© Xamax Consultancy Pty Ltd, 1987, 2006
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/DV/NatIDSchemeElms.html
Many organisations that deal with individuals need to run an identification scheme of some kind. See Clarke (1994c). Guidelines for the design of schemes featuring chips, in such forms as smart-cards, are provided in Clarke (1997), and the significance of multiple identities and nyms was considered in Clarke (1999). This paper does not give any further consideration to such specific-purpose schemes.
Many countries, particularly in Europe, run multi-purpose schemes. These are in many cases reasonably-described as being 'inhabitant registration schemes'. Their purposes are limited to a small number of specific applications, typically taxation administration, social benefits administration and insurance, and health insurance. This paper does not give any further consideration to bounded multi-purpose schemes, except to the extent that they may be transformed into a general-purpose national identification scheme by removing the limitations on their scope of use.
This paper is concerned with general-purpose schemes. The term 'national identity scheme' is used, to refer to a suite of measures designed as a general-purpose means of achieving consistent and reliable identification of humans, throughout a country, particularly in relation to their relationships with governments and government agencies, but also in their relationships with private sector organisations.
Specific-purpose schemes embody threats to privacy. These have been addressed (variously adequately and unsatisfactorily) by data protection laws emerging from the Fair Information Practices (FIPs) movement of the 1970s, and codified in the OECD's 1980 Guidelines.
Bounded multi-purpose schemes are much more threatening, because they break down the data silos and identity silos that have been far more effective privacy protections than weak FIPs-style legislation. They require more specific constraints that reflect the level of threat. Countries that have them, such as Germany and Switzerland, generally have such additional protections.
This paper is motivated by the enormity of the threat represented by general-purpose national identification schemes. They have been implemented in such countries as Malaysia and Singapore, which are not noted bastions of civil liberties. But there are also proposals for such schemes in nations that have previously valued freedoms much more highly, including The Netherlands, Germany, the U.K., Canada, and Australia.
This paper presents an analysis of the elements of a national identification scheme. Its purpose is to ensure that the debates taking place in countries whose governments are proposing such schemes are informed about what each proposal actually entails.
The paper thereby lays a foundation whereby a vital question can be addressed. Can such schemes be permitted, subject to strong privacy protections, or are they in themselves so antithetical to liberty as to be incapable of control, and hence incompatible with the concept of a free nation? Other papers and presentations by the author consider that question, e.g. Clarke (2006).
Proponents of national identification schemes like to present them as being something simple and unthreatening. Most commonly, they focus on the scheme being all about 'just another card'. And they promote real and mythical advantages of the card, e.g. it will reduce 'wallet-bulge', and it will provide a single authoritative identification token that every government agency and company will accept.
But such a national identification scheme involves many elements.
This document provides an overview of them. The model represents an expansion of Exhibit 1 of Clarke (1987). The adaptations include the removal of references to the Australia Card, and updates to reflect two decades of rapid change in technological capability, and in technological and bureaucratic fashion. A set of Resources is provided.
The following sections outline the many elements of a national identification scheme:
The database contains data about every member of the entire population.
It may be a centralised system; but this is highly unlikely, given the nature of information technology, the vast scale of the available data, the vast scale of the systems that handle it, and the diversity among the systems' purposes. It is much more likely to be a hub system, providing linkages among multiple databases in order to achieve a 'virtually centralised' database.
A first option is for the database to be created ab initio as part of the launch of the new scheme. Every person in the country may be required to present themselves for registration, and to provide copies of documents that attest to their having operated in the economy and society, and of their use of a name (or possibly multiple names). Data can be captured from those documents, and during interview, and used to populate that person's record in the database (and perhaps also to record each of the documents, such as birth certificates, drivers' licences and passports, as having been already used in the establishment of a record).
Such procedures are not merely an extraordinary impost on people, but they are also fraught with all manner of challenges and insecurity. For example, every 'false identity' established by criminals is likely to be entrenched rather than eradicated; and people who have been insufficiently careful and ordered in their dealings with government (or who have lost their documents through fire or other catastrophe) will encounter great difficulties and inconveniences.
A second approach to establishing the database is by re-naming and modifying an existing database, e.g. that has been created and maintained by a taxation, social services, health or census agency. The data in all such systems is inevitably specific-purpose, and of very dubious quality. A special case that may suffer rather less from the quality problems inherent in this approach is the extension of a pre-existing 'inhabitant registration scheme' to additional purposes, as appears to be the approach being adopted in Germany and Hong Kong.
A third, and perhaps more common approach that has been proposed for the establishment of a database to support a national identification scheme involves a complex process of merging existing sources of data, and allocating each merged record to someone who claims it as theirs. An outline of the process is as follows:
Any national identification scheme has a database at its core, and is crucially dependent upon its existence, on the quality of the data in the records, and on the reality of the inference that each record has a one-to-one correspondence with a particular human being.
A means is needed to relate an entry in the database (a digital persona) to a physical human being. There are two approaches that can be used, the first of long standing, and the second emergent.
Commonly, an identifier is assigned to each digital persona, such that no two digital personas have the same identifier. This is commonly a series of digits, but may include alphabetic characters. It may convey information (such as year of birth), or may be arbitrary and in itself meaningless.
An identifier is intended to be issued such that every person of a defined population has precisely one. Some means is needed to associate each digital persona in the database with a single human being. All such mechanisms are highly error-prone.
Further challenges arise in relation to:
An alternative approach that may be approaching feasibility is to use a measure of some aspect of the physical person. The term 'biometric' is commonly used for such measures. Examples that have some degree of scientific and engineering credibility include a thumbprint, a set of 10 prints of the fingers and thumbs, hand geometry, and iris-scans. There is a host of failed and failing alternative technologies.
The term 'entifier' is appropriate to use in this context, rather than 'identifier'. The reason is that the signifier relates directly to the entity, the human being. Identifiers have always related to one or more of the many identities that every person has. We have successfully sustained many identities and separate digital personae, to reflect the quite different roles we play when performing different functions, and interacting with different organisations.
There are many attempts by organisations to destroy the protections individuals have enjoyed through these 'identity silos'. Biometrics suppliers grossly misrepresent the capabilities of their products, and are attracting vast sums from government agencies obsessed with 'the war on terrorism'. The buyers willingly suspend their disbelief, and pretend to the public that technologies will do things that they clearly do not do, and in many cases could never do. IT professionals fail to draw attention to the deficiencies, senior executives fall into line with the security mantra, and projects roll forward that would fail any reasonable test of legitimacy and viability.
Various schemes are being devised that involve a biometric being captured, encoded, and stored in a database (and/or on a token, which is addressed in the next section). A person is then expected to present the appropriate part of themselves in order to make the signifier available. A vast array of serious problems arise in relation to the application of biometrics.
These problems have been exacerbated by the project being undertaken by the US Administration to collect the biometrics of everyone that they possibly can (including overseas tourists, and everyone who comes to the notice of law enforcement agencies for any reason). This creates the probability of those biometrics being used by the US and its close allies for any purpose that is thought to be useful, including masquerade and planting evidence.
Even if biometrics-based schemes could be made to function reliably, and not create a class of outliers running into the millions, they suffer from the serious problem that a person's biometrics aren't a secret, can be captured, and can be used by others to masquerade as that person.
A means is needed whereby an organisation can collect a signifier for a person they are dealing with, and hence gain access to the relevant entry in the organisation's own database and/or the hub-database that is central to the scheme.
Reflecting the two different types of signifier, there are two ways in which this may be done.
A unique national identifier is inevitably long, and difficult to remember. In addition, many organisations are suspicious of people, and would prefer to collect the identifier in some way other than having the person say it or key it into a device. Many schemes therefore involve an identification token, which is intended to enable easy capture of the identifier.
Currently, identification tokens are envisioned as 'identity cards', but many other carriers are possible, such as rings, bracelets, anklets, belt-buckles, and chips inserted into the human body.
Generally, such schemes involve an identification token being created for each member of the defined population, with the intention that the relevant individual be forced to collect it, and use it, often.
If any schemes are ever introduced that involve a biometric as the signifier, then the 'entification token' is the person themselves.
Some proposals involve an intermediate mechanism, whereby the signifier is still a 'national identification number' which is stored on a card, but the card also contains a biometric. The use of this is discussed below.
The database, signifier and token create the possibility of social control, but they do not in themselves deliver it. Various business processes need to be specified and performed, that will ensure that they are applied appropriately.
Authentication involves the testing of an assertion, in order to provide a level of confidence about whether it's true or not. For example, people mostly don't simply accept statements but cross-check the claimed facts with other sources. Similarly, people evaluate an assertion such as 'this is a $100 banknote' (e.g. by looking at it, and comparing it against another example of the same kind of banknote). An overview is provided in Clarke (2004).
Identity authentication is a process whereby checking is performed, in order to be confident that the person presenting appears to be entitled to use that identity. Entity authentication, on the other hand, tests the proposition that the person presenting is the same human being that the entry in the national database is meant to relate to. (There are many circumstances in which the difference is very important. For example, many actions are taken by the Club Treasurer, the current shift-leader in a seven-day/three-shift operation, and the secretary of a corporation. What matters is not really who the person is, but rather what role they are playing, and whether they are authorised to do so).
Identification tokens such as cards may carry a photograph, which is meant to assist the organisation to check that the person presenting is the appropriate person. Other authentication mechanisms include supposed 'secrets' that only the right person is supposed to know (e.g. passwords, PINs, answers to personal questions).
If the signifier is a biometric entifier rather than a national id code, then the authentication process involves collecting a new measure of the person, and comparing it against the entry in the database. The nature of biometrics is such that the match is not exact. The match may be highly inexact, and woe betide a person who is an inconvenient provider of the chosen biometric. (Millions of people have thumbprints and eyes that are difficult for devices to read, and outliers are treated as being suspicious, and in any such scheme will suffer poor service, delays and aggression).
An intermediate use of biometrics was discussed in the previous section.
The aim is for each identification token only to be able to be used by 'the right person'. One way to achieve that could be to build into the identification card a pre-recorded biometric of that person.
Entity authentication could then be performed by requiring the person to submit to the collection of a new biometric, and comparing the new one with that recorded on the token. The association of the person with the card can thereby be established, the national id code extracted from the card, and the current transaction associated with the appropriate data selected from the organisation's own database and/or the central hub-database.
This suffers from all of the difficulties mentioned in the previous sections. It could conceivably be implemented in an at least partially privacy-protective manner, by restricting access to the biometric to the devices that measure it, and the card. Despite the existence of this option, proposals almost always involve storage of the biometric in a central database as well, creating the opportunity for the State to create masquerades.
Authentication involves a one-to-one comparison between a new biometric, and the pre-recorded biometric for the relevant person.
The process commonly referred to as 'identification' is quite different. There is no assertion of what entry in the database is associated with the person, i.e. the relevant identifier is not known.
Data is collected about the individual, and a trawl of the entire database is conducted, in a search for possible matches.
The trawling process may be performed using any data that is available to the organisation. If the database contains biometric reference measures for some or all people whose records are in the database, and a biometric can be collected from the person concerned, then the trawling can focus on comparison between biometrics.
Biometric technologies produce results that are significantly variable, and hence all matching processes are 'fuzzy' rather than precise. So multiple potential matches are produced when biometrics are used as a basis for identification. Where such schemes are used, the large numbers of 'false positives' (i.e. records that show a potential match) will create severe problems for the people about whom unjustified suspicions arise.
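To make the distinction drawn in the preceding paragraphs concrete, the following simulation is an added example prepared for this edition of the page; it is not code from the original article. It models a biometric template as a 128-bit string compared by normalised Hamming distance (the comparison used for iris codes). The template length, the 0.38 decision threshold, the noise rates and the population size are assumed parameters, chosen so that the effect is visible at a population of a few thousand; a real scheme would have a far lower per-comparison false match rate and a far larger population, but it is the product of the two that determines how many unrelated records a trawl surfaces.

```python
"""1:1 verification versus 1:N identification with a fuzzy biometric match.

Added example, not from the original page. A template is a BITS-long bit
string; two templates "match" when their normalised Hamming distance is at
or below THRESHOLD. All parameters are assumptions chosen for illustration.
"""
import random
from math import comb

# Assumed parameters (constructed for this example, not taken from the page).
BITS = 128                          # template length in bits
THRESHOLD = 0.38                    # normalised Hamming distance for a "match"
MAX_DIFF = int(THRESHOLD * BITS)    # 48 differing bits still count as a match


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")


def matches(probe: int, template: int) -> bool:
    """Fuzzy comparison: a match is anything within MAX_DIFF bits."""
    return hamming(probe, template) <= MAX_DIFF


def present(template: int, noise: float, rng: random.Random) -> int:
    """Simulate a fresh capture of an enrolled person: each bit of the stored
    template flips independently with probability `noise` (sensor, lighting
    and subject variability). Higher noise models a 'difficult' provider."""
    flipped = 0
    for i in range(BITS):
        if rng.random() < noise:
            flipped |= 1 << i
    return template ^ flipped


def enrol_population(n: int, rng: random.Random) -> dict:
    """National id code -> enrolled reference template, codes issued 1..n."""
    return {code: rng.getrandbits(BITS) for code in range(1, n + 1)}


def verify(code: int, probe: int, db: dict) -> bool:
    """1:1 authentication: the claimed code selects exactly one reference."""
    return matches(probe, db[code])


def identify(probe: int, db: dict) -> list:
    """1:N identification: no code is claimed, so every record is compared
    and every record within the threshold is returned as a candidate."""
    return [code for code, template in db.items() if matches(probe, template)]


def false_match_rate() -> float:
    """Probability that an unrelated template lands within MAX_DIFF bits of a
    probe. Unrelated templates differ in each bit with probability 1/2, so
    this is the lower tail of Binomial(BITS, 1/2)."""
    return sum(comb(BITS, k) for k in range(MAX_DIFF + 1)) / 2 ** BITS


def expected_false_matches(n: int) -> float:
    """Expected number of wrong records surfaced by a single 1:N trawl."""
    return n * false_match_rate()


def run_simulation(n: int = 5000, seed: int = 20060208) -> dict:
    """Enrol n people, capture one genuine probe and one stranger's probe,
    and report what 1:1 and 1:N comparison make of them."""
    rng = random.Random(seed)
    db = enrol_population(n, rng)
    subject = n // 4                                   # an arbitrary enrolled person
    good_probe = present(db[subject], noise=0.15, rng=rng)
    stranger = rng.getrandbits(BITS)                   # someone never enrolled
    genuine_candidates = identify(good_probe, db)
    return {
        "population": n,
        "fmr": false_match_rate(),
        "expected_false": expected_false_matches(n),
        "verified": verify(subject, good_probe, db),
        "subject_found": subject in genuine_candidates,
        "genuine_candidates": len(genuine_candidates),
        "stranger_candidates": len(identify(stranger, db)),
    }


if __name__ == "__main__":
    r = run_simulation()
    print("per-comparison false match rate:", r["fmr"])
    print("1:1 verify of a typical capture:", r["verified"])
    print("1:N trawl of the same capture returned", r["genuine_candidates"],
          "candidates (subject included:", r["subject_found"], ")")
    print("1:N trawl of a stranger returned", r["stranger_candidates"],
          "candidates; expected about", round(r["expected_false"], 1))
    rng = random.Random(1)
    db = enrol_population(5000, rng)
    hard_probe = present(db[10], noise=0.35, rng=rng)   # a 'difficult' subject
    print("1:1 verify of a poor capture:", verify(10, hard_probe, db))
```

At these settings the per-comparison false match rate is roughly 0.3%, so the claimed-code 1:1 check passes a typical capture cleanly, while the 1:N trawl of the very same capture returns a dozen or more unrelated records alongside the right one, and a stranger who was never enrolled still "matches" a similar number of people. Loosening THRESHOLD to accommodate the poor-capture subject raises the false match rate for everyone; tightening it rejects more of the difficult subjects, which is the outlier problem described in the preceding section.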
It is not sufficient for the database, signifier and token to exist and be used in a quality-assured manner. They need to be used, and they need to be used widely, in order to generate sufficient data-points to track and hence provide the means for control over aberrant behaviour.
Any national identification scheme involves widespread trafficking in data containing the identifier.
A first set of flows is necessary between organisations that perform registration and the operator of the national database, the issuer of the signifier, and the issuer of the token.
A further set of flows is necessary between agencies responsible for social control functions and the hub database. That may spawn further flows out to other social control agencies.
Because private sector organisations perform critical functions in areas relevant to social control (such as finance, transportation and health), they too must interact with the hub database.
With so much traffic, bottlenecks are inevitable. In any case, some transactions are of interest to only a sub-set of organisations. Hence at least some data flows are directly between them, without involving the hub.
All of these data flows report on an individual using the same identifier. HIV sufferers, lottery-winners trying not to divulge their winnings to their neighbours or even their relatives, and victims of domestic violence must either convince the government to issue them with a second official 'identity' (using the scheme set aside for national security operatives, undercover police, and protected witnesses), or accept that they live in an open society, with nowhere to hide.
Any national identification scheme involves widespread use of the (id)entifier by a wide variety of organisations throughout the public and private sectors.
Government agencies align their information systems in order to use the identifier. Many organisations in the private sector also need to use the identifier, because they are part of the infrastructure of surveillance and social control. Naturally, they want to be able to use the identifier for their own purposes as well. There is then a natural tendency for them to align their own information systems with it. It therefore naturally becomes the general-purpose identifier for an individual, throughout the economy as well as the society.
Inevitably, anything that prevents the free flow of personal data (such as data protection law) is then perceived to be an impediment to 'good government' and 'business efficiency'. For their part, human rights activists now find it much harder to argue that data must be silo'd. Identity no longer is, and hence the barriers that previously appeared to be natural and important are no longer in place.
Any national identification scheme involves widespread use of the hub-database, or information from the hub-database.
Initially, its use may be limited to government agencies, and even perhaps a sub-set of them. But the identifier has to be in the possession of the many agencies that play a role in social control. They need access to the database at least in order to authenticate individuals that present themselves to the agency, and they can readily demonstrate efficiencies that can be achieved if they have more general access to the data. (Global change of address is frequently argued to be something that individuals cannot be relied upon to handle themselves, and that would be much more efficiently dealt with if each agency updated a hub database, and all agencies then automatically became aware of the change by interacting with the hub).
The same arguments apply to corporations. They also perform many social control functions on behalf of the government, and hence need to have access at least in the performance of authentication functions. But they have an interest in having access to all of the available data. The government prefers to avoid paying service-fees to companies for the functions they perform on the government's behalf. It is only natural that the government grant access, in lieu of payment.
There are no natural boundaries. The citizen databank and dossier were decried by the free world when they were developed in Communist countries.
Yet governments of hitherto free nations are now claiming that they can justify a national identification scheme based on the technological imperative ('we can do it, therefore we must') and the demonstrably unrelated, but convenient, 'war on terrorism'.
Specifications for business processes are all very well, but there needs to be a motivation for them to be used. Self-interest is one form of motivation. But this is not sufficient to ensure that all necessary data-points are gathered. It is necessary to impose responsibilities.
A national identification scheme is worthless unless a large number of obligations are imposed on individuals. These include:
A national identification scheme would only achieve its objective of cowing the population if obligations are imposed on organisations. It is highly unlikely that the obligations would be limited to government agencies. That is because governments seek to transfer costs elsewhere, because many previously governmental functions are outsourced to the private sector, and because many control-points in society are in companies (particularly banks, but also many other providers of consumer services).
These organisations need to have obligations, including:
Private sector organisations inevitably incur substantial costs in complying with such obligations. Governments try to avoid subsidising these costs. They are much more likely to offer a quid pro quo. That is one of the reasons why 'function creep' is inevitable. Corporations are bound to be permitted more and more freedom in their use of elements of the national identification scheme, in return for providing the State with much of its power over the population.
The creation of obligations, motivating though it may be, is still not sufficient to ensure that the database, signifier, token, quality assurance processes, and widespread use and reporting will actually be performed.
A substantial government apparatus is essential, to prevent people and organisations from avoiding their obligations, to detect non-compliance, to enable prompt investigation and remedial action, and to impose sanctions on the non-conformists who are undermining the carefully-constructed social control apparatus.
A national identity scheme involves a very substantial set of elements. Together, they provide extraordinary power over the normal individuals who are subject to them.
There would, however, have to be exceptions. Some government-approved categories of individuals would need to be treated differently. National security operatives, undercover police and government inspectors and spies involved in enforcing the scheme are clear cases. So too are politicians, senior government officers, and senior private sector executives who are subject to undue risk during the early stages when public disaffection with the national identification scheme results in the risk of violence.
There would remain some individuals who are committed to operating outside the law. In order to minimise this, the gathering of data will need to be extremely intensive, at least during the interim phase before terrorist and criminal elements have been eliminated. Special measures will be needed to address the possibility that criminal elements might infiltrate the protected space designated for specified government-approved categories. These will need to remain secret, for security reasons.
The benefits that proponents claim for national identification schemes cannot be achieved unless very tight control is exercised over society as a whole, and each individual that lives in it. Hence:
Analysis conducted here and elsewhere shows that national identity schemes are an extremist measure, attuned to the needs of countries subject to central planning and despots, not to the expectations of free countries.
Clarke R. (1987) 'Just Another Piece of Plastic for your Wallet: The 'Australia Card' Scheme' Prometheus 5,1 (June 1987). Republished in Computers & Society 18,1 (January 1988), together with an important Addendum, published in Computers & Society 18,3 (July 1988), at http://www.rogerclarke.com/DV/OzCard.html
Clarke R. (1994a) 'Dataveillance By Governments: The Technique Of Computer Matching' Information Technology & People 7,2 (June 1994) 46-85, at http://www.rogerclarke.com/DV/MatchIntro.html
Clarke R. (1994b) 'The Digital Persona and its Application to Data Surveillance' The Information Society 10,2 (June 1994), at http://www.rogerclarke.com/DV/DigPersona.html
Clarke R. (1994c) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' Information Technology & People 7,4 (December 1994) 6-37, at http://www.rogerclarke.com/DV/HumanID.html
Clarke R. (1997) 'Chip-Based ID: Promise and Peril' Invited Address to a Workshop on 'Identity cards, with or without microprocessors: Efficiency versus confidentiality', Proc. Int'l Conf. on Privacy, Montreal, 23-26 September 1997, at http://www.rogerclarke.com/DV/IDCards97.html
Clarke R. (1999) 'Identified, Anonymous and Pseudonymous Transactions: The Spectrum of Choice' Proc. User Identification & Privacy Protection Conference, Stockholm, 14-15 June 1999, at http://www.rogerclarke.com/DV/UIPP99.html
Clarke R. (2004) 'Identification and Authentication Fundamentals' Xamax Consultancy Pty Ltd, May 2004, at http://www.rogerclarke.com/DV/IdAuthFundas.html
Clarke R. (2006) 'National Identity Cards? Bust the Myth of 'Security über Alles'!' Xamax Consultancy Pty Ltd, invited presentation to a Session on 'National Identity Cards: The Privacy-Security Balance', at the 7th Annual Privacy & Security Conference of the Government of British Columbia, 9-10 February 2006, Victoria BC, at http://www.rogerclarke.com/DV/NatID-BC-0602.html
My lengthy list of publications in these areas is indexed here.
The Australian Privacy Foundation's list of resources on national identification schemes is indexed here.
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., a Visiting Professor in the E-Commerce Programme at the University of Hong Kong, and a Visiting Professor in the Department of Computer Science at the Australian National University.
Created: 7 October 1996 - Last Amended: 8 February 2006 by Roger Clarke - Site Last Verified: 15 February 2009