Could this be the latest ploy by the UK government to encourage people to adopt the still-voluntary National ID Card? Under government plans revealed in October, it seems that everyone wanting to buy a new mobile phone will be forced to provide some official form of identification, and that appears to mean either a passport or an ID card. This registration data will be stored on a new government database.
In the UK there are about 72 million phones in operation, of which about 40 million are prepaid and can be bought over the counter in a supermarket with cash and with no identification of the user. These pay-as-you-go phones are attractive to a broad spectrum of users including, unfortunately, criminals and terrorists.
These moves are all part of the Data Communications Bill planned for the Queen’s Speech in November, although the latest rumours suggest that Jacqui Smith, the Home Secretary, may have put these plans on hold due to the increasing concerns raised by her own officials. The idea is for the government to build a database of all citizens’ activity on the internet and mobile phones: text messages (57 billion in the UK in 2007), emails (3 billion every day) and internet web activity (much bigger still). As commentators have pointed out, this would be the ultimate surveillance state. You could track the location of a target’s mobile phone, then use the DVLA database to get their car registration number and the Police database to track the movement of the car using the automatic number plate recognition system currently installed on all major roads in the UK. And of course you could track all associated people through their mobile phones and have a look to see what they are up to.
Just in case you had forgotten, the state can also track a citizen’s activity by their use of financial payment cards, travel cards, closed-circuit TV cameras (4.2 million in the UK) and their travel records as per the new e-Borders database. It sounds just like a sci-fi film from the 70s, yet today this is where we are in the UK, and we need to ask: is this a step too far?
If there were a totally trusted body with totally trusted employees, a totally trusted way of accurately acquiring the data and a totally trusted database handling all this data by totally trusted users, then I guess few people would complain. In fact the only time you would hear about it is when some criminal or terrorist is brought to judgement or, even better, when some atrocity has been avoided. The trouble is we don’t actually have any confidence in any of these parameters.
Nobody really trusts the Government, and in fact they have arguably badly damaged their reputation by using the terrorism laws to freeze the bank accounts of the Icelandic banks in the UK this month. It makes the actions of local authorities, spying on citizens to check their dog walking habits and to see where they are living or cohabiting in connection with rights to school placements, look like trivia. This is not a good start for a new national database.
Does anybody seriously believe you can have totally trusted employees? Whether for personal gain or to protect their current status or possessions, people can always be motivated to take unlawful actions. Remember the 600 people disciplined in DWP for having a look at records not required as part of their work tasks. Similar things are known to happen in the NHS and probably just about any other office you can think of, the tax office for example. It doesn’t stop there, because people also make mistakes (yes, all of us) which can lead to the compromise of confidential data. It’s now almost a daily occurrence to see who the latest guilty party is. It is not only the government, of course, but often their advisors: PA Consulting, EDS and Deloittes have all recently made the front page with lost laptops, disks or memory sticks.
Then you have the matter of accurately and securely acquiring the registration data. Now, with ID cards and e-Passports there are biometrics designed to stop multiple and false applications. The trouble is that this doesn’t work too well in the field when you don’t do a similar biometric check, because bogus cards or passports will not be detected, particularly when the terminals are incapable of checking the digital signatures. I can’t imagine the local supermarket having a biometric reader in order to sell a mobile phone. And one thing you can bet on is that criminals and terrorists will be the experts at knowing how to get by with false identity documents.
Then there is the security of the database itself and, more particularly, the access control to the data in the database. If you have a large number of authorised users then you immediately have a problem controlling authorised access. One imagines that for this sort of planned database there will be a large number of users across multiple departmental and organisational boundaries. Perhaps we could mandate two-factor authentication, a good use of smart cards and one that we might well expect to see on the increase. But then we have yet another registration problem: identifying the users and managing the authentication system and its database, which is no mean feat.
In fact we can almost certainly conclude that any database of this scale, with its myriad of users, is going to result in breaches of user privacy. Worse, it may even be by design. The deep packet content filtering system being tested by BT (PHORM) as part of a new targeted advertising scheme is sort of in the middle of all of this: look at what the user is doing on the internet and target the advertising accordingly. That is pretty invasive stuff, particularly if you can’t opt out.
So the question is, will all this really happen? Well, it has already started, with GCHQ reportedly being given £1 billion to set up a network of black boxes on the internet to monitor traffic, with total project costs estimated at £12 billion. Remember ECHELON, the signals intelligence collection and analysis system developed under the UK-USA Security Agreement to monitor fax, emails and other data communications? Apparently this was not really capable of doing the job, and this new approach is designed to correct the shortcomings.
As for the new National Database, well, that seems less likely. I can’t imagine the privacy bodies letting this one go by without a fight.