Opponents of ID cards have renewed their attacks on the scheme, claiming security is being watered down even as the cost of the cards rises.
By Nick Heath | Cards will only be checked against biometric details on the National Identity Register (NIR) in a “minority of cases” according to Home Office documents, prompting accusations it has been relegated to a “flash and go” card.
The Home Office consultation documents said: “Most transactions involving the identity cards are likely to be visual checks of the card, or a local check of the information held on the card (eg using a scanner).
“In only a minority of cases – requiring the highest standard of identity assurance – will it be necessary to check identity against information on the NIR.”
Ian Angell, a professor at the London School of Economics (LSE) and one of the authors of a report into the scheme, said this undermines the government’s claim the ID card system will offer a rock-solid way of verifying a person’s identity by locking an ID to biometric details on a secure database.
And Phil Booth, national co-ordinator for ID cards pressure group NO2ID, said: “It makes the whole system a nonsense; the government is saying that ultimately the whole national identity scheme will come down to a ‘flash and go’ system.
“A system that is presumed secure which is in fact insecure… is worse than having no system at all.”
LSE’s Angell said: “If they do not check the database then fraud will go up as criminals will quickly figure this out and be able to make a copy of the card and change the photo.
“These shortcuts are going to turn it into a hugely expensive failure.”
But an Identity and Passport Service spokesman denied the system would be vulnerable to fraud: “The majority of instances where people use their identity cards will be day-to-day situations where the cards offer a convenient method of proving identity such as a young person proving their age to buy alcohol,” he said.
“Whenever the highest level of identity assurance is vital to prevent fraudulent and criminal activity – such as high-end financial transactions or at our borders – checks will always be made against the national identity register.
“The card itself will be protected against forgery by a number of security features. The Identity and Passport Service has issued more than 12 million e-passports to date and nobody has successfully cloned the chip,” the spokesman said.
It has also been revealed the National Identity Register Number (Nirno) will now not appear on the card or its embedded chip. Director of Privacy International Simon Davies welcomed the removal of the Nirno, following concerns it could be cross referenced across multiple transactions – such as proof-of-age purchases or opening a bank account – to track a person’s everyday activities.
“For five years we expressed concern about publishing the Nirno, it is amazing that it has taken all this time and £150m for the government to decide to take this initiative,” Davies said.
On 6 November the government began touting for high-street businesses and other companies to install the equipment to take the 10 fingerprints, facial and signature scan that will be stored in the NIR. It named the Post Office as an example of possible contenders and said local authorities are also being considered as enrolment centres.
Critics say it will inflate the £30 it will cost for a card as the public also have to pay to have their fingerprints taken, with the Home Office estimating the scanners will generate between £120m and £280m per year for business.
Shadow home secretary Dominic Grieve said: “We already know that ID cards will do nothing to improve our security but may make it worse. Now we see that the already substantial cost to the tax payer is going to increase. This is particularly outrageous given the current economic crisis.”
A cost projection for the scheme for British nationals also showed the cost over the next 10 years has increased by £45m to £4.78bn from estimates in May 2008, with a warning that the costs were likely to change as contract negotiations were finalised.
In consultation, businesses expressed fears about the risks of leaving the enrolment to companies, saying they want to see it “delivered by accountable public servants, and particularly not by companies owned and controlled outside the UK”.
These worries about whether government and the private sector could be trusted to handle and transfer scans of people’s fingerprints, faces and signatures were echoed by the public, particularly in light of the recent spate of data breaches.
Home Office consultation documents revealed: “One of the key concerns raised regarding the market delivering biometric enrolment services is the security and integrity of the application process.
“This is also our key concern and we will not deliver these services through the market unless we think security and integrity principles can be upheld.
“Where application and enrolment services are provided by an open market, we will set integrity and security standards which will be enforced consistently across the network of market providers.”
Small businesses were also anxious about the cost of introducing the scheme and equipment to check identity on the cards, stressing the “need for particular support” from the government and citing difficulties with the introduction of chip and PIN equipment.
A national identity scheme commissioner will also be appointed to work alongside the information commissioner to ensure data for the scheme is being properly stored, secured and collected by government and the private sector.
The government says it will continue talking to business about the commercial benefits of taking part in the enrolment and “improved identity assurance”.