Privacy is like a big yellow taxi: you only really understand what you had when it's gone. This difficulty is why it's so hard to make informed decisions about personal data – and it's also why political discussions of privacy become so fraught, especially when any debate is framed as a conflict between (national) security and privacy.
"Government traditionally believes that one has to strike a trade-off between privacy and security", says Toby Stevens, director of the Enterprise Privacy Group, a specialist consultancy in this area. "The government asks itself how much privacy or liberty can be sacrificed to achieve security outcomes. It never says, 'Do we need to give up any form of privacy to achieve this outcome?' They start from the assumption that it's reasonable to give up privacy to achieve security every time, and there's a growing mood that this is not a reasonable assumption to make. We see it in the resurgence of UK civil liberties over the last few years. It's the wrong starting point."
|"Government traditionally believes that one has to strike a trade-off between privacy and security"|
The well-known security expert Bruce Schneier goes further, calling the supposed trade-off between security and privacy a "false dichotomy" that makes no sense. "Look at door locks", he says. In fact, he adds, "Very anti-privacy security measures actually make security worse. Like the national ID card."
The ID card is a worked example of these issues. Schneier often talks and writes about the politics of fear in which political parties win and keep public office by sending the message "You're scared and we can keep you safe." So, he says, first you have to scare people: "You need people to buy into your problem before they will buy into you as a solution."
The history of ID card proposals bears that out: these proposals surfaced every few years from the time the last ID card was abolished in 1952 until the Identity Cards Act finally passed in 2006. Each time, the problem ID cards were intended to solve was different and drawn from the day's headlines. In the 1980s, for example, after the Hillsborough disaster, it was to prevent football hooliganism; in 2003 we heard a lot about benefit fraud; now the most commonly cited benefit is to control illegal immigration. But the political climate that made the 2006 Act possible was, as Alistair Clark documented in his diaries, created by 9/11.
ID cards began rolling out to approximately 50 000 non-EEA foreign nationals at the end of 2008 under the separate UK Borders Act 2007. Autumn 2009 is supposed to see the first issuance of ID cards under the 2006 Act, to workers at Manchester and London City airports. In the Identity and Passport Service's delivery plan for ID cards, published in 2008, Home Secretary Jacqui Smith called ID cards "crucial to delivering the benefits of improved identity management and identity assurance for all who have the right to live and work in this country." She also said, "I want individuals to have as much control and ownership of their own data as possible."
Phil Booth, the national director of the campaigning organisation No2ID, and other opponents of the ID card have frequently made the point that the issue isn't the ID card itself but the National Identity Register database behind it. "We are focusing on the database state", he says. "The government's basic argument with ID cards is that everyone should be forced to hand us the master copy of their personal details – a corpus of data, 50 categories of information – in order for us to be able to deal with that information as we wish."
|"The political climate that made the 2006 Act possible was, as Alistair Clark documented in his diaries, created by 9/11"|
Both Booth and Schneier disagree with the political stance Stevens referred to that turns up so often in political discussions: that privacy and security are the opposing ends of a sliding scale and any concession to one necessarily involves losing some of the other.
"[Information security] is not the same as data protection is not the same as privacy," Booth says. "Information security and data protection are prerequisites for privacy. If you can't do the first, you aren't addressing how people feel about how their information is handled. So I don't think the government is engaging with privacy at all." The HMRC incident, he says, showed clearly that "the government weren't doing information security."
Rolling out the ID card system is the province of the Identity and Passport Service (IPS), which insists that the card will improve personal security. Instead of taking personal records such as bank statements or telephone bills to a mobile phone shop in order to open an account, for example, you will be able to use the ID card.
Vocal critics – No2ID, Privacy International, Liberty – of the ID card are easy to find. But it is very hard to find anyone outside the Identity and Passport Service -the department tasked with rolling out the scheme - who will defend the ID card against its many critics.
Sureyya Cansoy, head of public sector programmes for the IT industry association Intellect, some of whose members are likely to provide technology behind the scheme, prefers to talk about identity management in general. "The key is to have appropriate identity management systems in place so that government can deliver good quality services," she says. "You have to look at the wider agenda than simply the identity card and whether it's good for us or not."
You can't, Cansoy says, deny concerns such as whether the government can successfully protect personal data or whether it may use data collected for one purpose for a different one, but "There is a role for government to address those by highlighting the benefits to society." Her example: the controversial children's database ContactPoint: "People say how bad it is that they're collecting information, but on the other hand children are unfortunately dying because of abuse and torture that they suffer at the hands of their families and having something like ContactPoint might prevent some of those cases. There are always two sides."
Anthony Golledge, head of technical consulting for Detica UK, a specialist in turning large amounts of information into usable intelligence, believes the problem the government is trying to tackle is hard, but important. "The prize for getting it right is really valuable", he says.
"Organised criminals and benefits cheats know that government is sometimes less Big Brother and more Bungling Brother – and they exploit this. There are real identity blind spots between different parts of government, something which the national identity scheme can start to fix." But, Golledge adds, "The scheme has to learn from past mistakes by thinking like the criminals, who will attack the scheme in its early days."
The IPS itself said, in a written statement: “The Government’s first priority is to protect the public. But Britain is proud to have a long standing defence of liberty, and personal privacy remains fundamentally important to who we are as a society.
“The issue of privacy has formed an important part of the design process for the introduction of identity cards. They are expected to reduce the information unnecessarily held about an individual on many different databases. The scheme will also be implemented fully in accordance with existing legislative safeguards such as the Human Rights Act and the Data Protection Act.”
The IPS however, has been so far unwilling to engage directly with technical criticisms or to discuss security and privacy tradeoffs with the ID cards.
Lack of expertise
Dave Birch, who as director for Consult Hyperion has been involved in designing no less than three ID card systems and is now consulting on an ID card system for Ireland, has a theory about this.
"It would seem to me that there is more engineering input to ID card design in other countries. Here it seems to be civil servants who may be well-meaning but, at higher levels, don't have as much science and engineering background as other countries. Our experience designing the ID card in Hong Kong, for example, was that the officials we were dealing with are science and engineering literate. It's not as clear to me in the UK that that's the case."
|"Why is it that we have a card that doesn't even aspire to the functionality of the card they have in Lithuania?"|
The broader issue, Birch says, is that ID card systems do not have to be invasive. "Why did we end up with a fundamentally backward looking ID card, when we should have been building the first 21st century ID card?" he asks. "Why is it that we have a card that doesn't even aspire to the functionality of the card they have in Lithuania?" That card, he says, has an OpenID responder, so the card can be used to log onto internet sites. Or take Germany's card, which provides a separate online pseudonym for each online service provider so they can't conspire to violate your privacy. "How come we're building an electronic simulation of what we used to have in 1952, when these other countries are moving forward?"
Ultimately, Booth thinks that the biggest problem is that the debate is framed too narrowly. "One million people can access ContactPoint. We're accused of being extremists and alarmists – then prove it won't happen. That is the politics of privacy – to hold the government to account for what it says it's doing, compromising people's personal safety and introducing personal risk. If you're balancing off the notion of national security against aggregate personal insecurity – then you may be starting to have a more rational debate about things than to say 'privacy versus security'."
The trade-off everyone talks about isn't between security and privacy, but between both of those things and politics.