Monday, December 11, 2006

Database Usage and the Meta Database

NO2ID mention the idea of a meta database on their site, it seems something appropriate to bring up while discussing how private companies might use services provided by the national identity register. Before going on, i'll try to go over one of the key concepts of the ID card database.

In any IT system that keeps track of peoples names and addresses, a common practice is to assign each one a unique number. This ensures that a record can be guaranteed as absolutley unique and be kept track of over it's lifetime in a system.

The IRN (Identity Reference NUmber) is the unique identifier that is assigned to a person when they are first entered on to the system. THe idea being that by performing a Detection of Multiple Identities Check you will be able to ensure that a person is only recorded once on a system and can be told apart from people who may have lived at the same address or have similar names.

Uses and Abuses
In the IT systems of government departments would be able to make use of the IRN to better identify someone. For example, by recording the IRN of a benefit claimant they would be able to check if this IRN is already on the system to see if the person is already claiming benefit. Someone convicted of a child abuse could have their IRN recorded, meaning that by making a background check requiring an ID card you could instantly know if someone was safe to employ.

This cartoon (originally posed by Citizen Dale) demonstrates the potential danger posed by misuse of the IRN. A company could aquire a lot of information based around someones IRN.

For example, companies like Experian currently use a combination of name and address to identify people for credit reference checks. By using the IRN they would be able to keep much better track of people. Marketing companies could potentially consolidate data based around this IRN and know a huge amount about someone (what kind of car you drive, whether you've just had a child, what you tend to buy at the supermarket). If not kept in check, there is a very great danger to people's privacy.

My thoughts
I don't advocate the kind of usage that I've highlighted above, but I dont believe that ID cards will lead to this kind of usage provided it is taken into consideration. I'm not sure exactly what the home office has in mind for making private data available but I would propose the following.

  • No private company should be able to use the NIR to extract data, they may only check data they have been given againt it. (e.g. Rather than being able to ask "this is ID Card number 4612787295, this is their biometric, what are their details?" they can ask "This person claims to be Citizen Andreas of 26 Loyal Citizen street, their ID number is 4612787295 and this is their biometric, are these details correct?")

  • Only a very limited set of companies (I'm mainly thinking banks and financial institutions) should be permitted to make use of the IRN (this would prevent the kind of privacy abuse noted above.

I'm currently in two minds as to whether companies should be allowed to check data they have without a card number and biometric. This would allow marketing companies who send out large mailings to eliminate out of date addresses. I'm open to opinions on the subject.

If these kind of concerns are taken aboard I think it is possible to have an ID card system that addresses many of the legitimate privacy concerns.


Jeremy Wickins said...

That's an interesting article, Citizen, I think you are being a bit naive. I am conducting PhD research on the risk of biometrics leading to social exclusion, and below is a quote from my draft thesis:

"... biometrics, in some scenarios, will form the gateway to social goods such as state financial benefits and health care,(“ID card database to support a public service delivery agenda”,, December 6th, 2004. ( =news)), employment, and semi- and wholly-private goods such as lending libraries and video rental stores. Giving evidence on the Identity Cards Bill 2004, when asked whether libraries and video rental shops might be allowed to require the ID card the then UK Home Secretary told the Home Affairs Committee, “Wherever someone is required to prove their identity and those operating that particular service have registered so they can use a [ID card] reader then that would be fine.” (House of Commons Home Affairs Committee, Minutes of Evidence, May 4, 2004). Clause 14, subsection 5 of the Identity Cards Bill 2005 enables an accreditation scheme to be set up, allowing private organisations to apply for approval to make checks of ID cards. See the Bill’s Explanatory notes, paragraph 97. ( Once biometrics identity cards become established by law, it is likely that, either as a result of further direct legislation, or for convenience, the use of the cards, and therefore biometrics, will also become necessary for other goods such as: access to professional services such as solicitors and accountants (‘New client? ID card please’, Accountancy Age, December 2nd, 2004. http:/; access to financial services such as opening a bank account; and housing, either rented or bought, temporary or permanent."

I spend a lot of time in the Czech Republic, where they have ID cards, and from my experience there, that IRN will be used for more things than you can shake a stick at - from accessing your bank account to checking in a a hotel/B&B.

Incidentally, has anyone else noted that ID cards are often associated with countries that have had, or have just acquired, oppressive regimes ...?

Citizen Andreas said...

The Home Secretary's answer is puzzling, a registration system exists, although he does not expressly rule out any particular type of business from using the system.

Personally I see no reason why a video store or library would need to be so absolutely certain of someone's identity. I think that overuse of ID checks could pose a potential security hazard (i'll cover this in a later post).

In the case of solicitors,accountants and financial institutions, if legislation were to come about to require the capture of ID information, the key to privacy depends on what ID information is logged in the audit trail.

Personally, I've never thought of Sweden, Spain of Germany as that opressive.

Oliver_Coombes said...

Honestly, people like you wolf down Tony Blair's crap and tell us it tastes like honey.

I will never register for, or carry, and ID card. NEVER! You might as well write to your buddy John Reid and tell him to ready a cell for me.