Individual control of personal identity data
My identity should be my responsibility. This implies that the information about my body should be under my control and not that of the state or any other institution. Other people, the state and other institutions need only enough access to this information to prove that I am who I claim to be.
The suggestion is to put citizens in control of their own identity by means of a trusted third party which will hold the data and make selected parts of it available on a need-to-know basis.
Here is how I see the details:
- The trusted third party would be known as an Identity Data Holder (IDH). There can be a number of these with citizens free to choose which one they use.
- IDHs need to be constituted so that they are trusted by both the state and its members.
- I suggest that IDHs would be best constituted as mutuals, owned by the Members whose identity data is being held. For myself, I would feel that my privacy is more secure without a set of shareholders or a corporation with interests that might conflict with mine.
- There are a lot of potential automated biometrics, e.g., fingerprints, iris scans, voice prints, facial metrics and signatures. The identity of an individual is confirmed by scanning with the appropriate scanning machine.
- The IDH will hold a comprehensive set of tests for each of their customers along with other personal data such as medical records and DNA data.
- I understand that all current biometric techniques can give wrong results and clearly not all are applicable to all individuals; for example, fingerprints can be worn away by handling abrasive objects such as bricks, and there is a medical condition in which the iris is missing.
- Every resident is issued with a unique identity code. It would not be particularly secret and would be used by various state and other bodies, for example the Benefits Agency and banks. The intention is that this would provide a unified system, replacing credit cards etc.
- When the individual needs to establish their identity to an Authority[1], they will present their identity code, which might be on an ID card, a mobile telephone, an implanted chip or tattooed bar code. This code will have the identity of the IDH appended. The Authority will use whatever scanners they might have and transmit the result to the IDH, who will test it and reply with a yes/no/uncertain. Depending on the importance of the transaction, the Authority may try alternative scanners.
- For less important transactions, or where internet connection is difficult, there would be a Chip and PIN alternative.
- The IDH may with advantage keep an archive of the descriptions coming in from customers and use this to check for irregularities that might indicate malevolent activity.
- Each IDH will have a duty to establish that every one of their customers is unique. This will require routine checking with all other IDHs. It would do this by periodically scanning each customer with all current relevant techniques and sending the descriptions to the other IDHs, who would run tests against all their own customers. The enquiring IDH would be informed of any positive results but not the identity of the individual. Cases where a number of different biometrics give positive results would need closer investigation. This might happen with identical twins, for example, or it might be one individual attempting to cheat by establishing two identities.
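The verification exchange sketched in the list above, as an added example that is not part of the original essay: the Authority holds only the presented identity code and fresh scans, the IDH holds the enrolled templates and answers yes, no or uncertain, and the Authority falls back to another scanner when the answer is uncertain. Templates are modelled as equal-length bit strings compared by Hamming distance; the "CODE@IDH" code format, the thresholds, the archive layout and the irregularity rule are assumptions made for illustration.

```python
"""Added example, not part of the original essay: a toy model of the
verification exchange between an Authority and an Identity Data Holder
(IDH).  No biometric data flows back to the Authority, only a verdict.
Templates are bit strings compared by Hamming distance; the code format
"CODE@IDH", thresholds and archive layout are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    YES = "yes"
    NO = "no"
    UNCERTAIN = "uncertain"


MATCH_THRESHOLD = 4    # assumed: at most this many differing bits -> yes
REJECT_THRESHOLD = 10  # assumed: at least this many differing bits -> no


def hamming(a: str, b: str) -> int:
    """Number of differing bits between two equal-length templates."""
    if len(a) != len(b):
        raise ValueError("template length mismatch")
    return sum(x != y for x, y in zip(a, b))


@dataclass
class IdentityDataHolder:
    name: str
    templates: dict = field(default_factory=dict)   # code -> {modality: template}
    archive: list = field(default_factory=list)     # (authority, code, modality)

    def verify(self, code: str, modality: str, sample: str, authority: str) -> Verdict:
        """Test one scan against the enrolled template and archive the request."""
        self.archive.append((authority, code, modality))
        enrolled = self.templates.get(code, {}).get(modality)
        if enrolled is None:
            return Verdict.UNCERTAIN        # unknown code or modality not enrolled
        distance = hamming(enrolled, sample)
        if distance <= MATCH_THRESHOLD:
            return Verdict.YES
        if distance >= REJECT_THRESHOLD:
            return Verdict.NO
        return Verdict.UNCERTAIN            # borderline, e.g. a worn fingerprint

    def irregular_codes(self, max_authorities: int = 2) -> set:
        """Codes presented at more distinct Authorities than an assumed norm
        (the essay's check of the archive for irregularities)."""
        seen = defaultdict(set)
        for authority, code, _ in self.archive:
            seen[code].add(authority)
        return {code for code, auths in seen.items() if len(auths) > max_authorities}


def authority_check(idhs: dict, presented: str, scans: dict, authority: str,
                    modalities: list) -> Verdict:
    """Authority side: parse 'CODE@IDH', try the scanners it has in the given
    order and stop at the first definite answer (the 'alternative scanners')."""
    code, idh_name = presented.split("@")
    verdict = Verdict.UNCERTAIN
    for modality in modalities:
        if modality in scans:
            verdict = idhs[idh_name].verify(code, modality, scans[modality], authority)
            if verdict is not Verdict.UNCERTAIN:
                break
    return verdict


def demo() -> dict:
    """Constructed enrolment and scans; returns the verdicts for four scenarios."""
    idh = IdentityDataHolder("MutualOne")
    idh.templates["C-1001"] = {"finger": "1010110011010011", "iris": "0110001110101100"}
    idhs = {"MutualOne": idh}
    order = ["finger", "iris"]
    return {
        # genuine holder, 2 bits of sensor noise -> yes
        "genuine": authority_check(idhs, "C-1001@MutualOne",
                                   {"finger": "1010110011010000"}, "BankA", order),
        # someone else presenting the code with their own finger (13 bits differ) -> no
        "impostor": authority_check(idhs, "C-1001@MutualOne",
                                    {"finger": "0101001100101011"}, "BankA", order),
        # worn fingerprint (5 bits differ) -> uncertain, so the iris scan decides -> yes
        "step_up": authority_check(idhs, "C-1001@MutualOne",
                                   {"finger": "1010110000101011",
                                    "iris": "0110001110101100"}, "Benefits", order),
        # code not enrolled at this IDH -> uncertain
        "unknown": authority_check(idhs, "C-9999@MutualOne",
                                   {"finger": "1010110011010011"}, "Transit", order),
    }
```

The point of the split is where the data sits: the IDH never learns more than which Authority asked about which code, and the Authority never receives a template, only a verdict it can act on or escalate.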
So far we have seen how the system could allow an Authority to establish that an ID code belongs to the individual presenting it. It would do this with as high a degree of certainty as needed, without giving away anything else.
This is the primary function of the system, however there are other functions that the system could provide, but only if doing so does not compromise this primary function:
- Storing medical records and making them selectively available, e.g. to a GP
- Making a subset of these available in an emergency
- Providing an anonymous but checkable vote.
- Making selected data available to bona-fide medical researchers
- Controlled access for criminal investigations.
- Control of non-citizens.
- Automated charging for services, e.g., ticketless public transport.
- Providing the security behind e-payments schemes, such as Oyster (London Underground), Octopus (Hong Kong), Dexit (Toronto), e-points
- On-line access to restricted sites.
Privacy should be regarded as a privilege that should be granted to all law-abiding citizens. It can be withdrawn from citizens involved in illicit activities, for example a citizen attempting to use someone else's identity. It may also be useful as a weapon against drug use.
Non-citizens fall into two categories, authorised and unauthorised. The former would be mainly visitors holding passports with a legitimate reason for their visit. Eventually international agreements and standardisation might allow them to use their own ID abroad, otherwise some sort of limited ID would be required.
Unauthorised non-citizens include illegal immigrants, asylum seekers and over-stayers. They would be issued with IDs by a state controlled IDH. The primary objective is to keep track of these individuals so that the complex process of determining status can be done without having to impose expensive and inhumane restrictions. They would not have the privilege of privacy.
The system has to be proof against all sorts of abuse, from:
- The state, e.g., to persecute a minority
- Corporations, e.g., to influence potential purchasers or voters.
- Hackers, who would see it as another challenge
- Identity theft, e.g., to access bank accounts
- Theft of identity cards
- Criminal infiltration of the IDH, e.g. a staff member passing out information
- Take over of the IDH by a shady operator, such as a corporation set up as a front for organised crime.
- The setting up of an IDH by a group of customers with an illicit intention, such as a group of paedophiles or armed revolutionaries.
- Incompetent management.
If IDHs were constituted as Mutual Societies, all Members would have the same involvement and an equal interest in efficient holding of their data. There could be a requirement that Directors are positively vetted for absence of criminal links, similar to the case of the people who run casinos.
The Mutual Society could contract out the actual running of the computer systems, possibly to a bank, which has experience of running secure systems.
The aim would be to make the use of a stolen identity, by presenting someone else's identity code, very hazardous because:
- The thief would not know which biometrics might be applied so, even if they had the skills to fake specific techniques, they would not be able to fake them all and would not know which ones might be used.
- The IDH could use routine biometrics to identify the thief. The chances are that the thief would already have forfeited their privacy.
Each IDH would have to finance itself. Sources of income could include:
- A charge per identification. The identity code would serve instead of a multitude of bank cards. It would be presented by the customer, who would indicate which of their accounts they wished to use. The bank would pay a transaction fee for the identification service similar to the current cost of establishing identity.
- A membership fee
- Sale of data, rendered anonymous to the satisfaction of Members, e.g., to pharmaceutical companies.
Why would anyone want this scheme?
- To establish the principle that data concerning my body belongs to me and not the state or the health service.
- To prevent access to this data by a malevolent authority.
- To prevent access by corporations, who are becoming increasingly capable of manipulating us by deducing our buying and voting intentions from existing databases.
- To streamline routine transactions, e.g., credit card purchases, use of public transport
- For personal safety by making theft of a card by a pickpocket or mugger unattractive and carrying loose currency unnecessary.
- To make access to bank accounts etc. more secure by making identity theft as difficult as required.
- To forestall any attempt by the government to instigate an unsatisfactory and expensive ID scheme.
- To give a paramedic instant access to the specific medical data that they need to know in the event of an accident.
- The technology for decoding DNA is improving rapidly and individuals will have the option of getting an increasingly larger part of their genome read. This data could be used against the individual, for example by genetic markers that indicate race or insurance risks. It can also be used in ways that are beneficial to the individual. This scheme gives control of who has access to this data to the individual.
We were probably all impressed at the speed with which the police apprehended the failed bombers in the recent attempt, but perhaps we should be a bit concerned about the march of CCTV installations and the continued development of automatic identification technology. Big Brother is indeed watching us and is increasingly enabled to do so by this technology in a way that was just not practical in 1984.
The proposed government ID card scheme has come in for a lot of criticism. The main points are:
- It is expensive
- The government's record on setting up major IT projects is not good
- There are civil liberties issues. In the extreme, a future fascist state could use it to identify racial groups it wants to exterminate.
- It will commit to specific biometric techniques. Current techniques are imperfect and the technology can be expected to develop.
- It makes the citizen's personal data the property of the state, which they could sell to whom they please. This has already been suggested as a means to finance the scheme.
Why would the government welcome this scheme?
- It provides a way out of the dilemma of promoting a policy that is unpopular, expensive and unlikely to work, as against not promoting this policy and being perceived as soft on terrorism etc.
- It provides the potential of a checkable, anonymous, remote voting system.
- Benefit cheating can be made far more difficult.
- Fully implemented, the use of this scheme would become ubiquitous, so that people would choose to carry and use the card instead of bank cards, door and car keys, and tickets for public services.
- Non-citizens would not have the privilege of privacy and because it would become difficult to lead a normal life without having and using a card, the government will have a powerful tool for keeping track of this group of people, without infringing the civil liberties of citizens.
- Removal of the privilege of privacy would form a useful new form of punishment for certain persistent offenders.
Use of the system to identify miscreants.
This is the difficult one! On the one hand it seems a good thing for criminals to be identified more accurately, but on the other there is a need to protect members engaged in legitimate but unpopular activities. In the end I think there are crimes so horrific that we would want the police to identify DNA left at the scene of the crime, but there needs to be a procedure to supervise the process to avoid abuse of the system.
In any enquiry the initial response of the IDHs would be to require the individual detective to identify themselves. The next stage would allow the detective to make an enquiry about the existence of a person with a specific biometric. This would go to all the IDHs and the result would be the number of fits and an estimate of the reliability of the identification. To get the actual identities the detective would apply to an independent supervisory person, maybe a magistrate, to confirm to the IDH that this was a serious crime. The IDH would then give the identity, provided the reliability of identification met suitable guidelines. All steps in this process would be documented. The police would not be allowed to build up their own database by retaining this identification data; however, they would have access to a far more comprehensive database of biometric data than they could ever hope to amass themselves, coupled with supportable statistics of reliability. Controlling and supervising access would ensure the ideal of policing by consent.
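The three-stage enquiry described above, as an added example that is not the essay's own code: stage 1 checks that the detective is registered, stage 2 returns only a count of fits and a reliability estimate from every IDH, and stage 3 names a person only when an independent supervisor (the magistrate) has authorised that specific enquiry and the match reliability clears a guideline threshold. Every step is appended to each IDH's audit log. Reliability is modelled as the fraction of agreeing bits between bit-string templates; the names, thresholds and warrant fields are assumptions made for illustration.

```python
"""Added example, not the essay's own code: a toy model of the supervised
biometric enquiry.  IDHs answer stage 2 with counts and a reliability figure
only; an identity is released only under a valid warrant and a clear match.
Reliability is the fraction of agreeing bits between bit-string templates;
names, thresholds and the warrant fields are assumptions."""
from dataclasses import dataclass, field

FIT_THRESHOLD = 0.75      # assumed: reliability needed to count as a "fit"
RELEASE_THRESHOLD = 0.9   # assumed guideline: reliability needed to name a person


def reliability(template: str, sample: str) -> float:
    """Fraction of agreeing bits; 1.0 is a perfect match."""
    return 1 - sum(x != y for x, y in zip(template, sample)) / len(template)


@dataclass
class Warrant:
    enquiry_id: str
    detective_id: str
    supervisor: str          # e.g. the magistrate who confirmed a serious crime
    serious_crime: bool


@dataclass
class Idh:
    name: str
    records: dict                                   # identity code -> template
    audit: list = field(default_factory=list)       # (step, detective, detail)

    def count_query(self, detective_id: str, sample: str) -> tuple:
        """Stage 2: number of fits and best reliability; no identities."""
        scores = [reliability(t, sample) for t in self.records.values()]
        fits = [s for s in scores if s >= FIT_THRESHOLD]
        self.audit.append(("count", detective_id, len(fits)))
        return len(fits), max(fits, default=0.0)

    def identity_query(self, detective_id: str, sample: str, warrant: Warrant):
        """Stage 3: release one identity only under a valid warrant and an
        unambiguous match above the guideline threshold."""
        self.audit.append(("identity", detective_id, warrant.enquiry_id))
        if not (warrant.serious_crime and warrant.detective_id == detective_id):
            return None
        fits = [code for code, t in self.records.items()
                if reliability(t, sample) >= RELEASE_THRESHOLD]
        return fits[0] if len(fits) == 1 else None   # ambiguous -> no release


def run_enquiry(idhs: list, registered: set, detective_id: str, sample: str,
                warrant=None) -> dict:
    """Drive the stages across all IDHs; the police side keeps only the answer."""
    if detective_id not in registered:                    # stage 1
        return {"error": "detective not identified"}
    counts = [idh.count_query(detective_id, sample) for idh in idhs]
    result = {"fits": sum(n for n, _ in counts),
              "best_reliability": max(r for _, r in counts),
              "identities": []}
    if warrant is not None:                               # stage 3
        for idh in idhs:
            identity = idh.identity_query(detective_id, sample, warrant)
            if identity is not None:
                result["identities"].append(identity)
    return result


def demo() -> dict:
    """Constructed records and a scene sample one bit away from one template."""
    idh_a = Idh("MutualOne", {"A-1": "1100101011010010", "A-2": "0011010100101101"})
    idh_b = Idh("MutualTwo", {"B-1": "1111000011110000"})
    idhs, detectives = [idh_a, idh_b], {"det-42"}
    sample = "1100101011010011"
    out = {
        "unregistered": run_enquiry(idhs, detectives, "det-99", sample),
        "count_only": run_enquiry(idhs, detectives, "det-42", sample),
        "unauthorised": run_enquiry(idhs, detectives, "det-42", sample,
                                    Warrant("E-1", "det-42", "magistrate", False)),
        "authorised": run_enquiry(idhs, detectives, "det-42", sample,
                                  Warrant("E-2", "det-42", "magistrate", True)),
    }
    out["audit_entries"] = len(idh_a.audit) + len(idh_b.audit)
    return out
```

The unregistered request leaves no trace at the IDHs because it is refused before any query is made, while every count and identity query, authorised or not, is logged, which is what makes the supervision the essay asks for checkable after the fact.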
[1] An "Authority" would include banks, who are there to serve their customers as well as the tax office which exists to serve the state.