The title of the talk was “The Future of Privacy” and Schneier’s treatment of his topic was comprehensive. He started by listing some technologies and practices that can threaten our privacy: overt surveillance systems; mobile phones, RFID tags and the like that produce personal information as a byproduct; automatic identification technologies such as ANPR; and unique identifiers in gadgets such as digital cameras or colour laser-printers.

Schneier reminded us of his famous saying, that just as greenhouse gasses are the polution of the industrial age, data is the polution of the information age. Data is generated when we transact business, swipe our loyalty cards, use a travel card or drive through an automatic toll-booth. We give it away when we socialise by email, instant messenger and Facebook. Sometimes other people release data about us – possibly without our consent. As the cost of processing and storing all this information falls to zero even data of marginal value becomes worth keeping. In fact it’s often cheaper to keep everything than to decide what should be deleted! Data that was ephemeral 20 years ago is now stored.

In the information society most data about us isn’t controlled by us. In the US, laws protect the data that is under our control, but in the information society it tends not to be. Our Gmail, phone records, medical records, financial transactions and photos of us on Facebook are all controlled by someone else. EU law is substantially better in this area but it could still be improved.

Such a wealth of data enables new forms of surveillance. For example, surveillance can now occur backwards in time. This was done in London after the 7/7 bombings – the people responsible, and the route they took on the day, were identified after the fact from surveillance-system footage. Pervasive data collection also enables wholesale surveillance – not “follow that car” but “follow every car.”

What will be the privacy impact of our society’s continuing technological advancement?

Schneier believes a step change is coming. We live in a unique time: cameras are everywhere AND we can see them; identity checks happen all the time AND we know they’re happening. However technology is a great distrupter of equilibriums and Moore’s law is a friend of intrusive tools. Soon face-recognition software will obviate the need to carry ID – when you walk into your workplace they’ll already know who you are and whether you’re supposed to be there.

New invasive technologies will emerge and become pervasive: digital video surveillance with automatic face recognition; networked cameras that can track people through a city automatically; better tracking of our personal devices through their radio signatures or RFID tags; better quality images from cameras. Our era will herald the death of ephemeral conversation. Soon everything we say and do will be on the record. We could try to reject these technologies, but once general adoption occurs, opting out starts to look suspicious. In some cases the authorities have already argued that, “They left their mobile phone at home, which shows they didn’t want anyone to know where they were going.”

What can we do about these threats to our privacy?

Schneier doesn’t believe we can engineer our way back to a more private world. Privacy-enhancing technologies already exist and they could go a long way towards retoring the balance if they gained widespread adoption. However people are seduced by convenience so they tend to make bad privacy trade-offs. We’re on Facebook because our friends are, and while we’re chatting to them we’re focused on the conversation, not on how much data we’re releasing or to whom.

A lot can be done by paying attention to the default settings of software and systems. Most of us won’t change these so if they are secure from the outset any loss of privacy will be minimised. However companies like Facebook make more money the more public we make our data so there’s no incentive for them to set privacy-enhancing defaults.

We need to press for legislation that protects privacy: comprehensive laws regulating what can be done with personal information about us and more privacy protection from the police. However the law finds it difficult to keep up with the pace of technological change.

We also need to start talking about the value of privacy. We want it as a social good. Individual privacy protects us from those in power and it’s also a fundamental human need. Privacy is a part of dignity.

Schneier rejects the security versus privacy notion as a false dichotomy. Only identity-based security reduces privacy and the effectiveness of this is limited. Physical security measures such as locks and burglar alarms don’t reduce privacy. Nor does knowing that you might have to fight back if terrorists hijack your flight. We don’t need to know who’s sat next to us on an aeroplane – we just need to know know whether they’re planning to blow it up! However checking intent is difficult so we check identity instead and pretend that’s the same thing.

Privacy and openness have different effects on Governments and citizens. Government secrecy increases its power whereas transparency and openness reduces it. Conversely, forced openness in people increases the inbalance in power between them and the state, yet forced openness in Government reduces the gap. The balance we need to strike is between liberty and control not privacy and security. Real security comes from having both liberty and privacy.

The above notwithstanding, sometimes we are forced to trade between security and privacy, for example when we give the police the power to search our homes. In such cases we can maintain the balance of power through audit and oversight. Search warrants are a security measure that restrict police searches to only those cases where a magistrate – an impartial advocate for the suspect – can be convinced there are reasonable grounds for suspicion.

Schneier concluded that the death of privacy is over-stated. Left unregulated and unconstrained, technology tends to tip the balance of our society against individual privacy, however it doesn’t make the balancing act go away. Society can choose to deliberately reset the balance with legislation.

We may ultimately have to wait for a new generation of digitally-savvy lawmakers to take office before the the future of privacy can be guaranteed in the information age.

Colour me unsurprised.

The consultants who carried out this work are from the same community of experts who have been warning [pdf] that the cards would be cracked since the Home Office first disclosed the mechanics of the scheme.

The alterations can be detected with a check against the National Identity Register (assuming this hasn’t also been compromised) however each such look-up will cost around £2. The Government expects the majority of transactions will be authorised through local checks rather than referring back to the central database.

Once someone automates the attack and publishes their code on the Internet, anyone with half a brain, the right mobile phone and access to the world-wide web will be able to change their Government-issued identity at will. As the cards use RFID chips this could be done in seconds while on the move. You wouldn’t even have to remove your card from your wallet.

Disturbingly, your card could also be changed without your knowledge by someone standing close to you, or from dozens of feet away with the right sort of radio antenna hooked up to a portable computer. The process leaves no trace, so when your card is subsequently checked against the database and is found to have been modified, it will be impossible to determine when the changes were made or by whom.

Possessing a falsified ID card could land you with a fine and up to two years in gaol. Owning the equipment or software needed to make the changes could be enough to win you a decade-long stay at Her Majesty’s pleasure. [Identity Cards Act 2006 s25 and s29].

If it weren’t for these stiff penalties, I’d be tempted to suggest the ability to change the details on your own ID card is an unintended benefit of the scheme, not for the Government but for those who value their privacy.

The National Identity Register will store fifty different classes of information about you in a collection of linked databases. The Transformational Government project (also known as the Database State initiative) plans to share all of this information with any official who cares to look. This is the antithesis of the “least privilege” security principal: that people should be given access to just enough sensitive information to do their job, but no more. For example you may wish to tell your doctor about your medical history but not about your bank balance or speeding fines. The ID card scheme wrests from you control over your personal information and gives it to the state: it will not be possible for individuals to choose which “registrable facts” about them are made available to whom.

It would be possible to regain some of this control, however, if we were able to change at will the details stored on our own ID cards. Facts that we are not willing to share could be either falsified, replaced with nonsense or erased. A mobile phone “identity management” application could be written to store multiple personality profiles for your ID card. Using this, you could switch between personae as the need arises, perhaps even employing your phone’s in-built GPS chip to make sure the “Mr. Smith” profile is on the card when you’re at the Doctor’s surgery and the “Mr. Jones” profile is active when visiting your bank. Being able to compartmentalise your relationships with third parties in this way would be a very strong personal privacy measure.

Yep, that’s right, I have just suggested committing fraud to regain some control over your identity in the event that you are made subject to the ID cards scheme. It’s a damning indictment of the relationship between UK citizens and the state that we should have cause to consider this at all. It’s a more damning indictment of the Government’s competence and character that it chose to pursue this illiberal scheme despite strident warnings and opposition from just about everyone who knows anything about security and technology. “We told them so” brings cold comfort after so much money and freedom has been wasted.

As each nail in the coffin of the ID cards scheme is hammered home the true motivation of the Home Office in persuing such an abysmal farce becomes ever more clear. If the Government understood security and respected individual privacy they would allow each of us to choose how much personal information we want to reveal to others. Instead they are trying to assume control over our identity, to nationalise it in a register that is not only a gross violation of the right to a private life, but will also lock those who conform into a system of fines and a lifetime of administrative strife. All in the pursuit of the ultimate bureaucratic convenience.

The confirmation that ID cards are totally insecure is a mortal wound. If the Government doesn’t now scrap this benighted scheme then we must scrap this Government at the General Election.

UPDATED 10/8/09 14:00 to add:

The Home Office has apparently turned down repeated offers to demonstrate this breach by the researchers who discovered it. A spokesperson said that the story was rubbish. The Home Office has published details of the encryption technologies used by ID cards scheme.

I’m disappointed, but not surprised, that the Home Office thinks security is a product which, if sprinkled liberally over a system in a manner similar to magic pixie dust, will somehow make it impervious to attack. It’s no good having “elliptic-curve cryptography” and “root certificates with RSA 4096-bit strength keys” if the system allows these things to be tampered with or circumvented.

Props to the Home Office spin department though: releasing the geeky details has distracted at least some of the press from holding them to account on the principles of the scheme.

Under the guise of improving passport security, the Identity and Passport Service (IPS) will begin forcing all new applicants to register with the ID cards database from April this year.

This morning, IPS Chief executive James Hall was in full spin mode: “I think people will recognise that its appropriate once in their lifetime to go through a little bit more inconvenience in order that we can ensure the integrity of the passport document.”

I would agree with interviewing applicants if the purpose of this exercise was only to improve passport security, but it isn’t. Once you’ve submitted to the interrogation, and your eligibility for a passport has been established, you will then be forcibly registered on the Government’s ID card database.

There’s no need for this. The only reason passports are being linked to ID cards is to ensure the Government gets that file on your private life it so desperately wants. It won’t improve passport security one iota, and you’ll be exposed to all the risks and disadvantages of having everything about you recorded in a massive online database.

Of course it’s not compulsory to have a passport, so the Government can call ID cards “optional” on a technicality. However there are many whose jobs require foreign travel. How voluntary will registration feel to them? Not to mention anyone who has relatives abroad, or would perhaps like to take a foreign holiday.

If you’re over 16 you can spare yourself the ignominy of an “intrusive interview” (the Government’s words) and keep yourself off the National Identity Register for ten years by renewing your passport now. If you don’t already hold one, you need to do this straight away, as the interrogations will begin for new applicants in April.

More info can be found at Renew For Freedom.

Apply now and tell your friends.

In my letter, I argued that safeguards on the NIR should be at least as strong as those protecting your home and business premises from being searched by the state. This would mean the police and security services would require a warrant or court order to gain access to your identity.

I’m happy to report that Mr. Hall has replied. I’m less happy to report that his response is far from comforting:

“You ask whether access to the database will be subject to obtaining a court order or warrant …

“Requests for information will not be granted automatically but will be subject to rules under section 21 of the Act … [This section] provides for regulations to be made concerning how the request for information should be made, at which level of seniority the power to request information may be given, and other requirements which requests must satisfy.

“These regulations will be subject to the affirmative process, meaning that they must be approved by both Houses of Parliament before coming into effect. Once arrangements are in place, they will be subject to oversight by the National Identity Scheme Commissioner in the case of the police and by the Intelligence Services Commissioner in the case of the security services.”

Mr. Hall seems to be saying that there are currently no rules governing access by the authorities to information about you held in the National Identity Register. They’re not sure how they’re going to control access, but you should be reassured that once Parliament has agreed a method, there will be a couple of Government quangos appointed to make sure it’s done right.

In other words, they haven’t thought about it yet.

This is why the Identity and Passport Service is unable to explain the safeguards planned to protect your identity from arbitrary intrusion by the state.

There are none.

In my experience, security has to be considered from the start of the project lifecycle to stand any chance of being effective. Sadly it seems the Home Office and the IPS are leaving it all until later, when the implementation of effective security will be much more expensive and difficult (perhaps impossible).

The Government wants to assume responsibilty for your identity. Shouldn’t they also take responsibility for protecting it?

No, silly me: if they wanted to do that they wouldn’t have dreamed up this ridiculous ID cards scheme in the first place.

“…it seems to me debatable that we are actually entering a surveillance society – and the things which are normally pointed at, like CCTV cameras, are usually being introduced under public pressure to increase personal safety. I don’t think that ID Cards will threaten personal privacy. Rather the reverse; they will likely reduce the number of times you have to reveal personal information and increase the security of your personal data. Maybe we should start arguing the case that ID Cards will reduce the threat of the Surveillance Society and help safeguard civil liberties.”

This statement is all kinds of wrong! Your right to privacy is your right to be known by only those people you trust. A National Identity Register would mean you are forced to trust the system, the operators, the Government, the technology, everything that it relies upon and everything that relies upon it. This sounds to me exactly like the kind of disproportionate and systematic privacy intrusion that would indicate a surveillance society.

Among the many other issues that were discussed, the subject of who will have access to the data on the National Identity Register was broached. Here’s another extract from the transcript:

Michael Anderson: How many people will have access to the data collected in relation to ID cards?

James replies: Michael, thanks for the question. The Identity and Passport Service today has 3,800 employees, of whom just over 3,000 are involved in authorising passports. We don’t yet know the future size of the organisation but we do not expect it to be greatly larger than the current organisation. Other organisations will be able to verify their data against the National Identity Register, but they their employees will not have access to the register itself. You might be interested to know that this can already happen with passports presented as proof of identity when opening a bank account or taking out a loan. This is proving very effective in discouraging fraud.

Noting that Mr. Hall had carefully avoided answering the question, I asked a follow-up:

Richard: Your answer to Michael Anderson doesn’t take into account the Police, Goverment departments or the security services. What is the real figure?

James replies: Richard, I take your point. The Identity Cards Act does allow information to be provided from the register to police and security services where it is necessary in the public interest for the prevention and detection of crime. The people who would have access will be IPS staff who will able to provide the information.

I then sought to find out whether a court order or warrant would be needed before access to our private data would be granted. This would seem reasonable, as oversight by the courts is a security measure against undue invasion of privacy by the state. Similar rules safeguard your home and business premises against unwarranted intrusion. However, Mr Hall declined to answer my second question.

I don’t want ID cards, but if they’re forced upon us, the least I expect is for there to be proper oversight of the system and strong safeguards against improper use of the information stored therein. If we’re to believe that the system will not be used for indiscriminite surveillance, reassurances in this area are essential. I’ll therefore be writing to James Hall to seek clarification. I’ll let you know what I find out.