Report - Guardian

110 The LSE Identity Project Report: June 2005Will identity cards facilitate identity fraud?Quite apart from the overall cost to the taxpayer of initiating a national identity cardscheme, recent estimates of the cost to individuals of buying an identity card run to £93per person. 294 This is, quite simply, beyond the means of many citizens and mayconstitute a further incentive for criminals to invest in pioneering identity card forgery.Perhaps an easier route than forgery is persuading an insider in the identity card issuingcentre to issue a false identity, either with money, through blackmail or throughcollaboration. The deterrents intended to stop this type of activity which are containedin the Bill would only be effective if there was a significant fear of apprehension. Yetinsider fraud is endemic to organisations of all forms.Another possibility is that the guardians of the database themselves make a securityerror, opening up the records of many ordinary citizens to an unscrupulous few. There isplenty of form for this sort of thing from the biggest of businesses, such as Choicepointand Bank of America. 295 Given the fact that government websites are premium targetsfor malicious hackers, it is reasonable to assume that, sooner or later, the database’ssecurity will be breached, probably on multiple occasions. This opens up the possibilityof existing details being stolen or changed, either accidentally or otherwise, and it ispossible that someone might find a way to create new records. The Prime Minister’sOfficial Spokesman has said that:“The national register of information would be protected and peoplehad that assurance.” 296In guaranteeing that the national identity database will be secure, the government isignoring precedent. No database’s security can be guaranteed, particularly one thatcontains this amount of information, which will likely be accessed millions of timesevery day, with data changed on thousands of individuals every day, and particularlywhen this information is so valuable.One of the worries of a centralised database which is supposedly secure is that, if forsome reason an ordinary citizen’s identity information is changed and becomesinaccurate, he may not know it for a considerable time. The studies in the US indicatethat many forms of fraud remain unknown to the victim for a number of years. 297 Oncehe does find that his record is inaccurate, it may be too late if he has already sufferedsome detriment. If the cultural perception is that the database is ‘secure’ there may be aneffective reversal of the burden of proof such that the victim of the inaccurate recordmust effectively prove that it is inaccurate. Section 12 of the Identity Cards Bill(notification of changes affecting accuracy of Register) does nothing to assuage thesefears, requiring the individual to provide proof that the entry in the register is inaccurateand that the information he is putting forward is accurate. In our extensive experiencewith information systems across many organisations, we have never found a databasefree of errors and inaccuracies; limiting these problems is one of the key purposes ofdata protection law.294 Home Office Identity Cards Briefing, May 2005 http://www.homeoffice.gov.uk/docs4/Id_Cards_Briefing.pdf295 http://www.securityfocus.com/columnists/305296 Morning press briefing 1100 BST from 25 May 2005 http://www.number-10.gov.uk/output/Page7548.asp297 FTC report.