Respond to the Scottish Identity Database Consultation Today

tl;dr Go here, download the Respondent Information Form and submit this before Wednesday 25th February to say that the proposals require primary legislation and should only be put forward after full public debate has taken place around the issues given the fact that the proposals will fundamentally restructure the relationship of citizen to state.

It’s rare that I write something on my blog and ask people to act. But tonight is one of those exceptions.

A national identity card?

For many years, the concept of a national identity card has been put forward by various political parties around the UK. However, each time the topic has proved to be political suicide. Proposals have proved to be unpopular and consistently rejected by the electorate. Increasingly, as more people interact online, it’s become obvious that the risks of building up such a valuable store of information greatly exceed the potential benefits that any such scheme can deliver.

And yet, despite the general resistance to the concept of an identity scheme across the UK over the years, here in Scotland we face the very real risk that minor legislation that has been proposed to extend the functionality of NHS records will, in effect, have exactly the same effect by creating a national identity database.

I spent the evening tonight at an event organised by the Open Rights Group in Scotland who have taken on the important role of coordinating attempts to raise awareness and resistance to this legislation being enacted without appropriate levels of debate. The proposals come in the form of secondary legislation with a consultation period currently running under the slightly innocuous title of the Consultation on proposed amendments to the National Health Service Central Register (Scotland) Regulations 2006.

Legislation that has an impact way beyond your medical records

Before you go any further, I suggest you read ORG’s detailed response to the Consultation. The crux of the matter is this: if you live in Scotland, the chances are that the NHS already holds a record of the fact that you exist. But the problem is that this new legislation would enable the reference number that uniquely identifies you as an individual to be shared freely with another 100-plus Scottish agencies.

Why is this a big deal? The practical reality of the proposal as drafted is that it would create a Scottish identity database. We face a very real possibility that public bodies could then start to mine such data in order to build their intelligence about you in pursuit of ends that may directly conflict your own.

So, to use a simplistic example, seeing your choice of library books used against you when it comes to claiming unemployment benefit (too much fiction, not enough textbooks?) becomes a very real possibility. Or how about the fact that most people who undergo some form of addiction counselling would normally want that information to be restricted rather than being shared widely amongst thousands of employees across different organisations. And it’s not difficult to envisage a situation whereby a victim of domestic violence learns of the increased transparency about her personal details and therefore attempts to remain outside the health system with issues unreported in order to prevent an abusive ex-partner who works for a public body from tracking her down.

The proposed model does of course brings with it certain efficiencies. But the reality is that the risks of potential misuse arising from the collection of such information are huge. By creating a comprehensive list of personal identifiers, we create an environment within which the temptation to use such a treasure trove of information for irrelevant or minor uses will inevitably grow over time.

I’m not going to write more about the privacy debate here. There are plenty of well-rehearsed arguments from plenty of people who are far more eloquent than I can be who have written fantastic pieces detailing the risks of implementing similar systems over the years (I recommend reading Wendy Grossman’s excellent SCRIPT essay on identity cards from 2005). But I did want to point out the following:

The massive risk of centralisation

If there’s one thing I’ve learned from my time spent with decentralised systems around Bitcoin and the blockchain it’s this – design a system to protect value by putting everything within centralised locations and restricting access and you inevitably end up with a system that will always – always – act as a red flag to hackers.

The more valuable that data (whether it’s money or personal information), the greater the incentive to attack it once it’s stored in one location. We’re not there yet but blockchain technologies will solve this problem ultimately I’m convinced.

So we have a database – now what?

The question here isn’t necessarily whether or not we trust our public bodies to use such collected information for good. The question is whether we trust their defences to be 100% secure from any breaches (either internal or external). To save you the effort, I’ll answer that now. No, we can’t.

Whether we believe the future intentions of governments to be noble or not, the problem is that once such information has been handily compiled into a database, it cannot be somehow decompile so it will remain permanently at risk of being accessed by others. If you need an example, consider the fact that centralised security didn’t turn out so well for those world-leading experts in cyber-security the NSA did it?

Is the technology up to scratch?

The general consensus is that the technology systems utilised by the public sector in Scotland are lagging behind those in use down south. Not a good foundation to use for the storage of the crown jewels, as it were. If the NSA weren’t able to protect their own confidential data, I’m not convinced that the powers-that-be at Holyrood will be able to deliver a system that’s more successful in some way.

Have certain politicians changed their minds?

ID cards were rejected by many different politicians when the last serious attempt was made to introduce them a few years ago. That includes the SNP who are currently backing this legislation. Back in 2005, the Scottish Government actually published a paper on Identity Management and Privacy Principles (revised in October 2014) which explicitly stated that public bodies must avoid sharing persistent identifiers when it comes to identity. Yet that is exactly what is proposed in this model. Have certain politicians forgotten their previous position on this issue? Or are people simply not talking to each other?

Respond to the Consultation

This is in no way a comprehensive post that details all the key issues. It is, however, I hope a timely one in the fact that it is important for as many people as possible to both learn about the proposals and the fact that the Consultation itself closes in under a week. Regardless of your views – pro or anti – this is not by any stretch of the imagination legislation that should go through a democratic system without a wider public debate being held. It has the potential to fundamentally redraw the boundaries of citizenship within society and it needs more people to become engaged. This is not simply a Scottish debate. It’s inconceivable that if such a system is introduced in this country that it will somehow not be adopted south of the border at some point down the line.

Please do. You can respond to the consultation here.