Identity accidents waiting to happen – and they will

Published in Tribune, 7 December 2007

WHEN the child benefit CDs were lost in the post two weeks ago, putting 25 million people at risk of identity theft (and one Chancellor at risk of dismissal), I felt a distinct sense of déja vu. A few years ago, a chequebook my bank was sending me went similarly AWOL – and the first indication I had that anything was wrong was when a cash machine told me I was £14,500 overdrawn.

In the weeks that followed, this happened again and again. My bank’s security measures seemed powerless to stop the thieves from presenting my cheques – although they were able to tell me on one occasion that they had been used to buy fifteen grand’s worth of goods from a jewellery firm. For perhaps the only time in my life, I was thankful not to have that much money in my account: what saved me from ruin wasn’t any safety mechanism that the bank had, but that the dodgy cheques had bounced due to inadequate funds. My bank balance was quickly restored – but not my faith in the banking system and the Royal Mail.

It’s worrying to think there was nothing in the way of criminals stealing my money other than me not having any for them to steal. The first line of defence – the signature line on the cheque – did nothing. The sophisticated anti-fraud monitoring that seems to kick in and block my Visa card whenever I buy a computer game or go on holiday didn’t see anything odd in a 21-year-old student’s cheques being used to buy diamonds. And despite me warning the bank as soon as I became aware of the problem, the dodgy cheques kept being cashed.

All this makes me rather worried about the national identity register that the Government plans to bring in alongside its ID cards scheme. If a bunch of criminals in league with a dishonest postman can steal £15,000 from a bank account using a chequebook and a forged signature, what could a determined crook do if the wealth of information that the Government is collecting on us fell into his hands?

I fear that ministers are yet to understand the nature of the beast they are creating – and their response to the benefit CDs debacle hardly inspires confidence that they are going to any time soon. They seem set on blaming individuals and specific failures, rather than recognising that there are systemic (and inevitable) risks in such complex systems. Eliminate one problem and another will pop up.

The ID cards and database scheme is running into political trouble now, but it could still go through if the Government promises new safeguards. However, the trouble with massive technological projects such as the national ID register is that complexity multiplies the possible failure points – and it quickly becomes impossible to guess where the next problem will arise. The risk doesn’t just lie in the implementation of such a scheme. Even a perfectly executed ID database would be an accident waiting to happen.

The sociologist Charles Perrow identified this sort of problem in his fascinating 1984 book, Normal Accidents. In it, he argued that accidents or blunders in highly complex and tightly integrated modern technologies are defined by unpredictable interactions between components of the systems. Often, he pointed out, even safety features end up causing new risks because of the increased complexity they bring.

And Government IT programmes such as the child benefit database or the national ID register are remarkably similar in nature to the technologies Perrow discussed more than 20 years ago.
Who could have predicted, after all, that the weak point in the child benefit system was a civil servant failing to tick the “special delivery” box when he handed a pack of CDs to the courier?
No doubt the national ID register will not have the same failings as the child benefit database. Civil servants will not be able to download it onto CDs, dodgy courier companies will not be trusted with the data. But this is simply reacting to the last failure, rather than realising that the risks lie at the very heart of the system.

An ID database is inherently insecure, and there is nothing we can do about that. We can make it as secure as possible, but there is no guessing when or how the next breach will happen. So the question is not how to eliminate them altogether, but whether the inevitable risks are justified by the benefits of such a project.

The Government’s case for ID cards, as far as I can tell, seems to boil down to three arguments: that they will make illegal immigrants’ lives difficult, they will help fight terrorism and they will prevent ID fraud.

On the first point, I wonder if illegal immigrants don’t already have a miserable enough time without us spending billions making their existence harder. On whether the database will successfully combat ID fraud and terrorism, all I can do is to ask a painfully obvious question, albeit one no one in the Government seems to have uttered: How exactly is putting people’s personal information on an insecure database going to protect their identity from criminals and fanatics?