The DNA database and Mark Dixie

Update: The Times also has a useful look at Labour’s claims on this issue.

The Labour Party continue to portray Tory plans to restrict the retention of DNA of those charged, but never convicted, of a crime as somehow being “soft” on criminals, citing the case of Sally Anne Bowman who was killed and raped by Mark Dixie:

Gordon Brown MP, Prime Minister and Leader of the Labour Party, and Alan Johnson MP, Labour’s Home Secretary, will today make a campaign visit to highlight the vital role that DNA plays in tackling violent crime and why Labour has been fighting Tory plans to downgrade the DNA database.

At the visit in Stevenage the Prime Minister and Home Secretary will be joined by Linda Bowman, whose daughter Sally Anne was murdered in 2005.

Sally Anne’s murderer Mark Dixie was convicted through use of the DNA register, having been arrested but not convicted in a pub brawl.

The problem with this line of attack is that the Tories’ plans would not have made any difference in Mark Dixie’s case. When he was arrested his DNA was taken and compared to samples from the Sally Anne Bowman case. There was no need to have his DNA on the database to do that. There is thus no need to retain the DNA of those never charged or never convicted in order to solve similar cases. All that’s needed is to have a database of DNA collected from crime scenes and to have a policy of checking arrestees’ DNA against that of old crime scenes.

Such an approach is surely a far more proportionate use of DNA, far more respectful of privacy whilst at the same time more focussed on solving crime than retention of the DNA of those never charged with a crime in the first place, or those who have charges dropped or are acquitted.

Meanwhile, Genewatch point out that many of Labour’s other claims about the DNA database have to be taken with a large dose of salt.

Charles Clarke’s woolly defence of the govt’s ID cards

Charles Clarke has written an article in The Times defending the govt’s plans for identity cards. He claims that ID cards will prevent benefit fraud and help in the “War on Terror”. However his claims do not stand up to scrutiny.

Take for example benefit fraud. He states:

Moreover, their help in tackling fraud will save tens of millions of pounds of taxpayers’ money. Some £50 million a year is claimed illegally from the benefits systems using false identities. This money can be far better spent improving schools and hospitals and fighting crime and antisocial behaviour.

However according to the govt’s own regulatory impact assessment (see clause 19):

The current best estimate is that the additional running costs of the new Agency to issue ID cards on a wider basis will be £85m pa when averaged over a ten year period. A further £50m pa is the estimate for the average cost over ten years of the verification service but this would not fall on the individual card holder.

Thus the system is already projected to cost more than twice as much as could possibly be saved from benefit fraud on the govt’s own figures!

Later on, Clarke accuses critics of ID cards of woolly liberal thinking, and claims there will be no real cost in civil liberties:

I believe that some critics of our proposals are guilty of liberal woolly thinking and spreading false fears when they wrongly claim that ID cards will erode our civil liberties, will revisit 1984, usher in the “Big Brother” society, or establish some kind of totalitarian police state. Those kinds of nightmare will be no more true of ID cards, when they are introduced, than they have been for the spread of cash and credit cards, driving licences, passports, work security passes and any number of the other current forms of ID that most of us now carry.

This argument is quite flawed. The forms of ID we now carry are either entirely voluntary (e.g. credit cards, ATM cards, loyalty cards) or linked to and limited to very specific purposes (e.g. driving licences, passports). One is not even required to carry any of them, and one needn’t own any of them if one doesn’t wish to drive or travel abroad. None of them is universal.

However the main points missed in the above argument are that:

  • On the govt’s current plans, the ID cards would become a licence to live, revocable at the touch of a button. Once the cards become compulsory the govt plans for them to be required for getting a job, accessing government services and accessing benefits. It is highly likely they’ll also become necessary for opening bank accounts, taking out mortgages, getting credit cards and making major transactions. Clarke’s article even suggests they might be used for renting videos. With so much of daily life tied to these cards, it will be impossible or at least very difficult to live without one. And given that they’ll be tied to a central database with one entry per person, they could be rendered useless at the touch of a button by govt officials either deleting or flagging the database entry. This isn’t an identity card, this is an internal passport.
  • According to the ID cards bill, the database entries will record all accesses for auditing purposes, thus every time you or your card is checked against the corresponding database entry, this fact will be recorded. Thus if a card check is required for accessing e.g. medical or educational services, this fact will be recorded in the database. Thus the ID card system will enable detailed recording of your everyday activities, more comprehensive than any store’s loyalty card and compulsory to boot.
  • The ID card will facilitate all sorts of surveillance activity. If every resident has one by law, then the police merely need to ask for identification when people leave, e.g., political or religious meetings, protests, pubs, or any venue. Although carrying one won’t be compulsory, the bulk of the law-abiding population is likely (a) to carry it (because it is needed for so many things) and (b) to hand it over. And there’s nothing to stop a future govt making it compulsory to carry.

It thus seems clear to me that the proposed system will form a powerful tool for social control and has very little to do with eliminating benefit fraud. However Clarke’s claims that it will be useful for fighting terrorism, will help with identity fraud, and will even help prevent such tragedies as the death of the cocklers in Morecambe Bay, remain:

For example, a secure identity system will help to prevent terrorist activity, more than a third of which makes use of false identities. It will make it far easier to address the vile trafficking in vulnerable human beings that ends in the tragedies of Morecambe Bay, exploitative near-slave labour or vile forced prostitution. It will reduce identity fraud, which now costs the UK more than £1.3 billion every year.

Taking the £1.3 billion figure first: it comes from a report on identity fraud produced by the government a few years ago (see Annex B for the figures). However, the figures contributing to it are not reliable: they often include items that identity cards would do nothing to fight, and were often based on guesswork. For example, the figure was compiled, in part, on the assumption that 10% of VAT fraud (£215m out of £2.15 billion) was due to identity fraud. The figures for credit card fraud (£370m) included card-not-present fraud, e.g. for internet payments or payments over the phone. ID cards would have no impact on this. Why is the govt using such a dodgy figure to argue for a flagship piece of legislation?

As for the Morecambe Bay cocklers they were working illegally and off the books for companies that did not have scruples about employing illegal immigrants trafficked in from outside the country. How likely is it that such companies would ensure all their employees had ID cards? How likely is it that illegal workers would contact the authorities to register? The problem here was a lack of policing of employment/immigration, not a lack of identity cards. Unless the policing of these areas is increased the identity cards will make no difference.

Finally to the terrorists using multiple identities, it would appear that on Clarke’s figures most terrorists (about two thirds of them) do not do so and therefore would not be affected by identity cards. Still disrupting the activities of the remaining third would be quite useful. But will the identity cards do this?

It is here that the discussion has to get down to some technical issues and the hurdles the identity cards system faces. The government is relying on biometric scans such as fingerprints and iris scans to prevent multiple identities being registered on the system for the same person. So, for example, when you enroll on the system your biometric scans will be compared with those already on the system to try and ensure you only get one identity on the system. Clearly allowing multiple identities will seriously undermine the ability of the system to deal with any of the problems above.

And this is where things fall down. Biometric scans are scans of living systems (people!) and multiple scans of the same part of the same person will not be identical. Moreover, when comparing biometric scans one looks for closeness of match. Thus when deciding whether two scans match, one has to decide where to draw the line: how close a match is good enough. Each biometric therefore has associated with it a false match rate (the chance of two scans from different people matching) and a false non-match rate (the chance of two scans from the same person not matching). These typically have to be balanced off against each other to find a happy mean.

Now suppose you have a false match rate for a biometric of, say, 1 in a billion (a better figure than any I’ve seen claimed for existing biometrics; typical claims range from 1 in 10,000 to 1 in a few million). Note that this must include the possibility of operator error in using the machines, faulty machines and software errors. Suppose further that the database already has 20 million entries in it. There will be almost a 2% chance that a false match occurs, i.e. 1 in 50 people will register a false match against a database of 20 million. And this figure will grow with each addition. The govt’s plans would involve millions of people registering per year. For each million new people added, one can expect 20,000 (and growing) false matches on a database of 20 million people. Any system for dealing with these false matches, and for trying to ensure they’re not attempts to fool the system into granting multiple identities, is thus likely to get overwhelmed: it will need to deal with tens of thousands of false positives.

To add further doubt, this is a large IT system, one of the largest the govt will ever have attempted to produce. Its record with such systems (criminal records bureau, passport office, etc.) is atrocious. Even the Police National Computer is shot full of errors!

As if that weren’t enough, both fingerprints and iris scans have been shown to be forgeable. For example, fingerprints have been forged from prints left on a glass. And iris scanners have been fooled by someone looking through a picture of an iris with a hole cut out where the pupil lies. Admittedly the latter technique wouldn’t be practical in most situations, but the lack of sophistication of the technique suggests that, e.g., contact lenses printed with an iris might actually fool the scanners.

At any rate, I’d expect those wishing to fool the system to use the long roll out to study the system and the scanners intently for weaknesses. Given government incompetence, the technical limitations of biometrics and the sheer ambition of what the govt’s attempting, it seems to me quite clear that it’ll be lucky if it makes any positive impact on fighting identity fraud or any other problem the govt has cited at all.

Does this mean we have nothing to worry about? Not quite. Most law-abiding people will cooperate with the system, and the system may well thus “work” for this section of the population. Thus law-abiding people will find themselves subjected to a licence to live, intrusive surveillance and a bureaucracy capable of meddling in just about every area of their lives thanks to the card. The criminals and terrorists won’t.

The cards should be abandoned as a waste of resources from an anti-crime/anti-terrorism/anti-benefit fraud point of view and as a serious erosion of privacy and individual freedom otherwise.


ID cards and biometrics

Fiona Mactaggart, a govt minister and former chairwoman of Liberty, defends ID cards in a Guardian article. An excellent rebuttal can be found at’s blog, and the Guardian’s letters section also contains some excellent points. An interesting section from the rebuttal is this:

Here we go again, the repetition of the false claim that biometrics are somehow unique. Not even the people with a vested commercial interest in selling the technology dare to make that claim. Your “biometric characteristics” may be reasonably individual to you personally, but that is not the same as saying that what ends up inside a Smart Card or database is “unique” or “unforgeable”.

The specious reasoning goes along the lines of: if your Smart ID Card ever gets lost or stolen, there would be no need to worry, since, for example your fingerprint biometric would make it impossible for anybody else to use it, thereby crushing Identity Theft.

Leaving aside the statistics of False Positives, False Negatives, and the small percentage of people with no usable biometric at all (tens of thousands in a population of 60 million) the fact is that you leave your fingerprints all over your ID Card. There is a very high probability (around 80%) that latent fingerprints taken off your ID Card could be used to construct a “false finger” which is sufficient to fool the finger print scanner.

Emphasis added. The point here is that biometric identifiers are compared with each other in a manner that is probabilistic. The higher the number of data points compared, the more certain you can be that a match is a real match but the less certain you can be that you’ll get a match. Thus you have to trade off the false positives, getting a match on biometrics from 2 different people, against the false negatives, failing to detect that two biometric readings are from the same person.

Now if someone claims that they’ve got a false positive rate of 1 in a billion for a particular biometric system, this might sound like it will give real certainty and allow a national identity register to be created in a manner that prevents people from applying for multiple identities. They’d reason that in a population of 60 million, a 1 in a billion chance of a false positive is safe. They’d be wrong.

To compare every person’s biometric with every other person’s biometric (as would be required to create the database in this manner) would involve (60,000,000 × 59,999,999)/2 = 1,799,999,970,000,000 comparisons. For each comparison there’s a 1 in a billion chance of getting a false positive. You’d therefore expect 1,799,999.97 of those comparisons to return a false positive match. That’s roughly 1.8 million false positive matches. Note that that does not involve 1.8 million people, but rather 1.8 million comparisons.

In other words, you can guarantee that there will be a large number of false positive matches as the database is assembled. Without a means of determining whether a positive match is a true or false positive, you won’t be able to prevent people from creating multiple identities on the system. Worse, if you concentrate on getting such a low false positive rate, the false negative rate is likely to shoot up, making it even more likely that if someone did try to get multiple identities on the system, their attempt would not even show up as a positive match. And note that the false positive rate needs to cover software glitches, hardware glitches and human error too. Also, if you double the size of the population you roughly quadruple the number of comparisons.
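The arithmetic above, together with the enrolment figures from the earlier post (20 million records, 1 in a billion false match rate), as an added Python example that is not part of the original posts. The function names are illustrative, and the model assumes every comparison is independent with the same false match rate; `fmr_needed` goes one step beyond the text and inverts the calculation to show what per-comparison rate a target false-alarm chance would demand.

```python
import math
from fractions import Fraction

def p_false_match_on_enrolment(fmr: float, db_size: int) -> float:
    """Chance that one new scan falsely matches at least one of db_size records.
    Equals 1 - (1 - fmr)**db_size, computed stably for very small fmr."""
    return -math.expm1(db_size * math.log1p(-fmr))

def pairwise_comparisons(population: int) -> int:
    """Comparisons needed to check every record against every other record."""
    return population * (population - 1) // 2

def expected_false_matches(fmr: Fraction, population: int) -> Fraction:
    """Expected false matches across a full all-pairs de-duplication."""
    return fmr * pairwise_comparisons(population)

def enrolment_alerts(fmr: Fraction, db_start: int, new_people: int) -> Fraction:
    """Expected false matches while enrolling new_people one at a time, each
    searched against everyone already on a database that starts at db_start."""
    searches = new_people * db_start + new_people * (new_people - 1) // 2
    return fmr * searches

def fmr_needed(target_p: float, db_size: int) -> float:
    """Per-comparison rate that keeps the per-enrolment false-alarm chance
    at target_p for a database of db_size records (inverse of the first function)."""
    return -math.expm1(math.log1p(-target_p) / db_size)

if __name__ == "__main__":
    one_in_a_billion = Fraction(1, 10**9)
    print("P(false match), 20m records:",
          round(p_false_match_on_enrolment(1e-9, 20_000_000), 4))
    print("False matches per next million enrolled:",
          float(enrolment_alerts(one_in_a_billion, 20_000_000, 1_000_000)))
    print("All-pairs comparisons, 60m people:", pairwise_comparisons(60_000_000))
    print("Expected false matches, 60m people:",
          float(expected_false_matches(one_in_a_billion, 60_000_000)))
    # Rates in the range the post cites as typical vendor claims, plus 1 in a billion.
    for rate in (1e-4, 1e-6, 1e-9):
        print(f"rate {rate:g}: P(false match on enrolment at 60m) = "
              f"{p_false_match_on_enrolment(rate, 60_000_000):.4f}")
    print("Rate needed for a 1% false-alarm chance at 60m:",
          fmr_needed(0.01, 60_000_000))
```

Enrolling people one at a time from an empty database performs exactly the same number of comparisons as the all-pairs check, so the two calculations in these posts are the same problem viewed at different stages of the roll-out.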

It seems to me that without a solution to this, the idea that a national ID card can provide a secure and reliable means of verifying identity is simply a mirage.
