When the eyes don't have it

With its built-in iris measurements and fingerprints, the high-tech ID card is held up by the govern

Just over a year ago, David Blunkett declared his belief in magic. "The ID card system will make identity theft impossible," he said. "Not nearly impossible: impossible." Security geeks everywhere shook their heads and groaned, but the Home Secretary wasn't listening.

Now that the Identity Cards Bill looks likely to become law, however, at an estimated cost of £5.5bn, and with compulsory biometric registration and criminal penalties for non-compliance, it is time to listen. Cryptographers can read the technology that so dazzles the government. They can see that the Home Office's plans are founded on hubris and heading for disaster. They also know there is an ethical way of rescuing the project.

"Public opinion likes the idea of ID cards because it seems like the ultimate solution to all known problems," says Brian Gladman, retired director of strategic electronic communications at the Ministry of Defence. "But actually, the way this bill is designed enables a police state. You're not going to be allowed to opt out of having an ID card, the linked databases make detailed tracking feasible, and a system with this combination of complexity and scale is way beyond the state of the art. It won't be reliable or safe. Anybody with access to the database will be able to target anybody. It's horrendous what you'll be able to do."

The National Identity Register is the less-publicised part of the government's ID cards strategy. Bigger than any such scheme anywhere in the world, it will hold detailed information on roughly 46 million people, and it is meant to work like this.

You will be summoned (with up to a £2,500 fine for non-attendance) to visit a clerk, who will take your biometrics: the iris pattern in your eye, a fingerprint and a digital photograph. They will go into the system along with your name and other information, and you will hand over £85 and get a passport, ID registration number and card. From that moment, every use of your card will be automatically added to your government record, or "audit trail", whether it's at the social security office, your bank, Sainsbury's, the sexual health clinic, your office or on the way to your Alcoholics Anonymous meeting. Over time, a detailed and permanent account of your activities will build up.

The state will own this information. You won't get to see it, but it will be available to the police, the Inland Revenue, other public bodies and any commercial concerns the Home Secretary chooses. These visitors won't leave their own audit trail saying that they've called. We won't know who is observing us.

The government wants to reassure us. It says it's trustworthy; it says there's a lot of scattered data out there about us anyway - surely it's just common sense to link it up? Yet security experts know that the linking and aggregation of detailed personal information on this gigantic scale will be unstable and dangerous to everyone, because of the depth of what it reveals, because of its secrecy and because it will present a vulnerable target for electronic attack, whether by hostile governments, by international terrorism, or by your spiteful colleague.

Once compiled and linked, detailed data on tens of millions of people can't easily be separated out or destroyed. In March, a team of academics from the London School of Economics, together with technical and policy specialists from Europe and the US, noted in The Identity Project: an assessment of the UK Identity Cards Bill and its implications that the bill includes potential violations of Article 8 (privacy) and Article 14 (discrimination) of the European Convention on Human Rights. They also found it to be in direct conflict with the UK Data Protection Act 1998 - to which the government's solution is simply to lift the scheme out of the data protection regime.

Jamie, a black-clad young mathematician in a Manchester basement cafe with a black silk rose in his ponytail, is a master of the art of prising open electronic security systems, earning £1,000 a day for the trickier jobs. "If I wanted to steal someone's identity, so-called, it wouldn't be hard under the new scheme," he says.

He explains: "Analytically, what's a biometric? It tells you that this card matches that iris. It doesn't tell you who I am, though. I'd just take someone else's life details - people's true information is mostly a matter of public record, and it's surprising what else you can find out from what they throw or give away. Then I'd register those details with my own biometric and name. There, I've faked an ID. Easy. Falsifying data from scratch is trickier, but not impossible. You'd buy a birth certificate - using the name of someone who died young is good. Then you'd join a temp agency; get a P45 and P60; get your manager to sign and certify your photo using the false name; open a bank account with it. It'd take about a month." Unsurprisingly, Jamie is unimpressed by government rhetoric. "The off-the-shelf systems they're using are easy to break. Tying so much information together in one place will make it very insecure. If I wanted to circumvent it, I could. Half the members of every university maths department in Britain probably could. Most won't, but one day someone's going to say: 'It's a computer system - let's break it!' And then you might find the whole UK benefits system disabled by someone sitting at a terminal in North Korea."

Among those concerned about the outlook is the Information Commissioner for the UK, Richard Thomas, who wrote last year: "As the full magnitude of the proposals starts to emerge, my previous healthy scepticism has turned to increasing alarm." The LSE report, meanwhile, summarises the bill as "too complex, technically unsafe [and] overly prescriptive".

Even its overt aims don't stand up to scrutiny. In a study last year, the human rights watchdog Privacy International found no evidence that ID cards really do combat terrorism. Terrorists typically move across borders using legitimate tourist visas (as in the 9/11 attacks) or have a valid ID (the Madrid bombings). You can't read someone's intentions in their fingerprint. The scheme won't prevent identity theft either: US experience shows that using widely known numbers to link personal information with identity actually increases such theft. It won't really detect or prevent crime, in which evidence-gathering is more important than identity. It won't stop benefit fraud: identity falsification amounts to less than 1 per cent of such offences. What it will do, in its ponderous devouring of civil liberties and its naively old-fashioned, lock-step, Seventies-style design, is open up the possibilities for new kinds of national and international crime on a grand scale.

It could all be so different. A hundred ways exist of establishing personal identity and connecting it with safely separated databases. As the geeks point out, when you change where the information is kept, and how it's kept, you change everything.

"The government's design could hardly be worse for privacy, with the agencies that'll have access, and its vulnerability to being hacked into," says Ian Brown of University College London and the Foundation for Information Policy Research. "There are lots of technical alternatives."

You begin with a statement of requirements. What is the system really for, and what are the democratic trade-offs between privacy, efficiency and security? Solutions follow. A scheme being considered in France, for example, would retain all your personal information on the ID card itself, with no external database. A unique "master identifier", securely embedded within your card, would allow good governance of data-sharing for legitimate public policy reasons, while limiting infringements of privacy.

Real biometric identification doesn't require a card anyway: just a small electronic device that recognises, say, your fingerprint. By placing your finger on it, you yourself would release encrypted, accurate, unique information to any authenticated computer: in a bank, at the doctor's, anywhere. The receiving computer would be assured of your data; but it would not be able to trace who you were. Confidential, elegant, cheap, simple - and no database or audit trail needed.

"People have been experimenting with this technology for at least ten years," remarks Dr Brown. "Privacy-protecting personal biometric ID readers are nothing new. But is there the political will to use them?"

History determines imagination. "They constantly try to escape/From the darkness outside and within/By dreaming of systems so perfect that no one will need to be good," wrote T S Eliot in the 1930s. The organising mechanisms of the police states whose rise he was chronicling were, in themselves, every bit as morally neutral as today's technology, but that didn't stop fascism locking everyone down in the end.

We need not sleepwalk into a mass surveillance system this time around. If we want an ID scheme - and there are arguments for having one - then the technology itself offers a way forward. The machines don't have to oppress us, encouraging disobedience and crime; they can instead civilise, educate and empower. Privacy and security need not be opposites; they can and should be mutually reinforcing. There's no magic about technology. The magic is in people, their creativity and willingness to change.