When The Computer Owns Your Name


There’s one policy difference in tomorrow’s UK election that hasn’t made the headlines here in Australia, but it is likely to be felt here sooner or later.

The UK Labour Government is in the process of rolling out a new National Identity Scheme (NIS), which would transform the way the law regards individual identity in subtle but profound ways.

Under the new UK scheme, a collection of defined information becomes an individual’s digital identity for transactional purposes. When they’re combined, a person’s full name, gender, date and place of birth and "identifying information" — their photograph, signature or fingerprints — become a digital identity.

One of the transformations under the NIS is its presumption of one person, one identity. Currently at common law, there is no defined concept of transactional identity and an individual can legitimately use more than one name, providing fraud is not involved. Stage names and noms de plume are well established examples of legitimate uses of another name.

But perhaps the most profound change the NIS system introduces is the way it would affect a vast array of personal transactions. Under the NIS, an individual’s transaction identity will be used for private and public sector dealings ranging from government services to financial transactions. What is crucial here is that it does more than just identify an individual, it enables transactions. As well, in the longer term, information recorded under the scheme will also be used for security and law enforcement purposes.

Obviously, any system for identifying people can be judged on its reliability, but interestingly, reliability is likely to be affected by the transformation of personal identity into something that is stored as data rather than embodied in a person holding documents. The form and function of this new concept of digital identity under the NIS differs from a passport and other official documents like a birth certificate which have for many years been used to establish the 100 points of identity and the Know Your Customer information currently needed for many transactions.

The obvious difference is that those documents are tangible whereas the information which constitutes identity under the UK scheme is intangible: it is stored and transmitted digitally.

And there is another important distinction. Now, as a result of the UK scheme, there is a clear distinction between identification and identity. Prior to this, there was no clear legal concept of identity for transactional purposes. Although commonly referred to as "identity" documents, documents like a birth certificate and a passport are essentially used for identification and for that reason they are required to be presented in person.

It’s true that the new concept places some importance on the need for the system to carry out identification — official documents and records are checked at the time of registration under the scheme — but digital identity goes beyond just identification.

This is where the system’s influence on personal transactions comes in. At the time of a transaction, the system looks for a match between the required information as presented and the information on record. Regardless of whether the transaction identity information is presented in-person or remotely, if all the identity information presented at the time of the transaction matches the information recorded in the National Identity Register (NIR), then the system automatically authorises dealings with that identity.

Under the scheme, the minimum set of information required for a transaction is an individual’s name, gender, date of birth, place of birth, and "identifying information". For most routine transactions, "identifying information" will be an individual’s appearance, checked against a facial photograph recorded on the National Identity Register and in the chip on the ID card, if one is issued. A digitally recorded handwritten signature may also be used but biometrics (which initially will be limited to fingerprints) will only be used for major transactions, predominantly of a financial nature.

This concept of transactional identity — something which consists of a defined set of information — has been used in commercial practice for years. However, its appearance in legislation which establishes a national identity scheme arguably confirms its emergence as a distinct new legal concept. Effectively, an individual’s identity under the NIS becomes his or her official identity.

So what are the ramifications of this new concept? In particular, what are the consequences for an individual whose identity information is misused by another individual?

Although "identifying information" is relied upon to verify identity at the time of a transaction, that information and the processes used — such as facial photographs and fingerprints — are hardly foolproof. The problem is that once information is entered into the NIR, it is presumed to be correct. In consequence, the NIS provides not only the opportunity but ideal conditions for a fraudster to construct and to assume a false identity.

Such false digital identities can be created using either fabricated or real information. For example, a biographical footprint can readily be constructed so that each official document and/or record depends on the one before it. This pyramid of falsified identity can then be used to register under the scheme.

Alternatively, the fraudster can simply use the identity of a person who is not already recorded on the NIR, such as a deceased person or a young child.

Upon registration under the new scheme, the perpetrator provides his or her authentic biometrics and photograph as the additional "identifying information". If there is reason to doubt the authenticity of someone’s digital identity, biometric data will be sought, but in this scenario those biometrics will match. The possibility of a false identity being created and used in this way was acknowledged as far back as 2004 by the then Home Secretary David Blunkett. 

The ramifications for victims of this type of fraud are potentially very serious. Yes, privacy rights can be invoked in the event of identity fraud — but the protection provided by privacy laws in the UK is imperfect and generally inadequate.

The NIR scheme is currently being phased-in on a voluntary basis for British citizens, with full roll-out planned for 2012. What this means is that from 2012, registration on the NIR will be compulsory for all British citizens over the age of 16 who wish to hold or apply for a passport. Registration will become general and compulsory in 2017.

As mentioned earlier, this policy is a Labour one, and Labour might not be around very long to implement it. But although both the Conservatives and the Liberal Democrats are promising to drop the scheme if elected tomorrow, the concept of digital identity is not going to disappear. Whether or not this particular scheme proceeds, the emergent concept of digital identity will transform the way all kinds of transactions are conducted — and is set to fundamentally change the commercial and legal landscape in which they take place.

Launched in 2004, New Matilda is one of Australia's oldest online independent publications. It's focus is on investigative journalism and analysis, with occasional smart arsery thrown in for reasons of sanity. New Matilda is owned and edited by Walkley Award and Human Rights Award winning journalist Chris Graham.