The Government last week confirmed that the UK's planned ID card is intended to operate as a 'passport lite' that could be used for travel within the European Union, and signalled that Home Office thinking may be moving towards the use of a PIN as a common mechanism for verification. The card's operation as a passport, said Under Secretary of State Andy Burnham, dictates that it will need to use ICAO standard RFID contactless reader technology, while use of chip and PIN would allow it to be compatible with banking and retail systems.
That means, he said, that it could function both as a contact and contactless card. PIN would also provide some measure of protection for internet transactions, but on its own, no more than that of a credit card. Nor is it immediately obvious what kind of transaction an ID card holder might want or need to conduct via the national chip and PIN infrastructure. There are however possible advantages for the Government in using the commercial chip and PIN network, not least of these being that audit trails would be far more extensive, providing a far more detailed picture of the user's movements.
The Government's view that the passport lite aspect of the card requires that it have a contactless capability however has interesting ramifications.
ID cards are already used for identification at border crossings in Europe, and the UK Presidency called for common standards on ID cards within Europe just days after taking office. The UK's call for common standards to "ensure that data stored on Identity Cards is appropriately protected but can be read by other Member States" is however some distance from receiving proposals for, and deciding on, those standards.
Nor is it clear that contactless ID card readers to ICAO standards will be accepted across the whole EU, that Member States have the intention of using such readers, or whether it is even feasible to use them on a Europe-wide basis. Statewatch reports (while also challenging the legality of the EU's ID card moves) that governments have been sent a questionnaire asking what checks and equipment they intend to install at borders, and whether they intend to carry out one-to-one or one-to-many checks.
The primary purpose of these readers, if they're installed at all, will be to check passports, and if appropriate common standards for ID cards are agreed then it may make sense for member states which use contactless readers to check passports to also use them for checking ID cards. This isn't quite what one might understand from Burnham's claim that current plans to use ID cards for European travel mean that "the card will need to meet standards established by the International Civil Aviation Organisation (ICAO), which require the card to be contactless in order to be considered a valid travel document."
As the European Union can (and does) decide what can be used as a "valid travel document" within its own borders, and is the body responsible for doing the considering here, one wonders what ICAO has to do with the matter. Designating national ID cards as travel documents could of course be part of a cunning plan to get around the legal difficulties Statewatch puts forward.
At the moment, however, the UK has decided on an interface standard for its own ID card scheme based on the assumption that there will be a standard EU ID card, that this will be a standard passport lite, and that it will conform to an international contactless passport standard that is readable globally. Having decided on this standard, it will then make obvious sense for the UK to use ICAO-standard contactless technology for readers within the UK as well.
The security implications of this have been well trampled in respect of passport use, but if - as the Government hopes - ID cards are used widely within the UK, the potential for security breaches will obviously be greatly increased. As indeed will other opportunities. Wouldn't it be handy if, say, the local housing office knew exactly who you were the moment you walked through the door, and had your file on screen ready by the time you reached the counter? No? Perhaps not...