- Kable, Thursday 28 May 2009 00.05 BST
In the eyes of some, David Blunkett is a governmental IT bogeyman. He was home secretary when the move towards the National Identity Scheme began to gather pace with plans, now going into implementation, for biometric ID cards and the National Identity Register. It embodies everything that, according to the critics of government databases, poses a massive threat to privacy and civil liberties in the UK.
He recently surprised many by talking publicly about the need to balance IT related security measures with concerns over the implications for human rights. But he has not made any U-turns; he is still ready to argue the case for the identity card and the importance of using biometrics to provide proof of identity.
Blunkett made his point in a speech to the Infosecurity Europe conference in London in late April, where he highlighted "the enormity of the potential of identity theft," and argued: "That is why biometric identification with properly authenticated and reliable methods of verification is so crucial."
He also made it clear that he has been giving some serious thought to a number of issues in his role of honorary chair of the Advisory Board of the Information Systems Security Association. In his speech he warned that insufficient attention is being paid to the danger of cyber attack, that the London Olympics of 2012 could become a target for online criminals and terrorists, and that an alternative is needed to the recently abandoned proposal for a central communications database. But he also stood by the thinking behind the government's plans, and made it clear that he believes the substance of them remains sound.
Speaking to journalists, he acknowledges that over the past couple of years the level of public support for the identity card has fallen from when it was first proposed. He is also ready to entertain the idea that it may be possible to drop the plan to issue identity cards, as people are being issued with biometric passports that would fulfil the same function of providing verification of the holder's identity.
But he says the decline in support has been prompted by a lot of noise about worst case scenarios, and the fact that supporters of the scheme have not been as media savvy as its opponents. He also ruefully suggests that, if the cards were dropped, perceptions would soon turn back in their favour.
"It's possible to say that people will make the biometric passport their proof of identity, given that at least 80% of the UK population has a passport.
"But over time people would probably ask if they could have something more convenient. They would ask 'Can you issue a small card that we could carry just for identification and European travel?' We can say 'Yes, and it will cost you a little extra for five years.'"
He also defends the much criticised National Identity Register – another element of the scheme – describing it as "a better audited method of what we have when we issue passports".
"What we have done for passports is perfectly reasonable," he adds. "The issue is not what we hold on it; I have always promised that we would only hold what we need. It takes the steam out of the criticisms when you point out that what is being held is only the same as the data held for passports and driving licences. Then the biometric makes someone's identity protectable."
He also asserts that many people believe they are at risk of identity theft, but that awareness of the processes and technology to protect them from it is very low. It makes it necessary, he claims, to highlight the technology that can protect identities, the processes that make it work, and the information that people need to secure themselves.
This conveys a recognition that the proponents of identity cards have lost ground in the battle for hearts and minds, but a belief that they can still win public confidence if they match their opponents' performance in the media.
Given his robust stance on identification, it is surprising that he is quite sanguine about the government's decision, shortly before the conversation, not to go ahead with a central communications database. The plan to keep a record of the basic details rather than the content of communications had been portrayed as a major measure in preserving national security, but Blunkett says it was sensible for the government to retreat from the measure.
"It was politically necessary and strategically necessary," he says. "Politically, the government had to assure people that it wasn't planning a mega Big Brother. Strategically, the technology, people and processes are not yet there."
But he insists that government has to take some measures to monitor potential threats, and that the changes in the way people communicate, from landline to mobile to the internet, are making it more difficult to do so under the existing legislation. This will demand a workable alternative to the central database, and answers to questions such as who will be able to access the information and how they will do so.
"The case for retaining data is clear, but we are in an environment at the moment where the country as a whole is not easy with the idea of a centralised system," he says.
This has not been the only recent retreat by the government on a controversial issue: a few weeks ago it dropped its plan, in clause 152 of the Coroners and Justice Bill, to facilitate the easier sharing of personal data between government agencies. Blunkett is more critical of this plan, suggesting the government was going a step too far, despite understanding the case in favour.
"Government recognised the case for dropping clause 152," he says. "It wasn't that there shouldn't be retention and sharing of information; it's always been done as part of public life on the basis of proper verification."
The trouble is none of us want our personal information to be open and data sharing has to be controlled to allay public fears. It leaves open questions about where is the line between what data should legitimately be shared by public sector organisations and what should be more carefully protected.
"I don't think public service generally has sufficient awareness at the senior management level that this needs to be dealt with, about what needs to be done about data retention and a proper level of verification for data sharing," Blunkett says. "But it's good that the review of the Regulation of Investigatory Powers Act is taking place; it should be very tough about who can authorise what.
"But what worries me, especially in relation to clause 152, is the well meaning belief that we must have to keep this because it can come in handy, rather than because of what we need to do by retaining and sharing data."
He has not, however, been impressed by all of the criticisms of the government's record, claiming that some have been based on inaccurate information that has been steadily recycled to create various myths. Dispelling these myths would be an important step in finding a workable consensus on the limits of sharing data.
The anxieties in this area are being fuelled by the government's failures to handle data securely. Blunkett does not try to make excuses, but he suggests that commercial companies have often been no better, and that in public and private sectors there should be a stronger code of legal responsibility for doing the job effectively.
"I accept entirely that what should apply to business should apply to the public sector," he says. "We have to ask where does the controlling mind lie? The acts are already in place to deal with this, but there is a requirement to follow through on them. We have to ask who is doing the enforcement ?
"In the public sector there has been a major tightening of the messages, including embedding the idea that responsibility lies with the senior levels, but there's still a major challenge in embedding individuals' responsibilities. We need to tighten up and recognise that processes are as important as the technology used."
He used his Infosecurity speech to sound a warning about the dangers of a cyber attack on the London Olympics in 2012, claiming that if one was even partially successful it could do a lot of harm to the standing of London and the UK economy. Online commerce is one of the few areas of the economy that is currently growing strongly, but reports of crime in areas such as ticketing and accommodation could seriously undermine public confidence, at home and overseas, and make it more difficult for UK firms to sustain the growth.
The authorities already face a major challenge in the exponential growth of online fraud, and Blunkett calls for more support, and a higher profile, to be given to the Olympic Security Directorate and the Metropolitan Police e-Crime Unit. If there is proper coordination between the agencies involved and they are given the chance to keep the Games secure, it could provide a significant boost for the national economy.
"It's an opportunity to show what we could do in protecting ourselves, and what London could be in e-commerce," he says.
"We need to think through not just the physical side of security, but what might happen in the case of a cyber attack. The worst case would see low level organised criminals start to link up with serious organised crime or Al Qaeda, who could see the opportunity of a major hit.
"It would be as devastating as a physical attack but without the loss of life."
He stops short of saying government is not doing enough to fight cyber crime, but says there is a need for more awareness of the threat throughout the system, and that there could be a more coordinated effort between the different agencies involved.
Of course, none of this can be seen as reflecting government policy; but given Blunkett's long record on the front bench and his reputation as a loyalist, it suggests that senior members of the Labour Party could be questioning the assumptions that underlie some of their policies on information management. Whether this makes much of a difference to what happens over the next year remains to be seen.
First published in GC magazine, June 2009. Apply for a subscription
