Wary of the Public Services Card? You have good reason to be
No national ID card has proven invulnerable to accidental leaks or dedicated hackers
This week the Government announced it had reached its goal of issuing at least three million public service cards by the end of 2017.
Some 3.034 million of us now have cards that the Government continues to insist are neither “compulsory” (although they may be “mandatory”) nor national identification cards.
Meanwhile, evidence mounts that they are effectively compulsory, and are being treated as de facto national ID cards by the state.
If they aren’t creeping towards “compulsory”, why would anyone bother to go to the hassle of getting one – which requires assembling a bunch of documents, bringing along a perfectly good national ID that already exists (such as a passport), setting up an appointment at a social welfare services office, waiting in a queue and spending 15 minutes or so going through the form and having your photo and signature digitally captured for the card?
Most people won’t go through this just for the fun of it. The card is now deemed necessary for a range of activities when an Irish resident interacts with the State. Not just to get social welfare benefits – as, surely, far fewer than three million adults access these – but to take a driver theory test, apply for a first-time or lost passport, submit citizenship applications, and to get “access to high value or personal online public services”, according to State website welfare.ie.
Yet bizarrely, in this strange dance of inversion, even though you need a PSC to get a passport or apply for citizenship, and can use a passport to get a PSC, the PSC is not deemed adequate proof of identification to get a driving permit or licence.
And it’s not a national ID card, but it kind of is, as it is now included as acceptable personal ID on the form to collect a package from An Post.
The latest formal government suggestion for PSC mission creep is to force social media companies such as Facebook to require its use when someone creates an account.
As a method of increasing personal accountability, Minister of State for Older People Jim Daly has written to the EU suggesting that the PSC could be used to verify ID when someone creates an account on Twitter, Instagram or Facebook.
This is a really, really bad idea (and not just because innumerable human rights activists and their network of family, friends and colleagues require social media anonymity as a life-and-death matter).
A PSC-cum-national ID card link to personal social media accounts makes a defining bridge between an individual and all their social media data – likely to be highly personal – which exposes even more linked, sensitive data in any breach.
Consider the case of the beleaguered Aadhaar Indian state services card, which stores biometric identifying data, including photographs, retina scans and thumbprints, on more than a billion Indian citizens. The card is required to – you guessed it – access various state welfare services.
Government departments accidentally published details from the entire database online a while back. Now, those data, including name, photograph, email and home addresses, and phone numbers of a billion people, are being sold online for the equivalent of €7. All the same kinds of information are on the Irish PSC.
Meanwhile, Facebook has started a trial that requires some Indians in one region to use their Aadhaar card to sign up for a Facebook account, thus potentially linking even more identifiable personal information to breached account data. Oh, what could go wrong?
Another worry: what a state might get from such a requirement. Consider China, which is moving to a system whereby a social media account becomes your easily tracked and parsed national ID, used to establish your credit score but also ensuring your every social media post, your location check-ins, your daily activity, can be easily amassed by the state. This is not a ‘what if’ scenario. It is already happening.
And happening to a significant degree that includes micro-managed social control. The Washington Post’s China correspondent, Emily Rauhala, tweeted last week: “I’m on the Tianjin to Beijing train and the automated announcement just warned us that breaking train rules will hurt our personal credit scores!”
So, no. We should not link social media accounts to any state ID.
More crucially, we need to question and nationally debate the need for either a national ID card or a de facto one, such as the PSC.
What information, what databases – public and private – are or will be linked to such a card? Why? And how secure is the card?
Not one national ID card has yet proven invulnerable to either stupid accidental disclosures or dedicated hackers. Third-party exposure, social media or otherwise, increases the risks further by pushing security responsibility to additional parties.
Why are we continuing to roll out a card with so little transparency about what it is for, what it does, and what could be done with it, with zero public discussion?