Your search terms are highly sensitive and very private. They are also uniquely identifiable. Examining what you search for can reveal deeply personal facts about you, such as your online reading habits, medical history, finances, sexual preferences and political affiliations.

A database of search terms, linked to subscriber accounts, would be a clear violation of the privacy rights of everyone who uses the Internet in Europe.

I’ve written to my MEPs urging them not to sign Written Declaration 29 and to withdraw their signature if they have already signed. You should do the same – it takes two minutes through writetothem.com

Here’s my letter (but, as always, please use your own words for maximum effect).

Dear Timothy Kirkhope, Edward McMillan-Scott, Andrew Brons, Godfrey Bloom, Diana Wallis and Linda McAvan,

Written declaration 29 [pdf] calls on the European Commission to extend the data retention directive (2006/24/EC) to Internet search-engines. If this were to happen all private searches done on Google et al would be monitored. I feel this would be an intolerable violation of article 8 ECHR privacy rights.

Written declaration 29 is being marketed within the European Parliament by using an emotionally-loaded picture of a child and talking about the need to set up an ”early warning system” to combat child abuse. Laudable though that aim is, as a technical expert it’s my opinion that these measures cannot achieve it, and the marketing is therefore misleading. Some MEPs have already said they feel they have been misled into signing the declaration because of the way in which it was presented to them.

If the declaration is adopted the names of the signatories will be made public.

If you have signed written declaration 29 and feel you have been misled I urge you to withdraw your signature.

Christian Engström MEP has published more information on his website.

Mobile ANPR cameras are also used by some police forces. These are deployed in popular locations such as shopping centres for so-called “lockdown” operations, where every vehicle entering the area is checked against records as police fish for reasons to impound cars and fine drivers. One such operation in November 2008, which was filmed for television (relevant segment starts at 21m30s), saw 369 vehicles stopped, 84 tickets issued, 51 cars seized and 12 people arrested at Bluewater shopping centre in Kent – in a single day.

It’s no longer a case of “follow that car” but “follow every car.”

ACPO defend their wholesale surveillance system by pointing to a few high-profile cases where ANPR evidence has formed part of a prosecution. They’re less keen to highlight the cases of mistaken identity, inaccurate record-keeping and official ineptitude that have left innocent people standing on the kerbside holding a ticket as an officer drives away in their vehicle. Even if these drivers manage to prove the database wrong they can end up paying hundreds of pounds in fees to get their car back – if it hasn’t been crushed.

Supporters of ANPR technology claim vehicle license-plate data is exempt from the Data Protection Act because it’s not “personal information” (it’s about the vehicle not the driver). However the Driver and Vehicle Licensing Agency (DVLA) sells access to the names and addresses of registered vehicle-keepers for £2.50p a time, making this distinction academic.

In common with the National Identity Register, National DNA Database and all the other tentacles of the database state, once this information is collected there’s nothing to stop it falling into the hands of other public or private organisations, either by accident, commercial arrangement or official decree. Wouldn’t you like to know where your partner really drives off to while you’re at work? I bet there’s a good number of private investigators who would.

The Information Commissioner’s Office is currently “working with” ACPO to determine whether the national ANPR network is “appropriate and proportionate” – which means nobody bothered to ask those questions before the system was commissioned.

Who stands up for the public interest in the rush to implement new technologies like ANPR for official convenience? I don’t recall there being a public or Parliamentary debate on giving the police these game-changing surveillance powers. Has anyone considered the down-side of collecting all this data?

Somehow I doubt it.

The title of the talk was “The Future of Privacy” and Schneier’s treatment of his topic was comprehensive. He started by listing some technologies and practices that can threaten our privacy: overt surveillance systems; mobile phones, RFID tags and the like that produce personal information as a byproduct; automatic identification technologies such as ANPR; and unique identifiers in gadgets such as digital cameras or colour laser-printers.

Schneier reminded us of his famous saying, that just as greenhouse gasses are the polution of the industrial age, data is the polution of the information age. Data is generated when we transact business, swipe our loyalty cards, use a travel card or drive through an automatic toll-booth. We give it away when we socialise by email, instant messenger and Facebook. Sometimes other people release data about us – possibly without our consent. As the cost of processing and storing all this information falls to zero even data of marginal value becomes worth keeping. In fact it’s often cheaper to keep everything than to decide what should be deleted! Data that was ephemeral 20 years ago is now stored.

In the information society most data about us isn’t controlled by us. In the US, laws protect the data that is under our control, but in the information society it tends not to be. Our Gmail, phone records, medical records, financial transactions and photos of us on Facebook are all controlled by someone else. EU law is substantially better in this area but it could still be improved.

Such a wealth of data enables new forms of surveillance. For example, surveillance can now occur backwards in time. This was done in London after the 7/7 bombings – the people responsible, and the route they took on the day, were identified after the fact from surveillance-system footage. Pervasive data collection also enables wholesale surveillance – not “follow that car” but “follow every car.”

What will be the privacy impact of our society’s continuing technological advancement?

Schneier believes a step change is coming. We live in a unique time: cameras are everywhere AND we can see them; identity checks happen all the time AND we know they’re happening. However technology is a great distrupter of equilibriums and Moore’s law is a friend of intrusive tools. Soon face-recognition software will obviate the need to carry ID – when you walk into your workplace they’ll already know who you are and whether you’re supposed to be there.

New invasive technologies will emerge and become pervasive: digital video surveillance with automatic face recognition; networked cameras that can track people through a city automatically; better tracking of our personal devices through their radio signatures or RFID tags; better quality images from cameras. Our era will herald the death of ephemeral conversation. Soon everything we say and do will be on the record. We could try to reject these technologies, but once general adoption occurs, opting out starts to look suspicious. In some cases the authorities have already argued that, “They left their mobile phone at home, which shows they didn’t want anyone to know where they were going.”

What can we do about these threats to our privacy?

Schneier doesn’t believe we can engineer our way back to a more private world. Privacy-enhancing technologies already exist and they could go a long way towards retoring the balance if they gained widespread adoption. However people are seduced by convenience so they tend to make bad privacy trade-offs. We’re on Facebook because our friends are, and while we’re chatting to them we’re focused on the conversation, not on how much data we’re releasing or to whom.

A lot can be done by paying attention to the default settings of software and systems. Most of us won’t change these so if they are secure from the outset any loss of privacy will be minimised. However companies like Facebook make more money the more public we make our data so there’s no incentive for them to set privacy-enhancing defaults.

We need to press for legislation that protects privacy: comprehensive laws regulating what can be done with personal information about us and more privacy protection from the police. However the law finds it difficult to keep up with the pace of technological change.

We also need to start talking about the value of privacy. We want it as a social good. Individual privacy protects us from those in power and it’s also a fundamental human need. Privacy is a part of dignity.

Schneier rejects the security versus privacy notion as a false dichotomy. Only identity-based security reduces privacy and the effectiveness of this is limited. Physical security measures such as locks and burglar alarms don’t reduce privacy. Nor does knowing that you might have to fight back if terrorists hijack your flight. We don’t need to know who’s sat next to us on an aeroplane – we just need to know know whether they’re planning to blow it up! However checking intent is difficult so we check identity instead and pretend that’s the same thing.

Privacy and openness have different effects on Governments and citizens. Government secrecy increases its power whereas transparency and openness reduces it. Conversely, forced openness in people increases the inbalance in power between them and the state, yet forced openness in Government reduces the gap. The balance we need to strike is between liberty and control not privacy and security. Real security comes from having both liberty and privacy.

The above notwithstanding, sometimes we are forced to trade between security and privacy, for example when we give the police the power to search our homes. In such cases we can maintain the balance of power through audit and oversight. Search warrants are a security measure that restrict police searches to only those cases where a magistrate – an impartial advocate for the suspect – can be convinced there are reasonable grounds for suspicion.

Schneier concluded that the death of privacy is over-stated. Left unregulated and unconstrained, technology tends to tip the balance of our society against individual privacy, however it doesn’t make the balancing act go away. Society can choose to deliberately reset the balance with legislation.

We may ultimately have to wait for a new generation of digitally-savvy lawmakers to take office before the the future of privacy can be guaranteed in the information age.

Colour me unsurprised.

The consultants who carried out this work are from the same community of experts who have been warning [pdf] that the cards would be cracked since the Home Office first disclosed the mechanics of the scheme.

The alterations can be detected with a check against the National Identity Register (assuming this hasn’t also been compromised) however each such look-up will cost around £2. The Government expects the majority of transactions will be authorised through local checks rather than referring back to the central database.

Once someone automates the attack and publishes their code on the Internet, anyone with half a brain, the right mobile phone and access to the world-wide web will be able to change their Government-issued identity at will. As the cards use RFID chips this could be done in seconds while on the move. You wouldn’t even have to remove your card from your wallet.

Disturbingly, your card could also be changed without your knowledge by someone standing close to you, or from dozens of feet away with the right sort of radio antenna hooked up to a portable computer. The process leaves no trace, so when your card is subsequently checked against the database and is found to have been modified, it will be impossible to determine when the changes were made or by whom.

Possessing a falsified ID card could land you with a fine and up to two years in gaol. Owning the equipment or software needed to make the changes could be enough to win you a decade-long stay at Her Majesty’s pleasure. [Identity Cards Act 2006 s25 and s29].

If it weren’t for these stiff penalties, I’d be tempted to suggest the ability to change the details on your own ID card is an unintended benefit of the scheme, not for the Government but for those who value their privacy.

The National Identity Register will store fifty different classes of information about you in a collection of linked databases. The Transformational Government project (also known as the Database State initiative) plans to share all of this information with any official who cares to look. This is the antithesis of the “least privilege” security principal: that people should be given access to just enough sensitive information to do their job, but no more. For example you may wish to tell your doctor about your medical history but not about your bank balance or speeding fines. The ID card scheme wrests from you control over your personal information and gives it to the state: it will not be possible for individuals to choose which “registrable facts” about them are made available to whom.

It would be possible to regain some of this control, however, if we were able to change at will the details stored on our own ID cards. Facts that we are not willing to share could be either falsified, replaced with nonsense or erased. A mobile phone “identity management” application could be written to store multiple personality profiles for your ID card. Using this, you could switch between personae as the need arises, perhaps even employing your phone’s in-built GPS chip to make sure the “Mr. Smith” profile is on the card when you’re at the Doctor’s surgery and the “Mr. Jones” profile is active when visiting your bank. Being able to compartmentalise your relationships with third parties in this way would be a very strong personal privacy measure.

Yep, that’s right, I have just suggested committing fraud to regain some control over your identity in the event that you are made subject to the ID cards scheme. It’s a damning indictment of the relationship between UK citizens and the state that we should have cause to consider this at all. It’s a more damning indictment of the Government’s competence and character that it chose to pursue this illiberal scheme despite strident warnings and opposition from just about everyone who knows anything about security and technology. “We told them so” brings cold comfort after so much money and freedom has been wasted.

As each nail in the coffin of the ID cards scheme is hammered home the true motivation of the Home Office in persuing such an abysmal farce becomes ever more clear. If the Government understood security and respected individual privacy they would allow each of us to choose how much personal information we want to reveal to others. Instead they are trying to assume control over our identity, to nationalise it in a register that is not only a gross violation of the right to a private life, but will also lock those who conform into a system of fines and a lifetime of administrative strife. All in the pursuit of the ultimate bureaucratic convenience.

The confirmation that ID cards are totally insecure is a mortal wound. If the Government doesn’t now scrap this benighted scheme then we must scrap this Government at the General Election.

UPDATED 10/8/09 14:00 to add:

The Home Office has apparently turned down repeated offers to demonstrate this breach by the researchers who discovered it. A spokesperson said that the story was rubbish. The Home Office has published details of the encryption technologies used by ID cards scheme.

I’m disappointed, but not surprised, that the Home Office thinks security is a product which, if sprinkled liberally over a system in a manner similar to magic pixie dust, will somehow make it impervious to attack. It’s no good having “elliptic-curve cryptography” and “root certificates with RSA 4096-bit strength keys” if the system allows these things to be tampered with or circumvented.

Props to the Home Office spin department though: releasing the geeky details has distracted at least some of the press from holding them to account on the principles of the scheme.

In recent days the Home Secretary has announced that airside workers at Manchester and City airports will no longer be compelled to enroll with the National Identity Register as a condition of their continued employment. This news has been presented as a pledge that Identity Cards will never be compulsory for UK subjects. The press seems to have forgotten that this has always been the Government’s position while Mr Johnson seems to have done one thing and announced another.

I understand the Home Secretary intends to “designate” under the Identity Cards Act a plethora of documents, licenses and permits required by people in their daily lives. Passports will be chief amongst these. Once designated, it will be impossible to apply for (or renew) such documents without also enrolling onto the National Identity Register.

So holding an ID card will remain voluntary, however enrollment on the National Identity Register will be made impossible to avoid, as the list of designated documents expands to include driving licenses; CRB checks; licenses to practice professions such as teaching, social-work, law and medicine. How about marriage certificates? Birth certificates? Death certificates?!

I would like to see the Home Secretary and the Identity and Passport Service held to account on this point. I believe the National Identity Register presents a clear threat to the freedom of UK subjects and to their right to a private life. I find it both sinister and cynical that the Government plans to present a series of Hobson’s choices to the country, forcing people to submit to registration in return for a continuation of rights and privileges they already enjoy, while claiming that our co-operation is voluntary. I find the suggestion that we will have a free choice in the matter objectionable in light of the facts as I understand them.

I would like to ask the Home Secretary whether he plans to make enrollment on the National Identity Register compulsory, or if his recent statements about the voluntary nature of ID cards mean he intents never to designate an official document. If the latter, will he commit to amending the Identity Cards Act to remove the power to designate documents, thus turning the scheme into a truly voluntary affair? If not, what percentage of the population does he expect to be forced to register as a result of the documents they find they can’t live without being designated?

I would be grateful if you could represent my views to the House during Monday’s debate on Identity Cards. Please can you also seek an answer to my questions from the Home Secretary.

Stop the Database State. Join NO2ID today.