The database state
Violations, abuses and screw ups dominated the public PSC debate, but no credible alternative was offeredPrint
10 November 2017 | 0
It is always a good thing to be amongst educated and informed people who do not hold the same views as yourself. The main reasons are that it will either open your mind to new possibilities and ways of thinking, or it will make you question your own beliefs to the point where you must either modify them based on new evidence or reaffirm them with even greater proofs to defend them.
Regardless, the experience is usually invigorating and energising.
So it was with some dismay that I left the recent meeting organised by the Irish Council for Civil Liberties (ICCL) on the public services card (PSC) having been utterly baffled by the arguments presented by a wide range of domestic and international domain experts.
“In a country of a growing, yet aging population, where resources are still stretched and funding is tight, how do we provide public services to the citizenry where as much as possible is done online, freeing real people to deal with the elements that need to be delivered by a human?”
Firstly, the panel was entirely one sided, with no representation whatsoever for either the card scheme itself, or the public services. Secondly, the audience seemed to be compromised mainly of supporters, with little or no dissenting voices or serious questions for the panel.
This entire publication hardly has the capacity to go through each and every point that was presented, but suffice to say there were comprehensive presentations on the legal, civil, personal and political elements of the PSC, though curiously none on the technical.
So, for the purposes of brevity, I’ll sum up the objections.
The legal people highlighted that the entire PSC scheme, including the aggregation of databases behind the single unique identifier for citizens to support public services, was underpinned by poor legislation that was badly defined and was done without consultation with the very subjects of the system.
Fair enough, no argument there.
There was also criticism for the lack of public consultation in general, particularly around how data was to be gathered, used, stored and accessed and by whom.
Again, no argument there. The current government, and the last, have been spectacularly bad at communicating the benefits of what they are doing as regards digital public services, in contrast to the services themselves.
There followed a litany of objections based on abuses of data, poor data practices, data hygiene and privacy protections. These included everything from abuses of the Garda PULSE system, to unwarranted access of citizen data by public service workers and data access for non-official reasons.
There was even an objection based on the fact that databases of citizen data would be too much of a honeypot for hackers and criminals.
National ID card
Speakers from international privacy organisations said that such databases are unnecessary, intrusive and violate rights to privacy, with repeated choruses of a ‘national ID card’.
And of course, there was the citing of the case, widely reported, of the elderly woman who was denied her state pension payments because she refused to sign up for the mandatory, but not compulsory, PSC.
I listened to all of these reasonable, informed and educated people with a growing sense of frustration. Eventually I could hold no more and had to simply ask what seemed to me the obvious question.
In a country where we have a growing, yet aging population, where resources are still stretched and funding is tight, how do we provide public services to the citizenry where as much as possible is done online, freeing real people to deal with the elements that need to be delivered by a human?
The answer from the entire assembled wisdom was nothing—not one of them had a single alternative. There was not one suggested a way in which digital services could be delivered to all based on identity, that would satisfy their demands for privacy.
When pressed as to why linked databases across public services were ‘a bad thing’ and what the alternative was to support digital service delivery, there was mention of Estonia of course, and Germany where the public services, I was reliably informed, work on the basis of what was termed ‘sharding’, where links are possible for cross referencing individual records, but separations remained to protect privacy.
While I was heartened at least that some knowledge was present of another EU state doing something digitally in public services that did not engender horror, on further research, I was told by a representative of the Office of the Government CIO here that Germany was planning to end such practices in the near future and go with fully connected databases, as the current system was too cumbersome as it looked to develop its offerings for more services.
I was put in mind by the entire discussion of the old axiom that hard cases make bad laws. While no one could argue with the examples of violations cited, there seemed to be a complete lack of awareness, or lack of acknowledgement at least, that society has changed in its attitude to privacy and personal data in recent decades, and that industry, particularly the IT industry, has also changed to keep up.
No longer is it acceptable to allow people access to sensitive data on an everything, anytime basis. Now, it is understood that it is necessary to provide access on a need to know, task or role based restrictive policy. No longer will someone be able to look up anyone for anything in a public service database, be they cop, social worker or public service mandarin.
Furthermore, the example of a single Garda logging on to PULSE and then all others using that log in because the system was too slow and cumbersome to have each one log in and out separately would also be mitigated, as adequate systems of access, based on restrictive policies using properly resourced infrastructure would negate the practice.
Again, the policy based access would mean that anyone who did seek to access what they were not allowed to would have that attempt logged and investigated. If a legitimate reason was found for the attempt it could be authorised, otherwise the incident would result in disciplinary action.
But even with all of these fears addressed, there was still a fundamental objection to a linked database of citizen information to positively identify citizens for service access. One UK campaigner said that the citizenry must resist what he called the “database state”.
Aghast, I again asked how could modern public services be delivered without such facilities? The campaigner’s presentation had featured a picture of the East German Stasi paper filing system as if to say that would suffice. He seemed unaware that the population of East Germany in 1989 was some 16.5 million. That is now heading for 81 million in today’s Germany.
And finally to the objection to a ‘national identity card’, I find myself increasingly saying, so what? No citizen will be required to carry the PSC, and no official or law enforcement agent will be entitled to ask for such identification without legitimate reason or suspicion, so what difference does it make?
The point then offered was that it is impossible to say how laws will change in the future.
At this point, I decided it was probably unprofitable to engage further.
Balance and insight
Apart from the total lack of not even an opposing voice but one, at least, that was familiar with the proposed citizen identity system, I was agog at the lack of understanding of how digital services work and how they can be a multiplier for stretched resources in public services. The cries of abuse and ill-handling were not met with any cognisance of how modern policy-based systems can not only mitigate but negate such cases. Now accidents and maliciousness cannot ever be ruled out, but for the most part, these objections can be easily met.
Poor handling by ministers aside, there seemed to be no thinking at all as to credible alternatives that could offer anything like the same level of capability, while meeting the desired privacy levels.
In all, I was severely disappointed in the assembled argument and had my faith shaken in what appeared to be a civic-minded endeavour.