"No scheme on this scale has been undertaken anywhere
in the world," the report says. "Smaller and less
ambitious systems have encountered substantial
technological and operational problems that are likely
to be amplified in a large-scale, national system" [see
IEEE Spectrum's "Passport To Nowhere," January 2005, and
"Why Software Fails," September 2005].
Critics say the government adopted an identity
management architecture that was actually developed for
corporate environments. They say the proposed system may
work for a company but it will not work for a society.
"Many experts are astonished that the government is
pushing this corporate architecture as the solution for
government-to-citizen interactions," says cryptography
and privacy expert Stefan Brands, a professor at McGill
University, in Montreal, who contributed to the LSE
report.
Brands says that companies routinely use identity
management systems to electronically track and profile
employees accessing their corporate resources. "In the
context of an enterprise, this may not be a concern," he
says, "but in the context of a national ID card, the
privacy and security implications of such a panoptical
identity architecture would be unprecedented."
Moreover, putting the personal data of millions of
people in one single place, as the government proposes,
is "poor security and poor privacy practice," wrote
Jerry Fishenden, Microsoft Corp.'s national technology
officer for the UK, in an article for The Scotsman late
last year. It would be a highly attractive target for
hackers, and the result, he concluded, could be "massive
identity fraud on a scale beyond anything we have seen
before."
Privacy advocates argue that a database containing
the biometrics of an entire adult population—for the
UK, this means nearly 50 million people—is a shaky
proposition by itself. But they say it's even more
troubling that the government plan calls for the
database to record every occasion in which a person's
identity is verified. As a result, anyone with access to
the system could get a detailed trail of a person's
important activities, says Simon Davies, director of the
watchdog organization Privacy International, in London,
and a visiting fellow at the LSE.
Critics like Davies also note that the proposed ID
card law authorizes disclosure of information from the
database without an individual's consent. That
information could go to a large number of entities,
including the police, the secret service, and tax and
revenue agencies. What, Davies asks, are the safeguards
against official abuse?
The centralized aspect of the plan also bothers
experts like Brands, because it's neither necessary nor
desirable. He notes that people now interact with public
and private organizations using a number of
identification documents—a driver's license, a
passport, a company badge, a health insurance card—and
that this variety is good for individuals. Why? Because
it strengthens people's privacy and makes identity theft
harder by decentralizing personal information.
The UK ID card proposal, however, could seriously
erode this segmentation. Because the cards have unique
numbers, different entities could eventually begin to
use them as personal identifiers in their own systems.
After all, this is exactly what happened with social
security numbers in the United States and other
countries. Created to keep track of a person's
contributions to the social security system, the number
became a highly trusted identifier and wound up being
used by many other organizations, including employers,
investment-account firms, and even video rental stores.
The result is that it became easier for
fraudsters—especially insiders—to get hold of the
information they needed to steal people's identities.
The LSE report suggests an alternative to the
government's proposal: a method based on a distributed
approach. The identity cards, instead of storing a
single number, would hold several independent strings of
digits. These sequences, known as digital credentials,
would each carry a cryptographic signature from the
government, so that a criminal could neither forge one
nor alter it without the change being detected. A valid
signature shows only that the government issued the
credential; tying it to the person holding the card is
the job of the biometric check. A person could store
many credentials on the same card and present a specific
one as proof of identity when, for example, entering a
building, applying for welfare benefits, or opening a
bank account. That way, company records, health and
insurance files, financial information, and other data
would not all be tied to the same number, and records
keyed to one credential could not be matched against
records keyed to another.
Moreover, this distributed approach eliminates the
need for a central identity-verification system.
Instead, the verification would take place locally.
Consider again the bank example. The bank would use a
device to scan your fingerprint, iris, or other
identifying characteristic, just as before. But then,
instead of sending this data to a remote system
elsewhere, the bank would simply compare it with the
biometrics stored on your card.
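The following Go program is an added illustration of the two ideas in the paragraphs above (per-context signed credentials on one card, and verification at the terminal with no central lookup). It is not the LSE's or Brands' own construction, which uses more sophisticated privacy-preserving cryptography; here each credential is simply a random per-context identifier and a salted hash of the holder's biometric template, both signed by a stand-in government issuer with Ed25519. The context labels ("bank", "welfare", "building"), the 16-byte identifier size, and the fingerprint template are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Credential is one entry on the card. No field is shared between a person's
// credentials, so two relying parties cannot join their records on anything
// the card shows them.
type Credential struct {
	Context string // who this credential is for, e.g. "bank" (assumed label)
	ID      []byte // 16 fresh random bytes per credential, not a national number
	BioHash []byte // SHA-256(ID || enrolled template): binds biometric to this ID only
	Sig     []byte // issuer's Ed25519 signature over signingBytes()
}

// signingBytes serializes the signed fields with a length prefix on Context
// so bytes cannot move between fields without invalidating the signature.
func (c *Credential) signingBytes() []byte {
	var b bytes.Buffer
	b.WriteByte(byte(len(c.Context)))
	b.WriteString(c.Context)
	b.Write(c.ID)
	b.Write(c.BioHash)
	return b.Bytes()
}

// bioHash salts the template with the credential's own ID, so the same
// fingerprint yields a different value in every credential.
func bioHash(id, template []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, id...), template...))
	return h[:]
}

// Issuer stands in for the government's signing authority.
type Issuer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIssuer() (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{pub: pub, priv: priv}, nil
}

func (is *Issuer) PublicKey() ed25519.PublicKey { return is.pub }

// Issue mints an independent credential for one context. Real biometric
// matching is fuzzy; an exact hash of a canonical template stands in for it.
func (is *Issuer) Issue(context string, template []byte) (*Credential, error) {
	if len(context) == 0 || len(context) > 255 {
		return nil, errors.New("context label must be 1..255 bytes")
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	c := &Credential{Context: context, ID: id, BioHash: bioHash(id, template)}
	c.Sig = ed25519.Sign(is.priv, c.signingBytes())
	return c, nil
}

// Card holds many credentials and hands out only the one a context asks for.
type Card struct{ creds map[string]*Credential }

func NewCard() *Card                { return &Card{creds: map[string]*Credential{}} }
func (cd *Card) Load(c *Credential) { cd.creds[c.Context] = c }
func (cd *Card) Present(context string) (*Credential, bool) {
	c, ok := cd.creds[context]
	return c, ok
}

// VerifyLocally is everything the relying party's terminal does: check the
// issuer's signature, then compare the live scan with the binding on the
// card. No query to a central register, so no central record of the event.
func VerifyLocally(issuerPub ed25519.PublicKey, c *Credential, liveScan []byte) bool {
	if c == nil || !ed25519.Verify(issuerPub, c.signingBytes(), c.Sig) {
		return false // forged or altered credential
	}
	return bytes.Equal(bioHash(c.ID, liveScan), c.BioHash)
}

func main() {
	gov, _ := NewIssuer()
	card := NewCard()
	template := []byte("constructed fingerprint template of holder A") // constructed sample
	for _, ctx := range []string{"bank", "welfare", "building"} {
		c, _ := gov.Issue(ctx, template)
		card.Load(c)
	}
	bank, _ := card.Present("bank")
	welfare, _ := card.Present("welfare")
	fmt.Println("bank accepts holder's live scan: ", VerifyLocally(gov.PublicKey(), bank, template))
	fmt.Println("bank rejects another person:     ", VerifyLocally(gov.PublicKey(), bank, []byte("other")))
	fmt.Println("bank and welfare share an ID:    ", bytes.Equal(bank.ID, welfare.ID))
	tampered := *bank
	tampered.Context = "welfare" // try to reuse the bank credential elsewhere
	fmt.Println("relabelled credential accepted:  ", VerifyLocally(gov.PublicKey(), &tampered, template))
}
```

Two caveats a practitioner would attach to this design. First, moving the data onto the card moves the trust onto the card and the issuer: the card must resist having its contents read out or rewritten, and the issuer's private signing key becomes the single asset whose compromise lets anyone mint credentials. Second, the terminal in this model sees the raw biometric scan, so a relying party can still retain it; a match performed inside the card rather than on the terminal would close that gap, and nothing in the scheme stops a relying party from logging each presentation locally.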
Such a system, the LSE researchers wrote, would be
"simpler to implement and radically cheaper," adding
that the technologies in its proposal are "in widespread
commercial use" and could be "cost-effectively scaled to
cover the entire UK population." In addition, they say
that even though privacy and security issues still
exist, this scheme wouldn't put at risk sensitive data
of the entire UK population.
But the government isn't buying it. "The system that
we're proposing is the one we think is affordable and
the one that we think will provide the best value," says
a spokeswoman for the Home Office, the UK department of
internal affairs, which is in charge of the project.
(The Home Office's response to the LSE report is
available at http://www.identitycards.gov.uk.) She adds
that for such a huge system, a centralized approach
"seems to be the only way that it would be possible."
"Some of the people we'll be talking to are people
experienced in putting together large-scale databases,"
she says. "We'll be finding out exactly how they do
that."
And how about cost? Charging people £30 for each ID
card (£93 for an ID card plus a biometric passport) will
cover the cost, the spokeswoman says. And as for the
LSE's estimated costs, she adds, they "don't actually
add up."
As supporters and critics further scrutinize the ID
cards' proposed legislation, the debate heats up in
Parliament—and at the pub.
UK Biometric Identity Card
Goal: To introduce ID cards and an identity-verification
system to prevent fraud, illegal immigration, crime, and
terrorism.
Why It's a Loser: The design of the system is based on
unreliable and inadequate technologies that could result
in privacy and security problems.
Organization: Home Office, the United Kingdom's
department of internal affairs.
Center of Activity: London.
Number of People on the Project: Not available.
Budget: More than £20 million in the research phase;
rollout cost estimates range from £5.8 billion to £19.2
billion.