Gartner Blog Network


Did UK citizens dodge an ID Card bullet?

by Robin Wilton  |  March 31, 2011  |  2 Comments

Amidst all the Google/FTC reaction, my Twitter board lit up today with  some fascinating traffic from online privacy advocates in Pakistan about their National Database and Registration Authority. It seems NADRA launched a service in 2009 which, thanks to an agreement with three mobile network operators in the country, makes it possible for any citizen to text a CNIC Computerised National Identity Card (CNIC) number to the number 7000. In return they will get a text message containing the first name, last name and father’s name of whoever that card is registered to. Another of NADRA’s announcements about the service adds that they may disclose “any other content they deem appropriate” – and that law enforcement agencies have a separate “7001” number for their own requests.

Interestingly, beyond that split across two numbers, the scheme has no concept of a ‘valid requester’; anyone is entitled to check any CNIC number via the 7000 code. If you, as a subscriber to one of the three mobile networks, want to send random CNICs in and see who you get, nothing will stop you. It will cost you something – though I can’t be precise about how much. In principle, the charge is 15 rupees (about 12 UK pence or 18 US cents) per message. In practice, one local privacy advocate has so far received 42 text messages, all about his own CNIC number, in response to a single request. He is a little miffed…

Billing issues aside, you might wonder why it’s appropriate for every citizen to have access to such a mechanism. Although it was launched as a ID Card validation service, it somehow manages to go beyond that (in the sense that you can enquire against the database even if a card is not present) while at the same time falling short (it doesn’t actually validate the card, if a card is present… it just tells you what name is associated with that CNIC).

If I have no legal or contractual right to ask you for your CNIC, why should I have the ability to check your CNIC and be told your name (let alone your father’s name)? I regret I am unable to ansewr that question on NADRA’s behalf – though if I find out, I’ll be glad to let you know.

There is a slightly more pernicious side to this, apparently. I’m told that some forms and registration processes intentionally just ask Pakistani citizens for their CNIC number (but not their name or other personal details), just as a general indication of citizenship. That seems like a nice, privacy-respecting step – unless it is trivial for the collector of that number to ping the central database and fill in the blanks.

It’s tempting to sit back and say “well, something like that could never happen in the UK, could it?”. Couldn’t it? To my mind, this example just goes to show how things that are technically straightforward can give rise to the need for a large and potentially complicated governance layer, including not just technical controls to establish properly authorised access, but also procedural and legal controls to ensure that those who do have authorised access cannot abuse that access, intentionally or otherwise.

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: 

Robin Wilton
Research Director
26 years IT industry

Robin Wilton is a research director with a particular interest in digital identity and privacy (and their relationship to public policy), access control and single sign-on, and the productive use of public key infrastructures. Read Full Bio


Thoughts on Did UK citizens dodge an ID Card bullet?


  1. Shahzad Ahmad says:

    One more minor detail to the NADRA system is that when we sent our CNIC for info, just to see how it works, I received 48 replies for one request, one of my colleague got 8 and probably none for another person. Shows that how faulty the system is and more concerning that it costs money and involves all different telcos.

    In addition, our info request to 7001 replied that we are not authorized to use this service. This probably means that there are specifically assigned numbers for “law enforcing agencies” to get this data. If that is the case, then where is the judicial oversight for such an action by agencies. Do you think we should raise this at this level or just move on that it is normal thing in banana republics 😉

  2. Che says:

    All I can say is that “Privacy Advocates” are quiescent while this mass invasion of public privacy is happening under the umbrella of providing empowerment through identity.

    The provision of personal data using SC is ridiculous but I have heard there are far more sophisticated ways of sharing data between banks, security agencies and embassies that is going unnoticed.



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.