Rushed law is bad law – or so the saying goes. The principle, while certainly not universally true, has been demonstrated with enough regularity over the years for policy makers to have become more cautious, though not necessarily less fallible.
In recent times, the availability of sophisticated and powerful information technology has introduced a new dynamic into the creation of new policy: IT can provide dramatic, powerful solutions, making it tempting for lawmakers and those in authority to put it to immediate use; but, as dozens of huge, failed projects have shown, it is also complicated, expensive and frequently addresses the wrong problem.
There are hundreds of examples, but there is nothing like a security problem to demonstrate the point. The perceived threat to life or property induces a search for immediate and dramatic solutions, with technology increasingly looked on as a panacea for security problems. So it is, for example, that the US government has rushed to deploy and mandate biometric passports long before other countries are willing or able to deploy the technology, thereby reducing the effectiveness of the measure and damaging its own economy; and the UK government's plans to introduce national ID cards are in spite of the enormous costs, practical problems and the fact there is little evidence that they will prevent either fraud or terrorism (see Information Age, June 2005).
In the case of ID cards, the grand, centralised, technological solution being proposed has already drawn much criticism. Aside from the obvious civil liberties objections, many are puzzled at the government's determination to take a centralised approach, rather than a distributed one based on legacy investments. With dozens of ID schemes in existence (bank cards, driving licences, passports, etc), why not legislate to encourage or allow greater harmonisation of these, rather than start all over again?
The whole ID card scheme is reminiscent of the planned EFTPOS (electronic funds transfer at point of sale) card that the big banks planned to introduce in the 1980s. This revolutionary card would enable shoppers to buy goods at the check-out with one card, with the payment deducted directly from their bank accounts. A huge new database, costing hundreds of millions of pounds to build and run, would hold cardholder and transaction information, with the details being exchanged with bank account data in real time. Only after two or three years, and much discord, did one or two banks break ranks and decide the aims of the scheme could be achieved by linking their existing systems together.
In a related field, US companies are currently struggling to implement the now notorious Sarbanes-Oxley Act, which requires executives to sign off on such a detailed level of knowledge about their companies that it would not be possible without huge new investments in IT. The IT suppliers have loved it, but many others think it has gone too far, damaging the economy and prompting many companies to delist from Wall Street. Even Michael Oxley, one of the act's authors, recently said: "If I had another crack at it, I would have provided a bit more flexibility."
Meanwhile, in India, the National Association of Software and Services Companies (Nasscom) is involved in another kind of grand solution, this time in response to information security problems. With the backing of the Indian government, it intends to create a registry of all of the country's IT professionals. The goal: to prevent untrustworthy people from working in call centres or in IT development.
In India, where maintaining the country's brand as a secure place to do business is essential, this move might just pay for itself, although the system is far from foolproof: IDs can be faked, and dozens of people can usually access data, from inside and outside India, who would not be required to register. But in other countries where privacy and even human rights issues are considered more important, such a system would be extremely difficult to expense.
Once again, the answers may lie not at the centre, but at the local and company level. BT, for example, requires new recruits to provide evidence of their criminal record – or lack of one. And most frauds and security problems are more effectively dealt with by process and cultural changes than technological ones.
None of this is intended to argue that hurried law or big IT-based projects are necessarily bad. The London congestion charge, for example, managed by a complex back-end computer system, was widely forecast to fail but has been a great success – as have many different national police databases. Even so, legislation underpinned by the big IT-led solution should usually be regarded with great suspicion.