3. Memorandum submitted by
British Telecommunications plc
1. INTRODUCTION
British Telecommunications plc (BT) is pleased
to respond to the Home Affairs Select Committee's request for
submissions from interested parties in support of its inquiry
into ID cards.
BT does not offer a view on the merits of an
ID card scheme. However, as a leading global provider of communications
and ICT systems, the company has the expertise and track record
to advise on the practicality and implications of a system of
this nature. This submission outlines a number of points that
require consideration before initiating the delivery of an information,
communications and technology (ICT) solution of this scale.
2. AREAS ON WHICH THE COMMITTEE REQUESTED COMMENT
2.1 The practical issues involved in the ID
database and biometric identifiers
From BT's experience, a number of practical
issues will require further consideration in this area:
The performance of the database: The
storage and interrogation of the ID data will be heavily reliant
on the architecture and the type of data stored. The two primary
uses of the database will be for:
- "Identification" on citizen enrolment.
- "Verification" on checking a citizen's claimed identity.
It is predicted these uses will require a high
performance system, given the potential access requirements. For
identification, the whole database will need to be scanned for
each enrolment, to ensure biometric uniqueness. This requirement
also raises the issue of ensuring effective "point of transaction"
technology and the network over which the system will run.
Access to the database: The
issue of who will be allowed access to the ID database will require
careful consideration. Clearly only authorised individuals will
be allowed access but setting the limits of authorisation will
require deliberation. International access may be required to
enable British missions abroad to continue to issue passports.
There will be implications around data protection, and the security
and integrity of the system to enable such access.
Disaster Recovery: The consequences
of anything but the briefest failure of the system could prove
catastrophic. The physical location of the ID database, back-up
databases and the disaster recovery strategy will need careful
consideration.
Biometric types: The Government
has suggested a number of biometric types. These are briefly described:
- Fingerprint recognition is in use in a number of applications
  and is a relative success. Issues with fingerprint recognition
  include the high rate of false non-match results and social
  inclusion, given that in the current UK population approximately
  one in a thousand people are unable to provide the required four
  suitable fingerprints. Another potential problem area is the
  public perception of the process of taking fingerprints and its
  link with the criminal justice process.
- Iris recognition is as yet unproven in large-scale biometric
  applications. Issues include the physical size of each individual
  datum and, for a population in excess of 50 million, the need for
  an image of both irises to ensure uniqueness. Around one in ten
  thousand people do not have a suitable iris for recognition.
- Voice recognition raises issues around uniqueness and the physical
  size of the information required to be stored for each individual.
  Voice could, however, add a secure layer to any ID check that was
  completed over the telephone.
- Facial recognition is not currently sufficiently reliable for the
  identification of each member of the population and recent trials
  have shown relatively poor identification performance.
- Written signature and hand geometry have also been suggested as
  possible solutions but these are not as reliable as those
  described above.
Biometric selection and operation: To
ensure the successful national roll-out of an ID card, the following
issues should be considered:
- The degree of uniqueness of the biometric to be used as an
  identifier.
- The number of types of biometric required.
- How secure and robust is the technology?
- The speed and ease at which the biometric can be recorded and
  retrieved at point of contact.
- The staffing levels required for operation and maintenance.
- The margin of error considered acceptable over the whole process:
  collection of biometric data, transfer of this onto a card, secure
  delivery to the correct individual and accurate recognition at
  point of contact.
- How those unable to provide biometric data will be included.
- How long records will be archived once the individual has died.
- What should be done with an individual's biometric information if
  he/she goes missing?
- Who owns the biometric data: the Government Department/Agency or
  the individual who provided the sample?
- How socially acceptable and inclusive is the chosen biometric?
2.2 The security and integrity of the proposed
system
BT provides managed services for many ICT solutions
and believes the security and integrity of the proposed system
is paramount to achieving the Government's objectives of reducing
fraud and crime. Consideration should be given to the following:
Card security: End-to-end card
security should address:
- The biometric readers at point of contact.
- The manufacturing process including the transfer of individual
  biometric information to the location of manufacture.
- The encryption of this data on the card.
- The accessibility of data stored on the card for alternative
  applications.
- The physical delivery of the card to the correct individual.
- The point at which a card is removed from the public domain.
- The destruction of the card.
User access: All operational
and physical user access to the system should itself require National
ID card authentication. Comprehensive audit trails of all system
access must be maintained, and the system must enable the aggregation
of such data from all of its components, to ensure non-repudiation
of transactions.
Security issue escalation and management: Security
problems could vary from rejected identity verification through
to attempts to compromise the system. It is essential that an
operation is formed with trained staff and that technology and
processes that support security (and other) issue resolution are
defined and managed.
Accreditation and standards: The
solution should conform to the highest security levels, ensuring
the certification of all participants and that all data stored
on cards and sent over networks is encrypted.
The solution should also adhere to all relevant
international standards, for example, the Multi Application Smart
Card (MAS) Standard that provides the specifications of interoperable
and flexible smart card architectures for a number of sectors
including Government. Other standards exist within Europe and
the United States and should be considered. A suitable standard
that is acceptable to all Government Departments should be agreed
to facilitate any future use from other Departments, for example
the DWP, DVLA etc.
Future proofing: BT dedicates
teams to the advancement of technology and believes that any technology
employed should not only be proven but also be as future-proofed
as possible.
2.3 The operational use of ID cards in establishing
identity, accessing public services, and tackling illegal migration,
crime, and terrorism
This section includes comments concerning the
practical issues of individual registration as well as the operation
of the scheme:
Enrolment and Initial Identification: Thought
must be given to the location of the devices for capture of the
biometric and initial registration details of all individuals,
to ensure social inclusion. This process must be completed under
authorised supervision to eliminate fraudulent applications.
This local registration point could be responsible
for validating the "identification" of the applicant.
Alternatively this could occur at a separate secure processing
centre.
This is potentially the weakest link in the system.
Should the integrity of the system be compromised at this stage,
the operation and the credibility of the system will be fundamentally
undermined.
Card Production and Delivery: If
"identification" is validated at the local registration
site, cards could also be manufactured here. Alternatively manufacture
could occur at a separate location. If capacity allowed this separate
location could be the existing UKPS and DVLA operations or alternatively
a new operation. Conducting manufacture, issue and delivery at
a separate location raises questions such as:
- How an individual's registration details can be securely
  transferred from the site of registration to the secure
  processing centre?
- How the card could be delivered securely to the correct
  individual?
Identity checking in operation: There
are a number of levels of identity check possible, including the:
- Visual check against the card.
- Check of a citizen's ID number/password against the central
  database.
- Check of a biometric against that stored on the card.
- Check of a biometric against that stored on the central database.
Further guidance is required on when each of
the above would be applicable. Government should also consider
mobile checking situations.
2.4 The estimated cost of the system
This section covers considerations relating
to the cost of the system.
Costs: The cost of the system
will vary according to several factors:
- The number of biometrics used for each individual.
- The amount of information stored on each card for entitlement and
  identification.
- The required speed of the system in responding to specific queries
  at point of contact.
- The required level of security of each site hosting a database.
- The proportion of the new system that can be accommodated on
  existing systems, for example DVLA and UK Passport Agency
  databases and other existing Government Department infrastructure.
- The rate of renewal, updated personal information or replacement
  of lost cards.
Funding: The funding for the
scheme could be shared across several Government Departments.
Decisions on the level of costs to be passed on to the individual
must take social inclusion into account. It is possible that an
arrangement between the public and private sectors will be required
to facilitate the funding for a project of this size.
2.5 Other Considerations
Departmental Engagement: The
Government could plan to engage with all relevant Departments
to understand any ID card-related activities underway and
ensure they are all aligned to an overall ID scheme strategy.
Management of the Scheme: It
is likely that this scheme will require inter-Departmental working
and, as the solution evolves over time, may require the Government
to engage and deliver operations with private sector organisations.
3. SUMMARY
Planning and delivering this scheme will create
challenges and requirements for the Government in numerous areas,
many of which are detailed above.
The final cost of the system will vary depending on the exact
system requirements including whether it is tendered as a single,
co-ordinated, cross-cutting scheme, or as a series of smaller
projects. The latter may involve participating Government departments
evolving their relevant processes and technology towards a model
for operating the ID scheme.
Some form of partnership with the private sector
will be essential. The implementation timescales for the scheme
are challenging and early clarification of the procurement strategy
and engagement with potential suppliers is essential. As past
projects have shown, the chances of success are greatly improved
if a partnership between public and private sectors is created
at the project definition phase and carried through into implementation
and operation. BT believes such an approach would reduce risk and assist
in an effective rollout of this programme.
January 2004