20. Memorandum submitted by
Great Communications Limited
ASSURING IDENTITY: A NEW APPROACH
1. SUMMARY
This paper was prepared for submission to The
Home Affairs Committee in response to its request for evidence.
It describes an approach to identity cards which has the following
key features:
No compulsion to acquire a card.
No compulsion to carry a card.
Payment made to those Registering.
Progressive Disincentives for those
not Registering.
This approach maintains all the benefits associated
with having identity cards, but avoids those aspects that may
give rise to objections. The initial estimates are that it will
take eight years to complete the task of Registering the entire
population at a cost of some £10 billion, and £500 million
per annum thereafter to maintain the system.
2. THE AUTHOR
This paper was prepared by Nigel Foster of Great
Communications Limited. He designed and implemented some of the
most complex commercial computer applications then in existence
until 1974, when he joined IBM. In the 1980s, inter alia, he designed,
sold and implemented the new computer systems that transformed
DVLA, on time and within budget. During the 1990s Nigel was an
Internet pioneer. He now Directs an innovative software and services
Company (which has no connection with identity cards).
3. BACKGROUND
There have been a number of calls over the years
for identity cards to be issued to UK residents as an aid to law
enforcement and to try and reduce fraudulent claims on the Social
Security system. Recently, the perception that the State has lost
control over entry into the United Kingdom and allegations of
"health tourism" have caused a revival of interest in
the subject. Counter arguments are normally on general grounds
of liberty, and reference is often made to the hated "pass
laws" that existed in South Africa. Recent proposals have
included charging fairly substantial sums for such a card, and
there is already talk of a "boycott" which reminds one
of the Poll Tax saga. Counter-spin has re-dubbed the card as "the
entitlement card" without dealing with the various objections
raised.
4. A NATIONAL PERSONNEL FILE
All Companies and Government Departments have
some form of personnel file for their employees. Indeed it is
a legal requirement to have one. Many, perhaps most, people find
it astonishing that the State does not have a similar file of
its residents. The starting point of this proposal is for the
creation of the National Personnel File. The "personnel number"
could be used widely, both by Business and by Government Departments
such as the DVLA and IR. The advantages of this, for both State
and citizen, are that State-financed services would be available
only to those residents entitled to them, and scarce resources would
not be wasted on those not so entitled.
The personnel file will include the obvious
items (name, date of birth, place of birth etc), two digitised
pictures (front and side) and such other biometric data as may
be economic to collect. People often mention DNA, fingerprints
and Iris patterns as suitable candidates for storing on such a
database and all have their plus and minus points. It is not practical
(in both time and cost terms) to analyse and store more than a
tiny fraction of a human's DNA. Automated fingerprint systems are
not nearly 100% accurate and there are already Internet sites
dealing with Iris counterfeiting. No doubt over time the economics
and reliability of the various methods will improve, and new ones
will be invented, but in the meantime it would be wise to collect
as much data as possible, even if it is not practical to utilise
it all at the start of operations. With this system, security
is paramount, as people will try and "break the system"
from day one.
People already do have National Insurance (NI)
numbers, which are used as the index in a number of UK Government
systems, but by no means all or even most. There are some 20 million
more NI numbers than people, and whilst this difference has been
explained away in a variety of ingenious ways, there can be no
doubt that the system is badly compromised. There is no way of
confirming that the person claiming to be so-and-so really is
that person from the NI system as no photograph or biometric data
is kept. This is why one sees prosecutions for DSS fraud where
one person may have dozens of identities. We are in the position
of having a near-useless stock control system, one that is
in desperate need of a stock-check.
As biometric data can only be captured by a
personal visit to a secure facility, it is misleading to compare
a proposed ID system to the driving licence or passport systems,
both of which operate mostly via the post. Passport and driving
licence details would be input to the identity system. Each applicant
would need to be seen by an experienced person (a retired police
officer, for example) and details recorded. The vast majority
would require no further investigation, but some would. Duplicate
biometric data would be detected automatically so multiple identities
(one person having many identities) would be eliminated providing
that the "stock check" were conducted with integrity.
The opposite "scam" of multiple people (one identity
being used by many people) would be harder to detect but the use
of the central "photograph" and spot checks with some
biometric data would make such a deceit much harder to sustain.
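As an added illustration (not part of this memorandum), the following Python models the one-to-many comparison that the automatic duplicate check at Registration would have to perform against every template already held. It treats an iris template as a 2048-bit code compared by Hamming distance, which is how iris codes are matched in practice; the codes here are synthetic, and the match threshold, names and personnel numbers are assumptions chosen for the toy data rather than values from the memorandum.

```python
import random

CODE_BITS = 2048          # length of the classic IrisCode template
MATCH_THRESHOLD = 0.32    # assumed normalised Hamming distance below which two codes are "the same eye"


def random_iris_code(rng):
    """A synthetic template: unrelated eyes give codes that differ in about half their bits."""
    return rng.getrandbits(CODE_BITS)


def rescan(code, rng, flip_fraction=0.10):
    """Simulate a fresh capture of the same eye: a fraction of bits come out differently."""
    flips = 0
    for bit in range(CODE_BITS):
        if rng.random() < flip_fraction:
            flips |= 1 << bit
    return code ^ flips


def hamming_distance(a, b):
    """Fraction of bit positions in which the two codes disagree."""
    return bin(a ^ b).count("1") / CODE_BITS


class EnrolmentRegister:
    """The 'stock check': every new applicant is compared with every template already held."""

    def __init__(self, threshold=MATCH_THRESHOLD):
        self.threshold = threshold
        self.entries = []  # (personnel number, name, iris code)

    def enrol(self, pn, name, code):
        """Refuse a new identity whose template matches one already registered under any name."""
        matches = [(held_pn, held_name)
                   for held_pn, held_name, held_code in self.entries
                   if hamming_distance(code, held_code) < self.threshold]
        if matches:
            return {"accepted": False, "duplicates_of": matches}
        self.entries.append((pn, name, code))
        return {"accepted": True, "duplicates_of": []}


def demo(seed=1):
    """Returns (first enrolment accepted, who the second was flagged as, third accepted)."""
    rng = random.Random(seed)
    reg = EnrolmentRegister()
    alice = random_iris_code(rng)
    first = reg.enrol("PN000001", "A. Smith", alice)
    # The same eye presented under a different name: the second enrolment is refused.
    second = reg.enrol("PN000002", "A. Jones", rescan(alice, rng))
    # A different person is unaffected.
    third = reg.enrol("PN000003", "B. Brown", random_iris_code(rng))
    return first["accepted"], second["duplicates_of"], third["accepted"]


if __name__ == "__main__":
    print(demo())
```

With a fresh capture differing in roughly one bit in ten and unrelated eyes differing in roughly one bit in two, the threshold separates the two cases comfortably on this toy data; in a real system the threshold is set from measured false-match and false-non-match rates, and at 60 million templates even a small false-match rate produces a steady stream of honest applicants flagged for manual review.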
5. OUTLINE DESIGN
The Master Personnel Database would exist twice,
at two secure locations. Neither copy of the Master Database would
have any telecommunications link to the outside world, so that
remote "hacking" over a network will not be possible. Staff
will be positively vetted and all updating will be done via checked
"transaction files" which will be physically delivered
on secure media or transmitted in encrypted form using various
security techniques to an independent system offline from the
Master. After independent updating the two systems will be checked
against each other using "hashing" techniques so that
any "subverting" would need to be performed on both
systems at the same time. The approach at the centre is similar
to that of very secure financial systems. By utilising read-only
copies for operational use we get the ease-of-use associated with
the Internet by implementing a series of Intranets. It should
be added that using Internet technology does not imply public
Internet access.
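The following Python is an added model of the duplexed Master described above, not code from the memorandum. It assumes that the "checking" of a transaction file is a keyed message authentication code shared by the two sites, omits the encryption of the files in transit, and uses a hash over the whole database in canonical order as the cross-site comparison; the personnel numbers and records are constructed.

```python
import hashlib
import hmac
import json

# Constructed shared secret used to authenticate transaction files (an assumption:
# the memorandum says only that the files are "checked" and encrypted).
TRANSACTION_KEY = b"constructed-demo-key"


def make_transaction_file(transactions, key=TRANSACTION_KEY):
    """Serialise a batch of updates and attach a keyed tag for the receiving site to check."""
    body = json.dumps(transactions, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_transaction_file(tfile, key=TRANSACTION_KEY):
    """Refuse the whole batch if the tag does not verify; nothing is applied partially."""
    expected = hmac.new(key, tfile["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tfile["tag"]):
        raise ValueError("transaction file failed authentication")
    return json.loads(tfile["body"])


class MasterSite:
    """One of the two offline copies of the Master Personnel Database."""

    def __init__(self, name):
        self.name = name
        self.records = {}  # personnel number -> record

    def apply(self, tfile):
        """Apply an authenticated batch; each site does this independently."""
        for tx in verify_transaction_file(tfile):
            if tx["op"] == "create":
                if tx["pn"] in self.records:
                    raise ValueError(f"duplicate personnel number {tx['pn']}")
                self.records[tx["pn"]] = dict(tx["record"])
            elif tx["op"] == "update":
                self.records[tx["pn"]].update(tx["fields"])
            else:
                raise ValueError(f"unknown operation {tx['op']!r}")

    def state_hash(self):
        """Digest of the entire database in canonical order, for comparison with the other site."""
        h = hashlib.sha256()
        for pn in sorted(self.records):
            h.update(pn.encode())
            h.update(json.dumps(self.records[pn], sort_keys=True).encode())
        return h.hexdigest()


def sites_agree(site_a, site_b):
    """The cross-site check: both copies must hash to the same value after each update run."""
    return hmac.compare_digest(site_a.state_hash(), site_b.state_hash())


def demo():
    """Returns (agree after a good update, agree after a direct edit, forged file refused)."""
    a, b = MasterSite("site A"), MasterSite("site B")
    batch = make_transaction_file([
        {"op": "create", "pn": "PN000001",
         "record": {"name": "A. Person", "dob": "1970-01-01", "photo_hash": "constructed"}},
    ])
    a.apply(batch)
    b.apply(batch)
    agree_after_update = sites_agree(a, b)

    # An insider edits one copy directly, bypassing the transaction files.
    a.records["PN000001"]["dob"] = "1980-01-01"
    agree_after_tamper = sites_agree(a, b)

    # A file built with the wrong key is refused before it touches either copy.
    forged = make_transaction_file(
        [{"op": "update", "pn": "PN000001", "fields": {"dob": "1990-01-01"}}], key=b"wrong-key")
    try:
        b.apply(forged)
        forged_refused = False
    except ValueError:
        forged_refused = True
    return agree_after_update, agree_after_tamper, forged_refused


if __name__ == "__main__":
    print(demo())
```

The model makes the point the text makes: a direct edit to one copy that bypasses the transaction files shows up at the next comparison, and a file whose tag does not verify is refused before it is applied. A shared MAC key lets either site forge a file for the other, so a deployment would sign the files with a key held only by the originating clerical system and keep the comparison results on a third machine that neither site can edit.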
All Operational access to the database will
actually be to multiple copies or subsets of the Master which
can be refreshed each day from the "Master". Access
to these copies will use Internet Standards, so that cheap, off-the-shelf
devices can be used to store and access them. The normal Operational
Subset for Uniformed Police use might include the Photos and basic
(name etc) data, whereas CID may also want (say) fingerprint data
and Forensic Labs might need DNA data. The point is that many
of these Operational Subsets can be created and then integrated
relatively easily into existing systems. Thus the Police could,
if they wish, have a link to/from existing PNCU systems so that
a wanted person might be identified. This architecture avoids
any "Big Brother" charge, and allows rapid local utilisation
of the relevant data within the existing local security protocols.
Most important of all, such a design makes it
unnecessary to actually carry an identity card, as the information
would be online to authorised personnel. If, for example, a uniformed
policeman required someone to identify themselves, and they had
no id-card with them, then simple inputting of name and date of
birth is likely to produce one "hit" and a picture.
This could be done on a modern mobile phone or similar using simple
internet browser technology. At Social Security offices, access
would be via a standard PC using standard software. In the event
of multiple "hits", then "tie breakers" could
be used, such as the "mother's maiden name" favoured
by the Credit Card Companies. In fact the process of identifying
oneself would be very similar to that employed by Credit Card
Companies when dealing with a telephone query, but with the addition
of a picture. If a card was produced and the Policeman suspected
that he was dealing with a forgery, then the simple input of the
personnel number would deliver a picture and other data for comparison.
This would make the forging of cards fairly pointless, unless
one could also subvert both the Master Databases.
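Added example (Python, not from the memorandum) of the operational subsets and the identification flow described in section 5; the same central lookup is what section 11 relies on to make card forgery pointless. The roles, field allow-lists, records and personnel numbers are constructed, and the master extract is a plain dictionary standing in for the daily refresh from the Master.

```python
from types import MappingProxyType

# Constructed master extract; the photo, fingerprint and DNA fields stand in for binary data.
MASTER = {
    "PN000001": {"name": "Jane Smith", "dob": "1970-05-04", "mothers_maiden_name": "Brown",
                 "photo": "photo-bytes-1", "fingerprints": "fp-1", "dna": "dna-1"},
    "PN000002": {"name": "Jane Smith", "dob": "1970-05-04", "mothers_maiden_name": "Green",
                 "photo": "photo-bytes-2", "fingerprints": "fp-2", "dna": "dna-2"},
    "PN000003": {"name": "John Doe", "dob": "1965-11-30", "mothers_maiden_name": "White",
                 "photo": "photo-bytes-3", "fingerprints": "fp-3", "dna": "dna-3"},
}

# Allow-list of fields per operational subset (assumed roles); nothing else leaves the master.
SUBSET_FIELDS = {
    "uniformed_police": ("name", "dob", "mothers_maiden_name", "photo"),
    "cid": ("name", "dob", "mothers_maiden_name", "photo", "fingerprints"),
    "forensic_lab": ("name", "dob", "dna"),
}


def build_subset(master, role):
    """Project the master onto the role's allow-list and freeze it: a read-only daily copy."""
    fields = SUBSET_FIELDS[role]
    frozen = {pn: MappingProxyType({f: rec[f] for f in fields if f in rec})
              for pn, rec in master.items()}
    return MappingProxyType(frozen)


def identify(subset, name, dob, tie_breaker=None):
    """Name plus date of birth lookup; a tie-breaker (mother's maiden name) narrows multiple hits."""
    hits = [pn for pn, rec in subset.items() if rec["name"] == name and rec["dob"] == dob]
    if len(hits) > 1 and tie_breaker is not None:
        hits = [pn for pn in hits if subset[pn].get("mothers_maiden_name") == tie_breaker]
    return hits


def card_check(subset, card_number):
    """For a presented card, fetch the central picture for the officer to compare with the bearer.
    A card printed with an unknown number, or a real number and someone else's photo, gains nothing."""
    rec = subset.get(card_number)
    if rec is None:
        return {"known": False, "photo": None}
    return {"known": True, "photo": rec.get("photo")}


def subset_is_read_only(subset):
    """Operational copies cannot be edited in place; changes only arrive via the master refresh."""
    try:
        next(iter(subset.values()))["name"] = "edited"
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    police = build_subset(MASTER, "uniformed_police")
    print(identify(police, "Jane Smith", "1970-05-04"))                      # two hits
    print(identify(police, "Jane Smith", "1970-05-04", tie_breaker="Green"))  # one hit
    print(card_check(police, "PN999999"))                                     # unknown number
    print("photo" in build_subset(MASTER, "forensic_lab")["PN000001"])        # False
```

The uniformed-police subset never contains fingerprint or DNA data and the forensic subset never contains a photograph, so a compromised operational copy exposes only what that role needed; and because the copies are frozen, an attacker who reaches one cannot plant a record there, only in the Master via the checked transaction files.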
6. IMPLEMENTATION CONSIDERATIONS
Computer systems are only as good as the quality
of the data they use: garbage in, garbage out. Collection
and input of the primary data (name, image, fingerprints etc)
and examination of documents required (passport, Birth Certificate
etc) must be done at reasonably secure locations and conducted
by trusted and experienced staff face-to-face with the applicant.
As it is to be expected that determined efforts will be made to
subvert this aspect of the system, cross checks must be made to
other Government systems as appropriate and perhaps to commercial
organisations such as Experian to check on the Register of Voters.
As the main objectives of this system are to
assist in controlling crime, identity fraud and illegal residency,
it would be sensible to implement this system first for those
groups most likely to fall into these categories. The suggested
implementation sequence is:
1. Those claiming asylum (at the point of claiming).
2. Those who have claimed asylum and are awaiting
a verdict.
3. Those living here illegally (it is suggested
that these people be granted an amnesty if they Register which
will give them a period of grace).
4. Those claiming Social Security benefits for
the first time.
5. Those already claiming benefits.
6. The rest of the population, possibly in (say)
alphabetic sequence.
7. CHARGING AND COMPULSION
It has been suggested that people be charged
quite substantial sums for Registering. As great benefits will
be felt by the nation as a whole over many years, and as charging
will act as a focus for dissent as with the "Poll Tax"
such a policy would be myopic. The Registration process will inconvenience
honest people and the State will gain hugely. People should be
rewarded for Registering, perhaps £50 per person. This
would cost about £3 billion.
It has been assumed by commentators that Registration
would be compulsory, but why? It matters not if a legal
resident and would-be martyr declines to Register. Compulsion
would exist only for groups 1 to 3 as defined above.
However it may be that after the completion
of implementation one might give the Police, C & E etc greater
powers if people had not Registered, and to progressively require
Registration to claim various State Benefits. In addition the
types of commercial organisations that currently insist on customers
producing Utility Bills and the like will probably require the
production of an identity card.
This combination of pressures will ensure very
high Registration percentages without compulsion.
8. TIMETABLE
The UK Government has a very poor record implementing
computer systems on time and to budget. Further, this system requires
sophisticated and secure clerical processing and bulk processing
of biometric data. Security is paramount, but one might also argue
that time is of the essence. If one were freed from the bureaucratic
process and good leaders and managers appointed with a clear brief
and appropriate powers and budgets, how long might implementation
take?
1. Recruitment of key personnel and creation
of outline plan and design, including biometric definitions and
clerical systems: 1 year.
2. Detailed design of database, data-collection,
clerical and security processes: 1 year.
3. Implementation of "mark 1" system
including testing and clerical training: 1 year.
4. Input of population of (say) 60,000,000 people:
5 years (see 9 below).
Items 1 through 3 above do have some overlap,
so all of item 1 need not be complete before item 2 is started,
and so on. On this basis the timetable might be reduced somewhat.
In addition, during item 1 some prioritising may occur for political
reasons. By the same token, politics will cause unforeseen difficulties.
The earliest possible time to commence operations would be 2.5
years from the starting date, and in the real world, 3 years is
ambitious enough. Thus it will take 8 years to fully implement
the system from the starting date.
9. COSTS
The vast bulk of the costs will be in the collection
and verifying of the personnel data. There will also be technology
costs such as those associated with storing the duplexed Master
databases. If one assumes 1 megabyte of data per person (60 terabytes
in total) the cost should not exceed £5 million, and pro rata for larger volumes.
Thus 10 megabytes per person would cost less than £50 million
to store securely. These prices are declining all the time and
core technology costs can be safely ignored as an important factor.
To collect and verify the personnel data it
will be a requirement for all applicants (with obvious exceptions
such as the bed-bound) to attend a local centre, where digital
photographs, iris scans and fingerprints would be taken, documents
inspected, and any questions asked. Obviously many cases will
be simple, and others very complex. Taking a view of the time
needed/person, and assuming that one person can on average process
four applicants/day, then some 15,000 people would be required
to complete the task in five years. For a "classic"
nuclear family of four passport-holders, this may seem easy, but
firstly, not everyone falls into that category, and secondly there
will be significant "back office" tasks to perform.
This estimate should be treated with some caution, and one of
the outputs of the first year's work will be a more accurate estimate.
At this stage it would be prudent to treat this estimate as a
minimum, and budget for "up to 25,000 people" for five
years, and to maintain the database thereafter, perhaps 10,000
people permanently. The maintenance would include births, deaths
and marriages, new immigrants and new photographs as babies grow
up to become adults and other changes to the basic data. If a
reliable "residents" data source existed, then significant
indirect savings should accrue to other Government departments
over time in addition to the direct savings from reducing fraud.
During the "take-on" phase (25,000
people for five years) I have assumed a cost-of-employment of
£50,000 pp/pa, to include office space, furniture, PC, networking
and so on. This gives a set-up cost of £1.25 billion pa
for five years, or £6.25 billion in total, including collecting
DNA (but merely storing it securely), Iris and fingerprint data.
The £50 pp bounty would cost a further £3 billion. Allowing
for development costs and additional infrastructure technology,
the cost up to the conclusion of the take-on is estimated to be
in the order of £10 Billion over eight years.
The maintenance phase on the same basis would
cost £500 million per annum and phase in over five years.
As DVLA costs some £300 million pa, this estimate is within
common-sense bounds.
In addition there will be costs incurred for
storing the Operational subsets and accessing them in various
applications. Due to the architecture of the system, in many
cases these new facilities will be able to be linked in to existing
systems straightforwardly and cost justified by a local business
case.
10. BIOMETRICS
This investment would give a secure system with
digitised photographs and verified personal data. However whilst
fingerprints, DNA samples and iris images can and should be collected
at this stage, and the cost of so doing is included, it is unclear
what should be done with them. All three technologies have significant
uses and limitations. To "sequence" a small part of
DNA to look for specific small components can cost as little as
$50 per sample in bulk. But to process 12 million samples per
annum requires a whole new industry. The security aspects, the
need to keep a separate physical sample for possible fuller analysis
and the need to sequence sufficient base-pairs to ensure near
uniqueness probably means an extra cost of, at the very least,
£50 pp, or £3 billion in total, and probably a great
deal more. The advantages of so doing are unclear as there is
no such thing as an on-the-fly DNA reader. However DNA in the
final analysis does allow the positive identification of a person
or part of a person. Iris images are probably unique but the iris
"readers" are only 95% accurate even under ideal conditions.
Imagine one person in twenty being detained at Gatwick in August.
Similar considerations apply to fingerprinting. The common-sense
compromise would be to collect such data from each applicant,
but to use it very selectively. As technologies advance, it may
well become economical to make more use of the biometric data.
11. THE IDENTITY CARD
With the definitive record being held centrally,
the actual card is more of a convenience. It should not be necessary
to have much more elaborate mechanisms than are employed by the
more advanced credit-card Companies, or ski-resorts such as Verbier
(here a transponder in the lift-pass signals the expiry date to
the turnstile-controlling computer and transmits the image of
the skier to a monitor screen, all without being removed from
the skier's pocket). Because the physical card is only a convenience
and not the "true record", lost cards can easily be
cancelled and re-issued.
Where "being on the system" is compulsory
(say, for the collection of certain benefits) then the card itself
could trigger an access to the central (copy) database, and the
"photograph" (and any other relevant data) stored there
would be displayed. This would make card forgery nearly pointless.
This is vitally important as there is no such thing as a secure
identity card, at least not for very long. Any technology
on an ID-card can be reverse engineered and subverted in time.
The Central Database can be made much more secure. The Identity
Card is merely one useful output from the "National Personnel
System".
January 2004