24. Memorandum submitted by the Institute of Electrical Engineers
The Institution of Electrical Engineers (IEE)
is the largest engineering institution in Europe with a membership
of some 130,000 professional engineers who represent key sectors
including electronics, communications, computing, energy, manufacturing,
and transport. Many of our members have experience in the practical
issues involved in developing complex databases. Members have
also been involved in the design, acquisition and management of
trustworthy and dependable information systems. We therefore welcome
the opportunity to submit evidence to the House of Commons Home
Affairs Committee inquiry into government proposals for an identity
card scheme.
DATABASE AND BIOMETRIC IDENTIFIERS
Essential requirements for a biometric identifier
database include: establishing the identity of the person giving
the biometric to a high level of assurance; ensuring that the
stored biometric cannot be tampered with, even by organised criminals
with substantial resources; and ensuring that the equipment that
reads the individual and compares with the stored biometric has
a very low rate of both false positive and false negative errors.
In this context two issues should be addressed.
Firstly, if an individual's biometric data is
compromised either by accident or as part of an identity theft,
the damage to the individual could be substantial. The Committee
should seek information on the mechanisms and compensation schemes
that would be introduced to ameliorate this damage. Secondly, the
Committee should investigate the cumulative error rate from each
element of the system. It should then consider whether or not
this is acceptable as a daily failure rate at (for example) benefit
offices, ports and airports, and other high-volume locations.
SECURITY AND INTEGRITY
Whilst the security and integrity of the database
are paramount, so too are considerations of integration between
the ID system and other databases that hold personal information.
For instance, many organisations already have access to an individual's
credit rating, and many sectors (for instance insurance) share
information. At the moment these information systems and databases
are merged and linked without much regulation and are therefore
open to misuse and abuse. Unregulated access to the ID system
would in our view be unacceptable and place its integrity at severe
risk of compromise. It is also inevitable that attempts will be
made to access the database either for improper purposes or to
modify it for improper reasons. Therefore the most stringent measures
and precautions must be put in place firstly to deter such activity
(including the necessary legal instruments), secondly to detect
a potential compromise "as it happens", thirdly to protect
the system "in real time", and fourthly to react to
restore the integrity of the system. The Committee should inquire
as to how these requirements would be achieved.
Of equal concern to the security and integrity
of the systems are the issues of trust and risk. There continues
to be much adverse publicity about the alleged shortfalls of the
information systems and databases that are at the hub of the child
maintenance and support arrangements, and the child and working
tax credits schemes. These apparent systemic failures have significantly
degraded public confidence to the extent that it is clearly not
necessary to actually subvert a system to undermine its trust.
Whilst a lack of trust in the examples quoted is felt by a "relatively"
small number of people, if replicated across an ID system that
is used and depended upon by the whole population, it would have
a catastrophic impact.
There are well articulated public concerns related
to the introduction and subsequent management of an ID card system,
and both social and technical issues that need to be explored.
The Committee should investigate how these issues are to be tackled,
and how policy makers will broaden their range of thinking to
better inform the debate. This should in our view include appropriate
social and technological research, and rigorous system prototyping
with public involvement, all of which would require resources
and time.
The "flip side" of trust is risk.
The ID system would by its very nature be a high risk project,
and risk management options would include: avoidance of the risk
by desisting from that activity altogether; mitigation of the
risk by introducing controls on the activity; transfer of the
risk by insurance or by contracts with third parties; and acceptance
and management of the risk. Whatever risk reduction strategy is
agreed, it is essential that decision makers demonstrate their
understanding of the delicate relationship between trust and risk,
and reach a balance that is acceptable not only to government
but also to the general public.
OPERATIONAL USE
Various claims have been made for the efficacy
of ID cards in reducing crime, benefit fraud, illegal immigration
etc. Various counterclaims have been made that ID cards are used
to oppress minority groups. There are many countries in the world
that have ID cards and many that do not. We suggest that an independent
analysis, free of commercial or political pressures, is commissioned
to evaluate the various hypotheses about the effects of introducing
ID cards by comparing the situations in other countries. This
simple, low-cost exercise should be an absolute requirement before
any money is spent on implementing a scheme in the UK.
It is likely that any scheme would involve a
central database of biometric details correlated with individual
names and addresses and other personal data. Research has shown
that some categories of individuals (racial groups and people
with certain medical conditions) have a higher failure rate with
certain biometrics. The Committee should consider how the operation
of a proposed ID card scheme would be made non-discriminatory,
and seek scientific evidence as to which biometric is most likely
to achieve that aim.
COST
The Government does not have a good success
rate in achieving large computer-based projects either on time
or within budget. One of the reasons for this poor record is that
companies and consortia chosen to deliver the solutions all too
often fail to draw upon the best software engineering and computer
science knowledge. Therefore, unless the traditional procurement
process is to be radically revised, it is almost certain that
the project will overrun badly, or fail. The cost analysis for
the project should be based on typical outcomes of other complex
projects, not on stand-alone estimates that invariably assume
over-optimistic development and performance achievements. It is
also essential that costs include assessments of the balance between
trust and risk, that funds are made available for independent
studies into the effects of introducing ID cards, for social and
technological research, and system prototyping. The Committee
should probe deeply into the basis of assessments for project
time, cost and performance, and the options not only for development
and procurement, but also operation and support.
SCOPE OF THIS REPLY
In addition to representing the views of the
IEE, this reply takes account of general comments from the UK
Computing Research Committee (UKCRC) (printed at EV 265-269),
an expert panel of the IEE. However, because of their expert knowledge
in certain areas of interest to the committee, the UKCRC has prepared
a separate reply. A copy is enclosed for reference and whilst
their response is complementary to the IEE's, their views do not
necessarily reflect those of the IEE as a whole. Should you have
any further questions, I would be happy to discuss them with you.
The IEE could also provide an expert group to help you with your
inquiry and any future work.
Dr Nicholas Moiseiwitsch
Head of Engineering Policy
January 2004