34. Memorandum submitted by
Northrop Grumman
PREFACE
Northrop Grumman is a global leader in the development,
integration, implementation, supply and test of solutions in the
identity market and is proud to be the prime contractor for the
largest existing biometric database in the UK, the National Automated
Fingerprint Identification System (NAFIS). Based on the experience
gained in this programme and others in the international arena,
we have been able to identify a number of issues that should be
considered in the implementation of a National Identification
Card scheme and we have summarised them below.
In order to convey the breadth of the subject
within the constraints of a summary document we have presented
many of the topics in bullet point format. We would of course
welcome more detailed discussion under appropriate conditions
if beneficial.
CONSIDERATIONS FOR A NATIONAL IDENTIFICATION
SCHEME
SUMMARY
Northrop Grumman Mission Systems Europe (NGMSE)
understands that the Government is searching for new ways to provide
essential services to its citizens which will include the reduction
of fraud, combat illegal migration/working, tackle crime, combat
terrorism and help to prevent identity theft.
The majority of UK citizens already carry identification
items/cards to go about their daily business. The introduction
of a single means of identification could be seen as a welcome
development, if implemented carefully. This could be promoted
further if the card had the additional benefit of convenience,
reducing crime and enhancing national security.
The operational use of a National ID Card scheme
should balance cost, public opinion, civil liberties concerns,
practicality and usefulness to both citizen and State.
THE CARD
The opportunity for using a single card that
is a passport, driving licence and entitlement card could prove
to be an economic and viable solution. Most UK citizens have a
passport, driving licence or both. All new driving licences are
available as a card (with associated documentation) and as future
passports are also expected to be cards, also, it is an logical
progression to develop one card for all uses.
Any identity card that included passport information
would need to comply with International Civil Aviation Organisation
(ICAO).
Some elementary needs for each card application
are discussed below:
Passport
Smart technology with biometrics required by March
2005 in order to meet US visa waiver scheme requirements.
A passport card would not only have to have data
(including biometrics) on the smart chip but must have the relevant
information necessary for the immigration authorities to see and
read (eg name, address, DoB, photo, signature, expiry date).
The passport card must have a smart chip with biometric
data resident on it (eg photo facial, iris, finger print) adequately
protected.
The passport should be able to contain visa information.
The visa could be loaded onto the smart chip ("paper"
visas being available for countries not participating).
Driving licence
The information that is readable by the authorities
(eg name, address, DoB, insurance details, category etc.)
Eg, addition of points for traffic offences, upgrade
from provisional to full and extensions to license for HGV etc.
Entitlement
The type of entitlement (eg for free health care,
senior citizen privileges etc) could be displayed on the card
or held confidentially on the chip.
The system in its entirety should be designed
to assure integrity and protect citizens against theft or misuse
of their identity.
Biometrics
The use of biometrics gives the user a unique
identifier that should protect against identity theft and fraud.
In addition it can be used in the fight against crime (including
terrorism) by making the acquisition of multiple identities very
difficult.
The following should be considered:
There are several biometrics available under current
technologies. International standards (predominately ICAO) call
for fingerprint, Iris and photo (facial). Other biometrics that
could be stored, include signature and in the future, possibly
DNA.
Each biometric has predicted error rates. Fingerprint
and iris, for example, have better rates than photo-biometrics.
The integrity/accuracy of the biometric is attributable
to the method of collection and the algorithms associated with
it.
The suitability of particular biometric technology
depends in part on the technology and implementation and must
be assessed in relation to the required use (known as a "usage
scenario").
INFORMATION HANDLING
AND DATABASES
Large scale central database
— A central database that is capable
of handling data for 60 million citizens will need to be deployed.
Data for storage will include:
— Personal details (name, address,
DoB, etc).
— ID card type (ID only, passport,
driving licence, entitlement).
— Biometric information (fingerprint,
Iris, Photo, etc).
Note: to hold all the above biometric information
will require a very large database. A limited choice of biometric
most suitable (ie best-fit, low error rates, size, cost) may have
to be considered in order to ease implementation.
— Loading of information on the database
may be over a period determined by renewal of existing documentation
(passport, driving licence) rather than as a "Big Bang"
event.
— Database construction and management.
— Considerations: Physical and electronic
security, Data Protection Act (DPA) requirements, unauthorised
access, management and configuration. These will all have to be
carefully designed and managed.
Primary database access
— Checking each and every citizen (eg
on enrolment and entry to the UK, potentially millions of checks
a year) against central database(s):
— System performance issues such
as latency.
— Scalability and system growth.
— Reliability and accuracy.
Database access for verification
— Cross checking if ID card is deemed
suspicious:
— Localised check of ID then confirmation
against central database.
— Round the clock system availability.
The information stored on the Card will have
to be in human readable and smart chip form. The human readable
information may be: name, DoB, address, signature and photo. The
Smart chip might contain the cryptographically protected fingerprint,
iris scan, signature, etc.
REGISTRATION AND
VERIFICATION
Registration will require an infrastructure
to process a very large number of applicants allowing for changes
of status, eg marriage, loss, damage. Cards will be replaced on
average every three years. This could be in the region of 20 million
transactions per year (60 million people every three years), which
is approximately 100,000 per working day (on 200 working days
in the year). These figures will depend on the card technology
used and hours of working used.
It will be essential that there is a single
registration infrastructure; separate organisations, such as the
DVLA, NHS, UKPS would not wish to maintain expensive (competing)
identity registration systems. This will require the appropriate
sharing of identification data amongst card issuing agencies.
Out-sourcing registration to commercial organisations such as
banks, may be difficult to "quality control" and may
result in a loss of confidence in the system.
VERIFICATION
It is envisaged that verification will be a
"two step" process. Most verification will only require
the presence of the card and cardholder. In our experience this
will present some logistical challenges which are solvable but
require careful thought. Mostly, this will be sufficient, since
the ID cards should be hard to counterfeit, by including, but
not limited to modern cryptography.
For "important" verifications, such
as an immigration check, verification may be carried out against
the National ID Registry itself. This verification scheme would
allow for the ID to become an identification "gold standard"
for the general public (for example for use in banks, shops, securing
loans) without compromising or giving access to the central registry,
which would be reserved for government uses.
SECURITY
Card security will be a major issue as current
card technology could be compromised by well-resourced "hackers"
who have unlimited amounts of uncontrolled access to a number
of card "samples". Other concerns include:
— Physical—Possible attack
on building holding the ID database, possibly with the assistance
of "insiders".
— Virtual—Computer hackers.
— Access privileges—Different
access rights would have to be set up for the various authorities
that would access the database. Use of encryption and data segmentation
to protect the data from unauthorised access. Especially for entitlement
providers.
— Remote access—Access from
remote sites, and the security measures needed, will have to be
addressed.
RENEWAL AND
UPDATING
Renewal and updating of the Card needs to be
addressed from the outset.
If the Card is to be a dual passport/driving
licence, possibly inclusive of other entitlements, the following
operations might apply:
Passport:
— 10 or five year renewal.
— Change of information on card.
Driving licence:
— Changes of information (eg address,
category).
— Inclusion of points for traffic offences.
Entitlement:
— Changes of entitlement.
Some operations are common, eg lost or stolen
cards, change of personal information. However, the various individual
cards currently have unique requirements, eg driving licence and
passport renewal.
Another consideration is the life/durability
of the card. As identified above cards may need renewing on average
every three years.
COST
The costs of a scheme will largely be a function
of the technical and commercial aspects of the proposed system.
The costs will be better controlled by collaboration
between the Government and suppliers and the identification of
risk and mitigation in the early phases of the system development.
The currently envisaged costs may well be radically
revised downwards as new and better technology and techniques
become available. Any system design must take this into account
and be able to respond swiftly and accordingly to gain maximum
advantage in the reduction of cost and time.
IDEAS ON HOW TO ACHIEVE A SUCCESSFUL NATIONAL
ID CARD SYSTEM
FEATURES OF
A CARD
SYSTEM
A fundamental element to make a successful ID
Card system is by gathering information in the preliminary stages
of the programme.
Lessons learned from suppliers that have proven
experience in similar and comparative large-scale schemes should
be considered.
Identity and privilege data should be separated.
This can provide safeguards against aggregation or use of data
that would impact public acceptability (the Big Brother factor)
of any such scheme. Technologies are available which can achieve
this aim.
Data that would be retained for any form of
identification could be limited to that which is already captured
as a matter of public record (eg register of births, deaths, marriages,
electoral roles and census). Other data retention such as would
be subject to "weeding" rules eg where the data has
a short life.
Data relating to specific entitlements should
remain private between the citizen and the entitlement provider
and not aggregated across multiple providers.
SMART SYSTEM
DESIGN
There are key advantages to "Smart Chip"
designs. They are:
— The large data storage capacity of
the chip can allow the data visible on the card, and much more,
to be stored. This could be read, reducing duplication in keying
data and increasing accuracy.
— The flexibility to implement new
uses of the card in a phased approach by adding new entitlement
information to an existing card. It would also allow entitlement
to be revoked at the point of issue.
— Biometric data on the chip can be
compared against live data without having to refer to the central
database.
— Data can be held on the card in an
encrypted form, allowing providers to have secure access to their
data without having access to other provider's data.
GOVERNMENT/INDUSTRY
PARTNERSHIP
In order for the National Identification Card
scheme to be a success the Government will have to work closely
with the commercial sector. Government/Industry partnerships may
be established to ensure the expectations for the system are clearly
understood and that the technology and techniques available are
acceptable to meet those requirements.
January 2004
| 
