Examination of Witnesses (Questions 332
TUESDAY 24 FEBRUARY 2004
Q332 Chairman: Good afternoon. Thank
you very much indeed for coming to the Committee this afternoon.
As we have four witnesses today could you briefly introduce yourselves
and the organisations you come from?
Mr Llewellyn: Geoff Llewellyn,
Member of the Intellect Working Party on ID Cards.
Mr Kalisperas: Nick Kalisperas.
I am the Senior Programme Manager at Intellect with responsibility
for the ID card programme.
Q333 Chairman: Perhaps you could
say for the record what Intellect is.
Mr Kalisperas: Intellect is the
trade association representing IT, telecoms and electronics companies
in the UK.
Professor Thomas: I am Martyn
Thomas, representing UKCRC, the UK Computing Research Committee,
which is an expert panel of the Institution of Electrical Engineers
and the British Computer Society dealing with matters that affect
Professor Anderson: I am Ross
Anderson. I chair the Foundation for Information Policy Research,
which is Britain's leading internet policy think-tank. My day
job is as Professor of Security Engineering at Cambridge University.
Q334 Chairman: Thank you very much.
With four witnesses we obviously want to get a full range of views.
Can I start with possibly a very basic question but one that has
now come up several times in our inquiry into identity cards,
which is whether it is necessary for somebody to carry a card
in order to have an identification system? For example, if there
were, as is proposed, a central database carrying a certain amount
of biometric information do you need a card or would it be possible
to use that database simply by having sufficient biometric readers
around the place to meet all the practical purposes?
Professor Thomas: In principle
it would work. In practice it would require a lot of hardware
and a lot of calls on that central database, so it may not be
practical but it is theoretically possible.
Q335 Chairman: What is the difference
in principle between a situation where somebody who carries a
card, which is possibly not of any great use unless you have got
some sort of fingerprinting apparatus to check that the data on
the card is the same as the fingerprint the person has got or
that the iris scan is the same as the one on the card, and checking
the card against a local biometric reader and checking the person
against a central database? What is the practical difference between
the two, or is the assumption that the ID card will work in lots
of circumstances where you are never going to want to check the
Professor Anderson: You could
look, for example at what happens with the airlines which
are increasingly abolishing tickets. Within the controlled environment
of an airport or airline system you can just as easily record
the fact that Joe Bloggs, born on such-and-such, has got a ticket
to fly to New York. Similarly, you could have this information
available on line. Bear in mind that in the first phase of this
we are talking about a digitised photograph rather than fingerprints
or iris codes. You could have a system whereby you went and said,
"I am John Denham, born on such-and-such a date", the
Passport Office will type this in and your mug shot and Passport
Office files will come up. The main objection to that would be
first, what happens if the database is down; have you got a means
of off-line checking, and secondly, there is the issue of reassurance.
I certainly felt slightly nervous the first few times I went to
get on a plane without a ticket.
Mr Llewellyn: I could perhaps
link the two questions you pose there: is a card necessary and
what are the practicalities? There is a very strong argument that
having a physical card is something that gives a tangibility to
the whole process which is reassuring to citizens as a whole and
it makes the whole process rather easier to understand. In terms
of the value of a card at point of use, there is a kind of hierarchy
of security issues that one would need to address. For example,
if you were trying to get into Fort Knox you would want to have
absolutely strong confirmation that you were who you said you
were, whereas there are other lower sensitivity, lower value transactions
where simply holding the card which contains your photograph would
be quite sufficient to prove your identity for the purposes of
that transaction. The idea of a card which has the photograph
and the biometrics embedded on the chip gives you the flexibility
to run a whole variety of different checks against the card or,
for a very highly sensitive transaction, against a central database.
Q336 Chairman: For the purposes for
which the Government have said that a card would be used, which
is at the core largely migration, immigration and citizenship
issues and access to some public services like health but not
to other public services like education, at which points in that
hierarchy is it sufficient just to have a card? Where would you
need to have the higher level of identity checking?
Mr Llewellyn: I think one would
need to take notice of that and have a fuller specification of
the types of transaction, but notionally one could set out a hierarchy
of transactions which were typically undertaken with a card and
as part of the preparation for implementing a scheme of this sort
there would be a convention which would be established, I would
imagine, either in the legislation or in discussion which would
say, "These are the types of transactions that are appropriate
and these are the ones where a higher level of certification is
Professor Thomas: There is a fundamental
issue here which I think will come up a number of times, and that
is that the Government has identified a number of application
areas of the card but nothing that I have been able to find identifies
why the ID card as proposed is a solution to any particular problems
in those application areas. Until that is done most of the questions
you ask in this area do not have an answer because you are not
asking the right people. You need to be asking the Home Office.
Professor Anderson: I must say
I am slightly alarmed at the proposal that ID cards be foisted
on the health service. I have had some experience in the past
of dealing with medical information systems and there has been
a debate in a number of countries about whether you should put
things like emergency medical information onto either a medical
insurance smart card or onto a national identity card. The experience
from overseas, such as it is, suggests that this is a bad idea
for safety reasons. Suppose, for example, you are diabetic. At
the moment you might carry a bracelet with you, you might carry
a special purpose card in your wallet so that if you pass out
somewhere the ambulanceman has a hint. If that vanishes into a
secure chip on a card that can only be read by authorised people
and you pass out on an aeroplane over the Atlantic that is a different
matter. One or two countries, like Germany, have gone down this
route but a number of other countries have on mature reflection
decided that it is not a good idea, and so I would be particularly
anxious for the Government to think long and hard before calling
the NHS into this particular project.
Q337 Chairman: My understanding has
been that it was more about establishing whether you are entitled
to have any sort of NHS treatment as opposed to a card carrying
medical records. The point that has been brought out is that you
are saying to the Committee that we need sharper definition of
exactly what the purposes are and the places in which identity
is required for you to be able to tell us whether carrying a card
or having your identity checked against a central register would
be the appropriate response. Is that fair?
Professor Thomas: Yes.
Q338 Chairman: Can we move on to
Professor Anderson? I think the IFPR said that you are sceptical
about the advantages of a single card, preferring perhaps to have
a range of different cards or identifiers specific to particular
services that people might want to access. Is that right?
Professor Anderson: That is right.
The smart card industry has had over the last 15 years a number
of projects to persuade people that a multi-function smart card
might be a good thing. I have been involved peripherally in one
or two of these, for example, trying to design a system that was
simultaneously a banking card and a card for prepayment of electricity
meters. The experience of these attempts and pilots was almost
uniformly negative. Technically it is usually not a big deal to
have a card with two applications on it but from the administrative
point of view and the point of view of legal liability and issues
such as whose logo is on the card, who is liable when something
breaks, things are very much more difficult. If you are a banker
the last thing you want to do is to be held liable for a power
cut or for somebody being unable to get electricity if they suffer
as a result. For these reasons the experience of industry is that
everybody wants their own card, they want their own customer database
and they want control of their own mechanisms to access that database.
Q339 Mr Taylor: Mr Chairman, forgive
me: I did not quite catch what Professor Anderson said about dual
use, one of which I think you said was a banking card and the
other was something to do with electricity supply, and I did not
quite catch it.
Professor Anderson: This was ten
years ago when the Government of South Africa decided to electrify
a couple of million homes and, as many of the poor people had
no addresses, let alone credit ratings, it was necessary to bring
in prepayment electricity meters. The question was whether existing
banking smart cards could be used for the purpose, such as the
smart cards which people use to share taxi rides. The answer was
that technically it would be easy to do but the liability and
branding and other business issues were simply a nightmare.