TUESDAY 24 FEBRUARY 2004

MR NICK KALISPERAS, MR GEOFF LLEWELLYN, PROFESSOR ROSS ANDERSON AND PROFESSOR MARTYN THOMAS

  Q340  Chairman: That is what some people would put as a producer point of view. The electricity company did not want to do it and the bank did not want to do it. From a citizen's point of view is there not a case for saying that people would find it quite annoying to have to carry eight or ten different cards for different purposes, all of which are there to identify them? Is there not some advantage from the citizen's point of view instead to have one card which fulfils all those functions? If we are talking about the citizen's point of view is that not where we should start from?

  Professor Anderson: It might be nice to have but in my view it is not likely to happen as a practical matter. There is other experience. For example, in our university we have brought in a university card to try and unify the various kinds of door locking/photocopier access to our hundred or so libraries and again we ran into problems with that. As a general principle, if you have one mechanism that you make serve more purposes then you make it more fragile, you make it more expensive, you make it more difficult to maintain and it becomes a road block in the things that all sorts of people are trying to do. It is very much more convenient, if you are responsible for a particular library, if you can issue a customer with your own card.

  Q341  Chairman: In the university complex does that mean you have a different list of people who are entitled to use the photocopier from those who are entitled to use the library and so on, or are you talking about different cards but the same database of students and university staff? Are you saying that not only do you have separate cards to identify yourself but you also want separate databases maintained separately, even though it is the same people on them?

  Professor Anderson: As a practical matter you end up with hundreds of separate back-end databases. Each library will have a database of which books are out at the moment; each college, if it is using this for access to buildings, will have its own list of who is a member of the college and which buildings they are allowed to go into. If it is using it for college meal payments then it has to run accounts for each of the students who are using the system. This proliferates very rapidly on a very large scale and it becomes very difficult to have one single centralised system.

  Q342  Chairman: The Government has clearly set out to say that they want one database for all people in the country to which various applications can then be applied. Are you saying that that is fundamentally a wrong approach?

  Professor Anderson: I think it would be completely unrealistic to have one database from which lots of commercial companies built their systems. I think it would even be dangerous, for example, to try and unify the databases of the Passport Office, the National Insurance database and the DVLA because when you unify such databases that means that whichever company is managing them has a much greater hold over the Government and that means that the cost tends to go up, the difficulty of making changes increases and the flexibility of the system decreases, and ministers are in effect held over a barrel because it becomes simply too risky to change the system once it becomes critical to the infrastructure for a very large part of the public sector.

  Q343  Chairman: That was not a success for you, I gather. Does anybody else have a view?

  Mr Llewellyn: I am afraid it means stepping back for a moment. Again, to refer back to the model of use of a card, a card which has to be referred on every occasion of use to a single central database has the advantages of high security, but it has the vulnerabilities of the requirement for the network to be up and running all the time. If you take the point I made earlier about the hierarchy of security and the hierarchy of sensitivity of transactions, then you could see that for a card which was issued to a unique individual under the auspices of the state and which has got the highest possible certification—the holder of that card is actually Joe Bloggs and that can be proved by relating the information on the card to the fingerprint, the iris or whatever it might be, of the person who is there—that proof of identity is then quite enough on its own to act as a key to other databases. For example, if you have got that highest integrity proof of identity, it becomes a multi-purpose card. It does not mean that you have to have a single database. You could perfectly well have your library, your meals, whatever it might be, accessed by that single key but there would be many databases, all accessed by that single key. The critical thing is that the padlocking of that card as an electronic token to the unique individual then enables that card to be used to open up lots of boxes, if you like, and the boxes could be university accounts, they could be tax accounts, they could be social security accounts or whatever, or it could be your free bus pass. The key thing is the association of the unique individual with that electronic token and that has no implications for one massive database. You do not have to have a massive database which has got all of these applications on it. What you need is a single secure key.

  Q344  Chairman: Professor Thomas?

  Professor Thomas: There is a technical systems engineering issue here which is captured in popular wisdom by "don't put all your eggs in one basket". If you create either a single card that has multi functions or a single database then you are adding to the nation's critical infrastructure unnecessarily and by doing that you are making a very large range of services, probably a growing range of services, vulnerable to a single attack, either a deliberate attack or a fault that arises as a consequence of mis-implementation or accident. This seems (and undoubtedly is) an extremely foolish thing to do if you do not need to do it. First, you create a target that is worth subverting and therefore you increase the resources that will be applied to subverting it. Secondly, you increase the damage that is done when, by whatever means, that particular system gets compromised. If it is an individual's card that is compromised, you have increased the damage to them because they do not have the back-up mechanisms of all the multiple cards that they currently have for getting access to other parts of their life. If it is a central system that is compromised, then you are really in trouble because everybody potentially is having difficulties over all the aspects of their lives that are implemented on that system.

  Mr Kalisperas: I think that fundamentally we are in danger of mixing two issues here. The Home Office proposal as it stands at the moment is for a card that verifies identity or for a system that verifies identity. Whether the system itself in the longer term provides access to either commercial or other public services is a separate debate. What we would like to see, and we have said this repeatedly, is an evolutionary card. That can only be done through discussion with industry and with organisations such as those who are here at this table. Jumping ahead to what the inevitable end product is obscures the necessity of getting the original specification right, and that can only be done through a thorough examination of the issues with the various stakeholders.

  Q345  Mr Cameron: What is the point, Mr Kalisperas, of having a system if the intention is not to use it for some of the services that have been outlined? I am confused. Professor Anderson and Professor Thomas seem to be in the "don't put all your eggs in one basket" camp, and I can understand that: you have got one card that gives you access to all these services and if something goes wrong with the database you are in real trouble. I am not quite following the argument at the other end of the table, the Intellect argument; my intellect is clearly not up to it. Can you have another go in explaining why you disagree with them, and in particular answering this point: what is the point of having a card if it does not give you access to services and, if it does give you access to services, are you not in the "eggs in one basket" problem that they have outlined so clearly?

  Mr Llewellyn: There is a rather strong analogy between the introduction of paper money as a means of exchange, making our economy work 300 or 400 years ago, and the cards that we are now talking about. Paper money is a system which has got critical dependencies. It can be forged, it can be played around with in various ways, and yet everybody can see the very obvious advantages in terms of liquidity in the economy and making the economy work using paper money as a way forward. I think we need to have a similar vision, if you like, of the potential up-side of a secure electronic key. The point that Nick was making about a migration path and an evolutionary card bears on that. In terms of the "eggs in one basket" argument, the fact that there is a single database of citizens obviously does mean that there is one source of truth, if you like, and you would need to be absolutely sure that when an ID card was issued to a unique individual there was the highest possible integrity in the process for issuing that card to that individual, but once that has been done the fact that you have got a single database means, for example, that if the card were lost, which is one of the potential "eggs in one basket" problems that has been mentioned, then replacing the card that had been lost would be a much simpler process because you would simply go to a single location and demonstrate that you possessed the biometric in question and a replacement card could be given to you immediately and the card that had been lost would be of no use to somebody else who tried to use it because they would not have the appropriate biometric. In terms of the "eggs in one basket" argument from the point of view of the individual's convenience, I think that there is a response to that.

  Q346  Mr Prosser: Mr Llewellyn, Intellect have told us that their members have been involved in card schemes very similar to what the Government is proposing in various parts of the world. What would you say are the most important practical lessons you have learned from that involvement?

  Mr Llewellyn: It is clear that in issuing an electronic token which is potentially of such great value and significance it is very important that we should address all of the process issues to do with issuing such a valuable token and do it very thoroughly. I made the point about the integrity of the system which issued the cards in the first place. Clearly, what the UK passport service is currently trialling is a component of the process which would issue these cards to individuals, so it is very important that the integrity of the system which issues the cards is very high. I would add another point from a personal perspective, which is that government does need to think through all of the implications of the introduction of the card, and I echo the professors' point that it needs to be clear about the circumstances of use so as to think through all of the scenarios and circumstances of use and have a clear understanding of what is to be done if there are glitches in the process so that people are not paralysed by an unforeseen incident.. Foresight is very important on the part of government. Finally, there is a vision, if you like, which says, "Here is something which is potentially opening up the full potential of the electronic universe that is all around us", and there needs to be that visionary expression of where the future might go in delivering convenience to citizens and saving costs in the administration of government.

  Q347  Mr Prosser: Professor Thomas and Professor Anderson, both your organisations talk about the German system of identity cards and you seem to show some support for that approach. What are the advantages?

  Professor Thomas: I am attracted by what little I know of that system simply because the card number is merely an identifier for the card, not for the individual, but when the card is re-issued, as it will be periodically through the person's life, they get a new number. That stops the number being used by large numbers of other organisations as a personal identifier, as, for example, happens with the social security number in the United States with a range of problems which are fairly well known.

  Professor Anderson: I endorse that. The Germans have perhaps the strictest interpretation of data protection law in the European Union. They have a tradition of identity cards which goes back at least to Bismarck. They have found that it is not as difficult to reconcile the two and in fact, if you look at a German identity card it looks just like the back page of a passport with the same kind of information. On your passport you have got a passport number rather than your national insurance number, so if somebody starts trying to identify you as this number then next week when your passport runs out the database will be confounded. There is an existing practical way of identifying people. I think that the Government's recent proposals, namely, of building on the existing passport system and then perhaps filling in the gaps later (subject to parliamentary approval) are a lot more sensible and practical than what was being talked about at the beginning. None the less we must ask the question: why are passports not used very much more widely by businesses and by other service organisations at present?

  Q348  Mr Prosser: Professor Thomas, you mentioned the way that the US security number system can be abused. Can you tell us a little more about that and how widespread it is? Is it worse than in this country in the way national insurance numbers are stolen?

  Professor Thomas: It is unfortunately common in the United States for the social security number to be used for all kinds of identifying purposes. For example, students enrolling in courses on campus will routinely have their accounts set up with their social security numbers as their passwords. Since it is very easy to obtain somebody else's social security number it means that it is very easy to pretend to be them under a wide range of circumstances. Once you start doing that you can acquire further information about them that makes it even easier to impersonate them. The fact that you have a single identifier that stays with you for life, which becomes widely known to other people for legitimate or illegitimate reasons and which then gives those people the ability to access your personal information and to impersonate you, is a plague that is causing a very wide amount of damage throughout the United States.

  Q349  Chairman: If the Government in its proposals came forward and said, "We will not have a lifetime number identifier", as they are proposing at the moment, would there be any consequences for what the Government says it wants to achieve with an ID card, or is that a simple policy change that they could make and still carry on with the business of identifying people?

  Professor Thomas: You need to understand what they really want to do with the identification card. If all they want is the ability to have a physical token which can be shown to belong to a particular individual on some occasion when they are challenged, and some data that is on that card which is valid at the point of challenge, then clearly you do not need a long history of use; you do not need that data trail to persist over an extended period of time. Even then you have got the problem of what happens when the security on the individual card is compromised.

  Q350  Chairman: Supposing they dropped the lifelong number; you would be able to use it as an identifier. What would they not be able to use it for?

  Professor Thomas: Unless it was merely a fiction that it was not a lifelong number or was merely a subsequent manifestation of a pointer into a common database, they would not be able to trace the pattern of usage of that card, that number, that identity, over an extended period of time.

  Q351  Mr Taylor: My first question is applicable to all witnesses. Could I ask you what evidence of identity should be required for enrolment into the system and is it practicable to check the whole database at each new enrolment to ensure that a biometric just registered is not already on the database?

  Professor Thomas: That clearly depends how important it is to you that you have got the identity right. One of the problems of using a single card for multiple purposes is that you need to make sure that the integrity of the enrolment process is adequate for the most demanding application for which this identity will ever be used. If you are going to use the identity card as a means of letting certain select individuals into rooms that contain top secret documents then you are going to have to ensure that all people who enrol go through an enrolment process that satisfies the requirements of the security services for access to top secret documents. If all it is ever going to be used for is to give people access to free transport on buses then you can afford to be a little more relaxed about it.

  Professor Anderson: A lot of care has to be given to the issue of pre-enrolment fraud. This is already a big deal and once we start putting chips in passports it will become worse. I am told that there was recently a gang exposed that was selling British nationalities to people in Pakistan, which was obviously of concern given that there are terrorists thereabout. The modus operandi was to put an advert in a newspaper in Britain offering a job for, say, a security guard at a slightly larger than usual wage, say, £7 an hour. Thousands of people applied, they filled in on the application form all the information that you need to apply for a British passport, and they were also asked whether they had got a passport. Out of that bundle you take some people who do not have passports and you fill in the passport application forms in their name with the photographs of the guys you want to get into the country; standard pre-enrolment fraud. You are not going to make that any more difficult when you bring in a chip. You may in fact increase the incentives for it and that has to be thought about very carefully.

  Mr Llewellyn: I would make an observation there though that, with the association of a biometric with a smart card chip, or a chip where the chip is in a card or some other thing, it would I think be much more difficult to do the kind of fraud that has just been   described because the unique individual characteristic of the person who is enrolled as it were blocks anybody else from taking that same identity and it blocks anybody else from attempting to present part of themselves off as the person who has just offered their biometric and had it registered on  the database. Therefore, with adequate documentary fraudulent proof you could register as me but then I could not register as me because our biometrics would clash when we were trying to get into the same database. With the addition of the biometrics to the enrolment process here you do not eliminate the danger that somebody with the right forged documents could impersonate me but you would then make it impossible for me to register in my own name and you would also make it impossible for them to register in another name, and as soon as there was a clash caused by the duplication of biometrics there would be an incidence to be investigated.

  Professor Anderson: With respect, I do not think biometrics change much in this context because if our chap from Al-Qaeda has got a passport pretending to be Suleiman Mahmoud from Bradford, then as soon as Suleiman applies for a passport under the current state of affairs the fact that the passport has already been issued in his name can cause an alarm to sound. The issue here is the average time that will elapse between the person being impersonated and his applying for a passport. There is also a second issue, which is the kind of biometric you use. If you use a biometric such as an iris code then you will be able to notice if somebody has applied for a passport in two different names, but if, as is proposed in phase one, all you have got is a digitised photograph sitting in a contactless smart card chip in the spine of your passport, there is no such warning because it is very difficult, indeed it is a computationally infeasible task, to match faces with any useful degree of precision.

  Q352  Mr Taylor: Assuming the system had successfully been put in place using both fingerprinting and iris recognition and covering 60 million people, how long do you think it would take to register an individual and how long to verify identity?

  Mr Llewellyn: The first thing to say is that the UK passport service is currently undertaking a trial, one of the major objectives of which is to look at the process time from a person coming through a door into an office to going out having registered, and so the time for that transaction is at the moment being explored. It will obviously not be appropriate to try and say anything definitive about that.

  Q353  Mr Taylor: Because we will know their answer in due course?

  Mr Llewellyn: Yes, we will know the answer arising from that trial. Early indications in terms of what has been done in laboratories would say that the time to capture a biometric and put it on to a database and print a card which has got that biometric embedded in the chip is in the low number of minutes. We are not talking about an hour's process or anything of that sort. What is vitally important, of course, is that you not only have that component of the process which is the biometric component, but you also have the process which is the checking of any documentary evidence that the person has with them and possibly checking what is called the biographical footprint, which would be something where corroboration of a person's identity would be sought by reference to other data sources, and those things are potentially much more time-consuming than the process of offering and capturing a biometric.

  Q354  Mr Taylor: It is not much use for me to leave the station where these things are issued with a card that perfectly reflects my fingerprints and perfectly reflects my iris unless somewhere it also says "John Taylor, born 19 August 1941", so there are going to have to be some other inputs which I am going to have to be able to verify.

  Mr Llewellyn: Yes, absolutely. The whole question of the process to issue an ID card is exactly what is being explored in part by the passport service trial at the moment, and there is no doubt that in addition to having a fingerprint or an eyeball you would also need to have documentary evidence in other areas to show who you are, and all of those things have to be collated so that at the time that you enrol there is confidence that the documentary evidence is correct, that the biographical footprint is correct and that a good quality biometric trace has been captured. Once those three are put together then you have what can be described as a gold standard of identity attribution and that is the critical thing which would underpin the integrity of any system using an ID card. Referring back to some of the answers that were made earlier regarding the IT systems and the integrity of those, I think we do need to allow for the fact that the sophistication of the technology has advanced and is advancing very dramatically, which means that we can have much more confidence in an IT system built today than we can in systems that are ten years old.

  Q355  Mr Taylor: Should we not in the margin at this stage say that there is also going to need to be addressed the training of the people who do the enrolling?

  Mr Llewellyn: It is absolutely critical that the enrolment process is a matter of people and technology and documents and the people have to be properly trained, the technology has to be robust and the documents have to be of high quality and capable of being checked. This is not by any means just a technology issue. It is also a people, processes and principles issue.

  Q356  Mr Taylor: Chairman, I have one more question which I would like to put to Professor Anderson if I may. Professor, I think you said that fraud patterns do not appear to vary across Europe according to the presence or absence of ID cards, but what about levels of fraud? First of all, are you content with the assertion that I have attributed to you?

  Professor Anderson: Yes.

  Q357  Mr Taylor: The question then is, what about the levels of fraud?

  Professor Anderson: I worked for three or four years in the banking industry and as a consultant for them occasionally thereafter and my experience from that is that the main determinant of levels of fraud is not the card technology that you use but how diligent you are at checking online whether a transaction is valid or not. In Spain, for example, where they made a rule 15 years ago that all credit card transactions had to be verified with the bank regardless of how small the amount, they had a much better reduction in fraud than they did in France where they went to a more complex card technology. In my experience that was a defining experiment. It is not the card technology; it is the processes that surround it.

  Q358  David Winnick: Is it not interesting, Professor Anderson, that in the Home Office consultation document the argument is put forward that it is possible that if a card scheme came about the banks and other financial institutions would rely on that to such an extent that they would not necessarily check in the manner in which they are now doing? In other words it would weaken the fight against fraud rather than strengthen it?

  Professor Anderson: I cannot see the banks moving to somebody else's technology for the basic processes of getting cash out of an ATM or paying for a meal at a restaurant. What might perhaps be useful is that when you open a bank account you might be able to present a passport rather than having to go round with armfuls of gas bills, water bills and so on. This is something that could be done today. Most people have passports and an even larger proportion of people who open bank accounts have passports, and so I suspect that by simply changing money laundering guidelines the Government could encourage banks to accept passports rather than gas bills as primary identification. As far as subsequent transactions are concerned, I doubt that the technologies would be even remotely compatible. What is proposed by the ICAO for the new biometric passport is a contactless smart card chip of the kind that is typically used in door opening applications, whereas what the banks have standardised on for EMV in the chip-and-PIN process is a contact smart card and the two have their advantages and disadvantages in different situations but they are not compatible.

  David Winnick: Do you get the impression that if a particular argument in favour of an ID card falls by the wayside the Home Secretary is only too willing to come forward with another argument to justify it?

  Q359  Chairman: That would be a leading question in the old Perry Mason days, but please do answer it.

  Professor Anderson: I see a number of arguments in favour of ID cards that I do not find at all convincing and, not being involved in the cut and thrust of party-political fervours, I have tried to deflate them gently in the submission I have made to the Home Office.