Examination of Witnesses (Questions 340 - 359)
TUESDAY 24 FEBRUARY 2004
MR NICK KALISPERAS, MR GEOFF LLEWELLYN, PROFESSOR ROSS ANDERSON AND PROFESSOR MARTYN THOMAS
Q340 Chairman: That is what some
people would put as a producer point of view. The electricity
company did not want to do it and the bank did not want to do
it. From a citizen's point of view is there not a case for saying
that people would find it quite annoying to have to carry eight
or ten different cards for different purposes, all of which are
there to identify them? Is there not some advantage from the citizen's
point of view instead to have one card which fulfils all those
functions? If we are talking about the citizen's point of view
is that not where we should start from?
Professor Anderson: It might be
nice to have but in my view it is not likely to happen as a practical
matter. There is other experience. For example, in our university
we have brought in a university card to try and unify the various
kinds of door locking/photocopier access to our hundred or so
libraries and again we ran into problems with that. As a general
principle, if you have one mechanism that you make serve more
purposes then you make it more fragile, you make it more expensive,
you make it more difficult to maintain and it becomes a road block
in the things that all sorts of people are trying to do. It is
very much more convenient, if you are responsible for a particular
library, if you can issue a customer with your own card.
Q341 Chairman: In the university
complex does that mean you have a different list of people who
are entitled to use the photocopier from those who are entitled
to use the library and so on, or are you talking about different
cards but the same database of students and university staff?
Are you saying that not only do you have separate cards to identify
yourself but you also want separate databases maintained separately,
even though it is the same people on them?
Professor Anderson: As a practical
matter you end up with hundreds of separate back-end databases.
Each library will have a database of which books are out at the
moment; each college, if it is using this for access to buildings,
will have its own list of who is a member of the college and which
buildings they are allowed to go into. If it is using it for college
meal payments then it has to run accounts for each of the students
who are using the system. This proliferates very rapidly on a
very large scale and it becomes very difficult to have one single
centralised system.
Q342 Chairman: The Government has
clearly set out to say that they want one database for all people
in the country to which various applications can then be applied.
Are you saying that that is fundamentally a wrong approach?
Professor Anderson: I think it
would be completely unrealistic to have one database from which
lots of commercial companies built their systems. I think it would
even be dangerous, for example, to try and unify the databases
of the Passport Office, the National Insurance database and the
DVLA because when you unify such databases that means that whichever
company is managing them has a much greater hold over the Government
and that means that the cost tends to go up, the difficulty of
making changes increases and the flexibility of the system decreases,
and ministers are in effect held over a barrel because it becomes
simply too risky to change the system once it becomes critical
to the infrastructure for a very large part of the public sector.
Q343 Chairman: That was not a success
for you, I gather. Does anybody else have a view?
Mr Llewellyn: I am afraid it means
stepping back for a moment. Again, to refer back to the model
of use of a card, a card which has to be referred on every occasion
of use to a single central database has the advantages of high
security, but it has the vulnerabilities of the requirement for
the network to be up and running all the time. If you take the
point I made earlier about the hierarchy of security and the hierarchy
of sensitivity of transactions, then you could see that for a
card which was issued to a unique individual under the auspices
of the state and which has got the highest possible certification (the
holder of that card is actually Joe Bloggs and that can be proved
by relating the information on the card to the fingerprint, the
iris or whatever it might be, of the person who is there) that
proof of identity is then quite enough on its own to act as a
key to other databases. For example, if you have got that highest
integrity proof of identity, it becomes a multi-purpose card.
It does not mean that you have to have a single database. You
could perfectly well have your library, your meals, whatever it
might be, accessed by that single key but there would be many
databases, all accessed by that single key. The critical thing
is that the padlocking of that card as an electronic token to
the unique individual then enables that card to be used to open
up lots of boxes, if you like, and the boxes could be university
accounts, they could be tax accounts, they could be social security
accounts or whatever, or it could be your free bus pass. The key
thing is the association of the unique individual with that electronic
token and that has no implications for one massive database. You
do not have to have a massive database which has got all of these
applications on it. What you need is a single secure key.
Q344 Chairman: Professor Thomas?
Professor Thomas: There is a technical
systems engineering issue here which is captured in popular wisdom
by "don't put all your eggs in one basket". If you create
either a single card that has multi functions or a single database
then you are adding to the nation's critical infrastructure unnecessarily
and by doing that you are making a very large range of services,
probably a growing range of services, vulnerable to a single attack,
either a deliberate attack or a fault that arises as a consequence
of mis-implementation or accident. This seems (and undoubtedly
is) an extremely foolish thing to do if you do not need to do
it. First, you create a target that is worth subverting and therefore
you increase the resources that will be applied to subverting
it. Secondly, you increase the damage that is done when, by whatever
means, that particular system gets compromised. If it is an individual's
card that is compromised, you have increased the damage to them
because they do not have the back-up mechanisms of all the multiple
cards that they currently have for getting access to other parts
of their life. If it is a central system that is compromised,
then you are really in trouble because everybody potentially is
having difficulties over all the aspects of their lives that are
implemented on that system.
Mr Kalisperas: I think that fundamentally
we are in danger of mixing two issues here. The Home Office proposal
as it stands at the moment is for a card that verifies identity
or for a system that verifies identity. Whether the system itself
in the longer term provides access to either commercial or other
public services is a separate debate. What we would like to see,
and we have said this repeatedly, is an evolutionary card. That
can only be done through discussion with industry and with organisations
such as those who are here at this table. Jumping ahead to what
the inevitable end product is obscures the necessity of getting
the original specification right, and that can only be done through
a thorough examination of the issues with the various stakeholders.
Q345 Mr Cameron: What is the point,
Mr Kalisperas, of having a system if the intention is not to use
it for some of the services that have been outlined? I am confused.
Professor Anderson and Professor Thomas seem to be in the "don't
put all your eggs in one basket" camp, and I can understand
that: you have got one card that gives you access to all these
services and if something goes wrong with the database you are
in real trouble. I am not quite following the argument at the
other end of the table, the Intellect argument; my intellect is
clearly not up to it. Can you have another go in explaining why
you disagree with them, and in particular answering this point:
what is the point of having a card if it does not give you access
to services and, if it does give you access to services, are you
not in the "eggs in one basket" problem that they have
outlined so clearly?
Mr Llewellyn: There is a rather
strong analogy between the introduction of paper money as a means
of exchange, making our economy work 300 or 400 years ago, and
the cards that we are now talking about. Paper money is a system
which has got critical dependencies. It can be forged, it can
be played around with in various ways, and yet everybody can see
the very obvious advantages in terms of liquidity in the economy
and making the economy work using paper money as a way forward.
I think we need to have a similar vision, if you like, of the
potential up-side of a secure electronic key. The point that Nick
was making about a migration path and an evolutionary card bears
on that. In terms of the "eggs in one basket" argument,
the fact that there is a single database of citizens obviously
does mean that there is one source of truth, if you like, and
you would need to be absolutely sure that when an ID card was
issued to a unique individual there was the highest possible integrity
in the process for issuing that card to that individual, but once
that has been done the fact that you have got a single database
means, for example, that if the card were lost, which is one of
the potential "eggs in one basket" problems that has
been mentioned, then replacing the card that had been lost would
be a much simpler process because you would simply go to a single
location and demonstrate that you possessed the biometric in question
and a replacement card could be given to you immediately and the
card that had been lost would be of no use to somebody else who
tried to use it because they would not have the appropriate biometric.
In terms of the "eggs in one basket" argument from the
point of view of the individual's convenience, I think that there
is a response to that.
Q346 Mr Prosser: Mr Llewellyn, Intellect
have told us that their members have been involved in card schemes
very similar to what the Government is proposing in various parts
of the world. What would you say are the most important practical
lessons you have learned from that involvement?
Mr Llewellyn: It is clear that
in issuing an electronic token which is potentially of such great
value and significance it is very important that we should address
all of the process issues to do with issuing such a valuable token
and do it very thoroughly. I made the point about the integrity
of the system which issued the cards in the first place. Clearly,
what the UK passport service is currently trialling is a component
of the process which would issue these cards to individuals, so
it is very important that the integrity of the system which issues
the cards is very high. I would add another point from a personal
perspective, which is that government does need to think through
all of the implications of the introduction of the card, and I
echo the professors' point that it needs to be clear about the
circumstances of use so as to think through all of the scenarios
and circumstances of use and have a clear understanding of what
is to be done if there are glitches in the process so that people
are not paralysed by an unforeseen incident. Foresight is very
important on the part of government. Finally, there is a vision,
if you like, which says, "Here is something which is potentially
opening up the full potential of the electronic universe that
is all around us", and there needs to be that visionary expression
of where the future might go in delivering convenience to citizens
and saving costs in the administration of government.
Q347 Mr Prosser: Professor Thomas
and Professor Anderson, both your organisations talk about the
German system of identity cards and you seem to show some support
for that approach. What are the advantages?
Professor Thomas: I am attracted
by what little I know of that system simply because the card number
is merely an identifier for the card, not for the individual,
but when the card is re-issued, as it will be periodically through
the person's life, they get a new number. That stops the number
being used by large numbers of other organisations as a personal
identifier, as, for example, happens with the social security
number in the United States with a range of problems which are
fairly well known.
Professor Anderson: I endorse
that. The Germans have perhaps the strictest interpretation of
data protection law in the European Union. They have a tradition
of identity cards which goes back at least to Bismarck. They have
found that it is not as difficult to reconcile the two and in
fact, if you look at a German identity card it looks just like
the back page of a passport with the same kind of information.
On your passport you have got a passport number rather than your
national insurance number, so if somebody starts trying to identify
you as this number then next week when your passport runs out
the database will be confounded. There is an existing practical
way of identifying people. I think that the Government's recent
proposals, namely, of building on the existing passport system
and then perhaps filling in the gaps later (subject to parliamentary
approval) are a lot more sensible and practical than what was
being talked about at the beginning. None the less we must ask
the question: why are passports not used very much more widely
by businesses and by other service organisations at present?
Q348 Mr Prosser: Professor Thomas,
you mentioned the way that the US security number system can be
abused. Can you tell us a little more about that and how widespread
it is? Is it worse than in this country in the way national insurance
numbers are stolen?
Professor Thomas: It is unfortunately
common in the United States for the social security number to
be used for all kinds of identifying purposes. For example, students
enrolling in courses on campus will routinely have their accounts
set up with their social security numbers as their passwords.
Since it is very easy to obtain somebody else's social security
number it means that it is very easy to pretend to be them under
a wide range of circumstances. Once you start doing that you can
acquire further information about them that makes it even easier
to impersonate them. The fact that you have a single identifier
that stays with you for life, which becomes widely known to other
people for legitimate or illegitimate reasons and which then gives
those people the ability to access your personal information and
to impersonate you, is a plague that is causing a very wide amount
of damage throughout the United States.
Q349 Chairman: If the Government
in its proposals came forward and said, "We will not have
a lifetime number identifier", as they are proposing at the
moment, would there be any consequences for what the Government
says it wants to achieve with an ID card, or is that a simple
policy change that they could make and still carry on with the
business of identifying people?
Professor Thomas: You need to
understand what they really want to do with the identification
card. If all they want is the ability to have a physical token
which can be shown to belong to a particular individual on some
occasion when they are challenged, and some data that is on that
card which is valid at the point of challenge, then clearly you
do not need a long history of use; you do not need that data trail
to persist over an extended period of time. Even then you have
got the problem of what happens when the security on the individual
card is compromised.
Q350 Chairman: Supposing they dropped
the lifelong number; you would be able to use it as an identifier.
What would they not be able to use it for?
Professor Thomas: Unless it was
merely a fiction that it was not a lifelong number or was merely
a subsequent manifestation of a pointer into a common database,
they would not be able to trace the pattern of usage of that card,
that number, that identity, over an extended period of time.
Q351 Mr Taylor: My first question
is applicable to all witnesses. Could I ask you what evidence
of identity should be required for enrolment into the system and
is it practicable to check the whole database at each new enrolment
to ensure that a biometric just registered is not already on the
database?
Professor Thomas: That clearly
depends how important it is to you that you have got the identity
right. One of the problems of using a single card for multiple
purposes is that you need to make sure that the integrity of the
enrolment process is adequate for the most demanding application
for which this identity will ever be used. If you are going to
use the identity card as a means of letting certain select individuals
into rooms that contain top secret documents then you are going
to have to ensure that all people who enrol go through an enrolment
process that satisfies the requirements of the security services
for access to top secret documents. If all it is ever going to
be used for is to give people access to free transport on buses
then you can afford to be a little more relaxed about it.
Professor Anderson: A lot of care
has to be given to the issue of pre-enrolment fraud. This is already
a big deal and once we start putting chips in passports it will
become worse. I am told that there was recently a gang exposed
that was selling British nationalities to people in Pakistan,
which was obviously of concern given that there are terrorists
thereabout. The modus operandi was to put an advert in
a newspaper in Britain offering a job for, say, a security guard
at a slightly larger than usual wage, say, £7 an hour. Thousands
of people applied, they filled in on the application form all
the information that you need to apply for a British passport,
and they were also asked whether they had got a passport. Out
of that bundle you take some people who do not have passports
and you fill in the passport application forms in their name with
the photographs of the guys you want to get into the country;
standard pre-enrolment fraud. You are not going to make that any
more difficult when you bring in a chip. You may in fact increase
the incentives for it and that has to be thought about very carefully.
Mr Llewellyn: I would make an
observation there though that, with the association of a biometric
with a smart card chip, or a chip where the chip is in a card
or some other thing, it would I think be much more difficult to
do the kind of fraud that has just been described because
the unique individual characteristic of the person who is enrolled
as it were blocks anybody else from taking that same identity
and it blocks anybody else from attempting to present part of
themselves off as the person who has just offered their biometric
and had it registered on the database. Therefore, with adequate
documentary fraudulent proof you could register as me but then
I could not register as me because our biometrics would clash
when we were trying to get into the same database. With the addition
of the biometrics to the enrolment process here you do not eliminate
the danger that somebody with the right forged documents could
impersonate me but you would then make it impossible for me to
register in my own name and you would also make it impossible
for them to register in another name, and as soon as there was
a clash caused by the duplication of biometrics there would be
an incident to be investigated.
Professor Anderson: With respect,
I do not think biometrics change much in this context because
if our chap from Al-Qaeda has got a passport pretending to be
Suleiman Mahmoud from Bradford, then as soon as Suleiman applies
for a passport under the current state of affairs the fact that
the passport has already been issued in his name can cause an
alarm to sound. The issue here is the average time that will elapse
between the person being impersonated and his applying for a passport.
There is also a second issue, which is the kind of biometric you
use. If you use a biometric such as an iris code then you will
be able to notice if somebody has applied for a passport in two
different names, but if, as is proposed in phase one, all you
have got is a digitised photograph sitting in a contactless smart
card chip in the spine of your passport, there is no such warning
because it is very difficult, indeed it is a computationally infeasible
task, to match faces with any useful degree of precision.
Q352 Mr Taylor: Assuming the system
had successfully been put in place using both fingerprinting and
iris recognition and covering 60 million people, how long do you
think it would take to register an individual and how long to
verify identity?
Mr Llewellyn: The first thing
to say is that the UK passport service is currently undertaking
a trial, one of the major objectives of which is to look at the
process time from a person coming through a door into an office
to going out having registered, and so the time for that transaction
is at the moment being explored. It will obviously not be appropriate
to try and say anything definitive about that.
Q353 Mr Taylor: Because we will know
their answer in due course?
Mr Llewellyn: Yes, we will know
the answer arising from that trial. Early indications in terms
of what has been done in laboratories would say that the time
to capture a biometric and put it on to a database and print a
card which has got that biometric embedded in the chip is in the
low number of minutes. We are not talking about an hour's process
or anything of that sort. What is vitally important, of course,
is that you not only have that component of the process which
is the biometric component, but you also have the process which
is the checking of any documentary evidence that the person has
with them and possibly checking what is called the biographical
footprint, which would be something where corroboration of a person's
identity would be sought by reference to other data sources, and
those things are potentially much more time-consuming than the
process of offering and capturing a biometric.
Q354 Mr Taylor: It is not much use
for me to leave the station where these things are issued with
a card that perfectly reflects my fingerprints and perfectly reflects
my iris unless somewhere it also says "John Taylor, born
19 August 1941", so there are going to have to be some other
inputs which I am going to have to be able to verify.
Mr Llewellyn: Yes, absolutely.
The whole question of the process to issue an ID card is exactly
what is being explored in part by the passport service trial at
the moment, and there is no doubt that in addition to having a
fingerprint or an eyeball you would also need to have documentary
evidence in other areas to show who you are, and all of those
things have to be collated so that at the time that you enrol
there is confidence that the documentary evidence is correct,
that the biographical footprint is correct and that a good quality
biometric trace has been captured. Once those three are put together
then you have what can be described as a gold standard of identity
attribution and that is the critical thing which would underpin
the integrity of any system using an ID card. Referring back to
some of the answers that were made earlier regarding the IT systems
and the integrity of those, I think we do need to allow for the
fact that the sophistication of the technology has advanced and
is advancing very dramatically, which means that we can have much
more confidence in an IT system built today than we can in systems
that are ten years old.
Q355 Mr Taylor: Should we not in
the margin at this stage say that there is also going to need
to be addressed the training of the people who do the enrolling?
Mr Llewellyn: It is absolutely
critical that the enrolment process is a matter of people and
technology and documents and the people have to be properly trained,
the technology has to be robust and the documents have to be of
high quality and capable of being checked. This is not by any
means just a technology issue. It is also a people, processes
and principles issue.
Q356 Mr Taylor: Chairman, I have
one more question which I would like to put to Professor Anderson
if I may. Professor, I think you said that fraud patterns do not
appear to vary across Europe according to the presence or absence
of ID cards, but what about levels of fraud? First of all, are
you content with the assertion that I have attributed to you?
Professor Anderson: Yes.
Q357 Mr Taylor: The question then
is, what about the levels of fraud?
Professor Anderson: I worked for
three or four years in the banking industry and as a consultant
for them occasionally thereafter and my experience from that is
that the main determinant of levels of fraud is not the card technology
that you use but how diligent you are at checking online whether
a transaction is valid or not. In Spain, for example, where they
made a rule 15 years ago that all credit card transactions had
to be verified with the bank regardless of how small the amount,
they had a much better reduction in fraud than they did in France
where they went to a more complex card technology. In my experience
that was a defining experiment. It is not the card technology;
it is the processes that surround it.
Q358 David Winnick: Is it not interesting,
Professor Anderson, that in the Home Office consultation document
the argument is put forward that it is possible that if a card
scheme came about the banks and other financial institutions would
rely on that to such an extent that they would not necessarily
check in the manner in which they are now doing? In other words
it would weaken the fight against fraud rather than strengthen
it?
Professor Anderson: I cannot see
the banks moving to somebody else's technology for the basic processes
of getting cash out of an ATM or paying for a meal at a restaurant.
What might perhaps be useful is that when you open a bank account
you might be able to present a passport rather than having to
go round with armfuls of gas bills, water bills and so on. This
is something that could be done today. Most people have passports
and an even larger proportion of people who open bank accounts
have passports, and so I suspect that by simply changing money
laundering guidelines the Government could encourage banks to
accept passports rather than gas bills as primary identification.
As far as subsequent transactions are concerned, I doubt that
the technologies would be even remotely compatible. What is proposed
by the ICAO for the new biometric passport is a contactless smart
card chip of the kind that is typically used in door opening applications,
whereas what the banks have standardised on for EMV in the chip-and-PIN
process is a contact smart card and the two have their advantages
and disadvantages in different situations but they are not compatible.
David Winnick: Do you get the
impression that if a particular argument in favour of an ID card
falls by the wayside the Home Secretary is only too willing to
come forward with another argument to justify it?
Q359 Chairman: That would be a leading
question in the old Perry Mason days, but please do answer it.
Professor Anderson: I see a number
of arguments in favour of ID cards that I do not find at all convincing
and, not being involved in the cut and thrust of party-political
fervours, I have tried to deflate them gently in the submission
I have made to the Home Office.