Examination of Witnesses (Questions 380
TUESDAY 24 FEBRUARY 2004
Q380 Mrs Dean: Can I turn to you,
Professor Thomas. Your doubts about the analysis of error rates
for biometrics in the Home Office-sponsored feasibility study
lead you to argue that "a well-controlled, independent, large-scale
study" should be undertaken. In your view, does the UK Passport
Service pilot meet these criteria?
Professor Thomas: I think it is
capable of doing so. It is clear that the trial could very easily,
were it the case, show that currently available biometric technology
was not acceptable. Whether it can give you high confidence that
it would be acceptable is not clear. In particular, until the
full requirements of the system are known and the acceptable reject
rates for application have been determined, it is not clear what
criteria the trial could work to. I have not seen a full specification
of everything that the trial is going to determine. For example,
if it was focusing merely on enrolment times that does not necessarily
give you all the information that you would need to know whether
the reject rates would be acceptable for use in all the locations
where you might want to use it. Also, I have some concerns about
the statistical sample that MORI will produce because unless they
have very good information about all the factors that affect the
biometrics that they are looking at and their distribution in
the populationI am not aware that data exists but perhaps
it doesI do not know how they would draw a statistical
sample that they could feel confident that managed to be sufficiently
representative that you were not left with the problem that perhaps
there is some group in the population who are going to be terribly
disadvantaged by the introduction of this mechanism: people on
particular medication, people with particular medical conditions,
or some combination of those two perhaps.
Q381 Mrs Dean: In your view, what
is an acceptable rate of mismatches?
Professor Thomas: That depends
entirely on the applications for which it is going to be used.
That is a requirements issue for the Home Office.
Q382 Mrs Dean: What measures need
to be in place to deal with cases where individuals are wrongly
denied access to services?
Professor Thomas: Again, it depends
on the services that they are denied access to and what you consider
to be adequate recompense. The danger is that if there is not
a statutory framework for that then it would be determined by
the court and it could turn out to be extremely expensive depending
on what the courts decide.
Q383 Mrs Dean: Turning to all of
you, how do you think that the inclusion of biometrics will affect
public acceptance of ID cards?
Mr Llewellyn: I am aware of a
public opinion survey that was conducted at the beginning of 2003
which was with a highly respectable sample according to current
methodologies which asked views on the principle of an entitlement
card, as it was titled at the time, and public acceptance there
was 80% in favour of the principle of an ID card. When people
were asked what they felt about the biometric process of capturing
the biometric, be it a fingerprint or whatever, again there was
a clear majority who were content with the idea of a biometric
being given. My view on the public acceptability of biometrics
as a way of securing a card is that there is already a high degree
of acceptance amongst the general public.
Q384 Mrs Dean: Do either of the professors
want to comment?
Professor Anderson: I suppose
back when I was involved with the banking industry we had some
experience with this because in the mid-1980s Nixdorf came out
with a banking terminal which could identify people by their fingerprints.
There was a lot of discussion about whether this would be appropriate
and there were some trials that were done. What we found was that
in Germany, and I do not recall any data for the UK, there was
resistance to this because fingerprints are associated with being
arrested and carted off to the police station. In fact, there
was quite strong resistance. In India and Saudi Arabia there was
no resistance because they have large illiterate populations who
are used to operating their bank accounts by means of a thumbprint
on a passbook. My guestimate would be that if you put fingerprints
into an ID card there might be significantly more public resistance
than if you have merely an electronic digitised photograph. With
iris scans it would be somewhere in-between because some people
are sensitive to the infrared light that is used to illuminate
the eye while the scan is being done. What I expect you will also
find that they did not pick up in the Passport Office study is
that people who live in remote areas will find it a confounded
nuisance not to be able to renew their passport by post, or perhaps
eventually to be told to go and get an ID card in the city otherwise
they will not be able to use their GP any more. I think of my
parents, for example, living in the West of Scotland, getting
on a bit, being ordered to go to Glasgow or, worse still, to Peterborough
to present themselves for scanning and I can imagine my father
would be rather cross. Multiply that by millions of people living
in rural areas and you can expect some kind of backlash there.
Finally, you have got to look at groups who simply cannot provide
the required biometric. Thousands of people in the UK have got
no fingerprints thanks to Thalidomide, surgery, diabetes, accidents,
etc; tens of thousands of people do not have eyes and cannot offer
iris prints. Again, an awful lot of thought has to go into these
groups at the margin who are not going to be picked up simply
by a public opinion process involving a few thousand people wandering
through the Passport Office.
Mr Llewellyn: Can I just make
a point of information regarding the Passport Service trial. That
Passport Service trial is part of the sample where individuals
who would go through the process would be selected deliberately
in association with disability lobby groups in order precisely
to represent the variety of physiological challenges that people
experience. It is not a matter of simply taking the first 10,000
people off the street, there will be a deliberate plan to incorporate
people who have the kinds of physical challenges that would make
biometrics difficult to achieve on the face of it.
Q385 David Winnick: In your paper,
Professor Anderson, at paragraph 13 on page four, you question
the Home Office claim that there is public support for identity
cards. The Home Secretary has made quite a bit of publicity or
what have you saying the survey shows there is widespread public
acceptance. Why does your organisation and yourself apparently
disagree with that?
Professor Anderson: This is a
point that I reckon would be more substantively made by Stand,
which is stand.org.uk, which is an organisation of volunteers
who try to facilitate electronic participation in the political
process. As I recall, during the Home Office consultation they
made available a website whereby people could easily make their
responses to the consultation on ID cards. My understanding is,
and I am not a member of Stand but I have spoken to them, all
of these responses were treated as a single petition and thus
as one vote by one organisation against ID cards rather than,
as the Stand people thought appropriate, 5,000 submissions by
individual members of the public, the majority of whom were against
identity cards. In fact, one of my colleagues at the university
sent a submission via Stand which was supportive of identity cardshe
is from Germany and he thinks identity cards are greatand
he was most put out that his vote in favour of identity cards
was counted as one-five thousandth of a vote against. I believe
this is an issue that has been aired already in other fora.
Q386 David Winnick: No doubt we will
take that up with the Home Secretary. Your organisation, Intellect,
argues: "The success of an ID card programme depends both
on widespread acceptance and uptake by the citizens and extensive
publicity of its benefits". Would you care to comment on
Mr Llewellyn: Sorry, the success
Q387 David Winnick: ". . . on
widespread acceptance and uptake by the citizens and extensive
publicity of its benefits". That is the view of your organisation.
Mr Kalisperas: Without being too
flippant here, it is almost a statement of the obvious. Allied
with any work which goes on in looking at the technical aspects
of the card and implementing the IT solution, there also needs
to be an extensive communication campaign explaining to the public
why an ID card is needed in whatever form the Home Office decides
to finally launch one. An extensive campaign needs to take place
to ensure that the public feel comfortable with the enrolment
process and registration process. In effect, the point that we
have tried to get across, which maybe some other organisations
do not seem to understand, is we are not talking about an IT project,
we are talking about a business change project. The technology
is just one aspect of that. We need to ensure that you have the
right people running the registration and enrolment processes,
we need to ensure that the political will is there, we need to
ensure that the right people are being trained and we need to
ensure that the right sort of legislation for technology is there.
All of that requires time and all of that requires co-ordination.
It is clear that what we need are all of the various stakeholders
pulling in one direction rather than a few organisations carping
from the sidelines.
Q388 David Winnick: What you have
just said for me, I do not know about my colleagues, seems to
uphold every single word that Professor Anderson replied to me,
namely that there is not so much enthusiasm for the cardcorrect
me if I am wrongbut what is required is for the Home Office
and the Government generally to persuade the public that such
a card is necessary.
Mr Kalisperas: What we need from
the Government, and it has been a recurring theme throughout this
session, is more information on the exact specification of the
card. That is what we need.
Q389 David Winnick: So really you
do not disagree with what Professor Anderson said?
Mr Kalisperas: At this present
moment in time it is almost like asking how long is a piece of
string. At the moment you are saying "Are you in favour of
ID cards, yes or no?" and different people will interpret
that question in different ways. Until we actually know exactly
what an ID card will entail then there is no way that you can
judge public opinion realistically in much the same way if you
ask a member of the general public today how they are going to
vote, are they going to vote Labour, Conservative or Liberal Democrat.
Their views today may be influenced by a variety of different
things and if you ask the same question tomorrow or in a year's
time it may be entirely different. Until we actually see what
an ID card will do, clearly specified from the Home Office what
the registration process will entail and what the enrolment process
will entail, until we have a clear idea of that it is far too
early to judge whether public opinion, yes or no, is in favour
of the card.
David Winnick: You are saying that public
opinion has not made up its mind one way or the other.
Q390 Bob Russell: Gentlemen, throughout
the hearing this afternoon security has been uppermost in the
questions and in your answers, and I make no apology for returning
to that without wishing to go over the same ground. I think this
statement from the Foundation for Information Policy Research
crystallises exactly the concerns where it says: "Creating
a card that gives access to everything from medical care to welfare
benefits to air travel will create a huge target. Serious efforts
will be made to forge it, not just by criminal organisations,
but also by governments", presumably foreign governments
and not our own. I wonder if I could ask all of the witnesses
how secure can a biometric card be? What measures can you take
to prevent someone tampering with a stolen card to change the
biometric data on it or, in fact, to utilise it for their own
Professor Anderson: Assuming that
we have launched some time in the next two years a passport which
has got a chip in it which contains a digitised image of the holder's
face, what we would expect to find is passports where the chip
has been removed, where you have taken the chip out of one passport
and put it another so that you get a different reading of the
chip when you read it electronically from what you would have
when you simply open it and look at it. We had experience of this
in banking back in the 1980s because when people brought in the
first terminals that could be used to swipe and verify credit
cards, what the bad guys did was they got a stolen credit card
and they would then re-encode the magnetic strip with data that
they had taken, typically from a carbon that was discarded in
the bin of a posh restaurant. A rich person's credit card details
were encoded on the strip, on the card, whose embossing details
were stolen. The villain then goes to a bullion merchant and buys
a few thousand pounds' worth of Krugerands and the terminal says
"This card is fine" but then when the merchant submits
the voucher it bounces. This caused us immense problems in the
mid-1980s. You can expect the same kind of problems. You can expect
all sorts of other incremental problems. They are typically not
going to be problems where somebody breaks a specific mechanism
but where people exploit procedural work-arounds, where they manage
to work their knife between two slabs of the floor and prise the
stones apart a little bit. It will be this kind of thing that
you will get in the first instance. Later on what you may find
is either people find some way of tampering with the chips themselves,
for instance being used in offline mode, or you may find it more
likely that people will start tooling up with fake contact lenses
and fingertip covers which is an awful lot easier than tampering
with the chip is nowadays. What you may also find is people will
find some means of tampering with the database because the database,
presumably, will be relatively shielded against direct attack
but people are still going to have to input information into it.
For all of the organisations which enrol people one way or another,
and think of all the British consulates around the world you can
go to if you are a British citizen resident abroad and you can
get your passport renewed, is it always going to be the case that
no one single employee of any of these organisations will be working
for the other side or on their own account? I would say that the
likelihood of maintaining complete control over all the staff
with the power to register people on the database is minuscule.
You have got all these things to worry about and there will be
Q391 Bob Russell: Mr Llewellyn, what
is your answer to that Domesday scenario?
Mr Llewellyn: I think it is precisely
a Domesday scenario. Let us go back to some basics. If you are
looking at the physical integrity of the chip that is on the card
then the industry would say, and I am not personally competent
to go into the bits and bytes of this, that the chips on the cards
cannot be interfered with in a way which is not, as it were, tamper-evident.
In other words, you could get into the core of the card and change
something that reflected the identity, but the very process of
going into the core of the card and doing that would render the
chip unusable. I think the scenario modelled on the old mag stripe
days is simply a canard because chips on cards, or chips not necessarily
on cards, are intrinsically very, very much more difficult to
interfere with than the mag stripe. Clearly you would need more
technically competent people than I to convince you that the chips
are absolutely fraud-proof but I believe there is a very, very
strong assurance that you cannot mess around with the chip without
it being apparent. That is one point. The second one is the integrity
of the biometrics which, as it were, padlock the individual human
to this electronic trace. There again, fingerprints and iris codes
have a very, very high level of integrity, notwithstanding the
points that were made about spoofing. I think it is true that
the latest generations of cameras and the latest generations of
fingerprint detectors are extraordinarily difficult to spoof.
It would be stupid to say that they are impossible to spoof but
they have very high levels. If you combine the very great difficulty
of interfering with the chip with the very great difficulty of
interfering with the biometric you, as it were, multiply two very,
very tiny risks and create a minuscule risk.
Q392 Bob Russell: Would that miniscule
risk be made even more miniscule if fingerprinting and iris recognition
details were taken at an earlier age? What would be the earliest
age at which you would suggest somebody could get an identity
Mr Llewellyn: I believe that the
fundamental science in looking at the physiology of the eye would
say that the iris code is stable from the age of six months, so
it would be possible theoretically to take somebody in infancy
and capture a biometric that would be stable throughout their
lives as long as they kept their eyes. Yes, clearly the earlier
that you capture the biometric and associate it with the unique
human being the more robust would be the long-term system you
put in place.
Q393 Bob Russell: Presumably the
fingerprints would have to wait until maturity?
Mr Llewellyn: I believe it is
the case that fingerprints do change not only because of physiological
interference and so on, but they actually evolve, and certainly
the face does as well. From that point of view, comparing the
three major candidates for biometrics, the iris technology would
appear to be more robust but there are other considerations.
Q394 Bob Russell: Professor Thomas,
you observed that security and integrity are not absolute qualities.
From your experience of database management, what level of database
security is possible, if at all?
Professor Thomas: You have got
issues to do with security of the chip on the card and you have
got issues to do with security of any data that is stored elsewhere.
You need to look at both aspects because it may be data on the
card whose security you are worried about or it may be data stored
in a linked database that you are using the card as a key to access.
I do not have the level of complacency about the security of chips
on cards that Intellect have. No card based chip has yet proved
to be completely unable to be broken open if you are prepared
to apply sufficient resources to it. Although you may have to
wreck a few chips in the process, once you have actually determined
how to break the encryption on the chip and you can understand
the workings you can make your own.
Q395 Bob Russell: Mr Kalisperas,
you were disagreeing.
Mr Kalisperas: While I am spending
probably the rest of the evening working out how we have managed
to offend Professor Thomas, I would like to say that we have been
working with the Home Office for two years and we have seen a
variety of different companiesobviously Professor Thomas
has not had that exposurewho have been quite innovative
in the security that they can apply to card technology. If the
Committee wishes we would be more than happy to provide information
on the various different types of securities that we have come
across, both as they relate to the design of the card, as it relates
to paints, as it relates to databases, etc. We would be more than
happy to provide a paper.
Q396 Bob Russell: A very simple question
to which I would be grateful for a relatively short answer. Can
the security of every record be realistically guaranteed?
Mr Kalisperas: Yes.
Q397 Bob Russell: We have got a "yes"
there and shaking of the heads there, the jury must be out.
Professor Thomas: The easy way
to break it is simply to subvert somebody who has got a legitimate
reason to be able to change it.
Professor Anderson: This is the
point I made earlier. If the third secretary in our embassy in
Damascus is working for the Syrian secret police and has the ability
to register people in the system and change details then the Syrian
secret police have the ability to register people in the system
and change details, that is fundamental.
Q398 Chairman: Mr Llewellyn, could
you deal with that? You did not deal with the human failure in
your previous answer.
Mr Llewellyn: Quite clearly, any
IT system is only as good as the humans who operate it. This would
underline the principle that the implementation of anything along
these lines requires what you could describe as the 3Rs: restriction
in the way that the system is implemented so that there is clear
specification of what can and cannot be done; regulation of the
users of the system, and that would include the third secretary
in the embassy; and redress, which would mean systems whereby
any abuse could be acted upon quickly once it is detected. It
is not given to human beings to achieve perfection, so the answer
to Mr Russell's question is no, it simply cannot be guaranteed,
that would be absurd. What one can say is that taking a sensible
approach to the risks and the opportunities, the risks on the
one hand of fraud and the opportunities on the other hand of delivering
government services much more efficiently, saving money in the
delivery of government, there is a balance to be struck between
those. The view of the industry would be that the upside opportunity
for process improvements which translate into savings and improved
services outweighs the undeniable risk of fraud.
Q399 Bob Russell: If I could put
this question to Intellect, because Professor Thomas believes
that a system built on commercially available products cannot
be made secure against sustained assault. Do you believe that
your members can meet the technological changes created by the
Government's proposals? Does this include guaranteeing security
and integrity of the system? I know you have partially answered
but I need to pin you down a bit more on it.
Mr Llewellyn: I think a guarantee
in the sense of a statement of absolute certainty cannot be made,
could not be made and it is just not given to us in the human