TUESDAY 24 FEBRUARY 2004

MR NICK KALISPERAS, MR GEOFF LLEWELLYN, PROFESSOR ROSS ANDERSON AND PROFESSOR MARTYN THOMAS

  Q380  Mrs Dean: Can I turn to you, Professor Thomas. Your doubts about the analysis of error rates for biometrics in the Home Office-sponsored feasibility study lead you to argue that "a well-controlled, independent, large-scale study" should be undertaken. In your view, does the UK Passport Service pilot meet these criteria?

  Professor Thomas: I think it is capable of doing so. It is clear that the trial could very easily, were it the case, show that currently available biometric technology was not acceptable. Whether it can give you high confidence that it would be acceptable is not clear. In particular, until the full requirements of the system are known and the acceptable reject rates for application have been determined, it is not clear what criteria the trial could work to. I have not seen a full specification of everything that the trial is going to determine. For example, if it was focusing merely on enrolment times that does not necessarily give you all the information that you would need to know whether the reject rates would be acceptable for use in all the locations where you might want to use it. Also, I have some concerns about the statistical sample that MORI will produce because unless they have very good information about all the factors that affect the biometrics that they are looking at and their distribution in the population—I am not aware that data exists but perhaps it does—I do not know how they would draw a statistical sample that they could feel confident that managed to be sufficiently representative that you were not left with the problem that perhaps there is some group in the population who are going to be terribly disadvantaged by the introduction of this mechanism: people on particular medication, people with particular medical conditions, or some combination of those two perhaps.

  Q381  Mrs Dean: In your view, what is an acceptable rate of mismatches?

  Professor Thomas: That depends entirely on the applications for which it is going to be used. That is a requirements issue for the Home Office.

  Q382  Mrs Dean: What measures need to be in place to deal with cases where individuals are wrongly denied access to services?

  Professor Thomas: Again, it depends on the services that they are denied access to and what you consider to be adequate recompense. The danger is that if there is not a statutory framework for that then it would be determined by the court and it could turn out to be extremely expensive depending on what the courts decide.

  Q383  Mrs Dean: Turning to all of you, how do you think that the inclusion of biometrics will affect public acceptance of ID cards?

  Mr Llewellyn: I am aware of a public opinion survey that was conducted at the beginning of 2003 which was with a highly respectable sample according to current methodologies which asked views on the principle of an entitlement card, as it was titled at the time, and public acceptance there was 80% in favour of the principle of an ID card. When people were asked what they felt about the biometric process of capturing the biometric, be it a fingerprint or whatever, again there was a clear majority who were content with the idea of a biometric being given. My view on the public acceptability of biometrics as a way of securing a card is that there is already a high degree of acceptance amongst the general public.

  Q384  Mrs Dean: Do either of the professors want to comment?

  Professor Anderson: I suppose back when I was involved with the banking industry we had some experience with this because in the mid-1980s Nixdorf came out with a banking terminal which could identify people by their fingerprints. There was a lot of discussion about whether this would be appropriate and there were some trials that were done. What we found was that in Germany, and I do not recall any data for the UK, there was resistance to this because fingerprints are associated with being arrested and carted off to the police station. In fact, there was quite strong resistance. In India and Saudi Arabia there was no resistance because they have large illiterate populations who are used to operating their bank accounts by means of a thumbprint on a passbook. My guestimate would be that if you put fingerprints into an ID card there might be significantly more public resistance than if you have merely an electronic digitised photograph. With iris scans it would be somewhere in-between because some people are sensitive to the infrared light that is used to illuminate the eye while the scan is being done. What I expect you will also find that they did not pick up in the Passport Office study is that people who live in remote areas will find it a confounded nuisance not to be able to renew their passport by post, or perhaps eventually to be told to go and get an ID card in the city otherwise they will not be able to use their GP any more. I think of my parents, for example, living in the West of Scotland, getting on a bit, being ordered to go to Glasgow or, worse still, to Peterborough to present themselves for scanning and I can imagine my father would be rather cross. Multiply that by millions of people living in rural areas and you can expect some kind of backlash there. Finally, you have got to look at groups who simply cannot provide the required biometric. Thousands of people in the UK have got no fingerprints thanks to Thalidomide, surgery, diabetes, accidents, etc; tens of thousands of people do not have eyes and cannot offer iris prints. Again, an awful lot of thought has to go into these groups at the margin who are not going to be picked up simply by a public opinion process involving a few thousand people wandering through the Passport Office.

  Mr Llewellyn: Can I just make a point of information regarding the Passport Service trial. That Passport Service trial is part of the sample where individuals who would go through the process would be selected deliberately in association with disability lobby groups in order precisely to represent the variety of physiological challenges that people experience. It is not a matter of simply taking the first 10,000 people off the street, there will be a deliberate plan to incorporate people who have the kinds of physical challenges that would make biometrics difficult to achieve on the face of it.

  Q385  David Winnick: In your paper, Professor Anderson, at paragraph 13 on page four, you question the Home Office claim that there is public support for identity cards. The Home Secretary has made quite a bit of publicity or what have you saying the survey shows there is widespread public acceptance. Why does your organisation and yourself apparently disagree with that?

  Professor Anderson: This is a point that I reckon would be more substantively made by Stand, which is stand.org.uk, which is an organisation of volunteers who try to facilitate electronic participation in the political process. As I recall, during the Home Office consultation they made available a website whereby people could easily make their responses to the consultation on ID cards. My understanding is, and I am not a member of Stand but I have spoken to them, all of these responses were treated as a single petition and thus as one vote by one organisation against ID cards rather than, as the Stand people thought appropriate, 5,000 submissions by individual members of the public, the majority of whom were against identity cards. In fact, one of my colleagues at the university sent a submission via Stand which was supportive of identity cards—he is from Germany and he thinks identity cards are great—and he was most put out that his vote in favour of identity cards was counted as one-five thousandth of a vote against. I believe this is an issue that has been aired already in other fora.

  Q386  David Winnick: No doubt we will take that up with the Home Secretary. Your organisation, Intellect, argues: "The success of an ID card programme depends both on widespread acceptance and uptake by the citizens and extensive publicity of its benefits". Would you care to comment on that?

  Mr Llewellyn: Sorry, the success depends?

  Q387  David Winnick: ". . . on widespread acceptance and uptake by the citizens and extensive publicity of its benefits". That is the view of your organisation.

  Mr Kalisperas: Without being too flippant here, it is almost a statement of the obvious. Allied with any work which goes on in looking at the technical aspects of the card and implementing the IT solution, there also needs to be an extensive communication campaign explaining to the public why an ID card is needed in whatever form the Home Office decides to finally launch one. An extensive campaign needs to take place to ensure that the public feel comfortable with the enrolment process and registration process. In effect, the point that we have tried to get across, which maybe some other organisations do not seem to understand, is we are not talking about an IT project, we are talking about a business change project. The technology is just one aspect of that. We need to ensure that you have the right people running the registration and enrolment processes, we need to ensure that the political will is there, we need to ensure that the right people are being trained and we need to ensure that the right sort of legislation for technology is there. All of that requires time and all of that requires co-ordination. It is clear that what we need are all of the various stakeholders pulling in one direction rather than a few organisations carping from the sidelines.

  Q388  David Winnick: What you have just said for me, I do not know about my colleagues, seems to uphold every single word that Professor Anderson replied to me, namely that there is not so much enthusiasm for the card—correct me if I am wrong—but what is required is for the Home Office and the Government generally to persuade the public that such a card is necessary.

  Mr Kalisperas: What we need from the Government, and it has been a recurring theme throughout this session, is more information on the exact specification of the card. That is what we need.

  Q389  David Winnick: So really you do not disagree with what Professor Anderson said?

  Mr Kalisperas: At this present moment in time it is almost like asking how long is a piece of string. At the moment you are saying "Are you in favour of ID cards, yes or no?" and different people will interpret that question in different ways. Until we actually know exactly what an ID card will entail then there is no way that you can judge public opinion realistically in much the same way if you ask a member of the general public today how they are going to vote, are they going to vote Labour, Conservative or Liberal Democrat. Their views today may be influenced by a variety of different things and if you ask the same question tomorrow or in a year's time it may be entirely different. Until we actually see what an ID card will do, clearly specified from the Home Office what the registration process will entail and what the enrolment process will entail, until we have a clear idea of that it is far too early to judge whether public opinion, yes or no, is in favour of the card.

  David Winnick: You are saying that public opinion has not made up its mind one way or the other.

  Q390  Bob Russell: Gentlemen, throughout the hearing this afternoon security has been uppermost in the questions and in your answers, and I make no apology for returning to that without wishing to go over the same ground. I think this statement from the Foundation for Information Policy Research crystallises exactly the concerns where it says: "Creating a card that gives access to everything from medical care to welfare benefits to air travel will create a huge target. Serious efforts will be made to forge it, not just by criminal organisations, but also by governments", presumably foreign governments and not our own. I wonder if I could ask all of the witnesses how secure can a biometric card be? What measures can you take to prevent someone tampering with a stolen card to change the biometric data on it or, in fact, to utilise it for their own benefit?

  Professor Anderson: Assuming that we have launched some time in the next two years a passport which has got a chip in it which contains a digitised image of the holder's face, what we would expect to find is passports where the chip has been removed, where you have taken the chip out of one passport and put it another so that you get a different reading of the chip when you read it electronically from what you would have when you simply open it and look at it. We had experience of this in banking back in the 1980s because when people brought in the first terminals that could be used to swipe and verify credit cards, what the bad guys did was they got a stolen credit card and they would then re-encode the magnetic strip with data that they had taken, typically from a carbon that was discarded in the bin of a posh restaurant. A rich person's credit card details were encoded on the strip, on the card, whose embossing details were stolen. The villain then goes to a bullion merchant and buys a few thousand pounds' worth of Krugerands and the terminal says "This card is fine" but then when the merchant submits the voucher it bounces. This caused us immense problems in the mid-1980s. You can expect the same kind of problems. You can expect all sorts of other incremental problems. They are typically not going to be problems where somebody breaks a specific mechanism but where people exploit procedural work-arounds, where they manage to work their knife between two slabs of the floor and prise the stones apart a little bit. It will be this kind of thing that you will get in the first instance. Later on what you may find is either people find some way of tampering with the chips themselves, for instance being used in offline mode, or you may find it more likely that people will start tooling up with fake contact lenses and fingertip covers which is an awful lot easier than tampering with the chip is nowadays. What you may also find is people will find some means of tampering with the database because the database, presumably, will be relatively shielded against direct attack but people are still going to have to input information into it. For all of the organisations which enrol people one way or another, and think of all the British consulates around the world you can go to if you are a British citizen resident abroad and you can get your passport renewed, is it always going to be the case that no one single employee of any of these organisations will be working for the other side or on their own account? I would say that the likelihood of maintaining complete control over all the staff with the power to register people on the database is minuscule. You have got all these things to worry about and there will be leakage.

  Q391  Bob Russell: Mr Llewellyn, what is your answer to that Domesday scenario?

  Mr Llewellyn: I think it is precisely a Domesday scenario. Let us go back to some basics. If you are looking at the physical integrity of the chip that is on the card then the industry would say, and I am not personally competent to go into the bits and bytes of this, that the chips on the cards cannot be interfered with in a way which is not, as it were, tamper-evident. In other words, you could get into the core of the card and change something that reflected the identity, but the very process of going into the core of the card and doing that would render the chip unusable. I think the scenario modelled on the old mag stripe days is simply a canard because chips on cards, or chips not necessarily on cards, are intrinsically very, very much more difficult to interfere with than the mag stripe. Clearly you would need more technically competent people than I to convince you that the chips are absolutely fraud-proof but I believe there is a very, very strong assurance that you cannot mess around with the chip without it being apparent. That is one point. The second one is the integrity of the biometrics which, as it were, padlock the individual human to this electronic trace. There again, fingerprints and iris codes have a very, very high level of integrity, notwithstanding the points that were made about spoofing. I think it is true that the latest generations of cameras and the latest generations of fingerprint detectors are extraordinarily difficult to spoof. It would be stupid to say that they are impossible to spoof but they have very high levels. If you combine the very great difficulty of interfering with the chip with the very great difficulty of interfering with the biometric you, as it were, multiply two very, very tiny risks and create a minuscule risk.

  Q392  Bob Russell: Would that miniscule risk be made even more miniscule if fingerprinting and iris recognition details were taken at an earlier age? What would be the earliest age at which you would suggest somebody could get an identity card recognition?

  Mr Llewellyn: I believe that the fundamental science in looking at the physiology of the eye would say that the iris code is stable from the age of six months, so it would be possible theoretically to take somebody in infancy and capture a biometric that would be stable throughout their lives as long as they kept their eyes. Yes, clearly the earlier that you capture the biometric and associate it with the unique human being the more robust would be the long-term system you put in place.

  Q393  Bob Russell: Presumably the fingerprints would have to wait until maturity?

  Mr Llewellyn: I believe it is the case that fingerprints do change not only because of physiological interference and so on, but they actually evolve, and certainly the face does as well. From that point of view, comparing the three major candidates for biometrics, the iris technology would appear to be more robust but there are other considerations.

  Q394  Bob Russell: Professor Thomas, you observed that security and integrity are not absolute qualities. From your experience of database management, what level of database security is possible, if at all?

  Professor Thomas: You have got issues to do with security of the chip on the card and you have got issues to do with security of any data that is stored elsewhere. You need to look at both aspects because it may be data on the card whose security you are worried about or it may be data stored in a linked database that you are using the card as a key to access. I do not have the level of complacency about the security of chips on cards that Intellect have. No card based chip has yet proved to be completely unable to be broken open if you are prepared to apply sufficient resources to it. Although you may have to wreck a few chips in the process, once you have actually determined how to break the encryption on the chip and you can understand the workings you can make your own.

  Q395  Bob Russell: Mr Kalisperas, you were disagreeing.

  Mr Kalisperas: While I am spending probably the rest of the evening working out how we have managed to offend Professor Thomas, I would like to say that we have been working with the Home Office for two years and we have seen a variety of different companies—obviously Professor Thomas has not had that exposure—who have been quite innovative in the security that they can apply to card technology. If the Committee wishes we would be more than happy to provide information on the various different types of securities that we have come across, both as they relate to the design of the card, as it relates to paints, as it relates to databases, etc. We would be more than happy to provide a paper.

  Q396  Bob Russell: A very simple question to which I would be grateful for a relatively short answer. Can the security of every record be realistically guaranteed?

  Mr Kalisperas: Yes.

  Q397  Bob Russell: We have got a "yes" there and shaking of the heads there, the jury must be out.

  Professor Thomas: The easy way to break it is simply to subvert somebody who has got a legitimate reason to be able to change it.

  Professor Anderson: This is the point I made earlier. If the third secretary in our embassy in Damascus is working for the Syrian secret police and has the ability to register people in the system and change details then the Syrian secret police have the ability to register people in the system and change details, that is fundamental.

  Q398  Chairman: Mr Llewellyn, could you deal with that? You did not deal with the human failure in your previous answer.

  Mr Llewellyn: Quite clearly, any IT system is only as good as the humans who operate it. This would underline the principle that the implementation of anything along these lines requires what you could describe as the 3Rs: restriction in the way that the system is implemented so that there is clear specification of what can and cannot be done; regulation of the users of the system, and that would include the third secretary in the embassy; and redress, which would mean systems whereby any abuse could be acted upon quickly once it is detected. It is not given to human beings to achieve perfection, so the answer to Mr Russell's question is no, it simply cannot be guaranteed, that would be absurd. What one can say is that taking a sensible approach to the risks and the opportunities, the risks on the one hand of fraud and the opportunities on the other hand of delivering government services much more efficiently, saving money in the delivery of government, there is a balance to be struck between those. The view of the industry would be that the upside opportunity for process improvements which translate into savings and improved services outweighs the undeniable risk of fraud.

  Q399  Bob Russell: If I could put this question to Intellect, because Professor Thomas believes that a system built on commercially available products cannot be made secure against sustained assault. Do you believe that your members can meet the technological changes created by the Government's proposals? Does this include guaranteeing security and integrity of the system? I know you have partially answered but I need to pin you down a bit more on it.

  Mr Llewellyn: I think a guarantee in the sense of a statement of absolute certainty cannot be made, could not be made and it is just not given to us in the human race.