Select Committee on Home Affairs Minutes of Evidence


Examination of Witnesses (Questions 420 - 439)

TUESDAY 20 APRIL 2004

MR JOHN HARRISON, MR ANDY JEBSON, MR RICHARD HADDOCK AND MR NEIL FISHER

  Q420  Chairman: Mr Fisher, your company, I think, has taken a different view on this and says that we should start with the ONS Operation Register. Can you tell us why you come to a different conclusion?

  Mr Fisher: We do not believe that you have to start from scratch. Clearly the identity risk will be new, but there is a lot of merit in combining with existing databases to create a much larger virtual single database which looks single but is disbursed to create another value out of the linkage between your authentication and your clear identity on your birth certificate.

  Q421  Chairman: Could I ask you both whether this choice is critical to the design of a new system or whether it is one of those issues that you can argue either way and you can make the system work whichever approach you take?

  Mr Fisher: By the linkage with existing systems you are going to create a very enriched database which is highly robust and which will, I believe, provide much better verification of your identity by your authentication, and in doing so you will have a much more resilient system and one which is stronger against possible attacks from fraudsters and the like.

  Q422  Chairman: Mr Jebson?

  Mr Jebson: I do not disagree with my colleague's observations there. I think the point that we would make is that it comes down to the planning and what you want the database to do. You have talked about richness of data. I think that what the Government must consider is what else it might want to do in the future with an identity card. If it is a pure identity card from the outset and it is never going to be anything else, you would have to balance that against the richness of data that might be used for other purposes later.

  Q423  Chairman: Mr Harrison, if I have understood your evidence, you philosophically take a completely different approach to that?

  Mr Harrison: Perhaps.

  Q424  Chairman: Can you try to explain to the Committee the difference in approach which, as I understand it, does not depend on a single central database?

  Mr Harrison: Well, yes and no. We accept that the Government is perfectly right in its desire, if it wishes to do so, to create a single national population register, card, identity, database. The question then is how that identity information, that authentication information, is going to be used across the rest of society.

  Q425  Chairman: Can you keep your voice up?

  Mr Harrison: The question is how that high quality authentication information is going to be used across the rest of society; whether it is going to be used purely in Central Government, by local authorities, by the health sector, by the education sector—that is the particular subject where we get interested.

  Q426  Chairman: Can you expand on that, please?

  Mr Harrison: I can, but it is a slightly involved argument. I think you start... This is a subject called "federated identity" which has become of increasing interest in the last couple of years and is being pursued by various standards bodies in the US. To understand federation you have to start with the notion of identity. Some people believe that you have just one identity and that you are John Denham in every relationship you have. The other alternative would be to say that you have many different identities, that each identity you have is a function of relationship and that the purpose of the identity card is essentially to create an authenticated evidence of the relationship that you happen to have with the Home Office, which is perfectly good and a sensible thing to do, especially in this time of mass migration across borders. The question then is how you use the evidence of that identity you have with the Home Office for other purposes: say, to identify yourself to your school, which is a different relationship, or to your health provider, which is a different relationship again, or even to your family and friends. That is roughly the subject target area of federated identity.

  Q427  Chairman: Can somebody explain to me what, in practice, would be the difference between the sort of single database which in its different origins is put forward by Mr Fisher and Mr Jebson and what is proposed by Mr Harrison? If I am a member of the public and I have got my identity on a register somewhere and I wish to either (a) use it to prove I am who I say I am to the police or (b) to establish that I am entitled to use the National Health Service, what is the difference in operation that you see?

  Mr Harrison: The difference is largely one of consent, whether you actually give explicit consent for use of identity information from, say, the Home Office database to other parties, or whether that is done effectively automatically through the back room.

  Mr Fisher: I think our view would be that, yes, there is a concern that all and sundry in government can access the register to find out information for their purposes. We would not advocate that. We would say that the register is a very valuable national resource in a digital age and that access to it by those who wish to glean some information from some sort, be it law enforcement, be it tax, be it health, would need to have good reason to do and so would need to go through a body whereby they apply, and their reasons for applying are scrutinised, to access this extremely valuable resource. One of the points I would like to make is that, of course, an individual, once you have got your ID card, every time you are authenticated, it will not go back to the register. You do not have to do that. Your authentication, your card, is proof that you have been registered and therefore, provided you and your card are together, that is all you need to do. So it is not necessary to keep going back to the register every time you need to be authenticated.

  Mr Jebson: If I may, both arguments are very sound, but they have been taken, I think, from the perspective of government looking outwards rather than the citizen looking inwards. If I make a personal observation here: what would I do if I had an identity card? Where would it benefit me? One thing that comes immediately to mind is that, provided the strict controls are in place that the Data Protection Act requires in this country, something that occurs to me is that I have a portable token that might contain, for example, some medical information which could be used in the event of a road accident. If you have one device doing one job only, am I now going to have a health card, am I then going to have another benefits card? Whereas you have a single valuable recognised token of your identity that can be used in a number of different arenas.

  Q428  Chairman: In a previous session, Professor Thomas said to us if you create either a single card that has multi-functions or a single database, you are adding to the nation's critical infrastructure unnecessarily and, by doing that, you are making a large range of services vulnerable to a single attack, either a deliberate attack or a fault that arises, for some reason, in the system. How do you respond to that criticism that was put to the Committee previously that, in essence, any database becomes vulnerable the more functions you hang on that database, the more likely it is either to go wrong by accident or because somebody has deliberately set out to undermine it?

  Mr Jebson: I think I sense part of the answer that will be coming here. It is absolutely true, and I would be very wrong to say that you can make 100% certain security in any given situation whether it is one database or ten. I believe, however, that using the technology that is even currently available it is possible to put such a high level of security into that system that the risk is significantly minimised—that is not to say I do not recognise it—and it must be included and incorporated into the planning.

  Q429  Chairman: Mr Harrison.

  Mr Harrison: I think I accept the Professor's point about the dangers of having too many applications running from one database, and I hark back to what I said about the point of identity being a function of relationship. The number of times we have to prove identity for Home Office purposes is relatively few, maybe once or twice a year at the outside. The number of times you have to prove identity for other purposes, say, coming into a work-place or going into a school or going into a hospital or some other transaction that happens day to day, perhaps with local authorities, they are numerically much, much greater and it would be nonsensical to create an infrastructure that throws all of those back at one central database. Federation does not do that.

  Q430  Chairman: Mr Haddock, what is your view of this? I know you are essentially a card provider.

  Mr Haddock: I am more of the card provider, that is true, and I leave the database structure to my experts to the right. However, because our card does have a very high data capacity, our view is that all the records that are in the National Registry should also be included on the card so the citizen has his own records on his card at all times, and it is up to him where and how he presents it, and the National Registry, whatever form of database you choose to use, may be kept more closed and used only in the case of issuing lost or stolen cards or perhaps by more selective checks by authority; but the citizen having his own data in a secure medium is certainly a way to address this.

  Chairman: I think we will move on to look now at the choices between the different types of cards. Mr Taylor.

  Q431  Mr Taylor: Thank you very much, Mr Chairman. I suppose in a sense—and this is me as a layman, by the way, without any of your expertise—in my mind I am sort of beginning to address the question: what sort of a card? Smart card, barcode, optical memory card? I would like to ask all or any of our witnesses, Mr Chairman, prefacing by saying, you have different views of the type of card needed. What do you think are the essential technical features of an ID card? In other words, to help us towards the question what sort of card, what are the essential ingredients? What must it be able to do?

  Mr Haddock: I think most of that is in written evidence we supplied. Obviously any card that you provide should be the most secure and counterfeit-resistant document you can provide because a citizen is going to rely upon that characteristic of it in his daily life. Clearly, if it could be counterfeit the whole scheme is in jeopardy. For that reason the product we manufacture using optical memory has the intrinsic property of being non-erasable. This non-erasability allows you to know that once you put data on the card no-one can change it or alter it, not even we, because when the laser burns data on the card it is like punching holes in a piece of paper: once they are there they are there; they cannot be erased. You can add more data to the cards, so you can put on more applications, or update addresses, but you cannot erase what is there. Other technologies are intrinsically erasable, so there is a fundamental difference there, and the use of optical memory gives you high data capacity so, as you evolve to different types of biometrics or different requirements, you can add those to the card without reissuing them and it becomes a very cost-effective document to use. It can be augmented with the other technologies: an optical card can have on an IC chip, a contactless chip, a barcode, all in one, if you wish, so you can make a multi-functional card without having to compromise on any type of functionality.

  Mr Jebson: If I may, I would add to that. I think that what you have heard from my colleagues gives you both ends of the spectrum, and in Cubic's written submission we talked a great deal about planning. Richard has talked extensively about the type of card and how much you can put into the card, the multi-application card, which would support some of what I propose, that it becomes the single point of contact for the citizen as he is travelling around. On the other hand, there is the observation that that would require multiple database interactions. You can have a card which is highly secure which is nothing more than an identity card and all of the work is then pushed back to the central database. It is about planning. It is about knowing where you want the end product to be, because that will in turn govern the price that you pay for both the card and the system.

  Mr Harrison: I think I would endorse what Mr Jebson says. The big change in the last few years has been the arrival of near ubiquitous networks: everything is more or less connected to each other by increasingly broad-band networks. Given that, it becomes nonsensical, in our view, to expect to carry out a lot of the work on the card. The card is simply a secure token to information held elsewhere. The question becomes how the information held elsewhere is structured, owned, governed and how people get access to it.

  Mr Fisher: By "the card", of course, I assume you are talking about the actual token, the storage device that the citizen will have?

  Q432  Mr Taylor: Yes.

  Mr Fisher: There are a lot of ways of going at this, but we believe that there are a number of factors, one of which is cost, one of which is ease of use; the other one is the other functionality you can get from the storage device that you use. Clearly, cards are one way and they are very common; in America they use cards almost for everything. We believe that a storage device can be made in many different forms right now, and, for example, there is the example of a 2D barcode which holds about 1300 bytes, and that is one of the designing constraints, is the size of the biometric file that represents you. You can normally get that down to about 500, 600 bytes on finger and face, so plenty of room in here for something like that. Of course this is printable and it is you. Even if somebody stole it, it is of absolutely no use to them whatsoever. So having a printable storage device is actually very useful. This "flash memory", which you can get for less than a pound, less than 50p now, gives you a megabyte of information. It is also a storage device which is extremely useful. Like any storage device recording data, it can be encrypted and made extremely secure. All those features are still in this. We would say, because QinetiQ are research and development, so we basically evaluate all these things, that there are a lot of options open to you to design a system that is friendly to the citizen, cost-effective, operationally very effective, allows ease of use, and one of the important things about this is all I need is my face—if this is a facial biometric—my face and my biometric to gain access to whatever it is I want to gain access to provided what I want to gain access to has the reader for this facial biometric. It does not have to go on the network, it does not have to go back to the register, just the two of us together are all you need to open the key, as it were, open the lock. So we believe that this is not particularly high-tech. A lot of this technology is extremely mature right now, achievable right now, and, yes, you can use cards, but I think the factor you will have to understand and remember is the cost of the whole system and the running of the system, and that is a factor in the implementation of the storage device for sure.

  Q433  Chairman: Mr Fisher and Mr Haddock, you are being terribly polite, which is as it should be. You have both got completely different approaches to this. If you were arguing about this in private, what would you be saying to each other more bluntly than you are at the moment about the strengths of each others systems? We have, as I understand it, at the moment a pretty high-tech, pretty secure card on the one hand and a fairly low tech approach on the other. How does the Committee ever come to review which approach is right?

  Mr Haddock: Just because it is high-tech does not mean it is expensive. The US Government pays less than $4 a card for the US Green Card, and the Green Card stores high-resolution photographs, colour photographs, high-resolution fingerprints; it has 2800 data tracks; each one of those data tracks is equivalent to this piece of paper, so you can have that data but update it continuously. The important thing to understand about biometrics is that 1300 bytes is enough to have a template file of a biometric—that is a mathematical extraction of the image of the fingerprint or the face—but not enough to have a true image that is a high-resolution photograph or fingerprint that you can extract such minutiae from. You want a card, I think, that would have global inner compatibility so you can take your card to the United States, or Italy, or whatever, and have that be used. In order to do that you need the real images on the card and from that you can extract whatever mathematical minutiae files are required by that environment. In Italy they may have a different system that you have in the UK. If you bring with you a secure biometric image of your face or image of your fingerprint, it can be interchanged between systems without additional cost. It gives you vendor independence, because those minutiae files are all vendor specific and proprietary. So the value of multiple biometrics and true images has been seen throughout international standards bodies. In the passport world they are mandating at minimum 32K, which they recognise as being insufficient and really want up to a quarter to a half a megabyte of data in order to store these types of images. I think if you want a long-life card that has the ability to be future proof, you need data capacity, you need updatability and you need to store the true image files, because biometrics will change but your fingerprint image, your face and so forth, will not, and so you do not want to get trapped into biometric minutiae files that are vendor specific, you want the ability to be able to take it across platforms and across country borders, which means you need the data storage on the token or card.

  Mr Harrison: May I clarify one comment that I made. I suggested that from our point of view the purpose of a card was to provide a secure key, and that is entirely right. So for us it is essentially a thin card, a token that is used to access information elsewhere. That does not mean necessarily that you do not store the biometric on the card, you may well do that. In effect, you will use the biometric to unlock the key a little bit like the way in which a PIN number is used to unlock bank cards at the moment.

  Mr Fisher: High-tech does not mean it is expensive, low-tech does not mean it is vulnerable. The system, the capture system, the processing system, whichever biometric you use, is going to be the same whatever the data storage device. Our driver for evaluation for sure is to keep it simple. It is something that, you know, Mrs Snooks can actually understand and use quite easily in order to receive benefits from it. Is it going to be cheaper for her to have something like this than to have a card when it is four or five dollars a card? These are fractions of a penny. She can print off as many as she wants. If she loses it, it does not matter, she can print off another one, the same as other memory devices. We are an evaluation company as well and we look at the fidelity of storage devices such as LaserCard has got—there are a lot of others, there are smart chips, of course, which have not been mentioned as yet—and looking at the future the driver has to be cost and keeping it simple and we would recommend something as simple as printing out your biometric.

  Q434  Mr Taylor: My next question is to a degree about timescale, and, with permission, I will address to it Cubic and LSC primarily, because both of you mention that creating an effective system and a standard for cards will take time. LSC also mentions significant costs. Do you think it feasible for the Home Office to plan a phased introduction of cards leading to universalisation in, say, 2013, possibly sooner? How far do different types of card affect the timescale?

  Mr Haddock: If I can start with that. I think we have some experience now in five different countries starting from scratch through the planning process to the point where they have all issued cards. The most impressive one was the Canadian Government, where, shortly after 9/11, they decided they wanted to upgrade their permanent resident card to an optical memory card, and within nine months of making that decision they were issuing cards to their citizens. They said by June 28th 2002 they must be issued, and we thought it was very aggressive but we agreed to it and on June 28th they issued cards. It was on time, on budget, so it can be done, and I think your schedule could be cut in half and probably for half the money, given the appropriate decisions.

  Mr Jebson: If I may, the phrase at the end there is the critical one, the "appropriate decisions". Cubic is a systems integrator. Our job is to deliver the entire solution. It is not just about the card. The card will have an impact. You have to look at the availability of the plastic, of the silica, etcetera, but I would say that from what we have studied and what is available as information, then the scheduling that the Government has proposed is well deliverable.

  Mr Fisher: Certainly it is well deliverable by 2013. When do you start? Well, I think the timescale you have at the moment could be cut down. The technology is demonstrable to date and mature enough to date to get something started, and we believe that certainly a system designed and a pilot could be achieved certainly well within two years with a run out starting after that.

  Q435  Mr Taylor: You would say that 2013 was rather a soft, sloppy target, would you? We could get well inside that if we wanted to?

  Mr Fisher: Soft, sloppy—I did not use those words, but—

  Q436  Mr Taylor: Nor was I attributing them to you, but you can attribute them to me!

  Mr Fisher: I think, yes, I think once you have decided and once the Government decides on exactly how it wants to go about it, and we are talking about the three elements of data capture, data processing and data storage and what it wants to use, then you can get down to designing a system quite quickly. Again, we would not advocate a compulsory system. I think that is adding problems. I think it has got to be voluntary, opt in or opt out, that does not really matter, but pick-up will be fast and I think you will find that a target of certainly five years before then is achievable.

  Mr Jebson: If I may, the only observation I would make is that one should always use prudence with large scale IT projects. My colleagues are correct, you can shorten the timescale, but you must not run the risk of shortening the timescale at the expense of delivering a real working solution.

  Mr Harrison: I would agree that it is entirely feasible to deliver a straightforward effectively one-to-one relationship with the Home Office ID card in a relatively short number of years before 2013. How that identity information is going to be used throughout the rest of the country is going to take longer: because at the moment there is very little clarity in the thinking about how the links are going to be created between the Home Office database and other databases, other service providers.

  Q437  Mr Taylor: My next question is primarily directed to LSC. Mr Haddock, you list a number of security features that you believe should be incorporated into the card during manufacture. Are these achievable within the Home Office's costings?

  Mr Haddock: Yes, they are. I think most of those design features are something that a properly implemented system would have at very small incremental cost. The idea of serialising cards so every card is traceable back to its manufacturer, the fact that you have unique media format that is owned by the British Government—these are design choices made early on in the programme. There may be a small engineering charge, but it would be less than a penny a card by the time your system is implemented, and you can get nearly all of those intrinsic data security elements. Some of the physical ones, if you want additional stamps and holograms and overlays, there is a consumable cost associated with them, but I see no problem in either cost or timescale to get all those features in your card.

  Q438  Mr Taylor: Is the Italian card now operational?

  Mr Haddock: It is now operational. The reason I am in Europe is because I was invited last week by the Italian Government to come to their session that they had in Rome where they introduced the CIE Card (the Carta d'Identita Elettronica) to other Member States of the EU and invited me to speak about the optical card portion of that last Friday. Then they proceeded to take approximately 50 people representing about 30 countries on a walking tour of the city of Prato where they could watch the cards being issued in the city where the person's face and signature and fingerprint biometric was being captured in real-time as they issued the cards. The whole process took maybe five to six minutes. The card was then issued to the citizen and you followed them through the city where they used it at both services for paying taxes, on police stands where they checked the optical memory stripe to bring up the face and fingerprints of the person. So it is operational. They have ordered about 2 million cards. They have issued less than a million, but over 600,000, something in that range, and they are committed to a full scale roll-out in the coming few years.

  Q439  Mr Taylor: Are you at liberty to tell us how much this has cost the Italian Government?

  Mr Haddock: I do not know the entire cost structure, because we supply what we call a chip-ready optical card, that is an optical card that has a place where they can insert their own IC chips. It is a hybrid card containing both the optical memory stripe and an IC chip. After we provide the cards to the Italian Government they, in their own manufacturing process, embed an IC chip. They add their own software, they add additional cost and value to the system, so I cannot tell you directly what it is, but the optical card portion of it is slightly greater than the US card but it is not significantly more.


 
previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2004
Prepared 30 July 2004