Examination of Witnesses (Questions 420 - 439)
TUESDAY 20 APRIL 2004
MR JOHN HARRISON, MR ANDY JEBSON, MR RICHARD HADDOCK AND MR NEIL FISHER
Q420 Chairman: Mr Fisher, your company,
I think, has taken a different view on this and says that we should
start with the ONS Operation Register. Can you tell us why you
come to a different conclusion?
Mr Fisher: We do not believe that
you have to start from scratch. Clearly the identity risk will
be new, but there is a lot of merit in combining with existing
databases to create a much larger virtual single database which
looks single but is disbursed to create another value out of the
linkage between your authentication and your clear identity on
your birth certificate.
Q421 Chairman: Could I ask you both
whether this choice is critical to the design of a new system
or whether it is one of those issues that you can argue either
way and you can make the system work whichever approach you take?
Mr Fisher: By the linkage with
existing systems you are going to create a very enriched database
which is highly robust and which will, I believe, provide much
better verification of your identity by your authentication, and
in doing so you will have a much more resilient system and one
which is stronger against possible attacks from fraudsters and
the like.
Q422 Chairman: Mr Jebson?
Mr Jebson: I do not disagree with
my colleague's observations there. I think the point that we would
make is that it comes down to the planning and what you want the
database to do. You have talked about richness of data. I think
that what the Government must consider is what else it might want
to do in the future with an identity card. If it is a pure identity
card from the outset and it is never going to be anything else,
you would have to balance that against the richness of data that
might be used for other purposes later.
Q423 Chairman: Mr Harrison, if I
have understood your evidence, you philosophically take a completely
different approach to that?
Mr Harrison: Perhaps.
Q424 Chairman: Can you try to explain
to the Committee the difference in approach which, as I understand
it, does not depend on a single central database?
Mr Harrison: Well, yes and no.
We accept that the Government is perfectly right in its desire,
if it wishes to do so, to create a single national population
register, card, identity, database. The question then is how that
identity information, that authentication information, is going
to be used across the rest of society.
Q425 Chairman: Can you keep your
voice up?
Mr Harrison: The question is how
that high quality authentication information is going to be used
across the rest of society; whether it is going to be used purely
in Central Government, by local authorities, by the health sector,
by the education sector - that is the particular subject where
we get interested.
Q426 Chairman: Can you expand on
that, please?
Mr Harrison: I can, but it is
a slightly involved argument. I think you start... This is a subject
called "federated identity" which has become of increasing
interest in the last couple of years and is being pursued by various
standards bodies in the US. To understand federation you have
to start with the notion of identity. Some people believe that
you have just one identity and that you are John Denham in every
relationship you have. The other alternative would be to say that
you have many different identities, that each identity you have
is a function of relationship and that the purpose of the identity
card is essentially to create an authenticated evidence of the
relationship that you happen to have with the Home Office, which
is perfectly good and a sensible thing to do, especially in this
time of mass migration across borders. The question then is how
you use the evidence of that identity you have with the Home Office
for other purposes: say, to identify yourself to your school,
which is a different relationship, or to your health provider,
which is a different relationship again, or even to your family
and friends. That is roughly the subject target area of federated
identity.
Q427 Chairman: Can somebody explain
to me what, in practice, would be the difference between the sort
of single database which in its different origins is put forward
by Mr Fisher and Mr Jebson and what is proposed by Mr Harrison?
If I am a member of the public and I have got my identity on a
register somewhere and I wish to either (a) use it to prove I
am who I say I am to the police or (b) to establish that I am
entitled to use the National Health Service, what is the difference
in operation that you see?
Mr Harrison: The difference is
largely one of consent, whether you actually give explicit consent
for use of identity information from, say, the Home Office database
to other parties, or whether that is done effectively automatically
through the back room.
Mr Fisher: I think our view would
be that, yes, there is a concern that all and sundry in government
can access the register to find out information for their purposes.
We would not advocate that. We would say that the register is
a very valuable national resource in a digital age and that access
to it by those who wish to glean some information of some sort,
be it law enforcement, be it tax, be it health, would need to
have good reason to do so and would need to go through a body
whereby they apply, and their reasons for applying are scrutinised,
to access this extremely valuable resource. One of the points
I would like to make is that, of course, an individual, once you
have got your ID card, every time you are authenticated, it will
not go back to the register. You do not have to do that. Your
authentication, your card, is proof that you have been registered
and therefore, provided you and your card are together, that is
all you need to do. So it is not necessary to keep going back
to the register every time you need to be authenticated.
Mr Jebson: If I may, both arguments
are very sound, but they have been taken, I think, from the perspective
of government looking outwards rather than the citizen looking
inwards. If I make a personal observation here: what would I do
if I had an identity card? Where would it benefit me? One thing
that comes immediately to mind is that, provided the strict controls
are in place that the Data Protection Act requires in this country,
something that occurs to me is that I have a portable token that
might contain, for example, some medical information which could
be used in the event of a road accident. If you have one device
doing one job only, am I now going to have a health card, am I
then going to have another benefits card? Whereas you have a single
valuable recognised token of your identity that can be used in
a number of different arenas.
Q428 Chairman: In a previous session,
Professor Thomas said to us if you create either a single card
that has multi-functions or a single database, you are adding
to the nation's critical infrastructure unnecessarily and, by
doing that, you are making a large range of services vulnerable
to a single attack, either a deliberate attack or a fault that
arises, for some reason, in the system. How do you respond to
that criticism that was put to the Committee previously that,
in essence, any database becomes vulnerable the more functions
you hang on that database, the more likely it is either to go
wrong by accident or because somebody has deliberately set out
to undermine it?
Mr Jebson: I think I sense part
of the answer that will be coming here. It is absolutely true,
and I would be very wrong to say that you can make 100% certain
security in any given situation whether it is one database or
ten. I believe, however, that using the technology that is even
currently available it is possible to put such a high level of
security into that system that the risk is significantly minimised - that
is not to say I do not recognise it - and it must be included
and incorporated into the planning.
Q429 Chairman: Mr Harrison.
Mr Harrison: I think I accept
the Professor's point about the dangers of having too many applications
running from one database, and I hark back to what I said about
the point of identity being a function of relationship. The number
of times we have to prove identity for Home Office purposes is
relatively few, maybe once or twice a year at the outside. The
number of times you have to prove identity for other purposes,
say, coming into a work-place or going into a school or going
into a hospital or some other transaction that happens day to
day, perhaps with local authorities, they are numerically much,
much greater and it would be nonsensical to create an infrastructure
that throws all of those back at one central database. Federation
does not do that.
Q430 Chairman: Mr Haddock, what is
your view of this? I know you are essentially a card provider.
Mr Haddock: I am more of the card
provider, that is true, and I leave the database structure to
my experts to the right. However, because our card does have a
very high data capacity, our view is that all the records that
are in the National Registry should also be included on the card
so the citizen has his own records on his card at all times, and
it is up to him where and how he presents it, and the National
Registry, whatever form of database you choose to use, may be
kept more closed and used only in the case of issuing lost or
stolen cards or perhaps by more selective checks by authority;
but the citizen having his own data in a secure medium is certainly
a way to address this.
Chairman: I think we will move on to
look now at the choices between the different types of cards.
Mr Taylor.
Q431 Mr Taylor: Thank you very much,
Mr Chairman. I suppose in a sense - and this is me as a layman,
by the way, without any of your expertise - in my mind I am
sort of beginning to address the question: what sort of a card?
Smart card, barcode, optical memory card? I would like to ask
all or any of our witnesses, Mr Chairman, prefacing by saying,
you have different views of the type of card needed. What do you
think are the essential technical features of an ID card? In other
words, to help us towards the question what sort of card, what
are the essential ingredients? What must it be able to do?
Mr Haddock: I think most of that
is in written evidence we supplied. Obviously any card that you
provide should be the most secure and counterfeit-resistant document
you can provide because a citizen is going to rely upon that characteristic
of it in his daily life. Clearly, if it could be counterfeit the
whole scheme is in jeopardy. For that reason the product we manufacture
using optical memory has the intrinsic property of being non-erasable.
This non-erasability allows you to know that once you put data
on the card no-one can change it or alter it, not even we, because
when the laser burns data on the card it is like punching holes
in a piece of paper: once they are there they are there; they
cannot be erased. You can add more data to the cards, so you can
put on more applications, or update addresses, but you cannot
erase what is there. Other technologies are intrinsically erasable,
so there is a fundamental difference there, and the use of optical
memory gives you high data capacity so, as you evolve to different
types of biometrics or different requirements, you can add those
to the card without reissuing them and it becomes a very cost-effective
document to use. It can be augmented with the other technologies:
an optical card can have on an IC chip, a contactless chip, a
barcode, all in one, if you wish, so you can make a multi-functional
card without having to compromise on any type of functionality.
Mr Jebson: If I may, I would add
to that. I think that what you have heard from my colleagues gives
you both ends of the spectrum, and in Cubic's written submission
we talked a great deal about planning. Richard has talked extensively
about the type of card and how much you can put into the card,
the multi-application card, which would support some of what I
propose, that it becomes the single point of contact for the citizen
as he is travelling around. On the other hand, there is the observation
that that would require multiple database interactions. You can
have a card which is highly secure which is nothing more than
an identity card and all of the work is then pushed back to the
central database. It is about planning. It is about knowing where
you want the end product to be, because that will in turn govern
the price that you pay for both the card and the system.
Mr Harrison: I think I would endorse
what Mr Jebson says. The big change in the last few years has
been the arrival of near ubiquitous networks: everything is more
or less connected to each other by increasingly broad-band networks.
Given that, it becomes nonsensical, in our view, to expect to
carry out a lot of the work on the card. The card is simply a
secure token to information held elsewhere. The question becomes
how the information held elsewhere is structured, owned, governed
and how people get access to it.
Mr Fisher: By "the card",
of course, I assume you are talking about the actual token, the
storage device that the citizen will have?
Q432 Mr Taylor: Yes.
Mr Fisher: There are a lot of
ways of going at this, but we believe that there are a number
of factors, one of which is cost, one of which is ease of use;
the other one is the other functionality you can get from the
storage device that you use. Clearly, cards are one way and they
are very common; in America they use cards almost for everything.
We believe that a storage device can be made in many different
forms right now, and, for example, there is the example of a 2D
barcode which holds about 1300 bytes, and that is one of the designing
constraints, is the size of the biometric file that represents
you. You can normally get that down to about 500, 600 bytes on
finger and face, so plenty of room in here for something like
that. Of course this is printable and it is you. Even if somebody
stole it, it is of absolutely no use to them whatsoever. So having
a printable storage device is actually very useful. This "flash
memory", which you can get for less than a pound, less than
50p now, gives you a megabyte of information. It is also a storage
device which is extremely useful. Like any storage device recording
data, it can be encrypted and made extremely secure. All those
features are still in this. We would say, because QinetiQ are
research and development, so we basically evaluate all these things,
that there are a lot of options open to you to design a system
that is friendly to the citizen, cost-effective, operationally
very effective, allows ease of use, and one of the important things
about this is all I need is my face - if this is a facial
biometric - my face and my biometric to gain access to whatever
it is I want to gain access to provided what I want to gain access
to has the reader for this facial biometric. It does not have
to go on the network, it does not have to go back to the register,
just the two of us together are all you need to open the key,
as it were, open the lock. So we believe that this is not particularly
high-tech. A lot of this technology is extremely mature right
now, achievable right now, and, yes, you can use cards, but I
think the factor you will have to understand and remember is the
cost of the whole system and the running of the system, and that
is a factor in the implementation of the storage device for sure.
Q433 Chairman: Mr Fisher and Mr Haddock,
you are being terribly polite, which is as it should be. You have
both got completely different approaches to this. If you were
arguing about this in private, what would you be saying to each
other more bluntly than you are at the moment about the strengths
of each other's systems? We have, as I understand it, at the moment
a pretty high-tech, pretty secure card on the one hand and a fairly
low tech approach on the other. How does the Committee ever come
to review which approach is right?
Mr Haddock: Just because it is
high-tech does not mean it is expensive. The US Government pays
less than $4 a card for the US Green Card, and the Green Card
stores high-resolution photographs, colour photographs, high-resolution
fingerprints; it has 2800 data tracks; each one of those data
tracks is equivalent to this piece of paper, so you can have that
data but update it continuously. The important thing to understand
about biometrics is that 1300 bytes is enough to have a template
file of a biometric - that is a mathematical extraction of
the image of the fingerprint or the face - but not enough
to have a true image that is a high-resolution photograph or fingerprint
that you can extract such minutiae from. You want a card, I think,
that would have global inner compatibility so you can take your
card to the United States, or Italy, or whatever, and have that
be used. In order to do that you need the real images on the card
and from that you can extract whatever mathematical minutiae files
are required by that environment. In Italy they may have a different
system that you have in the UK. If you bring with you a secure
biometric image of your face or image of your fingerprint, it
can be interchanged between systems without additional cost. It
gives you vendor independence, because those minutiae files are
all vendor specific and proprietary. So the value of multiple
biometrics and true images has been seen throughout international
standards bodies. In the passport world they are mandating at
minimum 32K, which they recognise as being insufficient and really
want up to a quarter to a half a megabyte of data in order to
store these types of images. I think if you want a long-life card
that has the ability to be future proof, you need data capacity,
you need updatability and you need to store the true image files,
because biometrics will change but your fingerprint image, your
face and so forth, will not, and so you do not want to get trapped
into biometric minutiae files that are vendor specific, you want
the ability to be able to take it across platforms and across
country borders, which means you need the data storage on the
token or card.
Mr Harrison: May I clarify one
comment that I made. I suggested that from our point of view the
purpose of a card was to provide a secure key, and that is entirely
right. So for us it is essentially a thin card, a token that is
used to access information elsewhere. That does not mean necessarily
that you do not store the biometric on the card, you may well
do that. In effect, you will use the biometric to unlock the key
a little bit like the way in which a PIN number is used to unlock
bank cards at the moment.
Mr Fisher: High-tech does not
mean it is expensive, low-tech does not mean it is vulnerable.
The system, the capture system, the processing system, whichever
biometric you use, is going to be the same whatever the data storage
device. Our driver for evaluation for sure is to keep it simple.
It is something that, you know, Mrs Snooks can actually understand
and use quite easily in order to receive benefits from it. Is
it going to be cheaper for her to have something like this than
to have a card when it is four or five dollars a card? These are
fractions of a penny. She can print off as many as she wants.
If she loses it, it does not matter, she can print off another
one, the same as other memory devices. We are an evaluation company
as well and we look at the fidelity of storage devices such as
LaserCard has got - there are a lot of others, there are smart
chips, of course, which have not been mentioned as yet - and
looking at the future the driver has to be cost and keeping it
simple and we would recommend something as simple as printing
out your biometric.
Q434 Mr Taylor: My next question
is to a degree about timescale, and, with permission, I will address
it to Cubic and LSC primarily, because both of you mention that
creating an effective system and a standard for cards will take
time. LSC also mentions significant costs. Do you think it feasible
for the Home Office to plan a phased introduction of cards leading
to universalisation in, say, 2013, possibly sooner? How far do
different types of card affect the timescale?
Mr Haddock: If I can start with
that. I think we have some experience now in five different countries
starting from scratch through the planning process to the point
where they have all issued cards. The most impressive one was
the Canadian Government, where, shortly after 9/11, they decided
they wanted to upgrade their permanent resident card to an optical
memory card, and within nine months of making that decision they
were issuing cards to their citizens. They said by June 28th 2002
they must be issued, and we thought it was very aggressive but
we agreed to it and on June 28th they issued cards. It was on
time, on budget, so it can be done, and I think your schedule
could be cut in half and probably for half the money, given the
appropriate decisions.
Mr Jebson: If I may, the phrase
at the end there is the critical one, the "appropriate decisions".
Cubic is a systems integrator. Our job is to deliver the entire
solution. It is not just about the card. The card will have an
impact. You have to look at the availability of the plastic, of
the silica, etcetera, but I would say that from what we have studied
and what is available as information, then the scheduling that
the Government has proposed is well deliverable.
Mr Fisher: Certainly it is well
deliverable by 2013. When do you start? Well, I think the timescale
you have at the moment could be cut down. The technology is demonstrable
to date and mature enough to date to get something started, and
we believe that certainly a system designed and a pilot could
be achieved certainly well within two years with a run out starting
after that.
Q435 Mr Taylor: You would say that
2013 was rather a soft, sloppy target, would you? We could get
well inside that if we wanted to?
Mr Fisher: Soft, sloppy - I
did not use those words, but
Q436 Mr Taylor: Nor was I attributing
them to you, but you can attribute them to me!
Mr Fisher: I think, yes, I think
once you have decided and once the Government decides on exactly
how it wants to go about it, and we are talking about the three
elements of data capture, data processing and data storage and
what it wants to use, then you can get down to designing a system
quite quickly. Again, we would not advocate a compulsory system.
I think that is adding problems. I think it has got to be voluntary,
opt in or opt out, that does not really matter, but pick-up will
be fast and I think you will find that a target of certainly five
years before then is achievable.
Mr Jebson: If I may, the only
observation I would make is that one should always use prudence
with large scale IT projects. My colleagues are correct, you can
shorten the timescale, but you must not run the risk of shortening
the timescale at the expense of delivering a real working solution.
Mr Harrison: I would agree that
it is entirely feasible to deliver a straightforward effectively
one-to-one relationship with the Home Office ID card in a relatively
short number of years before 2013. How that identity information
is going to be used throughout the rest of the country is going
to take longer: because at the moment there is very little clarity
in the thinking about how the links are going to be created between
the Home Office database and other databases, other service providers.
Q437 Mr Taylor: My next question
is primarily directed to LSC. Mr Haddock, you list a number of
security features that you believe should be incorporated into
the card during manufacture. Are these achievable within the Home
Office's costings?
Mr Haddock: Yes, they are. I think
most of those design features are something that a properly implemented
system would have at very small incremental cost. The idea of
serialising cards so every card is traceable back to its manufacturer,
the fact that you have unique media format that is owned by the
British Government - these are design choices made early on
in the programme. There may be a small engineering charge, but
it would be less than a penny a card by the time your system is
implemented, and you can get nearly all of those intrinsic data
security elements. Some of the physical ones, if you want additional
stamps and holograms and overlays, there is a consumable cost
associated with them, but I see no problem in either cost or timescale
to get all those features in your card.
Q438 Mr Taylor: Is the Italian card
now operational?
Mr Haddock: It is now operational.
The reason I am in Europe is because I was invited last week by
the Italian Government to come to their session that they had
in Rome where they introduced the CIE Card (the Carta d'Identita
Elettronica) to other Member States of the EU and invited me to
speak about the optical card portion of that last Friday. Then
they proceeded to take approximately 50 people representing about
30 countries on a walking tour of the city of Prato where they
could watch the cards being issued in the city where the person's
face and signature and fingerprint biometric was being captured
in real-time as they issued the cards. The whole process took
maybe five to six minutes. The card was then issued to the citizen
and you followed them through the city where they used it at both
services for paying taxes, on police stands where they checked
the optical memory stripe to bring up the face and fingerprints
of the person. So it is operational. They have ordered about 2
million cards. They have issued less than a million, but over
600,000, something in that range, and they are committed to a
full scale roll-out in the coming few years.
Q439 Mr Taylor: Are you at liberty
to tell us how much this has cost the Italian Government?
Mr Haddock: I do not know the
entire cost structure, because we supply what we call a chip-ready
optical card, that is an optical card that has a place where they
can insert their own IC chips. It is a hybrid card containing
both the optical memory stripe and an IC chip. After we provide
the cards to the Italian Government they, in their own manufacturing
process, embed an IC chip. They add their own software, they add
additional cost and value to the system, so I cannot tell you
directly what it is, but the optical card portion of it is slightly
greater than the US card but it is not significantly more.