Examination of Witnesses (Questions 440 - 459)
TUESDAY 20 APRIL 2004
MR JOHN HARRISON, MR ANDY JEBSON, MR RICHARD HADDOCK AND MR NEIL FISHER
Q440 Mr Taylor: I have one further
slightly different question for you. We live in an age where computer
systems get hacked. Suppose, with the best will in the world,
we were to bring out an absolute state of the art identity card,
the best that the best minds could produce, and then somewhere,
months or perhaps a year or so down the track, somebody came up
with an offensive technology which had not been anticipated at
the time and hacked into the system. Would it be possible to add
on subsequent defences?
Mr Haddock: I believe so. Part
of the advantage of the optical memory is that there is a lot
of reserve capacity. The Italian Government spent four years planning
for their ID card programme. They had 40 experts from different
parts of industry, from electronics and printing and government
institutions, to define what they wanted in their card. A lot
of it was directed at the issue of security, so if cards were
stolen or encoders were stolen, anything violated the security,
they still had a secure system, and I think their architecture
does that by providing encoded data that shows the entire audit
trail of the issuing system on the card. If that was violated by
some method, it would be a straightforward matter for them to
write additional credentials to future cards which could not be
duplicated by that entity, so that I think that they would continue
without having to reissue the entire card population to know that
they still have a secure system.
Q441 Mrs Curtis-Thomas: Mr Harrison
and Mr Haddock, your conversation about various merits of your
cards was intriguing. I think the message I got was that simple,
Mr Fisher, meant local or just national to the UK, more complex
means international. One is cheaper than the other, but more expensive
means a global card. Did I get that message right?
Mr Haddock: I am telling you that
you can have more global interchange by having more data and more
biometrics of the full images on a card, and our card does comply
with international standards for logical data format, and so all
these five cards that our customers have issued are compatible
in one system, whereas the US system that has been put up can
authenticate Canadian and US based cards. When an Italian card,
or a Saudi card, comes into the system, we can authenticate that
it is a real card from the data structure being recognised as
one leaves that country but the system cannot read all the data
because it has been held protected by those governments. So it
gives you a lot of flexibility in how and where you share your
data, but you do not have to choose to do that, you can use intrinsic
security for inter-country purposes or partition the memory to
have additional multi-applications for health and other welfare
benefits, although I agree with my colleagues that adding multi-functions,
while technically it is no problem, certainly adds to the complexity
of the issuing and maintenance of any system.
Mr Fisher: The approach we have
taken is purely for the UK, but the simplicity of it and its lack
of cost, of course, would allow anybody coming here to do it.
We feel, and I have been to America a lot and I have seen the
data card system in operation on the Mexican border, and such.
It is an elaborate system and does not necessarily pay credence
to the principles of authentication that we have outlined in our
written evidence.
Mr Haddock: Can I ask why not?
Q442 Chairman: Do, please?
Mr Jebson: Shall I sit back here
and just let you two go for it!
Q443 Chairman: Mr Fisher, would you
like to answer that, as it has been posed?
Mr Fisher: Yes, because some of
the things we are talking about is that that is a single card.
We are talking about the benefits of perhaps the simplicity of
having an authentication storage device which is easy to use and
allows you to access the benefits that that sort of permission
regime gives you. So, for example, you can have as many of these
as you like, it does not matter; it is only you; only you can
access to this, and you can attach this to anything you want which
is yours, so your baggage going through the airport, you can have
it printed on your boarding card, you can have it etched onto
your card, you can have it tagged to your baby in the maternity
ward. You can do all sorts of aspects of authentication linkage
that creates a much richer and safer and better quality of life
society than you can by just having a single card which is just
for you.
Mr Haddock: You keep referring
to that card as being you. You agree that that is a template-based
biometric that you are referring to there?
Mr Fisher: It is, yes.
Mr Haddock: Therefore it is a
proprietary format and it therefore is a single point of attack
to learn how to make a template file, which is a fairly straightforward
matter, and once that has been done then anybody can put stickers
on anything and claim them to be you or whomever they want, so
I do not think that is a very secure methodology to have multiple
stickers.
Q444 Chairman: That was a fascinating
exchange. I am going to ask Mr
Mr Haddock: The other point about
cards being complex to use is that you can read the data in two
seconds, so it is not very complicated.
Q445 Mrs Curtis-Thomas: The next
question is that when mobile phones were first introduced you
could only use them in certain parts of the country. You had to
rely on a massive number of telecommunication masts so that you
could use it anywhere. If we use the mobile phone technology as
an example here, if we take your card, where could we use it now
in the world and where might we be able to use it in the world
10 years from now?
Mr Haddock: You could use it in
the US Government system that they are installing right now which
should be all functional by summer this year. The Canadian Government
has installed 115 on their border sites and a properly designed
card by your Government could allow that system either to just
verify it is an authentic UK ID card or allow them to read face
and fingerprint, whatever you want. It is under your control,
but it would be compatible with that system, so already you would
have US and Canadian compatibility and also it would be compatible
with the Italian and Saudi systems. It is under your control how
much of that you want to give them, but, in addition, we believe
in the coming months and years many other countries will also
adopt the use of optical stripes, because you can add other technologies
to it. The Italians chose to have a micro-chip to provide E-Government
services and an optical stripe for IDs.
Q446 Mrs Curtis-Thomas: So at the
moment we could use it maybe in Scotland and Devon, but with the
rest of the country we would draw a bit of a blank?
Mr Haddock: Yes.[1]
Mrs Curtis-Thomas: Okay, I accept that.
Q447 Bob Russell: Mr Fisher, you
support what is described as a comparatively low-tech approach,
although when phrases like 2D barcodes or one megabyte memory
sticks are used, to me that is rocket science. Anyway, you support
an apparently low-tech approach. So would not bar codes and memory
sticks, as has been indicated already, be more vulnerable to forgery
than more high-tech solutions?
Mr Fisher: I do not see how. It
is a storage device; that is all. How the biometric is protected
on it is the same whether it is a storage device or a laser card
or anything else. Therefore the feature that you are asking about
is will it take a strong encryption of some sort, a strong security
on the data? Well, yes, it can.
Q448 Bob Russell: But, Mr Haddock,
a witness for the prosecution, stated that they are very vulnerable
to forgery?
Mr Fisher: No, I do not see how
it is. If it is strongly encrypted, strongly secure and it is
me only I can access it.
Q449 Bob Russell: What would be the
cost of production of the sort of card you favour?
Mr Fisher: This is the whole point.
If you have something like a 2D card, something which is reasonably
low-tech, then you can have it on any material that you like.
For example, if your comfort zone is that you have it on a card,
then you can have it on a simple card; plastic cards are extremely
cheap. But it is mine, you see, this is me, this is my biometric,
and therefore I may want it on a card, I may want to print it
on to my documents, I may want to have it attached to my luggage
tags. There is no reason why I should not have the ability to
have it on my home computer to access my home computer as a sign-in.
There is a whole raft of things which you can do with a biometric
which is in a digital format. All we are talking about here in
terms of the card is a storage device.
Q450 Bob Russell: I wonder if I could
come back to the cost, because the Select Committee is considering
not only the principle of whether to have identity cards but also
(a) what would be the costs produced and (b) some very high figures
have been suggested as to what the Government will start charging
individuals for an identity card of some sort?
Mr Fisher: I think this figure
has come from an assumption it is going to be a chip card or something
very similar. What we are saying is take a step back and try to
look and see what it is you are trying to do. If an individual
wishes to have his biometric in a variety of formats, which is
perfectly possible, then an ordinary plastic card with a barcode
printed on it, as they have in America on driving licences and
everything else, is extremely cheap.
Q451 Bob Russell: If you cannot give
us the answer, then I wonder if you could write to the Committee
and let us know how much extremely cheap is?
Mr Fisher: This costs fractions
of a penny to print off.
Q452 Bob Russell: Therefore the administrative
cost would be considerably greater than the production costs?
Mr Harrison: I think that is nearly
always the case.
Q453 Bob Russell: Would that be common
to all?
Mr Harrison: Pretty much, yes.
Q454 Bob Russell: So the administrative
costs would be common to all. Mr Harrison, if I may come to you
next. You have described identity card as primarily a secure key
rather than an identity token. What consequence does your approach
have for the type of card used?
Mr Harrison: Well, cards may have
two parts to them, one is the plastic face, the other is probably
some kind of electronic machine readable component, which could
be a chip, it could be a barcode. I would imagine that the plastic
face will have a photograph, a name, etcetera, the machine
readable part will probably have some kind of certificate or anonymous
certificate that will enable the card to be used as a key to the
particular kind of point of presence that we envisage.
Q455 Bob Russell: Mr Haddock, finally
your experience of coming to the Houses of Parliament, how would
your high-tech identity card have helped or hindered you in gaining
access here?
Mr Haddock: I found I did not
need any card or identification, all I needed was my material
to go through your metal inspector.
Mr Jebson: I would like to try
and pick up a couple of the points that Mr Russell and Mrs Curtis-Thomas
have raised. Unfortunately it is one of those things where I am
not going to give you the answers, but I am going to suggest that
there are a couple of questions that should go into the process.
We have talked about the price of the card, and again I am sorry
if I sound pedantic, I am going to come back and say, you must
consider the price of the system. It is the system that gives
you the integrity, and dependent on what you want the system to
do will determine whether you want a very, very low-cost biometric
or a higher cost. I think you have taken the point extremely well
that issuing is as much a part of the cost of the system. I am
sure you are very familiar with the Oystercard. There are 1.4
million of those out there. I think it is commercially sensitive
as to the exact price of that card because things like the volume,
quantity discounts, that type of thing, will come into play. I
think you need to ask whether you want that card to be a card
for life or a card, like your passport, that will be renewed over
a period of time, whatever that is, five years or 10 years, because
in planning your system you have to accept that you may want to
revalidate that individual is still the same individual, that
it is still the same address. One closing observation, Mr Fisher
talked about the cost of technology. There is a well-known computing
law, Moore's Law of Computing: the processor speed doubles every
year, the price halves every year. He has shown you a memory stick
from a computer. That is a memory stick from a computer that I
bought yesterday. It is freely available. It has got a 32 megabyte
storage capacity for those who are interested in that terrible
technology, but, more importantly, it costs me exactly one quarter
of the price of the same size of memory stick two years ago, and
that little silver patch in the middle is a biometric fingerprint
reader. So that is a biometrically protected device already at
a very low price. Understanding the combination of the system,
the design and what the end product will be that will help answer
the question of how much.
Q456 Mr Clappison: Can I turn to
the subjects of government procurement and system specification
and in particular what the Home Office need to do to adequately
specify their requirements. Could I ask Mr Jebson - and just
to remind him of what he said in his written evidence - you
call for carefully defined requirements that are not prescriptive
or too lengthy. Does your experience of delivering government
smartcard projects encourage you to date and is it realistic to
expect precise requirements at the beginning of a national system
of this scale?
Mr Jebson: Thank you for the question.
I would have to draw on my experience from delivering the Oyster
scheme in London, and I think pragmatically some very clear decisions
have been made because the technology advanced from the day it
was originally planned. Had the requirement been very, very prescriptive,
then I do not believe that the Oyster system would be out there
functioning as well as it is today. It is a very fine balance
between being over-prescriptive in order to perhaps get a level
playing field from suppliers and avoiding talking to a supplier
and saying, "That is what I want to achieve. How can I best
achieve it?"
Q457 Mr Clappison: Can I move on
to the question of security. Mr Haddock, I think you were touching
on this earlier and I give you another opportunity to come back
to it. You list a number of security features you think should
be specified for cards and readers. How detailed do you think
this specification should be?
Mr Haddock: I think, as laid out
in this document, it is a fairly generalised prescription of features.
Those features are not unique just to optical memory, although
I do believe that optical memory better addresses that than any
other type. But I think if you put in your specification that
your system must have a token that has these characteristics,
I do not think you have to get too much more prescriptive than
that, although I believe that you need to also add other security
elements for making sure that there is a product available with
the ability to be sure the data cannot be changed and so forth.
Q458 Mr Clappison: You mentioned
in answer to earlier questions your experience of the Italian
system. What lessons have we to learn from the procurement process
of that system?
Mr Haddock: That is an unusual
process, particularly in Italy, because it has been a long and
ongoing process for - it was about four years of planning
and now, just in the last year, they have really started issuing
the card. The procurement process started in what they called
the Experimental Phase because they had a group of 40 companies
and government agencies who were providing input to them and from
that they asked that same group to do a pilot programme of two
hundred thousand cards to learn how well it worked and adjust
to specifications and so forth. From that they started putting
out procurements for sections of the system, not the whole system.
They wanted a personalisation system, a printer system, database
system, so they did not attempt to keep the whole thing as one
procurement but rather, once they understood what the process
was, one added
Q459 Mr Clappison: Do you think it
is better to go for a whole system
Mr Haddock: I think to get complete
satisfaction, in the end you are better to ask for the whole thing,
although I think there are sections which you could cut. I think
there is certainly a difference between structuring the national
database to collect the biometrics and prepare the data is one
thing altogether, and from my point of view, if that database
existed it would be quite easy to provide a quotation, assuming
that the data set is there, how much would it cost to take that
data and personalise, initialise cards and mail them to your citizens.
We could easily quote against that.
1 Note by witness: At a national level, the
building of a system infrastructure would take some time but that
is a function of the project plan and is not card technology dependent.