Examination of Witnesses (Questions 460
TUESDAY 20 APRIL 2004
Q460 Mr Clappison: How long has the
whole Italian process taken? When did they decide to go for it.
Mr Haddock: I would say it has
taken about five years, but about two years of the actual trying
to do it, whereas the Canadian case was less than a year, the
US Government was a couple of years.
Q461 Mr Clappison: I am going to
come back to that in a moment. I would like to ask Mr Harrison
first why he thinks that the OGC Gateway system is inadequate,
and what he means by saying that it lacks any kind of sustainable
business model and fails to address the real issue?
Mr Harrison: I fear that I may
have been a little bit misquoted. In fact, I should qualify that.
The Gateway system as a means of ensuring high quality procurements
by government is entirely sensible and straightforward. I may
perhaps have been referring to the government gateway which is
the authentication system run by the Office of the Envoy, which
is a very different thing. That is essentially a means of allowing
the Government to receive digital certificates in one central
place and for the identity to be used by different government
departments without having then to repeat the infrastructure.
On that specific point, we would say that the effort to create
a central point, a central intermediary, if you like, for authentication
of the individual versus Central Government departments is pretty
well done, but to suppose that that central point of authentication
is going to work for the individual to local authorities to education
to the health sector, etcetera, is perhaps so optimistic
as to be naive. Could I perhaps make one further point? Federation,
which is what I am talking about mainly, is a fairly new set of
ideas which is sometimes rather difficult to explain. I do not
know that I have done a particularly good job. Maybe if I illustrate.
This is my wallet. I have in here probably 12 pieces of identity,
12 identity tokens, namely plastic cards. I have another one here
which is my mobile phone which identifies me to my mobile phone
network. All of them are to some extent high quality security
tokens. What we are about to do with the Home Office mentality
is to issue another the identity token to all 60 million people
in the UK without any notion that they have certain elements in
common and that if we get it right you can create a system, an
infrastructure, that does a lot of the jobs of all of them at
much lower cost whilst emphasising privacy.
Q462 Mr Clappison: Could I ask each
of you briefly, if I may, when within the Home Office's 10 years
timescale do you think the Government needs to decide exactly
what it wants the system to do and what sort of card it wants
and how feasible it will then be to add applications at a later
Mr Harrison: It is a design process
like any other design process. You take, you should take, the
big decisions about the infrastructure, the basic shape of the
thing, very early on. You create the outline, and then, as time
goes by, you can fill in the detail. What is very, very expensive
and almost catastrophic is to go a number of years down the path
and then change the overall outline.
Mr Fisher: I agree with that.
You have to get it right in macro terms from the very beginning
and keep at it.
Mr Jebson: I would entirely endorse
Mr Haddock: I agree with that
Mr Clappison: That is very helpful. Thank
Chairman: Let us see if Mr Singh has
as much luck!
Q463 Mr Singh: Mr Jebson, Cubic strongly
supports the inclusion of a biometric element to any identity
card. I think you suggest either fingerprints or iris scanning?
Mr Jebson: I think what we have
said in our written evidence is you can take either route. You
can take the third one, being facial recognition, digital facial
recognition, all three have strengths and weaknesses. You can
make an argument that in some cases you may need more than one.
For example, the fingerprint, which is quite a commonly known
biometric, has to be taken into context of the fact that people
might feel it is intrusive because there is a physical contact
between the finger and the device that is authenticating it compared
with iris scanning which is much less intrusive. It is really
about the level of security you want, and I would incline towards
the very highest level, which you may wish to consider more than
one. Again fingerprints: fingerprints wear out. It is a rather
silly thing to say, but somebody who is working in a building
site, their fingerprints wear out. So if you have only got that
option, you may find yourself having to re-validate, re-authenticate
quite a large part of the population.
Q464 Mr Singh: Presumably in choosing
either one or the other or both cost is a factor?
Mr Jebson: At the moment fingerprint
technologies are probably a lower cost than iris scanning. That
is not to say over the next two to three years that would not
Mr Fisher: Iris scanning is quite
expensive and reasonably intrusive; fingerprint is intrusive but
it is mature technology; face does not have to be intrusive, it
can be almost seen as transparent to the person being authenticated
and matches some commercial processes very well indeed.
Q465 Mr Singh: What would you recommend,
Mr Fisher: Well, a bit like Cubic,
I think you have to match what it is you are trying to do, the
security environment you are in, the risks you are faced with
and your own commercial process. So, for example if you are a
government then you are trying to strongly authenticate people
who are trying to get in; time may not be a factor. If you are
an airport, then you are trying to get passengers through in a
way where the security is matched to the risk environment and
therefore you may have wish to have faster authentication process.
The technologies are mature, so each individual may have a number
of different biometrics. There is no technical reason why they
should not have that.
Q466 Mr Singh: Can I continue with
you, Mr Haddock, because I think in your company there is something
called an embedded hologram. Can you explain what that is?
Mr Haddock: To touch briefly on
your previous comment about biometrics, I think it is essential
in any properly designed system that you have more than one biometric,
for the reasons citedcertain sections of society cannot
be enrolled in certain biometric programmes because of a disability
or lack of the feature concernedso I think you need to
design a system with more than one to be inclusive of all your
population, and it should not cost very much more incrementally.
As I said, I watched the Italian Government capturing biometric
data from their citizens. They took their photograph, they took
their fingerprint, they had them sign a piece of paper and scanned
that and they did it in less than five minutes. So the cost of
operating the cameras to do this is almost nothing. The only cost
associated is when you have to licence the algorithm to decode
some of these proprietary biometricsyou pay a royalty per
useand that is something you need to look into for your
own purposes, but the actual cost of capturing the images is essentially
nil. So, that said, the embedded hologram is a unique characteristic
of optical media, because we have a highly reflective surface,
like a CD ROM, and we write data with a laser to encode the data
files on the card, and, as I say, once they are written they cannot
be erased; but we have an additional feature to change the laser
data recording mode is writing in and take the same image files
which you needed to get the photograph of the person and write
that image file into the optical media surface (at the same time
as the digital data is encoded) in such a way that you can actually
see the person's face in the optical media layer. By comparing
that image to the printed card image you get an additional security
layer knowing that the media and the card body are linked together;
and because that embedded hologram, as we call it, is part of
the data surface it is a very secure feature of the card and one
that the US Government and the Canadian Government, the Italian
Government and the Saudi Governmentthey all use it as a
core security element of their ID card programmes.
Q467 Mr Singh: What biometric are
the Italians using?
Mr Haddock: Pardon me?
Q468 Mr Singh: What biometric are
the Italians using?
Mr Haddock: The fingerprint, facethey
have a full colour face image, although at this point they are
not biometrically verifying it, they are displaying it on a computer
screen and visually comparing at this point. The card is capable
of storing the minutiae files, as they are called, which are generated
by the mathematical algorithm which is necessary to do a computer-based
match (which is what is on your sticker), and they have the fingerprint
image which is in the optical memory of their card, and they have
the written signature scanned and digitised on the optical memory
Q469 Chairman: Mr Harrison, do you
have any views?
Mr Harrison: On the style of biometric?
Q470 Chairman: Yes.
Mr Harrison: Not really, biometrics
is not our field. We simply presume and assume that there will
be a secure key which may be enabled by a biometric, but for us
it is just a black box.
Q471 Chairman: On a different issue
slightly, I do not know what is happening in Canada, or the US
or Italy, but in the UK there is likely to be a huge debate, a
civil liberties debate, about the introduction of identity cards.
I do not know if that has happened elsewhere, but do you think,
if we are adding biometrics, that will heighten the debate, will
there be acceptance of biometrics, or will there be resistance?
Mr Haddock: I can comment about
Canada, because the Canadian Government believes they hold their
own citizens' privacy at a very high level. That was a very stringently
debated issue on their issuance of a card that was going to contain
any personal biometric data. What is currently on the Canadian
card is a facial photograph of the person, (which is actually
in black and white because they laser-engrave the card), and it
has a digitised signature of the person (where again it is a scan
of the signature), and they have allocated a space in the secure
partition of the optical memory for a fingerprint, but currently
they are not putting the fingerprint in it because they are still
considering the privacy implications. So in that case they built
the flexibility to upgrade in the future into their system. I
think you can see the flexibility offered by that choice.
Mr Harrison: You can look back
at the history of card technology used in society, particularly
by the banks over the least ten or twenty years, and they started
with paid cheques, they then produced bank cards, we now have
bank card with holograms, we will soon be going for bank cards
with chip and pin, and by and large most people did not object
to that at all because they saw it to be to their benefit, and
that I think is key. If you can find a way of making people realise
that the identity card and the services that it can deliver are
to their benefit, that they deliver things that they would not
otherwise receive, then the biometric is simply a means to an
end; but if the biometric is imposed on a card which does not
deliver to the majority of the population something that they
do not already have, then it may be more difficult.
Q472 Chairman: So you believe that
the card has to be more than just a simple identifier, it has
to be an entitlement card of some kind?
Mr Harrison: I think certainly
entitlement is a benefit that can delivered by a card, but there
are a lot of other services that can be delivered using a secure
identifier into federated identity architecture. We talk about
intelligent mail direction, we talk about lifelong medical records,
we talk about cross-domain transactions such as the simple one
of getting a parking permit which is a three-domain transaction:
yourself, borough council, DVLA and proof of residence. At the
moment that is very difficult because it is cross-domain. If you
design the system right you can enable that kind of thing, which
is definitely to the advantage of consumers without too much additional
Q473 Chairman: Mr Fisher.
Mr Fisher: Entitlement, I understand,
is a term the Home Office do not want to use. I would say it is
more like a permission card. You are accessing permissions you
already have. You are verifying it. You can have these permissions.
So I would agree entirely with Mr Harrison that promoting the
benefits of the card will immediately attract the positive attention
of society. The consultation paper highlights the perceived negative
aspects which are, if you like, law enforcement, the heavy hand
of the law, big brother, which are all very necessary in this
rather heightened security environment we live in now, but they
should be overwhelmed really by the benefits to people in society.
There will always also be a white noise of the population who
in any circumstances will not wish to join. Well, they still have
to be authenticated within this heightened security society, but
it is just that they will have to join the queue over there and
that will take them a bit longer and all the rest of it, but if
that is what they want, that is what they can have and I think
that has to be accommodated.
Mr Harrison: Can I add one further
point which is that in a sense, and people may laugh, but issuing
an identity card is a relatively clean and simple thing to do.
The thing which, in our view, takes a lot longer and is far more
complicated is devising and developing the business applications
that will depend on it. The Home Office rightly has a lot on its
plate at the moment. It is focused with a very tight, close team
doing this one thing, but at the moment there is very little communication
with the rest of society about how the identity card is going
to be able to be used more broadly and if we are going to deliver
these positive benefits, that communication has to start at some
point in the not too distant future.
Mr Jebson: I was going to endorse
what my colleagues have just said. I think there are two strands
to this. One is to ensure that the message is communicated as
to the benefits and I think parallel to that reassurance about
data protection. I think if you have a good communications programme
with the public, then the vast majority will accept it, will endorse
it and welcome it. If I may say, from my own past experience of
running a train-operating company, there will be a small portion
of the public who will not want it and unfortunately no amount
of good publicity can change that. The vast majority of people
just want to be communicated with clearly, simply and to be reassured.
Mr Haddock: The Italian Government
approach to this is that the card really has two functions, one
being as an e-government services card with an IC chip on it which
is there for that purpose, and it has an optical stripe for secure
identification. If you go to the Italian website or look at their
promotional materials, their messages to their citizens are all
about e-government services and all the benefits that they are
going to get, that they can pay their taxes, they can get their
records at City Hall, and there are all of these things that they
can do with their chip which is part of the card. They do not
really talk much about the fact that it is a secure national ID
card, so they are building public support for it by talking about
e-government services. It is really almost like two cards in one
with the chip and the optical stripe doing two different things.
The national security group wants the optical stripe for security,
but it is not being sold on that, it is being sold on government
Q474 Mr Prosser: I want to continue
on this theme of public acceptability and effectively taking away
barriers or even selling it to the public. First of all to Mr
Jebson, you have stressed the importance of swift and easy issuing
and swift and easy checking and we have heard some examples of
how long it might take to issue the biometric card or the identifiers,
but what is your view? How long should that take?
Mr Jebson: To be honest with you,
Mr Prosser, I would not dwell on how long it should take. I think
what you have to look at is the acceptance by the citizen.
Q475 Mr Prosser: How much do you
think they will accept?
Mr Jebson: If I use this analogy
of when we are issuing Oyster cards, the passenger who is taking
on an annual season ticket perhaps, which is very high value to
them, is quite prepared to spend four to five minutes authenticating
themselves and assuring themselves that they are properly registered
to get that benefit. It will change as they use the card and for
those of you who use the Underground on a regular basis, then
four to five minutes is totally unacceptable and they expect a
gateline to operate within a couple of milliseconds, so it is
really about different situations requiring different periods
of time. From personal experience of passports perhaps, if you
are planning carefully, then I believe you can allow two to four
weeks to get your passport. If you have forgotten to plan carefully,
then you find yourself rushing up to Victoria, having made an
appointment, and getting your passport turned around in four hours.
I think it is need driven rather than it has to be that amount
Mr Haddock: I would like to put
in a word for the UK Foreign Office which issues passports. They
gave me a tour in Washington of their passport issuing centre
which was amazingly efficient and without anyone paying any premiums,
they were turning around passports in 24 hours as the normal course
of business, so I think at least they should be applauded for
Q476 Mr Prosser: Mr Jebson, you were
having a discussion there with Mr Singh about a campaign of awareness,
a campaign to encourage people. If you were designing that campaign,
how would you design it, how would you approach it?
Mr Jebson: I think I would like,
in American terms, to take the Fifth Amendment on that one right
now and suggest that we would be very happy to invite my colleagues
from Transys to provide some written evidence on how, working
with TfL, we have launched the Oyster card in this country.
Q477 Mr Prosser: I must get one of
these Oyster cards. Coming back to the campaign, we have heard
from some of you that the Italian experience was that it was a
successful campaign. Can you draw on many other examples of good
practice of a campaign and preparing the ground to get over some
of the barriers which are in people's minds?
Mr Haddock: The Canadian Government
put out a PR campaign about their new permanent resident card
and actually the card is a very beautifully designed card. They
did a good job in designing it and it makes you want to own one,
so there is some pride of ownership associated with it in the
newspapers. It is called the Maple Leaf Card and it was splashed
all over the press there. They actually won three international
awards within three months of it being issued for both technical
and aesthetic qualities. They then put out technology fliers on
the benefits of it and got a high rate of acceptance. Of course
they also had the advantage of having a pre-existing paper document
which they could force to expire and oblige people, if they wanted
to continue to have the privileges associated with that document,
to upgrade to the new card. Since the UK has no national ID system
in place now, you do not have that option.
Q478 Mr Prosser: Mr Fisher, how much
pride of ownership would there be in our card, do you think?
Mr Fisher: Well, the point about
it is that such an authentication device is going to become part
of everyday life and, therefore, very quickly you will become
conditioned to it. It is not necessarily a card, it could be a
card, it does not really matter, but because it is going to be
a necessity in the future, then as far as the campaign is concerned,
there are going to be a number of people who, for example, and
I take the Home Office guidelines here, need to renew their driving
licence and they get the card at the same time, they need to renew
their passport and they get the card at the same time, but I do
not think that is part of the campaign. You need to bring in people
who would not necessarily do those things and I think you can
use a number of incentives. Dare I say, as a taxpayer, I see a
tax incentive involved, but you could do so to get the thing moving
and get it going.
Q479 Mr Prosser: You emphasise quite
strongly in your written evidence the importance of security of
procedures and the openness of the system in order to encourage
Mr Fisher: Correct.
2 Not printed. Back