House of COMMONS
MINUTES OF EVIDENCE
HOME AFFAIRS COMMITTEE
Tuesday 20 April 2004
MR JOHN HARRISON, MR ANDY JEBSON,
MR RICHARD HADDOCK and MR NEIL FISHER
USE OF THE TRANSCRIPT
Taken before the Home Affairs Committee
on Tuesday 20 April 2004
Mr John Denham, in the Chair
Mr James Clappison
Mrs Claire Curtis-Thomas
Mr Gwyn Prosser
Mr Marsha Singh
Mr John Taylor
Witnesses: Mr John Harrison, Edentity, Mr Andy Jebson, Director, Cubic Transportation Systems, Mr Richard Haddock, Chief Executive Officer, LaserCard Systems Corporation, and Mr Neill Fisher, Director of Security Solutions, QinetiQ, examined.
Q414 Chairman: Good afternoon, gentlemen. Thank you very much indeed for coming to give evidence to the Committee this afternoon, which is, as you know, one of a series of hearings that we are having into the issue of identity and entitlement cards, and we expect, in due course, to give drafts scrutiny to the Bill that the Government finally publish on ID cards. I wonder before we start if each of you could briefly introduce yourself and the organisation that you represent. Mr Haddock, I think you have come further than anyone else. Can we start with you, please?
Mr Haddock: Thank you. My name is Richard Haddock. I am the President of LaserCard Systems Corporation - that is a subsidiary of Drexler Technology Corporation, Mountain View, California. Our company is the world's leading supplier of multi-biometric ID cards. Our cards are used throughout five countries in world. We have sold approximately 20 million cards throughout the United States; they are used in Mexico; the Canadian Government; the Italian Government and the Saudi Arabian Government are now beginning to use our products. We are in the process of assisting the US Government in the fielding of 1,000 biometric verification systems across the US border entry points and the Canadian Government simultaneously so they will be able to biometrically verify their card base. We feel our card is the most secure and cost-effective means of providing national identification documentation and we are pleased to be here today to share the information with you.
Q415 Chairman: Thank you very much indeed. Mr Jebson.
Mr Jebson: Andy Jebson. I am a director of Cubic Transportation Systems Ltd, which in turn is part of the Cubic Corporation based out of the US. Our other division is Defence Systems. In the transportation side, we are with the world leaders in the provision of transportation systems, ticketing solutions. We operate over five Continents and perhaps in the UK we are best known as being the technology partner that has delivered the London Transport system, the Oystercard, which I am sure we are all familiar with today. As my colleague has said, we are delighted to be here to offer our experience and expertise.
Q416 Chairman: Thank you. Mr Fisher.
Mr Fisher: Neil Fisher, I am the Director of Security Solutions at QinetiQ, which is Europe's largest research and development company, with emphasis on security and defence. Our work covers a very broad canvas from land, sea, air, space, cyber-space and water, and our drive really is to create solutions that integrate people process and technology.
Q417 Chairman: Thank you. Mr Harrison.
Mr Harrison: My name is John Harrison. I am the Director of a small company by the name of Edentity that has spent the last four years or so advocating the need for the design of a federated digital identity infrastructure that can be used to facilitate a wide range of identity-related transactions across society, both government and the private sector.
Q418 Chairman: Thank you very much indeed. Obviously in today's session we are particularly going to be interested in improving our understanding of some of the major choices that have to be made over the design and structure of any ID card or entitlement card system. So we hope that between you your expertise will at least elucidate the issues that we need to be thinking about. Perhaps I could start off by asking you some questions about the database that is proposed for an entitlement or ID system: questions of whether to create a new database or build on an existing database, some of the issues about advantages and disadvantages of a single database. Perhaps I could ask this to Mr Jebson. You, I think, have come down in favour of the Home Office's proposal to create from scratch a new national identity register. Some of our earlier witnesses have argued against this approach of putting all the eggs in one basket, saying it makes the system more vulnerable. What is your assessment of that argument?
Mr Jebson: I think it is a very valid argument that all technologies can be viewed in a number of different ways. From our perspective, if I use, for example, the London Transport situation, the prestige databases are contained in a very secure facility in one single site so that there are limits on the access to the data over things like communications links. Significantly, we are able to deliver high levels of security of access by the individual because we maintain those databases, and there are multiple ones, not just the one database, in one place. I think the other observation I would make is that we are not necessarily talking about a single database. Our system is completely backed up in a separate site but, again, highly secure because it is all in one place.
Q419 Chairman: Could I ask you to separate the two issues. You have responded largely on the issue of whether one has a single database. The other issue that is covered by this is whether we start from something we have got at the moment or whether we start a new database from scratch. What is your view there?
Mr Jebson: I would suggest that it is better to start from scratch because you then can ensure integrity of the data from the outset. Whenever you have a situation where you are bringing together multiple databases, in our experience that involves the risk of corrupting the data because you may have different people making different entries.
Q420 Chairman: Mr Fisher, your company, I think, has taken a different view on this and says that we should start with the ONS Operation Register. Can you tell us why you come to a different conclusion?
Mr Fisher: We do not believe that you have to start from scratch. Clearly the identity risk will be new, but there is a lot of merit in combining with existing databases to create a much larger virtual single database which looks single but is disbursed to create another value out of the linkage between your authentication and your clear identity on your birth certificate.
Q421 Chairman: Could I ask you both whether this choice is critical to the design of a new system or whether it is one of those issues that you can argue either way and you can make the system work whichever approach you take?
Mr Fisher: By the linkage with existing systems you are going to create a very enriched database which is highly robust and which will, I believe, provide much better verification of your identity by your authentication, and in doing so you will have a much more resilient system and one which is stronger against possible attacks from fraudsters and the like.
Q422 Chairman: Mr Jebson?
Mr Jebson: I do not disagree with my colleague's observations there. I think the point that we would make is that it comes down to the planning and what you want the database to do. You have talked about richness of data. I think that what the Government must consider is what else it might want to do in the future with an identity card. If it is a pure identity card from the outset and it is never going to be anything else, you would have to balance that against the richness of data that might be used for other purposes later.
Q423 Chairman: Mr Harrison, if I have understood your evidence, you philosophically take a completely different approach to that?
Mr Harrison: Perhaps.
Q424 Chairman: Can you try to explain to the Committee the difference in approach which, as I understand it, does not depend on a single central database?
Mr Harrison: Well, yes and no. We accept that the Government is perfectly right in its desire, if it wishes to do so, to create a single national population register, card, identity, database. The question then is how that identity information, that authentication information, is going to be used across the rest of society.
Q425 Chairman: Can you keep your voice up?
Mr Harrison: The question is how that high quality authentication information is going to be used across the rest of society; whether it is going to be used purely in Central Government, by local authorities, by the health sector, by the education sector - that is the particular subject where we get interested.
Q426 Chairman: Can you expand on that, please?
Mr Harrison: I can, but it is a slightly involved argument. I think you start... This is a subject called "federated identity" which has become of increasing interest in the last couple of years and is being pursued by various standards bodies in the US. To understand federation you have to start with the notion of identity. Some people believe that you have just one identity and that you are John Denham in every relationship you have. The other alternative would be to say that you have many different identities, that each identity you have is a function of relationship and that the purpose of the identity card is essentially to create an authenticated evidence of the relationship that you happen to have with the Home Office, which is perfectly well, fun, good and a sensible thing to do, especially in this time of mass migration across borders. The question then is how you use the evidence of that identity you have with the Home Office for other purposes: say, to identify yourself to your school, which is a different relationship, or to your health provider, which is a different relationship again, or even to your family and friends. That is roughly the subject target area of federated identity.
Q427 Chairman: Can somebody explain to me what, in practice, would be the difference between the sort of single database which in its different origins is put forward by Mr Fisher and Mr Jebson and what is proposed by Mr Harrison? If I am a member of the public and I have got my identity on a register somewhere and I wish to either (a) use it to prove I am who I say I am to the police or (b) to establish that I am entitled to use the National Health Service, what is the difference in operation that you see?
Mr Harrison: The difference is largely one of consent, whether you actually give explicit consent for use of identity information from, say, the Home Office database to other parties, or whether that is done effectively automatically through the back room.
Mr Fisher: I think our view would be that, yes, there is a concern that all and sundry in government can access the register to find out information for their purposes. We would not advocate that. We would say that the register is a very valuable national resource in a digital age and that access to it by those who wish to glean some information from some sort, be it law enforcement, be it tax, be it health, would need to have good reason to do and so would need to go through a body whereby they apply, and their reasons for applying are scrutinised, to access this extremely valuable resource. One of the points I would like to make is that, of course, an individual, once you have got your ID card, every time you are authenticated, it will not go back to the register. You do not have to do that. Your authentication, your card, is proof that you have been registered and therefore, provided you and your card are together, that is all you need to do. So it is not necessary to keep going back to the register every time you need to be authenticated.
Mr Jebson: If I may, both arguments are very sound, but they have been taken, I think, from the perspective of government looking outwards rather than the citizen looking inwards. If I make a personal observation here: what would I do if I had an identity card? Where would it benefit me? One thing that comes immediately to mind is that, provided the strict controls are in place that the Data Protection Act requires in this country, something that occurs to me is that I have a portable token that might contain, for example, some medical information which could be used in the event of a road accident. If you have one device doing one job only, am I now going to have a health card, am I then going to have another benefits card? Whereas you have a single valuable recognised token of your identity that can be used in a number of different arenas.
Q428 Chairman: In a previous session, Professor Thomas said to us if you create either a single card that has multi-functions or a single database, you are adding to the nation's critical infrastructure unnecessarily and, by doing that, you are making a large range of services vulnerable to a single attack, either a deliberate attack or a fault that arises, for some reason, in the system. How do you respond to that criticism that was put to the Committee previously that, in essence, any database becomes vulnerable the more functions you hang on that database, the more likely it is either to go wrong by accident or because somebody has deliberately set out to undermine it?
Mr Jebson: I think I sense part of the answer that will be coming here. It is absolutely true, and I would be very wrong to say that you can make 100% certain security in any given situation whether it is one database or ten. I believe, however, that using the technology that is even currently available it is possible to put such a high level of security into that system that the risk is significantly minimised - that is not to say I do not recognise it - and it must be included and incorporated into the planning.
Q429 Chairman: Mr Harrison.
Mr Harrison: I think I accept the Professor's point about the dangers of having too many applications running from one database, and I hark back to what I said about the point of identity being a function of relationship. The number of times we have to prove identity for Home Office purposes is relatively few, maybe once or twice a year at the outside. The number of times you have to prove identity for other purposes, say, coming into a work-place or going into a school or going into a hospital or some other transaction that happens day to day, perhaps with local authorities, they are numerically much, much greater and it would be nonsensical to create an infrastructure that throws all of those back at one central database. Federation does not do that.
Q430 Chairman: Mr Haddock, what is your view of this? I know you are essentially a card provider.
Mr Haddock: I am more of the card provider, that is true, and I leave the database structure to my experts to the right. However, because our card does have a very high data capacity, our view is that all the records that are in the National Registry should also be included on the card so the citizen has his own records on his card at all times, and it is up to him where and how he presents it, and the National Registry, whatever form of database you choose to use, may be kept more closed and used only in the case of issuing lost or stolen cards or perhaps by more selective checks by authority; but the citizen having his own data in a secure medium is certainly a way to address this.
Chairman: I think we will move on to look now at the choices between the different types of cards. Mr Taylor.
Q431 Mr Taylor: Thank you very much, Mr Chairman. I suppose in a sense - and this is me as a layman, by the way, without any of your expertise - in my mind I am sort of beginning to address the question: what sort of a card? Smart card, barcode, optical memory card? I would like to ask all or any of our witnesses, Mr Chairman, prefacing by saying, you have different views of the type of card needed. What do you think are the essential technical features of an ID card? In other words, to help us towards the question what sort of card, what are the essential ingredients? What must it be able to do?
Mr Haddock: I think that is, most of that is in our written evidence we supplied. Obviously any card that you provide should be the most secure and counterfeit-resistant document you can provide because a citizen is going to rely upon that characteristic of it in his daily life. Clearly, if it could be counterfeit the whole scheme is in jeopardy. For that reason the product we manufacture using optical memory has the intrinsic property of being non-erasable. This non-erasability allows you to know that once you put data on the card no-one can change it or alter it, not even we, because when the laser burns data on the card it is like punching holes in a piece of paper: once they are there they are there; they cannot be erased. You can add more data to the cards, so you can put on more applications, or update addresses, but you cannot erase what is there. Other technologies are intrinsically erasable, so there is a fundamental difference there, and the use of optical memory gives you high data capacity so, as you evolve to different types of biometrics or different requirements, you can add those to the card without reissuing them and it becomes a very cost-effective document to use. It can be augmented with the other technologies: (1) an optical card can have on an IC chip, a contactless(?) chip, a barcode, all in one, if you wish, so you can make a multi-functional card without having to compromise on any type of functionality.
Mr Jebson: If I may, I would add to that. I think that what you have heard from my colleagues gives you both ends of the spectrum, and in Cubic's written submission we talked a great deal about planning. Richard has talked extensively about the type of card and how much you can put into the card, the multi-application card, which would support some of what I propose, that it becomes the single point of contact for the citizen as he is travelling around. On the other hand, there is the observation that that would require multiple database interactions. You can have a card which is highly secure which is nothing more than an identity card and all of the work is then pushed back to the central database. It is about planning. It is about knowing where you want the end product to be, because that will in turn govern the price that you pay for both the card and the system.
Mr Harrison: I think I would endorse what Mr Jebson says. The big change in the last few years has been the arrival of near ubiquitous networks: everything is more or less connected to each other by increasingly broad-band networks. Given that, it becomes nonsensical, in our view, to expect to carry out a lot of the work on the card. The card is simply a secure token to information held elsewhere. The question becomes how the information held elsewhere is structured, owned, governed and how people get access to it.
Mr Fisher: By "the card", of course, I assume you are talking about the actual token, the storage device that the citizen will have?
Q432 Mr Taylor: Yes.
Mr Fisher: There are a lot of ways of going at this, but we believe that there are a number of factors, one of which is cost, one of which is ease of use; the other one is the other functionality you can get from the storage device that you use. Clearly, cards are one way and they are very common; in America they use cards almost for everything. We believe that a storage device can be made in many different forms right now, and, for example, there is the example of a 2D barcode which holds about 1300 bytes, and that is one of the designing constraints, is the size of the biometric file that represents you. You can normally get that down to about 500, 600 bytes on finger and face, so plenty of room in here for something like that. Of course this is printable and it is you. Even if somebody stole it, it is of absolutely no use to them whatsoever. So having a printable storage device is actually very useful. This "flash memory", which you can get for less than a pound, less than 50p now, gives you a megabyte of information. It is also a storage device which is extremely useful. Like any storage device recording data, it can be encrypted and made extremely secure. All those features are still in this. We would say, because QinetiQ are research and development, so we basically evaluate all these things, that there are lot of options open to you to design a system that is friendly to the citizen, cost-effective, operationally very effective, allows ease of use, and one of the important things about this is all I need is my face - if this is a facial biometric - my face and my biometric to gain access to whatever it is I want to gain access to provided what I want to gain access to has the reader for this facial biometric. It does not have to go on the network, it does not have to go back to the register, just the two of us together are all you need to open the key, as it were, open the lock. So we believe that this is not particularly high-tech. A lot of this technology is extremely mature right now, achievable right now, and, yes, you can use cards, but I think the factor you will you have to understand and remember is the cost of the whole system and the running of the system, and that is a factor in the implementation of the storage device for sure. 60 million.
Q433 Chairman: Mr Fisher and Mr Haddock, you are being terribly polite, which is as it should be. You have both got completely different approaches to this. If you were arguing about this in private, what would you be saying to each other more bluntly than you are at the moment about the strengths of each others systems? We have, as I understand it, at the moment a pretty high-tech pretty secure card on the one hand and a fairly low tech approach on the other. How does the Committee ever come to review which approach is right?
Mr Haddock: Just because it is high-tech does not mean it is expensive. The US Government pays less than $4 a card for the US Green Card, and the Green Card stores high-resolution photographs, colour photographs, high-resolution fingerprints; it has 2800 data tracks; each one of those data tracks is equivalent to this piece of paper, so you can have that data but update it continuously. The important thing to understand about biometrics is that 1300 bytes is enough to have a template file of a biometric - that is a mathematical extraction of the image of the fingerprint or the face - but not enough to have a true image that is a high-resolution photograph or fingerprint that you can extract such minutiae from. You want a card, I think, that would have global inner compatibility so you can take your card to the United States, or Italy, or whatever, and have that be used. In order to do that you need the real images on the card and from that you can extract whatever mathematical minutiae files are required by that environment. In Italy they may have a different system that you have in the UK. If you bring with you a secure biometric image of your face or image of your fingerprint, it can be interchanged between systems without additional cost. It gives you vendor independence, because those minutiae files are all vendor specific and proprietary. So the value of multiple biometrics and true images has been seen throughout international standards bodies. In the passport world they are mandating at minimum 32K, which they recognise as being insufficient and really want up to a quarter to one and a half megabytes of data in order to store these types of images. I think if you want a long-life card that has the ability to be future proof, you need data capacity, you need updatability and you need to store the true image files, because biometrics will change but your fingerprint image, your face and so forth, will not, and so you do not want to get trapped into biometric minutiae files that are specific to vendor specific, you want the ability to be able to take it across platforms and cross country, which means you need the data storage on the token or card.
Mr Harrison: May I clarify one comment that I made. I suggested that from our point of view the purpose of a card was to provide a secure key, and that is entirely right. So for us it is essentially a thin card, a token that is used to access information elsewhere. That does not mean necessarily that you do not store the biometric on the card, you may well do that. In effect, you will use the biometric to unlock the key a little bit like the way in which a pin number is used to unlock bank cards at the moment.
Mr Fisher: High-tech does not mean it is expensive, low-tech does not mean it is vulnerable. The system, the capture system, the processing system, whichever biometric you use, is going to be the same whatever the data storage device. Our driver for evaluation for sure is to keep it simple. It is something that, you know, Mrs Snooks can actually understand and use quite easily in order to receive benefits from it. Is it going to be cheaper for her to have something like this than to have a card when it is four or five dollars a card? These are fractions of a penny. She can print off as many as she wants. If she loses it, it does not matter, she can print off another one, the same as other memory devices. We are an evaluation company as well and we look at the fidelity of storage devices such as LaserCard has got - there are a lot of others, there are smart chips, of course, which have not been mentioned as yet - and looking at the future the driver has to be cost and keeping it simple and we would recommend something as simple as printing out your biometric.
Q434 Mr Taylor: My next question is to a degree about timescale, and, with permission, I will address to it Cubic and LSC primarily, because both of you mention that creating an effective system and a standard for cards will take time. LSC also mentions significant costs. Do you think it feasible for the Home Office to plan a phased introduction of cards leading to universalisation in, say, 2013, possibly sooner? How far do different types of card affect the timescale?
Mr Haddock: If I can start with that. I think we have some experience now in five different countries starting from scratch through the planning process to the point where they have all issued cards. The most impressive one was the Canadian Government, where, shortly after 9/11, they decided they wanted up to upgrade their permanent resident card to an optical strike card, and within nine months of making that decision they were issuing cards to their citizens. They said by June 28th they must be issued, and we thought it was very aggressive but we agreed to it and on June 28th they issued cards. It was on time, on budget, so it can be done, and I think your schedule could be cut in half and probably for half the money, given the appropriate decisions.
Mr Jebson: If I may, the phrase at the end there is the critical one, the "appropriate decisions". Cubic is a systems integrator. Our job is to deliver the entire solution. It is not just about the card. The card will have an impact. You have to look at the availability of the plastic, of the silica, etcetera, but I would say that from what we have studied and what is available as information, then the scheduling that the Government has proposed is well deliverable.
Mr Fisher: Certainly it is well deliverable by 2013. When do you start? Well, I think the timescale you have at the moment could be cut down. The technology is demonstrable to date and mature enough to date to get something started, and we believe that certainly a system designed and a pilot could be achieved certainly well within two years with a run out starting after that.
Q435 Mr Taylor: You would say that 2013 was rather a soft, sloppy target, would you? We could get well inside that if we wanted to?
Mr Fisher: Soft, sloppy - I did not use those words, but----
Q436 Mr Taylor: Nor was I attributing them to you, but you can attribute them to me!
Mr Fisher: I think, yes, I think once you have decided and once the Government decides on exactly how it wants to go about it, and we are talking about the three elements of data capture, data processing and data storage and what it wants to use, then you can get down to designing a system quite quickly. Again, we would not advocate a compulsory system. I think that is adding problems. I think it has got to be voluntary, opt in or opt out, that does not really matter, but pick-up will be fast and I think you will find that a target of certainly five years before then is achievable.
Mr Jebson: If I may, the only observation I would make is that one should always use prudence with large scale IT projects. My colleagues are correct, you can shorten the timescale, but you must not run the risk of shortening the timescale at the expense of delivering a real working solution.
Mr Harrison: I would agree that it is entirely feasible to deliver a straightforward effectively one-to-one, yourself, one relationship with the Home Office ID card in a relatively short number of years before 2013. How that identity information is going to be used throughout the rest of the country is going to take longer: because at the moment there is very little clarity in the thinking about how the links are going to be created between the Home Office database and other databases, other service providers.
Q437 Mr Taylor: My next question is primarily directed to LSC. Mr Haddock, you list a number of security features that you believe should be incorporated into the card during manufacture. Are these achievable within the Home Office's costings?
Mr Haddock: Yes, it is. I think most of those design features are something that a properly implemented system would have at very small incremental cost. The idea of serialising cards so every card is traceable back to its manufacturer, the fact that you have unique media format that is owned by the British Government - these are design choices made early on in the program. There is may be a small engineering charge, but it would be less than a penny a card by the time your system is implemented, and you can get nearly all of those intrinsic data security elements. Some of the physical ones, if you want additional stamps and holograms and overlays, there is a medium cost associated with that, but I see no problem in either cost or timescale to get all those features in your card.
Q438 Mr Taylor: Is the Italian card now operational?
Mr Haddock: It is now operational. The reason I am in Europe is because I was invited last week by the Italian Government to come to their session that they had in Rome where they introduced the CIE Card (the Carta d'Identita Elettronica) to other Member States of the EU and invited me to speak about the optical card portion of that last Friday. Then they proceeded to take approximately 50 people representing about 30 countries on a walking tour of the city of Prada where they could watch the cards being issued in the city where the person's face and signature and fingerprint biometric was being captured in real-time as they issued the cards. The whole process took maybe five to six minutes. The card was then issued to the citizen and you followed them through the city where they used it at both services for paying taxes, on police stands where they checked the optical memory stripe to bring up the face and fingerprints of the person. So it is operational. They have ordered about 2 million cards. They have issued less than a million, but over 600,000, something in that range, and they are committed to a full scale roll-out in the coming few years.
Q439 Mr Taylor: Are you at liberty to tell us how much this has cost the Italian Government?
Mr Haddock: I do not know the entire cost structure, because we supply what we call a chip radio-optical card, that is an optical card that has a place where they can insert their own IC chips. It is a hybrid card containing both the optical memory stripe and an IC chip. After we provide the cards to the Italian Government they, in their own manufacturing process, embed an IC chip. They add their own software, they add additional cost and value to the system, so I cannot tell you directly what it is, but the optical card portion of it not - it is slightly greater than the US card but it is not....
Q440 Mr Taylor: I have one further slightly different question for you. We live in an age where computer systems get hacked. Suppose, with the best will in the world, we were to bring out an absolute state of the art identity card, the best that the best minds could produce, and then somewhere, months or perhaps a year or so down the track, somebody came up with an offensive technology which had not been anticipated at the time and hacked into the system. Would it be possible to add on subsequent defences?
Mr Haddock: I believe so. Part of the advantage of the optical memory is that there is a lot of reserve capacity. The Italian Government spent four years planning for their ID card program. They had 40 experts from different parts of industry, from electronics and printing and government institutions, to define what they wanted in their card. A lot of it was directed at the issue of security, so if cards were stolen or encoders were stolen, anything violated the security, they still had a secure system, and I think their architecture does that by providing encoded data that shows the entire audit trail of the issuing system on the card If that was violated by some method, it would be a straightforward matter for them to write additional credentials to future cards which could not be duplicated by that entity, so that I think that they would continue without having to reissue the entire card population to know that they still have a secure system.
Q441 Mrs Curtis-Thomas: Mr Harrison and Mr Haddock, your conversation about various merits of your cards was intriguing. I think the message I got was that simple, Mr Fisher, meant local or just national to the UK, more complex means international. One is cheaper than the other, but more expensive means a global card. Did I get that message right?
Mr Haddock: I am telling you that you can have more global interchange by having more data and more biometrics of the full images on a card, and our card does comply with international standards for logical data format, and so all these five cards we have issued are all compatible in one system, whereas the US system that has been put up can re-invalidate Canadian and US based cards, so there is three of them. When an Italian card, or a Soli card, comes into the system, we can authenticate it is a real card from the data structure being recognised as one leaves that country but it cannot the read the data because it has been held protected by those governments. So it gives you a lot of flexibility in how and where you share your data, but you do not have to choose to do that, you can use intrinsic security for inter-country purposes or partition the memory to have additional multi-applications for health and other welfare benefits, although I agree with my colleagues that adding multi-functions, while technically it is no problem, certainly adds to the complexity of the issuing and maintenance of any system.
Mr Fisher: The approach we have taken is purely for the UK, but the simplicity of it and its lack of cost, of course, would allow anybody coming here to do it. We feel, and I have been to America a lot and I have seen the data card system in operation on the Mexican border, and such. It is an elaborate system and does not necessarily pay credence to the principles of authentication that we have outlined in our written evidence.
Mr Haddock: Can I ask why not?
Q442 Chairman: Do, please?
Mr Jebson: Shall I sit back here and just let you two go for it!
Q443 Chairman: Mr Fisher, would you like to answer that, as it has been posed?
Mr Fisher: Yes, because some of the things we are talking about is that that is a single card. We are talking about the benefits of perhaps the simplicity of having an authentication storage device which is easy to use and allows you to access the benefits that that sort of permission regime gives you. So, for example, you can have as many of these as you like, it does not matter; it is only you; only you can access to this, and you can attach this to anything you want which is yours, so your baggage going through the airport, you can have it printed on your boarding card, you can have it etched onto your card, you can have it tagged to your baby in the maternity ward. You can do all sort of aspects of authentication linkage that creates a much richer and safer and better quality of life society than you can by just having a single card which is just for you.
Mr Haddock: You keep referring to that card as being you. You agree that that is a template based biometric that you are referring to there?
Mr Fisher: It is, yes.
Mr Haddock: Therefore it is a proprietary format of someone and it therefore is a single point of attack to learn how to make a template file, which is a fairly straightforward matter, and once that has been done then anybody can put stickers on anything and claim them to be you or whomever they want, so I do not think that is a very secure methodology to have multiple stickers.
Q444 Chairman: That was a fascinating exchange. I am going to ask Mr----
Mr Haddock: The other point about cards being complex to use is that you can read the data in two seconds, so it is not very complicated.
Q445 Mrs Curtis-Thomas: The next question is that when mobile phones were first introduced you could only use them in certain parts of the country. You had to rely on a massive number of telecommunication masts so that you could use it anywhere. If we use the mobile phone technology as an example here, if we take your card, where could we use it now in the world and where might we be able to use it in the world 10 years from now?
Mr Haddock: You could use it in the US Government system that they are putting the styles and sites out right now which should be all functional by summer this year. The Canadian Government is putting 150 on their border sites and a properly designed card by your Government could allow that system either to just verify it is an authentic UK ID card or allow to them read face and fingerprint, whatever you want. It is under your control, but it would be compatible with that system, so already you would have US and Canadian compatibility and also it would be compatible with the Italian and Saudi systems. It is under your control how much of that you want to give them, but, in addition, we believe in the coming months and years many other countries will also adopt the use of optical stripes, because you can add other technologies to it. The Italians chose to have a micro-chip to provide E-Government services and an optical stripe for IDs.
Q446 Mrs Curtis-Thomas: So at the moment we could use it maybe in Scotland and Devon, but with the rest of the country we would draw a bit of a blank?
Mr Haddock: Yes.
Mrs Curtis-Thomas: Okay, I accept that.
Q447 Bob Russell: Mr Fisher, you support what is described as a comparatively low-tech approach, although when phrases like 2D barcodes or one megabyte memory sticks are used, to me that is rocket science. Anyway, you support an apparently low-tech approach. So would not bar codes and memory sticks, as has been indicated already, be more vulnerable to forgery than more high-tech solutions?
Mr Fisher: I do not see how. It is a storage device; that is all. How the biometric is protected on it is the same whether it is a storage device or a laser card or anything else. Therefore the feature that you are asking about is will it take a strong encryption of some sort, a strong security on the data? Well, yes, it can.
Q448 Bob Russell: But, Mr Haddock, a witness for the prosecution, stated that they are very vulnerable to forgery?
Mr Fisher: No, I do not see how it is. If it is strongly encrypted, strongly secure and it is me only I can access it.
Q449 Bob Russell: What would be the cost of production of the sort of card you favour?
Mr Fisher: This is the whole point. If you have something like a 2D card, something which is reasonably low-tech, then you can have it on any material that you like. For example, if your comfort zone is that you have it on a card, then you can have it on a simple card; plastic cards are extremely cheap. But it is mine, you see, this is me, this is my biometric, and therefore I may want it on a card, I may want to print it on to my documents, I may want to have it attached to my luggage tags. There is no reason why I should not have the ability to have it on my home computer to access my home computer as a sign-in. There is a whole raft of things which you can do with a biometric which is in a digital format. All we are talking about here in terms of the card is a storage device.
Q450 Bob Russell: I wonder if I could come back to the cost, because the Select Committee is considering not only the principle of whether to have identity cards but also (a) what would be the costs produced and (b) some very high figures have been suggested as to what the Government will start charging individuals for an identity card of some sort?
Mr Fisher: I think this figure has come from an assumption it is going to be a chip card or something very similar. What we are saying is take a step back and try to look and see what it is you are trying to do. If an individual wishes to have his biometric in a variety of formats, which is perfectly possible, then an ordinary plastic card with a barcode printed on it, as they have in America on driving licences and everything else, is extremely cheap.
Q451 Bob Russell: If you cannot give us the answer, then I wonder if you could write to the Committee and let us know how much extremely cheap is?
Mr Fisher: This costs fractions of a penny to print off.
Q452 Bob Russell: Therefore the administrative cost would be considerably greater than the production costs?
Mr Harrison: I think that is nearly always the case.
Q453 Bob Russell: Would that be common to all?
Mr Harrison: Pretty much, yes.
Q454 Bob Russell: So the administrative costs would be common to all. Mr Harrison, if I may come to you next. You have described identity card as primarily a secure key rather than an identity token. What consequence does your approach have for the type of card used?
Mr Harrison: Well, cards may have two parts to them, one is the plastic face, the other is probably some kind of electronic machine readable component, which could be a chip, it could be a barcode. I would imagine that the plastic face will have a photograph, a name, etcetera, the machine readable part will probably have some kind of certificate or anonymous certificate that will enable the card to be used as a key to the particular kind of point of presence that we envisage.
Q455 Bob Russell: Mr Haddock, finally you experience of coming to the Houses of Parliament, how would you high-tech identity card have helped or hindered you in gaining access here?
Mr Haddock: I found I did not need any card or identification, all I needed was my material to go through your metal inspector.
Mr Jebson: I would like to try and pick up a couple of the points that Mr Russell and Mrs Curtis-Thomas have raised. Unfortunately it is one of those things where I am not going to give you the answers, but I am going to suggest that there are a couple of questions that should go into the process. We have talked about the price of the card, and again I am sorry if I sound pedantic, I am going to come back and say, you must consider the price of the system. It is the system gives you the integrity, and dependent on what you want the system to do will determine whether you want a very, very low-cost biometric or a higher cost. I think you have taken the point extremely well that issuing is as much a part of the cost of the system. I am sure you are very familiar with the Oystercard. There are 1.4 million of those out there. I think it is commercially sensitive as to the exact price of that card because things like the volume, quantity discounts, that type of thing, will come into play. I think you need to ask whether you want that card to be a card for life or a card, like your passport, that will be renewed over a period of time, whatever that is, five years or 10 years, because in planning your system you have to accept that you may want to revalidate that individual is still the same individual, that it is still the same address. One closing observation, Mr Fisher talked about the cost of technology. There is a well-known computing law, Waugh's Law of Computing: the processor speed doubles every year, the price halves every year. He has shown you a memory stick from a computer. That is a memory stick from a computer that I bought yesterday. It is freely available. It has got a 32 megabyte storage capacity for those who are interested in that terrible technology, but, more importantly, it costs me exactly one quarter of the price of the same size of memory stick two years ago, and that little silver patch in the middle is a biometric fingerprint reader. So that is a biometrically protected device already at a very low price. Understanding the combination of the system, the design and what the end product will be that will help answer the question of how much.
Q456 Mr Clappison: Can I turn to the subjects of government procurement and system specification and in particular what the Home Office need to do to adequately specify their requirements. Could I ask Mr Jebson - and just to remind him of what he said in his written evidence - you call for carefully defined requirements that are not prescriptive or too lengthy. Does your experience of delivering government smartcard projects encourage you to date and is it realistic to expect precise requirements at the beginning of a national system of this scale?
Mr Jebson: Thank you for the question. I would have to draw on my experience from delivering the Oyster scheme in London, and I think pragmatically some very clear decisions have been made because the technology advanced from the day it was originally planned. Had the requirement been very, very prescriptive, then I do not believe that the Oyster system would be out there functioning as well as it is today. It is a very fine balance between being over-prescriptive in order to perhaps get a level playing field from suppliers and avoiding talking to a supplier and saying, "That is what I want to achieve. How can I best achieve it?"
Q457 Mr Clappison: Can I move on to the question of security. Mr Haddock, I think you were touching on this earlier and I give you another opportunity to come back to it. You list a number of security features you think should be specified for cards and readers. How detailed do you think this specification should be?
Q458 Mr Haddock: I think, as laid out in this document, it is a fairly generalised prescription of features. Those features are not unique just to optical memory, although I do believe that optical memory better addresses that than any other type. But I think if you put in your specification that your system must have an immediate token that has these characteristics, I do not think you have to get too much more prescriptive than that, although I believe that you need to also add to that there are other security elements of making sure that there is a produce assistance with the ability to be sure the data cannot be changed and so forth.
Q459 Mr Clappison: You mentioned in answer to earlier questions your experience of the Italian system. What lessons have we to learn from the procurement process of that system?
Mr Haddock: That is an unusual process, particularly in Italy, because it has been a long and ongoing process for - it was about four years of planning and now, just in the last year, they have really starting issuing the card. The procurement process started in what they call the experimentation phase because they had a group of 40 companies and government agencies who were providing input to them and from that they asked that same group do a pilot programme of several hundred thousand cards to learn how well it worked and adjust to specifications and so forth, and from that they started putting out procurements for sections of the system, not the whole system. They wanted a personalisation system, a printer system, database system, so they did not attempt to keep the whole thing as one procurement but rather, once they understood what the process was, one added----
Q460 Mr Clappison: Do you think it is better to go for a whole system----
Mr Haddock: I think to get complete satisfaction, in the end you are better to ask for the whole thing, although I think there are sections which you could cut. I think there is certainly a difference between structuring the national database to collect the biometrics and prepare the data is one thing altogether, and from my point of view, if that database existed it would be quite easy to provide a quotation, assuming that the data set is there, how much would it cost to take that data and personalise, initialise cards and mail them to your citizens. We could easily quote against that.
Q461 Mr Clappison: How long has the whole Italian process taken? When did they decide to go for it.
Mr Haddock: I would say it has taken about five years, but about two years of the actual trying to do it, whereas the Canadian case was less than a year, the US Government was a couple of years.
Q462 Mr Clappison: I am going to come back to that in a moment. I would like to ask Mr Harrison first why he thinks that the OGC Gateway system is inadequate, and what he means by saying that it lacks any kind of sustainable business model and fails to address the real issue?
Mr Harrison: I fear that I may have been a little bit misquoted. In fact, I should qualify that. The Gateway system as a means of ensuring high quality procurements by government is entirely sensible and straightforward. I may perhaps have been referring to the government gateway which is the authentication run by the Office of the Envoy, which is a very different thing. That is essentially a means of allowing the Government to receive digital certificates in one central place and for the identity to be used by different government departments without having then to repeat the infrastructure. On that specific point, we would say that the effort to create a central point, a central intermediary, if you like, for authentication of the individual versus Central Government departments is pretty well done, but to suppose that that central point of authentication is going to work for the individual to local authorities to education to the health sector, etcetera, is perhaps so optimistic as to be naive. Could I perhaps make one further point? Federation, which is what I am talking about mainly, is a fairly new set of ideas which is sometimes rather difficult to explain. I do not know that I have done a particularly good job. Maybe if I illustrate. This is my wallet. I have in here probably 12 pieces of identity, 12 identity tokens, namely plastic cards. I have another one here which is my mobile phone which identifies me to my mobile phone network. All of them are to some extent high quality security tokens. What we are about to do with the Home Office mentality is to issue another the identity token to all 60 million people in the UK without any notion that they have certain elements in common and that if we get it right you can create a system, an infrastructure, that does a lot of the jobs of all of them at much lower cost whilst emphasising privacy.
Q463 Mr Clappison: Could I ask each of you briefly, if I may, when within the Home Office's 10 years timescale do you think the Government needs to decide exactly what it wants the system to do and what sort of card it wants and how feasible it will then be to add applications at a later date?
Mr Harrison: It is a design process like any other design process. You take, you should the take, the big decisions about the infrastructure, the basic shape of the thing, very early on. You create the outline, and then, as time goes by, you can fill in the detail. What is very, very expensive and almost catastrophic is to go a number of years down the path and then change the overall outline.
Mr Fisher: I agree with that. You have to get it right in macro terms from the very beginning and keep at it.
Mr Jebson: I would entirely endorse that.
Mr Haddock: I agree with that as well.
Mr Clappison: That is very helpful. Thank you.
Chairman: Let us see if Mr Singh has as much luck!
Q464 Mr Singh: Mr Jebson, Cubic strongly supports the inclusion of a biometric element to any identity card. I think you suggest either fingerprints or iris scanning?
Mr Jebson: I think what we have said in our written evidence is you can take either route. You can take the third one, being facial recognition, digital facial recognition, all three have strengths and weaknesses. You can make an argument that in some cases you may need more than one. For example, the fingerprint, which is quite a commonly known biometric, has to be taken into context of the fact that people might feel it is intrusive because there is a physical contact between the finger and the device that is authenticating it compared with iris scanning which is much unless intrusive. It is really about the level of security you want, and I would incline towards the very highest level, which you may wish to consider more than one. Again fingerprints: fingerprints wear out. It is a rather silly thing to say, but somebody who is working in a building site, their fingerprints wear out. So if you have only got that option, you may find yourself having to re-validate, re-authenticate quite a large part of the population.
Q465 Mr Singh: Presumably in choosing either one or the other or both cost is a factor?
Mr Jebson: At the moment fingerprint technologies are probably a lower cost than iris scanning. That is not to say over the next two to three years that would not change.
Mr Fisher: Iris scanning is quite expensive and reasonably intrusive; fingerprint is intrusive but it is mature technology; face does not have to be intrusive, it can be almost seen as transparent to the person being authenticated and matches some commercial processes very well indeed.
Q466 Mr Singh: What would you recommend, Mr Fisher?
Mr Fisher: Well, a bit like Cubic, I think you have to match what it is you are trying to do, the security environment you are in, the risks you are faced with and your own commercial process. So, for example if you are a government then you are trying to strongly authenticate people who are trying to get in; time may not be a factor. If you are an airport, then you are trying to get passengers through in a way where the security is matched to the risk environment and therefore you may have wish to have faster authentication process. The technologies are mature, so each individual may have a number of different biometrics. There is no technical reason why they should not have that.
Q467 Mr Singh: Can I continue with you, Mr Haddock, because I think in your company there is something called an embedded hologram. Can you explain what that is?
Mr Haddock: To touch briefly on your previous comment about biometrics, I think it is essential in any properly designed system that you have more than one biometric, for the reasons cited - sometimes fingerprints might not work and people with dark eyes, iris scans, or hard face recognition are some interesting issues - so I think you need to design a system with more than one to be inclusive of all your population, and it should cost very much more incrementally. As I said, I watched the Italian Government capturing biometric data from their citizens. They took their photograph, they took their fingerprint, they had them sign a piece of paper and scanned that and they did it in less than five minutes. So the cost of operating the cameras to do this is almost nothing. The only cost associated is when you have to licence the outrythym to decode some of these proprietary biometrics - you pay a royalty per use - and that is something you need to look into for your own purposes, but the actual cost of capturing the images is essentially free. So, that said, the embedded hologram is a unique characteristic of optical media, because we have a highly reflective surface, like a CD ROM, and we write data with a laser to encode the data files on the card, and, as I say, once they are written they cannot be erased; but we have an additional builder to change the mode the laser is writing in and take the same image files which you needed to get the photograph of the person and write that image file into the optical media surface at the same time as the data is encoded so you can see the person's face in the optical media layer; and by being able to compare that image to the printed card image you get an additional security layer knowing that the media and the card body are linked together; and because that embedded hologram, as we call it, is part of the data surface it is a very security feature of the card and one that the US Government and the Canadian Government, the Italian Government and the Saudi Government - they all use it as a core security element of their national ID cards.
Q468 Mr Singh: What biometric are the Italians using?
Mr Haddock: Pardon me?
Q469 Mr Singh: What biometric are the Italians using?
Mr Haddock: The fingerprint, face - they have a full colour face image, although at this point they are not biometrically validating this, they are bringing it up and looking in comparison at this point, although that is capable of having these minutiae files, as they are called, which is the mathematical outrythym which is necessary to do a computer-based match, which is what is on your sticker, and they have the fingerprint captured image which is on the optical stripe of their card, and they have your written signature scanned and digitised with just a picture of your signature on the card.
Q470 Chairman: Mr Harrison, do you have any views?
Mr Harrison: On the style of biometric?
Q471 Chairman: Yes.
Mr Harrison: Not really, biometrics is not our field. We simply presume and assume that there will be a secure key which may be enabled by a biometric, but for us it is just a black box.
Q472 Chairman: On a different issue slightly, I do not know what is happening in Canada, or the US or Italy, but in the UK there is likely to be a huge debate, a civil liberties debate, about the introduction of identity cards. I do not know if that has happened elsewhere, but do you think, if we are adding biometrics, that will heighten the debate, will there be acceptance of biometrics, or will there be resistance?
Mr Haddock: I can comment about Canada, because the Canadian Government believes they hold their own citizens' privacy at a very high level, and that was a very stringently debated issue on their issuance of the card that was going to contain any personal biometric data. What is currently on the Canadian card is a full photograph of the person, which is actually in black and white because the laser engraved that card, it has a digital signature of the person where again it is a scan of the signature, and they have allocated a space in the secure partition of the optical memory for a fingerprint, but currently they are not putting the fingerprint in it because they are still considering the privacy implications. So in that case they built the flexibility to upgrade it in the future into their system. I think that in that case you can see the flexibility offered by that choice.
Mr Harrison: You can look back at the history of card technology used in society, particularly by the banks over the least ten or twenty years, and they started with paid cheques, they then produced bank cards, we now have bank card with holograms, we will soon be going for bank cards with chip and pin, and by and large most people did not object to that at all because they saw it to be to their benefit, and that I think is key. If you can find a way of making people realise that the identity card and the services that it can deliver are to their benefit, that they deliver things that they would not otherwise receive, then the biometric is simply a means to an end; but if the biometric is imposed on a card which does not deliver to the majority of the population something that they do not already have, then it may be more difficult.
Q473 Chairman: So you believe that the card has to be more than just a simple identifier, it has to be an entitlement card of some kind?
Mr Harrison: I think certainly entitlement is a benefit that can delivered by a card, but there are a lot of other services that can be delivered using a secure identifier into federated identity architecture. We talk about intelligent memory direction, we talk about lifelong medical records, we talk about across the main transactions such as the simple one of getting a parking permit which is a three-domain transaction: yourself, borough council, DVLA and proof of residence. At the moment that is very difficult because it is across the main. If you design the system right you can enable that kind of thing, which is definitely to the advantage of consumers without too much additional cost.
Q474 Chairman: Mr Fisher.
Mr Fisher: Entitlement, I understand, is a term the Home Office want to use. I would say it is more like a permission card. You are accessing permissions you already have. You are verifying it. You can have these permissions. So I would agree entirely with Mr Harrison that promoting the benefits of the card will immediately attract the positive attention of society. That speaks up the perceived negative aspects which are, if you like, law enforcement, the heavy hand of the law, big brother, which are all very necessary in this rather heightened security environment we live in now, but they should be overwhelmed really by the benefits to people in society. There will always also be a white noise of the population who in any circumstances will not wish to join. Well, they still have to be authenticated within this heightened security society, but it is just that they will have to join the queue over there and that will take them a bit longer and all the rest of it, but if that is what they want, that is what they can have and I think that has to be accommodated.
Mr Harrison: Can I add one further point which is that in a sense, and people may laugh, but issuing an identity card is a relatively clean and simple thing to do. The thing which, in our view, takes a lot longer and is far more complicated is devising and developing the business applications that will depend on it. The Home Office rightly has a lot on its plate at the moment. It is focused with a very tight, close team doing this one thing, but at the moment there is very little communication with the rest of society about how the identity card is going to be able to be used more broadly and if we are going to deliver these positive benefits, that communication has to start at some point in the not too distant future.
Mr Jebson: I was going to endorse what my colleagues have just said. I think there are two strands to this. One is to ensure that the message is communicated as to the benefits and I think parallel to that reassurance about data protection. I think if you have a good communications programme with the public, then the vast majority will accept it, will endorse it and welcome it. If I may say, from my own past experience of running a train-operating company, there will be a small portion of the public who will not want it and unfortunately no amount of good publicity can change that. The vast majority of people just want to be communicated with clearly, simply and to be reassured.
Mr Haddock: The Italian Government approach to this is that the card really has two functions, one being as an e-government services card with an IC chip on it which is really there for that purpose, and it has an optical stripe for secure identification. If you go to the Italian website or look at their promotional materials, their messages to their citizens are all about e-government services and all the benefits that they are going to get, that they can pay their taxes, they can get their records at City Hall, and there are all of these things that they can do with their chip which is part of the card. They do not really talk much about the fact that it is a secure national ID card, so they are building public support for it by talking about e-government services. It is really almost like two cards in one with the chip and the optical stripe doing two different things, and the national security group wants the optical stripe for the security, but it is not being sold on that, it is being sold on government services.
Q475 Mr Prosser: I want to continue on this theme of public acceptability and effectively taking away barriers or even selling it to the public. First of all to Mr Jebson, you have stressed the importance of swift and easy issuing and swift and easy checking and we have heard some examples of how long it might take to issue the biometric card or the identifiers, but what is your view? How long should that take?
Mr Jebson: To be honest with you, Mr Prosser, I would not dwell on how long it should take. I think what you have to look at is the acceptance by the citizen.
Q476 Mr Prosser: How much do you think they will accept?
Mr Jebson: If I use this analogy of when we are issuing Oyster cards, the passenger who is taking on an annual season ticket perhaps, which is very high value to them, is quite prepared to spend four to five minutes authenticating themselves and assuring themselves that they are properly registered to get that benefit. It will change as they use the card and for those of you who use the Underground on a regular basis, then four to five minutes is totally unacceptable and they expect a gateline to operate within a couple of milliseconds, so it is really about different situations requiring different periods of time. From personal experience of passports perhaps, if you are planning carefully, then I believe you can allow two to four weeks to get your passport. If you have forgotten to plan carefully, then you find yourself rushing up to Victoria, having made an appointment, and getting your passport turned around in four hours. I think it is need driven rather than it has to be that amount of time.
Mr Haddock: I would like to put in a word for the UK Foreign Office which issues passports. They gave me a tour in Washington of their passport issuing centre which was amazingly efficient and without anyone paying any premiums, they were turning around passports in 24 hours as the normal course of business, so I think at least they should be applauded for that.
Q477 Mr Prosser: Mr Jebson, you were having a discussion there with Mr Singh about a campaign of awareness, a campaign to encourage people. If you were designing that campaign, how would you design it, how would you approach it?
Mr Jebson: I think I would like, in American terms, to take the Fifth Amendment on that one right now and suggest that we would be very happy to invite my colleagues from Transis to provide some written evidence on how, working with TfL, we have launched the Oyster card in this country.
Q478 Mr Prosser: I must get one of these Oyster cards. Coming back to the campaign, we have heard from some of you that the Italian experience was that it was a successful campaign. Can you draw on many other examples of good practice of a campaign and preparing the ground to get over some of the barriers which are in people's minds?
Mr Haddock: The Canadian Government put out a campaign about their new permanent resident card and actually the card is a very beautifully designed card, so they did a good job in what it looks like and it makes you want to own one, so there is some pride of ownership associated with it in the newspapers. It is called the Maple Leaf Card and it is splashed over there. They actually won three international awards within three months of it being issued for both technical and aesthetic qualities. They then put out technology fliers on the benefits of it and got a high rate of acceptance. Of course they also had the advantage of having a pre-existing paper document which they could force to expire and make people, if they wanted to continue to have the privileges associated with that card, have to upgrade to a new card, so it is because you have no system in place now that you do not have that ability.
Q479 Mr Prosser: Mr Fisher, how much pride of ownership would there be in our card, do you think?
Mr Fisher: Well, the point about it is that such an authentication device is going to become part of everyday life and, therefore, very quickly you will become conditioned to it. It is not necessarily a card, it could be a card, it does not really matter, but because it is going to be a necessity in the future, then as far as the campaign is concerned, there are going to be a number of people who, for example, and I take the Home Office guidelines here, need to renew their driving licence and they get the card at the same time, they need to renew their passport and they get the card at the same time, but I do not think that is part of the campaign. You need to bring in people who would not necessarily do those things and I think you can use a number of incentives. Dare I say, as a taxpayer, I see a tax incentive involved, but you could do so to get the thing moving and get it going.
Q480 Mr Prosser: You emphasise quite strongly in your written evidence the importance of security of procedures and the openness of the system in order to encourage people.
Mr Fisher: Correct.
Q481 Mr Prosser: How can we reassure the public of that?
Mr Fisher: Well, that is a political question really and I am not really qualified to answer it as an employee in QinetiQ. The database we have and the way it is processed is going to be extremely valuable and the public need to be assured that every safeguard is taken to make sure that this very valuable national resource is looked after in a proper way.
Q482 Mr Prosser: Are there other areas where the public need reassurance?
Mr Fisher: In what way, sorry?
Q483 Mr Prosser: Apart from as to the openness of the system and the security of the system.
Mr Fisher: They need to know that the database and the system are secure, that the people who are registering you are cleared people and that every due care and attention is taken as, for example, you automatically trust when you have your passport renewed. As far as the card is concerned, the data storage device that they are giving with their biometric on it, their authentication key on it, then really they need to have confidence that actually as long as they look after it and keep it with them or, as I was saying, if it is a barcode, it really does not matter, they do not have to take special care. We do not want to frighten the public that this is an extremely expensive and special card that they have to take care of. They need to be able to treat it like ordinary life really as perhaps they would their cheque card or any other.
Q484 Mr Prosser: And you still advocate the voluntary approach?
Mr Fisher: Absolutely.
Q485 Mr Prosser: Do you see that graduating or evolving into a universally accepted system in due course?
Mr Fisher: Yes, I do. I think it will become the norm.
Mr Harrison: I think suggesting that a card can be anything other than voluntary is almost counter-productive. The very process of asking a person to take a card out of his wallet and hand it over to a third party implies that he will do it voluntarily and he can barely be compelled to do it, short of thumbscrews, so the thing has to be voluntary. It may be universal in the sense that everyone has to have one to get the service they want to obtain, but compulsory as in big brother state compelling you to have one, surely not.
Mr Prosser: I think we all agree on that.
Q486 Chairman: You have described, Mr Haddock, in Italy the process where a large number of experts and companies were involved in what appears to be quite an open way in helping to devise the system. Would you draw a contrast between that and the way in which the project is being approached in this country?
Mr Haddock: Well, I have not been aware in great detail of how it has been approached because it has seemed like a much more closed procedure from our perspective, although I would not say that we have enough on-the-ground presence perhaps to say that with great certainty, but it does not seem as open a process as was conducted in Italy.
Q487 Chairman: Others may wish to comment, but does it seem surprising that perhaps no more than two or three weeks away from publication of the Bill which will set the process in train, we really do not know the answers to virtually all of the questions we have been discussing this afternoon?
Mr Haddock: I would say that if you have not heard about the technologies that you have heard about today, you could not proceed with a Bill on that basis until there has been a process by which people can fully understand the relative merits of everything presented.
Q488 Chairman: I think the position is that we have heard of the technologies, but we certainly have no idea at the moment which of the technologies, if any, might be favoured by the Government. Do any of the others have a view as to whether really we should be as advanced as we are with so many questions still being unanswered?
Mr Harrison: It depends on the nature of the Bill. Is it not simply going to be enabling legislation which will allow the details of the card and the system architecture to be developed at a later date?
Mr Fisher: Yes, I would go along with that. Provided the Bill addresses the principle of authenticating the population in a way where we have an identity register, then the details of how that is implemented we can get on with straight after.
Mr Jebson: I was going to say, as a supplier, a sort of non-statement, that I think the key to the Bill, as my colleagues have just said, is that it is an enabling tool and I am quite relaxed that government and its agencies have spent time understanding at least the principles of what they are trying to decide before coming to perhaps individual suppliers for solutions. It fits in the timescales we have and, to echo, as an enabling tool, it is excellent and I think, from my own observation, a lot of the questions which have come out today make me feel very comfortable that the right questions are being asked at the right point in the process.
Q489 Chairman: I do not want to ask you to answer what is obviously a political question for Members of Parliament, but, as people involved in the industry, do you think it would be wise for Parliament to pass an enabling Bill before knowing the answers to some of these questions, for example, which type of architecture we want for the database, whether they should be drawn from a new source or from existing databases, which type of cards? At what point should Parliament take a view about the overall system, albeit we will not have the dots and commas of every bit of legislation?
Mr Harrison: I realise that I tend to repeat the point rather frequently, but I think that the decision about the degree to which the system will be traditionally hierarchical in the normally understood sense of identity cards and the point at which it will split off and become federated perhaps for use by local authorities, education and health, to me that is a fundamental one and needs to be taken fairly early on and properly explained both to the population at large and to Parliament.
Q490 Mr Singh: Would it be possible to have a DNA sample on an ID card and, if you had a DNA sample, would you then need any other biometric measures?
Mr Haddock: It is technically possible to put both the mathematical model of the DNA structure on the card because that is a datafile. If you mean actually putting real DNA on the card, I guess that anything can be done. However, I think, from a practical point of view, the speed of the analysis of DNA is not compatible with transited borders where you need to identify people in two seconds.
Mr Fisher: DNA is just another biometric technique and there are a lot of biometric techniques being researched and developed right now.
Q491 Mrs Curtis-Thomas: I have two questions really and I go back to you, Mr Harrison, and also to Mr Fisher. Mr Fisher, you said something very interesting. You said that the card is going to be a necessity in the future. Well, it will be up to this Parliament to decide whether or not it is going to be a necessity here, but if the Government does not make it a necessity, what other organisations are clamouring for an identity card, other than the banks?
Mr Fisher: I stand corrected. I think all of this has to do with an evolving digital society where all our systems and processes become digitised whether we see them or do not see them, and with the speed of transaction, the ease of transaction and the costs of transaction brought about by the digital society, it means that a lot of it is automated, so in order for you to access, say, your money on-line or whatever, it will require you to be able to be authenticated in a way that is unique to you. The automated issue is very, very high, so there is no human intervention to recognise you and, therefore, if you do not introduce an ID card or authentication device on a system of some sort, you are going to have the private sector producing more elaborate means of authentication of individuals in any case, so in the time-frame that you have of until 2013, yes, instead of one general authentication device which is accepted and passed by Parliament, we are going to have a whole range of them, I suggest.
Q492 Mrs Curtis-Thomas: Mr Harrison, my question to you is about your federated identity architecture. You talked just a moment ago about hierarchies, but I am presuming, and I would like some confirmation please, that what you have in Italy is a federated architecture because it allows you to gain access to information in different government departments. Am I right in that?
Mr Harrison: I do not have very detailed knowledge of the Italian system, but given that the general novelty of federated approaches to the architecture of the systems and the fact that they only really started to be developed in the last couple of years, I would be surprised if the Italian system uses federation to a very high degree.
Q493 Mrs Curtis-Thomas: So is federated architecture an academic study?
Mr Harrison: Not at all.
Q494 Mrs Curtis-Thomas: So is it a reality and, if it is a reality, where is it a reality?
Mr Harrison: I think the first time it reached public attention was probably in 2001 with the formation of what is called the Liberty Alliance in the United States. That was an open standards group initiated by some microsystems and backed by a large number of consumer-based companies, such as American Express, Vodafone, Nokia, Ericsson and the like. There have been other standards groups, there are other standards groups and there is one backed by IBM and Microsoft. There is a third one put forward by Oasis which is a vendor-neutral industry standards body, but it has only started in the last two or three years. The particular thing that we do in Edentity is we have thought about the likely future of a federated approach and how it impacts on organisational and commercial models. Does that help?
Q495 Mrs Curtis-Thomas: It does help, but it does tell me that within the UK we will have a pretty difficult problem in terms of establishing an architectural fingerprint for each of those departments and then finding a linkage which joins them altogether. Is that a correct assumption?
Mr Harrison: I do not think there is any theoretical or technical difficulty. Federation is all about using the principle of individual consent to govern the sharing of data between different entities, be they in the public sector or in the public and private sectors. It does raise the question, the very important and difficult question as to whether the public sector should be regarded essentially as one organisation for data protection purposes, meaning essentially that they have a free flow of data between the different public sector entities, or whether, in contrast, the public sector should be regarded as a kind of federation, each comprising a large number of distinct legal entities where the individual has the right to give consent or deny consent for the transmission of information between different public sector entities.
Q496 Mr Taylor: Mr Harrison, this may sound frivolous, but it certainly is not intended to be. The Greek philosophers and geometers had a technique for testing arguments to destruction by taking them to a point where they became absurd. I would like to engage with you on the point because you seem, amongst our witnesses, to be the one who is most reticent about any form of compulsion. You have said, I think, more than once this afternoon that, as far as you are concerned, it must be a voluntary system. Do I understand you correctly?
Mr Harrison: Yes and no. We call the traditional approach to the architecture of identity systems the "hierarchic approach". Essentially, you have a top-down position of federation tokens and there are certain applications within society where that is unavoidable. I might mention passport, DVLA, tax, criminal records, probably the negative aspects of social care, et cetera, all of the things where the individual does not necessarily benefit from identifying himself to authority.
Q497 Mr Taylor: This is where I want you to join me in a sort of walk to the edge of the cliff. Suppose that levels of car crime in this country, suppose, had risen to an intolerable degree and suppose it became public policy to require people to produce an ID card to the specification which was otherwise only a voluntary system, but suppose the State or one of its agencies says, "The situation with car crime is that you must produce one of these cards to our specification before we will give you a driving licence or allow you to insure or tax your vehicle". Now, would that be compulsory?
Mr Harrison: In our view, in our definition, that would not be compulsory because the individual has a choice of whether or not to obtain a licence and drive a car.
Q498 Mr Taylor: Would any of you like to chip in on that or do you agree with him? For many people, Mr Harrison, in this day and age, having a car is actually essential, dare I suggest that as a proposition.
Mr Harrison: I would agree, sir, that the distinction between compulsory and voluntary is not a black and white thing and there is a significant grey area in the middle, but if you look at the extremes, I think they are quite clear.
Q499 Chairman: I wonder if I could draw this to a close by asking, I am afraid, another rather basic question to see if my understanding is right. All of the systems we have discussed have some sort of central database which has some biometric information on it which identifies me or you with the information that is on the database. Am I right in thinking that one of the distinctions between the approaches which have been advocated is that those that are the simpler systems will require far more verification of the biometric data than the more complex systems? In other words, Mr Fisher, you held up your barcode and it may be you, but it may be me and neither of us can know whether that represented you or me without testing our biometric data. Am I right in thinking that with the more complex card, it is more likely that that will be relied upon just for visual identification and, therefore, basic biometric checking will happen less often because the card is seen to have been a higher quality? I would like to know whether that assumption is right, but secondly, and this is quite critical to our whole inquiry, looking ten years into the future, are we actually looking to a future where we will not rely on visual identification, photographs on cards, but we will in any case assume tens of thousands of places around the country in all sorts of different situations that are able to iris-scan or check fingerprints or whatever the biometric data is? What is the world we are going to be looking at by the time that 80 per cent of the population have got these cards, according to the Government's plans?
Mr Fisher: I think it is entirely feasible to suggest that the future is a digital world which is highly automated with very few human interventions, manual interventions in the process of authentication and, therefore, the system will rely on you being authenticated in an automatic manner.
Q500 Chairman: How many readers of biometric information do you expect to be in place across the country in ten years' time, say, if I go to my bank, if I go to a railway station, if I want a ticket to a football match?
Mr Fisher: Absolutely. I believe that with transportation security, banking security, shops, access into shopping malls, that sort of thing, it is going to be very widespread.
Q501 Chairman: So rather than the model that one might have at the moment where some of our police stations, but not all of them, have on-line fingerprinting access to the database, that sort of thing will be pretty commonplace?
Mr Fisher: I think it will be very commonplace.
Q502 Chairman: Mr Haddock, do you share that assumption?
Mr Haddock: No, I do not. I think technology implementation has come a lot slower than planned in general. Do we have a paperless office yet? That was supposed to happen 20 years ago. Paper does not go away and I want a card that when I look at it, it is on the desk and I can pick it up and tell my face, my name, my fingerprints on it, so I know just at that level that it is my card and I can look at the optical media to see my embedded hologram, so if I put it in a reader, I can verify myself, so you need levels of identification and security for different aspects of society. For some general access of perhaps just walking through the bank door and as long as you have some sort of ID, it is okay, but to access your account, now you need to electronically validate it, so I do not think it is going to be a ubiquitous database in the sky and I sure as hell hope not.
Q503 Chairman: Mr Jebson and Mr Harrison, you are both interested in system design perhaps more than card technology. How quickly does the Government have to decide whether it is Mr Fisher's vision or Mr Haddock's vision for the future? How quickly does the Government have to decide in order for the entire project to go ahead or is it a decision which can be delayed until some way down the line?
Mr Jebson: No, it is not. I would say within the year. One thing I would add, and I think it echoes some of what has been said here, is that four years ago I was sitting in a committee discussing Smart cards and whether they were going to come out into the wide world or not and one of the major objectors at that point in time was the representative from the retail traders' association because he felt he was being forced down a path on behalf of his members of chip and pin. Sitting here as a citizen today, I am extremely unhappy that they have not implemented that already.
Mr Harrison: I think that the Government needs to make the decision about the overall architecture relatively quickly. It can then probably delay work on many of its implications for some time, but the longer it delays and the longer it fails to spell out the positive benefits of the card, the greater the risk of public rejection.
Mr Haddock: If you have the ability to call for evidence, one thing you might wish to consider is to call for evidence which gives you specific proposals on the costs and implementation plans of given architectures and have people come to present to you in real dollars, cents and time how much they think a given architecture which they can describe would cost you and how long it would take to implement it and have people tell you from their own expertise.
Chairman: We will bear that in mind for future evidence sessions. Thank you, gentlemen, very much indeed.