APPENDIX 10
Memorandum from Peter Tomlinson, Iosis
Associates
EXECUTIVE SUMMARY
The author submits that ID Card policy was developed
in relative isolation from technology information and expertise,
except for biometrics, and that that isolation continues - but
it is believed that tentative new outreach from other Depts has
recently started. The author concludes that the following are
still not addressed in the project:
real technical requirements of other
Departments of State and of the Local Government area; and
established government policy on
Information Assurance.
However, the author accepts that international
standardisation has not provided sufficient underpinning for the
ID Card project's vision, and then argues that the necessary expertise
and pre-standards documents are available but are being ignored
by the project and brushed aside at the standardisation level
by vested interests in continental European industry. UK central
government is largely seen as not assisting standardisation, and
is handicapped by procurement and internal departmental rules
when it tries to form technology partnerships with the private
sector.
SUBMISSION
1. The Committee states that it is charged
with examining the "expenditure, policy and administration
of the Office of Science and Technology and its associated public
bodies"[30].
2. The Home Office ID Card project is technically
an Information and Communications Technology (ICT) project. Much
of the design and implementation of such a project should therefore
be subject to engineering discipline.
3. In those areas of ICT where industry,
commerce and the public sector discuss the technology of secure
methods and participate in the development of international standards,
including topics in the use of smart cards in the hands of citizens,
the OST is not visible and does not participate.
4. The POST Report 200 on Government IT
Projects[31]
is the result of a study of IT, not of ICT. IT in government is
typically a configuration of servers, secure internal networks,
and client terminal systems. ICT:
involves a much wider network of
often insecure communications channels (in many cases this will
include communication across the public internet); and
incorporates stand-alone terminal
systems that may well connect to a variety of servers under the
control of many organisations.
5. UK central and local government, and
the European Commission, encourage the use of ICT to provide and
support services to citizens. For example in the UK:
Central government departments (eg
Revenue and Customs) provide, through the Government Gateway firewall,
a growing number of on-line services accessible across the public
internet.
Local Government, encouraged and
supported by ODPM, has implemented on its web sites a number of
transaction services as well as providing information, and is
slowly adopting smart card technology.
DfT (and its predecessors) has supported
an initiative intended to introduce seamless electronic ticketing
in public transport, albeit not without some significant difficulties.
6. ICT has been rolling out since access
to the internet became widely available. First to take it up in
volume were commercial organisations that could afford the relatively
high communications costs, and more recently it is available to
most of the UK population[32]
and to almost all businesses.
7. Standardisation in ICT has developed
apace through two routes:
the community of internet service
providers; and
formal international standardisation
and pre-standardisation bodies.
The two sets of standards and specifications
are now seen to clash with each other.
8. Within the formal standards bodies, the
UK DTI has long been promoting and supporting the development
of one very relevant work area: information security standards.
These were first developed for IT and more recently for ICT [1].
However, the DTI has delegated many other areas of standardisation
to BSI, and in particular all responsibility for standards related
to smart cards. BSI has in turn delegated all responsibility for
smart card standards to the bankers via their association APACS[33].
The result is that, apart from some admin and expenses support,
there is no DTI involvement in standardisation of secure token
technology and associated transaction methods, and the ISO/IEC
17799 User Group[34]
is largely concerned with the security of centralised IT systems.
It has been left to ODPM to move forward in the understanding
of ICT in government (particularly of course in local government),
but there is no consistent support for standardisation from that
source[35] and
OST has not been visible there, either.
9. Internet technology standardisation is
in the hands of an international co-operative of Internet Service
Providers and suppliers of the technology that they use. The results
are pragmatic, directly informed by practitioners, and contribute
greatly to the making of a market in the hardware and software
systems used within the internet.
10. The EC has invested considerable sums
to aid the understanding, development and demonstration of ICT
and in particular of methods using smart card technology. They
see the technology as a way for the public sector to improve service
delivery at the same time as becoming more efficient. However,
for secure transaction technology the EC wanted "solutions"
but overall found that the standardisation funding enabled the
production of mostly components that do not fit together well.
Components from different suppliers, while standards compliant,
are too often not interchangeable or interoperable[36]
and generally do not contribute to the development of adequately
secure services. From the UK, the participation in these programmes
has largely been by individuals and SMEs - but we do not have
a large scale or coherent smart card or secure transaction system
provider industry in this country; it is the French and Germans
that dominate, with the Dutch not far behind.
11. Overall, I conclude that OST has not
participated in the development of technology for ICT for public
sector service delivery to citizens. Thus an important guiding
hand for the public sector is missing from this area.
12. The author of this submission was alerted
to the S&T Committee's request for submissions by way of an
email from the S&T Committee office that was forwarded by
the Smartex Group, a group of companies operating (albeit on a
commercial basis) a set of Forums where industry, commerce and
the public sector can interact on ICT and secure token topics.
The email set out specific questions[37]
of interest to the Committee. The remainder of this submission
addresses those specific questions, but first some introductory
statements.
13. In para 10 above is a note that the
EC wants "solutions". One has to ask: At what level?
I contend that ICT is an enabling technology, not an application
level set of solutions. But if developers of ICT components and
methods do not understand their actual and potential customers,
their component and system level solutions will either fail in
the market, or, if (as is the case with most of the UK public
sector[38])
the customer is not sufficiently informed, the market will stagger
along without fulfilling its potential and the customer (and the
end users) will not be satisfied. The technology has to be flexible,
particularly so in the case of the UK public sector (see POST
Report 200 about changing requirements), and therefore has to
be decoupled from the requirements of any particular customer's
programme while at the same time generalising from them.
14. The public sector should work in compliance
with international and national standards. Too often UK public
sector procurements and operational contracts with ICT content
do not require compliance with Information Security standards,
or with Quality standards (ISO 9000 series and sector specific
derivatives), including not requiring compliance with stated government
policy on Information Assurance (see [5] to [12]). That has significant
adverse consequences for both service delivery and suppliers - and
it indicates that risk (the "Treatment of risk" topic
in the No 9 Announcement) is not being handled at all well. A
2005 initiative to set up a Local eGovernment Standards Board
has failed to gain funding from ODPM. While all of that is a topic
in its own right, it does lead to a more general point that was
confirmed by Ian Watmore (then eGU CIO) at the e-Government Conference
in Sheffield in May 2005: procurement by the public sector of
ICT systems and services is today largely in the hands of people
without expertise in this technology area, whereas until the early
1990s public sector purchasers of IT systems generally had the
expertise or were required to obtain it from a public sector source.
There are some similarities today with the problems that small
companies had 25 years ago when trying to purchase or lease reliable
photocopiers suited to their real needs.
15. My experience and awareness of industry
involvement in the ID Card project is mainly from the point of
view of SMEs and individual expert consultants. We have considerable
contact with central and local government personnel and programmes,
as well as amongst our own network of businesses and individuals.
We also have some contact with large IT suppliers and consultancies,
but that does not usually result in any exchange of information
beyond realising that a number of the larger UK businesses who
are or claim to be active in this area have very little expertise
in ICT and in particular in the use of secure tokens (usually
in the form of smart cards) as vital components in secure systems.
16. Was there sufficient certainty about
the technology when the policy was drawn up?
17. When the current Govt ID Card policy
was introduced, it appeared to be very straightforward:
ID Cards will be introduced, first
on a voluntary basis.
The cards will be smart cards.
A new population register and database
for citizens (and some others) will be created.
Citizens (and others) will be registered
and entered into the new database, using a new process, before
being issued with an ID Card.
The cards will be useable in transactions
with the public sector, in order to verify the identity and, where
appropriate, the entitlement, of the person carrying the card.
Transaction records of card holder
activity, as evidenced by use of the ID card to access the verification
system, will be kept in a database.
18. If that policy is to be implemented
as a single centralised scheme with dedicated terminals and a
private network (an intranet in today's technology), then, apart
from the biometric methods included in the policy, the core system
components follow a now classical secure ICT system architecture:
Registration method used to populate
a database and issue cards.
Communications channels.
19. The author of this submission is not
a biometrics expert, and therefore that technology is not addressed
here, although some information received in industry seminars
is referred to.
20. That, apart from the biometrics, a centralised
scheme such as is outlined above could be implemented at the time
that ID Card policy was drawn up, and done so securely, was certain:
The Mondex project demonstrated by
1995, to the satisfaction of GCHQ, that smart cards in the hands
of citizens could be used in a secure manner (in the Mondex case
this is for storage and transfer of funds within the money supply).
Database methods, scalable to global
scale, were commercially available.
The banks have had for some time
a secure (but expensive) network of ATMs, and another secure (and
global) network for inter-bank money transfers.
That suitable secure, dedicated terminals
could be developed and produced at acceptable cost was demonstrated
by commercial interests in the USA (Wave Systems) and by a consortium
of bankers and industry in France (a development that led to the
FINREAD specifications [2] via EC grants).
21. The difficulty was that such a classical
system architecture did not fit even central government requirements.
Other departments of state were asked how they would use the ID
card in their own transactions with citizens, and soon discovered
that no provision was being made for linking their own systems
into the central verification scheme, or for dealing with the
legal and constitutional consequences. On that second point, it
appears that a patient attending at a Health Centre would be asked
for a Health Card (a programme being developed by DoH) and an
ID Card: the Health Card would be inserted into one terminal and
the ID Card would be inserted into another terminal. The ID Card
system would then be responsible for telling the doctor (or receptionist)
whether or not the patient is eligible for NHS treatment, whereas
the DoH wants their system to make that decision[39].
22. Rephrasing the question:
Was the technology for a network of secure
systems, using a secure token in the hands of the citizen and
widely deployed secure functions in PCs used as terminals, developed
at the time that govt policy was made?
23. Again, biometrics are excluded from
the answer.
24. No: the relevant technology was at the
modelling stage in the e-Europe Smart Cards 2003 programme,[40] but
EC funding stopped in 2003 and industry has not picked up the
baton. Other countries, particularly Japan, have made some progress
since 2003. The USA has attempted to define secure methods, initially
for the CAC[41]
programme and more recently as a prelude to the Federal employee
and civilian contractors secure access programme,[42] but
they have not so far succeeded in developing satisfactory networked
methods.[43]
25. A correspondent[44]
tells me that, at a 14 February 2006 e-Government Forum in Westminster,
Andy Burnham MP (Home Office) said that some detailed decisions
about technology are still to be made. Would that this could be
done in an open forum.
26. To what extent did the status of technology
influence the Government's policy development?
From my point of view it is impossible to answer
this.
27. Which sources of evidence were used when
the policy was developed?
I can only answer this in the negative: to my
knowledge, none of the people with whom I have been in contact,
in both public and private sector, were (except in biometrics
and perhaps in OeE's security partner CSIA) consulted by Home
Office during policy development prior to mid 2005. That there
were meetings at which HO was present and independent experts
were also present is not disputed, but these were not HO consultations.
28. Will performance levels of technology
be established far enough in advance?
29. If the simple architecture set out above
is implemented, performance levels (except perhaps for biometrics)
are already known from schemes in other countries. In the biometric
field, information made available in industry seminars suggests
that performance levels are now known, but that only expensive
equipment (costing an order of magnitude more than the HO's £750
per terminal to purchase and properly install) will provide adequate
performance, and only then when managed and operated by skilled
staff.
30. If a true distributed network is required,
it will not be possible to re-engineer public administration within
the ID Card project timescale, and linking together the systems
of the many departments of state, together with local govt, is
still an unknown quantity. That is not to say that we could not
now plan the architecture of a staged identity management system
that could quickly be of use to many public sector bodies.
31. What mechanisms are in place for feeding
ongoing developments in technology into the plans for policy implementation?
32. Apart from biometrics, none. Encounters
with some large systems implementors suggest that the procurement
process inhibits such feeding in of developments. Specialist secure
systems suppliers who wish to participate in this type of project
are all offering proprietary technology, and there is no forum
for them to work as a group with Home Office on common interface
specifications. International standardisation is not producing
specifications directly applicable to the real multi-authority
secure transaction methodology requirement of the project, in
part because the UK does not fund or organise the necessary participation.
At the UK SME and individual consultant level, HO started in 2004
to attend Working Groups hosted in both public and private sectors,
but in general (again I exclude biometrics) the HO attendees are
not experienced in secure systems and smart card technology or
in the management of technology, and the encounters have been
at best barren.
33. For example:
(1) DfT-sponsored Transport Card Forum Working
Group 14: HO representatives have attended several meetings. At
one meeting a person from the HO's team of consultants from PA
was present, and she admitted that there were no smart card specialists
in the PA team.
(2) eGU Smart Card Working Group (govt representatives
and invited consultants) determined, by the time of its last meeting
(Feb 2005), that:
there was no route for other
public sector bodies to feed requirements into HO policy;
eGU had no money to develop,
and no authority to enforce implementation of, a detailed specification
for cross-departmental identity management (although later in
2005 eGU did gain some funding, and has worked with ODPM on the
Government Connect project[45]).
34. eGU SCWG was to a limited extent a useful
peer group mechanism, but it seems that eGU attention moved back
to single schemes and systems rather than cross-department collaboration.
It should be noted that attendance at SCWG by independent experts
and consultancy companies was not funded, yet eGU was clearly
in need of expert assistance.
35. What is the role of international co-operation
and advice?
36. Within the European Commission there
appears to have been a disagreement on how far the Commission
can mandate features of a smart card ID Card. Legislation gives
each Member State the responsibility for the design of any ID
Card that they wish to issue, but some argue that the EC can and
should mandate the electronic content. In the end the Commission
has made no pronouncement, and thus there is no Directive on electronic
content (including security).[46]
37. CEN Technical Committee 224 WG15 is
developing a European Specification for a Citizen Card - it
turns out that this is an ID Card specification. However, the
work is dominated by French and German commercial interests and
suffers from the general problems of standardisation in this field:
too many options, no work on system level security and risk management,
the clash between internet specifications and smart card standards,
and acceptance of insecure PCs as terminals with no provision
to mitigate their insecurity.
38. As noted in para 24, the eESC 2005 programme
was not funded, and it did not proceed. It intended to have information
security and e-ID (use of secure ID across the internet from home
and office) as major topics. However, a small number of the earlier
eESC participants are attempting to operate a global e-ID forum.
39. Countries around particularly the northern
hemisphere have ID Card programmes, and the USA has its federal
programme (para 24), but these appear to be developed in isolation,
despite promises of interoperability.
40. Has the cost of the technology been accurately
estimated?
41. No, not even for the basic central scheme
and dedicated terminal architecture - this is primarily because
of the biometric technology being under-developed, partly because
procurement rules prevent accurate price estimating, and I suggest
partly because there is no real scheme design available and no
experts employed on costing.
42. The more general networked development,
involving alignment of databases across multiple central government
departments and with local govt (a core part of general administrative
process re-engineering) is, I believe, just now beginning to be
discussed between ODPM and eGU. Costing is a long way away.
43. To what extent has the Government invested
in R&D to enhance the understanding of the technology and
to further develop the technology itself?
44. Direct investment: None that I know
of (but then I'm not involved in biometrics work).
45. Indirect investment: UK contributes
to EC funds from which grants are made to R&D and technology
projects. However, EC funds have since 2003 largely moved away
from projects relevant to public sector ICT.
46. Government Connect (ODPM funded [4])
intends to move into e-ID and will have to consider R&D in
this area, but it is currently concentrating on secure email for
local govt officers and outside organisations with which they
work when handling personal information (eg in social services,
where I have personal experience of the current use of insecure
email).
47. The author
The author of this submission is an independent
consultant in ICT strategy and secure solution design, with particular
interest in smart cards and associated secure terminal equipment.
He has contributed to several European pre-standardisation and
standardisation projects in this area, and was contracted in 1999-2000
to carry out a technical edit on the UK Government smart cards
Modernising Government Framework [12]. He has also been a Director
of the ITSO[47]
management company, and is currently consulting on a public sector
travel concession pass project compliant with the ITSO specification
and method. During the 1990s he managed a company providing technical
services to the Mondex e-money card project and related banking
projects.
February 2006
48. REFERENCES
1. BS 7799-1 and -2, and more recently their
international successors ISO/IEC 17799:2005 and ISO/IEC 27001:2005
(BS 7799-2:2005); also BS 7799-3:2006.
2. www.finread.com, plus continuing work
in the Global Platform consortium www.globalplatform.org
3. Global Interoperability Framework (GIF)
for Identification, Authentication and electronic Signature (IAS) - see
Volume 3 of the Open Smart Card Infrastructure for Europe (OSCIE),
available at www.iosis.org/oscie.
4. Government Connect www.govconnect.gov.uk
The following UK policy documents are catalogued
at a series of web pages starting at http://www.govtalk.gov.uk/archive/archive.asp?librarydocs=5
5. Security - e-Government Strategy
Framework Policy and Guidelines Version 4.0.
6. Assurance - e-Government Strategy
Framework Policy and Guidelines Version 2.0.
7. Registration and Authentication - e-Government
Strategy Framework Policy and Guidelines Version 3.0.
8. Trust Services - e-Government Strategy
Framework Policy and Guidelines Version 3.0.
9. Network Defence - e-Government Strategy
Framework Policy and Guidelines Version 2.0.
10. HMG's Minimum Requirements for the Verification
of the Identity of Individuals.
11. HMG's Minimum Requirements for the Verification
of the Identity of Organisations.
12. Smart Cards Framework: Modernising Government:
Framework for Information Age Government: Smart cards.
30 Note to editors at end of S&T Committee No
9 Press Notice.
31 July 2003.
32 Most of those who do not have internet access at home can now
easily find Local Authority internet rooms, terminals in educational
institutions, public kiosks, and internet cafes; also mobile phone
technology is crossing over to internet services.
33 APACS is currently recruiting a new head of standards, as their
long term holder of that post has moved on to "special projects".
34 That User Group's Secretariat within DTI is distributing its
material on paper by snail mail, instead of using email.
35 Except in one important respect, the ODPM National Smart Card
Project became more of a "learning on the job" project
for local govt officers rather than a serious set of specifications
and guidelines for the deployment of ICT and citizen service smart
cards; support for most of the documents produced has now ceased;
the important output is a smart card management system and a data
map on one type of smart card - for more details contact Bracknell
Forest District Council, or Richard Tyndall richard.tyndall@mouchelparkman.com
(Programme Manager).
36 Interchangeable means that similar components from different
suppliers can substitute for each other; interoperable means that
a component from one supplier will always work correctly across
the network in conjunction with another system, no matter who
supplies that other system or its components.
37 See Annex to this submission.
38 Acknowledged by Ian Watmore at the May 2005 Sheffield e-Gov Conference.
39 Hot off the press is a 21 February article in Computer Weekly
reporting a new initiative in linking departmental systems:
"A cross-government committee has begun developing a technology
roadmap that will allow local authorities to build ID card checks
into their websites . . ." http://www.computerweekly.com/Articles/2006/02/21/214300/IDcheckstogoonline.htm
40 The author of this submission was editor on the modelling project
(OSCIE GIF) - see [3].
41 Common Access Card: US military ID card.
42 Mandate issued by President Bush in August 2004: Homeland Security
Presidential Directive-12 (HSPD-12).
43 Discussion with USA representative during Plenary Meeting of
the MMUSST CEN/ISSS pre-standards Workshop http://www.cenorm.be/cenorm/businessdomains/businessdomains/isss/activity/ws-mmust.asp
or www.mmusst.org.
44 Mick Davies, who is associated with the Sheffield e-Gov Centre
of Excellence and is Chair of LASSeO (Local Authority Smart card
Standards eOrganisation, a voluntary group).
45 Some information can be found at [4], but the major secure development
is the enhancement of the Government Gateway to provide secure
identity management by means of a PKI.
46 However, there is a Directive on electronic signature, which
mandates use of a smart card as the Secure Signature Creation
Device. The current HO ID Card project does not require electronic
signature, but other departments may wish to use it as they learn
from the experience of other EU countries.
47 Integrated Transport Smart card Organisation, responsible for
developing and managing the specification and support services
for the DfT-sponsored and mandated electronic ticketing method
for public transport www.itso.org.uk