APPENDIX 16
Memorandum from Professor Anne H Anderson,
University of Glasgow
"SCIENTIFIC ADVICE, RISK AND EVIDENCE: HOW THE GOVERNMENT HANDLES THEM"
1. I welcome the opportunity to provide
evidence to the committee as it deliberates this topic and the
case study of the technologies supporting identity cards. I note
that to date the committee has received little evidence regarding
social science. I also note that the Home Office has indicated
that they have made extensive use of "social science studies
have been used extensively to guide the decision making process
within the programme:
Research has been used to guide scheme
design on issues such as price acceptability and acceptable customer
time commitment.
It has also been used to support
business case assumptions on volumetrics and likely customer behaviour.
From a marketing perspective social
science has also been used to guide the external marketing strategy
by ensuring it is developed to address the public's issues and
concerns.
The mechanism for incorporating the result of
social science work into the programme is predominantly a robust
change control process. Assumptions are validated through research
and when the research rejects a current assumption a change request
is raised. All our marketers on the programme are also thoroughly
briefed on the research findings and provide direct support into
different work-streams. As such, they will share the findings
across the programme".
2. Although this input from social science
may well have been valuable to the Home Office with reference
to the development of the National Identity Scheme, it is a narrow
perspective on social science and where the social sciences could
be used to improve the scheme.
3. I direct a major research programme (PACCIT)
with leading academic researchers from the social and computing
sciences in universities across the UK. When the research councils
and the DTI committed to fund the PACCIT initiative they did so
in the recognition that IT systems often fail to deliver their
intended benefits because the systems have been designed with
a lack of understanding about the users' needs and the context
of use. Good multidisciplinary research drawing on both social
and computing science is needed to help overcome these problems.
From my knowledge of the development of the National Identity
Scheme, there is a real danger of both of these problems. The
challenges of implementing the various biometric technologies
have been the focus of concern, and it appears that less attention
has been given to the challenges of how to design and implement
the system in ways that are usable, useful and appropriate.
4. If the further development of the scheme
is to be successful, it will be important that the Home Office
draws on expertise from a suitable range of expertise from social
and computing science to ensure the National Identity Scheme is
designed and implemented to meet these criteria. The specification
for the system and the trials of the proposed technologies referred
to in oral evidence to the Committee on 22 March 2006 must be
broadly scoped to include not only the technologies in isolation,
but the system as a whole. Sufficient time must be included to
refine the design in the light of evidence from realistic trials
of the system in operation. It will be important to ensure that
the relevant expertise is available to gather and analyse this
data on the whole system performance. The Home Office may need
to engage independent experts to help evaluate the trials and
help feed the information back in to the process of refining the
design.
5. One important aspect of this process
is the enrolment process. The performance of the various biometric
technologies per se is important, but it is the performance
of these technologies in the varied intended enrolment settings,
with the staff who are likely to be operating the systems, with
the range of likely potential customers, that is key. The Home
Office state they have taken some advice from social scientists
about the "acceptable customer time commitment". In
addition the trials will need to consider and monitor the complete
customer and staff experience of enrolment, to ensure the system
works in an efficient and acceptable way, or to determine what
alterations are needed to make it do so.
6. The need for such considerations can
be illustrated with reference to the information and case studies
provided on the Home Office website (www.identitycards.gov.uk). The site
includes information about how the ID card will work in practice and
lists a wide variety of organisations that are expected to use
the scheme to check the identities of their customers. These range
from banks, Royal Mail, universities, airlines, vehicle and property
rental companies, retailers of all kinds including internet based
companies, libraries and video/DVD rental companies. A moment's
reflection on these very different contexts of use, highlights
the design challenges this very varied set of requirements presents.
The Home Office web site acknowledges in its illustrative everyday
examples, that these kinds of organisations will need different
levels of security but the different contexts require more consideration
than this.
7. One of the complications in designing
and implementing an effective National Identity Scheme, is first
identifying who are the prime "users" of the technology,
whose needs the scheme should be designed to serve. Some of the
benefits described by the Home Office are described in terms of
benefits to the customer, in terms of the speed and efficiency
with which they can establish their rights to certain services.
In the examples however the focus seems more on the needs of the
service provider to check identification. This may reflect the
nature of core Home Office responsibilities for services such
as crime and immigration, where the "customers" and
their needs are not particularly salient. The important point
is that the design specification that may emerge from this standpoint,
may not lead to appropriate or acceptable solutions in other areas.
8. One of the case studies illustrates this,
and the point made by Professor Thomas in his oral evidence to
the committee on the need to distinguish between authentication
and identification. (3/5/06 response to Q489). To use the ID card
to prove you are old enough to buy alcohol or obtain an over-65
discount, you need to establish that you have reached the legal
age. You do not as the case study describes, need to have the
shop assistant confirming the customer's identity or date of birth.
Many people would regard the latter as an invasion of privacy.
The key point I want to make is that the Home Office needs to
be more sensitised to these social concerns and ensure that the
system is designed to ensure what the European Courts are defining
as "a reasonable expectation of privacy". This sensitivity
needs to extend to scoping the system specification appropriately.
The card should not make available to service providers more information
than they genuinely need. So for example the card might indicate,
without the need to access the database, that someone is over
18 but not their date of birth.
9. The list of potential users of the scheme
includes "retailers of all kinds" which again has some
worrying implications for privacy as well as raising similar design
challenges. In many cases all retailers require to know is that
the customer has the means to pay for the goods or services. The
identity of the customer might be very valuable information for
retailers for marketing or customer profiling but the system should
not allow access to more information than is needed. The Home
Office web site provides assurances that identity checks can only
be conducted with the customer's consent, and that these checks
will simply confirm "your identity or other known facts,
such as your address details from NIR". The scope of the
"other known facts", and to whom they are made available,
needs careful consideration. The design of the system has to ensure
that even when consent has been given, the system allows access
to the minimum necessary information. The very wide variety of
potential contexts of use, make this design requirement essential.
10. Multiple Identities. In social
science it is acknowledged that we all have multiple roles and
identities. We are parents, employees, spouses, citizens, sufferers
from various illnesses, football fans, opera lovers, recovering
alcoholics etc etc. We quite legitimately might wish to keep these
roles and identities separate. Both English and Scots Law allow
individuals to be known by a variety of names. For some individuals
this is not just a matter of personal preference but a very serious
matter. To take just three examples, for women leaving abusive
relationships or for individuals being stalked, or for celebrities,
apparently innocuous identity information about name(s) and addresses
may be very sensitive. If such information has to be revealed
and verified in a wide range of service encounters from libraries
to video rentals to travel agents, serious invasions of privacy
may occur. The design and implementation of the National Identity
System must be flexible enough to protect information individuals
consider sensitive or to allow other forms of verification of
entitlement to services.
11. IN SUMMARY
The National Identity Scheme is a very challenging
project. It is a complex socio-technical system and to be effective
will require that the Home Office considers the social as well
as the technical dimensions. The effective design and implementation
of IT systems requires among other things, an understanding of
the users' needs and the context of use, and this information
needs to feed into the design of the system. At present the Home
Office may not be very well connected to sources of independent
expertise on the social and computing sciences, which could be
useful in helping them scope the requirements of the proposed
system. The design of the system should ensure that the system
respects the privacy of individuals, and enshrines the "reasonable
expectation of privacy". The design should support the distinction
between authentication and identification and should allow service
providers to access only necessary information. It will be essential
to conduct substantial and realistic trials of the system. These
should be independently evaluated, including in terms of the customer
and staff experience. The data should feed into refinements to
the proposed system.
12. The views expressed are my own. Some
of the concepts in this evidence emerged from discussions with
colleagues on the DTI Foresight Project on Cyber Trust & Crime
Prevention, (see R Mansell & B Collins (Eds) Trust and
Crime in Information Societies (2005). Edward Elgar: Cheltenham)
and the Royal Academy of Engineering Working Group on Dilemmas
of Privacy & Surveillance (report to be published this
year).
June 2006