Examination of Witnesses (Question 540-559)
DR TONY MANSFIELD, DR JOHN DAUGMAN, DR EDGAR WHITLEY AND PROFESSOR ANGELA SASSE
3 MAY 2006
Q540 Chairman: Is it achievable,
as well?
Dr Mansfield: The different biometrics
are kind of there for different purposes. I think if we have an
identity document we would want it to look like a traditional
identity document and, indeed, to be used as a passport within
Europe. That implies it should have a photo on it which means
you are collecting face biometrics. Also you may be using finger
prints as a primary biometric to establish a unique identity.
Moreover, you may want a third biometric so that citizens that
have an identity card, a wide variety of citizens, are able to
biometrically prove their identity. If some people have difficulty
finger printing, they can use iris instead. The fact there are
three biometrics does not necessarily mean they have to be fused
in a very complicated way and add a lot to the complexity of the
scheme. Some of the things are there quite naturally; some are
there to give an element of choice.
Dr Daugman: The role of substitution
opportunity is clear; some people may lack eyes or fingers. The
fusion is a much more subtle issue because, if you combine a strong
biometric with a weak one, for example, the face is a very weak
biometric, in a certain sense you can end up with a performance
that is intermediate between the two, in other words, averaged,
in other words, inferior to what you would end up with had you
used only the stronger biometric. Now, there are ways to fuse
stronger and weaker biometrics to improve performance, that is
a subtle mathematical point, but I believe as currently expressed
the goals of the Home Office do not contemplate fusion but more
substitution.
Q541 Dr Turner: Is that absolutely
clear, that fusion is not involved?
Dr Daugman: I have seen correspondence
from Katherine Courtney to that effect. For example, iris has
the unique ability to make vast database searches without making
false matches, but it is not necessarily the easiest to use. Face
in a sense is the easiest thing to present; it is just not very
discriminating; so to search for detection of multiple identities
in the clean, new database register would be the main role for
iris, not every time you want to use a credit card. You see, if
you combine biometrics at decision level in a certain sense you
are using either an "or" rule or an "and"
rule. The "or" rule says you should pass either of my
tests. In that case the false match rate gets worse; the false
reject rate gets better. The "and" rule says you must
pass both my tests. In that case the false match rate gets better,
and the false reject rate gets worse. So there are subtleties
about the two different types of errors that can be made in the
biometrics and the desiderata of fusion schemes.
Q542 Chairman: Do you basically agree,
both of you, with that assessment?
Dr Whitley: In terms of what?
Q543 Chairman: That (a) we are not
looking for fusion, and to be fair the Government has not said
it is going to have huge technologies, but we are looking for
three biometrics which give you alternatives within the recognition
system.
Dr Whitley: Except of course that
if you are going to be using biometrics at the front line rather
than for enrolment then saying you are going to have either finger
prints or iris (probably not face) for a reasonable
security risk, then that means you are going to have to have two
different sets of readers which, again, has cost implications
and practicality implications.
Professor Sasse: For the individual
it does have implications. If you have to enrol on three biometrics
rather than one the enrolment time goes up. Also potentially I
have seen in the past that particularly people who do not use
the systems frequently easily get confused between face recognition
and the iris system and they end up presenting their face to the
iris system and vice versa.
Q544 Dr Iddon: John Daugman, iris
recognition is controversial, is it not?
Dr Daugman: I do not think it
is particularly controversial, no. There is a lot of misunderstanding
about the eye. A typical argument against iris recognition goes
as follows: the iris is part of the eye; the retina is also part
of the eye; oh, look, here are some conditions and diseases that
may affect the retina, therefore iris recognition will not work.
That was the general thrust of the LSE objection to the scientific
feasibility of the iris biometric, so clearly that is based just
on an elementary misunderstanding about the parts of the eye.
For example, cataracts affect the lens of the eye which is behind
the iris and in front of the retina, so cloudiness of the lens
and cataract would interfere with retinal imaging but certainly
not iris imaging. That was one of several such elementary misstatements
of fact that occurred in the LSE report and in the public and
in the media.
Q545 Dr Iddon: What about biological
changes in women, for example?
Dr Daugman: Yes. MPs have made
a number of groundless statements, for example, that women who
are menstruating cannot use iris recognition.
Q546 Chairman: Excuse me, John. We
made that assertion because we heard evidence in the US to that
effect. It was not something that MPs made up. It was on the basis
of evidence which we had in the US.
Dr Daugman: I would love to know
the nature of that evidence. I do not know what model of menstruation
involves the iris. Likewise there are assertions that looking
at an iris camera will give you an epileptic fit. These are speculations
which have a history of rising in their credibility because what
is introduced as a speculation in one report, or document, including
US Government documents and the GAO report, become promoted to
the status of facts in the next report, and
Q547 Dr Iddon: Are you saying there
is no scientific evidence for these biological changes? When a
woman becomes pregnant, for example. It is not just menstruation.
Dr Daugman: I have done considerable
investigation into this question over the last 10 years, the question
does the iris change, and there is a lot of history I can tell
you out there. There is currently no scientific evidence that
I am aware of that supports the view that the iris changes over
time. Now, there is a cult practice called iridology which is
similar to palm reading, it claims to be able to assess the state
of health of each organ in your body as well as assess your personality
and your interpersonal compatibilities and, indeed, predict your
future. That is, of course, hocus pocus and there are six or seven
published scientific studies by medical groups that bothered to
try to take it seriously and do double blind studies, and their
articles are published in journals like the British Medical
Journal and the Journal of the American Medical Association
with titles like Looking for Gall Bladder Disease in a Patient's
Iris.
Professor Sasse: My title is Professor
of Human-Centred Technology so if people are concerned about some
of these issues then I will just turn around and basically say
that there is no scientific evidence; it is hocus pocus, and dismiss
it. In some parts of Europe there are parts of the medical establishment
and there are certainly lots of people who believe in alternative
medicine and found that it has helped them. Therefore, there are,
of course, concerns basically that, if their iris image is stored
in a database that the Government has access to, this might have
implications, say, for medical treatment you can get or being
selected or omitted from certain jobs, or whatever. I think it
is quite hard, and not right to just go and dismiss these things.
There is more of a process that has to take place. Similarly,
I have spoken to some doctors who basically say that they can
see changes in the iris. I cannot say they are right or wrong,
but there definitely is a belief and it is not useful to dismiss
these things out of hand. The other point is this confusion between
the retina and the iris, which is something that is confused by
the general public. Quite forgivable because they are both called
a scan even though they are quite different technologies, and
what the user sees is this light beam coming out of it, and they
get confused and think their eye is being scanned, when all that
happens is this beam illuminates the iris to make sure you take
a good enough photograph. But I think the manufacturers of these
systems do themselves a disservice by calling it a scan which
keeps furthering this misconception between the two.
Dr Mansfield: We have run evaluations
of biometric technology and we have not observed any such thing
with menstruating women or whatever, so it is unlikely to be a
direct cause and effect. There may be other issues which are associated
with a particular person which meant they had difficulty in using
a particular iris scanner, or were in a bad mood and would not
co-operate on a certain date, or whatever. So there is no reason
why iris recognition technology should have such an effect.
Chairman: It would not affect MPs!
Q548 Dr Iddon: Tony, you said facial
recognition was not a feasible option, yet the Home Office appears
to be pursuing this line of inquiry. Why?
Dr Mansfield: We said face recognition
was not a feasible option for identifying one person in the national
population, and that is fairly obvious when you consider identical
twins, where one would appear very similar to another. But if
you have a passport you are expected to have a face image on the
passport to meet with international requirements, if your passport
is going to be usable. Therefore, it is natural that faces would
be collected and would be one of the biometrics within an identity
card scheme.
Q549 Dr Iddon: Angela, we have not
mentioned so far this morning the societal impact of any scheme
that might be introduced with identity cards. Do you think the
Home Office has done any or even sufficient research on the societal
impact of an ID scheme?
Professor Sasse: I think they
did become aware of the issue during the Home Affairs Select Committee
investigation. There were basically several submissions that pointed
out that there is a certain part of society where people have
complicated lives, that there are people who could not very easily
go to enrolment centres and so on, so, yes, they certainly did
start to engage with that issue. I am not sure that really in
every detail the impact on various individuals in society has
been considered thoroughly enough.
Dr Whitley: I have just a quick
illustration. At the Westminster e-Forum meeting on 14 February
there was a speaker from a mental health charity[5]
pointing out that if you have mental health problems and schizophrenia[6]
and are concerned about government, being forced to enrol in a
government-controlled database is clearly not going to be very
beneficial for you.
Q550 Dr Iddon: So what do we do about
this?
Professor Sasse: Similarly another
example is that doing the UKPS trial it became quite clear that
certain groups of disabled people have significant problems with
some of the technology, but I have just been approached, for instance,
by the RNIB who say that from this report they cannot work out
what exactly the reasons for it are and yet this charity, for
instance, is not able to investigate in more detail exactly what
the problems are and how the systems should be developed. So there
is a bit of a lack of depth and a lack of following-up on problems
that have been discovered to see how they could be overcome.
Q551 Dr Iddon: So is anybody pursuing
any research in this?
Dr Mansfield: From my current
involvement with the ID cards programme, I am aware that some
of these problems are being followed up.
Q552 Chairman: By whom?
Dr Mansfield: By the Home Office.
Dr Daugman: I am working with
three ophthalmology groups investigating those questions about
whether individuals who have visual impairments have difficulty
with iris recognition. Those are the RNIB, the Manchester Eye
Hospital and the Edinburgh Eye Hospital. I have arranged for equipment
to be made available to them so they can conduct that research.
Q553 Dr Turner: Can you give me your
views, please, on the risks involved in this project, and do you
think that the Home Office has considered them seriously enough?
Dr Mansfield: In 2003 I was at
a risk workshop[7]
at an early stage looking to try and identify the risks and possible
mitigations. It is certainly well aware of the risks and is identifying
and trying to manage risks. The risks I would say are probably
because it is a very large project, a very large procurement,
of which biometrics is just one small part. There seems to have
been a focus on the biometric element as being the most technical
and perhaps least understood element of the whole scheme, and
to my mind assuming that is where all the risks lie is totally
incorrect.
Dr Daugman: In April of 2004,
about two years ago, an important study called The Challenges
of Complex IT Systems was published by the Royal Academy of
Engineering in co-operation with the British Computer Society.
That is a substantial document that tries to understand both why
complex IT systems have in the past sometimes failed and it also
charts the progress internationally of the failure rates, which
have improved quite a lot in 10 years. That document, together
with other significant documents on risk assessment, is a big
part of the brief that has been given to the members of the Biometric
Assurance Group.
Q554 Dr Turner: Presumably there
has to be a risk that biometric data can be falsified, or at least
stolen and attributed to the wrong person, especially if a successful
potential hijacker, for instance, were to hack into the database.
How certain can any of you be that those highly dangerous risks
cannot happen?
Dr Daugman: CESG within GCHQ have
a substantial research programme in this area. I am assisting
them in assessing the security risk. You have to distinguish between
two kinds of replay attacks; the digital one, which involves hacking
into the database, trying to steal or decrypt a secret part of
the database, and the other is an analogue replay attack by putting
on a latex gummy finger print, for example. Those have different
counter measures associated with them. Briefly, the risks of digital
replay attacks are essentially those of cryptographic code-breaking,
so they have encryption protocols which have been well established
for decades now, particularly DES3. Those are certainly no greater
than the risks of security communication, and incidentally with
some biometrics you can permute the bits, or the bytes, of the
data so that a given stored iris code has no value tomorrow or
next month, or indeed one minute from now, because there are 10
to the 507th power different permutations of the data, provided
that the same permutation protocol is followed at the hosts, as
at the database. Essentially an iris code as a digital set of
data becomes of no value, if it is stolen, it has no value after
the next permutation. I would say there is greater vulnerability,
substantially, to analogue replay attacks, for example, wearing
a contact lens which has somebody else's iris pattern printed
onto it, either for concealing your own identity or impersonating
another identity. I regard that risk as probably the weakest point
of that particular biometric. There are eight or 10 physical methods
as well as software methods that have been developed to detect
false patterns on the surface of the eye as opposed to the iris
pattern. The true iris lies inside the eye; the pupil is always
moving; the iris pattern is stretching as the pupil moves - there
are six or eight physiological as well as other photonic counter
measures but most of those are unproven, they are assertions of
principle, and that is going to be one of the main elements of
testing and assessment in the forthcoming year.
Professor Sasse: There are a lot
of different ways of attacking a system and it might be quite
difficult to mount such a technical attack but, on the other hand,
bribing somebody to store my biometrics against a different name
is fairly straightforward, so what you have to do is the entire
socio-technical system. That is, the identity card system has
to be engineered and operated to an extremely high standard, not
just of technical assurance but also of behaviour and monitoring
and auditing of all the interactions that take place with a system.
The problems that have happened in the past are simply because
the wrong person's name has been entered against the wrong biometric.
There have been several cases of false arrests in the US, and
you may remember the Brandon Mayfield case, so these kind of things
happen and I think you have to consider there are many different
ways of how you could try and attack and misuse the identity in
a system, and that it is quite a complex exercise. I think any
security professional will tell you that you cannot guarantee
that a particular risk will actually happen; all you can do is
mitigate the risk to the degree of the resources you have available
to do it.
Q555 Chairman: Do you agree with
that?
Dr Whitley: Yes. In terms of the
risk it is broader. There is a very practical risk that the IPS
is only piloting the recording of fingerprints from late 2007[8],
and the scheme is supposed to be up and running in 2008/2009.
If that piloting reveals more problems than the roll-out scale
that they are talking about, and I think they are talking about
up to 50,000 enrolments a day, so if there are any practical problems
there are risks there. There are the security risks, the lack
of specifications, the central database rather than a distributed
one, all those kinds of things, and there is also the risk that
Ministers seem to want to be rushing the scheme for political
reasons. They want enough people to be on the scheme so if they
do not win the next election the Conservatives will have a much
more difficult case for cancelling the project[9].
And, again, rushing projects makes things go wrong.
Q556 Adam Afriyie: In the US, United
Arab Emirates, Hong Kong, Philippines and Belgium, I think, there
are various different ID card models. To your knowledge, has the
Home Office investigated these various international models and,
if so, have they learned the lessons that other nations have learned?
Professor Sasse: Yes. I think
they have taken great effort to look at other schemes that are
in operation and to learn as much as possible from them. However,
as a scientist I have a slight problem with some of that in that
in several of these schemes there are no proper controlled observations
available, so what we will be getting is a statement from the
Government saying, "We will give you the exact figures for
the UAE. They have operated these schemes for these persons, they
have made so many successful arrests", and they will claim
that no person in the database has managed to enter the United
Arab Emirates. Now, if you managed to beat that iris scanner and
managed to get into the United Arab Emirates - it is a claim
that is very difficult to verify! There have been no observed,
properly controlled trials where we would have the figures that
we can work on. We basically have to take on trust what they are
saying. Also, what you have to consider is that systems operate
in a particular social and cultural context, and the social and
cultural context in those countries may not be exactly the same
as in the United Kingdom, so certain behaviour that might be required
from the citizen user in order to make the systems operate that
may be perfectly acceptable there may not be acceptable to the
citizens of the United Kingdom, and that aspect has not been looked
at in a great amount of detail.
Q557 Adam Afriyie: My experience
echoes yours. I was in Dubai recently and I did not see any piece
of equipment anywhere scanning anything
Dr Daugman: That is because you
did not require a visa to enter. It is only for foreign nationals
who require a visa who are submitted to the iris camera. And,
by the way, about 1 million iris codes have been enrolled in that
deployment, and about 8 million in Andhra Pradesh in India in
a welfare scheme, so the total number of iris enrolments is now
around 10 million
Dr Whitley: I was simply quoting
from the Home Office submission. That is all.
Q558 Chairman: But the point Angela
was making is it is hard to verify the effectiveness of these
schemes.
Dr Mansfield: In the schemes which
are operating somewhere else using biometrics one of the things
we know is that the environment, the population that is using
the system, have a strong influence on the performance and the
way these systems will work, so it does not matter how closely
we look at other large schemes; it does not necessarily tell us
exactly what would happen with biometrics on the United Kingdom
scheme and, as Angela pointed out, the operational data is not
quite the same as data in cold circumstances so one has to interpret
what one finds out.
Q559 Mr Devine: I think I know the
answer to this but has there been a lack of open, informed debate
regarding this scheme amongst the public?
Dr Daugman: I think I have answered
that!
Dr Mansfield: It is open but not
terribly well informed.
Professor Sasse: Yes.
Dr Whitley: Yes.
5 Jane Harris, Senior Campaign Officer, Rethink. Presentation
in Westminster eForum "Implementing ID Cards" report,
ISBN 1-905029-31-4.
6 Note by the witness: I misspoke here; I meant "paranoia",
rather than "schizophrenia".
7 Note by the witness: Entitlement Cards Risk Workshop,
6 March 2003, Home Office.
8 Page 31 of PDF of UKIPS Corporate Plan 2006-16 available at http://www.passport.gov.uk/downloads/IPS-Corporate-Plans06.pd
9 Jean Eaglesham and Maija Palmer, "Labour races to introduce
ID cards", Financial Times, April 17 2006.